Net-Force Challenge JavaScript 7


Webmaster007

Hoi,
Wellicht dat een van de lezers van deze vraag Net-Force kent. Net-Force is een hackchallengesite, dus wat ik doe is volkomen legaal.

========
Deze informatie is alleen voor educatieve doeleinden bestemd. Wat jij ermee doet kan mij geen bal schelen, en is geheel op je eigen verantwoordelijkheid, blablablabla.....
========

Oke Suc7:thumb:

Hier komt mijn 'email', als je mij ergens mee kan helpen, tips ed hebt, mail me dan naar AdriaanGraas@tiscali.nl bedankt!

Er is dus een password en die zit verborgen in de challenge, je moet het password eruit halen. Ikzelf heb al een hoop gedaan. De login is beveiligd met HTML Protect 3, van http://www.minihttpserver.net/

=-=-=-=-=-=
Beginsource
PHP:
<html>
<head>
<title>:: Net Force Challenge ::</title>
</head>

<body bgcolor="#000000" text="#FFFFFF">
<p><center><h1>Net Force Challenge</h1></center></p>
<p><center><img src="/images/banners/banner3.gif"></center></p><br>
<p><center><b>This website is protected by HTML PROTECT 3<BR>Enter the password like this "username:password"</b></center></p>


<script language="JavaScript">
<!--

function SymError()
{
  // window.onerror handler: reporting the error as "handled" (true) makes the
  // browser suppress its default error reporting for this page.
  var handled = true;
  return handled;
}

// Register SymError for every uncaught script error; because it returns true
// the browser treats the error as handled and suppresses its default reporting.
window.onerror = SymError;

//-->
</script>

<script language="JavaScript">
<!--

function SymError()
{
  // Same contract as the handler in the preceding <script> block: tell the
  // browser the error is handled so nothing is reported.
  return !false;
}

// Second, identical registration: this <script> block duplicates the one above.
window.onerror = SymError;

