├── .gitattributes
├── .gitignore
├── README.md
├── docs
├── appendix.pdf
└── user-manual.pdf
├── gui-src
├── wsd-gui.sln
└── wsd-gui
│ ├── AlphanumComparatorFast.cs
│ ├── Form1.Designer.cs
│ ├── Form1.cs
│ ├── Form1.resx
│ ├── Program.cs
│ ├── Properties
│ ├── AssemblyInfo.cs
│ ├── Resources.Designer.cs
│ ├── Resources.resx
│ ├── Settings.Designer.cs
│ └── Settings.settings
│ ├── SysReqMet.ico
│ ├── orionicon.ico
│ └── wsd-gui.csproj
└── src
├── base64.cpp
├── dangerFunction
├── fileReader.cpp
├── fileScanner.cpp
├── header.h
├── main.cpp
├── md5-signatures-w-names
├── md5.h
└── results.cpp
/.gitattributes:
--------------------------------------------------------------------------------
1 | # Auto detect text files and perform LF normalization
2 | * text=auto
3 |
4 | # Custom for Visual Studio
5 | *.cs diff=csharp
6 | *.sln merge=union
7 | *.csproj merge=union
8 | *.vbproj merge=union
9 | *.fsproj merge=union
10 | *.dbproj merge=union
11 |
12 | # Standard to msysgit
13 | *.doc diff=astextplain
14 | *.DOC diff=astextplain
15 | *.docx diff=astextplain
16 | *.DOCX diff=astextplain
17 | *.dot diff=astextplain
18 | *.DOT diff=astextplain
19 | *.pdf diff=astextplain
20 | *.PDF diff=astextplain
21 | *.rtf diff=astextplain
22 | *.RTF diff=astextplain
23 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | #################
2 | ## Eclipse
3 | #################
4 |
5 | *.pydevproject
6 | .project
7 | .metadata
8 | bin/
9 | tmp/
10 | *.tmp
11 | *.bak
12 | *.swp
13 | *~.nib
14 | local.properties
15 | .classpath
16 | .settings/
17 | .loadpath
18 |
19 | # External tool builders
20 | .externalToolBuilders/
21 |
22 | # Locally stored "Eclipse launch configurations"
23 | *.launch
24 |
25 | # CDT-specific
26 | .cproject
27 |
28 | # PDT-specific
29 | .buildpath
30 |
31 |
32 | #################
33 | ## Visual Studio
34 | #################
35 |
36 | ## Ignore Visual Studio temporary files, build results, and
37 | ## files generated by popular Visual Studio add-ons.
38 |
39 | # User-specific files
40 | *.suo
41 | *.user
42 | *.sln.docstates
43 |
44 | # Build results
45 | [Dd]ebug/
46 | [Rr]elease/
47 | *_i.c
48 | *_p.c
49 | *.ilk
50 | *.meta
51 | *.obj
52 | *.pch
53 | *.pdb
54 | *.pgc
55 | *.pgd
56 | *.rsp
57 | *.sbr
58 | *.tlb
59 | *.tli
60 | *.tlh
61 | *.tmp
62 | *.vspscc
63 | .builds
64 | *.dotCover
65 |
66 | ## TODO: If you have NuGet Package Restore enabled, uncomment this
67 | #packages/
68 |
69 | # Visual C++ cache files
70 | ipch/
71 | *.aps
72 | *.ncb
73 | *.opensdf
74 | *.sdf
75 |
76 | # Visual Studio profiler
77 | *.psess
78 | *.vsp
79 |
80 | # ReSharper is a .NET coding add-in
81 | _ReSharper*
82 |
83 | # Installshield output folder
84 | [Ee]xpress
85 |
86 | # DocProject is a documentation generator add-in
87 | DocProject/buildhelp/
88 | DocProject/Help/*.HxT
89 | DocProject/Help/*.HxC
90 | DocProject/Help/*.hhc
91 | DocProject/Help/*.hhk
92 | DocProject/Help/*.hhp
93 | DocProject/Help/Html2
94 | DocProject/Help/html
95 |
96 | # Click-Once directory
97 | publish
98 |
99 | # Others
100 | [Bb]in
101 | [Oo]bj
102 | sql
103 | TestResults
104 | *.Cache
105 | ClientBin
106 | stylecop.*
107 | ~$*
108 | *.dbmdl
109 | Generated_Code #added for RIA/Silverlight projects
110 |
111 | # Backup & report files from converting an old project file to a newer
112 | # Visual Studio version. Backup files are not needed, because we have git ;-)
113 | _UpgradeReport_Files/
114 | Backup*/
115 | UpgradeLog*.XML
116 |
117 |
118 |
119 | ############
120 | ## Windows
121 | ############
122 |
123 | # Windows image file caches
124 | Thumbs.db
125 |
126 | # Folder config file
127 | Desktop.ini
128 |
129 |
130 | #############
131 | ## Python
132 | #############
133 |
134 | *.py[co]
135 |
136 | # Packages
137 | *.egg
138 | *.egg-info
139 | dist
140 | build
141 | eggs
142 | parts
143 | bin
144 | var
145 | sdist
146 | develop-eggs
147 | .installed.cfg
148 |
149 | # Installer logs
150 | pip-log.txt
151 |
152 | # Unit test / coverage reports
153 | .coverage
154 | .tox
155 |
156 | #Translations
157 | *.mo
158 |
159 | #Mr Developer
160 | .mr.developer.cfg
161 |
162 | # Mac crap
163 | .DS_Store
164 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | created by v00d0089 & gaber52
2 |
3 | Synopsis
4 | --------
5 | This work-in-progress "Orion Webshell Detector" was created to assist code reviews of web applications written in PHP, ASP and JSP. It can detect potential web shells as well as potentially dangerous uses of system function calls such as shell_exec() and more. It is coded in C/C++ and has a GUI for Windows coded in C#.
6 |
7 | The CLI version is platform independent, while the GUI only works on Windows.
8 |
9 | What is a webshell?
10 | -------------------
11 | More and more web sites use server-side web application languages such as ASP, PHP and JSP to produce dynamically generated web pages. This provides a way to customize web content for individual users. These web application languages are powerful, and a security issue within a web application can often lead to the execution of arbitrary script code. Web application code is often not maintained after deployment, which leaves weak points open to attack; this is one of the main reasons why web servers have become a favorite target of malicious attackers.
12 |
13 | A malicious attacker can exploit those vulnerabilities to leave a backdoor on a compromised system. A backdoor implemented as a server-side web application script is also known as a “web shell”. These shells usually allow system command execution and remote file access, which can be a huge problem if used by unintended parties.
14 |
15 | Brief program flow
16 | ------------------
17 | 1. Scan files in a directory and all sub directories
18 | 2. Scan for webshell signature matches
19 | 3. Scan for dangerous function matches
20 | 4. Scan for codes placed on the same line:
21 |
22 | Scan for php:
23 | - Scanning for user input via $_GET, $_POST etc.
24 | - Scanning for variables used in dangerous functions
25 | - Scanning for user input assigned to variables
26 | - Scanning for variables of user input assigned to other variables
27 | - Scan for codes encoded using base64
28 | - Properly identify user-defined functions, and identify dangerous functions used in them
29 |
30 | Scan for asp:
31 | - Scan for user input
32 | - Scan for user input assigned to variables
33 | - Scan for variables of user input assigned to other variables
34 | - Scan for use of user input in dangerous functions
35 | - Scan for user-defined functions, and identify dangerous functions used in them
36 |
37 | Scan for jsp:
38 | - Scan for user input
39 | - Scan for user input assigned to variables
40 | - Scan for variables of user input assigned to other variables
41 | - Scan for use of user input in dangerous functions
42 |
43 | Compilation notes
44 | -----------------
45 | Quincy 2005 was used to develop and compile this webshell detector. The GUI is compiled using Microsoft Visual Studio 2010. (.sln file provided)
46 |
47 | Note: More information can be found in the docs folder.
--------------------------------------------------------------------------------
/docs/appendix.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cygonz0/orion-webshell-detector/3133719f4b6d23a5768b267010c82e4a7e4d1c52/docs/appendix.pdf
--------------------------------------------------------------------------------
/docs/user-manual.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cygonz0/orion-webshell-detector/3133719f4b6d23a5768b267010c82e4a7e4d1c52/docs/user-manual.pdf
--------------------------------------------------------------------------------
/gui-src/wsd-gui.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 11.00
3 | # Visual Studio 2010
4 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "wsd-gui", "wsd-gui\wsd-gui.csproj", "{CCA7A030-5016-45C2-9C2A-BB3D35F9FB27}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|x86 = Debug|x86
9 | Release|x86 = Release|x86
10 | EndGlobalSection
11 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
12 | {CCA7A030-5016-45C2-9C2A-BB3D35F9FB27}.Debug|x86.ActiveCfg = Debug|x86
13 | {CCA7A030-5016-45C2-9C2A-BB3D35F9FB27}.Debug|x86.Build.0 = Debug|x86
14 | {CCA7A030-5016-45C2-9C2A-BB3D35F9FB27}.Release|x86.ActiveCfg = Release|x86
15 | {CCA7A030-5016-45C2-9C2A-BB3D35F9FB27}.Release|x86.Build.0 = Release|x86
16 | EndGlobalSection
17 | GlobalSection(SolutionProperties) = preSolution
18 | HideSolutionNode = FALSE
19 | EndGlobalSection
20 | EndGlobal
21 |
--------------------------------------------------------------------------------
/gui-src/wsd-gui/AlphanumComparatorFast.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections;
3 | using System.Linq;
4 | using System.Text;
5 |
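namespace wsd_gui
{
    /// <summary>
    /// Natural-order comparer for strings: maximal runs of digits are compared
    /// by numeric value and everything else as text, so "log2" sorts before "log10".
    /// </summary>
    public class AlphanumComparatorFast : IComparer
    {
        /// <summary>
        /// Compares two strings chunk by chunk, where a chunk is a maximal run
        /// of digit characters or of non-digit characters.
        /// </summary>
        /// <param name="x">First value; compared only when it is a string.</param>
        /// <param name="y">Second value; compared only when it is a string.</param>
        /// <returns>
        /// A negative, zero or positive value as <paramref name="x"/> sorts before,
        /// equal to or after <paramref name="y"/>. Returns 0 when either argument
        /// is null or not a string.
        /// </returns>
        public int Compare(object x, object y)
        {
            string s1 = x as string;
            string s2 = y as string;
            if (s1 == null || s2 == null)
            {
                // Existing contract: null or non-string input compares as equal.
                return 0;
            }

            int len1 = s1.Length;
            int len2 = s2.Length;
            int marker1 = 0;
            int marker2 = 0;

            // Walk both strings in lock-step, one chunk at a time.
            while (marker1 < len1 && marker2 < len2)
            {
                string chunk1 = ReadChunk(s1, ref marker1);
                string chunk2 = ReadChunk(s2, ref marker2);

                int result;
                if (char.IsDigit(chunk1[0]) && char.IsDigit(chunk2[0]))
                {
                    // Digit runs are compared as text of arbitrary length. The previous
                    // int.Parse threw OverflowException on runs beyond Int32, so a single
                    // name with a long digit run aborted the whole sort.
                    result = CompareDigitRuns(chunk1, chunk2);
                }
                else
                {
                    result = chunk1.CompareTo(chunk2);
                }

                if (result != 0)
                {
                    return result;
                }
            }

            // Every chunk pair matched: the shorter string sorts first.
            return len1 - len2;
        }

        /// <summary>
        /// Returns the chunk starting at <paramref name="marker"/> and advances the
        /// marker past it. The chunk is the exact substring, not a fixed-size buffer,
        /// so it carries no trailing padding characters.
        /// </summary>
        private static string ReadChunk(string s, ref int marker)
        {
            int start = marker;
            bool digitRun = char.IsDigit(s[start]);

            marker++;
            while (marker < s.Length && char.IsDigit(s[marker]) == digitRun)
            {
                marker++;
            }

            return s.Substring(start, marker - start);
        }

        /// <summary>
        /// Compares two digit runs by value without converting them to an integer:
        /// leading '0' characters are ignored, a longer run is larger, and runs of
        /// equal length are ordered by code point (numeric order for ASCII digits).
        /// </summary>
        private static int CompareDigitRuns(string a, string b)
        {
            string left = a.TrimStart('0');
            string right = b.TrimStart('0');

            if (left.Length != right.Length)
            {
                return left.Length < right.Length ? -1 : 1;
            }

            int ordinal = string.CompareOrdinal(left, right);
            if (ordinal == 0)
            {
                return 0;
            }
            return ordinal < 0 ? -1 : 1;
        }
    }
}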
100 |
--------------------------------------------------------------------------------
/gui-src/wsd-gui/Form1.Designer.cs:
--------------------------------------------------------------------------------
1 | namespace wsd_gui
2 | {
3 | partial class Form1
4 | {
5 | /// <summary>
6 | /// Required designer variable.
7 | /// </summary>
8 | private System.ComponentModel.IContainer components = null;
9 |
/// <summary>
/// Releases the resources held by the form.
/// </summary>
/// <param name="disposing">true if managed resources should be disposed; otherwise, false.</param>
protected override void Dispose(bool disposing)
{
    // The component container is only released on an explicit dispose, and only if it exists.
    if (disposing)
    {
        if (components != null)
        {
            components.Dispose();
        }
    }

    base.Dispose(disposing);
}
22 |
23 | #region Windows Form Designer generated code
24 |
25 | /// <summary>
26 | /// Required method for Designer support - do not modify
27 | /// the contents of this method with the code editor.
28 | /// </summary>
29 | private void InitializeComponent()
30 | {
31 | System.ComponentModel.ComponentResourceManager resources = new System.ComponentModel.ComponentResourceManager(typeof(Form1));
32 | this.btn_folderPath = new System.Windows.Forms.Button();
33 | this.folderBrowserDialog1 = new System.Windows.Forms.FolderBrowserDialog();
34 | this.btn_start = new System.Windows.Forms.Button();
35 | this.lb_status = new System.Windows.Forms.Label();
36 | this.tb_arguments = new System.Windows.Forms.TextBox();
37 | this.rtb_results = new System.Windows.Forms.RichTextBox();
38 | this.ddl_logfiles = new System.Windows.Forms.ComboBox();
39 | this.progressBar1 = new System.Windows.Forms.ProgressBar();
40 | this.lb_directory = new System.Windows.Forms.Label();
41 | this.btn_reset = new System.Windows.Forms.Button();
42 | this.lb_indicator = new System.Windows.Forms.Label();
43 | this.lb_scantype = new System.Windows.Forms.Label();
44 | this.cb_option1 = new System.Windows.Forms.CheckBox();
45 | this.cb_option2 = new System.Windows.Forms.CheckBox();
46 | this.ddl_logfiles2 = new System.Windows.Forms.ComboBox();
47 | this.lb_logs = new System.Windows.Forms.Label();
48 | this.label1 = new System.Windows.Forms.Label();
49 | this.lb_version = new System.Windows.Forms.Label();
50 | this.btn_summary = new System.Windows.Forms.Button();
51 | this.label2 = new System.Windows.Forms.Label();
52 | this.label3 = new System.Windows.Forms.Label();
53 | this.tb_folderPath = new System.Windows.Forms.TextBox();
54 | this.SuspendLayout();
55 | //
56 | // btn_folderPath
57 | //
58 | this.btn_folderPath.Location = new System.Drawing.Point(745, 61);
59 | this.btn_folderPath.Name = "btn_folderPath";
60 | this.btn_folderPath.Size = new System.Drawing.Size(119, 24);
61 | this.btn_folderPath.TabIndex = 0;
62 | this.btn_folderPath.Text = "Load Directory";
63 | this.btn_folderPath.UseVisualStyleBackColor = true;
64 | this.btn_folderPath.Click += new System.EventHandler(this.btn_folderPath_Click);
65 | //
66 | // btn_start
67 | //
68 | this.btn_start.Enabled = false;
69 | this.btn_start.FlatStyle = System.Windows.Forms.FlatStyle.System;
70 | this.btn_start.Location = new System.Drawing.Point(745, 116);
71 | this.btn_start.Name = "btn_start";
72 | this.btn_start.Size = new System.Drawing.Size(119, 24);
73 | this.btn_start.TabIndex = 2;
74 | this.btn_start.Text = "Start Scan";
75 | this.btn_start.UseVisualStyleBackColor = true;
76 | this.btn_start.Click += new System.EventHandler(this.btn_scan_Click);
77 | //
78 | // lb_status
79 | //
80 | this.lb_status.AutoSize = true;
81 | this.lb_status.BackColor = System.Drawing.Color.Transparent;
82 | this.lb_status.Font = new System.Drawing.Font("Courier New", 8.25F, System.Drawing.FontStyle.Regular, System.Drawing.GraphicsUnit.Point, ((byte)(0)));
83 | this.lb_status.Location = new System.Drawing.Point(115, 683);
84 | this.lb_status.Name = "lb_status";
85 | this.lb_status.Size = new System.Drawing.Size(98, 14);
86 | this.lb_status.TabIndex = 3;
87 | this.lb_status.Text = "";
88 | //
89 | // tb_arguments
90 | //
91 | this.tb_arguments.Location = new System.Drawing.Point(442, 89);
92 | this.tb_arguments.Name = "tb_arguments";
93 | this.tb_arguments.ReadOnly = true;
94 | this.tb_arguments.Size = new System.Drawing.Size(10, 24);
95 | this.tb_arguments.TabIndex = 7;
96 | this.tb_arguments.Visible = false;
97 | //
98 | // rtb_results
99 | //
100 | this.rtb_results.BackColor = System.Drawing.Color.White;
101 | this.rtb_results.Font = new System.Drawing.Font("Trebuchet MS", 9F, System.Drawing.FontStyle.Regular, System.Drawing.GraphicsUnit.Point, ((byte)(0)));
102 | this.rtb_results.Location = new System.Drawing.Point(6, 172);
103 | this.rtb_results.Name = "rtb_results";
104 | this.rtb_results.ReadOnly = true;
105 | this.rtb_results.Size = new System.Drawing.Size(858, 488);
106 | this.rtb_results.TabIndex = 8;
107 | this.rtb_results.Text = "";
108 | //
109 | // ddl_logfiles
110 | //
111 | this.ddl_logfiles.BackColor = System.Drawing.Color.White;
112 | this.ddl_logfiles.Enabled = false;
113 | this.ddl_logfiles.FormattingEnabled = true;
114 | this.ddl_logfiles.Location = new System.Drawing.Point(101, 116);
115 | this.ddl_logfiles.Name = "ddl_logfiles";
116 | this.ddl_logfiles.Size = new System.Drawing.Size(637, 23);
117 | this.ddl_logfiles.TabIndex = 9;
118 | this.ddl_logfiles.SelectedIndexChanged += new System.EventHandler(this.ddl_logfiles_SelectedIndexChanged);
119 | //
120 | // progressBar1
121 | //
122 | this.progressBar1.Location = new System.Drawing.Point(693, 666);
123 | this.progressBar1.Name = "progressBar1";
124 | this.progressBar1.Size = new System.Drawing.Size(170, 20);
125 | this.progressBar1.Style = System.Windows.Forms.ProgressBarStyle.Marquee;
126 | this.progressBar1.TabIndex = 10;
127 | this.progressBar1.Visible = false;
128 | //
129 | // lb_directory
130 | //
131 | this.lb_directory.AutoSize = true;
132 | this.lb_directory.BackColor = System.Drawing.Color.Transparent;
133 | this.lb_directory.Location = new System.Drawing.Point(8, 66);
134 | this.lb_directory.Name = "lb_directory";
135 | this.lb_directory.Size = new System.Drawing.Size(88, 15);
136 | this.lb_directory.TabIndex = 11;
137 | this.lb_directory.Text = "Scan Directory:";
138 | //
139 | // btn_reset
140 | //
141 | this.btn_reset.Location = new System.Drawing.Point(745, 89);
142 | this.btn_reset.Name = "btn_reset";
143 | this.btn_reset.Size = new System.Drawing.Size(119, 24);
144 | this.btn_reset.TabIndex = 13;
145 | this.btn_reset.Text = "Reset";
146 | this.btn_reset.UseVisualStyleBackColor = true;
147 | this.btn_reset.Click += new System.EventHandler(this.btn_reset_Click);
148 | //
149 | // lb_indicator
150 | //
151 | this.lb_indicator.AutoSize = true;
152 | this.lb_indicator.BackColor = System.Drawing.Color.Transparent;
153 | this.lb_indicator.Font = new System.Drawing.Font("Lucida Sans Unicode", 8.25F, System.Drawing.FontStyle.Regular, System.Drawing.GraphicsUnit.Point, ((byte)(0)));
154 | this.lb_indicator.Location = new System.Drawing.Point(3, 682);
155 | this.lb_indicator.Name = "lb_indicator";
156 | this.lb_indicator.Size = new System.Drawing.Size(116, 15);
157 | this.lb_indicator.TabIndex = 14;
158 | this.lb_indicator.Text = "Current Scan Status:";
159 | //
160 | // lb_scantype
161 | //
162 | this.lb_scantype.AutoSize = true;
163 | this.lb_scantype.BackColor = System.Drawing.Color.Transparent;
164 | this.lb_scantype.Location = new System.Drawing.Point(8, 92);
165 | this.lb_scantype.Name = "lb_scantype";
166 | this.lb_scantype.Size = new System.Drawing.Size(64, 15);
167 | this.lb_scantype.TabIndex = 15;
168 | this.lb_scantype.Text = "Scan Type:";
169 | //
170 | // cb_option1
171 | //
172 | this.cb_option1.AutoSize = true;
173 | this.cb_option1.BackColor = System.Drawing.Color.Transparent;
174 | this.cb_option1.Location = new System.Drawing.Point(101, 92);
175 | this.cb_option1.Name = "cb_option1";
176 | this.cb_option1.Size = new System.Drawing.Size(163, 19);
177 | this.cb_option1.TabIndex = 19;
178 | this.cb_option1.Text = "Dangerous Function Scan";
179 | this.cb_option1.UseVisualStyleBackColor = false;
180 | //
181 | // cb_option2
182 | //
183 | this.cb_option2.AutoSize = true;
184 | this.cb_option2.BackColor = System.Drawing.Color.Transparent;
185 | this.cb_option2.Location = new System.Drawing.Point(271, 92);
186 | this.cb_option2.Name = "cb_option2";
187 | this.cb_option2.Size = new System.Drawing.Size(155, 19);
188 | this.cb_option2.TabIndex = 20;
189 | this.cb_option2.Text = "Webshell Signature Scan";
190 | this.cb_option2.UseVisualStyleBackColor = false;
191 | //
192 | // ddl_logfiles2
193 | //
194 | this.ddl_logfiles2.BackColor = System.Drawing.Color.White;
195 | this.ddl_logfiles2.Enabled = false;
196 | this.ddl_logfiles2.FormattingEnabled = true;
197 | this.ddl_logfiles2.Location = new System.Drawing.Point(101, 143);
198 | this.ddl_logfiles2.Name = "ddl_logfiles2";
199 | this.ddl_logfiles2.Size = new System.Drawing.Size(637, 23);
200 | this.ddl_logfiles2.TabIndex = 21;
201 | this.ddl_logfiles2.SelectedIndexChanged += new System.EventHandler(this.ddl_logfiles2_SelectedIndexChanged);
202 | //
203 | // lb_logs
204 | //
205 | this.lb_logs.AutoSize = true;
206 | this.lb_logs.BackColor = System.Drawing.Color.Transparent;
207 | this.lb_logs.Location = new System.Drawing.Point(8, 119);
208 | this.lb_logs.Name = "lb_logs";
209 | this.lb_logs.Size = new System.Drawing.Size(36, 15);
210 | this.lb_logs.TabIndex = 22;
211 | this.lb_logs.Text = "Logs:";
212 | //
213 | // label1
214 | //
215 | this.label1.AutoSize = true;
216 | this.label1.BackColor = System.Drawing.Color.Transparent;
217 | this.label1.Location = new System.Drawing.Point(8, 146);
218 | this.label1.Name = "label1";
219 | this.label1.Size = new System.Drawing.Size(84, 15);
220 | this.label1.TabIndex = 23;
221 | this.label1.Text = "Signature Log:";
222 | //
223 | // lb_version
224 | //
225 | this.lb_version.AutoSize = true;
226 | this.lb_version.BackColor = System.Drawing.Color.Transparent;
227 | this.lb_version.Font = new System.Drawing.Font("Lucida Sans Unicode", 8.25F, System.Drawing.FontStyle.Regular, System.Drawing.GraphicsUnit.Point, ((byte)(0)));
228 | this.lb_version.Location = new System.Drawing.Point(818, 686);
229 | this.lb_version.Name = "lb_version";
230 | this.lb_version.Size = new System.Drawing.Size(47, 15);
231 | this.lb_version.TabIndex = 24;
232 | this.lb_version.Text = "v1.0.31";
233 | //
234 | // btn_summary
235 | //
236 | this.btn_summary.Enabled = false;
237 | this.btn_summary.Location = new System.Drawing.Point(745, 143);
238 | this.btn_summary.Name = "btn_summary";
239 | this.btn_summary.Size = new System.Drawing.Size(119, 24);
240 | this.btn_summary.TabIndex = 25;
241 | this.btn_summary.Text = "Back to Summary";
242 | this.btn_summary.UseVisualStyleBackColor = true;
243 | this.btn_summary.Click += new System.EventHandler(this.btn_summary_Click);
244 | //
245 | // label2
246 | //
247 | this.label2.AutoSize = true;
248 | this.label2.BackColor = System.Drawing.Color.Transparent;
249 | this.label2.Font = new System.Drawing.Font("Britannic Bold", 36F, System.Drawing.FontStyle.Regular, System.Drawing.GraphicsUnit.Point, ((byte)(0)));
250 | this.label2.ForeColor = System.Drawing.Color.White;
251 | this.label2.Location = new System.Drawing.Point(1, 0);
252 | this.label2.Name = "label2";
253 | this.label2.Size = new System.Drawing.Size(141, 53);
254 | this.label2.TabIndex = 26;
255 | this.label2.Text = "Orion";
256 | //
257 | // label3
258 | //
259 | this.label3.AutoSize = true;
260 | this.label3.BackColor = System.Drawing.Color.Transparent;
261 | this.label3.Font = new System.Drawing.Font("Meiryo UI", 8.25F, System.Drawing.FontStyle.Bold, System.Drawing.GraphicsUnit.Point, ((byte)(0)));
262 | this.label3.ForeColor = System.Drawing.Color.White;
263 | this.label3.Location = new System.Drawing.Point(11, 40);
264 | this.label3.Name = "label3";
265 | this.label3.Size = new System.Drawing.Size(119, 14);
266 | this.label3.TabIndex = 27;
267 | this.label3.Text = "Web Shell Detector";
268 | //
269 | // tb_folderPath
270 | //
271 | this.tb_folderPath.BackColor = System.Drawing.Color.White;
272 | this.tb_folderPath.Cursor = System.Windows.Forms.Cursors.Default;
273 | this.tb_folderPath.Location = new System.Drawing.Point(101, 62);
274 | this.tb_folderPath.Name = "tb_folderPath";
275 | this.tb_folderPath.ReadOnly = true;
276 | this.tb_folderPath.Size = new System.Drawing.Size(637, 24);
277 | this.tb_folderPath.TabIndex = 1;
278 | //
279 | // Form1
280 | //
281 | this.AutoScaleDimensions = new System.Drawing.SizeF(7F, 15F);
282 | this.AutoScaleMode = System.Windows.Forms.AutoScaleMode.Font;
283 | this.BackgroundImage = ((System.Drawing.Image)(resources.GetObject("$this.BackgroundImage")));
284 | this.BackgroundImageLayout = System.Windows.Forms.ImageLayout.Stretch;
285 | this.ClientSize = new System.Drawing.Size(869, 709);
286 | this.Controls.Add(this.label3);
287 | this.Controls.Add(this.label2);
288 | this.Controls.Add(this.btn_summary);
289 | this.Controls.Add(this.lb_version);
290 | this.Controls.Add(this.label1);
291 | this.Controls.Add(this.lb_logs);
292 | this.Controls.Add(this.ddl_logfiles2);
293 | this.Controls.Add(this.cb_option2);
294 | this.Controls.Add(this.cb_option1);
295 | this.Controls.Add(this.lb_scantype);
296 | this.Controls.Add(this.lb_indicator);
297 | this.Controls.Add(this.btn_reset);
298 | this.Controls.Add(this.lb_directory);
299 | this.Controls.Add(this.progressBar1);
300 | this.Controls.Add(this.ddl_logfiles);
301 | this.Controls.Add(this.rtb_results);
302 | this.Controls.Add(this.tb_arguments);
303 | this.Controls.Add(this.lb_status);
304 | this.Controls.Add(this.btn_start);
305 | this.Controls.Add(this.tb_folderPath);
306 | this.Controls.Add(this.btn_folderPath);
307 | this.DoubleBuffered = true;
308 | this.Font = new System.Drawing.Font("Lucida Sans Unicode", 8.25F, System.Drawing.FontStyle.Regular, System.Drawing.GraphicsUnit.Point, ((byte)(0)));
309 | this.FormBorderStyle = System.Windows.Forms.FormBorderStyle.FixedSingle;
310 | this.Icon = ((System.Drawing.Icon)(resources.GetObject("$this.Icon")));
311 | this.MaximizeBox = false;
312 | this.Name = "Form1";
313 | this.SizeGripStyle = System.Windows.Forms.SizeGripStyle.Hide;
314 | this.Text = "Orion - Webshell Detector";
315 | this.Load += new System.EventHandler(this.Form1_Load);
316 | this.ResumeLayout(false);
317 | this.PerformLayout();
318 |
319 | }
320 |
321 | #endregion
322 |
323 | private System.Windows.Forms.Button btn_folderPath;
324 | private System.Windows.Forms.FolderBrowserDialog folderBrowserDialog1;
325 | private System.Windows.Forms.Button btn_start;
326 | private System.Windows.Forms.Label lb_status;
327 | private System.Windows.Forms.TextBox tb_arguments;
328 | private System.Windows.Forms.RichTextBox rtb_results;
329 | private System.Windows.Forms.ComboBox ddl_logfiles;
330 | private System.Windows.Forms.ProgressBar progressBar1;
331 | private System.Windows.Forms.Label lb_directory;
332 | private System.Windows.Forms.Button btn_reset;
333 | private System.Windows.Forms.Label lb_indicator;
334 | private System.Windows.Forms.Label lb_scantype;
335 | private System.Windows.Forms.CheckBox cb_option1;
336 | private System.Windows.Forms.CheckBox cb_option2;
337 | private System.Windows.Forms.ComboBox ddl_logfiles2;
338 | private System.Windows.Forms.Label lb_logs;
339 | private System.Windows.Forms.Label label1;
340 | private System.Windows.Forms.Label lb_version;
341 | private System.Windows.Forms.Button btn_summary;
342 | private System.Windows.Forms.Label label2;
343 | private System.Windows.Forms.Label label3;
344 | private System.Windows.Forms.TextBox tb_folderPath;
345 | }
346 | }
347 |
348 |
--------------------------------------------------------------------------------
/gui-src/wsd-gui/Form1.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.ComponentModel;
4 | using System.Data;
5 | using System.Drawing;
6 | using System.Linq;
7 | using System.Text;
8 | using System.Windows.Forms;
9 | using System.Diagnostics;
10 | using System.IO;
11 |
12 | namespace wsd_gui
13 | {
14 | public partial class Form1 : Form
15 | {
/// <summary>
/// Creates the main window; the controls are built by InitializeComponent.
/// </summary>
public Form1()
{
    this.InitializeComponent();
}
20 |
/// <summary>
/// Click handler for the folder button: shows the folder browser dialog and,
/// when a folder is confirmed, records its path and enables the start button.
/// </summary>
private void btn_folderPath_Click(object sender, EventArgs e)
{
    DialogResult choice = folderBrowserDialog1.ShowDialog();
    if (choice != DialogResult.OK)
    {
        // Dialog dismissed without a selection: leave the form as it is.
        return;
    }

    tb_folderPath.Text = folderBrowserDialog1.SelectedPath;
    btn_start.Enabled = true;
}
30 |
/// <summary>
/// Load handler for the form: puts the controls into their idle, pre-scan state.
/// </summary>
private void Form1_Load(object sender, EventArgs e)
{
    // Action buttons start disabled; btn_folderPath_Click enables btn_start
    // once a directory has been picked.
    btn_start.Enabled = false;
    btn_summary.Enabled = false;

    // No directory selected and nothing running yet.
    tb_folderPath.Text = string.Empty;
    progressBar1.Enabled = true;
    lb_status.Text = "Idle";
    tb_arguments.Text = string.Empty;

    // Both scan types are ticked by default.
    cb_option1.Checked = true;
    cb_option2.Checked = true;

    // Clear the results pane and both log drop-downs.
    rtb_results.Text = string.Empty;
    ddl_logfiles.Text = string.Empty;
    ddl_logfiles.Items.Clear();
    ddl_logfiles2.Text = string.Empty;
    ddl_logfiles2.Items.Clear();

    progressBar1.Visible = false;
}
54 |
55 | private void btn_scan_Click(object sender, EventArgs e)
56 | {
57 | btn_start.Enabled = false;
58 | //btn_exit.Enabled = false;
59 | btn_reset.Enabled = false;
60 | btn_folderPath.Enabled = false;
61 | progressBar1.Visible = true;
62 | rtb_results.Text = "";
63 | ddl_logfiles.Text = "";
64 | ddl_logfiles.Items.Clear();
65 | progressBar1.MarqueeAnimationSpeed = 100;
66 | Application.DoEvents();
67 |
68 | // initialize arguments
69 | string args = "";
70 | if (cb_option1.Checked == true && cb_option2.Checked == false)
71 | {
72 | args = "1";
73 | }
74 | else if (cb_option1.Checked == false && cb_option2.Checked == true)
75 | {
76 | args = "2";
77 | }
78 | else if (cb_option1.Checked == true && cb_option2.Checked == true)
79 | {
80 | args = "3";
81 | }
82 | tb_arguments.Text = "Arguments: " + args + " " + tb_folderPath.Text;
83 |
84 | if (args == "")
85 | {
86 | progressBar1.Visible = false;
87 | ddl_logfiles.Enabled = false;
88 | ddl_logfiles2.Enabled = false;
89 | MessageBox.Show("Please select a scan type.", "Error", MessageBoxButtons.OK, MessageBoxIcon.Exclamation);
90 | btn_start.Enabled = true;
91 | //btn_exit.Enabled = true;
92 | btn_reset.Enabled = true;
93 | btn_folderPath.Enabled = true;
94 | }
95 |
96 | // create process
97 | Process p1 = new Process();
98 |
99 | // initialize process information
100 | p1.StartInfo.FileName = "webshell-detector.exe";
101 | p1.StartInfo.UseShellExecute = false;
102 | p1.StartInfo.RedirectStandardOutput = true;
103 | p1.StartInfo.CreateNoWindow = true;
104 | p1.StartInfo.Arguments = args + " " + '"' + tb_folderPath.Text + '"';
105 | // Console.WriteLine("Executing: webshell-detector.exe " + args + " " + '"' + tb_folderPath.Text + '"');
106 |
107 | try
108 | {
109 | // attempt to start the scan process
110 | // Console.WriteLine("Starting scan process...");
111 | p1.Start();
112 |
113 | // create stream to capture standard output
114 | StreamReader sr = p1.StandardOutput;
115 | while (!sr.EndOfStream)
116 | {
117 | lb_status.Text = sr.ReadLine();
118 | Application.DoEvents();
119 | // Console.WriteLine("Scanning: " + sr.ReadLine());
120 | }
121 | // wait for process to end
122 | p1.WaitForExit();
123 | p1.Close();
124 |
125 | // stops progressbar animation
126 | progressBar1.MarqueeAnimationSpeed = 0;
127 |
128 | if (args == "1") {
129 | // populates dropdownlist with logs
130 |
131 | ddl_logfiles.Enabled = true;
132 | ddl_logfiles.Items.Clear();
133 | string logDir = tb_folderPath.Text + "\\logs";
134 | string[] filePaths = System.IO.Directory.GetFiles(logDir, "*.txt");
135 | Array.Sort(filePaths, new AlphanumComparatorFast());
136 | Array.Reverse(filePaths);
137 | foreach (string files in filePaths)
138 | {
139 | this.ddl_logfiles.Items.Add(files);
140 | }
141 |
142 | rtb_results.Enabled = true;
143 | btn_start.Enabled = true;
144 | btn_summary.Enabled = false;
145 | //btn_exit.Enabled = true;
146 | btn_reset.Enabled = true;
147 | btn_folderPath.Enabled = true;
148 | progressBar1.Visible = true;
149 | progressBar1.Visible = false;
150 | lb_status.Text = "Dangerous Function Scan Completed!";
151 | MessageBox.Show("Scan Completed!", "Information", MessageBoxButtons.OK, MessageBoxIcon.Information);
152 | rtb_results.LoadFile(tb_folderPath.Text + "\\Summary\\Summary.txt", RichTextBoxStreamType.PlainText);
153 | Application.DoEvents();
154 | }
155 | if (args == "2")
156 | {
157 | // populates dropdownlist with logs
158 |
159 | ddl_logfiles2.Enabled = true;
160 | ddl_logfiles2.Items.Clear();
161 | string logDir = tb_folderPath.Text + "\\signatureLogs";
162 | string[] filePaths = System.IO.Directory.GetFiles(logDir, "*.txt");
163 | Array.Sort(filePaths, new AlphanumComparatorFast());
164 | Array.Reverse(filePaths);
165 | foreach (string files in filePaths)
166 | {
167 | this.ddl_logfiles2.Items.Add(files);
168 | }
169 |
170 | rtb_results.Enabled = true;
171 | btn_start.Enabled = true;
172 | btn_summary.Enabled = false;
173 | //btn_exit.Enabled = true;
174 | btn_reset.Enabled = true;
175 | btn_folderPath.Enabled = true;
176 | progressBar1.Visible = true;
177 | progressBar1.Visible = false;
178 | lb_status.Text = "Signature Scan Completed!";
179 | MessageBox.Show("Scan Completed!", "Information", MessageBoxButtons.OK, MessageBoxIcon.Information);
180 | rtb_results.LoadFile(tb_folderPath.Text + "\\Summary\\Summary.txt", RichTextBoxStreamType.PlainText);
181 | Application.DoEvents();
182 | }
183 | if (args == "3")
184 | {
185 | // populates dropdownlist with logs
186 |
187 | ddl_logfiles.Enabled = true;
188 | ddl_logfiles2.Enabled = true;
189 | ddl_logfiles.Items.Clear();
190 | ddl_logfiles2.Items.Clear();
191 | string logDir = tb_folderPath.Text + "\\logs";
192 | string[] filePaths = System.IO.Directory.GetFiles(logDir, "*.txt");
193 | Array.Sort(filePaths, new AlphanumComparatorFast());
194 | Array.Reverse(filePaths);
195 | foreach (string files in filePaths)
196 | {
197 | this.ddl_logfiles.Items.Add(files);
198 | }
199 | string logDir2 = tb_folderPath.Text + "\\signatureLogs";
200 | string[] filePaths2 = System.IO.Directory.GetFiles(logDir2, "*.txt");
201 | Array.Sort(filePaths2, new AlphanumComparatorFast());
202 | Array.Reverse(filePaths2);
203 | foreach (string files in filePaths2)
204 | {
205 | this.ddl_logfiles2.Items.Add(files);
206 | }
207 |
208 | rtb_results.Enabled = true;
209 | btn_start.Enabled = true;
210 | btn_summary.Enabled = false;
211 | //btn_exit.Enabled = true;
212 | btn_reset.Enabled = true;
213 | btn_folderPath.Enabled = true;
214 | progressBar1.Visible = true;
215 | progressBar1.Visible = false;
216 | lb_status.Text = "Comprehensive Scan Completed!";
217 | MessageBox.Show("Scan Completed!", "Information", MessageBoxButtons.OK, MessageBoxIcon.Information);
218 | rtb_results.LoadFile(tb_folderPath.Text + "\\Summary\\Summary.txt", RichTextBoxStreamType.PlainText);
219 | Application.DoEvents();
220 | }
221 |
222 | }
223 | catch (Win32Exception ex)
224 | {
225 | // catch exception
226 | // Console.WriteLine(ex.Message);
227 | lb_status.Text = "Error - " + ex.Message;
228 | // stops progressbar animation
229 | progressBar1.MarqueeAnimationSpeed = 0;
230 |
231 | }
232 |
233 | }
234 |
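/// <summary>
/// Loads the log selected in <c>ddl_logfiles</c> (filled from the "logs"
/// folder after a scan) into the results box and enables the Summary button.
/// </summary>
/// <param name="sender">Control that raised the event (unused).</param>
/// <param name="e">Event data (unused).</param>
private void ddl_logfiles_SelectedIndexChanged(object sender, EventArgs e)
{
    string logPath = ddl_logfiles.Text;

    // The entry can be empty, or the log can have been removed since the list
    // was filled; LoadFile would throw, so report it in the status label.
    if (string.IsNullOrEmpty(logPath) || !System.IO.File.Exists(logPath))
    {
        lb_status.Text = "Error - log file not found";
        return;
    }

    try
    {
        // Keep PlainText: the log sits under the scanned folder, so its content
        // is shown verbatim rather than parsed as RTF.
        rtb_results.LoadFile(logPath, RichTextBoxStreamType.PlainText);
    }
    catch (System.IO.IOException ex)
    {
        lb_status.Text = "Error - " + ex.Message;
        return;
    }
    catch (UnauthorizedAccessException ex)
    {
        lb_status.Text = "Error - " + ex.Message;
        return;
    }

    btn_summary.Enabled = true;
}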
242 |
/// <summary>
/// Reset button handler: re-runs the form's load handler.
/// </summary>
/// <param name="sender">Control that raised the event (unused).</param>
/// <param name="e">Event data, forwarded unchanged to <c>Form1_Load</c>.</param>
private void btn_reset_Click(object sender, EventArgs e)
{
    // Form1_Load is defined elsewhere in this class; presumably it restores
    // the initial UI state - confirm against its body.
    this.Form1_Load(this, e);
}
247 |
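/// <summary>
/// Opens the project web page through the operating system shell.
/// </summary>
/// <param name="sender">Link label that raised the event (unused).</param>
/// <param name="e">Link-click event data (unused).</param>
private void ll_website_LinkClicked(object sender, LinkLabelLinkClickedEventArgs e)
{
    // Fixed literal: nothing user-supplied reaches the shell launch.
    // NOTE(review): the scheme is plain http://, so the page is fetched without
    // transport integrity; move to https:// if the host serves it.
    const string projectUrl = "http://jremio.dyndns.org/fyp/";

    try
    {
        System.Diagnostics.Process.Start(projectUrl);
    }
    catch (System.ComponentModel.Win32Exception ex)
    {
        // Raised when the shell cannot open the URL (for example no handler is
        // registered); surface it the same way scan errors are reported.
        lb_status.Text = "Error - " + ex.Message;
    }
}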
252 |
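/// <summary>
/// Loads the log selected in <c>ddl_logfiles2</c> (filled from the
/// "signatureLogs" folder after a scan) into the results box and enables the
/// Summary button.
/// </summary>
/// <param name="sender">Control that raised the event (unused).</param>
/// <param name="e">Event data (unused).</param>
private void ddl_logfiles2_SelectedIndexChanged(object sender, EventArgs e)
{
    string logPath = ddl_logfiles2.Text;

    // The entry can be empty, or the log can have been removed since the list
    // was filled; LoadFile would throw, so report it in the status label.
    if (string.IsNullOrEmpty(logPath) || !System.IO.File.Exists(logPath))
    {
        lb_status.Text = "Error - log file not found";
        return;
    }

    try
    {
        // Keep PlainText: the log sits under the scanned folder, so its content
        // is shown verbatim rather than parsed as RTF.
        rtb_results.LoadFile(logPath, RichTextBoxStreamType.PlainText);
    }
    catch (System.IO.IOException ex)
    {
        lb_status.Text = "Error - " + ex.Message;
        return;
    }
    catch (UnauthorizedAccessException ex)
    {
        lb_status.Text = "Error - " + ex.Message;
        return;
    }

    btn_summary.Enabled = true;
}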
258 |
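/// <summary>
/// Shows the scan summary (Summary\Summary.txt under the selected folder) in
/// the results box and disables the Summary button while it is displayed.
/// </summary>
/// <param name="sender">Control that raised the event (unused).</param>
/// <param name="e">Event data (unused).</param>
private void btn_summary_Click(object sender, EventArgs e)
{
    string summaryPath = tb_folderPath.Text + "\\Summary\\Summary.txt";

    // The folder text box may have changed since the scan, or the summary may
    // never have been written; LoadFile would throw on a missing file.
    if (!System.IO.File.Exists(summaryPath))
    {
        lb_status.Text = "Error - summary file not found";
        return;
    }

    try
    {
        // PlainText: the summary is displayed verbatim, not parsed as RTF.
        rtb_results.LoadFile(summaryPath, RichTextBoxStreamType.PlainText);
    }
    catch (System.IO.IOException ex)
    {
        lb_status.Text = "Error - " + ex.Message;
        return;
    }
    catch (UnauthorizedAccessException ex)
    {
        lb_status.Text = "Error - " + ex.Message;
        return;
    }

    btn_summary.Enabled = false;
    Application.DoEvents();
}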
265 | }
266 | }
267 |
--------------------------------------------------------------------------------
/gui-src/wsd-gui/Form1.resx:
--------------------------------------------------------------------------------
109 | text/microsoft-resx
110 |
111 |
112 | 2.0
113 |
114 |
115 | System.Resources.ResXResourceReader, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
116 |
117 |
118 | System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
119 |
120 |
121 | 17, 43
122 |
123 |
124 |
125 |
126 | iVBORw0KGgoAAAANSUhEUgAABNYAAAMyCAYAAAChB0ylAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8
127 | YQUAAAAgY0hSTQAAeiYAAICEAAD6AAAAgOgAAHUwAADqYAAAOpgAABdwnLpRPAAAAAlwSFlzAAAXEAAA
128 | FxABGGER2wAAXe1JREFUeF7t27GKXHUYh+HxTvQWvAbBvQdB8ArsLUwO2KgoxE6DYEQQLIRtNKCspLCw
129 | 0H4LK10rMSSICoOMWUGb7BTfW/7nESbVNJ7z8K2+v+wz27bt/OMJeAKegCfgCXgCnoAn4Al4Ap6AJ+AJ
130 | eAKegCfgCXgCwydwHdZ8PAMGGGCAAQYYYIABBhhggAEGGGCAAQZmBv6Paj/+9uezF5e/vPvqZ99c+HgG
131 | DDDAAAMMMMAAAwwwwAADDNxs4J3z+/f/+PKNCx/PgIF1Dfx1/trnh7tnrx/9fHj28r+/Bfpfibx6tL/9
132 | 9tffH55/856PZ8AAAwwwwAADDDDAAAMMMMDAEQPvffrx4cn/bPt4BgyctoFbwpoflH5QMsAAAwwwwAAD
133 | DDDAAAMMDA0Ia6KisMrAEwPCmr+d528nMsAAAwwwwAADDDDAAAMMTA0Ia6KKsMaAsDZcJKaH1vf9cGaA
134 | AQYYYIABBhhggAEG1jQgrIkqwhoDwpqw5q97M8AAAwwwwAADDDDAAAMMBAPCmqgirDEgrIXjaW1ac23y
135 | Xr1XBhhggAEGGGCAAQYYmBgQ1kQVYY0BYU1Ys0wxwAADDDDAAAMMMMAAAwwEA8KaqCKsMSCsheM5WTB8
136 | 1+LFAAMMMMAAAwwwwAADDKxpQFgTVYQ1BoQ1Yc0yxQADDDDAAAMMMMAAAwwwEAwIa6KKsMaAsBaOp7Vp
137 | zbXJe/VeGWCAAQYYYIABBhhgYGJAWBNVhDUGhDVhzTLFAAMMMMAAAwwwwAADDDAQDAhrooqwxoCwFo7n
138 | ZMHwXYsXAwwwwAADDDDAAAMMMLCmAWFNVBHWGBDWhDXLFAMMMMAAAwwwwAADDDDAQDAgrIkqwhoDwlo4
139 | ntamNdcm79V7ZYABBhhggAEGGGCAgYkBYU1UEdYYENaENcsUAwwwwAADDDDAAAMMMMBAMCCsiSrCGgPC
140 | WjiekwXDdy1eDDDAAAMMMMAAAwwwwMCaBoQ1UUVYY0BYE9YsUwwwwAADDDDAAAMMMMAAA8GAsCaqCGsM
141 | CGvheFqb1lybvFfvlQEGGGCAAQYYYIABBiYGhDVRRVhjQFgT1ixTDDDAAAMMMMAAAwwwwAADwYCwJqoI
142 | awwIa+F4ThYM37V4McAAAwwwwAADDDDAAANrGhDWRBVhjQFhTVizTDHAAAMMMMAAAwwwwAADDAQDwpqo
143 | IqwxIKyF42ltWnNt8l69VwYYYIABBhhggAEGGJgYENZEFWGNAWFNWLNMMcAAAwwwwAADDDDAAAMMBAPC
144 | mqgirDEgrIXjOVkwfNfixQADDDDAAAMMMMAAAwysaUBYE1WENQaENWHNMsUAAwwwwAADDDDAAAMMMBAM
145 | CGuiirDGgLAWjqe1ac21yXv1XhlggAEGGGCAAQYYYGBiQFgTVYQ1BoQ1Yc0yxQADDDDAAAMMMMAAAwww
146 | EAwIa6KKsMaAsBaO52TB8F2LFwMMMMAAAwwwwAADDDCwpgFhTVQR1hgQ1oQ1yxQDDDDAAAMMMMAAAwww
147 | wEAwIKyJKsIaA8JaOJ7WpjXXJu/Ve2WAAQYYYIABBhhggIGJAWFNVBHWGBDWhDXLFAMMMMAAAwwwwAAD
148 | DDDAQDAgrIkqwhoDwlo4npMFw3ctXgwwwAADDDDAAAMMMMDAmgaENVFFWGNAWBPWLFMMMMAAAwwwwAAD
149 | DDDAAAPBgLAmqghrDAhr4Xham9Zcm7xX75UBBhhggAEGGGCAAQYmBoQ1UUVYY0BYE9YsUwwwwAADDDDA
150 | AAMMMMAAA8GAsCaqCGsMCGvheE4WDN+1eDHAAAMMMMAAAwwwwAADaxoQ1kQVYY0BYU1Ys0wxwAADDDDA
151 | AAMMMMAAAwwEA8KaqCKsMSCsheNpbVpzbfJevVcGGGCAAQYYYIABBhiYGBDWRBVhjQFhTVizTDHAAAMM
152 | MMAAAwwwwAADDAQDwpqoIqwxIKyF4zlZMHzX4sUAAwwwwAADDDDAAAMMrGlAWBNVhDUGhDVhzTLFAAMM
153 | MMAAAwwwwAADDDAQDAhrooqwxoCwFo6ntWnNtcl79V4ZYIABBhhggAEGGGBgYkBYE1WENQaENWHNMsUA
154 | AwwwwAADDDDAAAMMMBAMCGuiirDGgLAWjudkwfBdixcDDDDAAAMMMMAAAwwwsKYBYU1UEdYYENaENcsU
155 | AwwwwAADDDDAAAMMMMBAMCCsiSrCGgPCWjie1qY11ybv1XtlgAEGGGCAAQYYYICBiQFhTVQR1hgQ1oQ1
156 | yxQDDDDAAAMMMMAAAwwwwEAwIKyJKsIaA8JaOJ6TBcN3LV4MMMAAAwwwwAADDDDAwJoGhDVRRVhjQFgT
157 | 1ixTDDDAAAMMMMAAAwwwwAADwYCwJqoIawwIa+F4WpvWXJu8V++VAQYYYIABBhhggAEGJgaENVFFWGNA
158 | WBPWLFMMMMAAAwwwwAADDDDAAAPBgLAmqghrDAhr4XhOFgzftXgxwAADDDDAAAMMMMAAA2saENZEFWGN
159 | AWFNWLNMMcAAAwwwwAADDDDAAAMMBAPCmqgirDEgrIXjaW1ac23yXr1XBhhggAEGGGCAAQYYmBgQ1kQV
160 | YY0BYU1Ys0wxwAADDDDAAAMMMMAAAwwEA8KaqCKsMSCsheM5WTB81+LFAAMMMMAAAwwwwAADDKxpQFgT
161 | VYQ1BoQ1Yc0yxQADDDDAAAMMMMAAAwwwEAwIa6KKsMaAsBaOp7VpzbXJe/VeGWCAAQYYYIABBhhgYGJA
162 | WBNVhDUGhDVhzTLFAAMMMMAAAwwwwAADDDAQDAhrooqwxoCwFo7nZMHwXYsXAwwwwAADDDDAAAMMMLCm
163 | AWFNVBHWGBDWhDXLFAMMMMAAAwwwwAADDDDAQDAgrIkqwhoDwlo4ntamNdcm79V7ZYABBhhggAEGGGCA
164 | gYkBYU1UEdYYENaENcsUAwwwwAADDDDAAAMMMMBAMCCsiSrCGgPCWjiekwXDdy1eDDDAAAMMMMAAAwww
165 | wMCaBoQ1UUVYY0BYE9YsUwwwwAADDDDAAAMMMMAAA8GAsCaqCGsMCGvheFqb1lybvFfvlQEGGGCAAQYY
166 | YIABBiYGhDVRRVhjQFgT1ixTDDDAAAMMMMAAAwwwwAADwYCwJqoIawwIa+F4ThYM37V4McAAAwwwwAAD
167 | DDDAAANrGhDWRBVhjQFhTVizTDHAAAMMMMAAAwwwwAADDAQDwpqoIqwxcGNY++i7y8NbX/3g4xkwwAAD
168 | DDDAAAMMMMAAAwwwcMTA5cW9g7AirDBw8gZubdu2213/cf25erS/ffVwf/DxDBhggAEGGGCAAQYYYIAB
169 | Bhg4buDxt8KaqHTyUUlcvnsmrPlB4T8WGGCAAQYYYIABBhhggAEGpgaENVFJWGTgxl8FnR4T3/cDiAEG
170 | GGCAAQYYYIABBhhg4NQMCGuiirDGgLDm11792i8DDDDAAAMMMMAAAwwwwEAwIKyJKsIaA8JaOJ6ntsL4
171 | 97U8MsAAAwwwwAADDDDAAANPGxDWRBVhjQFhTVizTDHAAAMMMMAAAwwwwAADDAQDwpqoIqwxIKyF42mp
172 | sdYxwAADDDDAAAMMMMAAAwwIa6KKsMaAsCasWaYYYIABBhhggAEGGGCAAQaCAWFNVBHWGBDWwvG0TFmm
173 | GGCAAQYYYIABBhhggAEGhDVRRVhjQFgT1ixTDDDAAAMMMMAAAwwwwAADwYCwJqoIawwIa+F4WqYsUwww
174 | wAADDDDAAAMMMMAAA8KaqCKsMSCsCWuWKQYYYIABBhhggAEGGGCAgWBAWBNVhDUGhLVwPC1TlikGGGCA
175 | AQYYYIABBhhggAFhTVQR1hgQ1oQ1yxQDDDDAAAMMMMAAAwwwwEAwIKyJKsIaA8JaOJ6WKcsUAwwwwAAD
176 | DDDAAAMMMMCAsCaqCGsMCGvCmmWKAQYYYIABBhhggAEGGGAgGBDWRBVhjQFhLRxPy5RligEGGGCAAQYY
177 | YIABBhhgQFgTVYQ1BoQ1Yc0yxQADDDDAAAMMMMAAAwwwEAwIa6KKsMaAsBaOp2XKMsUAAwwwwAADDDDA
178 | AAMMMCCsiSrCGgPCmrBmmWKAAQYYYIABBhhggAEGGAgGhDVRRVhjQFgLx9MyZZligAEGGGCAAQYYYIAB
179 | BhgQ1kQVYY0BYU1Ys0wxwAADDDDAAAMMMMAAAwwEA8KaqCKsMSCsheNpmbJMMcAAAwwwwAADDDDAAAMM
180 | CGuiirDGgLAmrFmmGGCAAQYYYIABBhhggAEGggFhTVQR1hgQ1sLxtExZphhggAEGGGCAAQYYYIABBoQ1
181 | UUVYY0BYE9YsUwwwwAADDDDAAAMMMMAAA8GAsCaqCGsMCGvheFqmLFMMMMAAAwwwwAADDDDAAAPCmqgi
182 | rDEgrAlrlikGGGCAAQYYYIABBhhggIFgQFgTVYQ1BoS1cDwtU5YpBhhggAEGGGCAAQYYYIABYU1UEdYY
183 | ENaENcsUAwwwwAADDDDAAAMMMMBAMCCsiSrCGgPCWjielinLFAMMMMAAAwwwwAADDDDAgLAmqghrDAhr
184 | wppligEGGGCAAQYYYIABBhhgIBgQ1kQVYY0BYS0cT8uUZYoBBhhggAEGGGCAAQYYYEBYE1WENQaENWHN
185 | MsUAAwwwwAADDDDAAAMMMBAMCGuiirDGgLAWjqdlyjLFAAMMMMAAAwwwwAADDDAgrIkqwhoDwpqwZpli
186 | gAEGGGCAAQYYYIABBhgIBoQ1UUVYY0BYC8fTMmWZYoABBhhggAEGGGCAAQYYENZEFWGNAWFNWLNMMcAA
187 | AwwwwAADDDDAAAMMBAPCmqgirDEgrIXjaZmyTDHAAAMMMMAAAwwwwAADDAhrooqwxoCwJqxZphhggAEG
188 | GGCAAQYYYIABBoIBYU1UEdYYENbC8bRMWaYYYIABBhhggAEGGGCAAQaENVFFWGNAWBPWLFMMMMAAAwww
189 | wAADDDDAAAPBgLAmqghrDAhr4XhapixTDDDAAAMMMMAAAwwwwAADwpqoIqwxIKwJa5YpBhhggAEGGGCA
190 | AQYYYICBYEBYE1WENQaEtXA8LVOWKQYYYIABBhhggAEGGGCAAWFNVBHWGBDWhDXLFAMMMMAAAwwwwAAD
191 | DDDAQDAgrIkqwhoDwlo4npYpyxQDDDDAAAMMMMAAAwwwwICwJqoIawwIa8KaZYoBBhhggAEGGGCAAQYY
192 | YCAYENZEFWGNAWEtHE/LlGWKAQYYYIABBhhggAEGGGBAWBNVhDUGhDVhzTLFAAMMMMAAAwwwwAADDDAQ
193 | DAhrooqwxoCwFo6nZcoyxQADDDDAAAMMMMAAAwwwIKyJKsIaA8KasGaZYoABBhhggAEGGGCAAQYYCAaE
194 | NVFFWGNAWAvH0zJlmWKAAQYYYIABBhhggAEGGBDWRBVhjQFhTVizTDHAAAMMMMAAAwwwwAADDAQDwpqo
195 | IqwxIKyF42mZskwxwAADDDDAAAMMMMAAAwwIa6KKsMaAsCasWaYYYIABBhhggAEGGGCAAQaCAWFNVBHW
196 | GBDWwvG0TFmmGGCAAQYYYIABBhhggAEGhDVRRVhjQFgT1ixTDDDAAAMMMMAAAwwwwAADwYCwJqoIawwI
197 | a+F4WqYsUwwwwAADDDDAAAMMMMAAA8KaqCKsMSCsCWuWKQYYYIABBhhggAEGGGCAgWBAWBNVhDUGhLVw
198 | PC1TlikGGGCAAQYYYIABBhhggAFhTVQR1hgQ1oQ1yxQDDDDAAAMMMMAAAwwwwEAwIKyJKsIaA8JaOJ6W
199 | KcsUAwwwwAADDDDAAAMMMMCAsCaqCGsMCGvCmmWKAQYYYIABBhhggAEGGGAgGBDWRBVhjQFhLRxPy5Rl
200 | igEGGGCAAQYYYIABBhhgQFgTVYQ1BoQ1Yc0yxQADDDDAAAMMMMAAAwwwEAwIa6KKsMaAsBaOp2XKMsUA
201 | AwwwwAADDDDAAAMMMCCsiSrCGgPCmrBmmWKAAQYYYIABBhhggAEGGAgGhDVRRVhjQFgLx9MyZZligAEG
202 | GGCAAQYYYIABBhgQ1kQVYY0BYU1Ys0wxwAADDDDAAAMMMMAAAwwEA8KaqCKsMSCsheNpmbJMMcAAAwww
203 | wAADDDDAAAMMCGuiirDGgLAmrFmmGGCAAQYYYIABBhhggAEGggFhTVQR1hgQ1sLxtExZphhggAEGGGCA
204 | AQYYYIABBoQ1UUVYY0BYE9YsUwwwwAADDDDAAAMMMMAAA8GAsCaqCGsMCGvheFqmLFMMMMAAAwwwwAAD
205 | DDDAAAPCmqgirDEgrAlrlikGGGCAAQYYYIABBhhggIFgQFgTVYQ1BoS1cDwtU5YpBhhggAEGGGCAAQYY
206 | YIABYU1UEdYYENaENcsUAwwwwAADDDDAAAMMMMBAMCCsiSrCGgPCWjielinLFAMMMMAAAwwwwAADDDDA
207 | gLAmqghrDAhrwppligEGGGCAAQYYYIABBhhgIBgQ1kQVYY0BYS0cT8uUZYoBBhhggAEGGGCAAQYYYEBY
208 | E1WENQaENWHNMsUAAwwwwAADDDDAAAMMMBAMCGuiirDGgLAWjqdlyjLFAAMMMMAAAwwwwAADDDAgrIkq
209 | whoDwpqwZpligAEGGGCAAQYYYIABBhgIBoQ1UUVYY0BYC8fTMmWZYoABBhhggAEGGGCAAQYYENZEFWGN
210 | AWFNWLNMMcAAAwwwwAADDDDAAAMMBAPCmqgirDEgrIXjaZmyTDHAAAMMMMAAAwwwwAADDAhrooqwxoCw
211 | JqxZphhggAEGGGCAAQYYYIABBoIBYU1UEdYYENbC8bRMWaYYYIABBhhggAEGGGCAAQaENVFFWGNAWBPW
212 | LFMMMMAAAwwwwAADDDDAAAPBgLAmqghrDAhr4XhapixTDDDAAAMMMMAAAwwwwAADwpqoIqwxIKwJa5Yp
213 | BhhggAEGGGCAAQYYYICBYEBYE1WENQaEtXA8LVOWKQYYYIABBhhggAEGGGCAAWFNVBHWGBDWhDXLFAMM
214 | MMAAAwwwwAADDDDAQDAgrIkqwhoDwlo4npYpyxQDDDDAAAMMMMAAAwwwwICwJqoIawwIa8KaZYoBBhhg
215 | gAEGGGCAAQYYYCAYENZEFWGNAWEtHE/LlGWKAQYYYIABBhhggAEGGGBAWBNVhDUGhDVhzTLFAAMMMMAA
216 | AwwwwAADDDAQDAhrooqwxoCwFo6nZcoyxQADDDDAAAMMMMAAAwwwIKyJKsIaA8KasGaZYoABBhhggAEG
217 | GGCAAQYYCAaENVFFWGNAWAvH0zJlmWKAAQYYYIABBhhggAEGGBDWRBVhjQFhTVizTDHAAAMMMMAAAwww
218 | wAADDAQDwpqoIqwxIKyF42mZskwxwAADDDDAAAMMMMAAAwwIa6KKsMaAsCasWaYYYIABBhhggAEGGGCA
219 | AQaCAWFNVBHWGBDWwvG0TFmmGGCAAQYYYIABBhhggAEGhDVRRVhjQFgT1ixTDDDAAAMMMMAAAwwwwAAD
220 | wYCwJqoIawwIa+F4WqYsUwwwwAADDDDAAAMMMMAAA8KaqCKsMSCsCWuWKQYYYIABBhhggAEGGGCAgWBA
221 | WBNVhDUGhLVwPC1TlikGGGCAAQYYYIABBhhggAFhTVQR1hgQ1oQ1yxQDDDDAAAMMMMAAAwwwwEAwIKyJ
222 | KsIaA8JaOJ6WKcsUAwwwwAADDDDAAAMMMMCAsCaqCGsMCGvCmmWKAQYYYIABBhhggAEGGGAgGBDWRBVh
223 | jQFhLRxPy5RligEGGGCAAQYYYIABBhhgQFgTVYQ1BoQ1Yc0yxQADDDDAAAMMMMAAAwwwEAwIa6KKsMaA
224 | sBaOp2XKMsUAAwwwwAADDDDAAAMMMCCsiSrCGgPCmrBmmWKAAQYYYIABBhhggAEGGAgGhDVRRVhjQFgL
225 | x9MyZZligAEGGGCAAQYYYIABBhgQ1kQVYY0BYU1Ys0wxwAADDDDAAAMMMMAAAwwEA8KaqCKsMSCsheNp
226 | mbJMMcAAAwwwwAADDDDAAAMMCGuiirDGgLAmrFmmGGCAAQYYYIABBhhggAEGggFhTVQR1hgQ1sLxtExZ
227 | phhggAEGGGCAAQYYYIABBoQ1UUVYY0BYE9YsUwwwwAADDDDAAAMMMMAAA8GAsCaqCGsMCGvheFqmLFMM
228 | MMAAAwwwwAADDDDAAAPCmqgirDEgrAlrlikGGGCAAQYYYIABBhhggIFgQFgTVYQ1BoS1cDwtU5YpBhhg
229 | gAEGGGCAAQYYYIABYU1UEdYYENaENcsUAwwwwAADDDDAAAMMMMBAMCCsiSrCGgPCWjielinLFAMMMMAA
230 | AwwwwAADDDDAgLAmqghrDAhrwppligEGGGCAAQYYYIABBhhgIBgQ1kQVYY0BYS0cT8uUZYoBBhhggAEG
231 | GGCAAQYYYEBYE1WENQaENWHNMsUAAwwwwAADDDDAAAMMMBAMCGuiirDGgLAWjqdlyjLFAAMMMMAAAwww
232 | wAADDDAgrIkqwhoDwpqwZpligAEGGGCAAQYYYIABBhgIBoQ1UUVYY0BYC8fTMmWZYoABBhhggAEGGGCA
233 | AQYYENZEFWGNAWFNWLNMMcAAAwwwwAADDDDAAAMMBAPCmqgirDEgrIXjaZmyTDHAAAMMMMAAAwwwwAAD
234 | DAhrooqwxoCwJqxZphhggAEGGGCAAQYYYIABBoIBYU1UEdYYENbC8bRMWaYYYIABBhhggAEGGGCAAQaE
235 | NVFFWGNAWBPWLFMMMMAAAwwwwAADDDDAAAPBgLAmqghrDAhr4XhapixTDDDAAAMMMMAAAwwwwAADwpqo
236 | IqwxIKwJa5YpBhhggAEGGGCAAQYYYICBYEBYE1WENQaEtXA8LVOWKQYYYIABBhhggAEGGGCAAWFNVBHW
237 | GBDWhDXLFAMMMMAAAwwwwAADDDDAQDAgrIkqwhoDwlo4npYpyxQDDDDAAAMMMMAAAwwwwICwJqoIawwI
238 | a8KaZYoBBhhggAEGGGCAAQYYYCAYENZEFWGNAWEtHE/LlGWKAQYYYIABBhhggAEGGGBAWBNVhDUGhDVh
239 | zTLFAAMMMMAAAwwwwAADDDAQDAhrooqwxoCwFo6nZcoyxQADDDDAAAMMMMAAAwwwIKyJKsIaA8KasGaZ
240 | YoABBhhggAEGGGCAAQYYCAaENVFFWGNAWAvH0zJlmWKAAQYYYIABBhhggAEGGBDWRBVhjQFhTVizTDHA
241 | AAMMMMAAAwwwwAADDAQDwpqoIqwxIKyF42mZskwxwAADDDDAAAMMMMAAAwwIa6KKsMaAsCasWaYYYIAB
242 | BhhggAEGGGCAAQaCAWFNVBHWGBDWwvG0TFmmGGCAAQYYYIABBhhggAEGhDVRRVhjQFgT1ixTDDDAAAMM
243 | MMAAAwwwwAADwYCwJqoIawwIa+F4WqYsUwwwwAADDDDAAAMMMMAAA8KaqCKsMSCsCWuWKQYYYIABBhhg
244 | gAEGGGCAgWBAWBNVhDUGhLVwPC1TlikGGGCAAQYYYIABBhhggAFhTVQR1hgQ1oQ1yxQDDDDAAAMMMMAA
245 | AwwwwEAwIKyJKsIaA8JaOJ6WKcsUAwwwwAADDDDAAAMMMMCAsCaqCGsMCGvCmmWKAQYYYIABBhhggAEG
246 | GGAgGBDWRBVhjQFhLRxPy5RligEGGGCAAQYYYIABBhhgQFgTVYQ1BoQ1Yc0yxQADDDDAAAMMMMAAAwww
247 | EAwIa6KKsMaAsBaOp2XKMsUAAwwwwAADDDDAAAMMMCCsiSrCGgPCmrBmmWKAAQYYYIABBhhggAEGGAgG
248 | hDVRRVhjQFgLx9MyZZligAEGGGCAAQYYYIABBhgQ1kQVYY0BYU1Ys0wxwAADDDDAAAMMMMAAAwwEA8Ka
249 | qCKsMSCsheNpmbJMMcAAAwwwwAADDDDAAAMMCGuiirDGgLAmrFmmGGCAAQYYYIABBhhggAEGggFhTVQR
250 | 1hgQ1sLxtExZphhggAEGGGCAAQYYYIABBoQ1UUVYY0BYE9YsUwwwwAADDDDAAAMMMMAAA8GAsCaqCGsM
251 | CGvheFqmLFMMMMAAAwwwwAADDDDAAAPCmqgirDEgrAlrlikGGGCAAQYYYIABBhhggIFgQFgTVYQ1BoS1
252 | cDwtU5YpBhhggAEGGGCAAQYYYIABYU1UEdYYENaENcsUAwwwwAADDDDAAAMMMMBAMCCsiSrCGgPCWjie
253 | linLFAMMMMAAAwwwwAADDDDAgLAmqghrDAhrwppligEGGGCAAQYYYIABBhhgIBgQ1kQVYY0BYS0cT8uU
254 | ZYoBBhhggAEGGGCAAQYYYEBYE1WENQaENWHNMsUAAwwwwAADDDDAAAMMMBAMCGuiirDGgLAWjqdlyjLF
255 | AAMMMMAAAwwwwAADDDAgrIkqwhoDwpqwZpligAEGGGCAAQYYYIABBhgIBoQ1UUVYY0BYC8fTMmWZYoAB
256 | BhhggAEGGGCAAQYYENZEFWGNAWFNWLNMMcAAAwwwwAADDDDAAAMMBAPCmqgirDEgrIXjaZmyTDHAAAMM
257 | MMAAAwwwwAADDAhrooqwxoCwJqxZphhggAEGGGCAAQYYYIABBoIBYU1UEdYYENbC8bRMWaYYYIABBhhg
258 | gAEGGGCAAQaENVFFWGNAWBPWLFMMMMAAAwwwwAADDDDAAAPBgLAmqghrDAhr4XhapixTDDDAAAMMMMAA
259 | AwwwwAADwpqoIqwxIKwJa5YpBhhggAEGGGCAAQYYYICBYEBYE1WENQaEtXA8LVOWKQYYYIABBhhggAEG
260 | GGCAAWFNVBHWGBDWhDXLFAMMMMAAAwwwwAADDDDAQDAgrIkqwhoDwlo4npYpyxQDDDDAAAMMMMAAAwww
261 | wICwJqoIawwIa8KaZYoBBhhggAEGGGCAAQYYYCAYENZEFWGNAWEtHE/LlGWKAQYYYIABBhhggAEGGGBA
262 | WBNVhDUGhDVhzTLFAAMMMMAAAwwwwAADDDAQDAhrooqwxoCwFo6nZcoyxQADDDDAAAMMMMAAAwwwIKyJ
263 | KsIaA8KasGaZYoABBhhggAEGGGCAAQYYCAaENVFFWGNAWAvH0zJlmWKAAQYYYIABBhhggAEGGBDWRBVh
264 | jQFhTVizTDHAAAMMMMAAAwwwwAADDAQDwpqoIqwxIKyF42mZskwxwAADDDDAAAMMMMAAAwwIa6KKsMaA
265 | sCasWaYYYIABBhhggAEGGGCAAQaCAWFNVBHWGBDWwvG0TFmmGGCAAQYYYIABBhhggAEGhDVRRVhjQFgT
266 | 1ixTDDDAAAMMMMAAAwwwwAADwYCwJqoIawwIa+F4WqYsUwwwwAADDDDAAAMMMMAAA8KaqCKsMSCsCWuW
267 | KQYYYIABBhhggAEGGGCAgWBAWBNVhDUGhLVwPC1TlikGGGCAAQYYYIABBhhggAFhTVQR1hgQ1oQ1yxQD
268 | DDDAAAMMMMAAAwwwwEAwIKyJKsIaA8JaOJ6WKcsUAwwwwAADDDDAAAMMMMCAsCaqCGsMCGvCmmWKAQYY
269 | YIABBhhggAEGGGAgGBDWRBVhjQFhLRxPy5RligEGGGCAAQYYYIABBhhgQFgTVYQ1BoQ1Yc0yxQADDDDA
270 | AAMMMMAAAwwwEAwIa6KKsMaAsBaOp2XKMsUAAwwwwAADDDDAAAMMMCCsiSrCGgPCmrBmmWKAAQYYYIAB
271 | BhhggAEGGAgGhDVRRVhjQFgLx9MyZZligAEGGGCAAQYYYIABBhgQ1kQVYY0BYU1Ys0wxwAADDDDAAAMM
272 | MMAAAwwEA8KaqCKsMSCsheNpmbJMMcAAAwwwwAADDDDAAAMMCGuiirDGgLAmrFmmGGCAAQYYYIABBhhg
273 | gAEGggFhTVQR1hgQ1sLxtExZphhggAEGGGCAAQYYYIABBoQ1UUVYY0BYE9YsUwwwwAADDDDAAAMMMMAA
274 | A8GAsCaqCGsMCGvheFqmLFMMMMAAAwwwwAADDDDAAAPCmqgirDEgrAlrlikGGGCAAQYYYIABBhhggIFg
275 | QFgTVYQ1BoS1cDwtU5YpBhhggAEGGGCAAQYYYIABYU1UEdYYENaENcsUAwwwwAADDDDAAAMMMMBAMCCs
276 | iSrCGgPCWjielinLFAMMMMAAAwwwwAADDDDAgLAmqghrDAhrwppligEGGGCAAQYYYIABBhhgIBgQ1kQV
277 | YY0BYS0cT8uUZYoBBhhggAEGGGCAAQYYYEBYE1WENQaENWHNMsUAAwwwwAADDDDAAAMMMBAMCGuiirDG
278 | gLAWjqdlyjLFAAMMMMAAAwwwwAADDDAgrIkqwhoDwpqwZpligAEGGGCAAQYYYIABBhgIBoQ1UUVYY0BY
279 | C8fTMmWZYoABBhhggAEGGGCAAQYYENZEFWGNAWFNWLNMMcAAAwwwwAADDDDAAAMMBAPCmqgirDEgrIXj
280 | aZmyTDHAAAMMMMAAAwwwwAADDAhrooqwxoCwJqxZphhggAEGGGCAAQYYYIABBoIBYU1UEdYYENbC8bRM
281 | WaYYYIABBhhggAEGGGCAAQaENVFFWGNAWBPWLFMMMMAAAwwwwAADDDDAAAPBgLAmqghrDAhr4XhapixT
282 | DDDAAAMMMMAAAwwwwAADwpqoIqwxIKwJa5YpBhhggAEGGGCAAQYYYICBYEBYE1WENQaEtXA8LVOWKQYY
283 | YIABBhhggAEGGGCAAWFNVBHWGBDWhDXLFAMMMMAAAwwwwAADDDDAQDAgrIkqwhoDwlo4npYpyxQDDDDA
284 | AAMMMMAAAwwwwICwJqoIawwIa8KaZYoBBhhggAEGGGCAAQYYYCAYENZEFWGNAWEtHE/LlGWKAQYYYIAB
285 | BhhggAEGGGBAWBNVhDUGhDVhzTLFAAMMMMAAAwwwwAADDDAQDAhrooqwxoCwFo6nZcoyxQADDDDAAAMM
286 | MMAAAwwwIKyJKsIaA8KasGaZYoABBhhggAEGGGCAAQYYCAaENVFFWGNAWAvH0zJlmWKAAQYYYIABBhhg
287 | gAEGGBDWRBVhjQFhTVizTDHAAAMMMMAAAwwwwAADDAQDwpqoIqwxIKyF42mZskwxwAADDDDAAAMMMMAA
288 | AwwIa6KKsMaAsCasWaYYYIABBhhggAEGGGCAAQaCAWFNVBHWGBDWwvG0TFmmGGCAAQYYYIABBhhggAEG
289 | hDVRRVhjQFgT1ixTDDDAAAMMMMAAAwwwwAADwYCwJqoIawwIa+F4WqYsUwwwwAADDDDAAAMMMMAAA8Ka
290 | qCKsMSCsCWuWKQYYYIABBhhggAEGGGCAgWBAWBNVhDUGhLVwPC1TlikGGGCAAQYYYIABBhhggAFhTVQR
291 | 1hgQ1oQ1yxQDDDDAAAMMMMAAAwwwwEAwIKyJKsIaA8JaOJ6WKcsUAwwwwAADDDDAAAMMMMCAsCaqCGsM
292 | CGvCmmWKAQYYYIABBhhggAEGGGAgGBDWRBVhjQFhLRxPy5RligEGGGCAAQYYYIABBhhgQFgTVYQ1BoQ1
293 | Yc0yxQADDDDAAAMMMMAAAwwwEAwIa6KKsMaAsBaOp2XKMsUAAwwwwAADDDDAAAMMMCCsiSrCGgPCmrBm
294 | mWKAAQYYYIABBhhggAEGGAgGhDVRRVhjQFgLx9MyZZligAEGGGCAAQYYYIABBhgQ1kQVYY0BYU1Ys0wx
295 | wAADDDDAAAMMMMAAAwwEA8KaqCKsMSCsheNpmbJMMcAAAwwwwAADDDDAAAMMCGuiirDGgLAmrFmmGGCA
296 | AQYYYIABBhhggAEGggFhTVQR1hgQ1sLxtExZphhggAEGGGCAAQYYYIABBoQ1UUVYY0BYE9YsUwwwwAAD
297 | DDDAAAMMMMAAA8GAsCaqCGsMCGvheFqmLFMMMMAAAwwwwAADDDDAAAPCmqgirDEgrAlrlikGGGCAAQYY
298 | YIABBhhggIFgQFgTVYQ1BoS1cDwtU5YpBhhggAEGGGCAAQYYYIABYU1UEdYYENaENcsUAwwwwAADDDDA
299 | AAMMMMBAMCCsiSrCGgPCWjielinLFAMMMMAAAwwwwAADDDDAgLAmqghrDAhrwppligEGGGCAAQYYYIAB
300 | BhhgIBgQ1kQVYY0BYS0cT8uUZYoBBhhggAEGGGCAAQYYYEBYE1WENQaENWHNMsUAAwwwwAADDDDAAAMM
301 | MBAMCGuiirDGgLAWjqdlyjLFAAMMMMAAAwwwwAADDDAgrIkqwhoDwpqwZpligAEGGGCAAQYYYIABBhgI
302 | BoQ1UUVYY0BYC8fTMmWZYoABBhhggAEGGGCAAQYYENZEFWGNAWFNWLNMMcAAAwwwwAADDDDAAAMMBAPC
303 | mqgirDEgrIXjaZmyTDHAAAMMMMAAAwwwwAADDAhrooqwxoCwJqxZphhggAEGGGCAAQYYYIABBoIBYU1U
304 | EdYYENbC8bRMWaYYYIABBhhggAEGGGCAAQaENVFFWGNAWBPWLFMMMMAAAwwwwAADDDDAAAPBgLAmqghr
305 | DAhr4XhapixTDDDAAAMMMMAAAwwwwAADwpqoIqwxIKwJa5YpBhhggAEGGGCAAQYYYICBYEBYE1WENQaE
306 | tXA8LVOWKQYYYIABBhhggAEGGGCAAWFNVBHWGBDWhDXLFAMMMMAAAwwwwAADDDDAQDAgrIkqwhoDwlo4
307 | npYpyxQDDDDAAAMMMMAAAwwwwICwJqoIawwIa8KaZYoBBhhggAEGGGCAAQYYYCAYENZEFWGNAWEtHE/L
308 | lGWKAQYYYIABBhhggAEGGGBAWBNVhDUGhDVhzTLFAAMMMMAAAwwwwAADDDAQDAhrooqwxoCwFo6nZcoy
309 | xQADDDDAAAMMMMAAAwwwIKyJKsIaA8KasGaZYoABBhhggAEGGGCAAQYYCAaENVFFWGNAWAvH0zJlmWKA
310 | AQYYYIABBhhggAEGGBDWRBVhjQFhTVizTDHAAAMMMMAAAwwwwAADDAQDwpqoIqwxIKyF42mZskwxwAAD
311 | DDDAAAMMMMAAAwwIa6KKsMaAsCasWaYYYIABBhhggAEGGGCAAQaCAWFNVBHWGBDWwvG0TFmmGGCAAQYY
312 | YIABBhhggAEGhDVRRVhjQFgT1ixTDDDAAAMMMMAAAwwwwAADwYCwJqoIawwIa+F4WqYsUwwwwAADDDDA
313 | AAMMMMAAA8KaqCKsMSCsCWuWKQYYYIABBhhggAEGGGCAgWBAWBNVhDUGhLVwPC1TlikGGGCAAQYYYIAB
314 | BhhggAFhTVQR1hgQ1oQ1yxQDDDDAAAMMMMAAAwwwwEAwIKyJKsIaA8JaOJ6WKcsUAwwwwAADDDDAAAMM
315 | MMCAsCaqCGsMCGvCmmWKAQYYYIABBhhggAEGGGAgGBDWRBVhjQFhLRxPy5RligEGGGCAAQYYYIABBhhg
316 | QFgTVYQ1BoQ1Yc0yxQADDDDAAAMMMMAAAwwwEAwIa6KKsMaAsBaOp2XKMsUAAwwwwAADDDDAAAMMMCCs
317 | iSrCGgPCmrBmmWKAAQYYYIABBhhggAEGGAgGhDVRRVhjQFgLx9MyZZligAEGGGCAAQYYYIABBhgQ1kQV
318 | YY0BYU1Ys0wxwAADDDDAAAMMMMAAAwwEA8KaqCKsMSCsheNpmbJMMcAAAwwwwAADDDDAAAMMCGuiirDG
319 | gLAmrFmmGGCAAQYYYIABBhhggAEGggFhTVQR1hgQ1sLxtExZphhggAEGGGCAAQYYYIABBoQ1UUVYY0BY
320 | E9YsUwwwwAADDDDAAAMMMMAAA8GAsCaqCGsMCGvheFqmLFMMMMAAAwwwwAADDDDAAAPCmqgirDEgrAlr
321 | likGGGCAAQYYYIABBhhggIFgQFgTVYQ1BoS1cDwtU5YpBhhggAEGGGCAAQYYYIABYU1UEdYYENaENcsU
322 | AwwwwAADDDDAAAMMMMBAMCCsiSrCGgPCWjielinLFAMMMMAAAwwwwAADDDDAgLAmqghrDAhrwppligEG
323 | GGCAAQYYYIABBhhgIBgQ1kQVYY0BYS0cT8uUZYoBBhhggAEGGGCAAQYYYEBYE1WENQaENWHNMsUAAwww
324 | wAADDDDAAAMMMBAMCGuiirDGgLAWjqdlyjLFAAMMMMAAAwwwwAADDDAgrIkqwhoDwpqwZpligAEGGGCA
325 | AQYYYIABBhgIBoQ1UUVYY0BYC8fTMmWZYoABBhhggAEGGGCAAQYYENZEFWGNAWFNWLNMMcAAAwwwwAAD
326 | DDDAAAMMBAPCmqgirDEgrIXjaZmyTDHAAAMMMMAAAwwwwAADDAhrooqwxoCwJqxZphhggAEGGGCAAQYY
327 | YIABBoIBYU1UEdYYENbC8bRMWaYYYIABBhhggAEGGGCAAQaENVFFWGNAWBPWLFMMMMAAAwwwwAADDDDA
328 | AAPBgLAmqghrDAhr4XhapixTDDDAAAMMMMAAAwwwwAADwpqoIqwxIKwJa5YpBhhggAEGGGCAAQYYYICB
329 | YEBYE1WENQaEtXA8LVOWKQYYYIABBhhggAEGGGCAAWFNVBHWGBDWhDXLFAMMMMAAAwwwwAADDDDAQDAg
330 | rIkqwhoDwlo4npYpyxQDDDDAAAMMMMAAAwwwwICwJqoIawwIa8KaZYoBBhhggAEGGGCAAQYYYCAYENZE
331 | FWGNAWEtHE/LlGWKAQYYYIABBhhggAEGGGBAWBNVhDUGhDVhzTLFAAMMMMAAAwwwwAADDDAQDAhrooqw
332 | xoCwFo6nZcoyxQADDDDAAAMMMMAAAwwwIKyJKsIaA8KasGaZYoABBhhggAEGGGCAAQYYCAaENVFFWGNA
333 | WAvH0zJlmWKAAQYYYIABBhhggAEGGBDWRBVhjQFhTVizTDHAAAMMMMAAAwwwwAADDAQDwpqoIqwxIKyF
334 | 42mZskwxwAADDDDAAAMMMMAAAwwIa6KKsMaAsCasWaYYYIABBhhggAEGGGCAAQaCAWFNVBHWGBDWwvG0
335 | TFmmGGCAAQYYYIABBhhggAEGhDVRRVhjQFgT1ixTDDDAAAMMMMAAAwwwwAADwYCwJqoIawwIa+F4WqYs
336 | UwwwwAADDDDAAAMMMMAAA8KaqCKsMSCsCWuWKQYYYIABBhhggAEGGGCAgWBAWBNVhDUGhLVwPC1TlikG
337 | GGCAAQYYYIABBhhggAFhTVQR1hgQ1oQ1yxQDDDDAAAMMMMAAAwwwwEAwIKyJKsIaA8JaOJ6WKcsUAwww
338 | wAADDDDAAAMMMMCAsCaqCGsMCGvCmmWKAQYYYIABBhhggAEGGGAgGBDWRBVhjQFhLRxPy5RligEGGGCA
339 | AQYYYIABBhhgQFgTVYQ1BoQ1Yc0yxQADDDDAAAMMMMAAAwwwEAwIa6KKsMaAsBaOp2XKMsUAAwwwwAAD
340 | DDDAAAMMMCCsiSrCGgPCmrBmmWKAAQYYYIABBhhggAEGGAgGhDVRRVhjQFgLx9MyZZligAEGGGCAAQYY
341 | YIABBhgQ1kQVYY0BYU1Ys0wxwAADDDDAAAMMMMAAAwwEA8KaqCKsMSCsheNpmbJMMcAAAwwwwAADDDDA
342 | AAMMCGuiirDGgLAmrFmmGGCAAQYYYIABBhhggAEGggFhTVQR1hgQ1sLxtExZphhggAEGGGCAAQYYYIAB
343 | BoQ1UUVYY0BYE9YsUwwwwAADDDDAAAMMMMAAA8GAsCaqCGsMCGvheFqmLFMMMMAAAwwwwAADDDDAAAPC
344 | mqgirDEgrAlrlikGGGCAAQYYYIABBhhggIFgQFgTVYQ1BoS1cDwtU5YpBhhggAEGGGCAAQYYYIABYU1U
345 | EdYYENaENcsUAwwwwAADDDDAAAMMMMBAMCCsiSrCGgPCWjielinLFAMMMMAAAwwwwAADDDDAgLAmqghr
346 | DAhrwppligEGGGCAAQYYYIABBhhgIBgQ1kQVYY0BYS0cT8uUZYoBBhhggAEGGGCAAQYYYEBYE1WENQaE
347 | NWHNMsUAAwwwwAADDDDAAAMMMBAMCGuiirDGgLAWjqdlyjLFAAMMMMAAAwwwwAADDDAgrIkqwhoDwpqw
348 | ZpligAEGGGCAAQYYYIABBhgIBoQ1UUVYY0BYC8fTMmWZYoABBhhggAEGGGCAAQYYENZEFWGNAWFNWLNM
349 | McAAAwwwwAADDDDAAAMMBAPCmqgirDEgrIXjaZmyTDHAAAMMMMAAAwwwwAADDAhrooqwxoCwJqxZphhg
350 | gAEGGGCAAQYYYIABBoIBYU1UEdYYENbC8bRMWaYYYIABBhhggAEGGGCAAQaENVFFWGNAWBPWLFMMMMAA
351 | AwwwwAADDDDAAAPBgLAmqghrDAhr4XhapixTDDDAAAMMMMAAAwwwwAADwpqoIqwxIKwJa5YpBhhggAEG
352 | GGCAAQYYYICBYEBYE1WENQaEtXA8LVOWKQYYYIABBhhggAEGGGCAAWFNVBHWGBDWhDXLFAMMMMAAAwww
353 | wAADDDDAQDAgrIkqwhoDwlo4npYpyxQDDDDAAAMMMMAAAwwwwICwJqoIawwIa8KaZYoBBhhggAEGGGCA
354 | AQYYYCAYENZEFWGNAWEtHE/LlGWKAQYYYIABBhhggAEGGGBAWBNVhDUGhDVhzTLFAAMMMMAAAwwwwAAD
355 | DDAQDAhrooqwxoCwFo6nZcoyxQADDDDAAAMMMMAAAwwwIKyJKsIaA8KasGaZYoABBhhggAEGGGCAAQYY
356 | CAaENVFFWGNAWAvH0zJlmWKAAQYYYIABBhhggAEGGBDWRBVhjQFhTVizTDHAAAMMMMAAAwwwwAADDAQD
357 | wpqoIqwxIKyF42mZskwxwAADDDDAAAMMMMAAAwwIa6KKsMaAsCasWaYYYIABBhhggAEGGGCAAQaCAWFN
358 | VBHWGBDWwvG0TFmmGGCAAQYYYIABBhhggAEGhDVRRVhjQFgT1ixTDDDAAAMMMMAAAwwwwAADwYCwJqoI
359 | awwIa+F4WqYsUwwwwAADDDDAAAMMMMAAA8KaqCKsMSCsCWuWKQYYYIABBhhggAEGGGCAgWBAWBNVhDUG
360 | hLVwPC1TlikGGGCAAQYYYIABBhhggAFhTVQR1hgQ1oQ1yxQDDDDAAAMMMMAAAwwwwEAwIKyJKsIaA8Ja
361 | OJ6WKcsUAwwwwAADDDDAAAMMMMCAsCaqCGsMCGvCmmWKAQYYYIABBhhggAEGGGAgGBDWRBVhjQFhLRxP
362 | y5RligEGGGCAAQYYYIABBhhgQFgTVYQ1BoQ1Yc0yxQADDDDAAAMMMMAAAwwwEAwIa6KKsMaAsBaOp2XK
363 | MsUAAwwwwAADDDDAAAMMMCCsiSrCGgPCmrBmmWKAAQYYYIABBhhggAEGGAgGhDVRRVhjQFgLx9MyZZli
364 | gAEGGGCAAQYYYIABBhgQ1kQVYY0BYU1Ys0wxwAADDDDAAAMMMMAAAwwEA8KaqCKsMSCsheNpmbJMMcAA
365 | AwwwwAADDDDAAAMMCGuiirDGgLAmrFmmGGCAAQYYYIABBhhggAEGggFhTVQR1hgQ1sLxtExZphhggAEG
366 | GGCAAQYYYIABBoQ1UUVYY0BYE9YsUwwwwAADDDDAAAMMMMAAA8GAsCaqCGsMCGvheFqmLFMMMMAAAwww
367 | wAADDDDAAAPCmqgirDEgrAlrlikGGGCAAQYYYIABBhhggIFgQFgTVYQ1BoS1cDwtU5YpBhhggAEGGGCA
368 | AQYYYIABYU1UEdYYENaENcsUAwwwwAADDDDAAAMMMMBAMCCsiSrCGgPCWjielinLFAMMMMAAAwwwwAAD
369 | DDDAgLAmqghrDAhrwppligEGGGCAAQYYYIABBhhgIBgQ1kQVYY0BYS0cT8uUZYoBBhhggAEGGGCAAQYY
370 | YEBYE1WENQaENWHNMsUAAwwwwAADDDDAAAMMMBAMCGuiirDGgLAWjqdlyjLFAAMMMMAAAwwwwAADDDAg
371 | rIkqwhoDwpqwZpligAEGGGCAAQYYYIABBhgIBoQ1UUVYY0BYC8fTMmWZYoABBhhggAEGGGCAAQYYENZE
372 | FWGNAWFNWLNMMcAAAwwwwAADDDDAAAMMBAPCmqgirDEgrIXjaZmyTDHAAAMMMMAAAwwwwAADDAhrooqw
373 | xoCwJqxZphhggAEGGGCAAQYYYIABBoIBYU1UEdYYENbC8bRMWaYYYIABBhhggAEGGGCAAQaENVFFWGNA
374 | WBPWLFMMMMAAAwwwwAADDDDAAAPBgLAmqghrDAhr4XhapixTDDDAAAMMMMAAAwwwwAADwpqoIqwxIKwJ
375 | a5YpBhhggAEGGGCAAQYYYICBYEBYE1WENQaEtXA8LVOWKQYYYIABBhhggAEGGGCAAWFNVBHWGBDWhDXL
376 | FAMMMMAAAwwwwAADDDDAQDAgrIkqwhoDwlo4npYpyxQDDDDAAAMMMMAAAwwwwICwJqoIawwIa8KaZYoB
377 | BhhggAEGGGCAAQYYYCAYENZEFWGNAWEtHE/LlGWKAQYYYIABBhhggAEGGGBAWBNVhDUGhDVhzTLFAAMM
378 | MMAAAwwwwAADDDAQDAhrooqwxoCwFo6nZcoyxQADDDDAAAMMMMAAAwwwIKyJKsIaA8KasGaZYoABBhhg
379 | gAEGGGCAAQYYCAaENVFFWGNAWAvH0zJlmWKAAQYYYIABBhhggAEGGBDWRBVhjQFhTVizTDHAAAMMMMAA
380 | AwwwwAADDAQDwpqoIqwxIKyF42mZskwxwAADDDDAAAMMMMAAAwwIa6KKsMaAsCasWaYYYIABBhhggAEG
381 | GGCAAQaCAWFNVBHWGBDWwvG0TFmmGGCAAQYYYIABBhhggAEGhDVRRVhjQFgT1ixTDDDAAAMMMMAAAwww
382 | wAADwYCwJqoIawwIa+F4WqYsUwwwwAADDDDAAAMMMMAAA8KaqCKsMSCsCWuWKQYYYIABBhhggAEGGGCA
383 | gWBAWBNVhDUGhLVwPC1TlikGGGCAAQYYYIABBhhggAFhTVQR1hgQ1oQ1yxQDDDDAAAMMMMAAAwwwwEAw
384 | IKyJKsIaA8JaOJ6WKcsUAwwwwAADDDDAAAMMMMCAsCaqCGsMCGvCmmWKAQYYYIABBhhggAEGGGAgGBDW
385 | RBVhjQFhLRxPy5RligEGGGCAAQYYYIABBhhgQFgTVYQ1BoQ1Yc0yxQADDDDAAAMMMMAAAwwwEAwIa6KK
386 | sMaAsBaOp2XKMsUAAwwwwAADDDDAAAMMMCCsiSrCGgPCmrBmmWKAAQYYYIABBhhggAEGGAgGhDVRRVhj
387 | QFgLx9MyZZligAEGGGCAAQYYYIABBhgQ1kQVYY0BYU1Ys0wxwAADDDDAAAMMMMAAAwwEA8KaqCKsMSCs
388 | heNpmbJMMcAAAwwwwAADDDDAAAMMCGuiirDGgLAmrFmmGGCAAQYYYIABBhhggAEGggFhTVQR1hgQ1sLx
389 | tExZphhggAEGGGCAAQYYYIABBoQ1UUVYY0BYE9YsUwwwwAADDDDAAAMMMMAAA8GAsCaqCGsMCGvheFqm
390 | LFMMMMAAAwwwwAADDDDAAAPCmqgirDEgrAlrlikGGGCAAQYYYIABBhhggIFgQFgTVYQ1BoS1cDwtU5Yp
391 | BhhggAEGGGCAAQYYYIABYU1UEdYYENaENcsUAwwwwAADDDDAAAMMMMBAMCCsiSrCGgPCWjielinLFAMM
392 | MMAAAwwwwAADDDDAgLAmqghrDAhrwppligEGGGCAAQYYYIABBhhgIBgQ1kQVYY0BYS0cT8uUZYoBBhhg
393 | gAEGGGCAAQYYYEBYE1WENQaENWHNMsUAAwwwwAADDDDAAAMMMBAMCGuiirDGgLAWjqdlyjLFAAMMMMAA
394 | AwwwwAADDDAgrIkqwhoDwpqwZpligAEGGGCAAQYYYIABBhgIBoQ1UUVYY0BYC8fTMmWZYoABBhhggAEG
395 | GGCAAQYYENZEFWGNAWFNWLNMMcAAAwwwwAADDDDAAAMMBAPCmqgirDEgrIXjaZmyTDHAAAMMMMAAAwww
396 | wAADDAhrooqwxoCwJqxZphhggAEGGGCAAQYYYIABBoIBYU1UEdYYENbC8bRMWaYYYIABBhhggAEGGGCA
397 | AQaENVFFWGNAWBPWLFMMMMAAAwwwwAADDDDAAAPBgLAmqghrDAhr4XhapixTDDDAAAMMMMAAAwwwwAAD
398 | wpqoIqwxIKwJa5YpBhhggAEGGGCAAQYYYICBYEBYE1WENQaEtXA8LVOWKQYYYIABBhhggAEGGGCAAWFN
399 | VBHWGBDWhDXLFAMMMMAAAwwwwAADDDDAQDAgrIkqwhoDwlo4npYpyxQDDDDAAAMMMMAAAwwwwICwJqoI
400 | awwIa8KaZYoBBhhggAEGGGCAAQYYYCAYENZEFWGNAWEtHE/LlGWKAQYYYIABBhhggAEGGGBAWBNVhDUG
401 | hDVhzTLFAAMMMMAAAwwwwAADDDAQDAhrooqwxoCwFo6nZcoyxQADDDDAAAMMMMAAAwwwIKyJKsIaA8Ka
402 | sGaZYoABBhhggAEGGGCAAQYYCAaENVFFWGNAWAvH0zJlmWKAAQYYYIABBhhggAEGGBDWRBVhjQFhTViz
403 | TDHAAAMMMMAAAwwwwAADDAQDwpqoIqwxIKyF42mZskwxwAADDDDAAAMMMMAAAwwIa6KKsMaAsCasWaYY
404 | YIABBhhggAEGGGCAAQaCAWFNVBHWGBDWwvG0TFmmGGCAAQYYYIABBhhggAEGhDVRRVhjQFgT1ixTDDDA
405 | AAMMMMAAAwwwwAADwYCwJqoIawwIa+F4WqYsUwwwwAADDDDAAAMMMMAAA8KaqCKsMSCsCWuWKQYYYIAB
406 | BhhggAEGGGCAgWBAWBNVhDUGhLVwPC1TlikGGGCAAQYYYIABBhhggAFhTVQR1hgQ1oQ1yxQDDDDAAAMM
407 | MMAAAwwwwEAwIKyJKsIaA8JaOJ6WKcsUAwwwwAADDDDAAAMMMMCAsCaqCGsMCGvCmmWKAQYYYIABBhhg
408 | gAEGGGAgGBDWRBVhjQFhLRxPy5RligEGGGCAAQYYYIABBhhgQFgTVYQ1BoQ1Yc0yxQADDDDAAAMMMMAA
409 | AwwwEAwIa6KKsMaAsBaOp2XKMsUAAwwwwAADDDDAAAMMMCCsiSrCGgPCmrBmmWKAAQYYYIABBhhggAEG
410 | GAgGhDVRRVhjQFgLx9MyZZligAEGGGCAAQYYYIABBhgQ1kQVYY0BYU1Ys0wxwAADDDDAAAMMMMAAAwwE
411 | A8KaqCKsMSCsheNpmbJMMcAAAwwwwAADDDDAAAMMCGuiirDGgLAmrFmmGGCAAQYYYIABBhhggAEGggFh
412 | TVQR1hgQ1sLxtExZphhggAEGGGCAAQYYYIABBoQ1UUVYY0BYE9YsUwwwwAADDDDAAAMMMMAAA8GAsCaq
413 | CGsMCGvheFqmLFMMMMAAAwwwwAADDDDAAAPCmqgirDEgrAlrlikGGGCAAQYYYIABBhhggIFgQFgTVYQ1
414 | BoS1cDwtU5YpBhhggAEGGGCAAQYYYIABYU1UEdYYENaENcsUAwwwwAADDDDAAAMMMMBAMCCsiSrCGgPC
415 | WjielinLFAMMMMAAAwwwwAADDDDAgLAmqghrDAhrwppligEGGGCAAQYYYIABBhhgIBgQ1kQVYY0BYS0c
416 | T8uUZYoBBhhggAEGGGCAAQYYYEBYE1WENQaENWHNMsUAAwwwwAADDDDAAAMMMBAMCGuiirDGgLAWjqdl
417 | yjLFAAMMMMAAAwwwwAADDDAgrIkqwhoDwpqwZpligAEGGGCAAQYYYIABBhgIBoQ1UUVYY0BYC8fTMmWZ
418 | YoABBhhggAEGGGCAAQYYENZEFWGNAWFNWLNMMcAAAwwwwAADDDDAAAMMBAPCmqgirDEgrIXjaZmyTDHA
419 | AAMMMMAAAwwwwAADDAhrooqwxoCwJqxZphhggAEGGGCAAQYYYIABBoIBYU1UEdYYENbC8bRMWaYYYIAB
420 | BhhggAEGGGCAAQaENVFFWGNAWBPWLFMMMMAAAwwwwAADDDDAAAPBgLAmqghrDAhr4XhapixTDDDAAAMM
421 | MMAAAwwwwAADwpqoIqwxIKwJa5YpBhhggAEGGGCAAQYYYICBYEBYE1WENQaEtXA8LVOWKQYYYIABBhhg
422 | gAEGGGCAAWFNVBHWGBDWhDXLFAMMMMAAAwwwwAADDDDAQDAgrIkqwhoDwlo4npYpyxQDDDDAAAMMMMAA
423 | AwwwwICwJqoIawwIa8KaZYoBBhhggAEGGGCAAQYYYCAYENZEFWGNAWEtHE/LlGWKAQYYYIABBhhggAEG
424 | GGBAWBNVhDUGhDVhzTLFAAMMMMAAAwwwwAADDDAQDAhrooqwxoCwFo6nZcoyxQADDDDAAAMMMMAAAwww
425 | IKyJKsIaA8KasGaZYoABBhhggAEGGGCAAQYYCAaENVFFWGNAWAvH0zJlmWKAAQYYYIABBhhggAEGGBDW
426 | RBVhjQFhTVizTDHAAAMMMMAAAwwwwAADDAQDwpqoIqwxIKyF42mZskwxwAADDDDAAAMMMMAAAwwIa6KK
427 | sMaAsCasWaYYYIABBhhggAEGGGCAAQaCAWFNVBHWGBDWwvG0TFmmGGCAAQYYYIABBhhggAEGhDVRRVhj
428 | QFgT1ixTDDDAAAMMMMAAAwwwwAADwYCwJqoIawwIa+F4WqYsUwwwwAADDDDAAAMMMMAAA8KaqCKsMSCs
429 | CWuWKQYYYIABBhhggAEGGGCAgWBAWBNVhDUGhLVwPC1TlikGGGCAAQYYYIABBhhggAFhTVQR1hgQ1oQ1
430 | yxQDDDDAAAMMMMAAAwwwwEAwIKyJKsIaA8JaOJ6WKcsUAwwwwAADDDDAAAMMMMCAsCaqCGsMCGvCmmWK
431 | AQYYYIABBhhggAEGGGAgGBDWRBVhjQFhLRxPy5RligEGGGCAAQYYYIABBhhgQFgTVYQ1BoQ1Yc0yxQAD
432 | DDDAAAMMMMAAAwwwEAwIa6KKsMaAsBaOp2XKMsUAAwwwwAADDDDAAAMMMCCsiSrCGgPCmrBmmWKAAQYY
433 | YIABBhhggAEGGAgGhDVRRVhjQFgLx9MyZZligAEGGGCAAQYYYIABBhgQ1kQVYY0BYU1Ys0wxwAADDDDA
434 | AAMMMMAAAwwEA8KaqCKsMSCsheNpmbJMMcAAAwwwwAADDDDAAAMMCGuiirDGgLAmrFmmGGCAAQYYYIAB
435 | BhhggAEGggFhTVQR1hgQ1sLxtExZphhggAEGGGCAAQYYYIABBoQ1UUVYY0BYE9YsUwwwwAADDDDAAAMM
436 | MMAAA8GAsCaqCGsMCGvheFqmLFMMMMAAAwwwwAADDDDAAAPCmqgirDEgrAlrlikGGGCAAQYYYIABBhhg
437 | gIFgQFgTVYQ1BoS1cDwtU5YpBhhggAEGGGCAAQYYYIABYU1UEdYYENaENcsUAwwwwAADDDDAAAMMMMBA
438 | MCCsiSrCGgPCWjielinLFAMMMMAAAwwwwAADDDDAgLAmqghrDAhrwppligEGGGCAAQYYYIABBhhgIBgQ
439 | 1kQVYY0BYS0cT8uUZYoBBhhggAEGGGCAAQYYYEBYE1WENQaENWHNMsUAAwwwwAADDDDAAAMMMBAMCGui
440 | irDGgLAWjqdlyjLFAAMMMMAAAwwwwAADDDAgrIkqwhoDwpqwZpligAEGGGCAAQYYYIABBhgIBoQ1UUVY
441 | Y0BYC8fTMmWZYoABBhhggAEGGGCAAQYYENZEFWGNAWFNWLNMMcAAAwwwwAADDDDAAAMMBAPCmqgirDEg
442 | rIXjaZmyTDHAAAMMMMAAAwwwwAADDAhrooqwxoCwJqxZphhggAEGGGCAAQYYYIABBoIBYU1UEdYYENbC
443 | 8bRMWaYYYIABBhhggAEGGGCAAQaENVFFWGNAWBPWLFMMMMAAAwwwwAADDDDAAAPBgLAmqghrDAhr4Xha
444 | pixTDDDAAAMMMMAAAwwwwAADwpqoIqwxIKwJa5YpBhhggAEGGGCAAQYYYICBYEBYE1WENQaEtXA8LVOW
445 | KQYYYIABBhhggAEGGGCAAWFNVBHWGBDWhDXLFAMMMMAAAwwwwAADDDDAQDAgrIkqwhoDwlo4npYpyxQD
446 | DDDAAAMMMMAAAwwwwICwJqoIawwIa8KaZYoBBhhggAEGGGCAAQYYYCAYENZEFWGNAWEtHE/LlGWKAQYY
447 | YIABBhhggAEGGGBAWBNVhDUGhDVhzTLFAAMMMMAAAwwwwAADDDAQDAhrooqwxoCwFo6nZcoyxQADDDDA
448 | AAMMMMAAAwwwIKyJKsIaA8KasGaZYoABBhhggAEGGGCAAQYYCAaENVFFWGNAWAvH0zJlmWKAAQYYYIAB
449 | BhhggAEGGBDWRBVhjQFhTVizTDHAAAMMMMAAAwwwwAADDAQDwpqoIqwxIKyF42mZskwxwAADDDDAAAMM
450 | MMAAAwwIa6KKsMaAsCasWaYYYIABBhhggAEGGGCAAQaCAWFNVBHWGBDWwvG0TFmmGGCAAQYYYIABBhhg
451 | gAEGhDVRRVhjQFgT1ixTDDDAAAMMMMAAAwwwwAADwYCwJqoIawwIa+F4WqYsUwwwwAADDDDAAAMMMMAA
452 | A8KaqCKsMSCsCWuWKQYYYIABBhhggAEGGGCAgWBAWBNVhDUGhLVwPC1TlikGGGCAAQYYYIABBhhggAFh
453 | TVQR1hgQ1oQ1yxQDDDDAAAMMMMAAAwwwwEAwIKyJKsIaA8JaOJ6WKcsUAwwwwAADDDDAAAMMMMCAsCaq
454 | CGsMCGvCmmWKAQYYYIABBhhggAEGGGAgGBDWRBVhjQFhLRxPy5RligEGGGCAAQYYYIABBhhgQFgTVYQ1
455 | BoQ1Yc0yxQADDDDAAAMMMMAAAwwwEAwIa6KKsMaAsBaOp2XKMsUAAwwwwAADDDDAAAMMMCCsiSrCGgPC
456 | mrBmmWKAAQYYYIABBhhggAEGGAgGhDVRRVhjQFgLx9MyZZligAEGGGCAAQYYYIABBhgQ1kQVYY0BYU1Y
457 | s0wxwAADDDDAAAMMMMAAAwwEA8KaqCKsMSCsheNpmbJMMcAAAwwwwAADDDDAAAMMCGuiirDGgLAmrFmm
458 | GGCAAQYYYIABBhhggAEGggFhTVQR1hgQ1sLxtExZphhggAEGGGCAAQYYYIABBoQ1UUVYY0BYE9YsUwww
459 | wAADDDDAAAMMMMAAA8GAsCaqCGsMCGvheFqmLFMMMMAAAwwwwAADDDDAAAPCmqgirDEgrAlrlikGGGCA
460 | AQYYYIABBhhggIFgQFgTVYQ1BoS1cDwtU5YpBhhggAEGGGCAAQYYYIABYU1UEdYYENaENcsUAwwwwAAD
461 | DDDAAAMMMMBAMCCsiSrCGgPCWjielinLFAMMMMAAAwwwwAADDDDAgLAmqghrDAhrwppligEGGGCAAQYY
462 | YIABBhhgIBgQ1kQVYY0BYS0cT8uUZYoBBhhggAEGGGCAAQYYYEBYE1WENQaENWHNMsUAAwwwwAADDDDA
463 | AAMMMBAMCGuiirDGgLAWjqdlyjLFAAMMMMAAAwwwwAADDDAgrIkqwhoDwpqwZpligAEGGGCAAQYYYIAB
464 | BhgIBoQ1UUVYY0BYC8fTMmWZYoABBhhggAEGGGCAAQYYENZEFWGNAWFNWLNMMcAAAwwwwAADDDDAAAMM
465 | BAPCmqgirDEgrIXjaZmyTDHAAAMMMMAAAwwwwAADDAhrooqwxoCwJqxZphhggAEGGGCAAQYYYIABBoIB
466 | YU1UEdYYENbC8bRMWaYYYIABBhhggAEGGGCAAQaENVFFWGNAWBPWLFMMMMAAAwwwwAADDDDAAAPBgLAm
467 | qghrDAhr4XhapixTDDDAAAMMMMAAAwwwwAADwpqoIqwxIKwJa5YpBhhggAEGGGCAAQYYYICBYEBYE1WE
468 | NQaEtXA8LVOWKQYYYIABBhhggAEGGGCAAWFNVBHWGBDWhDXLFAMMMMAAAwwwwAADDDDAQDAgrIkqwhoD
469 | wlo4npYpyxQDDDDAAAMMMMAAAwwwwICwJqoIawwIa8KaZYoBBhhggAEGGGCAAQYYYCAYENZEFWGNAWEt
470 | HE/LlGWKAQYYYIABBhhggAEGGGBAWBNVhDUGhDVhzTLFAAMMMMAAAwwwwAADDDAQDAhrooqwxoCwFo6n
471 | ZcoyxQADDDDAAAMMMMAAAwwwIKyJKsIaA8KasGaZYoABBhhggAEGGGCAAQYYCAaENVFFWGNAWAvH0zJl
472 | mWKAAQYYYIABBhhggAEGGBDWRBVhjQFhTVizTDHAAAMMMMAAAwwwwAADDAQDwpqoIqwxIKyF42mZskwx
473 | wAADDDDAAAMMMMAAAwwIa6KKsMaAsCasWaYYYIABBhhggAEGGGCAAQaCAWFNVBHWGBDWwvG0TFmmGGCA
474 | AQYYYIABBhhggAEGhDVRRVhjQFgT1ixTDDDAAAMMMMAAAwwwwAADwYCwJqoIawwIa+F4WqYsUwwwwAAD
475 | DDDAAAMMMMAAA8KaqCKsMSCsCWuWKQYYYIABBhhggAEGGGCAgWBAWBNVhDUGhLVwPC1TlikGGGCAAQYY
476 | YIABBhhggAFhTVQR1hgQ1oQ1yxQDDDDAAAMMMMAAAwwwwEAwIKyJKsIaA8JaOJ6WKcsUAwwwwAADDDDA
477 | AAMMMMCAsCaqCGsMCGvCmmWKAQYYYIABBhhggAEGGGAgGBDWRBVhjQFhLRxPy5RligEGGGCAAQYYYIAB
478 | BhhgQFgTVYQ1BoQ1Yc0yxQADDDDAAAMMMMAAAwwwEAwIa6KKsMaAsBaOp2XKMsUAAwwwwAADDDDAAAMM
479 | MCCsiSrCGgPCmrBmmWKAAQYYYIABBhhggAEGGAgGhDVRRVhjQFgLx9MyZZligAEGGGCAAQYYYIABBhgQ
480 | 1kQVYY0BYU1Ys0wxwAADDDDAAAMMMMAAAwwEA8KaqCKsMSCsheNpmbJMMcAAAwwwwAADDDDAAAMMCGui
481 | irDGgLAmrFmmGGCAAQYYYIABBhhggAEGggFhTVQR1hgQ1sLxtExZphhggAEGGGCAAQYYYIABBoQ1UUVY
482 | Y0BYE9YsUwwwwAADDDDAAAMMMMAAA8GAsCaqCGsMCGvheFqmLFMMMMAAAwwwwAADDDDAAAPCmqgirDEg
483 | rAlrlikGGGCAAQYYYIABBhhggIFgQFgTVYQ1BoS1cDwtU5YpBhhggAEGGGCAAQYYYIABYU1UEdYYENaE
484 | NcsUAwwwwAADDDDAAAMMMMBAMCCsiSrCGgPCWjielinLFAMMMMAAAwwwwAADDDDAgLAmqghrDAhrwppl
485 | igEGGGCAAQYYYIABBhhgIBgQ1kQVYY0BYS0cT8uUZYoBBhhggAEGGGCAAQYYYEBYE1WENQaENWHNMsUA
486 | AwwwwAADDDDAAAMMMBAMCGuiirDGgLAWjqdlyjLFAAMMMMAAAwwwwAADDDAgrIkqwhoDwpqwZpligAEG
487 | GGCAAQYYYIABBhgIBoQ1UUVYY0BYC8fTMmWZYoABBhhggAEGGGCAAQYYENZEFWGNAWFNWLNMMcAAAwww
488 | wAADDDDAAAMMBAPCmqgirDEgrIXjaZmyTDHAAAMMMMAAAwwwwAADDAhrooqwxoCwJqxZphhggAEGGGCA
489 | AQYYYIABBoIBYU1UEdYYENbC8bRMWaYYYIABBhhggAEGGGCAAQaENVFFWGNAWBPWLFMMMMAAAwwwwAAD
490 | DDDAAAPBgLAmqghrDAhr4XhapixTDDDAAAMMMMAAAwwwwAADwpqoIqwxIKwJa5YpBhhggAEGGGCAAQYY
491 | YICBYEBYE1WENQaEtXA8LVOWKQYYYIABBhhggAEGGGCAAWFNVBHWGBDWhDXLFAMMMMAAAwwwwAADDDDA
492 | QDAgrIkqwhoDwlo4npYpyxQDDDDAAAMMMMAAAwwwwICwJqoIawwIa8KaZYoBBhhggAEGGGCAAQYYYCAY
493 | ENZEFWGNAWEtHE/LlGWKAQYYYIABBhhggAEGGGBAWBNVhDUGhDVhzTLFAAMMMMAAAwwwwAADDDAQDAhr
494 | ooqwxoCwFo6nZcoyxQADDDDAAAMMMMAAAwwwIKyJKsIaA8KasGaZYoABBhhggAEGGGCAAQYYCAaENVFF
495 | WGNAWAvH0zJlmWKAAQYYYIABBhhggAEGGBDWRBVhjQFhTVizTDHAAAMMMMAAAwwwwAADDAQDwpqoIqwx
496 | IKyF42mZskwxwAADDDDAAAMMMMAAAwwIa6KKsMaAsCasWaYYYIABBhhggAEGGGCAAQaCAWFNVBHWGBDW
497 | wvG0TFmmGGCAAQYYYIABBhhggAEGhDVRRVhjQFgT1ixTDDDAAAMMMMAAAwwwwAADwYCwJqoIawwIa+F4
498 | WqYsUwwwwAADDDDAAAMMMMAAA8KaqCKsMSCsCWuWKQYYYIABBhhggAEGGGCAgWBAWBNVhDUGhLVwPC1T
499 | likGGGCAAQYYYIABBhhggAFhTVQR1hgQ1oQ1yxQDDDDAAAMMMMAAAwwwwEAwIKyJKsIaA8JaOJ6WKcsU
500 | AwwwwAADDDDAAAMMMMCAsCaqCGsMCGvCmmWKAQYYYIABBhhggAEGGGAgGBDWRBVhjQFhLRxPy5RligEG
501 | GGCAAQYYYIABBhhgQFgTVYQ1BoQ1Yc0yxQADDDDAAAMMMMAAAwwwEAwIa6KKsMaAsBaOp2XKMsUAAwww
502 | wAADDDDAAAMMMCCsiSrCGgPCmrBmmWKAAQYYYIABBhhggAEGGAgGhDVRRVhjQFgLx9MyZZligAEGGGCA
503 | AQYYYIABBhgQ1kQVYY0BYU1Ys0wxwAADDDDAAAMMMMAAAwwEA8KaqCKsMSCsheNpmbJMMcAAAwwwwAAD
504 | DDDAAAMMCGuiirDGgLAmrFmmGGCAAQYYYIABBhhggAEGggFhTVQR1hgQ1sLxtExZphhggAEGGGCAAQYY
505 | YIABBoQ1UUVYY0BYE9YsUwwwwAADDDDAAAMMMMAAA8GAsCaqCGsMCGvheFqmLFMMMMAAAwwwwAADDDDA
506 | AAPCmqgirDEgrAlrlikGGGCAAQYYYIABBhhggIFgQFgTVYQ1BoS1cDwtU5YpBhhggAEGGGCAAQYYYIAB
507 | YU1UEdYYENaENcsUAwwwwAADDDDAAAMMMMBAMCCsiSrCGgPCWjielinLFAMMMMAAAwwwwAADDDDAgLAm
508 | qghrDAhrwppligEGGGCAAQYYYIABBhhgIBgQ1kQVYY0BYS0cT8uUZYoBBhhggAEGGGCAAQYYYEBYE1WE
509 | NQaENWHNMsUAAwwwwAADDDDAAAMMMBAMCGuiirDGgLAWjqdlyjLFAAMMMMAAAwwwwAADDDAgrIkqwhoD
510 | wpqwZpligAEGGGCAAQYYYIABBhgIBoQ1UUVYY0BYC8fTMmWZYoABBhhggAEGGGCAAQYYENZEFWGNAWFN
511 | WLNMMcAAAwwwwAADDDDAAAMMBAPCmqgirDEgrIXjaZmyTDHAAAMMMMAAAwwwwAADDAhrooqwxoCwJqxZ
512 | phhggAEGGGCAAQYYYIABBoIBYU1UEdYYENbC8bRMWaYYYIABBhhggAEGGGCAAQaENVFFWGNAWBPWLFMM
513 | MMAAAwwwwAADDDDAAAPBgLAmqghrDAhr4XhapixTDDDAAAMMMMAAAwwwwAADwpqoIqwxIKwJa5YpBhhg
514 | gAEGGGCAAQYYYICBYEBYE1WENQaEtXA8LVOWKQYYYIABBhhggAEGGGCAAWFNVBHWGBDWhDXLFAMMMMAA
515 | AwwwwAADDDDAQDAgrIkqwhoDwlo4npYpyxQDDDDAAAMMMMAAAwwwwICwJqoIawwIa8KaZYoBBhhggAEG
516 | GGCAAQYYYCAYENZEFWGNAWEtHE/LlGWKAQYYYIABBhhggAEGGGBAWBNVhDUGhDVhzTLFAAMMMMAAAwww
517 | wAADDDAQDAhrooqwxoCwFo6nZcoyxQADDDDAAAMMMMAAAwwwIKyJKsIaA8KasGaZYoABBhhggAEGGGCA
518 | AQYYCAaENVFFWGNAWAvH0zJlmWKAAQYYYIABBhhggAEGGBDWRBVhjQFhTVizTDHAAAMMMMAAAwwwwAAD
519 | DAQDwpqoIqwxIKyF42mZskwxwAADDDDAAAMMMMAAAwwIa6KKsMaAsCasWaYYYIABBhhggAEGGGCAAQaC
520 | AWFNVBHWGBDWwvG0TFmmGGCAAQYYYIABBhhggAEGhDVRRVhjQFgT1ixTDDDAAAMMMMAAAwwwwAADwYCw
521 | JqoIawwIa+F4WqYsUwwwwAADDDDAAAMMMMAAA8KaqCKsMSCsCWuWKQYYYIABBhhggAEGGGCAgWBAWBNV
522 | hDUGhLVwPC1TlikGGGCAAQYYYIABBhhggAFhTVQR1hgQ1oQ1yxQDDDDAAAMMMMAAAwwwwEAwIKyJKsIa
523 | A8JaOJ6WKcsUAwwwwAADDDDAAAMMMMCAsCaqCGsMCGvCmmWKAQYYYIABBhhggAEGGGAgGBDWRBVhjQFh
524 | LRxPy5RligEGGGCAAQYYYIABBhhgQFgTVYQ1BoQ1Yc0yxQADDDDAAAMMMMAAAwwwEAwIa6KKsMaAsBaO
525 | p2XKMsUAAwwwwAADDDDAAAMMMCCsiSrCGgPCmrBmmWKAAQYYYIABBhhggAEGGAgGhDVRRVhjQFgLx9My
526 | ZZligAEGGGCAAQYYYIABBhgQ1kQVYY0BYU1Ys0wxwAADDDDAAAMMMMAAAwwEA8KaqCKsMfBUWPv51/0r
527 | Pz3cbz6eAQMMMMAAAwwwwAADDDDAAAPHDTx+8P75719sD3w8AwbWNbD/5KU7f3/w4nbsc7jzwnPbtu12
528 | 13/4eAYMMMAAAwwwwAADDDDAAAMMMMAAAwzMDIhqwiIDDDDAAAMMMMAAAwwwwAADDDDAAAPBwD+Dgwsx
529 | Ak49SQAAAABJRU5ErkJggg==
530 |
531 |
532 |
533 |
534 | AAABAAEAEBAAAAEACABoBQAAFgAAACgAAAAQAAAAIAAAAAEACAAAAAAAQAUAAAAAAAAAAAAAAAEAAAAB
535 | AADs7OwAi4uLAHx8fABeXl4Aa2trAP///wC3t7cAdnZ2ANjY2ABcXFwAd3d3ANPT0wCQkJAAREVFAD09
536 | PQCfn58Az8/PAGFhYQBISEgALS0tACYmJgA0NDQAcnJyAB8eHwAfHx8AJycnAF1dXQBAQEAAZmdnAGdn
537 | ZgB6enoALCwtAHBwcAA4OTgAHh4fABcXFwAXFxYAbm5uAM7OzgA+Pj4A5+fnAFpaWgBvb28ADw8PABMT
538 | EwAvLy8AISEhADk5OQAdHR0AbW1tAAcHBwAMDQwAIiIhABwcHAAREREAbGxsAAEBAQACAQIAUVFRAAIC
539 | AgAiIiIAnZ2dAGprawAAAAAAxcXFAOLi4gCoqKgAh4eHAJ6engAODg4AhISEAFZWVgCBgYEAEBAQACAg
540 | IAC1tbUAMDAwAPr6+gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
541 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
542 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
543 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
544 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
545 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
546 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
547 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
548 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
549 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
550 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
551 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
552 | AAAAAAAAAAECAwQEBAQEBAQEBAQBAAUFBgcIBQUFBQUFBQUFBQUFBQYJCgsFBQUFBQUFBQUFBQgMDQ4K
553 | Dw8PDw8PDw8IBRAREhMUFRISEhISEhISERAWFxgXGRobHB0bHh8gISIWICMkJBMGJSYmJQUnKCkjICor
554 | KyssLS4VFS4nIy8wKyoxMjIyMy4uNDIyMjU0LjYxNzg4OToGBgYTOzw9BgY+Cjc/Pz8PQCVBNz86KCVC
555 | BkM3Pz8/D0RFJjc/OihFJQZDNz8/P0YoKChHPxsmKCg9SDc/Pz9JOjo6Pz8/Gzo6SjdLTD8/Pz8/Pz8/
556 | Pz8/P0xLTUs3Nzc3Nzc3Nzc3NzdLTQAA//8AAP//AAD//wAA//8AAP//AAD//wAA//8AAP//AAD//wAA
557 | //8AAP//AAD//wAA//8AAP//AAD//wAA//8=
558 |
559 |
560 |
--------------------------------------------------------------------------------
/gui-src/wsd-gui/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Windows.Forms;
5 |
namespace wsd_gui
{
    internal static class Program
    {
        /// <summary>
        /// Entry point of the GUI: enables visual styles, selects the default
        /// text rendering mode and then runs the message loop on Form1.
        /// </summary>
        [STAThread]
        private static void Main()
        {
            Application.EnableVisualStyles();
            Application.SetCompatibleTextRenderingDefault(false);

            // The form is created only after the two application-wide
            // settings above have been applied.
            var mainForm = new Form1();
            Application.Run(mainForm);
        }
    }
}
22 |
--------------------------------------------------------------------------------
/gui-src/wsd-gui/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("CSCI321 - Webshell Detector")]
9 | [assembly: AssemblyDescription("Program that scans web directories for malicious and dangerous content.")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("Double Trouble")]
12 | [assembly: AssemblyProduct("wsd-gui")]
13 | [assembly: AssemblyCopyright("Copyright © 2012")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("ad2b4f29-92fb-4f27-97dd-6bb8395a4908")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.20")]
36 | [assembly: AssemblyFileVersion("1.0.0.20")]
37 |
--------------------------------------------------------------------------------
/gui-src/wsd-gui/Properties/Resources.Designer.cs:
--------------------------------------------------------------------------------
1 | //------------------------------------------------------------------------------
2 | //
3 | // This code was generated by a tool.
4 | // Runtime Version:4.0.30319.1
5 | //
6 | // Changes to this file may cause incorrect behavior and will be lost if
7 | // the code is regenerated.
8 | //
9 | //------------------------------------------------------------------------------
10 |
namespace wsd_gui.Properties
{
    /// <summary>
    /// Strongly-typed resource class used to look up localized strings, etc.
    /// </summary>
    // Generated by StronglyTypedResourceBuilder (ResGen / Visual Studio).
    // To add or remove a member, edit the .ResX file and rerun ResGen with
    // the /str option, or rebuild the VS project; manual edits are lost when
    // the file is regenerated.
    [global::System.CodeDom.Compiler.GeneratedCodeAttribute("System.Resources.Tools.StronglyTypedResourceBuilder", "4.0.0.0")]
    [global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
    [global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()]
    internal class Resources
    {
        // Lazily created by the ResourceManager getter.
        private static global::System.Resources.ResourceManager resourceMan;

        // Culture override applied to lookups; null until Culture is set.
        private static global::System.Globalization.CultureInfo resourceCulture;

        [global::System.Diagnostics.CodeAnalysis.SuppressMessageAttribute("Microsoft.Performance", "CA1811:AvoidUncalledPrivateCode")]
        internal Resources()
        {
        }

        /// <summary>
        /// Returns the cached ResourceManager instance used by this class,
        /// creating it on first access.
        /// </summary>
        [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
        internal static global::System.Resources.ResourceManager ResourceManager
        {
            get
            {
                if (resourceMan != null)
                {
                    return resourceMan;
                }

                resourceMan = new global::System.Resources.ResourceManager("wsd_gui.Properties.Resources", typeof(Resources).Assembly);
                return resourceMan;
            }
        }

        /// <summary>
        /// Gets or sets the culture that overrides the current thread's
        /// CurrentUICulture for all lookups through this class.
        /// </summary>
        [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
        internal static global::System.Globalization.CultureInfo Culture
        {
            get { return resourceCulture; }
            set { resourceCulture = value; }
        }
    }
}
72 |
--------------------------------------------------------------------------------
/gui-src/wsd-gui/Properties/Resources.resx:
--------------------------------------------------------------------------------
1 |
2 |
3 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 |
76 |
77 |
78 |
79 |
80 |
81 |
82 |
83 |
84 |
85 |
86 |
87 |
88 |
89 |
90 |
91 |
92 |
93 |
94 |
95 |
96 |
97 |
98 |
99 |
100 |
101 |
102 |
103 |
104 |
105 |
106 | text/microsoft-resx
107 |
108 |
109 | 2.0
110 |
111 |
112 | System.Resources.ResXResourceReader, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
113 |
114 |
115 | System.Resources.ResXResourceWriter, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
116 |
117 |
--------------------------------------------------------------------------------
/gui-src/wsd-gui/Properties/Settings.Designer.cs:
--------------------------------------------------------------------------------
1 | //------------------------------------------------------------------------------
2 | //
3 | // This code was generated by a tool.
4 | // Runtime Version:4.0.30319.1
5 | //
6 | // Changes to this file may cause incorrect behavior and will be lost if
7 | // the code is regenerated.
8 | //
9 | //------------------------------------------------------------------------------
10 |
namespace wsd_gui.Properties
{
    // Generated by the Visual Studio settings designer; manual edits are lost
    // when the file is regenerated.
    [global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()]
    [global::System.CodeDom.Compiler.GeneratedCodeAttribute("Microsoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator", "10.0.0.0")]
    internal sealed partial class Settings : global::System.Configuration.ApplicationSettingsBase
    {
        // Single shared instance, wrapped by ApplicationSettingsBase.Synchronized.
        private static Settings defaultInstance =
            (Settings)global::System.Configuration.ApplicationSettingsBase.Synchronized(new Settings());

        /// <summary>
        /// Returns the shared, synchronized Settings instance.
        /// </summary>
        public static Settings Default
        {
            get { return defaultInstance; }
        }
    }
}
31 |
--------------------------------------------------------------------------------
/gui-src/wsd-gui/Properties/Settings.settings:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
--------------------------------------------------------------------------------
/gui-src/wsd-gui/SysReqMet.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cygonz0/orion-webshell-detector/3133719f4b6d23a5768b267010c82e4a7e4d1c52/gui-src/wsd-gui/SysReqMet.ico
--------------------------------------------------------------------------------
/gui-src/wsd-gui/orionicon.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cygonz0/orion-webshell-detector/3133719f4b6d23a5768b267010c82e4a7e4d1c52/gui-src/wsd-gui/orionicon.ico
--------------------------------------------------------------------------------
/gui-src/wsd-gui/wsd-gui.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | Debug
5 | x86
6 | 8.0.30703
7 | 2.0
8 | {CCA7A030-5016-45C2-9C2A-BB3D35F9FB27}
9 | WinExe
10 | Properties
11 | wsd_gui
12 | wsd-gui
13 | v4.0
14 | Client
15 | 512
16 | publish\
17 | true
18 | Disk
19 | false
20 | Foreground
21 | 7
22 | Days
23 | false
24 | false
25 | true
26 | 0
27 | 1.0.0.%2a
28 | false
29 | false
30 | true
31 |
32 |
33 | x86
34 | true
35 | full
36 | false
37 | bin\Debug\
38 | DEBUG;TRACE
39 | prompt
40 | 4
41 |
42 |
43 | x86
44 | pdbonly
45 | true
46 | bin\Release\
47 | TRACE
48 | prompt
49 | 4
50 |
51 |
52 | orionicon.ico
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 | Form
70 |
71 |
72 | Form1.cs
73 |
74 |
75 |
76 |
77 | Form1.cs
78 |
79 |
80 | ResXFileCodeGenerator
81 | Resources.Designer.cs
82 | Designer
83 |
84 |
85 | True
86 | Resources.resx
87 |
88 |
89 | SettingsSingleFileGenerator
90 | Settings.Designer.cs
91 |
92 |
93 | True
94 | Settings.settings
95 | True
96 |
97 |
98 |
99 |
100 |
101 |
102 |
103 |
104 | False
105 | Microsoft .NET Framework 4 Client Profile %28x86 and x64%29
106 | true
107 |
108 |
109 | False
110 | .NET Framework 3.5 SP1 Client Profile
111 | false
112 |
113 |
114 | False
115 | .NET Framework 3.5 SP1
116 | false
117 |
118 |
119 | False
120 | Windows Installer 3.1
121 | true
122 |
123 |
124 |
125 |
132 |
--------------------------------------------------------------------------------
/src/base64.cpp:
--------------------------------------------------------------------------------
1 | //orion-webshell-detector by v00d0089 & gaber52
2 | //File: base64.cpp
3 | //Base 64 encoding and decoding methods
4 | //Obtained from www.adp-gmbh.ch/cpp/common/base64.html
5 |
6 | #include "header.h"
7 |
// The 64-character standard Base64 alphabet; a character's position in this
// string is its 6-bit value.
static const std::string base64_chars(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789+/");
12 |
13 |
// Returns true when c is an alphanumeric character, '+' or '/'.
// The padding character '=' is not accepted here.
// NOTE(review): isalnum() follows the current C locale, so outside the
// default locale it may accept bytes that are not in the Base64 alphabet.
static inline bool is_base64(unsigned char c) {
    if (c == '+' || c == '/')
        return true;
    return isalnum(c) != 0;
}
17 |
// Encodes in_len bytes starting at bytes_to_encode as Base64 text.
//
// Input is consumed three bytes at a time; each full group yields four
// alphabet characters. A trailing group of one or two bytes is zero-filled,
// encoded, and completed with '=' so the output length stays a multiple of
// four. An in_len of 0 returns an empty string without reading the pointer.
std::string base64_encode(unsigned char const* bytes_to_encode, unsigned int in_len) {
    std::string encoded;
    unsigned char triple[3];
    unsigned char sextets[4];
    int filled = 0;

    for (unsigned int pos = 0; pos < in_len; ++pos) {
        triple[filled++] = bytes_to_encode[pos];
        if (filled < 3)
            continue;

        // Split 3 x 8 bits into 4 x 6 bits.
        sextets[0] = (triple[0] & 0xfc) >> 2;
        sextets[1] = ((triple[0] & 0x03) << 4) | ((triple[1] & 0xf0) >> 4);
        sextets[2] = ((triple[1] & 0x0f) << 2) | ((triple[2] & 0xc0) >> 6);
        sextets[3] = triple[2] & 0x3f;

        for (int k = 0; k < 4; ++k)
            encoded.push_back(base64_chars[sextets[k]]);
        filled = 0;
    }

    if (filled != 0) {
        // Zero-fill the bytes that are missing from the last group.
        for (int k = filled; k < 3; ++k)
            triple[k] = '\0';

        sextets[0] = (triple[0] & 0xfc) >> 2;
        sextets[1] = ((triple[0] & 0x03) << 4) | ((triple[1] & 0xf0) >> 4);
        sextets[2] = ((triple[1] & 0x0f) << 2) | ((triple[2] & 0xc0) >> 6);
        sextets[3] = triple[2] & 0x3f;

        // Only filled + 1 characters carry data; the rest is padding.
        for (int k = 0; k <= filled; ++k)
            encoded.push_back(base64_chars[sextets[k]]);
        for (int pad = filled; pad < 3; ++pad)
            encoded.push_back('=');
    }

    return encoded;
}
60 |
// Decodes Base64 text and returns the decoded bytes as a std::string.
//
// Decoding stops at the first '=' or at the first character rejected by
// is_base64(); whatever follows is ignored and no error is reported.
// NOTE(review): because of that, input that contains whitespace or line
// breaks inside the encoded data is decoded only up to the first such
// character. A caller that inspects the decoded content should strip those
// characters first - confirm against the call sites.
std::string base64_decode(std::string const& encoded_string) {
    int remaining = encoded_string.size();
    int pos = 0;
    int filled = 0;
    unsigned char quad[4], triple[3];
    std::string decoded;

    for (; remaining != 0; --remaining) {
        const char ch = encoded_string[pos];
        if (ch == '=' || !is_base64(ch))
            break;

        quad[filled++] = ch;
        ++pos;
        if (filled != 4)
            continue;

        // Replace each character by its 6-bit value (index in the alphabet).
        for (int k = 0; k < 4; ++k)
            quad[k] = base64_chars.find(quad[k]);

        triple[0] = (quad[0] << 2) + ((quad[1] & 0x30) >> 4);
        triple[1] = ((quad[1] & 0xf) << 4) + ((quad[2] & 0x3c) >> 2);
        triple[2] = ((quad[2] & 0x3) << 6) + quad[3];

        for (int k = 0; k < 3; ++k)
            decoded += triple[k];
        filled = 0;
    }

    if (filled != 0) {
        // Incomplete final group: clear the unused slots, then map all four
        // slots through the alphabet exactly as for a full group.
        for (int k = filled; k < 4; ++k)
            quad[k] = 0;
        for (int k = 0; k < 4; ++k)
            quad[k] = base64_chars.find(quad[k]);

        triple[0] = (quad[0] << 2) + ((quad[1] & 0x30) >> 4);
        triple[1] = ((quad[1] & 0xf) << 4) + ((quad[2] & 0x3c) >> 2);
        triple[2] = ((quad[2] & 0x3) << 6) + quad[3];

        // A group of n characters carries n - 1 complete bytes.
        for (int k = 0; k < filled - 1; ++k)
            decoded += triple[k];
    }

    return decoded;
}
101 |
102 |
--------------------------------------------------------------------------------
/src/dangerFunction:
--------------------------------------------------------------------------------
1 | 1
2 | base64_decode
3 | exec
4 | passthru
5 | system
6 | shell_exec
7 | popen
8 | proc_open
9 | pcntl_exec
10 | 2
11 | eval
12 | assert
13 | create_function
14 | include
15 | include_once
16 | require
17 | require_once
18 | ReflectionFunction
19 | 3
20 | ob_start
21 | array_diff_uassoc
22 | array_diff_ukey
23 | array_filter
24 | array_intersect_uassoc
25 | array_intersect_ukey
26 | array_map
27 | array_reduce
28 | array_udiff_assoc
29 | array_udiff_uassoc
30 | array_udiff
31 | array_uintersect_assoc
32 | array_uintersect_uassoc
33 | array_uintersect
34 | array_walk_recursive
35 | array_walk
36 | assert_options
37 | uasort
38 | uksort
39 | usort
40 | preg_replace_callback
41 | spl_autoload_register
42 | iterator_apply
43 | call_user_func
44 | call_user_func_array
45 | register_shutdown_function
46 | register_tick_function
47 | set_error_handler
48 | set_exception_handler
49 | session_set_save_handler
50 | sqlite_create_aggregate
51 | sqlite_create_function
52 | 4
53 | phpinfo
54 | posix_mkfifo
55 | posix_getlogin
56 | posix_ttyname
57 | getenv
58 | get_current_user
59 | proc_get_status
60 | get_cfg_var
61 | disk_free_space
62 | disk_total_space
63 | diskfreespace
64 | getcwd
65 | getlastmo
66 | getmygid
67 | getmyinode
68 | getmypid
69 | getmyuid
70 | 5
71 | extract
72 | parse_str
73 | putenv
74 | ini_set
75 | mail
76 | header
77 | proc_nice
78 | proc_terminate
79 | proc_close
80 | pfsockopen
81 | fsockopen
82 | apache_child_terminate
83 | posix_kill
84 | posix_mkfifo
85 | posix_setpgid
86 | posix_setsid
87 | posix_setuid
88 | 6
89 | fopen
90 | bzopen
91 | gzopen
92 | SplFileObject->__construct
93 | chgrp
94 | chmod
95 | chown
96 | copy
97 | file_put_contents
98 | lchgrp
99 | lchown
100 | link
101 | mkdir
102 | move_uploaded_file
103 | rename
104 | rmdir
105 | symlink
106 | tempnam
107 | touch
108 | unlink
109 | imagepng
110 | imagewbmp
111 | image2wbmp
112 | imagejpeg
113 | imagexbm
114 | imagegif
115 | imagegd
116 | imagegd2
117 | iptcembed
118 | ftp_get
119 | ftp_nb_get
120 | file_get_contents
121 | file_exist
122 | file
123 | fileatime
124 | filectime
125 | filegroup
126 | fileinode
127 | filemtime
128 | fileowner
129 | fileperms
130 | filesize
131 | filetype
132 | glob
133 | linkinfo
134 | lstat
135 | parse_ini_file
136 | pathinfo
137 | readfile
138 | readlink
139 | realpath
140 | stat
141 | gzfile
142 | readgzfile
143 | ftp_put
144 | ftp_nb_put
145 | exif_read_data
146 | read_exif_data
147 | exif_thumbnail
148 | exif_imagetype
149 | hash_file
150 | hash_hmac_file
151 | hash_update_file
152 | md5_file
153 | sha1_file
154 | highlight_file
155 | show_source
156 | php_strip_whitespace
157 | get_meta_tags
158 | 7
159 | end function
160 | end sub
161 | function
162 | sub
163 | request.cookies
164 | request.form
165 | request.querystring
166 | b.score);
8 | }
9 |
10 | //Default constructor and destructor
// Assigns no members. In the code visible here, logfolder, shellFolder and
// summaryfolder are set only by FileReader(string).
FileReader::FileReader() {
}
12 |
// Nothing to release explicitly.
FileReader::~FileReader() {
}
14 |
15 | //User-defined Constructor
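// Builds a reader for the tree rooted at startdir.
//
// Steps, in order:
//   1. derive the three output folders (logs, signatureLogs, Summary)
//      directly under startdir;
//   2. load the keyword lists from the file "dangerFunction";
//   3. load the web shell signatures from "md5-signatures-w-names";
//   4. create the three output folders.
// If either input file cannot be opened, a message is printed and the
// process exits.
//
// NOTE(review): both input files are opened by relative name, so they are
// resolved against the current working directory. Whoever can write to that
// directory decides what the scanner looks for; run it from a trusted
// directory or resolve the files against the install location.
FileReader::FileReader(string startdir) {
    ifstream dangerInput, signatureInput;
    string line;
    int type = 1;
    this->startdir = startdir;

    // Output folder names; only the path separator differs per platform.
#ifdef _WIN32
    const string sep = "\\";
#else
    const string sep = "/";
#endif
    this->logfolder = this->startdir + sep + "logs";
    this->shellFolder = this->startdir + sep + "signatureLogs";
    this->summaryfolder = this->startdir + sep + "Summary";

    // Keyword lists. Every line is stored, including the numeric marker
    // lines: a line "7" switches to the ASP list and a line "11" to the JSP
    // list, and the marker itself goes into the list it introduces.
    dangerInput.open("dangerFunction");
    if (!dangerInput) {
        cout << "ERROR OPENING DANGER FUNCTION FILE. EXITING" << endl;
        // NOTE(review): exit status 0 reports success to the caller even
        // though the scan never ran; kept to preserve existing behaviour.
        exit(0);
    }
    while (getline(dangerInput, line)) {
        if (line == "7")
            type = 2;
        if (line == "11")
            type = 3;
        switch (type) {
            case 1:
                dangerFunction.push_back(line);
                break;
            case 2:
                aspFunction.push_back(line);
                break;
            case 3:
                jspFunction.push_back(line);
                break;
            default:
                break;
        }
    }
    dangerInput.close();

    // Web shell signatures, one entry per line.
    signatureInput.open("md5-signatures-w-names");
    if (!signatureInput) {
        cout << "ERROR OPENING SIGNATURE FILE. EXITING" << endl;
        exit(0);  // see the note on the exit status above
    }
    while (getline(signatureInput, line)) {
        signatures.push_back(line);
    }
    signatureInput.close();

    // Create the output folders. The return values are not checked, so an
    // already existing folder is reused with whatever mode it has.
#ifdef _WIN32
    _mkdir(logfolder.c_str());
    _mkdir(shellFolder.c_str());
    _mkdir(summaryfolder.c_str());
#else
    // 0750 instead of 0777: the folders live inside the scanned tree and
    // hold the scan results, so they should be neither world-writable nor
    // world-readable.
    mkdir(logfolder.c_str(), 0750);
    mkdir(shellFolder.c_str(), 0750);
    mkdir(summaryfolder.c_str(), 0750);
#endif
}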
85 |
86 | //accessor and mutator functions
// Returns a copy of the scan root directory (startdir).
string FileReader::getDir() {
    return this->startdir;
}
90 |
// Returns a copy of filepath, the path most recently stored by
// setFilePath() or by a directory walk.
string FileReader::getFilePath() {
    return this->filepath;
}
94 |
// Replaces the scan root directory. Only startdir changes: the output folder
// paths computed by FileReader(string) are not recomputed here.
void FileReader::setDir(string startdir) {
    string& target = this->startdir;
    target = startdir;
}
98 |
// Stores filepath as the current file path.
void FileReader::setFilePath(string filepath) {
    string& target = this->filepath;
    target = filepath;
}
102 |
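// Deletes every entry found directly inside logfolder.
//
// Entries "." and ".." are skipped, and so is any entry stat() cannot
// resolve. remove() results are not checked, so an entry that cannot be
// deleted (for example a non-empty sub-directory) is left in place.
// Side effect: the member filepath is overwritten with each visited path.
void FileReader::removeLog() {
    struct stat filestat;
    // Unused here; left in place because FileScanner's constructor is not
    // visible from this part of the file.
    FileScanner fs;

    DIR *dp = opendir(logfolder.c_str());
    if (dp == NULL) {
        cout << "Error opening " << logfolder << endl;
        // Without this return the loop below would call readdir() on a null
        // handle.
        return;
    }

    struct dirent *dirp;
    while ((dirp = readdir(dp)) != NULL) {
        // ignore entries named "." and ".."
        if (!strcmp(dirp->d_name, "..") || !strcmp(dirp->d_name, ".")) {
            continue;
        }

        // obtain full filepath
#ifdef _WIN32
        filepath = logfolder + "\\" + dirp->d_name;
#else
        filepath = logfolder + "/" + dirp->d_name;
#endif

        // stat() follows symbolic links; entries it cannot resolve are
        // skipped rather than removed.
        if (stat(filepath.c_str(), &filestat)) continue;

        remove(filepath.c_str());
    }
    closedir(dp);
}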
148 |
149 | //scan directory function
150 | void FileReader::scanDirectory(string dir, string option, int counter){
151 | DIR *dp;
152 | struct dirent *dirp;
153 | struct stat filestat;
154 | FileScanner fs;
155 | size_t found;
156 | fstream logger, afile;
157 | int offset;
158 | char buffer;
159 | string filename, logfile, shellLog, summaryfile;
160 | stringstream ss;
161 | bool flag = false;
162 | string cDir = dir;
163 |
164 | //naming of file containing the log of webshell signature scan
165 | //as well as removing results from previous scan if it exists
166 |
167 |
168 | #ifdef _WIN32
169 | shellLog = shellFolder + "\\signatureScanResults.txt";
170 | summaryfile = summaryfolder + "\\Summary.txt";
171 | #else
172 | shellLog = shellFolder + "/signatureScanResults.txt";
173 | summaryfile = summaryfolder + "/Summary.txt";
174 | #endif
175 |
176 | //shellLog = shellFolder + "\\signatureScanResults.txt";
177 | if (option == "1") {
178 | removeLog();
179 | afile.open(summaryfile.c_str(), ios::out);
180 | afile << "Summary of Dangerous Function Scan Results" << endl;
181 | afile << "================================================" << endl;
182 | afile.close();
183 | }
184 | else if(option == "2")
185 | remove(shellLog.c_str());
186 | else if (option == "999") {}
187 | else {
188 | removeLog();
189 | remove(shellLog.c_str());
190 | afile.open(summaryfile.c_str(), ios::out);
191 | afile << "Summary of Dangerous Function Scan Results" << endl;
192 | afile << "================================================" << endl;
193 | afile.close();
194 | }
195 |
196 |
197 | if ((dir[0] == '"') || (dir[0] == '\'')) {
198 | dir.erase(0,1);
199 | dir.erase(dir.size()-1, 1);
200 | }
201 |
202 | dp = opendir(dir.c_str());
203 |
204 |
205 | int i=0;
206 |
207 |
208 |
209 | if (dp == NULL)
210 | {
211 | cout << "Error opening " << dir << endl;
212 | }
213 |
214 | //while not end of directory
215 | while ((dirp = readdir(dp)) != NULL) {
216 |
217 | //ignore files named "." and ".."
218 | if (!strcmp(dirp->d_name, "..") || !strcmp(dirp->d_name, ".")) {
219 | continue;
220 | }
221 |
222 | //obtain full filepath
223 | #ifdef _WIN32
224 | filepath = dir + "\\" + dirp->d_name;
225 | #else
226 | filepath = dir + "/" + dirp->d_name;
227 | #endif
228 | //filepath = dir + "\\" + dirp->d_name;
229 |
230 | if (stat(filepath.c_str(), &filestat)) continue;
231 |
232 | //if file detected is a directory, increment of directory lvl counter
233 | //and call a recursive scanDirectory method for the detected directory
234 | if (S_ISDIR(filestat.st_mode)) {
235 | if ((filepath != logfolder) && (filepath!= shellFolder) && (filepath!=summaryfolder)) {
236 | cout << "directory detected" << endl;
237 | counter++;
238 | scanDirectory(filepath, "999", counter);
239 | }
240 | }
241 | //if file detected is a regular file,
242 | else if (S_ISREG(filestat.st_mode)) {
243 | //retrieving filename
244 | i = filepath.size()-1;
245 | while (((filepath[i] != '/') && (filepath[i] != '\\')) && (i>=0)) {
246 | i--;
247 | }
248 | filename = filepath.substr(i+1, filepath.size()-1);
249 | ss << counter;
250 | //use filename to name its corresponding log file
251 | #ifdef _WIN32
252 | logfile = logfolder + "\\" + filename + "-" + ss.str()+ "-" + ".txt";
253 | #else
254 | logfile = logfolder + "/" + filename + "-" + ss.str()+ "-" + ".txt";
255 | #endif
256 | ss.str("");
257 |
258 | cout << logfile << endl;
259 | //setting of log files and current filepath
260 | fs.setLogfile(logfile);
261 | fs.setShellLog(shellLog);
262 |
263 | cout << filepath << endl;
264 | cout << "file detected" << endl;
265 | fs.setCurrentFile(filepath);
266 |
267 | //running of different scans depending on options chosen
268 | //if option = 2, run webshell scan only
269 | if (option == "2")
270 | fs.webshellScan(signatures);
271 | //if option = 1, run dangerFunction scan only
272 | else if (option == "1") {
273 | if ((offset = filepath.find(".php", 0)) != string::npos) {
274 | format = ".php";
275 | fs.scanCurrentFile(dangerFunction, format);
276 |
277 | }
278 | else if ((offset = filepath.find(".asp", 0)) != string::npos) {
279 | format = ".asp";
280 | fs.scanCurrentFile(aspFunction, format);
281 | }
282 | else if ((offset = filepath.find(".aspx", 0)) != string::npos) {
283 | format = ".aspx";
284 | fs.scanCurrentFile(aspFunction, format);
285 | }
286 | else if ((offset = filepath.find(".jsp", 0)) != string::npos) {
287 | format = ".jsp";
288 | fs.scanCurrentFile(jspFunction, format);
289 | }
290 | else {//if ((offset = filepath.find(".txt", 0)) != string::npos) {
291 | format = ".php";
292 | fs.scanCurrentFile(dangerFunction, format);
293 | }
294 | }
295 | //by default it runs both scans
296 | else {
297 | fs.webshellScan(signatures);
298 | if ((offset = filepath.find(".php", 0)) != string::npos) {
299 | format = ".php";
300 | fs.scanCurrentFile(dangerFunction, format);
301 |
302 | }
303 | else if ((offset = filepath.find(".asp", 0)) != string::npos) {
304 | format = ".asp";
305 | fs.scanCurrentFile(aspFunction, format);
306 | }
307 | else if ((offset = filepath.find(".aspx", 0)) != string::npos) {
308 | format = ".aspx";
309 | fs.scanCurrentFile(aspFunction, format);
310 | }
311 | else if ((offset = filepath.find(".jsp", 0)) != string::npos) {
312 | format = ".jsp";
313 | fs.scanCurrentFile(jspFunction, format);
314 | }
315 | else if ((offset = filepath.find(".txt", 0)) != string::npos) {
316 | format = ".php";
317 | fs.scanCurrentFile(dangerFunction, format);
318 | }
319 | }
320 | }
321 | }
322 | closedir(dp);
323 | logger.open(shellLog.c_str(), ios::out | ios::app);
324 | if (fs.getFlag()) {
325 | cout << "No signature matches found in " << dir << endl;
326 | logger << "No signature matches found in " << dir << endl;
327 | }
328 | logger.close();
329 | }
330 |
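//Print to stdout every log in logfolder whose file name contains the base name
//of the given file.
//
//filename: path (or bare name) of a scanned file; only the part after the last
//          '/' or '\\' is used for matching.
//
//Nothing is returned. The member `filepath` is overwritten with the path of each
//directory entry visited. If logfolder cannot be opened, an error line is printed
//and the function returns without reading anything.
void FileReader::retrieveLog(string filename) {
    //unused in this function; kept because FileScanner's constructor is not
    //visible from here -- TODO confirm it has no side effects and remove
    FileScanner fs;

    //reduce the argument to its base name; find_last_of cannot index out of range
    //when the name is empty or has no separator, unlike a manual backwards scan
    const size_t sep = filename.find_last_of("/\\");
    if (sep != string::npos) {
        filename = filename.substr(sep + 1);
    }

    DIR *dp = opendir(logfolder.c_str());
    if (dp == NULL) {
        //readdir() and closedir() must not be called on a null handle
        cout << "Error opening " << logfolder << endl;
        return;
    }

    struct dirent *dirp;
    struct stat filestat;
    string line;

    //while not end of directory
    while ((dirp = readdir(dp)) != NULL) {

        //ignore files named "." and ".."
        if (!strcmp(dirp->d_name, "..") || !strcmp(dirp->d_name, ".")) {
            continue;
        }

        //obtain full filepath
#ifdef _WIN32
        filepath = logfolder + "\\" + dirp->d_name;
#else
        filepath = logfolder + "/" + dirp->d_name;
#endif

        //skip entries that cannot be stat'ed or that are not regular files
        if (stat(filepath.c_str(), &filestat) || !S_ISREG(filestat.st_mode)) {
            continue;
        }

        //match on the entry name only, so that text in the log folder's own path
        //cannot make every log match
        const string entry(dirp->d_name);
        if (entry.find(filename) == string::npos) {
            continue;
        }

        //one stream per file: a reused stream can carry the eof/fail state of the
        //previous log into the next open on older standard libraries
        fstream afile(filepath.c_str(), ios::in);
        while (getline(afile, line)) {
            cout << line << endl;
        }
        afile.close();
        cout << endl;
    }
    closedir(dp);
}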
387 |
388 |
--------------------------------------------------------------------------------
/src/header.h:
--------------------------------------------------------------------------------
1 | //orion-webshell-detector by v00d0089 & gaber52
2 | //File: header.h
3 | //Contains File Reader, File Scanner, Results class declarations
4 |
5 | //libraries for required methods
6 | #include
7 | #include
8 | #include
9 | #include
10 | #include
11 | #include
12 | #include
13 | #include
14 | #include
15 | #include "md5.h"
16 |
17 | using namespace std;
18 |
19 | struct Summarized { //pairs a file name with a score; presumably one row of the scan summary held in `ranking` -- confirm
20 | string filename;
21 | int score;
22 | };
23 |
24 | bool comparer(Summarized, Summarized); //NOTE(review): presumably the ordering predicate for Summarized entries -- confirm at its definition
25 |
26 | //vector declarations used for holding information regarding dangerous functions
27 | extern vector phpComments; //defined in main.cpp, where main() appends entries in pairs: a function name, then its description
28 | extern vector aspComments; //NOTE(review): presumably filled the same way for ASP -- confirm in main.cpp
29 | extern vector jspComments; //NOTE(review): presumably filled the same way for JSP -- confirm in main.cpp
30 |
31 | //vector declarations used for holding summary of scan
32 | extern vector ranking;
33 |
34 | //base64 encode and decode declarations
35 | std::string base64_encode(unsigned char const* , unsigned int len); //takes a byte pointer plus a length and returns a std::string
36 | std::string base64_decode(std::string const& s);
37 |
38 | //Results class declaration
39 | class Results { //NOTE(review): judging by its members, holds the dangerous-function findings for one file plus a total score -- confirm in results.cpp
40 | public:
41 | //Constructors and destructor
42 | Results();
43 | ~Results();
44 | Results(string, string, string); //NOTE(review): parameters are unnamed; presumably they initialise cfilename, logfile and format -- confirm the order in results.cpp
45 |
46 | //Mutator and Accessor functions
47 | void setName(string);
48 | void setLog(string);
49 | string getName();
50 | int getScore();
51 | vector getDangerFunctions();
52 |
53 | //method used to compute total score
54 | int calculateScore();
55 |
56 | //method used to add detected dangerous functions to the list
57 | void addDangerFunctions(string, int, int); //NOTE(review): parameters are unnamed; presumably function name, its score and a line number (cf. dangerFunctions, functionScore, line) -- confirm
58 |
59 | //method to print the results
60 | void printResults();
61 |
62 | private:
63 | //class attributes
64 | string cfilename, logfile, format;
65 | int totalscore;
66 | vector dangerFunctions;
67 |
68 | vector functionScore;
69 | vector line;
70 | };
71 |
72 | //File Scanner class declaration
73 | class FileScanner { //scans one file at a time: FileReader::scanDirectory sets the log paths and the current file, then calls a scan method
74 |
75 | public:
76 | //Constructors and destructor
77 | FileScanner();
78 | ~FileScanner();
79 | FileScanner(string, string, string); //NOTE(review): parameters are unnamed; presumably cfilename, logfile and shellLog -- confirm the order in fileScanner.cpp
80 |
81 | //Accessor and Mutator functions
82 | string getCurrentFileName();
83 | string getLogfile();
84 | string getShellLog();
85 | bool getFlag(); //scanDirectory prints "No signature matches found" when this returns true
86 | void setCurrentFile(string);
87 | void setLogfile(string);
88 | void setShellLog(string);
89 |
90 | //method to scan the file for dangerous functions
91 | void scanCurrentFile(vector, string); //called by scanDirectory with a function list and a format string (".php", ".asp", ".aspx" or ".jsp")
92 |
93 | //method to scan the file for webshell signatures
94 | void webshellScan(vector); //called by scanDirectory with FileReader's `signatures` list
95 |
96 | private:
97 | //class attributes and private methods
98 | string cfilename;
99 | string logfile;
100 | string shellLog;
101 | bool flag;
102 |
103 | //respective scanners for the different web server languages
104 | int scanPHP(vector); //NOTE(review): returns int while the ASP and JSP scanners return void; the meaning of the value is not visible in this header
105 | void scanASP(vector);
106 | void scanJSP(vector);
107 | };
108 |
109 | //File Reader class declaration
110 | class FileReader { //walks a directory tree and hands each regular file to a FileScanner
111 |
112 | public:
113 | //Constructors and destructor
114 | FileReader();
115 | ~FileReader();
116 | FileReader(string);
117 |
118 | //Accessor and Mutator functions
119 | string getDir();
120 | string getFilePath();
121 | void setDir(string);
122 | void setFilePath(string);
123 |
124 | //method to scan the directory and sub-directories of specified location; arguments are (directory, option, directory-level counter), where option "1" = dangerous-function scan only, "2" = webshell signature scan only, anything else = both scans
125 | void scanDirectory(string, string, int); //NOTE(review): the recursive call passes "999", which skips the log reset and runs both scans, so sub-directories are scanned with both whatever option the top-level call used
126 | void removeLog(); //called by scanDirectory before the summary file is rewritten (every option except "2" and "999"); body not visible here
127 | void retrieveLog(string); //prints to stdout each log in logfolder whose path contains the base name of the given file
128 |
129 | private:
130 | //class attributes
131 | string startdir;
132 | string filepath;
133 | string cDir;
134 | vector dangerFunction; //passed to scanCurrentFile with format ".php"
135 | vector aspFunction; //passed to scanCurrentFile with format ".asp" or ".aspx"
136 | vector jspFunction; //passed to scanCurrentFile with format ".jsp"
137 | vector signatures; //passed to FileScanner::webshellScan
138 | string logfolder, shellFolder, summaryfolder; //scanDirectory does not descend into these three directories
139 | string format; //set by scanDirectory from a substring search of the path -- NOTE(review): the search is not anchored to the end of the name, and ".asp" is tested before ".aspx", so the ".aspx" branch is never taken
140 | };
141 |
142 |
--------------------------------------------------------------------------------
/src/main.cpp:
--------------------------------------------------------------------------------
1 | //orion-webshell-detector by v00d0089 & gaber52
2 | //File: main.cpp
3 |
4 | #include "header.h"
5 |
6 | vector phpComments; //filled in main() below in pairs: a PHP function name, then its description text
7 | vector aspComments; //NOTE(review): population not visible in this part of main() -- presumably the same name/description pairing
8 | vector jspComments; //NOTE(review): population not visible in this part of main() -- presumably the same name/description pairing
9 |
10 | int main(int argc, char *argv[]) {
11 |
12 | //populating information of dangerous functions
13 | // catergory 1
14 | phpComments.push_back("base64_decode");
15 | phpComments.push_back("This function decodes a base64 encoded data. Webshells scripts and dangerous functions \n"
16 | "may be pre-encoded and this function may pose a security threat.");
17 | phpComments.push_back("exec");
18 | phpComments.push_back("This function executes the given command. When allowing user-supplied data to be passed \n"
19 | "to this function, use escapeshellarg() or escapeshellcmd() to ensure that users cannot \n"
20 | "trick the system into executing arbitrary commands.");
21 | phpComments.push_back("passthru");
22 | phpComments.push_back("This function executes the given command. When allowing user-supplied data to be passed \n"
23 | "to this function, use escapeshellarg() or escapeshellcmd() to ensure that users cannot \n"
24 | "trick the system into executing arbitrary commands.");
25 | phpComments.push_back("system");
26 | phpComments.push_back("This function executes an external program and display the output. When allowing user \n"
27 | "supplied data to be passed to this function, use escapeshellarg() or escapeshellcmd() \n"
28 | "to ensure that users cannot trick the system into executing arbitrary commands.");
29 | phpComments.push_back("shell_exec");
30 | phpComments.push_back("This function executes command via shell and return the complete output as a string. \n"
31 | "It is advised to check that user input supplied to the function is sanitized.");
32 | phpComments.push_back("popen");
33 | phpComments.push_back("This function opens a process file pointer. With safe mode enabled, the command string \n"
34 | "is escaped with escapeshellcmd().");
35 | phpComments.push_back("proc_open");
36 | phpComments.push_back("This function executes a command and open file pointers for input / output.");
37 | phpComments.push_back("pcntl_exec");
38 | phpComments.push_back("This function executes a specified program in current process space. It is advised to \n"
39 | "check that user input supplied to the function is sanitized.");
40 | // catergory 2
41 | phpComments.push_back("eval");
42 | phpComments.push_back("This function evaluates a string as PHP code. Caution: the eval() language construct is \n"
43 | "very dangerous because it allows execution of arbitrary PHP code. Its use thus is \n"
44 | "discouraged. If you have carefully verified that there is no other option than to use \n"
45 | "this construct, pay special attention not to pass any user provided data into it without \n"
46 | "properly validating it beforehand.");
47 | phpComments.push_back("assert");
48 | phpComments.push_back("This function checks if assertion is false.");
49 | phpComments.push_back("create_function");
50 | phpComments.push_back("This function creates an anonymous (lambda-style) function.");
51 | phpComments.push_back("include");
52 | phpComments.push_back("The include statement includes and evaluates the specified file.");
53 | phpComments.push_back("include_once");
54 | phpComments.push_back("The include_once statement includes and evaluates the specified file once.");
55 | phpComments.push_back("require");
56 | phpComments.push_back("The require statement includes and evaluates the specified file.");
57 | phpComments.push_back("require_once");
58 | phpComments.push_back("The require_once statement includes and evaluates the specified file.");
59 | phpComments.push_back("ReflectionFunction");
60 | phpComments.push_back("The ReflectionFunction class reports information about a function.");
61 | // catergory 3
62 | phpComments.push_back("ob_start");
63 | phpComments.push_back("This function turns output buffering on. While output buffering is active no output is \n"
64 | "sent from the script, instead the output is stored in an internal buffer.");
65 | phpComments.push_back("array_diff_uassoc");
66 | phpComments.push_back("This function computes the difference of arrays with additional index check which is \n"
67 | "performed by a user supplied callback function.");
68 | phpComments.push_back("array_diff_ukey");
69 | phpComments.push_back("This function computes the difference of arrays using a callback function on the keys for \n"
70 | "comparison.");
71 | phpComments.push_back("array_filter");
72 | phpComments.push_back("This function filters elements of an array using a callback function.");
73 | phpComments.push_back("array_intersect_uassoc");
74 | phpComments.push_back("This function computes the intersection of arrays with additional index check, compares \n"
75 | "indexes by a callback function.");
76 | phpComments.push_back("array_intersect_ukey");
77 | phpComments.push_back("This function computes the intersection of arrays using a callback function on the keys \n"
78 | "for comparison.");
79 | phpComments.push_back("array_map");
80 | phpComments.push_back("This function applies the callback to the elements of the given arrays.");
81 | phpComments.push_back("array_reduce");
82 | phpComments.push_back("This function iteratively reduce the array to a single value using a callback function.");
83 | phpComments.push_back("array_udiff_assoc");
84 | phpComments.push_back("This function computes the difference of arrays with additional index check, compares data \n"
85 | "by a callback function.");
86 | phpComments.push_back("array_udiff_uassoc");
87 | phpComments.push_back("This function computes the difference of arrays with additional index check, compares data \n"
88 | "and indexes by a callback function.");
89 | phpComments.push_back("array_udiff");
90 | phpComments.push_back("This function computes the difference of arrays by using a callback function for data \n"
91 | "comparison.");
92 | phpComments.push_back("array_uintersect_assoc");
93 | phpComments.push_back("This function computes the intersection of arrays with additional index check, compares \n"
94 | "data by a callback function.");
95 | phpComments.push_back("array_uintersect_uassoc");
96 | phpComments.push_back("This function computes the intersection of arrays with additional index check, compares \n"
97 | "data and indexes by a callback function.");
98 | phpComments.push_back("array_uintersect");
99 | phpComments.push_back("This function computes the intersection of arrays, compares data by a callback function.");
100 | phpComments.push_back("array_walk_recursive");
101 | phpComments.push_back("This function applies a user function recursively to every member of an array.");
102 | phpComments.push_back("array_walk");
103 | phpComments.push_back("This function applies a user function to every member of an array.");
104 | phpComments.push_back("assert_options");
105 | phpComments.push_back("This function sets / gets the various assert flags.");
106 | phpComments.push_back("uasort");
107 | phpComments.push_back("This function sorts an array with a user-defined comparison function and maintain index \n"
108 | "association.");
109 | phpComments.push_back("uksort");
110 | phpComments.push_back("This function sorts an array by keys using a user-defined comparison function.");
111 | phpComments.push_back("usort");
112 | phpComments.push_back("This function sorts an array by values using a user-defined comparison function.");
113 | phpComments.push_back("preg_replace_callback");
114 | phpComments.push_back("This function performs a regular expression search and replace using a callback.");
115 | phpComments.push_back("spl_autoload_register");
116 | phpComments.push_back("This function registers a given function as __autoload() implementation.");
117 | phpComments.push_back("iterator_apply");
118 | phpComments.push_back("This function calls a function for every element in an iterator.");
119 | phpComments.push_back("call_user_func");
120 | phpComments.push_back("This function calls the callback given by the first paramenter.");
121 | phpComments.push_back("call_user_func_array");
122 | phpComments.push_back("this function calls a callback with an array as parameters.");
123 | phpComments.push_back("register_shutdown_function");
124 | phpComments.push_back("This function registers a function for execution on shutdown.");
125 | phpComments.push_back("register_tick_function");
126 | phpComments.push_back("This function registers a function for execution on each tick.");
127 | phpComments.push_back("set_error_handler");
128 | phpComments.push_back("This function sets a user-defined error handler function.");
129 | phpComments.push_back("set_exception_handler");
130 | phpComments.push_back("This function sets a user-defined exeption handler function.");
131 | phpComments.push_back("session_set_save_handler");
132 | phpComments.push_back("This function sets user-level session storage functions.");
133 | phpComments.push_back("sqlite_create_aggregate");
134 | phpComments.push_back("This function registers an aggregate UDP for use in SQL statements.");
135 | phpComments.push_back("sqlite_create_function");
136 | phpComments.push_back("This function registers a regular user defined function for use in SQL statements.");
137 | // catergory 4
138 | phpComments.push_back("phpinfo");
139 | phpComments.push_back("This function outputs information of the current server's PHP configuration. This \n"
140 | "function is reveals server's configurations and may pose a security threat as sensitive \n"
141 | "information may be disclosed and used to exploit. This function is classified as \n"
142 | "information disclosure and its use is discouraged");
143 | phpComments.push_back("posix_mkfifo");
144 | phpComments.push_back("This function create a special FIFO file which exists in the file system and acts \n"
145 | "as a bidirectional communication endpoint for processes. This function is classified \n"
146 | "as information disclosure and its use is discouraged");
147 | phpComments.push_back("posix_getlogin");
148 | phpComments.push_back("This function returns the login name of the user owning the current process. If used \n"
149 | "inappropriately, the user can obtain the username and attempt a brute-force attack. \n"
150 | "This function is classified as information disclosure and its used is discouraged");
151 | phpComments.push_back("posix_ttyname");
152 | phpComments.push_back("This function returns a string for the absolute path to the current terminal device that \n"
153 | "is open on the file descriptor, fd. This function is classified as information disclosure \n"
154 | "and its use is discouraged.");
155 | phpComments.push_back("getenv");
156 | phpComments.push_back("This function gets the value of an environment variable. This function is classified as \n"
157 | "information disclosure and its used is discouraged");
158 | phpComments.push_back("get_current_user");
159 | phpComments.push_back("This function returns the name of the owner of the current PHP script. This function is \n"
160 | "classified as information disclosure and its used is discouraged");
161 | phpComments.push_back("proc_get_status");
162 | phpComments.push_back("This function fetches data about a process opened using proc_open(). This function is \n"
163 | "classified as information disclosure and its used is discouraged");
164 | phpComments.push_back("get_cfg_var");
165 | phpComments.push_back("This function gets the value of a PHP configuration option. This function is classified \n"
166 | "as information disclosure and its used is discouraged");
167 | phpComments.push_back("disk_free_space");
168 | phpComments.push_back("This function, given a string containing a directory, will return the number of bytes \n"
169 | "available on the corresponding filesystem or disk partition. This function is classified \n"
170 | "as information disclosure and its used is discouraged");
171 | phpComments.push_back("disk_total_space");
172 | phpComments.push_back("This function, given a string containing a directory, will return the number of bytes \n"
173 | "available on the corresponding filesystem or disk partition. This function is classified \n"
174 | "as information disclosure and its used is discouraged");
175 | phpComments.push_back("diskfreespace");
176 | phpComments.push_back("This function, given a string containing a directory, will return the number of bytes \n"
177 | "available on the corresponding filesystem or disk partition. This function is classified \n"
178 | "as information disclosure and its used is discouraged");
179 | phpComments.push_back("getcwd");
180 | phpComments.push_back("This function returns the current working directory. This function is classified as \n"
181 | "information disclosure and its used is discouraged");
182 | phpComments.push_back("getlastmod");
183 | phpComments.push_back("This function gets the last modification date of the current page. This function is \n"
184 | "classified as information disclosure and its used is discouraged");
185 | phpComments.push_back("getmygid");
186 | phpComments.push_back("This function gets the group ID of the current script. This function is classified \n"
187 | "as information disclosure and its used is discouraged");
188 | phpComments.push_back("getmyinode");
189 | phpComments.push_back("This function gets the inode of the current script. This function is classified as \n"
190 | "information disclosure and its used is discouraged");
191 | phpComments.push_back("getmypid");
192 | phpComments.push_back("This function gets the current PHP process ID. This function is classified as information \n"
193 | "disclosure and its used is discouraged");
194 | phpComments.push_back("getmyuid");
195 | phpComments.push_back("This function gets the user id of the current script. This function is classified as \n"
196 | "information disclosure and its used is discouraged");
197 | // catergory 5
198 | phpComments.push_back("extract");
199 | phpComments.push_back("This function imports variables from an array into the current symbol state. Warning: \n"
200 | "Do not use extract() on untrusted data, like user input ($_GET, $_FILES, etc). If you do, \n"
201 | "for example if you want to run old code that relies on register_globals temporarily, make \n"
202 | "sure that you use one of the non-overwriting extract_type values such as EXTR_SKIP and be \n"
203 | "aware that you should extract in the same order that's defined in variables_order within \n"
204 | "php.ini.");
205 | phpComments.push_back("parse_str");
206 | phpComments.push_back("This function parses a string as if it were the query string passed via a URL and sets \n"
207 | "variables in the current scope");
208 | phpComments.push_back("putenv");
209 | phpComments.push_back("This function sets the values of an environment variable.");
210 | phpComments.push_back("ini_set");
211 | phpComments.push_back("This function sets the value of a given configuration option. The configuration option \n"
212 | "will keep this new value during the script's execution, and will be restored at the \n"
213 | "script's ending.");
214 | phpComments.push_back("mail");
215 | phpComments.push_back("This function sends an email. It may be exploited for spam if user input to this function \n"
216 | "is not sanitized.");
217 | phpComments.push_back("header");
218 | phpComments.push_back("This function is used to send a raw HTTP header.");
219 | phpComments.push_back("proc_nice");
220 | phpComments.push_back("This function changes the priority of the current process by the amount specified in \n"
221 | "increment. A posive increment will lower the priority of the current process, whereas a \n"
222 | "negative increment will raise the priority.");
223 | phpComments.push_back("proc_terminate");
224 | phpComments.push_back("This function signals a process that it should terminate. Dangerous if user input that is \n"
225 | "not sanitized is allowed as crucial processes can be terminated by a user.");
226 | phpComments.push_back("proc_close");
227 | phpComments.push_back("This function closes a process opened by proc_open() and reutrns the exit code of that \n"
228 | "process");
229 | phpComments.push_back("pfsockopen");
230 | phpComments.push_back("This function opens a persistent internet or Unix domain socket connection.");
231 | phpComments.push_back("fsockopen");
232 | phpComments.push_back("This function opens internet or unix domain socket connection.");
233 | phpComments.push_back("apache_child_terminate");
234 | phpComments.push_back("This function will register the apache process executing the current PHP request for \n"
235 | "termination once execution of the PHP code is completed. It may be used to terminate a \n"
236 | "process after a script with high memory consumption has been run as memory will usually \n"
237 | "only be freed internally but not given back to the operating system.");
238 | phpComments.push_back("posix_kill");
239 | phpComments.push_back("This function sends the kill signal sig to the process with the process identifier pid");
240 | phpComments.push_back("posix_mkfifo");
241 | phpComments.push_back("This function creates a special FIFO file which exists in the file system and acts as a \n"
242 | "bidirectional communication endpoint for processes.");
243 | phpComments.push_back("posix_setpgid");
244 | phpComments.push_back("This function lets the process pid join the process group gpid.");
245 | phpComments.push_back("posix_setsid");
246 | phpComments.push_back("This function maes the current process a session leader.");
247 | phpComments.push_back("posix_setuid");
248 | phpComments.push_back("This function sets the real user ID of the current process. This is a privileged function \n"
249 | "that needs appropriate privileges (usually root) on the system to be able to perform this \n"
250 | "function.");
251 | // catergory 6
252 | phpComments.push_back("fopen");
253 | phpComments.push_back("This function opens the file specified.\n"
254 | "Allowing user input may allow users to open files and perform modifications without\n"
255 | "knowledge of the server admin");
256 | phpComments.push_back("bzopen");
257 | phpComments.push_back("This function opens the bzip2 file specified.\n"
258 | "Allowing user input may allow users to open files and perform modifications without\n"
259 | "knowledge of the server admin");
260 | phpComments.push_back("gzopen");
261 | phpComments.push_back("This function opens the gz file specified.\n"
262 | "Allowing user input may allow users to open files and perform modifications without\n"
263 | "knowledge of the server admin");
264 | phpComments.push_back("SplFileObject->__construct");
265 | phpComments.push_back("This function creates a file object with the specified file name.\n"
266 | "Allowing user input may allow users to create new file objects withou server admin knowledge");
267 | phpComments.push_back("chgrp");
268 | phpComments.push_back("This function changes the group of the file specified.\n"
269 | "Allowing user input may allow users to group of the files on the server without admin knowledge,\n"
270 | "potentially changing to a group with higher permissions");
271 | phpComments.push_back("chmod");
272 | phpComments.push_back("This function changes the mode of the file specified.\n"
273 | "Allowing user input may allow users to change modes of the files on the server without admin knowledge,\n"
274 | "potentially allowing further unauthorised modification of the server files.");
275 | phpComments.push_back("chown");
276 | phpComments.push_back("This function changes the ownership of the file specified.\n"
277 | "Allowing user input may allow users to change owners of files on the server without admin knowledge,\n"
278 | "potentially hindering server operations");
279 | phpComments.push_back("copy");
280 | phpComments.push_back("This function copies the file specified to a target location.\n"
281 | "Allowing user input may allow users to copy files on the server to another location.\n"
282 | "Possibly taking up memory of the server, or to use as a stepping stone for further attacks.");
283 | phpComments.push_back("file_put_contents");
284 | phpComments.push_back("This function writes a string to the file specified.\n"
285 | "Allowing user input may allow users to modify files on the server.\n"
286 | "This could be used to mess up server operations, or even add new code");
287 | phpComments.push_back("lchgrp");
288 | phpComments.push_back("This function changes the group ownership of the symbolic link specified.\n"
289 | "Allowing user input may allow users to change owners of links on the server without admin knowledge,\n"
290 | "potentially hindering server operations");
291 | phpComments.push_back("lchown");
292 | phpComments.push_back("This function changes the ownership of the symbolic link specified.\n"
293 | "Allowing user input may allow users to change owners of links on the server without admin knowledge,\n"
294 | "potentially hindering server operations");
295 | phpComments.push_back("link");
296 | phpComments.push_back("This function creates a hard link to the target specified.\n"
297 | "Allowing user input may allow users to create links to files on the server without admin knowledge.");
298 | phpComments.push_back("mkdir");
299 | phpComments.push_back("This function creates a new directory.\n"
300 | "Allowing user input may allow users to create directories on the server without admin knowledge,\n"
301 | "and could be used to hide webshells");
302 | phpComments.push_back("move_uploaded_file");
303 | phpComments.push_back("This function moves a uploaded file to a specified location.\n"
304 | "Allowing user input may allow users to move files on the server to other areas without admin knowledge.");
305 | phpComments.push_back("rename");
306 | phpComments.push_back("This function renames the file specified.\n"
307 | "Allowing user input may allow users to rename files on the server without admin knowledge.");
308 | phpComments.push_back("rmdir");
309 | phpComments.push_back("This function removes the directory specified.\n"
310 | "Allowing user input may allow users to remove directories on the server without admin knowledge.");
311 | phpComments.push_back("symlink");
312 | phpComments.push_back("This function creates a symbolic link to the file specified.\n"
313 | "Allowing user input may allow users to create links to files on the server without admin knowledge.");
314 | phpComments.push_back("tempnam");
315 | phpComments.push_back("This function creates a file with a unique name.\n"
316 | "Allowing user input may allow users to create files on the server without admin knowledge.");
317 | phpComments.push_back("touch");
318 | phpComments.push_back("This function sets the access and modification time for the file specified.\n"
319 | "Allowing user input may allow users modify the times for a file,\n"
320 | "allowing them to hide the fact of them accessing or modifying certain files.");
321 | phpComments.push_back("unlink");
322 | phpComments.push_back("This function deletes the specified file.\n"
323 | "Allowing user input may allow users to delete files on the server, potentially causing\n"
324 | "problems for the server operations.");
325 | phpComments.push_back("ftp_get");
326 | phpComments.push_back("This function retrieves a file from the FTP server and writes to local file.\n"
327 | "Allowing user input may allow users access to information to files on the FTP server, that\n"
328 | "they would otherwise have no access to.");
329 | phpComments.push_back("ftp_nb_get");
330 | phpComments.push_back("This function retrieves a file from the FTP server and writes to local file.\n"
331 | "Allowing user input may allow users access to information to files on the FTP server, that\n"
332 | "they would otherwise have no access to.");
333 | phpComments.push_back("file_get_contents");
334 | phpComments.push_back("This function reads the entire file into a string.\n"
335 | "Allowing user input may allow users access to information to other files on the server, that\n"
336 | "they would otherwise have no access to.");
337 | phpComments.push_back("file");
338 | phpComments.push_back("This function reads the entire file into an array.\n"
339 | "Allowing user input may allow users access to information to other files on the server, that\n"
340 | "they would otherwise have no access to.");
341 | phpComments.push_back("file_exist");
342 | phpComments.push_back("This function checks if a file exists.\n"
343 | "Allowing user input may allow users access to information to other files on the server, that\n"
344 | "they would otherwise have no access to.");
345 | phpComments.push_back("fileatime");
346 | phpComments.push_back("This function returns the last access time of the file specified.\n"
347 | "Allowing user input may allow users access to information to other files on the server, that\n"
348 | "they would otherwise have no access to.");
349 | phpComments.push_back("filectime");
350 | phpComments.push_back("This function returns the inode change time of the file specified.\n"
351 | "Allowing user input may allow users access to information to other files on the server, that\n"
352 | "they would otherwise have no access to.");
353 | phpComments.push_back("filegroup");
354 | phpComments.push_back("This function returns the group of the file specified.\n"
355 | "Allowing user input may allow users access to information to other files on the server, that\n"
356 | "they would otherwise have no access to.");
357 | phpComments.push_back("fileinode");
358 | phpComments.push_back("This function returns the file node of the file specified.\n"
359 | "Allowing user input may allow users access to information to other files on the server, that\n"
360 | "they would otherwise have no access to.");
361 | phpComments.push_back("filemtime");
362 | phpComments.push_back("This function returns the file modification time of the file specified.\n"
363 | "Allowing user input may allow users access to information to other files on the server, that\n"
364 | "they would otherwise have no access to.");
365 | phpComments.push_back("fileowner");
366 | phpComments.push_back("This function returns the owner of the file specified.\n"
367 | "Allowing user input may allow users access to information to other files on the server, that\n"
368 | "they would otherwise have no access to.");
369 | phpComments.push_back("fileperms");
370 | phpComments.push_back("This function returns the permissions of the file specified.\n"
371 | "Allowing user input may allow users access to information to other files on the server, that\n"
372 | "they would otherwise have no access to.");
373 | phpComments.push_back("filesize");
374 | phpComments.push_back("This function returns the size of the file specified.\n"
375 | "Allowing user input may allow users access to information to other files on the server, that\n"
376 | "they would otherwise have no access to.");
377 | phpComments.push_back("filetype");
378 | phpComments.push_back("This function returns the file type of the file specified.\n"
379 | "Allowing user input may allow users access to information to other files on the server, that\n"
380 | "they would otherwise have no access to.");
381 | phpComments.push_back("glob");
382 | phpComments.push_back("This function finds the pathnames that match the pattern specified.\n"
383 | "Allowing user input may allow users access to information to other files on the server, that\n"
384 | "they would otherwise have no access to.");
385 | phpComments.push_back("is_writable");
386 | phpComments.push_back("This function checks if the file or directory specified is writable or not.\n"
387 | "Allowing user input may allow users access to information to other files on the server, that\n"
388 | "they would otherwise have no access to.");
389 | phpComments.push_back("is_writeable");
390 | phpComments.push_back("This function checks if the file or directory specified is writable or not.\n"
391 | "Allowing user input may allow users access to information to other files on the server, that\n"
392 | "they would otherwise have no access to.");
393 | phpComments.push_back("linkinfo");
394 | phpComments.push_back("This function returns information about a link.\n"
395 | "Allowing user input may allow users access to information to other files on the server, that\n"
396 | "they would otherwise have no access to.");
397 | phpComments.push_back("lstat");
398 | phpComments.push_back("This function returns information about a file or symbolic link.\n"
399 | "Allowing user input may allow users access to information to other files on the server, that\n"
400 | "they would otherwise have no access to.");
401 | phpComments.push_back("parse_ini_file");
402 | phpComments.push_back("This function parses the ini file specified, and returns the settings in an associative array.\n"
403 | "Allowing user input may allow users access to information to other files on the server, that\n"
404 | "they would otherwise have no access to.");
405 | phpComments.push_back("pathinfo");
406 | phpComments.push_back("This function returns information about a filepath.\n"
407 | "Allowing user input may allow users access to information to other files on the server, that\n"
408 | "they would otherwise have no access to.");
409 | phpComments.push_back("readfile");
410 | phpComments.push_back("This function allows users to read a file, and printing it to the standard output.\n"
411 | "Allowing user input may allow users access to information to other files on the server, that\n"
412 | "they would otherwise have no access to.");
413 | phpComments.push_back("readlink");
414 | phpComments.push_back("This function returns the target of a symbolic link.\n"
415 | "Allowing user input may allow users access to information to other files on the server, that\n"
416 | "they would otherwise have no access to.");
417 | phpComments.push_back("realpath");
418 | phpComments.push_back("This function returns the canoicalized absolute pathname of the file specified.\n"
419 | "Allowing user input may allow users access to information to other files on the server, that\n"
420 | "they would otherwise have no access to.");
421 | phpComments.push_back("stat");
422 | phpComments.push_back("This function returns information about a file.\n"
423 | "Allowing user input may allow users access to information to other files on the server, that\n"
424 | "they would otherwise have no access to.");
425 | phpComments.push_back("gzfile");
426 | phpComments.push_back("This function allows users to read a gz file, by decompressing it and returns the file in an array.\n"
427 | "Allowing user input may allow users access to information to other files on the server, that\n"
428 | "they would otherwise have no access to.");
429 | phpComments.push_back("readgzfile");
430 | phpComments.push_back("This function allows users to read a gz file, by decompressing it and printing it to the standard output.\n"
431 | "Allowing user input may allow users access to information to other files on the server, that\n"
432 | "they would otherwise have no access to.");
433 | phpComments.push_back("ftp_put");
434 | phpComments.push_back("This function allows users to store a local file on the FTP server.\n"
435 | "Allowing user input may allow users to place certain files on the server to the FTP server,\n"
436 | "making the file downloadable by others");
437 | phpComments.push_back("ftp_nb_put");
438 | phpComments.push_back("This function allows users to store a local file on the FTP server.\n"
439 | "Allowing user input may allow users to place certain files on the server to the FTP server,\n"
440 | "making the file downloadable by others");
441 | phpComments.push_back("exif_read_data");
442 | phpComments.push_back("This function allows users to read the EXIF headers from JPEG or TIFF.\n"
443 | "Allowing user input may allow users access to information to other files on the server, that\n"
444 | "they would otherwise have no access to.");
445 | phpComments.push_back("read_exif_data");
446 | phpComments.push_back("This function allows users to read the EXIF headers from JPEG or TIFF.\n"
447 | "Allowing user input may allow users access to information to other files on the server, that\n"
448 | "they would otherwise have no access to.");
449 | phpComments.push_back("exif_thumbnail");
450 | phpComments.push_back("This function allows users to obtain the embedded thumbnail of a TIFF or JPEG image on the server.\n"
451 | "Allowing user input may allow users access to information to other files on the server, that\n"
452 | "they would otherwise have no access to.");
453 | phpComments.push_back("exif_imagetype");
454 | phpComments.push_back("This function allows users to determine the type of an image on the server.\n"
455 | "Allowing user input may allow users access to information to other files on the server, that\n"
456 | "they would otherwise have no access to.");
457 | phpComments.push_back("hash_file");
458 | phpComments.push_back("This function allows users to obtain the hash of a file on the server with the specified hash algorithm.\n"
459 | "Allowing user input may allow users access to information to other files on the server, that\n"
460 | "they would otherwise have no access to.");
461 | phpComments.push_back("hash_hmac_file");
462 | phpComments.push_back("This function allows users to generate the hash of a file on the server using the HMAC method.\n"
463 | "Allowing user input may allow users access to information to other files on the server, that\n"
464 | "they would otherwise have no access to.");
465 | phpComments.push_back("hash_update_file");
466 | phpComments.push_back("This function allows users to pump data into an active hashing context from a file.\n"
467 | "Allowing user input would let users pump data of their chooing from a file of their choice.");
468 | phpComments.push_back("md5_file");
469 | phpComments.push_back("This function allows users to obtain the MD5 hash of a file on the server.\n"
470 | "Allowing user input may allow users access to information to other files on the server, that\n"
471 | "they would otherwise have no access to.");
472 | phpComments.push_back("sha1_file");
473 | phpComments.push_back("This function allows users to obtain the SHA1 hash of a file on the server.\n"
474 | "Allowing user input may allow users access to information to other files on the server, that\n"
475 | "they would otherwise have no access to.");
476 | phpComments.push_back("highlight_file");
477 | phpComments.push_back("This function allows users to retrieve the highlighted version php source code of a file.\n"
478 | "Allowing user input may allow users access to information to other files on the server, that\n"
479 | "they would otherwise have no access to.");
480 | phpComments.push_back("show_source");
481 | phpComments.push_back("This function allows users to retrieve the highlighted version php source code of a file.\n"
482 | "Allowing user input may allow users access to information to other files on the server, that\n"
483 | "they would otherwise have no access to.");
484 | phpComments.push_back("php_strip_whitespace");
485 | phpComments.push_back("This function allows users to retrieve the php source code of a file with the comments and spaces removed.\n"
486 | "Allowing user input may allow users access to information to other files on the server, that\n"
487 | "they would otherwise have no access to.");
488 | phpComments.push_back("get_meta_tags");
489 | phpComments.push_back("This function allows users to parse through a file and retrieve content with the tags.\n"
490 | "Allowing user input may allow users access to information to other files on the server, that\n"
491 | "they would otherwise have no access to.");
492 | // asp
493 | aspComments.push_back("File System Object");
494 | aspComments.push_back("File System ojects allow the read and write operations of the servers files. Allowing user input would\n"
495 | "let users have access to files on the system that they would otherwise have no access to");
496 | aspComments.push_back("Process variable");
497 | aspComments.push_back("Processes allow the execution of system commands on the server. When using user input for the data of\n"
498 | "the process attributes, would allow users to execute sysem operations on the server");
499 | aspComments.push_back("Command Object");
500 | aspComments.push_back("Command objects allow the running of system commands on the server. When allowing user-supplied data\n"
501 | "to be passed to this function, users will have the ability to run system operations on the server.");
502 | // jsp
503 | jspComments.push_back(".loadClass");
504 | jspComments.push_back("This function loads a Java class specified by the arguments. Allowing user input would\n"
505 | "let users to load a arbitrary class.");
506 | jspComments.push_back("new FileInputStream");
507 | jspComments.push_back("This function creates a reader that can be used to read from a file. Allowing user input would\n"
508 | "let users access a file on the server that the user would otherwise have no access to.");
509 | jspComments.push_back("new FileReader");
510 | jspComments.push_back("This function creates a reader that can be used to read from a file. Allowing user input would\n"
511 | "let users access a file on the server that the user would otherwise have no access to.");
512 | jspComments.push_back("new RandomAccessFile");
513 | jspComments.push_back("This function creates a reader that can be used to read from a file. Allowing user input would\n"
514 | "let users access a file on the server that the user would otherwise have no access to.");
515 | jspComments.push_back("System.setProperty");
516 | jspComments.push_back("This function allows the setting of some system properties. Allowing user input would\n"
517 | "let users to alter certain properties that might cause some problems to the execution\n"
518 | "of certain critical programs.");
519 | jspComments.push_back("System.load");
520 | jspComments.push_back("The function loads a system library from a file, using a filename as argument\n"
521 | "When user input is used, may allow users to load a library of his/her choice,\n"
522 | "or even from a file previous uploaded by the user, allowing access of functions\n"
523 | "to the user unexpected to the server admin.");
524 | jspComments.push_back("System.loadLibrary");
525 | jspComments.push_back("The function loads a system library using the library name as argument.\n"
526 | "When user input is used, may allow users to load a library of his/her choice,\n"
527 | "allowing access of functions to the user unexpected to the server admin");
528 | jspComments.push_back(".exec");
529 | jspComments.push_back("This function executes the given system command. When allowing user-supplied data to be passed \n"
530 | "to this function, users will have the ability to run system operations on the server.");
531 | jspComments.push_back("new ProcessBuilder");
532 | jspComments.push_back("This function constructs a operating system process using the arguments passed to it.\n"
533 | "When user input is passed to it, allows them to execute system commands on the server");
534 | jspComments.push_back(".eval");
535 | jspComments.push_back("This function evaluates a string as Java code. Caution: the .eval language construct is \n"
536 | "very dangerous because it allows execution of arbitrary PHP code. Its use thus is \n"
537 | "discouraged. If you have carefully verified that there is no other option than to use \n"
538 | "this construct, pay special attention not to pass any user provided data into it without \n"
539 | "properly validating it beforehand.");
540 |
541 | string dir, option;
542 | fstream afile;
543 | string summaryfile;
544 | char choice;
545 | int limit, fileno;
546 | try {
547 |
548 | // Windows build: run the detector with the option and directory passed on the command line (argv[1], argv[2])
549 | #ifdef _WIN32
550 |
551 | if (argc != 3)
552 | throw 1;
553 | else {
554 |
555 | option = argv[1];
556 | dir = argv[2];
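557 | // Strip a surrounding quote from the starting directory: if the first character is " or ',
558 | // the first and last characters are both removed (the last one is not checked to be a quote)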
559 | if ((dir[0] == '"') || (dir[0] == '\'')) {
560 | dir.erase(0,1);
561 | dir.erase(dir.size()-1, 1);
562 | }
563 | FileReader reader(dir);
564 | reader.scanDirectory(dir, option, 1);
565 | }
566 |
567 | summaryfile = dir + "\\Summary\\Summary.txt";
568 |
569 | // Non-Windows build: run the detector interactively, prompting for the option and the directory
570 | #else
571 | cout << "Web Shell Detector v1.0" << endl;
572 | cout << "Please select an option:" << endl;
573 | cout << "1. Scan a directory recursively for potentially dangerous functions." << endl;
574 | cout << "2. Scan a directory recursively for web shells based on signatures." << endl;
575 | cout << "Enter option: ";
576 | getline(cin, option);
577 | cout << endl;
578 | if (option == "1") {
579 | cout << "Dangerous function scan selected." << endl;
580 | }
581 | else if (option == "2") {
582 | cout << "Web shell scan selected." << endl;
583 | }
584 | else if (option == "3") {
585 | cout << "Auto Scan selected." << endl;
586 | }
587 | else {
588 | cout << "Invalid option, exiting..." << endl;
589 | exit(0);
590 | }
591 | cout << "Enter directory path: ";
592 | getline(cin, dir);
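593 | // Strip a surrounding quote from the starting directory: if the first character is " or ',
594 | // the first and last characters are both removed (the last one is not checked to be a quote)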
595 | if ((dir[0] == '"') || (dir[0] == '\'')) {
596 | dir.erase(0,1);
597 | dir.erase(dir.size()-1, 1);
598 | }
599 | FileReader reader(dir);
600 | reader.scanDirectory(dir, option, 1);
601 | summaryfile = dir + "/Summary/Summary.txt";
602 | #endif
603 |
604 | sort(ranking.begin(), ranking.end(), comparer);
605 | afile.open(summaryfile.c_str(), ios::out | ios::app);
606 | afile << endl;
607 | for (int i=0; i < ranking.size(); i++) {
608 | afile << i+1 << ". ";
609 | afile << "Filename: " << ranking[i].filename << endl;
610 | afile << "Score: " << ranking[i].score << endl;
611 | afile << endl;
612 | }
613 | afile.close();
614 |
615 | #ifdef _WIN32
616 | #else
617 | if (ranking.size() > 0) {
618 | limit = 10;
619 | cout << "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n" << endl;
620 | cout << "Summary of Dangerous Functions Scan" << endl;
621 | cout << "========================================================" << endl;
622 | for (int i=0; i<=ranking.size(); i++) {
623 |
624 | if ((i < limit) && (i 10)
634 | cout << ", (P)revious";
635 | if (i > choice;
641 | cin.clear();
642 | cin.ignore(100, '\n');
643 |
644 | switch(choice) {
645 | case 'e':
646 | case 'E': exit(0);
647 | break;
648 | case 'p':
649 | case 'P': cout << "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n" << endl;
650 | cout << "Summary of Dangerous Functions Scan" << endl;
651 | cout << "========================================================" << endl;
652 | if ((i%10)==0)
653 | i = i - 20;
654 | else
655 | i = (i-(i%10)) - 10;
656 | limit = limit - 10;
657 | break;
658 | case 'n':
659 | case 'N': cout << "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n" << endl;
660 | cout << "Summary of Dangerous Functions Scan" << endl;
661 | cout << "========================================================" << endl;
662 | limit = limit + 10;
663 | break;
664 | case 'v':
665 | case 'V': choice = ' ';
666 | cout << "Enter file number to view log: ";
667 | cin >> fileno;
668 | reader.retrieveLog(ranking[fileno-1].filename);
669 | cout << "(B)ack, (E)xit" << endl;
670 | cout << "Enter choice: ";
671 | cin >> choice;
672 | cin.clear();
673 | cin.ignore(100, '\n');
674 | switch(choice) {
675 | case 'b':
676 | case 'B': cout << "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n" << endl;
677 | cout << "Summary of Dangerous Functions Scan" << endl;
678 | cout << "========================================================" << endl;
679 | if ((i%10)==0)
680 | i = i - 10;
681 | else
682 | i = (i-(i%10));
683 | break;
684 | case 'e':
685 | case 'E': exit(0);
686 | break;
687 | default : cout << "Please select a valid choice" << endl;
688 | }
689 | break;
690 | default: cout << "Please select a valid choice" << endl;
691 | }
692 | i--;
693 | }
694 | }
695 | }
696 | #endif
697 | }
698 | // Any thrown int or exception ends the program with return value 1; no error message is reported
699 | catch (int n) {
700 | return 1;
701 | }
702 | catch (exception e) {
703 | return 1;
704 | }
705 |
706 | return 0;
707 | }
708 |
709 |
--------------------------------------------------------------------------------
/src/md5-signatures-w-names:
--------------------------------------------------------------------------------
1 | 50635cfab8b52190a732af2f18d8f7cc
2 | accept_language
3 | 93d1a2e13a3368a2472043bd6331afe9
4 | Ajax_PHPCommandShell
5 | 7b4e81ba8703e7ebeca0001ed18263b3
6 | AK-74SecurityTeamWebShellBetaVersion
7 | 9a18b844240259ad8a34b82209b574e7
8 | AntichatShell.ModifiedbyGo0o$E
9 | 128e90b5e2df97e21e96d8e268cde7e3
10 | AntichatShell
11 | 40d0abceba125868be7f3f990f031521
12 | AntichatShellv1.3
13 | 184901d7b9a409f76f7647167e07abe5
14 | AyyildizTim-AYT-Shellv2.1Biz
15 | 26b2d3943395682e36da06ed493a3715
16 | aZRaiLPhpv1.0
17 | 89b44581dd1760b0d7181692b28c2997
18 | b374k-mini-shell-php
19 | 06de49bb09977bae1981676cde1e344c
20 | b374k
21 | ab1a06ab1a1fe94e3f3b7f80eedbc12f
22 | backupsql
23 | ebcd8da8e0bb3fc8092379933e5a34ab
24 | c0derzshell[csh]v.0.1.1release
25 | 38fd7e45f9c11a37463c3ded1c76af4c
26 | c99_locus7s
27 | 0e2bcce5189a5c8de2785977e83aa413
28 | c99_madnet
29 | c478958ee813994853eb7bcaedaf87a8
30 | C99madShellv.2.0madnetedition
31 | 61a92ce63369e2fa4919ef0ff7c51167
32 | c99
33 | cf37833c6c6e603e1d3be1a9056a1ebf
34 | c99_PSych0
35 | bbaba04910d91fc14a53f01115cb652b
36 | C99Shellv.1.0beta(5.02.2005)
37 | 58242026b70dd896d3e8798cea88f941
38 | C99Shellv.1.0pre-releasebuild(safe-mode)
39 | 9c34adbc8fd8d908cbb341734830f971
40 | c99_w4cking
41 | 5e2ede2d1c4fa1fcc3cbfe0c005d7b13
42 | CasuS1.5
43 | da7e313938d2a976eb0c46318755807c
44 | CmdAsp
45 | fdbf54d5bf3264eb1c4bff1fac548879
46 | Crystal
47 | 0e4dc2d07f334c26dbba6291f0a66156
48 | Crystalshell
49 | 7f8f092a534010cf45fd31c434980a26
50 | CrystalShellv.1
51 | e408bbaca8ab4f0b6de2f012671c68fb
52 | CTTShell
53 | 671cad517edd254352fe7e0c7c981c39
54 | ctt_sh
55 | ef8828e0bc0641a655de3932199c0527
56 | cybershell
57 | 9a80c3a8db3e2c81bbac680cda989ee2
58 | CyberShell
59 | 46a18979750fa458a04343cf58faa9bd
60 | CyberShell(v1.0)
61 | fc1fd3b425a779a5e72722daff765b27
62 | CyberSpy5
63 | 433706fdc539238803fd47c4394b5109
64 | dC3SecurityCrewShellPRiV
65 | 1b5102bdc41a7bc439eea8f0010310a5
66 | DiveShell1.0-EmperorHackingTeam
67 | 366ad973a3f327dfbfb915b0faaea5a6
68 | DToolPro
69 | 9cfe372d49fe8bf2fac8e1c534153d9b
70 | Dx
71 | 2a726fccf7c7c685481750114e9714ee
72 | DxShell.1.0
73 | f6ed34c9d4276ffef65b97b77ecb3e7d
74 | DxShellv1.0
75 | a341270f9ebd01320a7490c12cb2e64c
76 | EFSO_2
77 | ccf48af0c8c09bbd038e610a49c9862e
78 | Elmaliseker
79 | 3aa403e0a42badb2c23d4a54ef43e2f4
80 | ELMALISEKERBackd00r
81 | bc486c2e00b5fc3e4e783557a2441e6f
82 | GammaWebShell
83 | a2516ac6ee41a7cf931cbaef1134a9e4
84 | gfs_sh
85 | 3ee979808ce2b2fb7b54639d2614e7ee
86 | GFSWeb-Shell
87 | a77bd663f0a02ac1c14c8c82861175cd
88 | GFSweb-shellver3.1.7-PRiV8
89 | 5d0352dd49ecd05b05e083484924d7c7
90 | go-shell
91 | 7eea859c8799e895be2c75f817a72c34
92 | GRPWebShell2.0releasebuild2018(C)2006,Great
93 | 06ed0b2398f8096f1bebf092d0526137
94 | h4ntushell[poweredbytsoi]
95 | c2f3327d60884561970c63ffa09439a4
96 | iMHaBiRLiGiPhpFTP
97 | 12911b73bc6a5d313b494102abcf5c57
98 | iMHaPFtp
99 | 135fc50f85228691b401848caef3be9e
100 | indexer
101 | 8bfa2eeb8a3ff6afc619258e39fded56
102 | ironshell
103 | 3f9acbd76c536c0838744845f9cf50ec
104 | JspWebshell1.2
105 | 685f5d4f7f6751eaefc2695071569aab
106 | KAdotUniversalShellv0.1.6
107 | 527cf81f9272919bf872007e21c4bdda
108 | KA_uShell0.1.6
109 | ed4083affc99bd75c361f6d908d5f49f
110 | klasvayv
111 | de9abc2e38420cad729648e93dfc6687
112 | lamashell
113 | c6eeacbe779518ea78b8f7ed5f63fc11
114 | Liz0ziMPrivateSafeModeCommandExecuritonBypassExploit
115 | bd05310a77ff9aa72b6cc3289e99bbd7
116 | LoaderzWEBShell
117 | de0b7923a98c1e6a750222c2b5d5738d
118 | load_shell
119 | e24cbf0e294da9ac2117dc660d890bb9
120 | Macker'sPrivatePHPShell
121 | 1a95f0163b6dea771da1694de13a3d8d
122 | matamu
123 | d1b7b311a7ffffebf51437d7cd97dc65
124 | MoroccanSpamersMa-EditioNByGhOsT
125 | 9cd8c95fd47ca61f655cf2aa2d480c1f
126 | MyShell
127 | 31566c70aabf203ab7166202ec197792
128 | Mysqlinterfacev1.0
129 | 12bbdf6ef403720442a47a3cc730d034
130 | mysql
131 | 5fbe4d8edeb2769eda5f4add9bab901e
132 | mysql_tool
133 | 6f5357ecedaaf3c6ca5cd6040dd86971
134 | MySQLWebInterfaceVersion0.8
135 | 77970bda2a9061e9f48385ea6cca0699
136 | NCC-Shell
137 | acdbba993a5a4186fd864c5e4ea0ba4f
138 | NetworkFileManagerPHP
139 | 6a056393dfb4451cae44075bca0ab63d
140 | NFM1.8
141 | cc6e570a7500dcbd78629c51efd5119c
142 | NGH
143 | 734d4743e00031fd4afb85f456eec00e
144 | NIXREMOTEWEBSHELL
145 | f3ca29b7999643507081caab926e2e74
146 | NIXREMOTEWEB-SHELLv.0.5alphaLitePublicVersion
147 | 4a44d82da21438e32d4f514ab35c26b6
148 | nshell
149 | 4745d510fed4378e4b1730f56f25e569
150 | nstview
151 | 3871888a0c1ac4270104918231029a56
152 | nsTViewv2.1
153 | f6262f3ad9f73b8d3e7d9ea5ec07a357
154 | NTDaddyv1.9
155 | 72066ebafdf76d14fcb0c198bbda021c
156 | PerlWebShellbyRST-GHC
157 | 52779a27fa377ae404761a7ce76a5da7
158 | PHANTASMA
159 | 2b5cb105c4ea9b5ebc64705b4bd86bf7
160 | php-backdoor
161 | 4e913f159e33867be729631a7ca46850
162 | php-include-w-shell
163 | d7a4b0df45d34888d5a09f745e85733f
164 | pHpINJ
165 | e2830d3286001d1455479849aacbbb38
166 | PHPJackal
167 | b4a09911a5b23e00b55abe546ded691c
168 | phpRemoteView
169 | a2f8fa4cce578fc9c06f8e674b9e63fd
170 | PHPShell
171 | 3998f59252b56a7e50923b9d8e47704f
172 | PhpSpyVer2006
173 | 35fb37f3c806718545d97c6559abd262
174 | PHVayv
175 | 205ecda66c443083403efb1e5c7f7878
176 | PHVayv
177 | 9a71dafe76c34fc36b0d8c8bbdf7165e
178 | Predator
179 | 13f5c7a035ecce5f9f380967cf9d4e92
180 | Private-i3lue
181 | ecdc6c20f62f99fa265ec9257b7bf2ce
182 | pws
183 | 513b7be8bd0595c377283a7c87b44b2e
184 | r57_iFX
185 | 1d912c55b96e2efe8ca873d6040e3b30
186 | r57_kartal
187 | e5b2131dd1db0dbdb43b53c5ce99016a
188 | r57_Mohajer22
189 | 085d2b3b585846128083cb3e329ea1cc
190 | r57shell
191 | 4108f28a9792b50d95f95b9e5314fa1e
192 | r57
193 | b598c8b662f2a1f6cc61f291fb0a6fa2
194 | reader
195 | 7d3a0fd7a5e8a5e5e23c632a9a857ec5
196 | RedhatC99[login=redhat-pass=root]
197 | b69670ecdbb40012c73686cd22696eeb
198 | RemExp
199 | e147350a686e5cbe6a2cfc230d324aab
200 | rootshell
201 | e0823dee1f9ddf471773e5232e453eef
202 | Rootshell.v.1.0
203 | 5b334d494564393f419af745dc1eeec7
204 | ru24_post_sh
205 | c2e8346a5515c81797af36e7e4a3828e
206 | s72Shellv1.1Coding
207 | 6163b30600f1e80d2bb5afaa753490b6
208 | Safe0verShell-SafeModBypassByEvilc0der
209 | 49ad9117c96419c35987aaa7e2230f63
210 | Safe_ModeBypassPHP4.4.2andPHP5.1.2
211 | 089ff24d978aeff2b4b2869f0c7d38a3
212 | SimAttacker-Vrsion1.0.0-priv84Myfriend
213 | f091d1b9274c881f8e41b2f96e6b9936
214 | simple-backdoor
215 | c6381412df74dbf3bcd5a2b31522b544
216 | simple_cmd
217 | 37cb1db26b1b0161a4bf678a6b4565bd
218 | SimShell1.0-SimorghSecurityMGZ
219 | b68b90ff6012a103e57d141ed38a7ee9
220 | Sincap1.0
221 | b8983d3388ba2d4f73e3113ad15b3a14
222 | SmallWebShellbyZaCo
223 | 911195a9b7c010f61b66439d9048f400
224 | SnIpEr_SAShell
225 | f0aafe3fed7534beaebcb6eb8e5203fd
226 | STNCWebShellv0.8
227 | 0b53b67bb3b004a8681e1458dd1895d0
228 | Uploader
229 | 330af9337ae51d0bac175ba7076d6299
230 | Web-shell(c)ShAnKaR
231 | 17ab5086aef89d4951fe9b7c7a561dda
232 | WinXShell
233 | f00f6fc8333cc430a1a736e01f2cee32
234 | WorseLinuxShell
235 | 5295ee8dc2f5fd416be442548d68f7a6
236 | zacosmall
237 | 5b496a61363d304532bcf52ee21f5d55
238 | zehir4
239 | 3db7345ccff92af13f3ef6b3f0f5d541
240 | ZyklonShell
241 | d7346a76a829f24c4b0d9a5a7bcda10a
242 | testphpshell
243 | edd553f8e6e18df648afe55c536a2420
244 | md5signshell
245 | ddb8cc2104239b861c21a9b0721ac905
246 | GFS-PHP-Web-Shell
247 | 560a0a62fa8fa4870a4dedccc57624ef
248 | Safe-Mode-Bypass-PHP4.4.2-PHP5.1.2-Shell
249 | d5b40d4fbdfda93068431b3a18588faf
250 | R57-Mohajer22-PHP-Shell
251 | 95d4d053bb56bbf322130ed393916f7c
252 | MySQL-Web-Interface-v0.8-PHP-Shell
253 | 08f1f93f4995bfe718bf45823eaa3874
254 | AK-74-Security-Team-PHP-Shell
255 | fde2f85efd759372b85ee18513e0f3cf
256 | Crystal-PHP-Shell
257 | f2486455f9c9b036dc11b05e088e0f2e
258 | Simple-Backdoor-PHP-Shell
259 | a79d0edfd5f8a80f33b5565bf8e5f8ed
260 | Vayv-PHP-Shell
261 | d826e96c691fbd3862eeca8e452b4c72
262 | Root-PHP-Shell
263 | 1b48f3319863be58f605dc371350b007
264 | RST-GHC-Perl-Shell
265 | 0ad65ec7ddbab3a31b3527da9c97e7aa
266 | Redhat-C99-PHP-Shell
267 | fe78652fbd3bb101f083e740cb7157e9
268 | NFM-v1.8-PHP-Shell
269 | aac63d035365667a03cca8faf05dc3bb
270 | GFS-PHP-Shell
271 | 7d991cbfa626f5fa7e45cd4ad65191cd
272 | Web-Shell-Shankar-PHP-Shell
273 | 821b6afa6d51e39aa80594c96cde88f9
274 | c0derz-[csh]-v0.1.1-release-PHP Shell
275 | 1d58f1ff532a87197d862173aa13284d
276 | Simple-CMD-PHP-Shell
277 | ea9489af558fa16c9b1344f7749c0b07
278 | NIX-Remote-PHP-Shell
279 | 4f48450cd7edc56f909c10d6689e713a
280 | NNIX-Remote-AlphaLite-v0.5-PHP-Shell
281 | 1a170bcc814ef07ccd9a8436674ad5b6
282 | Safe0ver-Safe-Mod-PHP-Shell
283 | 6751b298a32e11415188467a258806ff
284 | PhpSpy-v2006-PHP-Shell
285 | 14f231db07d79c73267c312633133039
286 | PHP-Jackal-PHP-Shell
287 | 622a891f1e6ed792b09d37a344ec4c2c
288 | ru24-Post-Shell
289 | 5ac112208e3c5e0498159fbe5922a0a3
290 | NSTView-v2.1-PHP-Shell
291 | f7f6262feadf8d55e9260ec44f468c0d
292 | C99-PHP-Shell
293 | 9c91eba33da86e268b8e4df4837a0993
294 | Reader-ASP-Shell
295 | c3d852459d4bbeca385e5706f8772aff
296 | WinX-PHP-Shell
297 | 267cc54004f2d989c1b87248087d90bd
298 | Elmaliseker-ASP-Shell
299 | 2fb5288b2794ccac31563def7de35a55
300 | CyberSpy-V5-ASP-Shell.asp
301 | fca5a52a9e257956fd6cea92c7e551c3
302 | Crystal-V1-PHP-Shell
303 | 15b70395d134e28cee95e46af140615d
304 | C99-Locus7s-PHP-Shell
305 | ca80e87f44bb1abaa0f8269bd21b1442
306 | C99-PSych0-PHP-Shell
307 | cd6ff12340d2ff38fb59b9ba0eb63736
308 | Predator-PHP-Shell
309 | 17a03899cc13410917677072e568e594
310 | NShell-PHP-Shell
311 | 4a2c2c32488a77c355454e1c8637126d
312 | Sniper-SA-PHP-Shell
313 | 502b30932daac9436c98599f34cc3bb3
314 | Crystal-v2-PHP-Shell
315 | eb17f0dbf8bfd64929c87871103b8629
316 | MySQL-Interface-PHP-Shell
317 | 395a84db89ecaefca8cc87a551e247ec
318 | DxShell-v1.0-PHP-Shell
319 | 64134e993c13a0da658904e93a20cd1a
320 | Hidden-v1-PHP-Shell
321 | b8a6b2d7550e2af119748069d93948e6
322 | Worse-Linux-PHP-Shell
323 | 785852cb52ec3e216b3e5e431fadb603
324 | PHP-INJ-PHP-Shell
325 | 6c66f5bfd46dfe47d43e6f2bcb1d6752
326 | KA-Shell-v0.1.6-PHP-Shell
327 | 8f479d9141fe94b8a19f107008b72fef
328 | Dive-v1-Emperor-Hacking-Team-PHP-Shell
329 | 21a20d2d6cf4f092385bce24e5cd6b98
330 | MyShell-PHP-Shell
331 | ba0bd1a94c78bba2bdddaa483a81bb48
332 | R57-iFX-PHP-Shell
333 | 70a2b7b16ad1a28b9fdf522096338825
334 | GRP-WebShell-v2-build2018-PHP-Shell
335 | dfffb3387006ebbb04f8d574126a9887
336 | Moroccan-Spammers-Ghost-PHP-Shell
337 | 98f21b6e766c53b53406d1977fe7a1c3
338 | AntiChat-v1.3-PHP-Shell
339 | 3030b9a577037984521a5d8b117755b6
340 | Klasvayv-ASP-Shell
341 | 65f092c4b834e5c76c8f7dc69516d39b
342 | Indexer-ASP-Shell
343 | d3af52e2fd1c42a5a505894bb851c2dd
344 | Lizozim-Safe-Mode-PHP-Shell
345 | 846dbbeb513a19b18897a9d49bd4a0c5
346 | SimAttacker-v1-PHP-Shell
347 | 018107375c2b8ae420398aca4b62354d
348 | PHVayv-PHP-Shell
349 | f67085d12b859e139a58af7b81cfa45f
350 | NSTview-PHP-Shell
351 | 4bfcd4da8adfe70f04409f6110034f63
352 | CyberShell-PHP-Shell
353 | 25844dc81e6522167ae076fbdfc7a999
354 | R57-PHP-Shell
355 | 59340e1d5065a4c4ddad297c6e8262f0
356 | CTT-PHP-Shell
357 | 68757e4f902c39c17968c2396f2dfc8b
358 | NGH-Perl-Shell
359 | 65ea0ff27db4de62996c104d8d0c765e
360 | B374K-PHP-Shell
361 | b56114f21bda189544d1b99f1d960d18
362 | Uploader-PHP-Shell
363 | 63e31c72debc174845332a51a29c911d
364 | MySQL-Toolkit-PHP-Shell
365 | 3537e6dcab1031084cc41d5c67e0ea4a
366 | ZacoSmall-PHP-Shell
367 | ab03fcc097342aeaadccc936ff480f21
368 | BackupSQL-PHP-Shell
369 | 58aadb545d0a9165d853d4691d10db92
370 | Include-PHP-Shell
371 | 931b5d10d9270a78b04b8b950ce58f89
372 | Ajax-Command-PHP-Shell
373 | 08c1232f0805f10d0d229789a8d88c92
374 | Casus-v1.5-PHP-Shell
375 | 27149ed2d0671dc78699a30eb73ae933
376 | Cmd-ASP-Shell
377 | c40ae2b9ebeb23b15470e3e3f26403b0
378 | LamaShell-PHP-Shell
379 | 95f45f9cf936276638ad984fa84fb0eb
380 | GFS-v3.1.7-PHP-Shell
381 | 8e5e589ff62cb884e55be89eb8d64da9
382 | DTool-Pro-PHP-Shell
383 | 0646d1a5be2df5218d2bef3ced49bade
384 | Zehir4-ASP-Shell
385 | 470d1e3ca7d5ab3b2b12061f38ce42ef
386 | C99Shell-v1.0-pre-release-PHP-Shell
387 | 1d890d7a52fc3a319a950a1e372d4386
388 | NCC-PHP-Shell
389 | 11f2f619c15fb88ea665858445993422
390 | MySQL-Interface-v1.0-PHP-Shell
391 | 8488a96e6a24b39417a6a1aadbf0c126
392 | SimShell-v1-MGZ-PHP-Shell
393 | 846d253a08fcb3048124d0cc45a34a36
394 | R57-PHP-Shell
395 | 943ac583a672a987d2126cb6b28aab10
396 | AntiChat-PHP-Shell
397 | 349971a8c7e68b8e293160b4fe6eab99
398 | CTT-PHP-Shell
399 | c634a1abecca8aa3a7e3522ec6005976
400 | Small-Web-Shell-ZACO-PHP-Shell
401 | 2b2f23a7b8d92ad8f71c786529e0bd8b
402 | RootShell-v1-PHP-Shell
403 | e193ae5ed798393274fef8289c7c7790
404 | NetworkFileManager-PHP-Shell
405 | 492b2a65c562e409a054f6d38f95ca24
406 | HANTU-PHP-Shell
407 | cd23eceb1713077156becfe9d12c2d6c
408 | PHP-Shell
409 | 90d0d3c0ba307c4d7b5bf76db0d0165b
410 | C99Shell-v1-beta-5.02.2005-PHP-Shell
411 | 342b569dc7da8cb0a4776a1b952418cc
412 | Loaderz-WEB-PHP-Shell
413 | f5b8abd057a07584d6371b0ab32dbbd8
414 | phpRemoteView-PHP-Shell
415 | 7463568baf11945e8c9a1d9205be6467
416 | STNC-v0.8-PHP-Shell
417 | d74e776665120710e117d8b3c247b061
418 | S72-v1.1-PHP-Shell
419 | 600cb3c717dcce0e7149732e7df56fbb
420 | AntiChat-Shell-Mod-Goose-PHP-Shell
421 | df813eabaab0aa094042be33593a955c
422 | IronShell-PHP-Shell
423 | d1c73ac4f7fd43fc6c08381e1a56c5f4
424 | Sincap-v1-PHP-Shell
425 | 6d79b9c1d136f71c339fdf108aba2d27
426 | Ayyildiz-Tim-AYT-v2.1-PHP-Shell
427 | d25501a088abf964e7d6d8a0408edfb8
428 | C99-Wacking-PHP-Shell
429 | 6ce2f5f11712ad22b8b2445a8eb3460c
430 | RemExp-ASP-Shell
431 | 8216938b857e0827908766f2969513c1
432 | Cyber-PHP-Shell
433 | 68191fb6029b2226bc9749e2fe70c2de
434 | Private-Blue-PHP-Shell
435 | 7a8a2106f204c9ad8b953d124b509377
436 | Cyber-Shell-v1-PHP-Shell
437 | 99bab1c35e2c33107905064cd7aef721
438 | GO-Perl-Shell
439 | 94bd07fae04cabd86a5080a395590897
440 | PWS-PHP-Shell
441 | bfb90e873ae41201dc3359d6a2233070
442 | Macker-Private-PHP-Shell
443 | 8a06afc1e88a1d406ae1c5dd49bccf50
444 | DC3-Security-Crew-PHP-Shell
445 | e2aef0e2de50f645050f975c2d2acfb7
446 | PHANTASMA-PHP-Shell
447 | 3fd71f271bfcac8c8ced9f986dad5983
448 | B374K-mini-PHP-Shell
449 | 54d536ea08351e243489419abcf16f0a
450 | JSP-v1.2-PHP-Shell
451 | ec11e442d5d6ebe49350621caf9f9ea2
452 | R57-Kartal-PHP-Shell
453 | b609989f4a4626f19303ebc11842227b
454 | /hZyklon-PHP-Shell
455 | c9cb898638e346a8efa883a6a3fad370
456 | C99-Madnet-PHP-Shell
457 | bb3a2436cf6212228acf54f3544b57b7
458 | NTDaddy-v1.9-PHP-Shell
459 | 2ec9a66141052d68259d73b16e0f2445
460 | Dx-PHP-Shell
461 | dd6b114975b96a86e403c67b907203fc
462 | Matamu-PHP-Shell
463 | 5852d20ca7b6fdc19cdcf778495f70cd
464 | EFSO-v2-ASP-Shell
465 | 697e4de01f6b04d8ddd3396054dcf0ba
466 | DxShell-v1-PHP-Shell
467 | 180bccaff2558144cef732ea93872cd8
468 | IMHAP-FTP-PHP-Shell
469 | fff8c6aa49f7c78f67bb79c4eb1bb6cf
470 | AZRaiL-v1-PHP-Shell
471 | b7063f16a052f84e344734b48b08c005
472 | LOAD-PHP-Shell
473 | e775f7844d6698b539f8e2cd42925b60
474 | KADOT-Universal-v0.1.6-PHP-Shell
475 | d3e2c8422b489a68833f0bc689e73f59
476 | Gamma-Perl-Shell
477 | 5b904ddaadb5c17fb899d228605011c5
478 | Accept-Language-PHP-Shell
479 | 0032e6ae0f3e847187d07518a12b6ada
480 | C99-MadShell-v2-PHP-Shell
481 | cd90de93996a1b74ef57e7a0763d7770
482 | Backd00r-PHP-Shell
483 |
--------------------------------------------------------------------------------
/src/md5.h:
--------------------------------------------------------------------------------
1 | //orion-webshell-detector by v00d0089 & gaber52
2 | //file: md5.h
3 |
4 | #ifndef MD5_H
5 | #define MD5_H
6 |
7 | // Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
8 | // rights reserved.
9 |
10 | // License to copy and use this software is granted provided that it
11 | // is identified as the "RSA Data Security, Inc. MD5 Message-Digest
12 | // Algorithm" in all material mentioning or referencing this software
13 | // or this function.
14 | //
15 | // License is also granted to make and use derivative works provided
16 | // that such works are identified as "derived from the RSA Data
17 | // Security, Inc. MD5 Message-Digest Algorithm" in all material
18 | // mentioning or referencing the derived work.
19 | //
20 | // RSA Data Security, Inc. makes no representations concerning either
21 | // the merchantability of this software or the suitability of this
22 | // software for any particular purpose. It is provided "as is"
23 | // without express or implied warranty of any kind.
24 | //
25 | // These notices must be retained in any copies of any part of this
26 | // documentation and/or software.
27 |
28 |
29 |
30 | // The original md5 implementation avoids external libraries.
31 | // This version has dependency on stdio.h for file input and
32 | // string.h for memcpy.
33 | #include
34 | #include
35 |
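#pragma region MD5 defines
// Per-round left-rotation amounts used by MD5Transform (RFC 1321).
#define S11 7
#define S12 12
#define S13 17
#define S14 22
#define S21 5
#define S22 9
#define S23 14
#define S24 20
#define S31 4
#define S32 11
#define S33 16
#define S34 23
#define S41 6
#define S42 10
#define S43 15
#define S44 21

// Padding fed to Update() by Final(): one 0x80 byte followed by zeros.
// The 63 elements not listed are zero-initialized by the language.
static unsigned char PADDING[64] = { 0x80 };

// F, G, H and I are basic MD5 functions. Every argument is parenthesized,
// including under '~', so the macros stay correct for compound expressions.
#define F(x, y, z) (((x) & (y)) | ((~(x)) & (z)))
#define G(x, y, z) (((x) & (z)) | ((y) & (~(z))))
#define H(x, y, z) ((x) ^ (y) ^ (z))
#define I(x, y, z) ((y) ^ ((x) | (~(z))))

// ROTATE_LEFT rotates x left n bits. x must be exactly 32 bits wide: with a
// wider type the bits shifted past bit 31 are kept and the result is wrong.
#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))

// FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4.
// Rotation is separate from addition to prevent recomputation.
#define FF(a, b, c, d, x, s, ac) { \
    (a) += F ((b), (c), (d)) + (x) + (UINT4)(ac); \
    (a) = ROTATE_LEFT ((a), (s)); \
    (a) += (b); \
}
#define GG(a, b, c, d, x, s, ac) { \
    (a) += G ((b), (c), (d)) + (x) + (UINT4)(ac); \
    (a) = ROTATE_LEFT ((a), (s)); \
    (a) += (b); \
}
#define HH(a, b, c, d, x, s, ac) { \
    (a) += H ((b), (c), (d)) + (x) + (UINT4)(ac); \
    (a) = ROTATE_LEFT ((a), (s)); \
    (a) += (b); \
}
#define II(a, b, c, d, x, s, ac) { \
    (a) += I ((b), (c), (d)) + (x) + (UINT4)(ac); \
    (a) = ROTATE_LEFT ((a), (s)); \
    (a) += (b); \
}
#pragma endregion

typedef unsigned char BYTE;

// POINTER defines a generic pointer type
typedef unsigned char *POINTER;

// UINT2 defines a two byte word
typedef unsigned short int UINT2;

// UINT4 defines a four byte word.
// 'unsigned long' is eight bytes on LP64 targets (64-bit Linux, macOS), where
// ROTATE_LEFT and the bit-count carry in Update() would then compute wrong
// digests, so no signature would ever match. 'unsigned int' is four bytes on
// the Windows and Unix targets this tool builds for.
typedef unsigned int UINT4;

// Compile-time guard that also works before C++11: the array size is
// negative, and the build fails, if UINT4 is not exactly four bytes.
typedef char MD5_UINT4_must_be_four_bytes[(sizeof(UINT4) == 4) ? 1 : -1];


// Convenience object that wraps the C functions for use in C++ only.
//
// Usage: call digestFile(), digestMemory() or digestString(); each returns
// digestChars, the digest as 32 lowercase hex digits plus a NUL. The raw
// 16 bytes are left in digestRaw. The returned pointer refers to storage
// inside this object and is overwritten by the next digest call.
//
// Detection caveat: an MD5 signature only matches a byte-for-byte identical
// file, so a single changed byte is enough to miss it. MD5 is also not
// collision resistant; use it here as a known-bad lookup key only, never as
// evidence that a file is trustworthy or unmodified.
class MD5
{
private:
    // Running state of one digest operation.
    struct context_t {
        UINT4 state[4];           /* state (ABCD) */
        UINT4 count[2];           /* number of bits, modulo 2^64 (lsb first) */
        unsigned char buffer[64]; /* input buffer */
    } context;

#pragma region static helper functions
    // The core of the MD5 algorithm is here.
    // MD5 basic transformation. Transforms state based on one 64-byte block.
    static void MD5Transform( UINT4 state[4], unsigned char block[64] )
    {
        UINT4 a = state[0], b = state[1], c = state[2], d = state[3], x[16];

        // Unpack the block into sixteen little-endian 32-bit words.
        Decode (x, block, 64);

        /* Round 1 */
        FF (a, b, c, d, x[ 0], S11, 0xd76aa478); /* 1 */
        FF (d, a, b, c, x[ 1], S12, 0xe8c7b756); /* 2 */
        FF (c, d, a, b, x[ 2], S13, 0x242070db); /* 3 */
        FF (b, c, d, a, x[ 3], S14, 0xc1bdceee); /* 4 */
        FF (a, b, c, d, x[ 4], S11, 0xf57c0faf); /* 5 */
        FF (d, a, b, c, x[ 5], S12, 0x4787c62a); /* 6 */
        FF (c, d, a, b, x[ 6], S13, 0xa8304613); /* 7 */
        FF (b, c, d, a, x[ 7], S14, 0xfd469501); /* 8 */
        FF (a, b, c, d, x[ 8], S11, 0x698098d8); /* 9 */
        FF (d, a, b, c, x[ 9], S12, 0x8b44f7af); /* 10 */
        FF (c, d, a, b, x[10], S13, 0xffff5bb1); /* 11 */
        FF (b, c, d, a, x[11], S14, 0x895cd7be); /* 12 */
        FF (a, b, c, d, x[12], S11, 0x6b901122); /* 13 */
        FF (d, a, b, c, x[13], S12, 0xfd987193); /* 14 */
        FF (c, d, a, b, x[14], S13, 0xa679438e); /* 15 */
        FF (b, c, d, a, x[15], S14, 0x49b40821); /* 16 */

        /* Round 2 */
        GG (a, b, c, d, x[ 1], S21, 0xf61e2562); /* 17 */
        GG (d, a, b, c, x[ 6], S22, 0xc040b340); /* 18 */
        GG (c, d, a, b, x[11], S23, 0x265e5a51); /* 19 */
        GG (b, c, d, a, x[ 0], S24, 0xe9b6c7aa); /* 20 */
        GG (a, b, c, d, x[ 5], S21, 0xd62f105d); /* 21 */
        GG (d, a, b, c, x[10], S22, 0x02441453); /* 22 */
        GG (c, d, a, b, x[15], S23, 0xd8a1e681); /* 23 */
        GG (b, c, d, a, x[ 4], S24, 0xe7d3fbc8); /* 24 */
        GG (a, b, c, d, x[ 9], S21, 0x21e1cde6); /* 25 */
        GG (d, a, b, c, x[14], S22, 0xc33707d6); /* 26 */
        GG (c, d, a, b, x[ 3], S23, 0xf4d50d87); /* 27 */
        GG (b, c, d, a, x[ 8], S24, 0x455a14ed); /* 28 */
        GG (a, b, c, d, x[13], S21, 0xa9e3e905); /* 29 */
        GG (d, a, b, c, x[ 2], S22, 0xfcefa3f8); /* 30 */
        GG (c, d, a, b, x[ 7], S23, 0x676f02d9); /* 31 */
        GG (b, c, d, a, x[12], S24, 0x8d2a4c8a); /* 32 */

        /* Round 3 */
        HH (a, b, c, d, x[ 5], S31, 0xfffa3942); /* 33 */
        HH (d, a, b, c, x[ 8], S32, 0x8771f681); /* 34 */
        HH (c, d, a, b, x[11], S33, 0x6d9d6122); /* 35 */
        HH (b, c, d, a, x[14], S34, 0xfde5380c); /* 36 */
        HH (a, b, c, d, x[ 1], S31, 0xa4beea44); /* 37 */
        HH (d, a, b, c, x[ 4], S32, 0x4bdecfa9); /* 38 */
        HH (c, d, a, b, x[ 7], S33, 0xf6bb4b60); /* 39 */
        HH (b, c, d, a, x[10], S34, 0xbebfbc70); /* 40 */
        HH (a, b, c, d, x[13], S31, 0x289b7ec6); /* 41 */
        HH (d, a, b, c, x[ 0], S32, 0xeaa127fa); /* 42 */
        HH (c, d, a, b, x[ 3], S33, 0xd4ef3085); /* 43 */
        HH (b, c, d, a, x[ 6], S34, 0x04881d05); /* 44 */
        HH (a, b, c, d, x[ 9], S31, 0xd9d4d039); /* 45 */
        HH (d, a, b, c, x[12], S32, 0xe6db99e5); /* 46 */
        HH (c, d, a, b, x[15], S33, 0x1fa27cf8); /* 47 */
        HH (b, c, d, a, x[ 2], S34, 0xc4ac5665); /* 48 */

        /* Round 4 */
        II (a, b, c, d, x[ 0], S41, 0xf4292244); /* 49 */
        II (d, a, b, c, x[ 7], S42, 0x432aff97); /* 50 */
        II (c, d, a, b, x[14], S43, 0xab9423a7); /* 51 */
        II (b, c, d, a, x[ 5], S44, 0xfc93a039); /* 52 */
        II (a, b, c, d, x[12], S41, 0x655b59c3); /* 53 */
        II (d, a, b, c, x[ 3], S42, 0x8f0ccc92); /* 54 */
        II (c, d, a, b, x[10], S43, 0xffeff47d); /* 55 */
        II (b, c, d, a, x[ 1], S44, 0x85845dd1); /* 56 */
        II (a, b, c, d, x[ 8], S41, 0x6fa87e4f); /* 57 */
        II (d, a, b, c, x[15], S42, 0xfe2ce6e0); /* 58 */
        II (c, d, a, b, x[ 6], S43, 0xa3014314); /* 59 */
        II (b, c, d, a, x[13], S44, 0x4e0811a1); /* 60 */
        II (a, b, c, d, x[ 4], S41, 0xf7537e82); /* 61 */
        II (d, a, b, c, x[11], S42, 0xbd3af235); /* 62 */
        II (c, d, a, b, x[ 2], S43, 0x2ad7d2bb); /* 63 */
        II (b, c, d, a, x[ 9], S44, 0xeb86d391); /* 64 */

        state[0] += a;
        state[1] += b;
        state[2] += c;
        state[3] += d;

        // Zeroize sensitive information.
        // NOTE(review): a compiler may drop a memset of a dying local; that
        // is harmless for hashing files but would matter for secret input.
        memset((POINTER)x, 0, sizeof (x));
    }

    // Encodes input (UINT4) into output (unsigned char), least significant
    // byte first. Assumes len, the number of output bytes, is a multiple of 4.
    static void Encode( unsigned char *output, UINT4 *input, unsigned int len )
    {
        unsigned int i, j;

        for (i = 0, j = 0; j < len; i++, j += 4) {
            output[j]   = (unsigned char)(input[i] & 0xff);
            output[j+1] = (unsigned char)((input[i] >> 8) & 0xff);
            output[j+2] = (unsigned char)((input[i] >> 16) & 0xff);
            output[j+3] = (unsigned char)((input[i] >> 24) & 0xff);
        }
    }

    // Decodes input (unsigned char) into output (UINT4), least significant
    // byte first. Assumes len, the number of input bytes, is a multiple of 4.
    static void Decode( UINT4 *output, unsigned char *input, unsigned int len )
    {
        unsigned int i, j;

        for (i = 0, j = 0; j < len; i++, j += 4)
            output[i] = ((UINT4)input[j]) | (((UINT4)input[j+1]) << 8) |
                (((UINT4)input[j+2]) << 16) | (((UINT4)input[j+3]) << 24);
    }
#pragma endregion


public:
    // MAIN FUNCTIONS

    // Starts a fresh context and clears both result buffers, so digestChars
    // is an empty string until a digest has been computed.
    MD5()
    {
        memset(digestRaw, 0, sizeof (digestRaw));
        memset(digestChars, 0, sizeof (digestChars));
        Init();
    }

    // MD5 initialization. Begins an MD5 operation, writing a new context.
    void Init()
    {
        context.count[0] = context.count[1] = 0;

        // Load magic initialization constants.
        context.state[0] = 0x67452301;
        context.state[1] = 0xefcdab89;
        context.state[2] = 0x98badcfe;
        context.state[3] = 0x10325476;
    }

    // MD5 block update operation. Continues an MD5 message-digest
    // operation, processing another message block, and updating the
    // context. A NULL or zero-length input leaves the context unchanged.
    void Update(
        unsigned char *input,    // input block
        unsigned int inputLen )  // length of input block
    {
        unsigned int i, index, partLen;

        // Nothing to hash; this also keeps a NULL pointer away from memcpy.
        if (input == NULL || inputLen == 0)
            return;

        // Compute number of bytes mod 64
        index = (unsigned int)((context.count[0] >> 3) & 0x3F);

        // Update number of bits; a wrap of the low word carries into the
        // high word.
        if ((context.count[0] += ((UINT4)inputLen << 3))
            < ((UINT4)inputLen << 3))
            context.count[1]++;
        context.count[1] += ((UINT4)inputLen >> 29);

        partLen = 64 - index;

        // Transform as many times as possible.
        if (inputLen >= partLen) {
            memcpy((POINTER)&context.buffer[index], (POINTER)input, partLen);
            MD5Transform (context.state, context.buffer);

            for (i = partLen; i + 63 < inputLen; i += 64)
                MD5Transform (context.state, &input[i]);

            index = 0;
        }
        else
            i = 0;

        /* Buffer remaining input */
        memcpy((POINTER)&context.buffer[index], (POINTER)&input[i], inputLen-i);
    }

    // MD5 finalization. Ends an MD5 message-digest operation, writing the
    // message digest to digestRaw and digestChars and zeroizing the context.
    void Final()
    {
        unsigned char bits[8];
        unsigned int index, padLen;

        // Save number of bits
        Encode( bits, context.count, 8 );

        // Pad out to 56 mod 64.
        index = (unsigned int)((context.count[0] >> 3) & 0x3f);
        padLen = (index < 56) ? (56 - index) : (120 - index);
        Update( PADDING, padLen );

        // Append length (before padding)
        Update( bits, 8 );

        // Store state in digest
        Encode( digestRaw, context.state, 16 );

        // Zeroize sensitive information.
        memset((POINTER)&context, 0, sizeof (context));

        writeToString();
    }

    // Renders digestRaw into digestChars as 32 lowercase hex digits followed
    // by a NUL (33 chars in total), without going through sprintf.
    void writeToString()
    {
        static const char hexDigits[] = "0123456789abcdef";

        for (int pos = 0; pos < 16; pos++) {
            digestChars[pos*2]     = hexDigits[(digestRaw[pos] >> 4) & 0x0f];
            digestChars[pos*2 + 1] = hexDigits[digestRaw[pos] & 0x0f];
        }
        digestChars[32] = '\0';
    }


public:
    // an MD5 digest is a 16-byte number (32 hex digits)
    BYTE digestRaw[ 16 ];

    // This version of the digest is actually
    // a "printf'd" version of the digest.
    char digestChars[ 33 ];

    // Loads a file from disk, digests it and returns digestChars.
    // If the file cannot be opened or a read fails, a message is printed and
    // digestChars is returned as an empty string, so an unreadable file is
    // never reported with the digest of a previously scanned file.
    char* digestFile( char *filename )
    {
        Init();

        // Drop any earlier result before touching the file.
        memset(digestRaw, 0, sizeof (digestRaw));
        digestChars[0] = '\0';

        FILE *file = (filename != NULL) ? fopen(filename, "rb") : NULL;
        if (file == NULL) {
            printf( "%s can't be opened\n", (filename != NULL) ? filename : "(null)" );
            return digestChars;
        }

        unsigned char buffer[1024];
        size_t len;

        while ((len = fread(buffer, 1, sizeof (buffer), file)) != 0)
            Update( buffer, (unsigned int)len );

        // A read error means only part of the file was hashed; a digest of
        // partial content must not be compared against the signatures.
        if (ferror(file))
            printf( "%s can't be read\n", filename );
        else
            Final();

        fclose( file );

        return digestChars;
    }

    // Digests a byte-array already in memory and returns digestChars.
    // A NULL pointer or a non-positive len is treated as the empty message;
    // a negative len would otherwise turn into a huge unsigned length.
    char* digestMemory( BYTE *memchunk, int len )
    {
        Init();
        if (memchunk != NULL && len > 0)
            Update( memchunk, (unsigned int)len );
        Final();

        return digestChars;
    }

    // Digests a NUL-terminated string and returns digestChars.
    // A NULL pointer is treated as the empty string.
    char* digestString( char *string )
    {
        Init();

        if (string != NULL) {
            unsigned char *cursor = (unsigned char*)string;
            size_t remaining = strlen(string);
            // Update() takes an unsigned int length, so feed very long
            // strings in pieces rather than truncating the size_t.
            const size_t maxChunk = 0x40000000;

            while (remaining > 0) {
                size_t chunk = (remaining < maxChunk) ? remaining : maxChunk;
                Update( cursor, (unsigned int)chunk );
                cursor += chunk;
                remaining -= chunk;
            }
        }

        Final();

        return digestChars;
    }
};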
386 |
387 | #endif
388 |
389 |
--------------------------------------------------------------------------------
/src/results.cpp:
--------------------------------------------------------------------------------
1 | //orion-webshell-detector by v00d0089 & gaber52
2 | //file: results.cpp
3 | //Results class implementation
4 |
5 | #include "header.h"
6 |
7 | vector ranking;
8 |
9 | //Default constructor and destructor
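// Default constructor. Starts with a zero score so getScore() returns a
// defined value even when no score has been assigned yet.
Results::Results() : totalscore(0) {}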
11 |
// Destructor with an empty body.
Results::~Results()
{
}
13 |
14 | //user-defined constructor
// Builds a result record from the scanned file's name, the log file path
// and the file format string; the total score starts at 0.
Results::Results(string cfilename, string logfile, string format)
    : cfilename(cfilename),
      logfile(logfile),
      format(format),
      totalscore(0)
{
}
21 |
22 | //accessor and mutator functions
// Replaces the stored file name with the given one.
void Results::setName(string cfilename)
{
    Results &self = *this;
    self.cfilename = cfilename;
}
26 |
// Replaces the stored log file path with the given one.
void Results::setLog(string logfile)
{
    Results &self = *this;
    self.logfile = logfile;
}
30 |
// Returns a copy of the stored file name.
string Results::getName()
{
    return this->cfilename;
}
34 |
// Returns the stored total score.
int Results::getScore()
{
    return this->totalscore;
}
38 |
// Returns the dangerFunctions member by value, so the caller gets a copy.
// NOTE(review): the vector's element type is not visible in this listing.
vector Results::getDangerFunctions()
{
    return this->dangerFunctions;
}
42 |
43 | //function to calculate the total score of all danger functions detected
44 | int Results::calculateScore() {
45 | totalscore = 0;
46 | for (int i=0; i=0)) {
68 | j--;
69 | }
70 | string logfolder = logfile.substr(0, j);
71 | string logname = logfile.substr(j+1, logfile.size()-1);
72 |
73 | while (((logfolder[j] != '/') && (logfolder[j] != '\\')) && (j>=0)) {
74 | j--;
75 | }
76 | string summaryfolder = logfolder.substr(0,j);
77 |
78 | ss << totalscore;
79 | //use filename to name its corresponding log file
80 | #ifdef _WIN32
81 | logfile = logfolder + "\\" + ss.str() + "-" + logname;
82 | #else
83 | logfile = logfolder + "/" + ss.str() + "-" + logname;
84 | #endif
85 |
86 | ss.str("");
87 | cout << logfile << endl;
88 |
89 | summary.score = totalscore;
90 | summary.filename = cfilename;
91 | ranking.push_back(summary);
92 |
93 | logger.open(logfile.c_str(), ios::out | ios::app);
94 |
95 | if (cfilename.find("decoded",0) != string::npos) {
96 | logger << "Decoded code score: " << totalscore << endl;
97 | }
98 | else {
99 | logger << "Total Danger Score: " << totalscore << endl;
100 | logger << endl;
101 | logger << "===============================================" << endl;
102 | logger << "Filename: " << cfilename << endl;
103 | logger << "===============================================" << endl;
104 | logger << endl;
105 | }
106 |
107 | for (int i=0; i -1) {
109 |
110 | logger << "Danger Function: " << dangerFunctions[i] << endl;
111 | logger << "Line " << line[i] << endl;
112 | logger << "Score awarded: " << functionScore[i] << endl;
113 |
114 |
115 | //display the reasons why the functions are dangerous
116 | if (format == ".php") {
117 | for (int j=0; j