From 144fb234bf0d5f71eb9f6dd8d8e3d5fddfc7dde1 Mon Sep 17 00:00:00 2001 From: Martin Goik <goik@hdm-stuttgart.de> Date: Mon, 18 Dec 2017 19:46:06 +0100 Subject: [PATCH] SQL injection exercise --- Doc/Sda1/Ref/Fig/sqlInject.screen.png | Bin 19305 -> 0 bytes Doc/Sda1/jdbc.xml | 177 +++++++++--------- .../sda1/insert/SimpleInsert.java | 2 +- .../src/main/resources/jdbc.properties | 2 +- .../src/main/resources/sqlinject.sql | 0 5 files changed, 89 insertions(+), 92 deletions(-) delete mode 100644 Doc/Sda1/Ref/Fig/sqlInject.screen.png create mode 100644 P/Sda1/Jdbc/Insert/MinimumTest/src/main/resources/sqlinject.sql 
diff --git a/Doc/Sda1/Ref/Fig/sqlInject.screen.png b/Doc/Sda1/Ref/Fig/sqlInject.screen.png deleted file mode 100644 index a7f14bd172213218ce8e75d1d574e1bc352ebb5b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 19305 zcmZs@1y~es+%~$Rs353xNh1x?9V*@3-QC@xbV*A~OZSpXcM40Vba(fe#sB%f_dVB{ zi@j#{nb~LNsbAdpJ%q?giy$N7B7#65WHC`ec@XIN4-n|tr`K>mNfTZD4X}IWATRP2 zR66`&8~B1?E2`!I0=?~oeV)bByu||wUpb0N3B8&}#CwSXVjf>M1B!4Qg;X5{Y^<z| ztQ|oD_C|V+MutQ#W{##rB4SdqDt>RVKp-NJnBW&h*V+9A4_CbPv`<G%;q(b*AqHrk za>2U`PQK$ozbIu#$u*D+)8djjsP|E{sAr8i>B;lUzbt@fB^os<tfUg0zo~sf)*4SQ z!Ti1Z_v;b4E=P_a9c30TIee3rfqoZ42tEaPHD$y80b5IWEZiDw!2RHz&f~T=I>>$4 z#9Z0zy_ts7&B*i>cxDhN3?q#E>EMO(|JZ%jg@=8s>#Pn{sJ)It@NcaQu7Z^?9OkTD zXPFtO`#H^NJcNdxgi58Hx%1Axg`K32C@3fhh33C}B?EDVP^sxITqG<RGT|V-WWj-* z*A##GEwgZk)W~Q(e94D_t*SfqtnByi&+4$7`ND^ntYfU(p=J9yr97&tso^9ez<z`& ztET35&zNDai}B*wLJ_Q}yd3G}H_Fg{Ka9&4u<yQIMD&RyIj{k2T^TMjg&lzYYeH`f zrW6Qd_dP^`f-jXs|D?Z6-AcFW=QCqy6Y#@U#B#|H<_-#(NP9uS94cz|1Z->;@jy9; zoes2oit3_CMNG3#YO5hof#><%t|VUDO7ZZxd+;FD$fF+KR(k{uC>Fi_GU3(nsM&I* z)CS1~8>ls_&F({wU0;6AcLHVKb-xT;NG}?SnG+HgdO*mV*d}8Bc^!(u@OSSb!evf7 zcTSWsHz~Ro6q!2%R->6a44}-ZpOH`)aUsM$U4`-R?g9MKLe^(%t@T9F;NR6h8f};L zWp%NwtmVwM`{za3$@zKNnC$iRse92virLs(T$Sv;yv3`%Li9en>%!4iP}QSd8OgxI z$w*xe5hYX3hi+mfmiA9E3X+{D7;FmDOG-MxMfaN8pM-{nsjQhL)s20xI9-MEM0c03 zgwljMta@vNwuPWfC>c(=?+kq$4u2u7{rX-x1BdJQ;XMkDvW`+Zo@7hFGtk)N<HKzz zw21E{x){0>@{Uhe%~?rIOim63B_c919ghI>#d2YdMa`_^H%jmNXS7lLwiKTvgMm)3 z%c_=@5M1dD2sz5Ao$sp35A4o&Bhkn9KABHqR<M)EPbTL3exeY|oHL4t^im*Fn)HY{ zHrqr7S>{Nrh=a?KuXkh390#?&?@hi;Mh2#UnuqDp_@8OTA13FVobDy9QW0sqZti5@ zsGoTFxXm1NrmBI&)|Ojm0ev`pitxN0uky(Ss!n4CC}iG6$vD6<;?hZw@H^P8b+j>K zaWa-xBcx9-33ke8T`_37L?~xZFp-eH?3qycf&<o$+0b`#_aXyZRCA?C=TDheTIzv( z16nJKDMLF11hStt;2?|A*!|Y$tQ?N^ISIR+UTCnWf^1xD2l|e%i2vYOKv<hU2A43B zHV;4XdzAI!LRy{7?7!37t>v@|xv9i{-R184>c|p2JqRQS&`s&IH1vS5Z0JWfx1E-( zv#xjy8pm+#CI)N{ten4F*990V8%%A-%Z!o1)igBJp$@93d4bRKMXr-hH_5~LPqVui z1IPMl-Z&wJ+>IX*2?)+&s3c%)ng$2Ipzp0hipKuH&pwQXf+HSb6rdiM!r^c-DD>qg 
zb~8h)N>-HhSGjt-c)w-(RHW25F&s{elxt?H0tI%+C@2UD(A0kFl{r4A-H#Tf{xmd> z%Z$Zc7^95EYBda?&+2RU1?FC*+b^X`fLYOZ^yfW_*rSAUd|b{FBotVLJSXP1j*fxB zqP1DFJq(JnIfOXrnSZCJB}WTCFmm9Kkz}QkY<q&~%Vha^SV=W_x{wgQ|Ly#9R3FA{ zhabs9LB?5<-4`DSVo(<-P4NE^!VGQtIWR0a_?}U4{<;lqbN$VWd=5r_RK}UR_)O?= zxNxG0ZVx@;d_Wr-mY{Oc)V9N$P-XO;;P0|#S(%hF1Mj0JWes)drGq<VhK|swq*5|6 zI#5xHrcmKSUJyI$(iSy`e(#o<aaUteQKmxzmA}u42Ax!^%d1mM3F^Z8n${)Z;3p10 zyc&V$<G}LzhKHA??Iy&L6M}?xKxl{^O_^E6u#U8RohLH<R%<O-R7bU`{TE98@p3d( zv}gl?xD_LL41!SCKpsndfZK`1DNe)}G&Ew?Xm(b&TnwYY(TXrAbDQpuH_{Gm+aY3^ zmG(xndeR-jZ1JL*TsuX7sBC_j?;4G2s(~3mtuX<uh_*AE6WgP9@tG0rU84m`DqHqW zEI4Gw8!Ids8TrKC8~U>8Za)DNl-MujASfuQ-B*b5GQr=#;43awXbN`5h656=x4R~8 zXy29t3lifE53dw_h@jMB|5%f(@VW^(g`1jSMA?@gXYe13-h>2qCPlaYb&K>zV{Y$n zk~JF~-+Ga#^4qAcK#pqL49Oi?Zr0%Qgi2-@<W#YLQer`Kc`EC3PLj}@=OEe_X7h!f zp=SodX~nOLL5ZB+C+$Mf!M(O!$(8;`BIzxzH=RjTs1(C8C+pWVr^3V1!R=kpeChRF zQ+IvwVB}&d<KT`RB=zJC(I(f6J==704o0>#<%E?U>9o4vdhps@BPBHIX1XDwDzfsn z%V!*)!hJXx3fQ->{Z@@R(piMouj@lw+65n0l3F>Xv!S~zv>|O`k=P_9UwTlpsZ^D0 zmpkmz^8(>0gjqU|;RFONwfhjgUWR<?qh86egeVSmnc7zi@{A51^`T)^<KBnTNH|nl z=z;3y$=)&y-Pk{@bs0yj);V-^jP1sZjftxBvh$=SCI&UW0Daza>FNwXAR%Ew$2M%i zVhL>5Bq2#|W@xiGDWm+<H=-vLn3DWj-g~<+bvpL%EHGHYEMCX)x$y20y|!ouSoy3% zAFsFP541I^8>(eR;7}N6=P`_oXdHgZYL)$_{Y1yK#nL$<DJ3;>lrzvrLrpK+=*Hi% zb9!p;*f|6gOG%v;3nywg3aM436O%|;n;EHzeThu?=(h<UIJ$EhR#vQ<mNA+QiYX=W z?ue<??%x>Oh)-DCRf`r~tN%NQ^vQUp9Rzyw<^795y&StDAt9lUxw%LkufH0zKR5Y6 zN;+0#^<cp6b+>A&464h?s^z0AWhq1k!GnB1&e^rw36dR3N~OkZZS9t|n9gF~L-F@t z!@T$@8RJi5M*$jyz$Z`Nx*`n$+`Fo1IJoyJnxy(U2=rUv9S!VCqVgxV|KASosSNbL zcC;9bwKX@lJ`V`$hHrVRccodLA_mQu$|N^BI(Iy{M$&h?E%)5G&w%Q551toEfBW)O zClDsU?(oA%cY?_j9d@YN>4(8v3_JRN&sphC3|r}*H%Jcc8(N)n)0tYr&i?e$MYjJc zJP?+3>A`;B9U0NBxg1IOuz{Cw)ad_Nkj(xIUoUO$XvLVb)1P5jIiUeVDG(=ubdO&s z^Fdpwj|BZ~dls{GTB7wjV;@J)k`~yVS;YBK7wUR$y9r28JBdOhsLK(X&}-a?gP$I= zJnnfBW$!nw8I#NX{l<yo`SinwZ5o~1pOg<b8EpJVJo{IR(Jc*rKz%YxkM$x;MrtIe z-z^S(ZbT;gWiioxP8T%r)5do9>B<i4qlvR(M-Fb<o0lZe$`<b>chiJPV)}U~5246d 
z@oRM3B3*E3H0ArZ9!Wt2JiV2)yqi~@4*q|LCJ2Mx0Ig`v#p2gz?F~tKh~<*5??s1Z zSfjnz@jN$`{n5gWc6M+-pWTvw{<xdpva{oT&#!Zh`M7^5cItUVsM9<#N@ck;H*xQ- za=DwJ((J-Q2`hd89%X9&QW7ZSZ$3<Rx%9fAc|`e9Cg;A}mGN*`w7uWce1G<;a)PQk zKBu(~asF)Q@m}?k-wN%;7t^btL?5TEiI#@+kvbz=OV}_E%IK~KNIr_?54*)vA(TDV z-H8+TzDbq!zUAwA`6YE(`h(YX9g(KP;U=3{n2qZnJA8g3sd;+?wI5jGHck67FP0a8 zI{jC3?O!ZIUG^#8oP0g%XH^nByS<e8u9A7BY)F?0=i+H*QTMqE(eiy~=YIbdVI&=J zXJ1Z669KrZBUKr@qi@Z<=%LL6jO=??{WU=k=ZQ<RHxgzu8js5pw``1A9Dg3)qTI_} zn-lj2iM;NVMpwa`LWNvPFM&SA$qwQgQ2*E~@q2IyHd>moS*qlZn@~f<_^s-9wGW%U zzCtLfoP1RdGg+d5OD5@gj}qc{`Pf={W};yZzoNfHXJzV<=NBx>GkH?q;<fyv$_UyP z#3pOBJ|TGcuq^nwxFi@Ik6G>m&oLj0mX;IzCwp`SV@dcJh?1HcE5f07zuQsf?)o!D zB5B3q&v(wSPHpwqMT0B)vCSV%IUdyirj5P%5vcmhd$7-abA;XD%X*#1f#)NsYp#)4 zbu?4TZ{SKa8k4bHGd(*tEYvO*d^|4L$4DrAjt3c=C6is(rk+J&z4W;s^Qqb+v}vwT ze7`!0eVIM0v0T%1<S6plou>ExMhEP*)N>q)aTE~aQT<!;ad{fn_Md3Syv3Q}iEP{B zoC5@R5BRTgsoJd`uMUUUe~30w2Feu25(UFmZHK)}znaXqIfy+#{XF$>{f%2fXho>v z3|hipFn=4+@_3^a6dYXGau#b7CYWLEwbeNk#p8CVB@;;D-QbU<-@k?vdL2E!q)*wD zAnWH}es3{yZ&acV|J(k&)I#U_xb1MsPB!_J3keB$CXnjua05d@_nIM}y<CGwtJ`^# zQA&sQ(=+CG`weLOuq%EPEH$tDj8-$A7_49`rw+UX%6x?k!2(a#2t;qDyZ&DF$w)E2 zQU=0G;B@QC+hXjFCo>hsS*|Y%s|G~7(|R)&miC{?$^p_PWO&feT#*a@Fkuj=H(CF~ zM3xo^w2?4i_X#k1L~lq*NxQnbNSAxmh00BFVO6LijZ4cD|GPz2;6FPEcxKr4Z}(*X z7zp7A8v70qei4I?sHE^!g^q_rZ0gs+bJmUP4;NqL!X@k16GWEKk6+M&e9zpp$P?K& zgl@uebc}BTdgAooGSk_LhmS9rI@C^9*FpMEdueEw7RhW-+_a)=4Q<G@$n*lg&%hCQ zXr^>wV7q;?o9awVwcpPhbUE-O=nlanfYOT7{i=h6&i!nffff#qt_4sMz6+~9eooN1 zasw&tb*3Q*HK)s)4-|WApS$!<+eJdEXwEqGyzJK=<x)_*SJ}SV((o(xWtvwY-2__c z7Nf=f!E)QOfu=@-`*i7y5$t<wbA}pKjeF?<e|E*Rn))Gw+Ualv8@0>p_Vd#QN%F>Q zD1JK41zjV>nRKgx&A|e6y9#G@F<6c4Zv}hr5&~<%5)O4~BYmkBoJfP|rt}UMYI$Em zNXa*7)l5k_^07mqxHbgdum;wA@OR|bu6xK@=V^SkjCa`sy9pcebJ_urgyI=!5mKz- z(noFrOoLTCD=B4#_I%>MW)`(<*AY8G`o`RfW{1BIhJ5o&rk3sL=a2Il$UeWHEYYCg zIeh5)C119qdwX9S(B;&*n71;@F4Wa^XhRrBo<)cSqSs;6LLrFa9qU2+0ZEri+Qy{! 
zG9f(b@`T5;vi8Z(uI0=l{WuR_G<jRdAz+wQ-0`tW3Ougn(GdAU-q@+8R8=CaCf|lA z^HXr|ilSPlsYNJljB;b6#_xx8j~%gkxC*DADdQwGbhGWF&QW07-$9bOgpBKpV)<o| z;e#zJiByYUWj(X#yuZWQT*!Uy4d?W!<K-6Ywm-ZJD>$Zee%0lL3v^tsUTuyWrLmZm z&C5u~^KnHSg$I4{Y5AJTl(1IuGZE+8{XGvWncJ16_g!BOU$Hm7!{_q6I?4>Htvak( zxc~Mu3C!=g^`p@&ji^^gr1B8xjSKMQBy0UULcTp~^-Jv(-WauKpaj1Qdi!fnzNO~w z$OU7QD<_XFkEs>O(TX_Fz_ozbsfDj^6Nj+55>44s_6ec})=pwZH$uJHU-DcSo1X)} z%NP+7L2W_8F!>>4`O)oe$S^j0=Hs@TFwjL1jcrFW7Z0oR<UcePX&=u?p2=vqMpx_0 z0A=^a*>(<ICHnCCI}ESZCSq%CO}tbDs@-NaZjymYmkz6cOij!;Zu+t$mX*%M+aHP! z+<5Z&SV)B_xC=mzBfxpRnsOF}7ISlz!^CQ}KkbdiC!;5i%U|R2Ti>pkjqh3)Ac*v_ zyzQbb*dOw1CUC=}zN43)lRuwK`PM3K=>2zjzy0(;Cp9!}kO5<|rCON*2_^a(Z4TZq z{ZT1LLlLmv?UIV#6NFvOc`nkaaqR~*hp*ckQs~wN6`P^WTJIO#y0|Grk*c=a5_P<< z*I%)VeS8kmOmEl1N@x(yWIS<?yjhFEBG@`CDOs{4Lv&50V=eK{7}?A!z4+r|pd{tW zrbh7=#|qrZ94OA*DH*<xn>-~&o^`Ph{l(R4Vmqxhf_{wX&_#mgf@LOLelvxKJVz&J zD|IKE45J8ZYVYJ+L&G3OpxTH|+N2+Xro{$H%Npl2tFGtXZN!ah_%jY>4}&Ba8*S{_ zs=tV^DX0>zGH8WjN-Y!y=_laP%yEld7>DwgDS}zVc8!FKE&{I|F0~vkS7mOS@t_@C z)6KUBJxc~1jEP2KqCQ#_GED-sx7sOQ78-`fKzEQ8w$@^UTJLbTb_)uayU*gVt)wOs z4s4T4z&(Qrl^@PSx(k!j51wVIAw5X=SXvu?&<5;;EUsRXVRU#ST#3`LXq@T61s7ey z6<jP*l%&f<=qb|K`I+M$!y)n`t*k+sePaz^XqX33<qUrRlDw2Y>8_o|x004=)ejpe z_SUH5E@_iq#uViYWW9$ZcpDj?t1NwG_g>i$`=<CDSUSs<Ib7%_Efqj3lUwvwz$`<P z5>n@2WyydEZ*Ja0=SLT^l2Dt6zd$21Et2Ph-V*Y8ZvE+)gC~x4Qqp!pMrgkX0@l-q zKy4+EuY|sola-CnXLpo?l_Td`i6!x2%)%wh@FY4T&K<Pp_mG*iHL24*+jfM-qgqQE zRtbn8f{AB5R$sOKILda+?828&d?5#}Kvr--$*rfH_e2{pX8zLQ>9yypi?cv=gUAc% z>de@*&=FhJa?i3MFC#+_BetH7c2;jgRbNkz&&feqEBUM)h`kqidzZpoyP>6&_mcx` z<uT)ZH^bbc596x&-phQw#<qAWfd%FBp2!0P;Ycj+yVwaK>ww`y!P0sL>TQwUT$X0+ zF2vmqCC?sO-?Cy$8ZuU3S1a(UbraEv<)07IpQmjMC;fX&HeWAn7x*(o+lB1GI9)~H zO<}F?l#%&CM5><Rz(>r+yRS@T5>C;M@H|%glgcwwrDYR^EaNuPJ>~r_OB*+f8$TNz z>f>yl<uPzVA+aY%vC>^GBAbb69K*J%47sf7EZ_Qn53&@kF3Ynu%MZ;ppQeFL1E9R< zXp`v&iz<sLR6zrUR%Xd1iOFngoyFy|Ha>SLuSi22pwIashb@QRJnqu`0vMA$Z?(?1 zCT(VIEJ%Tfet*ep+fNGV+fPIg!xF8th{iX^f!tmkev*7>()9W|Q_>JEO39K#YsoZ4 
z0>d}YtUuE`wML059kqKQQ_XYp#1Pc)-O4R<S?OM1UAmcO=S#dcjzW67m6!Goq|qI| zvdyLslRgI*PVbbsIC4dZPk0aNP-LJkCOCSe07g8&$C~Xh!P|0v(}6m#mP^GkT{**O z_#(2sZT#ybmsxJ9cVnMps!<1?k%Xlm*<8w+w{en+Fyz|Uj)&H86_0&NLE;T3S40v) zXhey3z7Y80J0j%){shFVnpI7z?<L`HD>L_!MBG(uoM>&UQ^Gl02to_=8OV4w`hKM0 z!)44AYgmz({9-86kcSdAt;ym-h4+Y`DWsCltTf=@0lRcszhJWRdv{PZUvB0%Bh17h zDtj=`vi&?a6Vu6D?cJwjHsL&r3Lw4QNG+&WnS>@3C?<XoDvR!~)6Ez;s9^tj8R((; zy?b())lW@}h?Qau(#*myqv6ZRb*Eb&dLQSmmABzsnAY{FVGx#)4)V4v@!A-9XdzcJ zf3J!N1c7Gm^;TQr-Zg&(kakt~B{WlDr>x2Xi|YR0RMrpy7VvFM_xARZ-ew4K|2sh| z48)05b#>G0by!l*p7PIf>`WUBAae1!AcftF+p!D|WN2b&m{V8hN_MAO^jg#L3C<7m zpB1D2hx4nB|BE0&ei*Pj{<nLtx*15>e7!|iJ8wUbZ4;Vx$LjnN)T+Pkl%%Q60^l?6 ztu*8A+DdfzdxaH>i7X!vB;Hx-V^^aCnO=BMBlq;t;qrN;bnTEUj*W#&+LBqD_A6hO z=exNG1^@X42K49(AT!iINpW-Ox#3OY)8WVhJm*V=u$prwWGBpgLOl$Se6O*nuOq=D z8%9(!4szzV{Y#O&C3~OSUzGBDKYTm&8F>J%A@;ACy&I2n)r=)uiWGSx1(A`=HoRP` z0ehde$RZGdIkaLyGtH~(@6#d|H;(27wG%ldz0((WnF5rt(r^`!6BFSorx4!=PoWfM zu`C>HN6mqYmC@<`pldNPO@FTFiql~0o9*~GKy%pU`qFnDTb1;GL=XIj4?-M2-@5bH z&3JA7S?&mW$J>+!gpmh?SASMO<(Ad8XRJ@5z@|-!nVmbF;k>4d*K<KZmOn13yaaAi z=P40_+AeQ6HQBP!Yb7hojjHQEj60DL1ypS;^1jOP_i|duq{KX$PAO1Io))ikl-So= zJGu63_KLu792!2_y#Sl4N77EKEls?Sbbc09l}pY7DJaX;O5mzekDfBJj~O6TkIt@D zBNiYBt2U8YBqp5SreU7<KW|+}Q&qe8%U)}Z>=agb>4MmPA@eh&zw9P^dg^RABvw$c z^Pl$@6?ik4F-`ya?5-^4EL~gxUfcWn3sMri?|^>|t3B$HyvhDH9ubrBM74`YNblUj z;`B7Oo0ftR8RFUH<fIK-;A+Cs=4t(J8gy{D5-V?}rv$o}k)8PN>kr!`LA=#mVZ1Tc zA-%I?=TquCxB=b078bw5f5JzA$%_>8zr$H{gfPxwsHHxb_EcC3QK{3?myxS^II2wm zEs&3$rUQU&rX!goGAX<1!u7Yi=@587*}^a&rIA-@F;q~s3IP7)IBSl3Qo@Ai)G zJC$x9)=YASnEoou&l{$MluxR)x0U9mh>BNDT*#hSI3-CMCw$E6_TtMIYPKX>aDMkb z*DiPRvyO~R&)d_*UKJ4QWVF2BxCl!MhS)bdjmV%D^mdwl(PRsiA|4Q}(y5aMjhyG{ zE8r>KYC+fd9IuX+1%e0`>4{1KuxiJ=A=0&BuEYtma$Ie$kyoU_JjbyiuK`@kPXu}G z!tdTVms`AP86Ai$OIdZ}#g}o|ntqgY-dl+-R%<a<IFh`hzRRZ*$M0yR^3`wjx=JH@ zYT}R5()PPDlML3BNePF2^Y~Z316<|e6uUqu3xvGOd(tx*Hvt;nwX`+iVPU19zm>Il z$rlIvKl~??cV;6Y9#rTJuwl^>ffE!?85o_jWJ(#zv#ylCwLXn(&g(^RDwEJV%eQmj 
zt*H}$Laf~yq=xJ2`HVTt>dvm<Jd7K&>dt28(;u2fCGy5J8`amJ=@!UiqqbJQYN<c} zb;h-;p~*Oy_sZLS$!F=_6^N4Xl5s$vG4m#az9rnTqNwdff?wvFRLvO!>l6G3PCB1C z4-{54Yy|Terk3Yo0;~~iE=2=|Y*m6}EZ`exvt7~X#=+TiHvGXUCmNz=OOGCMhSG?$ z5T=PmEho>#XKh{MlElT?3F>zs3H1Nz73knV40us{K9lQp?6>OzmwLSKA)gUkCNpw< zdk)B^jPCY;DIHw3j*z&z7#$t`U*gTA6_)o5q$)@YB!5rVUO3%xVtTfo{KrOs)ceS5 zf)U)5A<@j}=V_+Az8{eRBdS{w{qD6d?YBqc%9Np=5K+~`Ek}|vxF<N0wt4(eVCPkx zX8Hf7CQ)Ia=3oVITUbi&{ExF#4JVj&GO@EeE<UgXtTrsmKHZFXN51_{41ha7Pg<)2 z*$&{-TeP_W$P&ofxizdCdF@C5sI&FsO#onAXYSjgU{`!%Q%?Ma0s@V>6x*oo(*cIx z*DVvuWcmWYp8Q}J@cSu!!_#{H<ZoaP3j2Ic@Kb`-56kPzgW)-!MSxDfphK1#?Oa~% z-!0oTA2SBlTTa5m&fE4qrvdJCicSKb9xS@%O3ZQScRp6~=E<A*VbG_vQX?+E=M-qU z&L4XB!7zIjfXilYGajOAVu(qO*Pxd^2cs@(Y}Q;TX`aqgSQq!&?q25yChCVQsL_-U z>e{#?OSaEXcMWI<#vCGLcqm>YFL9r!uoHpdV2uSV87B(xbm*$N24Sn6L;>0WFgVEX zlPAw}eWt?y_zge;tLx9J*3VLW9-e?ko$Ku=TpAoX9=BiD9wHho;1Io+KFzxlQ7xo& zOjoB`I<uEEWk(}-rzX^-A0=$WP%biTypP~#m)+MbQm_ME5mDb-!f53>OE?;LRlR07 zi!B!3kvCsZT}i%NooR9R`!^A3*XM<9EiAS8_+yESCGSTKl%f0c2q*%0;wyxea1PtE z^;Q2PFD664nLlX(%Do37jJ{}7E*$5UMD1_8U#n0!d*;!CtFN2@rw(({z-R1DaVGII zo=-2tE|T@uZ0rV+xts0xGkxyYYrzll>PM44uIJ5C;goOBT7ax%*!wo&ehiOR;_wXl z=&P8e+3_wAWx$4i0I6qnkZMptH}?ozIhu6Fg8YImP#kYI-HeC?HLAw*z($8-&2q-^ zC=*%nf1-OhibV9z$5&3oWlueCgrz##0Svn;JOJ=Th*wS_k^0bx+8p?733iZ9(%=X; z*;~~R-RUjNPBgVLuj8@l3|urHIrcmjLj-Vt-*i97w1Br0Jxasq=)ASI^!|IaPrrgN zHmJ(Q^S8y`3#J>ECH<^@VGPA0<T);pS(>L<_~=`D51815(9SUZ?R*U%`TEN@K0W{n zC(dm1IP2h}MuYmPJ5E?oFa><ra1l>P_=NY(lnPh|1hjGp3+JfJ-Sx0(+I$TI7F{<U zp=7i3)iqu1f_6RiyOL+1AI-6w<T*<j?8QU(`x*~eQh1~`nL)t9*472kv{ub8z`*~+ z!bbfE`IrB;gRM;1Ck)5^-zb4FYbyGPVC(_R9z?tEADseg4Fv0WA@c#N+H7DgZqSs6 z!bM>|1O1GUvN(e+#Tik_97ex$mzG=n*(b^aGkz<!^eHIAB!+1hfbAdD_CFD~e@_9N z`j3D3?~1A*kt(=WlFA_;$@ec3x|YU3phUdwsoSu;2;hox!|a{^E85_hMF;&oVPR!e zvb!1o`?mnAj2!^_TE`@c$Yc9-8Gca#L6*V)5^Tf{hMro3%8#h2sedQ~K#7bcT^Z$w zDGJa+Rb8NS`}_O<078%fktf9lA+Shkar}vXc>ukk#)yrSMM(nGALHi%M74ht`Tub< zwCj%le*%=c56f*pN0xiOM*DVel7~Y=GFHZ<jJ};SwK6EGd&DCmC}`<DlT2ejn)$pu 
z`0sN-Dlz~a40r?eKa0s|V(8Bl0#$bW(_svv!p288X{Bdarj&MIDs;ZHx9)TJ7%kL* zloX3R&z~o{*WBSWOa%jLtz1x0-&TKZzV~VkNk)*Qf(yXl>Kv7tBgHNf7<lcCT`k=M zV<&q|&jRl-ij*<81n@=M2d|F)^j@*Z6w})n**$b7RVe@r>a|i4vSlIlGg?V?-s84c zv;(EoR8-W|Bw3@QqX7NqPo!DnT%yd)E{6up6;J}P*O%eJtFyK1W8Fo><@RfwKve-h zV{;x#nIZ*&Z}~kOB>Lx^Tq}7ddELY5sc)45%ATR^I1`Em^i0I!F9RWB4rXRnPC8k> zkR2NofZAU}+CF>9I}q$?OU=Q|>3)Gef?L)LeQ$>~l8&4FJ~$X#_$QCc21(b(mZ8#D z<A8wn|1=9@QDb5CkRCSJ;Lr*r&#$!iK@Hm8Y*MhabBN^7X`21y;U!2DK#F`9Wha=U zr6wnr+7ZLR`hkPDe<YQkT}?54K*j+H#Y{z0O*u82m;|+sXoN}7|3*U)w_~Tqf|d68 z14S^IWCpjBvphO|q;%riI%8YdW^Q$|g1nk`&XexpNU=ewe@eHu9qx~LO_8{G&JWza zV!`Ud9K+HE6_ls3)IX<D-s%}13eUhH38c)g6P1WP!TFvP0(=YR=679bx=Z_uPO-6j zg0wd+<k!gHy5iq!e$M4({be-tD?Uom17`I5RBT*67dzqL666sCK}%ctoxej=Fl9{6 z0L>syda`t_IPS|v49xE=sGrl7CB!9iL!K5{RqNJC*r_mIDiO&TI{Kzr62dwTD?rn$ zt6>_lyhM&BFRRWPWZ-hPb0^0}vTrk^=ip_eQdBM-FKEe4!{Ow1j3y=V(mO`{CcM@i zB$6jcLK5Fo7>1*W@b?5@>Vat-NA6;j>8u||x)2)AN!#V*UirTWccL{I;hq*q?Dr<7 z`In&+vD{gyYFh}7UT&nESJ-+UCkY98nc)QDbBVSJMq)1U_|f$pQzlUsUbeP%EORP= z5Rd&555nx-+WOt(5#J6eahUD{BpASrF=7=o-6jyDv6YDr7#sX!{NLpFxar+>_=!Qj z^t}GS-f;{lq((+2j<7~v4BO$RY3J*SAxYbJzBfbWN)VJjr&BihGsYsa(p6;=bjs2e zQeo!CUqJ6;w0K>G1}B9K&xbwwegxLirLA%zj!15H9$E-J6<tKm1h699+}s>k!!f4N z;XtiSk;TQr*`wwCkXYOfjQI6jp_gfaS4jm0+c@ctoNhv0@alos${87n*`(IS=D?P0 z!rCyOMbjU8-nTS{rK6_)YbqFtozdA&T|p7mBR7uiG4y22|3ic*8De<mRp{7<=-^<z zvEQhzUr}E8>0z7Ao6E_`iJ4J#F!&P<E>j;}Vgs|E&{A8-DZbw$*}uQg|H_Or;G<E% zM{$QuOr0c+V$B~n8l78+Wxpw#NVxQbqW4~*!ZXDw7DtnZ%wGj<;*g*^y`)QN5C<6X zq6uwat)G2OmRD4aOH8E5@Q3xb?e+V-;kT*C=I8GC62L0$WfsiQsHY~>nJTYiw&<sN znrn#&!igFAglWl1=_Dl46WI2rVWHV0ZE&jKBy5;xC>Jf~q$w-b3~>epKbrn}(#!pS zGx{e);lE`6-%dBA)v5%fyDTLsnFY9{&&V+Q2y8G*^nZ5$>ld&X<o}-f@52AeFyE&G z=z_%b-@k4xkKfwbPQAQLNYILkBnAe;%32-@Lqp?{I^IX0J*K)EK317JgM8zF0G9&h z99(*$GCUuym+U@hC@Ix=-$!VG<F?M-NpSJ-@CXSH4-Z`$m;RVvTg{o5LBRe-YJqwi z)L;PJ$+~|Aim?Ur$Z2ZwFfqZpb6|YU@Mx3Y=d|TvcTb9aK~X^g?b2HBX>)U{@6zAi z-@m^eiBeYa`7>?WKQfXuHw_Ge`3Be{o*@tel%T18KN_VCag}qK(sKEjH^ITm%IdP< 
zG<#+(!`=9w}}6f#S74WvFSlMDH$BeG`u4E7i$=q!;Zya?<Ij0?fa5j+uXH+bPkg z6@LyQo6^QR9Wf23&zjn;wO(kjH@a4kf$+H`IcaxH>WkWkIH^vn(>*w*2qBY(_3Hf8 z?+9(0_U*9-5;5Z{HMZC(BSa~r77RM->(1#~bc<Zsr0l*o#|<QCO34Bh`fsq1<0lWD zguvW?D=212sq%mC<JUmM08rtH+EV2GI%ZiB=P;ai^i$qYgT3Vo9)Kn3_FY|%ERFA~ zc%Q^(NP6!2y-NR~U96!3^vn|O<pBl%b)P`cTYQeANfZ9Y=-_Jg5*8ki6k=HTggSKP zVm39Q)AlLxbinK2Z)mbMqX*K`_B}f&ggzD^yuh6I-X>d{2V5;H@>J9vKZI(2`1UN$ zH|9f4nERE@B$X?GufN!)?wDtji}To`7Er5h0IF(Xc8whs1wPVobT|!wKy(Mdp`jik zPBt%jtRQa_6>3<*pf*Xn#=&t(ddu30|Di@1a$vPQObd%0QW_c{fb`8>-miWBc&=lD z0X661yY7=o=U}|KnDg7--mb^P`wPHV1W{U<-@fD)QH>E3r?9K{o=+|Lv=r2T+n+93 zypC&nq44`1?M*hjb%ALCV%3m&tN~YqKH^@~VA&XacD39IJI1V_S(rQ~-dsKa%XAbe z6n!>qu<Wk8r($&-!!;f|Ry1)r1AiRm|1)J^6&eTt%4uSh<p4u=^OA|bS&2G(Y__ub z3rSd2O<vc&6h4j-hJ>4?2lU#I3V)gU-UqYsTSH{0Br*&fSwLMRDQwwHcNecG#*v>( z@gvpZWmW24%iyzV&#P}j{{b0ZN&LwUZO`SGetV_=Fv&1G{~#@5bIRjX4GXZwj@sWm z9_FQ3$3(sOp;23^exstMR><*9yR2n9FGbsJ{T&nv1=M4k*POV6vx{R>YXI)fm(c<| z8P$E^MMJX3<%b{Sw>u32Et}5?JeX_5(O?uxR?CAxK-2l8LDaPdUH|}<Wat#6kQgC& zx18op6Vg>k)WqEF3i4^(P`prLn^_}E<X2=Dv2pmi;K`@scu~zpJ@y=ZiF`*Ru1Pg} z2t!O4K&^@vjhG8nKJzUIiHze0i75%>M#O+6s2p*vq!3H00e}QTxBKDmzI9oNcB~df z&KSLdT2Rd}YD&ypV=SQ@z@6pjZ-1CeVBu2>6>;6Gz^(N<VcBu29si!4Q`-mudsmIt z)i<+E1R9E3*}OeF@12ufe~n<Hj#Upd*G9*n$GVF7j!V<}#K=UA!)<|X?X{1qBsl;m zUb<?MCnkoosk9S5gDq>%R36TDJIk1&;^vchja(mOWIR`GxAf#>T$20N)}vJCN_7p= zmJ5TMimWo)VbM#moWsCyF!{_>eesW+r9-nsqDMyKf@!{7mZ_9sat#30vXQV{FjtyP zx6d9kf0fHL5r#}rZmOwN@_F7-gPbnDOSmsvP=7NAz&wf%&1H8gt(Ho7#F@Aj#+B2~ z%`U6m#hLH$KFL=Enr2wu^f-sgB<!G+&JS7sUs7xFz_|dA1$v)fSy2gzHMB84Vnl+s zkkHEhgYA~4rQ#kK@ao3HVwW8+1dhN2Fd0u+T@i2fX`%T>-rM6Rn+O8zd0}B88M9z_ zx%IT|5Wb70a!N^I;m*}D)W}Fky+k>CbZ|~oISjhA!;~~gD<K$>DQEfIi<cLld(fkU z8DU&CQLSPop5f1wf&v!ry{Zxv%KO<+@%QPTa5_BCMPR}zZHg@WjF@yljY);vwq>+= zMFQ9E!2&lfKs}hHX6>X_Sk$9?P&a(qi)72E(5>h)Qf{Fe8*@f9`4eZL3QW##V|CLr zipI)%q6O_{;GeS;G-;$fegB8^idmoFG9jB_bMZ*S9Qa^m83U;&6U612{b&i$2pSC? 
zX5iUKnD_WW8JaI0QLK|OS=&{p6d<+;w9<VwqIrAU45D2I-DbfZYFbEQ^|TTPNIP4% zd+9eN1*J6y4kH`x-}l5-6}0B&2#F-N;G!IxrS-AIEU3zgGK-p_gbm@}o9Go>u1eM{ zM)b4CW=LxEpQnQ_y1l$9>Ltgl<<gilQ8v6}`c@?sBKo#x=5sDeYd+pf0;re<sRs9E ze8`8R<4o!FtBuMobbhrYg5~3sO~4MX0aUJ*mC)M0b$;YqhgU*q)#Ca?D;-&2_9?|F zunA81r-EMc0qVVdYl^~b-=3MT=V_-X&5UF~qT$=zoayiH&tmfSrP30Rl3X8kgth6) z;&xNNZoeC!+LgzyGM(4_L^xBxqi|9NE*597PS9dqajKOC_-XyLY?D|6OtFTz*$ehs z5uY8gh6`FY>NGles>xmJ=wSj4k}0$TB_d<GXHh+PH-(Yu_>l{P^$SyD1y={A&nnS+ zPBJsh5|mBSh8PCx0M5%WQO9Q0iS<%g8alF2QF75IzWG{4{S<uYnNO#_408^+xafGe zxE4xy0;yd=LRL1z9kw%W^&e9!3iI-JMTuA_n`R6F{C~kP_hMlK-%IMjZ3iGofY`!$ zOcdJQ-ado%QLCyeVEf!%4t+B-Xkw+<A!(>Fmk?LOD?wHzv=M3$CA|c2R6ZWyeTEeH zOvd92hVA$t(*dj2PDz8t3BkZj^ug7kI1w7t=wGqiXA6?qE?rtJm)E(XE6Q$=Dy-7y zG_zFnOv$Md67TA_Q8TQr-`STQF|L&=fjg-w1_(BM^?p5@*J&{cR(W5MtELqY@D~06 z99V&y*1dDA7_J?0r=`QKwHyDhF+I|clN;Z;IgB)t$X-e5tYHICs8Mw#3qQVjMzLhn zQRm>y*GStQ-N9*J)8`yfNYjOD$OPv5hJ=`1kn9F_7<g`ma8{uXpsRsLK|O>7v@4EW zn-00*1_uPEh@c+<fCLk-l>K9p-=<ssDc0qpN7*bA5T@XFsH?bi^zec8Ohs#|Dbih6 zPBU5>e*OCO`!^*&zYZ?;4{s~Nna5&4CUk)d8VvfwtG*72)1IQGPmypNSzxj0FDg%c z^31QY&O_<?W=_5j*d2<F{kZ-|rRCLs1yo9{V+_p9+0HUWXAuz*DA7dU0^xnT1Qv~` z7QWY|nd7GoTaHxbH~eJUwaEEDuxnsrLckNrR{hCk038-HI%iRqYH2X>@Mvml^9^Km z_w-0eAZJkuTbr_qxEKHsjYITi=nz_2(HAy!{e*4zbQq?ADyytKzO=-D+d8|n)S@47 zaAJ}1c(+gVHU|F81dsa9>vF;8$MOX<2LQSghTp+3rDd{rc$ncOcYlAcq80zCC4S;= z9ts4EK+LO~RPbB1ud;1%anaG34LdIX^5VjNzOzv2rLwUYs{lYi4M80mo`EvPx{zQo zS4AwBpiRBe!s!ShU{%Duw<r2y``KUrOiJQ(KidjKrcq0nFl7OZsr%rB{FYvXrl$q4 z{BI=@-_fCV8Q|+YG#W(bOCo3-x>dU2caZsn1$U<RJlq5Y<xJtV+{_Qpj)##Azh_UO zOm|;6$NKa~XU~o;j(TcYhVOhqgs&nQ1y;#LY2p+`=31PEOzJW!T9*Mmv}Hm}rh%Qc zc8ZHD{!{8(Kyc&{CE>!PPMF@e%f#x^X<6pDnf-G+6wP2soJT#5#-Xa^Af7D1Rcm7* zbB=+Pnm=0%h(a-u@oth)r#>|n@&Q7p>L0TNVw^%&hrjowNKP6w%-d@VViIE~;;&9! 
zB7DA5HFA^ODmHV%QX8C?lNO~^j|+!zWz9D`fJO;z^SbR_R&6paz7plygo=(<O=wB+ zpoy9?9#{~rNHgZvY|>|0WckPJ=`?%G-4Ap`j757VaXERO)A<&jn+NbAAJ%Z>yL)l7 z=*$j}i$E-d!{`WZpS!zZS?6%ER6#+Lr7NE^6Jz)Ng(~C>)e?CK1y`9fTO6g0fupoj zUt#U9;>l#p+|6Hs2g+-2coAv;Rx~zczT(dH1XBZqTBQfq0{G}7hgmmzKtIFit}7}c zg6rN8#DmLgnat{v@>QZ~7obo3HmeDQ{1%nTsC>vLDf@s*2^Q3T<aK9l#4oINQM@#6 zg--6;awh(<iTkrqz~#l4ZMiB*Hwk|yA&3Kz0j;P+PGQz_&im8TK|sHl&o{O_dJVRG z{!Cnw&dqMh6mQCctMyYjJ89?#s0?67V5!3F41X6637U~i#&LrreN+#<l#3e`kw?i- z)!d*#vaqX~Oa8mRBHA3k9XY#1=u&Q828IOxzWf{2Pk{7MF>q%3cco}wiHi`Xn8;xp z;b=t0H5BikU<*>W1GyaEAJ#$!{+6zW9R#vO1+!fDuyow_RDv!!Tv$C<C88h{q52~R zV?4k$En6Xr<RlGy3OzYgCq`+FxXs78ye(X@D_~ToXc5yc?5*7jHX(u7(S*@&8gx#R z>CJwFcp|w>)Irsaxp}NHyt(-rZVDp8YF$}DE@!`@2o}k=e_b{V>Yb4Ctc!Hy*k� zyU5Px6Wiv5waXL(6AUIV)6WoO#Tvgb{wt~?BNfj$q=Ro4^-JCy67Eg>5v<f|@GkKq zVZr+(+WQduR;*L3pwW#Bm;Ma(gg$x!U3g!ka6N3Qa!kw(?+xZDWMt$IT#ly3#^h;6 zCdS5Z@wpst93Ol5wapn!Yt&1$%SQV8LS9Vnxx+#a=79A1tt`^TGh>*}Yv%G<jZ5^v z=IQkXtMeWkcSl*rh<`Q5x)=WFUd&l$7-5a2`_QfSid5s`MY9?t@4F~^6uwW1_q~Y1 zC#JixksP5h;?SPR7Vv?Ori!xtLIP_j#*Ya->E0rCN7oUBGpnfw>8XcdUiN126u#J? z)~D2_ftr?6LLW~b<ZEsMFQ2)N5wWTg{z+;j`Q|;|GnXhrK8)I83!lx7ciw9O6kI`q za)_1v8Yb1O6V)86q&)x)cmXaJVRLU}_QbR}>Hl5Qp>7f))mM;?M(rb7e0KzkJc9{R z_UXK&07=`Yv=1;&o#?Cy+F-5H9~D?#JhFLOOKll4I*E=~1UX1Zwv9V;uAKs?-{Fqu zG7}dYpLL>|kPZ0j#cCCE&(Xz$!}cn1Q0MyV>eIja$RM5Jn?#9dOT3FZZ_wynMnq0y z0NicW!m1shG+>(5jOK@DS};0=hgncFL*)X8>fe-Q6?XT_9T5K8nGx%T?Y!jVWJ4`4 z2t*``05BHuV};WB1ATn}&K%vEyzlD!lY$)=Lz<0x_&u|n`<TI%piy0IxBL{PtkzXc zO}&S%^+Ef>d2GvTWJQd^<`1~<i1Hx8<>%=XP`>2{@Z}Jl%l)c(;8vstc;5SNf5WLJ zX_A<WqTsEZ((iP@)Lycm6?jOErcZtHSgJ}f4-VcrtQg41yI4$m7ov=YQqs8TO%kdB zHonzqy6eOfs1^T)X*l3LUb!uI$RKx8ZDj{`?s><`Hank&-aODy?j5zq(lA@4WE2I8 zNaAM}k59_2Gl`}Cuvig=T?6heZp#1UsjBgH<V5mfG?>2VE+iO-j1>8mtuR_03yUt> zJ07KZn11bL3zwlra?bf!{vYLp!sH9<GN}Hsb1gfYI%%23PU;x*^PPR+EFdD3hwiv& zPy!}fRtg^lr^wu$q$F+h--1}`E1WQQu(ww(rJZi}T4+2>_g;-4?TN%M0&;=ELTXA% zN?Ka7tcr??<KyE8*ybIXQg_gRfq~&BKRwjf*EjUE0ZT>GF<!~(<&C@fPI%Jrdv3;! 
zTO#g)bUic-++!-Ox978S$lMlCEix$AIl=C1bp<E-E!!l&(_l-Lvw@~xv|Y6WQ=pRZ zk>rv`PqSN3ShVXGjVYQB5_otScg{VD{QHJ#q1xtbu6c)~yJfFO90MwfKdCVo{RGT@ z>RNORW@GlyHiD{U1;lT;vG^6BG2sqSknU$JeijAM!;Ds_V5-VgUG{5EPmjdkfQ)wA z6f5wVYG{$iCK*w=YfTmN;hI;B%q>`#IP{-rIEN^~yxNeYx07HkAe|e~-<(pLyLm3S zus_M=gP+s@83tr`@*RTIX#3b~0KP%DAb3KdJ9Pilrvp4y;`IveU&x`CH8)u9&tedI zb6f=Rd;UFtnELZa(Qr5h)k`kgdbQghgGO2K0D&lXqN%A#&7}-=6j-K<4<NO0oFSn9 zb}2{ztpHT*$m%dfgO=OCgAph1Zgtqk#k2k#LXk4Xh&N?(&8_zC_X!CO;P!iTvJF}q zR#mGdLfgGknYParj7#;MobItwkH4_lIb>l)q`4jFG%wyP#tyM6Ry5q)SDBclImS=V zv~KUPY8cC5WS10lubo+1%X>`C#yns(jcx!@vF4&>nZKAe4oSQ$g^Z_}7iID7817HJ z<{cVfK8fP7Hbw=GPAVGMdss=^1G#u9nB>H{RzW1F$t6w^)uR2MZf^r-e{$MXtt6l} zkU=yHsW}uGsm7XNG0aLJTPyUi*qLXHk5-zSTaZ>10ic3_9a5Rr<Xx=<jBo(%`G}@U znpXVs8!<m@Ysu1I@8MH+8=&jvJ}d^S7vbWSnOioQ4<u9~<B5xl+n>7wSsXhy5`Zy} z-Ho~W&N!8!M%z{GF-7|JtbPo|mjgu2gMwv^Lb$>SQrgILzqtaH_T2VTqM9EI_Q|_S z+s-u_B3q;c6|3$)N%P<QaKwnFB-oWzBlGI`biX%5m#OzFv+b8ggSPi}_1B;2jf}-7 z9Ny;<hx{1$wc>}oxeSAf=u!781qR{+!eywtyjP?R$AM(oL@^P15uQCT&3hy1?a)WO zbqd0pBxjKs%Rs$uC1E4-#yfGmvZ8u+&tv&y!q7$Ind2=dDuUF|Sd-h)@@agC)zY=J zMs+&?gfz0Uv@@{`j}@{7av1M#D}A=I$@@TG1kR<>__XbNj_xD&XAy!g4-e#r&U*_I znF1rKN~Bt?fI9XAWC#X%?2yyc9I_p5S)2qlhHn}r8a)GEZz?}yqCpX>y`M6#`3D)T za-?tO4y(jy<>yWW29}CDaxD}?&8r6nER91<@6(?jz?@-t<oy6gnL25jXvIpP6JM6I zGQ`;6USY(^`r1@rdxyLE<Zr7^&`73@=TZF;Z%HKzI}%GZy&1z6U3|sFZLEwJAm|8W z&6~ZrCzP;3DykftyEx!%>Z#wI8;b%WUQPWV#tuu%`72e&^j8_Nh@T)<hrBWi2lHL1 z(MKURkE>QyUT+y-3X?$0%1N>4(Fq&&q{ynVH173A9V;XYPkp7v47H7TF?-d^qz;Na zJPj|Ll0j1k7xz8mQ|s*>m<UMUvD86m)9hSrV=Y?`kZ#cd*pLfCcQ|q|o9}6_Zwa*? 
zQYn-~!{aMF`eo$Kq9o^?A~2CHAheH7+JwWgCsWJc+P7!+z(TJ$-gBl6OOy{(UfmyJ z<FwThfoOj{Wnm+~3}n!SfOle?Gyj4>h|N#`7a)C;gC4sZMqAqXDK*TPukk6XmpHSz zy!^pa`KSgcRN&1E|11z@^AaxKnm%mWys{(G61QXjbzg;yVTvYu7Z=D^uuOqtXkkt8 z{+DX`zmzP7SDlz<IDtYl(nBOBaPU8c%Mctu;e#Z?(S=F9egkhWBbNCSz4m{fL^lRs zgrLC{1(x5ZiFW!XOOB=0mP+`&?^A>SI?aW`j#E<dT*2h%cB<C9wI;7=I+#EPVd>a6 z=j|$>g>-B7r+x#2%*dFF1pABqi2yjiU{i@emGqSM{x@(xxwU$IiLFn|LWls{kl<+v zq&``cp_x6n0f8?Bjf3x8aXP5XKy^*9tSu(0WPmsZ4n%8GSAqd*{o41S%o-MRXSSZ$ zJX&cn$dcGFcrji%%k}i8zu=Fp20(XOwAXe(wF?7$MSwgeX|O`_RQp;2%Ey>uto~EB z&b8e%hulFvcP*e35+>-)*$VvY2j78_uM3}vRvQDDMvLS(_PcrCP~GT`0ARK5<>0}h zaQR;m4q9y3Yc_`c0QAp8&^Yd}aU%cuLY+_Hw*}n>iyIJRO4WMYtRf;05z>83!w`BC zcfQ<pW-KJmP>@j}(|lpuchc{H?omSPq`bY%>F~u48XSB>s*zLqg*u|FSf}0#{ZdiA zQ9F8c(hyM9i7Iz|e|gzJf?wSql+d54FAkZ(!4KMzDwORoWJP&O&&u%|CmK`Hl+ll- zjjCSqI5(PnUNpni2^uf*&3z4fF;UI*FbfzOQ2;Tot#=uDwp~Lt--rzp6iysg$!=ZG zDalXiwXRwgn4LG$Wgbo(#RjdNdT5cW$!MNnh`Eqm-i8aFyz=T%uF3tR$OOExvt7@I zuq<S?KWd~zLpV2OR8YkxF`^VDsj|x@wJ4Tg2+gXIpC_v6R#B_5zx};m5Z9>9OAM}= znw(P@mtFj;t>SQ)KKy4juZcc!YNa}-zA6hZYrZ#$Acz`6xm52Yd4A32<9VrL7sia{ z+eRo_`E)q?5l7>W)&VP-#14X!ZFd>mLPg^9r(tNDCG!&aCmY<g#Zvz(iX}u~VO`A{ zknx<58ORaF16%S|^AxIMnXW@=rF~dR`jpWXCMLJAT+*6iqsCO9goGopWGTu;@)`l| zh1FvH7h;taeV3wlglvr+X+Frns|lIN;_?D+-_Yc$Wq~&=NFiyt>KSW|@+C)P7}CXh z!mMJ-6<eX<;Jjqad<vqjiSPVx(02i`1?&L_>z~4kBj%Y9(O=ySf6kH{dZ$V%3IlIM z?cAfr#gc|qntB%hknln^!C8_PDZ_wnEkpWjkXq=swYrp2<!mAA!`>{}LPUg2M>Jz` zoE<Wqv=5+$W2&MRdzV-{cpxhVaWW4mQc|r5JUwnBmPm8DJitf(YEZQFQ<&x%jJwYP z=QT_=jHF#n)ISLgKVxolv;SF=P|W9mfM?SuLz_wiOK+rG=CB_|$J3OoplX1KZ`FK! 
zA>DetYO#8)M#<uCrY2;id-!-c^QYRqbj-Vu-W%DZA-kVB?IEnGQ3(jHv$J@Y*J*1^ zRK<qYyPz=iCp8=ADj;|_o;fGbR@v&7N!g{cU!o{$%%$M+8FVaMO6{sy1Ezw<&8cvi zh!{+`DAQYX95&J>6`;>vLSbe#fy)o&{poI?z-pNnB=S`bF?MrJw(pEXvB*|gDn)3( zb%Ab7^jX-#=p3d8?@a2{Gfb+d9v9HBspsZ(u5znAGg#%zVCI2L7%`=&k*Gf@1x*uV zuy8f*w-^7P{XPL1!&`WY`^=VYFW1Db{j{<2>a8d9Crg{F-ZTM?=w(G81%`j!wcJUi zhtsMmj%;_Bt8L|<{UT^h4*%3G+x*rROy$zPZt!&8R_j}3GtM?$xH0R3^r|h38kXx8 zg-GVEtJ;0}GiQ0|r7*8;ToH>Tj-TL&Vq_4zVD^6_@AcW!ybuFvtTtupJCoL(=Lc{0 z+HqNfVFGj+;u6Kr+w*_Mo8<azcHjX{>Nc2E+CIFzvFrJx+&ueBS`25{A)>%p!n-+k zelCZq+?NaA6amlDCQJlw{I-*x#mJy%3Q`3Gz~wmz3VJLGDn*`(2$?Ow^^6TYKme+q zK%23FN$)_?mkaBxySuw%`>HPjH%o&?d%CZjIKcs281*3NkObH<c&vvy7ez(GX<0cL zpdTjeZLRft@4Wln5xs_|43G`j8&-f;X)z>hdw0L|yK3Cy<lpsOY3yJhc}(|fHl7Aq zHU-=jnI#F_@D0iw2bB2M0A~%sRsabw-H^k)TC7ntLGB?l8}OK$Xh%PffB9-Z4*vhy zbW$em*P-+G_&+_|9`~Pp^2wB6=O*6JEZltbuk-A~o0{Z+K5B?$53`GG67m1%emVW$ zOAFI?w!gkgOS*~d)itlZT9te~y#C*lxl?;IxNHO`p7`iAA@PuL{g>6}Z7S1Motq?7 z1a)~%%YdihpDAom`&s@){r?xf)A#m$&sKBf`NX7t=f{D2vO2$i%l|tf{iIbvpX=cP ztKu&Y?f<^v@4MXhUiRn3J|jcVnHj|pzxXg|tFQVyo3kqZwTffLh8ZcBed~Am3at2i zb+M!3iOwK?t>=I5t?l!B2;3ZfMLT}?JpZt?3C{Dib@V~&+ZYU9A6RwosifuO^Phn( z6;YdXKzL)$^ZPY(Ssu=+-v4o?wgC@=f*8!XtNwG({rEgoy^Cq0!kvHS{|l^7@7oM) zWwh^qHo4yrSi?fxbf#d>if{emc{jH7Mtu8u{r(i+`p^IO9oe)c*L$sljQ>KzHP_!) z{(5ik>Z1Smth#))vqzBH@x}kaOCT8(HXqPZ`T70g?|t=~7503&u4~u#yh8EB-(7Fl z*K2az-d}g$Et74c$E)0@=5Ky}-+$ZB1-Og&^Zq>t)is54`A%~k1D47RXTmg!SKaz@ z^!Y#kpV$BW`CTqErB3YH-TmKxTc37$<Qgcl^dX}Phthe0*!|Dd`@?HjzuXwUulDrm z`l9>y-oMx3?yrF+l}fHPE+HGgR^N?&D(v#ec{}@!FGrd0#!vCry!~@Kdzso9Hpr^H zn};l`z{$D6Rks(IOuzvVVIc!dgWzPC)CLp;rPPL_vJr;BWeA`Z7zu{2s~%dKFdg`F zuo;-6fC7Qw6Am1{ftF23F(&K-r+4sJG)NlT(hSrU8hBJpQ_!6SJYs2%#s|<!MWFi{ zj=l!1L<HtlhARer69u<`HWxGKL_zl!gEBJ^Kq%<a!-AE6>pdfGXYIb;<_D7WboFyt I=akR{0AQb~s{jB1 diff --git a/Doc/Sda1/jdbc.xml b/Doc/Sda1/jdbc.xml index 0cfe4abcd..8a3b5a3f2 100644 --- a/Doc/Sda1/jdbc.xml +++ b/Doc/Sda1/jdbc.xml 
@@ -1260,7 +1260,11 @@ static public int insertPerson( <answer> <para>Our last exercise's database schema <filename xlink:href="https://gitlab.mi.hdm-stuttgart.de/goik/GoikLectures/blob/master/P/Sda1/Jdbc/Insert/Minimum/src/main/resources/schema.sql">resources/schema.sql</filename> - may remain untouched.</para> + may remain untouched. Solution:</para> + + <annotation role="make"> + <para role="eclipse">Sda1/Jdbc/Insert/MinimumTest</para> + </annotation> </answer> </qandaentry> </qandadiv> @@ -1699,6 +1703,12 @@ public someClass { disclosed.</para> </listitem> + <listitem> + <para><productname + xlink:href="https://www.mysql.com">Mysql</productname> mitigates + the attack type's severity</para> + </listitem> + <listitem> <para>Possible solutions:</para> 
@@ -1712,96 +1722,74 @@ public someClass { </listitem> <listitem> - <para>Many database vendors <link - xlink:href="https://dev.mysql.com/doc/refman/5.1/de/connector-j-reference-using-ssl.html">supply - SSL</link> or similar <trademark + <para>Use <trademark xlink:href="https://en.wikipedia.org/wiki/Java_Database_Connectivity">JDBC</trademark> - protocol encryption extensions. This requires additional - configuration procedures like setting up server side - certificates. Moreover similar to the http/https protocols - encryption generally slows down data traffic.</para> + driver supporting <xref linkend="glo_TLS"/>.</para> </listitem> </itemizedlist> </listitem> + + <listitem> + <para>Irrelevant e.g. within DMZ.</para> + </listitem> </itemizedlist> </figure> - - <para>Conclusion: <productname - xlink:href="https://www.mysql.com">Mysql</productname> mitigates the - attack type's severity</para> - - <para>Solution: Use <xref linkend="glo_TLS"/> if driver - supported.</para> - - <para>Of course this is only relevant if the transport layer is - considered to be insecure. If both server and client reside within the - same trusted infrastructure no action has to be taken. We also note - that this kind of problem is not limited to <trademark - xlink:href="https://en.wikipedia.org/wiki/Java_Database_Connectivity">JDBC</trademark>. - In fact all protocols lacking encryption are subject to this type of - attack.</para> </section> <section xml:id="sqlInjection"> <title>SQL injection</title> - <para>Before diving into technical details we shed some light on the - possible impact of this common attack type being described in this - chapter. 
Our example is the well known Heartland Payment Systems data - breach:</para> - - <figure xml:id="figHeartlandSecurityBreach"> - <title>SQL injection impact</title> + <figure xml:id="figSqlInject"> + <title>SQL injection principle</title> <mediaobject> <imageobject> - <imagedata fileref="Ref/Fig/heartland.fig"/> + <imagedata fileref="Ref/Fig/sqlinject.fig"/> </imageobject> </mediaobject> </figure> - <para>Why should we be concerned with SQL injection? In the - introduction of <xref linkend="bib_Clarke09"/> a compelling argument - is being given:</para> - - <blockquote> - <para>Many people say they know what SQL injection is, but all they - have heard about or experienced are trivial examples. SQL injection - is one of the most devastating vulnerabilities to impact a business, - as it can lead to exposure of all of the sensitive information - stored in an application's database, including handy information - such as usernames, passwords, names, addresses, phone numbers, and - credit card details.</para> - </blockquote> - - <para>In this lecture due to limited resources we only deal with - trivial examples mentioned above. One possible way SQL injection - attacks work is by inserting SQL code into fields being designed for - end user input:</para> - - <figure xml:id="figSqlInject"> - <title>SQL injection principle</title> + <figure xml:id="sda1_fig_littleBobbyTables"> + <title><link xlink:href="http://xkcd.com/327">Trouble at + school</link></title> <mediaobject> <imageobject> - <imagedata fileref="Ref/Fig/sqlinject.fig"/> + <imagedata fileref="Ref/Fig/exploits_of_a_mom.png"/> </imageobject> </mediaobject> </figure> - <para>And a nice explanation from <link - xlink:href="???">http://xkcd.com/327</link>:</para> + <para>Before diving into technical details we shed some light on the + possible impact of this common attack type being described in this + chapter. 
Our example is the well known Heartland Payment Systems data
+ breach:</para>
- <figure xml:id="sda1_fig_littleBobbyTables">
- <title>Trouble at school ...</title>
+ <figure xml:id="figHeartlandSecurityBreach">
+ <title>SQL injection impact</title>
 <mediaobject>
 <imageobject>
- <imagedata fileref="Ref/Fig/exploits_of_a_mom.png"/>
+ <imagedata fileref="Ref/Fig/heartland.fig"/>
 </imageobject>
 </mediaobject>
 </figure>
+ <figure xml:id="sda1_jdbc_sqlInjectionRelevance">
+ <title>SQL injection relevance, <xref
+ linkend="bib_Clarke09"/></title>
+
+ <blockquote>
+ <para>Many people say they know what SQL injection is, but all
+ they have heard about or experienced are trivial examples. SQL
+ injection is one of the most devastating vulnerabilities to impact
+ a business, as it can lead to exposure of all of the sensitive
+ information stored in an application's database, including handy
+ information such as usernames, passwords, names, addresses, phone
+ numbers, and credit card details.</para>
+ </blockquote>
+ </figure>
+ <figure xml:id="sda1_fig_sqlInjectLessonsLearned">
 <title>Lessons learned?</title>
@@ -1816,9 +1804,9 @@ public someClass {
 <qandaentry>
 <question>
 <para>Use the application from <xref
- linkend="sda1SectUserInitiatedConnect"/> and <xref
- linkend="figSqlInject"/> to launch a SQL injection attack. We
- provide some hints:</para>
+ linkend="quandaentry_DupInsertUnitTest"/> and the idea of
+ <xref linkend="figSqlInject"/> to launch an SQL injection
+ attack. We provide some hints:</para>
 <orderedlist>
 <listitem>
@@ -1837,12 +1825,11 @@ public someClass {
 <para>In order to execute these so called multi user queries we explicitly have to enable a <productname xlink:href="https://www.mysql.com">Mysql</productname>
- property. This may be achieved by extending our <trademark
- xlink:href="https://en.wikipedia.org/wiki/Java_Database_Connectivity">JDBC</trademark>
- URL:</para>
+ property thereby overriding the default security
+ configuration:</para>
 <literallayout>jdbc:mysql://localhost:3306/hdm?useSSL=false&<emphasis
- role="bold">allowMultiQueries=true</emphasis></literallayout>
+ role="red">allowMultiQueries=true</emphasis></literallayout>
 <para>The <productname xlink:href="https://www.mysql.com">Mysql</productname>
@@ -1866,39 +1853,49 @@ public someClass {
 </question>
 <answer>
- <para>We construct a suitable string being injected to drop
- our <code>Person</code> table:</para>
+ <para>Logging tells us about SQL code being generated when
+ inserting a record based on e.g. user <emphasis
+ role="red">Eve</emphasis> having an email <emphasis
+ role="red">eve@my.org</emphasis>:</para>
- <programlisting language="sql">Jim', 'jim@c.com');DROP TABLE Person;INSERT INTO Person VALUES('Joe</programlisting>
+ <programlisting language="sql">main INFO insert.SimpleInsert - Executing »INSERT INTO Person VALUES('<emphasis
+ role="red">Eve</emphasis>', '<emphasis role="red">eve@my.org</emphasis>')«</programlisting>
- <para>This being entered into the name field kills our
- <code>Table</code> relation effectively. As the error message
- shows two INSERT statements are separated by a DROP TABLE
- statement. So after executing the first INSERT our database
- server drops the whole table. At last the second INSERT
- statement fails giving rise to an error message no end user
- will ever understand:</para>
+ <para>We craft our first input <code>username</code> replacing
+ <emphasis role="red">Eve</emphasis> to launch our
+ attack:</para>
- <figure xml:id="figSqlInjectDropPerson">
- <title>Dropping the <code>Person</code> table by SQL
- injection</title>
+ <programlisting language="sql"><emphasis role="red">Eve', 'eve@my.org');DROP TABLE Person;INSERT INTO Person VALUES('jim</emphasis></programlisting>
- <mediaobject>
- <imageobject>
- <imagedata fileref="Ref/Fig/sqlInject.screen.png"/>
- </imageobject>
- </mediaobject>
- </figure>
+ <para>A corresponding dialog reads:</para>
+
+ <screen>MinimumTest> java -jar /ma/goik/GoikLectures/P/Sda1/Jdbc/Insert/MinimumTest/target/insert_user-0.1.jar
+Enter a person's name or 'x' to exit: <emphasis role="red">Eve', 'eve@my.org');DROP TABLE Person;INSERT INTO Person VALUES('jim</emphasis>
+Enter <emphasis role="red">Eve', 'eve@my.org');DROP TABLE 
Person;INSERT INTO Person VALUES('jim's</emphasis> email or 'x' to exit: jim@company.com
+</screen>
+
+ <para>This <quote>successfully</quote> kills our
+ <code>Person</code> table:</para>
+
+ <screen>goik@goikschlepptop MinimumTest> cat A1.log
+main INFO insert.SimpleInsert - Executing »INSERT INTO Person VALUES('Eve', 'eve@my.org');DROP TABLE Person;INSERT INTO Person VALUES('jim', 'jim@company.com')«
+main ERROR insert.SimpleInsert - General database connection problem:
+java.sql.SQLSyntaxErrorException: Table 'hdm.Person' doesn't exist
+ at com.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:112) ~[insert_user-0.1.jar:?]
+...</screen>
 <para>According to the message text the table <code>Person</code> gets dropped as expected. Thus the
- subsequent (second) <code>INSERT</code> action is bound to
- fail.</para>
+ subsequent (second) <code>INSERT</code> action is then bound
+ to fail.</para>
+
+ <para>In practice this result may be avoided: The database
+ user in question will (hopefully!) not have sufficient
+ permissions to drop the whole table. Use <code>GRANT</code> /
+ <code>REVOKE</code> statements accordingly!</para>
- <para>In practice this result my be avoided. The database user
- will (hopefully!) not have sufficient permissions to drop the
- whole table. Malicious modifications by INSERT, UPDATE or
- DELETE statements are still possible.</para>
+ <para>Malicious modifications by INSERT, UPDATE or DELETE
+ statements of data records are still possible though!</para>
 </answer>
 </qandaentry>
 </qandadiv>
diff --git a/P/Sda1/Jdbc/Insert/MinimumTest/src/main/java/de/hdm_stuttgart/sda1/insert/SimpleInsert.java b/P/Sda1/Jdbc/Insert/MinimumTest/src/main/java/de/hdm_stuttgart/sda1/insert/SimpleInsert.java
index 6620ed372..59157c9ac 100644
--- a/P/Sda1/Jdbc/Insert/MinimumTest/src/main/java/de/hdm_stuttgart/sda1/insert/SimpleInsert.java
+++ b/P/Sda1/Jdbc/Insert/MinimumTest/src/main/java/de/hdm_stuttgart/sda1/insert/SimpleInsert.java
@@ -77,7 +77,7 @@ public class SimpleInsert {
 if (1 == insertCount) {
 System.out.println("Successfully inserted new user '" + name + "'\n");
 } else {
- System.out.println("Insetion failed, duplicate email '" + email + "' ?\n");
+ System.out.println("Insertion failed, duplicate email '" + email + "' ?\n");
 }
 }
 System.out.println("Bye!");
diff --git a/P/Sda1/Jdbc/Insert/MinimumTest/src/main/resources/jdbc.properties b/P/Sda1/Jdbc/Insert/MinimumTest/src/main/resources/jdbc.properties
index 3ee6101a8..d8fef888f 100644
--- a/P/Sda1/Jdbc/Insert/MinimumTest/src/main/resources/jdbc.properties
+++ b/P/Sda1/Jdbc/Insert/MinimumTest/src/main/resources/jdbc.properties
@@ -1,3 +1,3 @@
-jdbcurl=jdbc:mysql://localhost:3306/hdm
+jdbcurl=jdbc:mysql://localhost:3306/hdm?allowMultiQueries=true
 password=XYZ
 username=hdmuser
\ No newline at end of file
diff --git a/P/Sda1/Jdbc/Insert/MinimumTest/src/main/resources/sqlinject.sql b/P/Sda1/Jdbc/Insert/MinimumTest/src/main/resources/sqlinject.sql
new file mode 100644
index 000000000..e69de29bb
-- 
GitLab
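Review bot: The new default `jdbcurl` in jdbc.properties turns on `allowMultiQueries=true` for every run of the application, yet nothing in the file records that this is only needed for the exercise; the jdbc.xml hunks above call it an override of the default security configuration, and it is exactly what lets one crafted input execute the stacked `DROP TABLE` shown in the log. A one-line comment above the key would stop the URL from being copied into a real deployment, e.g. `# allowMultiQueries=true is set only for the SQL injection exercise in Doc/Sda1/jdbc.xml; remove it for any other use`. The SimpleInsert.java hunk is a message typo fix only; the statement that builds the INSERT lies outside that hunk, and the logged `Executing »INSERT INTO Person VALUES('Eve', 'eve@my.org')…«` text suggests it still concatenates user input, so the flag merely amplifies the impact — binding both values through a PreparedStatement is what closes the hole regardless of the multi-query setting, and the answer text could point that out alongside the GRANT/REVOKE advice.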