Command injection is a vulnerability in which a web application receives user input which eventually leads to the web application executing a system function call, executing commands on the host machine to conduct operating system related actions. An attacker can use this to obtain information about the host operating system, gain code execution, and ultimately a shell and active session. More about command injection from OWASP:

Input sanitization

Often developers will attempt to mitigate command injection vulnerabilities using input sanitization. There are several ways to bypass this, examples being encoding with either base64 or xxd. Some examples are provided in the resources below:

Blind injection

If responses from the host after executing a command are not returned to the attacker via the web application, we can use methods like sleep to execute blind injection to determine if our input is being processed by the host server.

Shells

With reliable command injection, attackers can create reverse or bind shells on the target through various means. Here are some great resources and snippets for reverse and bind shell payloads on web applications vulnerable to command injection: