From 8978120a5d545a28ff543fa3d677c9f481e81539 Mon Sep 17 00:00:00 2001 From: evilddog Date: Wed, 9 Dec 2015 11:01:00 +0800 Subject: [PATCH] add web 275 --- .../Readme.md" | 21 +++++ .../clean.sh" | 9 ++ .../index.html" | 6 ++ .../uploads.php" | 78 ++++++++++++++++++ .../20fb33a13d42b2f03bae134d5cf2049a.png" | Bin 0 -> 208 bytes .../4498b16ae04baecf3d033b4d84324f17.png" | Bin 0 -> 91 bytes .../4a7748d22c314b089ce291fafb4087c6.png" | Bin 0 -> 91 bytes .../77d14b85cb5e7b5be4b52a9ea91b160c.png" | Bin 0 -> 208 bytes .../97626c89716856cf38a706dd7e13aa9e.png" | Bin 0 -> 91 bytes .../9b8d1cc05e6672af09cab905a6f4d77e.png" | Bin 0 -> 91 bytes .../a5aa1cc363106ba9f668650fba91a796.png" | Bin 0 -> 208 bytes .../a9f02dce8cfc35b255e1d1030d0f04ff.png" | Bin 0 -> 91 bytes .../c2639124e42efe1ce6434983b5f996fe.png" | Bin 0 -> 91 bytes .../c30d18dd845484f73f450845716117b2.png" | Bin 0 -> 208 bytes .../dce4a3076f6695333e539e8dcafbdd52.png" | Bin 0 -> 3500 bytes 15 files changed, 114 insertions(+) create mode 100644 "\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/Readme.md" create mode 100755 "\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/clean.sh" create mode 100644 "\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/index.html" create mode 100644 "\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads.php" create mode 100644 "\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/20fb33a13d42b2f03bae134d5cf2049a.png" create mode 100644 "\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/4498b16ae04baecf3d033b4d84324f17.png" create mode 100644 "\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/4a7748d22c314b089ce291fafb4087c6.png" create mode 100644 "\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/77d14b85cb5e7b5be4b52a9ea91b160c.png" create mode 100644 "\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/97626c89716856cf38a706dd7e13aa9e.png" create mode 100644 "\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/9b8d1cc05e6672af09cab905a6f4d77e.png" create mode 100644 "\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/a5aa1cc363106ba9f668650fba91a796.png" create mode 100644 "\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/a9f02dce8cfc35b255e1d1030d0f04ff.png" create mode 100644 "\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/c2639124e42efe1ce6434983b5f996fe.png" create mode 100644 "\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/c30d18dd845484f73f450845716117b2.png" create mode 100644 "\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/dce4a3076f6695333e539e8dcafbdd52.png" diff --git "a/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/Readme.md" "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/Readme.md" new file mode 100644 index 0000000..55f3ab3 --- /dev/null +++ "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/Readme.md" @@ -0,0 +1,21 @@ +web 275 + +这道题其实非常简单,打开就一个上传点,源码中title提示upload image,注释提示要小于20KB,于是尝试png、jpg、bmp,发现png可以上传 + +上传之后发现会输出png到页面,猜想上传包含webshell的图getshell + +提示文件上传后会被重命名为一段hash,其实是md5(time()+filename)这一点其实很好猜 + +如果不猜一样很容易找到,因为一秒内上传多次会提示重命名后的文件已存在 + +down下来文件会发现所有图片都会被缩放成64*64,如果上传64*64的图片可能会被原样输出 + +这个方法出题人本地测试过,于是禁止了64*64图片上传,那么只有一种方法 + +构造缩放后能够出现webshell的正常png图片,在上传之后会输出到upload.php + +之前还有两个坑,一个是重命名后的文件名,还有一个是filename如果包含`'`会强行报错 + +不过老赛棍都能一眼看出来 + + diff --git "a/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/clean.sh" "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/clean.sh" new file mode 100755 index 0000000..782bd59 --- /dev/null +++ "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/clean.sh" @@ -0,0 +1,9 @@ +#! /bin/bash + +while true +do + #echo "+-----------------------------------------------------------------+" + ls -al uploads/ > 33384bb51f3f987a7db3f0301a01a43f.log + mv uploads/*.png /root/test + sleep 2s +done diff --git "a/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/index.html" "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/index.html" new file mode 100644 index 0000000..9574e7c --- /dev/null +++ "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/index.html" @@ -0,0 +1,6 @@ +Please upload an image! +
+ + + +
diff --git "a/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads.php" "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads.php" new file mode 100644 index 0000000..f9090e0 --- /dev/null +++ "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads.php" @@ -0,0 +1,78 @@ + 0 ){ + echo "Upload Error" . "
"; + } + + if(strstr($fileName, "'")){ + echo "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 23333"; + + } + + if( $fileSudffix == "png" + && $fileType == "image/png" + && !($width == 64 && $height == 64) + && $fileSize < 20*1024 ){ + + + echo "Upload: " . $fileName . "
"; + echo "Type: " . $fileType . "
"; + echo "Size: " . ($fileSize / 1024) . "
"; + echo "Temp file: " . $fileTempName . "
"; + + + if (file_exists("uploads/" . $fileRename)){ + + echo $fileRename . " is exist." . "
"; + + }else{ + + + move_uploaded_file($fileTempName, "uploads/" . $fileRename); + + echo "Stored in :" . "uploads/" . "renameBymd5.png" . "
"; + + $newWidth = 64; + $newHeight = 64; + + $newImage = imagecreatetruecolor($newWidth, $newHeight); + + $imageIdentifier = imagecreatefrompng("uploads/" . $fileRename); + + imagecopyresampled($newImage, $imageIdentifier, 0, 0, 0, 0, $newWidth, $newHeight, $width, $height); + + imagepng($newImage, "uploads/" . $fileRename); + + @include("uploads/" . $fileRename); + + } + + }else{ + + echo "Oops?! What are you doing???" . ""; + #echo "Upload: " . $fileRename . "
"; + #echo "Type: " . $fileType . "
"; + #echo "Size: " . ($fileSize / 1024) . "
"; + #echo "Temp file: " . $fileTempName . "
"; + + } + + }else{ + + header("Location: index.html"); + + } diff --git "a/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/20fb33a13d42b2f03bae134d5cf2049a.png" "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/20fb33a13d42b2f03bae134d5cf2049a.png" new file mode 100644 index 0000000000000000000000000000000000000000..816f8c4141c96055247935d0ed66d06f75773e9d GIT binary patch literal 208 zcmeAS@N?(olHy`uVBq!ia0vp^4j|0I1SD0tpLGJM>7Fi*AsLNt&lvI@1WH|8U&t`E zMD>VLhR-7|v(9(N_}b)-$V$jGcq+YQ<&o7fTg)7yG_m8z6Slce_A~Ffl{cHo(~PC+ zA_K=|wFxPT0^gMrE_gP+(_)_1&1S#(tQ5yB{Rc%g%-1izopr0RLo2r~m)} literal 0 HcmV?d00001 diff --git "a/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/4498b16ae04baecf3d033b4d84324f17.png" "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/4498b16ae04baecf3d033b4d84324f17.png" new file mode 100644 index 0000000000000000000000000000000000000000..21bf2378c4949e9f25c3f4af7ac10145eeceb56a GIT binary patch literal 91 zcmeAS@N?(olHy`uVBq!ia0vp^4j|0I1SD0tpLGH$B~KT}kc`H+2N`*Ryh97V`{(kr civXE0@FCB@fr0Vcf(Kv$Pgg&ebxsLQ01(j=W&i*H literal 0 HcmV?d00001 diff --git "a/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/4a7748d22c314b089ce291fafb4087c6.png" "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/4a7748d22c314b089ce291fafb4087c6.png" new file mode 100644 index 0000000000000000000000000000000000000000..21bf2378c4949e9f25c3f4af7ac10145eeceb56a GIT binary patch literal 91 zcmeAS@N?(olHy`uVBq!ia0vp^4j|0I1SD0tpLGH$B~KT}kc`H+2N`*Ryh97V`{(kr civXE0@FCB@fr0Vcf(Kv$Pgg&ebxsLQ01(j=W&i*H literal 0 HcmV?d00001 diff --git "a/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/77d14b85cb5e7b5be4b52a9ea91b160c.png" "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/77d14b85cb5e7b5be4b52a9ea91b160c.png" new file mode 100644 index 0000000000000000000000000000000000000000..816f8c4141c96055247935d0ed66d06f75773e9d GIT binary patch literal 208 zcmeAS@N?(olHy`uVBq!ia0vp^4j|0I1SD0tpLGJM>7Fi*AsLNt&lvI@1WH|8U&t`E zMD>VLhR-7|v(9(N_}b)-$V$jGcq+YQ<&o7fTg)7yG_m8z6Slce_A~Ffl{cHo(~PC+ zA_K=|wFxPT0^gMrE_gP+(_)_1&1S#(tQ5yB{Rc%g%-1izopr0RLo2r~m)} literal 0 HcmV?d00001 diff --git "a/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/97626c89716856cf38a706dd7e13aa9e.png" "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/97626c89716856cf38a706dd7e13aa9e.png" new file mode 100644 index 0000000000000000000000000000000000000000..21bf2378c4949e9f25c3f4af7ac10145eeceb56a GIT binary patch literal 91 zcmeAS@N?(olHy`uVBq!ia0vp^4j|0I1SD0tpLGH$B~KT}kc`H+2N`*Ryh97V`{(kr civXE0@FCB@fr0Vcf(Kv$Pgg&ebxsLQ01(j=W&i*H literal 0 HcmV?d00001 diff --git "a/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/9b8d1cc05e6672af09cab905a6f4d77e.png" "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/9b8d1cc05e6672af09cab905a6f4d77e.png" new file mode 100644 index 0000000000000000000000000000000000000000..21bf2378c4949e9f25c3f4af7ac10145eeceb56a GIT binary patch literal 91 zcmeAS@N?