sqlmap/lib/request/httpshandler.py

#!/usr/bin/env python

"""
Copyright (c) 2006-2023 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

import re
import socket

from lib.core.common import filterNone
from lib.core.common import getSafeExString
from lib.core.compat import LooseVersion
from lib.core.compat import xrange
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.exception import SqlmapConnectionException
from lib.core.settings import PYVERSION
from thirdparty.six.moves import http_client as _http_client
from thirdparty.six.moves import urllib as _urllib

ssl = None
try:
    import ssl as _ssl
    ssl = _ssl
except ImportError:
    pass

_protocols = filterNone(getattr(ssl, _, None) for _ in ("PROTOCOL_TLSv1_2", "PROTOCOL_TLSv1_1", "PROTOCOL_TLSv1", "PROTOCOL_SSLv3", "PROTOCOL_SSLv23", "PROTOCOL_SSLv2"))
_lut = dict((getattr(ssl, _), _) for _ in dir(ssl) if _.startswith("PROTOCOL_"))
_contexts = {}

class HTTPSConnection(_http_client.HTTPSConnection):
    """
    Connection class that enables usage of newer SSL protocols.

    Reference: http://bugs.python.org/msg128686

    NOTE: use https://check-tls.akamaized.net/ to check if (e.g.) TLS/SNI is working properly
    """

    def __init__(self, *args, **kwargs):
        # NOTE: Dirty patch for https://bugs.python.org/issue38251 / https://github.com/sqlmapproject/sqlmap/issues/4158
        if hasattr(ssl, "_create_default_https_context"):
            if None not in _contexts:
                _contexts[None] = ssl._create_default_https_context()
            kwargs["context"] = _contexts[None]

        self.retrying = False

        _http_client.HTTPSConnection.__init__(self, *args, **kwargs)

    def connect(self):
        def create_sock():
            sock = socket.create_connection((self.host, self.port), self.timeout)
            if getattr(self, "_tunnel_host", None):
                self.sock = sock
                self._tunnel()
            return sock

        success = False

        # Reference(s): https://docs.python.org/2/library/ssl.html#ssl.SSLContext
        #               https://www.mnot.net/blog/2014/12/27/python_2_and_tls_sni
        if hasattr(ssl, "SSLContext"):
            for protocol in (_ for _ in _protocols if _ >= ssl.PROTOCOL_TLSv1):
                try:
                    sock = create_sock()
                    if protocol not in _contexts:
                        _contexts[protocol] = ssl.SSLContext(protocol)
                        if getattr(self, "cert_file", None) and getattr(self, "key_file", None):
                            _contexts[protocol].load_cert_chain(certfile=self.cert_file, keyfile=self.key_file)
                        try:
                            # Reference(s): https://askubuntu.com/a/1263098
                            #               https://askubuntu.com/a/1250807
                            _contexts[protocol].set_ciphers("DEFAULT@SECLEVEL=1")
                        except ssl.SSLError:
                            pass
                    result = _contexts[protocol].wrap_socket(sock, do_handshake_on_connect=True, server_hostname=self.host if re.search(r"\A[\d.]+\Z", self.host or "") is None else None)
                    if result:
                        success = True
                        self.sock = result
                        _protocols.remove(protocol)
                        _protocols.insert(0, protocol)
                        break
                    else:
                        sock.close()
                except (ssl.SSLError, socket.error, _http_client.BadStatusLine) as ex:
                    self._tunnel_host = None
                    logger.debug("SSL connection error occurred for '%s' ('%s')" % (_lut[protocol], getSafeExString(ex)))

        elif hasattr(ssl, "wrap_socket"):
            for protocol in _protocols:
                try:
                    sock = create_sock()
                    _ = ssl.wrap_socket(sock, keyfile=getattr(self, "key_file"), certfile=getattr(self, "cert_file"), ssl_version=protocol)
                    if _:
                        success = True
                        self.sock = _
                        _protocols.remove(protocol)
                        _protocols.insert(0, protocol)
                        break
                    else:
                        sock.close()
                except (ssl.SSLError, socket.error, _http_client.BadStatusLine) as ex:
                    self._tunnel_host = None
                    logger.debug("SSL connection error occurred for '%s' ('%s')" % (_lut[protocol], getSafeExString(ex)))

