commix
Automated All-in-One OS Command Injection Exploitation Tool
Commix automates the discovery and exploitation of command injection vulnerabilities in web applications, helping penetration testers and bug bounty hunters prove a target is vulnerable by running system commands through detected flaws.
Commix is a Python tool for penetration testers that automates the process of finding and exploiting command injection vulnerabilities in web applications. A command injection vulnerability is a type of security flaw where a web application passes user-supplied input to the operating system in an unsafe way, allowing an attacker to run arbitrary system commands on the server. Commix is designed to detect whether a given target is vulnerable to this class of problem and, if so, to demonstrate the impact by running those commands automatically.
The name is a contraction of command injection exploiter. The tool was written by security researcher Anastasios Stasinopoulos and is released under the GPLv3 open source license. It supports Python versions 2.6, 2.7, and 3.x, and can be installed simply by cloning the repository and running the script directly with no build step required.
Commix is intended for authorized security testing, bug bounty work, and penetration testing engagements where a tester has permission to probe a target application. It is included in security-focused Linux distributions and is listed in OWASP-related resources as a relevant testing tool. The wiki on its GitHub page covers available options, usage examples, and techniques for bypassing input filters that would otherwise block detection attempts. The tool is available in several translated README versions covering Persian, Greek, Indonesian, and Turkish.
Where it fits
- Test a web application for command injection vulnerabilities during an authorized penetration testing engagement
- Automate command injection detection and exploitation for bug bounty submissions
- Verify whether a specific URL parameter passes user input unsafely to the operating system
- Bypass input filters that block basic command injection attempts to fully assess exposure