Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Web Security - The Basics

Inndy
October 07, 2016
Technology
0
620

Web Security - The Basics

2016/Computer Security at National Taiwan University of Science and Technology (NTUST)

Inndy

October 07, 2016
Tweet

More Decks by Inndy

See All by Inndy
工程師一定要懂的 Text Encoding
inndy
1
620
資訊安全:麻瓜的黑魔法防禦術
inndy
3
2.8k
HackmeCTF 平台背後的心酸血淚史
inndy
2
790
COSCUP 2018 Lightning Talk - 審稿好難,所以我們來寫程式吧
inndy
0
410
逆向工程:從入門到放棄
inndy
7
3.5k
HITCON 2017 Zeroday 發表會
inndy
0
1.3k
No More Crypto Fails
inndy
33
7.9k
你再共用密碼啊
inndy
1
720
CTF From Zero To One
inndy
5
4.9k

Other Decks in Technology

See All in Technology
LambdaとSQLiteでシステム構築
ogadra
1
150
GDG Tokyo 生成 AI 論文をわいわい読む会
enakai00
0
260
2週に1度のビッグバンリリースをデイリーリリース化するまでの苦悩 ~急成長するスタートアップのリアルな裏側~
kworkdev
PRO
8
6k
ココナラのセキュリティ組織の体制・役割・今後目指す世界
coconala_engineer
0
200
Women in Agile
kawaguti
PRO
2
150
パブリッククラウドのプロダクトマネジメントとアーキテクト
tagomoris
3
340
Tokyo RubyKaigi 12 - Scaling Ruby at GitHub
jhawthorn
2
170
攻撃者の視点で社内リソースはどう見えるのかを ASMで実現する
hikaruegashira
3
1.9k
TypeScriptでモジュラーモノリスやってみた
diggymo
0
120
レイクハウスとはなんだったのか?
akuwano
15
1.8k
ブロックチェーンR&D企業における SREの実態 / SRE Kaigi 2025
datachain
0
3.4k
Mocking your codebase without cursing it
gaqzi
0
140

Featured

See All Featured
Scaling GitHub
holman
459
140k
Site-Speed That Sticks
csswizardry
3
300
KATA
mclloyd
29
14k
Making the Leap to Tech Lead
cromwellryan
133
9k
Building Applications with DynamoDB
mza
93
6.2k
The Language of Interfaces
destraynor
156
24k
Build The Right Thing And Hit Your Dates
maggiecrowley
33
2.5k
Fontdeck: Realign not Redesign
paulrobertlloyd
82
5.3k
A designer walks into a library…
pauljervisheath
205
24k
Visualization
eitanlees
146
15k
BBQ
matthewcrist
85
9.4k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
98
18k

