I know how we do code injections with scripted languages like JavaScript, SQL, PHP, etc. and pretty much wherever an execute() function is used. However, I'm still unsure about how code injection works with compiled languages like C and C++.
I've looked up "C code injection" and "C++ code injection" on Google and our beloved StackOverflow but haven't found much besides the fact that it uses overflows like inputting -1 for an unsigned int variable or inputting too many values for an array.
I've seen some CTF videos where people input strings like aaaaaa with a lot of a's followed by some hex values (after seeing that the program returns SegFault with those long strings) but never really got a good explanation.
My question(s): How exactly is code injection done in compiled programs (like those written with C/C++)? How do people know when to use such injections? How are programs written to avoid such injections?
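An added example, not part of the original question: a defensive C sketch of the two inputs mentioned above, a "-1" supplied for an unsigned int and a string longer than a fixed-size array. The names parse_count, copy_bounded and BUF_SIZE are hypothetical, and the sample inputs are constructed.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 16 /* hypothetical fixed buffer size */

/* Parse a user-supplied count. Returns 0 on success, -1 on rejection.
 * strtoul() on its own accepts "-1" and wraps it to ULONG_MAX,
 * so the sign is rejected before conversion. */
int parse_count(const char *s, unsigned int *out)
{
    char *end;
    unsigned long v;

    while (*s == ' ' || *s == '\t') s++;
    if (*s == '-' || *s == '+' || *s == '\0') return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0' || v > UINT_MAX) return -1;
    *out = (unsigned int)v;
    return 0;
}

/* Copy src into dst only if it fits, terminator included.
 * An unchecked strcpy() here would write past the end of dst. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (n >= dst_size) return -1; /* reject instead of overflowing */
    memcpy(dst, src, n + 1);
    return 0;
}

int main(void)
{
    char buf[BUF_SIZE];
    unsigned int count = 0;
    const char *long_input = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; /* constructed, 32 bytes */
    int rc;

    rc = parse_count("-1", &count);
    printf("parse \"-1\": %d\n", rc);
    rc = parse_count("12", &count);
    printf("parse \"12\": %d (count=%u)\n", rc, count);
    rc = copy_bounded(buf, sizeof buf, long_input);
    printf("copy long input: %d\n", rc);
    rc = copy_bounded(buf, sizeof buf, "hello");
    printf("copy short input: %d (%s)\n", rc, buf);
    return 0;
}
```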