A new tool (Commix), even a Greek developer, is available to anyone who wants to test the security of their Web site's Web applications, and to reveal possible vulnerabilities that could be exploited by injections fraudsters.
The new tool, as we said earlier, is called Commix (abbreviation of [comm] and [i] njection e [x]ploiter, which aims to find bugs or vulnerabilities related to injection attacks. In other words, it is a tool that tries to use several variations of complex attack vectors to "detect" and then "exploit" command injection vulnerabilities.
Commix is written in Python, that is, it has a simple interface and can be used by web developers, penetration testers και από ερευνητές ασφάλειας για να δοκιμάσουν την ασφάλεια των web εφαρμογών τους. Το πρόγραμμα προορίζεται μόνο για ελέγχους security and the manufacturer of the program never allows its use for malicious purposes.
A successful injection attack can lead to the execution of arbitrary commands in a system that is affected by a vulnerable application. It can happen if the application does not provide sufficient input validation and passes long user commands through forms, cookies, or HTTP headers.
Using this tool, it's very easy to find and exploit a vulnerable injection command, says the developer who built it, Anastasios Stasinopoulos, in the explanatory page at GitHub.
However, though Commix is intended for testing and testing activity, it can also be used by a malicious user, just like any other security tool. Stasinopoulos warns of this and says that "you can only use it once you have been given complete consent".
The possibilities of Commix include a number of options to specify which parameters can be injected. In order for the program to work you must have it installed Python, version 2.6.x or 2.7.x version.
At the GitHub site to download and the program, you will also find instructions for installing and running it.
In order to become familiar with Commix, Stasinopoulos provides you with a number of examples. One of these is one page that is vulnerable to PHP / MySQL Web App and you can test your skills, tools, and break it as much as you want after you have the full legal license to do it ..