Transcript

  1. $PNQVUFS4FDVSJUZBU/5645 *OOEZJOOEZUX!HNBJMDPN 8FC4FDVSJUZ5IF#BTJDT

  2. 4PVSDFDPEFPGIUUQTWVMTFDVSJUZOUVTUJTBWBJMBCMFBU IUUQTHJUIVCDPNJOOEZXFCTFD

  3. XIPBNJ ˙ *OOEZ加啄 ˙ 1MBZ$5' ˙ 3FWFSTF&OHJOFFSJOH ˙ (BNF)BDLJOH ˙

    JOOEZUX!HNBJMDPN

  4. 0VUMJOF ˙ *OUFSOFUBOE/FUXPSL ˙ 'SPOUFOE#BDLFOE ˙ )551 ˙ $PNNPO)551)FBEFST ˙

    $PPLJF ˙ &ODPEJOH ˙ 44-5-4 ˙ 08"415PQ

  5. *OUFSOFUBOE/FUXPSL

  6. *OUFSOFUBOE/FUXPSL   1PSUPG,BPITJVOH

  7. *OUFSOFUBOE/FUXPSL  XXXOUVTUFEVUX

  8. *OUFSOFUBOE/FUXPSL '51  44)  5FMOFU 155  )551 

    )5514  .Z42-  3%1  7/$  3FEJT 

  9. 8FC"SDIJUFDUVSF

  10. 4FSWFS $MJFOU Ճ)551PWFS*OUFSOFUՃ

  11. #BDLFOE 'SPOUFOE Ճ)551PWFS*OUFSOFUՃ

  12. OHJOYBQBDIFMJHIUUQE 1)1QZUIPOSVCZ )5.-$44 +BWB4DSJQU Ճ)551PWFS*OUFSOFUՃ

  13. 8FC'SPOUFOE

  14. )5.-

  15. )5.- $44

  16. )5.- $44 +BWB4DSJQU

  17. 8FC#BDLFOE

  18. )5513FRVFTU

  19. 8IBUIBQQFOFEBGUFS&OUFS  $MJFOU ˙ %/4MPPLVQ *GOFFEFE  ˙ $SFBUF5$1DPOOFDUJPO ˙

    44-IBOETIBLF *GOFFEFE  ˙ $PNQPTFBOETFOE)551SFRVFTU

  20. 8IBUIBQQFOFEBGUFS&OUFS  4FSWFS ˙ "DDFQU5$1DPOOFDUJPO ˙ 1BSTFSFRVFTUIFBEFST ˙ $IFDLSPVUFSVMFT ˙

    'JMFPS3FWFSTFQSPYZ

  21. 8IBUIBQQFOFEBGUFS&OUFS  'JMFCBTFE ˙ $IFDLJGMFFYJTUT  ˙ *GOPU SFTQPOTFXJUIFSSPS ˙

    *TJUBTUBUJDMF  ˙ *GTP TFOEJUUPDMJFOU ˙ 0UIFSXJTF DBMMSFTQPOEJOHQSPDFTTPS ˙ .BZCFBDHJ QIQ QFSMTDSJQU ˙ 4FOESFTQPOTFUPDMJFOU

  22. 8IBUIBQQFOFEBGUFS&OUFS  4PGUXBSFSVMFT ˙ 1BSTFSFRVFTUGSPN)551TFSWFS ˙ 3PVUF ˙ %JTQBUDIDPOUSPMMFS ˙

    1SPDFTTSFRVFTUBOE3FOEFSSFTQPOTFEBUB ˙ 4FOEJUCBDLUP)551TFSWFS ˙ 4FSWFSTFOESFTQPOTFEBUBUPDMJFOU

  23. 8IBUIBQQFOFEBGUFS&OUFS  $MJFOU ˙ (PUSFTQPOTFEBUB .BZCFB)5.-EPDVNFOU  ˙ 1BSTF)5.-BOE%PXOMPBESFMBUFEBTTFUT ˙

    $44 *NBHF +BWB4DSJQU 'MBTI PS0UIFSNFEJBDPOUFOU ˙ 3FOEFSFOHJOFTUBSUXPSLJOHXJUI$44BOE)5.- ˙ 8FCLJU (FDLP #MJOL 5SJEFOU &EHF)5.- ˙ +BWB4DSJQUFOHJOFSVOUIFTDSJQUT ˙ 7 4QJEFS.POLFZ $BSBLBO $IBLSB 3IJOP

  24. )551

  25. )5513FRVFTU$PNQPTJUJPO POST /sqlinj/ HTTP/1.1<CRLF> Host: vul.security.ntu.st<CRLF> Content-Length: 45<CRLF> Content-Type: application/x-www-form-urlencoded<CRLF>

    <CRLF> title=title+text&msg=This+is+message+content. .FUIPE 1BUI 1SPUPDPM7FSTJPO "\r\n"JO$

  26. )5513FRVFTU$PNQPTJUJPO POST /sqlinj/ HTTP/1.1<CRLF> Host: vul.security.ntu.st<CRLF> Content-Length: 45<CRLF> Content-Type: application/x-www-form-urlencoded<CRLF>

    <CRLF> title=title+text&msg=This+is+message+content. 3FRVFTU)FBEFST 3FRVFTU#PEZ .BZCFCJOBSZEBUB

  27. )5513FTQPOTF$PNQPTJUJPO HTTP/1.1 200 OK<CRLF> Server: nginx<CRLF> Date: Thu, 06 Oct

    2016 15:03:36 GMT<CRLF> Content-Type: text/html; charset=UTF-8<CRLF> Content-Length: 1973<CRLF> Connection: keep-alive<CRLF> <CRLF> <!DOCTYPE html>..... )5517FSTJPO 3FTQPOTF4UBUVT

