OS Command Injection
OS Command Injection is a critical injection vulnerability that occurs when an application passes unsafe user-supplied data to a system shell. Within the Payload Execution phase, this sub-technique enables attackers to execute arbitrary operating system commands on the host system with the same privileges as the vulnerable application. Unlike other injection types that manipulate application data flow, command injection allows direct interaction with the underlying operating system, providing attackers with a powerful vector to establish persistence, elevate privileges, access sensitive information, or pivot to other systems within the network. Attackers typically exploit this vulnerability by injecting shell metacharacters (such as semicolons, pipes, ampersands) or command terminators into input fields, URL parameters, HTTP headers, or file uploads that are subsequently processed by server-side functions like system(), exec(), popen(), or their language-specific equivalents. The impact of successful command injection is severe, as it bypasses application-level controls and directly compromises the operating system security boundary.
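
The vulnerable pattern described above next to its hardened form, as an added example that is not part of the original page. `echo` stands in for a real system tool, and the function names, allowlist pattern and sample inputs are constructed for illustration.

```python
import re
import subprocess

# Allowlist for a hostname-like value: letters, digits, dots, hyphens.
# The first character may not be "-", so the value cannot be read as an
# option by the child program. (Pattern is an assumption for this example.)
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def run_unsafe(host: str) -> str:
    """Vulnerable: user input is concatenated into a shell command line."""
    cmd = "echo resolving " + host  # the shell parses ; | & inside `host`
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv_only(host: str) -> str:
    """No shell: the input is one argv element, so metacharacters stay literal."""
    argv = ["echo", "resolving", host]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def run_safe(host: str) -> str:
    """Hardened: validate against the allowlist, then run without a shell."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected hostname: {host!r}")
    argv = ["echo", "resolving", host]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


# Constructed sample inputs: one benign value and three carrying the shell
# metacharacters named in the text (semicolon, pipe, ampersand).
SAMPLES = [
    "example.com",
    "example.com; echo INJECTED",
    "example.com | echo PIPED",
    "example.com && echo CHAINED",
]

if __name__ == "__main__":
    for value in SAMPLES:
        print("input      :", repr(value))
        print("  shell    :", repr(run_unsafe(value)))
        print("  argv only:", repr(run_argv_only(value)))
        try:
            print("  hardened :", repr(run_safe(value)))
        except ValueError as err:
            print("  hardened :", err)
```

In the shell variant the marker word appears on its own, which shows a second command ran; in the argv variant the same bytes come back as a single literal argument, and the hardened variant rejects them before any process is started.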