Shell command injection is possible when a program uses data entered by the user, without filtering it, as an argument of a shell command.
Example: you enter your name in a web form; the name is sent to the server and then used in a shell command. The server-side code looks like:
system ('echo '.$NAME);
Instead of just entering Yolo, you enter:
YOLO; cat /etc/passwd;
The server will chain the two commands by executing:
system ('echo YOLO; cat /etc/passwd;');
It is then possible to dump the content of the passwd file.
A command injection gives full control over the server. One can retrieve information about the server (uname -a), account names (cat /etc/passwd) and web server config files, or launch a reverse shell...
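
The chaining described above, next to one way of preventing it, as an added example that is not part of the original page. The function names and sample inputs are constructed for illustration, the chained command is a harmless echo, and a POSIX shell is assumed.

```php
<?php
// Added example (not from the original page). Assumes PHP 7+ and a POSIX shell.
// Function names and sample inputs are constructed for illustration.

// The page's pattern: user input concatenated straight into the command line.
function run_vulnerable(string $name): array {
    $lines = [];
    exec('echo ' . $name, $lines);
    return $lines;
}

// Hardened: escapeshellarg() quotes the value so the shell sees one argument.
function run_escaped(string $name): array {
    $lines = [];
    exec('echo ' . escapeshellarg($name), $lines);
    return $lines;
}

// Defence in depth: accept only what a name field should contain.
function is_valid_name(string $name): bool {
    return preg_match('/\A[A-Za-z][A-Za-z -]{0,63}\z/', $name) === 1;
}

// Constructed inputs; the second uses a harmless echo as the chained command.
$inputs = ['YOLO', 'YOLO; echo INJECTED'];

foreach ($inputs as $input) {
    printf("input:      %s\n", $input);
    printf("valid name: %s\n", is_valid_name($input) ? 'yes' : 'no (reject)');
    // Two output lines from the vulnerable call mean two commands ran.
    printf("vulnerable: %s\n", json_encode(run_vulnerable($input)));
    // The escaped call yields one line: the input, echoed literally.
    printf("escaped:    %s\n\n", json_encode(run_escaped($input)));
}
```

When the value only needs to be displayed, as with the name here, the stronger fix is to drop the shell call and print the value from PHP directly.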