loading
Loading content
loading
Also known as OS command injection
Command injection happens when an application builds a shell command from user input and runs it without proper sanitization. If a feature pings a host the user supplies, and the code concatenates that value straight into a shell call, an attacker appends ; cat /etc/passwd or a reverse-shell payload and the server executes it. The flaw stems from mixing untrusted data with a command interpreter, the same root cause behind sql injection on the database side.
This matters because the payoff is direct code execution on the host, often as the web server's user. From there an attacker reads secrets, pivots into the network, or chains the access toward privilege escalation to reach root. Few bugs hand over a target this completely.
Testers probe for it by injecting shell metacharacters (;, |, &&, backticks, $()) into every parameter that might reach a system call, then watching for command output, timing delays, or out-of-band callbacks. It sits among the high-severity classes that web application security testing prioritizes, alongside related server-side flaws like ssrf.
In Trickest you can fan a list of endpoints and parameters into an injection-testing workflow that fires payloads at scale and flags any host that returns command output.
Related terms