upload-labs通关手册(1-9关)加代码审计

已于 2022-03-25 20:16:11 修改
阅读量4.3k 收藏 4
点赞数
文章标签: 安全
于 2022-03-23 16:36:31 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/xiao_he0123/article/details/123680235
版权

upload-labs通关手册

前言

upload是基于文件上传漏洞的一个靶场,在里面可以学习到文件上传的一些常见方法

一、文件上传

文件上传常见验证:后缀名,类型,文件头等

后缀名:

有白名单和黑名单之分(白名单就是规定允许上传的后缀名格式,黑名单是规定不允许上传的后缀名格式)

文件类型:

对MIME信息的判断

文件头:

内容头信息的判定

二、通关手册

1.pass-01(客户端js检查)

源代码如下:

function checkFile() {
    var file = document.getElementsByName('upload_file')[0].value;
    if (file == null || file == "") {
        alert("请选择要上传的文件!");
        return false;
    }
    //定义允许上传的文件类型
    var allow_ext = ".jpg|.png|.gif";
    //提取上传文件的类型
    var ext_name = file.substring(file.lastIndexOf("."));
    //判断上传文件类型是否允许上传
    if (allow_ext.indexOf(ext_name + "|") == -1) {
        var errMsg = "该文件不允许上传,请上传" + allow_ext + "类型的文件,当前文件类型为:" + ext_name;
        alert(errMsg);
        return false;
    }
}

源码分析

第一关通过分析源码 "var allow_ext = ".jpg|.png|.gif";"可以得出则是对后缀名进行白名单的判断这里只要是客户端js的检测

通关方法

这里我们可以先将php文件改为jpg文件上传进行抓包上传后在对jpg后缀改为php
在这里插入图片描述

2.pass-02(服务端白名单之MIME绕过 )

源码如下:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name']            
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '文件类型不正确,请重新上传!';
        }
    } else {
        $msg = UPLOAD_PATH.'文件夹不存在,请手工创建!';
    }

代码分析

“isset”:用于检测变量是否已设置并且非 NULL

if (isset($_POST['submit']))就是指有没有点击上传

file_exists(UPLOAD_PATH)UPLOAD_PATH是对上传路径的规定,这句代码的意思就判断这个上传路径的文件是否存在

if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_files']['type'] == 'image/gif'))判断文件类型是否为image/jpeg或者image/png或者image/gif

$img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name']规定文件路径为UPLPAD_PATH./加上文件名

move_uploaded_file($temp_file, $img_path)将文件移动到文件上传的路径中

通关方法

在这里插入图片描述
在这里插入图片描述

抓包后发现这个文件类型与规定的都不一样所以就无法进行上传

这里我们只要修改上传文件的格式就可以达到文件上传

在这里插入图片描述
选取一个规定中的文件类型更改就可以上传成功
在这里插入图片描述

3.pass-03(服务端黑名单之特殊解析后缀)

源码如下

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array('.asp','.aspx','.php','.jsp');
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //收尾去空

        if(!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;            
            if (move_uploaded_file($temp_file,$img_path)) {
                 $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

代码分析

$deny_ext = array('.asp','.aspx','.php','.jsp');规定拒绝的后缀名

$file_name = trim($_FILES['upload_file']['name']);trim就是去除空格如果文件名中有空格就去除(这里的文件名就是抓包中的file_name)

$file_ext = strrchr($file_name, '.');strrch就是分割的意思将第一个参数按第二个参数进行分割输出后面的值

if(!in_array($file_ext, $deny_ext))判断你上面获取的file_ext在不在deny_ext(禁止上传后缀名中)不在的话就在继续执行下面上传代码

通关方法

php可以通过php5,php3进行上传(前提在apache的配置文件中将php3,5的注释去掉)所以这里可以直接将后缀名改为php3或php5这俩个不在黑名单中的后缀上传并同时可以达到执行php代码的要求
在这里插入图片描述

4.pass-04(服务端黑名单之.htaccess解析)

源码如下:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //收尾去空

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

代码分析

$deny_ext=array(".php",".php5",".php4",".php3",".php2",".php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".pHp1",".Html",".Htm",".pHtml","
相对第三关黑名单的数量增多其余代码没有变化

