##ps：本文章仅用来分享，请勿将文章内的相关技术用于非法目的，请勿将文章内的相关技术用于非法目的，请勿将文章内的相关技术用于非法目的！！如有非法行为与本文章作者无任何关系。一切行为以遵守《中华人民共和国网络安全法》为前提。######

🌟🌟今天hw貌似爆了挺多劲爆的0day，大佬果然多啊

昨天看到群里有人说扣扣爆了0day，看了一下复现没什么技术难点，还是七夕，就想给朋友一个小礼物（虽然非常土。。。。。。。）。

原理

qq windows客户端的“文件传输消息”在经过“回复消息”功能处理后，该文件会变为无需用户点击“下载”或“运行”等确认按钮，点击消息文本后即可自动下载并执行。大大降低了黑客的钓鱼难度🎣。

（目前qq官方以紧急修复该漏洞，升级qq版本即可）

影响版本

QQ Windows版9.7.13及以前版本

复现过程

1、搞一个可执行脚本文件，随便什么.bat、.vbs、.html都行

（我搞了个七夕的小玩意儿，非恶意的，test还打错了，打成了text，卒///）

 2、把文件先发给自己（可以随便跟一个人建一个群，然后把那人踢出去，就成了自己一个群，就可以发消息给自己啦～）

 3、然后右键，回复这个消息，随便回复什么都可以。

4、然后就可以把这条带有可执行文件的消息转发给朋友们啦。

5、本来想跟朋友试，结果我的朋友不想打开电脑💻。。。。。。。卒

我就自己玩了，效果是这样的：

 （烟花还能跟着鼠标动，鼠标点哪里，烟花就放哪里。。。。。好吧是有点土。。。）

 6、 正常情况下，qq中的文件想要下载，需要我们主动点击“打开”按钮，和“确认下载”按钮，再主动双击这个文件，它才会完成执行。比如这样：

但这个漏洞，只需要点击消息它就会自动下载、自动执行。

后记——烟花脚本代码

<!DOCTYPE html>//心心部分代码
<html>
<head><meta charset="utf-8"><title>loveHeart</title><link rel="shortcut icon" href="http://zhouql.vip/images/心.png" type="image/x-icon"><style>html,body {height: 100%;padding: 0;margin: 0;background: #000;}canvas {position: absolute;width: 100%;height: 100%;}p{position: fixed;top: 50%;left: 50%;transform: translate(-50%,-50%);color: pink;animation: k 1.5s ease-in-out infinite;}@keyframes k{100%{font-size: 24px;opacity: 0;}}</style>
</head>
<body><p style="font-size:35px; ">七夕快乐~yeah</p>h1 {font-family: Verdana, Geneva, Tahoma, sans-serif;}<canvas id="pinkboard"></canvas><script>var settings = {particles: {length: 700,  // 爱心的大小duration: 2,  // 爱心扩散速度，越小速度越快velocity: 100,  // 爱心扩散速度，越小速度越慢effect: -0.25, // 爱心收缩效果，比如：1扩散，-2收缩size: 56, // 爱心数量},};(function () { var b = 0; var c = ["ms", "moz", "webkit", "o"]; for (var a = 0; a < c.length && !window.requestAnimationFrame; ++a) { window.requestAnimationFrame = window[c[a] + "RequestAnimationFrame"]; window.cancelAnimationFrame = window[c[a] + "CancelAnimationFrame"] || window[c[a] + "CancelRequestAnimationFrame"] } if (!window.requestAnimationFrame) { window.requestAnimationFrame = function (h, e) { var d = new Date().getTime(); var f = Math.max(0, 16 - (d - b)); var g = window.setTimeout(function () { h(d + f) }, f); b = d + f; return g } } if (!window.cancelAnimationFrame) { window.cancelAnimationFrame = function (d) { clearTimeout(d) } } }());var Point = (function () {function Point(x, y) {this.x = (typeof x !== 'undefined') ? x : 0;this.y = (typeof y !== 'undefined') ? y : 0;}Point.prototype.clone = function () {return new Point(this.x, this.y);};Point.prototype.length = function (length) {if (typeof length == 'undefined')return Math.sqrt(this.x * this.x + this.y * this.y);this.normalize();this.x *= length;this.y *= length;return this;};Point.prototype.normalize = function () {var length = this.length();this.x /= length;this.y /= length;return this;};return Point;})();var Particle = (function () {function Particle() {this.position = new Point();this.velocity = new Point();this.acceleration = new Point();this.age = 0;}Particle.prototype.initialize = function (x, y, dx, dy) {this.position.x = x;this.position.y = y;this.velocity.x = dx;this.velocity.y = dy;this.acceleration.x = dx * settings.particles.effect;this.acceleration.y = dy * settings.particles.effect;this.age = 0;};Particle.prototype.update = function (deltaTime) {this.position.x += this.velocity.x * deltaTime;this.position.y += this.velocity.y * deltaTime;this.velocity.x += this.acceleration.x * deltaTime;this.velocity.y += this.acceleration.y * deltaTime;this.age += deltaTime;};Particle.prototype.draw = function (context, image) {function ease(t) {return (--t) * t * t + 1;}var size = image.width * ease(this.age / settings.particles.duration);context.globalAlpha = 1 - this.age / settings.particles.duration;context.drawImage(image, this.position.x - size / 2, this.position.y - size / 2, size, size);};return Particle;})();var ParticlePool = (function () {var particles,firstActive = 0,firstFree = 0,duration = settings.particles.duration;function ParticlePool(length) {// 创建并填充粒子池particles = new Array(length);for (var i = 0; i < particles.length; i++)particles[i] = new