Usage

This guide breaks down every critical option, command, and technique you need to master commix’s full range of features and capabilities.

Usage: python commix.py [option(s)]

Options:
  -h, --help            Show help and exit.

  General:
    These options relate to general matters.

    -v VERBOSE          Verbosity level (0-4, Default: 0).
    --install           Install commix to your system.
    --version           Show version number and exit.
    --update            Check for updates (apply if any) and exit.
    --output-dir=OUT..  Set custom output directory path.
    -s SESSION_FILE     Load session from a stored (.sqlite) file.
    --flush-session     Flush session files for current target.
    --ignore-session    Ignore results stored in session file.
    -t TRAFFIC_FILE     Log all HTTP traffic into a textual file.
    --time-limit=TIM..  Run with a time limit in seconds (e.g. 3600).
    --batch             Never ask for user input, use the default behaviour.
    --skip-heuristics   Skip heuristic detection for code injection.
    --codec=CODEC       Force codec for character encoding (e.g. 'ascii').
    --charset=CHARSET   Time-related injection charset (e.g.
                        '0123456789abcdef').
    --check-internet    Check internet connection before assessing the target.
    --answers=ANSWERS   Set predefined answers (e.g. 'quit=N,follow=N').

  Target:
    This options has to be provided, to define the target URL.

    -u URL, --url=URL   Target URL.
    --url-reload        Reload target URL after command execution.
    -l LOGFILE          Parse target from HTTP proxy log file.
    -m BULKFILE         Scan multiple targets given in a textual file.
    -r REQUESTFILE      Load HTTP request from a file.
    --crawl=CRAWLDEPTH  Crawl the website starting from the target URL
                        (Default: 1).
    --crawl-exclude=..  Regexp to exclude pages from crawling (e.g. 'logout').
    -x SITEMAP_URL      Parse target(s) from remote sitemap(.xml) file.
    --method=METHOD     Force usage of given HTTP method (e.g. 'PUT').

  Request:
    These options can be used to specify how to connect to the target URL.

    -d DATA, --data=..  Data string to be sent through POST.
    --host=HOST         HTTP Host header.
    --referer=REFERER   HTTP Referer header.
    --user-agent=AGENT  HTTP User-Agent header.
    --random-agent      Use a randomly selected HTTP User-Agent header.
    --param-del=PDEL    Set character for splitting parameter values.
    --cookie=COOKIE     HTTP Cookie header.
    --cookie-del=CDEL   Set character for splitting cookie values.
    -H HEADER, --hea..  Extra header (e.g. 'X-Forwarded-For: 127.0.0.1').
    --headers=HEADERS   Extra headers (e.g. 'Accept-Language: fr\nETag: 123').
    --proxy=PROXY       Use a proxy to connect to the target URL.
    --tor               Use the Tor network.
    --tor-port=TOR_P..  Set Tor proxy port (Default: 8118).
    --tor-check         Check to see if Tor is used properly.
    --auth-url=AUTH_..  Login panel URL.
    --auth-data=AUTH..  Login parameters and data.
    --auth-type=AUTH..  HTTP authentication type (Basic, Digest, Bearer).
    --auth-cred=AUTH..  HTTP authentication credentials (e.g. 'admin:admin').
    --ignore-code=IG..  Ignore (problematic) HTTP error code (e.g. 401).
    --force-ssl         Force usage of SSL/HTTPS.
    --ignore-proxy      Ignore system default proxy settings.
    --ignore-redirects  Ignore redirection attempts.
    --timeout=TIMEOUT   Seconds to wait before timeout connection (Default:
                        30).
    --retries=RETRIES   Retries when the connection timeouts (Default: 3).
    --drop-set-cookie   Ignore Set-Cookie header from response.

  Enumeration:
    These options can be used to enumerate the target host.

    --all               Retrieve everything.
    --current-user      Retrieve current user name.
    --hostname          Retrieve current hostname.
    --is-root           Check if the current user have root privileges.
    --is-admin          Check if the current user have admin privileges.
    --sys-info          Retrieve system information.
    --users             Retrieve system users.
    --passwords         Retrieve system users password hashes.
    --privileges        Retrieve system users privileges.
    --ps-version        Retrieve PowerShell's version number.

  File access:
    These options can be used to access files on the target host.

    --file-read=FILE..  Read a file from the target host.
    --file-write=FIL..  Write to a file on the target host.
    --file-upload=FI..  Upload a file on the target host.
    --file-dest=FILE..  Host's absolute filepath to write and/or upload to.

  Modules:
    These options can be used increase the detection and/or injection
    capabilities.

    --shellshock        The 'shellshock' injection module.

  Injection:
    These options can be used to specify which parameters to inject and to
    provide custom injection payloads.

    -p TEST_PARAMETER   Testable parameter(s).
    --skip=SKIP_PARA..  Skip testing for given parameter(s).
    --suffix=SUFFIX     Injection payload suffix string.
    --prefix=PREFIX     Injection payload prefix string.
    --technique=TECH    Specify injection technique(s) to use.
    --skip-technique..  Specify injection technique(s) to skip.
    --maxlen=MAXLEN     Set the max length of output for time-related
                        injection techniques (Default: 10000 chars).
    --delay=DELAY       Seconds to delay between each HTTP request.
    --time-sec=TIMESEC  Seconds to delay the OS response (Default: 1).
    --tmp-path=TMP_P..  Set the absolute path of web server's temp directory.
    --web-root=WEB_R..  Set the web server document root directory (e.g.
                        '/var/www').
    --alter-shell=AL..  Use an alternative os-shell (e.g. 'Python').
    --os-cmd=OS_CMD     Execute a single operating system command.
    --os=OS             Force back-end operating system (e.g. 'Windows' or
                        'Unix').
    --tamper=TAMPER     Use given script(s) for tampering injection data.
    --msf-path=MSF_P..  Set a local path where metasploit is installed.

  Detection:
    These options can be used to customize the detection phase.

    --level=LEVEL       Level of tests to perform (1-3, Default: 1).
    --skip-calc         Skip the mathematic calculation during the detection
                        phase.
    --skip-empty        Skip testing the parameter(s) with empty value(s).
    --failed-tries=F..  Set a number of failed injection tries, in file-based
                        technique.
    --smart             Perform thorough tests only if positive heuristic(s).

  Miscellaneous:
    --ignore-depende..  Ignore all required third-party library dependencies.
    --list-tampers      Display list of available tamper scripts.
    --alert=ALERT       Run host OS command(s) when injection point is found.
    --no-logging        Disable logging to a file.
    --purge             Safely remove all content from commix data directory.
    --skip-waf          Skip heuristic detection of WAF/IPS/IDS protection.
    --mobile            Imitate smartphone through HTTP User-Agent header.
    --offline           Work in offline mode.
    --wizard            Simple wizard interface for beginner users.
    --disable-coloring  Disable console output coloring.

---

Below is an exhaustive breakdown of all options and switches together with examples.

General options

These options control the overall behavior of the tool, such as managing sessions, setting verbosity levels, controlling output formats, and configuring global runtime parameters. Use these to customize how commix interacts with the target and how it reports results.

Show help message

Option: -h, --help

Description:
Display the general help message with usage syntax and a categorized list of all available options. Useful for quick reference or to explore the full range of features and switches. Typically the first step when getting familiar with the tool or verifying available flags before launching an attack.

