Module 15 - SQL Injection


Which of the following is used to indicate a single-line comment in structured query language (SQL)? %% " || --

-- Explanation: Single-line comments start with --. Any queries/text written after -- will not be executed. For example:
--SELECT * FROM Goods;
SELECT * FROM Goods;
The first query will not be executed because it was written after the single-line comment marker '--'.

Which of the following is a Snort rule that is used to detect and block SQL injection attack? UNION Select Password ' OR 5 BETWEEN 1 AND 7 /(\%27)|(\')|(\-\-)|(\%23)|(#)/ix SqlDataAdapter myCommand = new SqlDataAdapter("LoginStoredProcedure '" + Login.Text +"'", conn);

/(\%27)|(\')|(\-\-)|(\%23)|(#)/ix Explanation: Many common attacks use specific types of code sequences or commands that allow attackers to gain unauthorized access to the target's system and data. These commands and code sequences allow a user to write Snort rules that aim to detect SQL injection attacks. Some of the expressions that can be blocked by Snort are as follows:
/(\%27)|(\')|(\-\-)|(\%23)|(#)/ix
/exec(\s|\+)+(s|x)p\w+/ix
/((\%27)|(\'))union/ix
/\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection - Paranoid"; flow:to_server,established; uricontent:".pl"; pcre:"/(\%27)|(\')|(\-\-)|(%23)|(#)/i"; classtype:Web-application-attack; sid:9099; rev:5;)

Robert is a user with a privileged account and he is capable of connecting to the database. Rock wants to exploit Robert's privileged account. How can he do that? Design the code in such a way it traps and handles exceptions appropriately Use the most restrictive SQL account types for applications Access the database and perform malicious activities at the OS level Reject entries that contain binary data, escape sequences, and comment characters

Access the database and perform malicious activities at the OS level Explanation: A developer may give a database user an account that has high privileges. An attacker who compromises a privileged account can access the database and perform malicious activities at the OS level.

Which of the following tools provides automated web application security testing with innovative technologies including DeepScan and AcuSensor technology? SoftPerfect network scanner Security Acunetix web vulnerability scanner Hping2 / Hping3

Acunetix web vulnerability scanner Explanation:Acunetix Web Vulnerability Scanner provides automated web application security testing with innovative technologies including DeepScan and AcuSensor Technology. It rigorously tests for thousands of web application vulnerabilities including SQL injection and XSS.

Which of the following attacks is time-intensive because the database should generate a new statement for each newly recovered bit? Error Based SQL Injection In-band SQL Injection Blind SQL Injection UNION SQL Injection

Blind SQL Injection Explanation: A Blind/Inferential SQL injection attack can become time-intensive because the database should generate a new statement for each newly recovered bit. Blind SQL injection is used when a web application is vulnerable to SQL injection but the results of the injection are not visible to the attacker. It is identical to a normal SQL injection except that, when an attacker attempts to exploit the application, a generic custom page is displayed rather than a useful error message. In blind SQL injection, an attacker poses true or false questions to the database to see if the application is vulnerable to SQL injection.

Steve works as a penetration tester in a firm named InfoSecurity. Recently, Steve was given an assignment to test the security of the company's web applications and backend database. While conducting the test, he sends a malicious SQL query with conditional timing delays to the backend database through the web application. This conditional time delay forces the database to wait for a specified amount of time before responding. He performs the same task using different malicious SQL queries. By observing the various query responses from the database, Steve came to know that the web application is vulnerable to an SQL injection attack. What type of SQL injection attack is Steve most likely performing? Error-based SQL injection Union-based SQL injection Out-of-band SQL Injection Blind SQL injection

Blind SQL injection Explanation: Blind SQL injection: In this attack, the attacker simply asks a series of true or false questions by sending a malicious SQL query to the database. It is time-consuming because a new statement needs to be crafted for each bit recovered. Based on the response, the attacker determines whether the web application is vulnerable to an SQL injection attack or not. Error-based SQL injection: In this attack, the attacker obtains information about the database by analyzing the error messages returned by the underlying database. Union-based SQL injection: In this attack, the attacker uses the UNION SQL operator to combine two or more malicious queries into a single statement. This allows the attacker to get a single result containing the responses from all the malicious queries. Out-of-band SQL injection: In this attack, the attacker uses an enabled feature of the database server to launch the attack. This is an alternative to a time-based blind injection attack.