Particle();}ParticlePool.prototype.add = function (x, y, dx, dy) {particles[firstFree].initialize(x, y, dx, dy);// 处理循环队列firstFree++;if (firstFree == particles.length) firstFree = 0;if (firstActive == firstFree) firstActive++;if (firstActive == particles.length) firstActive = 0;};ParticlePool.prototype.update = function (deltaTime) {var i;// 更新活性粒子if (firstActive < firstFree) {for (i = firstActive; i < firstFree; i++)particles[i].update(deltaTime);}if (firstFree < firstActive) {for (i = firstActive; i < particles.length; i++)particles[i].update(deltaTime);for (i = 0; i < firstFree; i++)particles[i].update(deltaTime);}// 去除非活性颗粒while (particles[firstActive].age >= duration && firstActive != firstFree) {firstActive++;if (firstActive == particles.length) firstActive = 0;}};ParticlePool.prototype.draw = function (context, image) {// 绘制活性粒子if (firstActive < firstFree) {for (i = firstActive; i < firstFree; i++)particles[i].draw(context, image);}if (firstFree < firstActive) {for (i = firstActive; i < particles.length; i++)particles[i].draw(context, image);for (i = 0; i < firstFree; i++)particles[i].draw(context, image);}};return ParticlePool;})();(function (canvas) {var context = canvas.getContext('2d'),particles = new ParticlePool(settings.particles.length),particleRate = settings.particles.length / settings.particles.duration, // particles/sectime;// 用 -PI <= t <= PI 获得心脏点function pointOnHeart(t) {return new Point(160 * Math.pow(Math.sin(t), 3),130 * Math.cos(t) - 50 * Math.cos(2 * t) - 20 * Math.cos(3 * t) - 10 * Math.cos(4 * t) + 25);}// 使用虚拟画布创建粒子图像var image = (function () {var canvas = document.createElement('canvas'),context = canvas.getContext('2d');canvas.width = settings.particles.size;canvas.height = settings.particles.size;//用于创建路径的帮助程序函数function to(t) {var point = pointOnHeart(t);point.x = settings.particles.size / 2 + point.x * settings.particles.size / 350;point.y = settings.particles.size / 2 - point.y * settings.particles.size / 350;return point;}// 创建路径context.beginPath();var t = -Math.PI;var point = to(t);context.moveTo(point.x, point.y);while (t < Math.PI) {t += 0.01; // baby steps!point = to(t);context.lineTo(point.x, point.y);}context.closePath();// 创建填充context.fillStyle = '#ea80b0';context.fill();// 创建映像var image = new Image();image.src = canvas.toDataURL();return image;})();// 渲染那个东西！function render() {// 下一个动画帧requestAnimationFrame(render);// 更新时间var newTime = new Date().getTime() / 1000,deltaTime = newTime - (time || newTime);time = newTime;// 透明画布，清楚画布context.clearRect(0, 0, canvas.width, canvas.height);// 创建新粒子var amount = particleRate * deltaTime;for (var i = 0; i < amount; i++) {var pos = pointOnHeart(Math.PI - 2 * Math.PI * Math.random());var dir = pos.clone().length(settings.particles.velocity);particles.add(canvas.width / 2 + pos.x, canvas.height / 2 - pos.y, dir.x, -dir.y);}//更新和绘制粒子particles.update(deltaTime);particles.draw(context, image);}// 处理（重新）调整画布的大小function onResize() {canvas.width = canvas.clientWidth;canvas.height = canvas.clientHeight;}window.onresize = onResize;// 延迟渲染引导setTimeout(function () {onResize();render();}, 10);})(document.getElementById('pinkboard'));</script>
</body></html>//烟花部分代码<html dir="ltr" lang="zh-CN">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width" />
<title>带交互功能的HTML5+JS烟花特效</title> 
<style>
/* basic styles for black background and crosshair cursor */
body {background: #000;margin: 0;
}canvas {cursor: crosshair;display: block;
}
</style>
</head>
<canvas id="canvas">Canvas is not supported in your browser.</canvas>
<script>
// when animating on canvas, it is best to use requestAnimationFrame instead of setTimeout or setInterval
// not supported in all browsers though and sometimes needs a prefix, so we need a shim
window.requestAnimFrame = ( function() {return window.requestAnimationFrame ||window.webkitRequestAnimationFrame ||window.mozRequestAnimationFrame ||function( callback ) {window.setTimeout( callback, 1000 / 60 );};
})();// now we will setup our basic variables for the demo