Usage example:

python commix.py --help

Output verbosity

Option: -v VERBOSE

Description:
This option increases the verbosity level, providing progressively deeper insights into the tool’s internal processes. It is invaluable for troubleshooting, debugging, and gaining a clear understanding of each step commix takes during testing.

Verbosity levels:

• 0: Displays only essential information and high-level results. Ideal for routine scans where you want concise output without additional debug details.
• 1: Enables simple debugging information including key events and warnings. Useful for identifying general issues without overwhelming detail.
• 2: In addition to level 1 output, shows all HTTP requests sent by commix. This allows you to verify exactly what data and headers are being transmitted to the target server.
• 3: Extends level 2 by also displaying HTTP response headers received from the server. This helps to analyze server behavior, headers, cookies, redirects, and error codes during testing.
• 4: Provides the most comprehensive output, including complete HTTP request and response bodies. This level is essential for in-depth debugging, allowing you to inspect payloads, server responses, and data exchange in detail to troubleshoot complex injection points or server issues.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" -v3

System-wide installation

Option: --install

Description:
This option installs commix system-wide, making it accessible globally from any location on your system. It is especially useful if you plan to use commix regularly and want to integrate it into your long-term penetration testing toolkit. By installing commix, you streamline workflow and avoid needing to run it from its local directory each time.

Notes:

• This option requires administrator privileges to install correctly system-wide.
• After installation, you can invoke commix simply using commix from any terminal session.

Usage example:

sudo python commix.py --install

If the above method doesn’t work, you can manually clone the official commix repository and install it using Python’s standard setup script. This approach gives you direct access to the latest source code and provides a flexible installation process.

Usage example:

git clone https://github.com/commixproject/commix.git
cd commix
sudo python setup.py install

Notes:

• This method downloads the most recent source code and installs commix system-wide.
• Administrator privileges are required to place files in system directories and create executable launcher scripts.
• After installation, you can run commix from any terminal session without specifying its full path.
• To avoid permission issues or keep commix isolated, consider installing it inside a Python virtual environment instead.

Display current version

Option: --version

Description:
This option displays the currently installed version of commix. It is useful for verifying that the tool has been correctly installed and for determining whether you're running the latest version. Use this before a scan to ensure compatibility, access to the latest features, and to avoid bugs fixed in newer releases.

Notes:

• Helps confirm successful installation.
• Useful for troubleshooting and when reporting issues, as version information is often required.

Usage example:

python commix.py --version

Update to latest development version

Option: --update

Description:
This option ensures that you are using the most up-to-date exploit techniques and features. Keeping the tool updated improves detection accuracy and allows you to leverage the latest security research.

Notes:

• This option requires that commix was installed via git clone from the official repository. The update mechanism uses Git to fetch and apply the latest commits.
• If you are running commix from a static release package (such as a ZIP archive), the --update option will not function properly, and you will need to manually download newer versions.

Usage example:

python commix.py --update

Set custom output directory path

Option: --output-dir=OUTDIR

Description:
This option allows you to define a custom directory for storing session data, result files, and logs generated during a scan. By default, commix saves these files in a subdirectory named output within the current working directory. Using this option improves file organization - especially when handling multiple targets or running scans in different environments - by directing results to a location of your choice.

Notes:

• The specified directory will be created if it doesn't exist.
• Useful for keeping scan data centralized, especially when automating or logging multiple engagements.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --output-dir="/tmp/commix_reports"

Resume from stored session data

Option: -s SESSION_FILE

Description:
This option allows you to load a previously saved session from a .sqlite file. Commix creates and maintains persistent session files for each scan, storing valuable information such as detected injection points, tested parameters, and scan progress. By specifying this option, you can resume a scan exactly where it left off - saving time, avoiding redundant testing, and enabling deeper follow-up analysis. This is particularly useful when working on long assessments or revisiting targets at a later stage. You may also provide a custom file path if you're organizing session data for multiple targets in a central location.

Notes:

• Sessions are automatically saved in the .output/ directory - unless a custom path is specified.
• Combine with --output-dir for streamlined session and result management.
• Use --ignore-session if you want to temporarily skip loading a session without deleting it.

Usage example:

python commix.py -s session_data.sqlite

Flush stored session data

Option: --flush-session

Description:
This option deletes all previously stored session data for the target, ensuring that the current scan starts fresh without interference from cached results. Session files in commix store discovered injection points, tested parameters, payload results, and more.

It can be useful when:

• You suspect the session data is outdated or corrupted
• You want to rerun a scan from scratch with new options
• You’ve updated commix and want to avoid compatibility issues with older session files

By using this option, commix removes the corresponding .sqlite file and regenerates it from the beginning of the scan.

Notes:

• Use --flush-session cautiously, as it clears all stored session data and forces commix to perform fresh scans from scratch.
• Use --ignore-session instead if you want to temporarily bypass session loading without deleting data.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --flush-session

Ignore stored session data

Option: --ignore-session

Description:
This option tells skips loading previously saved session data but does not delete it, allowing temporary fresh scans without losing history. Unlike --flush-session, which permanently deletes stored data, --ignore-session simply bypasses it for the current run - leaving the session file intact for future use.

It can be useful when:

• You suspect previous session results are outdated or no longer reliable
• You want to test new parameters or techniques without losing historical data
• You need to revalidate a finding without interference from cached results

Notes:

• Use --flush-session if you want to fully erase session data.
• Helpful in scenarios where repeat testing is necessary but session data may skew results.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --ignore-session

Log all HTTP traffic into a textual file

Option: -t TRAFFIC_FILE

Description:
This option records all raw HTTP traffic - including full request and response data - into the specified file. By preserving complete HTTP exchanges, this log helps validate findings, trace behavior, and document the exploitation process with forensic accuracy.

It can be useful for:

• Post-exploitation analysis
• Bug bounty or vulnerability disclosure reports
• Auditing and compliance logging
• Reproducing exploitation steps during reviews or testing

Notes:

• Log files may include sensitive data such as cookies or credentials - store them securely.
• Combine with --verbose to enhance live debugging while capturing permanent records.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" -t traffic_log.txt

Set time limit for the scan to complete

Option: --time-limit=SECONDS

Description:
This option sets a hard time limit for how long commix is allowed to run, specified in seconds. Once the specified duration is reached, commix will forcibly stop the scan - regardless of its current progress. It is particularly useful in automated environments (e.g., CI/CD pipelines), where it's critical to prevent long-running scans from delaying or blocking build processes.

Notes:

• Use this to enforce predictable scan durations during scheduled assessments or integration testing.
• Combine with --delay or --technique to better manage the scan's depth and performance within the time limit.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --time-limit=1800

Act in non-interactive mode

Option: --batch

Description:
This option runs commix in fully non-interactive mode, automatically selecting default responses to any prompts or confirmations during the scan. It is ideal for automation, scripting, and headless environments where manual input is unavailable or impractical. Using this option enables smooth, unattended execution of scans - making commix suitable for integration into automated testing pipelines, scheduled jobs, or batch operations.

