Automated All-in-One OS Command Injection Exploitation Tool.
--os-cmd option) to a file.
--tor switch).
--ignore-stdin regarding ignoring STDIN input. (via @n00b-bot)
--ignore-proxy to ignore the system default HTTP proxy.
--proxy option).
--smart for conducting thorough tests only in case of positive heuristic(s).
Note: For more, check the detailed changeset.
-r option).
--skip-empty flag, for skipping the testing of the parameter(s) with empty value(s).
--force-ssl flag).
--output-dir option).
Bearer HTTP authentication type.
X-Forwarded-For).
--ignore-session or --flush-session options are set.
--dependencies option has been replaced with --ignore-dependencies, regarding ignoring all required third-party library dependencies.
--alert to run host OS command(s) when injection point is found.
Note: For more, check the detailed changeset.
--proxy option).
*) in provided parameter values (e.g. GET, POST or HTTP headers).
--crawl-exclude regarding setting regular expression for excluding pages from crawling (e.g. logout).
--crawl option, for skipping further tests involving a target on which an injection point has already been detected.
--crawl option with scanning multiple targets given from piped-input (i.e. stdin).
/e modifier (i.e. dynamic code evaluation technique).
-t option).
Note: For more, check the detailed changeset.
--wizard option.
printf "%d" "'$char'" with echo -n $char | od -An -tuC | xargs.
--proxy option).
Note: For more, check the detailed changeset.
--alter-shell) for generating Python 3x payloads.
stdin).
--answers to set user answers to asked questions during commix run.
--crawl option with scanning multiple targets given in a textual file (i.e. via option -m).
--file-upload option.
Hex and/or Base64 encoded parameter(s) value(s).
--no-logging for disabling logging to a file.
-m).
--level option, which not only adds more injection points (i.e. Cookies, HTTP headers) but also performs more tests for each injection point.
Note: For more, check the detailed changeset.
PUT).
-r option).
--drop-set-cookie for ignoring Set-Cookie HTTP header from response.
--smoke-test that runs the basic smoke testing.
--encoding option has been replaced with --codec.
Note: For more, check the detailed changeset.
-m).
--backticks switch has been replaced with "backticks.py" tamper script.
$(), for command substitution (for *nix targets).
--skip-heuristic) for skipping dynamic code evaluation heuristic check.
Basic, Digest) dictionary-based cracker.
--data option.
%1a) has been added.
--method to force usage of provided HTTP method (e.g. PUT).
Note: For more, check the detailed changeset.
/) with environment variable value ${PATH%%u*} (for *nix targets).
--web-root option.
deflate, x-gzip and gzip HTTP responses.
Basic, Digest) dictionary-based cracker.
html.unescape() function for converting HTML entities to plain-text representations.
--random-agent or --mobile switch with -r option.
Hex encoding/decoding.
--timeout) for setting a number of seconds to wait before timeout connection (default 30).
Note: For more, check the detailed changeset.
param=/value/).
* in nested JSON objects.
"") between the characters of the generated payloads (for *nix targets).
-r option).
Note: For more, check the detailed changeset.
--ignore-401 option has been replaced with --ignore-code option.
--ignore-code) for ignoring (problematic) HTTP error code (e.g. 401).
Note: For more, check the detailed changeset.