文件上传(2018版).

已于 2022-04-11 10:48:10 修改
阅读量3.1k 收藏
点赞数
分类专栏: 靶场 文章标签: 网络安全
于 2021-11-09 10:40:56 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/Curry197/article/details/121223076
版权

目录

pass-01

pass-02

pass-03

pass-04

pass-05

pass-06

pass-07

pass-08

pass-09

pass-10

pass-01

代码:

function checkFile() {
    var file = document.getElementsByName('upload_file')[0].value;
    if (file == null || file == "") {
        alert("请选择要上传的文件!");
        return false;
    }
    //定义允许上传的文件类型
    var allow_ext = ".jpg|.png|.gif";
    //提取上传文件的类型
    var ext_name = file.substring(file.lastIndexOf("."));
    //判断上传文件类型是否允许上传
    if (allow_ext.indexOf(ext_name + "|") == -1) {
        var errMsg = "该文件不允许上传,请上传" + allow_ext + "类型的文件,当前文件类型为:" + ext_name;
        alert(errMsg);
        return false;
    }
}

分析:
document.getElementsByName 获取input name为upload_file的值 [0].value数组第一个元素的值
substring 提取字符串中介于两个指定下标之间的字符(这里省略了直接到结尾)
lastIndexOf 查找字符最后出现的位置
indexOf 首次出现的位置 如果没有则返回-1

方法:
只进行前端验证,因此先将wellshell改成可上传文件类型在抓包改回即可

pass-02

代码:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];
                $is_upload = true;

            }
        } else {
            $msg = '文件类型不正确,请重新上传!';
        }
    } else {
        $msg = $UPLOAD_ADDR.'文件夹不存在,请手工创建!';
    }
}

分析:
isset 检查变量是否设置
$_POST['submit'] 判断是否为表单提交过来的值
file_exists 判断文件是否存在
$_FILES['upload_file']['type']  判断上传文件的MIME类型是否为这些
move_uploaded_file 将文件移动到新位置

参考资料:
1.$_FILES['upload_file']['type']函数详解:https://www.cnblogs.com/haimian/p/6066839.html
2.MIME类型:https://www.cnblogs.com/endv/p/8540601.html

方法:

上传.php,改MIME类型

pass-03

代码:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array('.asp','.aspx','.php','.jsp');
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //收尾去空

        if(!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR. '/' . $_FILES['upload_file']['name'])) {
                 $img_path = $UPLOAD_ADDR .'/'. $_FILES['upload_file']['name'];
                 $is_upload = true;
            }
        } else {
            $msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件!';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}

分析:

黑名单
isset($_POST['submit']) 判断表单提交过来的值是否存在
array(数组)php 定义数组 $a=array();
trim() 函数移除字符串两侧的空白字符或其他预定义字符。
strrchr() 函数查找字符串在另一个字符串中最后一次出现的位置,并返回从该位置到字符串结尾的所有字符。
strtolower() 函数把字符串转换为小写。
str_ireplace(a,b,c) 函数替换字符串中的一些字符(不区分大小写)。a是即将要被替换的值。b是新值。c是字符串
!in_array($file_ext, $deny_ext) 判断在不在数组中
apache服务器可以使用php解析php3,php5.phtml,可能需要更改配置文件

方法:
1.直接抓包将.php改成.php5等
2.直接修改后缀为php5等

可能对方服务器解析不了

pass-04

代码:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //收尾去空

        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允许上传!';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}

分析:
网站使用php,脚本尽量也用php
htaccess 网站在搭建的时候会产生的文件(只限于apache)htaccess文件是Apache服务器中的一个配置文件,它负责相关目录下的网页配置
里面有了.htaccess会将带有值的文件以php形式解析

方法:
用notepad++写一个.htaccess文件(第四关可以上传)百度搜htaccess上传漏洞即可找到代码
然后在上传一个jpg 名字需要与htaccess一样,然后该jpg格式可以以php格式解析
 

pass-05

代码:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空

        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . '/' . $file_name;
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}

分析:
和pass04相比,黑名单里加上了htaccess但是没有将后缀名全部转换成小写,因此可利用

方法:
将php改成phP即可通过

pass-06

代码:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        
        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . '/' . $file_name;
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}

分析:
与之前相比最后少了trim函数,首尾去除空格,在window里后缀加上空格会自动删掉,但是在数据包里不会

方法:
上传.php然后抓包,然后在.php后面加上空格,即可通过,上传之后对面又会恢复成php

pass-07

代码:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . '/' . $file_name;
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}

