Run Commands On Company Machines (CSV Injection)

One of the more challenging tasks in web app pentesting is approaching an application that offers very limited interaction. It's easy to give up after trying every common method to exploit something, but putting in the time to understand an application is often rewarding and beneficial to one's personal growth as a hacker.


Introduction:

To respect the target's privacy, let's call the site redacted.com. After recon I started hunting on the web app. First I checked its subdomains for a subdomain takeover bug but did not find any. Then I created an account and looked for low-hanging fruit like session issues, XSS and CSRF bypasses, but found none of these either. Because the application offered so little interaction, I had little hope left, but I gave it one more try: I went to redacted.com/signup, created an account and went through every function. I found that a failed login attempt on my account wrote the request's User-Agent and IP address to my account activity log, and that the admin has an option to download this log as a CSV file. That is when something clicked: if I could somehow change the User-Agent to a custom value, I could send spreadsheet commands into the admin panel, and when the admin downloaded the log as CSV, my command would be downloaded with it.

Steps:

1) https://redacted.com/login/index?redirectUrl=%2F

2) Enter the company email address of the user whose computer you want to target.

3) Enter a random password.

4) Intercept the request.

5) Change the User-Agent to any Excel formula, e.g. "=1+1". I used this one because I am a tester, not an attacker; a payload such as "=cmd|' /C calc'!A0" would open the calculator on the victim's machine.

6) Forward the request.

7) The company owner checks the activity log, exports it and downloads the CSV file.

8) When the file is opened, the Excel formula runs on the company owner's computer; with the payload above, a calculator opens on the victim's machine.
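The fix on the application side is to neutralise formula-triggering cells before the activity log is exported. The following Python is an added example, not code from the original post or from the affected site; the log rows and timestamps are constructed sample data, and the column names are an assumption.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a
# formula when a CSV cell is opened. Tab and CR are included because some
# applications strip them before inspecting the first visible character.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def looks_like_formula(value: str) -> bool:
    """Return True if a spreadsheet would evaluate this cell as a formula."""
    return value.startswith(FORMULA_PREFIXES)


def sanitize_cell(value: str) -> str:
    """Neutralise a cell before it is written to a CSV export.

    A leading single quote makes spreadsheet applications treat the cell as
    literal text. Note that this also affects legitimate negative numbers,
    so apply it only to free-text columns such as the User-Agent.
    """
    if looks_like_formula(value):
        return "'" + value
    return value


def export_activity_log(rows):
    """Render account-activity rows as CSV text with every field sanitised.

    csv.writer doubles any embedded double quotes and, with QUOTE_ALL, wraps
    every field in quotes, so a crafted value cannot break out of its cell.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["timestamp", "event", "ip", "user_agent"])  # assumed columns
    for row in rows:
        writer.writerow([sanitize_cell(str(field)) for field in row])
    return buf.getvalue()


# Constructed sample log: one ordinary failed login and one whose
# User-Agent carries the benign test formula from the write-up.
SAMPLE_LOG = [
    ("2024-01-01T10:00:00Z", "login_failed", "203.0.113.7", "Mozilla/5.0 (X11; Linux x86_64)"),
    ("2024-01-01T10:00:05Z", "login_failed", "203.0.113.7", "=1+1"),
]

if __name__ == "__main__":
    print(export_activity_log(SAMPLE_LOG))
```

The same check can double as a detection rule: any activity-log entry whose User-Agent starts with one of these characters is worth flagging, since no real browser sends such a value.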
