Commix testbed - A command injection test environment!

A collection of web pages, vulnerable to command injection flaws, used to test commix's vulnerability detection and exploitation features.

Command injection scenarios categories



1. Regular (GET / POST)

  • Classic regular example
    (GET | POST)
  • Classic (Base64) regular example
    (GET | POST)
  • Classic (Hex) regular example
    (GET | POST)
  • Classic single-quote example
    (GET | POST)
  • Classic double-quote example
    (GET | POST)
  • Classic non-space example
    (GET | POST)
  • Classic blacklisting example
    (GET | POST)
  • Classic hashing example
    (GET | POST)
  • Classic example & Basic HTTP Authentication
    (GET | POST)
  • Classic example & Digest HTTP Authentication
    (GET | POST)
  • Blind regular example
    (GET | POST)
  • Double Blind regular example
    (GET | POST)
  • Eval regular example
    (GET | POST )
  • Eval (Base64) regular example
    (GET | POST )
  • Classic (SOAP/XML) regular example
    (POST)
  • Blind (SOAP/XML) regular example
    (POST)
  • Classic (JSON) regular example
    (POST)
  • Blind (JSON) regular example
    (POST)
  • Eval (JSON) regular example
    (POST)
  • Preg_match() regular example
    (GET | POST)
  • Preg_match() blind example
    (GET | POST )
  • Preg_Replace() regular example
    (GET)
  • Assert() regular example
    (GET)
  • Str_Replace() regular example
    (GET | POST )
  • Create_Function() regular example
    (GET | POST )

2. Regex Filters

3. User-Agent HTTP Header

4. Cookie HTTP Header

5. Referer HTTP Header