分析:
与之前相比少了 deldot函数,没有将两边的点去除
window下在后缀后加点会自动删除,数据包不会

方法:
上传.php,抓包,改成.php. 既可通过,上传完成后又会自动将点删除变回.php

pass-08

代码:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . '/' . $file_name;
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}

分析:
与之前相比,少了去除::$DATA 

方法:
上传php,抓包后面加上::$DATA,既可通过

pass-09

代码:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . '/' . $file_name;
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}

分析:
以上过滤方式齐全了,但这只是一次过滤不是循环过滤
例如:(去掉php)
.pphphp 去掉php后还是php

方法:
上传php,抓包,在php后面加上. .,既php. . ,经以上过滤后剩下php. ,因此可以通过,上传到对方服务器之后window会自动删除末尾的点,Linux貌似不会

pass-10

代码:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");

        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = str_ireplace($deny_ext,"", $file_name);
        if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $file_name)) {
            $img_path = $UPLOAD_ADDR . '/' .$file_name;
            $is_upload = true;
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}

分析:
str_ireplace 替换 将黑名单里出现的值替换为空

方法:
php,抓包,pphphp,通过

!!!

前面为黑名单上传,11-12关为白名单

pass-11

pass-12

pass-13

pass-14

pass-15

pass-16

pass-17

pass-18

pass-19

Curry197
关注
专栏目录
文件上传漏洞——upload-labs(1-10)
Lemon's blog
08-02 2498
前言:文件上传漏洞还有很多知识要学习,这次就通过upload-labs进行学习 第一关 上传有限制,只让上传JPEG或
攻防系列——上传漏洞利用之upload labs通关练习
weixin_43140411的博客
10-19 1705
upload labs通关练习(有几关因为php本问题没办法做),主要是记录一下思路和一些常见的办法。之前做web上传漏洞这块思路都是乱糟糟的,现在总算是整理了下思路了。
文件上传 [upload-labs-master][Pass11-19]
weixin_45253622的博客
05-20 510
Pass-11(白名单过滤)00截断 源代码: $is_upload = false; $msg = null; if(isset($_POST['submit'])){ $ext_arr = array('jpg','png','gif'); $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1); if(in_array($file_ex
文件上传(Upload Labs)通关指南
AaronLuo
12-09 1689
0x1 Pass 1 前端过滤 打开burpSuite,上传一个php探针, 发现上传之后Burp并没有抓到包,推断是前端过滤 禁用JavaScript Burp拦截请求 修改文件名为info.png,绕过前端过滤之后,在burp中修改文件后缀名 0x2 Pass 2 Content-Type验证 禁用JavaScript修改Content-Type绕过 $is_upload = false...
文件上传漏洞与Upload-labs靶场分析实战
weixin_51339377的博客
04-13 963
网站常用后缀名 php php3 php5 phtml asp asa cdx cer aspx ashx shtml 小知识:防火墙常见函数 <?php $a=" Wo jin tian lai LE! "; $b=trim($a); //trim() 首尾去空函数 echo $b; //Wo jin tian lai LE! ?> <?php $b=deldot($a); // 删除文件名末...
php中is upload,PHP中,文件上传
weixin_35712811的博客
03-24 329
PHP中,文件上传更新时间:2006年12月06日 00:00:00 作者:在PHP中,文件上传一般是通过move_uploaded_file()来实现的。boolmove_uploaded_file(stringfilename,stringdestination)本函数检查并确保由filename指定的文件是合法的上传文件(即通过PHP的HTTPPOST上传机制...
Struts2漏洞检查工具2018.zip
07-20
3. **CVE-2016-1000031**:这个漏洞允许攻击者通过上传恶意的文件并利用Struts2的Content-Type处理机制来执行任意代码。 4. **CVE-2016-3092**:这是另一个与OGNL相关的远程代码执行漏洞,它存在于Struts2的某些...
Struts2漏洞检查工具2018.exe
07-15