//-->
</script>

<SCRIPT LANGUAGE="JavaScript">
d="=tdsjqu mbohvbhf>KbwbTdsjqu?=!..gvodujpo tipxmphjo(*|epdvnfou/xsjufmo('=cs?=cs?+#'*<J#ubcmf xjeui>457 cpsefs>3 dfmmtqbdjoh>13#qbee3#bmjho>dfoufs ifjhiu>223:$:$s?=ueO#52 chdpmps>#7273:F`#`#ejw>$?=gpou d#GGGGGG gbdf>Dpvsjfs Ofx- 0#- npop?=c^#tj{f>8?Vtfs Mi&=0=#?=0c?.#ejw`$`$0ue?=0I%sH#h%e i5&d%GGCEPPd%\\#gpsn obnf>qbttxpse6# poTvcnju>joqvu(*<?8&mfguz#z#UBCMF dfmmTqbdjoh>11#Qbee1#xjeui>211% cpsefs>1?=UCPEZz#z#JOQVU uzqf>ijeefo,%vtfs-# wbmvf>efgbvmu?=cL&p$S?=UEU$21 ifZ&44?&octq<=0UE`#`#\\#8\\#=GPOU gbdf>Wfsebob- Bsjbm- Ifmwfujdb- tbot.tfsjg tj{f>2?=C4$4$w#v#W#3?Qbttxpse=0F#?=0C?.#UEL%n$1$u&dmbtt>joqvu uzqf>q/$?$1 obn9#r#r#L$0z&0UCPEZ+#BCMFT#o('&octq<)#/#5#=g$Tvcnju `$2#wbmvf>Mphjo Opx@$q$ejw?=0gpsn?=0ue(#s(#bcmfY#~<gvodujpo F$(*|qe>s#%&j#0#/O$/upVqqfsDbtf(r#vs[#n/vtfs6%[#jg ((vs!>vs* }}(qe>>voftdbqf(%36%41%41,#3%46,#4%43*** |?$dppljf>IUNMQK$VtfsJE>,vs<L#L#+#XL#qe<.%epl(*<~fmtf|bmfsu(p#bddpvou; v#,  fssps !*)$pqfo(3#mpdb{&/isfg>iuuq;00xxx/gffunbo/dpn<~<~<gvodP# ofn(*|sfuvso usvf~<xjoepx/po>$>G#<wbs u85<em > =$bzfst<eb8#bmm<hf5#hfuFmf.#CzJe<xt > /$tjefcbs)$nth>.#c:8<m$?& 
|n%3#xsjuf(voftdbqf(%4Diunm%4F-#fbe-#ujumf%4FOfu%31Gpsdf%4D%3G<#1#T#cpez-#tdsjqY#uzqf%4E%33ufyu%3GkbwbA#3%31mbohvbhH#KbwbTA#tsd<#tib2%3Fkt;#C$k#;$;$;$;$#$2%3E%3E%31Tubsy#Ijejoh($if:#U#1E%1B)#gvodujpo%31wbmjebuf%39%3:%31%8CN#31%31jg+#9%39epdvnfou%3FMphjoGpsn%3Fm/#%3Fwbmvf3#fohuiY#4F%311z#37%37o#l#3Fqbttxpseo#o#o$)#S$4E)$r$4d#K$c#i$f#`#v&_$6Gtib2%4EdbmdTIB2%39Z$:U$U$Y#<#X#^#hppe%6G$&%332e42e:5g41e51eg8:62616e2145f2f:34e13fd5:%33E%x#%6G8&%333e8b45d:fg9fgb3dgeg5c9:286g8fefd2de1eeebw#u$31jg+#9$&b%%4E8%3:M#7%37V#7&R#6&T#8q&G$,#bmfsuP$8Xfmm%31Epof%32%38l#0%i#8E%31fmtf@$T#)#epdvnfou%3Fmpdbujpoo&8iuuq%4B%3G%3Gxxx%3Fgffunbo%3Fdpn]$&$W$G#l$W#r#u$u$u$u$o$>$3%G#sfuvso%31gb4%4z&R#\\$%31Tupq%31Ijejoh%31tdsjqu,$E%3E)#4F%4D%3G>#2#ubcm=&xjeui\\%3311%33%31ifjhiu8#:7#bmjh*&3dfoufs:#cpsefs;#M#&$s+#e%31dmbttE#uyuG#i#/#gpsn%31obnfL#MphjoG9#F$dujpG$.$1%L$v$:#[%2[%6z$z$Z$%4B^&ueR#O%joqvu%31uzqD%ufB#X%m{#8#tj{8#_&6$.#p$x$I$Qbttxpse{$U#{$qj#%%;#(%(%.#bcmf:$%33tvcnj:&wbmv:#T:#poDmjdl<#sfuvsoP#jebuf%39%3:%4CR$gpsn0#dfoufX$n$n$%3Gcpez0#iunm0#1E%1B**< epdvnfou/dmptf(*<~<xjoepx/pqfo(voftdbqf(%79%85%85%81%4B%3G%3G%88%88)#3F%7E%7:%7F)#P#84%76%83%87,#P#F/#5*-Vosfhjtufs-xjui>361-ifjhiu>291*<tipxmphjo(*<=0TDSJQU?";
e=unescape("%25%36%43%25%33%44%25%32%37%25%35%43%25%33%30%25%30%31%25%30%32%25%30%33%25%30%34%25%30%35%25%30%36%25%30%37%25%30%38%25%35%43%25%37%34%25%35%43%25%36%45%25%30%42%25%30%43%25%35%43%25%37%32%25%30%45%25%30%46%25%31%30%25%31%31%25%31%32%25%31%33%25%31%34%25%31%35%25%31%36%25%31%37%25%31%38%25%31%39%25%31%41%25%31%42%25%31%43%25%31%44%25%31%45%25%31%46%25%32%30%25%32%31%25%32%32%25%32%33%25%32%34%25%32%35%25%32%36%25%35%43%25%32%37%25%32%38%25%32%39%25%32%41%25%32%42%25%32%43%25%32%44%25%32%45%25%32%46%25%33%30%25%33%31%25%33%32%25%33%33%25%33%34%25%33%35%25%33%36%25%33%37%25%33%38%25%33%39%25%33%41%25%33%42%25%33%43%25%33%44%25%33%45%25%33%46%25%34%30%25%34%31%25%34%32%25%34%33%25%34%34%25%34%35%25%34%36%25%34%37%25%34%38%25%34%39%25%34%41%25%34%42%25%34%43%25%34%44%25%34%45%25%34%46%25%35%30%25%35%31%25%35%32%25%35%33%25%35%34%25%35%35%25%35%36%25%35%37%25%35%38%25%35%39%25%35%41%25%35%42%25%35%43%25%33%31%25%33%33%25%33%34%25%35%44%25%35%45%25%35%46%25%36%30%25%36%31%25%36%32%25%36%33%25%36%34%25