  28. )5513FTQPOTF$PNQPTJUJPO HTTP/1.1 200 OK<CRLF> Server: nginx<CRLF> Date: Thu, 06 Oct

    2016 15:03:36 GMT<CRLF> Content-Type: text/html; charset=UTF-8<CRLF> Content-Length: 1973<CRLF> Connection: keep-alive<CRLF> <CRLF> <!DOCTYPE html>..... (1973 bytes) 3FTQPOTF)FBEFST 3FTQPOTF#PEZ .BZCFCJOBSZEBUB

  29. -FUTUSZOD $ nc www.ntust.edu.tw 80 GET / HTTP/1.1 Host: www.ntust.edu.tw

    <Enter> <Enter>

  30. )5514UBUVT$PEF ˙ 99 ˙ *UTOF ˙ 99 ˙ 3FEJSFDUJPO ˙

    99 ˙ *UTZPVSGBVMU ˙ 99 ˙ *UTNZGBVMU

  31. )5514UBUVT$PEF ˙ 0, ˙ *UTBMMHPPE ˙ /P$POUFOU ˙ 3FRVFTUJTOFCVU*IBWFOPUIJOHUPUBML ˙

    1BSJUBM$POUFOU ˙ *IBWFQBSUPGEBUBGPSZPV

  32. )5514UBUVT$PEF ˙ .PWFE1FSNBOFOUMZ ˙ 'PVOE ˙ 7FSZDPNNPOGPSSFEJSFDUJPO ˙ /PU.PEJFE ˙

    $BDIFJTOF ˙ 5FNQPSBSZ3FEJSFDU

  33. )5514UBUVT$PEF ˙ #BE3FRVFTU ˙ :PVKVTUHBWFNFXSPOHUIJOHT ˙ 6OBVUIPSJ[FE ˙ 'PSCJEEFO ˙

    :PVBSFOPUBMMPXFEIFSF ˙ /PU'PVOE ˙ .FUIPE/PU"MMPXFE ˙ *NBUFBQPU ˙ 6OBWBJMBCMF'PS-FHBM3FBTPOT

  34. )5514UBUVT$PEF ˙ *OUFSOBM4FSWFS&SSPS ˙ &YDFQUJPOSBJTFEJOZPVSDPEF ˙ #BE(BUFXBZ ˙ 6QTUSFBNPGSFWFSTFQSPYZJTEFBE ˙

    4FSWJDF6OBWBJMBCMF ˙ .BJOUFOBODFNPEF  ˙ (BUFXBZ5JNFPVU ˙ 6QTUSFBNPGSFWFSTFQSPYZUJNFPVU

  35. 8IBUTUIFEJFSFODF

  36. )551.FUIPE (&5 1045 165 1"5$) %&-&5& 015*0/4 )&"% $0//&$5 53"$&

    $034 "QBDIFEFCVHQVSQPTF )551QSPYZ /PSFTQPOTFCPEZ

  37. )551.FUIPE ˙ (&5 ˙ %PXOMPBETPNFUIJOHGSPNXFCTJUF ˙ 1045 ˙ 4FOETPNFUIJOHUPXFCTJUF ˙

    )&"% ˙ +VTUHJWFNFSFTQPOTFIFBEFST CVU*EPOUXBOUCPEZ ˙ 53"$& ˙ "QBDIFXJMMSFUVSOXIPMFSFRVFTUBTQMBJOUFYUUPZPV ˙ $0//&$5 ˙ 4QFDJBMNFUIPEGPSQSPYZUPEFBMXJUI)5514SFRVFTU

  38. )551.FUIPE 3&45GVM"1* ˙ (&5 ˙ (FUMJTUBSFTPVSDF ˙ 1045 ˙ $SFBUFBOFXSFTPVSDF

    ˙ 165 ˙ 3FQMBDFBOFYJTUFESFTPVSDF ˙ 1"5$) ˙ 1BSUJBMVQEBUFBOFYJTUFESFTPVSDF ˙ %&-&5& ˙ %FMFUFBOFYJTUFESFTPVSDF

  39. $PNNPO3FRVFTU)FBEFST&TTFOUJBM ˙ )PTUOUVTU ˙ 3FRVJSFE ˙ :PVDBOIBWFNVMUJQMFXFCTJUFPOPOF*1IPTU

  40. $PNNPO3FRVFTU)FBEFST$PNNPO ˙ "DDFQUUFYUIUNMUFYUQMBJO ˙ 8IJDIUZQFPGDPOUFOUEPFTDMJFOUBDDFQU  ˙ "DDFQU&ODPEJOH H[JQ]EFBUF]TEDI]C[JQ]Y[ 

