# Command Injection

This happens when the user's input data goes to a web query that executes system commands without being sanitized.

The vast majority of these bugs are blind and you won’t see any output making it harder to detect.

### Exploitation <a href="#f6f3" id="f6f3"></a>

We can use an injection operator to inject another command.

* EX: AND, OR, semicolon, pipe, sub-shell, background, and new line

If the command output changes from the ordinary result, we have successfully exploited the vulnerability.

#### EX: Command injection request and response

* injecting the “echo hi” command and receiving a response:

<figure><img src="https://1674729424-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyzdFWSUijzVYOP1hAsit%2Fuploads%2FeVbZ64pLlcFSkCAzfNxc%2Fimage.png?alt=media&#x26;token=1e2d38cf-5cf9-4b6c-9b7f-621788de1c04" alt=""><figcaption></figcaption></figure>

**With blind command injection**, you can’t use the “echo” command to test, try to ping, perform DNS lookup, or make an HTTP request against your machine though.

* use a public IP address to receive a call back from the target server
* listen on your machine for a request from the target
* If you get a request then you know they are vulnerable to blind command injection