Notes:

• Be aware that some decisions will default automatically, which may affect scan behavior.
• Combine with logging or verbose options to capture details during unattended runs.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --batch 

Skip heuristic detection during the scan

Option: --skip-heuristics

Description:
This option disables heuristic detection during the scan, which can speed up the process but might cause some vulnerabilities to be overlooked. It is particularly useful when you want to manually specify parameters or focus on very specific behaviors, enabling more targeted and efficient testing.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --skip-heuristics

Force specific codec on each request

Option: --codec=CODEC

Description:
This option forces commix to use a specific codec (i.e. character encoding) when sending HTTP requests. It is particularly useful when targeting applications that utilize non-standard or legacy encodings, ensuring payloads are correctly encoded and interpreted by the server.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --codec="utf-8"

Specify custom set of characters

Option: --charset=CHARSET

Description:
This option allows you to specify a custom set of characters for use in timing delay injection payloads. It is particularly helpful for bypassing input filters, Web Application Firewalls (WAFs), or other security mechanisms that block or sanitize certain characters. By tailoring the character set, commix can better adapt its payloads to the target’s input constraints, improving the chances of successful exploitation in restrictive environments.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --charset="0123456789abcdef"

Check internet access before scanning

Option: --check-internet

Description:
This option verifies whether the system has an active internet connection before starting a scan. It is primarily used to ensure that dependencies, update checks, or external integrations can function properly during the assessment.

Usage example:

python commix.py --check-internet

Predefine answers to interactive questions

Option: --answers=ANSWERS

Description:
This option enables automation by predefining responses to commix’s interactive prompts. It allows you to control decision points during the scan - such as whether to follow redirects, apply specific techniques, or proceed with detected injection points - without requiring manual input. This is especially useful for scripting, batch scanning, or CI/CD integrations.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --answers="quit=N,follow=N"

---

Target options

Target options specify the URL or application entry point for testing, including parameters to test, HTTP methods, and ways to define injection points explicitly. They also include options for specifying data to be sent to the server, such as POST data or HTTP headers.

Target URL

Option: -u URL, --url=URL

Description:
This option is the main entry point for commix to begin injection testing. You must specify a URL that includes parameters potentially vulnerable to command injection. It supports both HTTP and HTTPS URLs. This option is mandatory unless the target is defined through alternative methods such as log files or bulk input files.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1"

Reload target URL (on each request)

Option: --url-reload

Description:
This option helps when the application state changes after each injection attempt, ensuring that commix works with a fresh session or page state every time. It is especially useful for applications that reset parameters or session data on each request, maintaining consistent testing conditions.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --url-reload

Parse target(s) from proxy log file

Option: -l LOGFILE

Description:
This option allows scanning multiple URLs gathered from a proxy log without manually specifying them individually. The log file should contain standard HTTP requests intercepted during a proxy session, enabling automated batch testing of all captured targets.

Usage example:

python commix.py -l proxy.log

Load multiple targets enlisted in a file

Option: -m BULKFILE

Description:
This option makes commix scan each URL sequentially, making it ideal for bulk testing or automation across multiple targets. It saves time by running scans against several endpoints automatically, without requiring manual input for each one.

Usage example:

python commix.py -m targets.txt

Load HTTP request from a file

Option: -r REQUESTFILE

Description:
This option is useful for complex requests that cannot be easily specified on the command line, such as those with custom headers, cookies, or POST data. The request file must contain the full raw HTTP request exactly as it is sent to the server, allowing precise replay and testing.

Usage example:

python commix.py -r request.txt

Crawl website starting from target URL

Option: --crawl=CRAWLDEPTH

Description:
This option automatically crawls the target website starting from the specified URL to discover additional URLs for testing. The crawling depth controls how many link levels the spider follows (default is 1). It is useful for uncovering hidden or dynamically generated URLs that may be vulnerable to command injection.

Notes:

• Higher crawl depths can significantly increase scan duration and server load.
• Use option --crawl-exclude to optimize crawling and avoid irrelevant pages.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --crawl=2

Exclude pages from website crawling

Option: --crawl-exclude=REGEX

Description:
This option lets you exclude pages from crawling by specifying a regular expression. For example, to skip all pages containing the keyword logout in their paths, you can use --crawl-exclude=logout. This helps focus the scan on relevant areas and avoid undesired URLs.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --crawl-exclude="logout"

Scan URLs from sitemap.xml

Option: -x SITEMAP_URL

Description:
This option allows commix to efficiently gather all URLs listed in the sitemap.xml file for scanning. This often provides comprehensive coverage of the entire application structure, improving the chances of identifying vulnerabilities across all accessible endpoints.

Usage example:

python commix.py -x http://www.target.com/sitemap.xml

Force HTTP method usage

Option: --method=METHOD

Description: By default, commix attempts to determine and use the most appropriate HTTP method for interacting with the target (typically GET or POST). However, some applications may require or behave differently with other methods such as PUT, DELETE, PATCH, or even less common ones like OPTIONS or HEAD. This option allows you to override the default behavior and explicitly set the HTTP method commix should use in its requests. This can be essential for testing non-standard endpoints, RESTful APIs, or custom HTTP behavior that depends on specific verbs.

It can be useful when:

• The endpoint accepts input only via a specific method not auto-selected by commix.
• You want to test whether different methods are treated inconsistently or introduce vulnerabilities (e.g., PUT vs POST).

Usage example:

python commix.py --url="http://www.target.com/vuln.php" --data="addr=1" --method="PUT"

---

Request options

These options configure the details of the HTTP request sent to the target, such as custom headers, cookies, authentication credentials, timeouts, proxy usage, and user agent strings. They enable tailoring the request to bypass security controls or fit specific scenarios.

HTTP data

Option: -d DATA, --data=DATA

Description:
By default, commix uses the HTTP GET method to send requests. However, if you provide data using the --data option (which includes key-value pairs meant for the request body), commix automatically switches to using the POST method. This allows it to simulate form submissions or API interactions that rely on request bodies.

It can be useful for:

• Sending the request as POST instead of GET, which may be necessary when targeting endpoints that only accept or process input through the request body. This approach also helps bypass certain server-side filters or access control rules that apply differently to GET and POST methods.
• Testing parameters from both the query string (URL) and the POST body for command injection vulnerabilities, ensuring that all possible entry points are evaluated.

Notes:

• You can override the method explicitly using --method (if needed).
• This approach is useful for testing forms, and APIs that expect POSTed data.

Usage example:

python commix.py --url="http://www.target.com/vuln.php" --data="addr=1&name=test"

Host HTTP header

Option: --host=HOST

Description:
This option is useful when testing virtual hosts or servers that rely on the Host header for routing requests. Setting a custom Host header helps target specific sites hosted on the same IP address or server.

Notes:

• By default Host HTTP header is parsed from a provided target URL.
• The Host HTTP header is tested if the --level is set to 3.

Usage example:

python commix.py --url="http://www.target.com/vuln.php" --host="example.local"

Referer HTTP header

Option: --referer=REFERER

Description:
This option sets a custom Referer HTTP header to simulate requests originating from a specific page or domain. It can be useful for testing how the target handles requests based on their referral source or to bypass certain access restrictions.

Notes:

• The Referer HTTP header is tested if the --level is set to 3.

Usage example:

python commix.py --url="http://www.target.com/vuln.php" --referer="https://google.com"

User-Agent HTTP header

Option: --user-agent

Description:
This option specifies a custom User-Agent string to mimic different browsers, devices, or clients. It helps test how the target responds to various user agents and can be used to bypass User-Agent-based filters or restrictions.

By default, commix performs HTTP requests with the following User-Agent HTTP header value:

commix/vX.Y.devZZ (https://commixproject.com)

Note:

• The User-Agent HTTP header is tested if the --level is set to 3.

Usage example:

python commix.py --url="http://www.target.com/vuln.php" --user-agent="Mozilla/5.0"

Use random User-Agent HTTP header

Option: --random-agent

Description:
This option instructs commix to use a randomly selected User-Agent header from a built-in list of common browser and device signatures.

