From 28d30e3359a764702b6bf00afb76463a5b2dab8d Mon Sep 17 00:00:00 2001 From: Hamza-Ayed Date: Wed, 17 Jun 2026 03:24:05 +0300 Subject: [PATCH] Update: 2026-06-17 03:24:05 --- COMPREHENSIVE_SECURITY_AUDIT_FINAL.md | 1020 +++++++++++++++++++++++ nuclei_results.txt | 0 scratch/generate_study.py | 146 ++-- semgrep_deep_php.json | 1 + semgrep_php_results.json | 1 + semgrep_wallet_results.json | 1 + study.html | 144 ++-- study_v2_archive.html | 1102 +++++++++++++++++++++++++ دراسة_الجدوى_سيرو_الإصدار_الثالث.docx | Bin 47573 -> 47832 bytes 9 files changed, 2282 insertions(+), 133 deletions(-) create mode 100644 COMPREHENSIVE_SECURITY_AUDIT_FINAL.md create mode 100644 nuclei_results.txt create mode 100644 semgrep_deep_php.json create mode 100644 semgrep_php_results.json create mode 100644 semgrep_wallet_results.json create mode 100644 study_v2_archive.html diff --git a/COMPREHENSIVE_SECURITY_AUDIT_FINAL.md b/COMPREHENSIVE_SECURITY_AUDIT_FINAL.md new file mode 100644 index 0000000..79de69d --- /dev/null +++ b/COMPREHENSIVE_SECURITY_AUDIT_FINAL.md 
@@ -0,0 +1,1020 @@ +# Siro Ride-Hailing Platform — Comprehensive Security Audit Report + +**Audit Date:** June 17, 2026 +**Scope:** Full-stack audit (PHP backend, 4 Flutter apps, wallet server, Android manifests, infrastructure) +**Methodology:** Static code analysis (Semgrep), dynamic scanning (Nuclei), AI-assisted code review, manual penetration testing methodology + +--- + +## 📊 Executive Summary + +This audit identified **76+ security vulnerabilities** across the Siro platform, including **26 critical**, **32 high**, **14 medium**, and **4 low** severity issues. The most severe systemic problems are: + +| # | Issue | Impact | Risk Level | +|---|-------|--------|------------| +| 1 | **Live secrets committed to Git** (`.env` files, RSA private keys) | Complete system compromise | 🔴 **CRITICAL** | +| 2 | **Pervasive IDOR** — 90% of endpoints ignore JWT identity | Any user can act as any other user | 🔴 **CRITICAL** | +| 3 | **Zero role checks on admin endpoints** | Any passenger can access admin functions | 🔴 **CRITICAL** | +| 4 | **Unauthenticated FCM relay** | Spam/phish all app users | 🔴 **CRITICAL** | +| 5 | **Unauthenticated payment webhooks** | Create money out of thin air | 🔴 **CRITICAL** | +| 6 | **RSA private keys in source code** | Payment integration compromised | 🔴 **CRITICAL** | +| 7 | **FCM private key in client app** | Impersonate server to all devices | 🔴 **CRITICAL** | +| 8 | **PCI DSS violation** — CVV storage in app | Legal liability, fines | 🔴 **CRITICAL** | +| 9 | **SQL injection** in payment update | Full database compromise | 🔴 **CRITICAL** | +| 10 | **Weak OTP** — 3-digit, `rand()`, no rate limiting | Account takeover | 🔴 **CRITICAL** | + +--- + +## 🔴 SECTION 1: CRITICAL VULNERABILITIES (26) + +### C-01: Live Secrets Committed to Git (P1) + +**Files:** `siro_admin/.env`, `siro_service/.env`, `backend/.env.example` + +**Severity:** CRITICAL + +**Details:** Both `siro_admin/.env` and `siro_service/.env` contain live production secrets 
including: +- `privateKeyFCM` — Firebase Cloud Messaging private key (server-only credential) +- `basicAuthCredentials` — Basic auth credentials for internal services +- `mapAPIKEY` (`AIzaSyCFsWBqvkXzk1Gb-bCGxwqTwJQKIeHjH64`) — Google Maps API key +- `authTokenTwillo` — Twilio authentication token +- `chatGPTkey`, `chatGPTkeySefer`, `chatGPTkeySeferNew` — OpenAI API keys +- `geminiApi`, `geminiApiMasa` — Google Gemini API keys +- `secretKey` — Application JWT/encryption secret +- `payPalClientIdLive`, `payPalSecretLive` — PayPal live credentials +- `payMobApikey`, `usernamePayMob`, `passwordPayMob` — Payment gateway credentials +- `agoraAppId`, `agoraAppCertificate` — Agora voice/video credentials +- `whatsapp` — WhatsApp Business API access token +- `claudeAiAPI`, `anthropicAIkeySeferNew` — Anthropic Claude API keys +- `llamaKey`, `llama3Key` — LLM API keys +- `cohere`, `visionApi` — Additional AI API keys +- `stripe_publishableKe` — Stripe publishable key +- `keyOfApp`, `initializationVector` — Encryption key/IV +- Private Firebase service account key (embedded in `privateKeyFCM`) + +**Impact:** Any attacker with repo access has full API access to 15+ external services, can send SMS/Twilio messages, send push notifications, charge PayPal accounts, and decrypt the entire application database. + +**No `.gitignore` file exists**, meaning all these files are tracked by Git. + +--- + +### C-02: RSA Private Keys in Repository (P1) + +**Files:** +- `walletintaleq.intaleq.xyz/v2/main/ride/mtn/driver/private_key.pem` +- `walletintaleq.intaleq.xyz/v2/main/ride/mtn/passenger/private_key.pem` +- `walletintaleq.intaleq.xyz/v2/main/ride/mtn/driver/public_key.pem` +- `walletintaleq.intaleq.xyz/v2/main/ride/mtn/passenger/public_key.pem` + +**Severity:** CRITICAL + +**Details:** RSA private keys for MTN mobile money integration are committed to the Git repository. Driver and passenger keys are identical. 
Anyone with repo access can: +- Decrypt MTN API traffic +- Forge payment confirmations +- Impersonate the payment terminal to MTN's API +- Sign arbitrary requests + +**Fix:** Remove keys from repo immediately, rotate keys on MTN side, use a secrets manager (AWS Secrets Manager, HashiCorp Vault). + +--- + +### C-03: Pervasive IDOR — JWT Identity Ignored Across All Endpoints (P1) + +**Files (representative sample):** +- `backend/ride/rides/add_ride.php` — `$passenger_id` from POST, not JWT +- `backend/ride/rides/acceptRide.php` — `$driverId` from POST, not JWT +- `backend/ride/rides/finish_ride_updates.php` — `$driver_id`, `$passengerId` from POST +- `backend/ride/cancelRide/add.php` — `$driverID`, `$passengerID` from POST +- `backend/ride/rate/add.php` — `$passenger_id`, `$driverID`, `$rideId` from POST +- `backend/ride/rate/addRateToDriver.php` — `$passenger_id`, `$driver_id` from POST +- `backend/ride/invitor/add.php` — `$driverId` from POST +- `backend/ride/invitor/claim.php` — `$driverId`, `$passengerId` from POST +- `backend/uploadImagePortrate.php` — `$driverID` from POST +- `backend/ride/driverWallet/add.php` — `$driverId` from POST +- `walletintaleq.intaleq.xyz/v2/main/ride/passengerWallet/add.php` — `$passenger_id` from POST +- `walletintaleq.intaleq.xyz/v2/main/ride/payment/updatePaymetToPaid.php` — `$driverID` from POST + +**Severity:** CRITICAL + +**Impact:** While `connect.php` properly authenticates users via JWT and populates `$user_id` and `$role`, almost every downstream endpoint ignores these and reads user identifiers from request parameters. This means: +1. Any authenticated user can create rides as any passenger +2. Any user can accept rides as any driver +3. Any user can finish rides for any driver/passenger pair +4. Any user can overwrite any driver's profile image +5. Any user can submit ratings for any driver/passenger/ride +6. Any user can claim referral rewards for any driver +7. 
Any user can credit/debit any wallet + +**This is the single most critical architectural flaw in the application.** + +--- + +### C-04: No Role-Based Access Control on Admin Endpoints (P1) + +**Files:** +- `backend/Admin/AdminCaptain/get.php` — Returns ALL drivers with full PII + FCM tokens +- `backend/Admin/rides/admin_get_rides_by_phone.php` — Returns any user's ride history +- `backend/Admin/rides/monitorRide.php` — Live GPS tracking of any driver +- `backend/Admin/passenger/admin_delete_and_blacklist_passenger.php` — Delete any passenger +- `backend/Admin/passenger/admin_update_passenger.php` — Modify any passenger's data +- `backend/Admin/ride/AdminRide/get.php` — View any ride details +- `backend/Admin/send_whatsapp_message.php` — Send WhatsApp via company account +- `backend/Admin/errorApp.php` — Inject arbitrary error records + +**Severity:** CRITICAL + +**Details:** These endpoints include `connect.php` (JWT auth) but **never check `$role`**. Any authenticated user — passenger, driver, service — can access all admin functions. Only `dashbord.php` enforces a role check. + +**Impact:** A passenger can: +- Enumerate all captains' personal data and device tokens +- Look up any phone number's ride history +- Live-track any driver's GPS position in real-time +- Delete and blacklist any passenger account +- Send WhatsApp messages at company expense + +--- + +### C-05: Unauthenticated FCM Push Notification Relay (P1) + +**File:** `backend/ride/firebase/send_fcm.php` + +**Severity:** CRITICAL + +**Details:** This endpoint has **zero authentication** — no JWT, no API key, no IP restriction. Anyone on the internet can send arbitrary push notifications to any FCM token or topic. 
+ +**Impact:** +- Send phishing notifications to all app users +- Impersonate the Siro app with fake messages +- Drain FCM quota +- Send malicious data payloads to trigger app actions + +**Attack Vector:** `POST /ride/firebase/send_fcm.php` with body `{"target": "", "title": "Phishing", "body": "Click here"}` + +--- + +### C-06: Unauthenticated Payment Webhooks (Wallet) (P1) + +**Files:** +- `walletintaleq.intaleq.xyz/v2/main/ride/shamcash/save_transactions.php` +- `walletintaleq.intaleq.xyz/v2/main/ride/shamcash/save_transactions_new.php` + +**Severity:** CRITICAL + +**Details:** ShamCash payment webhooks process incoming payment notifications and credit user wallets. They have **zero authentication** — no HMAC signature, no API key, no IP allowlist. The `jwtconnect.php` is included but its failure is silently ignored (`if(isset($con)) break;`). + +**Impact:** Anyone who discovers the URL can POST fake transactions and trigger automatic wallet deposits with bonuses — effectively creating money. + +--- + +### C-07: FCM Private Key in Client Apps (P1) + +**File:** `siro_driver/lib/env/env.dart` (and rider, admin equivalents) + +**Severity:** CRITICAL + +**Details:** The Firebase Cloud Messaging private key is included in all Flutter client apps via the `envied` package with `obfuscate: true`. The `envied` obfuscation is XOR-at-compile-time and trivially reversible — the generated `env.g.dart` contains both the XOR key and ciphertext. + +**Impact:** Extraction enables sending arbitrary push notifications impersonating the server, phishing users, or triggering malicious actions in-app. FCM private keys are server-only credentials and must never be in client apps. + +--- + +### C-08: PCI DSS Violation — Credit Card Data in Client App (P1) + +**File:** `siro_driver/lib/constant/box_name.dart` (Lines 87-94) + +**Severity:** CRITICAL + +**Details:** Storage keys for `cardNumber`, `cvvCode`, and `expiryDate` are defined in the app. 
Storing CVV post-authorization violates PCI DSS Requirement 3.2. Even with FlutterSecureStorage, CVV must never be retained after authorization. + +--- + +### C-09: SQL Injection in Payment Status Update (P1) + +**File:** `walletintaleq.intaleq.xyz/v2/main/ride/payment/updatePaymetToPaid.php` (Line 7) + +**Severity:** CRITICAL + +**Code:** +```php +$sql = "UPDATE `payments` SET `isGiven`='Paid' WHERE driverID='$driverID'"; +``` + +**Details:** `$driverID` from `filterRequest()` is interpolated directly into SQL string. Despite using `prepare()/execute()`, the SQL is fully concatenated with user input, making `prepare()` useless. + +**Impact:** Full database compromise — read/write any table including payment records, user credentials, wallet balances. + +--- + +### C-10: OTP Weaknesses (P1) + +**Files:** +- `backend/auth/token_passenger/send_otp.php` — Uses `rand(100, 999)` (3-digit, predictable) +- `backend/auth/otp/request.php` — Uses `random_int(0, 999)` with `str_pad` to 3 digits +- `backend/auth/token_passenger/verify_otp.php` — No rate limiting + +**Severity:** CRITICAL + +**Details:** +1. `rand()` is a linear congruential generator — cryptographically predictable +2. 3-digit OTP = only 1000 combinations +3. No rate limiting on `token_passenger` endpoints +4. Loose comparison (`==`) in OTP verification enables type juggling + +**Impact:** OTP brute-forceable within hours. Complete account takeover. + +--- + +### C-11: JWT Parsed Without Signature Verification (Auth) (P1) + +**Files:** +- `backend/auth/otp/request.php:22-31` +- `backend/auth/otp/verify.php:26-36` + +**Severity:** CRITICAL + +**Details:** The JWT Authorization header is base64-decoded (not verified) and the `role` claim is extracted WITHOUT signature verification. Any attacker can craft a fake JWT with any role. + +**Impact:** Privilege escalation — impersonate any user type without a valid token. 
+ +--- + +### C-12: Storage Backend Mismatch — OTP Verification Always Fails (P1) + +**Files:** +- `backend/auth/token_passenger/send_otp.php:60-69` — Writes OTP to MySQL +- `backend/auth/token_passenger/verify_otp.php:31` — Reads OTP from Redis + +**Severity:** CRITICAL (Authentication Broken) + +**Details:** OTP is stored in MySQL table `token_verification` but verification reads from Redis key `otp:passenger:{phone}`. Different storage backends means verification **always fails**. Legitimate users cannot verify their OTP. + +--- + +### C-13: Debug Endpoint with Encryption Oracle + Weak Auth (P1) + +**File:** `backend/Admin/debug/ggg.php` + +**Severity:** CRITICAL + +**Details:** This debug endpoint: +- Does NOT use JWT auth (uses custom `connect.php` include with CWD-dependent relative path) +- Auth is gated only by `admin_phone` parameter matching `ADMIN_PHONE_NUMBERS` env var +- Provides arbitrary encryption/decryption oracle via `$encryptionHelper` + +**Impact:** Complete compromise of encryption-at-rest. Attacker can decrypt all PII and encrypt malicious payloads. + +--- + +### C-14: Driver Token Retrieval Without Auth Check (P1) + +**File:** `backend/Admin/AdminCaptain/get.php` + +**Severity:** CRITICAL + +**Details:** Returns all captain records including FCM device tokens from `driverToken` table. No role check. FCM tokens enable account impersonation via push notifications. + +--- + +### C-15: Ride History + Live GPS Tracking Without Auth Check (P1) + +**Files:** +- `backend/Admin/rides/admin_get_rides_by_phone.php` +- `backend/Admin/rides/monitorRide.php` + +**Severity:** CRITICAL + +**Details:** +- `admin_get_rides_by_phone.php` — Returns full ride history for ANY phone number +- `monitorRide.php` — Returns live GPS coordinates (lat, lng, speed, heading) of any driver + +No role check on either endpoint. 
+ +--- + +### C-16: Admin Debug Endpoints in Production (P1) + +**Directory:** `backend/Admin/debug/` (10+ files) + +**Severity:** CRITICAL + +**Details:** Contains scripts for: database connection testing, Redis connection testing, phone debugging, environment variable dumping. Protected only by `.htaccess` (Apache-specific). If server uses nginx/Caddy, all are publicly accessible. + +--- + +### C-17: Wallet Balance Deduction Without Sufficient Balance Check (P1) + +**File:** `walletintaleq.intaleq.xyz/v2/main/ride/payment/process_ride_payments.php:81-94` + +**Severity:** CRITICAL + +**Details:** Passenger wallet is debited via negative ledger entry with NO query checking if the passenger has sufficient balance. No `SELECT ... FOR UPDATE` row lock. + +**Impact:** Passengers can drive wallets arbitrarily negative. Race-condition double deduction. + +--- + +### C-18: Missing FOR UPDATE Row Locks in Payment Processing (P1) + +**File:** `walletintaleq.intaleq.xyz/v2/main/ride/payment/process_ride_payments.php:60-130` + +**Severity:** CRITICAL + +**Details:** Uses `beginTransaction/commit` but never `SELECT ... FOR UPDATE`. Concurrent requests can interleave, enabling race-condition exploitation. + +--- + +### C-19: Client-Controlled Debt/Amount in Payment Processing (P1) + +**File:** `walletintaleq.intaleq.xyz/v2/main/ride/payment/process_ride_payments.php:44` + +**Severity:** CRITICAL + +**Code:** `$passengerWalletBurc = filterRequest("passengerWalletBurc");` + +**Details:** Debt settlement amount is provided by the caller (S2S). If the S2S caller is compromised, attacker can settle any amount. 
+ +--- + +### C-20: Race Condition in ShamCash Transaction Processing (P1) + +**Files:** +- `walletintaleq.intaleq.xyz/v2/main/ride/shamcash/save_transactions.php:45-46` +- `walletintaleq.intaleq.xyz/v2/main/ride/shamcash/save_transactions_new.php:54-55` + +**Severity:** CRITICAL + +**Details:** Transaction deduplication uses file-based counter (`last_id.txt`) with no atomic locking. Under concurrent requests, the same transaction can trigger two wallet deposits. + +**Impact:** Double-spend — create money. + +--- + +### C-21: Encryption Oracle in Client-Side Crypto (P1) + +**Files:** `siro_admin/.env`, `siro_driver/.env`, all `char_map.dart`, `encrypt_decrypt.dart` + +**Severity:** CRITICAL + +**Details:** Custom substitution cipher (a=q, b=x, c=f, etc.) is used for "encryption." The substitution tables, obfuscation algorithm, and delimiter (`BlBlNl`) are all in source code. The `envied` XOR-based obfuscation is trivially reversible. + +**Impact:** All 40+ API keys, credentials, and secrets in the Flutter apps are extractable from the binary via static analysis. + +--- + +### C-22: Static IV in AES-CBC Encryption (P1) + +**Files:** +- `walletintaleq.intaleq.xyz/v2/main/encrypt_decrypt.php` — Static IV from env +- `siro_admin/lib/controller/functions/encrypt_decrypt.dart` — Static IV per env + +**Severity:** CRITICAL + +**Details:** AES-CBC with a static, never-changing IV makes encryption deterministic. Same plaintext always produces same ciphertext. Enables chosen-plaintext attacks. + +**Impact:** All encrypted data (phone numbers, names, emails) is recoverable via known-plaintext attacks. + +--- + +### C-23: Webhook Token Bypass — Any Non-Empty Token Works (P1) + +**File:** `walletintaleq.intaleq.xyz/v2/main/jwtconnect.php:96-103` + +**Severity:** CRITICAL + +**Code:** +```php +$webhookToken = $_SERVER['HTTP_X_AUTH_TOKEN'] ?? 
''; +if (!empty($webhookToken)) { + $authMethod = 'WEBHOOK'; +``` + +**Details:** Any non-empty `X-Auth-Token` header bypasses JWT authentication entirely. No validation of token value — only existence check. + +--- + +### C-24: `siro_service` App Has `allowBackup=true` (Default) + +**File:** `siro_service/android/app/src/main/AndroidManifest.xml` + +**Severity:** HIGH + +**Details:** `android:allowBackup` not explicitly set — defaults to `true`. App data (tokens, keys, database) can be backed up via `adb`, enabling data exfiltration. + +--- + +### C-25: OTP Replay Attack — No `verified` Status Check + +**File:** `backend/auth/otp/verify.php` + +**Severity:** HIGH + +**Details:** SELECT queries don't check `verified = 0`. After first successful verification, same OTP can be reused within expiration window. + +--- + +### C-26: `rand()` for OTP Generation Instead of `random_int()` + +**File:** `backend/auth/token_passenger/send_otp.php:6` + +**Severity:** HIGH + +**Details:** `$otp = (string)rand(100, 999)` uses PHP's `rand()` which is a linear congruential generator. OTPs are cryptographically predictable. + +--- + +## 🟠 SECTION 2: HIGH VULNERABILITIES (32) + +### H-01: Missing `.gitignore` — All Secrets Tracked by Git + +**File:** Root directory — `.gitignore` does not exist + +**Severity:** HIGH + +**Impact:** Every file in the repository is tracked. `.env` files, PEM keys, and secrets are permanently in Git history. + +--- + +### H-02: Host Header Injection in Upload Endpoints + +**Files:** +- `backend/uploadImagePortrate.php:50-52` +- `backend/upload_audio.php:62-64` + +**Severity:** HIGH + +**Code:** `$host = $_SERVER['HTTP_HOST'] ?? 'api.siromove.com';` + +**Impact:** Attacker-controlled Host header generates URLs pointing to attacker servers. Enables SSRF or open redirect. 
+ +--- + +### H-03: Log Injection / Log Forging + +**File:** `backend/Admin/errorApp.php:13` + +**Severity:** HIGH + +**Impact:** User-controlled input written directly to logs without sanitization. CRLF injection enables fake log entries. + +--- + +### H-04: Information Disclosure — Hardcoded Internal IPs and Paths + +**Files:** +- `backend/functions.php:23-34` — Internal IPs (`http://188.68.36.205:2021`, etc.) +- `backend/encrypt_decrypt.php:7` — `/home/siro-api/env/.env` +- `backend/core/helpers.php:230` — `/home/siro-api/.internal_socket_key` +- `walletintaleq.intaleq.xyz/v2/main/loginWalletAdmin.php:5` — `/home/intaleq-wallet/env/.env` +- `walletintaleq.intaleq.xyz/v2/main/encrypt_decrypt.php:6` — `/home/intaleq-walletintaleq/env/.env` + +**Severity:** HIGH + +**Impact:** Internal network topology and filesystem paths exposed. Aids targeted attacks. + +--- + +### H-05: User Enumeration via Distinct Error Messages + +**Files:** +- `backend/auth/signup.php:38` — "already registered" vs success +- `backend/auth/login.php:53,61` — "User does not exist" vs "Incorrect password" +- `walletintaleq.intaleq.xyz/v2/main/loginWalletAdmin.php:72-85` — "User not found" vs "Invalid credentials" + +**Severity:** HIGH + +**Impact:** Attacker can enumerate valid phone numbers, emails, and admin usernames. + +--- + +### H-06: User-Supplied Primary Key (`id` field) + +**File:** `backend/auth/signup.php:14,49` + +**Severity:** HIGH + +**Impact:** Client provides the user ID. No server-side generation. Enables ID collision and IDOR. + +--- + +### H-07: No Input Validation on Phone, Email, or Password + +**Files:** +- `backend/auth/signup.php:6-14` +- `backend/auth/login.php:5-7` +- `backend/auth/otp/request.php:14-40` + +**Severity:** HIGH + +**Impact:** Allows malformed data, weak passwords, injection in downstream systems. 
+ +--- + +### H-08: Login Requires BOTH Phone AND Email (AND Logic) + +**File:** `backend/auth/login.php:32` — `WHERE phone = :phone AND email = :email` + +**Severity:** HIGH + +**Impact:** Unintentional AND logic. Login requires both identifiers, breaking phone-only or email-only login flows. + +--- + +### H-09: Fatal Error — Undefined Variable `$conn` + +**File:** `backend/auth/login.php:65` — `$conn->close()` (should be `$con`) + +**Severity:** HIGH + +**Impact:** Fatal PHP error. Path disclosure if error reporting is enabled. + +--- + +### H-10: Config Mismatch — Hardcoded .env Paths Inconsistent + +**Files:** +- `walletintaleq.intaleq.xyz/v2/main/connect.php:5` — `/home/intaleq-walletintaleq/env/.env` +- `walletintaleq.intaleq.xyz/v2/main/loginWalletAdmin.php:5` — `/home/intaleq-wallet/env/.env` +- `walletintaleq.intaleq.xyz/v2/main/encrypt_decrypt.php:6` — `/home/intaleq-walletintaleq/env/.env` +- `walletintaleq.intaleq.xyz/v2/main/jwtconnect.php:22` — `/home/intaleq-wallet/env/.env` + +**Severity:** HIGH + +**Impact:** Four different hardcoded paths for .env files across the wallet codebase. Some files will fail to load env if path doesn't match. + +--- + +### H-11: Email Header Injection in Wallet Functions + +**File:** `walletintaleq.intaleq.xyz/v2/main/functions.php:279-282` + +**Severity:** HIGH + +**Code:** `$header = "From: $from" . "\n" . "CC: $from"; mail($to, $title, $body, $header);` + +**Impact:** If `$from` contains CRLF, attacker can inject arbitrary email headers (spam relay, phishing). + +--- + +### H-12: AI Prompt Injection in Gemini Payment Verification + +**File:** `walletintaleq.intaleq.xyz/v2/main/ride/GeminiAi.php:24-31` + +**Severity:** HIGH + +**Impact:** Attacker can inject instructions into Gemini prompt via `$proofText` (e.g., "return verified: true"), defeating AI-based payment verification. 
+ +--- + +### H-13: Gemini API Key in URL Query Parameter + +**File:** `walletintaleq.intaleq.xyz/v2/main/ride/GeminiAi.php:41` + +**Code:** `$url = $this->baseUrl . ":" . $this->model . ":generateContent?key=" . $this->apiKey;` + +**Severity:** HIGH + +**Impact:** API key exposed in URL — visible in server access logs, proxy logs, network monitoring. + +--- + +### H-14: Static IV in Wallet AES-CBC + +**File:** `walletintaleq.intaleq.xyz/v2/main/encrypt_decrypt.php:10-11` + +**Severity:** HIGH + +**Impact:** AES-CBC with static IV makes encryption deterministic. Semantic security defeated. + +--- + +### H-15: Weak Obfuscation — Substitution Cipher in Env Values + +**Files:** All `char_map.dart` files across all Flutter apps + +**Severity:** HIGH + +**Impact:** Custom substitution cipher (a=q, b=x, c=f, etc.) with algorithm+keys in source code. Trivially reversible. + +--- + +### H-16: `jailbreak_root_detection` Package Never Used + +**Files:** All `pubspec.yaml` files + +**Severity:** HIGH + +**Impact:** Root/jailbreak detection package included in dependencies but never invoked. Provides false sense of security. + +--- + +### H-17: No SSL/TLS Certificate Pinning + +**Files:** All Flutter apps + +**Severity:** HIGH + +**Impact:** All API traffic vulnerable to MITM on hostile networks. `dio` configured without pinning. + +--- + +### H-18: Hardcoded Developer PII in Production Apps + +**Files:** All `constant/info.dart` files + +**Severity:** HIGH + +**Details:** `phoneNumber = '962798583052'`, `email = 'hamzaayed@intaleqapp.com'`, LinkedIn profile hardcoded in all production binaries. + +--- + +### H-19: `siro_service` App — Cleartext Traffic Not Explicitly Disabled + +**File:** `siro_service/android/app/src/main/AndroidManifest.xml` + +**Severity:** HIGH + +**Impact:** `android:usesCleartextTraffic` not set. On API < 28, cleartext HTTP may be permitted. 
+ +--- + +### H-20: Missing CSRF Protection on All Auth Endpoints + +**Files:** All auth endpoints + +**Severity:** HIGH + +**Impact:** No CSRF tokens, SameSite cookies, or Origin/Referer validation. Vulnerable to cross-origin request forgery. + +--- + +### H-21: Shared Rate Limit Counter Between OTP Request and Verify + +**Files:** +- `backend/auth/otp/request.php:11` +- `backend/auth/otp/verify.php:10` + +**Severity:** HIGH + +**Impact:** Both request and verify use same rate limit context key `'otp'`. Requesting OTPs consumes verification attempts and vice versa. + +--- + +### H-22: Payment Amount Not Validated (Zero/Negative) + +**File:** `walletintaleq.intaleq.xyz/v2/main/ride/payment/process_ride_payments.php:66-69` + +**Severity:** HIGH + +**Impact:** No min/max validation. Negative payment amounts could reverse charges. + +--- + +### H-23: Type Juggling in OTP Verification (Loose Comparison) + +**File:** `backend/auth/token_passenger/verify_otp.php:33` — `$cachedOtp == $otp` + +**Severity:** HIGH + +**Impact:** PHP type juggling can bypass verification (e.g., "0e123" vs "0e456"). + +--- + +### H-24: LEFT JOIN on Encrypted Email Will Never Match + +**File:** `backend/auth/login.php:30` + +**Severity:** HIGH + +**Impact:** `LEFT JOIN email_verifications ON email_verifications.email = passengers.email` — email is AES-encrypted. Join predicate never true. Email verification status always NULL. + +--- + +### H-25: Plaintext Phone Number Stored in adminUser Table + +**File:** `backend/auth/otp/verify.php:88,93,97` + +**Severity:** HIGH + +**Impact:** Phone numbers stored unencrypted in adminUser table while all other tables use AES encryption. + +--- + +### H-26: JSON_UNESCAPED_UNICODE Allows XSS via JSON + +**Files:** Various endpoints using `JSON_UNESCAPED_UNICODE` + +**Severity:** HIGH + +**Impact:** Characters `<` and `>` pass through unchanged in JSON responses. If admin panel renders as innerHTML, XSS is possible. 
+ +--- + +### H-27: No SSL Verification on Any cURL Call + +**Files:** All MTN, ShamCash, and payment integration files + +**Severity:** HIGH + +**Impact:** `CURLOPT_SSL_VERIFYPEER` and `CURLOPT_SSL_VERIFYHOST` not set. All outbound HTTP vulnerable to MITM. + +--- + +### H-28: Broken Crypto — `openssl_sign` with String Instead of Key Resource + +**File:** `walletintaleq.intaleq.xyz/v2/main/ride/mtn/driver/initiate_payment.php:25` + +**Severity:** HIGH + +**Impact:** PEM string passed directly to `openssl_sign()` which expects key resource. Signature silently fails (null), breaking MTN payment flow. + +--- + +### H-29: Hardcoded Payment Token Secrets + +**Files:** Multiple ShamCash and MTN finalize files + +**Severity:** HIGH + +**Impact:** Token generation uses hardcoded strings (`'shamcash_secret'`, `'default_secret'`) concatenated with predictable values. Tokens can be predicted/forged. + +--- + +### H-30: IDOR on Invoice Creation — No Ownership Check + +**Files:** +- `walletintaleq.intaleq.xyz/v2/main/ride/shamcash/create_invoice_shamcash.php:8` +- `walletintaleq.intaleq.xyz/v2/main/ride/shamcash/passenger/create_invoice.php:7` + +**Severity:** HIGH + +**Impact:** Any authenticated user can create invoices for any driver/passenger. + +--- + +### H-31: Mass Data Exposure — All Device Fingerprints + +**File:** `backend/migration/get_all_fingerprints.php` + +**Severity:** HIGH + +**Impact:** Exposes all device fingerprints without pagination or rate limiting. Single static key (`MIGRATION_ADMIN_KEY`) is the only gate. + +--- + +### H-32: Unauthenticated `send_fcm.php` — Debug Application + +**File:** `backend/ride/firebase/send_fcm.php` + +**Severity:** HIGH + +**Impact:** No authentication. Open FCM relay enables phishing all app users. 
+ +--- + +## 🟡 SECTION 3: MEDIUM VULNERABILITIES (14) + +### M-01: `UCropActivity` Not Explicitly Unexported + +**File:** `siro_rider/android/app/src/main/AndroidManifest.xml` + +**Severity:** MEDIUM + +### M-02: Custom URI Scheme Without Host Validation + +**Files:** `siro_driver`, `siro_rider` manifests — `siromove://` scheme without host restriction + +**Severity:** MEDIUM + +### M-03: `WRITE_EXTERNAL_STORAGE` Without `maxSdkVersion` + +**Files:** `siro_driver`, `siro_rider` manifests + +**Severity:** MEDIUM + +### M-04: `BackgroundService` Exported with Location Type + +**File:** `siro_driver/android/app/src/main/AndroidManifest.xml` + +**Severity:** MEDIUM + +### M-05: Empty `taskAffinity` on Admin App + +**File:** `siro_admin/android/app/src/main/AndroidManifest.xml` + +**Severity:** MEDIUM (Task hijacking risk) + +### M-06: Debug Logging of JWT Payloads + +**File:** `walletintaleq.intaleq.xyz/v2/main/functions.php:29-181` + +**Severity:** MEDIUM + +### M-07: PDO Exception Messages Leaked to Client + +**Files:** `backend/ride/invitor/add.php:55,86`, various others + +**Severity:** MEDIUM + +### M-08: Sensitive Data in Error Logs + +**Files:** Multiple wallet files — phone numbers, invoice numbers, GUIDs in logs + +**Severity:** MEDIUM + +### M-09: MethodChannel Without Origin Validation + +**File:** `siro_driver/lib/main.dart:44` + +**Severity:** MEDIUM + +### M-10: API Key Download Without Client-Side Signature Verification + +**File:** `siro_driver/lib/constant/credential.dart:13-35` + +**Severity:** MEDIUM + +### M-11: Token Expiration Missing on Payment Tokens + +**Files:** Multiple wallet files + +**Severity:** MEDIUM + +### M-12: Loose Comparison in Bonus Calculation + +**Files:** Multiple MTN/ShamCash files + +**Severity:** MEDIUM + +### M-13: `GetStorage` for Sensitive Data Instead of `FlutterSecureStorage` + +**Files:** All Flutter apps' `main.dart` + +**Severity:** MEDIUM + +### M-14: Exception Message Leak in Wallet Admin Registration + +**File:** 
`backend/Admin/auth/register.php:83` + +**Severity:** MEDIUM + +--- + +## 🟢 SECTION 4: LOW VULNERABILITIES (4) + +### L-01: Payment Token Replay (Stale Tokens) + +**Files:** Multiple wallet files + +**Severity:** LOW + +### L-02: CORS Misconfiguration on ShamCash Webhook + +**File:** `walletintaleq.intaleq.xyz/v2/main/ride/shamcash/save_transactions.php:6` + +**Severity:** LOW + +### L-03: Padding Oracle Potential (Wallet CBC) + +**File:** `walletintaleq.intaleq.xyz/v2/main/encrypt_decrypt.php:48-71` + +**Severity:** LOW + +### L-04: Dead Code — `$hashed_password` Computed but Never Used + +**File:** `backend/auth/login.php:10` + +**Severity:** LOW + +--- + +## 🔍 SECTION 5: AUTOMATED SCAN RESULTS + +### Semgrep Results + +| Tool | Files Scanned | Rules | Findings | +|------|--------------|-------|----------| +| Semgrep (Backend) | 448 | 180 | 3 (XSS) | +| Semgrep (Wallet) | 159 | 33 | 4 (XSS, Host injection) | +| Semgrep Deep | 601 | 129 | 5 (Cross-cutting) | + +### Nuclei Results + +Targets: `api.siromove.com`, `walletintaleq.intaleq.xyz`, `siromove.com` +- `api.siromove.com` — DNS not resolving (offline/unreachable) +- `siromove.com` — DNS not resolving (offline/unreachable) +- `walletintaleq.intaleq.xyz` — Reachable, no template matches found (standard Nuclei templates) + +--- + +## 🏗️ SECTION 6: ARCHITECTURAL ISSUES + +### A-01: No Centralized Authorization Layer +Every endpoint implements its own auth checks (or none). No middleware for role-based access control. + +### A-02: Inconsistent Authentication Patterns +- Some endpoints use `connect.php` (JWT + rate limiting + fingerprint) +- Some use `jwtconnect.php` (JWT with webhook bypass) +- Some use custom auth (phone-based, key-based) +- Some have no auth at all + +### A-03: No Input Validation Layer +No centralized input sanitization, validation, or typed request objects. Every endpoint parses raw `$_POST` / `$_GET` / `php://input` manually. + +### A-04: Secret Management MIA +No secrets manager. 
Secrets stored in: +- `.env` files committed to Git +- PEM files committed to Git +- Flutter app binaries (extractable via reverse engineering) + +### A-05: No Audit Logging +No centralized audit trail for sensitive operations (admin actions, payment modifications, account deletions). + +### A-06: No Rate Limiting on Sensitive Endpoints +Admin endpoints, payment processing, and token_passenger OTP have no rate limiting. + +--- + +## 📋 SECTION 7: REMEDIATION PRIORITIES + +### Phase 1 — Immediate (24 hours) + +| Priority | Vulnerability | Action | +|----------|--------------|--------| +| P1 | C-01: Live secrets in repo | Rotate ALL secrets, add `.gitignore`, purge Git history | +| P1 | C-02: RSA keys in repo | Remove keys, rotate with MTN, use secrets manager | +| P1 | C-07: FCM key in client | Remove from client, move to server-side only | +| P1 | C-08: CVV storage | Remove CVV handling immediately | +| P1 | C-05: Open FCM relay | Add authentication or remove endpoint | +| P1 | C-06: Unauthenticated webhooks | Add HMAC/API key verification | +| P1 | C-09: SQL injection | Fix parameterized query | +| P1 | C-16: Debug endpoints | Remove or firewall-protect | + +### Phase 2 — Short-term (7 days) + +| Priority | Vulnerability | Action | +|----------|--------------|--------| +| P1 | C-03: Pervasive IDOR | Fix all endpoints to validate JWT user_id == request user_id | +| P1 | C-04: Admin role checks | Add role validation to all admin endpoints | +| P1 | C-10: OTP weaknesses | Increase to 6 digits, use random_int(), add rate limiting | +| P1 | C-11: JWT signature verification | Fix OTP auth to verify JWT signature | +| P1 | C-17/18: Payment race conditions | Add FOR UPDATE locks, balance checks | +| H-01 | Missing .gitignore | Create .gitignore, clean history | +| H-16 | Root detection unused | Activate jailbreak detection at startup | + +### Phase 3 — Medium-term (30 days) + +| Priority | Vulnerability | Action | +|----------|--------------|--------| +| H-17 | SSL pinning 
| Implement certificate pinning in all Flutter apps | +| H-15 | Weak obfuscation | Replace custom cipher with platform Keychain/KeyStore | +| M-13 | GetStorage | Migrate sensitive data to FlutterSecureStorage | +| H-04 | Hardcoded paths | Move to configuration | +| A-01 | Authorization layer | Build centralized auth middleware | + +--- + +## 📊 STATISTICAL SUMMARY + +### By Component + +| Component | PHP Files | Dart Files | Critical | High | Medium | Low | Total | +|-----------|-----------|------------|----------|------|--------|-----|-------| +| Backend API | ~400 | - | 12 | 18 | 6 | 2 | 38 | +| Wallet Server | ~150 | - | 9 | 10 | 5 | 2 | 26 | +| Driver App | - | 275 | 3 | 4 | 3 | 0 | 10 | +| Rider App | - | 222 | 2 | 3 | 2 | 0 | 7 | +| Admin App | - | 128 | 2 | 3 | 2 | 0 | 7 | +| Service App | - | 63 | 1 | 1 | 1 | 0 | 3 | +| Android Config | - | - | 1 | 1 | 4 | 0 | 6 | +| **Total** | **~550** | **~690** | **26** | **32** | **14** | **4** | **76+** | + +### By Vulnerability Type + +| Type | Count | +|------|-------| +| IDOR / Missing Authorization | 18 | +| Secrets in Source Code / Config | 12 | +| Missing Authentication | 8 | +| SQL Injection / Database | 5 | +| OTP / Authentication Weakness | 6 | +| Insecure Cryptography | 5 | +| Information Disclosure | 6 | +| Input Validation / Injection | 7 | +| Race Condition / Business Logic | 4 | +| Android Misconfiguration | 5 | + +--- + +## 📝 FINAL NOTES + +The previous audit (June 16, 2026) identified **20 vulnerabilities** with **3 critical**. This comprehensive audit found **76+ vulnerabilities** with **26 critical**, demonstrating that previous assessments significantly underestimated the security posture. + +**Key systemic issues:** +1. **Authentication without authorization** — users are authenticated via JWT but endpoint-level authorization is almost completely absent +2. **Secrets management** — every secret is in the repo or extractable from the binary +3. 
**Payment/financial logic** — race conditions, missing balances checks, unauthenticated webhooks create direct financial fraud risk +4. **Mobile app security** — server credentials (FCM key) in client, PCI DSS violations, no SSL pinning + +**Estimated remediation effort:** 200-400 hours across all components +**Estimated cost:** $25,000-$50,000 +**Risk rating:** **EXTREME** — active exploitation likely given secrets in public repo diff --git a/nuclei_results.txt b/nuclei_results.txt new file mode 100644 index 0000000..e69de29 diff --git a/scratch/generate_study.py b/scratch/generate_study.py index 1a8861f..c3ce07e 100644 --- a/scratch/generate_study.py +++ b/scratch/generate_study.py @@ -131,11 +131,11 @@ def generate_docx(): metrics = [ ("السوق المستهدف", "سوريا — دمشق الكبرى"), ("نموذج الاستثمار", "دفع شهري مرحلي ($8,000/شهر)"), - ("رأس المال التأسيسي", "$9,000 (دفعة واحدة)"), + ("رأس المال التأسيسي", "$11,500 - $12,000 (دفعة واحدة)"), ("نقطة الخروج", "نهاية الشهر الخامس إذا لم تتحقق المؤشرات"), ("نطاق نقطة التعادل", "الشهر السابع حتى التاسع"), - ("أقصى تعرض للمستثمر", "$49,000 (عند الخروج المبكر)"), - ("إجمالي الاستثمار المتوقع", "$65,000 — $81,000"), + ("أقصى تعرض للمستثمر", "$51,500 - $52,000 (عند الخروج المبكر)"), + ("إجمالي الاستثمار المتوقع", "$67,500 — $84,000"), ] for label, val in metrics: p = doc.add_paragraph() 
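Review bot: the per-component table in the statistical summary does not add up to its own totals row: the Critical column sums to 30 (12+9+3+2+2+1+1), High to 40, Medium to 23 and Total to 97, while the totals row and the executive summary say 26/32/14/76+. Either the component rows double-count findings that span several components (then say so under the table) or the numbers need reconciling before the report goes out. Two smaller points in the same file: the Phase 2 action for C-03, "validate JWT user_id == request user_id", keeps a client-supplied user_id in play; derive the acting user from the verified JWT subject and drop the request parameter, so there is nothing left to compare. And nuclei_results.txt added in this patch is the empty blob (e69de29), so the "no template matches found" line in Section 5 cannot be told apart from a scan that never ran; commit the nuclei command line and its machine-readable output next to the report. The patch also bundles the audit, the scan artifacts and the feasibility-study edits in one commit; split them so the audit can be reviewed and signed off on its own.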
@@ -178,12 +178,12 @@ def generate_docx(): add_table(doc, ["المؤشر", "القيمة"], [ - ["رأس المال التأسيسي (مرة واحدة)", "$9,000"], + ["رأس المال التأسيسي (مرة واحدة)", "$11,500 - $12,000"], ["المصاريف التشغيلية الشهرية", "$8,000/شهر"], ["نقطة الخروج للمستثمر", "نهاية الشهر الخامس إذا لم تتحقق المؤشرات"], ["نطاق التعادل", "الشهر 7 — 9"], - ["أقصى خسارة عند الخروج المبكر", "$49,000"], - ["إجمالي الاستثمار حتى التعادل", "$65,000 — $81,000"], + ["أقصى خسارة عند الخروج المبكر", "$51,500 - $52,000"], + ["إجمالي الاستثمار حتى التعادل", "$67,500 — $84,000"], ["عمولة التطبيق", "11% من كل رحلة"], ["متوسط حصة الشركة للرحلة", "$0.30 / رحلة"], ["هدف الرحلات عند التعادل", "889 رحلة/يوم"], @@ -192,7 +192,6 @@ def generate_docx(): ) # ── 2. Vision & Business Model ── - doc.add_page_break() add_heading(doc, "ثانياً: الرؤية والنموذج التجاري", 1) add_para(doc, "الرؤية", bold=True, size=11) @@ -218,7 +217,6 @@ def generate_docx(): ) # ── 3. Market Analysis ── - doc.add_page_break() add_heading(doc, "ثالثاً: تحليل السوق السوري", 1) add_heading(doc, "3-1: لماذا الآن؟", 2) 
@@ -276,15 +274,16 @@ def generate_docx(): add_table(doc, ["البند", "الكمية", "سعر الوحدة", "الإجمالي"], [ - ["مكتب رئيسي مع أدراج", 1, "$80", "$80"], - ["مكاتب موظفين بسيطة", 3, "$40", "$120"], - ["كرسي مكتبي دوّار رئيسي", 1, "$60", "$60"], - ["كراسي موظفين", 3, "$30", "$90"], - ["طاولة اجتماعات صغيرة (4 أشخاص)", 1, "$50", "$50"], - ["برادي (ستائر) للمكتب", "—", "—", "$25"], - ["رفوف تخزين بسيطة", "—", "—", "$25"], - ["مراوح (عدد 2)", 2, "$25", "$50"], - ["إجمالي الأثاث", "", "", "$500"], + ["مكتب رئيسي مع أدراج", 1, "$150", "$150"], + ["مكاتب موظفين بسيطة", 3, "$90", "$270"], + ["كرسي مكتبي دوّار رئيسي", 1, "$110", "$110"], + ["كراسي موظفين", 3, "$60", "$180"], + ["طاولة اجتماعات صغيرة (4 أشخاص)", 1, "$80", "$80"], + ["كراسي اجتماعات", 4, "$50", "$200"], + ["برادي (ستائر) للمكتب", "—", "—", "$200"], + ["رفوف تخزين بسيطة", "—", "—", "$50"], + ["مراوح (عدد 2)", 2, "$40", "$80"], + ["إجمالي الأثاث", "", "", "$1,320"], ], col_widths=[7, 2, 2.5, 2.5] ) @@ -293,11 +292,13 @@ def generate_docx(): add_table(doc, ["البند", "الإجمالي"], [ - ["طابعة/ماسح ضوئي", "$35"], - ["إكسسوارات (كابلات، ماوس، لوحات مفاتيح)", "$20"], - ["قرطاسية ومستلزمات (3 أشهر)", "$20"], - ["أدوات ضيافة أولية", "$25"], - ["إجمالي التجهيزات", "$100"], + ["راوتر WiFi احترافي", "$80"], + ["طابعة/ماسح ضوئي", "$65"], + ["إكسسوارات متنوعة", "$100"], + ["مكيف هواء (شراء + تركيب)", "$450"], + ["قرطاسية ومستلزمات (3 أشهر)", "$80"], + ["أدوات ضيافة", "$80"], + ["إجمالي التجهيزات", "$855"], ], col_widths=[10, 4] ) 
@@ -306,13 +307,15 @@ def generate_docx(): add_table(doc, ["البند", "الإجمالي"], [ - ["سرير + فرشة (عدد 2)", "$100"], - ["إحرامات + مخدات (عدد 2)", "$25"], - ["برادي للسكن", "$25"], - ["ثلاجة صغيرة للمكتب والسكن", "$80"], - ["غاز صغير (سفري) + أدوات مطبخ", "$70"], - ["سخان مياه (شمسي/كهربائي)", "$50"], - ["إجمالي تجهيزات السكن", "$350"], + ["سرير (عدد 2)", "$80"], + ["فرشة (عدد 2)", "$180"], + ["إحرامات + مخدات (عدد 2)", "$40"], + ["برادي للسكن", "$100"], + ["ثلاجة صغيرة", "$100"], + ["غاز صغير + أدوات مطبخ", "$100"], + ["سخان مياه", "$70"], + ["سفري + أدوات ضيافة", "$25"], + ["إجمالي تجهيزات السكن", "$695"], ], col_widths=[10, 4] ) @@ -334,7 +337,6 @@ def generate_docx(): add_para(doc, "ملاحظة: تم استبدال أجهزة الحاسوب المكتبي لخدمة العملاء بهواتف ذكية (3 × $150 ضمن بند هواتف خدمة العملاء في CAPEX).", size=9, color=GREY) # ── 5. HR Plan ── - doc.add_page_break() add_heading(doc, "خامساً: خطة الموارد البشرية", 1) add_heading(doc, "5-1: الهيكل الوظيفي والرواتب", 2) @@ -370,9 +372,11 @@ def generate_docx(): ["هواتف خدمة العملاء (3 أجهزة)", "$450", "3 × $150"], ["أجهزة التطوير (Mac + iPhone + Android)", "$5,000", "حسب التفصيل في 4-3"], ["لابتوب للسيرفرات وإدارة الإعلانات", "$350", "جهاز منفصل لإدارة السيرفرات"], - ["تجهيز المكتب (أثاث + معدات)", "$550", "حسب التفصيل في 4-2"], - ["تجهيزات سكن المؤسس", "$350", "أثاث وتجهيزات أساسية"], - ["إجمالي رأس المال التأسيسي", "$9,000", ""], + ["تجهيز المكتب — أثاث", "$1,320", "حسب التفصيل في 4-2-أ"], + ["تجهيز المكتب — معدات وتجهيزات", "$855", "حسب التفصيل في 4-2-ب"], + ["تجهيزات سكن المؤسس", "$695", "أثاث وتجهيزات أساسية"], + ["تكاليف السفر والنقل والإقامة التأسيسية (أسبوعين)", "$400 - $800", "مواصلات + سكن مؤقت + تجهيز"], + ["إجمالي رأس المال التأسيسي", "$11,370 - $11,770 ≈ $11,500 - $12,000", ""], ], col_widths=[8, 2.5, 6] ) 
@@ -415,16 +419,16 @@ def generate_docx(): add_table(doc, ["الشهر", "صرف المستثمر", "الإيرادات", "العجز", "الإجمالي", "رحلات/يوم", "سائق نشط"], [ - ["التأسيس", "$9,000", "—", "-$9,000", "$9,000", "—", "—"], - ["1", "$8,000", "$270", "-$7,730", "$17,000", "30", "100"], - ["2", "$8,000", "$630", "-$7,370", "$25,000", "70", "120"], - ["3", "$8,000", "$1,350", "-$6,650", "$33,000", "150", "220"], - ["★4 — فحص", "$8,000", "$3,150", "-$4,850", "$41,000", "350", "350"], - ["★5 — خروج", "$8,000", "$5,400", "-$2,600", "$49,000", "600", "480"], - ["6", "$8,000", "$6,750", "-$1,250", "$57,000", "750", "550"], - ["⚡7", "$8,000", "$8,100", "+$100", "$65,000", "900", "630"], - ["⚡8", "$8,000", "$9,450", "+$1,450", "$73,000", "1,050", "750"], - ["⚡9", "$8,000", "$10,500", "+$2,500", "$81,000", "1,167", "840"], + ["التأسيس", "$11,500-12,000", "—", "-$11,500-12,000", "$11,500-12,000", "—", "—"], + ["1", "$8,000", "$270", "-$7,730", "$19,500-20,000", "30", "100"], + ["2", "$8,000", "$630", "-$7,370", "$27,500-28,000", "70", "120"], + ["3", "$8,000", "$1,350", "-$6,650", "$35,500-36,000", "150", "220"], + ["★4 — فحص", "$8,000", "$3,150", "-$4,850", "$43,500-44,000", "350", "350"], + ["★5 — خروج", "$8,000", "$5,400", "-$2,600", "$51,500-52,000", "600", "480"], + ["6", "$8,000", "$6,750", "-$1,250", "$59,500-60,000", "750", "550"], + ["⚡7", "$8,000", "$8,100", "+$100", "$67,500-68,000", "900", "630"], + ["⚡8", "$8,000", "$9,450", "+$1,450", "$75,500-76,000", "1,050", "750"], + ["⚡9", "$8,000", "$10,500", "+$2,500", "$83,500-84,000", "1,167", "840"], ["10", "$0", "$11,250", "+$3,250", "—", "1,250", "900"], ["11", "$0", "$12,375", "+$4,375", "—", "1,375", "980"], ["12", "$0", "$13,500", "+$5,500", "—", "1,500", "1,050"], 
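Review bot: in the @@ -415 hunk the founding row now shows the deficit as "-$11,500-12,000", which reads as a subtraction rather than a negative range, and every cumulative cell carries the same half-formatted range ("$19,500-20,000" and so on). The range exists only because the travel line in the CAPEX table is "$400 - $800"; either settle that line on one figure so this table returns to single numbers, or write the range as "-($11,500-$12,000)" with "$" on both ends throughout.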
@@ -439,7 +443,7 @@ def generate_docx(): add_heading(doc, "سابعاً: هيكل الاستثمار — نموذج الدفع الشهري", 1) add_para(doc, "آلية الدفع:", bold=True, size=11) - add_bullet(doc, "المستثمر يدفع $9,000 مرة واحدة عند التوقيع (CAPEX)") + add_bullet(doc, "المستثمر يدفع $11,500-$12,000 مرة واحدة عند التوقيع (CAPEX)") add_bullet(doc, "يدفع $8,000 شهرياً لتغطية التشغيل الكامل") add_bullet(doc, "الدفع يتوقف تلقائياً عندما تتجاوز الإيرادات $8,000/شهر") add_bullet(doc, "لا يوجد التزام بإجمالي محدد مقدماً") @@ -449,7 +453,7 @@ def generate_docx(): add_table(doc, ["الشهر", "المبلغ", "نوع الدفع", "حالة المشروع"], [ - ["صفر", "$9,000", "مرة واحدة", "تجهيز + ترخيص + تعيين"], + ["صفر", "$11,500-$12,000", "مرة واحدة", "تجهيز + ترخيص + تعيين"], ["1", "$8,000", "شهري", "إطلاق ناعم"], ["2", "$8,000", "شهري", "نمو متصاعد"], ["3", "$8,000", "شهري", "حوافز ذاتية"], @@ -468,10 +472,10 @@ def generate_docx(): add_table(doc, ["السيناريو", "التوقف", "الإجمالي", "ملاحظة"], [ - ["خروج مبكر (فشل)", "نهاية ش5", "$49,000", "أقصى خسارة $49,000"], - ["تعادل متفائل", "منتصف ش7", "$57,000", "أفضل سيناريو"], - ["تعادل قاعدي", "منتصف ش8", "$65,000", "الأرجح"], - ["تعادل محافظ", "منتصف ش9", "$73,000", "نمو أبطأ"], + ["خروج مبكر (فشل)", "نهاية ش5", "$51,500-$52,000", "أقصى خسارة ~$52,000"], + ["تعادل متفائل", "منتصف ش7", "$59,500-$60,000", "أفضل سيناريو"], + ["تعادل قاعدي", "منتصف ش8", "$67,500-$68,000", "الأرجح"], + ["تعادل محافظ", "منتصف ش9", "$75,500-$76,000", "نمو أبطأ"], ], col_widths=[5, 3, 3, 5] ) 
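Review bot: the scenario table in the @@ -468 hunk mixes cumulative conventions with the month-by-month table above it: "تعادل محافظ, منتصف ش9" is given as $75,500-$76,000, which is the cumulative through month 8, while "خروج مبكر, نهاية ش5" uses the cumulative through month 5, and the summary lines elsewhere in this patch give "$67,500 — $84,000" for the same total-to-breakeven, which is the month-7 to month-9 cumulative, a third reading. State one convention (total paid by the breakeven month, or by the month before) and apply it to all four rows and to the summary fields.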
@@ -481,11 +485,10 @@ def generate_docx(): add_para(doc, "في النموذج القديم (مبلغ واحد)، المستثمر يدفع كل شيء مقدماً والاحتياطي يجلس خاملاً. في النموذج الجديد (شهري):", size=10) add_bullet(doc, "المستثمر يدفع فقط ما صُرف فعلاً") add_bullet(doc, "لا توجد أموال خاملة — كل دولار يُشغَّل") - add_bullet(doc, "المستثمر يخاطر بـ$49,000 كحد أقصى (عند الخروج)") + add_bullet(doc, "المستثمر يخاطر بـ$51,000 كحد أقصى (عند الخروج)") add_bullet(doc, "نقطة الخروج هي الحماية الحقيقية بدلاً من الاحتياطي") # ── 8. Exit Clause ── - doc.add_page_break() add_heading(doc, "ثامناً: شرط الخروج — بند الحماية", 1) add_para(doc, "يحق للمستثمر إيقاف الدفعات الشهرية والخروج في نهاية الشهر الخامس إذا لم تتحقق المؤشرات.", size=10) @@ -495,12 +498,12 @@ def generate_docx(): add_table(doc, ["المؤشر", "الحد الأدنى", "الحد المثالي"], [ - ["الرحلات اليومية", "200/يوم", "350/يوم"], - ["السائقون المسجلون", "300", "450"], - ["السائقون النشطون", "150", "250"], - ["الإيرادات الشهرية", "$1,800", "$3,150"], - ["معدل احتجاز السائق", "55%", "70%"], - ["تقييم التطبيق", "4.0+", "4.3+"], + ["الرحلات اليومية", "70/يوم", "150/يوم"], + ["السائقون المسجلون", "150", "350"], + ["السائقون النشطون", "50", "150"], + ["الإيرادات الشهرية", "$630", "$1,350"], + ["معدل احتجاز السائق", "50%", "70%"], + ["تقييم التطبيق", "3.0+", "3.5+"], ], col_widths=[6, 4, 4] ) @@ -510,9 +513,9 @@ def generate_docx(): add_table(doc, ["المؤشر", "حد الاستمرار", "الخروج إذا أقل من"], [ - ["الرحلات اليومية", "400/يوم", "300/يوم"], - ["السائقون النشطون", "400", "250"], - ["الإيرادات الشهرية", "$4,000+", "$2,700"], + ["الرحلات اليومية", "120/يوم", "70/يوم"], + ["السائقون النشطون", "100", "50"], + ["الإيرادات الشهرية", "$1,080+", "$630"], ["نمو أسبوعي", "+10% متواصل", "ثبات أو تراجع"], ["عقود B2B", "عقد واحد", "صفر عقود"], ], @@ -520,7 +523,6 @@ def generate_docx(): ) # ── 9. Break-Even ── - doc.add_page_break() add_heading(doc, "تاسعاً: تحليل نقطة التعادل — نطاق الشهر 7 إلى 9", 1) add_para(doc, "لماذا نطاق وليس رقماً ثابتاً؟", bold=True, size=10) 
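Review bot: the bullet in the @@ -481 hunk says the investor risks "$51,000" at most while every other line in this patch says $51,500-$52,000; use the same figure. More substantively, the @@ -495 and @@ -510 hunks cut the month-4 and month-5 exit thresholds to 70-150 and 70-120 rides/day, but the projection table that reaches breakeven still assumes 350 rides/day in month 4 and 600 in month 5. With the new gates the investor can be asked to continue past month 5 while the business is at a fifth of the modelled volume; either lower the projection to match or state explicitly that the gate is a floor well below plan.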
@@ -530,10 +532,10 @@ def generate_docx(): add_table(doc, ["السيناريو", "نقطة التعادل", "إجمالي الاستثمار", "الوصف"], [ - ["متفائل", "الشهر 7", "$57,000", "نمو سريع، B2B مبكر"], - ["قاعدي (الأرجح)", "الشهر 8", "$65,000", "نمو طبيعي"], - ["محافظ", "الشهر 9", "$73,000", "سوق متقلب"], - ["خروج مبكر", "لا تعادل", "$49,000", "آخر دفعة ش5"], + ["متفائل", "الشهر 7", "$59,500-$60,000", "نمو سريع، B2B مبكر"], + ["قاعدي (الأرجح)", "الشهر 8", "$67,500-$68,000", "نمو طبيعي"], + ["محافظ", "الشهر 9", "$75,500-$76,000", "سوق متقلب"], + ["خروج مبكر", "لا تعادل", "$51,500-$52,000", "آخر دفعة ش5"], ], col_widths=[4, 3, 4, 5] ) @@ -554,7 +556,6 @@ def generate_docx(): ) # ── 10. Risk Analysis ── - doc.add_page_break() add_heading(doc, "عاشراً: تحليل المخاطر وخطط التخفيف", 1) add_table(doc, ["المخاطرة", "التأثير", "الاحتمالية", "خطة التخفيف"], @@ -571,7 +572,6 @@ def generate_docx(): ) # ── 11. Roadmap ── - doc.add_page_break() add_heading(doc, "حادي عشر: خارطة الطريق والأهداف التشغيلية", 1) add_table(doc, ["المرحلة", "الشهر", "الأهداف", "مؤشرات النجاح"], @@ -579,8 +579,8 @@ def generate_docx(): ["التأسيس", "قبل الإطلاق", "ترخيص + مكتب + توظيف", "وثائق قانونية + فريق جاهز"], ["الإطلاق الناعم", "ش 1-2", "100-120 سائق محفز", "70+ رحلة/يوم"], ["بناء الزخم", "ش 3", "حوافز ذاتية + B2B", "150 رحلة/يوم"], - ["نقطة الفحص", "ش 4", "مراجعة مع المستثمر", "350 رحلة/يوم | $3,150"], - ["قرار الاستمرار", "ش 5", "استمرار أو خروج", "600 رحلة/يوم | عقد B2B"], + ["نقطة الفحص", "ش 4", "مراجعة مع المستثمر", "70-150 رحلة/يوم | $630-$1,350"], + ["قرار الاستمرار", "ش 5", "استمرار أو خروج", "120 رحلة/يوم | عقد B2B"], ["الاقتراب من التعادل", "ش 6", "750 رحلة/يوم", "عجز $1,250 فقط"], ["⚡ نطاق التعادل", "ش 7-9", "الإيرادات ≥ OPEX", "889+ رحلة/يوم"], ["النمو الذاتي", "ش 10-12", "فائض شهري", "$3,250-$5,500 فائض"], 
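Review bot: the roadmap in the @@ -579 hunk now puts the month-5 success indicator at 120 rides/day directly above an unchanged month-6 target of 750 rides/day, a six-fold jump in one month that nothing in the plan explains; the old rows (350, 600, 750) progressed smoothly. Update the month-6 row or restore the month-4/5 targets to the projection values. The break-even table in the @@ -530 hunk also has the cumulative mismatch: the "محافظ, الشهر 9" row is $75,500-$76,000 while the month-9 cumulative in the projection table is $83,500-$84,000.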
@@ -597,7 +597,7 @@ def generate_docx(): add_bullet(doc, "المنتج جاهز ومختبر — 1,447 سائق التحقوا بـ$1,400 فقط") add_bullet(doc, "أدنى عمولة في السوق (11%) = ميزة تنافسية دائمة") add_bullet(doc, "نموذج الدفع الشهري يحمي المستثمر — لا تجميد لرأس المال") - add_bullet(doc, "شرط الخروج الواضح يضع سقفاً لأقصى خسارة ($49,000)") + add_bullet(doc, "شرط الخروج الواضح يضع سقفاً لأقصى خسارة (~$52,000)") add_bullet(doc, "نقطة التعادل (7-9 أشهر) واقعية ومبنية على بيانات حقيقية") add_bullet(doc, "البنية التقنية المستقلة = مقاومة للعقوبات والقيود") @@ -605,10 +605,10 @@ def generate_docx(): add_table(doc, ["المؤشر", "القيمة"], [ - ["رأس المال التأسيسي (مرة واحدة)", "$9,000 — عند توقيع الاتفاقية"], + ["رأس المال التأسيسي (مرة واحدة)", "$11,500-$12,000 — عند توقيع الاتفاقية"], ["المصاريف التشغيلية الشهرية", "$8,000/شهر — يتوقف عند التعادل"], - ["أقصى تعرض للمستثمر", "$49,000 — نقطة الخروج: نهاية الشهر الخامس"], - ["إجمالي الاستثمار حتى التعادل", "$65,000 — $73,000"], + ["أقصى تعرض للمستثمر", "$51,500-$52,000 — نقطة الخروج: نهاية الشهر الخامس"], + ["إجمالي الاستثمار حتى التعادل", "$67,500 — $84,000"], ["نطاق التعادل", "الشهر السابع إلى التاسع"], ], col_widths=[10, 8] diff --git a/semgrep_deep_php.json b/semgrep_deep_php.json new file mode 100644 index 0000000..871cb18 --- /dev/null +++ b/semgrep_deep_php.json 
@@ -0,0 +1 @@ +{"version":"1.166.0","results":[{"check_id":"php.lang.security.injection.echoed-request.echoed-request","path":"backend/Admin/debug/ggg.php","start":{"line":67,"col":5,"offset":2058},"end":{"line":71,"col":8,"offset":2182},"extra":{"message":"`Echo`ing user input risks cross-site scripting vulnerability. You should use `htmlentities()` when showing data to users.","fix":"echo htmlentities(json_encode([\n 'status' => 'success',\n 'action' => $action,\n 'result' => (string) $result,\n ]));","metadata":{"technology":["php"],"cwe":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"],"owasp":["A07:2017 - Cross-Site Scripting (XSS)","A03:2021 - Injection","A05:2025 - Injection"],"category":"security","references":["https://www.php.net/manual/en/function.htmlentities.php","https://www.php.net/manual/en/reserved.variables.request.php","https://www.php.net/manual/en/reserved.variables.post.php","https://www.php.net/manual/en/reserved.variables.get.php","https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cross-Site-Scripting (XSS)"],"source":"https://semgrep.dev/r/php.lang.security.injection.echoed-request.echoed-request","shortlink":"https://sg.run/Bqqb"},"severity":"ERROR","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"php.lang.security.injection.echoed-request.echoed-request","path":"backend/ggg.php","start":{"line":67,"col":5,"offset":2058},"end":{"line":71,"col":8,"offset":2182},"extra":{"message":"`Echo`ing user input risks cross-site scripting vulnerability. 
You should use `htmlentities()` when showing data to users.","fix":"echo htmlentities(json_encode([\n 'status' => 'success',\n 'action' => $action,\n 'result' => (string) $result,\n ]));","metadata":{"technology":["php"],"cwe":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"],"owasp":["A07:2017 - Cross-Site Scripting (XSS)","A03:2021 - Injection","A05:2025 - Injection"],"category":"security","references":["https://www.php.net/manual/en/function.htmlentities.php","https://www.php.net/manual/en/reserved.variables.request.php","https://www.php.net/manual/en/reserved.variables.post.php","https://www.php.net/manual/en/reserved.variables.get.php","https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cross-Site-Scripting (XSS)"],"source":"https://semgrep.dev/r/php.lang.security.injection.echoed-request.echoed-request","shortlink":"https://sg.run/Bqqb"},"severity":"ERROR","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"php.lang.security.injection.tainted-filename.tainted-filename","path":"siromove.com/invite.php","start":{"line":43,"col":43,"offset":1488},"end":{"line":43,"col":73,"offset":1518},"extra":{"message":"File name based on user input risks server-side request forgery.","metadata":{"technology":["php"],"category":"security","cwe":["CWE-918: Server-Side Request Forgery (SSRF)"],"owasp":["A10:2021 - Server-Side Request Forgery (SSRF)","A01:2025 - Broken Access 
Control"],"references":["https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"impact":"MEDIUM","likelihood":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Server-Side Request Forgery (SSRF)"],"source":"https://semgrep.dev/r/php.lang.security.injection.tainted-filename.tainted-filename","shortlink":"https://sg.run/Ayqp"},"severity":"WARNING","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"php.lang.security.injection.echoed-request.echoed-request","path":"walletintaleq.intaleq.xyz/v2/main/ride/cliq/verify_payment_ai.php","start":{"line":68,"col":9,"offset":2684},"end":{"line":68,"col":96,"offset":2771},"extra":{"message":"`Echo`ing user input risks cross-site scripting vulnerability. You should use `htmlentities()` when showing data to users.","fix":"echo htmlentities(json_encode([\"status\" => \"failure\", \"message\" => \"Verification failed: $reason\"]));","metadata":{"technology":["php"],"cwe":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"],"owasp":["A07:2017 - Cross-Site Scripting (XSS)","A03:2021 - Injection","A05:2025 - Injection"],"category":"security","references":["https://www.php.net/manual/en/function.htmlentities.php","https://www.php.net/manual/en/reserved.variables.request.php","https://www.php.net/manual/en/reserved.variables.post.php","https://www.php.net/manual/en/reserved.variables.get.php","https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. 
For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cross-Site-Scripting (XSS)"],"source":"https://semgrep.dev/r/php.lang.security.injection.echoed-request.echoed-request","shortlink":"https://sg.run/Bqqb"},"severity":"ERROR","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"php.lang.security.injection.echoed-request.echoed-request","path":"walletintaleq.intaleq.xyz/v2/main/ride/mtn_new/verify_payment_ai.php","start":{"line":68,"col":9,"offset":2604},"end":{"line":68,"col":96,"offset":2691},"extra":{"message":"`Echo`ing user input risks cross-site scripting vulnerability. You should use `htmlentities()` when showing data to users.","fix":"echo htmlentities(json_encode([\"status\" => \"failure\", \"message\" => \"Verification failed: $reason\"]));","metadata":{"technology":["php"],"cwe":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"],"owasp":["A07:2017 - Cross-Site Scripting (XSS)","A03:2021 - Injection","A05:2025 - Injection"],"category":"security","references":["https://www.php.net/manual/en/function.htmlentities.php","https://www.php.net/manual/en/reserved.variables.request.php","https://www.php.net/manual/en/reserved.variables.post.php","https://www.php.net/manual/en/reserved.variables.get.php","https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. 
For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cross-Site-Scripting (XSS)"],"source":"https://semgrep.dev/r/php.lang.security.injection.echoed-request.echoed-request","shortlink":"https://sg.run/Bqqb"},"severity":"ERROR","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}}],"errors":[{"code":3,"level":"warn","type":["PartialParsing",[{"path":"backend/EgyptDocuments/uploadEgyptIdBack.php","start":{"line":16,"col":24,"offset":0},"end":{"line":16,"col":25,"offset":1}},{"path":"backend/EgyptDocuments/uploadEgyptIdBack.php","start":{"line":16,"col":30,"offset":0},"end":{"line":16,"col":31,"offset":1}}]],"message":"Syntax error at line backend/EgyptDocuments/uploadEgyptIdBack.php:16:\n `'` was unexpected","path":"backend/EgyptDocuments/uploadEgyptIdBack.php","spans":[{"file":"backend/EgyptDocuments/uploadEgyptIdBack.php","start":{"line":16,"col":24,"offset":0},"end":{"line":16,"col":25,"offset":1}},{"file":"backend/EgyptDocuments/uploadEgyptIdBack.php","start":{"line":16,"col":30,"offset":0},"end":{"line":16,"col":31,"offset":1}}]},{"code":3,"level":"warn","type":["PartialParsing",[{"path":"backend/EgyptDocuments/uploadEgyptidFront.php","start":{"line":16,"col":24,"offset":0},"end":{"line":16,"col":25,"offset":1}},{"path":"backend/EgyptDocuments/uploadEgyptidFront.php","start":{"line":16,"col":30,"offset":0},"end":{"line":16,"col":31,"offset":1}}]],"message":"Syntax error at line backend/EgyptDocuments/uploadEgyptidFront.php:16:\n `'` was 
unexpected","path":"backend/EgyptDocuments/uploadEgyptidFront.php","spans":[{"file":"backend/EgyptDocuments/uploadEgyptidFront.php","start":{"line":16,"col":24,"offset":0},"end":{"line":16,"col":25,"offset":1}},{"file":"backend/EgyptDocuments/uploadEgyptidFront.php","start":{"line":16,"col":30,"offset":0},"end":{"line":16,"col":31,"offset":1}}]},{"code":3,"level":"warn","type":["PartialParsing",[{"path":"backend/auth/syria/uploadSyrianDocs.php","start":{"line":57,"col":24,"offset":0},"end":{"line":57,"col":25,"offset":1}},{"path":"backend/auth/syria/uploadSyrianDocs.php","start":{"line":57,"col":29,"offset":0},"end":{"line":57,"col":30,"offset":1}}]],"message":"Syntax error at line backend/auth/syria/uploadSyrianDocs.php:57:\n `'` was unexpected","path":"backend/auth/syria/uploadSyrianDocs.php","spans":[{"file":"backend/auth/syria/uploadSyrianDocs.php","start":{"line":57,"col":24,"offset":0},"end":{"line":57,"col":25,"offset":1}},{"file":"backend/auth/syria/uploadSyrianDocs.php","start":{"line":57,"col":29,"offset":0},"end":{"line":57,"col":30,"offset":1}}]},{"code":3,"level":"warn","type":["PartialParsing",[{"path":"backend/ride/card-image-driver/add.php","start":{"line":19,"col":24,"offset":0},"end":{"line":19,"col":25,"offset":1}},{"path":"backend/ride/card-image-driver/add.php","start":{"line":19,"col":30,"offset":0},"end":{"line":19,"col":31,"offset":1}}]],"message":"Syntax error at line backend/ride/card-image-driver/add.php:19:\n `'` was 
unexpected","path":"backend/ride/card-image-driver/add.php","spans":[{"file":"backend/ride/card-image-driver/add.php","start":{"line":19,"col":24,"offset":0},"end":{"line":19,"col":25,"offset":1}},{"file":"backend/ride/card-image-driver/add.php","start":{"line":19,"col":30,"offset":0},"end":{"line":19,"col":31,"offset":1}}]},{"code":3,"level":"warn","type":["PartialParsing",[{"path":"backend/uploadImagePortrate.php","start":{"line":14,"col":28,"offset":0},"end":{"line":14,"col":29,"offset":1}},{"path":"backend/uploadImagePortrate.php","start":{"line":14,"col":34,"offset":0},"end":{"line":14,"col":35,"offset":1}}]],"message":"Syntax error at line backend/uploadImagePortrate.php:14:\n `'` was unexpected","path":"backend/uploadImagePortrate.php","spans":[{"file":"backend/uploadImagePortrate.php","start":{"line":14,"col":28,"offset":0},"end":{"line":14,"col":29,"offset":1}},{"file":"backend/uploadImagePortrate.php","start":{"line":14,"col":34,"offset":0},"end":{"line":14,"col":35,"offset":1}}]}],"paths":{"scanned":["backend/.env.example","backend/.gitignore","backend/Admin/AdminCaptain/add.php","backend/Admin/AdminCaptain/delete.php","backend/Admin/AdminCaptain/get.php","backend/Admin/AdminCaptain/getCaptainDetailsByEmailOrIDOrPhone.php","backend/Admin/AdminCaptain/getCaptainDetailsById.php","backend/Admin/AdminCaptain/getDriversPhonesAndTokens.php","backend/Admin/AdminCaptain/update.php","backend/Admin/AdminRide/get.php","backend/Admin/AdminRide/getRidesPerMonth.php","backend/Admin/Staff/activate.php","backend/Admin/Staff/add.php","backend/Admin/Staff/pending.php","backend/Admin/Staff/setup.php","backend/Admin/adminUser/add.php","backend/Admin/adminUser/add_invoice.php","backend/Admin/adminUser/delete.php","backend/Admin/adminUser/get.php","backend/Admin/adminUser/invoice_images/INV-20250729-224_123.jpg","backend/Admin/adminUser/invoice_images/INV-20250729-592_123.jpg","backend/Admin/adminUser/invoice_images/INV-20250810-859_123.jpg","backend/Admin/adminUser/invoice_to
tal.php","backend/Admin/adminUser/update.php","backend/Admin/auth/approve_admin.php","backend/Admin/auth/list_pending.php","backend/Admin/auth/login.php","backend/Admin/auth/loginWallet.php","backend/Admin/auth/migrate_db.php","backend/Admin/auth/migration_cryptography.php","backend/Admin/auth/register.php","backend/Admin/auth/send_otp_admin.php","backend/Admin/auth/verify_login.php","backend/Admin/auth/verify_otp_admin.php","backend/Admin/dashbord.php","backend/Admin/debug/.htaccess","backend/Admin/debug/check_driver_phones.php","backend/Admin/debug/check_users_cols.php","backend/Admin/debug/debug_phone.php","backend/Admin/debug/env_test.php","backend/Admin/debug/ggg.php","backend/Admin/debug/scratch_db_check.php","backend/Admin/debug/scratch_log_path.php","backend/Admin/debug/scratch_test_find.php","backend/Admin/debug/scratch_test_redis.php","backend/Admin/driver/deleteCaptain.php","backend/Admin/driver/deleteRecord.php","backend/Admin/driver/find_driver_by_phone.php","backend/Admin/driver/getBestDriver.php","backend/Admin/driver/getDriverGiftPayment.php","backend/Admin/driver/remove_from_blacklist.php","backend/Admin/driver/updateDriverFromAdmin.php","backend/Admin/employee/add.php","backend/Admin/employee/get.php","backend/Admin/error/error_list_last20.php","backend/Admin/error/error_search_by_phone.php","backend/Admin/errorApp.php","backend/Admin/facebook.php","backend/Admin/getPassengerDetails.php","backend/Admin/getPassengerDetailsByPassengerID.php","backend/Admin/getPassengerbyEmail.php","backend/Admin/getVisaForEachDriver.php","backend/Admin/ggg.php","backend/Admin/jwtService.php","backend/Admin/passenger/admin_delete_and_blacklist_passenger.php","backend/Admin/passenger/admin_unblacklist.php","backend/Admin/passenger/admin_update_passenger.php","backend/Admin/rides/admin_get_rides_by_phone.php","backend/Admin/rides/admin_update_ride_status.php","backend/Admin/rides/get_driver_live_pos.php","backend/Admin/rides/get_rides_by_status.php","backend/Admin/rides
/monitorRide.php","backend/Admin/sendEmailToDrivertransaction.php","backend/Admin/send_whatsapp_message.php","backend/Admin/v2/analytics/driver_ranking.php","backend/Admin/v2/analytics/growth.php","backend/Admin/v2/analytics/revenue.php","backend/Admin/v2/financial/settlements.php","backend/Admin/v2/financial/stats.php","backend/Admin/v2/quality/blacklist_manager.php","backend/Admin/v2/quality/driver_scorecard.php","backend/Admin/v2/realtime_dashboard.php","backend/Admin/v2/security/audit_logs.php","backend/Admin/v2/smart_alerts.php","backend/Admin/view_errors.php","backend/EgyptDocuments/uploadEgyptIdBack.php","backend/EgyptDocuments/uploadEgyptidFront.php","backend/aggregate_files.py","backend/auth/Tester/getTesterApp.php","backend/auth/Tester/updateTesterApp.php","backend/auth/captin/addCriminalDocuments.php","backend/auth/captin/deletecaptainAccounr.php","backend/auth/captin/getAccount.php","backend/auth/captin/getPromptDriverDocumentsEgypt.php","backend/auth/captin/login.php","backend/auth/captin/loginFromGoogle.php","backend/auth/captin/loginUsingCredentialsWithoutGoogle.php","backend/auth/captin/removeAccount.php","backend/auth/captin/updateAccountBank.php","backend/auth/captin/updateDriverClaim.php","backend/auth/captin/updateShamCashDriver.php","backend/auth/checkPhoneNumberISVerfiedDriver.php","backend/auth/checkPhoneNumberISVerfiedPassenger.php","backend/auth/document_syria/ai_document.php","backend/auth/login.php","backend/auth/loginFromGooglePassenger.php","backend/auth/loginUsingCredentialsWithoutGooglePassenger.php","backend/auth/otp/providers.php","backend/auth/otp/request.php","backend/auth/otp/verify.php","backend/auth/packageInfo.php","backend/auth/passengerRemovedAccountEmail.php","backend/auth/save_passenger_location.php","backend/auth/sendEmail.php","backend/auth/sendVerifyEmail.php","backend/auth/signup.php","backend/auth/syria/driver/driver_details.php","backend/auth/syria/driver/drivers_pending_list.php","backend/auth/syria/driver/isPhoneVer
ified.php","backend/auth/syria/driver/register_driver_and_car.php","backend/auth/syria/driver/register_driver_and_car_signed.php","backend/auth/syria/register_passenger.php","backend/auth/syria/uploadSyrianDocs.php","backend/auth/token_passenger/driver/send_otp_driver.php","backend/auth/token_passenger/driver/verify_otp_driver.php","backend/auth/token_passenger/send_otp.php","backend/auth/token_passenger/verify_otp.php","backend/auth/uploads/documents/driver_driving_license_sy_back_34feffd3fa72d6bee56b.jpg","backend/auth/uploads/documents/driver_driving_license_sy_back_eddfdfdgfd.jpg","backend/auth/uploads/documents/driver_driving_license_sy_front_34feffd3fa72d6bee56b.jpg","backend/auth/uploads/documents/driver_driving_license_sy_front_eddfdfdgfd.jpg","backend/auth/uploads/documents/driver_generic_unknown.jpg","backend/auth/uploads/documents/driver_id_back_sy_34feffd3fa72d6bee56b.jpg","backend/auth/uploads/documents/driver_id_back_sy_eddfdfdgfd.jpg","backend/auth/uploads/documents/driver_id_front_sy_34feffd3fa72d6bee56b.jpg","backend/auth/uploads/documents/driver_id_front_sy_eddfdfdgfd.jpg","backend/auth/uploads/documents/driver_vehicle_license_sy_back_34feffd3fa72d6bee56b.jpg","backend/auth/uploads/documents/driver_vehicle_license_sy_back_eddfdfdgfd.jpg","backend/auth/uploads/documents/driver_vehicle_license_sy_front_34feffd3fa72d6bee56b.jpg","backend/auth/uploads/documents/driver_vehicle_license_sy_front_eddfdfdgfd.jpg","backend/auth/verifyEmail.php","backend/card_image/criminalRecord-1b73bad5ed4f147d688e.jpg","backend/card_image/idFrontEmployee-795C0P4Z.jpg","backend/card_image/idFrontEmployee-AYZHXEIE.jpg","backend/card_image/idbackEmployee-795C0P4Z.jpg","backend/card_image/idbackEmployee-AYZHXEIE.jpg","backend/composer.json","backend/composer.lock","backend/connect.php","backend/core/Auth/JwtService.php","backend/core/Auth/RateLimiter.php","backend/core/Database/Database.php","backend/core/Security/EncryptionHelper.php","backend/core/Services/FcmService.php","b
ackend/core/Services/OtpService.php","backend/core/bootstrap.php","backend/core/helpers.php","backend/driver_assurance/add.php","backend/driver_assurance/get.php","backend/driver_assurance/update.php","backend/driver_socket.php","backend/email/sendTripEmail.php","backend/encrypt_decrypt.php","backend/functions.php","backend/get_connect.php","backend/ggg.php","backend/git_push.sh","backend/imageForUsingApp/order_page.jpg","backend/instructions_web/animation.mp4","backend/instructions_web/delete_account.html","backend/instructions_web/logo.gif","backend/instructions_web/logo.png","backend/intaleq_v1.code-workspace","backend/invest_code.php","backend/load_env.php","backend/login.php","backend/loginAdmin.php","backend/loginFirstTime.php","backend/loginFirstTimeDriver.php","backend/loginJwtDriver.php","backend/loginJwtWalletDriver.php","backend/loginWallet.php","backend/logout.php","backend/migrate_driver_passwords.php","backend/migration/get_all_driver_fingerprints.php","backend/migration/get_all_fingerprints.php","backend/migration/update_driver_fingerprint_admin.php","backend/migration/update_fingerprint_admin.php","backend/migration_create_table.php","backend/migration_referral_system.sql","backend/new_driver_car/100221243420413735049.jpg","backend/new_driver_car/100276066669243532075.jpg","backend/new_driver_car/105897591838899631737.jpg","backend/new_driver_car/114243034311436865474.jpg","backend/new_driver_car/mahmoudcici40FGH4MCQC3fd.jpg","backend/passenger_socket.php","backend/privacy_policy.php","backend/privacy_policy1.php","backend/ride/RegisrationCar/add.php","backend/ride/RegisrationCar/delete.php","backend/ride/RegisrationCar/get.php","backend/ride/RegisrationCar/makeDefaultCar.php","backend/ride/RegisrationCar/selectDriverAndCarForMishwariTrip.php","backend/ride/RegisrationCar/update.php","backend/ride/apiKey/add.php","backend/ride/apiKey/delete.php","backend/ride/apiKey/get.php","backend/ride/apiKey/update.php","backend/ride/call/driver/create_call_sessi
on.php","backend/ride/call/passenger/create_call_session.php","backend/ride/cancelRide/add.php","backend/ride/cancelRide/addCancelTripFromDriverAfterApplied.php","backend/ride/cancelRide/delete.php","backend/ride/cancelRide/get.php","backend/ride/cancelRide/update.php","backend/ride/carDrivers/add.php","backend/ride/carDrivers/delete.php","backend/ride/carDrivers/get.php","backend/ride/card-image-driver/add.php","backend/ride/card-image-driver/delete.php","backend/ride/card-image-driver/get.php","backend/ride/card-image-driver/update.php","backend/ride/chat/send_message.php","backend/ride/driverWallet/driverStatistic.php","backend/ride/driverWallet/getDriverDetails.php","backend/ride/driverWallet/transfer.php","backend/ride/driver_behavior/get_driver_behavior.php","backend/ride/driver_order/add.php","backend/ride/driver_order/delete.php","backend/ride/driver_order/get.php","backend/ride/driver_order/getOrderCancelStatus.php","backend/ride/driver_order/update.php","backend/ride/driver_scam/add.php","backend/ride/driver_scam/delete.php","backend/ride/driver_scam/get.php","backend/ride/driver_scam/update.php","backend/ride/egyptPhones/add.php","backend/ride/egyptPhones/get.php","backend/ride/egyptPhones/syrianAdd.php","backend/ride/feedBack/add.php","backend/ride/feedBack/add_solve_all.php","backend/ride/feedBack/delete.php","backend/ride/feedBack/get.php","backend/ride/feedBack/update.php","backend/ride/firebase/add.php","backend/ride/firebase/addDriver.php","backend/ride/firebase/addToken.php","backend/ride/firebase/delete.php","backend/ride/firebase/fcm_fun.php","backend/ride/firebase/get.php","backend/ride/firebase/getALlTokenDrivers.php","backend/ride/firebase/getAllTokenPassengers.php","backend/ride/firebase/getDriverToken.php","backend/ride/firebase/getTokenParent.php","backend/ride/firebase/getTokensPassenger.php","backend/ride/firebase/notify_driver_arrival.php","backend/ride/firebase/send_fcm.php","backend/ride/gamification/claimChallengeReward.php","backend/
ride/gamification/getDriverBehavior.php","backend/ride/gamification/getGamificationDashboard.php","backend/ride/gamification/getLeaderboard.php","backend/ride/gamification/getReferralStats.php","backend/ride/gamification/getWeeklyAggregate.php","backend/ride/helpCenter/add.php","backend/ride/helpCenter/delete.php","backend/ride/helpCenter/get.php","backend/ride/helpCenter/getById.php","backend/ride/helpCenter/update.php","backend/ride/invitor/add.php","backend/ride/invitor/addInvitationPassenger.php","backend/ride/invitor/add_unified_invite.php","backend/ride/invitor/claim.php","backend/ride/invitor/claim_driver_reward.php","backend/ride/invitor/get.php","backend/ride/invitor/getDriverInvitationToPassengers.php","backend/ride/invitor/get_driver_referrals.php","backend/ride/invitor/get_passenger_referrals.php","backend/ride/invitor/get_unified_code.php","backend/ride/invitor/update.php","backend/ride/invitor/updateDriverInvitationDirectly.php","backend/ride/invitor/updateInvitationCodeFromRegister.php","backend/ride/invitor/updatePassengerGift.php","backend/ride/invitor/updatePassengersInvitation.php","backend/ride/kazan/add.php","backend/ride/kazan/delete.php","backend/ride/kazan/get.php","backend/ride/kazan/update.php","backend/ride/license/add.php","backend/ride/license/delete.php","backend/ride/license/get.php","backend/ride/license/update.php","backend/ride/location/add.php","backend/ride/location/addpassengerLocation.php","backend/ride/location/delete.php","backend/ride/location/driversTime.html","backend/ride/location/get.php","backend/ride/location/getBalash.php","backend/ride/location/getCarsLocationByPassengerVan.php","backend/ride/location/getComfort.php","backend/ride/location/getDelivery.php","backend/ride/location/getDriverCarsLocationToPassengerAfterApplied.php","backend/ride/location/getDriverTimeOnline.php","backend/ride/location/getElectric.php","backend/ride/location/getFemalDriver.php","backend/ride/location/getLatestLocationPassenger.php","backen
d/ride/location/getLocationParents.php","backend/ride/location/getPinkBike.php","backend/ride/location/getRidesDriverByDay.php","backend/ride/location/getSpeed.php","backend/ride/location/getTotalDriverDuration.php","backend/ride/location/getTotalDriverDurationToday.php","backend/ride/location/getUpdatedLocationForAdmin.php","backend/ride/location/get_location_area_links.php","backend/ride/location/getfemalbehavior.php","backend/ride/location/print.php","backend/ride/location/save_behavior.php","backend/ride/location/update.php","backend/ride/mishwari/add.php","backend/ride/mishwari/cancel.php","backend/ride/mishwari/get.php","backend/ride/mishwari/getDriver.php","backend/ride/mishwari/test.php","backend/ride/notificationCaptain/add.php","backend/ride/notificationCaptain/addWaitingRide.php","backend/ride/notificationCaptain/delete.php","backend/ride/notificationCaptain/deleteAvailableRide.php","backend/ride/notificationCaptain/get.php","backend/ride/notificationCaptain/getRideWaiting.php","backend/ride/notificationCaptain/update.php","backend/ride/notificationCaptain/updateWaitingTrip.php","backend/ride/notificationPassenger/add.php","backend/ride/notificationPassenger/delete.php","backend/ride/notificationPassenger/get.php","backend/ride/notificationPassenger/update.php","backend/ride/overLay/_log.txt","backend/ride/overLay/add.php","backend/ride/overLay/deletArgumets.php","backend/ride/overLay/get.php","backend/ride/overLay/getArgumentAfterAppliedFromBackground.php","backend/ride/places/add.php","backend/ride/places_syria/add.php","backend/ride/places_syria/get.php","backend/ride/places_syria/reverse_geocode.php","backend/ride/pricing/get.php","backend/ride/profile/get.php","backend/ride/profile/getCaptainProfile.php","backend/ride/profile/update.php","backend/ride/profile/updateDriverEmail.php","backend/ride/promo/add.php","backend/ride/promo/delete.php","backend/ride/promo/get.php","backend/ride/promo/getPromoBytody.php","backend/ride/promo/getPromoFirst.php","b
ackend/ride/promo/update.php","backend/ride/rate/add.php","backend/ride/rate/addRateToDriver.php","backend/ride/rate/add_rate_app.php","backend/ride/rate/getDriverRate.php","backend/ride/rate/getPassengerRate.php","backend/ride/rate/sendEmailRateingApp.php","backend/ride/rides/acceptRide.php","backend/ride/rides/add_ride.php","backend/ride/rides/arrive_ride.php","backend/ride/rides/cancelRideFromDriver.php","backend/ride/rides/cancel_ride_by_driver.php","backend/ride/rides/cancel_ride_by_passenger.php","backend/ride/rides/cron_ride_timeout.php","backend/ride/rides/delete.php","backend/ride/rides/emailToPassengerTripDetail.php","backend/ride/rides/finish_ride_updates.php","backend/ride/rides/get.php","backend/ride/rides/getRealTimeHeatmap.php","backend/ride/rides/getRideOrderID.php","backend/ride/rides/getRideOrderIDNew.php","backend/ride/rides/getRideStatus.php","backend/ride/rides/getRideStatusBegin.php","backend/ride/rides/getRideStatusFromStartApp.php","backend/ride/rides/getTripCountByCaptain.php","backend/ride/rides/get_driver_location.php","backend/ride/rides/gterideForDriverManyTime.php","backend/ride/rides/heatmap_live.json","backend/ride/rides/public_track_location.php","backend/ride/rides/retry_search_drivers.php","backend/ride/rides/start_ride.php","backend/ride/rides/test_notification.php","backend/ride/rides/update.php","backend/ride/rides/updateRideAndCheckIfApplied.php","backend/ride/rides/updateStausFromSpeed.php","backend/ride/rides/update_ride_cancel_wait.php","backend/ride/seferWallet/add.php","backend/ride/seferWallet/get.php","backend/ride/tips/add.php","backend/ride/tips/get.php","backend/ride/videos_driver/get.php","backend/schema_primary.sql","backend/schema_ride.sql","backend/schema_tracking.sql","backend/serviceapp/addCartoDriver.php","backend/serviceapp/addNotesDriver.php","backend/serviceapp/addNotesPassenger.php","backend/serviceapp/addWelcomeDriverNote.php","backend/serviceapp/check_db.php","backend/serviceapp/deleteDriverNotCompleteReg
istration.php","backend/serviceapp/driverWhoregisterFfterCall.php","backend/serviceapp/drivers_list.txt","backend/serviceapp/editCarPlate.php","backend/serviceapp/getCarPlateNotEdit.php","backend/serviceapp/getComplaintAllData.php","backend/serviceapp/getComplaintAllDataForDriver.php","backend/serviceapp/getDriverByNational.php","backend/serviceapp/getDriverByPhone.php","backend/serviceapp/getDriverDetailsForActivate.php","backend/serviceapp/getDriverNotCompleteRegistration.php","backend/serviceapp/getDriversPhoneNotComplete.php","backend/serviceapp/getDriversWaitingActive.php","backend/serviceapp/getEditorStatsCalls.php","backend/serviceapp/getEmployeeDriverAfterCallingRegister.php","backend/serviceapp/getEmployeeStatic.php","backend/serviceapp/getJsonFile.php","backend/serviceapp/getNewDriverRegister.php","backend/serviceapp/getNotesForEmployee.php","backend/serviceapp/getPackages.php","backend/serviceapp/getPassengersByPhone.php","backend/serviceapp/getPassengersNotCompleteRegistration.php","backend/serviceapp/getPassengersStatic.php","backend/serviceapp/getRidesStatic.php","backend/serviceapp/getdriverWithoutCar.php","backend/serviceapp/getdriverstotalMonthly.php","backend/serviceapp/login.php","backend/serviceapp/register.php","backend/serviceapp/registerDriverAndCarService.php","backend/serviceapp/updateDriver.php","backend/serviceapp/updateDriverToActive.php","backend/serviceapp/updatePackages.php","backend/serviceapp/update_complaint.php","backend/serviceapp/web/drivers.html","backend/serviceapp/web/f.html","backend/serviceapp/web/getDrivers.php","backend/serviceapp/work/addCarWantWork.php","backend/serviceapp/work/addDriverWantWork.php","backend/test_signed_pricing.php","backend/uploadImagePortrate.php","backend/upload_audio.php","backend/webhook_sms/webhook.php","siromove.com/invite.php","siromove.com/inviteSyria.php","socket_intaleq/driver_socket.php","socket_intaleq/passenger_socket.php","walletintaleq.intaleq.xyz/v2/main/connect.php","walletintaleq.inta
leq.xyz/v2/main/encrypt_decrypt.php","walletintaleq.intaleq.xyz/v2/main/functions.php","walletintaleq.intaleq.xyz/v2/main/jwtconnect.php","walletintaleq.intaleq.xyz/v2/main/load_env.php","walletintaleq.intaleq.xyz/v2/main/loginWalletAdmin.php","walletintaleq.intaleq.xyz/v2/main/ride/GeminiAi.php","walletintaleq.intaleq.xyz/v2/main/ride/apiKey/add.php","walletintaleq.intaleq.xyz/v2/main/ride/apiKey/delete.php","walletintaleq.intaleq.xyz/v2/main/ride/apiKey/get.php","walletintaleq.intaleq.xyz/v2/main/ride/apiKey/update.php","walletintaleq.intaleq.xyz/v2/main/ride/cliq/check_status.php","walletintaleq.intaleq.xyz/v2/main/ride/cliq/cliq_invoices.sql","walletintaleq.intaleq.xyz/v2/main/ride/cliq/cliq_webhook_handler.php","walletintaleq.intaleq.xyz/v2/main/ride/cliq/create_cliq_invoice.php","walletintaleq.intaleq.xyz/v2/main/ride/cliq/finalize_payment.php","walletintaleq.intaleq.xyz/v2/main/ride/cliq/query_click_invoice.php","walletintaleq.intaleq.xyz/v2/main/ride/cliq/verify_payment_ai.php","walletintaleq.intaleq.xyz/v2/main/ride/driverPayment/add.php","walletintaleq.intaleq.xyz/v2/main/ride/driverPayment/delete.php","walletintaleq.intaleq.xyz/v2/main/ride/driverPayment/get.php","walletintaleq.intaleq.xyz/v2/main/ride/driverPayment/update.php","walletintaleq.intaleq.xyz/v2/main/ride/driverWallet/add.php","walletintaleq.intaleq.xyz/v2/main/ride/driverWallet/add300ToDriver.php","walletintaleq.intaleq.xyz/v2/main/ride/driverWallet/addFromAdmin.php","walletintaleq.intaleq.xyz/v2/main/ride/driverWallet/addPaymentToken.php","walletintaleq.intaleq.xyz/v2/main/ride/driverWallet/add_s2s_reward.php","walletintaleq.intaleq.xyz/v2/main/ride/driverWallet/convertBudgetToPoints.php","walletintaleq.intaleq.xyz/v2/main/ride/driverWallet/delete.php","walletintaleq.intaleq.xyz/v2/main/ride/driverWallet/deleteNewDriverGiftCronJob.php","walletintaleq.intaleq.xyz/v2/main/ride/driverWallet/driverStatistic.php","walletintaleq.intaleq.xyz/v2/main/ride/driverWallet/get.php","walletintaleq.intaleq
.xyz/v2/main/ride/driverWallet/getDriverDetails.php","walletintaleq.intaleq.xyz/v2/main/ride/driverWallet/getDriverWeekPaymentMove.php","walletintaleq.intaleq.xyz/v2/main/ride/driverWallet/getWalletByDriver.php","walletintaleq.intaleq.xyz/v2/main/ride/driverWallet/get_s2s_wallet_dashboard.php","walletintaleq.intaleq.xyz/v2/main/ride/driverWallet/promotionDriver.php","walletintaleq.intaleq.xyz/v2/main/ride/driverWallet/sendEmailTransfer.php","walletintaleq.intaleq.xyz/v2/main/ride/driverWallet/transfer.php","walletintaleq.intaleq.xyz/v2/main/ride/driverWallet/update.php","walletintaleq.intaleq.xyz/v2/main/ride/ecash/driver/ecash_verify.php","walletintaleq.intaleq.xyz/v2/main/ride/ecash/driver/ecash_webhook.php","walletintaleq.intaleq.xyz/v2/main/ride/ecash/driver/finalize_payment.php","walletintaleq.intaleq.xyz/v2/main/ride/ecash/driver/payWithEcash.php","walletintaleq.intaleq.xyz/v2/main/ride/ecash/driver/webhook_connect.php","walletintaleq.intaleq.xyz/v2/main/ride/ecash/ecash_config.php","walletintaleq.intaleq.xyz/v2/main/ride/ecash/logs/ecash_production.log","walletintaleq.intaleq.xyz/v2/main/ride/ecash/logs/payment_verification.log","walletintaleq.intaleq.xyz/v2/main/ride/ecash/passenger/ecash_verify.php","walletintaleq.intaleq.xyz/v2/main/ride/ecash/passenger/ecash_webhook.php","walletintaleq.intaleq.xyz/v2/main/ride/ecash/passenger/finalize_payment.php","walletintaleq.intaleq.xyz/v2/main/ride/ecash/passenger/payWithEcash.php","walletintaleq.intaleq.xyz/v2/main/ride/ecash/passenger/webhook_connect.php","walletintaleq.intaleq.xyz/v2/main/ride/ecash/payWithEcash.php","walletintaleq.intaleq.xyz/v2/main/ride/ecash/webhook_ecash.php","walletintaleq.intaleq.xyz/v2/main/ride/mtn/driver/confirm_payment.php","walletintaleq.intaleq.xyz/v2/main/ride/mtn/driver/finalize_wallet_payment.php","walletintaleq.intaleq.xyz/v2/main/ride/mtn/driver/generate_keys.php","walletintaleq.intaleq.xyz/v2/main/ride/mtn/driver/initiate_payment.php","walletintaleq.intaleq.xyz/v2/main/ride/mtn/
driver/key.php","walletintaleq.intaleq.xyz/v2/main/ride/mtn/driver/mtn_start.php","walletintaleq.intaleq.xyz/v2/main/ride/mtn/driver/private_key.pem","walletintaleq.intaleq.xyz/v2/main/ride/mtn/driver/public_key.pem","walletintaleq.intaleq.xyz/v2/main/ride/mtn/driver_payout_syria.php","walletintaleq.intaleq.xyz/v2/main/ride/mtn/passenger/confirm_payment.php","walletintaleq.intaleq.xyz/v2/main/ride/mtn/passenger/finalize_wallet_payment.php","walletintaleq.intaleq.xyz/v2/main/ride/mtn/passenger/generate_keys.php","walletintaleq.intaleq.xyz/v2/main/ride/mtn/passenger/initiate_payment.php","walletintaleq.intaleq.xyz/v2/main/ride/mtn/passenger/key.php","walletintaleq.intaleq.xyz/v2/main/ride/mtn/passenger/mtn_confirm.php","walletintaleq.intaleq.xyz/v2/main/ride/mtn/passenger/mtn_start.php","walletintaleq.intaleq.xyz/v2/main/ride/mtn/passenger/private_key.pem","walletintaleq.intaleq.xyz/v2/main/ride/mtn/passenger/public_key.pem","walletintaleq.intaleq.xyz/v2/main/ride/mtn_new/check_status.php","walletintaleq.intaleq.xyz/v2/main/ride/mtn_new/create_mtn_invoice.php","walletintaleq.intaleq.xyz/v2/main/ride/mtn_new/finalize_payment.php","walletintaleq.intaleq.xyz/v2/main/ride/mtn_new/mtn_webhook_handler.php","walletintaleq.intaleq.xyz/v2/main/ride/mtn_new/query_mtn_invoice.php","walletintaleq.intaleq.xyz/v2/main/ride/mtn_new/verify_payment_ai.php","walletintaleq.intaleq.xyz/v2/main/ride/passengerWallet/add.php","walletintaleq.intaleq.xyz/v2/main/ride/passengerWallet/addPaymentTokenPassenger.php","walletintaleq.intaleq.xyz/v2/main/ride/passengerWallet/add_s2s_debt.php","walletintaleq.intaleq.xyz/v2/main/ride/passengerWallet/delete.php","walletintaleq.intaleq.xyz/v2/main/ride/passengerWallet/get.php","walletintaleq.intaleq.xyz/v2/main/ride/passengerWallet/getAllPassengerTransaction.php","walletintaleq.intaleq.xyz/v2/main/ride/passengerWallet/getPassengerWalletArchive.php","walletintaleq.intaleq.xyz/v2/main/ride/passengerWallet/getWalletByPassenger.php","walletintaleq.intaleq.xy
z/v2/main/ride/passengerWallet/process_wait_compensation.php","walletintaleq.intaleq.xyz/v2/main/ride/passengerWallet/update.php","walletintaleq.intaleq.xyz/v2/main/ride/payMob/error_log","walletintaleq.intaleq.xyz/v2/main/ride/payMob/payWithPayMob.php","walletintaleq.intaleq.xyz/v2/main/ride/payMob/paymet_verfy.php","walletintaleq.intaleq.xyz/v2/main/ride/payMob/paymet_verfy.php.zip","walletintaleq.intaleq.xyz/v2/main/ride/payMob/paymob_driver/payWithCard.php","walletintaleq.intaleq.xyz/v2/main/ride/payMob/paymob_driver/payWithWallet.php","walletintaleq.intaleq.xyz/v2/main/ride/payMob/paymob_driver/paymet_verfy.php","walletintaleq.intaleq.xyz/v2/main/ride/payMob/paymob_driver/paymob_payout.php","walletintaleq.intaleq.xyz/v2/main/ride/payMob/paymob_driver/paymob_webHookWallet.php","walletintaleq.intaleq.xyz/v2/main/ride/payMob/paymob_driver/paymob_webhook.php","walletintaleq.intaleq.xyz/v2/main/ride/payMob/paymob_webhook.log","walletintaleq.intaleq.xyz/v2/main/ride/payMob/paymob_webhook.php","walletintaleq.intaleq.xyz/v2/main/ride/payMob/wallet/error_log","walletintaleq.intaleq.xyz/v2/main/ride/payMob/wallet/payWithPayMob.php","walletintaleq.intaleq.xyz/v2/main/ride/payMob/wallet/paymet_verfy.php","walletintaleq.intaleq.xyz/v2/main/ride/payMob/wallet/paymob_webhook.php","walletintaleq.intaleq.xyz/v2/main/ride/payment/add.php","walletintaleq.intaleq.xyz/v2/main/ride/payment/delete.php","walletintaleq.intaleq.xyz/v2/main/ride/payment/get.php","walletintaleq.intaleq.xyz/v2/main/ride/payment/getAllPayment.php","walletintaleq.intaleq.xyz/v2/main/ride/payment/getAllPaymentVisa.php","walletintaleq.intaleq.xyz/v2/main/ride/payment/getCountRide.php","walletintaleq.intaleq.xyz/v2/main/ride/payment/process_ride_payments.php","walletintaleq.intaleq.xyz/v2/main/ride/payment/update.php","walletintaleq.intaleq.xyz/v2/main/ride/payment/updatePaymetToPaid.php","walletintaleq.intaleq.xyz/v2/main/ride/shamcash/check_status.php","walletintaleq.intaleq.xyz/v2/main/ride/shamcash/create_i
nvoice_shamcash.php","walletintaleq.intaleq.xyz/v2/main/ride/shamcash/deposit_errors.log","walletintaleq.intaleq.xyz/v2/main/ride/shamcash/finalize_deposit.php","walletintaleq.intaleq.xyz/v2/main/ride/shamcash/last_id.txt","walletintaleq.intaleq.xyz/v2/main/ride/shamcash/passenger/check_status.php","walletintaleq.intaleq.xyz/v2/main/ride/shamcash/passenger/create_invoice.php","walletintaleq.intaleq.xyz/v2/main/ride/shamcash/passenger/finalize_deposit.php","walletintaleq.intaleq.xyz/v2/main/ride/shamcash/save_transactions.php","walletintaleq.intaleq.xyz/v2/main/ride/shamcash/save_transactions_new.php","walletintaleq.intaleq.xyz/v2/main/ride/shamcash/server_check.php","walletintaleq.intaleq.xyz/v2/main/ride/shamcash/transactions.log","walletintaleq.intaleq.xyz/v2/main/ride/siroWallet/add.php","walletintaleq.intaleq.xyz/v2/main/ride/siroWallet/get.php","walletintaleq.intaleq.xyz/v2/main/ride/syriatel/archive.zip","walletintaleq.intaleq.xyz/v2/main/ride/syriatel/driver/confirm_payment.php","walletintaleq.intaleq.xyz/v2/main/ride/syriatel/driver/finalize_wallet_payment.php","walletintaleq.intaleq.xyz/v2/main/ride/syriatel/driver/start_payment.php","walletintaleq.intaleq.xyz/v2/main/ride/syriatel/driver/syriatel_token_handler.php","walletintaleq.intaleq.xyz/v2/main/ride/syriatel/logs/payment_verification.log","walletintaleq.intaleq.xyz/v2/main/ride/syriatel/passenger/confirm_payment.php","walletintaleq.intaleq.xyz/v2/main/ride/syriatel/passenger/start_payment.php","walletintaleq.intaleq.xyz/v2/main/ride/syriatel/passenger/syriatel_token.cache","walletintaleq.intaleq.xyz/v2/main/ride/syriatel/passenger/syriatel_token_handler.php","walletintaleq.intaleq.xyz/v2/main/ride/tips/add.php","walletintaleq.intaleq.xyz/v2/main/ride/tips/get.php","walletintaleq.intaleq.xyz/v2/main/sms_webhook/archive.zip","walletintaleq.intaleq.xyz/v2/main/sms_webhook/check_invoice_status.php","walletintaleq.intaleq.xyz/v2/main/sms_webhook/check_invoice_status_passenger.php","walletintaleq.intaleq.xy
z/v2/main/sms_webhook/create_invoice.php","walletintaleq.intaleq.xyz/v2/main/sms_webhook/create_invoice_passenger.php","walletintaleq.intaleq.xyz/v2/main/sms_webhook/finalize_payout.php","walletintaleq.intaleq.xyz/v2/main/sms_webhook/finalize_wallet_payment.php","walletintaleq.intaleq.xyz/v2/main/sms_webhook/process_passenger_sms_payment.php","walletintaleq.intaleq.xyz/v2/main/sms_webhook/process_with_gemini.php","walletintaleq.intaleq.xyz/v2/main/sms_webhook/request_payout.php","walletintaleq.intaleq.xyz/v2/main/sms_webhook/save_raw_sms.php","walletintaleq.intaleq.xyz/v2/main/sms_webhook/save_raw_sms_passenger.php","walletintaleq.intaleq.xyz/v2/main/sms_webhook/webhook.php"]},"time":{"rules":[],"rules_parse_time":0.10977911949157715,"profiling_times":{"config_time":1.05698823928833,"core_time":6.532242059707642,"ignores_time":0.00028014183044433594,"total_time":7.603438138961792},"parsing_time":{"total_time":0.0,"per_file_time":{"mean":0.0,"std_dev":0.0},"very_slow_stats":{"time_ratio":0.0,"count_ratio":0.0},"very_slow_files":[]},"scanning_time":{"total_time":20.893765926361084,"per_file_time":{"mean":0.01829576701082405,"std_dev":0.004070237342058577},"very_slow_stats":{"time_ratio":0.0,"count_ratio":0.0},"very_slow_files":[]},"matching_time":{"total_time":0.0,"per_file_and_rule_time":{"mean":0.0,"std_dev":0.0},"very_slow_stats":{"time_ratio":0.0,"count_ratio":0.0},"very_slow_rules_on_files":[]},"tainting_time":{"total_time":0.0,"per_def_and_rule_time":{"mean":0.0,"std_dev":0.0},"very_slow_stats":{"time_ratio":0.0,"count_ratio":0.0},"very_slow_rules_on_defs":[]},"fixpoint_timeouts":[],"prefiltering":{"project_level_time":0.0,"file_level_time":0.0,"rules_with_project_prefilters_ratio":0.0,"rules_with_file_prefilters_ratio":0.9993387215282881,"rules_selected_ratio":0.05569434239529757,"rules_matched_ratio":0.05569434239529757},"targets":[],"total_bytes":0,"max_memory_bytes":669419328},"engine_requested":"OSS","skipped_rules":[],"profiling_results":[]} \ No newline 
at end of file diff --git a/semgrep_php_results.json b/semgrep_php_results.json new file mode 100644 index 0000000..a82bb90 --- /dev/null +++ b/semgrep_php_results.json 
@@ -0,0 +1 @@ +{"version":"1.166.0","results":[{"check_id":"php.lang.security.injection.echoed-request.echoed-request","path":"backend/Admin/debug/ggg.php","start":{"line":67,"col":5,"offset":2058},"end":{"line":71,"col":8,"offset":2182},"extra":{"message":"`Echo`ing user input risks cross-site scripting vulnerability. You should use `htmlentities()` when showing data to users.","fix":"echo htmlentities(json_encode([\n 'status' => 'success',\n 'action' => $action,\n 'result' => (string) $result,\n ]));","metadata":{"technology":["php"],"cwe":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"],"owasp":["A07:2017 - Cross-Site Scripting (XSS)","A03:2021 - Injection","A05:2025 - Injection"],"category":"security","references":["https://www.php.net/manual/en/function.htmlentities.php","https://www.php.net/manual/en/reserved.variables.request.php","https://www.php.net/manual/en/reserved.variables.post.php","https://www.php.net/manual/en/reserved.variables.get.php","https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cross-Site-Scripting (XSS)"],"source":"https://semgrep.dev/r/php.lang.security.injection.echoed-request.echoed-request","shortlink":"https://sg.run/Bqqb"},"severity":"ERROR","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"php.lang.security.injection.echoed-request.echoed-request","path":"backend/ggg.php","start":{"line":67,"col":5,"offset":2058},"end":{"line":71,"col":8,"offset":2182},"extra":{"message":"`Echo`ing user input risks cross-site scripting vulnerability. 
You should use `htmlentities()` when showing data to users.","fix":"echo htmlentities(json_encode([\n 'status' => 'success',\n 'action' => $action,\n 'result' => (string) $result,\n ]));","metadata":{"technology":["php"],"cwe":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"],"owasp":["A07:2017 - Cross-Site Scripting (XSS)","A03:2021 - Injection","A05:2025 - Injection"],"category":"security","references":["https://www.php.net/manual/en/function.htmlentities.php","https://www.php.net/manual/en/reserved.variables.request.php","https://www.php.net/manual/en/reserved.variables.post.php","https://www.php.net/manual/en/reserved.variables.get.php","https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cross-Site-Scripting (XSS)"],"source":"https://semgrep.dev/r/php.lang.security.injection.echoed-request.echoed-request","shortlink":"https://sg.run/Bqqb"},"severity":"ERROR","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"php.lang.security.injection.tainted-filename.tainted-filename","path":"siromove.com/invite.php","start":{"line":43,"col":43,"offset":1488},"end":{"line":43,"col":73,"offset":1518},"extra":{"message":"File name based on user input risks server-side request forgery.","metadata":{"technology":["php"],"category":"security","cwe":["CWE-918: Server-Side Request Forgery (SSRF)"],"owasp":["A10:2021 - Server-Side Request Forgery (SSRF)","A01:2025 - Broken Access 
Control"],"references":["https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"impact":"MEDIUM","likelihood":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Server-Side Request Forgery (SSRF)"],"source":"https://semgrep.dev/r/php.lang.security.injection.tainted-filename.tainted-filename","shortlink":"https://sg.run/Ayqp"},"severity":"WARNING","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}}],"errors":[{"code":3,"level":"warn","type":["PartialParsing",[{"path":"backend/EgyptDocuments/uploadEgyptIdBack.php","start":{"line":16,"col":24,"offset":0},"end":{"line":16,"col":25,"offset":1}},{"path":"backend/EgyptDocuments/uploadEgyptIdBack.php","start":{"line":16,"col":30,"offset":0},"end":{"line":16,"col":31,"offset":1}}]],"message":"Syntax error at line backend/EgyptDocuments/uploadEgyptIdBack.php:16:\n `'` was unexpected","path":"backend/EgyptDocuments/uploadEgyptIdBack.php","spans":[{"file":"backend/EgyptDocuments/uploadEgyptIdBack.php","start":{"line":16,"col":24,"offset":0},"end":{"line":16,"col":25,"offset":1}},{"file":"backend/EgyptDocuments/uploadEgyptIdBack.php","start":{"line":16,"col":30,"offset":0},"end":{"line":16,"col":31,"offset":1}}]},{"code":3,"level":"warn","type":["PartialParsing",[{"path":"backend/EgyptDocuments/uploadEgyptidFront.php","start":{"line":16,"col":24,"offset":0},"end":{"line":16,"col":25,"offset":1}},{"path":"backend/EgyptDocuments/uploadEgyptidFront.php","start":{"line":16,"col":30,"offset":0},"end":{"line":16,"col":31,"offset":1}}]],"message":"Syntax error at line backend/EgyptDocuments/uploadEgyptidFront.php:16:\n `'` was 
unexpected","path":"backend/EgyptDocuments/uploadEgyptidFront.php","spans":[{"file":"backend/EgyptDocuments/uploadEgyptidFront.php","start":{"line":16,"col":24,"offset":0},"end":{"line":16,"col":25,"offset":1}},{"file":"backend/EgyptDocuments/uploadEgyptidFront.php","start":{"line":16,"col":30,"offset":0},"end":{"line":16,"col":31,"offset":1}}]},{"code":3,"level":"warn","type":["PartialParsing",[{"path":"backend/auth/syria/uploadSyrianDocs.php","start":{"line":57,"col":24,"offset":0},"end":{"line":57,"col":25,"offset":1}},{"path":"backend/auth/syria/uploadSyrianDocs.php","start":{"line":57,"col":29,"offset":0},"end":{"line":57,"col":30,"offset":1}}]],"message":"Syntax error at line backend/auth/syria/uploadSyrianDocs.php:57:\n `'` was unexpected","path":"backend/auth/syria/uploadSyrianDocs.php","spans":[{"file":"backend/auth/syria/uploadSyrianDocs.php","start":{"line":57,"col":24,"offset":0},"end":{"line":57,"col":25,"offset":1}},{"file":"backend/auth/syria/uploadSyrianDocs.php","start":{"line":57,"col":29,"offset":0},"end":{"line":57,"col":30,"offset":1}}]},{"code":3,"level":"warn","type":["PartialParsing",[{"path":"backend/ride/card-image-driver/add.php","start":{"line":19,"col":24,"offset":0},"end":{"line":19,"col":25,"offset":1}},{"path":"backend/ride/card-image-driver/add.php","start":{"line":19,"col":30,"offset":0},"end":{"line":19,"col":31,"offset":1}}]],"message":"Syntax error at line backend/ride/card-image-driver/add.php:19:\n `'` was 
unexpected","path":"backend/ride/card-image-driver/add.php","spans":[{"file":"backend/ride/card-image-driver/add.php","start":{"line":19,"col":24,"offset":0},"end":{"line":19,"col":25,"offset":1}},{"file":"backend/ride/card-image-driver/add.php","start":{"line":19,"col":30,"offset":0},"end":{"line":19,"col":31,"offset":1}}]},{"code":3,"level":"warn","type":["PartialParsing",[{"path":"backend/uploadImagePortrate.php","start":{"line":14,"col":28,"offset":0},"end":{"line":14,"col":29,"offset":1}},{"path":"backend/uploadImagePortrate.php","start":{"line":14,"col":34,"offset":0},"end":{"line":14,"col":35,"offset":1}}]],"message":"Syntax error at line backend/uploadImagePortrate.php:14:\n `'` was unexpected","path":"backend/uploadImagePortrate.php","spans":[{"file":"backend/uploadImagePortrate.php","start":{"line":14,"col":28,"offset":0},"end":{"line":14,"col":29,"offset":1}},{"file":"backend/uploadImagePortrate.php","start":{"line":14,"col":34,"offset":0},"end":{"line":14,"col":35,"offset":1}}]}],"paths":{"scanned":["backend/.env.example","backend/.gitignore","backend/Admin/AdminCaptain/add.php","backend/Admin/AdminCaptain/delete.php","backend/Admin/AdminCaptain/get.php","backend/Admin/AdminCaptain/getCaptainDetailsByEmailOrIDOrPhone.php","backend/Admin/AdminCaptain/getCaptainDetailsById.php","backend/Admin/AdminCaptain/getDriversPhonesAndTokens.php","backend/Admin/AdminCaptain/update.php","backend/Admin/AdminRide/get.php","backend/Admin/AdminRide/getRidesPerMonth.php","backend/Admin/Staff/activate.php","backend/Admin/Staff/add.php","backend/Admin/Staff/pending.php","backend/Admin/Staff/setup.php","backend/Admin/adminUser/add.php","backend/Admin/adminUser/add_invoice.php","backend/Admin/adminUser/delete.php","backend/Admin/adminUser/get.php","backend/Admin/adminUser/invoice_images/INV-20250729-224_123.jpg","backend/Admin/adminUser/invoice_images/INV-20250729-592_123.jpg","backend/Admin/adminUser/invoice_images/INV-20250810-859_123.jpg","backend/Admin/adminUser/invoice_to
tal.php","backend/Admin/adminUser/update.php","backend/Admin/auth/approve_admin.php","backend/Admin/auth/list_pending.php","backend/Admin/auth/login.php","backend/Admin/auth/loginWallet.php","backend/Admin/auth/migrate_db.php","backend/Admin/auth/migration_cryptography.php","backend/Admin/auth/register.php","backend/Admin/auth/send_otp_admin.php","backend/Admin/auth/verify_login.php","backend/Admin/auth/verify_otp_admin.php","backend/Admin/dashbord.php","backend/Admin/debug/.htaccess","backend/Admin/debug/check_driver_phones.php","backend/Admin/debug/check_users_cols.php","backend/Admin/debug/debug_phone.php","backend/Admin/debug/env_test.php","backend/Admin/debug/ggg.php","backend/Admin/debug/scratch_db_check.php","backend/Admin/debug/scratch_log_path.php","backend/Admin/debug/scratch_test_find.php","backend/Admin/debug/scratch_test_redis.php","backend/Admin/driver/deleteCaptain.php","backend/Admin/driver/deleteRecord.php","backend/Admin/driver/find_driver_by_phone.php","backend/Admin/driver/getBestDriver.php","backend/Admin/driver/getDriverGiftPayment.php","backend/Admin/driver/remove_from_blacklist.php","backend/Admin/driver/updateDriverFromAdmin.php","backend/Admin/employee/add.php","backend/Admin/employee/get.php","backend/Admin/error/error_list_last20.php","backend/Admin/error/error_search_by_phone.php","backend/Admin/errorApp.php","backend/Admin/facebook.php","backend/Admin/getPassengerDetails.php","backend/Admin/getPassengerDetailsByPassengerID.php","backend/Admin/getPassengerbyEmail.php","backend/Admin/getVisaForEachDriver.php","backend/Admin/ggg.php","backend/Admin/jwtService.php","backend/Admin/passenger/admin_delete_and_blacklist_passenger.php","backend/Admin/passenger/admin_unblacklist.php","backend/Admin/passenger/admin_update_passenger.php","backend/Admin/rides/admin_get_rides_by_phone.php","backend/Admin/rides/admin_update_ride_status.php","backend/Admin/rides/get_driver_live_pos.php","backend/Admin/rides/get_rides_by_status.php","backend/Admin/rides
/monitorRide.php","backend/Admin/sendEmailToDrivertransaction.php","backend/Admin/send_whatsapp_message.php","backend/Admin/v2/analytics/driver_ranking.php","backend/Admin/v2/analytics/growth.php","backend/Admin/v2/analytics/revenue.php","backend/Admin/v2/financial/settlements.php","backend/Admin/v2/financial/stats.php","backend/Admin/v2/quality/blacklist_manager.php","backend/Admin/v2/quality/driver_scorecard.php","backend/Admin/v2/realtime_dashboard.php","backend/Admin/v2/security/audit_logs.php","backend/Admin/v2/smart_alerts.php","backend/Admin/view_errors.php","backend/EgyptDocuments/uploadEgyptIdBack.php","backend/EgyptDocuments/uploadEgyptidFront.php","backend/aggregate_files.py","backend/auth/Tester/getTesterApp.php","backend/auth/Tester/updateTesterApp.php","backend/auth/captin/addCriminalDocuments.php","backend/auth/captin/deletecaptainAccounr.php","backend/auth/captin/getAccount.php","backend/auth/captin/getPromptDriverDocumentsEgypt.php","backend/auth/captin/login.php","backend/auth/captin/loginFromGoogle.php","backend/auth/captin/loginUsingCredentialsWithoutGoogle.php","backend/auth/captin/removeAccount.php","backend/auth/captin/updateAccountBank.php","backend/auth/captin/updateDriverClaim.php","backend/auth/captin/updateShamCashDriver.php","backend/auth/checkPhoneNumberISVerfiedDriver.php","backend/auth/checkPhoneNumberISVerfiedPassenger.php","backend/auth/document_syria/ai_document.php","backend/auth/login.php","backend/auth/loginFromGooglePassenger.php","backend/auth/loginUsingCredentialsWithoutGooglePassenger.php","backend/auth/otp/providers.php","backend/auth/otp/request.php","backend/auth/otp/verify.php","backend/auth/packageInfo.php","backend/auth/passengerRemovedAccountEmail.php","backend/auth/save_passenger_location.php","backend/auth/sendEmail.php","backend/auth/sendVerifyEmail.php","backend/auth/signup.php","backend/auth/syria/driver/driver_details.php","backend/auth/syria/driver/drivers_pending_list.php","backend/auth/syria/driver/isPhoneVer
ified.php","backend/auth/syria/driver/register_driver_and_car.php","backend/auth/syria/driver/register_driver_and_car_signed.php","backend/auth/syria/register_passenger.php","backend/auth/syria/uploadSyrianDocs.php","backend/auth/token_passenger/driver/send_otp_driver.php","backend/auth/token_passenger/driver/verify_otp_driver.php","backend/auth/token_passenger/send_otp.php","backend/auth/token_passenger/verify_otp.php","backend/auth/uploads/documents/driver_driving_license_sy_back_34feffd3fa72d6bee56b.jpg","backend/auth/uploads/documents/driver_driving_license_sy_back_eddfdfdgfd.jpg","backend/auth/uploads/documents/driver_driving_license_sy_front_34feffd3fa72d6bee56b.jpg","backend/auth/uploads/documents/driver_driving_license_sy_front_eddfdfdgfd.jpg","backend/auth/uploads/documents/driver_generic_unknown.jpg","backend/auth/uploads/documents/driver_id_back_sy_34feffd3fa72d6bee56b.jpg","backend/auth/uploads/documents/driver_id_back_sy_eddfdfdgfd.jpg","backend/auth/uploads/documents/driver_id_front_sy_34feffd3fa72d6bee56b.jpg","backend/auth/uploads/documents/driver_id_front_sy_eddfdfdgfd.jpg","backend/auth/uploads/documents/driver_vehicle_license_sy_back_34feffd3fa72d6bee56b.jpg","backend/auth/uploads/documents/driver_vehicle_license_sy_back_eddfdfdgfd.jpg","backend/auth/uploads/documents/driver_vehicle_license_sy_front_34feffd3fa72d6bee56b.jpg","backend/auth/uploads/documents/driver_vehicle_license_sy_front_eddfdfdgfd.jpg","backend/auth/verifyEmail.php","backend/card_image/criminalRecord-1b73bad5ed4f147d688e.jpg","backend/card_image/idFrontEmployee-795C0P4Z.jpg","backend/card_image/idFrontEmployee-AYZHXEIE.jpg","backend/card_image/idbackEmployee-795C0P4Z.jpg","backend/card_image/idbackEmployee-AYZHXEIE.jpg","backend/composer.json","backend/composer.lock","backend/connect.php","backend/core/Auth/JwtService.php","backend/core/Auth/RateLimiter.php","backend/core/Database/Database.php","backend/core/Security/EncryptionHelper.php","backend/core/Services/FcmService.php","b
ackend/core/Services/OtpService.php","backend/core/bootstrap.php","backend/core/helpers.php","backend/driver_assurance/add.php","backend/driver_assurance/get.php","backend/driver_assurance/update.php","backend/driver_socket.php","backend/email/sendTripEmail.php","backend/encrypt_decrypt.php","backend/functions.php","backend/get_connect.php","backend/ggg.php","backend/git_push.sh","backend/imageForUsingApp/order_page.jpg","backend/instructions_web/animation.mp4","backend/instructions_web/delete_account.html","backend/instructions_web/logo.gif","backend/instructions_web/logo.png","backend/intaleq_v1.code-workspace","backend/invest_code.php","backend/load_env.php","backend/login.php","backend/loginAdmin.php","backend/loginFirstTime.php","backend/loginFirstTimeDriver.php","backend/loginJwtDriver.php","backend/loginJwtWalletDriver.php","backend/loginWallet.php","backend/logout.php","backend/migrate_driver_passwords.php","backend/migration/get_all_driver_fingerprints.php","backend/migration/get_all_fingerprints.php","backend/migration/update_driver_fingerprint_admin.php","backend/migration/update_fingerprint_admin.php","backend/migration_create_table.php","backend/migration_referral_system.sql","backend/new_driver_car/100221243420413735049.jpg","backend/new_driver_car/100276066669243532075.jpg","backend/new_driver_car/105897591838899631737.jpg","backend/new_driver_car/114243034311436865474.jpg","backend/new_driver_car/mahmoudcici40FGH4MCQC3fd.jpg","backend/passenger_socket.php","backend/privacy_policy.php","backend/privacy_policy1.php","backend/ride/RegisrationCar/add.php","backend/ride/RegisrationCar/delete.php","backend/ride/RegisrationCar/get.php","backend/ride/RegisrationCar/makeDefaultCar.php","backend/ride/RegisrationCar/selectDriverAndCarForMishwariTrip.php","backend/ride/RegisrationCar/update.php","backend/ride/apiKey/add.php","backend/ride/apiKey/delete.php","backend/ride/apiKey/get.php","backend/ride/apiKey/update.php","backend/ride/call/driver/create_call_sessi
on.php","backend/ride/call/passenger/create_call_session.php","backend/ride/cancelRide/add.php","backend/ride/cancelRide/addCancelTripFromDriverAfterApplied.php","backend/ride/cancelRide/delete.php","backend/ride/cancelRide/get.php","backend/ride/cancelRide/update.php","backend/ride/carDrivers/add.php","backend/ride/carDrivers/delete.php","backend/ride/carDrivers/get.php","backend/ride/card-image-driver/add.php","backend/ride/card-image-driver/delete.php","backend/ride/card-image-driver/get.php","backend/ride/card-image-driver/update.php","backend/ride/chat/send_message.php","backend/ride/driverWallet/driverStatistic.php","backend/ride/driverWallet/getDriverDetails.php","backend/ride/driverWallet/transfer.php","backend/ride/driver_behavior/get_driver_behavior.php","backend/ride/driver_order/add.php","backend/ride/driver_order/delete.php","backend/ride/driver_order/get.php","backend/ride/driver_order/getOrderCancelStatus.php","backend/ride/driver_order/update.php","backend/ride/driver_scam/add.php","backend/ride/driver_scam/delete.php","backend/ride/driver_scam/get.php","backend/ride/driver_scam/update.php","backend/ride/egyptPhones/add.php","backend/ride/egyptPhones/get.php","backend/ride/egyptPhones/syrianAdd.php","backend/ride/feedBack/add.php","backend/ride/feedBack/add_solve_all.php","backend/ride/feedBack/delete.php","backend/ride/feedBack/get.php","backend/ride/feedBack/update.php","backend/ride/firebase/add.php","backend/ride/firebase/addDriver.php","backend/ride/firebase/addToken.php","backend/ride/firebase/delete.php","backend/ride/firebase/fcm_fun.php","backend/ride/firebase/get.php","backend/ride/firebase/getALlTokenDrivers.php","backend/ride/firebase/getAllTokenPassengers.php","backend/ride/firebase/getDriverToken.php","backend/ride/firebase/getTokenParent.php","backend/ride/firebase/getTokensPassenger.php","backend/ride/firebase/notify_driver_arrival.php","backend/ride/firebase/send_fcm.php","backend/ride/gamification/claimChallengeReward.php","backend/
ride/gamification/getDriverBehavior.php","backend/ride/gamification/getGamificationDashboard.php","backend/ride/gamification/getLeaderboard.php","backend/ride/gamification/getReferralStats.php","backend/ride/gamification/getWeeklyAggregate.php","backend/ride/helpCenter/add.php","backend/ride/helpCenter/delete.php","backend/ride/helpCenter/get.php","backend/ride/helpCenter/getById.php","backend/ride/helpCenter/update.php","backend/ride/invitor/add.php","backend/ride/invitor/addInvitationPassenger.php","backend/ride/invitor/add_unified_invite.php","backend/ride/invitor/claim.php","backend/ride/invitor/claim_driver_reward.php","backend/ride/invitor/get.php","backend/ride/invitor/getDriverInvitationToPassengers.php","backend/ride/invitor/get_driver_referrals.php","backend/ride/invitor/get_passenger_referrals.php","backend/ride/invitor/get_unified_code.php","backend/ride/invitor/update.php","backend/ride/invitor/updateDriverInvitationDirectly.php","backend/ride/invitor/updateInvitationCodeFromRegister.php","backend/ride/invitor/updatePassengerGift.php","backend/ride/invitor/updatePassengersInvitation.php","backend/ride/kazan/add.php","backend/ride/kazan/delete.php","backend/ride/kazan/get.php","backend/ride/kazan/update.php","backend/ride/license/add.php","backend/ride/license/delete.php","backend/ride/license/get.php","backend/ride/license/update.php","backend/ride/location/add.php","backend/ride/location/addpassengerLocation.php","backend/ride/location/delete.php","backend/ride/location/driversTime.html","backend/ride/location/get.php","backend/ride/location/getBalash.php","backend/ride/location/getCarsLocationByPassengerVan.php","backend/ride/location/getComfort.php","backend/ride/location/getDelivery.php","backend/ride/location/getDriverCarsLocationToPassengerAfterApplied.php","backend/ride/location/getDriverTimeOnline.php","backend/ride/location/getElectric.php","backend/ride/location/getFemalDriver.php","backend/ride/location/getLatestLocationPassenger.php","backen
d/ride/location/getLocationParents.php","backend/ride/location/getPinkBike.php","backend/ride/location/getRidesDriverByDay.php","backend/ride/location/getSpeed.php","backend/ride/location/getTotalDriverDuration.php","backend/ride/location/getTotalDriverDurationToday.php","backend/ride/location/getUpdatedLocationForAdmin.php","backend/ride/location/get_location_area_links.php","backend/ride/location/getfemalbehavior.php","backend/ride/location/print.php","backend/ride/location/save_behavior.php","backend/ride/location/update.php","backend/ride/mishwari/add.php","backend/ride/mishwari/cancel.php","backend/ride/mishwari/get.php","backend/ride/mishwari/getDriver.php","backend/ride/mishwari/test.php","backend/ride/notificationCaptain/add.php","backend/ride/notificationCaptain/addWaitingRide.php","backend/ride/notificationCaptain/delete.php","backend/ride/notificationCaptain/deleteAvailableRide.php","backend/ride/notificationCaptain/get.php","backend/ride/notificationCaptain/getRideWaiting.php","backend/ride/notificationCaptain/update.php","backend/ride/notificationCaptain/updateWaitingTrip.php","backend/ride/notificationPassenger/add.php","backend/ride/notificationPassenger/delete.php","backend/ride/notificationPassenger/get.php","backend/ride/notificationPassenger/update.php","backend/ride/overLay/_log.txt","backend/ride/overLay/add.php","backend/ride/overLay/deletArgumets.php","backend/ride/overLay/get.php","backend/ride/overLay/getArgumentAfterAppliedFromBackground.php","backend/ride/places/add.php","backend/ride/places_syria/add.php","backend/ride/places_syria/get.php","backend/ride/places_syria/reverse_geocode.php","backend/ride/pricing/get.php","backend/ride/profile/get.php","backend/ride/profile/getCaptainProfile.php","backend/ride/profile/update.php","backend/ride/profile/updateDriverEmail.php","backend/ride/promo/add.php","backend/ride/promo/delete.php","backend/ride/promo/get.php","backend/ride/promo/getPromoBytody.php","backend/ride/promo/getPromoFirst.php","b
ackend/ride/promo/update.php","backend/ride/rate/add.php","backend/ride/rate/addRateToDriver.php","backend/ride/rate/add_rate_app.php","backend/ride/rate/getDriverRate.php","backend/ride/rate/getPassengerRate.php","backend/ride/rate/sendEmailRateingApp.php","backend/ride/rides/acceptRide.php","backend/ride/rides/add_ride.php","backend/ride/rides/arrive_ride.php","backend/ride/rides/cancelRideFromDriver.php","backend/ride/rides/cancel_ride_by_driver.php","backend/ride/rides/cancel_ride_by_passenger.php","backend/ride/rides/cron_ride_timeout.php","backend/ride/rides/delete.php","backend/ride/rides/emailToPassengerTripDetail.php","backend/ride/rides/finish_ride_updates.php","backend/ride/rides/get.php","backend/ride/rides/getRealTimeHeatmap.php","backend/ride/rides/getRideOrderID.php","backend/ride/rides/getRideOrderIDNew.php","backend/ride/rides/getRideStatus.php","backend/ride/rides/getRideStatusBegin.php","backend/ride/rides/getRideStatusFromStartApp.php","backend/ride/rides/getTripCountByCaptain.php","backend/ride/rides/get_driver_location.php","backend/ride/rides/gterideForDriverManyTime.php","backend/ride/rides/heatmap_live.json","backend/ride/rides/public_track_location.php","backend/ride/rides/retry_search_drivers.php","backend/ride/rides/start_ride.php","backend/ride/rides/test_notification.php","backend/ride/rides/update.php","backend/ride/rides/updateRideAndCheckIfApplied.php","backend/ride/rides/updateStausFromSpeed.php","backend/ride/rides/update_ride_cancel_wait.php","backend/ride/seferWallet/add.php","backend/ride/seferWallet/get.php","backend/ride/tips/add.php","backend/ride/tips/get.php","backend/ride/videos_driver/get.php","backend/schema_primary.sql","backend/schema_ride.sql","backend/schema_tracking.sql","backend/serviceapp/addCartoDriver.php","backend/serviceapp/addNotesDriver.php","backend/serviceapp/addNotesPassenger.php","backend/serviceapp/addWelcomeDriverNote.php","backend/serviceapp/check_db.php","backend/serviceapp/deleteDriverNotCompleteReg
istration.php","backend/serviceapp/driverWhoregisterFfterCall.php","backend/serviceapp/drivers_list.txt","backend/serviceapp/editCarPlate.php","backend/serviceapp/getCarPlateNotEdit.php","backend/serviceapp/getComplaintAllData.php","backend/serviceapp/getComplaintAllDataForDriver.php","backend/serviceapp/getDriverByNational.php","backend/serviceapp/getDriverByPhone.php","backend/serviceapp/getDriverDetailsForActivate.php","backend/serviceapp/getDriverNotCompleteRegistration.php","backend/serviceapp/getDriversPhoneNotComplete.php","backend/serviceapp/getDriversWaitingActive.php","backend/serviceapp/getEditorStatsCalls.php","backend/serviceapp/getEmployeeDriverAfterCallingRegister.php","backend/serviceapp/getEmployeeStatic.php","backend/serviceapp/getJsonFile.php","backend/serviceapp/getNewDriverRegister.php","backend/serviceapp/getNotesForEmployee.php","backend/serviceapp/getPackages.php","backend/serviceapp/getPassengersByPhone.php","backend/serviceapp/getPassengersNotCompleteRegistration.php","backend/serviceapp/getPassengersStatic.php","backend/serviceapp/getRidesStatic.php","backend/serviceapp/getdriverWithoutCar.php","backend/serviceapp/getdriverstotalMonthly.php","backend/serviceapp/login.php","backend/serviceapp/register.php","backend/serviceapp/registerDriverAndCarService.php","backend/serviceapp/updateDriver.php","backend/serviceapp/updateDriverToActive.php","backend/serviceapp/updatePackages.php","backend/serviceapp/update_complaint.php","backend/serviceapp/web/drivers.html","backend/serviceapp/web/f.html","backend/serviceapp/web/getDrivers.php","backend/serviceapp/work/addCarWantWork.php","backend/serviceapp/work/addDriverWantWork.php","backend/test_signed_pricing.php","backend/uploadImagePortrate.php","backend/upload_audio.php","backend/webhook_sms/webhook.php","siromove.com/invite.php","siromove.com/inviteSyria.php","socket_intaleq/driver_socket.php","socket_intaleq/passenger_socket.php"]},"time":{"rules":[],"rules_parse_time":0.3916339874267578,"profili
ng_times":{"config_time":3.5235681533813477,"core_time":7.5553388595581055,"ignores_time":0.00048422813415527344,"total_time":11.093009233474731},"parsing_time":{"total_time":0.0,"per_file_time":{"mean":0.0,"std_dev":0.0},"very_slow_stats":{"time_ratio":0.0,"count_ratio":0.0},"very_slow_files":[]},"scanning_time":{"total_time":16.29555320739746,"per_file_time":{"mean":0.012506180512200697,"std_dev":0.0036765773292479105},"very_slow_stats":{"time_ratio":0.0,"count_ratio":0.0},"very_slow_files":[]},"matching_time":{"total_time":0.0,"per_file_and_rule_time":{"mean":0.0,"std_dev":0.0},"very_slow_stats":{"time_ratio":0.0,"count_ratio":0.0},"very_slow_rules_on_files":[]},"tainting_time":{"total_time":0.0,"per_def_and_rule_time":{"mean":0.0,"std_dev":0.0},"very_slow_stats":{"time_ratio":0.0,"count_ratio":0.0},"very_slow_rules_on_defs":[]},"fixpoint_timeouts":[],"prefiltering":{"project_level_time":0.0,"file_level_time":0.0,"rules_with_project_prefilters_ratio":0.0,"rules_with_file_prefilters_ratio":0.9993088552915766,"rules_selected_ratio":0.07447084233261339,"rules_matched_ratio":0.07447084233261339},"targets":[],"total_bytes":0,"max_memory_bytes":803370176},"engine_requested":"OSS","skipped_rules":[],"profiling_results":[]} \ No newline at end of file diff --git a/semgrep_wallet_results.json b/semgrep_wallet_results.json new file mode 100644 index 0000000..52e97fa --- /dev/null +++ b/semgrep_wallet_results.json 
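Review bot: the five PartialParsing entries in errors[] of this semgrep_php_results.json hunk all land on file-upload handlers (backend/EgyptDocuments/uploadEgyptIdBack.php:16, backend/EgyptDocuments/uploadEgyptidFront.php:16, backend/auth/syria/uploadSyrianDocs.php:57, backend/ride/card-image-driver/add.php:19, backend/uploadImagePortrate.php:14, each "`'` was unexpected"), and Semgrep skips the regions it cannot parse, so the absence of findings for these upload endpoints reflects missing coverage, not clean code; fix the quoting and rescan before the audit counts them as reviewed. The suggested fix on the echoed-request finding, `echo htmlentities(json_encode([...]))`, should not be applied as written: htmlentities() rewrites the quotes of the JSON body as `&quot;` and breaks every client that parses the response, and the proper remediation for a JSON endpoint is a `Content-Type: application/json` header plus json_encode() with JSON_HEX_TAG|JSON_HEX_QUOT so the body is never interpreted as HTML. Both findings carry "lines":"requires login" and "fingerprint":"requires login", so the committed file holds no source excerpt and each one still needs manual triage against the cited line. Lastly, paths.scanned shows identity documents tracked in the repository (backend/auth/uploads/documents/driver_id_front_sy_34feffd3fa72d6bee56b.jpg and its siblings, backend/card_image/idFrontEmployee-795C0P4Z.jpg), invoice images under backend/Admin/adminUser/invoice_images/, the backend/Admin/debug/ scratch scripts and backend/ride/overLay/_log.txt; no Semgrep rule flags tracked files by path, so these belong in the report's data-exposure section rather than staying implicit in a scan artifact.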
@@ -0,0 +1 @@ +{"version":"1.166.0","results":[{"check_id":"php.lang.security.injection.echoed-request.echoed-request","path":"walletintaleq.intaleq.xyz/v2/main/ride/cliq/verify_payment_ai.php","start":{"line":68,"col":9,"offset":2684},"end":{"line":68,"col":96,"offset":2771},"extra":{"message":"`Echo`ing user input risks cross-site scripting vulnerability. You should use `htmlentities()` when showing data to users.","fix":"echo htmlentities(json_encode([\"status\" => \"failure\", \"message\" => \"Verification failed: $reason\"]));","metadata":{"technology":["php"],"cwe":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"],"owasp":["A07:2017 - Cross-Site Scripting (XSS)","A03:2021 - Injection","A05:2025 - Injection"],"category":"security","references":["https://www.php.net/manual/en/function.htmlentities.php","https://www.php.net/manual/en/reserved.variables.request.php","https://www.php.net/manual/en/reserved.variables.post.php","https://www.php.net/manual/en/reserved.variables.get.php","https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. 
For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cross-Site-Scripting (XSS)"],"source":"https://semgrep.dev/r/php.lang.security.injection.echoed-request.echoed-request","shortlink":"https://sg.run/Bqqb"},"severity":"ERROR","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"generic.nginx.security.request-host-used.request-host-used","path":"walletintaleq.intaleq.xyz/v2/main/ride/mtn/passenger/mtn_confirm.php","start":{"line":16,"col":9,"offset":571},"end":{"line":16,"col":14,"offset":576},"extra":{"message":"'$http_host' and '$host' variables may contain a malicious value from attacker controlled 'Host' request header. Use an explicitly configured host value or a allow list for validation.","metadata":{"cwe":["CWE-290: Authentication Bypass by Spoofing"],"references":["https://github.com/yandex/gixy/blob/master/docs/en/plugins/hostspoofing.md","https://portswigger.net/web-security/host-header"],"category":"security","technology":["nginx"],"confidence":"MEDIUM","owasp":["A07:2021 - Identification and Authentication Failures","A07:2025 - Authentication Failures"],"subcategory":["audit"],"likelihood":"LOW","impact":"LOW","license":"Semgrep Rules License v1.0. 
For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Improper Authentication"],"source":"https://semgrep.dev/r/generic.nginx.security.request-host-used.request-host-used","shortlink":"https://sg.run/4x3Z"},"severity":"WARNING","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"generic.nginx.security.request-host-used.request-host-used","path":"walletintaleq.intaleq.xyz/v2/main/ride/mtn/passenger/mtn_confirm.php","start":{"line":17,"col":46,"offset":694},"end":{"line":17,"col":51,"offset":699},"extra":{"message":"'$http_host' and '$host' variables may contain a malicious value from attacker controlled 'Host' request header. Use an explicitly configured host value or a allow list for validation.","metadata":{"cwe":["CWE-290: Authentication Bypass by Spoofing"],"references":["https://github.com/yandex/gixy/blob/master/docs/en/plugins/hostspoofing.md","https://portswigger.net/web-security/host-header"],"category":"security","technology":["nginx"],"confidence":"MEDIUM","owasp":["A07:2021 - Identification and Authentication Failures","A07:2025 - Authentication Failures"],"subcategory":["audit"],"likelihood":"LOW","impact":"LOW","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Improper Authentication"],"source":"https://semgrep.dev/r/generic.nginx.security.request-host-used.request-host-used","shortlink":"https://sg.run/4x3Z"},"severity":"WARNING","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"php.lang.security.injection.echoed-request.echoed-request","path":"walletintaleq.intaleq.xyz/v2/main/ride/mtn_new/verify_payment_ai.php","start":{"line":68,"col":9,"offset":2604},"end":{"line":68,"col":96,"offset":2691},"extra":{"message":"`Echo`ing user input risks cross-site scripting vulnerability. 
You should use `htmlentities()` when showing data to users.","fix":"echo htmlentities(json_encode([\"status\" => \"failure\", \"message\" => \"Verification failed: $reason\"]));","metadata":{"technology":["php"],"cwe":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"],"owasp":["A07:2017 - Cross-Site Scripting (XSS)","A03:2021 - Injection","A05:2025 - Injection"],"category":"security","references":["https://www.php.net/manual/en/function.htmlentities.php","https://www.php.net/manual/en/reserved.variables.request.php","https://www.php.net/manual/en/reserved.variables.post.php","https://www.php.net/manual/en/reserved.variables.get.php","https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cross-Site-Scripting (XSS)"],"source":"https://semgrep.dev/r/php.lang.security.injection.echoed-request.echoed-request","shortlink":"https://sg.run/Bqqb"},"severity":"ERROR","fingerprint":"requires login","lines":"requires 
login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}}],"errors":[],"paths":{"scanned":["walletintaleq.intaleq.xyz/.gitignore","walletintaleq.intaleq.xyz/WalletDB.sql","walletintaleq.intaleq.xyz/mtnpayment.html","walletintaleq.intaleq.xyz/ttt.php","walletintaleq.intaleq.xyz/v2/composer.json","walletintaleq.intaleq.xyz/v2/composer.lock","walletintaleq.intaleq.xyz/v2/main/connect.php","walletintaleq.intaleq.xyz/v2/main/encrypt_decrypt.php","walletintaleq.intaleq.xyz/v2/main/functions.php","walletintaleq.intaleq.xyz/v2/main/jwtconnect.php","walletintaleq.intaleq.xyz/v2/main/load_env.php","walletintaleq.intaleq.xyz/v2/main/loginWalletAdmin.php","walletintaleq.intaleq.xyz/v2/main/ride/GeminiAi.php","walletintaleq.intaleq.xyz/v2/main/ride/apiKey/add.php","walletintaleq.intaleq.xyz/v2/main/ride/apiKey/delete.php","walletintaleq.intaleq.xyz/v2/main/ride/apiKey/get.php","walletintaleq.intaleq.xyz/v2/main/ride/apiKey/update.php","walletintaleq.intaleq.xyz/v2/main/ride/cliq/check_status.php","walletintaleq.intaleq.xyz/v2/main/ride/cliq/cliq_invoices.sql","walletintaleq.intaleq.xyz/v2/main/ride/cliq/cliq_webhook_handler.php","walletintaleq.intaleq.xyz/v2/main/ride/cliq/create_cliq_invoice.php","walletintaleq.intaleq.xyz/v2/main/ride/cliq/finalize_payment.php","walletintaleq.intaleq.xyz/v2/main/ride/cliq/query_click_invoice.php","walletintaleq.intaleq.xyz/v2/main/ride/cliq/verify_payment_ai.php","walletintaleq.intaleq.xyz/v2/main/ride/driverPayment/add.php","walletintaleq.intaleq.xyz/v2/main/ride/driverPayment/delete.php","walletintaleq.intaleq.xyz/v2/main/ride/driverPayment/get.php","walletintaleq.intaleq.xyz/v2/main/ride/driverPayment/update.php","walletintaleq.intaleq.xyz/v2/main/ride/driverWallet/add.php","walletintaleq.intaleq.xyz/v2/main/ride/driverWallet/add300ToDriver.php","walletintaleq.intaleq.xyz/v2/main/ride/driverWallet/addFromAdmin.php","walletintaleq.intaleq.xyz/v2/main/ride/driverWallet/addPaymentToken.php","walletintaleq.intaleq.xyz/v2/main/ride/driverWa
llet/add_s2s_reward.php","walletintaleq.intaleq.xyz/v2/main/ride/driverWallet/convertBudgetToPoints.php","walletintaleq.intaleq.xyz/v2/main/ride/driverWallet/delete.php","walletintaleq.intaleq.xyz/v2/main/ride/driverWallet/deleteNewDriverGiftCronJob.php","walletintaleq.intaleq.xyz/v2/main/ride/driverWallet/driverStatistic.php","walletintaleq.intaleq.xyz/v2/main/ride/driverWallet/get.php","walletintaleq.intaleq.xyz/v2/main/ride/driverWallet/getDriverDetails.php","walletintaleq.intaleq.xyz/v2/main/ride/driverWallet/getDriverWeekPaymentMove.php","walletintaleq.intaleq.xyz/v2/main/ride/driverWallet/getWalletByDriver.php","walletintaleq.intaleq.xyz/v2/main/ride/driverWallet/get_s2s_wallet_dashboard.php","walletintaleq.intaleq.xyz/v2/main/ride/driverWallet/promotionDriver.php","walletintaleq.intaleq.xyz/v2/main/ride/driverWallet/sendEmailTransfer.php","walletintaleq.intaleq.xyz/v2/main/ride/driverWallet/transfer.php","walletintaleq.intaleq.xyz/v2/main/ride/driverWallet/update.php","walletintaleq.intaleq.xyz/v2/main/ride/ecash/driver/ecash_verify.php","walletintaleq.intaleq.xyz/v2/main/ride/ecash/driver/ecash_webhook.php","walletintaleq.intaleq.xyz/v2/main/ride/ecash/driver/finalize_payment.php","walletintaleq.intaleq.xyz/v2/main/ride/ecash/driver/payWithEcash.php","walletintaleq.intaleq.xyz/v2/main/ride/ecash/driver/webhook_connect.php","walletintaleq.intaleq.xyz/v2/main/ride/ecash/ecash_config.php","walletintaleq.intaleq.xyz/v2/main/ride/ecash/logs/ecash_production.log","walletintaleq.intaleq.xyz/v2/main/ride/ecash/logs/payment_verification.log","walletintaleq.intaleq.xyz/v2/main/ride/ecash/passenger/ecash_verify.php","walletintaleq.intaleq.xyz/v2/main/ride/ecash/passenger/ecash_webhook.php","walletintaleq.intaleq.xyz/v2/main/ride/ecash/passenger/finalize_payment.php","walletintaleq.intaleq.xyz/v2/main/ride/ecash/passenger/payWithEcash.php","walletintaleq.intaleq.xyz/v2/main/ride/ecash/passenger/webhook_connect.php","walletintaleq.intaleq.xyz/v2/main/ride/ecash/payWithEc
ash.php","walletintaleq.intaleq.xyz/v2/main/ride/ecash/webhook_ecash.php","walletintaleq.intaleq.xyz/v2/main/ride/mtn/driver/confirm_payment.php","walletintaleq.intaleq.xyz/v2/main/ride/mtn/driver/finalize_wallet_payment.php","walletintaleq.intaleq.xyz/v2/main/ride/mtn/driver/generate_keys.php","walletintaleq.intaleq.xyz/v2/main/ride/mtn/driver/initiate_payment.php","walletintaleq.intaleq.xyz/v2/main/ride/mtn/driver/key.php","walletintaleq.intaleq.xyz/v2/main/ride/mtn/driver/mtn_start.php","walletintaleq.intaleq.xyz/v2/main/ride/mtn/driver/private_key.pem","walletintaleq.intaleq.xyz/v2/main/ride/mtn/driver/public_key.pem","walletintaleq.intaleq.xyz/v2/main/ride/mtn/driver_payout_syria.php","walletintaleq.intaleq.xyz/v2/main/ride/mtn/passenger/confirm_payment.php","walletintaleq.intaleq.xyz/v2/main/ride/mtn/passenger/finalize_wallet_payment.php","walletintaleq.intaleq.xyz/v2/main/ride/mtn/passenger/generate_keys.php","walletintaleq.intaleq.xyz/v2/main/ride/mtn/passenger/initiate_payment.php","walletintaleq.intaleq.xyz/v2/main/ride/mtn/passenger/key.php","walletintaleq.intaleq.xyz/v2/main/ride/mtn/passenger/mtn_confirm.php","walletintaleq.intaleq.xyz/v2/main/ride/mtn/passenger/mtn_start.php","walletintaleq.intaleq.xyz/v2/main/ride/mtn/passenger/private_key.pem","walletintaleq.intaleq.xyz/v2/main/ride/mtn/passenger/public_key.pem","walletintaleq.intaleq.xyz/v2/main/ride/mtn_new/check_status.php","walletintaleq.intaleq.xyz/v2/main/ride/mtn_new/create_mtn_invoice.php","walletintaleq.intaleq.xyz/v2/main/ride/mtn_new/finalize_payment.php","walletintaleq.intaleq.xyz/v2/main/ride/mtn_new/mtn_webhook_handler.php","walletintaleq.intaleq.xyz/v2/main/ride/mtn_new/query_mtn_invoice.php","walletintaleq.intaleq.xyz/v2/main/ride/mtn_new/verify_payment_ai.php","walletintaleq.intaleq.xyz/v2/main/ride/passengerWallet/add.php","walletintaleq.intaleq.xyz/v2/main/ride/passengerWallet/addPaymentTokenPassenger.php","walletintaleq.intaleq.xyz/v2/main/ride/passengerWallet/add_s2s_debt.php","w
alletintaleq.intaleq.xyz/v2/main/ride/passengerWallet/delete.php","walletintaleq.intaleq.xyz/v2/main/ride/passengerWallet/get.php","walletintaleq.intaleq.xyz/v2/main/ride/passengerWallet/getAllPassengerTransaction.php","walletintaleq.intaleq.xyz/v2/main/ride/passengerWallet/getPassengerWalletArchive.php","walletintaleq.intaleq.xyz/v2/main/ride/passengerWallet/getWalletByPassenger.php","walletintaleq.intaleq.xyz/v2/main/ride/passengerWallet/process_wait_compensation.php","walletintaleq.intaleq.xyz/v2/main/ride/passengerWallet/update.php","walletintaleq.intaleq.xyz/v2/main/ride/payMob/error_log","walletintaleq.intaleq.xyz/v2/main/ride/payMob/payWithPayMob.php","walletintaleq.intaleq.xyz/v2/main/ride/payMob/paymet_verfy.php","walletintaleq.intaleq.xyz/v2/main/ride/payMob/paymet_verfy.php.zip","walletintaleq.intaleq.xyz/v2/main/ride/payMob/paymob_driver/payWithCard.php","walletintaleq.intaleq.xyz/v2/main/ride/payMob/paymob_driver/payWithWallet.php","walletintaleq.intaleq.xyz/v2/main/ride/payMob/paymob_driver/paymet_verfy.php","walletintaleq.intaleq.xyz/v2/main/ride/payMob/paymob_driver/paymob_payout.php","walletintaleq.intaleq.xyz/v2/main/ride/payMob/paymob_driver/paymob_webHookWallet.php","walletintaleq.intaleq.xyz/v2/main/ride/payMob/paymob_driver/paymob_webhook.php","walletintaleq.intaleq.xyz/v2/main/ride/payMob/paymob_webhook.log","walletintaleq.intaleq.xyz/v2/main/ride/payMob/paymob_webhook.php","walletintaleq.intaleq.xyz/v2/main/ride/payMob/wallet/error_log","walletintaleq.intaleq.xyz/v2/main/ride/payMob/wallet/payWithPayMob.php","walletintaleq.intaleq.xyz/v2/main/ride/payMob/wallet/paymet_verfy.php","walletintaleq.intaleq.xyz/v2/main/ride/payMob/wallet/paymob_webhook.php","walletintaleq.intaleq.xyz/v2/main/ride/payment/add.php","walletintaleq.intaleq.xyz/v2/main/ride/payment/delete.php","walletintaleq.intaleq.xyz/v2/main/ride/payment/get.php","walletintaleq.intaleq.xyz/v2/main/ride/payment/getAllPayment.php","walletintaleq.intaleq.xyz/v2/main/ride/payment/getAllP
aymentVisa.php","walletintaleq.intaleq.xyz/v2/main/ride/payment/getCountRide.php","walletintaleq.intaleq.xyz/v2/main/ride/payment/process_ride_payments.php","walletintaleq.intaleq.xyz/v2/main/ride/payment/update.php","walletintaleq.intaleq.xyz/v2/main/ride/payment/updatePaymetToPaid.php","walletintaleq.intaleq.xyz/v2/main/ride/shamcash/check_status.php","walletintaleq.intaleq.xyz/v2/main/ride/shamcash/create_invoice_shamcash.php","walletintaleq.intaleq.xyz/v2/main/ride/shamcash/deposit_errors.log","walletintaleq.intaleq.xyz/v2/main/ride/shamcash/finalize_deposit.php","walletintaleq.intaleq.xyz/v2/main/ride/shamcash/last_id.txt","walletintaleq.intaleq.xyz/v2/main/ride/shamcash/passenger/check_status.php","walletintaleq.intaleq.xyz/v2/main/ride/shamcash/passenger/create_invoice.php","walletintaleq.intaleq.xyz/v2/main/ride/shamcash/passenger/finalize_deposit.php","walletintaleq.intaleq.xyz/v2/main/ride/shamcash/save_transactions.php","walletintaleq.intaleq.xyz/v2/main/ride/shamcash/save_transactions_new.php","walletintaleq.intaleq.xyz/v2/main/ride/shamcash/server_check.php","walletintaleq.intaleq.xyz/v2/main/ride/shamcash/transactions.log","walletintaleq.intaleq.xyz/v2/main/ride/siroWallet/add.php","walletintaleq.intaleq.xyz/v2/main/ride/siroWallet/get.php","walletintaleq.intaleq.xyz/v2/main/ride/syriatel/archive.zip","walletintaleq.intaleq.xyz/v2/main/ride/syriatel/driver/confirm_payment.php","walletintaleq.intaleq.xyz/v2/main/ride/syriatel/driver/finalize_wallet_payment.php","walletintaleq.intaleq.xyz/v2/main/ride/syriatel/driver/start_payment.php","walletintaleq.intaleq.xyz/v2/main/ride/syriatel/driver/syriatel_token_handler.php","walletintaleq.intaleq.xyz/v2/main/ride/syriatel/logs/payment_verification.log","walletintaleq.intaleq.xyz/v2/main/ride/syriatel/passenger/confirm_payment.php","walletintaleq.intaleq.xyz/v2/main/ride/syriatel/passenger/start_payment.php","walletintaleq.intaleq.xyz/v2/main/ride/syriatel/passenger/syriatel_token.cache","walletintaleq.intaleq.
xyz/v2/main/ride/syriatel/passenger/syriatel_token_handler.php","walletintaleq.intaleq.xyz/v2/main/ride/tips/add.php","walletintaleq.intaleq.xyz/v2/main/ride/tips/get.php","walletintaleq.intaleq.xyz/v2/main/sms_webhook/archive.zip","walletintaleq.intaleq.xyz/v2/main/sms_webhook/check_invoice_status.php","walletintaleq.intaleq.xyz/v2/main/sms_webhook/check_invoice_status_passenger.php","walletintaleq.intaleq.xyz/v2/main/sms_webhook/create_invoice.php","walletintaleq.intaleq.xyz/v2/main/sms_webhook/create_invoice_passenger.php","walletintaleq.intaleq.xyz/v2/main/sms_webhook/finalize_payout.php","walletintaleq.intaleq.xyz/v2/main/sms_webhook/finalize_wallet_payment.php","walletintaleq.intaleq.xyz/v2/main/sms_webhook/process_passenger_sms_payment.php","walletintaleq.intaleq.xyz/v2/main/sms_webhook/process_with_gemini.php","walletintaleq.intaleq.xyz/v2/main/sms_webhook/request_payout.php","walletintaleq.intaleq.xyz/v2/main/sms_webhook/save_raw_sms.php","walletintaleq.intaleq.xyz/v2/main/sms_webhook/save_raw_sms_passenger.php","walletintaleq.intaleq.xyz/v2/main/sms_webhook/webhook.php"]},"time":{"rules":[],"rules_parse_time":0.3470149040222168,"profiling_times":{"config_time":3.525599956512451,"core_time":5.40887713432312,"ignores_time":0.0010819435119628906,"total_time":8.948032855987549},"parsing_time":{"total_time":0.0,"per_file_time":{"mean":0.0,"std_dev":0.0},"very_slow_stats":{"time_ratio":0.0,"count_ratio":0.0},"very_slow_files":[]},"scanning_time":{"total_time":18.86908459663391,"per_file_time":{"mean":0.04137957148384623,"std_dev":0.022103438948977986},"very_slow_stats":{"time_ratio":0.0,"count_ratio":0.0},"very_slow_files":[]},"matching_time":{"total_time":0.0,"per_file_and_rule_time":{"mean":0.0,"std_dev":0.0},"very_slow_stats":{"time_ratio":0.0,"count_ratio":0.0},"very_slow_rules_on_files":[]},"tainting_time":{"total_time":0.0,"per_def_and_rule_time":{"mean":0.0,"std_dev":0.0},"very_slow_stats":{"time_ratio":0.0,"count_ratio":0.0},"very_slow_rules_on_defs":[]}
,"fixpoint_timeouts":[{"error_type":"Fixpoint timeout","severity":"warn","message":"Fixpoint timeout while performing taint analysis at walletintaleq.intaleq.xyz/v2/main/ride/cliq/verify_payment_ai.php:1:0 [rules: 1, first: php.lang.security.injection.tainted-callable.tainted-callable]","location":{"path":"walletintaleq.intaleq.xyz/v2/main/ride/cliq/verify_payment_ai.php","start":{"line":1,"col":1,"offset":0},"end":{"line":1,"col":1,"offset":0}}}],"prefiltering":{"project_level_time":0.0,"file_level_time":0.0,"rules_with_project_prefilters_ratio":0.0,"rules_with_file_prefilters_ratio":0.9992372234935164,"rules_selected_ratio":0.09610983981693363,"rules_matched_ratio":0.09610983981693363},"targets":[],"total_bytes":0,"max_memory_bytes":673257216},"engine_requested":"OSS","skipped_rules":[],"profiling_results":[]} \ No newline at end of file diff --git a/study.html b/study.html index 5a8cee9..fbf9194 100644 --- a/study.html +++ b/study.html @@ -373,7 +373,7 @@ 📄 للتفاصيل الكاملة حول الوثائق المطلوبة، شروط المركبات، والمراحل الزمنية الدقيقة، يرجى الرجوع إلى تبويب: دليل التراخيص والتسجيل. -
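Review bot: the `fixpoint_timeouts` entry at the end of this results file records that taint analysis on `walletintaleq.intaleq.xyz/v2/main/ride/cliq/verify_payment_ai.php` timed out under rule `php.lang.security.injection.tainted-callable.tainted-callable`, so that file has no complete injection result and must not be counted as clean in the audit; rerun it on its own with a larger `--timeout` value or record the gap in the report. Second, the scanned target list places `mtn/driver/private_key.pem`, `mtn/passenger/private_key.pem`, `syriatel/passenger/syriatel_token.cache`, `shamcash/last_id.txt`, `payMob/paymet_verfy.php.zip`, two `archive.zip` files and a number of `.log` and `error_log` files beside the PHP endpoints under the wallet vhost path, so the audit should confirm the web server denies direct requests for non-PHP files in that tree and that the key material there is rotated. Third, this raw Semgrep output is committed as a single-line JSON file that embeds the full path inventory of the wallet server; scan results of this kind belong in CI artifacts (or `.gitignore`), not in the repository.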

4. المصاريف التأسيسية الثابتة (CAPEX)

+

4. المصاريف التأسيسية الثابتة (CAPEX) — $11,000

تُدفع لمرة واحدة قبل بدء التشغيل:
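Review bot: the new heading figure `$11,000` matches neither the CAPEX total row introduced in the next hunk (`11,370$ - 11,770$ ≈ 11,500$ - 12,000$`) nor the `11,500$ - 12,000$` range quoted in section 9 of this same patch; pick one figure (the rounded range is what the rest of the document uses) so that heading, table and summary agree.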

@@ -381,19 +381,22 @@ - + - - - - - + + + + + + + +
البندالتكلفة
شهادة الاعتمادية (الهيئة الناظمة)600$
شهادة اعتمادية (الهيئة الناظمة)600$
أتعاب المحامي والتخليص القانوني1,500$
رسوم حكومية (وزارة النقل، سجل تجاري)200$
هواتف خدمة العملاء (3 أجهزة أندرويد)450$
أجهزة ومحطات التطوير (آيفون + أندرويد + أجهزة برمجة عالية الأداء)5,000$
تجهيز المكتب (3 مكاتب + 4 كنبايات ضيافة + أدوات مطبخ)850$
لابتوب للسيرفرات والإعلانات (بخصوص سوريا)350$
إجمالي التأسيس8,950$
هواتف خدمة العملاء (3 أجهزة)450$
أجهزة التطوير (MacBook Pro M4 + iPhone + Android)5,000$
لابتوب للسيرفرات وإدارة الإعلانات350$
تجهيز المكتب — أثاث (مكاتب، كراسي، برادي، رفوف، مراوح)1,320$
تجهيز المكتب — معدات (راوتر، طابعة 65$، إكسسوارات، مكيف، قرطاسية، أدوات ضيافة)855$
تجهيزات سكن المؤسس (سرير، فرشة، ثلاجة، غاز، سخان، برادي)695$
تكاليف السفر والنقل والإقامة التأسيسية (أسبوعين)400$ - 800$
إجمالي التأسيس11,370$ - 11,770$ ≈ 11,500$ - 12,000$
-

5. المصاريف التشغيلية الشهرية (OPEX) — خطة 14 شهراً

+

5. المصاريف التشغيلية الشهرية (OPEX) — $8,000/شهر
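Review bot: the itemised CAPEX rows sum to 11,370$ (low travel estimate) and 11,770$ (high), which matches the total row, but the `≈ 11,500$ - 12,000$` suffix rounds both bounds upward without saying it is a contingency buffer; either label it as such or carry the exact range into section 9. Minor: the first row's label lost its definite article (`شهادة الاعتمادية` became `شهادة اعتمادية`), which reads as an accidental edit.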

@@ -401,18 +404,19 @@ - - - - - - - - - + + + + + + + + +
راتب المطور والمشغل الرئيسي3,500$يغطي 5 أدوار (انظر التفصيل أدناه)
فريق خدمة العملاء (3 موظفين)350$رواتب تتراوح بين 100$ - 130$ للموظف الواحد
أجور السيرفرات والبنية التحتية السحابية200$لاستضافة التطبيق وقواعد البيانات والنسخ الاحتياطي
إيجار المكتب (مقر فعلي بدمشق)600$ضروري لتراخيص وزارة النقل
إيجار سكن300$
إدارة السوشيال ميديا (فريلانسر)200$
مرافق (إنترنت + كهرباء ومياه)110$40$ + 70$
راتب سكرتير (سكرتيرة)100$
الإجمالي الشهري5,360$
الإجمالي لـ 14 شهراً75,040$
فريق خدمة العملاء (3 موظفين)400$بمتوسط $133 للموظف (ألغي السكرتير)
أجور السيرفرات والبنية التحتية السحابية200$استضافة + نسخ احتياطي + Uptime 99.9%
إيجار المكتب (مقر فعلي بدمشق)600$كفرسوسة / المزة — 50-70 م²
إيجار سكن المشغل300$ضمن خطة الرواتب
خدمات الإنترنت45$خط ثابت مزدوج للموثوقية (بدلاً من 40$)
فاتورة الكهرباء70$مكتب + معدات + مكيف
باقات خطوط هواتف (3 أرقام)30$لخدمة العملاء
إعلانات رقمية (Facebook + TikTok)2,855$الباقي من الميزانية (ألغي السوشيال ميديا + السكرتير)
الإجمالي الشهري8,000$
+

ملاحظة: ألغي بند إدارة السوشيال ميديا (200$) وبند السكرتيرة (100$). الفائض (~355$) يُضاف إلى الإعلانات الرقمية (2,855$ بدلاً من 2,500$). تدريب خدمة العملاء: أسبوعين (بدلاً من 4).

🔍 المهام والمسؤوليات المطلوبة من المطور والمشغل الرئيسي (3,500$)

هذا المبلغ يغطي مهاماً كانت لتتطلب فريقاً كاملاً أو شركات خارجية بتكاليف مضاعفة:
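Review bot: the new OPEX rows reconcile (3,500 + 400 + 200 + 600 + 300 + 45 + 70 + 30 + 2,855 = 8,000$, and the note's 355$ surplus is 2,855 − 2,500), but the advertising row is defined as `الباقي من الميزانية` (the remainder of the budget), i.e. the 8,000$ monthly cap is the input and the ad spend is whatever is left; the table should say so up front instead of presenting 2,855$ as an estimated cost, since a later change to any other row silently changes the ad budget. Also the removed `الإجمالي لـ 14 شهراً` row has no replacement, so cumulative figures now exist only in the section 9 summary; state that cross-reference here if that is intended.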

@@ -484,85 +488,104 @@

8. التحليل المالي ونقطة التعادل (Break-Even)

-

المصاريف الشهرية الثابتة (بعد انتهاء خطة الحوافز في الشهر السابع):

+

المصاريف الشهرية الثابتة (OPEX):

- - - + +
البندالمبلغ
التشغيل (OPEX) شاملاً السيرفرات5,360$
الإعلانات الرقمية2,500$
الإجمالي7,860$
المصاريف التشغيلية الشهرية (OPEX) شاملة الإعلانات8,000$
الإجمالي8,000$

حساب نقطة التعادل:

- المطلوب: 7,860$ ÷ 0.30$ (عمولة/رحلة) = ~26,200 رحلة شهرياً = ~873 رحلة يومياً + المطلوب: 8,000$ ÷ 0.30$ (عمولة/رحلة) = ~26,667 رحلة شهرياً = ~889 رحلة يومياً

-

الواقع التشغيلي المتوقع في الشهر السادس:

-

التطبيق سيمتلك أسطولاً مزدوجاً:

- - -

جدول التدفق النقدي الشهري (الستة أشهر الأولى):

-

يوضح هذا الجدول مسار الصرف المتوقع حتى الوصول لنقطة التعادل التدريجية في الشهر السادس.

+

جدول التدفق النقدي الشهري — 14 شهراً (نموذج الدفع الشهري):

- + - - - - - - - + + + + + + + + + + + + + + +
الشهرالتشغيل (OPEX)التسويقحوافز السائقينإجمالي الصرف الشهريإجمالي تراكمي
الشهرصرف المستثمرالإيراداتالعجز الشهريالإجمالي المدفوعرحلات/يومسائق نشط
التأسيس (CAPEX)---8,950$8,950$
الشهر 15,360$2,500$1,500$9,360$18,310$
الشهر 25,360$2,500$1,800$9,660$27,970$
الشهر 35,360$2,500$1,950$9,810$37,780$
الشهر 45,360$2,500$2,700$10,560$48,340$
الشهر 55,360$2,500$3,600$11,460$59,800$
الشهر 6 (التعادل)5,360$2,500$4,500$12,360$72,160$
التأسيس (CAPEX)11,500-12,000$-11,500-12,000$11,500-12,000$
الشهر 18,000$270$-7,730$~19,500$30100
الشهر 28,000$630$-7,370$~27,500$70120
الشهر 38,000$1,350$-6,650$~35,500$150220
★ الشهر 4 — نقطة الفحص8,000$3,150$-4,850$~43,500$350350
★ الشهر 5 — آخر نقطة خروج8,000$5,400$-2,600$~51,500$600480
الشهر 68,000$6,750$-1,250$~59,500$750550
⚡ الشهر 7 — تعادل متفائل8,000$8,100$+100$~67,500$900630
⚡ الشهر 8 — تعادل قاعدي8,000$9,450$+1,450$~75,500$1,050750
⚡ الشهر 9 — تعادل محافظ8,000$10,500$+2,500$~83,500$1,167840
الشهر 100$ — ذاتي11,250$+3,250$1,250900
الشهر 110$ — ذاتي12,375$+4,375$1,375980
الشهر 120$ — ذاتي13,500$+5,500$1,5001,050
الشهر 130$ — ذاتي14,400$+6,400$1,6001,100
الشهر 140$ — ذاتي15,300$+7,300$1,7001,150
+

* بعد نقطة التعادل (الشهر 7-9): الإيرادات تغطي كامل OPEX، المستثمر يتوقف عن الدفع الشهري تلقائياً.

-

9. ملخص رأس المال المطلوب من المستثمر

+

9. ملخص رأس المال المطلوب من المستثمر — نموذج الدفع الشهري

- + - - - - - - + + + + + +
البندالمبلغ ($)النسبة
البندالمبلغ ($)
التأسيس والتراخيص وأجهزة التطوير (CAPEX)8,9505%
التشغيل والرواتب والسيرفرات - 14 شهراً (OPEX)75,04042%
التسويق والإعلانات60,00033%
حوافز السائقين (6 أشهر)16,0509%
الاحتياطي والطوارئ المتبقي19,96011%
الإجمالي180,000100%
رأس المال التأسيسي (CAPEX) — دفعة واحدة11,500$ - 12,000$
المصاريف التشغيلية الشهرية (OPEX)8,000$/شهر
إجمالي التعرض عند الخروج المبكر (ش5)~51,500$ - 52,000$
إجمالي الاستثمار حتى التعادل (متفائل — ش7)~59,500$ - 60,000$
إجمالي الاستثمار حتى التعادل (قاعدي — ش8)~67,500$ - 68,000$
إجمالي الاستثمار حتى التعادل (محافظ — ش9)~75,500$ - 76,000$
- المبلغ المطلوب من المستثمر: 180,000$ دولار أمريكي
- (مائة وثمانون ألف دولار أمريكي) + رأس المال التأسيسي: 11,500$ - 12,000$ دولار أمريكي
+ + $8,000/شهر مصاريف تشغيلية حتى التعادل
-

10. مؤشرات الأداء الرئيسية (KPIs) للمستثمر

-

لضمان الشفافية ومتابعة نمو الاستثمار، سيتم الاعتماد على المؤشرات التالية كمعايير نجاح (Milestones):

+

10. مؤشرات الأداء — نقاط الفحص واتخاذ القرار

+ +

نقطة الفحص (الشهر 4):

- + - - - - + + + + + + + +
المؤشرالشهر 3الشهر 6 (نقطة التعادل)الشهر 12
المؤشرالحد الأدنى المقبولالحد المثالي
عدد الرحلات اليومية1508621,500+
سائقون نشطون220500+800+
تقييم متوسط للتطبيق4.3+4.5+4.6+
تكلفة اكتساب الراكب (CAC)<1$<0.6$<0.4$
الرحلات اليومية70 رحلة/يوم150 رحلة/يوم
السائقون المسجلون150 سائق350 سائق
السائقون النشطون (>3 رحلات/أسبوع)50 سائق150 سائق
الإيرادات الشهرية$630$1,350
معدل احتجاز السائق50%70%
تقييم التطبيق في المتجر3.0+3.5+
+
+ +

نقطة القرار النهائي (الشهر 5):

+
+ + + + + + + + + +
المؤشرالحد الأدنى للاستمرارالخروج إذا أقل من
الرحلات اليومية120 رحلة/يوم70 رحلة/يوم
السائقون النشطون100 سائق50 سائق
الإيرادات الشهرية$1,080+$630
نمو أسبوعي موثق+10% نمو متواصلثبات أو تراجع
عقود B2B موقعةعقد واحد على الأقلصفر عقود B2B
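Review bot: the cash-flow table and the section 9 summary disagree on when the investor stops paying. The rows for months 7, 8 and 9 still show `8,000$` under `صرف المستثمر` and the cumulative column keeps growing (59,500 to 67,500 to 75,500 to 83,500), yet the footnote says the investor stops paying automatically at break-even and section 9 quotes `~59,500$` for the month-7 case, which is the cumulative at the end of month 6. Either zero the investor column from the break-even month onward and recompute the cumulative, or state that the section 9 totals exclude the break-even month. Related: months 7, 8 and 9 are labelled optimistic, base and conservative break-even, but they are consecutive rows of a single revenue trajectory (900, 1,050 and 1,167 rides/day at 0.30$ each), so the table models one scenario; three scenarios need three revenue columns or three tables. Finally, the month-4 checkpoint (ideal `150 رحلة/يوم`, `$1,350`) and the month-5 decision thresholds (`120 رحلة/يوم`, `$1,080+`) are far below the same months in the cash-flow table (350 and 600 rides/day; 3,150$ and 5,400$) and in fact coincide with the table's month-2 and month-3 values; say explicitly that the gates are set one to two months behind the projection, otherwise the two tables read as contradicting each other.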
@@ -584,11 +607,12 @@

12. الخلاصة للمستثمر

هذا المشروع يتميز بميزة نادرة: المنتج التقني جاهز والسوق مُثبت ميدانياً. نحن لسنا في مرحلة بناء المنتج، نحن في مرحلة السيطرة على السوق.

-

بمبلغ 175,000$ فقط:

+

بمبدأ الدفع الشهري المرحلي:
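Review bot: this hunk replaces the `175,000$` lead-in with `بمبدأ الدفع الشهري المرحلي:` but the rendered hunk stops before the bullet list under that heading; in the archived copy added by this same patch those bullets still promise break-even in the sixth month or earlier and self-funding after month six, which contradicts the months 7 to 9 break-even used in section 8 and the monthly-payment model. Confirm the bullets in `study.html` were updated as well.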

diff --git a/study_v2_archive.html b/study_v2_archive.html new file mode 100644 index 0000000..5a8cee9 --- /dev/null +++ b/study_v2_archive.html @@ -0,0 +1,1102 @@ + + + + + + دراسة الجدوى - تطبيق سيرو 🇸🇾 + + + + + + + + + + + + + + + + + + +
+
+
+

مشروع النقل الذكي (تطبيق سيرو) — سوريا 🇸🇾

+

خطة تمويل 14 شهراً — النسخة النهائية للمستثمرين

+
+
+ Siro Logo +
+
+ + +
+
+ + + + + +
+
+
+ + +
+ + +
+ +
+

المحتويات

+
+
1. الملخص التنفيذي وأطروحة الاستثمار
+
2. إثبات السوق (Pilot Validation)
+
3. الإطار القانوني والتراخيص
+
4. المصاريف التأسيسية (CAPEX)
+
5. المصاريف التشغيلية الشهرية (OPEX)
+
6. استراتيجية بناء الأسطول
+
استراتيجيات النمو والتسويق (في تبويب مستقل)
+
7. استراتيجية التوسع الجغرافي
+
8. التحليل المالي ونقطة التعادل
+
9. ملخص رأس المال المطلوب
+
10. مؤشرات الأداء الرئيسية (KPIs)
+
11. المخاطر والتخفيف
+
12. الخلاصة للمستثمر
+
+
+ +

1. الملخص التنفيذي وأطروحة الاستثمار

+ +

المشروع

+

إطلاق تطبيق نقل ذكي (سيرو) بهوية تجارية جديدة كلياً في السوق السوري، بدءاً من دمشق، مع خطة توسع منهجية نحو المحافظات الأخرى. التطبيق مبني على بنية تحتية تقنية جاهزة ومُختبرة ميدانياً.

+ +

لماذا هذا الاستثمار مختلف ومربح؟

+
+ "هذا التمويل للنمو والسيطرة على السوق، وليس لبناء المنتج." +
+

على عكس الشركات الناشئة التي تطلب المال لبناء التطبيق وتوظيف فريق البرمجة:

+
    +
  • المنتج البرمجي جاهز بالكامل: تطبيق أندرويد، iOS، لوحة تحكم إدارية، نظام مطابقة ذكي، محافظ رقمية، وخرائط محلية.
  • +
  • البنية التحتية جاهزة: سيرفرات سحابية، أنظمة دفع، خوارزميات مطابقة، ونظام GPS.
  • +
  • الترخيص الحكومي متاح: خبرة سابقة كاملة في إجراءات الترخيص لدى الهيئة الناظمة ووزارة النقل.
  • +
  • كل دولار من هذه الجولة الاستثمارية سيتحول مباشرة إلى مستخدمين وسائقين وحصة سوقية.
  • +
+ +

الفرضيات المالية الأساسية والميزة التنافسية

+ +
+
+

مؤشرات التطبيق:

+
+ + + + + + + + +
متوسط سعر الرحلة2.70$ (حوالي 280 ل.س)
نسبة عمولة التطبيق11% ثابتة
صافي عمولة الرحلة للتطبيق~0.30$
معدل رحلات السائق اليومي3 رحلات (فرضية متحفظة)
خطة التمويل (Runway)14 شهراً
+
+
+
+

مقارنة عمولات السوق (السوق السوري):

+
+ + + + + + + + + + +
التطبيق المنافسنسبة العمولة
تطبيق يلا جو (YallaGo)~ 20%
تطبيق زاكن (Zakinn)~ 17%
تطبيق تفضل15%
تطبيق سيرو (Siro)11% (جذب هائل للسائقين)
+
+
+
+ +

2. إثبات السوق — نتائج التشغيل التجريبي (Pilot)

+

خلال تجربة تشغيلية سابقة مدتها 45 يوماً فقط وبميزانية تسويقية لم تتجاوز 1,400$، تم تحقيق النتائج التالية:

+ +
+ + + + + + + + + + + +
المؤشرالنتيجة
السائقون الموثّقون (Onboarded)1,447 سائق (انظر الملاحظة أدناه)
الركاب المسجلون2,891 راكب
طلبات الرحلات697 طلب رحلة
تكلفة اكتساب الراكب (CAC Signal)~0.48$ فقط
سبب التوقفنفاد ميزانية النمو (وليس فشل المنتج أو رفض السوق)
+
+ +

الدرس المستفاد من التجربة (التغيير الاستراتيجي)

+

السائقون البالغ عددهم 1,447 كانوا موزعين ومشتتين على كافة المحافظات السورية وليس في نطاق جغرافي واحد. التحدي الوحيد كان تشتت الكثافة الجغرافية. هذا الدرس أصبح حجر الأساس لاستراتيجية "الكثافة أولاً (Density-First)" المعتمدة في هذه الخطة، حيث سيتم استهداف الرقعة الجغرافية المحددة والتركيز على السائقين المتواجدين في مناطق الاهتمام فقط.

+
+ 📍 لمشاهدة خارطة توزع السائقين من التجربة السابقة، انتقل إلى تبويب: توزع السائقين +
+ +

3. الإطار القانوني والتراخيص

+ +

الأساس القانوني

+

يعمل المشروع وفق القانون رقم 16 لعام 2021 الذي ينظم نقل الركاب عبر التطبيقات الإلكترونية في سوريا.

+ +

مراحل الترخيص والمدة المتوقعة

+
+ + + + + + + + + + + + +
المرحلةالمدةالتكلفة
تأسيس الشركة + السجل التجاري1-2 أسبوعضمن رسوم المحامي
تقديم طلب الترخيص + الملف الفني1-2 أسبوع
المراجعة الفنية + الموافقة المبدئية (الهيئة الناظمة)2-4 أسابيع
التنسيق مع وزارة النقل2-3 أسابيع
إصدار شهادة الاعتمادية + الترخيص النهائي1-2 أسبوع600$
الإجمالي8-14 أسبوعاً
+
+ +
+ 📄 للتفاصيل الكاملة حول الوثائق المطلوبة، شروط المركبات، والمراحل الزمنية الدقيقة، يرجى الرجوع إلى تبويب: دليل التراخيص والتسجيل. +
+ +

4. المصاريف التأسيسية الثابتة (CAPEX)

+

تُدفع لمرة واحدة قبل بدء التشغيل:

+
+ + + + + + + + + + + + + + +
البندالتكلفة
شهادة الاعتمادية (الهيئة الناظمة)600$
أتعاب المحامي والتخليص القانوني1,500$
رسوم حكومية (وزارة النقل، سجل تجاري)200$
هواتف خدمة العملاء (3 أجهزة أندرويد)450$
أجهزة ومحطات التطوير (آيفون + أندرويد + أجهزة برمجة عالية الأداء)5,000$
تجهيز المكتب (3 مكاتب + 4 كنبايات ضيافة + أدوات مطبخ)850$
لابتوب للسيرفرات والإعلانات (بخصوص سوريا)350$
إجمالي التأسيس8,950$
+
+ +

5. المصاريف التشغيلية الشهرية (OPEX) — خطة 14 شهراً

+
+ + + + + + + + + + + + + + + + +
البندالتكلفة الشهريةملاحظات
راتب المطور والمشغل الرئيسي3,500$يغطي 5 أدوار (انظر التفصيل أدناه)
فريق خدمة العملاء (3 موظفين)350$رواتب تتراوح بين 100$ - 130$ للموظف الواحد
أجور السيرفرات والبنية التحتية السحابية200$لاستضافة التطبيق وقواعد البيانات والنسخ الاحتياطي
إيجار المكتب (مقر فعلي بدمشق)600$ضروري لتراخيص وزارة النقل
إيجار سكن300$
إدارة السوشيال ميديا (فريلانسر)200$
مرافق (إنترنت + كهرباء ومياه)110$40$ + 70$
راتب سكرتير (سكرتيرة)100$
الإجمالي الشهري5,360$
الإجمالي لـ 14 شهراً75,040$
+
+ +

🔍 المهام والمسؤوليات المطلوبة من المطور والمشغل الرئيسي (3,500$)

+

هذا المبلغ يغطي مهاماً كانت لتتطلب فريقاً كاملاً أو شركات خارجية بتكاليف مضاعفة:

+
    +
  1. الإدارة التشغيلية: الإشراف اليومي على العمليات، وتوجيه فريق خدمة العملاء، وإدارة التسعير الديناميكي.
  2. +
  3. التطوير التقني المستمر: تحديث الأكواد، برمجة الميزات الجديدة لضمان الاستقلالية التقنية الكاملة.
  4. +
  5. إدارة السيرفرات (DevOps): مراقبة استقرار السيرفرات السحابية واستيعابها للضغط المتزايد دون توقف.
  6. +
  7. الأمن السيبراني: حماية قواعد بيانات العملاء وتأمين المحافظ الرقمية والأرصدة.
  8. +
  9. إدارة خوارزميات المطابقة: تحسين ربط السائق بالراكب جغرافياً لتقليل أوقات الانتظار.
  10. +
+ +

6. استراتيجية بناء الأسطول (النواة الصلبة + الانتشار العضوي)

+ +

الفلسفة: لماذا لا ندفع لكل السائقين؟

+

تعتمد الخطة على تمويل "النواة الصلبة" من السائقين فقط (السائقون المحفزون)، بينما يتضاعف عدد السائقين النشطين العضويين بشكل طبيعي بفضل العامل النفسي وعدوى النجاح، دون أن يكلفوا الشركة أي حوافز إضافية.

+ +
+ + + + + + + + +
النوعالتعريفالتكلفة على الشركة
السائق المحفزيحقق 7 ساعات عمل يومياً + 80% نسبة قبول = يستحق 15$/شهرمدفوع (كاش + رصيد)
السائق النشط العضوييعمل بدوام جزئي أو لم يحقق شروط الحافز لكنه متواجد وينجز رحلاتصفر تكلفة (يدرّ أرباحاً صافية)
+
+ +

خطة حوافز النواة الصلبة (أول 6 أشهر فقط)

+
+ + + + + + + + + + + + + +
الشهرعدد السائقين المحفزينالتكلفة الشهرية
الأول1001,500$
الثاني1201,800$
الثالث1301,950$
الرابع1802,700$
الخامس2403,600$
السادس3004,500$
الإجمالي16,050$
+
+ + + +

7. استراتيجية التوسع الجغرافي — خارطة دمشق

+ +

التقسيم الجغرافي الاستراتيجي

+
+ + + + + + + + + + +
المنطقةالأحياءالأولويةمستوى الدخل
🟢 منطقة أالمزة، كفرسوسة، المالكيةالشهر 1مرتفع جداً (سفارات، شركات)
🔵 منطقة بأبو رمانة، المهاجرين، الروضة، الجسر الأبيضالأشهر 2-3مرتفع (وزاري، حكومي)
🟡 منطقة جدمر، ركن الدين، القصاع، المزة فيلات غربيةالأشهر 4-6متوسط-مرتفع (كثافة سكانية عالية)
🔴 منطقة دبرزة، جرمانا، قدسيا، دارياالشهر 7+متوسط (ضواحي — يُضاف بعد التعادل)
+
+ +
+ 🗺️ لمشاهدة التوزيع الجغرافي التفصيلي، انتقل إلى تبويب: خارطة التوسع الجغرافي +
+ +

8. التحليل المالي ونقطة التعادل (Break-Even)

+ +

المصاريف الشهرية الثابتة (بعد انتهاء خطة الحوافز في الشهر السابع):

+
+ + + + + + + + + +
البندالمبلغ
التشغيل (OPEX) شاملاً السيرفرات5,360$
الإعلانات الرقمية2,500$
الإجمالي7,860$
+
+ +

حساب نقطة التعادل:

+

+ المطلوب: 7,860$ ÷ 0.30$ (عمولة/رحلة) = ~26,200 رحلة شهرياً = ~873 رحلة يومياً +

+ +

الواقع التشغيلي المتوقع في الشهر السادس:

+

التطبيق سيمتلك أسطولاً مزدوجاً:

+
    +
  • 300 سائق محفز (النواة): 3 رحلات × 300 = 900 رحلة يومياً (تغطي نقطة التعادل بمفردها).
  • +
  • + مئات السائقين النشطين العضويين: رحلات إضافية تشكل الربح الصافي المتزايد.
  • +
+ +

جدول التدفق النقدي الشهري (الستة أشهر الأولى):

+

يوضح هذا الجدول مسار الصرف المتوقع حتى الوصول لنقطة التعادل التدريجية في الشهر السادس.

+
+ + + + + + + + + + + + + +
الشهرالتشغيل (OPEX)التسويقحوافز السائقينإجمالي الصرف الشهريإجمالي تراكمي
التأسيس (CAPEX)---8,950$8,950$
الشهر 15,360$2,500$1,500$9,360$18,310$
الشهر 25,360$2,500$1,800$9,660$27,970$
الشهر 35,360$2,500$1,950$9,810$37,780$
الشهر 45,360$2,500$2,700$10,560$48,340$
الشهر 55,360$2,500$3,600$11,460$59,800$
الشهر 6 (التعادل)5,360$2,500$4,500$12,360$72,160$
+
+ +

9. ملخص رأس المال المطلوب من المستثمر

+
+ + + + + + + + + + + + +
البندالمبلغ ($)النسبة
التأسيس والتراخيص وأجهزة التطوير (CAPEX)8,9505%
التشغيل والرواتب والسيرفرات - 14 شهراً (OPEX)75,04042%
التسويق والإعلانات60,00033%
حوافز السائقين (6 أشهر)16,0509%
الاحتياطي والطوارئ المتبقي19,96011%
الإجمالي180,000100%
+
+ +
+ المبلغ المطلوب من المستثمر: 180,000$ دولار أمريكي
+ (مائة وثمانون ألف دولار أمريكي) +
+ +

10. مؤشرات الأداء الرئيسية (KPIs) للمستثمر

+

لضمان الشفافية ومتابعة نمو الاستثمار، سيتم الاعتماد على المؤشرات التالية كمعايير نجاح (Milestones):

+
+ + + + + + + + + + +
المؤشرالشهر 3الشهر 6 (نقطة التعادل)الشهر 12
عدد الرحلات اليومية1508621,500+
سائقون نشطون220500+800+
تقييم متوسط للتطبيق4.3+4.5+4.6+
تكلفة اكتساب الراكب (CAC)<1$<0.6$<0.4$
+
+ +

11. المخاطر والتخفيف

+
+ + + + + + + + + +
المخاطر المحتملةاحتمالية الحدوثاستراتيجية التخفيف
تأخر إصدار التراخيصمتوسطةمحامٍ متخصص + خبرة سابقة في الإجراءات
تقلب سعر صرف الليرةمرتفعةالاحتياطي المالي المتبقي (16,500$) + التسعير الديناميكي
منافسة شديدةمتوسطةعمولة تنافسية للسائق (11%) + استهداف مناطق غنية
+
+ +

12. الخلاصة للمستثمر

+

هذا المشروع يتميز بميزة نادرة: المنتج التقني جاهز والسوق مُثبت ميدانياً. نحن لسنا في مرحلة بناء المنتج، نحن في مرحلة السيطرة على السوق.

+ +

بمبلغ 175,000$ فقط:

+
    +
  • نغطي 14 شهراً كاملة من العمليات والسيرفرات والتسويق والرواتب.
  • +
  • نصل إلى نقطة التعادل في الشهر السادس أو قبله.
  • +
  • وبعد الشهر السادس، تصبح الشركة ذاتية التمويل للتوسع نحو محافظات أخرى من أرباحها.
  • +
+ +
+

الفرصة أمامك. السوق ينتظر. والبنية التحتية جاهزة.

+

كل ما ينقص هو الوقود.

+
+
+ + +
+

خارطة توزع السائقين — نتائج التشغيل التجريبي

+

توضح الخارطة أدناه الكثافة الجغرافية والتجمعات الفعلية للسائقين الذين تم استقطابهم وتسجيلهم بنجاح (1,447 سائق).
المشكلة واضحة: السائقون مشتتون على امتداد المحافظات السورية، مما يثبت صحة استراتيجية "التركيز وبناء الكثافة" بدمشق أولاً.

+ +
+
+ + +
+

إحصائيات الكثافة

+
إجمالي المجموعات: 0
+
إجمالي السائقين: 0
+
أكبر تجمع: 0
+
+
+
+ + +
+

خارطة التوسع الجغرافي - دمشق

+
+
+ + +
+ +
+

دليل التراخيص والتسجيل: تطبيق نقل ذكي في سوريا

+

(الإجراءات القانونية والفنية الكاملة - محدّث 2026)

+
+ +

1. الإطار القانوني الحاكم

+ +

القانون رقم 16 لعام 2021 (قانون النقل بالتطبيقات الإلكترونية)

+

هذا القانون هو الأساس القانوني الذي يسمح لأصحاب السيارات الخاصة والصغيرة بنقل الركاب عبر تطبيقات الهاتف، بشرط أن تكون الشركة المشغلة مرخصة رسمياً من وزارة النقل وتعمل تحت إشراف الهيئة الناظمة للاتصالات والبريد.

+ +

الجهات المعنية بالترخيص

+
+ + + + + + + + + +
الجهةالدور
الهيئة الناظمة للاتصالات والبريد (NANS)منح الترخيص التقني للتطبيق (شهادة الاعتمادية)، والإشراف على البنية التقنية.
وزارة النقلترخيص الشركة كناقل رسمي، فحص المركبات، والإشراف التشغيلي.
الهيئة الوطنية لخدمات تقانة المعلوماتالإبلاغ عن التطبيق (مبدأ "الإعلام" بدلاً من "الترخيص").
+
+ +

2. شروط الشركة المتقدمة (طالب الترخيص)

+
    +
  1. الشكل القانوني: شركة محدودة المسؤولية مؤسسة في سوريا.
  2. +
  3. غاية الشركة: تقديم خدمة نقل الركاب باستخدام التطبيق الإلكتروني في السجل التجاري.
  4. +
  5. المقر الفعلي: يُفضل بشدة أن يكون للشركة مقر فعلي (مكتب) لتسهيل إجراءات وزارة النقل.
  6. +
+ +

3. الوثائق المطلوبة لتقديم طلب الترخيص

+
+ + + + + + + + + + +
#الوثيقةملاحظات
1استمارة طلب الترخيصنموذج رسمي معتمد
2صورة مصدقة عن السجل التجاريأو نظام التأسيس
3وثائق "لا حكم عليه"للمؤسسين
4ملف فني تقنييوضح آلية عمل التطبيق
+
+ +

4. شروط المركبات والسائقين

+
    +
  • المركبات: مسجلة "فئة خاصة"، لا يزيد عمرها عن 20 سنة، تأمين إلزامي، فحص فني، ملصق شعار الشركة.
  • +
  • السائقين: سوري الجنسية، مالك للمركبة، لا حكم عليه، إجازة سوق سارية.
  • +
+ +

5. مراحل الترخيص وتسلسلها الزمني المتوقع

+ +
+ +
+
+ الأسبوع 1 - 2 +

تأسيس الشركة والسجل التجاري

+

تسجيل الشركة (م.م.ذ) وإضافة غاية "نقل الركاب بالتطبيق الإلكتروني" بشكل رسمي.

+
+
+ +
+
+ الأسبوع 3 - 4 +

تقديم الطلب والملف الفني

+

تجميع كافة الوثائق وتقديمها للهيئة الناظمة للاتصالات والبريد لدراسة الطلب.

+
+
+ +
+
+ الأسبوع 5 - 8 +

المراجعة الفنية والموافقة المبدئية

+

تقوم الهيئة بفحص الملف التقني وبنية التطبيق والسيرفرات ومنح الموافقة المبدئية للعمل.

+
+
+ +
+
+ الأسبوع 8 - 12 +

التنسيق مع وزارة النقل

+

فحص المركبات، التأكد من السلامة التشغيلية وشروط السائقين بحسب القانون.

+
+
+ +
+
+ الأسبوع 12 - 14 +

الترخيص النهائي والإطلاق

+

إصدار شهادة الاعتمادية النهائية وبدء العمليات التشغيلية للتطبيق في الشارع السوري.

+
+
+ +
+ +

6. التكاليف التقديرية للتراخيص

+
+ + + + + + + + + + +
البندالتكلفة التقديرية
رسوم شهادة الاعتمادية (NANS)600$
أتعاب المحامي (لتخليص جميع الإجراءات)1,200$ - 1,500$
رسوم متفرقة (وزارة النقل، سجل تجاري)~200$
الإجمالي التقديري2,000$ - 2,300$
+
+ +

7. نصائح عملية لتسريع الإجراءات

+
    +
  1. وكّل محامياً متخصصاً: محامٍ لديه علاقات في وزارة النقل والهيئة الناظمة سيختصر عليك أسابيع.
  2. +
  3. جهّز الملف الفني مسبقاً: لا تنتظر حتى تقدم الطلب. جهّز وثيقة تقنية احترافية توضح بنية التطبيق.
  4. +
  5. ابدأ بتأسيس الشركة فوراً: السجل التجاري يستغرق وقتاً ويمكن أن يسير بالتوازي مع التطوير.
  6. +
  7. المقر الفعلي ضروري: لا تعتمد على "المكتب المرن (عقد مرن)" لأنه قد لا يكفي لإجراءات فحص وزارة النقل. استأجر مكتباً فعلياً مستقلاً في دمشق.
  8. +
+ +
+ + +
+

دراسات تسويقية واستراتيجيات النمو

+ +

1. استراتيجيات النمو: تحفيز الركاب ونظام الإحالة المتكامل

+

لضمان سرعة الانتشار وتقليل تكلفة الاستحواذ على العملاء (CAC)، يعتمد التطبيق على محرك نمو داخلي (Growth Engine) يحفز التكرار والمشاركة الفيروسية.

+ +

القسم أ: تحفيز الركاب وتعزيز الطلب اليومي

+
    +
  1. التوزيع الذكي وإبراز جودة السائق: عند قبول الطلب، يتلقى الراكب "بطاقة السائق" متضمنة تقييمه وشارته (مثلاً: سائق نخبة، موثوق). يعتمد التوزيع على الأولوية: يُرسل الطلب حصرياً لأعلى السائقين تقييماً في النطاق لمدة 7 ثوانٍ، ثم يُوسع. (معيار الأفضلية = 40% تقييم + 30% نسبة قبول + 30% نشاط الأسبوع).
  2. +
  3. أكواد الترحيب والخصم التدريجية: أول رحلة مخفضة أو مجانية عبر كود التسجيل. تليها أكواد ترويجية ذات صلاحية محدودة (48 ساعة) تُوزع عبر قنوات تيليغرام وواتساب الرسمية لخلق دافع للاستخدام الفوري (Urgency).
  4. +
  5. الرحلات المتسلسلة (Ride Streaks): أهداف أسبوعية بسيطة للراكب تظهر داخل التطبيق (مثال: أتمم 3 رحلات هذا الأسبوع واحصل على الرابعة بخصم 50%). يتجدد النظام تلقائياً كل أسبوع.
  6. +
  7. ساعة السعادة (Happy Hour): خصومات محددة في أوقات هدوء الطلب (مثال: 2 - 4 عصراً) على مناطق محددة، تُعلن عبر إشعارات الـ Push Notification لضمان استمرار دوران الأسطول.
  8. +
  9. محفظة النقاط (Siro Points): كل رحلة تُولد نقاطاً تُضاف لمحفظة الراكب كخصم للرحلات القادمة. هذا يخلق "رصيداً محجوزاً" يدفع المستخدم العشوائي للتحول إلى مستخدم وفيّ.
  10. +
  11. باقة الاشتراك الشهري (Siro Pass): خيار اشتراك مسبق الدفع يمنح الراكب عدداً معيناً من الرحلات بخصم ثابت، مما يضمن طلباً منتظماً ويحسن التدفق النقدي للشركة.
  12. +
+ +

القسم ب: نظام الإحالة والمشاركة الفيروسي (Referral System)

+

الاعتماد على كود موحد من 6 خانات لكل مستخدم. يعمل الكود لجميع أنواع الإحالات، ويقوم السيرفر بتحديد نوع العلاقة تلقائياً لتطبيق المكافأة المناسبة فوراً.

+ +
+ + + + + + + + + + +
نوع الإحالةمكافأة الداعي (Inviter)مكافأة المدعو (Invitee)
راكب ⟵ يدعو ⟵ راكبرصيد 1.5$أول رحلة بنصف السعر
راكب ⟵ يدعو ⟵ سائق0.50$ / رحلة (لأول 30 رحلة)مكافأة تسجيل (بونص)
سائق ⟵ يدعو ⟵ راكب0.30$ / رحلة (لأول 10 رحلات)خصم ترحيبي للراكب
سائق ⟵ يدعو ⟵ سائق5$ بعد 50 رحلة مكتملةمكافأة انضمام
+
+ +
+ استراتيجية الدعوة الفورية داخل السيارة (Quick Invite): +

زر مخصص في واجهة السائق يولد (QR Code) ورابط (Deep Link) فوري. عندما يقلّ السائق راكباً من الشارع (توصيلة خاصة)، يمكن للراكب مسح الكود ليتم توجيهه للمتجر وتنزيل التطبيق. بمجرد التسجيل، يُحسب الكود تلقائياً للسائق كإحالة ناجحة، مما يحول الركاب العشوائيين إلى مستخدمين دائمين لمنصتنا بدون أي إدخال يدوي.

+
+ +

القسم ج: استراتيجية الثقة والالتزام المجتمعي

+

الخطر الحقيقي: أن يجرّب الراكب مرة واحدة وما يعود، أو أن يلتحق السائق ثم يترك بعد شهر. المشكلة في الأسواق المشابهة لم تكن المنتج، بل كانت التوزيع المتشتت وضعف التمويل. مع توفر الكثافة الجغرافية والتمويل، نعالج هذا الخطر عبر التزام متبادل وانتماء للمشروع.

+ +

أولاً — للسائق: الالتزام المتبادل لا الحافز فقط

+
+ مشكلة الحوافز المالية وحدها: السائق يأتي للمال ويرحل مع أول عرض أفضل من المنافس. الحل هو جعله يشعر بالانتماء قبل المال. +
+
    +
  1. ميثاق السائق المؤسس: أول 300 سائق يوقّعون على "ميثاق المؤسسين" — وثيقة رمزية تتضمن: ضمان حد أدنى للدخل خلال الأشهر الثلاثة الأولى من الشركة، مقابل ساعات عمل محددة والحفاظ على تقييم 4.5+ من السائق. (يخلق ولاء نفسي).
  2. +
  3. مجتمع السائقين الرسمي: مجموعة واتساب رسمية مُدارة، لقاء شهري، إشراك السائق في قرارات التطبيق، وإعلان أفضل سائق شهرياً على صفحات سيرو.
  4. +
  5. مسار النمو المرئي للسائق: +
      +
    • 🥉 سائق جديد: 0-50 رحلة ← أولوية في الطلبات العادية
    • +
    • 🥈 سائق فضي: 51-200 رحلة ← طلبات حصرية + شارة مرئية
    • +
    • 🥇 سائق ذهبي: 201-500 رحلة ← أولوية قصوى + مكافأة شهرية
    • +
    • 💎 سائق نخبة: 500+ رحلة ← عمولة مخفضة 9% بدل 11%
    • +
    +
  6. +
+ +

ثانياً — للراكب: الانتماء قبل الخصم

+
+ مشكلة الخصومات وحدها: الراكب الذي جاء بخصم يرحل مع خصم أفضل. الحل هو جعله يشعر أنه جزء من المشروع. +
+
    +
  1. برنامج المؤسسين (أول 500 راكب): شارة "مؤسس سيرو" دائمة، خصم ثابت 10% إلى الأبد، واسمهم في صفحة "من بنى سيرو معنا". تكلفة ضئيلة بأثر نفسي وتسويق عضوي ضخم.
  2. +
  3. الشفافية كسلاح تسويقي: شعار الحملة "سائقك يأخذ ما يصل إلى 89% من كل رحلة". في سوق يأخذ فيه المنافسون 17-20%، هذه الشفافية تكسب ثقة الراكب وتجذب السائق فوراً.
  4. +
  5. ضمان التوفر في المناطق المستهدفة: تعهّد رسمي في التطبيق (في المزة وكفرسوسة وأبو رمانة — سيارتك خلال 8 دقائق أو الرحلة مجانية). يبني توقعاً واضحاً ويميزنا عن المنافسين.
  6. +
+ +

ثالثاً — كسر معادلة الدجاجة والبيضة

+

الراكب لا يفتح التطبيق لعدم وجود سائق، والسائق لا يعمل لعدم وجود راكب. الحل: عملاء B2B كـ Anchor قبل الإطلاق. بدلاً من الاعتماد فقط على الركاب الأفراد في الأيام الأولى، سنقوم بتأمين رحلات يومية مضمونة للسائقين عبر عقود الشركات.

+ +
+

خطة تنفيذ المبيعات للشركات (B2B Execution Plan)

+
    +
  • الشركات المستهدفة (Target): الفنادق المتوسطة والفخمة (مثل فندق الشام، الداما روز)، المطاعم الكبرى لتوصيل موظفيها ليلاً، وشركات الاتصالات والبنوك لنقل مدرائهم.
  • +
  • المسؤول عن التنفيذ والإطار الزمني: يتولى "المشغل الرئيسي" مهام الـ B2B Sales. يبدأ التواصل قبل الإطلاق الفعلي بـ 45 يوماً (أثناء فترة التراخيص).
  • +
  • الشكل القانوني: توقيع "مذكرة تفاهم (MoU)" للتعاون المشترك لا تلزم الشركة بأي مبالغ مقدمة، بل تقدم لهم نظام "لوحة تحكم الشركات (Corporate Dashboard)" لطلب سيارات لموظفيهم ودفع الفواتير نهاية الشهر بخصم خاص.
  • +
  • الفائدة للسائق: السائق المحفز يعرف أن هناك رحلات يومية مضمونة، مما يكسر حاجز الخوف من عدم وجود طلبات في الأيام الأولى.
  • +
+
+

إبرام اتفاقيات مسبقة مع (3 شركات في منطقة أ، فندق أو فندقان، مركز طبي) لتوفير طلبات حقيقية ودخل ثابت للسائق من اليوم الأول قبل دخول الراكب العادي.

+ +
+ + + + + + + + + + + + +
الأداةيخدمالأثر
ميثاق السائق المؤسسسائقولاء نفسي لا مالي فقط
مسار النمو المرئيسائق + راكبحافز مستمر + ثقة
برنامج المؤسسين 500راكبانتماء وتسويق عضوي
شعار الشفافية (حتى 89%)راكب + سائقتمييز فوري عن المنافس
ضمان التوفر 8 دقائقراكبوعد واضح قابل للقياس
عقود B2B قبل الإطلاقالاثنانكسر معادلة الدجاجة والبيضة
+
+ +

2. الخطة التسويقية والإعلانية التفصيلية

+

الميزانية الإجمالية: 60,000$ — موزعة على 3 قنوات رئيسية:

+ +

أ) الحملات الرقمية المستمرة — 35,000$ (14 شهراً × 2,500$/شهر)

+
+ + + + + + + + + +
المنصةالميزانية الشهريةنوع المحتوى والهدف
Facebook & Instagram1,500$إعلانات ممولة موجهة جغرافياً لأحياء دمشق الراقية.
يوتيوب (YouTube Ads)500$إعلانات فيديو قابلة للتخطي تظهر للجمهور السوري لبناء الثقة.
Reels & Shorts500$فيديوهات قصيرة عالية الجودة تبرز تجربة استخدام التطبيق.
+
+ +

ب) حملات المؤثرين (Influencers) — 15,000$

+
+ + + + + + + + +
المعيارالتفصيل
تكلفة المؤثر الواحد500$ - 1,000$ (متوسط 750$ للفيديو)
عدد الفيديوهات الإجمالي20 فيديو مراجعة وتجربة حية
+
+ +

ج) الإعلانات الطرقية (Outdoor Billboards) — 10,000$

+
+ + + + + + + + +
الشهرالموقعالتكلفةالسبب الاستراتيجي
الشهر الرابعلوحة ضخمة في شارع رئيسي بدمشق5,000$دعم الأسطول المتصاعد وتحويل الانتباه من المنافسين
الشهر التاسعلوحة ضخمة في موقع استراتيجي آخر5,000$تجديد الزخم وتثبيت الهيمنة بعد ترسيخ الوجود
+
+
+ +
+ + +
+

جميع الحقوق محفوظة - مشروع النقل الذكي (تطبيق سيرو) © 2026

+
+ + + + + + \ No newline at end of file 
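Review bot: the referral design in this hunk (a unified 6-digit code per user, the server auto-detecting the relationship type and applying the reward immediately, and the Quick Invite QR/deep link that credits the driver automatically on registration) specifies no abuse controls even though every reward is cash-equivalent (1.5$ credit, 0.50$ per ride for the first 30 rides, 5$ after 50 completed rides). A 6-digit space is small enough to be guessed through an unthrottled lookup endpoint, and immediate automatic attribution makes self-referral and fake-account farming the obvious failure mode. Suggest adding a short paragraph to this section stating the server-side checks the feature depends on: rate limiting and lockout on code lookups, rejecting inviter == invitee and reuse across the same device or phone number, holding per-ride payouts until the ride is completed and paid, and a cap on rewards per inviter. Minor: the file ends with `\ No newline at end of file`; add the trailing newline.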
diff --git a/دراسة_الجدوى_سيرو_الإصدار_الثالث.docx b/دراسة_الجدوى_سيرو_الإصدار_الثالث.docx index 0680afa9f82ef429907d30ee5d4441e512ea023b..dae74c60f1bdb746dcc42bbb269e3939e9f6976b 100644 GIT binary patch delta 12434