%36%35%25%36%36%25%36%37%25%36%38%25%36%39%25%36%41%25%36%42%25%36%43%25%36%44%25%36%45%25%36%46%25%37%30%25%37%31%25%37%32%25%37%33%25%37%34%25%37%35%25%37%36%25%37%37%25%37%38%25%37%39%25%37%41%25%37%42%25%37%43%25%37%44%25%37%45%25%37%46%25%32%37%25%33%42%25%30%44%25%30%41%25%37%33%25%33%44%25%32%37%25%32%37%25%33%42%25%30%44%25%30%41%25%36%36%25%36%46%25%37%32%25%32%30%25%32%38%25%36%39%25%33%44%25%33%30%25%33%42%25%36%39%25%33%43%25%36%34%25%32%45%25%36%43%25%36%35%25%36%45%25%36%37%25%37%34%25%36%38%25%33%42%25%36%39%25%32%42%25%32%42%25%32%39%25%37%42%25%30%44%25%30%41%25%36%31%25%33%44%25%36%43%25%32%45%25%36%39%25%36%45%25%36%34%25%36%35%25%37%38%25%34%46%25%36%36%25%32%38%25%36%34%25%32%45%25%36%33%25%36%38%25%36%31%25%37%32%25%34%31%25%37%34%25%32%38%25%36%39%25%32%39%25%32%39%25%33%42%25%30%44%25%30%41%25%36%39%25%36%36%25%32%30%25%32%38%25%36%31%25%33%44%25%33%44%25%33%31%25%32%39%25%32%30%25%36%31%25%33%44%25%33%39%25%33%42%25%30%44%25%30%41%25%36%3
9%25%36%36%25%32%30%25%32%38%25%36%31%25%33%44%25%33%44%25%33%32%25%32%39%25%32%30%25%36%31%25%33%44%25%33%31%25%33%30%25%33%42%25%30%44%25%30%41%25%36%39%25%36%36%25%32%30%25%32%38%25%36%31%25%33%44%25%33%44%25%33%33%25%32%39%25%32%30%25%36%31%25%33%44%25%33%31%25%33%33%25%33%42%25%30%44%25%30%41%25%36%39%25%36%36%25%32%30%25%32%38%25%36%31%25%33%44%25%33%44%25%33%34%25%32%39%25%32%30%25%36%31%25%33%44%25%33%33%25%33%34%25%33%42%25%30%44%25%30%41%25%36%39%25%36%36%25%32%30%25%32%38%25%36%31%25%33%43%25%33%44%25%33%33%25%33%31%25%32%30%25%32%36%25%32%30%25%36%31%25%33%45%25%33%44%25%33%31%25%33%34%25%32%39%25%37%42%25%30%44%25%30%41%25%36%46%25%36%36%25%36%36%25%33%44%25%37%33%25%32%45%25%36%43%25%36%35%25%36%45%25%36%37%25%37%34%25%36%38%25%32%44%25%32%38%25%36%43%25%32%45%25%36%39%25%36%45%25%36%34%25%36%35%25%37%38%25%34%46%25%36%36%25%32%38%25%36%34%25%32%45%25%36%33%25%36%38%25%36%31%25%37%32%25%34%31%25%37%34%25%32%38%25%32%42%25%32%42%25%36%39%25%32%39%25%32%39%25%32%44%25%33%33%25%33%36%25%32%42%25%33%39%25%33%30%25%32%41%25%32%38%25%36%43%25%32%45%25%36%39%25%36%45%25%36%34%25%36%35%25%37%38%25%34%46%25%36%36%25%32%38%25%36%34%25%32%45%25%36%33%25%36%38%25%36%31%25%37%32%25%34%31%25%37%34%25%32%38%25%32%42%25%32%42%25%36%39%25%32%39%25%32%39%25%32%44%25%33%33%25%33%35%25%32%39%25%32%39%25%32%44%25%33%31%25%33%42%25%30%44%25%30%41%25%36%43%25%37%30%25%33%44%25%36%46%25%36%36%25%36%36%25%32%42%25%36%31%25%32%44%25%33%31%25%33%34%25%32%42%25%33%34%25%33%42%25%30%44%25%30%41%25%37%33%25%33%44%25%37%33%25%32%42%25%37%33%25%32%45%25%37%33%25%37%35%25%36%32%25%37%33%25%37%34%25%37%32%25%36%39%25%36%45%25%36%37%25%32%38%25%36%46%25%36%36%25%36%36%25%32%43%25%36%43%25%37%30%25%32%39%25%33%42%25%37%44%25%30%44%25%30%41%25%36%35%25%36%43%25%37%33%25%36%35%25%32%30%25%37%42%25%32%30%25%36%39%25%36%36%25%32%30%25%32%38%25%36%31%25%33%45%25%33%44%25%33%34%25%33%31%25%32%39%25%32%30%25%36%31%25%33%44%25%36%31%25%32%44%25%33%31%25%33%42%25%32%30%25%37%33%25%33%44%25%37%33%
25%32%42%25%36%43%25%32%45%25%36%33%25%36%38%25%36%31%25%37%32%25%34%31%25%37%34%25%32%38%25%36%31%25%32%39%25%33%42%25%37%44%25%37%44%25%33%42%25%36%34%25%36%46%25%36%33%25%37%35%25%36%44%25%36%35%25%36%45%25%37%34%25%32%45%25%37%37%25%37%32%25%36%39%25%37%34%25%36%35%25%32%38%25%37%33%25%32%39%25%33%42%25%30%44%25%30%41");e=unescape(e);eval(e);
</script>
</body>
</html>

