qr scanner | Defend the Web

0

hello :)
in my school their is somthing called PDS (personal dedicated study). this means that we have to spend 30 hours in the libary per 3 months. The way that you login is through a QR scanner, everyone has their own unquie code on are ID badge. if i scan the qr code on my phone the output is “ GOD13132911-12423” the GOD13132911 is the stand login and ID for pupils (used for loging into computer email etc) but the 12423 is not related to me other than the code. I am unsure of how to find the database type and i asume that the database type is SQL,

my idea, i want to be able to inject a statement and put this statement into a QR code for the scanner to read.
i just dont know what to inject, i am doing this for fun and not trying to add hours on my id.

gudgip
11 years ago

0

I don’t think this will work. But you could try to generate your own QR code like this:
‘ or 1=1–
Via http://goqr.me/
And see whatever the output is.

If your school uses SQL (probably SQL Server), they will tend to use it for every db they need.

0

that was my first thought i just refused to scan it D:

0

it will output “invalid membership card please try again”

J [ColdIV]
11 years ago

0

GOD13132911-‘or 1=1–
might be worth a try as well not sure how they do it
Probably won’t work but yea… d:

0

i will try next Monday :))))

*********** [ADIGA]
11 years ago

0

hehe, just tried decoding an XSS from a QR code on few online sites and found few with bugs :P

I Hate Signatures.

Luke [flabbyrabbit]
11 years ago

0

It is a great example of exploiting technologies that the manufacturer probably didn’t fully consider. I wonder how many other hardware based authentication systems are flawed.

0

they are all flawed just no one has found the flaws :)

0

ADIGA how would i try xss on the scanner ?

0

i have only just noticed that there are some buttons on the scanner not a clue what they do D;

daMage
11 years ago

0

can you see how the scanner is connected to the computer? it’s probably connected via USB and the computer sees it as a normal keyboard… imagine if you would plug in your own keyboard instead ;)

daMage

jayssj11
11 years ago

0

LOL !!! damage :D . yeah try it

JAYSSJ11- “I’d rather be hated for who I am, than loved for who I am not.”

[deleted user]
11 years ago

0

Does it mean that you need to create your own scanner? Which would be so cool.

0

nope Ethernet D;

[deleted user]
11 years ago

0

So does it have an IP address and a MAC address assigned to it.

*********** [ADIGA]
11 years ago

1

as a start … you will mostly find a model/model number on the qr reader …
that is someplace to start … as you can google for specs and manuals for it and get an idea how it works and what it connects to.

I Hate Signatures.

daMage
11 years ago

0

Or you could plug in your “throwing star” passive wiretap and sniff the traffic… ;)

daMage

0

the thing is that they are right at the front of the entrances they get used often so sitting with my laptop plugged in next to it is not the smartest idea D; more chance of plugging my laptop into the hub