Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature request and improvements #904

Open
U53RW4R3 opened this issue Apr 17, 2024 · 1 comment
Open

Feature request and improvements #904

U53RW4R3 opened this issue Apr 17, 2024 · 1 comment
Assignees
@stasinopoulos
Labels
enhancement needs investigation new feature

Comments

@U53RW4R3
Copy link

U53RW4R3 commented Apr 17, 2024
edited
Loading

Transfer Files

Using living off the land techniques after successfully exploiting the webapp vuln. I am aware of the two flags --file-write and --file-read. But it's just nice to have in case if the attacker forgot to upload and/or download the files during shell interaction.

  1. Download (download /path/to/remote/file /path/to/local/file)
  2. Upload (upload /path/to/local/file /path/to/remote/file)

Data Exfiltration

What happened with these features? These help a lot for blind command injection is there are reason you've removed them? I find it a waste.

  1. DNS (--dns-server): It is possible to use this using projectdiscovery interactsh-server and they have own which is similar to burp suite pro collaborator here's the website https://app.interactsh.com.
  2. ICMP (--icmp-exfil)

Update MSF payload modules by detecting architecture and OS

  • If 64 bit and Linux
    • linux/x64/meterpreter/bind_tcp (bind shell)
    • linux/x64/meterpreter/reverse_tcp (reverse shell)
  • If 32 bit and Linux
    • linux/x86/meterpreter/bind_tcp (bind shell)
    • linux/x86/meterpreter/reverse_tcp (reverse shell)
  • If 64 bit and Windows
    • windows/x64/meterpreter/bind_tcp (bind shell)
    • windows/x64/meterpreter/reverse_tcp (reverse shell)
  • If 32 bit and Windows
    • windows/meterpreter/bind_tcp (bind shell)
    • windows/meterpreter/reverse_tcp (reverse shell)

If you cannot maintain the new modules. Just remove them since I can use the --os-cmd to execute one-liner payloads and the three flags (--file-write, --file-upload and --file-dest) to upload the binary .exe,.dll,.elf, and .so file and change permission to execute it just to get the job done. There are too many architectures to keep up.

Google dorking (from sqlmap)

It does help with finding key parameters in google dorking such as, inurl:?ping=.

-g GOOGLEDORK
--gpage=GOOGLEPAGE

Update the documentation

Alter Shell

--alter-shell: How does this works? What interpreter should I use? Is it Python, Perl, Bash, Script, or Expect? Which operating system is compatible with this flag?

Command injection techniques

--technique: So far I know there are four techniques in total and I haven't checked the source code to my understanding after looking at previous tutorials and the user manual you've posted. They are:

  • Result-based injection

  • Classic results-based command injection (--technique=C).

  • Eval-based command injection (--technique=E). I've seen this in the old tutorials but again you can correct me if I'm wrong.

  • Blind injection

  • Time-based injection (--technique=T).

  • File-based injection (--technique=F).

So by default I could use all 3 (--technique=CTF) or 4 (--technique=CETF) as default techniques if not specified. I had a hard time figuring this out since there's no specific flags of how to use the techniques flag. In sqlmap manual was a huge help and I couldn't find it anywhere other than researching from the ground up. Like I said I haven't read the source code.

Finally the --skip-technique. How does this work exactly? Does it skip the specific payload or just the four techniques from above? Best to update the documentation of what it's used for. In the case of sqlmap's --test-skip flag. It allows the user to exclude specific payloads by specifying the string BENCHMARK for example to reduce the HTTP requests.

Shellshock module

Explain use cases for --shellshock module even if it's not CVE related especially when exploiting cgi-bin/. Such as, IoTs like Routers.

Proxychains feature (from sqlmap)

I saw the --proxy flag but I don't see the documentation about this feature and unsure of what type of proxy servers it supports other than HTTP proxy to my knowledge. If these are missing then consider implementing to support the SOCKS Proxy feature or to save yourself the trouble from adding too many dependencies. Add the documentation to advise the user by using proxychains-ng for pivoting in the network or establishing connection with proxy servers.

--proxy=socks4://<IP>:<PORT>
--proxy=socks5://<IP>:<PORT> --proxy-cred=[username]:[password]
--proxy=http://<IP>:<PORT> --proxy-cred=[username]:[password]
--proxy-file=proxy-servers.txt

What are the running context details?

  • Installation method

$ sudo apt install -y commix

  • Client OS is Kali Linux

  • Program version

$ commix --version    
v3.9-stable
@stasinopoulos
Copy link
Member

Thanks for the comments and suggestions. I will take a closer look at your comments when I have more time and i will act accordingly.

@stasinopoulos stasinopoulos self-assigned this May 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@stasinopoulos stasinopoulos

Labels
enhancement needs investigation new feature
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@stasinopoulos @U53RW4R3