SQL 注入是否适用于 WMI 查询?
SQL 注入会对 WMI 构成威胁吗?
例如:
给定以下代码,如果 domainName 是外部提供的且未经清理,恶意攻击者可能会实现什么目的?
string domainName = "user-inputted-domain.com";
string wql = "SELECT *
FROM MicrosoftDNS_ATYPE
WHERE OwnerName = '" + domainName + "'";
// perform WMI query here...
如果它是一个威胁(我想确实如此),那么防御它的最佳方法是什么,而不是像使用 LINQ 那样使用普通的参数化查询?简单地去掉任何 ['] 字符就可以解决问题吗?
另一方面,是否有任何用于查询 WMI 的 LINQ 扩展可以解决这个问题?
编辑:找到 SelectQuery 类。还没有尝试过,但它似乎具有更强大的查询构建功能,例如 Condition 属性。
Is SQL injection a threat with WMI?
For example:
Given the following code, if domainName is provided externally and not sanitised, what could a malicious attacker potentially achieve?
string domainName = "user-inputted-domain.com";
string wql = "SELECT *
FROM MicrosoftDNS_ATYPE
WHERE OwnerName = '" + domainName + "'";
// perform WMI query here...
If it is a threat, which I imagine it is, what would be the best way to defend against it in lieu of not using a normal parameterised query like I would with LINQ? Would simply stripping out any ['] characters do the trick?
And on a different note, are there any LINQ extensions for querying WMI which would address this?
Edit: Found the SelectQuery class. Haven't tried it yet, but it seems to have more robust query-building capabilities, e.g. a Condition property.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
它以同样的方式容易受到攻击,因为他们可以在此之后输入任意条件。想想他们是否输入
foo' OR SomeOtherField='bar作为输入。但是,我认为您不能在一个字符串中执行多个 WQL 查询,因此它可能不具有相同的“攻击面”,因为 WQL 是 SQL 的一小部分。所以,攻击方法仍然有效,是的。您面临的具体风险取决于以下一些因素:
It's vulnerable in the same way, in that they could input any arbitrary conditions after that. Think if they put in
foo' OR SomeOtherField='baras their input. However, I don't think you can do multiple WQL queries in one single string so it may not have the same "attack surface" so to speak, since WQL is such a small subset of SQL.So, the attack method would still work, yes. What exact risks that exposes you to depends on some of the following things: