Does SQL injection apply to WMI queries?

Posted on 2024-10-07 00:09:03

Is SQL injection a threat with WMI?

For example:

Given the following code, if domainName is provided externally and not sanitised, what could a malicious attacker potentially achieve?

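string domainName = "user-inputted-domain.com";
// Verbatim string (@"...") so the literal may span lines; the concatenation is the issue being asked about
string wql = @"SELECT *
    FROM MicrosoftDNS_ATYPE
    WHERE OwnerName = '" + domainName + "'";
// perform WMI query here...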

If it is a threat, which I imagine it is, what would be the best way to defend against it in lieu of not using a normal parameterised query like I would with LINQ? Would simply stripping out any ['] characters do the trick?

And on a different note, are there any LINQ extensions for querying WMI which would address this?


Edit: Found the SelectQuery class. Haven't tried it yet, but it seems to have more robust query-building capabilities, e.g. a Condition property.


Comments (1)

一腔孤↑勇 2024-10-14 00:09:03

It's vulnerable in the same way, in that they could input any arbitrary conditions after that. Think if they put in foo' OR SomeOtherField='bar as their input. However, I don't think you can do multiple WQL queries in one single string so it may not have the same "attack surface" so to speak, since WQL is such a small subset of SQL.

So, the attack method would still work, yes. What exact risks that exposes you to depends on some of the following things:

  • Could a would-be attacker prematurely terminate your WQL statement and then insert their own?
  • Could they adjust the filter to release more data than you want (as I mentioned above)?
  • probably lots of others I haven't thought of
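
An added example (not code from the question or the answer) of one way to defend the query above: allow-list the domain name, then escape WQL string-literal metacharacters before building the condition with SelectQuery, which does not parameterise its condition string. The names DnsWql, EscapeLiteral and BuildATypeQuery are hypothetical, the DNS-name pattern is an assumption about acceptable input, and the inputs in Main are constructed.

```csharp
using System;
using System.Management;               // needs a reference to System.Management (Windows)
using System.Text.RegularExpressions;

static class DnsWql
{
    // Assumed allow-list: dot-separated labels of letters, digits, '-' and '_',
    // each at most 63 characters, 253 characters overall. No quotes or spaces can pass.
    const string Label = @"[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?";
    static readonly Regex DnsName = new Regex(
        @"\A(?=.{1,253}\z)" + Label + @"(?:\." + Label + @")*\.?\z",
        RegexOptions.CultureInvariant);

    // WQL string literals use backslash as the escape character, so stripping
    // only ' is not enough: escape backslashes first, then both quote characters.
    public static string EscapeLiteral(string value) =>
        value.Replace(@"\", @"\\").Replace("'", @"\'").Replace("\"", "\\\"");

    public static SelectQuery BuildATypeQuery(string ownerName)
    {
        if (ownerName == null || !DnsName.IsMatch(ownerName))
            throw new ArgumentException("Not a valid DNS name.", nameof(ownerName));

        // Escaping is kept as defence in depth behind the allow-list.
        return new SelectQuery("MicrosoftDNS_ATYPE",
            "OwnerName = '" + EscapeLiteral(ownerName) + "'");
    }

    static void Main()
    {
        // Constructed inputs: the question's sample value and the answer's example.
        foreach (var input in new[] { "user-inputted-domain.com", "foo' OR SomeOtherField='bar" })
        {
            try { Console.WriteLine(BuildATypeQuery(input).QueryString); }
            catch (ArgumentException) { Console.WriteLine("rejected: " + input); }
        }

        // For fields that cannot be allow-listed, escaping alone keeps the
        // value inside the literal: prints foo\' OR SomeOtherField=\'bar
        Console.WriteLine(EscapeLiteral("foo' OR SomeOtherField='bar"));

        // To run the query, pass the SelectQuery to a ManagementObjectSearcher
        // bound to the ManagementScope of your DNS WMI provider.
    }
}
```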