    ˙ )PXUPDPNQSFTTEBUB ˙ "DDFQU-BOHVBHF[IUXFO ˙ 8IBUMBOHVBHFEPZPVQSFGFS  ˙ "MPUPGXFCTJUFDPOTJEFS[IUXBT[I

  41. $PNNPO3FRVFTU)FBEFST$PNNPO ˙ 3FGFSFS63- ˙ 8IFSFEJEZPVGSPN  ˙ 8FCQBHFBDPNCIUNMIBWF<img src="b.com/a.jpg"> ˙

    3FRVFTUUPCDPNBKQHDPOUBJOTIFBEFS • Referer: http://a.com/b.html ˙ 1SJWBDZJTTVF ˙ KNQESPQCPYSFGFSFSWVM

  42. $PNNPO3FRVFTU)FBEFST$PNNPO ˙ 6TFS"HFOU.P[JMMB .BDJOUPTI*OUFM.BD049SW  (FDLP'JSFGPY ˙ *UUFMMTTFSWFSXIJDICSPXTFS041MBUGPSNBSFZPVVTJOH ˙ 3FEJSFDUHPHPPHMFDPNDISPNFJG*&EFUFDUFE

    ˙ 5FMMTTFSWFSXIJDIFYQMPJUQBZMPBEUPTFOE ˙ #BEGPSQSJWBDZ UPP

  43. $PNNPO3FRVFTU)FBEFST"VUIFOUJDBUJPO ˙ "VUIFOUJDBUJPO #BTJD]#FBSFS "65)@50,&/ ˙ "VUIUPLFOJTVTVBMMZCBTFTUSJOH ˙ CBTF 64&3/".&1"44803%

    GPS)551 CBTJDBVUIFOUJDBUJPO ˙ 0"VUIVTFT#FBSFS

  44. $PNNPO3FRVFTU)FBEFST$POOFDUJPO ˙ $POOFDUJPOLFFQBMJWF ˙ 5$1IBOETIBLFJTFYQFOTJWF TPXFXBOUUPSFVTFFYJTUFEDPOOFDUJPO ˙ "TLTFSWFSOPUUPTIVUEPXO5$1DPOOFDUJPOBGUFSUIJTSFTQPOTF ˙ 4VQQPSUFETJODF)551

    ˙ 3FTQPOTFIFBEFSTXJMMDPOUBJOTBNFIFBEFSJGTFSWFSTVQQPSUTJU ˙ *UTVTFGVMBOEJNQPSUBOUUPFYQMPJUTPNFCVH FY"4-3QSPUFDUJPO

  45. $PNNPO3FRVFTU)FBEFST3FRVFTU#PEZ ˙ $POUFOU-FOHUI ˙ *UNFBOTXFIBWFCZUFTPGCPEZDPOUFOUBGUFSSFRVFTUIFBEFST ˙ $POUFOU5ZQF.*.& • application/x-www-form-urlencoded ˙

    /PSNBMGPSNQPTU • multipart/form-data; boundary=$RANDOM_STRING ˙ 4UBOEBSEMFVQMPBEUBLFTUIJT ˙ UZQJDBMCPVOEBSZGPSXFCLJU----WebKitFormBoundaryo3CVe... ˙ application/jsonGPS8FC"1*

  46. $PNNPO3FRVFTU)FBEFST.JTD ˙ %/5 ˙ %P/PU5SBDL ˙ 93FRVFTUFE8JUI9.-)UUQ3FRVFTU ˙ 'PS"+"9SFRVFTUT ˙

    3BOHFCZUFT ˙ 3FRVFTUQBSUJBMDPOUFOU %PZPVLOPX'MBTI(FU  ˙ .VMUJUISFBEFEMFEPXOMPBE ˙ 9'PSXBSEFE'PS ˙ 1SPYZNBZBEEUIJTIFBEFSXIJMFGPSXBSEJOHSFRVFTUUPUBSHFUTFSWFS

