I got an idea to make something like a keychain with keys, which will contain possible passwords to extract my password-protected archives. So the passwords will stay hidden, but the user will still be able to extract the archive without knowing the password.
The problem is that if I send the password via a parameter, it is shown in the command-line parameters.
set mypass=12345
unrar.exe x test.rar -p%mypass%
I also tried to send the password via echo, but it doesn't seem to work:
@echo off
@echo 12345 | unrar.exe x test.rar -p
How to solve this?
The unrar executable does not provide a mechanism to securely accept the archive password. It is accepted in plain text form. There's no getting away from that and you should stop trying to do so.
Use the rar DLL interface instead which gives a slightly increased level of obfuscation. Of course, a moderately determined hacker could inspect the parameters that are being passed. Or inspect the file that is being extracted.
Using @echo off is the correct approach.
Do note that when you call
@echo something
that "something" is always shown, even when you have disabled the echo using @echo off.
Also I agree with Uli Gerhardt about the use of unrar.dll instead as this will give you even better control over the extracting process.
EDIT: If you put this code into a batch file (*.bat) you will see that the commands won't be shown.
@echo off
set mypass=12345
notepad %mypass%
Same should apply when sending commands from your application.
EDIT2: Do you know that you can even find an already made Delphi component which allows you to make use of unrar.dll?
Check at the bottom of this page: http://www.rarlab.com/rar_add.htm
Related
I have a classic asp page in VBS and I am trying to create a file on the web server with the following code.
Set fso = CreateObject("Scripting.FileSystemObject")
Set file1 = fso.CreateTextFile("\\localhost\inetpub\wwwroot\cs\batch\123456dirs.bat", true)
This returns the following error:
|666|800a0034|Bad_file_name_or_number
Line 666 is the CreateTextFile line.
According to the Microsoft docs, this means that I'm trying to create a file with an invalid filename. Then it explains the rules for filenames and mine appears to be perfectly valid.
Any suggestions or ideas on how I can further troubleshoot this?
First thing to check: make sure your users have access to the folder. Assuming you're not using Windows authentication, make sure the IUSR account has write access to the folder.
Second, unless inetpub is set up as a share to the folder, your syntax won't work. If the root of your website is located in the CS folder, you can do something like:
Set file1 = fso.CreateTextFile(Server.MapPath( "/cs/batch/123456dirs.bat" ), true)
The createtextfile() function runs on the web server but in the context of the local server itself. Simply put, any path you give it must resolve as if you were logged on to a windows desktop on the server and tried to CD to that path.
The format \localhost... is a UNC path. See this question for a discussion about UNC paths and windows. Unless you know for sure that there is a UNC path mapped for \localhost then that is probably your issue. You may be making the assumption the \localhost will be a reasonable path to use, but as I said unless you know for sure it is available then this is an invalid choice.
Lastly, if you decide to set up a share for \localhost, you will be getting into some interesting territory around the user context that the web server operates in. You see, you will have to set up the share for the IIS user that is configured as the run-as identity for IIS, so you will need to know that and create the required config to give that user the share.
If it were me, I would switch to using a standard windows path, although even then you need to appreciate the run-as user context and security config, etc.
I'd like help in setting password in a batch file but without exposing password.
If I SET password="abc123", I don't want abc123 to be visible in the batch file, as other people will be running the .bat file.
There is unfortunately no good solution to hide a password in batch.
Even if you crypt it, change it to HEX, hide it in an Alternative Data Stream (ADS) or whatever you want.
At some point you have to test the value in your code with an IF test.
At this point the password, crypted or not, will be visible or set in a variable that can be echoed.
You can also compress your BAT in a self-extracting .EXE, but this is very easy to crack, as the .BAT file has to be decompressed before you run it (in the %temp% folder).
So there is no way to really hide a password in a .BAT file.
You can try this method: Password hidden using ADS
create and save your batch file
use the ECHO command to 'place' your password into an ADS attached to your batch file
use redirection to read the password from the ADS (Alternative Data Stream) file
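The three steps above as a batch file, added here as an illustration and not taken from the original answer; the stream name pw and the password abc123 are constructed sample values, and the file must live on NTFS. The last two commands show that the stream can be listed and read by anyone with access to the file, which is the limitation the previous answer describes.

```batch
@echo off
setlocal
rem Added example. The stream name "pw" and the sample password are constructed.
rem %~f0 expands to the full path of this batch file; ":pw" names the ADS.
set "STREAM=%~f0:pw"

rem Step 2: ECHO the password into an ADS attached to this batch file.
rem Redirection is written first so no trailing space ends up in the stream.
if /i "%~1"=="store" (
    >"%STREAM%" echo abc123
    echo Password stored in the stream.
    exit /b 0
)

rem Step 3: read the password back from the ADS with input redirection.
rem The parentheses let 2^>nul swallow the error when the stream is missing.
set "password="
(set /p "password=" <"%STREAM%") 2>nul
if not defined password (
    echo No stream found. Run "%~nx0 store" first.
    exit /b 1
)

rem From here on the value sits in an ordinary variable and can be echoed.
echo Loaded from stream: %password%

rem The stream is not hidden from anyone who looks for it:
rem dir /r lists alternate streams, and more can read one directly.
dir /r "%~f0" | findstr /c:":pw"
more <"%STREAM%"
endlocal
```

Run it once with the argument store, then without arguments to read the value back.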
Example: I am logged in as user TestUser. From this user I am going to run a command line as an administrator named AdminUser.
Is it possible from this command line to determine the name of the currently logged in TestUser?
I already have scheduled task which is always running as AdminUser, but in its action (batch file), I need to name of the currently logged in user.
Any ideas?
As far as I know this is not really possible.
Depending on how much you know about the environment of the users, the following might be a workaround however:
The command
qwinsta
will give you a list of sessions for the computer. Within these sessions one will be the active one, so if this program is used in an interactive session only this will basically contain the "logged in user" as you described it (it is far more complicated really, there could be many users logged on but only one can be active and I just hope you know enough about the usage scenario of your program to make use of that). You could parse the output and work with that username.
Of course this is a dirty hack and it assumes that during the run time of your task there is no chance that users change.
Also, though I chose qwinsta.exe because it is a very basic approach that needs no API calls or something, I am still not sure if CMD has sufficient parsing capabilities to get the necessary information for you.
%username% variable contains.. well, the user name.
echo/%username%
EDIT
As you said, because you are in a scheduled task, you can get the user name from the Windows Registry
@echo off
for /f "tokens=3" %%a in ('reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\1 /v LoggedOnUserName') do (
set "user=%%a")
set "user=%user:.\=%"
echo/%user%
Now %user% variable contains the logged user name.
A quick way to make this happen using a batch file would be this command:
for /F "tokens=1,2" %%i in ('qwinsta /server:%COMPUTERNAME% ^| findstr "console"') do set tempVar=%%j
echo %tempVar% will show whatever user is actually logged in. Not the user who launched the batch file.
I'm a Windows 7 user and I want to access an object from within my public Dropbox folder using the command line. How do I do that? (Note: my skills with the command line are weak, so be gentle please.) This is what I'm basing my information on: DROPBOX CITE LINK
Here's the path to my Dropbox and what I attempted:
#the path
C:/Users/trinker/Dropbox/Public/plot.png
#the attempt to retrieve the url of plot.png
CD C:/Users/trinker/Dropbox/Public/
C:/Users/trinker/Dropbox/bin/dropbox.py puburl C:/Users/trinker/Dropbox/Public/plot.png
Note my slashes are going the opposite way you'd normally see them on a Windows machine, as I'm using this within another program that requires the slashes be in this direction or doubled as in \\
The goal is to retrieve the url for the dropbox object.
There is a workaround pointed out to me by my friend Dason. Go to your public folder and copy the link from a file. Here's one of mine:
https://dl.dropboxusercontent.com/u/61803503/%20wordcloud.pdf
The account number is always the same for your own Dropbox. So the following form will allow me to share documents:
file.path("https://dl.dropboxusercontent.com/u/61803503", DOCUMENT_NAME_HERE)
I don't know exactly what you are doing, but if that is the URL to your Dropbox share, and you just wanted to access it via the command line, have you tried just mapping a network drive to that URL to see if it works?
I am using command line with bash in Mac OS X. I will ask in my script:
Enter your password?
>
Do you want to save it and do not ask this more?
The password is to unzip a file. To do this, it always has to be entered, but I want it to only be entered once.
I can easily save it in a text file, but that is too obvious.
So I want to save it in the system. Windows has the "Windows Registry". Is there a similar system in Mac OS X (or Unix) that I can save it in and it will not be lost?
Or is there another way to save the password that will be more secure? I know if someone runs the script in debug mode (showing how the command line is created) he will easily find the password, but he will have to get the computer, so it is a kind of physical security.
You could do it the way system passwords are stored: use a plain text file but store a checksum instead of the plain text password. It would be best if the file wasn't accessible to the user, but even if it is, it's not that easy to reverse a checksum. Suppose you read the password into variable password. Then, you could do something like echo "$password" | sha1sum - > password_file. Then at next login, run the password provided by the user through the same command and compare results. This way you can check if they entered the correct password without storing the password in cleartext.
Either use your OS's keyring (OSX has something like this), or store it in plain text. Don't pretend that you are secure when you are not. If you cannot store things securely, then store them in plain sight, so the user is not given a false sense of security.