Commix Versions

Automated All-in-One OS Command Injection Exploitation Tool.

v3.9

4 months ago
  • Fixed: Multiple bug-fixes regarding several reported unhandled exceptions.
  • Revised: Minor improvement regarding logging user-supplied command(s) (i.e. --os-cmd option) to a file.
  • Revised: Improvement regarding parsing HTTP requests through Tor HTTP proxy (i.e. --tor switch).
  • Added: New (hidden) option --ignore-stdin regarding ignoring STDIN input. (via @n00b-bot)
  • Revised: Minor improvement regarding successfully completing the scanning process (i.e. in case that parameters with anti-CSRF tokens are omitted). (via @xerxoria)
  • Revised: Minor improvement regarding Windows-based payloads for semiblind (i.e. "file-based") technique (i.e. command execution output).
  • Revised: Minor improvement in semiblind (i.e. "file-based") technique, regarding defining the URL where the execution output of an injected payload is shown.
  • Added: New switch --ignore-proxy to ignore the system default HTTP proxy.
  • Revised: Minor improvement regarding parsing HTTP requests through HTTP proxy (i.e. --proxy option).
  • Added: New switch --smart for conducting thorough tests only in case of positive heuristic(s).
  • Added: Translation for README.md in Turkish. (via @Kazgangap)
  • Revised: Minor improvement regarding parsing SOAP/XML POST data.

Note: For more, check the detailed changeset.

v3.8

9 months ago
  • Fixed: Multiple bug-fixes regarding several reported unhandled exceptions.
  • Revised: Minor improvement regarding parsing raw HTTP request from a file (i.e. -r option).
  • Revised: Minor improvement regarding dynamic code evaluation technique (i.e. command execution output).
  • Added: Translation for README.md in Farsi (Persian). (via @verfosec)
  • Fixed: Minor bug-fix regarding --skip-empty flag, for skipping the testing of the parameter(s) with empty value(s).
  • Revised: Minor improvement regarding tamper script "uninitializedvariable.py", for adding randomly generated uninitialized bash variables between the characters of each command of the generated payloads.
  • Revised: Minor improvement regarding skipping further tests on a target for which an injection point has already been detected.
  • Revised: Minor code refactoring regarding multiple tamper scripts (i.e. "backslashes.py", "dollaratsigns.py", "doublequotes.py", "singlequotes.py", "uninitializedvariable.py").
  • Added: New tamper script "rev.py" that reverses (characterwise) the user-supplied operating system commands (for *nix targets).
  • Fixed: Minor bug-fix regarding checking for similarity in provided parameter(s) name(s) and value(s).
  • Fixed: Minor bug-fix regarding forcing usage of SSL/HTTPS requests toward the target (i.e. --force-ssl flag).
  • Fixed: Minor bug-fix regarding setting custom output directory path (i.e. --output-dir option).
  • Added: Support for Bearer HTTP authentication type.
  • Revised: Minor improvement regarding tamper script "xforwardedfor.py" (that appends a fake HTTP header X-Forwarded-For).
  • Fixed: Minor bug-fix regarding not ignoring specified injection technique(s) when --ignore-session or --flush-session options are set.
  • Replaced: The --dependencies option has been replaced with --ignore-dependencies, regarding ignoring all required third-party library dependencies.
  • Added: New option --alert to run host OS command(s) when injection point is found.

Note: For more, check the detailed changeset.

v3.7

1 year ago
  • Fixed: Multiple bug-fixes regarding several reported unhandled exceptions.
  • Added: Translation for README.md in Indonesian (via @galihap76)
  • Revised: Improvements regarding parsing HTTP requests through HTTP proxy (i.e. --proxy option).
  • Revised: Improvements regarding identifying injection marker (i.e. asterisk *) in provided parameter values (e.g. GET, POST or HTTP headers).
  • Added: New option --crawl-exclude regarding setting regular expression for excluding pages from crawling (e.g. logout).
  • Revised: Improvement regarding --crawl option, for skipping further tests on a target for which an injection point has already been detected.
  • Added: Support regarding combining --crawl option with scanning multiple targets given from piped-input (i.e. stdin).
  • Revised: Minor improvement regarding adding PCRE /e modifier (i.e. dynamic code evaluation technique).
  • Revised: Minor bug-fix regarding logging all HTTP traffic into a textual file (i.e. -t option).