In blind SQLi, attackers can steal data by asking a series of true or false questions through SQL statements. Select all the correct types of blind SQL injections. System stored procedure Tautology Time Delay Boolean exploitation

Time Delay; Boolean exploitation Explanation: Unlike an error-based SQL injection, a blind SQL injection is used when a web application is vulnerable to SQL injection, but the results of the injection are not visible to the attacker. Time Delay and Boolean exploitation are types of blind SQLi, whereas System stored procedure and Tautology are types of error-based SQL injection.

Fill in the blank: ______ function is an IDS evasion technique that can be used to inject SQL statements into a MySQL database without using double quotes. CONV() CHR() ASCIISTR() CHAR()

CHAR() Explanation: With the CHAR() function, an attacker can encode a common injection variable present in the input string in an attempt to avoid detection by the signatures of network security measures. The CHAR() function converts hexadecimal and decimal values into characters that can easily pass through SQL engine parsing. Wrong answers: CONV(): Matlab function that returns the convolution of vectors. ASCIISTR(): the Oracle ASCIISTR function takes a string (or an expression that resolves to a string) and returns an ASCII version of the string. CHR(): the Oracle CHR() function returns the ASCII character that corresponds to the value passed to it.

Which of the following is the most effective technique in identifying vulnerabilities or flaws in the web page code? Packet Analysis Traffic Analysis Data Analysis Code Analysis

Code Analysis Explanation:Code analysis or code review is the most effective technique in identifying vulnerabilities or flaws in the code. Traffic analysis refers to analyzing the network traffic whereas packet analysis refers to analyzing the network packets that have been transferred in a network. Data analysis refers to analyzing the data. This data can be anything, depending on the situation.

Which of the following attacks is not performed by an attacker who exploits SQL injection vulnerabilities? Information Disclosure Remote Code Execution Covering Tracks Authentication Bypass

Covering Tracks Explanation: SQL injection can be used to implement the following attacks: authentication bypass, information disclosure, compromised data integrity, compromised availability of data, and remote code execution. Covering tracks is one of the main stages of system hacking. In this stage, the attacker tries to hide and avoid being detected, or "traced out," by covering all "tracks," or logs, generated while gaining access to the target network or computer. Let's see how the attacker removes traces of an attack on the target computer.

Which tool is used to automate SQL injections and exploit a database by forcing a given web application to connect to another database controlled by a hacker? Nmap Cain and Abel NetCat Data Thief

Data Thief Explanation: DataThief: DataThief is a tool used to demonstrate to web administrators and developers how to steal data from a web application that is vulnerable to SQL injection. Data Thief is designed to retrieve the data from a Microsoft SQL Server back end behind a web application with an SQL injection vulnerability. NetCat: Netcat is a networking utility that reads and writes data across network connections using the TCP/IP protocol. It is a reliable "back-end" tool used directly or driven by other programs and scripts. It is also a network debugging and exploration tool. Cain and Abel: Cain & Abel is a password recovery tool that runs on Microsoft operating systems. It allows you to recover various kinds of passwords by sniffing the network, cracking encrypted passwords using dictionary, brute-force and cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords, and analyzing routing protocols. The Cain & Abel tool recovers passwords and credentials from various sources easily. Nmap: Nmap is a security scanner for network exploration and hacking. It allows you to discover hosts and services on a computer network, thus creating a "map" of the network. It sends specially crafted packets to the target host and then analyzes the responses to accomplish its goal.

