Difference between Code Injection, Command Injection and Remote Code Execution

Hmm, let me try:

  • Code injection consists of modifying an executable / compilation unit / script so that it contains malicious code on top of its intended functions. Code can be injected locally into it and then it could be uploaded to the internet, forums, news servers etc. It is a rather easy form of exploit and similar to a trojan horse. Early viruses were made like this, and spread via users sharing executables. You can probably still find this today in "key generators" and other illegal software, as well as in data files like the notorious Windows screensavers (".scr") and other formats that aren't executables per se but can be loaded with code that gets executed.

  • Command injection is IMHO using the weakness of an unprotected system to allow execution of arbitrary commands to modify or damage the target system. This could be, for example, to inject instructions via web URLs and make the remote server execute them. Unguarded SQL strings became famous for this. Either they can corrupt the database or even execute code on the underlying OS.

  • Remote code execution is to actually again craft malicious code, but this time it is not attached to the binary unit but sent via the network. The difference from command injection could be seen in that, in addition to the malicious code / script, it also needs a weakness or fault of the receiving process, like you would send over a wrong instruction, make the process crash, and then make use of the crash handler to execute code that has been delivered together with your "crash packet". Most modern "zero day" exploits work like this.

I think the terminology is used in a fuzzy way though, so other people might see this differently.
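The "unguarded SQL strings" case mentioned in the answer, as an added example that is not part of the original post: a value taken from a web URL is pasted into a query string in one function and bound as a parameter in the other. The table, URLs and function names are constructed for illustration.

```python
import sqlite3
from urllib.parse import urlparse, parse_qs

def make_db():
    """Build a small in-memory database (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.test"),
                    ("bob", "bob@example.test"),
                    ("carol", "carol@example.test")])
    return db

def name_from_url(url):
    """Return the decoded 'name' query parameter, as a web framework would hand it over."""
    return parse_qs(urlparse(url).query).get("name", [""])[0]

def lookup_unguarded(db, url):
    """Vulnerable: the parameter becomes part of the SQL text and can change the statement."""
    sql = "SELECT email FROM users WHERE name = '" + name_from_url(url) + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_bound(db, url):
    """Hardened: the parameter is bound as data and is never parsed as SQL."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in db.execute(sql, (name_from_url(url),))]

# Constructed request URLs. The second value decodes to:  x' OR '1'='1
BENIGN = "https://app.example.test/user?name=alice"
CRAFTED = "https://app.example.test/user?name=x%27%20OR%20%271%27%3D%271"

if __name__ == "__main__":
    db = make_db()
    for label, url in (("benign", BENIGN), ("crafted", CRAFTED)):
        print(label, "unguarded:", lookup_unguarded(db, url))
        print(label, "bound:    ", lookup_bound(db, url))
```

With the crafted URL the unguarded lookup returns every row because the quote closes the string literal and the rest is parsed as SQL, while the bound lookup searches for a user literally named `x' OR '1'='1` and finds none.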