var canvas = document.getElementById( 'canvas' ),ctx = canvas.getContext( '2d' ),// full screen dimensionscw = window.innerWidth,ch = window.innerHeight,// firework collectionfireworks = [],// particle collectionparticles = [],// starting huehue = 120,// when launching fireworks with a click, too many get launched at once without a limiter, one launch per 5 loop tickslimiterTotal = 5,limiterTick = 0,// this will time the auto launches of fireworks, one launch per 80 loop tickstimerTotal = 80,timerTick = 0,mousedown = false,// mouse x coordinate,mx,// mouse y coordinatemy;// set canvas dimensions
canvas.width = cw;
canvas.height = ch;// now we are going to setup our function placeholders for the entire demo// get a random number within a range
function random( min, max ) {return Math.random() * ( max - min ) + min;
}// calculate the distance between two points
function calculateDistance( p1x, p1y, p2x, p2y ) {var xDistance = p1x - p2x,yDistance = p1y - p2y;return Math.sqrt( Math.pow( xDistance, 2 ) + Math.pow( yDistance, 2 ) );
}// create firework
function Firework( sx, sy, tx, ty ) {// actual coordinatesthis.x = sx;this.y = sy;// starting coordinatesthis.sx = sx;this.sy = sy;// target coordinatesthis.tx = tx;this.ty = ty;// distance from starting point to targetthis.distanceToTarget = calculateDistance( sx, sy, tx, ty );this.distanceTraveled = 0;// track the past coordinates of each firework to create a trail effect, increase the coordinate count to create more prominent trailsthis.coordinates = [];this.coordinateCount = 3;// populate initial coordinate collection with the current coordinateswhile( this.coordinateCount-- ) {this.coordinates.push( [ this.x, this.y ] );}this.angle = Math.atan2( ty - sy, tx - sx );this.speed = 2;this.acceleration = 1.05;this.brightness = random( 50, 70 );// circle target indicator radiusthis.targetRadius = 1;
}// update firework
Firework.prototype.update = function( index ) {// remove last item in coordinates arraythis.coordinates.pop();// add current coordinates to the start of the arraythis.coordinates.unshift( [ this.x, this.y ] );// cycle the circle target indicator radiusif( this.targetRadius < 8 ) {this.targetRadius += 0.3;} else {this.targetRadius = 1;}// speed up the fireworkthis.speed *= this.acceleration;// get the current velocities based on angle and speedvar vx = Math.cos( this.angle ) * this.speed,vy = Math.sin( this.angle ) * this.speed;// how far will the firework have traveled with velocities applied?this.distanceTraveled = calculateDistance( this.sx, this.sy, this.x + vx, this.y + vy );// if the distance traveled, including velocities, is greater than the initial distance to the target, then the target has been reachedif( this.distanceTraveled >= this.distanceToTarget ) {createParticles( this.tx, this.ty );// remove the firework, use the index passed into the update function to determine which to removefireworks.splice( index, 1 );} else {// target not reached, keep travelingthis.x += vx;this.y += vy;}
}// draw firework
Firework.prototype.draw = function() {ctx.beginPath();// move to the last tracked coordinate in the set, then draw a line to the current x and yctx.moveTo( this.coordinates[ this.coordinates.length - 1][ 0 ], this.coordinates[ this.coordinates.length - 1][ 1 ] );ctx.lineTo( this.x, this.y );ctx.strokeStyle = 'hsl(' + hue + ', 100%, ' + this.brightness + '%)';ctx.stroke();ctx.beginPath();// draw the target for this firework with a pulsing circlectx.arc( this.tx, this.ty, this.targetRadius, 0, Math.PI * 2 );ctx.stroke();
}// create particle
function Particle( x, y ) {this.x = x;this.y = y;// track the past coordinates of each particle to create a trail effect, increase the coordinate count to create more prominent trailsthis.coordinates = [];this.coordinateCount = 5;while( this.coordinateCount-- ) {this.coordinates.push( [ this.x, this.y ] );}// set a random angle in all possible directions, in radiansthis.angle = random( 0, Math.PI * 2 );this.speed = random( 1, 10 );// friction will slow the particle downthis.friction = 0.95;// gravity will be applied and pull the particle downthis.gravity = 1;// set the hue to a random number +-20 of the overall hue variablethis.hue = random( hue - 20, hue + 20 );this.brightness = random( 50, 80 );this.alpha = 1;// set how fast the particle fades outthis.decay = random( 0.015, 0.03 );