It helps evade basic security mechanisms and filtering rules that:

• Block or throttle requests based on known scanner User-Agents
• Apply stricter rules to suspected automated tools
• Serve different content or behavior depending on the perceived client

Notes:

• Can be combined with --header or --headers for further customization of HTTP headers.
• Useful in stealth assessments or when bypassing naive WAFs and CDN edge filters.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --random-agent

Set parameters splitting character

Option: --param-del=PDEL

Description:
This option lets you specify a custom delimiter character to split multiple parameters in HTTP requests. By default, commix expects parameters to be separated by the ampersand (&) character, which is standard in URL query strings and POST bodies. However, some applications or legacy systems may use alternative delimiters like semicolon (;) or others. Using this option ensures that commix correctly parses each parameter individually, allowing accurate injection testing on all supplied parameters regardless of the separator used.

Usage example:

python commix.py --url="http://www.target.com/vuln.php" --data="addr=foobar;id=1" --param-del=";"

Set custom Cookie header values

Option: --cookie=COOKIE

Description:
This option sets one or more custom cookie values to be included in the Cookie header of each request. It is particularly useful for maintaining authenticated sessions, simulating specific user roles or states, or reproducing application behavior under specific conditions. This allows commix to access and test parts of the application that are otherwise restricted to logged-in or session-specific users.

Note:

• The cookie string should follow the standard format: key1=value1; key2=value2.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --cookie="key1=value1; key2=value2"

Set cookies splitting character

Option: --cookie-del=CDEL

Description:
This option allows you to specify a custom delimiter character to separate multiple cookies in the Cookie header. By default, cookies are split using the semicolon (;) character. However, in certain applications or testing environments—such as those using custom parsing logic or non-standard formatting—using an alternative delimiter (e.g., | or ,) may be necessary to ensure proper recognition and injection of individual cookie values.This is particularly useful when working with intercepted or reconstructed HTTP traffic that deviates from conventional formatting, or when fuzzing cookie-based injection points.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --cookie-del="|"

Set extra HTTP header (single)

Option: -H HEADER, --header=HEADER

Description:
This option adds a single custom HTTP header to all HTTP requests sent by commix. It is useful for scenarios where a specific header is required - such as authentication, session identification, client emulation, or routing logic. The header is included exactly as provided and must follow the standard Header-Name: value format. This option is designed for situations where only one extra header is needed.

Note:

• To add multiple headers, use the --headers=HEADERS option, which supports a newline-separated list.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --header="X-Forwarded-For: 127.0.0.1"

Set extra HTTP headers (bulk)

Option: --headers=HEADERS

Description:
This option allows you to define multiple custom HTTP headers simultaneously by passing them as a single string, with each header separated by a newline character (\n). All specified headers will be included in every HTTP request sent by commix. This feature is particularly useful when testing scenarios require multiple headers for authentication, user simulation, proxy routing, or to meet specific application requirements. Ensure that each header follows the Header-Name: value format and that newline separation is correctly handled by your shell or scripting environment.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" \
--headers="Accept-Language: en-US\nUser-Agent: CustomAgent/1.0\nCache-Control: no-cache"

Route all traffic through specified HTTP proxy

Option: --proxy=PROXY

Description:
This option routes all HTTP requests sent by commix through a specified HTTP proxy server. An HTTP proxy acts as an intermediary between your tool and the target server, forwarding requests and responses. Using an HTTP proxy can help you anonymize your traffic by hiding your original IP address, capture and log request/response data for analysis, or bypass network restrictions such as firewalls or IP-based blocking. The proxy address should include the scheme and the port number (e.g., http://127.0.0.1:8080).

Note:

• Currently, this option provides native support for HTTP proxies only and does not support SOCKS4, SOCKS5, or other proxy protocols out of the box. If you need to use a SOCKS proxy, or want to bridge a SOCKS proxy with an HTTP proxy (e.g., for traffic inspection or compatibility purposes), refer to the relevant usage sections in the documentation [1], [2].

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --proxy="http://127.0.0.1:8080"

Enable sending requests over Tor

Option: --tor

Description:
This option enables commix to route its HTTP requests through the Tor network, effectively concealing your real IP address and enhancing privacy during exploitation or testing. By anonymizing your traffic, it helps protect your identity and reduces the risk of detection or tracking by target systems.

Note:

• This option requires Tor service to be running.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --tor 

Specify Tor proxy port

Option: --tor-port=TOR_PORT

Description:
This option allows you to override the default port used for Tor connections. It is particularly useful when your Tor service is configured to listen on a non-standard or custom port, ensuring that commix can correctly connect and route traffic through the Tor network without connectivity issues.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --tor --tor-port=9050

Check if traffic is routed through Tor

Option: --tor-check

Description:
This option performs a preliminary check to verify Tor network connectivity before initiating the scan. By doing so, it ensures that all outgoing traffic is properly routed through the Tor network, maintaining user anonymity and enhancing privacy. This verification helps prevent accidental exposure of your real IP address by confirming that the Tor proxy or service is active and functioning correctly before any data is sent. This is particularly important in scenarios where anonymity or bypassing network restrictions is critical.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --tor --tor-check

Specify login page URL

Option: --auth-url=AUTH_URL

Description:
Specify the full URL of the login page to enable automated authentication before the exploitation process begins. This feature allows commix to handle authenticated sessions by automatically submitting the necessary login credentials, simulating a real user login. Upon successful authentication, commix captures and stores the relevant session data - such as access tokens, session cookies, or headers - which it then reuses throughout the scan to maintain an authenticated context. This option is particularly useful for targeting applications that restrict access to injection points behind a login wall.

Note:

• Use this in combination with --auth-data, to fully configure the login process.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" \
--auth-data="user=admin&pass=1234" \
--auth-url="http://www.target.com/login.php"

Specify authentication data

Option: --auth-data=AUTH_DATA

Description:
This option specifies the authentication data to submit during the login process when interacting with targets that require user authentication. It typically consists of URL-encoded key-value pairs - such as a username and password - that are submitted as part of a POST request to the login form. This is essential for testing authenticated areas of an application, where session-based access is required to reach potential injection points.

Notes:

• Combine with --auth-url to specify the login form’s URL.
• Use --cookie to manually manage session persistence, if needed.
• Some forms may use hidden tokens or CSRF protection; consider scripting or manual login capture if necessary.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" \
--auth-data="user=admin&pass=1234" \
--auth-url="http://www.target.com/login.php"

Specify HTTP authentication type

Option: --auth-type=AUTH_TYPE

Description:
Specify the HTTP authentication scheme to use when accessing the target application. This option allows commix to handle protected resources that require HTTP-level authentication by automatically including the appropriate Authorization headers in each request. It is essential for exploiting targets that enforce access control via HTTP auth mechanisms.

Αuthentication types:

• Basic: Sends credentials encoded in Base64 within the Authorization header.
• Digest: Uses a challenge-response mechanism for improved security over Basic.
• Bearer: Sends a token (such as a JWT) in the Authorization header for token-based authentication.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1"  \
--auth-type="basic"  \
--auth-cred="username:password"

Set HTTP authentication credentials

Option: --auth-cred=AUTH_CREDENTIALS

Description:
This option allows you to supply credentials for HTTP authentication in the format username:password. These credentials are used to authenticate against web servers that protect resources using supported HTTP authentication schemes such as Basic or Digest authentication. This is particularly useful when testing applications or endpoints that require access control at the HTTP level (e.g., .htaccess-protected directories).

