SQL Injection

Presented By – Satyaki De On April, 2011

Me (Satyaki De)

• 7+ years of experience
• Application Developer / Team Leader
• C, Pro*C
• Oracle 8i/9i/10g/11g
• Oracle Forms
• SAP Business Object
• Prelytis
• Unix/AIX Shell
• Training
• Community Contributor (OTN)


Agenda

• Basics of SQL Injection
• Types of SQL Injection attacks, with demo
• SQL Injection avoidance guidelines, with demo


What is SQL Injection?

SQL injection is a code injection technique that exploits security loopholes in the database layer of an application. These loopholes are present when user input is –
• Incorrectly filtered for escape characters in string inputs embedded in SQL statements
• Not strongly typed and thereby unexpectedly executed.
It is an instance of a more general class of threats that can occur whenever one programming or scripting language is embedded inside another.

SQL injection attacks are also known as SQL insertion attacks.


History Of SQL Injection


Biggest SQL Injection Attack
• 130 million credit card numbers
• SQL Injection was used to fetch data from credit card servers
• Sentenced 20 years in March 2010
• It cost the company Heartland $12.6 million

Other Major Attacks
• April 2008 – Thousands of Social Security Numbers leaked from Oklahoma Department of Corrections
• August 2008 – SQL Injection on Microsoft IIS & SQL Server hits 50000 web pages
• December 2009 – Using SQL Injection, Facebook game maker RockYou! exposed 32 million plaintext user names & passwords

Data Breach Investigation Report, Verizon Business RISK Team, 2009:
“When hackers are required to work to gain access, SQL injection appears to be the uncontested technique of choice.”
“In 2008, this type of attack ranked second in prevalence (utilized in 16 breaches) and first in the amount of records compromised (79 percent of the aggregate 285 million).”
Ref: http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf

SQL Injection Demo

It can be of two types –
1. User Supplied Column Comparison Value
2. User Supplied Table Name

User Supplied Column Comparison Value

    set serveroutput on
    create or replace procedure log_in(
        pv_mail      emp.email%type     default null,
        pv_last_name emp.last_name%type default null
    ) is
        buff   varchar2(1000);
        v_mail emp.email%type;
    begin
        buff := 'select email from emp where email = '''||pv_mail||''' and last_name = '''||pv_last_name||'''';
        dbms_output.put_line('Statement Execute: '||buff);
        execute immediate buff into v_mail;
        dbms_output.put_line('Successful Login.');
    exception
        when others then
            raise_application_error(-20001, 'Failed Login.');
    end;
    /
buff contains a SQL-injectable string built from user input.

Test Using Valid Value
    set serveroutput on
    exec log_in('satyaki.de@in.com', 'DE');
    Statement Execute: select email from emp where email = 'satyaki.de@in.com' and last_name = 'DE'
    Successful Login.
    PL/SQL procedure successfully completed.

Test Using Invalid Value
    set serveroutput on
    exec log_in('satyaki.de@in.com', 'abcd efg');
    Statement Execute: select email from emp where email = 'satyaki.de@in.com' and last_name = 'abcd efg'
    BEGIN log_in('satyaki.de@in.com', 'abcd efg'); END;
    *
    ERROR at line 1:
    ORA-20000: Failed Login....
    ORA-06512: at "SCOTT.LOG_IN", line 23
    ORA-06512: at line 1
N.B.: As expected, the above procedure failed.

Test Using Injected Value
    set serveroutput on
    exec log_in(''' or 1=1 and rownum = 1 --', 'abracadabra');
    Statement Execute: select email from emp where email = '' or 1=1 and rownum = 1 --' and last_name = 'abracadabra'
    Successful Login.
    PL/SQL procedure successfully completed.
N.B.: SQL Injection is successful. Check the statement interpreted by the Oracle compiler: the injected string (' or 1=1 and rownum = 1 --) is parsed as an additional condition.

Let's closely observe
Initial dynamic string:
    buff := 'select email from emp where email = '''||pv_mail||''' and last_name = '''||pv_last_name||'''';
Extracting the static statement from buff:
    select email from emp where email = pv_mail and last_name = pv_last_name;

Let's closely observe
Substitute with normal input:
    select email from emp where email = 'satyaki.de@in.com' and last_name = 'de';
Substitute with injected input:
    select email from emp where email = '' or 1=1 and rownum = 1 --' and last_name = 'abracadabra'
N.B.: SQL Injection is successful as the where clause is trickily changed by the user.

User Supplied Table Name

    set serveroutput on
    create or replace procedure fetch_col_info(
        pv_col varchar2,
        pv_tab varchar2
    ) is
        type arr is varray(200) of varchar2(40);
        cell_val arr;
        buff     varchar2(1000);
    begin
        buff := 'select '||pv_col||' from '||pv_tab;
        dbms_output.put_line('Executed SQL :: '||buff);
        execute immediate buff bulk collect into cell_val;
        for i in 1..cell_val.count loop
            dbms_output.put_line(cell_val(i));
        end loop;
    end;
    /
buff contains a SQL-injectable string built from user input.

Test Using Valid Value
    set serveroutput on
    exec fetch_col_info('email', 'emp');
    Executed SQL :: select email from emp
    satyaki.de@in.com
    ... (one email address per row of emp)
    PL/SQL procedure successfully completed.

Test Using Invalid Value
    set serveroutput on
    exec fetch_col_info('email', 'hr_detail');
    Executed SQL :: select email from hr_detail
    BEGIN fetch_col_info('email', 'hr_detail'); END;
    *
    ERROR at line 1:
    ORA-00942: table or view does not exist
    ORA-06512: at "SCOTT.FETCH_COL_INFO", line 11
    ORA-06512: at line 1
N.B.: As expected, the above procedure failed.

Test Using Injected Value
    set serveroutput on
    exec fetch_col_info('email', ' emp where 1=2 union all select username from all_users --');
    Executed SQL :: select email from emp where 1=2 union all select username from all_users --
    APEX_PUBLIC_USER
    BI
    CTXSYS
    DBSNMP
    HR
    FIN
    ORDERS
    PM
    SCOTT
    SH
    SYS
    PL/SQL procedure successfully completed.
N.B.: SQL Injection is successful. Check the statement interpreted by the Oracle compiler: the injected string (where 1=2 union all select username from all_users --) is parsed as an additional condition.

Let's closely observe
    select email from emp where 1=2 union all select username from all_users
• "select email from emp where 1=2" won't return any value to the final output, as the 1=2 condition will fail.
• "union all" will append the result of the 2nd block supplied trickily by the user.
• "select username from all_users" will return sensitive information.
N.B.: SQL Injection is successful as the where clause is trickily changed by the user.

Types Of SQL Injection Attacks

It can be of three types –
1. First Order Attack
2. Second Order Attack
3. Lateral Injection

First Order Attack

First Order Attack – The attacker can simply enter a malicious string that acts like a modified condition interpreted by the Oracle compiler. Hence, sensitive information is passed to unauthorized user/s.
• Sub-query added to an existing statement.
• UNIONs added to an existing statement to execute the injected statement.
• Using the short circuit method by applying an OR condition can bring back sensitive data.

Second Order Attack

Second Order Attack – The attacker injects persistent storage, such as a table row, that is deemed a trusted source. An attack is subsequently executed by another activity.
• The attacker can create a malicious database API such as a function or procedure which contains SQL Injection code like 1=1 -- and can exploit DB security later.
• The attacker can retrieve information based on the short circuit code using an OR clause as shown –
    select sal from emp_payroll where username = 'XXX' OR username = 'ARIJIT';
  If the user XXX doesn't exist, then the sal of ARIJIT can be retrieved by the attacker.

Lateral Injection

Lateral Injection – Using Lateral SQL Injection, contrary to popular belief, an attacker can exploit a PL/SQL procedure that does not even take user input.
• When a variable whose data type is DATE or NUMBER is concatenated into the text of a SQL statement, there is still a risk of injection.
• The implicit function TO_CHAR() can be manipulated by using NLS_Date_Format or NLS_Numeric_Characters, respectively.
• One can include arbitrary text in the format model, and you do not need to include any of the "structured" elements such as Mon, hh24, and so on. Here's the "normal" use of that flexibility.

Let's closely observe
    SCOTT> SET SERVEROUTPUT ON
    SCOTT> ALTER session SET NLS_Date_Format = '"The time is". hh24:mi'
      2  /
    Session altered.
    SCOTT> SELECT TO_CHAR(SYSDATE) d FROM Dual
      2  /
    D
    --------------------
    The time is. 19:49
    SCOTT> DECLARE
      2    d DATE := TO_DATE('The time is. 23:15');
      3  BEGIN
      4    -- Implicit To_Char()
      5    DBMS_OUTPUT.PUT_LINE(d);
      6  END;
      7  /
    The time is. 23:15
    PL/SQL procedure successfully completed.
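The pattern the slide describes, as an added example that is not part of the original deck: a procedure with no user input at all that concatenates a DATE into dynamic SQL, beside the same query with the DATE passed as a typed bind value. It assumes the SCOTT emp table with its hiredate column; the procedure names are invented.

```plsql
-- Added example, not from the original deck. Assumes SCOTT.emp(hiredate);
-- the two procedure names are invented for this illustration.
set serveroutput on

create or replace procedure hired_last_30_risky is
    v_since date := trunc(sysdate) - 30;
    v_cnt   pls_integer;
    v_sql   varchar2(4000);
begin
    -- Implicit TO_CHAR(v_since) uses the session's NLS_DATE_FORMAT, so the
    -- statement TEXT, not just a value, depends on a session setting.
    v_sql := 'select count(*) from emp where hiredate >= ''' || v_since || '''';
    dbms_output.put_line('Statement Execute: ' || v_sql);
    execute immediate v_sql into v_cnt;
    dbms_output.put_line('Hired in last 30 days: ' || v_cnt);
end;
/

create or replace procedure hired_last_30_safe is
    v_since date := trunc(sysdate) - 30;
    v_cnt   pls_integer;
begin
    -- The DATE travels as a typed bind value: no text conversion happens,
    -- so NLS_DATE_FORMAT cannot influence what the parser sees.
    execute immediate 'select count(*) from emp where hiredate >= :since'
       into v_cnt using v_since;
    dbms_output.put_line('Hired in last 30 days: ' || v_cnt);
end;
/

-- Constructed check with the format model from the slide: the risky
-- version's printed statement now carries the format model's literal text
-- and, with no DD or MON in the format, the day and month of v_since are
-- lost when the literal is converted back to a DATE. The safe version's
-- statement text and result are unaffected.
alter session set nls_date_format = '"The time is". hh24:mi';
exec hired_last_30_risky
exec hired_last_30_safe
alter session set nls_date_format = 'DD-MON-RR';
```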

Reducing SQL Attacks

It can be of four types –
1. Use Of Proper Invoker's Rights
2. Strengthen DB Security
3. Avoid Using Dynamic SQL
4. Use Of Bind Variables

Use Of Proper Invoker's Rights

    SQL> conn / as sysdba
    Connected.
    SQL> set serveroutput on
    SQL> create or replace procedure alter_passwd(
             pv_usernm varchar2 default NULL,
             pv_pwd    varchar2 default NULL
         ) is
             v_sql varchar2(1000);
         begin
             v_sql := 'alter user '||pv_usernm||' identified by '||pv_pwd;
             execute immediate v_sql;
         end;
         /
    Procedure created.
    SQL> grant execute on alter_passwd to public;
    Grant succeeded.
v_sql contains a SQL-injectable string built from user input.

    SQL> conn scott
    Enter password: ******
    Connected.
    SQL> set serveroutput on
    SQL> exec sys.alter_passwd('sys', 'oracle');
    PL/SQL procedure successfully completed.
N.B.: SQL Injection is successful, as SCOTT succeeds at changing SYS's password. The alter_passwd procedure is owned by SYS and by default executes with SYS's privileges (definer's rights).

Let's execute with invoker's rights
    SQL> conn / as sysdba
    Connected.
    SQL> set serveroutput on
    SQL> create or replace procedure alter_passwd(
             pv_usernm varchar2 default NULL,
             pv_pwd    varchar2 default NULL
         ) authid current_user is
             v_sql varchar2(1000);
         begin
             v_sql := 'alter user '||pv_usernm||' identified by '||pv_pwd;
             execute immediate v_sql;
         end;
         /
    Procedure created.

    SQL> conn scott
    Enter password: ******
    Connected.
    SQL> set serveroutput on
    SQL> exec sys.alter_passwd('sys', 'oracle');
    BEGIN sys.alter_passwd('sys', 'oracle'); END;
    *
    ERROR at line 1:
    ORA-01031: insufficient privileges
    ORA-06512: at "SYS.ALTER_PASSWD", line 10
    ORA-06512: at line 1
N.B.: SQL Injection is unsuccessful, as SCOTT is now unable to alter the password of SYS from its own account.

    SQL> conn scott
    Enter password: ******
    Connected.
    SQL> set serveroutput on
    SQL> exec sys.alter_passwd('scott', 'oracle');
    PL/SQL procedure successfully completed.
    SQL> exec sys.alter_passwd('scott', 'oracle quota unlimited on users');
    BEGIN sys.alter_passwd('scott', 'oracle quota unlimited on users'); END;
    *
    ERROR at line 1:
    ORA-01031: insufficient privileges
    ORA-06512: at "SYS.ALTER_PASSWD", line 10
    ORA-06512: at line 1
N.B.: SQL Injection is unsuccessful due to proper invoker's rights, but SCOTT can still alter its own password.

Strengthen DB Security

Security Guidelines
• Encrypt sensitive data so that it cannot be viewed.
• Lock & expire the default user accounts and change the default user passwords.
• Carefully monitor Oracle directory objects.
• Do not widely grant execute on any procedure.
• Evaluate all public privs and revoke them where possible; make privs configurable if necessary.
• Do not allow wide access to any standard Oracle packages that can operate on the OS. Packages are – UTL_HTTP, UTL_SMTP, UTL_TCP, DBMS_PIPE, UTL_MAIL & UTL_FTP.
• Run the database listener as a non-privileged user.
• Ensure that application users are granted minimum privs by default.
• Ensure that password management is active.
• Avoid granting privs WITH ADMIN OPTION.

Avoid Using Dynamic SQL

Use Of Static SQL – There are two common situations where developers reach for dynamic SQL, although static SQL serves the purpose and is more secure:
• Handling a variable number of input arguments in the query condition.
• Handling the LIKE comparison operator in the query condition.

Let's closely observe: Static SQL Using Variable Input Arguments
    select deptno, loc from dept where LOC in ('DALLAS', 'CHICAGO');

    DEPTNO LOC
    ------ ------------------
        10 DALLAS
        20 CHICAGO

    select deptno, loc from dept where LOC in ('DALLAS', 'CHICAGO', 'NEW YORK');

    DEPTNO LOC
    ------ ------------------
        10 DALLAS
        20 CHICAGO
        30 NEW YORK
N.B.: Here we have to pass different sets of arguments to the SQL. Generally, application programmers tend to build a more generic or dynamic PL/SQL solution.

Let's closely observe: Static SQL Using Variable Input Arguments – Alternatives
    with tt as (
        select '&p_str' as src from dual
    ),
    csv_splitter as (
        select k.*
          from (
            select regexp_substr(src, '[^,]+', 1, level) cooked_src
              from tt
            connect by level <= (length(src) - length(replace(src, ',', ''))) + 1
          ) k
    )
    select * from dept where trim(LOC) in (select trim(cooked_src) from csv_splitter);

Let's closely observe: Static SQL Using Variable Input Arguments – Alternatives
    /
    Enter value for p_str: DALLAS, CHICAGO

    DEPTNO LOC
    ------ ------------------
        10 DALLAS
        20 CHICAGO

    /
    Enter value for p_str: DALLAS, CHICAGO, NEW YORK

    DEPTNO LOC
    ------ ------------------
        10 DALLAS
        20 CHICAGO
        30 NEW YORK
N.B.: As you can see, there is no need to write a generic or dynamic PL/SQL solution that may be subject to SQL Injection later.
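The same comma-list splitter as a PL/SQL function, added here as an example that is not part of the original deck. In the slide, &p_str is a SQL*Plus substitution variable, i.e. text pasted into the statement by the client before it is sent; inside application code the list arrives as a parameter and is bound, as below. It assumes the deck's dept(deptno, loc) table; the function name and the return type choice are mine.

```plsql
-- Added example, not from the original deck. Assumes SCOTT-style
-- dept(deptno, loc); the function name is invented.
create or replace function depts_in_locs(pv_locs in varchar2)
    return sys.odcivarchar2list
is
    v_rows sys.odcivarchar2list;
begin
    -- pv_locs is a bind value inside static SQL: whatever it contains is
    -- only ever split on commas and compared against LOC as data.
    select deptno || ' ' || loc
      bulk collect into v_rows
      from dept
     where trim(loc) in (
           select trim(regexp_substr(pv_locs, '[^,]+', 1, level))
             from dual
          connect by level <= length(pv_locs) - length(replace(pv_locs, ',', '')) + 1
     )
     order by deptno;
    return v_rows;
end;
/

-- Constructed calls. The second passes the deck's injected text: it is
-- treated as one (non-matching) location name, not as an appended predicate.
set serveroutput on
declare
    procedure show(p_list in varchar2) is
        v sys.odcivarchar2list := depts_in_locs(p_list);
    begin
        dbms_output.put_line(p_list || ' -> ' || v.count || ' row(s)');
        for i in 1 .. v.count loop
            dbms_output.put_line('  ' || v(i));
        end loop;
    end;
begin
    show('DALLAS, CHICAGO, NEW YORK');
    show('DALLAS'' or 1=1 --');
end;
/
```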

Let's closely observe: Static SQL Using the LIKE Operator – Alternatives
    1) v_sql := 'select empno, ename from emp where ename like ''%'||pv_ename||'%''';
    2) v_match_str := '%'||pv_ename||'%';
       select empno, ename from emp where ename like v_match_str;
N.B.: Step 1) This piece of code is subject to SQL Injection. Step 2) Immune to SQL injection.

Use Of Bind Variables

Bind Variable
    1) v_sql := 'select empno, ename from emp where ename = '''||pv_ename||'''';
    2) v_sql := 'select empno, ename from emp where ename = :1';
       execute immediate v_sql using pv_ename;
N.B.: Step 1) This piece of code is subject to SQL Injection. Step 2) Immune to SQL injection: the USING clause securely receives the input data from the user and hands it to the parser as a bind value after the statement text has been parsed, so the input can never become part of the SQL.
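The bind-variable and static-SQL points above applied to the deck's own demo procedures (log_in and fetch_col_info from the SQL Injection Demo section), as an added example that is not part of the original deck. It assumes the deck's emp(email, last_name) table; the _safe procedure names are invented, and DBMS_ASSERT is the standard Oracle package used here because identifiers such as table and column names cannot be bound.

```plsql
-- Added example, not from the original deck. Assumes emp(email, last_name)
-- as in the demo; the _safe names are invented.
set serveroutput on

create or replace procedure log_in_safe(
    pv_mail      emp.email%type     default null,
    pv_last_name emp.last_name%type default null
) is
    v_mail emp.email%type;
begin
    -- Static SQL: pv_mail and pv_last_name are bind values, so a quote or
    -- "--" inside them is compared as data and cannot alter the WHERE clause.
    select email into v_mail
      from emp
     where email = pv_mail
       and last_name = pv_last_name;
    dbms_output.put_line('Successful Login.');
exception
    when no_data_found or too_many_rows then
        -- Echo neither the statement nor the inputs back to the caller.
        raise_application_error(-20001, 'Failed Login.');
end;
/

create or replace procedure fetch_col_info_safe(
    pv_col varchar2,
    pv_tab varchar2
) is
    type arr is varray(200) of varchar2(40);
    cell_val arr;
    buff     varchar2(1000);
begin
    -- Identifiers cannot be bound, so they are validated with DBMS_ASSERT.
    -- SIMPLE_SQL_NAME raises ORA-44003 unless the value is a single plain or
    -- quoted identifier, so ' emp where 1=2 union all ...' is rejected.
    buff := 'select ' || sys.dbms_assert.simple_sql_name(pv_col)
         || ' from '  || sys.dbms_assert.simple_sql_name(pv_tab);
    dbms_output.put_line('Executed SQL :: ' || buff);
    execute immediate buff bulk collect into cell_val;
    for i in 1 .. cell_val.count loop
        dbms_output.put_line(cell_val(i));
    end loop;
end;
/

-- Constructed re-run of the deck's injected values against the safe versions:
-- the first prints ORA-20001 Failed Login, the second ORA-44003.
begin
    log_in_safe(''' or 1=1 and rownum = 1 --', 'abracadabra');
exception
    when others then dbms_output.put_line(sqlerrm);
end;
/
begin
    fetch_col_info_safe('email', ' emp where 1=2 union all select username from all_users --');
exception
    when others then dbms_output.put_line(sqlerrm);
end;
/
```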

Summary
• Basics of SQL Injection
• Types of SQL Injection
• Use of dynamic PL/SQL is prone to SQL Injection
• Use of static SQL is less prone
• Use of bind variables is a good option
• Proper DB privileges should always be kept under close watch

Thank You
