Shell Injection is a very dangerous type of injection vulnerability that can occur when a server executes shell commands based on user input from a website.
It’s not unusual for programs, including website backends, to use shell commands. Shells provide a powerful and convenient way for programs to invoke and “talk” to one another.
Shell injection is very dangerous because of how much power it can give an attacker over a server. Even in a best-case scenario, it still gives the attacker the same permissions and access as the web server software itself.
If you don’t have access to the back-end code, you can still look for shell injection vulnerabilities! If you think there’s an input field that is used by the server to execute shell commands, you can try providing malformed inputs that contain special characters used by the shell and/or attempt harmless demonstrations of shell injection.
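To make the mechanism concrete, here is an added example (not code from the original page) showing a backend helper that builds a shell command from user input, next to a hardened version that passes the input as a single argument with no shell involved. Python, the `grep`-based search feature, the function names and the sample data are all assumptions chosen for illustration.

```python
import os
import subprocess
import tempfile

# Constructed sample data standing in for a file the backend searches.
SAMPLE_LOG = "alice logged in\nbob logged in\nalice logged out\n"


def count_matches_vulnerable(term: str, path: str) -> str:
    """Builds a command string from user input and hands it to /bin/sh."""
    # The shell parses `term`, so ;, |, &, $(), backticks and # in it are
    # treated as shell syntax rather than as text to search for.
    cmd = f"grep -c -F -e {term} {path}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True,
                            stdin=subprocess.DEVNULL)
    return result.stdout


def count_matches_hardened(term: str, path: str) -> str:
    """Passes user input as a single argv element; no shell is involved."""
    # With an argument list and shell=False (the default), `term` reaches
    # grep byte-for-byte. -e makes grep treat it as the pattern even if it
    # starts with "-", and -F disables regex interpretation.
    argv = ["grep", "-c", "-F", "-e", term, path]
    result = subprocess.run(argv, capture_output=True, text=True,
                            stdin=subprocess.DEVNULL)
    return result.stdout


def demo() -> dict:
    """Runs both versions on a benign term and on a constructed marker input."""
    with tempfile.NamedTemporaryFile("w", suffix=".log", delete=False) as fh:
        fh.write(SAMPLE_LOG)
        path = fh.name
    try:
        marker = "alice; echo INJECTED #"  # constructed, harmless test input
        return {
            "benign_vulnerable": count_matches_vulnerable("alice", path),
            "benign_hardened": count_matches_hardened("alice", path),
            "marker_vulnerable": count_matches_vulnerable(marker, path),
            "marker_hardened": count_matches_hardened(marker, path),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for name, output in demo().items():
        print(f"{name}: {output!r}")
```

Both versions return the same count for the benign term; only the vulnerable one emits the marker word, because the shell ran the text after the `;` as a second command with the same permissions as the calling process.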