OS command injection using commix

Command injection exploiter (commix) is an automated tool written in Python that comes preinstalled in Kali Linux and executes various OS commands if the application is vulnerable to command injection. It allows attackers to inject into any specific vulnerable part of the application, or even into an HTTP header.

commix also comes as an additional plugin in various penetration testing frameworks such as TrustedSec's Penetration Testers Framework (PTF) and OWASP's Offensive Web Testing Framework (OWTF).

Attackers can list all the functionalities provided by commix by entering commix -h in the Terminal.

To simulate the exploit, execute the following command in the Terminal against the targeted vulnerable web server:

commix --url="http://YourIP/mutillidae/index.php?popupnotificationcode=5L5&page=dns-lookup.php" --data="target_host=INJECT_HERE" --headers="Accept-Language:fr\nETAG:123\n"

When the commix tool is run against the vulnerable URL, penetration testers should be able to see the progress of command execution on the target server and also which parameter is vulnerable. In the preceding scenario, target_host is the variable that was injectable using classic injection techniques, as shown in the following screenshot:

Once the injection is successful, attackers are able to run commands on the server, for example, dir to list all the files and folders, as shown in the following screenshot:
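
The target_host flaw described above is closed by validating the value and never handing it to a shell. The following is an added example, not code from the book or from Mutillidae; the function names, the sample values and the use of nslookup as the lookup program are assumptions.

```python
import ipaddress
import re
import subprocess

# One DNS label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
# Constructed sample values: two legitimate, three carrying shell metacharacters.
SAMPLES = ["example.com", "192.0.2.10", "example.com; dir", "example.com && dir", "$(dir)"]


def validate_target_host(value: str) -> str:
    """Return the value if it is an IP address or hostname, else raise ValueError."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    host = value[:-1] if value.endswith(".") else value
    labels = host.split(".")
    if len(host) > 253 or not all(_LABEL.fullmatch(label) for label in labels):
        raise ValueError("target_host is not a valid hostname or IP address")
    return host


def build_lookup_argv(target_host: str) -> list:
    """Build the argument vector; the validated value is a single argv element."""
    # A label cannot start with "-", so the value cannot be read as an option.
    return ["nslookup", validate_target_host(target_host)]


def dns_lookup(target_host: str) -> str:
    """Run the lookup with no shell, so metacharacters are never interpreted."""
    result = subprocess.run(build_lookup_argv(target_host), shell=False,
                            capture_output=True, text=True, timeout=10)
    return result.stdout


def classify(samples):
    """Map each sample value to 'accepted' or 'rejected'."""
    verdicts = {}
    for sample in samples:
        try:
            validate_target_host(sample)
            verdicts[sample] = "accepted"
        except ValueError:
            verdicts[sample] = "rejected"
    return verdicts


if __name__ == "__main__":
    print(classify(SAMPLES))
```

Rejected values are also worth logging with the source address, since a run of them against one parameter is the pattern an automated injection scan produces.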
