# Exploit Title: ERPGo SaaS 3.9 – CSV Injection
# Date: 18/01/2023
# Exploit Author: Sajibe Kanti
# CVE ID
# Vendor Name: RajodiyaInfotech
# Vendor Homepage: https://rajodiya.com/
# Software Link
# Version: 3.9
# Tested with: Windows & Live Litespeed Web Server
# Demo Link : https://demo.rajodiya.com/erpgo-saas/login
ERPGo, a SaaS platform for software-as-a-service (SaaS), is susceptible to CSV.
injection attacks. When an attacker can inject malware into the victim’s computer, this type of attack is called injection attacks.
To manipulate data imported into or exported from a CSV file in order to
Execute malicious code, or gain unauthorized access to sensitive information
information. An attacker can exploit this vulnerability by
Injecting data that is specially designed into a CSV File, then import it
In the ERPGo system. The attacker could gain access to the ERPGo system.
Access to confidential information such as financial or login credentials is possible
data or execute malicious code on the system.
# Proof of Concept (PoC), Exploit
1) Go To : https://erpgo.127.0.0.1/ERPGo/register <====| Register New
2) Fill out the registration
3. Now, click Accounting System
Step 4: Now, Add a new Vendor / Click Create
‘ /C calc’!A0
6. Now, submit this form
7) Download the Vendors list as a csv
8) File This CSV in Excel
9) Open the Calculator
# Image PoC: Refer Image
1) Payload Fired: https://prnt.sc/EkKPZiMa6yz8