Commix 1.6 – Automated All-In-One OS Command Injection And Exploitation Tool

Commix (short for [ comm ]and [ i ]njection e[ x ]ploiter) is an automated tool written by Anastasios Stasinopoulos ( @ancst ) that can be used from web developers, penetration testers or even security researchers in order to test web-based applications with the view to find bugs, errors or vulnerabilities related to command injection attacks. By using this tool, it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or HTTP header.

Python version 2.6.x or 2.7.x is required for running this program.
Download commix by cloning the Git repository:
git clone commix
Commix comes packaged on the official repositories of the following Linux distributions, so you can use the package manager to install it!

Commix also comes as a plugin , on the following penetration testing frameworks:

Supported Platforms

  • Linux
  • Mac OS X
  • Windows (experimental)


To get a list of all options and switches use:

python -h

Q : Where can I check all the available options and switches?
A : Check the ‘ usage ‘ wiki page.

Usage Examples
Q : Can I get some basic ideas on how to use commix?
A : Just go and check the ‘ usage examples ‘ wiki page, where there are several test cases and attack scenarios.

Upload Shells
Q : How easily can I upload web-shells on a target host via commix?
A : Commix enables you to upload web-shells (e.g metasploit PHP meterpreter) easily on target host. For more, check the ‘ upload shells ‘ wiki page.

Modules Development
Q : Do you want to increase the capabilities of the commix tool and/or to adapt it to our needs?
A : You can easily develop and import our own modules. For more, check the ‘ module development ‘ wiki page.

Command Injection Testbeds
Q : How can I test or evaluate the exploitation abilities of commix?
A : Check the ‘ command injection testbeds ‘ wiki page which includes a collection of pwnable web applications and/or VMs (that include web applications) vulnerable to command injection attacks.

Exploitation Demos
Q : Is there a place where I can check for demos of commix?
A : If you want to see a collection of demos, about the exploitation abilities of commix, take a look at the ‘ exploitation demos ‘ wiki page.

Bugs and Enhancements
Q : I found a bug / I have to suggest a new feature! What can I do?
A : For bug reports or enhancements, please open an issue here .

Presentations and White Papers
Q : Is there a place where I can find presentations and/or white papers regarding commix?
A : For presentations and/or white papers published in conferences, check the ‘ presentations ‘ wiki page.

Support and Donations
Q : Except for tech stuff (bug reports or enhancements) is there any other way that I can support the development of commix?
A : Sure! Commix is the outcome of many hours of work and total personal dedication. Feel free to ‘ donate ‘ via PayPal to [email protected] and instantly prove your feelings for it! :).

Be the first to comment on "Commix 1.6 – Automated All-In-One OS Command Injection And Exploitation Tool"

Leave a comment

Your email address will not be published.