Module 15 - SQL Injection ( EC Mode ) Flashcards
In which of the following SQL injection attacks does an attacker deface a web page, insert malicious content into web pages, or alter the contents of a database?
A. Compromised data integrity
B. Authorization bypass
C. Compromised availability of data
D. Remote code execution
Answer: A. Compromised data integrity
Which of the following is the result obtained after executing the SQL query "SELECT * FROM User_Data WHERE Email_ID = 'blah' OR 1=1"?
A. Update Table
B. Add New Records
C. Return More Data
D. Identify the Table Name
Answer: C. Return More Data
A security administrator notices that the log file of the company's webserver contains suspicious entries:
[20/Mar/2011:10:49:07] "GET /login.php?user=test'+oR+3>2%20-- HTTP/1.1" 200 9958
[20/Mar/2011:10:51:02] "GET /login.php?user=admin';%20-- HTTP/1.1" 200 9978
The administrator decides to further investigate and analyze the source code of the login.php file:
<?php
include('../../config/db_connect.php');
$user = $_GET['user'];
$pass = $_GET['pass'];
// Request parameters are concatenated directly into the SQL string; this is the flaw the question asks about
$sql = "SELECT * FROM USERS WHERE username = '$user' AND password = '$pass'";
$result = mysql_query($sql) or die("couldn't execute query");
if (mysql_num_rows($result) != 0) echo 'Authentication granted!';
else echo 'Authentication failed!';
?>
Based on the source code analysis provided, the analyst concludes that the login.php script is vulnerable to:
A. SQL injection
B. Command injection
C. LDAP injection
D. Directory traversal
Answer: A. SQL injection
Bank of Timbuktu is a medium-sized, regional financial institution in Timbuktu. The bank has recently deployed a new Internet-accessible web application. Customers can access their account balances, transfer money between accounts, pay bills, and conduct online financial business using a web browser.
John Stevens is in charge of information security at the Bank of Timbuktu. After one month in production, several customers have complained about the Internet-enabled banking application. Strangely, the account balances of many of the bank’s customers have been changed! However, money has not been removed from the bank; instead, money is transferred between accounts. Given this attack profile, John Stevens reviewed the web application’s logs and found the following entries:
Attempted login of unknown user: johnm
Attempted login of unknown user: susaR
Attempted login of unknown user: sencat
Attempted login of unknown user: pete'';
Attempted login of unknown user: ' or 1=1--
Attempted login of unknown user: '; drop table logins--
Login of user jason, sessionID= 0x75627578626F6F6B
Login of user daniel, sessionID= 0x98627579539E13BE
Login of user rebecca, sessionID= 0x9062757944CCB811
Login of user mike, sessionID= 0x9062757935FB5C64
Transfer Funds user jason
Pay Bill user mike
Logout of user mike
What kind of attack did the hacker attempt to carry out at the bank, based on the given information?
A. The hacker first attempted logins with suspected user names, and then used SQL injection to gain access to valid bank login IDs.
B. Brute force attack in which the hacker attempted guessing login IDs and passwords from password-cracking tools.
C. The hacker used a generator module to pass results to the webserver and exploited web application CGI vulnerability.
D. The hacker attempted session hijacking, in which the hacker opened an account with the bank, then logged in to receive a session ID, guessed the next ID, and took over Jason’s session.
Answer: A. The hacker first attempted logins with suspected user names, and then used SQL injection to gain access to valid bank login IDs.
SQL injection attacks do not exploit a specific software vulnerability; instead, they target websites that do not follow secure coding practices for accessing and manipulating data stored in a relational database.
A. False
B. True
Answer: B. True
Which of the following system tables does the MS SQL Server database use to store metadata that hackers can use to acquire database schema information to further compromise the database?
A. sysdbs
B. sysrows
C. sysobjects
D. syscells
Answer: C. sysobjects
Which of the following methods carries the requested data to the webserver as a part of the message body?
A. HTTP POST
B. HTTP GET
C. IBM DB2
D. Cold fusion
Answer: A. HTTP POST
Which of the following is the most effective technique in identifying vulnerabilities or flaws in the web page code?
A. Traffic analysis
B. Packet analysis
C. Code analysis
D. Data analysis
Answer: C. Code analysis
An attacker injects the following SQL query:
blah' AND 1=(SELECT COUNT(*) FROM mytable); --
What is the intention of the attacker?