William has been hired by the ITSec, Inc. to perform web application security testing. He was asked to perform black box penetration testing to test the security of the company's web applications. No information is provided to William about the company's network and infrastructure. William notices that the company website is dynamic and must make use of a backend database. He wants to see if an SQL injection would be possible. As part of the testing, he tries to catch instances where the user input is used as part of an SQL identifier without any input sanitization. Which of the following characters should William use as the input data to catch the above instances? Right square bracket Double quote Single quote Semicolon

Double quote; Single quote

Select all correct answers. To defend against SQL injection, a developer needs to take proper actions in configuring and developing an application. Select all correct statements that help in defending against SQL injection attacks. Ensure that the Web configuration files for each application do not contain sensitive information Keep untrusted data separate from commands and queries Avoid constructing dynamic SQL with concatenated input values Apply input validation only on the client side

Ensure that the Web configuration files for each application do not contain sensitive information; Avoid constructing dynamic SQL with concatenated input values

Identify the reason why web applications are vulnerable to SQL injection attacks. Avoid constructing dynamic SQL with concatenated input values Error messages reveal important information Reject entries that contain binary data, escape sequences, and comment characters Tests the content of string variables and accept only expected values

Error messages reveal important information Explanation:Error messages reveal important information: If the input provided by the user does not exist or the structure of the query is wrong, the database server displays an error message. This error message can reveal important information regarding the database, which an attacker can use to gain unauthorized access to the database. B, C, and D are irrelevant in the scenario.

An attacker uses the following SQL query to perform an SQL injection attack: SELECT * FROM users WHERE name = '' OR '1'='1'; Identify the type of SQL injection attack performed. Illegal/Logically Incorrect Query End-of-Line Comment Tautology UNION SQL Injection

Tautology Explanation: In a tautology-based SQL injection attack, an attacker uses a conditional OR clause in such a way that the condition of the WHERE clause will always be true. In SELECT * FROM users WHERE name = '' OR '1'='1'; you can observe OR and WHERE present in the code. The OR clause is written so that the condition of the WHERE clause is always true, so this is a form of tautology-based SQL injection attack. An attacker may gain knowledge by injecting illegal/logically incorrect requests such as injectable parameters, data types, names of tables, and so on. In a UNION SQL injection, an attacker uses a UNION clause to append a malicious query to the requested query. In end-of-line SQL injection, an attacker uses line comments in specific SQL injection inputs.

Which of the following SQL queries is an example of a heavy query used in SQL injection?

SELECT count(*) FROM all_users A, all_users B, all_users C Explanation: For example, the following is a query in Oracle that takes a huge amount of time to execute: SELECT count(*) FROM all_users A, all_users B, all_users C. If an attacker injects a malicious parameter into the above query to perform a time-based SQL injection without using functions, it takes the following form: 1 AND 1 < (SELECT count(*) FROM all_users A, all_users B, all_users C). The final resultant query takes the form: SELECT * FROM products WHERE id=1 AND 1 < (SELECT count(*) FROM all_users A, all_users B, all_users C)

Robert, a penetration tester, is trying to perform SQL penetration testing on the company's SQL database to discover coding errors and security loopholes. Robert sends massive amounts of random data to the SQL database through the web application in order to crash the company's web application. After observing the changes in the output, he comes to know that the web application is vulnerable to SQL injection attacks. Which of the following testing techniques is Robert using to find the loopholes? Out of Band Exploitation Alternate Encodings Stored Procedure Injection Fuzzing Testing

Fuzzing Testing Explanation: Stored Procedure Injection: Stored procedures are used at the back end of the web application to support its functionality. In the stored procedure injection technique, malicious SQL queries are executed within the stored procedure. Out of Band Exploitation: In the out-of-band exploitation technique, the tester creates an alternate channel to retrieve data from the server. Alternate Encodings: In the alternate encodings technique, the tester modifies the SQL injection query by using alternate encodings, such as hexadecimal, ASCII, and Unicode. Fuzzing Testing: Fuzz testing (fuzzing) is a black box testing method. It is a quality checking and assurance technique used to identify coding errors and security loopholes in web applications. Huge amounts of random data, called 'fuzz', are generated by fuzz testing tools (fuzzers) and used against the target web application to discover vulnerabilities that can be exploited by various attacks.

Which of the following methods carries the requested data to the webserver as a part of the message body? Cold Fusion HTTP GET HTTP POST IBM DB2

HTTP POST Explanation: An HTTP POST request is one of the methods used to carry the requested data to the web server. Unlike the HTTP GET method, an HTTP POST request carries the requested data as a part of the message body. Thus, it is considered more secure than HTTP GET.

