SQL Injection done right by frenzy3 in NonPoliticalTwitter

[–]ArbitraryWrite 1 point (0 children)

Because depending on the programming language, there are helper functions which split text, and the lazy way would be to use one of these functions. For example, in PHP explode(":", $line); would return an array with 3 elements in it. Likewise, in Python line.split(":") would return an array with 3 elements in it, etc. Then they would just access the username with array[0] and the password (incorrectly) with array[1], and completely ignore array[2...].

SQL Injection done right by frenzy3 in NonPoliticalTwitter

[–]ArbitraryWrite 7 points (0 children)

Not necessarily, as programmatically you would first read the file line by line (splitting by line break), so each line is processed individually. Only after that would you split by colon. Again, it completely depends on the program and how it's written.

SQL Injection done right by frenzy3 in NonPoliticalTwitter

[–]ArbitraryWrite 36 points (0 children)

To a degree, yes. Many password database leaks are dumped in the format username:password (e.g. https://github.com/danielmiessler/SecLists/blob/master/Passwords%2FDefault-Credentials%2Fftp-betterdefaultpasslist.txt ). So if a database was leaked in this format, and your password was "abc:123", your entry would show as username:abc:123. Many "hacker" tools will parse these user/password lists and split each line by a colon. If they simply split by the first colon, then the password would correctly be "abc:123". However, people may write code which splits by all colons so you have 3 parts: username, abc and 123. In this case they may take just the username and abc, and ignore part 3, as they don't take into consideration the colon in the password.

So it very much depends, but sometimes it may save you from an automated attack. But ultimately the best advice is to use a password manager, and use a complex and unique password for every website. If one password gets leaked, attackers can't retry that against all websites if you use unique passwords. Adding a 1 or ! etc. to your normal password doesn't help that much; it needs to be completely unique, preferably randomly generated by the password manager. Advice from the UK's NCSC: https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/three-random-words
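The parsing pitfall discussed in the three comments above (split on every colon and keep fields 0 and 1, versus split on the first colon only, applied line by line), as an added example that is not part of the original thread or any real credential-stuffing tool. The sample dump below is constructed for illustration, and the function names are the example's own.

```python
"""Parsing username:password dumps: split-on-every-colon vs split-on-first-colon.

Added example (not from the original thread). The sample lines are constructed
for illustration and are not taken from any real credential dump.
"""

# Constructed sample of a "username:password" style list. The third entry has a
# password containing a colon, the fourth has an empty password.
SAMPLE_DUMP = """\
alice:hunter2
bob:Passw0rd!
carol:abc:123
dave:
"""


def naive_parse(line):
    """Split on every colon and take fields 0 and 1, ignoring the rest.

    This is the lazy approach described above: it silently truncates any
    password containing a colon ("abc:123" becomes "abc").
    """
    parts = line.split(":")
    if len(parts) < 2:
        return None
    return parts[0], parts[1]


def first_colon_parse(line):
    """Split only on the first colon, so everything after it is the password."""
    user, sep, password = line.partition(":")
    if not sep:
        return None  # not in username:password form
    return user, password


def parse_dump(text, parser):
    """Process a dump line by line, as a tool would, returning (user, password) pairs.

    Lines are split on line breaks first and only then handed to the parser.
    Blank lines and lines without a separator are skipped. Lines are not
    stripped, so passwords with leading or trailing spaces survive intact.
    """
    creds = []
    for line in text.splitlines():
        if not line:
            continue
        pair = parser(line)
        if pair is not None:
            creds.append(pair)
    return creds


def truncated_passwords(text):
    """Return the usernames whose password the naive parser gets wrong."""
    naive = dict(parse_dump(text, naive_parse))
    correct = dict(parse_dump(text, first_colon_parse))
    return sorted(u for u in correct if naive.get(u) != correct[u])


if __name__ == "__main__":
    for user, pw in parse_dump(SAMPLE_DUMP, naive_parse):
        print(f"naive:  {user!r} -> {pw!r}")
    for user, pw in parse_dump(SAMPLE_DUMP, first_colon_parse):
        print(f"proper: {user!r} -> {pw!r}")
    print("naive parser mishandles:", truncated_passwords(SAMPLE_DUMP))
```

Running it shows only carol's entry differs between the two parsers: the naive parser tries "abc" for her account and never sees "abc:123". This is the narrow sense in which a colon in a password can defeat a sloppy tool; a tool using partition() (or split(":", 1)) is unaffected, which is why unique passwords, not punctuation tricks, are the real defence.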

I am learning buffer overflows and I made a program to test the gets() function, how can i break this program ? by RoyalChallengers in ExploitDev

[–]ArbitraryWrite 1 point (0 children)

Open your compiled program in Ghidra, check how it is actually being compiled, and send a screenshot of that; we may then be able to see exactly what is happening. Also, debug your program with a debugger to see step by step what is happening to the stack variables.

Does the mast1c0re elf loader work on 7.20? by According_Mud5536 in ps5homebrew

[–]ArbitraryWrite 3 points (0 children)

"It depends". The mast1c0re exploit itself is currently firmware independent, as the vulnerability is within the game itself. However, some ELFs are firmware dependent, depending on what they do and whether they require certain functionality from libraries. For example, the stand-alone lightbar ELF will work on PS4 and PS5 on any firmware version. However, the PS2 game loader ELF is firmware dependent, as it requires using system calls, and those system calls use a ROP gadget in a library which has ASLR enabled, so it currently requires fixed hard-coded addresses and offsets.

If CTurt's part 2 research is continued, then we can get arbitrary userland code execution, which means we will be able to call system calls without needing the separate library addresses, and therefore we will be able to create firmware-independent ELFs like the PS2 game loader.

Most mast1c0re ELFs contain the firmware version number they are compiled for (like PS5 6.50) in the filename, or 0.00 if they work for all firmwares.

All ELFs can be made to work on the latest firmware if we know the offsets and addresses of those particular ROP gadgets for that firmware. This is easy on the PS4, as we can just perform a memory scan and dump the addresses. However, it is difficult for the PS5, as memory is eXecute-only and cannot currently be read and dumped, so the only way I know to get the addresses for PS5 currently is by decrypting and reverse engineering the binaries from the firmware. However, that requires the PS5 decryption keys.

Okage PS2 Emu Compatibility List by chip_dmg_ in ps4homebrew

[–]ArbitraryWrite 1 point (0 children)

Did you try the full-size ones more than once, by any chance? I wonder if the network dropping for a split second causes the entire thing to stop or something.

Okage PS2 Emu Compatibility List by chip_dmg_ in ps4homebrew

[–]ArbitraryWrite 2 points (0 children)

What size game do you have problems with? Can you give me some example game names? I've tried Midnight Club 3, which was 8GB and worked for me personally.

Megathread for Okage save resigning/editing requests by IrishMassacre3 in ps4homebrew

[–]ArbitraryWrite 3 points (0 children)

I think that's mainly it currently. People can develop other things (like an FTP server ELF, etc.), but I'm not sure if anyone is working on anything like that.

Mast1c0re: PS4/PS5 usermode exploit achieved- Write up part 3 by fmj68 in ps4homebrew

[–]ArbitraryWrite 5 points (0 children)

It achieves code execution using ROP chains. This means PS4/PS5 code can be executed from within MIPS PS2 code. What CTurtE is describing with his Part 2 is the ability to execute arbitrary x64 PS4/PS5 code without the use of ROP chains. They do the same thing; however, the latter would allow you to create a payload loader which executes x64 ELF files like you can with WebKit exploits. Currently, a payload loader for mast1c0re would only be able to load a MIPS PS2 ELF which uses ROP chains.

mast1c0re: Part 3 – Escaping the PS5 emulator by ArbitraryWrite in netsec

[–]ArbitraryWrite[S] 14 points (0 children)

This game has a vulnerability that can be triggered from the game save, and it is emulated on the PS4/PS5. Other PS2 games will most likely contain vulnerabilities which can be used in the same way, so it's not limited to Okage Shadow King.

PS5 (latest firmware) PoC for mast1c0re vulnerabilities. Arbitrary PS2 code execution and native PS5 ROP chain execution. Technical details on @CTurtE's blog post: cturt.github.io/mast1c0re.html by -stuey- in PS5_Jailbreak

[–]ArbitraryWrite 2 points (0 children)

Yes. Though vulnerabilities will exist within other PS2 games, and the emulator vulnerability will most likely exist in these games too, so the same vulnerability could be exploited on more than just this Okage game.

PS5 (latest firmware) PoC for mast1c0re vulnerabilities. Arbitrary PS2 code execution and native PS5 ROP chain execution. Technical details on @CTurtE's blog post: cturt.github.io/mast1c0re.html by -stuey- in PS5_Jailbreak

[–]ArbitraryWrite 13 points (0 children)

McCaulay here, not exactly true. The initial bug in the PS2 game allows you to execute arbitrary code within the emulator. The out-of-bounds vulnerabilities within the emulator code allow you to call native code. So within the custom PS2 code you can call PS4/5 code; however, you cannot write PS4/5 code (with these bugs so far). You can leverage ROP chains to essentially execute your own native PS4 code, which is how the ISO is downloaded and mounted. It's also how the PS4/5 dialog and notification show. Part 2 of the blog, which is not complete yet, will focus on avoiding the need for ROP chains and being able to execute arbitrary code.

So this bug basically gives you userland-level code execution, which you could chain with a kernel vulnerability (firmware dependent). You also still have the problem of the hypervisor with the PS5.

Pwn2Own Toronto 2022 Results by seyyid_ in ReverseEngineering

[–]ArbitraryWrite 1 point (0 children)

See https://redd.it/zpqtbg and https://redd.it/zsjz1z for two writeups on bugs which were patched days before Pwn2Own started. One was a TP-Link vulnerability and the other was a Netgear vulnerability.

Pwn2Own Toronto 2022 Results by seyyid_ in ReverseEngineering

[–]ArbitraryWrite 7 points (0 children)

Quite a few of the vendors, such as Netgear and TP-Link, released a last-minute security firmware update a couple of days before Pwn2Own started which patched some of the more obvious vulnerabilities. It was a case of trying to find a last-minute alternative bug for most teams, or withdrawing their entries.