A. Identifying the table name
B. Deleting a table
C. Updating table
D. Adding new records
Answer: A. Identifying the table name
Identify the reason why web applications are vulnerable to SQL injection attacks.
A. Avoid constructing dynamic SQL with concatenated input values.
B. Tests the content of string variables and accepts only expected values.
C. Error messages reveal important information.
D. Reject entries that contain binary data, escape sequences, and comment characters.
Answer: C. Error messages reveal important information.
In which of the following attacks does an attacker pose a true or false question to a database to determine whether an application is vulnerable to SQL injection?
A. Blind SQL injection
B. In-band SQL injection
C. Error-based SQL injection
D. Union SQL injection
Answer: A. Blind SQL injection
In which of the following attacks does an attacker inject an additional malicious query into an original query to make the DBMS execute multiple SQL queries?
A. Tautology
B. System stored procedure
C. Piggybacked query
D. Illegal/logically incorrect query
Answer: C. Piggybacked query
In one of the following attacks, an attacker uses different communication channels to perform the attack and obtain results. It is difficult to perform as the attacker needs to communicate with a database server and determine the server features used by a web application. Which is this attack?
A. Union SQL injection
B. In-band SQL injection
C. End-of-line comment
D. Out-of-band SQL injection
Answer: D. Out-of-band SQL injection
What is the main difference between a “Normal” SQL injection and a “Blind” SQL injection vulnerability?
A. The vulnerable application does not display errors with information about the injection results to the attacker.
B. The request to the webserver is not visible to the administrator of the vulnerable application.
C. A successful attack does not show an error message to the administrator of the affected application.
D. The attack is called “Blind” because, although the application properly filters user input, it is still vulnerable to code injection.
Answer: A. The vulnerable application does not display errors with information about the injection results to the attacker.
In which of the following attacks does an attacker use the same communication channel to perform the attack and retrieve the results?
A. Inferential SQL injection
B. In-band SQL injection
C. Out-of-band SQL injection
D. Blind SQL injection
Answer: B. In-band SQL injection
In which of the following attacks does an attacker use a conditional OR clause in such a way that the condition of the WHERE clause will always be true?
A. End-of-line comment
B. UNION SQL injection
C. Illegal/logically incorrect query
D. Tautology
Answer: D. Tautology
In which of the following attacks does an attacker inject an additional malicious query to the original query?
A. UNION SQL injection
B. Piggybacked query
C. In-line comment
D. Tautology
Answer: B. Piggybacked query
Which of the following attacks is time-intensive because the database should generate a new statement for each newly recovered bit?
A. Error-based SQL injection
B. In-band SQL injection
C. Blind SQL injection
D. UNION SQL injection
Answer: C. Blind SQL injection
Which of the following commands is used to make the CPU wait for a specified amount of time before executing an SQL query?
A. ORDER BY 10--
B. WAITFOR DELAY '0:0:10'--
C. UNION SELECT 1,null,null--
D. GET_HOST_NAME()
Answer: B. WAITFOR DELAY '0:0:10'--
Which of the following SQL queries is an example of a heavy query used in SQL injection?
A. SELECT * FROM products WHERE id_product=$id_product
B. SELECT Name, Price, Description FROM ITEM_DATA WHERE ITEM_ID = 67 AND 1 = 1
C. SELECT Name, Phone, Address FROM Users WHERE Id=1 UNION ALL SELECT creditCardNumber,1,1 FROM CreditCardTable
D. SELECT * FROM products WHERE id=1 AND 1 < SELECT count(*) FROM all_users A, all_users B, all_users C
Answer: D. SELECT * FROM products WHERE id=1 AND 1 < SELECT count(*) FROM all_users A, all_users B, all_users C
In which of the following attacks does an attacker pose a true or false question to a database to determine whether an application is vulnerable to SQL injection?
A. Union SQL injection
B. Error-based SQL injection
C. In-band SQL injection
D. Blind SQL injection
Answer: D. Blind SQL injection
Steve works as a penetration tester in a firm named InfoSecurity. Recently, Steve was given an assignment to test the security of the company’s web applications and backend database. While conducting the test, he sends a malicious SQL query with conditional timing delays to the backend database through the web application. This conditional time delay forces the database to wait for a specified amount of time before responding. He performs the same task using different malicious SQL queries. By observing various query responses from the database, Steve came to know that the web application is vulnerable to an SQL injection attack.
What type of SQL injection attack is Steve most likely performing?
