OS: Windows
IBOS version: IBOS 4.5.4 OPEN
The database backup function is in the code file IBOS\system\core\utils\Database.php, starting at line 228. It filters some file types and some sensitive characters.

Within this function, another filter for sensitive characters is applied at line 308.

Finally, the code that runs the command begins at line 434, and the command is executed at line 453.

The code that executes the command at line 453 looks like this. The $dumpFile parameter is inserted into this command string.
`{$mysqlBin}mysqldump --force --quick {$command1} --add-drop-table {$command2} {$command3} --host="{$db['host']}" {$command5} --user="{$db['username']}" --password="{$db['password']}" "{$db['dbname']}" {$tablesstr} > {$dumpFile}`;
Because some characters are not filtered, command injection is still possible.
Log in to the IBOS admin backend and open the database function. For faster execution, select only one of the data tables for the backup operation.

Then open "more" and select the options as follows.

In the filename field, you can enter the command you want to run; I ran ipconfig like this:

2020-01-17_exdEQ1ro&ipconfig>kkkkkk&ss
Submit it and access a URL like this: http://127.0.0.1/kkkkkk. You can see the results after the command is executed.

Filter more sensitive characters.
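
One way to apply the fix suggested above, as an added example that is not IBOS code: the backup name is checked against an allowlist rather than a growing denylist, and mysqldump is started without a shell so the `> {$dumpFile}` redirection is no longer needed. The function names `safeDumpPath()` and `runDump()` and the backup directory are hypothetical, and the array form of `proc_open` assumes PHP 7.4 or later.

```php
<?php
// Added example, not IBOS code. safeDumpPath() and runDump() are hypothetical names.

function safeDumpPath(string $backupDir, string $name): string
{
    // Allowlist instead of a denylist: anything outside [A-Za-z0-9_-] is
    // rejected, which covers & | ; < > ` $ quotes, whitespace, dots and slashes.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        throw new InvalidArgumentException('invalid backup file name');
    }
    return rtrim($backupDir, '/\\') . DIRECTORY_SEPARATOR . $name . '.sql';
}

function runDump(string $mysqldump, array $db, array $tables, string $dumpFile): int
{
    foreach ($tables as $t) {
        // Table names reach argv too; a leading "-" would be read as an option.
        if (!preg_match('/\A[A-Za-z0-9_]+\z/', $t)) {
            throw new InvalidArgumentException('invalid table name');
        }
    }
    // Array form of proc_open (PHP 7.4+) starts the program directly, with no
    // shell in between. --result-file replaces the "> {$dumpFile}" redirection.
    $argv = array_merge([
        $mysqldump, '--force', '--quick', '--add-drop-table',
        '--host=' . $db['host'], '--user=' . $db['username'],
        '--password=' . $db['password'], '--result-file=' . $dumpFile,
        $db['dbname'],
    ], array_values($tables));

    $proc = proc_open($argv, [2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start mysqldump');
    }
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[2]);
    $code = proc_close($proc);
    if ($code !== 0) {
        error_log('mysqldump failed: ' . trim($stderr));
    }
    return $code;
}

// The filename from the report is rejected before any command is built.
// The backup directory below is a constructed sample path.
try {
    safeDumpPath('C:\\ibos\\data\\backup', '2020-01-17_exdEQ1ro&ipconfig>kkkkkk&ss');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```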