Command injection is an attack in which a malicious actor causes arbitrary commands to be executed on the host operating system through the web application. The attack vector exists because of a lack of input validation when the web application accepts user input in certain fields.
The goal is to get user-provided commands to execute on the underlying server. An attacker may then be able to download and execute further files as a means of gaining more persistent access to the server.
While the commands are executed with the privilege level of the application, an attacker may be able to leverage this vulnerability to identify a method of privilege escalation and completely compromise the server.
This attack may occur in both GET and POST requests depending on the application and may require an attacker to have an understanding of what technology is used by the underlying server. Different applications may require different payloads depending on the application code.
An example parameter that may be vulnerable to command injection could be the following:
www.northgreen-insecuresite.com/live.php?ping.1.1.1.1
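The following is an added example, not code from the site above: it shows the vulnerable pattern described here (user input concatenated into a shell command line) next to a hardened form that validates the value and runs the program without a shell. It assumes a Linux host, PHP 7.4 or later, and a query parameter named `ping`; the function names and sample inputs are hypothetical.

```php
<?php
// Added example. Assumes a Linux host and a query parameter named "ping".

// Vulnerable pattern: user input is concatenated into a command line that
// is handed to the shell, so metacharacters in $host are interpreted.
function vulnerable_command_line(string $host): string
{
    return 'ping -c 1 ' . $host;   // the string shell_exec() would receive
}

// Hardened pattern, step 1: accept only a literal IPv4/IPv6 address and
// return an argv array, never a command string.
function ping_argv(string $host): array
{
    if (filter_var($host, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('ping parameter is not an IP address');
    }
    return ['ping', '-c', '1', $host];
}

// Hardened pattern, step 2: PHP >= 7.4 runs an array command directly,
// without a shell, so nothing in the argument is parsed as shell syntax.
function run_ping(string $host): string
{
    $proc = proc_open(ping_argv($host), [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start ping');
    }
    $output = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $output;
}

// Constructed sample inputs; nothing is executed in this loop.
foreach (['1.1.1.1', '1.1.1.1; echo injected'] as $input) {
    echo 'shell would see: ', vulnerable_command_line($input), PHP_EOL;
    try {
        echo 'argv accepted:   ', json_encode(ping_argv($input)), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected:        ', $e->getMessage(), PHP_EOL;
    }
}
```

A request handler would call `run_ping()` on the raw parameter value and return an error response when validation throws, so the same check covers both GET and POST inputs.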