通过腾讯网页快捷登录协议截取 QQ邮箱 的 QQClientkey / QQKey 教程

最近发现之前的老代码已经不能获取QQ邮箱的Clientkey,经过一番调试后发现QQ邮箱更新了获取的流程,所以决定重新发布一篇文章,废话不多,直接上教程,喜欢的朋友记得点赞加关注。

step 1

首先需要获取到 Qrsig 的值(流程已更改)

Request URL:

https://ssl.ptlogin2.qq.com/ptqrshow?appid=716027609&e=2&l=M&s=3&d=72&v=4&t=0.1957881457063695&daid=383&pt_3rd_aid=102013353&u1=https%3A%2F%2Fgraph.qq.com%2Foauth2.0%2Flogin_jump

返回数据在浏览器 Set-Cookie 中。

实现代码:

		// 初始化URL
		URL_COMPONENTSA crackedURL = { 0 };
 
		char URL_STRING[] = "https://ssl.ptlogin2.qq.com/ptqrshow?appid=716027609&e=2&l=M&s=3&d=72&v=4&t=0.7009436033346066&daid=383&pt_3rd_aid=102013353&u1=https://graph.qq.com/oauth2.0/login_jump";
 
		char szHostName[128] = { 0 };
		char szUrlPath[256] = { 0 };
 
		crackedURL.dwStructSize = sizeof(URL_COMPONENTSA);
		crackedURL.lpszHostName = szHostName;
		crackedURL.dwHostNameLength = ARRAYSIZE(szHostName);
		crackedURL.lpszUrlPath = szUrlPath;
		crackedURL.dwUrlPathLength = ARRAYSIZE(szUrlPath);
		InternetCrackUrlA(URL_STRING, (DWORD)strlen(URL_STRING), 0, &crackedURL);
 
		// 初始化首次会话
		HINTERNET hInternet = InternetOpenA("Microsoft Internet Explorer", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0);
		if (hInternet != NULL){
			HINTERNET hHttpSession = InternetConnectA(hInternet, crackedURL.lpszHostName, INTERNET_DEFAULT_HTTPS_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
			if (hHttpSession != NULL){
				HINTERNET hHttpRequest = HttpOpenRequestA(hHttpSession, "GET", crackedURL.lpszUrlPath, NULL, "", NULL, INTERNET_FLAG_SECURE, 0);
				if (hHttpRequest != NULL){
					BOOL bRet = FALSE;
					// 发送HTTP请求
					bRet = HttpSendRequest(hHttpRequest, NULL, 0, NULL, 0);
					if (bRet){
						// 查询HTTP请求状态
						DWORD dwRetCode = 0;
						DWORD dwSizeOfRq = sizeof(DWORD);
						bRet = HttpQueryInfo(hHttpRequest, HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER, &dwRetCode, &dwSizeOfRq, NULL);
						if (bRet){
							// 读取整个Headers
							char lpHeaderBuffer[1024] = { 0 };
							dwSizeOfRq = 1024;
							HttpQueryInfo(hHttpRequest, HTTP_QUERY_RAW_HEADERS, lpHeaderBuffer, &dwSizeOfRq, NULL);
							// 从Cookie中提取qrsig的值
							char* qrsig = lpHeaderBuffer + dwSizeOfRq;
							while (qrsig != lpHeaderBuffer){
								if (strstr(qrsig, "qrsig=")){
									// 退出之前,修正偏移
									qrsig += sizeof("qrsig");
									char* pEndBuffer = strstr(qrsig, ";");
									*pEndBuffer = 0;
									break;
								}
								qrsig--;
							}
 
							// 关闭句柄
							InternetCloseHandle(hHttpRequest);
							InternetCloseHandle(hHttpSession);
 
							cout << "[+] qrsig:" << qrsig << "\r\n" << endl;
					}
				}
			}
		}

效果演示:

step 2

利用 Qrsig 获取 pt_local_token

Request URL:

https://xui.ptlogin2.qq.com/cgi-bin/xlogin?target=self&appid=522005705&daid=4&s_url=https%3A%2F%2Fwx.mail.qq.com%2Flist%2Freadtemplate%3Fname%3Dlogin_jump.html%26target%3D&style=25&low_login=1&proxy_url=https://mail.qq.com/proxy.html&need_qr=0&hide_border=1&border_radius=0&self_regurl=https%3A%2F%2Freg.mail.qq.com&app_id=11005?t=regist&pt_feedback_link=http://support.qq.com/discuss/350_1.shtml&css=https://res.mail.qq.com/zh_CN/htmledition/style/ptlogin_input_for_xmail.css&enable_qlogin=0

