Description
Transfer Files
Using living-off-the-land techniques after successfully exploiting the webapp vuln. I am aware of the two flags `--file-write` and `--file-read`, but it's just nice to have in case the attacker forgot to upload and/or download the files during shell interaction.
- Download (`download /path/to/remote/file /path/to/local/file`)
- Upload (`upload /path/to/local/file /path/to/remote/file`)
Data Exfiltration
What happened to these features? They help a lot with blind command injection. Is there a reason you've removed them? I find it a waste.
- DNS (`--dns-server`): It is possible to use this with projectdiscovery's `interactsh-server`, and they have their own hosted instance, similar to Burp Suite Pro Collaborator; here's the website: https://app.interactsh.com.
- ICMP (`--icmp-exfil`)
Update MSF payload modules by detecting architecture and OS
- If 64-bit and Linux: `linux/x64/meterpreter/bind_tcp` (bind shell), `linux/x64/meterpreter/reverse_tcp` (reverse shell)
- If 32-bit and Linux: `linux/x86/meterpreter/bind_tcp` (bind shell), `linux/x86/meterpreter/reverse_tcp` (reverse shell)
- If 64-bit and Windows: `windows/x64/meterpreter/bind_tcp` (bind shell), `windows/x64/meterpreter/reverse_tcp` (reverse shell)
- If 32-bit and Windows: `windows/meterpreter/bind_tcp` (bind shell), `windows/meterpreter/reverse_tcp` (reverse shell)
If you cannot maintain the new modules, just remove them, since I can use `--os-cmd` to execute one-liner payloads and the three flags (`--file-write`, `--file-upload` and `--file-dest`) to upload the binary `.exe`, `.dll`, `.elf`, and `.so` file and change its permissions to execute it, just to get the job done. There are too many architectures to keep up with.
Google dorking (from `sqlmap`)
It does help with finding key parameters via Google dorking, such as `inurl:?ping=`.

```
-g GOOGLEDORK
--gpage=GOOGLEPAGE
```
Update the documentation
Alter Shell
`--alter-shell`: How does this work? What interpreter should I use? Is it Python, Perl, Bash, Script, or Expect? Which operating systems are compatible with this flag?
Command injection techniques
`--technique`: As far as I know there are four techniques in total. I haven't checked the source code; this is my understanding after looking at previous tutorials and the user manual you've posted. They are:
- Result-based injection
  - Classic results-based command injection (`--technique=C`).
  - Eval-based command injection (`--technique=E`). I've seen this in the old tutorials, but again, you can correct me if I'm wrong.
- Blind injection
  - Time-based injection (`--technique=T`).
  - File-based injection (`--technique=F`).
So by default I could use all 3 (`--technique=CTF`) or 4 (`--technique=CETF`) as the default techniques if not specified. I had a hard time figuring this out since there's no specific documentation on how to use the techniques flag. The `sqlmap` manual was a huge help, and I couldn't find it anywhere else other than by researching from the ground up. Like I said, I haven't read the source code.
Finally, `--skip-technique`. How does this work exactly? Does it skip a specific payload or just one of the four techniques above? It's best to update the documentation on what it's used for. In the case of sqlmap's `--test-skip` flag, it allows the user to exclude specific payloads by specifying a string, `BENCHMARK` for example, to reduce the number of HTTP requests.
Shellshock module
Explain use cases for the `--shellshock` module even when it's not CVE-related, especially when exploiting `cgi-bin/`, such as on IoT devices like routers.
Proxychains feature (from `sqlmap`)
I saw the `--proxy` flag, but I don't see the documentation for this feature and I'm unsure what types of proxy servers it supports other than an HTTP proxy, to my knowledge. If these are missing, then consider implementing support for SOCKS proxies, or, to save yourself the trouble of adding too many dependencies, add documentation advising the user to use `proxychains-ng` for pivoting in the network or establishing connections through proxy servers.

```
--proxy=socks4://<IP>:<PORT>
--proxy=socks5://<IP>:<PORT> --proxy-cred=[username]:[password]
--proxy=http://<IP>:<PORT> --proxy-cred=[username]:[password]
--proxy-file=proxy-servers.txt
```
What are the running context details?
- Installation method: `$ sudo apt install -y commix`
- Client OS is Kali Linux
- Program version: `$ commix --version` reports `v3.9-stable`