Closed CptGuo closed 4 months ago
stasinopoulos
commented
4 months ago Firstly, take a look with the latest dev version. Also, try to increase the value for --level option(to perform more tests).
Fyi, you can increase the verbosity with -v argument and see exactly which point / part of the executed requests fail.
Tip: A good practice to conclude why this happens is to exploit the vulnerability manually and then run commix against it.
stasinopoulos
commented
4 months ago Just check against the following java code:
https://github.com/SasanLabs/VulnerableApp/blob/master/src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjection.java
CptGuo
commented
4 months ago If this is just a basic test environment and it can't even complete an injection directly, what else can this tool do?
stasinopoulos
commented
4 months ago As you can see in the image above, it works fine with Java applications. In any case that commix does not meet your needs, you can find a similar one that does.
github-actions[bot]
commented
2 months ago This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.
This action has been performed automatically by a bot.
What's the problem (or question)?
Commix can't inject java Runtime.exec()
How can we reproduce the issue?
See java code below.
What are the running context details?
JAVA CODE
@GetMapping("/too") public String too(@Param("txt") String txt) { Runtime runtime = Runtime.getRuntime(); StringBuffer bf = new StringBuffer(); try { Process process = runtime.exec(txt); InputStream inputStream = process.getInputStream(); BufferedReader reader = new BufferedReader(new InputStreamReader(inputStream)); String line;
Commix run logs
python commix.py -u "http://localhost:9090/attdef/too?txt=who"
[13:36:19] [info] Testing connection to the target URL. [13:36:19] [info] Checking if the target is protected by some kind of WAF/IPS. [13:36:19] [info] Performing identification (passive) tests to the target URL. [13:36:19] [info] Setting GET parameter 'txt' for tests. Do you want to ignore the response HTTP error code '400' and continue the tests? [Y/n] > y [13:36:20] [warning] Heuristic (basic) tests shows that GET parameter 'txt' might not be injectable. [13:36:30] [info] Testing the (results-based) classic command injection technique.
[13:36:42] [info] Testing the (results-based) dynamic code evaluation technique.
[13:36:42] [warning] It is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions. [13:36:42] [info] Testing the (blind) time-based command injection technique.
Enter what you want to use for writable directory (e.g. '/var/www/localhost/public_html/') > /tmp/ [13:36:46] [info] Trying to create a file in directory '/tmp/' for command execution output. Do you want to use URL 'http://localhost:9090/HEPYZJ.txt' for command execution output? [Y/n] > y It seems that you don't have permissions to read and/or write files in directory '/tmp/'.8%) Do you want to use the temporary directory ('/tmp/')? [Y/n] > y [13:37:18] [info] Trying to create a file in directory '/tmp/' for command execution output. [13:37:18] [warning] It is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions. [13:37:18] [info] Testing the (semi-blind) tempfile-based injection technique.
[13:37:18] [warning] The tested GET parameter 'txt' does not seem to be injectable. [13:37:18] [critical] All tested parameters appear to be not injectable. Try to increase value for '--level' option if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved, maybe you could try to use option '--tamper' and/or switch '--random-agent'.