        if not success:
            errMsg = "can't establish SSL connection"
            # Reference: https://docs.python.org/2/library/ssl.html
            if LooseVersion(PYVERSION) < LooseVersion("2.7.9"):
                errMsg += " (please retry with Python >= 2.7.9)"

            if kb.sslSuccess and not self.retrying:
                self.retrying = True

                for _ in xrange(conf.retries):
                    try:
                        self.connect()
                    except SqlmapConnectionException:
                        pass
                    else:
                        return

            raise SqlmapConnectionException(errMsg)
        else:
            kb.sslSuccess = True

class HTTPSHandler(_urllib.request.HTTPSHandler):
    def https_open(self, req):
        return self.do_open(HTTPSConnection if ssl else _http_client.HTTPSConnection, req)
Last preparations for DREI 2019-05-08 13:47:52 +03:00			`#!/usr/bin/env python`
adding support for newer SSL protocols 2012-06-04 23:46:28 +04:00
			`"""`
Year and version bump 2023-01-03 01:24:59 +03:00			`Copyright (c) 2006-2023 sqlmap developers (https://sqlmap.org/)`
Replacing doc/COPYING to LICENSE 2017-10-11 15:50:46 +03:00			`See the file 'LICENSE' for copying permission`
adding support for newer SSL protocols 2012-06-04 23:46:28 +04:00			`"""`

Fixes #2261 2016-11-04 17:04:38 +03:00			`import re`
adding support for newer SSL protocols 2012-06-04 23:46:28 +04:00			`import socket`

Minor refactoring (drei stuff) 2019-03-29 04:28:16 +03:00			`from lib.core.common import filterNone`
Switching to the getSafeExString (where it can be used) 2015-09-10 16:51:33 +03:00			`from lib.core.common import getSafeExString`
Fixes #4849 2021-10-07 01:29:31 +03:00			`from lib.core.compat import LooseVersion`
Minor update on request 2020-08-23 23:11:24 +03:00			`from lib.core.compat import xrange`
			`from lib.core.data import conf`
Adding a support for SNI (Issue #1256) 2015-06-01 11:45:16 +03:00			`from lib.core.data import kb`
adding support for newer SSL protocols 2012-06-04 23:46:28 +04:00			`from lib.core.data import logger`
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods) 2012-12-06 17:14:19 +04:00			`from lib.core.exception import SqlmapConnectionException`
Minor error message improvement (SSL issues) 2015-12-18 19:15:59 +03:00			`from lib.core.settings import PYVERSION`
God help us all with this Python3 non-sense 2019-03-27 15:33:46 +03:00			`from thirdparty.six.moves import http_client as _http_client`
			`from thirdparty.six.moves import urllib as _urllib`
adding support for newer SSL protocols 2012-06-04 23:46:28 +04:00
			`ssl = None`
			`try:`
			`import ssl as _ssl`
			`ssl = _ssl`
			`except ImportError:`
			`pass`

Minor refactoring (drei stuff) 2019-03-29 04:28:16 +03:00			`_protocols = filterNone(getattr(ssl, _, None) for _ in ("PROTOCOL_TLSv1_2", "PROTOCOL_TLSv1_1", "PROTOCOL_TLSv1", "PROTOCOL_SSLv3", "PROTOCOL_SSLv23", "PROTOCOL_SSLv2"))`
Minor patches 2019-11-09 01:45:30 +03:00			`_lut = dict((getattr(ssl, _), _) for _ in dir(ssl) if _.startswith("PROTOCOL_"))`
Fixes #4158 2020-04-07 03:07:54 +03:00			`_contexts = {}`
adding support for newer SSL protocols 2012-06-04 23:46:28 +04:00
God help us all with this Python3 non-sense 2019-03-27 15:33:46 +03:00			`class HTTPSConnection(_http_client.HTTPSConnection):`
adding support for newer SSL protocols 2012-06-04 23:46:28 +04:00			`"""`
			`Connection class that enables usage of newer SSL protocols.`