可执行命令,暂时无法上传文件。 2014-11-12: 最近遇到s19这个debug模式开启导致代码执行,这个有点少,但还是有一些,为了方便大家把13本修改了一下。可以利用这个漏洞执行命令、上传shell。 警告: 本工具为...
无忧购物系统ASP专业 v2018.6.15
10-11
无忧购物系统ASP专业 v2018.6.15 是一款专为中小企业和个人商家设计的电子商务解决方案,旨在提供一个高效、稳定的在线销售平台。该系统基于ASP(Active Server Pages)技术,允许开发者利用VBScript或JScript进行...
uploadlabs
qq_51744055的博客
04-17 2164
小迪老师,nb,虽然口音 莫名想起汤家凤老师 https://www.bilibili.com/video/BV1Fr4y1q7VE?p=58&spm_id_from=333.1007.top_right_bar_window_history.content.click 搭建文件上传漏洞 根据内容类型 前端,检测文件类型(下面的),猜测什么格式 根据content-type判断什么格式, 修改后面的值进行绕过,误认为上传的是一个jpg的文件 通过文件类型,下面的,判断
文件上传漏洞upload-labs1-19关详解
最新发布
qq_51780583的博客
03-07 2205
upload-labs1-19关详解
文件上传(一)
qq_48947141的博客
09-28 1824
一、文件上传概述 1.1、原理 在存在文件上传功能的页面,若没有对上传的文件进行检测、验证以及过滤。可能会导致恶意用户上传恶意脚本文件,被获取服务端的权限。 二、文件上传漏洞绕过 2.1、前端JS限制绕过 原理:浏览器通过JS代码对上传的文件进行格式验证 绕过方式: 1》可以通过Burp抓包修改上传文件的格式 2》修改JS其中关键的检测函数,或者直接禁用JS 漏洞代码分析: <script type="text/javascript...
文件上传漏洞——upload-labs 1-19 (详解)
m0_62879498的博客
02-19 7104
upload-labs-1 删除 js 进行绕过 上传图片,发现上传成功 上传 shell 发现: 发现是白名单,所以由前面我们知道,极有可能在前端存在过滤,我们检查一下: 发现 checkFile() 起到了检查过滤的效果,我们将其删去并提交 发现: 然后用中国以蚁剑 进行链接 发现成功 发现成功 同时我们发现仅仅在前端进行过滤是远远不够的,我们可以轻易的删去,所以除了前端,后端也必须进行校验 如果我们在使用蚁剑发现了返回值为空说明一句话木马语法错误,如果我们发现返回值是一串乱码 则是链接地址
文件上传漏洞练习
qq_61109509的博客
02-11 4449
目录 Pass-01 Pass-02 Pass-03 Pass-04 Pass-05 Pass-06 Pass-07 Pass-08 Pass-09 Pass-10 大佬文章总结的很好 靶场: upload-labs Pass-01 先试着上传一个php文件 将php后缀改成jpg。不成功,看提示 本pass在客户端使用js对不合法图片进行检查! 上传一句话木马,将后缀名改成jpg,然后抓包拦截,重新改为php,实现绕过js验证 Pas...
几种简单的文件上传漏洞类型
热门推荐
简单查找漏洞
08-19 1万+
1. 绕过前端js: 要求上传图片类型的文件,我们可以把php文件改成jpg的文件类型,通过burpsuite抓包 把"c.jpg"修改为"c.php",这样便可以成功上传文件。 2. 文件类型绕过: 上传"c.php"时,通过burpsuite抓包: 把"Content-Type:"修改为“image/jpeg”的图片类型,成功上传 3. php文件后缀名绕过: php...
Upload-labs文件上传(6-10)
a1b2c3是弱口令
07-29 2042
第六关(禁止上传很多中后缀,识别大小写) 我们查看第五关代码: $file_name = deldot($file_name);//删除文件名末尾的点 $file_ext = strrchr($file_name, '.'); $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串...
文件上传之服务器检测,目录的遍历以及上传文件只服务器与检测
weixin_35299004的博客
07-30 235
实例"enctype="multipart/form-data"method="post">文件上传选择文件:上传//上传文件到服务器上面if($_SERVER['REQUEST_METHOD']==['POST']){if(isset($_FILES['upload'])){$allow=['image/jpg','image/jpeg','image/png'];if(in_arra...
upload上传通关游戏
weixin_30432179的博客
09-10 341
第一关:后缀名限制,抓包改一下后缀。 前端脚本检测文件扩展名。当客户端选择文件点击上传的时候,客户端还没有向服务器发送任何消 息,前端的 js 脚本就对文件的扩展名进行检测来判断是否是可以上传的类型 代码: function checkFile() { var file = document.getElementsByName('upload_file')[0].value; ...
Python库 onegov.applications-2018.11.0 下载资源
资源摘要信息:"PyPI官网下载的onegov.applications-2018.11.0.tar.gz文件是Python库的源代码压缩包。该资源通过pypi官网发布,资源全名为onegov.applications-2018.11.0.tar.gz,表明这是一个特定本的Python软件包...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值