}// update particle
Particle.prototype.update = function( index ) {// remove last item in coordinates arraythis.coordinates.pop();// add current coordinates to the start of the arraythis.coordinates.unshift( [ this.x, this.y ] );// slow down the particlethis.speed *= this.friction;// apply velocitythis.x += Math.cos( this.angle ) * this.speed;this.y += Math.sin( this.angle ) * this.speed + this.gravity;// fade out the particlethis.alpha -= this.decay;// remove the particle once the alpha is low enough, based on the passed in indexif( this.alpha <= this.decay ) {particles.splice( index, 1 );}
}// draw particle
Particle.prototype.draw = function() {ctx. beginPath();// move to the last tracked coordinates in the set, then draw a line to the current x and yctx.moveTo( this.coordinates[ this.coordinates.length - 1 ][ 0 ], this.coordinates[ this.coordinates.length - 1 ][ 1 ] );ctx.lineTo( this.x, this.y );ctx.strokeStyle = 'hsla(' + this.hue + ', 100%, ' + this.brightness + '%, ' + this.alpha + ')';ctx.stroke();
}// create particle group/explosion
function createParticles( x, y ) {// increase the particle count for a bigger explosion, beware of the canvas performance hit with the increased particles thoughvar particleCount = 30;while( particleCount-- ) {particles.push( new Particle( x, y ) );}
}// main demo loop
function loop() {// this function will run endlessly with requestAnimationFramerequestAnimFrame( loop );// increase the hue to get different colored fireworks over timehue += 0.5;// normally, clearRect() would be used to clear the canvas// we want to create a trailing effect though// setting the composite operation to destination-out will allow us to clear the canvas at a specific opacity, rather than wiping it entirelyctx.globalCompositeOperation = 'destination-out';// decrease the alpha property to create more prominent trailsctx.fillStyle = 'rgba(0, 0, 0, 0.5)';ctx.fillRect( 0, 0, cw, ch );// change the composite operation back to our main mode// lighter creates bright highlight points as the fireworks and particles overlap each otherctx.globalCompositeOperation = 'lighter';// loop over each firework, draw it, update itvar i = fireworks.length;while( i-- ) {fireworks[ i ].draw();fireworks[ i ].update( i );}// loop over each particle, draw it, update itvar i = particles.length;while( i-- ) {particles[ i ].draw();particles[ i ].update( i );}// launch fireworks automatically to random coordinates, when the mouse isn't downif( timerTick >= timerTotal ) {if( !mousedown ) {// start the firework at the bottom middle of the screen, then set the random target coordinates, the random y coordinates will be set within the range of the top half of the screenfireworks.push( new Firework( cw / 2, ch, random( 0, cw ), random( 0, ch / 2 ) ) );timerTick = 0;}} else {timerTick++;}// limit the rate at which fireworks get launched when mouse is downif( limiterTick >= limiterTotal ) {if( mousedown ) {// start the firework at the bottom middle of the screen, then set the current mouse coordinates as the targetfireworks.push( new Firework( cw / 2, ch, mx, my ) );limiterTick = 0;}} else {limiterTick++;}
}// mouse event bindings
// update the mouse coordinates on mousemove
canvas.addEventListener( 'mousemove', function( e ) {mx = e.pageX - canvas.offsetLeft;my = e.pageY - canvas.offsetTop;
});// toggle mousedown state and prevent canvas from being selected
canvas.addEventListener( 'mousedown', function( e ) {e.preventDefault();mousedown = true;
});canvas.addEventListener( 'mouseup', function( e ) {e.preventDefault();mousedown = false;
});
window.onload = loop;
</script>
// once the window loads, we are ready for some fireworks!

 ps：

一次失败的计划...............over