(olHy`uVBq!ia0vp^4j|0I1SD0tpLGH$B~KT}kc`H+2N`*Ryh97V`{(kr civXE0@FCB@fr0Vcf(Kv$Pgg&ebxsLQ01(j=W&i*H literal 0 HcmV?d00001 diff --git "a/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/a5aa1cc363106ba9f668650fba91a796.png" "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/a5aa1cc363106ba9f668650fba91a796.png" new file mode 100644 index 0000000000000000000000000000000000000000..816f8c4141c96055247935d0ed66d06f75773e9d GIT binary patch literal 208 zcmeAS@N?(olHy`uVBq!ia0vp^4j|0I1SD0tpLGJM>7Fi*AsLNt&lvI@1WH|8U&t`E zMD>VLhR-7|v(9(N_}b)-$V$jGcq+YQ<&o7fTg)7yG_m8z6Slce_A~Ffl{cHo(~PC+ zA_K=|wFxPT0^gMrE_gP+(_)_1&1S#(tQ5yB{Rc%g%-1izopr0RLo2r~m)} literal 0 HcmV?d00001 diff --git "a/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/a9f02dce8cfc35b255e1d1030d0f04ff.png" "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/a9f02dce8cfc35b255e1d1030d0f04ff.png" new file mode 100644 index 0000000000000000000000000000000000000000..21bf2378c4949e9f25c3f4af7ac10145eeceb56a GIT binary patch literal 91 zcmeAS@N?(olHy`uVBq!ia0vp^4j|0I1SD0tpLGH$B~KT}kc`H+2N`*Ryh97V`{(kr civXE0@FCB@fr0Vcf(Kv$Pgg&ebxsLQ01(j=W&i*H literal 0 HcmV?d00001 diff --git "a/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/c2639124e42efe1ce6434983b5f996fe.png" "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/c2639124e42efe1ce6434983b5f996fe.png" new file mode 100644 index 0000000000000000000000000000000000000000..21bf2378c4949e9f25c3f4af7ac10145eeceb56a GIT binary patch literal 91 zcmeAS@N?(olHy`uVBq!ia0vp^4j|0I1SD0tpLGH$B~KT}kc`H+2N`*Ryh97V`{(kr civXE0@FCB@fr0Vcf(Kv$Pgg&ebxsLQ01(j=W&i*H literal 0 HcmV?d00001 diff --git "a/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/c30d18dd845484f73f450845716117b2.png" "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/c30d18dd845484f73f450845716117b2.png" new file mode 100644 index 0000000000000000000000000000000000000000..816f8c4141c96055247935d0ed66d06f75773e9d GIT binary patch literal 208 zcmeAS@N?(olHy`uVBq!ia0vp^4j|0I1SD0tpLGJM>7Fi*AsLNt&lvI@1WH|8U&t`E zMD>VLhR-7|v(9(N_}b)-$V$jGcq+YQ<&o7fTg)7yG_m8z6Slce_A~Ffl{cHo(~PC+ zA_K=|wFxPT0^gMrE_gP+(_)_1&1S#(tQ5yB{Rc%g%-1izopr0RLo2r~m)} literal 0 HcmV?d00001 diff --git "a/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/dce4a3076f6695333e539e8dcafbdd52.png" "b/\351\225\277\346\261\237\351\230\262\347\272\277\345\233\272\350\213\245\351\207\221\346\261\244/uploads/dce4a3076f6695333e539e8dcafbdd52.png" new file mode 100644 index 0000000000000000000000000000000000000000..a16e9495740b0d389f31881fcf44e2ffff054ecc GIT binary patch literal 3500 zcmV;d4O8-oP)000ehNkl@Inx+ z0D%yy`T|naCqR`zX$c{eHsoq2PUASq#CLn{mvh_qy>2{A;+n*X=gb@wB>aEeXP@=` ze|zt5t#5sM18`l}_5WM2=OZ!%`yA#{ygGEMbSsleo4U<7LE4zSi<4%}GQJ$s3XoEf&UK^l|QQ80qEt}RVE{7%!)45i9rkTv8`C^*4gj~msSSJ7k zV1IvUqUd-QE;y`EakT-RRxEQ#F@*3M!>*EG2$VKqDjSiAGuaaIRFGUsvaX!0Gl{o( zcHLo{%64C$@Ay1wCs~w1V=%h5djJ4}5J7+`_DW7G%=$da2x_I0B1jQxi7qmGJpeXF zw+@x|3>K<2Ut}Wgq(&P60p)~Q6e4Jh0U!S~V1kS>001Erg0R|OI6K|07kJ5{L81Tv z9U;Y<)4FSbA|nru*Gq&lo9R?2sVFC2(Y9PmN|nXAR{9g%Ba9s1%2Oefjx$9OD3%