Notes:

• Use quotes if your password includes special characters.
• Avoid using this option on shared systems or leaving it in shell history; use tools like history -d to remove sensitive entries.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --auth-cred="admin:password"

Set HTTP status code(s) to abort

Option: --abort-code=ABORT_CODES

Description:
This option specifies a comma-separated list of HTTP status codes that, if encountered during the scanning or exploitation process, will cause commix to immediately terminate execution. It is useful for preventing further interaction with the target when specific server-side errors, redirects, or access denials are encountered.

Notes:

• By configuring this option, users can avoid triggering rate-limiting mechanisms, intrusion detection systems, or simply halt the scan upon detecting conditions that indicate failure or unintended behavior.
• Use this option proactively when testing production environments or sensitive systems.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --abort-code="401,403"

Set HTTP status code(s) to ignore

Option: --ignore-code=IGNORE_CODES

Description:
This option specifies a comma-separated list of HTTP status codes that commix should treat as non-fatal during scanning. When any of the specified status codes are encountered in server responses, commix will not interpret them as errors and will continue scanning normally. This is particularly useful when targeting applications that return unconventional status codes (e.g., 404 or 403) as part of their normal behavior - even when injection points are accessible.

It can be useful for:

• Bypassing soft-blocking or decoy responses.
• Testing applications with custom error-handling logic.
• Handling scenarios where valid responses are misrepresented by unusual status codes.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --ignore-code="404,403"

Force HTTPS usage

Option: --force-ssl

Description:
This option forces commix to use HTTPS for all requests, regardless of whether the provided target URL begins with http://. When enabled, commix will automatically upgrade all connections to use SSL/TLS, ensuring that communication with the target server is encrypted.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --force-ssl

Ignore system proxy settings

Option: --ignore-proxy

Description:
This option ignores any system or environment proxy settings and connects directly to the target server. It ensures that commix bypasses all configured proxies, establishing a direct network connection.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --ignore-proxy

Ignore HTTP redirects during scanning

Option: --ignore-redirects

Description:
This option disables automatic following of HTTP redirects during the scanning process. When enabled, commix will stop after receiving redirect responses (such as HTTP 3xx status codes) instead of automatically following the Location header to the next URL.

Notes:

• By default, commix follows redirects to ensure seamless scanning through multi-step workflows.
• Use this option to gain finer control over response analysis and scanning logic.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --ignore-redirects

Set connection timeout

Option: --timeout=SECONDS

Description:
This option sets the maximum time in seconds, that commix will wait for a response from the server before timing out. By default, the timeout is set to 30 seconds. Setting this appropriately ensures commix does not hang indefinitely or abort too early due to minor delays in the server response.

It can be useful when dealing with:

• Slow or high-latency servers: Increase the timeout to prevent premature connection termination.
• Unresponsive or rate-limited targets: Fine-tune the timeout to balance scan reliability and speed.
• Burp Suite or proxy delays: Accommodate additional processing time when routing through intercepting proxies.

Note:

• Short timeouts may cause false negatives on slow or heavily loaded servers. Adjust accordingly.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --timeout=10

Set number of retry failed connection attempts

Option: --retries=NUM

Description:
This option sets the maximum number of times commix will retry a failed connection attempt (default is 3). Each retry is triggered only after a connection failure, not on normal timeouts. This feature helps improve scan resilience without restarting the entire process.

It can be useful with:

• Intermittent connectivity.
• Unstable or rate-limited web servers.
• Proxies that occasionally drop connections.

Notes:

• Use in combination with --timeout to fine-tune network robustness.
• Higher retry counts increase reliability but may slow down scanning on consistently failing hosts.
• Setting --retries=0 disables retrying entirely, which is useful for quick scans against stable targets.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --retries=5

Ignore Set-Cookie headers

Option: --drop-set-cookie

Description:
This option tells commix to ignore all Set-Cookie headers sent by the server in HTTP responses. This is particularly useful when testing applications that issue new or modified cookies per request or when attempting to replay consistent behavior in session-dependent workflows. By doing so, it prevents automatic updates to the current session’s cookies.

It can be useful for:

• Maintaining a stable session throughout the scan
• Preventing forced logouts or user role changes triggered by cookie rotation
• Bypassing anti-bot protections that rely on dynamic session identifiers

Notes:

• Combine with manually specified cookies (--cookie) for fixed-session testing.
• Disabling cookie updates can reduce server-side anomalies during injection testing.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --drop-set-cookie

---

Enumeration options

Enumeration options are used to collect detailed information about the target system’s operating system and environment after successfully exploiting a command injection vulnerability.

Retrieve all available target information

Option: --all

Description:
Retrieve all possible information from the target, including users, privileges, hostname, operating system, and more. This option runs multiple enumeration checks to provide a comprehensive overview of the compromised system.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --all 

Retrieve current username

Option: --current-user

Description:
This option retrieves all possible information from the target, including users, privileges, hostname, operating system, and more. It performs multiple enumeration checks to provide a comprehensive overview of the compromised system, aiding in thorough post-exploitation analysis.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --current-user

Retrieve hostname

Option: --hostname

Description:
This option retrieves the hostname of the target system to identify the machine within a network environment or domain. It helps in mapping the target’s network context and understanding its role or location.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --hostname

Check if current user has root privileges

Option: --is-root

Description:
This option checks if the current user has root privileges on Unix/Linux systems, which indicates full system control.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --is-root

Check if current user has administrative privileges

Option: --is-admin

Description:
This option checks if the current user has administrative privileges on Windows systems, important for privilege escalation assessment.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --is-admin 

Retrieve detailed system information

Option: --sys-info

Description:
This option retrieves detailed system information such as operating system version, kernel details, environment variables, and system architecture.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --sys-info

Retrieve a list of user accounts

Option: --users

Description:
This option retrieves a list of user accounts configured on the target system, useful for further enumeration or password attacks.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --users 

Attempt to retrieve password hashes

Option: --passwords

Description:
This option attempts to retrieve password hashes from the target system for offline cracking or analysis.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --passwords 

Retrieve detailed privilege information

Option: --privileges

Description:
This option retrieves detailed privilege information of the current user or other users on the target system.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --privileges 

Retrieve installed PowerShell version

Option: --ps-version

Description:
This option retrieves the installed PowerShell version on Windows targets, which helps in selecting compatible post-exploitation modules or scripts.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --ps-version 

---

File Access options

Read and display contents of a target file

Option: --file-read=FILE

Description:
This option allows you to retrieve and read files from the target system, which can be invaluable for extracting sensitive information such as configuration files, password lists, logs, or other critical data during an assessment.

Notes:

• Ensure you have explicit permission and legal authorization before accessing or reading any files on a target system.
• Unauthorized file access is illegal and may lead to severe legal consequences.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --file-read="/etc/passwd" 

Write arbitrary content to a target file

Option: --file-write=FILE

Description:
This option enables you to remotely create or overwrite files on the target system. It is particularly useful for placing web shells, backdoors, or other malicious payloads when the target environment allows writing to the filesystem.

Notes:

• Ensure the target directory is writable; otherwise, the operation will fail.
• Use responsibly and only with explicit authorization to avoid legal issues.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1"  \
--file-write="local.txt"  \
--file-dest="/tmp/remote.txt"

Upload a local file to the target server

Option: --file-upload=FILE

Description:
This option enables commix to transfer custom payloads, scripts, or files to the target system as part of the exploitation process. Uploading allows for advanced post-exploitation activities such as executing remote commands, gathering additional information, or establishing persistent access.

