Text file injection leads to remote code execution on the client side



This is one of my findings from recent days, when I was pentesting a domain in a private scope. I found it worth sharing, so I am writing a few lines about it. The domain was related to a company's HR section, from where they used to send regular updates to their employees and clients.

There was a section where a customer can upload data in bulk through a CSV file.

This section caught my eye, as the uploaded data were later meant for the back-end team, who can export it as an Excel file.

Since the Excel file is exported from the domain itself, the trust factor for the file would obviously be high. So if an attacker could infect those Excel files in such a way that they execute remote code on the client side, then needless to say the back-end system can easily be compromised this way.


So I thought to upload an injected CSV file, but to my woes the file was well handled by the policies set at the server side. My reaction at that time: [image: "oh hell"]

So I started fiddling with the file types allowed for upload on the server. Though only CSV was mentioned, to my luck I found that a text file is allowed. I just uploaded a text file and it went through. [image: "wow"]

As files were still being exported as Excel, I thought to make a simple injection like
=-2+3+sum(1,10) in my text file and uploaded it to the server. When I exported the file (Excel), it was to see how it looks:
 

Voilà! That means it can be used to infect the internal system, as a user-cum-attacker can write small macro code in a text file to infect the internal system.

That's all for now. I will get back to you with some interesting findings or stuff. Till then, signing off!




