Nmap Development mailing list archives
Re: Zenmap: bug parsing --script?
From: David Fifield <david () bamsoftware com>
Date: Mon, 26 Jul 2010 12:14:52 -0600
On Sat, Jul 24, 2010 at 01:51:03PM -0600, David Fifield wrote:
> On Fri, Jul 23, 2010 at 01:35:08PM -0500, Ron wrote:
> > Hey, I'm preparing canned demos for my Blackhat slot, and I noticed something odd in Zenmap. If I enter the command:
> >
> >     nmap -p 21 -T4 -d -n --script "ftp* and not *brute*" 192.168.102.*
> >
> > Then save/restart zenmap, I end up with:
> >
> >     nmap -p 21 -T4 -d -n --script "ftp* 192.168.102.*
> >
> > Which doesn't work. In fact, even in the editor when I'm editing the --scripts textbox, as soon as I deselect the box (and it updates the command) it removes everything after the space.
> >
> > Is this a known bug? (I haven't used Zenmap all that much, to be honest).
>
> Yes, this is a bug. I'm surprised no one has noticed it before now. The command entry is just breaking words on whitespace to pass them to exec. (In other words, it doesn't just pass the line to a shell; you can't type "nmap localhost && rm -rf /".) You can see what's going on while you're editing the command live. If you enter the command
>
>     nmap --script "ftp* and not *brute*"
>
> you will see the "Target" box automatically populated with the three targets
>
>     and not *brute*"
>
> What you're describing, with the 'and not *brute*"' part being removed, doesn't happen to me. If I save a profile and restore it, it's all there. You might check in ~/.zenmap/scan_profile.usp to see how it's being stored. I have
>
>     [aaa]
>     command = nmap --script "ftp* and not *brute*" 192.168.0.1
>     description =
>
> I don't think this will be too hard to fix. I think the place to do it is NmapOptions.parse_string, which is just
>
>     def parse_string(self, opt_string):
>         self.parse(opt_string.split())
>
> However there may be parts of the code that pre-split the string and then pass it to NmapOptions.parse, which is how I envisioned NmapOptions being used. But there are probably only a couple-three places where this happens so it won't be too hard to track them down.

Please try r19281 and see if it works for you. This allows single- and double-quoting of strings.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
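
The difference between whitespace splitting and quote-aware splitting discussed in this message, as an added example that is not part of the original post and is not Zenmap's code. It uses Python's standard `shlex.split` as a stand-in for the fix (the page does not show r19281), and the function names `split_naive`, `split_quoted` and `script_arg` are hypothetical.

```python
import shlex

# Constructed sample inputs, based on the commands quoted in the thread.
CMD = 'nmap -p 21 -T4 -d -n --script "ftp* and not *brute*" 192.168.102.*'
TRUNCATED = 'nmap -p 21 -T4 -d -n --script "ftp* 192.168.102.*'
CHAINED = 'nmap localhost && echo injected'  # never executed, only split


def split_naive(command):
    """Whitespace-only splitting, like the parse_string quoted in the message."""
    return command.split()


def split_quoted(command):
    """Quote-aware splitting with shlex. Returns (argv, error).

    shlex honours single and double quotes; in its default POSIX mode it
    also treats backslash as an escape, which may be more than Zenmap allows.
    """
    try:
        return shlex.split(command), None
    except ValueError as exc:  # e.g. an unbalanced quote
        return None, str(exc)


def script_arg(argv):
    """Return the word that follows --script, or None if there is none."""
    for i, word in enumerate(argv[:-1]):
        if word == "--script":
            return argv[i + 1]
    return None


if __name__ == "__main__":
    naive = split_naive(CMD)
    print("naive  --script:", script_arg(naive), "| stray words:", naive[8:11])
    argv, _ = split_quoted(CMD)
    print("quoted --script:", script_arg(argv), "| target:", argv[-1])
    # An unbalanced quote is reported instead of silently mis-split.
    print("truncated command:", split_quoted(TRUNCATED))
    # Either way the result is an argv list for exec, so "&&" stays an
    # ordinary word and is never interpreted as a shell operator.
    print("chained command:", split_quoted(CHAINED)[0])
```
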