Command Injection

Command Injection is simple in principle: the web application already executes an operating-system command in the backend, and you exploit it by making that command do more than the developer intended. In other words, if you ever see a page that offers the functionality of executing a command in the backend, it is probably vulnerable to this attack. Command Injection is very popular in Capture the Flag (CTF) events because it lets you completely own the remote machine (the one that hosts the web application).

As usual, let's see a practical example using Mutillidae. Open the left menu and navigate to OWASP 2017 | Injection | Command Injection | DNS Lookup:

This page executes the DNS Lookup command in the backend. In this example, I entered the IP address 10.0.0.1 and clicked on the Lookup DNS button.

Do you think we can override the normal behavior of this page and execute any command of our liking? (Or maybe even launch a backdoor such as netcat; just a hint.) Let's analyze the functionality of this page first. We are passing the IP address (or hostname) as a variable to a backend function that most probably executes it like this:

nslookup [domain name variable]

If we're lucky and the developer didn't validate the input, we can append other commands after the variable and the application will happily execute them for us. Our goal is to make the backend execute something like this:

nslookup [domain name variable] && [other command]

Let's see if this is going to work! For the proof of concept (POC), I will use the dir command, since Mutillidae is hosted on a Windows machine.

I will enter the IP address followed by the dir command in the Hostname/IP field, 10.0.0.1 && dir, and click on the Lookup DNS button:

Amazing! The dir command executed successfully!
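As an added example (my own code, not from the book or from Mutillidae), here is a Python sketch of the backend the text guesses at, beside a hardened version: an allow-list hostname check, an argument list handed to the process with no shell in between, and a metacharacter check a defender can use to flag such requests in logs. The function names, the regular expressions and the sample inputs are my assumptions.

```python
import re
import shlex
import subprocess

# Constructed sample inputs: the benign lookup and the proof-of-concept payload from the page.
BENIGN_INPUT = "10.0.0.1"
POC_INPUT = "10.0.0.1 && dir"

# Allow-list: a hostname or IPv4 literal is dot-separated labels of letters, digits, hyphens.
HOST_RE = re.compile(r"(?=.{1,253}\Z)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
                     r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*")

# Shell metacharacters that have no business in a hostname field; useful for a WAF rule or log alert.
SHELL_META_RE = re.compile(r"[&|;`$<>\n]")

def vulnerable_command(user_input: str) -> str:
    """The backend the page guesses at: raw concatenation that a shell would then parse.
    Returned as a string only so it can be inspected; it is never executed here."""
    return f"nslookup {user_input}"

def is_valid_host(user_input: str) -> bool:
    """Allow-list check: accept only a syntactically valid hostname or IPv4 literal."""
    return HOST_RE.fullmatch(user_input) is not None

def looks_like_injection(user_input: str) -> bool:
    """Detection helper: does the field contain any shell metacharacter?"""
    return SHELL_META_RE.search(user_input) is not None

def hardened_command(user_input: str) -> list[str]:
    """Validate first, then build an argv list so no shell ever interprets the input."""
    if not is_valid_host(user_input):
        raise ValueError(f"rejected hostname: {user_input!r}")
    return ["nslookup", user_input]

def quoted_for_shell(user_input: str) -> str:
    """Fallback when a shell string is unavoidable: shlex.quote turns the whole input into one word."""
    return f"nslookup {shlex.quote(user_input)}"

def run_lookup(user_input: str) -> str:
    """Execute the hardened form; with shell=False (the default) '&&' would just be an odd argument."""
    return subprocess.run(hardened_command(user_input), capture_output=True,
                          text=True, timeout=10).stdout

if __name__ == "__main__":
    print("vulnerable:", vulnerable_command(POC_INPUT))
    print("flagged   :", looks_like_injection(POC_INPUT))
    print("hardened  :", hardened_command(BENIGN_INPUT))
    print("quoted    :", quoted_for_shell(POC_INPUT))
```

The validation-then-argv pattern is the fix; `quoted_for_shell` is only a last resort for code that cannot drop the shell.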