Which of the following tools is used for detecting SQL injection attacks? Nmap NetScanTools Pro Wireshark IBM Security AppScan

IBM Security AppScan Explanation:IBM Security AppScan enhances web and mobile application security, improves application security, and strengthens regulatory compliance. By scanning web and mobile applications prior to deployment, AppScan identifies security vulnerabilities, generates reports, and makes recommendations to apply fixes.

An attacker injects the following SQL query: blah' AND 1=(SELECT COUNT(*) FROM mytable); -- What is the intention of the attacker? Updating Table Adding New Records Deleting a Table Identifying the Table Name

Identifying the Table Name Explanation: When an attacker injects the following SQL query: blah' AND 1=(SELECT COUNT(*) FROM mytable); -- the intention is to identify the table name. For example: SELECT jb-email, jb-passwd, jb-login_id, jb-last_name FROM table WHERE jb-email = 'blah' AND 1=(SELECT COUNT(*) FROM mytable); --'; For updating a table, the injection would be: blah'; UPDATE jb-customers SET jb-email='[email protected]' WHERE email='[email protected]'; -- For adding new records: blah'; INSERT INTO jb-customers ('jb-email','jb-passwd','jb-login_id','jb-last_name') VALUES ('[email protected]','hello','jason','jason springfield'); -- For deleting a table: blah'; DROP TABLE Creditcard; --

In which of the following attacks does an attacker use the same communication channel to perform the attack and retrieve the results? Out-of-band SQL injection Inferential SQL injection Blind SQL injection In-band SQL injection

In-band SQL injection Explanation:Blind/inferential SQL Injection: In a blind/inferential injection, the attacker has no error messages from the system with which to work. Instead, the attacker simply sends a malicious SQL query to the database. Out-of-band SQL injection: Attackers use different communication channels (such as database e-mail functionality, or file writing and loading functions) to perform the attack and obtain the results. In-band SQL injection: An attacker uses the same communication channel to perform the attack and retrieve the results.

During a penetration test, a tester finds a target that is running MS SQL 2000 with default credentials. The tester assumes that the service is running with a local system account. How can this weakness be exploited to access the system? Invoking the stored procedure cmd_shell to spawn a Windows command shell Using the Metasploit psexec module setting the SA/admin credential Invoking the stored procedure xp_cmdshell to spawn a Windows command shell Invoking the stored procedure xp_shell to spawn a Windows command shell

Invoking the stored procedure xp_cmdshell to spawn a Windows command shell Explanation: Microsoft SQL Server has a built-in extended stored procedure to execute commands on the underlying operating system and return their standard output: xp_cmdshell(). This stored procedure is enabled by default on Microsoft SQL Server 2000. On Microsoft SQL Server 2000, the sp_addextendedproc stored procedure can be used. The attacker can create a new procedure from scratch using a shell object if the session user has the required privileges. This technique has been illustrated numerous times and can still be used if the session user is highly privileged. On all Microsoft SQL Server versions, this procedure can be executed only by users with the sysadmin server role.

Shea is a licensed penetration tester. She is working with a client to test their new e-commerce website for SQL injection. After signing the NDA and agreeing on the rules of engagement (RoE), she starts by examining and listing all the input fields on the website. She tries to insert a string value in the CVV2 textbox, where a three-digit number is expected, and she ends up with the below error message. Identify in which stage of the SQL injection methodology is Shea right now. Launch SQL injection attacks Identifying data entry paths Extracting information through error messages Information gathering and SQL injection vulnerability detection

Launch SQL injection attacks

Michel, a professional hacker, is trying to perform time-based blind SQL injection attacks on the MySQL backend database of RadioTV Inc. He decided to use an SQL injection tool to perform this attack. Michel surfed the Internet and finally found a tool which has the following features: sends heavy queries to the target database to perform a time-based blind SQL injection attack; database schema extraction from SQL Server, Oracle and MySQL; data extraction from Microsoft Access 97/2000/2003/2007 databases; parameter injection using HTTP GET or POST. Which of the following tools does Michel use to perform time-based blind SQL injection attacks on the MySQL backend database? SQLiX SQLDict WebCruiser Marathon Tool

Marathon Tool Explanation: Marathon Tool: Marathon Tool is a POC for using heavy queries to perform a time-based blind SQL injection attack. This tool is still a work in progress, but is right now in a very good alpha version. It can be used to extract information from web applications using Microsoft SQL Server, Microsoft Access, MySQL or Oracle databases. (Source: https://marathontool.codeplex.com/) SQLiX:

