Basic injection
Input: 127.0.0.1; cat /etc/passwd or 127.0.0.1 && whoami. Semicolon, pipe, and backtick chaining on Linux targets.
Blind command injection
No output in response — use time delay (sleep 5) or DNS/HTTP out-of-band callbacks to confirm.
Mitigation
Avoid shell calls; use parameterized APIs. Input allowlists. Least privilege for web server user.