Note: For more, check the detailed changeset.

v3.6

1 year ago
  • Fixed: Multiple bug-fixes regarding several reported unhandled exceptions.
  • Revised: Improvements regarding dynamic code evaluation heuristic check.
  • Revised: Minor improvement regarding session handler.
  • Revised: Minor improvement regarding --wizard option.
  • Added: New tamper script "printf2echo.py" that replaces the printf-based ASCII to Decimal printf "%d" "'$char'" with echo -n $char | od -An -tuC | xargs.
  • Revised: Minor improvement regarding parsing HTTP requests through HTTP proxy (i.e. --proxy option).
  • Revised: Minor improvement regarding handling HTTP Error 401 (Unauthorized).

Note: For more, check the detailed changeset.

v3.5

1 year ago
  • Fixed: Multiple bug-fixes regarding several reported unhandled exceptions.
  • Revised: Improvements regarding Windows-based payloads for every supported technique.
  • Revised: Improvement regarding alternative shell (i.e. --alter-shell) for generating Python 3.x payloads.
  • Removed: The deprecated modules "ICMP exfiltration" and "DNS exfiltration" have been removed.
  • Revised: Improvement regarding identifying injection marker (i.e. asterisk) in provided options.
  • Revised: Improvement regarding shellshock module.
  • Added: Support regarding parsing target(s) from piped-input (i.e. stdin).
  • Added: New option --answers to set user answers to asked questions during commix run.
  • Added: Support regarding combining --crawl option with scanning multiple targets given in a textual file (i.e. via option -m).
  • Added: Support for normalizing crawling results.
  • Revised: Improvement regarding crawler.
  • Revised: Minor bug-fix regarding --file-upload option.
  • Revised: Minor improvement regarding identifying Hex and/or Base64 encoded parameter(s) value(s).
  • Added: New option --no-logging for disabling logging to a file.
  • Revised: Minor improvement regarding redirect handler.
  • Updated: Minor update regarding scanning multiple targets given in a textual file (i.e. via option -m).
  • Added: Support for heuristic detection regarding command injections.
  • Revised: Improvement regarding --level option, which not only adds more injection points (i.e. Cookies, HTTP headers) but also performs more tests for each injection point.
  • Revised: Improvement regarding injecting into custom HTTP Header(s).

Note: For more, check the detailed changeset.

v3.4

2 years ago
  • Fixed: Multiple bug-fixes regarding several reported unhandled exceptions.
  • Fixed: Bug-fix regarding forcing usage of provided HTTP method (e.g. PUT).
  • Fixed: Bug-fix regarding parsing raw HTTP headers from a file (i.e. -r option).
  • Fixed: Minor bug-fix regarding parsing JSON objects.
  • Added: New option --drop-set-cookie for ignoring Set-Cookie HTTP header from response.
  • Added: Support for checking for not declared cookie(s).
  • Added: New (hidden) option --smoke-test that runs the basic smoke testing.
  • Revised: Improvement regarding the mechanism that nags if the "dev" version in use is > 30 days old.
  • Revised: Improvements regarding dynamic code evaluation heuristic check.
  • Replaced: The --encoding option has been replaced with --codec.

Note: For more, check the detailed changeset.

v3.3

2 years ago
  • Fixed: Multiple bug-fixes regarding several reported unhandled exceptions.
  • Fixed: Minor bug-fix regarding scanning multiple targets given in a textual file (i.e. via option -m).
  • Removed: The "Regsvr32.exe application whitelisting bypass" attack vector has been removed.
  • Updated: Minor update regarding web delivery script (i.e. Python meterpreter reverse TCP shell).
  • Replaced: The --backticks switch has been replaced with "backticks.py" tamper script.
  • Added: New tamper script "backticks.py" that uses backticks instead of $(), for command substitution (for *nix targets).
  • Added: New option (--skip-heuristic) for skipping dynamic code evaluation heuristic check.
  • Added: Support for parsing custom wordlists regarding HTTP authentication (i.e. Basic, Digest) dictionary-based cracker.
  • Revised: Improvements regarding dynamic code evaluation heuristic check.
  • Fixed: Minor bug-fix regarding parsing SOAP/XML data via --data option.
  • Revised: Minor improvement regarding parsing GraphQL JSON objects.
  • Added: The .bat files command separator (i.e. %1a) has been added.
  • Added: New option --method to force usage of provided HTTP method (e.g. PUT).