In which of the following attacks does an attacker inject an additional malicious query into the original query? Piggybacked Query In-line Comments Tautology UNION SQL Injection

Piggybacked Query

Talisa is inspecting the website Movie Scope for SQL injection attacks. She is using sqlmap, an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. Talisa was able to find and exploit an SQL injection vulnerability in the user ID parameter on the website. Now she has full control over the DBMS. However, before getting paid she had to prove to the website owner that she was able to execute SQL commands on the DB server and successfully retrieve answers from the DB. From the screenshot below, identify the SQL command that Talisa used in order to retrieve the DBMS version. SELECT @VERSION GET @@VERSION SELECT @@VERSION SELECT * FROM VERSION

SELECT @@VERSION Explanation: The DBMS is Microsoft SQL Server, and the correct SQL statement to retrieve the SQL Server database version is SELECT @@VERSION. The string "SELECT" can be represented by the hexadecimal number 0x73656c656374, which most likely will not be detected by a signature protection mechanism.

Based on the source code analysis, the analyst concludes that the login.php script is vulnerable to: directory traversal command injection directory traversal SQL injection

SQL injection Explanation: An SQL injection query exploits the normal execution of SQL. An attacker submits a request with values that will execute normally but will return data from the database that the attacker wants. The attacker is able to submit these malicious values because of the inability of the application to filter them before processing. If the values submitted by the users are not properly validated, then there is a potential for an SQL injection attack on the application. Consider the check if (mysql_num_rows($result) != 0) echo 'Authentication granted!'; a close examination of the query behind it reveals that the condition in the WHERE clause will always be true. This query executes successfully because there is no syntax error, and it does not violate the normal execution of the query.

A tester has been hired to do a web application security test. The tester notices that the site is dynamic and must make use of a back-end database. In order for the tester to see if an SQL injection is possible, what is the first character that the tester should use to attempt breaking a valid SQL request? Exclamation mark Double quote Single quote Semicolon

Single quote Explanation: A tester may try any character of interest. However, the first attempt any tester generally makes uses a single quote. A semicolon is used to terminate SQL statements. A single quote is used to test whether strings are properly filtered in the targeted application or not. An exclamation mark refers to NOT in SQL. According to https://docs.microsoft.com, "All strings delimited by double quotation marks are interpreted as object identifiers."

Which of the following tools is used to build rules that aim to detect SQL injection attacks? SuperScan Nmap Snort Masscan

Snort Explanation: Many common attacks use specific types of code sequences or commands that allow attackers to gain unauthorized access to the target's system and data. These commands and code sequences allow a user to write Snort rules that aim to detect SQL injection attacks.

In which of the following attacks does an attacker use a conditional OR clause in such a way that the condition of the WHERE clause will always be true? UNION SQL injection Illegal/logically incorrect query End-of-line comment Tautology

Tautology Explanation: In a UNION SQL injection, an attacker uses a UNION clause to append a malicious query to the requested query. An attacker may gain knowledge by injecting illegal/logically incorrect requests such as injectable parameters, data types, names of tables, and so on. In a tautology-based SQL injection attack, an attacker uses a conditional OR clause in such a way that the condition of the WHERE clause will always be true. In end-of-line SQL injection, an attacker uses line comments in specific SQL injection inputs.

Which of the following countermeasures prevent buffer overruns? Keep untrusted data separate from commands and queries Use the most restrictive SQL account types for applications Apply the least privilege rule to run the applications that access the DBMS Test the size and data type of the input and enforce appropriate limits

Test the size and data type of the input and enforce appropriate limits Explanation: All the options are countermeasures against SQL injection. However, only "Test the size and data type of the input and enforce appropriate limits" is the one that prevents buffer overruns.

