Releases: commixproject/commix
v4.0-stable
- Fixed: Multiple bug-fixes regarding several reported unhandled exceptions.
- Revised: Minor bug-fix regarding tamper script "backticks.py"
- Revised: Improvements regarding shell options `reverse_tcp`, `bind_tcp`.
- Revised: Major code refactoring regarding session handler.
- Revised: Minor improvement regarding options `--prefix`, `--suffix`.
- Revised: Improvement regarding writing text to the stdout (console) stream.
- Fixed: Minor bug-fix regarding combining custom injection marker (i.e. asterisk `*`) with `-p` option.
- Revised: Improvement regarding specifying multiple injection points by appending custom injection marker (i.e. asterisk `*`).
- Fixed: Minor bug-fix regarding crawler (i.e. option `--crawl`).
- Updated: Six (third party) module has been updated (Python 3.12 support).
- Revised: Minor improvement regarding determining (passively) the target's underlying operating system.
- Revised: Minor improvement for enabling end-users to choose whether to skip or continue testing the remaining parameters, if one is found vulnerable.
- Revised: Minor improvements regarding semiblind (i.e. "file-based") technique.
- Fixed: Minor bug-fix regarding option `--output-dir`.
- Revised: Improvement regarding option `--skip` for excluding certain parameter(s) from testing.
- Revised: Improvement regarding specifying which parameter(s) to test (i.e. `-p` option).
- Revised: Improvement regarding processing / ignoring custom injection marker (i.e. asterisk `*`).
- Revised: Improvement regarding forcing usage of provided HTTP method (e.g. `PUT`).
- Revised: Improvement regarding parsing raw HTTP request from a file (i.e. `-r` option).
- Revised: Improvement regarding parsing JSON nested objects.
- Revised: Improvement regarding (basic) heuristic detection of WAF/IPS protection.
- Revised: Improvement regarding option `--ignore-code` for ignoring multiple (problematic) HTTP error codes.
- Added: New option `--abort-code` for aborting on (problematic) HTTP error code(s) (e.g. 401).
- Added: New option `--time-limit` for running with a time limit in seconds (e.g. 3600).
Note: For more check the detailed changeset.
v3.9-stable
- Fixed: Multiple bug-fixes regarding several reported unhandled exceptions.
- Revised: Minor improvement regarding logging user-supplied command(s) (i.e. `--os-cmd` option) to a file.
- Revised: Improvement regarding parsing HTTP requests through Tor HTTP proxy (i.e. `--tor` switch).
- Added: New (hidden) option `--ignore-stdin` regarding ignoring STDIN input. (via @n00b-bot)
- Revised: Minor improvement regarding successfully completing the scanning process (i.e. in case that parameters with anti-CSRF tokens are omitted). (via @xerxoria)
- Revised: Minor improvement regarding Windows-based payloads for semiblind (i.e. "file-based") technique (i.e. command execution output).
- Revised: Minor improvement in semiblind (i.e. "file-based") technique, regarding defining the URL where the execution output of an injected payload is shown.
- Added: New switch `--ignore-proxy` to ignore the system default HTTP proxy.
- Revised: Minor improvement regarding parsing HTTP requests through HTTP proxy (i.e. `--proxy` option).
- Added: New switch `--smart` for conducting thorough tests only in case of positive heuristic(s).
- Added: Translation for README.md in Turkish. (via @Kazgangap)
- Revised: Minor improvement regarding parsing SOAP/XML POST data.
Note: For more check the detailed changeset.
v3.8-stable
- Fixed: Multiple bug-fixes regarding several reported unhandled exceptions.
- Revised: Minor improvement regarding parsing raw HTTP request from a file (i.e. `-r` option).
- Revised: Minor improvement regarding dynamic code evaluation technique (i.e. command execution output).
- Added: Translation for README.md in Farsi(Persian) (via @verfosec)
- Fixed: Minor bug-fix regarding `--skip-empty` flag, for skipping the testing of the parameter(s) with empty value(s).
- Revised: Minor improvement regarding tamper script "uninitializedvariable.py", for adding randomly generated uninitialized bash variables between the characters of each command of the generated payloads.
- Revised: Minor improvement regarding skipping further tests involving target that an injection point has already been detected.
- Revised: Minor code refactoring regarding multiple tamper scripts (i.e. "backslashes.py", "dollaratsigns.py", "doublequotes.py", "singlequotes.py", "uninitializedvariable.py").
- Added: New tamper script "rev.py" that reverses (characterwise) the user-supplied operating system commands.
- Fixed: Minor bug-fix regarding checking for similarity in provided parameter(s) name(s) and value(s).
