Malicious QR Code with QRGen

QR codes are machine-readable data formats used across various applications, from product packaging to airline boarding passes. However, these convenient codes can be exploited by attackers who embed malicious payloads into custom QR codes using tools like QRGen. Since humans cannot read QR code content without scanning, malicious codes are difficult to identify before exposure, making QR code attacks particularly effective against vulnerable devices.

QRGen is a Python tool that generates malicious QR codes by encoding various exploit payloads. It includes a built-in library of popular exploits, making it valuable for penetration testers auditing QR code scanners and security professionals testing device vulnerabilities.

Payload Categories

QRGen supports multiple attack vectors accessible using the -l flag with corresponding numbers:

  • Command Injection − Execute system commands

  • Format String − Memory corruption attacks

  • String Fuzzing − Input validation testing

  • SQL Injection − Database manipulation

  • Directory Traversal − File system access

  • LFI (Local File Inclusion) − Access local files

  • XSS (Cross-Site Scripting) − Web application attacks

Installing QRGen

To install QRGen, clone the repository from GitHub and install the required dependencies:

git clone https://github.com/h0nus/QRGen
cd QRGen
pip3 install -r requirements.txt

Basic Usage

Run QRGen using Python 3 with the following command structure:

python3 qrgen.py [options]

Viewing Available Payloads

List available payload categories using the -l flag:

python3 qrgen.py -l 1

Generating Format String Payloads

Create QR codes containing format string exploitation payloads:

python3 qrgen.py -l 2

Output and Results

QRGen generates a series of QR codes containing the selected payloads. The tool automatically opens the most recently created QR code for immediate use. Generated codes are saved as image files in the output directory for batch testing or distribution.
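The receiving side of such a test, as an added example that is not part of QRGen or the original article: a default-deny validator that a scanner application could run on each decoded QR string before acting on it. It checks the string against an allowlist rather than trying to recognise each payload category. The host name, length limit, token pattern, and sample strings are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

ALLOWED_HOSTS = {"tickets.example.com"}    # hypothetical allowlist
MAX_LEN = 256                              # constructed limit; stops oversized fuzzing input
SAFE_TOKEN = re.compile(r"[A-Za-z0-9_-]{1,64}")

def validate_qr_payload(text):
    """Return (accepted, reason) for a decoded QR string, default-deny."""
    if len(text) > MAX_LEN:
        return False, "too long"
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in text):
        return False, "control character"
    try:
        url = urlsplit(text)
    except ValueError:
        return False, "unparseable"
    if url.scheme != "https":
        return False, "scheme not https"
    # Exact netloc match also rejects userinfo ("user@host") and explicit ports.
    if url.netloc.lower() not in ALLOWED_HOSTS:
        return False, "host not allowed"
    if url.fragment:
        return False, "fragment not allowed"
    # Decode once, then require every path segment to be a plain token;
    # "..", backslashes and leftover "%" (double encoding) all fail this.
    segments = [s for s in unquote(url.path).split("/") if s]
    if not all(SAFE_TOKEN.fullmatch(s) for s in segments):
        return False, "unsafe path"
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        if not (SAFE_TOKEN.fullmatch(key) and SAFE_TOKEN.fullmatch(value)):
            return False, "unsafe query parameter"
    return True, "ok"

# Constructed sample strings, one benign and one per payload category above.
SAMPLES = [
    "https://tickets.example.com/pass?pnr=ABC123&seat=12A",
    "ABC123; id",
    "%s%s%s%n",
    "A" * 5000,
    "https://tickets.example.com/pass?pnr=1'%20OR%20'1'='1",
    "https://tickets.example.com/%2e%2e/%2e%2e/etc/passwd",
    "https://tickets.example.com/pass?name=<script>alert(1)</script>",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(validate_qr_payload(s), repr(s[:60]))
```

A scanner that still acts on a rejected string when tested with the generated codes has an input-handling gap worth reporting.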

Security Considerations

Important: QRGen should only be used for authorized penetration testing, security research, and educational purposes. Using malicious QR codes against systems without permission is illegal and unethical. Always obtain proper authorization before testing QR code vulnerabilities.

Conclusion

QRGen provides security professionals with a powerful tool for testing QR code scanner vulnerabilities. Its comprehensive payload library makes it effective for penetration testing, but it must be used responsibly and only on authorized systems.

Updated on: 2026-03-25T10:29:05+05:30
