Jump to content
Nytro

Excel formula injection in Google Docs

By Nytro, in Tutoriale in engleza

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

[h=3]Excel formula injection in Google Docs[/h][h=2]December 21, 2011[/h]

Surely all of you know about Google reward program for information security researchers who provide information about weak spots of Google resources. We had the chance to participate in this program, too. Here is a short story from @_chipik and @asintsov.

One day we needed to conduct a small survey, and we decided to use Google Docs as platform for the survey.

There is an object in Google Docs called Google Forms, and, as obvious from the name, it is used to create various surveys and tests forms.

1.png

After a form is created, its URL is published on the Internet or sent to people who are to participate in the survey.

This is how the form looks for a participant:

2.png

And this is how the author sees the participant's answers:

3.png

I suppose that any web researcher upon seeing a form instinctively puts ‘,",> and other interesting symbols here?

We tried it, too. However, everything was encoded and filtered exactly as planned.

Well… But all of user input is inserted into an Excel table, so why don't we try to inject some formula?

Excel formulas start with an “=”.

OK, let’s give it a try.

4.png

Fail. Cunning Google puts a space symbol before the "=" so that the formula is taken for a simple text cell.

So how do we get rid of the space? Easy as pie: use backspace :)

%08 is the Hex code of the backspace key.

5.png

Thus, we wrote in the entry field:

%08=1+2+C3

Voila!

6.pngThe formula got inserted into the table just fine.

All we had to do now was devise an interesting and practical vector for this particular injection. Google Functions helped us here.

7.pngWith the help of Google Functions it was possible to execute a request to any domain so that the request results got inserted into a specified cell.

That gave us the following attack vector:

1) Put sensitive user data into A1 cell (or probably they are already there)

2) Put a formula which makes GET request to http://own_site.com/secret_data_in_base64 into Z666 cell.

3) Read web server logs, get data from cells.

4) Profit!

Soon after describing the bug and the possible attack vector we got the following letter:

8.png

And a bit later we saw our names in Google Hall of Fame

9.pngFinally, a little Google Hack ;)

10.png

Posted by DSecRG

Sursa: Digital Security Research Group: Excel formula injection in Google Docs

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...