- Fixed: Minor bug-fix regarding forcing usage of SSL/HTTPS requests toward the target (i.e. `--force-ssl` flag).
- Fixed: Minor bug-fix regarding setting custom output directory path (i.e. `--output-dir` option).
- Added: Support for `Bearer` HTTP authentication type.
- Revised: Minor improvement regarding tamper script "xforwardedfor.py" (that appends a fake HTTP header `X-Forwarded-For`).
- Fixed: Minor bug-fix regarding not ignoring specified injection technique(s) when `--ignore-session` or `--flush-session` options are set.
- Replaced: The `--dependencies` option has been replaced with `--ignore-dependencies`, regarding ignoring all required third-party library dependencies.
- Added: New option `--alert` to run host OS command(s) when injection point is found.
Note: For more check the detailed changeset.
v3.7-stable
- Fixed: Multiple bug-fixes regarding several reported unhandled exceptions.
- Added: Translation for README.md in Indonesian (via @galihap76)
- Revised: Improvements regarding parsing HTTP requests through HTTP proxy (i.e. `--proxy` option).
- Revised: Improvements regarding identifying injection marker (i.e. asterisk `*`) in provided parameter values (e.g. GET, POST or HTTP headers).
- Added: New option `--crawl-exclude` regarding setting regular expression for excluding pages from crawling (e.g. `logout`).
- Revised: Improvement regarding `--crawl` option, for skipping further tests involving target that an injection point has already been detected.
- Added: Support regarding combining `--crawl` option with scanning multiple targets given from piped-input (i.e. `stdin`).
- Revised: Minor improvement regarding adding PCRE `/e` modifier (i.e. dynamic code evaluation technique).
- Revised: Minor bug-fix regarding logging all HTTP traffic into a textual file (i.e. `-t` option).
Note: For more check the detailed changeset.
v3.6-stable
- Fixed: Multiple bug-fixes regarding several reported unhandled exceptions.
- Revised: Improvements regarding dynamic code evaluation heuristic check.
- Revised: Minor improvement regarding session handler.
- Revised: Minor improvement regarding `--wizard` option.
- Added: New tamper script "printf2echo.py" that replaces the printf-based ASCII to Decimal `printf "%d" "'$char'"` with `echo -n $char | od -An -tuC | xargs`.
- Revised: Minor improvement regarding parsing HTTP requests through HTTP proxy (i.e. `--proxy` option).
- Revised: Minor improvement regarding handling HTTP Error 401 (Unauthorized).
Note: For more check the detailed changeset.
v3.5-stable
- Fixed: Multiple bug-fixes regarding several reported unhandled exceptions.
- Revised: Improvements regarding Windows-based payloads for every supported technique.
- Revised: Improvement regarding alternative shell (i.e. `--alter-shell`) for generating Python 3x payloads.
- Removed: The deprecated modules "ICMP exfiltration" and "DNS exfiltration" have been removed.
- Revised: Improvement regarding identifying injection marker (i.e. asterisk) in provided options.
- Revised: Improvement regarding shellshock module.
- Added: Support regarding parsing target(s) from piped-input (i.e. `stdin`).
- Added: New option `--answers` to set user answers to asked questions during commix run.
- Added: Support regarding combining `--crawl` option with scanning multiple targets given in a textual file (i.e. via option `-m`).
- Added: Support for normalizing crawling results.
- Revised: Improvement regarding crawler.
- Revised: Minor bug-fix regarding `--file-upload` option.
- Revised: Minor improvement regarding identifying `Hex` and/or `Base64` encoded parameter(s) value(s).
- Added: New option `--no-logging` for disabling logging to a file.
- Revised: Minor improvement regarding redirect handler.
- Updated: Minor update regarding scanning multiple targets given in a textual file (i.e. via option `-m`).
- Added: Support for heuristic detection regarding command injections.
- Revised: Improvement regarding `--level` option, which not only adds more injection points (i.e. Cookies, HTTP headers) but also performs more tests for each injection point.
- Revised: Improvement regarding injecting into custom HTTP Header(s).
Note: For more check the detailed changeset.
v3.4-stable
- Fixed: Multiple bug-fixes regarding several reported unhandled exceptions.
- Fixed: Bug-fix regarding forcing usage of provided HTTP method (e.g. `PUT`).
- Fixed: Bug-fix regarding parsing raw HTTP headers from a file (i.e. `-r` option).
- Fixed: Minor bug-fix regarding parsing JSON objects.
- Added: New option `--drop-set-cookie` for ignoring `Set-Cookie` HTTP header from response.
- Added: Support for checking for not declared cookie(s).
- Added: New (hidden) option `--smoke-test` that runs the basic smoke testing.
