
I know how we do code injections with scripted languages like JavaScript, SQL, PHP, etc. and pretty much wherever an execute() function is used. However, I'm still unsure about how code injection works with compiled languages like C and C++.

I've looked up "C code injection" and "C++ code injection" on Google and our beloved StackOverflow but haven't found much besides the fact that it uses overflows like inputting -1 for an unsigned int variable or inputting too many values for an array.

I've seen some CTF videos where people input strings like aaaaaa with a lot of a's followed by some hex values (after seeing that the program returns SegFault with those long strings) but never really got a good explanation.

My question(s): How exactly is code injection done in compiled programs (like those written with C/C++)? How do people know when to use such injections? How are programs written to avoid such injections?

ChocolateOverflow
  • I think you are confused between overflows, code injection and shell execute function. – yeah_well Oct 29 '19 at 07:09
  • An injection attack is when you can get a program to interpret data in a way unintended by the developer. For example, `' OR 1=1 --`, the single apostrophe is interpreted as "end of string", not just as data. You can use the same technique in C or C++ programs, as long as the same requirements are given. For example, if a C++ program builds an SQL query based on user input, it may be vulnerable to SQL Injection. –  Oct 29 '19 at 09:10

0 Answers
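The two inputs the question mentions (-1 for an unsigned value, and more data than an array can hold), handled defensively in C. This is an added example, not part of the original thread; `BUF_SIZE` and the function names are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 16   /* constructed size for the fixed buffer */

/* Naive parse: strtoul() accepts a leading '-', so "-1" wraps to ULONG_MAX. */
unsigned long parse_count_naive(const char *s) {
    return strtoul(s, NULL, 10);
}

/* Checked parse: digits only, no overflow, and within the caller's limit.
 * Returns 0 and stores the value in *out on success, -1 on rejection. */
int parse_count_checked(const char *s, unsigned long max, unsigned long *out) {
    char *end;
    if (!isdigit((unsigned char)s[0])) return -1;  /* rejects "-1", "+1", " 1", "" */
    errno = 0;
    unsigned long v = strtoul(s, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > max) return -1;
    *out = v;
    return 0;
}

/* Bounded copy: refuses input that does not fit instead of writing past dst.
 * Returns bytes copied, or -1 if src plus its NUL terminator exceeds dst_size. */
int copy_input(char *dst, size_t dst_size, const char *src) {
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size) return -1;
    memcpy(dst, src, n + 1);
    return (int)n;
}

int main(void) {
    char buf[BUF_SIZE];
    unsigned long count;
    /* constructed inputs: the two cases the question mentions */
    int rejected_neg = parse_count_checked("-1", BUF_SIZE, &count);
    int rejected_long = copy_input(buf, sizeof buf, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
    return (rejected_neg == -1 && rejected_long == -1) ? 0 : 1;
}
```

Compiler and OS mitigations such as stack canaries, ASLR and non-executable stacks complement these checks but do not replace them.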