Closed CptGuo closed 3 months ago
Firstly, take a look with the latest dev version. Also, try to increase the value for --level option (to perform more tests).
FYI, you can increase the verbosity with -v argument and see exactly which point / part of the executed requests fail.
Tip: A good practice to conclude why this happens is to exploit the vulnerability manually and then run commix against it.
Just check against the following java code: https://github.com/SasanLabs/VulnerableApp/blob/master/src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjection.java
If this is just a basic test environment and it can't even complete an injection directly, what else can this tool do?
As you can see in the image above, it works fine with Java applications. In any case, if commix does not meet your needs, you can find a similar one that does.
What's the problem (or question)?
Commix can't inject java Runtime.exec()
How can we reproduce the issue?
See java code below.
What are the running context details?
JAVA CODE
@GetMapping("/too")
public String too(@Param("txt") String txt) {
    Runtime runtime = Runtime.getRuntime();
    StringBuffer bf = new StringBuffer();
    try {
        Process process = runtime.exec(txt);
        InputStream inputStream = process.getInputStream();
        BufferedReader reader = new BufferedReader(new InputStreamReader(inputStream));
        String line;
Commix run logs
python commix.py -u "http://localhost:9090/attdef/too?txt=who"
[13:36:19] [info] Testing connection to the target URL.
[13:36:19] [info] Checking if the target is protected by some kind of WAF/IPS.
[13:36:19] [info] Performing identification (passive) tests to the target URL.
[13:36:19] [info] Setting GET parameter 'txt' for tests.
Do you want to ignore the response HTTP error code '400' and continue the tests? [Y/n] > y
[13:36:20] [warning] Heuristic (basic) tests shows that GET parameter 'txt' might not be injectable.
[13:36:30] [info] Testing the (results-based) classic command injection technique.
[13:36:42] [info] Testing the (results-based) dynamic code evaluation technique.
[13:36:42] [warning] It is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions.
[13:36:42] [info] Testing the (blind) time-based command injection technique.
Enter what you want to use for writable directory (e.g. '/var/www/localhost/public_html/') > /tmp/
[13:36:46] [info] Trying to create a file in directory '/tmp/' for command execution output.
Do you want to use URL 'http://localhost:9090/HEPYZJ.txt' for command execution output? [Y/n] > y
It seems that you don't have permissions to read and/or write files in directory '/tmp/'.
Do you want to use the temporary directory ('/tmp/')? [Y/n] > y
[13:37:18] [info] Trying to create a file in directory '/tmp/' for command execution output.
[13:37:18] [warning] It is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions.
[13:37:18] [info] Testing the (semi-blind) tempfile-based injection technique.
[13:37:18] [warning] The tested GET parameter 'txt' does not seem to be injectable.
[13:37:18] [critical] All tested parameters appear to be not injectable. Try to increase value for '--level' option if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved, maybe you could try to use option '--tamper' and/or switch '--random-agent'.
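Added example, not part of the original issue or of the commix project: Runtime.exec(String) does not start a shell. It splits the string on whitespace with StringTokenizer and runs the first token as the program, so shell separators in txt are never interpreted. The sketch below reproduces that split on constructed inputs and pairs it with a hypothetical allow-list handler; the names ExecTokenizationDemo, execArgv, ALLOWED and safeCommand are assumptions, and Java 9+ is assumed for Set.of.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.StringTokenizer;

public class ExecTokenizationDemo {

    // Mirrors how Runtime.exec(String) builds its argument vector:
    // a plain whitespace split, with no shell and no quote handling.
    static List<String> execArgv(String command) {
        List<String> argv = new ArrayList<>();
        StringTokenizer st = new StringTokenizer(command);
        while (st.hasMoreTokens()) {
            argv.add(st.nextToken());
        }
        return argv;
    }

    // Hypothetical allow-list for a handler like the reported /too endpoint.
    static final Set<String> ALLOWED = Set.of("who", "uptime");

    // Hardened form: the request value only selects a fixed program name;
    // it is never tokenized and never supplies arguments.
    static ProcessBuilder safeCommand(String txt) {
        if (!ALLOWED.contains(txt)) {
            throw new IllegalArgumentException("command not allowed: " + txt);
        }
        return new ProcessBuilder(txt);
    }

    public static void main(String[] args) {
        // Constructed sample values for the 'txt' parameter.
        String[] samples = {"who", "who;id", "who ; id", "who | id", "who $(id)"};
        for (String s : samples) {
            // Separators stay literal: either glued to the program name
            // or passed to 'who' as ordinary arguments.
            System.out.printf("%-10s -> argv=%s%n", s, execArgv(s));
            try {
                System.out.println("  allow-list: " + safeCommand(s).command());
            } catch (IllegalArgumentException e) {
                System.out.println("  allow-list: rejected");
            }
        }
    }
}
```

The handler in the report still runs whatever program name arrives in txt, which is why the allow-list matters even though separator-based payloads have no effect.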