Nmap Development mailing list archives

Re: parsing of script-args is broken
From: Patrick Donnelly <batrick () batbytes com>
Date: Sun, 17 May 2009 19:55:19 -0600

Hi Jah,

On Sun, May 17, 2009 at 5:04 PM, jah <jah () zadkiel plus com> wrote:
On 16/05/2009 01:30, Patrick Donnelly wrote:

On Sun, May 10, 2009 at 7:23 AM, Patrick Donnelly <batrick () batbytes com>

A key, value, or array value may be a sequence of characters except
'{', '}', ',', '=', and all space characters. You may overcome this
restriction by using quotes (single or double) to allow all characters
within the quotation marks. You may also use the quote delimiter
inside the sequence so long as it is escaped by a backslash.

Hi Patrick,

I am using the sargs5.patch (on windows) and can only pass a value
containing a comma to --script-args by nesting single quotes within double
quotes around the value:

--script-args smbuser=somebody,smbpass="'.n,m '"
NSE: SMB: Extended login as \somebody succeeded

or the other way round:

--script-args smbuser=somebody,smbpass='".n,m "'

or even mismatched:

--script-args smbuser=somebody,smbpass="'.n,m "'

If I use single quotes only:

C:\Program Files\Nmap\nse_main.lua:539: Value at ''.n,m}' is invalid or is
unterminated by a valid seperator
stack traceback:
        [C]: in function 'error'
        C:\Program Files\Nmap\nse_main.lua:539: in function 'parse_value'
        C:\Program Files\Nmap\nse_main.lua:553: in function 'parse_table'
        C:\Program Files\Nmap\nse_main.lua:593: in main chunk
        [C]: ?


I think this is just a Windows oddity because it treats single quotes as just a
character. If I use double quotes only, the value containing the comma is
truncated before the comma so it becomes the value ".n":

NSE: SMB: Extended login as \somebody failed (NT_STATUS_LOGON_FAILURE)

Using a Linux or a Cygwin terminal and supplying either single or double
quotes also results in truncation of the value, but nested quotes work OK
(mismatched quotes don't work).

It appears that the double quotes are always stripped from the command
processor (irrespective of whether they're the inner or outer quotes) so in
nse_main.lua they match the pattern for unquoted strings:

local uqi, uqj, uqm = find(str,
        "^%s*([^'\"%s{},=][^%s{},=]*)%s*[},=]", start);

which treats the comma as a separator of key/value pairs and so any
characters after the comma are turned into a new key/value pair.

Is this behaviour as you intended?

Unless I'm terribly mistaken, this looks like the shell is separating
your argument to --script-args into two arguments instead of one. I'm
not very familiar with the Windows shell, but I believe that single
quotes are treated like any other non-special character (as you
hinted). This is the reason surrounding the argument in only single
quotes failed.

--script-args smbuser=somebody,smbpass='.n,m '

The second single quote is treated as an extra argument (I'm not sure
what Nmap will do with a single quote argument).

To look at all your other examples specifically:

--script-args smbuser=somebody,smbpass="'.n,m '"

This works because you surround the space in quotes, forcing it to be
included in the argument to --script-args. The single quotes are just
like any other character. The string in double quotes is concatenated
with "smbuser=somebody,smbpass=". Remember most shells (apparently
including Windows) will concatenate adjacent strings not separated by

--script-args smbuser=somebody,smbpass='".n,m "'

This works similar to above. The single quote is considered part of
the first string to concatenate: "smbuser=somebody,smbpass='", the
second string is ".n,m ", and the third string is simply the single

--script-args smbuser=somebody,smbpass="'.n,m "'

Again, the shell concatenates the strings:
(1) "smbuser=somebody,smbpass="
(2) "'.n,m "
(3) "'"

Linux and Cygwin will both strip the quotes, similar to how Windows
strips the double quotes. If you properly escape the quotes at the
shell you will get the appropriate arguments:

./nmap --script-args smbuser=somebody,smbpass="\".n,m\ \"" localhost

Notice I escaped the space as well, otherwise the shell treats the
final quote as a separate argument to Nmap (which is the error you are
getting). Personally, I always surround the argument to --script-args
(on Linux) in double quotes and use single quotes to delimit any
strings with the invalid characters (commas, curly braces, etc.). This
should also work on Windows.

Hope that cleared things up!


-Patrick Donnelly

"Let all men know thee, but no man know thee thoroughly: Men freely
ford that see the shallows."

- Benjamin Franklin

Sent through the nmap-dev mailing list
Archived at http://SecLists.Org
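To make the parsing side of the exchange concrete, here is an added Python model of the --script-args grammar Patrick described (key, value or array item; quotes with a backslash-escaped delimiter; nested braces). It is constructed for this page, not Nmap's nse_main.lua, and it assumes that bare items become positional entries numbered from 1 as in Lua and that only the quote delimiter is unescaped. Running it on the value with its quotes intact, and again on what arrives after the shell has stripped them, reproduces the truncation jah saw: the comma becomes a separator and "m" turns into a stray positional item.

```python
import re

# Constructed model of the --script-args grammar from this thread (not Nmap's
# nse_main.lua). An item is a run of characters other than '{', '}', ',', '='
# and whitespace, a single- or double-quoted string in which the delimiter may
# appear escaped with a backslash, or a nested '{...}' table.
UNQUOTED = re.compile(r"\s*([^'\"\s{},=][^\s{},=]*)")
QUOTED = re.compile(r"""\s*(['"])((?:\\.|(?!\1)[^\\])*)\1""")

def _peek(s, i):
    """Return the first non-space character at or after s[i] and its index."""
    while i < len(s) and s[i].isspace():
        i += 1
    return (s[i] if i < len(s) else ""), i

def parse_item(s, i):
    """Parse one key, value or array item at s[i]; return (item, next index)."""
    m = QUOTED.match(s, i)
    if m:  # unescape only the quote delimiter, as the thread describes
        q = m.group(1)
        return m.group(2).replace("\\" + q, q), m.end()
    m = UNQUOTED.match(s, i)
    if m:
        return m.group(1), m.end()
    c, j = _peek(s, i)
    if c == "{":
        return parse_table(s, j + 1)
    raise ValueError(f"Value at {s[i:]!r} is invalid or unterminated by a valid separator")

def parse_table(s, i):
    """Parse items up to the matching '}'; return (table, index after '}')."""
    tbl, n = {}, 0
    while True:
        c, j = _peek(s, i)
        if c == "}":
            return tbl, j + 1
        item, i = parse_item(s, j)
        c, j = _peek(s, i)
        if c == "=":  # the item was a key; its value follows
            tbl[item], i = parse_item(s, j + 1)
            c, j = _peek(s, i)
        else:  # bare item: positional array entry (assumed 1-based, as in Lua)
            n += 1
            tbl[n] = item
        i = j + 1 if c == "," else j  # ',' separates items; '}' ends the table
        if c not in (",", "}"):
            raise ValueError(f"Value at {s[i:]!r} is invalid or unterminated by a valid separator")

def parse_script_args(args):
    return parse_table("{" + args + "}", 1)[0]  # nse_main.lua wraps the whole string in braces
```

Compare parse_script_args("smbuser=somebody,smbpass='.n,m '") with parse_script_args("smbuser=somebody,smbpass=.n,m "): the first yields the intended password, the second yields smbpass=".n" plus a positional "m".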