0UCIesiE|8LW6jfR*R#-|!-7ac4v13BWnRhA$^@-Q=GR_a3B$#j-&*V#W9Hjg z)ngFAIF&&nJPT)1S3R~VvQpi}jMNG_ie}UNy8v|-S4|0V-xJHQX0P373N)PsV!(-K`6-S-q zqvsf7a%rMmLI8aWLkO8g{fdhTZZCDRLav>CDp zatIFPn(C$Q0GhenK2qAcxzb!{UwPrRF}c)nu9949Z5)n^HX#^shj~SZa+1Y)Yq6uG z4pTYPN_`7gd`2mrn{8_Y000Jnr64c6w3A4mlRBsWD*&~Eb@N2MvCvjR0RW`ZL8^jO zW>PbZJPX%6#wel`+a9-E3lo$jqA}mjQ(=s0$8x@t6>ZXAGrdGIJxzD0sm zmTX$2Yctorx{;-tVdC(MK{Q_PAJQOfcP{@WH()l2{em}QJ5dm}w7e+u9AN{2>$uxC zkJY4_I`(cm`Pr1vS768H+JR8-1o72e{10{U2vtk|Z#{gVdF%~C03^mJ6Imv~I7~^i z6BVJkV`M041`A0ROBG5H0T?K06Ex&lHU@$Q>Qms`8Bk!Dk@8xE)+p(?$ z(Asc>7WK6+e|G@8wv9QQEg5Y*42{lQAdOVHa2PBP`IPeh-4i0qzyGfmm-Ok$aAf=V`+!UFiz_wJX|lL z)%}411^@(djO=Q~t$KKADXUP1DG8#C6Lc|1T!`0LP;`;RahlC7t!R)>ZW*GOSe*He z<61n5GYB9Apuex4CfT`#=&!%|`$rCZcBR$swA=NfV{>K<2%N2Ekc6N@!7CIC zMw_$ersrGf5VQPx^~P;ud6Kk)^n8>$7_X(SM%O&!N=;o{o{iEA%K_sS=eF;<1c3p`|XF1EOau9TNqPLIk!BFnG)J}-8j>&Mu!rrgp6`S zY+mrJJ(HV$?a?D&{l-@rCGQ0B#W=mTp>Ed!W58@fo?7fIcA_1l{T1IK5RPvi(OM^2 z{=$i~Keuc5=MNr8!#2WX>-gBA{rjfge)FbHeM;$0xQHS4U4O7vGX_wCA%IDc%r)bC zZrgjKW#4+&9*cr<{~#$9z@^1C7IW*_Qa<(M?{T7@d+F$<**S_Kg3xu{k)go{_TRO4 z*A57wF*=I^%PR^g|NQU1ck=DGZWdv8Nna4EsB-$e;z$~W})@nKl-`@f$tDR z=u!&yJ@Ul-+AjY(0k#bH{nKCm!On?IN^2=4gpd;QaXU$4%*j({pMB|-lT+^@B|MuU z1f|p~K@_HPWO(RnUwrt6&12H3HBuZcoPOfTzxl!QudUt8Iyd#MZGHQR$A106yAi(H zG@uNcOZ1Qp(9gy<#xz>(i}MR#0T$QK?vdHlt$oNTDE zb$H(`-+JP)iP3=%|BxyAMpJEeb-#W2m^S8zFQ2^s_MIQPR|`ukfBIKXJv%iQD!6#* zoYvj7O*h(^vn}?8`}ck2p+mbT$FIEFAXR`Na7CBS7?bAGVgy2Hj9Ff8Or1P)^yN2> z9eeA!>BVL@orqontO{dv+pg`uapac{@84T4xK}+#>0-RRhI;dp)wAyOs%*#K@tI#(NG(y=@-Hu(T8`l>XTs9Z_}pTX7pgbi zzJFGlpB#TJ5KLf_nFUfbmBje$;kc%i{h0{Sd-Smu5Mq^=kR)fBfgyUOc+I zv^2VT3;?)kY~r@t?);A*J<}70-T*)d4;(l&&_5`ID3yx7UjP71y?ZVQ1DPb%TD8?^ zx}M7&yId(_j4fst{KD}!j%_@2ZvY;+|L~CqAF?cNaSAc^Tu%sj;?1drh527Rxc}IT zM*#qpzS_X>U=qj1NWW0ny7h)I>YP6P-UdT&6rf%$-2C-FysID@D=T|;Zu`kAua0lo zDy2@6^z^9<#;B3eq1}6L-a5Ixe|S)9qm7xFKD+(K9pzGC-yL`U=-;1d1)Xb$`FL&U z4Gm}XH;)|r)k%Bj#C^-H_Lsi-?GvYF?z;0HV@$Kz9vQCR_SyTgEQJVbBk>1C$H})( z96WIM%%6ROWzh{5JiieK-R=iIq%0RvobKGZ2|`eC?VrAVCd)FV)ceg)hxYZ=C?#5J z$FVOLp>qq%j~=;KR119XE#LXuKi)Ah`l$iznVi@?IlkOz0|1_W{`F=j%(5&D0|0<+ z+n!%V2vbTKqY%Q?PLbAnd3k%_^$*`;^S&#ccw4~n^x=eEKqN#AcGjEvn>EY(Mcs}rNuLZNVBw%urjK@iR_EC?YA z#nS0_k7jA;So~X$f0;9OZf5>F|M1L8EBJH(KB{{EmVu!y0Kz=WvMenWOHxQmsgN?y z(mYFME}c|T003-@F+y@FFT<}x8+}jwQ7I*)$b?jckUUGG5JJQtf>H?1Ek>zUA9O;~ zJOS&szN!r+@m1x>%vAy!&1J5l<@2YHL!dCi7-Ma8yR&ReZ>peG^&X%s(`}7Q4~2_g zNg7P&O39^#^IB_!AOgT_;H!eGs`mf^Mj9avbRtDFi2(pfYiU$PHHHSu-ndJ98?MJW zu*vmqE|m)aeug`9aa7PI1OOrEEL_}<$qke}r+e^;&6VmIKmp<39UkoiNN`@4N-Gs8 zRk8W3$Rz-P5@W!!lC!NwuOhChX8;47PZmpA6h}#RM#&ip-m%qOsD^F()_Px^TRRLA zc|OEBh}JpfUsXK=I4`olXwKFUkqFFbF}>7j$Jyf}V>>7dAgoG*pq^3ESpQdZAeZXc z%;JX*mN~-^TX}v?$qPuIA?iYMl~>CfQSVpcD>Yd5Mr{WG5FsiTa6>(V`KqE@8<0000