Notes:

• Ensure the target directory is writable; otherwise, the operation will fail.
• Use responsibly and only with explicit authorization to avoid legal issues.
• Use along with --file-dest to specify the upload location.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1"  \
--file-upload="local.txt"  \
--file-dest="/tmp/remote.txt"

Set absolute target path for file write or upload

Option: --file-dest=FILE

Description:
This option works in combination with --file-write or --file-upload to specify the exact destination path on the target system where files should be created, overwritten, or uploaded. It allows precise control over the location of file operations, ensuring payloads or scripts are placed in the desired directory for successful execution or persistence.

Usage examples:

python commix.py --url="http://www.target.com/vuln.php?addr=1"   \
--file-upload="local.txt"  \
--file-dest="/tmp/local.txt"

---

Modules

Activate Shellshock injection module

Option: --shellshock

Description:
This option enables Shellshock (CVE-2014-6271 and related CVEs) testing module to identify vulnerabilities in CGI scripts that rely on the Bash shell. The Shellshock bug allows attackers to achieve unauthenticated remote code execution by injecting malicious payloads into specially crafted environment variables—commonly set via HTTP headers such as User-Agent, Referer, Cookie, or custom headers. When Bash processes these variables, it may incorrectly evaluate appended function definitions followed by arbitrary commands. This flaw is particularly critical in web server environments that expose Bash through CGI interfaces, enabling attackers to execute system-level commands remotely. Successful exploitation can result in full system compromise, data exfiltration, privilege escalation, or lateral movement across the network.

Note:

• Want to build your own module like this? Check out the Module Development Guide for a full walkthrough on writing and integrating custom commix modules.

Usage example:

python commix.py --url="http://www.target.com/cgi-bin/status/" --shellshock 

---

Injection options

Injection options control how commix crafts and delivers payloads to exploit command injection vulnerabilities. They include techniques for encoding payloads, using tampering scripts, selecting injection methods, and evading Web Application Firewalls (WAFs) or other filtering mechanisms. These options help customize and optimize the command injection process for higher success rates and stealth.

Test only specified parameter(s)

Option: -p PARAMETER

Description:
This option allows you to limit the scanning and testing process to specific input parameters instead of scanning all parameters indiscriminately. By targeting only selected parameters, you can significantly reduce the scope of testing, save time, and minimize unnecessary noise in the results.

Notes:

• Multiple parameters can be specified as a comma-separated list.
• Use this option to improve the precision and safety of your tests

Usage example:

python commix.py --url="http://www.target.com/vuln.php" --data="id=2&addr=1&test=3" -p addr 

Skip testing specified parameter(s)

Option: --skip=PARAMS

Description:
This option allows you to exclude specific parameters from the scanning and testing process. By skipping known safe or irrelevant parameters, you can focus the assessment on inputs that are more likely to be vulnerable, thereby improving scan efficiency and reducing noise in the results.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1"  \
--data="id=2&addr=1&test=3"  \
--skip="test"

Append custom string (to all injection payloads)

Option: --suffix=SUFFIX

Description:
This option appends a custom string or character sequence to every injection payload sent during testing. Appending such suffixes can help bypass input validation filters, fix syntax errors, or tailor payloads to the target’s specific parsing behavior. This technique is especially useful when the injection context requires closing quotes, comments, or other delimiters to maintain valid syntax and increase exploitation success.

Notes:

• Combine with other options like --prefix or --tamper for complex payload customization.
• Experiment with different suffixes depending on the target’s input parsing and filter behavior.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --suffix="'"

Prepend custom string (to all injection payloads)

Option: --prefix=PREFIX

Description:
This option prepends a custom string or character sequence to every injection payload sent during testing. Prepending prefixes can help bypass input validation filters, fix syntax errors, or adjust the payload to fit the target’s parsing context. It is particularly useful when the injection point expects certain opening characters - such as quotes, parentheses, or comment tokens - to form valid or exploitable input.

Notes:

• Combine with other options like --suffix or --tamper for complex payload customization.
• Experiment with different suffixes depending on the target’s input parsing and filter behavior.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --prefix="'"

Select technique(s) to use during testing

Option: --technique=TECH

Description:
By default, commix tests all available command injection techniques to maximize the chances of detection. This option allows you to specify one or more particular injection techniques to use during the scan, tailoring the testing process to the target’s environment, defenses, or your preferred strategy. Selecting specific techniques can optimize scan speed and reduce noise when you have prior knowledge about the target’s behavior.

Τechniques:

• (C)lassic: This technique relies on results-based injection, where the output of injected commands is directly reflected in the server’s HTTP response. It is the most straightforward injection method, allowing immediate verification of successful command execution by analyzing the HTTP response content. For example, injecting id and observing the user and group information directly in the response body. This technique is highly effective when the vulnerable application does not sanitize or suppress command output in its responses.
• Dynamic Code (E)valuation: This technique relies on results-based injection and targets vulnerable uses of eval() or similar dynamic code execution functions (e.g., assert(), preg_replace() with /e modifier in PHP). Injected payloads are directly evaluated and executed within the application’s runtime environment. Exploiting this requires that user input be passed unsafely to these functions, allowing for arbitrary code execution within the interpreter’s context. Because the code executes inline, this technique can sometimes bypass traditional output filtering or encoding mechanisms, increasing the potential impact of the injection.
• (T)ime-based: This technique does not rely on visible output; instead, it exploits blind injection by conditionally delaying the server's response. Payloads typically use commands (like sleep or timeout) to introduce measurable delays when specific conditions are met. By observing variations in response times, attackers can infer system behavior, evaluate boolean conditions, or extract data one bit at a time. Although inherently slower due to its indirect feedback mechanism, this approach is highly effective in restrictive environments where standard output channels are filtered, suppressed, or entirely unavailable.
• (F)ile-based: This semi-blind injection technique writes the output of executed commands to a file on the server's filesystem, which is then read back to confirm successful execution. It requires either knowledge or educated guessing of a writable path on the server. When this is not possible - due to file system restrictions, permission issues, or unknown writable locations - the payload targets common temporary directories (e.g., /tmp, /var/tmp, or C:\Windows\Temp) to write output to temporary files. The attacker then accesses these files to retrieve command results. This technique bridges the gap between blind and classic injections and is particularly useful when direct command output is suppressed but file I/O is allowed.

Notes:

• You can specify one or multiple techniques (e.g., --technique="ct").
• Combining techniques allows for a more comprehensive and flexible injection testing strategy.
• For comprehensive details on each technique, including usage examples and requirements, refer to the Techniques wiki.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --technique="ctf"

Skip specified injection technique(s)

Option: --skip-technique=TECH

Description:
This option allows you to exclude specific command injection techniques from the scanning process. By skipping techniques that are known to cause false positives, instability, or undesired side effects on the target system, you can make your testing more precise, efficient, and safer.

Note:

• You can skip one or multiple techniques (e.g., --skip-technique="tf").

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --skip-technique="tf"

Set maximum output length

Option: --maxlen=MAXLEN

Description:
This option defines the maximum length of output data to be retrieved during time-based delay injection techniques. By limiting the size of extracted data (default is 10000 characters), it helps prevent excessively long response times that could slow down the scan or cause timeouts. Using this option ensures more efficient scanning by balancing thoroughness with practical time constraints, especially when extracting large amounts of data via timing delay injection methods.

