Obrela Security Industries is proud to be a sponsor of the popular open-source penetration testing tool, Commix. Commix tool, created by Anastasios Stasinopoulos, Team Leader at Obrela Labs, automates the process of detection and exploitation of command injection vulnerabilities.
The background story
Anastasios started the development of Commix – a short for [comm]and [i]njection e[x]ploiter – approximately eight years ago, after realizing that only a couple of scanning tools were able to identify but not actively exploit command injection vulnerabilities.Βy developing this tool he was hoping to fill this gap. After writing up a research paper regarding that issue, which was accepted and presented at Black Hat 2015, the journey began.
Commix’s strong points
Commix provides penetration testers and information security researchers with everything they need to perform effective command injection attacks. It automates the detection and exploitation of these vulnerabilities. Except for the powerful engine, Commix is modular. It provides the opportunity to the end-users to make the tool interoperate with their modules to adapt it to their particular needs. Also, by being compatible with various well-known penetration testing tools, such as Metasploit, Burp-suite, sqlmap etc., Commix drastically improves a penetration tester’s ability to detect and exploit command injection vulnerabilities.
Why Open-source?
As an open-source enthusiast, Anastasios knew that such penetration testing tools could be improved through the infosec community contribution. Thus he ultimately decided to push it into an open-source project approximately two months after its initial development. By publishing Commix to GitHub, Anastasios has seen an enormous interest, over these years, from the infosec community. The community actively supports the tool, giving him the motivation to expand the tool’s capabilities constantly.
Final thoughts
Commix will provide excellent value to help the infosec community as long as command injection vulnerabilities exist. It will help identify injection vulnerabilities and thus perform the necessary actions to remediate them within their affected applications.
