As we all know, Tencent used to implement QQ quick login with an ActiveX control: on an unfamiliar browser, the first thing you had to do was install the QuickLogin control.
At some point (I'm not sure when), quick login suddenly stopped needing the control.
That puzzled me: what strange method was Tencent using to let a web page interact with a local application?
Without plugins, a web page should not be able to talk directly to a local application (unless a custom URL protocol is registered, but that can only launch the program; it cannot return the program's results to the page).
By chance (well, I was bored, looking at the task manager, noticed a local httpd and found Apache running), I realized a possibility: what if QQ opens a local port and acts as a web server, i.e. a TCP server that speaks HTTP, and the web page then makes an ajax request to QQ (acting as the web server) and gets the result back?
And that turned out to be exactly how it works.
Web JS initiates a GET request to http://localhost.ptlogin2.qq.com (ports from 4300-4308, one by one to success).
Pinging that host name resolves it to 127.0.0.1, and checking the port shows that it is indeed QQ listening on it.
First request: /pt_get_uins?callback=ptui_getuins_CB&r=0.5919004196050326&pt_local_tk=399224727
pt_local_tk comes from a cookie (its value does not seem to matter); r is a random number.
The response is a JSON array wrapped in a JSONP callback:
var var_sso_uin_list=[{"account":"Logged in QQ account","face_index":-1,"gender":0,"nickname":"Your QQ nickname","uin":"Still your QQ account","client_type":66818,"uin_flag":8388612}]; ptui_getuins_CB(var_sso_uin_list);
The page then uses http://ptlogin2.qq.com/getface to fetch the QQ avatars, which I will not go into here.
This way your QQ information can be displayed on the web page.
When you click your avatar (i.e. choose that account to log in with),
the following request is generated:
http://localhost.ptlogin2.qq.com:4300/pt_get_st?clientuin=你的QQ号&callback=ptui_getst_CB&r=0.7293395590126179&pt_local_tk=399224727
As before, r is a random number and pt_local_tk comes from a cookie (local_token).
What does this request do?
It sets cookies (Set-Cookie).
Then the page proceeds with the request
http://ptlogin2.qq.com/jump?clientuin=你的QQ号&keyindex=19&pt_aid=549000912&daid=5&u1=http%3A%2F%2Fqzs.qzone.qq.com%2Fqzone%2Fv5%2Floginsucc.html%3Fpara%3Dizone&pt_local_tk=1881902769&pt_3rd_aid=0&ptopt=1&style=40
The only parameter that matters here is u1, the destination address to redirect to.
This request returns all the cookies you need, and you are logged in.
Having worked out the protocol, a serious problem became apparent: what happens if a (malicious) program performs these steps on the user's behalf?
Get started now!
I only had a Mac at hand, so I wrote it in Obj-C.
[self GET:@"http://localhost.ptlogin2.qq.com:4300/pt_get_uins?callback=ptui_getuins_CB&r=0.47178753013324637&pt_local_tk=-1211438011" header:nil];
//GET here is a method I wrapped myself that fetches data from a web page
Note: from my earlier experience with QQ bots (based on the WebQQ protocol), the Referer header is critical (it must be a .qq.com domain); if it is wrong, the request is guaranteed to fail. So there were no detours here.
By the way, I was new to Obj-C at the time, and some of the code may look a bit silly; please forgive me.
//cookiedata is an NSDictionary
In this way the login is completed, and you can call a QQ Zone (Qzone) interface (not shown here); the post succeeds.
What does this mean? It means that any program running locally has a chance to complete the QQ login in your place and perform sneaky operations on platforms such as Qzone that do not require a second authentication step.
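The weakness the post describes is structural: a loopback HTTP server cannot tell a browser from any other local process, and the only things the real helper checks (a Referer header and a token copied out of a cookie) can be supplied by anyone who speaks HTTP. Below is an added example, written for this edit and not Tencent's or the author's code, of how such a local login helper can be designed more defensively. It checks the browser-controlled Origin header against a strict allowlist (which stops arbitrary web pages), answers plain JSON under CORS instead of JSONP (so a disallowed origin cannot even read the account list), and, most importantly, only issues a login ticket after the native client has asked the user for confirmation and minted a one-time nonce bound to that origin. That consent step is what addresses the scenario above, since a native program can forge any header it likes. The origin, port usage, account data and endpoint names are all constructed for the example.

```python
"""Hardened local quick-login helper (added example; assumptions are marked)."""
import json
import secrets
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs

# Constructed allowlist; a real helper would pin its vendor's login origins.
ALLOWED_ORIGINS = {"https://login.example.com"}
NONCE_TTL = 60  # seconds a confirmation nonce stays valid


class LoginHelper:
    """Request logic kept separate from sockets so it can be unit-tested."""

    def __init__(self, confirm_with_user):
        # Callback standing in for the native client's consent dialog;
        # it receives the requesting origin and returns True if the user agrees.
        self._confirm = confirm_with_user
        self._nonces = {}  # nonce -> (origin, expiry timestamp)
        self.accounts = [{"uin": "10001", "nickname": "demo"}]  # constructed

    def handle(self, path, headers):
        url = urlparse(path)
        query = parse_qs(url.query)
        origin = headers.get("Origin", "")
        # Browsers set Origin on cross-site XHR/fetch and page scripts cannot
        # override it; any other origin (or none at all) gets nothing.
        if origin not in ALLOWED_ORIGINS:
            return 403, {"error": "origin not allowed"}, {}
        cors = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
        if url.path == "/accounts":
            # Display data only, returned as JSON (no JSONP wrapper), so it is
            # readable solely by the allowed origin via CORS.
            return 200, {"accounts": self.accounts}, cors
        if url.path == "/consent":
            # Nothing sensitive happens until the user agrees in the native UI.
            if not self._confirm(origin):
                return 403, {"error": "user declined"}, cors
            nonce = secrets.token_urlsafe(32)
            self._nonces[nonce] = (origin, time.time() + NONCE_TTL)
            return 200, {"nonce": nonce}, cors
        if url.path == "/ticket":
            nonce = query.get("nonce", [""])[0]
            entry = self._nonces.pop(nonce, None)  # single use
            if entry is None or entry[0] != origin or entry[1] < time.time():
                return 403, {"error": "invalid or expired nonce"}, cors
            # Constructed stand-in for the login ticket/cookies the real flow returns.
            return 200, {"ticket": secrets.token_urlsafe(16)}, cors
        return 404, {"error": "not found"}, cors


def make_handler(helper):
    """Thin http.server adapter around LoginHelper.handle."""

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            status, body, extra = helper.handle(self.path, self.headers)
            payload = json.dumps(body).encode()
            self.send_response(status)
            self.send_header("Content-Type", "application/json")
            for name, value in extra.items():
                self.send_header(name, value)
            self.end_headers()
            self.wfile.write(payload)

    return Handler


if __name__ == "__main__":
    # Bind to loopback only; 4300 is the first port of the range the post mentions.
    helper = LoginHelper(lambda origin: input(f"Allow {origin} to log in? [y/N] ") == "y")
    HTTPServer(("127.0.0.1", 4300), make_handler(helper)).serve_forever()
```

The design choice worth noting is that the Origin check and the nonce are complementary: the header check is the right defence against a hostile web page, because the browser enforces it, but it does nothing against a local process, which is exactly why the ticket endpoint refuses to work without a freshly confirmed, single-use nonce.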