Commix: automating evaluation and exploitation of command injection vulnerabilities in Web applications


Despite the prevalence and the high impact of command injection attacks, little attention has been given by the research community to this type of code injection. Although many software tools exist to detect and exploit other types of code injection, such as SQL injection or cross-site scripting, there is no dedicated and specialized software that automatically detects and exploits command injection vulnerabilities. This paper proposes an open-source tool, named COMMand Injection eXploiter (Commix), that automates the process of detecting and exploiting command injection flaws in Web applications. We present and elaborate on the software architecture and detection engine of Commix, as well as its extra functionalities that greatly facilitate penetration testers and security researchers in the detection and exploitation of command injection vulnerabilities. Moreover, based on the knowledge and practical experience gained from the development of Commix, we propose and analyze newly identified techniques that perform side-channel exploitation of command injections, allowing an attacker to indirectly deduce the output of the executed command (also known as blind command injections). Furthermore, we evaluate the detection capabilities of Commix by performing experiments against various applications. The experimental results show that Commix achieves high detection accuracy while eliminating false positives. Finally, and more importantly, we analyze several 0-day command injection vulnerabilities that Commix detected in real-world applications. Despite the short time since its release, Commix has been embraced by the security community and comes preinstalled in many security-oriented operating systems, including the well-known Kali Linux.






This research has been funded by the ReCRED project (Horizon H2020 Framework Programme of the European Union under GA number 653417).

Author information



Corresponding author

Correspondence to Christoforos Ntantogian.


Cite this article

Stasinopoulos, A., Ntantogian, C. & Xenakis, C. Commix: automating evaluation and exploitation of command injection vulnerabilities in Web applications. Int. J. Inf. Secur. 18, 49–72 (2019).



  • Command injection
  • Code injection
  • Exploitation
  • Software tool
  • Web security