通关方法

htaccess文件是Apache服务器中的一个配置文件,它负责相关目录下的网页配置(前提要在apache下),为apache的平台做伪静态的转换,实现文件解析自定义

<FilesMatch "shana">
SetHandler application/x-httpd-php
</FilesMatch>
#对文件进行匹配如果发现文件名中shana就将其以application/x-httpd-php格式执行

将该文件上传之后就会将目录下的文件名中带shana的文件都已php格式执行
在这里插入图片描述
将上传文件中的加入php代码并将文件名改为shana.jpg然后上传
在这里插入图片描述

上传之后访问就会以php的格式执行
在这里插入图片描述

5.pass-05(服务端黑名单之大小写绕过)

源码如下


代码

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

代码分析

$deny_ext =array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");对黑名单的规定中又大小写之分

通关方法

源码中并没有 $file_ext = strtolower($file_ext); 来转换为小写
所以直接后缀名携程大小写即可
在这里插入图片描述
上传成功
在这里插入图片描述

6.pass-06(服务端黑名单之空格绕过)

源码如下

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = $_FILES['upload_file']['name'];
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file,$img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

源码分析

这个关卡的源码都和之前一样知识缺少了首尾去空的一行代码

$file_ext = trim($file_ext); //首尾去空

通关方法

由于少了首位去空只要在文件名后加一个空格就可以进行绕过因为黑名单中并没有“.php ”的声明,上传后存储文件后又会自动去除空格
在这里插入图片描述

7. pass-07(服务端黑名单之点绕过)

源码如下:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

源码分析

这个代码中少了删除文件末尾点的代码

$file_name = deldot($file_name);

通关方法

只要在文件名之后加一个‘.’就可以做到绕过
在这里插入图片描述

8.pass-08(服务端黑名单之::$DATA绕过)

源码如下:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

源码分析

这里少了对字符串::$DATA的绕过

$file_ext = str_ireplace('::$DATA', '', $file_ext);

通关方法

 ::$DATA是windows下对于php文件的一种定义,如果在文件名之后加上::$DATA就会不对后缀名进行检测保持::$DATA之前的文件名

在这里插入图片描述

9.pass-9(服务端黑名单之双写绕过)

源码如下:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

通关方法

这里涉及到一个循环的问题
当这里涉及到比如deldot对末尾点的过滤式代码中只进行了一次过滤那我们就可以考虑加2个点之后被过滤掉一个空格从“.php..”变为了“ php.”这里就任然可以绕过黑名单进行上交并执行php文件内容