A. Out-of-band SQL Injection
B. Error-based SQL injection
C. Blind SQL injection
D. Union-based SQL injection
Answer: C. Blind SQL injection
Select all correct answers.
In blind SQLi, attackers can steal data by asking a series of true or false questions through SQL statements. Select all the correct types of blind SQL injections.
A. Time delay
B. Boolean exploitation
C. System-stored procedure
D. Tautology
Answer: A. Time delay, B. Boolean exploitation
In which of the following attacks does an attacker use an ORDER BY clause to find the right number of columns in a database table?
A. UNION SQL injection
B. Tautology
C. In-line comments
D. Piggybacked query
Answer: A. UNION SQL injection
In one of the following methods, an attacker attempts to replicate error-free navigation by injecting simple inputs such as ' and '1' = '1 or ' and '1' = '2, and forces an application to generate application errors that reveal information such as table names, column names, and data types. Which is this method?
A. Determining a SELECT query structure
B. Determining the database engine type
C. Parameter tampering
D. Type mismatch
Answer: A. Determining a SELECT query structure
Which of the following issues can be detected when testers send long strings of junk data, similar to strings for detecting buffer overruns that throw SQL errors on a page?
A. Truncation
B. SQL injection
C. SQL modification
D. Input sanitization
Answer: A. Truncation
Which of the following SQL injection queries is used by an attacker to extract table column names?
A. http://www.certifiedhacker.com/page.aspx?id=1 UNION SELECT ALL 1,column_name,3,4 from DB_NAME.information_schema.columns where table_name ='EMPLOYEE_TABLE'--
B. http://www.certifiedhacker.com/page.aspx?id=1 UNION SELECT ALL 1,COLUMN-NAME-1,3,4 from EMPLOYEE_NAME --
C. http://www.certifiedhacker.com/page.aspx?id=1 UNION SELECT ALL 1,TABLE_NAME,3,4 from sysobjects where xtype=char(85)--
D. http://www.certifiedhacker.com/page.aspx?id=1 UNION SELECT ALL 1,DB_NAME,3,4--
Answer: A. http://www.certifiedhacker.com/page.aspx?id=1 UNION SELECT ALL 1,column_name,3,4 from DB_NAME.information_schema.columns where table_name ='EMPLOYEE_TABLE'--
In which of the following techniques does an attacker use logical requests such as AND/OR to bypass a firewall?
A. CRLF technique
B. Blind SQL injection
C. Normalization method
D. HPF technique
Answer: B. Blind SQL injection
In which of the following database technologies is the SQL query [SELECT * FROM syscat.columns WHERE tabname= 'tablename'] used for column enumeration?
A. MSSQL
B. Oracle
C. MySQL
D. DB2
Answer: D. DB2
Which of the following operators is used for string concatenation in an Oracle database?
A. " "&" "
B. ' '+' '
C. ' '||' '
D. concat(,)
Answer: C. ' '||' '
Which of the following queries is used to create a database account in Microsoft SQL Server?
A. exec sp_addlogin 'victor', 'Pass123' exec sp_addsrvrolemember 'victor', 'sysadmin'
B. INSERT INTO mysql.user (user, host, password) VALUES ('victor', 'localhost', PASSWORD('Pass123'))
C. CREATE USER victor IDENTIFIED BY 'Pass123'
D. CREATE USER victor IDENTIFIED BY Pass123 TEMPORARY TABLESPACE temp DEFAULT TABLESPACE users; GRANT CONNECT TO victor; GRANT RESOURCE TO victor;
Answer: A. exec sp_addlogin 'victor', 'Pass123' exec sp_addsrvrolemember 'victor', 'sysadmin'
Which of the following countermeasures allows developers to protect PL/SQL code from SQL injection attacks?
A. Maximize user inputs to dynamic SQL
B. Always use single quotes
C. Make use of bind parameters in dynamic SQL
D. Never sanitize user inputs before including them in dynamic SQL statements
Answer: C. Make use of bind parameters in dynamic SQL
Which of the following MSSQL queries allows an attacker to perform column enumeration on a target database?
A. SELECT * FROM syscat.columns WHERE tabname= 'tablename'
B. SELECT * FROM all_tab_columns WHERE table_name='tablename'
C. SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'tablename')
D. SELECT attnum,attname from pg_class, pg_attribute WHERE relname= 'tablename' AND pg_class.oid=attrelid AND attnum > 0
Answer: C. SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'tablename')
In which stage of the SQL injection methodology is Shea right now?
