OS Command Injection
Also known as: Command Injection · Shell Injection · RCE
OS Command Injection occurs when an application builds a system command using untrusted input and executes it via a shell. The attacker injects shell metacharacters to run additional commands with the privileges of the application, frequently achieving full remote code execution on the host.
How it works
- 1The application invokes a shell command incorporating user input.
- 2Shell metacharacters (; | & $() ``) in the input are not neutralized.
- 3The shell interprets the injected operators as additional commands.
- 4The attacker executes arbitrary commands, often pivoting to a reverse shell.
Example
Vulnerable: exec("ping -c1 " + host)
Attacker host: 8.8.8.8; id
Executed: ping -c1 8.8.8.8; idImpact
Command injection typically yields remote code execution, giving the attacker control of the host and a foothold for lateral movement.
Remediation
- Avoid shells entirely; call programs directly with argument arrays, never a command string.
- If a shell is unavoidable, strictly allowlist inputs and escape per the platform.
- Run services with least privilege and network egress controls.
Detection & testing
Inject benign command separators with time-based or out-of-band payloads to detect execution. Confirm safely without destructive commands.
Impactr tests for OS Command Injection the way an attacker would - investigating, chaining it with related flaws, and proving impact with a reproducible exploit before it reaches your report.
Test my app for Command InjectionTools
Frequently asked questions
What is the difference between command injection and code injection?
Command injection runs OS/shell commands via a system call. Code injection (e.g. SSTI, eval) executes code inside the application's runtime. Both can lead to RCE but through different sinks.