Nmap Development mailing list archives

Re: Special characters in script-args


From: Patrick Donnelly <batrick () batbytes com>
Date: Fri, 15 May 2009 18:56:23 -0600

Hello Ron,

On Fri, May 15, 2009 at 1:06 PM, Ron <ron () skullsecurity net> wrote:
> Hi all,
>
> I posted this to the #nmap channel a few days ago, but I wasn't around to
> see if there was an answer. So I figured I'd ask it here.
>
> If a --script-arg contains special characters, such as a colon, parsing
> the arguments will fail with a cryptic error. So if somebody is trying to
> use a hash to log in, and passes this string, it'll fail:
>  --script-args=smbuser=admin,smbhash=abc123:abc123
>
> Similarly, if a user gives the password on the command line, like this, it'll
> fail:
>  --script-args=smbuser=admin,smbpass=pass^word
>
> The solution that I use is to pass escaped quotes, like
> smbpass=\"pass^word\", but I don't expect that an ordinary user would know
> to do that (or understand the Lua stackdump when they don't). Is there
> something we can do to make this easier?
>
> (Sorry if this came up in an earlier discussion -- I haven't had a home
> Internet connection for a while, so I haven't been following bigger threads)

We have been discussing this in [1]. I have a tentative patch [2] that
tries to solve all of these problems. I encourage you to give the
patch a try and report how it worked for you.

[1] http://seclists.org/nmap-dev/2009/q2/0204.html
[2] http://seclists.org/nmap-dev/2009/q2/0380.html


-- 
-Patrick Donnelly

"Let all men know thee, but no man know thee thoroughly: Men freely
ford that see the shallows."

- Benjamin Franklin