请求标头带入 Cookie(Qrsig 的值),返回数据在浏览器 Set-Cookie 中。

**实现代码: **

							/* 第二次建立会话 */
 
							// 初始化URL参数
							char lpszUrlPath_2[1024] = { 0 };
							strcpy(lpszUrlPath_2, "/cgi-bin/xlogin?target=self&appid=522005705&daid=4&s_url=https://wx.mail.qq.com/list/readtemplate?name=login_jump.html&target=&style=25&low_login=1&proxy_url=https://mail.qq.com/proxy.html&need_qr=0&hide_border=1&border_radius=0&self_regurl=https://reg.mail.qq.com&app_id=11005?t=regist&pt_feedback_link=http://support.qq.com/discuss/350_1.shtml&css=https://res.mail.qq.com/zh_CN/htmledition/style/ptlogin_input_for_xmail.css&enable_qlogin=0");
 
							// 初始化会话
							hHttpSession = InternetConnectA(hInternet, "xui.ptlogin2.qq.com", 443, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
							if (NULL != hHttpSession)
							{
								hHttpRequest = HttpOpenRequestA(hHttpSession, "GET", lpszUrlPath_2, NULL, "", NULL, INTERNET_FLAG_SECURE, 0);
								if (NULL != hHttpRequest)
								{
									// 请求标头添加 Cookie 
									char lpCookie[256] = { 0 };
									strcpy(lpCookie, "Cookie: qrsig=");
									strcat(lpCookie, qrsig);
									strcat(lpCookie, "\r\n");
 
									HttpAddRequestHeaders(hHttpRequest, lpCookie, -1L, HTTP_ADDREQ_FLAG_ADD);
 
									bRet = HttpSendRequestA(hHttpRequest, NULL, NULL, NULL, 0);
									if (bRet)
									{
										// 查询HTTP请求状态
										dwRetCode = 0;
										dwSizeOfRq = sizeof(DWORD);
										bRet = HttpQueryInfo(hHttpRequest, HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER, &dwRetCode, &dwSizeOfRq, NULL);
										if (bRet)
										{
											// 读取整个Headers
											ZeroMemory(lpHeaderBuffer, 1024);
											dwSizeOfRq = 1024;
											HttpQueryInfo(hHttpRequest, HTTP_QUERY_RAW_HEADERS, lpHeaderBuffer, &dwSizeOfRq, NULL);
											// 从Cookie中提取pt_local_token的值
											char* pt_local_token = lpHeaderBuffer + dwSizeOfRq;
											while (pt_local_token != lpHeaderBuffer) {
												if (strstr(pt_local_token, "pt_local_token=")) {
													// 退出之前,修正偏移
													pt_local_token += sizeof("pt_local_token");
													char* pEndBuffer = strstr(pt_local_token, ";");
													*pEndBuffer = 0;
													break;
												}
												pt_local_token--;
											}
 
											// 释放资源,注意关闭句柄时按相反的顺序
											InternetCloseHandle(hHttpRequest);
											InternetCloseHandle(hHttpSession);
 
											cout << "[+] pt_local_token:" << pt_local_token << "\r\n" << endl;
 
											
										}
									}
								}
							}

效果演示:

step 3

利用 pt_local_token 获取本地已登录的 QQ Uin。

Request URL:

https://localhost.ptlogin2.qq.com:4301/pt_get_uins?callback=ptui_getuins_CB&r=0.7544340024793896&pt_local_tk=pt_local_tk

返回在浏览器中的 Response (网页数据),请求标头带入 Referer。

Referer: https://xui.ptlogin2.qq.com/

实现代码:

                                            /* 第三次建立会话 */
 
											// 初始化URL参数
											char lpszUrlPath_3[1024] = { 0 };
											strcpy(lpszUrlPath_3, "/pt_get_uins?callback=ptui_getuins_CB&r=0.");
											strcat(lpszUrlPath_3, szRandNum);			// 追加16位随机数
											strcat(lpszUrlPath_3, "&pt_local_tk=");
											strcat(lpszUrlPath_3, pt_local_token);	// 追加pt_local_token
 
											//cout << "[+] lpszUrlPath_3:" << lpszUrlPath_3 << "\r\n" << endl;
 
											// 初始化会话
											hHttpSession = InternetConnectA(hInternet, "localhost.ptlogin2.qq.com", 4301, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
											if (NULL != hHttpSession)
											{
												hHttpRequest = HttpOpenRequestA(hHttpSession, "GET", lpszUrlPath_3, NULL, "", NULL, INTERNET_FLAG_SECURE, 0);
												if (NULL != hHttpRequest)
												{
													// 请求标头添加 Referer 
													char lpReferer[256] = { 0 };
													strcpy(lpReferer, "Referer: https://xui.ptlogin2.qq.com/");
													strcat(lpReferer, "\r\n");
 
