I was testing a banking portal when I stumbled upon an “Export to Excel” feature. What looked harmless turned into a full Remote Code Execution (RCE) chain that gave me root access to their internal servers. The bank paid me $200 for this critical find. Today, I’ll break down exactly how I did it, with real code snippets you can test yourself.
Most hackers focus on web inputs. The real goldmine? Document processing (Excel, PDF, Word).
How the Bank’s System Worked:
- Users could export transaction logs to Excel.
- The server used an old Apache POI library (CVE-2021-27568) to generate files.
- No sandboxing — the parser ran with full system privileges.
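The defensive counterpart to that last point, as an added example that is not part of the original post or the bank's code: run the document generator as a separate child process that refuses to start as root, inherits no secrets, and is resource-capped. It assumes a POSIX host and a generator that reads the request on stdin and writes the file to stdout; `run_export_worker` and `CLEAN_ENV` are hypothetical names.

```python
import os
import resource
import subprocess

# Assumption: the spreadsheet generator is a separate program that reads the
# export request on stdin and writes the .xlsx bytes to stdout.
CLEAN_ENV = {"PATH": "/usr/bin:/bin", "LANG": "C.UTF-8"}


def _apply_limits(cpu_seconds, max_file_bytes):
    """Runs in the child just before exec: cap what a hijacked parser can use."""
    resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))
    resource.setrlimit(resource.RLIMIT_FSIZE, (max_file_bytes, max_file_bytes))
    resource.setrlimit(resource.RLIMIT_NOFILE, (64, 64))
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))  # no core dumps of customer data


def run_export_worker(argv, payload, cpu_seconds=5, max_file_bytes=50 * 2**20):
    """Run the document generator as an unprivileged, resource-capped child."""
    if os.geteuid() == 0:
        # Fail closed: a parser bug must never execute with root privileges.
        raise PermissionError("export worker must run under a dedicated service account")
    return subprocess.run(
        argv,
        input=payload,
        capture_output=True,
        env=CLEAN_ENV,    # secrets in the parent's environment are not inherited
        close_fds=True,   # nor are its open sockets and files
        preexec_fn=lambda: _apply_limits(cpu_seconds, max_file_bytes),
        timeout=cpu_seconds * 4,  # wall-clock backstop for a worker that sleeps
    )


if __name__ == "__main__":
    # Constructed request body; /bin/cat stands in for the real generator.
    result = run_export_worker(["/bin/cat"], b'{"format": "xlsx", "data": []}')
    print(result.returncode, result.stdout)
```

With this split, a flaw in the parsing library is confined to an account with no credentials in its environment and no root privileges, instead of the whole server.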
Step 1: Found the Vulnerable Endpoint
Intercepted a request with Burp:
POST /export_transactions
{ "format": "xlsx", "data": [/* transaction data */] }