Note: For more, check the detailed changeset.

v3.2

3 years ago
  • Fixed: Multiple bug-fixes regarding several reported unhandled exceptions.
  • Added: New tamper script "slash2env.py" that replaces slashes (/) with environment variable value ${PATH%%u*} (for *nix targets).
  • Revised: Minor improvement regarding session handler for supporting Python 3.4+.
  • Revised: Minor improvement regarding --web-root option.
  • Added: New tamper script "uninitializedvariable.py" that adds uninitialized bash variables between the characters of each command of the generated payloads (for *nix targets).
  • Revised: Improvement regarding decompressing deflate, x-gzip and gzip HTTP responses.
  • Fixed: Bug-fix regarding several charset-related unhandled exceptions.
  • Revised: Improvements regarding dynamic code evaluation heuristic check.
  • Fixed: Bug-fix regarding HTTP authentication (i.e. Basic, Digest) dictionary-based cracker.
  • Fixed: Bug-fix regarding logging all HTTP traffic into a textual file.
  • Revised: Improvement regarding crawler.
  • Fixed: Multiple bug-fixes regarding supporting Python 3.9.
  • Revised: Improvement regarding the mechanism that nags if the version in use is > 30 days old.
  • Fixed: Multiple bug-fixes regarding the shellshock module.
  • Revised: Improvement regarding Python 3.4+ for using the html.unescape() function for converting HTML entities to plain-text representations.
  • Updated: Minor update regarding smartphones to imitate, through HTTP User-Agent header.
  • Fixed: Bug-fix regarding setting suitable HTTP header User-Agent, when combining --random-agent or --mobile switch with -r option.
  • Fixed: Bug-fix regarding Hex encoding/decoding.
  • Added: New option (--timeout) for setting the number of seconds to wait before the connection times out (default 30).
  • Revised: Increased default timeout to 30 seconds.
  • Fixed: Bug-fix regarding Basic HTTP authentication.
  • Fixed: Bug-fix regarding connection problems (via @fuero).

Note: For more, check the detailed changeset.

v3.1

3 years ago
  • Fixed: Multiple bug-fixes regarding several reported unhandled exceptions.
  • Added: A script "setup.py" has been added (i.e. easier installation).
  • Revised: Improvement regarding checking if the provided value has boundaries (e.g. param=/value/).
  • Revised: Improvement regarding dynamic code evaluation technique's heuristic checks.
  • Revised: Improvement regarding identifying the indicated web-page charset.
  • Revised: Minor improvement regarding verbose mode (i.e. debug messages).
  • Fixed: Bug-fix regarding Basic HTTP authentication.
  • Revised: Minor improvement regarding redirection mechanism.
  • Fixed: Bug-fix regarding defining wildcard character * in nested JSON objects.
  • Revised: Minor improvement regarding Flatten_json (third party) module.
  • Revised: Minor improvement regarding parsing nested JSON objects.
  • Added: New tamper script "doublequotes.py" that adds double-quotes ("") between the characters of the generated payloads (for *nix targets).
  • Fixed: Bug-fix regarding parsing raw HTTP headers from a file (i.e. -r option).
  • Revised: Improvements regarding the data in the detailed message shown when an unhandled exception occurs.
  • Revised: Minor bug-fixes and improvements regarding HTTP authentication dictionary-based cracker.

Note: For more, check the detailed changeset.

v3.0-20191111

4 years ago
  • Fixed: Multiple bug-fixes regarding several reported unhandled exceptions.
  • Revised: Improvement regarding identifying the indicated web-page charset.
  • Added: Support for Python 3.x
  • Updated: Beautiful Soup (third party) module has been updated.
  • Added: Six (third party) module has been added.
  • Revised: Improvement regarding parsing nested JSON objects that contain boolean values.
  • Replaced: The --ignore-401 option has been replaced with --ignore-code option.
  • Added: New option (--ignore-code) for ignoring (problematic) HTTP error code (e.g. 401).

Note: For more, check the detailed changeset.