15 CEH: SQL Injection
In which of the following evasion techniques does an attacker use a WHERE statement that is always evaluated as *true* so that any mathematical or string comparison can be used, such as "' or '1'='1'"? 1. Declare variables 2. Case variation 3. Variations 4. Null byte
3. Variations
Which of the following tools provides automated web application security testing with innovative technologies including DeepScan and AcuSensor technology? 1. IBM Security AppScan 2. SoftPerfect network scanner 3. Hping2 / Hping3 4. Acunetix web vulnerability scanner
4. Acunetix web vulnerability scanner
Which of the following database management systems contains the system table called "MsysObjects"? 1. Oracle 2. MSSQL 3. MySQL 4. MS Access
4. MS Access
The following query is used to create a database account in *which database server*? exec sp_addlogin 'victor', 'pass123' exec sp_addsrvrolemember 'victor', 'sysadmin'
Microsoft SQL Server
True or false: all relational databases are vulnerable to SQL injection attacks.
True, because the flaw lies in the web application that interacts with the database, not with the database itself
Which of the following functions can be used by an attacker to link a target SQL server's database to the attacker's own machine and retrieve data from the target SQL server database? 1. LOAD_FILE() 2. CONVERT() 3. OPENROWSET() 4. INTO OUTFILE()
3. OPENROWSET()
Which of the following tools is used to build rules that aim to detect SQL injection attacks? 1. Nmap 2. Masscan 3. Snort 4. SuperScan
3. Snort
What character is used in a SQL injection query as a wildcard attribute?
%
What *SQL statement* can be used to determine table and column names?
' group by columnnames having 1=1;--
Identify the reason why web applications are vulnerable to SQL injection attacks. 1. Error messages reveal important information 2. Tests the content of string variables and accepts only expected values. 3. Avoid constructing dynamic SQL with concatenated input values. 4. Reject entries that contain binary data, escape sequences, and comment characters.
1. Error messages reveal important information
What 3 *mobile SQL injection tools* does the material recommend?
1. SQLi 2. Droidbug SQLi Spyder 3. sqlmapchik
Which of the following issues can be detected when testers send long strings of junk data, similar to strings for detecting buffer overruns that throw SQL errors on a page? 1. Truncation 2. SQL injection 3. SQL modification 4. Input sanitization
1. Truncation
What 2 *SQL statements* can an attacker use during a *blind SQL injection attack*?
1. WAITFOR DELAY '<HH>:<mm>:<ss>' 2. BENCHMARK(<number of times>, <sql statement>) - Only on MySQL 3. SLEEP - MySQL (doesn't use processor)
What 3 *SQL injection tools* does the material recommend?
1. sqlmap 2. Mole 3. Blisqy
In which of the following techniques does an attacker use logical requests such as AND/OR to bypass a firewall? 1. CRLF technique 2. Blind SQL injection 3. Normalization method 4. HPF technique
2. Blind SQL injection
In which of the following attacks does an attacker use an ORDER BY clause to find the right number of columns in a database table? 1. In-line comments 2. UNION SQL injection 3. Tautology 4. Piggybacked query
2. UNION SQL injection
SQL injection vulnerabilities are a flaw in which of the following? 1. Web server 2. Web application 3. Database
2. Web application
In one of the following defensive techniques, only the list of entities such as data type, range, size, and value that have been approved for secured access are accepted. Which is this technique? 1. Enforcing least privileges 2. Whitelist validation 3. Output encoding 4. Blacklist validation
2. Whitelist validation
In which of the following attacks does an attacker pose a true or false question to a database to determine whether an application is vulnerable to SQL injection? 1. Union SQL injection 2. In-band SQL injection 3. Blind SQL injection 4. Error-based SQL injection
3. Blind SQL injection
Which of the following countermeasures allows developers to protect PL/SQL code from SQL injection attacks? 1. Maximize user inputs to dynamic SQL 2. Always use single quotes 3. Never sanitize user inputs before including them in dynamic SQL statements 4. Make use of bind parameters in dynamic SQL
4. Make use of bind parameters in dynamic SQL
Which of the following system tables does *MS SQL Server database* use to store *metadata*? Hackers can use this system table to acquire database schema information to further compromise the database. 1. sysdbs 2. syscells 3. sysrows 4. sysobjects
4. sysobjects
What is a *blind/inferential SQL injection*?
A SQL injection attack in which the web application either *returns no errors* or *returns a generic web page that doesn't indicate errors*. This type of attack is *time intensive for the attacker*.
What is *system stored procedure SQL injection*?
An attacker *exploits the database's stored procedures*
What is *illegal/logically incorrect query SQL injection*?
An attacker *sends an incorrect query to the database intentionally* to generate an error message that may be helpful in performing further attacks
What is a *piggybacked query SQL injection*?
An attacker injects (appends) an additional malicious query into/onto the original query and both queries are executed
What is an *inline comments SQL injection*?
An attacker integrates multiple vulnerable inputs into a single query using inline comments
What is *error-based* or *illegal/logically incorrect query* *SQL injection*?
An attacker intentionally *inserts bad input* into an application and analyzes the resultant *database errors* to *disclose valuable information*
What is the *heavy query* *blind/inferential SQL injection* technique?
An attacker sends a "heavy" CPU-intensive SQL statement to the target and assesses how long the target takes to respond to determine the presence of a SQL injection vulnerability
What is *boolean exploitation blind/inferential SQL injection*?
An attacker sends multiple valid SQL statements that evaluate to true and false and notes the response in the web page to determine the presence of a SQL injection vulnerability
What is *union-based SQL injection*?
An attacker uses a UNION clause to add a malicious query to the requested query
What is the IDS evasion technique that can be used to inject SQL statements into MySQL databases without using double quotes?
CHAR()
What is the SQL injection attack in which an attacker injects statements that are always true so that the queries always return results after evaluating the WHERE condition?
Tautology SQL injection
The following query is used to ______________ from a ___________ server. SELECT name FROM syscolumns WHERE id = (SELECT id from sysobjects WHERE name = 'tablename')
1. perform column enumeration 2. MSSQL
What operator is used for string concatenation in an Oracle database?
||