A command injection vulnerability allows an attacker to execute arbitrary system commands on the host, which can result in a complete takeover of the web server. Command injection is possible whenever a web application passes untrusted user input into functions that hand a command line to the shell, such as exec(), system(), passthru(), shell_exec() or backticks in PHP.
The root cause is user-supplied input that is not validated (or not validated correctly) before it is concatenated into a command string. The following snippet shows PHP code which is vulnerable to command injection.
<?php
$ip = $_POST['ip'];            // untrusted value taken straight from the request
$cmd = system('ping '.$ip);    // concatenated into a shell command line and executed
In the vulnerable code above, the attacker can terminate the ping command with a semicolon, which the shell treats as a command separator, and append an arbitrary command of their own. Example input: ; cat /etc/passwd. The server then runs ping ; cat /etc/passwd: ping fails because it was given no host, and the contents of /etc/passwd are returned to the attacker with the rest of the output. The semicolon is only the most obvious separator; &&, ||, |, a newline, backticks and $( ) all reach the same result, and a payload such as 127.0.0.1 && id even keeps the ping working so the attack is less conspicuous.
To secure the application, validate the user's input against what the task actually needs and reject everything else: for a ping, the value should be an IP address (in PHP, filter_var() with FILTER_VALIDATE_IP) or a hostname matching a strict pattern, never free text. Stripping characters like ; and other shell metacharacters such as &, &&, |, ||, <, >, newlines, backticks and $( ) is a blocklist approach and is easy to get wrong, so treat it as a fallback rather than the primary defence. If the value must still reach a shell, wrap it with escapeshellarg() so the shell sees it as a single argument, and prefer not to invoke a shell at all where a library call can do the job.
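The following is an added example, not code from the original article. It puts the vulnerable construction from the snippet above beside a hardened version that applies the advice in the previous paragraph: an allowlist check with filter_var(FILTER_VALIDATE_IP), escapeshellarg() as a second layer, and a bounded ping so the process cannot hang. The sample inputs are constructed for the demonstration, the function names are my own, and the script assumes a POSIX host with a ping that accepts -c. The vulnerable command is only built as a string and never executed.

```php
<?php
// Added example, not the article's own code: vulnerable string construction
// versus an allowlist-validated, properly quoted command line.
declare(strict_types=1);

// Vulnerable: untrusted input concatenated into the command line, as in the
// snippet from the article. Returned as a string only, never executed here.
function build_vulnerable_command(string $ip): string
{
    return 'ping ' . $ip;
}

// Allowlist validation: accept only a syntactically valid IPv4/IPv6 address.
// Such a value cannot contain shell metacharacters by construction.
function validate_ip(string $input): ?string
{
    $ip = filter_var(trim($input), FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

// Hardened: validated value, quoted with escapeshellarg() as a second layer,
// and "-c 1" so a single probe is sent and ping terminates on its own.
// Assumes a POSIX ping; on Windows escapeshellarg() quotes differently.
function build_safe_command(string $ip): ?string
{
    $valid = validate_ip($ip);
    if ($valid === null) {
        return null;
    }
    return 'ping -c 1 ' . escapeshellarg($valid);
}

// Constructed sample inputs: one benign address and several injection attempts.
$samples = [
    '127.0.0.1',
    '; cat /etc/passwd',   // the payload from the article
    '127.0.0.1 && id',     // keeps ping working, then runs id
    "127.0.0.1\nid",       // a newline also ends the first command
    '$(id)',               // command substitution
];

foreach ($samples as $input) {
    printf("input:      %s\n", json_encode($input));
    printf("vulnerable: %s\n", build_vulnerable_command($input));
    $safe = build_safe_command($input);
    printf("hardened:   %s\n\n", $safe ?? '(rejected by validation)');
}

// Only the hardened command is ever executed, and only for the benign sample.
$cmd = build_safe_command('127.0.0.1');
if ($cmd !== null) {
    $output = [];
    $status = 0;
    exec($cmd, $output, $status);
    printf("exit status of %s: %d\n", $cmd, $status);
}
```

Run it with php on the command line. Every injection attempt is rejected by validate_ip() before any command string is built; even if the validation were removed, escapeshellarg() would turn ; cat /etc/passwd into the single quoted argument '; cat /etc/passwd', which ping would try and fail to resolve as a hostname instead of the shell executing it.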