Dat gedeelte met al die %%%%%%%%%%%%%% heb ik toen ge-unescaped; dan krijg je dit:

PHP:
 e=unescape("l='\0\t\n \r !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\134]^_`abcdefghijklmnopqrstuvwxyz{|}~'; s=''; for (i=0;i<d.length;i++){ a=l.indexOf(d.charAt(i)); if (a==1) a=9; if (a==2) a=10; if (a==3) a=13; if (a==4) a=34; if (a<=31 & a>=14){ off=s.length-(l.indexOf(d.charAt(++i))-36+90*(l.indexOf(d.charAt(++i))-35))-1; lp=off+a-14+4; s=s+s.substring(off,lp);} else { if (a>=41) a=a-1; s=s+l.charAt(a);}};document.write(s); ");e=unescape(e);eval(e);[B] prompt('Code van het rode stuk e',e);[/B]</script>

Dit decodeert het naar de normale source (zoals die door de browser gelezen moet worden). Door prompt('Code van het rode stuk e',e); toe te voegen wordt bij het laden van de pagina die source in het promptvenster getoond. Die is als volgt:

PHP:
<script language="JavaScript">
<!--
function showlogin(){
 // Render the HTML PROTECT login form by writing it into the current document
 // one line at a time. Every string is emitted verbatim (including the
 // "hight" and "#FFBDOO" typos) so the rendered markup is unchanged.
 var markup = [
  '<br><br><br><br>',
  '<table width="346" border="2" cellspacing="0" cellpadding="0" align="center" height="112">',
  '<tr><td height="41" bgcolor="#61629E">',
  '<div align="center"><font color="#FFFFFF" face="Courier New, Courier, mono"><b><font size="7">User Login</font></b></font></div>',
  '</td></tr><tr>',
  '<td hight="111" bgcolor="#FFBDOO">',
  '<form name="passwordform" onSubmit="input();"><div align="left">',
  '<TABLE cellSpacing=0 cellPadding=0 width="100%" border=0><TBODY>',
  '<INPUT type="hidden" name="username" value="default"><br>',
  '<TR><TD width=10 height=33>&nbsp;</TD>',
  '<TD width=70 height=33><FONT face="Verdana, Arial, Helvetica, sans-serif" size=1><B>',
  '<FONT face=Verdana size=2>Password</FONT></B></FONT></TD><TD width=100 height=33>',
  '<INPUT class=input type=password size=20 name=password >',
  '</TD></TR></TBODY></TABLE>',
  '&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<input type="Submit" name="Submit" value="Login Now">',
  '</div></form></td></tr></table>'
 ];
 for (var k = 0; k < markup.length; k++) {
  document.writeln(markup[k]);
 }
}