A. Information gathering and SQL injection vulnerability detection
B. Launch SQL injection attacks
C. Exploit second-order SQL injection
D. Perform blind SQL injection
Answer: A. Information gathering and SQL injection vulnerability detection
William has been hired by ITSec, Inc. to perform web application security testing. He wants to see if an SQL injection would be possible. As part of the testing, he tries to catch instances where the user input is used as part of an SQL identifier without any input sanitization. Which of the following characters should William use as the input data to catch the above instances?
A. Semicolon
B. Single quote
C. Right square bracket
D. Double quote
Answer: B. Single quote, D. Double quote
David, a penetration tester, was asked to check the MySQL database of the company for SQL injection attacks. He decided to check the back-end database for a double blind SQL injection attack. Which of the following functions does David need to use to process the time delays without using the processor resources of the server?
A. benchmark()
B. mysql_query()
C. addcslashes()
D. sleep()
Answer: D. sleep()
Which of the following tools does an attacker use to perform SQL injection exploitation through techniques such as union and blind SQL exploitation and bypass certain IPS/IDS rules with generic filters?
A. China Chopper
B. Weevely
C. Mole
D. Astra
Answer: C. Mole
The ______ function is an IDS evasion technique that can be used to inject SQL statements into a MySQL database without using double quotes.
A. CHAR()
B. CHR()
C. CONV()
D. ASCIISTR()
Answer: A. CHAR()
Which of the following DB2 queries allows an attacker to perform column enumeration on a target database?
A. SELECT * FROM all_tab_columns WHERE table_name='tablename'
B. show columns from tablename
C. SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'tablename') sp_columns tablename
D. SELECT * FROM syscat.columns WHERE tabname= 'tablename'
Answer: D. SELECT * FROM syscat.columns WHERE tabname= 'tablename'
David, a penetration tester, wants to use a function that does not use the processor resources of the server for performing a double blind SQL injection attack on a MySQL database. Which of the following functions should he use?
A. benchmark()
B. mysql_query()
C. addcslashes()
D. sleep()
Answer: D. sleep()
Which of the following tools is commonly used by attackers for SQL injection exploitation techniques such as union and blind SQL exploitation and to bypass certain IPS/IDS rules with generic filters?
A. China Chopper
B. Astra
C. Weevely
D. Mole
Answer: D. Mole
In which of the following evasion techniques does an attacker use a WHERE statement that is always evaluated as "true" so that any mathematical or string comparison can be used, such as "' or '1'='1'"?
A. Null byte
B. Case variation
C. Variations
D. Declare variables
Answer: C. Variations
Which of the following characters is used in an SQL injection query as a wildcard attribute indicator?
A. %
B. #
C. ' or "
D. /…/
Answer: A. %
Williams, a professional hacker, targeted a web application that uses a MongoDB backend database. He used MongoDB operations such as $eq to create a malicious command to bypass the authentication process and exfiltrate the customers’ data stored in the database. What type of attack did Williams perform in the above scenario?
A. Smurf attack
B. NoSQL injection
C. LDAP injection
D. Command injection
Answer: B. NoSQL injection
In which of the following database technologies is the SQL query [SELECT * FROM syscat.columns WHERE tabname='tablename'] used for column enumeration?
A. DB2
B. Oracle
C. MySQL
D. MSSQL
Answer: A. DB2
Which of the following database management systems contains the system table called “MsysObjects”?
A. MS Access
B. MySQL
C. MSSQL
D. Oracle
Answer: A. MS Access
Shea is a licensed penetration tester who is testing an e-commerce website for SQL injection. After examining and listing all the input fields on the website, she tries to insert a string value in the CVV2 textbox, where a three-digit number is expected, and she ends up with an error message. In which stage of the SQL injection methodology is Shea right now?
A. Information gathering and SQL injection vulnerability detection
B. Exploit second-order SQL injection
C. Perform blind SQL injection
D. Launch SQL injection attacks
Answer: A. Information gathering and SQL injection vulnerability detection
Which of the following functions can be used by an attacker to link a target SQL server’s database to the attacker’s own machine and retrieve data from the target SQL server database?
A. INTO OUTFILE()
B. CONVERT()
C. OPENROWSET()
D. LOAD_FILE()
Answer: A. INTO OUTFILE()
William is performing black box penetration testing to test the security of a company’s web applications. He tries to catch instances where the user input is used as part of an SQL identifier without any input sanitization. Which of the following characters should William use as the input data to catch the above instances?
