SongShuA

A dream of golden millet in the heart, a free and easy mind in hand. A cybersecurity practitioner full of ideas.

See how I sniff the opponent's IP through QQ.

Note: This article is only for technical explanation and not for illegal use. Although technology is good, please do not use it for illegal purposes.

First, we need to know what an XML message is. In the QQ chat window, almost everything other than plain text and images is an XML message. The recently popular "message receipt", "internet police inspection", "fake red envelope" and similar gimmicks all rely on XML to get QQ to render a special message.

Here comes the key point (drum roll)

So, what is the relationship between QQ XML messages and IP detection?

Have we all seen this kind of message before:

[screenshot: a QQ share-card message with a title, a summary and a cover image]

This message has a title, content, and a cover image. At this point, we extract the XML code of this message:

[screenshot: the XML source of the share-card message]

We can see that there are two links in this code. One is `url`, the address of the article: when the card is clicked, QQ opens that site in the browser. The other is `cover`, the article's cover image.

Notice that the cover image is loaded automatically. The moment we receive this message, the image is displayed. In other words, as long as we have a network connection, our QQ client "visits" that image by itself, without any action on our part.

And we all know that when a network resource is accessed, the server logs the HTTP request. By reading those log entries we can learn the visitor's IP, User-Agent (UA) and other details.

So, what if the image in this XML message is tampered with?

Now, let's replace the image in the XML code. It can be replaced with anything; as long as it sits in the `cover` position, QQ will actively "visit" it.

Once the replacement is done, find a way to send the XML message to the target through QQ, then read the server log to obtain the other party's IP and UA. The IP gives us their rough location, and the UA gives us their device model.
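From the defender's side, the giveaway is exactly what the paragraphs above describe: a share card whose cover image is fetched automatically from a host that has nothing to do with the link being shared. The following Python audit is an added example, not code from the original post. It assumes the usual share-card layout (a `url` attribute on `<msg>` and a `cover` attribute on `<picture>`) and uses a constructed sample message whose cover points at the ceye address format used on this page.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Hosts of out-of-band request-logging services (ceye.io is the one used on this page).
KNOWN_LOGGER_SUFFIXES = ("ceye.io",)

# Constructed sample resembling a QQ share card: the shared link points at one
# site while the auto-loaded cover image points at a logging server.
SAMPLE_XML = """<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<msg serviceID="1" action="web" url="https://www.baidu.com/" brief="[link]Baidu">
  <item layout="2">
    <picture cover="http://XXX.ceye.io/favicon.ico"/>
    <title>Baidu</title>
    <summary>Baidu, you will know</summary>
  </item>
  <source name="Baidu"/>
</msg>"""


def host_of(url):
    """Lower-cased host part of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def extract_fetches(xml_text):
    """Return (click_url, [auto-loaded cover URLs]) from a share-card message.

    Assumes the share-card layout: `url` on <msg>, `cover` on <picture>.
    """
    root = ET.fromstring(xml_text)
    click_url = root.get("url", "")
    covers = [p.get("cover") for p in root.iter("picture") if p.get("cover")]
    return click_url, covers


def audit_message(xml_text):
    """Flag covers the client would load automatically from a host that differs
    from the shared link's host, or that belongs to a known logging service."""
    click_url, covers = extract_fetches(xml_text)
    link_host = host_of(click_url)
    findings = []
    for cover in covers:
        cover_host = host_of(cover)
        if any(cover_host == s or cover_host.endswith("." + s) for s in KNOWN_LOGGER_SUFFIXES):
            findings.append(("known-logger-host", cover))
        elif cover_host != link_host:
            findings.append(("host-mismatch", cover))
    return findings
```

A client-side or gateway filter that applies this check before rendering the card turns the automatic fetch back into a deliberate one.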

Next, let's put it into practice. The target is our mischievous Xi, who is slacking off instead of doing her job.

First, we prepare an XML message, let's use the most common one, Baidu (less likely to be suspected). Visit Baidu in QQ, then share it, so we can quickly get an XML message.

Then extract it and modify it, changing the cover to a resource on our own server. Here I used ceye instead (because I'm poor and lazy); fill in your own ceye address:

http://XXX.ceye.io/favicon.ico

[screenshot: the modified XML with the cover pointing at the ceye address]

Send the modified XML message to the target, wait a few seconds, then recall it. (Wait a few seconds so the target's client finishes loading it; recall it because otherwise the image may be fetched several times and clutter the log.)

[screenshot: the sent message in the chat window]

At this point the image shows as failed to load, because the cover in the XML is broken and cannot be displayed.

Finally, go to the ceye backend and open the HTTP Request tab.

[screenshot: the ceye HTTP Request log]

You can see that the newest entry at the top is Meng Xi's information. The ones below are earlier and are mine, because the sender's own client is always the first to finish loading the XML message. Then we take the IP and UA and look them up. I won't go into the IP lookup results here. As for the UA, I searched it on Baidu.

[screenshot: the UA lookup result]

Tsk tsk tsk (you can check what device I have and see how poor I am).

The practical part ends here.

Final words:

In fact, these steps can be optimized further for a smoother result.

For example, not using ceye; it crashes every now and then, which is really exhausting.

For example, using some means to serve PHP as an image, so that a complete private sniffing setup can be built.

For example, using high-precision IP geolocation, accurate to street level, so I can intercept girls on their way home from school (smirking).

Article first published on the official account.