Notes:

• Decreasing this value can speed up scans but may truncate output.
• Increasing it may slow the scan and risk longer delays on slow or unstable targets.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --maxlen=500 

Set delay between HTTP requests

Option: --delay=SECONDS

Description:
This option adds a specified delay in seconds, between each HTTP request sent during the scanning process. Introducing this delay slows down the testing pace, helping to reduce the risk of triggering rate-limiting mechanisms, Web Application Firewalls (WAFs), or other security mechanisms. By pacing requests more discreetly, this option helps evade automated defenses and makes the scan less likely to be detected or blocked.

Notes:

• Increasing delay improves stealth but prolongs scan duration.
• Use a delay suitable to the target’s security posture and response times.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --delay=2 

Set delay duration

Option: --time-sec=SECONDS

Description:
This option specifies the time delay used in timing delay injection payloads to measure response time differences (default is typically 5 seconds). It defines the duration the target server is instructed to pause, enabling accurate detection of timing delay vulnerabilities.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --time-sec=5

Set web server temporary directory path for file uploads

Option: --tmp-path=PATH

Description:
This option sets the absolute path to the temporary directory on the web server, used for file upload or write operations. It ensures that commix can correctly locate a writable directory for storing files during exploitation attempts.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --tmp-path="/tmp"

Set web server document root directory for file operations

Option: --web-root=PATH

Description:
This option defines the web server's document root directory to assist with file write or upload operations. It helps commix accurately place files within the web-accessible directory structure during exploitation.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --web-root="/var/www/html"

Use alternative shell for command execution

Option: --alter-shell=SHELL

Description:
This option enables the use of an alternative shell environment for executing commands on the target system. This is particularly useful when the default system shell is restricted or unavailable. Currently, commix supports Python as the alternative shell. By leveraging the Python interpreter, which is commonly present on many systems, commix can bypass certain command execution limitations imposed by security controls or system configurations. This enhances the tool's ability to exploit command injection vulnerabilities, especially in environments where traditional shell access is constrained.

Note:

• Before using this option, ensure that the target system has Python installed and accessible.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --alter-shell="python"

Execute a single OS command on the target and show output

Option: --os-cmd=COMMAND

Description:
This option instructs commix to execute a single operating system command on the target if a command injection vulnerability is confirmed. Rather than launching an interactive shell, it performs one-off command execution and displays the command output directly in the console.

It can be useful for:

• Quickly verifying exploitability of a suspected injection point.
• Extracting specific data (e.g., file contents, system info) in a non-interactive manner.
• Reducing noise during stealthy testing or proof-of-concept phases.

Notes:

• Output is limited to that of a single command.
• Some complex commands requiring interactive input or long execution may not behave as expected.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --os-cmd="uname -a"

Force OS detection to Windows or Unix/Linux for tailored payloads

Option: --os=OS

Description:
This option manually sets the target's operating system to either Windows or Unix (case-insensitive). It overrides Commix’s automatic OS detection and tailors payloads, encodings, and command syntax based on the specified platform. Setting the correct OS improves payload accuracy, reliability, and effectiveness, especially in command execution and post-exploitation phases.

It can be useful when:

• The automatic detection is inconclusive or fails due to limited response feedback.
• You already know the target OS based on reconnaissance or headers.
• You want to bypass detection entirely for faster or stealthier testing.

Note:

• When unsure, run commix without this option first and review the detected OS - if misidentified, re-run with --os manually set to ensure correct payload behavior.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --os="Windows"

Use tamper scripts to modify payloads

Option: --tamper=SCRIPT

Description:
This option applies one or more tamper scripts to modify injection payloads, helping to bypass Web Application Firewalls (WAFs), filters, or input validation mechanisms. By altering the payload format, it increases the likelihood of successful exploitation in environments with security defenses.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --tamper="space2ifs"

Specify MSF installation path

Option: --msf-path=PATH

Description:
This option sets the absolute installation path of the Metasploit Framework (MSF), enabling commix to interface with MSF's post-exploitation capabilities. When correctly configured, commix can invoke MSF modules to facilitate tasks such as session management, privilege escalation, or establishing reverse shells once a successful injection has been confirmed. This integration is especially valuable in advanced exploitation workflows, providing a seamless bridge between vulnerability detection and active exploitation within the MSF ecosystem.

It can be useful for:

• Leveraging MSF's payloads and listeners directly from commix.
• Automating post-exploitation steps once a shell is obtained.
• Aligning with red team tools and methodologies.

Notes:

• MSF must be properly installed and accessible at the specified path.
• Permissions may be required to execute MSF commands or modules from commix.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --msf-path="/opt/metasploit-framework"

---

Detection options

Detection options control how commix identifies potential command injection vulnerabilities on the target application. These settings determine the scope, depth, and techniques used during initial testing phases, balancing thoroughness with scan efficiency. They help customize the detection process to fit various target environments and testing needs.

Level

Option: --level=LEVEL

Description:
This option specifies the thoroughness level of the injection tests, ranging from 1 (light) to 3 (most thorough). Higher levels execute a larger number of payloads and perform more extensive checks, improving detection accuracy and reducing false negatives. However, increasing the level also extends the scan duration, so choose a balance between speed and comprehensiveness based on your testing needs.

Levels:

• 1: Performs basic injection tests on URL parameters and POST data only. This level is faster and suitable for quick assessments or when minimizing requests.
• 2: Includes all Level 1 tests, plus injection testing in HTTP cookies. Additionally, Level 2 runs an extensive suite of injection payloads to increase the likelihood of detecting more complex vulnerabilities.
• 3: Includes all Level 2 tests, plus injection testing in HTTP headers (such as User-Agent, Referer, etc.). Level 3 also executes the most extensive and comprehensive set of payloads and techniques to uncover hidden or sophisticated injection points.

Note:

• Use higher levels when initial scans are inconclusive or to detect complex injection vectors.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --level=3

Speed up scan by skipping calculation tests

Option: --skip-calc

Description:
This option speeds up the scan by skipping tests that involve calculations. By avoiding complex payloads that require additional processing or response analysis, it reduces overall scan time and helps achieve quicker results.

Note:

• This option may not be relevant or effective against all targets and could potentially miss some injection vectors that rely on calculation-based payloads.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --skip-calc 

Skip parameters with empty values during injection tests

Option: --skip-empty

Description:
This option skips testing parameters that have empty values, which are generally less likely to be injectable. By focusing only on inputs containing data, it optimizes scan speed and improves accuracy.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --skip-empty

Set max number of failed attempts

Option: --failed-tries=NUM

Description:
This option limits the number of consecutive failed timing delay tests. If the specified number of failures is reached, the test aborts early to avoid wasting time and resources on slow or unresponsive injection attempts.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --failed-tries=3

Run thorough tests only on positive heuristics

Option: --smart

Description:
This option enables smart scanning mode, performing in-depth injection tests only when initial heuristic checks suggest a strong chance of vulnerability. It enhances scanning efficiency by reducing unnecessary tests on safe parameters, lowering false positives, and shortening overall scan time.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --smart

---

Miscellaneous options

The miscellaneous options in commix provide additional control over the tool’s behavior and environment. They include settings for dependency management, output formatting, user interface modes, environment simulation, and operational controls such as logging and data management. These options enhance flexibility and usability, allowing users to tailor commix to different testing scenarios, environments, and user preferences beyond core injection functionalities.