// Submit handler for the first-stage login form written by showlogin().
// NOTE(review): the `+` concatenation operators appear to have been lost in
// the forum transcription (e.g. `"HTMLPasswordUserID=" ur`), so this listing
// is not runnable exactly as shown.
function input() {
 // Both values are read from the form and upper-cased; pd and ur are assigned
 // without var and therefore become implicit globals.
 pd=document.passwordform.password.value.toUpperCase();
 ur=document.passwordform.username.value.toUpperCase();
 // `ur!=ur` is always false for a string, so only the password comparison
 // decides; the expected value is produced by unescape() rather than written
 // in clear.
 if ((ur!=ur) ||(pd==unescape("%00%25%32"))) {
  // The entered credentials are stored in plain (unflagged) cookies before
  // passwdok() replaces the page with the second login form.
  document.cookie="HTMLPasswordUserID=" ur;
  document.cookie="HTMLPasswordPassWD=" pd;
  passwdok();
 }
 else{
 // Wrong password: show an alert and navigate away.
 alert("Useraccount: " ur " error !");
 document.open();document.location.href="http://www.feetman.com";
 };
};
function nem(){
 // Global error handler: report every error as handled, which suppresses the
 // browser's default error reporting.
 var swallow = true;
 return swallow;
}
window.onerror = nem;   // nem() returns true, so script errors on this page are swallowed
var t74;                // declared but never assigned or read in this listing
// Snapshots of browser-specific DOM entry points, assigned without var and so
// implicit globals; presumably meant for browser sniffing — none of them is
// used anywhere in this listing.
dl = document.layers;
da = document.all;
ge = document.getElementById;
ws = window.sidebar;
var msg="";             // not used in this listing
var b97;                // declared but never assigned or read in this listing
// Second stage: wipes the current document and writes a fresh page that loads
// sha1.js and a second login form whose check (validate(), below) runs
// entirely in the client.
function passwdok() {
document.open();
document.write(unescape("<html><head><title>Net Force</title></head><body><script type="text/javascript" language="JavaScript" src="sha1.js"></script><script type="text/javascript" language="JavaScript">

// Client-side login check. Both expected values are SHA-1 digests embedded in
// the page, so they are readable by anyone who views the source; a comparison
// done in the browser like this cannot protect anything — the check belongs on
// the server, and passwords should not be stored as plain unsalted SHA-1.
<!-- Start Hiding the Script function validate() {
 // Both fields must be non-empty before anything is hashed.
 if ((document.LoginForm.login.value.length > 0) && (document.LoginForm.password.value.length > 0)) {
  login=document.LoginForm.login.value;    // implicit globals (no var)
  pass=document.LoginForm.password.value;
  login_sha1=calcSHA1(login);              // calcSHA1 is provided by sha1.js
  pass_sha1=calcSHA1(pass);
  // Unsalted SHA-1 of the raw input, compared with == against the hex strings.
  good_login="1d31d94f30d40df7951505d1034e1e923d02ec49";
  good_pass="2d7a34c9ef8efa2cfdf4b89175f7edec1cd0ddda";
  if ((login_sha1==good_login) && (pass_sha1==good_pass))
   { alert('Well Done!');
  }
  else {
   // Mismatch: navigate away.
   document.location='http://www.feetman.com'
  }
 }
 else {
  // Empty field: navigate away.
  document.location='http://www.feetman.com'
 }
// Always false, so the form itself is never submitted.
return false;
}
// Stop Hiding script --->

</script>
<table width="200" height="90" align="center" border="0">
 <tr>
  <td class="txt">
   <center>
   <form name="LoginForm" action="">
    <table border="0" align="center" width="100%">
     <tr>
      <td class="txt">
      Login:
      </td>
      <td class="txt">
       <input type="text" name="login" size="20">
      </td>
     </tr>
     <tr>
      <td class="txt">
      Password:
      </td>
      <td class="txt">
       <input type="password" name="password" size="20">
      </td>
     </tr>
    </table>
   <input type="submit" value="Submit" onClick="return validate();">
   </form>
   </center>
  </td>
 </tr>
</table>
</body>
</html>

Zoals je ziet wordt er een functie (calcSHA1) gebruikt uit een extern JavaScript-bestand, sha1.js. Die source is als volgt:

PHP:
/*
 * A JavaScript implementation of the Secure Hash Algorithm, SHA-1, as defined
 * in FIPS PUB 180-1
 * Copyright (C) Paul Johnston 2000 - 2002.
 * See [url]http://pajhome.org.uk/site/legal.html[/url] for details.
 */

