implementation of Feature #17

lib/core/option.py

@@ -67,6 +67,7 @@ from lib.core.update import update
 from lib.parse.configfile import configFileParser
 from lib.parse.queriesfile import queriesParser
 from lib.request.proxy import ProxyHTTPSHandler
+from lib.request.certhandler import HTTPSCertAuthHandler
 from lib.utils.google import Google
 
 authHandler  = urllib2.BaseHandler()
@@ -518,13 +519,14 @@ def __setHTTPProxy():
 
 def __setHTTPAuthentication():
     """
-    Check and set the HTTP authentication method (Basic, Digest or NTLM),
+    Check and set the HTTP(s) authentication method (Basic, Digest, NTLM or Certificate),
-    username and password to perform HTTP requests with.
+    username and password for first three methods, or key file and certification file for
+    certificate authentication
     """
 
     global authHandler
 
-    if not conf.aType and not conf.aCred:
+    if not conf.aType and not conf.aCred and not conf.aCert:
         return
 
     elif conf.aType and not conf.aCred:
@@ -537,45 +539,67 @@ def __setHTTPAuthentication():
         errMsg += "but did not provide the type"
         raise sqlmapSyntaxException, errMsg
 
-    debugMsg = "setting the HTTP authentication type and credentials"
+    if not conf.aCert:
-    logger.debug(debugMsg)
+        debugMsg = "setting the HTTP authentication type and credentials"
+        logger.debug(debugMsg)
     
-    aTypeLower = conf.aType.lower()
+        aTypeLower = conf.aType.lower()
     
-    if aTypeLower not in ( "basic", "digest", "ntlm" ):
+        if aTypeLower not in ( "basic", "digest", "ntlm" ):
-        errMsg  = "HTTP authentication type value must be "
+            errMsg  = "HTTP authentication type value must be "
-        errMsg += "Basic, Digest or NTLM"
+            errMsg += "Basic, Digest or NTLM"
-        raise sqlmapSyntaxException, errMsg
+            raise sqlmapSyntaxException, errMsg
     
-    aCredRegExp = re.search("^(.*?)\:(.*?)$", conf.aCred)
+        aCredRegExp = re.search("^(.*?)\:(.*?)$", conf.aCred)
     
-    if not aCredRegExp:
+        if not aCredRegExp:
-        errMsg  = "HTTP authentication credentials value must be "
+            errMsg  = "HTTP authentication credentials value must be "
-        errMsg += "in format username:password"
+            errMsg += "in format username:password"
-        raise sqlmapSyntaxException, errMsg
+            raise sqlmapSyntaxException, errMsg
     
-    authUsername = aCredRegExp.group(1)
+        authUsername = aCredRegExp.group(1)
-    authPassword = aCredRegExp.group(2)
+        authPassword = aCredRegExp.group(2)
     
-    passwordMgr = urllib2.HTTPPasswordMgrWithDefaultRealm()
+        passwordMgr = urllib2.HTTPPasswordMgrWithDefaultRealm()
-    passwordMgr.add_password(None, "%s://%s" % (conf.scheme, conf.hostname), authUsername, authPassword)
+        passwordMgr.add_password(None, "%s://%s" % (conf.scheme, conf.hostname), authUsername, authPassword)
     
-    if aTypeLower == "basic":
+        if aTypeLower == "basic":
-        authHandler = urllib2.HTTPBasicAuthHandler(passwordMgr)
+            authHandler = urllib2.HTTPBasicAuthHandler(passwordMgr)
     
-    elif aTypeLower == "digest":
+        elif aTypeLower == "digest":
-        authHandler = urllib2.HTTPDigestAuthHandler(passwordMgr)
+            authHandler = urllib2.HTTPDigestAuthHandler(passwordMgr)
     
