Is SQL query used for WMI queries?

Is SQL injection a threat with WMI?

For instance:

Given the following code, if domainName is provided externally and is not sanitized, what could a potential attacker achieve?

    string domainName = "user-inputted-domain.com";
    string wql = "SELECT * FROM MicrosoftDNS_ATYPE WHERE OwnerName = '" + domainName + "'";
    // perform WMI query here...

If this is a threat, which in my opinion it is, what is the best way to protect against it, given that I cannot use a normal parameterized query as I would with LINQ? Does just removing any ' characters do the trick?

On another note, are there any LINQ extensions for WMI queries that would handle this?


Edit: Found the SelectQuery class. I have not tried it yet, but it seems to have more reliable query-building capabilities, e.g. a Condition.

+4
1 answer

It is vulnerable in the same way, in that they can then introduce any arbitrary conditions. Think about what happens if they supplied foo' OR SomeOtherField='bar as their input. However, I don’t think you can put multiple WQL queries on the same line, so you probably don’t have the same “attack surface”, since WQL is such a small subset of SQL.

So, the attack method will still work, yes. What exact risks that exposes you to depends on things such as the following:

  • Can a potential attacker prematurely terminate your WQL statement and then insert it?
  • Can they set up a filter to release more data than you want (as I mentioned above)?
  • Perhaps many others that I did not think about.
+2