													HttpAddRequestHeaders(hHttpRequest, lpReferer, -1L, HTTP_ADDREQ_FLAG_ADD);
 
													bRet = HttpSendRequestA(hHttpRequest, NULL, NULL, NULL, 0);
													if (bRet)
													{
														// 查询HTTP请求状态
														dwRetCode = 0;
														dwSizeOfRq = sizeof(DWORD);
														bRet = HttpQueryInfo(hHttpRequest, HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER, &dwRetCode, &dwSizeOfRq, NULL);
														if (bRet)
														{
															// 获取返回数据的大小
															DWORD dwNumberOfBytesAvailable = 0;
															bRet = InternetQueryDataAvailable(hHttpRequest, &dwNumberOfBytesAvailable, NULL, NULL);
															if (bRet)
															{
																// 读取网页内容
																char* lpBuffer = new char[dwNumberOfBytesAvailable + 1]();
																bRet = InternetReadFile(hHttpRequest, lpBuffer, dwNumberOfBytesAvailable, &dwNumberOfBytesAvailable);
																if (bRet)
																{
																	// 从内容中提取已登陆QQ账号
																	char* uin = lpBuffer + dwNumberOfBytesAvailable;
																	while (uin != lpBuffer)
																	{
																		if (strstr(uin, "\"account\":"))
																		{
																			// 退出之前,修正偏移
																			uin += sizeof("\"account\":") - 1;
																			char* pEndBuffer = strstr(uin, "}");
																			*pEndBuffer = 0;
																			break;
																		}
																		uin--;
																	}
 
																	// 释放资源,注意关闭句柄时按相反的顺序
																	InternetCloseHandle(hHttpRequest);
																	InternetCloseHandle(hHttpSession);
 
																	cout << "[+] uin:" << uin << "\r\n" << endl;
 
																	
																}
															}
														}
													}
												}
											}

效果演示:

step 4

利用 QQuin 与 pt_local_token 获取 QQClientkey。

Request URL:

https://localhost.ptlogin2.qq.com:4301/pt_get_st?clientuin=QQUin&r=0.8134579633763475&pt_local_tk=pt_local_token&callback=__jp0

请求标头带上 Referer

Referer: https://xui.ptlogin2.qq.com/

返回数据在浏览器 Set-cookie 中。

实现代码:

/* 第四次会话 */
 
																	// 初始化URL参数
																	char lpszUrlPath_4[1024] = { 0 };
																	strcpy(lpszUrlPath_4, "/pt_get_st?clientuin=");
																	strcat(lpszUrlPath_4, uin);
																	strcat(lpszUrlPath_4, "&r=0.");
																	strcat(lpszUrlPath_4, szRandNum);
																	strcat(lpszUrlPath_4, "&pt_local_tk=");
																	strcat(lpszUrlPath_4, pt_local_token);
																	strcat(lpszUrlPath_4, "&callback=__jp0");
 
																	cout << "[+] lpszUrlPath_4:" << lpszUrlPath_4 << "\r\n" << endl;
 
																	// 发送HTTPS请求
																	hHttpSession = InternetConnectA(hInternet, "localhost.ptlogin2.qq.com", 4301, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
																	if (NULL != hHttpSession)
																	{
																		hHttpRequest = HttpOpenRequestA(hHttpSession, "GET", lpszUrlPath_4, NULL, "", NULL, INTERNET_FLAG_SECURE, 0);
																		if (NULL != hHttpRequest)
																		{
																			// 请求标头添加 Referer 
																			char lpReferer_2[256] = { 0 };
																			strcpy(lpReferer_2, "Referer: https://xui.ptlogin2.qq.com/");
																			strcat(lpReferer_2, "\r\n");
 
																			HttpAddRequestHeaders(hHttpRequest, lpReferer_2, -1L, HTTP_ADDREQ_FLAG_ADD);
 
																			bRet = HttpSendRequestA(hHttpRequest, NULL, NULL, NULL, 0);
																			if (bRet)
																			{
																				// 查询HTTP请求状态
																				dwRetCode = 0;
																				dwSizeOfRq = sizeof(DWORD);
																				bRet = HttpQueryInfoA(hHttpRequest, HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER, &dwRetCode, &dwSizeOfRq, NULL);
																				if (bRet)
																				{
																					// 读取整个Headers
																					ZeroMemory(lpHeaderBuffer, 1024);
																					dwSizeOfRq = 1024;
																					bRet = HttpQueryInfoA(hHttpRequest, HTTP_QUERY_RAW_HEADERS, lpHeaderBuffer, &dwSizeOfRq, NULL);
																					if (bRet)
																					{
																						// 从Cookie中提取ClientKey的值
																						char* clientkey = lpHeaderBuffer + dwSizeOfRq;
																						while (clientkey != lpHeaderBuffer)
																						{
																							if (strstr(clientkey, "clientkey="))
																							{
																								// 退出之前,修正偏移
																								clientkey += sizeof("clientkey");
																								char* pEndBuffer = strstr(clientkey, ";");
																								*pEndBuffer = 0;
																								break;
																							}
																							clientkey--;
																						}
 
																						// 释放资源,注意关闭句柄时按相反的顺序
																						InternetCloseHandle(hHttpRequest);
																						InternetCloseHandle(hHttpSession);
 
																						cout << "[+] clientkey:" << clientkey << "\r\n" << endl;
																					}
																				}
																			}
																		}
																	}

效果演示:

step 5

获取 ptsigx

Request URL:

https://ssl.ptlogin2.qq.com/jump?clientuin=QQUin&keyindex=9&pt_aid=716027609&daid=383&u1=https%3A%2F%2Fgraph.qq.com%2Foauth2.0%2Flogin_jump&pt_local_tk=633103212&pt_3rd_aid=102013353&ptopt=1&style=40

请求标头带上 Referer 与 Cookie(QQClientkey)

Referer: https://xui.ptlogin2.qq.com/
Cookie: QQClientkey

返回数据在浏览器 Response 中(网页数据) 。

实现代码:

/* 第五次会话 */
 
// 初始化URL参数
																						char lpszUrlPath_5[1024] = { 0 };
																						strcat(lpszUrlPath_5, "/jump?clientuin=");
																						strcat(lpszUrlPath_5, u_Uin);
																						strcat(lpszUrlPath_5, "&keyindex=9&pt_aid=716027609&daid=383&u1=https%3A%2F%2Fgraph.qq.com%2Foauth2.0%2Flogin_jump&pt_local_tk=");
																						strcat(lpszUrlPath_5, u_Token);
																						strcat(lpszUrlPath_5, "&pt_3rd_aid=102013353&ptopt=1&style=40");
 
// 发送HTTPS请求
																						hHttpSession = InternetConnectA(hInternet, "ssl.ptlogin2.qq.com", INTERNET_DEFAULT_HTTPS_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
																						if (NULL != hHttpSession)
																						{
																							hHttpRequest = HttpOpenRequestA(hHttpSession, "GET", lpszUrlPath_5, NULL, "", NULL, INTERNET_FLAG_SECURE, 0);
																							if (NULL != hHttpRequest)
																							{
																								// 请求标头添加 Referer & Cookie 
																								char lpCookie_2[1024] = { 0 };
																								strcpy(lpCookie_2, "Referer: https://xui.ptlogin2.qq.com/");
																								strcat(lpCookie_2, "\r\n");
																								strcat(lpCookie_2, "Cookie: clientkey=");
																								strcat(lpCookie_2, u_Ckey);
																								strcat(lpCookie_2, "\r\n");
 
																								HttpAddRequestHeaders(hHttpRequest, lpCookie_2, -1L, HTTP_ADDREQ_FLAG_ADD);
 
																								bRet = HttpSendRequestA(hHttpRequest, NULL, NULL, NULL, 0);
																								if (bRet)
																								{
																									// 查询HTTP请求状态
																									dwRetCode = 0;
																									dwSizeOfRq = sizeof(DWORD);
																									bRet = HttpQueryInfoA(hHttpRequest, HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER, &dwRetCode, &dwSizeOfRq, NULL);
																									if (bRet)
																									{
																										// 获取返回数据的大小
																										DWORD dwNumberOfBytesAvailablex = 0;
																										InternetQueryDataAvailable(hHttpRequest, &dwNumberOfBytesAvailablex, NULL, NULL);
 
																										// 读取网页内容
																										char* lpBufferx = new char[dwNumberOfBytesAvailablex + 1]();
																										InternetReadFile(hHttpRequest, lpBufferx, dwNumberOfBytesAvailablex, &dwNumberOfBytesAvailablex);
 
																										// 返回的数据
																										cout << "[+] Response Data:" << lpBufferx << "\r\n" << endl;
 
																										delete[] lpBufferx;
 
																										
																									}
																								}
																							}
																						}

效果演示:

完整工具下载

【蓝奏云下载】(提取码:eh9v)

【百度云下载】(提取码:wqau)

官方网站

【www.CHWM.vip】

posted @ 2024-01-12 13:24  Rainbow_Technology  阅读(613)  评论(0编辑  收藏  举报