Ignore all required third-party dependencies

Option: --ignore-dependencies

Description:
This option instructs commix to ignore all required third-party library dependencies. It is useful when running in environments with partial setups or where dependencies are managed manually, allowing the tool to operate despite missing or incomplete libraries. Use with caution, as skipping dependencies may lead to reduced functionality or unexpected errors.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --ignore-dependencies

Show available tamper scripts

Option: --list-tampers

Description:
This option displays a list of tamper scripts included with commix. These scripts help bypass filters, Web Application Firewalls (WAFs), or input validation mechanisms during testing, allowing users to select the most suitable tamper script for their target.

Usage example:

python commix.py --list-tampers

Alert on successful injection detection

Option: --alert=ALERT

Description:
This option executes the specified host operating system command(s) immediately when an injection point is detected. It enables automated responses such as triggering alerts, running custom scripts, or integrating with external monitoring tools upon successful vulnerability discovery.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --alert="sh sample.sh"

Disable file logging

Option: --no-logging

Description:
This option disables logging output to files, displaying all results exclusively in the console. It is useful for ephemeral testing scenarios or when privacy concerns require avoiding the creation of persistent log files.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --no-logging

Safely remove all data directory content

Option: --purge

Description:
This option safely removes all data stored by commix in its data directory, including cache files, session data, and logs. It helps reset the tool’s state between tests to ensure a clean scanning environment without residual information from previous runs.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --purge

Skip heuristic WAF/IPS detection

Option: --skip-waf

Description:
This option disables commix’s heuristic detection of Web Application Firewalls (WAF), or other security mechanisms. It is useful when such detection mechanisms introduce false positives, slow down the scan, or interfere with payload delivery. Disabling WAF/IPS detection can improve performance and reduce noise in known environments but may also prevent commix from adapting payloads to bypass security filters.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --skip-waf

Imitate a smartphone

Option: --mobile

Description:
This option sets the HTTP User-Agent header to mimic a smartphone or mobile device. It It is useful for targeting mobile-specific application interfaces, content, or security behaviors that differ from desktop views. Some applications apply different validation or filtering rules to mobile clients, making this option essential when attempting to bypass device-specific protections or access mobile-only endpoints.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --mobile

Run in offline mode

Option: --offline

Description:
This option runs commix in offline mode, disabling update checks and any internet connectivity requirements. It is especially useful in restricted or air-gapped environments where external network access is limited or unavailable, ensuring uninterrupted operation without relying on external resources.

Usage example:

python commix.py --offline

Use simple wizard interface for beginners

Option: --wizard

Description:
This option starts a simple, guided interactive wizard tailored for beginner users. It walks you through essential configuration steps in a clear, step-by-step manner, making the scanning process easier to understand and use, especially for newcomers.

Usage example:

python commix.py --wizard

Disable colored console output

Option: --disable-coloring

Description:
This option disables colored output in the console, producing plain text instead. It is useful when logging scan results to files, or when running commix in terminals that do not support color formatting, ensuring readability and compatibility.

Usage example:

python commix.py --url="http://www.target.com/vuln.php?addr=1" --disable-coloring

---

Advanced usage tips

Parsing target addresses from piped input (stdin)

Commix supports reading target URLs directly from standard input (stdin), allowing seamless integration with other tools in a command-line pipeline. This enables powerful automation workflows where targets are dynamically discovered and tested in real-time without manual intervention.

Description:
Instead of specifying the --url option manually, you can pipe a list of URLs into commix. This is particularly useful when combining commix with reconnaissance tools such as:

• waybackurls (for extracting historical URLs from the Wayback Machine)
• gau (GetAllURLs - for fetching known URLs from public sources)
• or custom scripts that generate or filter URLs dynamically

Commix will parse each line of input as a potential target, applying its injection detection logic accordingly.

Advantages:

• Automation-friendly: Ideal for CI/CD pipelines and bug bounty workflows.
• Scalable: Test large volumes of URLs with minimal manual effort.
• Filterable: Combine with grep, jq, or awk to include/exclude certain patterns before testing.

Usage example:

echo "www.target.com" | waybackurls | grep vuln.php | python commix.py --data="addr=1" --os-cmd="whoami" --batch

Using SOCKS proxies

Commix supports proxy usage via the --proxy option, but this is limited to HTTP and HTTPS proxies only. This limitation means that SOCKS4 or SOCKS5 proxies are not supported natively.

Description:
ProxyChains is a powerful tool that enables transparent routing of all TCP traffic through one or more SOCKS proxies, such as a remote VPS SOCKS tunnel. It supports multi-hop SOCKS proxy chaining (e.g., Tor → SSH Tunnel → VPS), providing enhanced anonymity and routing flexibility. This makes it ideal for applications like commix, which do not natively support SOCKS proxies, allowing them to benefit from SOCKS-based tunneling without requiring any internal configuration changes.

To configure ProxyChains, edit its configuration file—typically located at /etc/proxychains.conf for system-wide settings or ~/.proxychains/proxychains.conf for per-user configurations. Then, add your SOCKS proxy entry at the end of the file:

# remote SOCKS proxy
# socks5 your.proxy.ip 1080

Important: To prevent DNS leaks—where DNS requests bypass the proxy and could reveal your real IP address—make sure to uncomment or add the proxy_dns directive in your ProxyChains configuration file. Enabling this setting ensures that all DNS queries are routed through the proxy chain, maintaining your anonymity and privacy.

Usage example:

proxychains python commix.py --url="http://www.target.com/vuln.php?addr=1"

Bridging SOCKS with HTTP proxy for traffic inspection

Description:
If you want to inspect or manipulate commix traffic in Burp Suite but your network only provides access to a SOCKS proxy, you’ll need to set up a local HTTP proxy endpoint that forwards traffic through the SOCKS proxy. This acts as a "bridge" converting SOCKS-level traffic (which commix doesn’t natively support) into an HTTP proxy interface that commix can interact with.

Tools like redsocks or proxychains + Burp Suite listener can handle this bridging. Configure commix to use the local HTTP proxy via the --proxy option. Once the SOCKS-to-HTTP bridge is live (e.g., on 127.0.0.1:8080), you can instruct commix to route its traffic through it like so.

Usage example:

python commix.py --url="http://target.com/vuln.php?input=1" --proxy="http://127.0.0.1:8080"

This allows commix to function as if it’s using a regular HTTP proxy, while the traffic is actually being tunneled over SOCKS.

---

Exploitation Guides

Dive deeper into commix’s features with practical, battle-tested strategies that boost your testing efficiency and fine-tune your precision in real-world scenarios.

• Dive into a rich collection of practical, real-world examples demonstrating how commix can be leveraged against popular vulnerable targets such as DVWA, Mutillidae, and various specialized testbeds. The usage examples section offers step-by-step examples illustrating everything from simple injection points to complex exploitation scenarios.

• Master the art of evasion with advanced payload tricks, creative encoding methods, and innovative techniques designed to bypass common input sanitization routines and Web Application Firewalls (WAFs). The filters bypass examples section, covers a range of evasion techniques—such as whitespace manipulation, character encoding, separator chaining, and other advanced methods—to help you effectively bypass defenses.

• Unlock the power of commix with comprehensive examples for gaining interactive access to your target systems. The getting shells section offers step-by-step examples on delivering, triggering, and maintaining reliable shell access throughout your assessments.

---