Custom Formula CSV XLS XLSX Injection Wordlist

I did a web app pen test a few months ago where I ended up finding a server-side formula injection vulnerability. That was really odd, as formula injections are normally client-side.

While doing research on trying to find a way to perform command injection, I compiled a wordlist for future engagements.

If you’re wondering, I was not able to perform command injection, just SSRF, internal directory disclosure and general formulas.

Anyway, I added the wordlists to TreeHouse Wordlists.

This one with context found HERE

This one without context found HERE