-    elif aTypeLower == "ntlm":
+        elif aTypeLower == "ntlm":
-        try:
+            try:
-            from ntlm import HTTPNtlmAuthHandler
+                from ntlm import HTTPNtlmAuthHandler
-        except ImportError, _:
+            except ImportError, _:
-            errMsg  = "sqlmap requires Python NTLM third-party library "
+                errMsg  = "sqlmap requires Python NTLM third-party library "
-            errMsg += "in order to authenticate via NTLM, "
+                errMsg += "in order to authenticate via NTLM, "
-            errMsg += "http://code.google.com/p/python-ntlm/"
+                errMsg += "http://code.google.com/p/python-ntlm/"
-            raise sqlmapMissingDependence, errMsg
+                raise sqlmapMissingDependence, errMsg
     
-        authHandler = HTTPNtlmAuthHandler.HTTPNtlmAuthHandler(passwordMgr)
+            authHandler = HTTPNtlmAuthHandler.HTTPNtlmAuthHandler(passwordMgr)
+    else:
+        debugMsg = "setting the HTTP(s) authentication certificate"
+        logger.debug(debugMsg)
+        
+        aCertRegExp = re.search("^(.+?),\s*(.+?)$", conf.aCert)
+    
+        if not aCertRegExp:
+            errMsg  = "HTTP authentication certificate option "
+            errMsg += "must be in format key_file,cert_file"
+            raise sqlmapSyntaxException, errMsg
+    
+        #os.path.expanduser for support of paths with ~
+        key_file = os.path.expanduser(aCertRegExp.group(1))
+        cert_file = os.path.expanduser(aCertRegExp.group(2))
+        
+        for file in (key_file, cert_file):
+            if not os.path.exists(file):
+                errMsg  = "File '%s' doesn't exist" % file
+                raise sqlmapSyntaxException, errMsg
+        
+        authHandler = HTTPSCertAuthHandler(key_file, cert_file)
 
 def __setHTTPMethod():
     """

lib/core/optiondict.py

@@ -41,6 +41,7 @@ optDict = {
                                "headers":           "string",
                                "aType":             "string",
                                "aCred":             "string",
+                               "aCert":             "string",
                                "proxy":             "string",
                                "threads":           "integer",
                                "delay":             "float",

lib/parse/cmdline.py

@@ -96,6 +96,10 @@ def cmdLineParser():
                            help="HTTP Authentication credentials (value "
                                 "name:password)")
                                 
+        request.add_option("--auth-cert", dest="aCert",
+                           help="HTTP(s) Authentication certificate (value "
+                                "key_file,cert_file)")
+
         request.add_option("--proxy", dest="proxy",
                            help="Use a HTTP proxy to connect to the target url")
 

lib/request/certhandler.py

@@ -22,9 +22,12 @@ with sqlmap; if not, write to the Free Software Foundation, Inc., 51
 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 """
 
+import sys
 import httplib
 import urllib2
 
+from lib.core.data import conf
+
 class HTTPSCertAuthHandler(urllib2.HTTPSHandler):
     def __init__(self, key_file, cert_file):
         urllib2.HTTPSHandler.__init__(self)
@@ -35,4 +38,8 @@ class HTTPSCertAuthHandler(urllib2.HTTPSHandler):
         return self.do_open(self.getConnection, req)
 
     def getConnection(self, host):
-        return httplib.HTTPSConnection(host, key_file=self.key_file, cert_file=self.cert_file)
+        if sys.version_info >= (2,6):
+            retVal = httplib.HTTPSConnection(host, key_file=self.key_file, cert_file=self.cert_file, timeout=conf.timeout)
+        else:
+            retVal = httplib.HTTPSConnection(host, key_file=self.key_file, cert_file=self.cert_file)
+        return retVal

sqlmap.conf

@@ -65,6 +65,11 @@ aType =
 # Syntax: username:password
 aCred = 
 
+# HTTP Authentication certificate. Useful only if the target url requires
+# logon certificate and you have such data.
+# Syntax: key_file,cert_file
+aCert = 
+
 # Use a HTTP proxy to connect to the target url.
 # Syntax: http://address:port
 proxy =