
Does SQL injection apply to WMI queries?

Is SQL injection a threat with WMI?

For example:

Given the following code, if domainName is provided externally and not sanitised, what could a malicious attacker potentially achieve?

string domainName = "user-inputted-domain.com";
// Vulnerable: domainName is concatenated into the WQL text unescaped.
string wql = @"SELECT *
    FROM MicrosoftDNS_ATYPE
    WHERE OwnerName = '" + domainName + "'";
// perform WMI query here...

If it is a threat, which I imagine it is, what would be the best way to defend against it in lieu of not using a normal parameterised query like I would with LINQ? Would simply stripping out any ['] characters do the trick?

And on a different note, are there any LINQ extensions for querying WMI which would address this?


Edit: Found the SelectQuery class. Haven't tried it yet, but it seems to have more robust query-building capabilities, e.g. a Condition property.

Petrus Theron asked Nov 05 '22 05:11


1 Answer

It's vulnerable in the same way, in that they could input any arbitrary conditions after that. Think if they put in foo' OR SomeOtherField='bar as their input. However, I don't think you can do multiple WQL queries in one single string so it may not have the same "attack surface" so to speak, since WQL is such a small subset of SQL.

So, the attack method would still work, yes. What exact risks that exposes you to depends on some of the following things:

  • Could a would-be attacker prematurely terminate your WQL statement and then insert their own?
  • Could they adjust the filter to release more data than you want (as I mentioned above)?
  • Probably lots of others I haven't thought of
Daniel DiPaolo answered Nov 11 '22 03:11
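One way to defend the query from the question, as an added example that is not part of the original question or answer: System.Management has no bind parameters for WQL, so the value is first checked against an allow-list and then escaped for a WQL string literal, where backslash is the escape character. The class and method names (WqlSafe, IsDnsName, EscapeLiteral, BuildATypeQuery) are hypothetical, and the allow-list assumes OwnerName holds plain host names.

```csharp
using System;
using System.Text.RegularExpressions;

static class WqlSafe
{
    // Allow-list (assumption: plain host names): letter/digit/hyphen labels
    // of 1-63 chars separated by dots. \A and \z anchor the whole string,
    // so a trailing newline cannot slip past the way it can with $.
    static readonly Regex DnsName = new Regex(
        @"\A[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?" +
        @"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\z",
        RegexOptions.CultureInvariant);

    public static bool IsDnsName(string s) =>
        s != null && s.Length <= 253 && DnsName.IsMatch(s);

    // Escape a value for use inside a quoted WQL string literal.
    // The backslash must be handled first, otherwise the backslashes
    // added in front of the quotes would themselves be doubled.
    public static string EscapeLiteral(string s) =>
        s.Replace(@"\", @"\\").Replace("'", @"\'").Replace("\"", "\\\"");

    public static string BuildATypeQuery(string domainName)
    {
        if (!IsDnsName(domainName))
            throw new ArgumentException("not a valid DNS name", nameof(domainName));
        return "SELECT * FROM MicrosoftDNS_ATYPE WHERE OwnerName = '"
               + EscapeLiteral(domainName) + "'";
    }

    static void Main()
    {
        // The input quoted in the answer above.
        string hostile = "foo' OR SomeOtherField='bar";

        // Escaping alone keeps the quote inside the literal.
        Console.WriteLine(EscapeLiteral(hostile));

        // A well-formed name produces the intended query.
        Console.WriteLine(BuildATypeQuery("www.example.com"));

        // The allow-list rejects the hostile value before any query is built.
        try { BuildATypeQuery(hostile); }
        catch (ArgumentException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

Stripping only the ' character leaves backslashes untouched and discards legitimate data in properties that may contain quotes; escaping keeps the value intact while keeping it inside the literal.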