
Comments (17)

stasinopoulos avatar stasinopoulos commented on May 28, 2024

@vincentubuntu hmm, according to the payload, I can assume that it is a false positive,
which is probably due to the server's response time. I added a fix at 8e82392. Please update commix and try again.


vincentubuntu avatar vincentubuntu commented on May 28, 2024

Still the same, Sir.
[commix ASCII-art banner] { v0.1b-8e82392 }

+--
Automated All-in-One OS Command Injection and Exploitation Tool
Copyright (c) 2015 Anastasios Stasinopoulos (@ancst)
+--

(*) Checking connection to the target URL... SUCCEED
(*) Testing the file-based semiblind injection technique...
(*) Trying to upload the 'WABKLN.txt' on /var/www/... 2% Error: It seems that you don't have permissions to write on /var/www/.
(?) Do you want to try the temporary directory (/tmp/) [Y/n] > y
(*) Trying to upload file, on temporary directory (/tmp/)...
(!) The estimated response time is 1 second.
(*) Testing the tempfile-based injection technique... SUCCEED
The (GET) 'term' parameter is vulnerable to Semiblind-based Command Injection.
(+) Type : Semiblind-based Command Injection
(+) Technique : Tempfile-Based Injection Technique
(+) Payload : || echo 'WUZZYX' > /tmp/WUZZYX.txt | [ 6 -ne $(cat "/tmp/WUZZYX.txt" | tr -d '\n' | wc -c) ] || sleep 2

(*) Retrieving the length of execution output... SUCCEED
Retrieved 3 characters.
(*) Grabbing the output from '/tmp/WUZZYX.txt', please wait... [ 100% ]

(!) The hostname is '0+.


vincentubuntu avatar vincentubuntu commented on May 28, 2024

Can it be due to a firewall???


vincentubuntu avatar vincentubuntu commented on May 28, 2024

@stasinopoulos
This is time-based:

[commix ASCII-art banner] { v0.1b-8e82392 }

+--
Automated All-in-One OS Command Injection and Exploitation Tool
Copyright (c) 2015 Anastasios Stasinopoulos (@ancst)
+--

(*) Checking connection to the target URL... SUCCEED
The estimated response time is 1 second.
(*) Testing the time-based injection technique... SUCCEED
The (GET) 'term' parameter is vulnerable to Blind-based Command Injection.
(+) Type : Blind-based Command Injection
(+) Technique : Time-Based Injection Technique
(+) Payload : ; str=$(echo VNVPBT); str1=${#str}; if [ 6 -ne ${str1} ]; then sleep 0; else sleep 2; fi

(*) Retrieving the length of execution output... SUCCEED
Retrieved 3 characters.
(*) Grabbing the output, please wait... [ 100% ]

(!) The hostname is 6(7.

(?) Do you want a Pseudo-Terminal shell? [Y/n] > y

Pseudo-Terminal (type 'q' or use to quit)
Shell > ls

(*) Retrieving the length of execution output... SUCCEED
Retrieved 9 characters.
(*) Grabbing the output, please wait... [ 100% ]

% " $


stasinopoulos avatar stasinopoulos commented on May 28, 2024

Very weird situation. The problem is that I can't reproduce the error in order to understand the reason for the failure. I would recommend (if you know that the target has Python installed) using '--alter-shell="python"'.


vincentubuntu avatar vincentubuntu commented on May 28, 2024

Actually, when I test other sites which are not vulnerable, it can't even upload in the tmp folder (returning "not acceptable"), but here on that bug bounty website we can upload in the tmp folder. Is that a conclusion that it's not a false positive?? OK, I'll test it again with --alter-shell="python".


vincentubuntu avatar vincentubuntu commented on May 28, 2024

If you want, I can give you the link, because it's still open for bug bounty.


stasinopoulos avatar stasinopoulos commented on May 28, 2024

OK, send me an email with the link. Thanks.


vincentubuntu avatar vincentubuntu commented on May 28, 2024

commix --url="http://xxx.xxx/search?term=INJECT_HERE" --technique=t --random-agent --hostname --alter-shell="python"
[commix ASCII-art banner] { v0.1b-8e82392 }

+--
Automated All-in-One OS Command Injection and Exploitation Tool
Copyright (c) 2015 Anastasios Stasinopoulos (@ancst)
+--

(*) Checking connection to the target URL... SUCCEED
The estimated response time is 1 second.
(*) Testing the time-based injection technique... SUCCEED
The (GET) 'term' parameter is vulnerable to Blind-based Command Injection.
(+) Type : Blind-based Command Injection
(+) Technique : Time-Based Injection Technique
(+) Payload : || [ 6 -ne $(python -c "print len('RZARFS')") ] || $(python -c "import time\ntime.sleep(0)") | $(python -c "import time\ntime.sleep(2)")

(*) Retrieving the length of execution output... SUCCEED
Retrieved 13 characters.
(*) Grabbing the output, please wait... [ 100% ]

(!) The hostname is !$ 3!!&5, .& .

Full link.. you might know the reason for the failure.


vincentubuntu avatar vincentubuntu commented on May 28, 2024

Today they will announce no. 1 in the bug bounty; I am the only one. They ask me to "cat" out some content inside the server, which I can't perform.. lol


vincentubuntu avatar vincentubuntu commented on May 28, 2024

In case you might think it's illegal, this is the bounty site's announcement:

UPDATE: The Submission deadline has been extended to 3:00 PM.

Note: The URL for SenhriHack is xxxxxx

The main aim of the Senhri Security Testing Contest is to find security vulnerabilities that exist in the Government Content Management System (Senhri).

PRIZES:

First Prize – Rs 30,000 + Certificate + Trophy
Second Prize – Rs 20,000 + Certificate + Trophy
Third Prize – Rs 10,000 + Certificate + Trophy

RULES AND GUIDELINES:

The contest will be open to anyone.
Individual/Team Participation.
Participants should register online on the website www.diw.mizoram.gov.in
Contest closing date and last date of submission will be up to 4th July 2015 11:00 AM.
Evaluation will be done between 4th and 6th July 2015.
Final results will be published on the Digital Week website on 7th July 2015 and prize distribution will be done on the same day.
Any kind of denial of service (DDOS) attacks will be treated as invalid.
The organizer will have the right to reject or disqualify any entry deemed unsuitable.
Exploits reported should be accompanied by the tools used and steps to reproduce the same.
Merely finding a vulnerability is not enough. Only successful exploits will be accepted as a valid entry.
The security vulnerabilities should exist within the confines of the Content Management System (Senhri). Security vulnerabilities found within the server environment will not be counted.
Testing should be done only on the mentioned URL (http:/xxxxx.in). Anyone found hacking or attacking other government live sites will be disqualified.


vincentubuntu avatar vincentubuntu commented on May 28, 2024

Inform me whether it's the tool's fault or a website failure, when you are ready, Sir.
Today is the last date for evaluation, so I have to inform them whether I can
upload or do "cat".

On Tue, Jul 7, 2015 at 4:01 AM, Anastasios Stasinopoulos <[email protected]> wrote:

OK, send me an email with the link. Thanks.


stasinopoulos avatar stasinopoulos commented on May 28, 2024

The target host seems to be not vulnerable to command injection attacks. The reason for the false positive was the non-stable server response time (1-3 seconds). I added a hotfix (011a159) in order to limit that faulty behavior. Thanks @vincentubuntu for the heads up!

[image: screenshot from 2015-07-07 17 28 58]


vincentubuntu avatar vincentubuntu commented on May 28, 2024

Thanks.. then I'll update it..

On 7 Jul 2015 20:04, "Anastasios Stasinopoulos" <[email protected]> wrote:

The target host seems to be not vulnerable to command injection attacks.
The reason for the false positive was the non-stable server response time (1-3
seconds). I added a hotfix (011a159) in order to limit that faulty behavior.
Thanks @vincentubuntu (https://github.com/vincentubuntu) for the heads up!

[image: screenshot from 2015-07-07 17 28 58]
https://cloud.githubusercontent.com/assets/5289251/8548559/1dfce8aa-24ce-11e5-90b8-c9da93635510.png


vincentubuntu avatar vincentubuntu commented on May 28, 2024

commix --url="http://xxxx/search?term=INJECT_HERE" --technique=t
[commix ASCII-art banner] { v0.1b-011a159 }

+--
Automated All-in-One OS Command Injection and Exploitation Tool
Copyright (c) 2015 Anastasios Stasinopoulos (@ancst)
+--

(*) Checking connection to the target URL... SUCCEED
The estimated response time is 2 seconds.
(*) Testing the time-based injection technique... SUCCEED
The (GET) 'term' parameter is vulnerable to Blind-based Command Injection.
(+) Type : Blind-based Command Injection
(+) Technique : Time-Based Injection Technique
(+) Payload : & sleep 0 && str=$(echo AHCSGI) && str1=${#str} && [ 6 -eq ${str1} ] && sleep 3 \

(?) Do you want a Pseudo-Terminal shell? [Y/n] > y

Pseudo-Terminal (type 'q' or use to quit)
Shell > ls

(*) Retrieving the length of execution output... SUCCEED
Retrieved 27 characters.
(*) Grabbing the output, please wait... [ 22% ]

Still the same for time-based.


stasinopoulos avatar stasinopoulos commented on May 28, 2024

A reliability check has been added (8498f05) on the payloads used (time-based attacks). This check evaluates the injection's behavior, in order to prevent false positive results.

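An added illustration of the failure mode this thread ends on, written for this page and not taken from commix (the logic of the 8498f05 check itself is not shown in the thread): a single timed request is fooled by a server whose latency wanders between 1 and 3 s, while a repeat-and-compare check refuses to give a verdict when the baseline jitter is as large as the injected delay. All timings are constructed sample values; no requests are sent.

```python
# Constructed response-time samples in seconds; nothing here touches a network.
# Scenario A: the server's own latency wanders between 1 and 3 s, as described
# in the thread. The "delayed" samples carry no real delay at all.
JITTERY_BASELINE = [1.0, 2.8, 1.4, 2.2, 3.0]
JITTERY_DELAYED = [3.0, 1.3, 2.6, 1.8, 2.1]

# Scenario B: stable server, and the injected 'sleep 2' genuinely executes.
STABLE_BASELINE = [1.0, 1.1, 0.9, 1.0, 1.2]
STABLE_DELAYED = [3.1, 3.0, 3.2, 3.0, 3.1]

DELAY = 2.0  # seconds the time-based probe asks the server to sleep


def naive_verdict(baseline, delayed, delay=DELAY):
    """One timed request per condition: report 'vulnerable' when the single
    delayed response took at least `delay` seconds longer than the single
    baseline response. This is the shape of check that jitter fools."""
    return delayed[0] - baseline[0] >= delay


def reliable_verdict(baseline, delayed, delay=DELAY):
    """Repeat-and-compare check (an illustration, not commix's own code).

    Returns True  if every delayed sample exceeds the slowest baseline sample
                  by the part of `delay` that jitter cannot account for;
            False if the delayed samples do not consistently show that;
            None  if the baseline jitter is as large as `delay`, i.e. the
                  injected sleep cannot be told apart from normal variation,
                  so a scanner should retry with a longer delay, not report.
    """
    jitter = max(baseline) - min(baseline)
    if jitter >= delay:
        return None
    threshold = max(baseline) + (delay - jitter)
    return all(t >= threshold for t in delayed)


def compare():
    """Run both checks over the two constructed scenarios."""
    return {
        "jittery_naive": naive_verdict(JITTERY_BASELINE, JITTERY_DELAYED),
        "jittery_reliable": reliable_verdict(JITTERY_BASELINE, JITTERY_DELAYED),
        "stable_naive": naive_verdict(STABLE_BASELINE, STABLE_DELAYED),
        "stable_reliable": reliable_verdict(STABLE_BASELINE, STABLE_DELAYED),
    }


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name}: {verdict}")
```

On the jittery server the naive check says True (the false positive seen in the thread) while the repeated check returns None; on the stable server both agree.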

github-actions avatar github-actions commented on May 28, 2024

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related issues.

