File upload summary - 进击的肖恩123

admin, 2021-12-31 14:43:59

Web security: upload vulnerabilities


1. What is an upload vulnerability

Web applications have features for uploading files or images. When these lack strict security restrictions, an attacker can upload malicious code or a tampered file and obtain a shell (getshell).

2. How to find and judge file upload vulnerabilities?

They are usually classified at the time of searching for or exploiting them, so that public internet resources can be put to better use.

  • Conventional

    Scan with a tool to find upload pages, using an upload-page wordlist

    Search directly with Google dork syntax: inurl

    Click through the web application's features

  • CMS

    Search Baidu or Google for related material

  • Editors

    Search Baidu or Google for related material

  • Third-party applications

    e.g. WebLogic

Overall approach: for a given web site, first check whether the middleware has a parsing vulnerability. If not, browse the features (e.g. the member centre) or brute-force with a wordlist to look for an upload vulnerability. If nothing turns up there, identify the CMS or editor in use and check the latest CVEs. Gather information throughout; standing on the shoulders of giants lets you see further.

3. The image-upload feature page

3.1 Code

<?php
error_reporting(0);// suppress error reporting
$is_upload = false;// declare a variable
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {// check that the upload path exists
        $temp_file = $_FILES['upload_file']['tmp_name'];// temporary file name
        $img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name'];
        if (move_uploaded_file($temp_file, $img_path)){
            $is_upload = true;
        } else {
            $msg = '上传出错!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}
?>

<div id="upload_panel">
    <ol>
            <h3>上传</h3>
            <form enctype="multipart/form-data" method="post" action="">
                <p>请选择要上传的图片:</p>
                <input class="input_file" type="file" name="upload_file"/>
                <input class="button" type="submit" name="submit" value="上传"/>
            </form>
            <div id="msg">
                <?php 
                    if($msg != null){
                        echo "提示:".$msg;
                    }
                ?>
           </div>
    </ol>
</div>

3.2 Image upload succeeds

4. Front-end (local) JavaScript extension check

<?php
header("Content-Type:text/html;charset=UTF-8");
error_reporting(0);// suppress error reporting
$is_upload = false;// declare a variable
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {// check that the upload path exists
        $temp_file = $_FILES['upload_file']['tmp_name'];// temporary file name
        $img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name'];
        if (move_uploaded_file($temp_file, $img_path)){
            $is_upload = true;
        } else {
            $msg = '上传出错!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}
?>

<div id="upload_panel">
    <ol>
            <h3>上传</h3>
            <form enctype="multipart/form-data" method="post" onsubmit="return checkFile()">
                <p>请选择要上传的图片:</p>
                <input class="input_file" type="file" name="upload_file"/>
                <input class="button" type="submit" name="submit" value="上传"/>
            </form>
            <div id="msg">
                <?php 
                    if($msg != null){
                        echo "提示:".$msg;
                    }
                ?>
           </div>
    </ol>
</div>
<script type="text/javascript">
    function checkFile() {
        var file = document.getElementsByName('upload_file')[0].value;
        if (file == null || file == "") {
            alert("请选择要上传的文件!");
            return false;
        }
        // define the file types allowed for upload
        var allow_ext = ".jpg|.png|.gif";
        // extract the extension of the chosen file
        var ext_name = file.substring(file.lastIndexOf("."));
        // check whether this file type is allowed
        if (allow_ext.indexOf(ext_name) == -1) {
            var errMsg = "该文件不允许上传,请上传" + allow_ext + "类型的文件,当前文件类型为:" + ext_name;
            alert(errMsg);
            return false;
        }
    }
</script>

Bypass by deleting the JS code

Delete the relevant JS code directly and the upload succeeds.

5. Extension blacklist validation and bypasses

5.1 Extension validation

<?php
function deldot($s){
    for($i = strlen($s)-1;$i>0;$i--){
        $c = substr($s,$i,1);
        if($i == strlen($s)-1 and $c != '.'){
            return $s;
        }

        if($c != '.'){
            return substr($s,0,$i+1);
        }
    }
}
header("Content-Type:text/html;charset=UTF-8");
error_reporting(0);
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array('.asp','.aspx','.php','.jsp');
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);// strip trailing dots from the file name
        $file_ext = strrchr($file_name, '.');// everything from the last '.' to the end of the string
        $file_ext = strtolower($file_ext); // convert to lower case
        $file_ext = str_ireplace('::$DATA', '', $file_ext);// remove the string ::$DATA
        $file_ext = trim($file_ext); // trim whitespace at both ends

        if(!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;            
            if (move_uploaded_file($temp_file,$img_path)) {
                 $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}
?>

<div id="upload_panel">
    <ol>
        <li>
            <form enctype="multipart/form-data" method="post" action="">
                <p>请选择要上传的图片:</p>
                <input class="input_file" type="file" name="upload_file"/>
                <input class="button" type="submit" name="submit" value="上传"/>
            </form>
            <div id="msg">
                <?php 
                    if($msg != null){
                        echo "提示:".$msg;
                    }
                ?>
            </div>
        </li>
    </ol>
</div>

Bypass with special parsed extensions: php3, php4, php5, pht, phtml, phps

Change the extension to phtml or similar; whether this works depends on whether the Apache configuration maps these special extensions to the PHP handler.

Upload .php3: bypass succeeds

5.2 Special parsed-extension validation

<?php
function deldot($s){
    for($i = strlen($s)-1;$i>0;$i--){
        $c = substr($s,$i,1);
        if($i == strlen($s)-1 and $c != '.'){
            return $s;
        }

        if($c != '.'){
            return substr($s,0,$i+1);
        }
    }
}
header("Content-Type:text/html;charset=UTF-8");
error_reporting(0);
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
        $file_name = trim($_FILES['upload_file']['name']);// remove whitespace on both sides
        $file_name = deldot($file_name);// strip trailing dots from the file name
        $file_ext = strrchr($file_name, '.');// everything from the last '.' to the end of the string
        $file_ext = strtolower($file_ext); // convert to lower case
        $file_ext = str_ireplace('::$DATA', '', $file_ext);// remove the string ::$DATA
        $file_ext = trim($file_ext); // trim whitespace at both ends

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

?>

<div id="upload_panel">
    <ol>
        <li>
            <form enctype="multipart/form-data" method="post" action="">
                <p>请选择要上传的图片:</p>
                <input class="input_file" type="file" name="upload_file"/>
                <input class="button" type="submit" name="submit" value="上传"/>
            </form>
            <div id="msg">
                <?php 
                    if($msg != null){
                        echo "提示:".$msg;
                    }
                ?>
            </div>
        </li>
    </ol>
</div>

Bypass with .htaccess

.htaccess example one

<FilesMatch "xazl">
SetHandler application/x-httpd-php
</FilesMatch>

.htaccess example two

SetHandler application/x-httpd-php

Using example two, upload an image webshell; opening it via right-click shows it is parsed as PHP.

5.3 Case bypass

Principle

Case normalisation is missing, so an upper-case extension bypasses the check.

Filter function: strtolower($file_ext); // convert to lower case.

<?php
function deldot($s){
    for($i = strlen($s)-1;$i>0;$i--){
        $c = substr($s,$i,1);
        if($i == strlen($s)-1 and $c != '.'){
            return $s;
        }

        if($c != '.'){
            return substr($s,0,$i+1);
        }
    }
}
header("Content-Type:text/html;charset=UTF-8");
error_reporting(0);
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);// strip trailing dots from the file name
        $file_ext = strrchr($file_name, '.');
        $file_ext = str_ireplace('::$DATA', '', $file_ext);// remove the string ::$DATA
        $file_ext = trim($file_ext); // trim whitespace at both ends

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}
?>

<div id="upload_panel">
    <ol>
        <li>
            <form enctype="multipart/form-data" method="post" action="">
                <p>请选择要上传的图片:</p>
                <input class="input_file" type="file" name="upload_file"/>
                <input class="button" type="submit" name="submit" value="上传"/>
            </form>
            <div id="msg">
                <?php 
                    if($msg != null){
                        echo "提示:".$msg;
                    }
                ?>
            </div>
        </li>
    </ol>
</div>

Upload with the upper-case extension .phP succeeds

5.4 Space bypass

Principle

Windows automatically strips spaces after the file extension, but the request packet keeps them. Add a space in the packet to get past the blacklist filter; when the file lands on the server the operating system strips the space, so the bypass results in execution.

Related function: $file_ext = trim($file_ext); // trim whitespace at both ends

<?php
function deldot($s){
    for($i = strlen($s)-1;$i>0;$i--){
        $c = substr($s,$i,1);
        if($i == strlen($s)-1 and $c != '.'){
            return $s;
        }

        if($c != '.'){
            return substr($s,0,$i+1);
        }
    }
}
header("Content-Type:text/html;charset=UTF-8");
error_reporting(0);
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = $_FILES['upload_file']['name'];
        $file_name = deldot($file_name);// strip trailing dots from the file name
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // convert to lower case
        $file_ext = str_ireplace('::$DATA', '', $file_ext);// remove the string ::$DATA

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file,$img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}
?>

<div id="upload_panel">
    <ol>
        <li>
            <form enctype="multipart/form-data" method="post" action="">
                <p>请选择要上传的图片:</p>
                <input class="input_file" type="file" name="upload_file"/>
                <input class="button" type="submit" name="submit" value="上传"/>
            </form>
            <div id="msg">
                <?php 
                    if($msg != null){
                        echo "提示:".$msg;
                    }
                ?>
            </div>
        </li>
    </ol>
</div>

Capture the request in Burp and bypass with a trailing space

5.5 Dot "." bypass

Principle

The operating system automatically strips a trailing "." after the file extension, but one can be added in the packet to get past the blacklist restriction.

On Windows, characters such as ".", space, <, >, >>> and 0x81-0xff at the end of a file name are ignored.

Related function: $file_name = deldot($file_name);// strip trailing dots from the file name

<?php
function deldot($s){
    for($i = strlen($s)-1;$i>0;$i--){
        $c = substr($s,$i,1);
        if($i == strlen($s)-1 and $c != '.'){
            return $s;
        }
        if($c != '.'){
            return substr($s,0,$i+1);
        }
    }
}
header("Content-Type:text/html;charset=UTF-8");
error_reporting(0);
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        // deldot() is defined above but never called on this level
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // convert to lower case
        $file_ext = str_ireplace('::$DATA', '', $file_ext);// remove the string ::$DATA
        $file_ext = trim($file_ext); // trim whitespace at both ends

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}
?>

<div id="upload_panel">
    <ol>
        <li>
            <form enctype="multipart/form-data" method="post" action="">
                <p>请选择要上传的图片:</p>
                <input class="input_file" type="file" name="upload_file"/>
                <input class="button" type="submit" name="submit" value="上传"/>
            </form>
            <div id="msg">
                <?php
                    if($msg != null){
                        echo "提示:".$msg;
                    }
                ?>
            </div>
        </li>
    </ol>
</div>

Capture the request in Burp and bypass by appending "." to the file extension

Uploading test.php succeeds

Note: ". ." (dot, space, dot)

There is also the xxx.php. . bypass: the final dot is removed by deldot, trim removes the space, and the name becomes xxx.php. again.

Extending the idea: array-based receiving + directory naming

5.6 ::$DATA, extension not checked (Windows ADS stream feature)

Principle

Appending ::$DATA after the extension makes the name be handled as a file stream, so the extension is not checked.

Related function: $file_ext = str_ireplace('::$DATA', '', $file_ext);// remove the string ::$DATA

<?php
function deldot($s){
    for($i = strlen($s)-1;$i>0;$i--){
        $c = substr($s,$i,1);
        if($i == strlen($s)-1 and $c != '.'){
            return $s;
        }
        if($c != '.'){
            return substr($s,0,$i+1);
        }
    }
}
header("Content-Type:text/html;charset=UTF-8");
error_reporting(0);
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);// strip trailing dots from the file name
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // convert to lower case
        // no str_ireplace('::$DATA', ...) on this level
        $file_ext = trim($file_ext); // trim whitespace at both ends

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}
?>

<div id="upload_panel">
    <ol>
        <li>
            <form enctype="multipart/form-data" method="post" action="">
                <p>请选择要上传的图片:</p>
                <input class="input_file" type="file" name="upload_file"/>
                <input class="button" type="submit" name="submit" value="上传"/>
            </form>
            <div id="msg">
                <?php
                    if($msg != null){
                        echo "提示:".$msg;
                    }
                ?>
            </div>
        </li>
    </ol>
</div>

Capture the request and bypass by appending ::$DATA to the extension

5.7 Double-write bypass

Principle: a single-pass filter and a looping (recursive) filter of the extension behave differently; a single pass is what makes the double-write bypass possible.

$file_name = str_ireplace($deny_ext,"", $file_name);// strips blacklisted extensions, but only runs once

<?php
error_reporting(0);
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = str_ireplace($deny_ext,"", $file_name);// single pass: "PHphpp" becomes "php"
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = UPLOAD_PATH.'/'.$file_name;
        if (move_uploaded_file($temp_file, $img_path)) {
            $is_upload = true;
        } else {
            $msg = '上传出错!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}
?>

Capture the request and bypass with the double-written extension test.PHphpp
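The bypasses in 5.1 through 5.7 all defeat the same deny-list pipeline: each level drops one normalisation step, and the matching trick slips through. The following Python is an added example (not code from this page or from upload-labs) of the inverted, allow-list form of that pipeline. The allowed extension set and the name pattern are assumptions for an image-upload endpoint; it normalises first (reject path separators, NUL bytes and ::$DATA, strip trailing dots and spaces), then requires exactly one short alphanumeric extension from the allow-list, and the server chooses the stored name itself.

```python
import re
import secrets

# Allow-list for an image-upload endpoint (assumption for this example).
ALLOWED_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif"})

# Plain ASCII base name, exactly one dot, short alphanumeric extension (assumed policy).
_SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,8})")


def validate_extension(client_filename):
    """Return the lower-cased extension if the client-supplied name is acceptable,
    otherwise None.  Each step mirrors a bypass the deny-list code on this page
    fell for, but here the default answer is 'reject' rather than 'allow'."""
    name = client_filename
    # 1. A file name is not a path: separators are never legitimate.
    if "/" in name or "\\" in name:
        return None
    # 2. A NUL byte is a truncation attempt (7.1); reject outright.
    if "\x00" in name:
        return None
    # 3. An NTFS alternate-data-stream suffix ("::$DATA", 5.6) is never legitimate.
    if "::" in name:
        return None
    # 4. Windows drops trailing dots and spaces when the file is written (5.4, 5.5),
    #    so strip them *before* looking at the extension.
    name = name.rstrip(". \t\r\n")
    # 5. One dot, one extension: "a.php.jpg" and "test.php. ." both fail here.
    m = _SAFE_NAME.fullmatch(name)
    if m is None:
        return None
    # 6. Compare case-insensitively (5.3) against the allow-list, not a deny-list
    #    (5.1 unlisted extensions, 5.7 double-writing).
    ext = m.group(1).lower()
    return ext if ext in ALLOWED_EXTENSIONS else None


def storage_name(client_filename):
    """Server-chosen file name: random token plus the validated extension.  The
    client's base name is never reused, so a double-written name such as
    'test.PHphpp' (5.7) cannot survive into the stored path."""
    ext = validate_extension(client_filename)
    if ext is None:
        raise ValueError("upload rejected: %r" % client_filename)
    return "%s.%s" % (secrets.token_hex(16), ext)


if __name__ == "__main__":
    # Constructed sample names: the tricks from 5.1-5.7 plus two benign names.
    samples = ["photo.jpg", "PHOTO.PNG", "test.php3", "test.phP", "test.php ",
               "test.php.", "test.php. .", "test.php::$DATA", "test.PHphpp",
               "shell.jpg.php", "../../x.jpg", ".htaccess"]
    for s in samples:
        print("%-18r -> %s" % (s, validate_extension(s)))
```

Every name from sections 5.1 to 5.7 returns None here, while photo.jpg and PHOTO.PNG return jpg and png. The design point is that the client's base name never reaches the filesystem, so the Windows name-mangling rules (trailing dot, trailing space, ::$DATA) have nothing to act on. This validates only the name; the content checks belong in a separate step.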

6. Bypass via parsing vulnerabilities

6.1 Principle

After the upload, the file still has to be parsed and executed.

6.2 Middleware with parsing vulnerabilities: versions and exploitation methods (compilation)

The code layer uses blacklist + whitelist thinking; when the following middleware is encountered it can be attacked directly.

6.3 Editors with parsing vulnerabilities: versions and exploitation methods (reference collection)

https://navisec.it/编辑器漏洞手册/

https://www.bilibili.com/video/BV1JZ4y1c7ro?p=22 0:50:15

Currently FCKeditor is the one most commonly encountered.

7. Extension whitelist validation and bypasses

7.1 %00 truncation

Truncation conditions

PHP version below 5.3.4 and magic_quotes_gpc set to OFF; the scenario is mostly an exposed upload path.

%00 applies in URL-encoded addresses; the 0x0a scenario is in the file name.

With GET, %00 is decoded automatically (recognised like a space); POST does not decode %00 by itself, so it has to be edited in hex.

%00 truncation: use %00 to truncate in move_uploaded_file; only the characters before %00 are parsed and the characters after it are not. Usually used with GET, because GET parameters are URL-decoded automatically, e.g. upload-labs Pass-11.
0x00 truncation: same principle as %00 truncation, only the parameter is passed via POST and has to be modified in hex form in Burp.

The bypass is verified here in the upload-labs environment.

7.2 Back-end whitelist MIME validation

Key check:

if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif'))

<?php
error_reporting(0);
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {// validate the MIME type
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name'];
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '文件类型不正确,请重新上传!';
        }
    } else {
        $msg = UPLOAD_PATH.'文件夹不存在,请手工创建!';
    }
}
?>

<div id="upload_panel">
    <ol>
            <h3>上传</h3>
            <form enctype="multipart/form-data" method="post" action="">
                <p>请选择要上传的图片:</p>
                <input class="input_file" type="file" name="upload_file"/>
                <input class="button" type="submit" name="submit" value="上传"/>
            </form>
            <div id="msg">
                <?php
                    if($msg != null){
                        echo "提示:".$msg;
                    }
                ?>
           </div>
    </ol>
</div>

Modify the request in Burp Suite to bypass

Upload succeeds

8. File content and other validation

8.1 File header validation

Principle

Open a .jpg, .png or .gif file in Notepad and the type-specific signature is visible at the very start. Some upload handlers validate this so-called file header.

Bypass with an image webshell + file inclusion vulnerability

Note: learn the command for producing an image webshell

copy 1.png /b + shell.php /a webshell.jpg  (equivalent to opening the image in Notepad and appending by hand)

Implemented on upload-labs Pass-13; the effect is roughly this and only shows that it triggers.

Or bypass with GIF89A + file inclusion

Forge a GIF with GIF89A: put GIF89A at the start of the PHP file and the server's getimagesize will treat it as a GIF.

8.2 Validation via image-info functions (size, type, etc.)

Principle

Functions such as getimagesize and exif_imagetype that read image information simply stop if the file is not an image, so a file inclusion vulnerability is needed to get it executed.

Bypass with an image webshell + file inclusion (as above)

8.3 Re-rendering scenario + race-condition bypass (code logic flaw)

Principle

Re-rendering scenario: after the upload, the save-or-delete decision is the server performing a second rendering pass.

Race condition: keep sending requests with Burp; during one upload, keep requesting the file before the second rendering pass. There is a chance of success; the basic principle is that the file is still occupied by the program.
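Sections 7.2, 8.1, 8.2 and 8.3 describe checks that are each insufficient alone: the client's Content-Type (7.2) is attacker-controlled, a magic-byte or getimagesize check (8.1, 8.2) is satisfied by a bare GIF89a prefix, and a store-then-check ordering (8.3) leaves a window. The Python below is an added example, not code from this page or from upload-labs: it sniffs the header, requires it to agree with the claimed MIME type, rejects bodies containing script markers (a constructed heuristic list that assumes a PHP back end), and writes the file to a quarantine directory that is assumed not to be served by the web server, validating there before atomically moving it into the public directory. Directory names and sample bytes are constructed.

```python
import os
import tempfile

# Magic bytes of the three image types the page's MIME check accepts (standard values).
MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
# Byte sequences that never belong in an image; constructed list, assumes a PHP back end.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"<%")


def sniff_image_type(data):
    """MIME type implied by the file header, or None.  This is the kind of check
    getimagesize()/exif_imagetype() perform: the bytes decide, not the
    Content-Type the client sent (7.2)."""
    for mime, prefixes in MAGIC.items():
        if any(data.startswith(p) for p in prefixes):
            return mime
    return None


def content_is_acceptable(claimed_mime, data):
    """The claimed Content-Type must agree with the sniffed header, and the body
    must not carry script markers.  A bare 'GIF89a' prefix (8.1) satisfies the
    sniffer, so the marker scan is what rejects an image+script polyglot."""
    sniffed = sniff_image_type(data)
    if sniffed is None or sniffed != claimed_mime:
        return False
    return not any(marker in data for marker in SCRIPT_MARKERS)


def publish_upload(data, claimed_mime, ext, quarantine_dir, public_dir):
    """Validate-then-publish ordering (8.3).  Bytes go to quarantine_dir (assumed
    not served over HTTP), are checked there, and only then renamed atomically
    into public_dir.  'ext' is assumed to have passed a separate name check.
    Returns the final path, or None when the upload is rejected."""
    fd, tmp_path = tempfile.mkstemp(dir=quarantine_dir)   # created with mode 0600
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        if not content_is_acceptable(claimed_mime, data):
            return None                      # the finally block removes the temp file
        final_path = os.path.join(public_dir, "%s.%s" % (os.path.basename(tmp_path), ext))
        os.replace(tmp_path, final_path)     # atomic when both dirs share a filesystem
        return final_path
    finally:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)


def demo():
    """Constructed end-to-end run: a GIF89a+PHP polyglot and a plain GIF header."""
    quarantine = tempfile.mkdtemp(prefix="quarantine-")
    public = tempfile.mkdtemp(prefix="public-")
    polyglot = b"GIF89a" + b"<?php echo 'x'; ?>"            # header says GIF, body is code
    plain = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 8   # header plus constructed padding
    rejected = publish_upload(polyglot, "image/gif", "gif", quarantine, public)
    accepted = publish_upload(plain, "image/gif", "gif", quarantine, public)
    return {
        "rejected": rejected,                                  # None
        "accepted_exists": accepted is not None and os.path.isfile(accepted),
        "quarantine_empty": os.listdir(quarantine) == [],
        "public_count": len(os.listdir(public)),               # 1
    }


if __name__ == "__main__":
    print(demo())
```

The marker scan is a cheap defence-in-depth check, not a parser; for a real image endpoint the stronger option is to re-encode the image with an image library (the re-rendering the page mentions), which discards any trailing payload. The ordering in publish_upload is the fix for 8.3: the file is never at a web-served path before it has been checked, so there is nothing for a race to hit. os.replace is atomic only when quarantine_dir and public_dir are on the same filesystem.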

9. WAF bypass: collected ideas (provisional)

9.1 In the upload parameters of the request packet, first be clear about what can be modified

Content-Disposition: generally modifiable

name: the form parameter name, cannot be changed

filename: the file name, can be changed

Content-Type: the file's MIME type, change depending on the situation

9.2 Common bypass methods

Data overflow, anti-matching (xxx...)

Symbol mutation, anti-matching (' '' ;)

Data truncation, anti-matching (%00 ; newline)

Repeated data, anti-matching (parameter repeated several times)

10. Remediation for file upload security

10.1 Client-side checks

Usually JS; modifying the request or deleting the JS code bypasses it fairly easily.

10.2 Server-side validation

Extension checks: blacklist-based filtering (special parsed extensions, .htaccess, case, spaces, dots, ADS stream ::$DATA, double-writing, uploading .7z archives, etc.) and whitelist-based filtering (%00, MIME detection);

Content checks: file header and integrity (image type, size, etc.) detection; optimise the code to prevent re-rendering race conditions;

WAF products: 安全狗 (SafeDog), 云盾 (Yundun), 宝塔 (BT Panel), etc.;

Source: 先知论坛 (XZ forum)

Original link: http://cn-sec.com/archives/709419.html