  47. $PNNPO3FTQPOTF)FBEFST3FTQPOTF#PEZ ˙ $POUFOU-FOHUI ˙ 5IJT)551SFTQPOTFIBTCZUFTPGCPEZDPOUFOU ˙ $POUFOU&ODPEJOH H[JQ]EFBUF]TEDI]C[JQ]Y[  ˙

    *OEJDBUFXIBUDPNQSFTTJPONFUIPEXBTVTFEXJUISFTQPOTFEBUB ˙ $POUFOU5ZQF.*.& ˙ text/html; charset=utf-8JTWFSZDPNNPOJONPEFSOXFCQBHFT ˙ &5BH)"4) ˙ )BTIWBMVFGPSDBDIFEBUB

  48. $PNNPO3FTQPOTF)FBEFST3FEJSFDU ˙ -PDBUJPOIUUQTHPPHMFDPN ˙ 3FEJSFDUJNNFEJBUFMZ ˙ 3FGSFTIVSMIUUQTTFDVSJUZOUVTU ˙ 3FEJSFDUCVUEFMBZGPSTFDPOET VTFGVMUPTIPXTPNFNFTTBHF

  49. $PNNPO3FTQPOTF)FBEFST.JTD ˙ 4FSWFSOHJOY ˙ )BDLFSTXJMMCFIBQQZUPLOPXXIJDI)551TFSWFSZPVBSFVTJOH ˙ 91PXFSFE#Z1)1 ˙ )BDLFSTXJMMCFIBQQZUPLOPXXIBUMBOHVBHFZPVBSFVTJOH UPP

    ˙ %BUF5IV 0DU(.5 ˙ 4PNFTFSWFSTFOETEBUF JUTBHPPEXBZUPPCUBJOEBUF

  50. $PNNPO3FTQPOTF)FBEFST4FDVSJUZ ˙ 99441SPUFDUJPONPEFCMPDL ˙ #BTJD944QSPUFDUJPO EFGBVMUFOBCMFEJO(PPHMF$ISPNF ˙ 3FGVTFUPFYFDVUF+4XIJDIBQQFBS ˙ 9'SBNF0QUJPOTEFOZ

    ˙ $BOUIJTXFCQBHFQVUUFEJOBJGSBNF  ˙ $POUFOU4FDVSJUZ1PMJDZ ˙ *UTDPNQMJDBUFE JUQSPWJEFEBCVODIPGTFDVSJUZQSPUFDUJPO

  51. $PPLJFT

  52. ˊ8JLJQFEJB չ$PPLJFJTBTNBMMQJFDFPGEBUBTFOUGSPNB XFCLJUBOETUPSFEJOUIFVTFSTXFCCSPXTFS XIJMFUIFVTFSJTCSPXTJOHպ

  53. $PPLJF ˙ "DPPLJFDPOUBJOT ˙ /BNF ˙ 7BMVF ˙ %PNBJO ˙

    1BUI ˙ .BY"HF ˙ )5510OMZ'MBH ˙ 4FDVSF'MBH

  54. $PPLJF ˙ IUUQTWVMTFDVSJUZOUVTUDPPLJF ˙ IUUQTWVMTFDVSJUZOUVTUDPPLJFTJOHMFQIQ ˙ 4FU$PPLJFTJOHMF@DPPLJFEBUB PG TJOHMF DPPLJF

    ˙ -FUTPCTFSWFJUJO$ISPNFTEFWFMPQFSUPPMT

  55. $PPLJFBOE4FTTJPO ˙ 4FTTJPOJOEJFSFOUGSBNFXPSLNBZIBWFUIFJSJNQMFNFOUBUJPO ˙ #VUUIFZIBWFTBNFJEFB ˙ 4UPSFEBUBJOTPNFXIFSFTBGFUZBOEHJWFZPVUIFLFZ TFTJTPOJE  ˙