just a leaf
关注
  • 0
    点赞
  • 4
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
upload-labs19-20以及总结1
08-08
第一步:直接上传php文件,保存名称填成PHP第二步:抓包分析可以看到filename是文件本来的名称,而save_name是传递的参数,此处改为PHP可以绕过
upload-labs-master.zip
06-22
文件上传漏洞小游戏靶场upload-labs-master/upload-labs-master/upload-labs-master/upload-labs-master
upload-labs详解1-19通关全解(最全最详细一看就会)
最新发布
m0_59598029的博客
02-25 903
upload-labs是一个使用php语言编写的,专门收集渗透测试过程中遇到的各种上传漏洞的靶场。旨在帮助大家对上传漏洞有一个全面的了解。目前一共19,每一都包含着不同上传方式。
Upload-labs通关手册.pdf
08-06
Upload-labs通关手册
upload-labs通关手册
12-03
详细记录了upload-labs靶场的通关步骤,并且附带有caidao和burpsuite工具资源,非常适合初学者!!!
安装upload-labs
10-22
安装upload-labs
upload-labs代码审计 1-12
weixin_44747030的博客
11-01 620
upload-labs代码审计
upload-labs
weixin_44576725的博客
04-14 1493
upload-labs通关记录 upload-labs是收集ctf和渗透测试中文件上传遇到的各种漏洞的靶场,旨在通过卡的形式来帮助大家对文件上传有个全面的了解。 项目地址:https://github.com/c0ny1/upload-labs Pass-01 选择本地1.php文件上传,打开burp抓包,还没抓到包页面就显示只能上传.jpg.png等类型文件,说明是前端JS判断。 这里有两种绕过方法: 打开浏览器的审查元素,找到文件上传的js代码,发现checkFile()函数,推测是这个函数进行
文件上传-uploadlab通关手册
李安北的博客
05-03 3352
11
upload-labs通关详细教程
m0_52923241的博客
03-01 3288
在很多时候有限制文件上传的类型,而黑名单ban了很多相的后缀,如果没有禁用.htaccee那么就能触发getshell.htaccess可以把.jpg解析成php:函数会将所有字母转换为小写,在没有此功能,且很多后缀被ban的情况下,可以使用大小写绕过:该函数将字符串收尾去空,在大小写绕不过,且没有使用此函数时,可使用后缀空绕过此函数删除了文件名末尾的点:去除字符串::$DATA。
Upload-labs(1-21详细教程)【简单易懂】【万字教程】
墨鱼菜鸡
09-10 3092
目录 思维导图 练习网站: 注意: 知识点 Pass-01 代码: 提示: 解题思路: Pass-02 知识点: 代码: 提示: 解题思路: Pass-03(本需要使用自己搭建upload-labs) 代码: 提示: 解题思路: Pass-04 代码: 提示: 解题思路: Pass-05(建议使用本机搭建的...
Upload-labs通关攻略(适合新手)
夜思红尘的博客
04-12 2008
这是一篇upload-labs通关攻略,适合新手
upload-labs详细教程
热门推荐
shayebudon的博客
11-09 1万+
第一 js检查 查看源码 由源代码可知,允许上传的文件为.jpg|.png|.gif 我们上传一个.jpg文件 利用burp suite进行抓包 将jpg改为php后,放包 上传成功。 第二Content-Type 查看源码 有源码可知,发现只判断Content-Type类型,所以我们只需修改Content-Type进行绕过即可 首先上传php文件,抓上传包 将箭头所指的内容改为image/jpeg或image/png或image/gif后...
于文件上传漏洞的观点(upload-labs第九
hanjunhao2002的博客
02-24 217
我们可以利用这样的检验机制,首先我们在文件后缀名后添一个点,希望最终以此来绕过黑名单检测,但是因为存在去除文件名末尾的点的代码,所以我们需要不止一个点,注意我们用来绕过黑名单的点显然不能够被消除,所以要在他后面放一个东西防止他落在最后一位。我们看到收尾去空的代码在去点代码之后,所以用空格来充当占位符号。以上面为例,我们可以看到于文件是如何识别的,本通过查看源码发现,不仅黑名单奇长无比,且限制了’.htaccess’文件类型。这时我们理解代码的含义,发现首先会去处文件名末尾的点,然后首尾去空。
upload-labs之1-20通关(超详细,全程干货,没有废话)
qq_64652650的博客
10-23 1690
通关记录,干货,无废话
upload-labs通关手册(10-20)代码审计
xiao_he0123的博客
03-25 3933
upload-labs通关手册(10-20)前言二、通关手册pass-10(黑名单之双后缀名绕过)源码分析通关方法pass-11(白名单之%00截断绕过)源码分析通关手册pass-12()总结 前言 上篇博文记录了1-9通关手册,这篇文章我们记录一下10-20通关手册 二、通关手册 pass-10(黑名单之双后缀名绕过) 源码如下 $is_upload = false; $msg = null; if (isset($_POST['submit'])) { if (file_exists(
upload-labs pass-1-21 wp(附源码解析)
lyy0xfff的博客
08-09 3970
ContentsPreface本博文仅限于信息安全防御教学,切勿用于其他用途!!!Pass-1 前端验证绕过 Preface 因为我之前做过一遍靶场,但是并不是完全白盒测试过的(查看提示+查看源码+wp),所以这次我准备再上源码分析,顺便可以提升一下自己的php水平,所以下面的解析有可能会有些啰嗦,大家根据自身需求来进行选择 本博文仅限于信息安全防御教学,切勿用于其他用途!!! Pass-1 前端验证绕过 0x00 首先我们查看一下它的源码,这是一个JS脚本 function checkFile() {
通关选择】upload-labs通关攻略(大全)
Continuejww的博客
11-02 1255
前提条件:1.文件能够成功上传到服务器2.攻击者能够知道文件的上传路径。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值