Which Theme Is That? WPScan

You see a good site and want to know which theme it uses or which plugins are installed. For a quick look, sites such as WordPress Theme Search, WPThemeDoctor and WhatTheme help.

If you want to run your WordPress carefully, or want to support your service provider, you have a vulnerability scanner such as WPScan installed and in regular use. Scanning for plugins and themes with WPScan is more effective, because it also shows the security problems you could have with the plugin or theme.

Use the web tools mentioned above to identify the theme or plugin, install it in your test environment and then check it with WPScan.

WPScan

WPScan runs wherever Ruby runs; more details are on the project page. If you do further security testing, the Linux distribution Kali Linux 1) is recommended; WPScan is already installed there.

Scanning a website

ruby wpscan.rb --url http://test.jens-falk.de

The output looks like this:

_______________________________________________________________
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team 
                       Version 2.9.3
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://test.jens-falk.de/
[+] Started: Fri Sep 22 20:20:15 2017

[+] robots.txt available under: 'http://test.jens-falk.de/robots.txt'
[!] The WordPress 'http://test.jens-falk.de/readme.html' file exists exposing a version number
[!] Full Path Disclosure (FPD) in 'http://test.jens-falk.de/wp-includes/rss-functions.php': 
[+] Interesting header: LINK: <http://test.jens-falk.de/wp-json/>; rel="https://api.w.org/"
[+] Interesting header: SERVER: Apache/2.4.25
[+] Interesting header: X-CACHE: MISS from falkproxy
[+] Interesting header: X-CACHE-LOOKUP: HIT from falkproxy:800
[+] Interesting header: X-POWERED-BY: PHP/5.6.28
[+] XML-RPC Interface available under: http://test.jens-falk.de/xmlrpc.php

[+] WordPress version 4.8.2 (Released on 2017-09-19) identified from meta generator, links opml

[+] WordPress theme in use: advanced-twenty-seventeen-child - v1.0

[+] Name: advanced-twenty-seventeen-child - v1.0
 |  Location: http://test.jens-falk.de/wp-content/themes/advanced-twenty-seventeen-child/
 |  Style URL: http://test.jens-falk.de/wp-content/themes/advanced-twenty-seventeen-child/style.css
 |  Theme Name: Advanced Twenty Seventeen Child
 |  Theme URI: http://saturnsolutions.com
 |  Description: Twenty Seventeen brings your site to life with immersive featured images and subtle animations. W...
 |  Author: SaturnSolutions
 |  Author URI: http://saturnsolutions.com/

[+] Detected parent theme: twentyseventeen - v1.3

[+] Name: twentyseventeen - v1.3
 |  Latest version: 1.3 (up to date)
 |  Last updated: 2017-06-08T00:00:00.000Z
 |  Location: http://test.jens-falk.de/wp-content/themes/twentyseventeen/
 |  Readme: http://test.jens-falk.de/wp-content/themes/twentyseventeen/README.txt
 |  Style URL: http://test.jens-falk.de/wp-content/themes/twentyseventeen/style.css
 |  Theme Name: Twenty Seventeen
 |  Theme URI: https://wordpress.org/themes/twentyseventeen/
 |  Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a...
 |  Author: the WordPress team
 |  Author URI: https://wordpress.org/

[+] Enumerating plugins from passive detection ...
 | 1 plugin found:

[+] Name: advanced-twenty-seventeen - v1.3.1
 |  Latest version: 1.3.1 (up to date)
 |  Last updated: 2017-02-27T05:49:00.000Z
 |  Location: http://test.jens-falk.de/wp-content/plugins/advanced-twenty-seventeen/
 |  Readme: http://test.jens-falk.de/wp-content/plugins/advanced-twenty-seventeen/readme.txt

Finding usernames

The command is:

ruby wpscan.rb --url http://test.jens-falk.de --enumerate u

or, if there are many users:

ruby wpscan.rb --url http://deinewebseite.de --enumerate u[10-20]

The result

[+] Enumerating usernames ...
[+] Identified the following 1 user/s:
    +----+--------+----------+
    | Id | Login  | Name     |
    +----+--------+----------+
    | 1  | tester | Tester – |
    +----+--------+----------+

Checking password security

It makes good sense at this point to check whether an attacker could log in:

ruby wpscan.rb --url http://deineseite.de --wordlist passwoerter.txt

The result

[+] Enumerating usernames ...
[+] Identified the following 1 user/s:
    +----+--------+----------+
    | Id | Login  | Name     |
    +----+--------+----------+
    | 1  | tester | Tester – |
    +----+--------+----------+
[+] Starting the password brute forcer
  Brute Forcing 'tester' Time: 00:00:00 <=====================================================================================> (1 / 1) 100.00% Time: 00:00:00
  [+] [SUCCESS] Login : tester Password : geheim                                                                                            


  +----+--------+----------+--------------------------+
  | Id | Login  | Name     | Password                 |
  +----+--------+----------+--------------------------+
  | 1  | tester | Tester – | geheim                   |
  +----+--------+----------+--------------------------+

Files containing passwords are easy to find in large numbers (Google "password list txt"). Many users always use the same password for websites. They do not realise that after a break-in passwords are read out and stored in lists.

Finding vulnerabilities in the theme

ruby wpscan.rb --url http://deineseite.de --enumerate vt

Finding vulnerabilities in plugins

ruby wpscan.rb --url http://deineseite.de --enumerate vp

The result

[+] URL: https://meine-verwundbaren-wp-plugins.de/
[+] Started: Fri Sep 22 20:29:41 2017

[+] robots.txt available under: 'https://meine-verwundbaren-wp-plugins.de/robots.txt'
[+] Interesting entry from robots.txt: Sitemap: http://meine-verwundbaren-wp-plugins.de/?feed=google_news_sitemap
[!] The WordPress 'https://meine-verwundbaren-wp-plugins.de/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: nginx
[+] Interesting header: X-CACHE-ENGINE: WP-FFPC with memcached via PHP
[+] Interesting header: X-POWERED-BY: PHP/5.4.45-1~dotdeb+7.1
[+] This site has 'Must Use Plugins' (http://codex.wordpress.org/Must_Use_Plugins)
[+] XML-RPC Interface available under: https://meine-verwundbaren-wp-plugins.de/xmlrpc.php

[+] WordPress version 4.7 (Released on 2016-12-06) identified from readme
[!] 27 vulnerabilities identified from the version number

[!] Title: WordPress 4.3-4.7 - Remote Code Execution (RCE) in PHPMailer
    Reference: https://wpvulndb.com/vulnerabilities/8714
    Reference: https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/
    Reference: https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities
    Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491
    Reference: http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
    Reference: https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_phpmailer_host_header
[i] Fixed in: 4.7.1

[!] Title: WordPress 4.7 - User Information Disclosure via REST API
    Reference: https://wpvulndb.com/vulnerabilities/8715
    Reference: https://www.wordfence.com/blog/2016/12/wordfence-blocks-username-harvesting-via-new-rest-api-wp-4-7/
    Reference: https://github.com/WordPress/WordPress/commit/daf358983cc1ce0c77bf6d2de2ebbb43df2add60
    Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5487
[i] Fixed in: 4.7.1

[!] Title: WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php
    Reference: https://wpvulndb.com/vulnerabilities/8716
    Reference: https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php
    Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5488
[i] Fixed in: 4.7.1

[!] Title: WordPress <= 4.7 - Cross-Site Request Forgery (CSRF) via Flash Upload
    Reference: https://wpvulndb.com/vulnerabilities/8717
    Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5489
[i] Fixed in: 4.7.1

[!] Title: WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback
    Reference: https://wpvulndb.com/vulnerabilities/8718
    Reference: https://www.mehmetince.net/low-severity-wordpress/
    Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5490
[i] Fixed in: 4.7.1

[!] Title: WordPress <= 4.7 - Post via Email Checks mail.example.com by Default
    Reference: https://wpvulndb.com/vulnerabilities/8719
    Reference: https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a
    Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5491
[i] Fixed in: 4.7.1

[!] Title: WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)
    Reference: https://wpvulndb.com/vulnerabilities/8720
    Reference: https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733
    Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5492
[i] Fixed in: 4.7.1

[!] Title: WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)
    Reference: https://wpvulndb.com/vulnerabilities/8721
    Reference: https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4
    Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5493
[i] Fixed in: 4.7.1

[!] Title: WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users
    Reference: https://wpvulndb.com/vulnerabilities/8729
    Reference: https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
    Reference: https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5610
[i] Fixed in: 4.7.2

[!] Title: WordPress 3.5-4.7.1 - WP_Query SQL Injection
    Reference: https://wpvulndb.com/vulnerabilities/8730
    Reference: https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
    Reference: https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5611
[i] Fixed in: 4.7.2

[!] Title: WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table
    Reference: https://wpvulndb.com/vulnerabilities/8731
    Reference: https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
    Reference: https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5612
[i] Fixed in: 4.7.2

[!] Title: WordPress 4.7.0-4.7.1 - Unauthenticated Page/Post Content Modification via REST API
    Reference: https://wpvulndb.com/vulnerabilities/8734
    Reference: https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
    Reference: https://blogs.akamai.com/2017/02/wordpress-web-api-vulnerability.html
    Reference: https://gist.github.com/leonjza/2244eb15510a0687ed93160c623762ab
    Reference: https://github.com/WordPress/WordPress/commit/e357195ce303017d517aff944644a7a1232926f7
    Reference: https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_content_injection
[i] Fixed in: 4.7.2

[!] Title: WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata
    Reference: https://wpvulndb.com/vulnerabilities/8765
    Reference: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7
    Reference: https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html
    Reference: http://seclists.org/oss-sec/2017/q1/563
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6814
[i] Fixed in: 4.7.3

[!] Title: WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation
    Reference: https://wpvulndb.com/vulnerabilities/8766
    Reference: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6815
[i] Fixed in: 4.7.3

[!] Title: WordPress 4.7.0-4.7.2 - Authenticated Unintended File Deletion in Plugin Delete
    Reference: https://wpvulndb.com/vulnerabilities/8767
    Reference: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/4d80f8b3e1b00a3edcee0774dc9c2f4c78f9e663
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6816
[i] Fixed in: 4.7.3

[!] Title: WordPress  4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds
    Reference: https://wpvulndb.com/vulnerabilities/8768
    Reference: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8
    Reference: https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6817
[i] Fixed in: 4.7.3

[!] Title: WordPress 4.7-4.7.2 - Cross-Site Scripting (XSS) via Taxonomy Term Names
    Reference: https://wpvulndb.com/vulnerabilities/8769
    Reference: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/9092fd01e1f452f37c313d38b18f9fe6907541f9
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6818
[i] Fixed in: 4.7.3

[!] Title: WordPress 4.2-4.7.2 - Press This CSRF DoS
    Reference: https://wpvulndb.com/vulnerabilities/8770
    Reference: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829
    Reference: https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html
    Reference: http://seclists.org/oss-sec/2017/q1/562
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6819
[i] Fixed in: 4.7.3

[!] Title: WordPress 2.3-4.7.5 - Host Header Injection in Password Reset
    Reference: https://wpvulndb.com/vulnerabilities/8807
    Reference: https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
    Reference: http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295

[!] Title: WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation
    Reference: https://wpvulndb.com/vulnerabilities/8815
    Reference: https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11
    Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9066
[i] Fixed in: 4.7.5

[!] Title: WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC
    Reference: https://wpvulndb.com/vulnerabilities/8816
    Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/
    Reference: https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9062
[i] Fixed in: 4.7.5

[!] Title: WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
    Reference: https://wpvulndb.com/vulnerabilities/8817
    Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/
    Reference: https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9065
[i] Fixed in: 4.7.5

[!] Title: WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF
    Reference: https://wpvulndb.com/vulnerabilities/8818
    Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/
    Reference: https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67
    Reference: https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9064
[i] Fixed in: 4.7.5

[!] Title: WordPress 3.3-4.7.4 - Large File Upload Error XSS
    Reference: https://wpvulndb.com/vulnerabilities/8819
    Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/
    Reference: https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6
    Reference: https://hackerone.com/reports/203515
    Reference: https://hackerone.com/reports/203515
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9061
[i] Fixed in: 4.7.5

[!] Title: WordPress 3.4.0-4.7.4 - Customizer XSS & CSRF
    Reference: https://wpvulndb.com/vulnerabilities/8820
    Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/
    Reference: https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9063
[i] Fixed in: 4.7.5

[!] Title: WordPress 2.3.0-4.8.1 - $wpdb->prepare() potential SQL Injection
    Reference: https://wpvulndb.com/vulnerabilities/8905
    Reference: https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48
    Reference: https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec
[i] Fixed in: 4.8.2

[!] Title: WordPress 2.3.0-4.7.4 - Authenticated SQL injection
    Reference: https://wpvulndb.com/vulnerabilities/8906
    Reference: https://medium.com/websec/wordpress-sqli-bbb2afcc8e94
    Reference: https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48
    Reference: https://wpvulndb.com/vulnerabilities/8905
[i] Fixed in: 4.7.5

These scripts are certainly also used by people who want to gain access to the content management system. WPScan should therefore check your own WordPress installation regularly.
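For the regular check of your own installation, the long text report can be reduced to what needs action. The following Ruby script is an added example, not part of WPScan or of the original post: it parses the `[!] Title:` / `Reference:` / `[i] Fixed in:` blocks of the report format shown above and returns the highest "Fixed in" version among the findings still open, plus the findings for which the report lists no fix. The helper names are hypothetical, the sample input is a shortened excerpt of the report above, and the report is assumed to be saved as plain text without colour codes.

```ruby
# Added example, not part of WPScan: triage of the WPScan 2.9.x text report.
# Finding, detected_version, parse_findings and triage are hypothetical names.
require 'rubygems' # Gem::Version orders versions correctly, e.g. 4.7 < 4.7.1

Finding = Struct.new(:title, :references, :fixed_in) do
  def cves
    references.map { |r| r[/CVE-\d{4}-\d+/] }.compact.uniq
  end
end

# Core version from the "[+] WordPress version X ..." line, or nil.
def detected_version(report)
  report[/^\[\+\] WordPress version (\d+(?:\.\d+)*)/, 1]
end

# Collect "[!] Title:" blocks with their "Reference:" and "[i] Fixed in:" lines.
def parse_findings(report)
  findings, current = [], nil
  report.each_line do |raw|
    case raw.strip
    when /\A\[!\] Title:\s*(.+)\z/
      findings << (current = Finding.new($1.squeeze(' '), [], nil))
    when /\AReference:\s*(\S+)\z/
      current.references << $1 if current && !current.references.include?($1)
    when /\A\[i\] Fixed in:\s*(\S+)\z/
      current.fixed_in = Gem::Version.new($1) if current
    when ''
      current = nil # a blank line closes the block
    end
  end
  findings
end

# Highest "Fixed in" among findings the installed version does not yet cover,
# plus the findings for which the report lists no fixed version at all.
def triage(findings, installed)
  installed = Gem::Version.new(installed)
  fixable, unfixed = findings.partition(&:fixed_in)
  pending = fixable.select { |f| f.fixed_in > installed }
  { upgrade_to: pending.map(&:fixed_in).max&.to_s, pending: pending.size,
    no_fix_listed: unfixed.map(&:title) }
end

# Sample input: shortened excerpt of the report shown above.
SAMPLE_REPORT = <<~'REPORT'
  [+] WordPress version 4.7 (Released on 2016-12-06) identified from readme

  [!] Title: WordPress 2.3-4.7.5 - Host Header Injection in Password Reset
      Reference: https://wpvulndb.com/vulnerabilities/8807
      Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295

  [!] Title: WordPress 3.3-4.7.4 - Large File Upload Error XSS
      Reference: https://wpvulndb.com/vulnerabilities/8819
      Reference: https://hackerone.com/reports/203515
      Reference: https://hackerone.com/reports/203515
      Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9061
  [i] Fixed in: 4.7.5

  [!] Title: WordPress 2.3.0-4.8.1 - $wpdb->prepare() potential SQL Injection
      Reference: https://wpvulndb.com/vulnerabilities/8905
  [i] Fixed in: 4.8.2
REPORT

p triage(parse_findings(SAMPLE_REPORT), detected_version(SAMPLE_REPORT)) if __FILE__ == $PROGRAM_NAME
```

Findings that end up under `no_fix_listed` cannot be closed by an update alone and need a separate mitigation decision.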

If you would like a more secure WordPress installation than the default one and regular checks of your CMS, write to us via the contact form.

1. Kali Linux contains software tools, some of which circumvent security measures and which, under § 202c StGB, the so-called "hacker paragraph" that came into force at the end of May 2007, are regarded in Germany as computer programs for spying out data. Because of this legal situation, mere possession or distribution can be punishable if there is intent to use them unlawfully under § 202a StGB (spying out data) or § 202b StGB (interception of data). Quoted from the page "Kali Linux", section "Rechtliches". In: Wikipedia, Die freie Enzyklopädie. Revision as of 4 August 2017, 20:02 UTC. URL: https://de.wikipedia.org/w/index.php?title=Kali_Linux&oldid=167875818 (retrieved 22 September 2017, 09:59 UTC)