Example vulnerable code: $output = shell_exec("ls -l {$_GET['name']} 2>&1");
Example attack string: ; cat /etc/passwd #
Resulting shell command: ls -l ; cat /etc/passwd # 2>&1
This form actually only displays the contents of a fixed path, ignoring the submitted parameter – it's too dangerous to leave code like this lying around!
In case you were wondering, the display of the dir name is not vulnerable to XSS!
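A hardened counterpart to the vulnerable line above, as an added example that is not this page's own code. It prints the command string the shell would receive for a normal name and for the attack string shown above. BASE_DIR and the function names are assumptions made for illustration.

```php
<?php
// Added example. BASE_DIR is a constructed path, not one taken from the page.
const BASE_DIR = '/var/www/demo/files';

// Layer 1: quoting only. escapeshellarg() wraps the value in single quotes,
// so ";" and "#" reach ls as literal characters of one argument.
// "--" ends option parsing, so a value starting with "-" is not read as a flag.
function quoted_ls_command(string $name): string
{
    return 'ls -l -- ' . escapeshellarg(BASE_DIR . '/' . $name) . ' 2>&1';
}

// Layer 2: allowlist first, then quoting. Only a single path component made of
// letters, digits, ".", "_" and "-" is accepted; "." and ".." are refused.
function validated_ls_command(string $name): string
{
    if (!preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $name)
        || $name === '.' || $name === '..') {
        throw new InvalidArgumentException('invalid directory name');
    }
    return quoted_ls_command($name);
}

// Runs the validated command and HTML-encodes the result before display.
function list_directory(string $name): string
{
    $output = shell_exec(validated_ls_command($name));
    return htmlspecialchars((string) $output, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs: a normal name and the attack string from the page.
foreach (['reports', '; cat /etc/passwd #'] as $input) {
    echo 'quoted:    ', quoted_ls_command($input), PHP_EOL;
    try {
        echo 'validated: ', validated_ls_command($input), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'validated: rejected ', var_export($input, true), PHP_EOL;
    }
}
```

Where the listing itself is all that is needed, PHP's scandir() avoids the shell entirely.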