- Revised: Improvement regarding the mechanism that nags if the used "dev" version is > 30 days old.
- Revised: Improvements regarding dynamic code evaluation heuristic check.
- Replaced: The `--encoding` option has been replaced with `--codec`.
Note: For more check the detailed changeset.
v3.3-stable
- Fixed: Multiple bug-fixes regarding several reported unhandled exceptions.
- Fixed: Minor bug-fix regarding scanning multiple targets given in a textual file (i.e. via option `-m`).
- Removed: The "Regsvr32.exe application whitelisting bypass" attack vector has been removed.
- Updated: Minor update regarding web delivery script (i.e. Python meterpreter reverse TCP shell).
- Replaced: The `--backticks` switch has been replaced with "backticks.py" tamper script.
- Added: New tamper script "backticks.py" that uses backticks instead of `$()`, for commands substitution.
- Added: New option (`--skip-heuristic`) for skipping dynamic code evaluation heuristic check.
- Added: Support for parsing custom wordlists regarding HTTP authentication (i.e. `Basic`, `Digest`) dictionary-based cracker.
- Revised: Improvements regarding dynamic code evaluation heuristic check.
- Fixed: Minor bug-fix regarding parsing SOAP/XML data via `--data` option.
- Revised: Minor improvement regarding parsing GraphQL JSON objects.
- Added: The .bat files command separator (i.e. `%1a`) has been added.
- Added: New option `--method` to force usage of provided HTTP method (e.g. `PUT`).
Note: For more check the detailed changeset.
v3.2-stable
- Fixed: Multiple bug-fixes regarding several reported unhandled exceptions.
- Added: New tamper script "slash2env.py" that replaces slashes (`/`) with environment variable value `${PATH%%u*}`.
- Revised: Minor improvement regarding session handler for supporting Python 3.4+.
- Revised: Minor improvement regarding `--web-root` option.
- Added: New tamper script "uninitializedvariable.py" that adds uninitialized bash variables between the characters of each command of the generated payloads.
- Revised: Improvement regarding decompressing `deflate`, `x-gzip` and `gzip` HTTP responses.
- Fixed: Bug-fix regarding several charset-related unhandled exceptions.
- Revised: Improvements regarding dynamic code evaluation heuristic check.
- Fixed: Bug-fix regarding HTTP authentication (i.e. `Basic`, `Digest`) dictionary-based cracker.
- Fixed: Bug-fix regarding logging all HTTP traffic into a textual file.
- Revised: Improvement regarding crawler.
- Fixed: Multiple bug-fixes regarding supporting Python 3.9.
- Revised: Improvement regarding the mechanism that nags if the used version is > 30 days old.
- Fixed: Multiple bug-fixes regarding the shellshock module.
- Revised: Improvement regarding Python 3.4+ for using the `html.unescape()` function for converting HTML entities to plain-text representations.
- Updated: Minor update regarding smartphones to imitate, through HTTP User-Agent header.
- Fixed: Bug-fix regarding setting suitable HTTP header User-Agent, when combining `--random-agent` or `--mobile` switch with `-r` option.
- Fixed: Bug-fix regarding `Hex` encoding/decoding.
- Added: New option (`--timeout`) for setting a number of seconds to wait before timeout connection (default 30).
- Revised: Increased default timeout to 30 seconds.
- Fixed: Bug-fix regarding Basic HTTP authentication.
- Fixed: Bug-fix regarding connection problems (via @fuero).
Note: For more check the detailed changeset.
v3.1-stable
- Fixed: Multiple bug-fixes regarding several reported unhandled exceptions.
- Added: A script "setup.py" has been added (i.e. easier installation).
- Revised: Improvement regarding checking if the provided value has boundaries (e.g. `param=/value/`).
- Revised: Improvement regarding dynamic code evaluation technique's heuristic checks.
- Revised: Improvement regarding identifying the indicated web-page charset.
- Revised: Minor improvement regarding verbose mode (i.e. debug messages).
- Fixed: Bug-fix regarding Basic HTTP authentication.
- Revised: Minor improvement regarding redirection mechanism.
- Fixed: Bug-fix regarding defining wildcard character `*` in nested JSON objects.
- Revised: Minor improvement regarding Flatten_json (third party) module.
- Revised: Minor improvement regarding parsing nested JSON objects.
- Added: New tamper script "doublequotes.py" that adds double-quotes (`""`) between the characters of the generated payloads.
- Fixed: Bug-fix regarding parsing raw HTTP headers from a file (i.e. `-r` option).
- Revised: Improvements regarding data in the detailed message about occurred unhandled exception.
- Revised: Minor bug-fixes and improvements regarding HTTP authentication dictionary-based cracker.
Note: For more check the detailed changeset.