Archive

Posts Tagged ‘openssl’

Extracting Certs and Keys from .pfx and using with sqlmap

June 5, 2013 Leave a comment

I only had a .pfx file to work with and needed to extract the key and certificate in order to use sqlmap against a particular site. This site provided all the steps I needed to do that.

  1. Extract private key:
    • openssl.exe pkcs12 -in file.pfx -nocerts -out privKey.pem
  2. Extract certificate:
    • openssl.exe pkcs12 -in file.pfx -clcerts -nokeys -out cert.pem
  3. Remove password from private key:
    • openssl.exe rsa -in privKey.pem -out private.pem

Once that is done run sqlmap with the following flags:

  • sqlmap -u https://www.targeturl.com --auth-cert privatekey.pem,cert.pem

To save time typing in the key and cert locations, if in windows you can just drag the file into the command prompt (not sure about linux/mac).

Option 2:

If you have your client cert loaded into Burp, you could just use the sqlmap option ‘–proxy=”http://localhost:8080″‘ and have sqlmap go through Burp and then not worry about extracting certs/keys. ¬†This would have been easier, but I found out about it later. ¬†Good to know for the future.