1. Concept (relative vs absolute)

    Absolute path: "/etc/hosts" (on Linux),
    "C:\Windows\System32\Drivers\etc\hosts" (on Windows)

    Relative path: "./hosts" or "hosts" (when already in the "etc" folder)

The same distinction applies to websites.

Absolute URL: "https://www.site.com/styles.css"

Relative URL in HTML: a stylesheet link whose href is just "styles.css".

In this case styles.css is a relative path that the browser resolves against the page's directory, which for a page at the root is the server's document root:

    var/www/
    |— index.html
    |— styles.css

Relative paths are more convenient when the site has a complex directory structure:

    var/www
    |— index.html
    |— login
    |   |— login.php
    |   |— register.php
    |   |— pc.css
    |   |— mobile.css
    |— static
        |— js
        |   |— jQuery.js
        |   |— bootstrap.js
        |— css
            |— styles.css

In this case login.php can load its stylesheet with the relative path "pc.css" (its absolute path is /login/pc.css).

  2. Example (a missing CSS style)

Client side (incorrect URL parsing):

Consider the following URLs:

www.site.com/login/login.php

www.site.com/login/login.php/

On the server side, the two URLs return the same page, login.php: the router stops at the script name and ignores the trailing slash.

On the client side, however, the two URLs differ. The browser resolves relative references against the page URL's base directory, which is /login/ for the first URL and /login/login.php/ for the second.

When the page references its stylesheet with a relative URL, the client therefore requests:

www.site.com/static/css/style.css

www.site.com/login/static/css/style.css

Obviously the second URL is invalid: once the trailing slash is added, the server returns 404 for it.

This is what lets us perform XSS: the server performs no check on the extra path segment, and the stylesheet request ends up at a URL the attacker chose.

Server side (server behaviour and configuration differences):

Web servers such as Apache and Nginx parse URLs differently. Take the URL:

www.site.com/login%2flogin.php

Apache returns 404 because there is no file named login%2flogin.php, while Nginx decodes %2f as "/" and returns the login.php page correctly.
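The two interpretations described in this section, the browser's resolution of a relative href against the page URL and the server's PATH_INFO routing together with its handling of an encoded slash, as an added Python example that is not code from the original post. The site layout in SCRIPTS is constructed, and the Nginx and Apache behaviour is modelled from the text above, not taken from either server's code.

```python
"""Models the two URL interpretations an RPO attack exploits (constructed)."""
import posixpath
from urllib.parse import unquote, urljoin

# Constructed site layout: the PHP scripts that exist on disk.
SCRIPTS = {"/index.php", "/login/login.php"}


def client_resource_url(page_url, relative_href):
    """Browser side: a relative href is resolved against the page URL's base
    directory (everything up to the last '/'), so a trailing slash after
    login.php moves the base from /login/ to /login/login.php/."""
    return urljoin(page_url, relative_href)


def php_route(path, scripts=SCRIPTS):
    """Server side (PATH_INFO routing): the longest prefix that names an
    existing script handles the request; the rest becomes PATH_INFO and is
    ignored by the router. Returns (script, path_info), or (None, None) for 404."""
    segments = path.split("/")
    for i in range(len(segments), 0, -1):
        candidate = "/".join(segments[:i])
        if candidate in scripts:
            return candidate, path[len(candidate):]
    return None, None


def nginx_like_path(raw_path):
    """Nginx decodes %2f before matching, so '..%2f' climbs one directory."""
    return posixpath.normpath(unquote(raw_path))


def apache_path(raw_path, allow_encoded_slashes=False):
    """Apache leaves %2F literal (AllowEncodedSlashes Off, the default); with
    the option enabled it decodes the slash and behaves like Nginx."""
    if allow_encoded_slashes:
        return nginx_like_path(raw_path)
    # decode everything except the encoded slash, which stays as-is
    kept = raw_path.replace("%2f", "%252f").replace("%2F", "%252F")
    return unquote(kept)


def serve(raw_path, server="nginx", allow_encoded_slashes=False):
    """Which script a given server runs for raw_path; None means 404."""
    if server == "nginx":
        path = nginx_like_path(raw_path)
    else:
        path = apache_path(raw_path, allow_encoded_slashes)
    return php_route(path)[0]
```

Running `client_resource_url` on the two login URLs from the text reproduces the /static/... and /login/static/... requests above, and `serve("/login%2flogin.php", ...)` gives login.php on Nginx but a 404 on default Apache.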

  3. Getting it to work

    We build a website structured as follows:

    var/www/
    |— index.php
    |— styles.css

index.php (the stylesheet include and the echo of the name parameter are reconstructed from the description that follows; the buttons are as on the page):

    <link rel="stylesheet" href="style.css">
    Hi, my name is <?php echo $_GET['name']; ?>.

    Press the green button below to friend me and the red to cancel.

    <button id="green">...</button>
    <button id="red">...</button>

When the page is accessed through https://www.site.com/index.php, the included stylesheet is loaded from https://www.site.com/style.css. If the page is loaded through https://www.site.com/index.php/[anything] instead, the stylesheet is loaded from https://www.site.com/index.php/style.css.

As stated before, the URL router on the server side ignores everything after index.php/, so the "stylesheet" is served by the page itself. By changing the name on a vulnerable social network, the attacker controls the value of name and, consequently, the content of the stylesheet.

We can make the HTML page parse as valid CSS by putting "{}" in front of our CSS: the CSS parser treats all the HTML before it as one (invalid) selector, discards that rule at the "{}", and parses what follows normally. The result is this:

https://www.site.com/index.php?name={}#green{background-color:red;}#red{background-color:green;}

The button intended to be green is now red. (For the request to behave as described, the page has to be fetched with a trailing path segment, such as index.php/, so that style.css resolves to the page itself, and the "#" characters must be sent as %23, since a literal "#" starts the URL fragment and never reaches the server.)

  4. Share your mind (CTF writeup)

    The challenge has a Write Article section to post text, an Overview section to view it, and a Reports section to submit a URL to a bot.

The source code contains a segment that loads a resource through a relative path, which makes an RPO attack possible.

So we can exploit it this way: use the Write Article section to post the JavaScript payload, then build a URL that uses RPO so that the Overview page's text is loaded as the script, and submit that URL in the Reports section. The bot loads the malicious JavaScript when it visits the RPO URL.

  5. Additional information

    PHP PATH_INFO URL mode:

    https://www.site.com/login/login.php/u/user/p/pass

This URL is equivalent to

https://www.site.com/login/login.php?u=user&p=pass

Addendum 2018/4/14

Introduction to RPO:

An RPO (Relative Path Overwrite) attack, also known as a relative path overwrite attack, exploits the differences between the Nginx server, misconfigured Apache servers and the browser in how they parse URLs. Using the relative-path CSS or JS included by a file, it causes CSS or JS to be read across directories, and can even make a page that is not itself CSS or JS be parsed as CSS or JS, thereby triggering XSS and further attacks.

RPO principle:

Described in detail in the English text above.

Preconditions for triggering an RPO vulnerability:

① Apache misconfigured so that the AllowEncodedSlashes option is enabled (for Apache this option is off by default), or an Nginx server.

How to understand this:

On an Nginx server, when we visit "http://rpo.com/test/..%2fshow.php", Nginx by default returns and displays the "http://rpo.com/show.php" page. This is because in Nginx's route parsing "%2f" is the URL-encoded "/", which means "..%2f" is interpreted as going up to the parent directory, resulting in a cross-directory call.

Under Apache the Nginx behaviour does not occur by default; instead Apache treats "..%2fshow.php" as a single file name and tries to open it, which naturally fails and returns 404. When AllowEncodedSlashes=true is set in the Apache configuration, the cross-directory call above reproduces.

② The page references JS or CSS through a relative path.

How to understand this:

Normally, when we access static CSS or JS resources, we use an absolute path such as "http://rpo.com/test/style.css". But if a site wants to be easier to migrate, or the developer wants to save effort, relative-path loading of static resources is common; for example "http://rpo.com/test/show.php", wanting to load style.css from the test directory, references it simply as "style.css". When resources are loaded through relative paths, an RPO vulnerability may exist.

Exploitation example:

To be added.
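A check for precondition ② that a defender can run over page markup, as an added Python example that is not part of the original post: it flags stylesheet and script imports that are path-relative and not anchored by an earlier `<base href>`, the condition under which the RPO attacks described above apply, and contrasts them with two hardened variants (root-relative URLs, or a `<base>` element). The sample HTML strings are constructed.

```python
"""Flags stylesheet/script imports that depend on the page's own path."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class RelativeImportFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.base_href = None  # set once a <base href> has been seen
        self.findings = []     # (tag, url) pairs resolved relative to the page URL

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href"):
            self.base_href = a["href"]  # only anchors imports that follow it
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            self._check(tag, a.get("href"))
        elif tag == "script":
            self._check(tag, a.get("src"))

    def _check(self, tag, url):
        if not url:
            return
        parts = urlsplit(url)
        # absolute ("https://..."), protocol-relative ("//cdn/...") and
        # root-relative ("/css/x.css") URLs do not depend on the page's path
        path_relative = (not parts.scheme and not parts.netloc
                         and not parts.path.startswith("/"))
        if path_relative and self.base_href is None:
            self.findings.append((tag, url))


def find_relative_imports(html):
    """Returns the (tag, url) imports that an RPO attack could redirect."""
    parser = RelativeImportFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed samples: the vulnerable page from the text and two hardened variants.
VULNERABLE = '<link rel="stylesheet" href="style.css"><script src="js/app.js"></script>'
ROOT_RELATIVE = '<link rel="stylesheet" href="/style.css"><script src="/js/app.js"></script>'
WITH_BASE = '<base href="https://www.site.com/"><link rel="stylesheet" href="style.css">'
```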
