
Hack XLSX

When Microsoft introduced Excel 2007, they introduced new file types – we all know them by now: xlsx, xlsm, xltx, etc. These file types are often referred to as Open XML. That’s because the new file types are essentially packages that contain XML files. If you take an xlsx file and change the extension to zip, you’ll be able to see all the XML documents that make up your Excel file.
The new Open XML file types come with lots of benefits. One of the major benefits is that you can change the content and properties of an Excel 2007 file simply by manipulating the XML documents that make it up.
Well, while playing with the Open XML files, I discovered that you can remove spreadsheet protection by making a single edit to the XML within the Excel file.

Say I have a workbook where Sheet1 is password protected. So I think to myself, “the nerve of some people – trying to keep me out of their spreadsheet”.
I decide that I want to unprotect this sheet, but I don’t know the password. Because this is Excel 2007, I’ll hack into the xml and remove the spreadsheet protection.

Step 1: Make a backup of your file in case you really monkey it up.
Step 2: Change the file extension to zip.

Step 3: Extract the contents of the zip file.
Step 4: Go to the extracted files and navigate to the xml for the target sheet (found in the ‘xl\worksheets’ directory)

Step 5: Open the target sheet’s xml document using an XML editor (I use a free editor called XML Marker)
Step 6: Find the ‘sheetProtection’ tag and remove the entire line.

Step 7: Save the edited xml document and replace the old xml document found in the original zip file.
Step 8: Change the extension back to xlsx.

Step 9: Enjoy your unprotected sheet.
That’s right folks; simply removing the sheetProtection element from the xml part negates all protections placed on that sheet. Amazing, right?
A couple of notes:
  1. Any password you see in the XML file is not the real password, nor will it work if you try to use it. It’s worthless.
  2. See this link to hack into a protected workbook.
  3. Do I have to even mention that this doesn’t apply to any xls files?
  4. Of course, you could do this all programmatically, but this strikes me as a one-off kind of thing. So coding something up is just not worth it to me.
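The steps above work because sheet protection is only an XML element, not encryption. As an added example (not code from the original post), this Python audit reports which worksheet parts in a package rely on `sheetProtection` alone and whether the file is actually encrypted. The function names, the constructed sample package and the OLE-header check for password-to-open workbooks are assumptions of this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
# Assumption of this example: a workbook encrypted with a password to open
# is stored in an OLE compound file, not a zip, and starts with this header.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")


def audit_sheet_protection(data: bytes) -> dict:
    """Report which worksheet parts carry a <sheetProtection> element."""
    if data.startswith(OLE_MAGIC):
        # Encrypted container: the XML parts cannot be read without the key.
        return {"encrypted": True, "sheets": {}}
    sheets = {}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if not (name.startswith("xl/worksheets/") and name.endswith(".xml")):
                continue
            root = ET.fromstring(pkg.read(name))
            prot = root.find(NS + "sheetProtection")
            sheets[name] = {
                "protected": prot is not None,
                # Attribute names only; a stored value is a hash, not the password.
                "attributes": sorted(prot.attrib) if prot is not None else [],
                # Cell data is plain XML whether or not the sheet is protected.
                "readable_cells": len(root.findall(f".//{NS}c")),
            }
    return {"encrypted": False, "sheets": sheets}


def build_sample() -> bytes:
    """Constructed package holding two worksheet parts (not a full workbook)."""
    ns = 'xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"'
    row = '<sheetData><row r="1"><c r="A1"><v>42</v></c></row></sheetData>'
    locked = f'<worksheet {ns}>{row}<sheetProtection password="ABCD" sheet="1"/></worksheet>'
    plain = f"<worksheet {ns}>{row}</worksheet>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/worksheets/sheet1.xml", locked)
        z.writestr("xl/worksheets/sheet2.xml", plain)
    return buf.getvalue()


if __name__ == "__main__":
    for part, info in audit_sheet_protection(build_sample())["sheets"].items():
        print(part, info)
```

A sheet reported as `protected` with a non-zero `readable_cells` count is one whose contents anyone with the file can read; if the data must stay confidential, the workbook needs encryption with a password to open rather than sheet protection.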