			`Reference: http://bugs.python.org/msg128686`
Fixes --check-tor (reported privately) 2022-08-22 17:25:55 +03:00
			`NOTE: use https://check-tls.akamaized.net/ to check if (e.g.) TLS/SNI is working properly`
adding support for newer SSL protocols 2012-06-04 23:46:28 +04:00			`"""`

			`def __init__(self, args, *kwargs):`
Fixes #4158 2020-04-07 03:07:54 +03:00			`# NOTE: Dirty patch for https://bugs.python.org/issue38251 / https://github.com/sqlmapproject/sqlmap/issues/4158`
			`if hasattr(ssl, "_create_default_https_context"):`
			`if None not in _contexts:`
			`_contexts[None] = ssl._create_default_https_context()`
			`kwargs["context"] = _contexts[None]`

Minor update on request 2020-08-23 23:11:24 +03:00			`self.retrying = False`

God help us all with this Python3 non-sense 2019-03-27 15:33:46 +03:00			`_http_client.HTTPSConnection.__init__(self, args, *kwargs)`
adding support for newer SSL protocols 2012-06-04 23:46:28 +04:00
			`def connect(self):`
			`def create_sock():`
			`sock = socket.create_connection((self.host, self.port), self.timeout)`
			`if getattr(self, "_tunnel_host", None):`
			`self.sock = sock`
			`self._tunnel()`
			`return sock`

