whatisgithub

What is commix?

commixproject/commix — explained in plain English

Analysis updated 2026-06-26

5,733PythonAudience · developerComplexity · 3/5LicenseSetup · easy

In one sentence

Commix automates the discovery and exploitation of command injection vulnerabilities in web applications, helping penetration testers and bug bounty hunters prove a target is vulnerable by running system commands through detected flaws.

Mindmap

mindmap
  root((commix))
    Detection
      Scan target URL
      Identify injection points
      Filter bypass techniques
    Exploitation
      Run system commands
      Demonstrate impact
      Automated payloads
    Setup
      Clone repo
      Run Python script
      No build step
    Use Cases
      Penetration testing
      Bug bounty work
      Authorized audits
    Reporting
      OWASP resources
      Wiki documentation
      Usage examples
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Test a web application for command injection vulnerabilities during an authorized penetration testing engagement

USE CASE 2

Automate command injection detection and exploitation for bug bounty submissions

USE CASE 3

Verify whether a specific URL parameter passes user input unsafely to the operating system

USE CASE 4

Bypass input filters that block basic command injection attempts to fully assess exposure

What is it built with?

PythonCommand Line

How does it compare?

commixproject/commix649453932/chinese-text-classification-pytorchklavis-ai/klavis
Stars5,7335,7335,734
LanguagePythonPythonPython
Setup difficultyeasyeasymoderate
Complexity3/52/53/5
Audiencedeveloperresearcherdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 5min

Clone the repository and run the Python script directly. No build or install step required. Supports Python 2.6, 2.7, and 3.x. Only use against targets you have explicit permission to test.

Released under GPLv3. Free to use and modify, but any distributed derivative must also be open source under the same license.

So what is it?

Commix is a Python tool for penetration testers that automates the process of finding and exploiting command injection vulnerabilities in web applications. A command injection vulnerability is a type of security flaw where a web application passes user-supplied input to the operating system in an unsafe way, allowing an attacker to run arbitrary system commands on the server. Commix is designed to detect whether a given target is vulnerable to this class of problem and, if so, to demonstrate the impact by running those commands automatically. The name is a contraction of command injection exploiter. The tool was written by security researcher Anastasios Stasinopoulos and is released under the GPLv3 open source license. It supports Python versions 2.6, 2.7, and 3.x, and can be installed simply by cloning the repository and running the script directly with no build step required. Commix is intended for authorized security testing, bug bounty work, and penetration testing engagements where a tester has permission to probe a target application. It is included in security-focused Linux distributions and is listed in OWASP-related resources as a relevant testing tool. The wiki on its GitHub page covers available options, usage examples, and techniques for bypassing input filters that would otherwise block detection attempts. The tool is available in several translated README versions covering Persian, Greek, Indonesian, and Turkish.

Copy-paste prompts

Prompt 1
I am doing an authorized penetration test. Using commix, how do I scan a target URL for command injection vulnerabilities and capture the output of a system command if the target is vulnerable?
Prompt 2
How do I use commix to bypass input sanitization filters when testing a web application for command injection? Show me the relevant flags and an example command.
Prompt 3
I want to use commix during a bug bounty engagement. Walk me through cloning the repo, running it against a test URL, and interpreting the results to write a vulnerability report.
Prompt 4
Using commix, how can I test a POST request parameter rather than a GET URL parameter for command injection? Provide a sample command with placeholder values.
Prompt 5
What commix options should I use to test a web application that uses a web application firewall, and how do I tune the tool to reduce false negatives?

Frequently asked questions

What is commix?

Commix automates the discovery and exploitation of command injection vulnerabilities in web applications, helping penetration testers and bug bounty hunters prove a target is vulnerable by running system commands through detected flaws.

What language is commix written in?

Mainly Python. The stack also includes Python, Command Line.

What license does commix use?

Released under GPLv3. Free to use and modify, but any distributed derivative must also be open source under the same license.

How hard is commix to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is commix for?

Mainly developer.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.