Bank of Timbuktu is a medium-sized, regional financial institution in Timbuktu. The bank has recently deployed a new Internet-accessible web application. Customers can access their account balances, transfer money between accounts, pay bills, and conduct online financial business using a web browser. John Stevens is in charge of information security at the Bank of Timbuktu. After one month in production, several customers have complained about the Internet-enabled banking application. Strangely, the account balances of many of the bank's customers have been changed! However, money has not been removed from the bank; instead, money is transferred between accounts. Given this attack profile, John Stevens reviewed the web application's logs and found the following entries: What kind of attack did the hacker attempt to carry out at the bank? The hacker attempted session hijacking, in which the hacker opened an account with the bank, then logged in to receive a session ID, guessed the next ID, and took over Jason's session. Brute force attack in which the hacker attempted guessing login IDs and passwords from password-cracking tools. The hacker used a generator module to pass results to the webserver and exploited web application CGI vulnerability. The hacker first attempted logins with suspected user names, and then used SQL injection to gain access to valid bank login IDs.

The hacker first attempted logins with suspected user names, and then used SQL injection to gain access to valid bank login IDs.

A tester has been hired to perform source code review of a web application to detect SQL injection vulnerabilities. As part of the testing process, he needs to get all the information about the project from the development team. During the discussion with the development team, he comes to know that the project is in the initial stage of the development cycle. As per the above scenario, which of the following processes does the tester need to follow in order to save the company's time and money? The tester needs to perform dynamic code analysis as it uncovers bugs in the software system The tester needs to perform dynamic code analysis as it finds and fixes the defects The tester needs to perform static code analysis as it covers the structural and statement coverage testing The tester needs to perform static code analysis as it covers the executable file of the code

The tester needs to perform static code analysis as it covers the structural and statement coverage testing Explanation: Option A: The main objective of static code analysis is to improve the quality of software products by finding errors in the early stages of the development cycle. In static testing, code is not executed. It involves manual or automated reviews of the documents. This review is done during the initial phase of testing to catch defects early in the SDLC. It assesses the code and documentation and covers the structural and statement coverage testing. Option B: Static code analysis is performed in the early stages of the development cycle. In static testing, code is not executed, so it does not cover the testing of an executable file of the code. Option C: Dynamic code analysis checks the functional behavior of the software system, memory/CPU usage, and overall performance of the system. In dynamic testing, code is executed to uncover bugs in the software system. This testing is not performed in the early stages of the development cycle. Option D: Dynamic code analysis finds and fixes the defects, but the cost of finding and fixing defects is high.

What is the main difference between a "Normal" SQL injection and a "Blind" SQL injection vulnerability? The attack is called "Blind" because, although the application properly filters user input, it is still vulnerable to code injection. A successful attack does not show an error message to the administrator of the affected application. The request to the webserver is not visible to the administrator of the vulnerable application. The vulnerable application does not display errors with information about the injection results to the attacker.

The vulnerable application does not display errors with information about the injection results to the attacker. Explanation:In a blind SQL injection, an attacker poses a true or false question to the database to see if the application is vulnerable to SQL injections. A normal SQL injection attack is often possible when a developer uses generic error messages whenever an error occurs in the database. This generic message may reveal sensitive information or give a path to the attacker to carry out an SQL injection attack on the application. However, when developers turn off the generic error message for the application, it is quite difficult for the attacker to perform an SQL injection attack. However, it is not impossible to exploit such an application with an SQL injection attack. Blind injection differs from a normal SQL injection in the way it retrieves data from the database. Blind SQL injection is used either to access sensitive data or to destroy the data. Attackers can steal the data by asking a series of true or false questions through SQL statements. The results of the injection are not visible to the attacker. This process consumes more time as the database generates a new statement for each newly recovered bit.

SQL injection attacks do not exploit a specific software vulnerability; instead they target websites that do not follow secure coding practices for accessing and manipulating data stored in a relational database. True False

True Explanation: The question tests the student's understanding of the root cause of SQLi attacks. Web applications use various database technologies as a part of their functionality. Some relational databases used for developing web applications include Microsoft SQL Server, Oracle, IBM DB2, and the open-source MySQL. Developers sometimes unknowingly neglect secure coding practices when using these technologies, which makes the applications vulnerable to SQL injection attacks.