    &ODSZQUFEDPPLJF ˙ $BDIFTFSWJDF 3FEJT .FNDBDIFE  ˙ 5FNQPSBSZMF 1)1TEFGBVMUTFTTJPO  ˙ 4UPSFEJOEBUBCBTF

  56. &ODPEJOH5FYU&ODPEJOH

  57. &ODPEJOH ˙ )PXUPFYQSFTTBOVNCFS  ˙ CJO#JOBSZ ˙ PJO0DUBM ˙ JO%FDJNBM

    ˙ YBDJO)FY ˙ =YD=YB=Y=YJOCZUFTMJUUMFFOEJBOJOUFHFS

  58. 5FYU&ODPEJOH ˙ )PXUPFYQSFTTBDIBSBDUFS" ˙ STUBMQIBCFUJOVQQFSDBTF ˙ " ˙ BTDJJDPEFY

  59. 5FYU&ODPEJOH ˙ )PXUPFYQSFTTBDIBSBDUFS꽺 ˙ 꽺 ˙ 6OJDPEFYFE ˙ #JH&ODPEJOH=YD=Y ˙

    4UBUJDNBQQJOH ˙ 65'&ODPEJOH=YF=YB=YBE ˙ 8FIBWFBSVMFUPUSBOTGPSNCFUXFFOVOJDPEFBOE65'

  60. &ODPEJOH 4(7TC(T*'EWDNYL*2

  61. &ODPEJOH ˙ 8FBMTPIBWFPUIFSFODPEJOH ˙ )FYFODPEF ˙ CBTF ]] FODPEF ˙

    63-&ODPEF

  62. 44-5-4

  63. 44-5VOOFM GET /user/login.php HTTP/1.1.... $MJFOU 4FSWFS

  64. openssl s_client -host google.com -port 443

  65. 08"415PQ

  66. 08"41 0QFO8FC"QQMJDBUJPO4FDVSJUZ1SPKFDU

  67. "6OWBMJEBUFE3FEJSFDUTBOE'PSXBSET ˙ 4PNFUJNFTZPVOETPNFUIJOHJO63- ˙ FYBNQMFDPNMPHJOQIQ SFEJSFDUIPNFQIQ ˙ 8FDIBOHFSFEJSFDUUPBQIJTIJOHTJUF BOETFOEJUUPTPNFPOF ˙

    FYBNQMFDPNMPHJOQIQ SFEJSFDUNBMXBSFDPNIPNFQIQ

  68. "6TJOH$PNQPOFOUTXJUI,OPXO7VMOFSBCJMJUJFT ˙ 7VMOFSBCJMJUJFTJOUIJSEQBSUZMJCSBSZ ˙ &YDLFEJUPS

  69. "$SPTT4JUF3FRVFTU'PSHFSZ $43' ˙ 4FOESFRVFTUGSPNBOPUIFSEPNBJO ˙ JNHTSDFYBQMFDPNMPHPVUQIQ ˙ IUUQTVQFSMPHPVUDPN ˙ &YQMPJU944CVHUPNBLFBGPSNBOEQPTUJU

  70. ".JTTJOH'VODUJPO-FWFM"DDFTT$POUSPM ˙ *DBODIBOHFPUIFSVTFSTQBTTXPSECVU*NOPUBENJO • curl https://vul.security.ntu.st/sqlinj/ --data 'truncate_confirm=1'

  71. "4FOTJUJWF%BUB&YQPTVSF ˙ IUUQTWVMTFDVSJUZOUVTUTRMJOKDPOHJOD

  72. "4FDVSJUZ.JTDPOHVSBUJPO • google('"index of"') ˙ 4PNFUJNFT JUMFBLTTPNFVTFGVMJOGPSNBUJPOUPIBDLFST

  73. "*OTFDVSF%JSFDU0CKFDU3FGFSFODFT ˙ *VQMPBEFENZQSJWBUFQIPUPTUPTPNFXFCEJTL CVUBOZPOFDBO EPXOMPBEJUXJUIMFBLFE63-/PBDDFTTDPOUSPMPOUIBUMF

  74. "$SPTT4JUF4DSJQUJOH 944 • "><script>alert(1)</script><br " ˙ %FNP

  75. "#SPLFO"VUIFOUJDBUJPOBOE4FTTJPO.BOBHFNFOU • function is_admin() {
 return $_COOKIE['role'] == 'admin;
 }

    ˙ %FNP

  76. "*OKFDUJPO • ' or '' = ' ˙ %FNP

  77. 4PNF6TFGVM5PPMT

  78. #VSQ4VJUF

  79. )BDLCBS

  80. $PPLJF.BOBHFS

  81. .PEJGZ)FBEFST

  82. 6TFS"HFOU4XJUDIFS

  83. 8BQQBMZ[FS