In the bustling tech hub of Boston, Massachusetts, ethical hacker Zara Nguyen dives into the...

The scenario describes user input being passed into system-level execution and causing “unintended operations at the system level,” which is the defining behavior of command injection in CEH web application hacking coverage. Command injection occurs when an application constructs or invokes operating system commands using unsanitized, user-controlled input. By inserting shell metacharacters or command separators such as ;, & & , |, or backticks, an attacker can cause the server to execute additional commands beyond what the developer intended. The impact often includes reading sensitive files, listing directories, creating users, downloading malware, pivoting, or otherwise interacting with restricted server resources, matching the prompt’s “access to restricted server resources.”

The question also rules out other injection families. LDAP injection targets directory service queries and manipulates LDAP filters, which the prompt explicitly excludes. CRLF injection involves inserting carriage return and line feed characters to manipulate HTTP headers or split responses; it does not primarily produce OS-level execution. “Shell Injection” is sometimes used informally to describe the same concept, but in CEH-style terminology and exam question patterns, the standard label for injecting into OS command execution is Command Injection, making option D the best and most precise answer.

Effective mitigations emphasized in CEH-aligned guidance include avoiding OS command calls where possible, using safe APIs that do not invoke shells, strict allowlisting and canonical validation of input, proper escaping for the target interpreter when needed, running services with least privilege, and applying segmentation and monitoring to limit blast radius.

\