Excel Upload with malicious input

Scenario:

The application accepts only Excel files for upload. You have already tried the usual ways of getting another file type through (changing the extension, double extensions, terminating the extension with ;, changing the Content-Type header in the request, and so on), and nothing except Excel or CSV files gets past the check.


Steps:

  1. Start with a valid Excel file.
  2. Disable all security options in Excel: Options >> Trust Center >> enable all the "not recommended" settings.
  3. Enter the payloads in any cell. If the cell or the data-oriented sheet does not let you enter the payloads, or they do not execute, add a new worksheet and enter the payloads below.
    1. =cmd|'/c calc.exe'!_xlbgnm.A1
    2. =cmd|'/C notepad'!_xlbgnm.B9
    3. Change the cell references A1 and B9 to match the cell where you pasted the payload.



When a user opens this file, Excel shows some warnings and then runs the calculator and Notepad.
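A server-side check for this class of input, as an added example (not code from the original post): it scans each cell of an uploaded CSV for values a spreadsheet would evaluate as a formula or DDE link, reports them, and neutralizes them by prefixing an apostrophe so the cell is stored as literal text. The regular expression and the sample rows are constructed here; the same per-cell check applies to xlsx cell values read with any spreadsheet library.

```python
import csv
import io
import re

# Leading characters that make a spreadsheet evaluate a cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@")
# A DDE link has the shape =<server>|<topic>!<item>, like the cmd| payloads above.
DDE_PATTERN = re.compile(r"^[=+\-@].*\|.*!")


def classify_cell(value: str):
    """Return "dde", "formula" or None for how a spreadsheet would treat the cell."""
    stripped = value.lstrip()
    if not stripped:
        return None
    try:
        float(stripped)          # plain numbers such as "-12.5" are not formulas
        return None
    except ValueError:
        pass
    if DDE_PATTERN.match(stripped):
        return "dde"
    if stripped.startswith(FORMULA_TRIGGERS):
        return "formula"
    return None


def neutralize_cell(value: str) -> str:
    """Prefix a single quote so the cell is stored as text, not evaluated."""
    return "'" + value if classify_cell(value) else value


def scan_csv(text: str):
    """Return (findings, sanitized_rows); a finding is (row, col, kind, value)."""
    findings, sanitized = [], []
    for r, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        clean = []
        for c, cell in enumerate(row, start=1):
            kind = classify_cell(cell)
            if kind:
                findings.append((r, c, kind, cell))
            clean.append(neutralize_cell(cell))
        sanitized.append(clean)
    return findings, sanitized


# Constructed sample upload: two cells carry formula/DDE content, one holds a
# legitimate negative number that must not be flagged.
SAMPLE_CSV = (
    "name,amount,note\n"
    "alice,-12.5,ok\n"
    "bob,3,\"=cmd|'/C notepad'!_xlbgnm.B9\"\n"
    "carol,7,@SUM(1+1)\n"
)

if __name__ == "__main__":
    for r, c, kind, v in scan_csv(SAMPLE_CSV)[0]:
        print(f"row {r} col {c}: {kind} content rejected: {v!r}")
```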