RPO(Relative Path Overwrite)

Posted 2020-10-30 mountain2

1. Conception(Relative vs Absolute)
   Abosolute Path: “/etc/hosts”(in Linux),
   “C:\Windows\System32\Drivers\etc\hosts”(in Windows)
   Relative Path:”./hosts” or “hosts”(when in “etc” folder)

This also valid in website.
Absolute URL: “https://www.site.com/styles.css”
Relative URL in html:
??????

In this case, the styles.css is a relative path in server’s root directory.
var/www/
|— index.html
|— styles.css

Using relative directory can be easier when has a complex file structure.
var/www
|— index.html
|— login
| |— login.php
| |— register.php
| |— pc.css
| |— mobile.css
|— static
|— js
| |— jQuery.js
| |— bootstrap.js
|— css
|— styles.css

In this case, we can load css using relative path like “pc.css”(Its absolute path is /login/pc.css)

1. Example(A missing css style)

Client side(Incorrect url parse):
Considering the following urls:
www.site.com/login/login.php
www.site.com/login/login.php/

In server side, the two urls returns same page named index.php.
But as client side, the two urls differs from each other.

To load css style with relative urls, client requests resource as follows:
www.site.com/static/css/style.css
www.site.com/login/static/css/style.css

Obversely the second url is invalid which would return 404 from server when adding a forward slash.

In this case we can perform XSS without server side checking.

Server side(Incorrect server action and properties):
Some server framework like Apache and nginx parse url differently.

Urls as follows:
www.site.com/login%2flogin.php

Apache would return 404 cause there is no file named login%2flogin.php, at the same time, Nginx would return the login.php page currectly.

1. Get it work
   We build a website structured as follows:
   var/www/
   |— index.php
   |— styles.css

index.php





Hi, my name is .
Press the green button below to friend me and the red to cancel.

<button id=”green”>...</button>
<button id=”red”>...</button>

When accessing the page through https://www.site.com/index.php, the included stylesheet will be loaded from https://www.site.com/style.css. If the page is loaded through https://www.site.com/index.php/[anything] instead, the stylesheet will be loaded from https://www.site.com/index.php/style.css.

As stated before, the URL router on the server side will ignore everything after friend.php/ and the included stylesheet will therefore be loaded from the page itself. By changing the name on a vulnerable social network, the attacker can control the value of name and, consequently, the stylesheet.

We can get valid CSS within the HTML page by putting “{}” in front of the CSS, so the result is this:
https://www.site.com/index.php?name={}#green{background-color:red;}#red{background-color:green;}
The button intended to be green is now red.

1. Share your mind(CTF Writeup)
   Write article section to post text, Overview section to view text, Reports section to post url to bot.

The source code contents following segment:

Which has a RPO attack exploit with a relative path.

So we can exploit it this way:
Write article section to post a XSS file. Then edit a url using PRO exploit with Overview section’s text as malicious javascript. Bot will access malicious JavaScript after post the RPO url.

1. Additional Information
   Phpinfo url mode:
   https://www.site.com/login/login.php/u/user/p/pass

This url is equivalent as
https://www.site.com/login/login.php?u=user&p=pass