网页F12分析
发送封包时并没有使用本地 Cookie, 推测采用了某种方式在服务端进行验证, 用户登录一次之后再访问内部域名时就允许放行, 整个决策过程都在服务端, 这也是其承载能力差的原因, 同时也方便实现限制多端登录。需要注意的是, 下文抓到的请求都带有 ASP.NET_SessionId Cookie, 因此登录状态也可能是绑定在这个服务端会话上的, 上述推测尚需验证。
对应策略就是先伪造发送登录POST封包, 若成功则再发送剩下的功能封包。
退出登录封包
GET /jwweb/sys/Logout.aspx HTTP/1.1
Host: 211.67.81.82
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://211.67.81.82/jwweb/SYS/Main_tools.aspx
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-US;q=0.7
Cookie: myCookie=; ASP.NET_SessionId=plwry4qsx5y4p51j1wvnip1v
Cache-Control: no-cache
Accept-Encoding: gzip, deflate
登录按钮按下后会调用 check():
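/**
 * Client-side check run before the login form is posted (captured from the
 * login page; the analyst's inline notes are kept as comments).
 *
 * Returns false, after an alert and a focus change, when the account or the
 * password box is empty. Otherwise it blanks the visible password box, posts
 * the Logon form to login_home.aspx and returns true.
 *
 * @returns {boolean} true when the form was submitted, false otherwise
 */
function CkValue() {
  var vU = "帐号";
  var vcFlag = "YES";
  var cwcs_flag = "0";
  if ($('txt_asmcdefsddsd').value == '' || $('txt_asmcdefsddsd').value=="请输入帐号") {
    alert('须录入' + vU + '!');
    $('txt_asmcdefsddsd').focus();
    return false;
  }
  else if ($('txt_pewerwedsdfsdff').value == '') {
    alert('须录入密码!');
    if ($("txt_psasas").style.display == "") {
      $("txt_psasas").focus();
    }
    else {
      $('txt_pewerwedsdfsdff').focus();
    }
    return false;
  }
  // Analyst note: a captcha module exists, but the captcha is only demanded
  // when vcFlag is "YES" and cwcs_flag is "1". This copy of the page sets
  // cwcs_flag to "0", so the browser never asks for it; whether the server
  // checks the captcha independently cannot be told from this script.
  else if (($('txt_sdertfgsadscxcadsads').value == '' || $('txt_sdertfgsadscxcadsads').value == '请输入验证码') && vcFlag == "YES" && cwcs_flag == "1") {
    alert('须录入验证码!');
    $('txt_sdertfgsadscxcadsads').focus();
    return false;
  }
  else {
    $('divLogNote').innerHTML = '<font color="red">正在通过身份验证...请稍候!</font>';
    // Analyst note: txt_pewerwedsdfsdff is the password box. It is cleared
    // right before submit, so the typed password itself is not posted by
    // this form; only the other form fields are.
    document.getElementById("txt_pewerwedsdfsdff").value = '';
    //document.getElementById("txt_sdertfgsadscxcadsads").value = '';
    Logon.action = "login_home.aspx";
    Logon.method = "post";
    // Analyst note: the form is redirected to login_home.aspx as a POST and
    // submitted here.
    Logon.submit();
    return true;
  }
}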
抓包之后发现, 表单字段 dsdsdsdsdxcxdfgfg 携带的就是"加密"后的密码(从下文的 chkpwd() 看, 实际是截断的 MD5 摘要, 并非可逆加密), 通过 POST 提交到服务器申请登录。
在登录页面中调试搜索该变量可以找到 chkpwd() 函数, 其中对其进行了一系列操作, 猜测是加密操作
/**
 * Fills the hidden field dsdsdsdsdxcxdfgfg from the password box `obj`.
 *
 * For a non-empty password the field receives
 *   md5(account + md5(password)[0..30) upper-cased + '10482')[0..30) upper-cased
 * For an empty password the field is set to the (empty) value itself.
 *
 * Review note: the result depends only on the account, the password and the
 * fixed string '10482'; nothing in this function mixes in a per-request
 * value, so the same credentials always produce the same field value.
 */
function chkpwd(obj) {
  if (obj.value == '') {
    document.all.dsdsdsdsdxcxdfgfg.value = obj.value;
    return;
  }
  var account = document.all.txt_asmcdefsddsd.value;
  var inner = md5(obj.value).substring(0, 30).toUpperCase();
  var outer = md5(account + inner + '10482');
  document.all.dsdsdsdsdxcxdfgfg.value = outer.substring(0, 30).toUpperCase();
}

/**
 * Fills the hidden field fgfggfdgtyuuyyuuckjg from the captcha box `obj`.
 *
 * Same construction as chkpwd, except that the input is upper-cased first
 * and the account name is not part of the outer md5 input.
 */
function chkyzm(obj) {
  if (obj.value == '') {
    document.all.fgfggfdgtyuuyyuuckjg.value = obj.value.toUpperCase();
    return;
  }
  var inner = md5(obj.value.toUpperCase()).substring(0, 30).toUpperCase();
  document.all.fgfggfdgtyuuyyuuckjg.value = md5(inner + '10482').substring(0, 30).toUpperCase();
}
而网页中搜索的另一个位置是一个隐藏的输入框, 将其解隐藏可以看到:
而这个输入框会显示根据输入的账号和密码得出的加密串。
可以猜测, 用户先输入账号和密码, 点击登录后调用 check() 函数, 接着通过一系列函数调用得到加密串, 并赋值给这个隐藏的输入框, 之后清空用户输入框内容, 后续再将加密串包装一下, 随表单提交到 login_home.aspx 向服务器请求登录, 成功后服务器端把当前 IP 标记为对应的已登录账号, 后续的发包就不需要安全验证。
回到网页继续查看, 找到调用该函数的地方:
是在输入框中按键弹开时调用, 测试时一直按着一个键确实密文不会更新。似乎只有密码框会实时更新密文, 账号框只会影响到密文的值。
那么当下任务是破解该密文的加密过程并写一份。
// The chkpwd() expression again, split over several lines for reading.
// Inner step: md5 of the password, first 30 characters, upper-cased.
// Outer step: md5 of account + inner result + the fixed string '10482',
// again cut to 30 characters and upper-cased.
// Assumes md5() returns the usual lower-case hex string; confirm against the
// md5 script the page loads, since input encoding can change the result.
var s = md5(
document.all.txt_asmcdefsddsd.value
+ md5(obj.value).substring(0, 30).toUpperCase()
+ '10482')
.substring(0, 30).toUpperCase();
这里只有md5加密尚不清楚如何实现, 不同的编码可能导致不同的结果, 在网站中向上搜索可以发现导入了一个本地md5包:
试试看能不能直接下载, 幸运地发现没设置权限(这类由页面引用的前端脚本本来就必须能被浏览器取到):
直接进行一个拷贝到本地复现:
成功!那么第一步就已经完成, 接下来实现选课操作即可。
基本流程 FD8FAF731037787F4ABC449AE868A3
获取当前年级
获取能选择的课程
http://211.67.81.82/jwweb/wsxk/stu_xszx_rpt.aspx
Host: 211.67.81.82
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://211.67.81.82
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://211.67.81.82/jwweb/wsxk/stu_xszx.aspx
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-US;q=0.7
Cookie: myCookie=; ASP.NET_SessionId=plwry4qsx5y4p51j1wvnip1v
Accept-Encoding: gzip, deflate
Content-Length: 44
HTTP/1.1 200 OK
Content-Type: text/html; charset=gb2312
Connection: keep-alive
Cache-Control: private
Server: Microsoft-IIS/8.5
X-Frame-Options: SAMEORIGIN
Set-Cookie: name=value;Secure=true; HttpOnly;
Set-Cookie: myCookie=; path=/; HttpOnly
X-Frame-Options: SAMEORIGIN
Date: Fri, 17 Feb 2023 03:16:16 GMT
Content-Length: 12482
<script language=javascript>parent.document.getElementById('btn_search').disabled=false;parent.document.getElementById('btn_save').disabled=false;</script><script type="text/javascript">parent.document.getElementById("msgInfo").style.display="none";try{parent.document.getElementById("imgCode").click();}catch(e){}</script>
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
</title><link href="../_Style/styles_Rpt.css" type="text/css" rel="stylesheet" />
<script language="JavaScript" type="text/JavaScript">
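/**
 * Opens a detail pop-up named 'winKPT' for the clicked link.
 *
 * @param {Element} theID - element whose "value" attribute holds the record id
 * @param {string} vT - 'kc', 'Tea' or 'xkmc'; selects the target page and the
 *   window size. Any other value leaves URL and features undefined, as before.
 *
 * The window handle is stored in the global `pop`, as the original did
 * through an undeclared assignment.
 */
function openWin(theID,vT)
{
  var theURL, w, h, Tform;
  if (vT == 'kc') {
    w = 480;
    h = 300;
    theURL = '../JXJH/INFO_KC.aspx?id=' + theID.getAttribute("value");
  } else if (vT == 'Tea') {
    w = 450;
    h = 400;
    theURL = '../JXZY/INFO_Teacher.aspx?id=' + theID.getAttribute("value");
  } else if (vT == 'xkmc') {
    w = 650;
    h = 380;
    theURL = '../WSXK/j_zxb_bjrs.aspx?id=' + theID.getAttribute("value");
  }
  // The feature string used to be assembled through eval(); plain
  // concatenation gives the same text without evaluating generated code.
  if (w !== undefined) {
    Tform = 'width=' + w + ',height=' + h;
  }
  // NOTE(review): the id goes into the query string unencoded, as in the
  // original; confirm the attribute can only hold server-generated ids.
  window.pop = window.open(theURL, 'winKPT', Tform);
}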
/**
 * Copies the value left in the hidden field hid_ReturnStr into the row whose
 * index is stored in hid_N, then clears both hidden fields.
 *
 * hid_ReturnStr is read as "<label>@<value>". A part equal to the literal
 * text "undefined" is treated as empty. When the label is non-empty, the
 * row's chkSKBJstr/chkSKBJ inputs are filled and, unless the row's chkKC
 * checkbox is disabled, it is ticked exactly when chkSKBJ ends up non-empty.
 * Any exception is swallowed, which also skips the clearing step.
 */
function closeDialog()
{
  var returned = document.all.hid_ReturnStr.value;
  var row = document.all.hid_N.value;
  try
  {
    var parts = returned.split('@');
    var label = parts[0] == "undefined" ? "" : parts[0];
    var picked = parts[1] == "undefined" ? "" : parts[1];
    if (label != "")
    {
      document.getElementById("chkSKBJstr" + row).value = label;
      var hidden = document.getElementById("chkSKBJ" + row);
      hidden.value = picked;
      var box = document.getElementById("chkKC" + row);
      if (box.disabled == false) {
        // Read the value back from the element, as the original did.
        box.checked = hidden.value != "";
      }
    }
    document.all.hid_ReturnStr.value = "";
    document.all.hid_N.value = "";
  } catch (e) {}
}
/**
 * Asks the parent frame to open the class-picker dialog for row N.
 *
 * Stores N in hid_N, builds the stu_xszx_chooseskbj.aspx URL from the link's
 * "value" attribute, the row's current chkSKBJ value and the parent's sel_xq
 * value ("2" when that cannot be read), then calls parent.openWinDialog.
 *
 * @param {Element} theID - link whose "value" attribute carries the id
 * @param {number|string} N - row index
 */
function openWinDialog(theID,N){
  // Comparison of two literals baked into the page, so the wider dialog is
  // never used in this copy. The original comment here was garbled; it looks
  // like the name of the site the second code belongs to (unconfirmed).
  var width = ("10482" == "51799") ? 900 : 800;
  var height = 450;
  var term;
  try
  {
    term = parent.document.getElementById("sel_xq").value;
  }
  catch (e)
  {
    term = "2";
  }
  document.all.hid_N.value = N;
  var current = document.getElementById("chkSKBJ" + N).value;
  var url = "stu_xszx_chooseskbj.aspx?lx=ZX&id=" + theID.getAttribute("value")
    + "&skbjval=" + current
    + "&xq=" + term;
  parent.openWinDialog(theID, N, width, height, url);
}
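/**
 * Modal variant of the class picker for row N.
 *
 * Opens stu_xszx_chooseskbj.aspx through window.showModalDialog, expects the
 * dialog to return "<label>@<value>", writes both parts into the row's
 * chkSKBJstr/chkSKBJ inputs and then ticks the row's chkKC checkbox exactly
 * when chkSKBJ is non-empty (unless the checkbox is disabled).
 *
 * showModalDialog is non-standard and has been removed from current
 * browsers, so this path is only reachable in legacy ones.
 *
 * @param {Element} theID - link whose "value" attribute carries the id
 * @param {number|string} N - row index
 */
function openWinDialog2(theID,N)
{
  var ReturnStr = "";
  var jsskbj_str = "";
  var jsskbj_val = "";
  var w = 800, h = 600;
  // Two literals baked into the page; never equal in this copy.
  if ("10482" == "51799")
  {
    w = 900;
  }
  var sel_xq = "";
  try
  {
    sel_xq = parent.document.getElementById("sel_xq").value;
  }
  catch (e)
  {
    sel_xq = "2";
  }
  var skbjval = document.getElementById("chkSKBJ" + N).value;
  var url = "stu_xszx_chooseskbj.aspx?lx=ZX&id=" + theID.getAttribute("value") + "&skbjval=" + skbjval + "&xq=" + sel_xq;
  // Built by concatenation; the original produced the same text via eval().
  var Tform = 'dialogWidth:' + w + 'px;dialogHeight:' + h + 'px;status:no;center:yes;scroll=no;help:no';
  ReturnStr = window.showModalDialog(url, 1, Tform);
  try
  {
    // A dialog closed without a result returns a non-string; split() then
    // throws and the row is left as it was.
    var parts = ReturnStr.split('@');
    jsskbj_str = parts[0];
    jsskbj_val = parts[1];
    if (parts[0] == "undefined") { jsskbj_str = ""; }
    if (parts[1] == "undefined") { jsskbj_val = ""; }
    document.getElementById("chkSKBJstr" + N).value = jsskbj_str;
    document.getElementById("chkSKBJ" + N).value = jsskbj_val;
  } catch (e) {}
  if (document.getElementById("chkKC" + N).disabled == false) {
    document.getElementById("chkKC" + N).checked = document.getElementById("chkSKBJ" + N).value != "";
  }
}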
// Click handler of the save button (the form markup wires it as
// onclick='return go(this)'). Walks rows 0..mcount-1 of FormAdd and only
// hands over to ChkValue when at least one enabled course checkbox is ticked
// and every ticked row has a non-empty chkSKBJ<i> value.
// Returns false after an alert when a check fails, otherwise whatever
// ChkValue returns; returns undefined when mcount is not greater than 0.
// The two alert texts are GB2312 strings garbled by the capture; they appear
// to ask the user to pick a course / a class first (unconfirmed).
function go(theObj)
{
var mFlag=true;
var mb=false;
var mcount;
var m;
// mcount is the string value of a hidden input; the comparisons below rely
// on implicit numeric conversion.
mcount=FormAdd.mcount.value;
if(mcount>0) {
// i is never declared, so it becomes a global variable.
for(i=0;i<mcount;i++){
// eval() is only used to address FormAdd.chkKC<i>; the text it evaluates is
// built from the loop counter alone.
if(eval("FormAdd.chkKC"+i+".checked==true")&&eval("FormAdd.chkKC"+i+".disabled==false"))
{
mb=true;
if(mb==true)
{
if(eval("window.document.all.chkSKBJ"+i+".value==''"))
{mFlag=false;}
}
}
}
if(mb==false){
alert("Шѡ¶¨һÅ¿γ̣¡");
return false;
}
if(mFlag==false){
alert("Шѡ¶¨ɏ¿ΰ¡úȎ¿ν̊¦£¡");
return false;
}
else{
return ChkValue(theObj);
// Unreachable: the line above always returns.
return false;
}
}
}
// Builds the hidden "id" field and submits FormAdd to
// stu_xszx_rpt.aspx?func=1. Only runs when the clicked button's value equals
// the (garbled) label below, which is the same text as the btn_save value in
// the form markup. Returns false when nothing is selected or the user
// declines the confirm dialog; otherwise falls off the end after submit().
function ChkValue(theObj)
{
var strurl;
var strid="TTT",s=false;
var N;
var s1=theObj.value;
var jsskbj_str="";
var jsskbj_array;
var xyjc;
N=FormAdd.mcount.value;
if(s1=="̡½»սѡ"){
// i and j are never declared, so they become global variables.
for (i=1;i<=N;i++){
if(eval("FormAdd.chkKC"+(i-1)+".checked==true")&&eval("FormAdd.chkKC"+(i-1)+".disabled==false")){
eval("jsskbj_str=FormAdd.chkSKBJ"+(i-1)+".value;");
if(jsskbj_str!=""){
// chkSKBJ<i> may hold several entries separated by ';'.
var jsskbj_array=jsskbj_str.split(";");
for(j=0;j<jsskbj_array.length;j++){
// NOTE(review): this line is damaged in the capture (the separator literal
// and the '+' after it were fused into other characters), so it does not
// parse as shown. The posted form body shows "TTT", a comma, the class
// entry, the two bytes %A1%E8 and then the chkKC value, so the literal is
// presumably that two-byte separator followed by +eval(...); confirm
// against the live page.
strid+=","+jsskbj_array[j]+"¡被eval("FormAdd.chkKC"+(i-1)+".value");
}
}
s=true;
}
}
if (!s)return false;
// Garbled GB2312 confirmation prompt.
if (!confirm('ʇ·»¼ǂ¼£¿'))return false;
FormAdd.id.value=strid;
strurl="stu_xszx_rpt.aspx?func=1";
FormAdd.action=strurl;
// Garbled site-specific comment. The condition compares two literals baked
// into the page ("10482" and "10536"), so this branch never runs in this
// copy. When it does run, it mirrors the parent's __thecheck checkbox into
// yxsjct as "1" or "0".
if("10482"== "10536" && document.getElementById("sel_lx").value == "1"){
try{
if(parent.document.getElementById("__thecheck").checked)
document.getElementById("yxsjct").value = "1";
else
document.getElementById("yxsjct").value = "0";
}catch(e){}
}
// Garbled site-specific comment. Same pattern for the literal "10674" and
// sel_lx == "3"; also never true in this copy.
if ("10482" == "10674" && document.getElementById("sel_lx").value == "3") {
try{
if(parent.document.getElementById("__thecheck").checked)
document.getElementById("yxsjct").value = "1";
else
document.getElementById("yxsjct").value = "0";
}catch(e){}
}
FormAdd.submit();
}
}
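/**
 * Checkbox handler that keeps competing choices for one course consistent.
 *
 * When `theID` is ticked, every other checkbox with sfkx="0" and the same
 * kcid is disabled if it belongs to a different group (skbz differs from
 * skbz_id), or, when skbz_id is empty, if its name starts with the same
 * letter as the clicked box. The elements named J/S/E/D/M/N/P/Q + skbz_id
 * are ticked along with it. Unticking reverses both steps.
 *
 * The group elements are now reached by property lookup. The original
 * passed "window.document.all.<prefix>" + skbz_id to eval(), which would
 * have run any script text contained in skbz_id.
 *
 * @param {Element} theID - the checkbox that was clicked
 * @param {*} skbj - unused
 * @param {string|number} skbz_id - group id, or "" when the row has none
 */
function selradio(theID,skbj,skbz_id)
{
  var kcid = theID.getAttribute("kcid");
  var kcflag = theID.name.substring(0,1);
  var divCol = document.getElementsByTagName("input");
  var prefixes = ["J", "S", "E", "D", "M", "N", "P", "Q"];
  try {
    var on = theID.checked ? true : false;
    for (var i = 0; i < divCol.length; i++)
    {
      var el = divCol[i];
      // Loose comparisons are kept on purpose: skbz_id may arrive as a number
      // from the inline handler while attributes are strings.
      if (el.type == "checkbox" && el.getAttribute("sfkx") == "0" && el.id != theID.id && el.getAttribute("kcid") == kcid && ((el.getAttribute("skbz") != skbz_id && skbz_id != "") || (skbz_id == "" && el.name.substring(0,1) == kcflag)))
      {
        el.disabled = on;
      }
    }
    if (skbz_id != "") {
      for (var p = 0; p < prefixes.length; p++) {
        // A missing element is expected for most prefixes; ignore it.
        try { window.document.all[prefixes[p] + skbz_id].checked = on; } catch (e) {}
      }
    }
  } catch (e) {}
}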
// Variant of go() that looks at every <input> on the page instead of the
// numbered chkKC<i> fields: it needs at least one checkbox that is ticked
// and not disabled, then hands over to ChkValue_10222.
// Returns false after an alert when nothing is ticked, and undefined when
// mcount is not greater than 0. The alert text is a garbled GB2312 string
// that appears to ask for a course/class selection (unconfirmed).
function go_10222(theObj)
{
var mb=false;
var mcount;
var m;
mcount=FormAdd.mcount.value;
if(mcount>0) {
var divCol = document.getElementsByTagName("input");
// i is never declared, so it becomes a global variable.
for (i=0;i<divCol.length;i++)
{
if(divCol[i].type == "checkbox" && divCol[i].checked==true && divCol[i].disabled==false)
{
mb=true;
}
}
if(mb==false){
alert("Шѡ¶¨¿γ̡úɏ¿ΰ༶£¡");
return false;
}
else{
return ChkValue_10222(theObj);
// Unreachable: the line above always returns.
return false;
}
}
}
// Variant of ChkValue() for the checkbox-only layout: the hidden "id" field
// becomes "TTT" followed by "," + value for every ticked, enabled checkbox,
// and FormAdd is submitted to stu_xszx_rpt.aspx?func=1.
// Only runs when the clicked button's value equals the (garbled) label
// below. Returns false when nothing is ticked or the confirm dialog is
// declined; otherwise falls off the end after submit().
function ChkValue_10222(theObj)
{
var strurl;
var strid="TTT",s=false;
var N;
var s1=theObj.value;
// N is assigned but not used afterwards in this function.
N=FormAdd.mcount.value;
if(s1=="̡½»սѡ"){
var divCol = document.getElementsByTagName("input");
// i is never declared, so it becomes a global variable.
for (i=0;i<divCol.length;i++)
{
if(divCol[i].type == "checkbox" && divCol[i].checked==true && divCol[i].disabled==false)
{
strid += ","+divCol[i].value;
s=true;
}
}
if (!s)return false;
// Garbled GB2312 confirmation prompt.
if (!confirm('ʇ·»¼ǂ¼£¿'))return false;
FormAdd.id.value=strid;
strurl="stu_xszx_rpt.aspx?func=1";
FormAdd.action=strurl;
FormAdd.submit();
}
}
</script>
</head>
<body
leftMargin="0" topMargin="0" marginheight="0" marginwidth="0" style="height:100%;">
<form method="post" action="stu_xszx_rpt.aspx?func=1" id="FormAdd">
<div class="aspNetHidden">
</div>
<div id="pageRpt">
<TABLE id=oTable WIDTH=100% BORDER=0 align=center CELLPADDING=0 CELLSPACING=1 bgcolor=#89bfa7 ><TR align=center class=T><TD width='4%'>ѡ¶¨</TD><td align=center width='29%' >¿γ̼/td><TD width='4%'>ѧ·ּ/TD><TD width='6%'>לѧʱ</TD><TD width='18%'>À</TD><TD width='7%'>¿¼º˷½ʽ</TD><TD width='32%'><br></TD></TR><tr class=B><td align=center><input name=chkKC0 id=chkKC0 type=checkbox value='180004%1102|01|01|01|1.0|2021|0|[0016000019]J1lmW1NPsoAI/9tWCf8=|09|dwblagsabgbsagkalwb6agkaega5agsaoqbpahuaawbpagmaeqbuahqaoabsahkabgbhag0apqa=|' ></td><td align=left><a href='javascript:void(0)' onclick=openWin(this,'kc') value=180004>[0016000019]´哽£¨˄£©</a></td><td align=right>1.0<br></td><td align=right>36<br></td><td align=left>¹«¹²¿ί±ؐμ/td><td align=center>¿¼ʔ<br></td><td align=left><input type=hidden name='chkSKBJ0' id='chkSKBJ0'><input type=text name='chkSKBJstr0' id='chkSKBJstr0' style='width:215px' disabled > <a href='javascript:void(0)' onclick=openWinDialog(this,0) value='2022|1|180004|0|0|2021|1102|1'>ѡԱ</a></td></tr><tr style='display:none'><td colspan=5 style='display:none'><input type='submit' name='Submit' id='btn_save' onclick='return go(this)' value=̡½»սѡ class=but40><input name=sel_xnxq id=sel_xnxq type=hidden value='20221'><input name=mcount id=mcount type=hidden value='1'><input name=sel_lx id=sel_lx type=hidden value=0><input name=SelSpeciality id=SelSpeciality type=hidden value=20211102><input name=id type=hidden value=''></td></tr><script language=javascript> try {parent.document.getElementById('btn_save').disabled=false;}catch(e){}try{parent.document.getElementById('kcmc').style.display='';}catch(e){}</script></table>
</div>
<input type=hidden name="yxsjct" id="yxsjct" ><!--ԊЭʱ¼䳥ͻ-->
<input type="hidden" name="sel_xq" value="2">
<input type="hidden" name="hid_ReturnStr"><input type="hidden" name="hid_N">
<input type="hidden" id="txt_yzm" name="txt_yzm" value="" />
</form>
</body>
</html>
获取选课列表
http://211.67.81.82/jwweb/wsxk/stu_xszx_chooseskbj.aspx?lx=ZX&id=2022|1|180004|0|0|2021|1102|0&skbjval=180004-070&xq=2
Host: 211.67.81.82
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://211.67.81.82/jwweb/wsxk/stu_xszx.aspx
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-US;q=0.7
Cookie: myCookie=; ASP.NET_SessionId=plwry4qsx5y4p51j1wvnip1v
Accept-Encoding: gzip, deflate
另一个人的
GET /jwweb/wsxk/stu_xszx_chooseskbj.aspx?lx=ZX&id=2022|1|180004|0|0|2021|1102|1&skbjval=&xq=2 HTTP/1.1
Host: 211.67.81.82
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://211.67.81.82/jwweb/wsxk/stu_xszx.aspx
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-US;q=0.7
Cookie: myCookie=; ASP.NET_SessionId=plwry4qsx5y4p51j1wvnip1v
Accept-Encoding: gzip, deflate
提交选课内容
http://211.67.81.82/jwweb/wsxk/stu_xszx_rpt.aspx?func=1
Host: 211.67.81.82
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://211.67.81.82
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://211.67.81.82/jwweb/wsxk/stu_xszx_rpt.aspx
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-US;q=0.7
Cookie: myCookie=; ASP.NET_SessionId=plwry4qsx5y4p51j1wvnip1v
Accept-Encoding: gzip, deflate
Content-Length: 685
另一个人的
POST /jwweb/wsxk/stu_xszx_rpt.aspx?func=1 HTTP/1.1
Host: 211.67.81.82
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://211.67.81.82
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://211.67.81.82/jwweb/wsxk/stu_xszx_rpt.aspx
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-US;q=0.7
Cookie: myCookie=; ASP.NET_SessionId=plwry4qsx5y4p51j1wvnip1v
Accept-Encoding: gzip, deflate
Content-Length: 686
chkKC0=180004%251102%7C01%7C01%7C01%7C1.0%7C2021%7C0%7C%5B0016000019%5DJ1lmW1NPsoAI%2F9tWCf8%3D%7C09%7Cyqbpahoabgbqadyaeabiahiaawbwadeanqboadaazgbrahmanaa2agwamabhahcayqb5aguapqa%3D%7C&chkSKBJ0=0%240000367%24180004-063%24%24ngbmagwadwb6aguababuadqazabuagwamqa2adyanqb2agcaywa2agqamwa3agqadwa&sel_xnxq=20221&mcount=1&sel_lx=0&SelSpeciality=20211102&id=TTT%2C0%240000367%24180004-063%24%24ngbmagwadwb6aguababuadqazabuagwamqa2adyanqb2agcaywa2agqamwa3agqadwa%A1%E8180004%251102%7C01%7C01%7C01%7C1.0%7C2021%7C0%7C%5B0016000019%5DJ1lmW1NPsoAI%2F9tWCf8%3D%7C09%7Cyqbpahoabgbqadyaeabiahiaawbwadeanqboadaazgbrahmanaa2agwamabhahcayqb5aguapqa%3D%7C&yxsjct=&sel_xq=2&hid_ReturnStr=&hid_N=0&txt_yzm=