Scan with http request txt file issue

[kaczalapa]

What's the problem (or question)?

1. When I try to run scan with request file input in txt form burp data, commix stop this with Critical error: [x] Critical: You specified more than one injection markers. Use the '-p' option to define them (i.e -p "id1,id2").
2. I am not sure that I take correct data to txt request file. Maybe there should be some tags, which will help commix to identify injection points. Unfortunately in Use examples there is not any example of input request file to compare, and on the commix help there is not any information what should be on request file.
3. Little think - as you can see on Critical error description there is missing one letter on word "injecton" :)

Do you have an idea for a solution?

Ad2 - Put some example on input file in Usage example site (https://github.com/commixproject/commix/wiki/Usage-Examples) and/or on help description in commix --help Ad1 - If with examples scan will run up - that will be probably enough solution for this case. Ad3 - Change injecton to injection :)

How can we reproduce the issue?

1. In my case I copy from burp request raw from bee-box test:

   GET /bWAPP/htmli_get.php?firstname=aa&lastname=&form=submit HTTP/1.1
   Host: ip:port
   User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
   Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
   Accept-Language: en-US,en;q=0.5
   Accept-Encoding: gzip, deflate
   Referer: https://ip:port/bWAPP/htmli_get.php
   Connection: close
   Cookie: PHPSESSID=value; security_level=0
   Upgrade-Insecure-Requests: 1

2. Save in requestCommix.txt file
3. Run in terminal: sudo commix -r '/.../.../.../requestCommix.txt'
4. And that is the terminal logs:

   
   [!] Warning: Python version 3.7.6 detected. You are advised to use Python version 2.7.x.
                                     __           
   ___   ___     ___ ___     ___ ___ /\_\   __  _   
   /`___\ / __`\ /' __` __`\ /' __` __`\/\ \ /\ \/'\  v3.0-stable
   /\ \__//\ \/\ \/\ \/\ \/\ \/\ \/\ \/\ \ \ \\/>  </  
   \ \____\ \____/\ \_\ \_\ \_\ \_\ \_\ \_\ \_\/\_/\_\ https://commixproject.com
   \/____/\/___/  \/_/\/_/\/_/\/_/\/_/\/_/\/_/\//\/_/ (@commixproject)

+-- Automated All-in-One OS Command Injection and Exploitation Tool Copyright © 2014-2019 Anastasios Stasinopoulos (@ancst) +--

(!) Legal disclaimer: Usage of commix for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.

[!] Warning: Internet seems unreachable. [*] Parsing HTTP request using the 'requestCommix.txt' file... [ SUCCEED ] [x] Critical: You specified more than one injecton markers. Use the '-p' option to define them (i.e -p "id1,id2").

It doesnt matter that, It is GET/POST request, http/https. In my opinion something wrong is with the request file, but I dont find any solution for that case in network.

## What are the running context details?
<!--- Include as many relevant details about the running context you experienced the bug/problem in -->
Installation method: apt-get (v3.0-stable);
Client OS: Kali 2020.1
Target OS: in private lab ubuntu bee-box
Command injection techniques found by commix: default method
Results of manual target assessment: dont have result
Relevant console output (if any): I gave above
Exception traceback (if any): I gave above

[Kali95739]

I'm having the same problem to? What is the solution??

[stasinopoulos]

Hello @Kali95739, @kaczalapa i think that the problem occurs due to the following HTTP Header which contains the "*" symbol:

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8

Please remove it and re-run commix

[kaczalapa]

Its works, thank you!