SQL Injection

Question 1

Which of the following system table does MS SQL Server database use to store metadata? Hackers can use this system table to acquire database schema information to further compromise the database.

sysobjects
sysrows
sysdbs
syscells

Answer 1

sysobjects

Question 2

Which of the following is the most effective technique in identifying vulnerabilities or flaws in the web page code?

Traffic analysis
Code analysis
Data analysis
Packet analysis

Answer 2

Code analysis

Question 3

Identify the reason why Web Applications are vulnerable to SQL injection attacks.

Tests the content of string variables and accepts only expected values.
Reject entries that contain binary data, escape sequences, and comment characters.
Error messages reveal important information
Avoid constructing dynamic SQL with concatenated input values.

Answer 3

Error messages reveal important information

Question 4

In which of the following attacks does an attacker pose a true or false question to an database to determine whether an application is vulnerable to SQL injection?

Union SQL injection
Error-based SQL injection
Blind SQL injection
In-band SQL injection

Answer 4

Blind SQL Injection

Question 5

What is a piggybacked query?

Answer 5

A piggybacked query is when an attacker injects an additional malicious query into an original query to make the DBMS execute multiple SQL queries

Question 6

What is a tautology?

Answer 6

In a tautology-based SQL injection attack, an attacker uses a conditional OR clause such that the condition of the WHERE clause will always be true. Such an attack can be used to bypass user authentication

Question 7

What is an illegal/logically incorrect query?

Answer 7

An illegal or logically incorrect query is one an attacker uses to glean information from the error message the server provides in response to the query.

Question 8

What is a UNION SQL injection?

Answer 8

A union sql injection injects a union clause to a sql statement, along with a select null statement (starting with 1 null, and incrementing from there). This can be used to determine the table’s column count.

Alternatively, you can inject ORDER BY 1 to sort by the first column, 2 for the second, etc. to determine column count.

Question 9

How do you delay for a given amount of time in MySQL?

Answer 9

sleep()

Question 10

What’s the wildcard character in most SQL dialects?

Answer 10

%

Question 11

What function do you use in MySQL to obscure characters instead of using a string literal?

Answer 11

CHAR(int)

Question 12

What is the concatenation operator in SQLite?

Answer 12

||

Question 13

What is the concatenation operator in Oracle?

Answer 13

||

Question 14

What is the concatenation operator in Access?

Answer 14

&

Question 15

What is the concatenation operator in PostgreSQL

Answer 15

||

Question 16

What is the concatenation operator in MySQL?

Answer 16

concat(,)

Question 17

Which system table contains database objects in Access?

Answer 17

msysobjects

Question 18

Which function can be used by an attacker to link a target MSSQL server’s database to the attacker’s own machine and retrieve data from the target SQL server database?

Answer 18

An SQL Server can be linked back to an attacker’s DB via OPENROWSET

Question 19

Which DB2 query allows an attacker to perform column enumeration on a target database?

Answer 19

select * from syscat.columns where tabname=’tablename’;

Question 20

In MSSQL, how do you perform a column enumeration on a table?

Answer 20

SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = ‘tablename’);