commixproject / commix

Automated All-in-One OS Command Injection Exploitation Tool.
https://commixproject.com

Feature request and improvements #904

Open U53RW4R3 opened 5 months ago

U53RW4R3 commented 5 months ago

Transfer Files

Using living-off-the-land techniques after successfully exploiting the web app vulnerability. I am aware of the two flags --file-write and --file-read, but it's just nice to have in case the attacker forgot to upload and/or download the files during shell interaction.

  1. Download (download /path/to/remote/file /path/to/local/file)
  2. Upload (upload /path/to/local/file /path/to/remote/file)

Data Exfiltration

What happened with these features? These help a lot for blind command injection; is there a reason you've removed them? I find it a waste.

  1. DNS (--dns-server): It is possible to use this with projectdiscovery's interactsh-server, and they have their own hosted instance which is similar to Burp Suite Pro Collaborator; here's the website https://app.interactsh.com.
  2. ICMP (--icmp-exfil)

Update MSF payload modules by detecting architecture and OS

If you cannot maintain the new modules, just remove them, since I can use --os-cmd to execute one-liner payloads and the three flags (--file-write, --file-upload and --file-dest) to upload the binary .exe, .dll, .elf, and .so files and change permissions to execute them, just to get the job done. There are too many architectures to keep up with.

Google dorking (from sqlmap)

It does help with finding key parameters in Google dorking, such as inurl:?ping=.

-g GOOGLEDORK
--gpage=GOOGLEPAGE

Update the documentation

Alter Shell

--alter-shell: How does this work? What interpreter should I use? Is it Python, Perl, Bash, Script, or Expect? Which operating systems are compatible with this flag?

Command injection techniques

--technique: So far as I know there are four techniques in total; I haven't checked the source code, but to my understanding after looking at previous tutorials and the user manual you've posted, they are:

So by default I could use all 3 (--technique=CTF) or 4 (--technique=CETF) as default techniques if not specified. I had a hard time figuring this out since there are no specific flags describing how to use the techniques flag. The sqlmap manual was a huge help, and I couldn't find it anywhere other than by researching from the ground up. Like I said, I haven't read the source code.

Finally, the --skip-technique flag: how does this work exactly? Does it skip a specific payload or just the four techniques from above? It would be best to update the documentation on what it's used for. In the case of sqlmap's --test-skip flag, it allows the user to exclude specific payloads by specifying the string BENCHMARK, for example, to reduce the HTTP requests.

Shellshock module

Explain use cases for the --shellshock module even if it's not CVE related, especially when exploiting cgi-bin/, such as IoT devices like routers.

Proxychains feature (from sqlmap)

I saw the --proxy flag but I don't see the documentation about this feature, and I am unsure what types of proxy servers it supports other than HTTP proxies, to my knowledge. If these are missing, then consider implementing support for the SOCKS proxy feature, or, to save yourself the trouble of adding too many dependencies, add documentation advising the user to use proxychains-ng for pivoting in the network or establishing connections with proxy servers.

--proxy=socks4://<IP>:<PORT>
--proxy=socks5://<IP>:<PORT> --proxy-cred=[username]:[password]
--proxy=http://<IP>:<PORT> --proxy-cred=[username]:[password]
--proxy-file=proxy-servers.txt

What are the running context details?

$ sudo apt install -y commix

$ commix --version
v3.9-stable

stasinopoulos commented 5 months ago

Thanks for the comments and suggestions. I will take a closer look at your comments when I have more time, and I will act accordingly.