Commix (short for [comm]and [i]njection e[x]ploiter) is an automated tool
written by Anastasios Stasinopoulos that can be used by web developers,
penetration testers or security researchers to test web-based
applications for bugs, errors or vulnerabilities related to command injection attacks.
With this tool, it is very easy to find and exploit a command injection
vulnerability in a vulnerable parameter or HTTP header.
First of all, install Tamper Data on Firefox, which is used for modifying HTTP requests. We will be using DVWA for testing purposes. DVWA is installed on the target machine with IP 192.168.0.105.
Log in to DVWA, set the security level to low and open the command
injection tab.
Now open Tamper Data, start tampering, enter any IP address and submit. Tamper Data
will pop up asking whether to tamper with the data; click Submit on all the pop-ups.
Now open Tamper Data, find the cookie value in the GET
request and copy it.
Also copy the POST string from the POST request.
Now open a terminal on Kali Linux and type the following command:
commix --url="http://192.168.0.105/dvwa/vulnerabilities/exec/#" --cookie="security=low; PHPSESSID=nh5ehntedbu7ha97lpm8o8vjm2" --data="ip=192.168.0.105&Submit=Submit"
In the --url field, paste the target URL.
In the --cookie field, paste the cookie value you copied. In the --data field, paste
the POST string you copied and put the IP of the target machine in the ip
field of the POST string.
After the command runs, you will get an os-shell on the
targeted machine, where you can run any
Windows command, as my target machine was Windows.
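A flaw of the kind tested above exists when a form value such as the ip field is concatenated into a shell command line. The following is an added example, not code from the original post, from commix or from DVWA: it parses the same POST string, accepts the ip field only if it is a plain IPv4 address, and builds the ping call as an argument list so no shell ever interprets the value. The function names and the sample bodies are hypothetical and constructed for illustration.

```python
import ipaddress
import platform
import subprocess
from urllib.parse import parse_qs


def parse_ip_field(post_body):
    """Return the validated IPv4 address from a form body, or raise ValueError."""
    fields = parse_qs(post_body, keep_blank_values=True)
    values = fields.get("ip", [])
    if len(values) != 1:
        raise ValueError("expected exactly one 'ip' field")
    # IPv4Address accepts only a dotted quad; any trailing shell syntax
    # (";", "|", "&", backticks, spaces) makes it raise ValueError.
    # IPv6 is left out on purpose: its zone-id suffix is free-form text.
    return str(ipaddress.IPv4Address(values[0].strip()))


def build_ping_argv(ip, system=None):
    """Build the ping command as a list; the count flag differs per OS."""
    count_flag = "-n" if (system or platform.system()) == "Windows" else "-c"
    return ["ping", count_flag, "4", ip]


def run_ping(post_body):
    """Validate the request, then run ping without going through a shell."""
    argv = build_ping_argv(parse_ip_field(post_body))
    # A list argument with shell=False is passed to the program as-is,
    # so the value can never be parsed as a second command.
    result = subprocess.run(argv, shell=False, capture_output=True,
                            text=True, timeout=15)
    return result.stdout


if __name__ == "__main__":
    # Constructed sample bodies: the first mirrors the POST string in the
    # post, the second appends shell syntax to the ip value.
    samples = [
        "ip=192.168.0.105&Submit=Submit",
        "ip=192.168.0.105%3B+echo+test&Submit=Submit",
    ]
    for body in samples:
        try:
            print("accepted:", build_ping_argv(parse_ip_field(body)))
        except ValueError as exc:
            print("rejected:", body, "->", exc)
```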