			`success = False`
minor updates 2012-06-04 23:52:51 +04:00
Patch related to #1256 2015-11-25 15:04:34 +03:00			`# Reference(s): https://docs.python.org/2/library/ssl.html#ssl.SSLContext`
			`# https://www.mnot.net/blog/2014/12/27/python_2_and_tls_sni`
Fixes #5216 2022-11-02 01:26:15 +03:00			`if hasattr(ssl, "SSLContext"):`
Trivial refactoring 2020-08-13 17:22:09 +03:00			`for protocol in (_ for _ in _protocols if _ >= ssl.PROTOCOL_TLSv1):`
Adding a support for SNI (Issue #1256) 2015-06-01 11:45:16 +03:00			`try:`
			`sock = create_sock()`
Fixes #4158 2020-04-07 03:07:54 +03:00			`if protocol not in _contexts:`
			`_contexts[protocol] = ssl.SSLContext(protocol)`
Fixes #5242 2022-11-29 17:05:34 +03:00			`if getattr(self, "cert_file", None) and getattr(self, "key_file", None):`
Fixes #5216 2022-11-02 01:26:15 +03:00			`_contexts[protocol].load_cert_chain(certfile=self.cert_file, keyfile=self.key_file)`
Fixes #4462 2020-12-04 13:40:09 +03:00			`try:`
			`# Reference(s): https://askubuntu.com/a/1263098`
			`# https://askubuntu.com/a/1250807`
			`_contexts[protocol].set_ciphers("DEFAULT@SECLEVEL=1")`
			`except ssl.SSLError:`
			`pass`
Fixes #5216 2022-11-02 01:26:15 +03:00			`result = _contexts[protocol].wrap_socket(sock, do_handshake_on_connect=True, server_hostname=self.host if re.search(r"\A[\d.]+\Z", self.host or "") is None else None)`
Fixes #4158 2020-04-07 03:07:54 +03:00			`if result:`
Adding a support for SNI (Issue #1256) 2015-06-01 11:45:16 +03:00			`success = True`
Fixes #4158 2020-04-07 03:07:54 +03:00			`self.sock = result`
Adding a support for SNI (Issue #1256) 2015-06-01 11:45:16 +03:00			`_protocols.remove(protocol)`
			`_protocols.insert(0, protocol)`
			`break`
			`else:`
			`sock.close()`
God help us all with this Python3 non-sense 2019-03-27 15:33:46 +03:00			`except (ssl.SSLError, socket.error, _http_client.BadStatusLine) as ex:`
Adding a support for SNI (Issue #1256) 2015-06-01 11:45:16 +03:00			`self._tunnel_host = None`
Minor patches 2019-11-09 01:45:30 +03:00			`logger.debug("SSL connection error occurred for '%s' ('%s')" % (_lut[protocol], getSafeExString(ex)))`
Adding a support for SNI (Issue #1256) 2015-06-01 11:45:16 +03:00
Fixes #5216 2022-11-02 01:26:15 +03:00			`elif hasattr(ssl, "wrap_socket"):`
Patch related to #1256 2015-11-25 15:04:34 +03:00			`for protocol in _protocols:`
Adding a support for SNI (Issue #1256) 2015-06-01 11:45:16 +03:00			`try:`
			`sock = create_sock()`
Fixes #5240 2022-11-22 02:28:20 +03:00			`_ = ssl.wrap_socket(sock, keyfile=getattr(self, "key_file"), certfile=getattr(self, "cert_file"), ssl_version=protocol)`
Adding a support for SNI (Issue #1256) 2015-06-01 11:45:16 +03:00			`if _:`
Patch related to #1256 2015-11-25 15:04:34 +03:00			`success = True`
Adding a support for SNI (Issue #1256) 2015-06-01 11:45:16 +03:00			`self.sock = _`
			`_protocols.remove(protocol)`
			`_protocols.insert(0, protocol)`
			`break`
			`else:`
			`sock.close()`
God help us all with this Python3 non-sense 2019-03-27 15:33:46 +03:00			`except (ssl.SSLError, socket.error, _http_client.BadStatusLine) as ex:`
Adding a support for SNI (Issue #1256) 2015-06-01 11:45:16 +03:00			`self._tunnel_host = None`
Minor patches 2019-11-09 01:45:30 +03:00			`logger.debug("SSL connection error occurred for '%s' ('%s')" % (_lut[protocol], getSafeExString(ex)))`
adding support for newer SSL protocols 2012-06-04 23:46:28 +04:00
			`if not success:`
Minor error message improvement (SSL issues) 2015-12-18 19:15:59 +03:00			`errMsg = "can't establish SSL connection"`
Minor patch 2016-08-02 13:38:57 +03:00			`# Reference: https://docs.python.org/2/library/ssl.html`
Fixes #4849 2021-10-07 01:29:31 +03:00			`if LooseVersion(PYVERSION) < LooseVersion("2.7.9"):`
Minor patch 2016-08-02 13:38:57 +03:00			`errMsg += " (please retry with Python >= 2.7.9)"`
Minor update on request 2020-08-23 23:11:24 +03:00
			`if kb.sslSuccess and not self.retrying:`
			`self.retrying = True`

			`for _ in xrange(conf.retries):`
			`try:`
			`self.connect()`
			`except SqlmapConnectionException:`
			`pass`
			`else:`
			`return`

Minor error message improvement (SSL issues) 2015-12-18 19:15:59 +03:00			`raise SqlmapConnectionException(errMsg)`
Minor update on request 2020-08-23 23:11:24 +03:00			`else:`
			`kb.sslSuccess = True`
adding support for newer SSL protocols 2012-06-04 23:46:28 +04:00
God help us all with this Python3 non-sense 2019-03-27 15:33:46 +03:00			`class HTTPSHandler(_urllib.request.HTTPSHandler):`
adding support for newer SSL protocols 2012-06-04 23:46:28 +04:00			`def https_open(self, req):`
God help us all with this Python3 non-sense 2019-03-27 15:33:46 +03:00			`return self.do_open(HTTPSConnection if ssl else _http_client.HTTPSConnection, req)`