OS command injection
Command injection
& echo qwerty &
Placing & after the injected command is generally useful because it separates the injected command from whatever follows the injection point
Blind OS command
Bypass restriction
There are so many ways ...
https://book.hacktricks.xyz/linux-hardening/bypass-bash-restrictions
Metacharacters
Windows & Unix
&
&&
|
||
Unix
;
Unix inline execution
`command`
$(command)
Defences
Whitelist of permitted values
Validating that the input is a number
Validating that the input contains only alphanumeric characters, no other syntax or whitespace
Never attempt to sanitize input by escaping shell metacharacters