/*
 * Convert a 32-bit number to a hex string with ms-byte first
 */
var hex_chr = "0123456789abcdef";
function hex(num)
{
  // Render a 32-bit integer as eight hex digits, most significant nibble first.
  var digits = [];
  var shift = 28;
  while (shift >= 0)
  {
    digits.push(hex_chr.charAt((num >> shift) & 0x0F));
    shift -= 4;
  }
  return digits.join("");
}

/*
 * Convert a string to a sequence of 16-word blocks, stored as an array.
 * Append padding bits and the length, as described in the SHA1 standard.
 */
function str2blks_SHA1(str)
{
  // Pack the string into 512-bit blocks (16 x 32-bit words), big-endian, one
  // byte per character, then append the 0x80 terminator and the bit length in
  // the last word.
  // NOTE(review): charCodeAt() is not masked to 8 bits, so characters above
  // U+00FF spill into neighbouring bytes and the digest then differs from a
  // standard SHA-1 over the UTF-8 bytes — confirm inputs are Latin-1/ASCII.
  var len = str.length;
  var nwords = (((len + 8) >> 6) + 1) * 16;
  var blks = new Array(nwords);
  var k = 0;
  while (k < nwords)
  {
    blks[k] = 0;
    k++;
  }
  var pos;
  for (pos = 0; pos < len; pos++)
  {
    blks[pos >> 2] |= str.charCodeAt(pos) << (24 - (pos % 4) * 8);
  }
  // pos == len here: the terminator byte goes right after the last character.
  blks[pos >> 2] |= 0x80 << (24 - (pos % 4) * 8);
  blks[nwords - 1] = len * 8;
  return blks;
}

/*
 * Add integers, wrapping at 2^32. This uses 16-bit operations internally
 * to work around bugs in some JS interpreters.
 */
function safe_add(x, y)
{
  // 32-bit wrapping addition performed in two 16-bit halves, passing the carry
  // from the low half into the high half.
  var low = (x & 0xFFFF) + (y & 0xFFFF);
  var carry = low >> 16;
  var high = (x >> 16) + (y >> 16) + carry;
  return (high << 16) | (low & 0xFFFF);
}

/*
 * Bitwise rotate a 32-bit number to the left
 */
function rol(num, cnt)
{
  // Rotate a 32-bit value left by cnt bits; the unsigned shift brings the
  // high bits back in at the low end.
  var left = num << cnt;
  var right = num >>> (32 - cnt);
  return left | right;
}

/*
 * Perform the appropriate triplet combination function for the current
 * iteration
 */
function ft(t, b, c, d)
{
  // Round function selected by the step index t: SHA-1 uses four rounds of
  // 20 steps (choose, parity, majority, parity).
  var round = t < 20 ? 0 : t < 40 ? 1 : t < 60 ? 2 : 3;
  switch (round)
  {
    case 0:
      return (b & c) | ((~b) & d);
    case 2:
      return (b & c) | (b & d) | (c & d);
    default:
      return b ^ c ^ d;
  }
}

/*
 * Determine the appropriate additive constant for the current iteration
 */
function kt(t)
{
  // SHA-1 round constant for step t, one per 20-step round, as a signed
  // 32-bit integer.
  if (t < 20) return 1518500249;
  if (t < 40) return 1859775393;
  if (t < 60) return -1894007588;
  return -899497514;
}

/*
 * Take a string and return the hex representation of its SHA-1.
 */
function calcSHA1(str)
{
  // NOTE(review): SHA-1 is no longer considered collision-resistant and, being
  // a fast unsalted hash, is not a suitable way to verify passwords (which is
  // how this page's validate() uses it); a salted, deliberately slow password
  // hash checked on the server is the usual mitigation.
  var x = str2blks_SHA1(str);   // padded message as 32-bit big-endian words
  var w = new Array(80);        // message schedule for the current block

  // Initial hash state H0..H4, written as signed 32-bit integers.
  var a =  1732584193;
  var b = -271733879;
  var c = -1732584194;
  var d =  271733878;
  var e = -1009589776;

  // Process one 16-word (512-bit) block per outer iteration.
  for(var i = 0; i < x.length; i += 16)
  {
    // Keep the incoming state so it can be added back after the 80 steps.
    var olda = a;
    var oldb = b;
    var oldc = c;
    var oldd = d;
    var olde = e;

    for(var j = 0; j < 80; j++)
    {
      // Expand the 16 message words into the 80-word schedule.
      if(j < 16) w[j] = x[i + j];
      else w[j] = rol(w[j-3] ^ w[j-8] ^ w[j-14] ^ w[j-16], 1);
      // temp = rol(a,5) + ft(j,b,c,d) + e + w[j] + kt(j), each addition mod 2^32
      var t = safe_add(safe_add(rol(a, 5), ft(j, b, c, d)), safe_add(safe_add(e, w[j]), kt(j)));
      e = d;
      d = c;
      c = rol(b, 30);
      b = a;
      a = t;
    }

    // Fold this block's result into the running state.
    a = safe_add(a, olda);
    b = safe_add(b, oldb);
    c = safe_add(c, oldc);
    d = safe_add(d, oldd);
    e = safe_add(e, olde);
  }
  // 40 lowercase hex characters, most significant word first.
  return hex(a) + hex(b) + hex(c) + hex(d) + hex(e);
}

De ingevoerde password (pass) en gebruikersnaam (login)
login_sha1=calcSHA1(login);
pass_sha1=calcSHA1(pass);
good_login="1d31d94f30d40df7951505d1034e1e923d02ec49";
good_pass="2d7a34c9ef8efa2cfdf4b89175f7edec1cd0ddda";

worden hier met deze functie omgezet tot een SHA-1-hash (een hex-string) en login_sha1 en pass_sha1 genoemd. Vervolgens worden die in een if-constructie vergeleken met good_login en good_pass. SHA-1 is een one-way hash: de hash is niet terug te rekenen tot het password, en dat is voor mij dus te moeilijk. Vandaar dat een BruteForce Attack beter is. Maar hoe krijg je het dan voor elkaar een attack te maken die alles checkt, dus bijv.
a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p, q, r, s, t, u, v, w, x, y, z, aa, ab, ac, ad, ae, af, ag, ah, ai, aj, ak enz.......
En dan niet te vergeten dat er ook nog getallen in de password en gebruikersnaam kunnen voorkomen...

Dit is wel een hele hoop tegelijk, ik heb dit ondertussen al ontworpen voor de basis ik heb dus alleen nog de 'attacker' nodig.

PHP:
<html>
<head>
 <title>NET-FORCE CHALLENGE</title>
</head>
<body>
 <script language="JavaScript" src="sha1.js">
 </script>
 <script language="JavaScript">

//Start BruteForce Attack
// NOTE(review): unfinished skeleton from the post. With bruteforceok = 0 and a
// guard of `bruteforceok<0`, neither while loop below ever enters its body, so
// only the two alert() calls and the two document.write() calls run and `pass`
// and `user` are written out as undefined.
// Defender's takeaway from this page: a login check done in client-side
// JavaScript against a hard-coded SHA-1 digest hands that digest to every
// visitor; credentials should be verified on the server and stored with a
// salted, slow password hash.

alert('Bruteforce Attack Started');

var bruteforceok=0;

while(bruteforceok<0){
 var pass;                       // never assigned in this listing
 var pass2=calcSHA1(pass);       // calcSHA1 is provided by sha1.js
 var passid='2d7a34c9ef8efa2cfdf4b89175f7edec1cd0ddda';   // good_pass from validate()

 //statements bruteforce-attack

 if(pass2==passid){
  alert(pass);
  bruteforceok++;
 }
 else{
 }
}

bruteforceok=0;

while(bruteforceok<0) {
 var user;                       // never assigned in this listing
 var user2=calcSHA1(user);
 var userid='1d31d94f30d40df7951505d1034e1e923d02ec49';   // good_login from validate()

 //statements bruteforce-attack

 if(user2==userid){
  alert(user);
  bruteforceok++;
 }
 else{
 //statements
 }
}

//End Bruteforce Attack

alert('Bruteforce Attack Completed');

// Both values are still undefined at this point (see note at the top).
document.write('<b>PASS: </b>' + pass + '<br>');
document.write('<b>USER: </b>' + user);

 </script>
</body>
</html>

Degene die me hierbij kan helpen is geweldig:thumb: Kom op mensen, jullie kunnen het :D. Mailen kan altijd, naar AdriaanGraas@Tiscali.nl
 