commix v2.7 releases: Automated All-in-One OS command injection and exploitation tool

Commix (short for [comm]and [i]njection e[x]ploiter) is an automated tool written by Anastasios Stasinopoulos (@ancst) that can be used by web developers, penetration testers or security researchers to test web-based applications with a view to finding bugs, errors or vulnerabilities related to command injection attacks. The tool makes it very easy to find and exploit a command injection vulnerability in a given vulnerable parameter or HTTP header.



Version 2.7-20181218

  • Fixed: Multiple bug-fixes regarding several reported unhandled exceptions.
  • Revised: The suffixes list has been briefly revised.
  • Updated: With each commix run, end users are obliged to agree to the “Legal disclaimer” prelude message.
  • Fixed: Minor improvement regarding local HTTP server (for the --file-upload option).
  • Added: A list of extensions to exclude from crawling.
  • Revised: Minor improvements regarding crawler.
  • Revised: Minor update of redirection mechanism.
  • Revised: Minor improvement regarding identifying the target web server.
  • Revised: Minor improvement regarding identifying corrupted .pyc file(s).
  • Added: New tamper script “” that adds dollar-sign followed by an at-sign (“$@”) between the characters of the generated payloads.
  • Fixed: Bug-fix regarding proxying SSL/TLS requests.
  • Revised: Minor improvement regarding checking for a potentially miswritten (illegal ‘=’) short option.
  • Revised: Minor improvement regarding checking for illegal (non-console) quote and comma characters.
  • Revised: Minor improvement regarding merging of tamper script arguments.
  • Revised: Minor improvement regarding ignoring the parameter(s) that carry anti-CSRF token(s) in all scanning attempts.
  • Updated: Beautiful Soup (third party) module has been updated.
  • Added: New tamper script “” that appends a fake HTTP header ‘X-Forwarded-For’.
  • Fixed: Minor bug-fix regarding loading tamper scripts.
  • Revised: Minor improvement regarding “INJECT_HERE” tag (i.e. declaring injection position) to be case insensitive.


git clone commix


Copyright (c) 2014-2018 Anastasios Stasinopoulos