Introduction
Web applications frequently execute commands on the underlying operating system as part of their normal functionality. When a developer builds an application that takes user input and passes it into a system command without proper checks, an attacker can inject additional commands alongside the legitimate ones. This is OS command injection, a vulnerability that allows arbitrary OS-level commands to be executed through a vulnerable application.
The injected commands run with the same privileges as the application itself. If a web server runs as a user called joe, every injected command executes as joe and inherits whatever permissions that account holds. If the application runs with elevated privileges, the impact scales accordingly.
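The pattern described above, as an added example that is not part of the original room: a constructed "file size" feature that shells out to wc(1). The vulnerable version interpolates the user-supplied filename into a command string run through the shell, so metacharacters such as `;`, `|`, `&&` and `$(...)` let an attacker append their own commands, which run as whatever user the application runs as. The hardened version combines allow-list validation, path confinement and a safe API (an argument list with no shell). The function names, the regex and the sample payload are assumptions made for this example; it assumes a POSIX shell (on Windows, `&` and `|` in cmd.exe play the same role as `;` and `|` here).

```python
import re
import subprocess
import tempfile
from pathlib import Path

# Constructed demo (not the room's own code): a feature that reports the
# size of a file in an upload directory by calling wc(1).


def file_size_vulnerable(base_dir: str, filename: str) -> str:
    # shell=True hands the whole string to /bin/sh -c, which parses shell
    # operators. Anything the user puts after ';' becomes a second command
    # executed with the application's privileges.
    cmd = f"wc -c {base_dir}/{filename}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


# Allow-list for a plain filename: alphanumerics, dot, underscore, hyphen.
# No slashes, spaces or shell metacharacters can pass this pattern.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def file_size_safe(base_dir: str, filename: str) -> str:
    # 1. Input validation against an allow-list, rejecting '..' explicitly
    #    even though the regex already forbids path separators.
    if not SAFE_NAME.fullmatch(filename) or ".." in filename:
        raise ValueError(f"rejected filename: {filename!r}")
    # 2. Path confinement: the resolved target must sit directly in base_dir.
    base = Path(base_dir).resolve()
    target = (base / filename).resolve()
    if target.parent != base:
        raise ValueError("path escapes base directory")
    # 3. Safe API: an argv list with shell=False. The filename is delivered to
    #    wc as a single argument and is never parsed by a shell.
    result = subprocess.run(
        ["wc", "-c", str(target)], capture_output=True, text=True, check=True
    )
    return result.stdout


def demo() -> dict:
    """Run both versions against a constructed payload and a legitimate name."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "report.txt").write_text("hello")  # 5 bytes
        # Assumed attacker input: a valid-looking name followed by two
        # injected commands separated with ';'.
        payload = "report.txt; echo INJECTED; id"

        vuln_out = file_size_vulnerable(d, payload)

        try:
            file_size_safe(d, payload)
            safe_blocked = False
        except ValueError:
            safe_blocked = True

        legit = file_size_safe(d, "report.txt")
        return {
            "injected": "INJECTED" in vuln_out,   # True: echo ran
            "safe_blocked": safe_blocked,         # True: payload rejected
            "legit_size": int(legit.split()[0]),  # 5
        }


if __name__ == "__main__":
    print(demo())
```

Validation alone is not enough on its own: an allow-list that is too loose, or a later developer who adds a new parameter, reintroduces the bug. The argv-list call is what removes the shell from the picture; `shlex.quote()` with `shell=True` is a weaker fallback when a shell is genuinely required.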
You may hear OS command injection referred to as "Remote Code Execution" (RCE). The two concepts are related but distinct. RCE describes the broader outcome where an attacker gains the ability to execute code on a remote system. OS command injection is one specific technique for achieving that outcome. Other techniques such as insecure deserialization or memory corruption can also lead to RCE.
In the OWASP Top 10:2025, this vulnerability falls under A05: Injection. OS command injection specifically maps to CWE-78 (Improper Neutralization of Special Elements used in an OS Command). Even though injection has dropped a couple of positions compared to earlier editions of the list, it remains one of the most widely tested and exploited vulnerability classes.
In this room, we cover what OS command injection is, how it arises in application code, how to detect and exploit it, and how to prevent it. The final task provides a hands-on practical where you will exploit a vulnerable application to retrieve a flag.
Learning Objectives
By the end of this room, you will be able to:
- Explain what OS command injection is and why it poses a critical risk to applications
- Understand how unsafe use of system calls in application code introduces this vulnerability
- Distinguish between blind and verbose command injection and know how to detect each
- Exploit command injection using shell operators and common payloads on both Linux and Windows
- Apply remediation techniques such as input sanitisation and the use of safe APIs
- Perform command injection against a live target to retrieve sensitive data
Prerequisites
This room assumes familiarity with basic Linux commands and shell operators. If you are not comfortable with these yet, complete the Linux Fundamentals module first. The room also includes code examples (Python among them). You do not need to be proficient in the languages used, but a basic understanding of how web applications handle user input will help. The Web Fundamentals path is a useful starting point if you need to brush up.