Command injection happens when we can control a parameter that gets passed into a shell. If that input is not handled safely and sanitised properly, we can insert a command into our input and have that executed by the shell. Depending on the capabilities and privilidges of that shell, we can execute various commands.
The theory sounds very simple however it's not simple at all to find this kind of vulnerability.
The reason command injection is so hard to find is because we never really know which of our processes will trigger a back-end shell to execute. This means we will need to fuzz every parameter we find but you might be wondering what characters to fuzz with. To determine this, we first need to talk about which command separators can possibly be used and also which commands.
The following command separators work on both Windows and Unix-based systems:
&&&|||The following command separators work only on Unix-based systems:
;0x0a or \\n)On Unix-based systems, you can also use backticks or the dollar character to perform inline execution of an injected command within the original command:
injected command $( injected command )