In which of the following attacks does an attacker use an ORDER BY clause to find the right number of columns in a database table?
Piggybacked query
UNION SQL injection
In-line comments
Tautology

UNION SQL injection
Explanation: In a UNION SQL injection, to find the right number of columns, the attacker first launches a query using an ORDER BY clause followed by a number to indicate the number of database columns selected: ORDER BY 10--

Which of the following commands is used to make the CPU wait for a specified amount of time before executing an SQL query?
ORDER BY 10--
UNION SELECT 1,null,null--
WAITFOR DELAY '0:0:10'--
GET_HOST_NAME()

WAITFOR DELAY '0:0:10'--

Snort is an open-source, free and lightweight network intrusion detection system (NIDS) software for Linux and Windows to detect emerging threats. Snort can be used to detect SQL injection attacks. Identify the correct Snort rule to detect SQL injection attacks.
A. alert tcp $EXTERNAL_NET any -> 172.16.66.23 443 (msg:"SQL Injection attempt on Finance Dept. webserver"; flow:to_server,established; uricontent:".pl"; pcre:"/(\%27)|(\')|(\-\-)|(%23)|(#)/i"; classtype:Web-application-attack; sid:9099; rev:5;)
B. rule SQLiTester {
       meta:
           description = "SQL Injection tester"
           author = "Ellaria Sand"
           date = "2016-04-26"
           hash = "dc098f88157b5cbf3ffc82e6966634bd280421eb"
       strings:
           $s0 = " SQL Injection tester" ascii
           $s17 = "/Blind SQL injection tool" fullword ascii
           $s18 = "WAITFOR DELAY '0:0:10' --" fullword wide
       condition:
           uint32(0) == 0x5a4d and filesize < 1040KB and all of them
   }
C. rule SQLiTester {
       meta:
           description = "SQL Injection tester"
           author = "Ellaria Sand"
           date = "2016-04-26"
           hash = "dc098f88157b5cbf3ffc82e6966634bd280421eb"
       strings:
           $s0 = " SQL Injection tester" ascii
           $s17 = "/Blind SQL injection tool" fullword ascii
           $s18 = "SELECT UNICODE(SUBSTRING((system_user),{0},1))" fullword wide
       condition:
           uint16(0) == 0x5a4d and filesize < 1040KB and all of them
   }
D. alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection attempt on Finance Dept. webserver"; flow:stateless; ack:0; flags:S; ttl:>220; reference:arachnids,439; classtype:attempted-recon; sid:613; rev:6;)

A. alert tcp $EXTERNAL_NET any -> 172.16.66.23 443 (msg:"SQL Injection attempt on Finance Dept. webserver"; flow:to_server,established; uricontent:".pl"; pcre:"/(\%27)|(\')|(\-\-)|(%23)|(#)/i"; classtype:Web-application-attack; sid:9099; rev:5;)
Explanation: B and C are YARA rules, and D is a Snort rule for SYN scanning. A is a Snort rule for an SQL injection attempt on the Finance Department web server, so A is the correct answer.

David, a penetration tester, was asked to check the MySQL database of the company for SQL injection attacks. He decided to check the back-end database for a double blind SQL injection attack. He knows that double blind SQL injection exploitation is performed based on an analysis of time delays and that he needs to use some functions to produce the time delays. David wants to use a function that does not use the processor resources of the server. Which of the following functions does David need to use?
addcslashes()
benchmark()
mysql_query()
sleep()

sleep()
Explanation: sleep(): This function does not use the processor resources of the server. The sleep() function is an analogue of the benchmark() function and is more suitable in the given context, because it does not consume server resources. benchmark(): This function uses the processor resources of the server. mysql_query(): This function does not permit query stacking, i.e. executing multiple queries in a single function call. addcslashes(): This function allows the tester to specify a character range to escape.

Which of the following system tables does the MS SQL Server database use to store metadata? Hackers can use this system table to acquire database schema information to further compromise the database.
sysrows
sysdbs
syscells
sysobjects

sysobjects
Explanation: SYSOBJECTS contains a row for every object that has been created in the database, including stored procedures, views, and user tables. The other options do not exist.

Which of the following commands has to be disabled to prevent exploitation at the OS level?
execute
cat
ping
xp_cmdshell

xp_cmdshell
Explanation: The xp_cmdshell option is an SQL Server configuration option that enables system administrators to control whether the xp_cmdshell extended stored procedure can be executed on a system. Disable commands such as xp_cmdshell, as they can affect the OS of the system.