A. Double quote
B. Semicolon
C. Single quote
D. Right square bracket
Answer: C. Single quote
A tester has been hired to perform source code review of a web application to detect SQL injection vulnerabilities. As part of the testing process, he needs to get all the information about the project from the development team. During the discussion with the development team, he comes to know that the project is in the initial stage of the development cycle. As per the above scenario, which of the following processes does the tester need to follow in order to save the company’s time and money?
A. The tester needs to perform static code analysis as it covers the structural and statement coverage testing
B. The tester needs to perform dynamic code analysis as it uncovers bugs in the software system
C. The tester needs to perform dynamic code analysis as it finds and fixes the defects
D. The tester needs to perform static code analysis as it covers the executable file of the code
Answer: A. The tester needs to perform static code analysis as it covers the structural and statement coverage testing
David is a penetration tester who is checking the MySQL database of a company for SQL injection attacks. He is looking for a double blind SQL injection attack and needs to use functions to process time delays. He wants to use a function that does not use the processor resources of the server. Which of the following functions should David use?
A. addcslashes()
B. sleep()
C. mysql_query()
D. benchmark()
Answer: B. sleep()
Robert, a penetration tester, is trying to perform SQL penetration testing on the SQL database of the company to discover coding errors and security loopholes. Robert sends massive amounts of random data to the SQL database through the web application in order to crash the web application of the company. After observing the changes in the output, he comes to know that the web application is vulnerable to SQL injection attacks. Which of the following testing techniques is Robert using to find out the loopholes?
A. Alternate Encodings
B. Fuzzing Testing
C. Out of Band Exploitation
D. Stored Procedure Injection
Answer: B. Fuzzing Testing
Williams, a professional hacker, targeted a web application that uses a MongoDB backend database. He employed MongoDB operations such as $eq to create a malicious command using which he could bypass the authentication process and exfiltrate the customers’ data stored in the database.
Which of the following attacks did Williams perform in the above scenario?
A. Smurf attack
B. Command injection
C. NoSQL injection
D. LDAP injection
Answer: C. NoSQL injection
Which of the following functions can be used by an attacker to link a target SQL server’s database to the attacker’s own machine and retrieve data from the target SQL server database?
A. OPENROWSET()
B. LOAD_FILE()
C. CONVERT()
D. INTO OUTFILE()
Answer: A. OPENROWSET()
Which of the following practices makes web applications vulnerable to SQL injection attacks?
A. Database server running OS commands
B. Implementing consistent coding standards
C. Firewalling the SQL server
D. Minimizing privileges
Answer: A. Database server running OS commands
To defend against SQL injection, a developer needs to take proper actions in configuring and developing an application. Select all correct statements that help in defending against SQL injection attacks.
A. Ensure that the Web configuration files for each application do not contain sensitive information.
B. Apply input validation only on the client-side.
C. Avoid constructing dynamic SQL with concatenated input values.
D. Keep untrusted data separate from commands and queries.
Answer: A, C, D.
Which of the following countermeasures prevents buffer overruns?
A. Keep untrusted data separate from commands and queries.
B. Apply the least privilege rule to run the applications that access the DBMS.
C. Use the most restrictive SQL account types for applications.
D. Test the size and data type of the input and enforce appropriate limits.
Answer: D. Test the size and data type of the input and enforce appropriate limits.
Which of the following practices makes an organization’s database server vulnerable to SQL injection attacks?
A. Test the contents of string variables and accept only expected values.
B. Use the same database accounts for multiple applications.
C. Never build Transact-SQL statements directly from user input and use stored procedures to validate user input.
D. Reject entries that contain binary data, escape sequences, and comment characters.
Answer: B. Use the same database accounts for multiple applications.
Which of the following practices helps security professionals protect an organization’s database from SQL injection attacks?
A. Never use a prepared statement to create a parameterized query.
B. Avoid using xp_cmdshell to control the interaction between the SQL server and components of other servers.
C. Enable shell access to the database.
D. Do not isolate the web server by locking it in different domains.
Answer: B. Avoid using xp_cmdshell to control the interaction between the SQL server and components of other servers.
Which of the following tools is used to build rules that aim to detect SQL injection attacks?
A. Snort
B. SuperScan
C. Masscan
D. Nmap
Answer: A. Snort
Which of the following commands has to be disabled to prevent exploitation at the OS level?
A. xp_cmdshell
B. cat
C. ping
D. execute
Answer: A. xp_cmdshell