CEH#14 - Oriyano - SQL Injection
1. Input validation is used to prevent which of the following? a. bad input b. formatting issues c. language issues d. SQL injection
a,d. Input validation is intended to prevent the submission of bad input into an application, which could allow sql injection to take place.
5. In addition to relational databases, there is also what kind of database? a. hierarchical b. sql c. odbc d. structured
a. a hierarchical db is an alternative to the popular relational db structure.
4. Databases can be a victim of code exploits depending on which of the following: a. configuration b. vendor c. patches d. client version
a. db's can be a victim of source code exploits, depending on their configuration and design.
2. Web applications are used to _____?
a. web applications are ideally suited for providing dynamic content of all types. Although some of this can be done on the client side, there is much more power and capability of the server side.
12. Which command is used to query data in SQL Server? a. cmdshell b. WHERE c. SELECT d. from
b, c, d. The SELECT command is used to craft SQL queries, whereas WHERE and FROM are used to customize queries to get more desirable results.
8. Browsers do not display ______. a. activeX b. hidden fields c. java d. javascript
b. browsers do not render hidden fields, but these fields can be viewed if you use the browser's ability to view source code.
3. Which of the following challenges can be solved by firewalls? a. protection against buffer overflows b. protection against scanning c. enforcement of privileges d. ability to use nonstatndard ports
b. firewalls can prevent the scanning of systems and the probing or discovery of a db.
9. Proper input validation can prevent what from occurring? a. client-side issues b. operating system exploits c. SQL injection attacks d. software failure
b. sql injection attacks are made possible through improper input validation, thus allowing bogus commands to be issued to a db and processed.
15. SQL injection attacks are aimed at which of the following? a. web applications b. web servers c. databases d. database engines
c. SQL injection operates at the db typically associated with a record.
6. Which of the following is a scripting language? a. activex b. java c. cgi d. asp.net
c. cgi is a scripting language that is desgned to be processed on the server side before the results are provided to the client.
11. Which command can be used to access the command prompt in SQL server? a. WHERE b. SELECT c. xp_cmdshell d. cmdshell
c. the xp_cmdshell command is available in all versions of SQL server and can be used to open a command shell. The command has been disabled in current versions of the product, though it is still available to be enabled.
14. Which command is used to remove a table from a database? a. cmdshell -drop table b. REMOVE c. DROPTABLES d. drop tables
d. The drop table command is used to remove a table from a db. This command deletes a table from the db.
10. __________ can be used to attack databases. a. buffer overflows b. sql injection c. buffer injection d. input validation
b. sql injection can be used to attack db's.
13. Which statement is used to limit data in SQL Server? a. cmdshell b. WHERE c. SELECT d. to
b. the WHERE statement limits the results of a SQL query.
7. ______ is used to audit databases? a. ping b. ipconfig c. sqlping d. traceroute
c. SQLPing is used to audit db's and help identify issues that may be of concern or problematic.
16. Which of the following is another name for a record in a database? a. row b. column c. cell d. label
A. A row is a name for a line in a db typically associated with a record.
20. A blind SQL injection attack is used when which of the following is true? a. error messages are not available b. the database is not SQL compatible c. the db is relational d. all of the above
A. When error messages are not descriptive or not available, a blind SQL injection attack can be used to ascertain information from performance or indirect observations.
18. What type of database uses multiple tables linked together in complex relationshipos? a. hierarchical b. relational c. distributed d. flat
B. A relational db uses complex relationships between tables to describe data in an understandable format.
17. What type of database has its information spread across many disparate systems? a. hierarchical b. relational c. distributed d. flat
C. A distributed db is one that has its information spread across many different systems that are networked together and linked via code.
19. What can an error message tell an attacker? a. success of an attack b. failure of an attack c. structure of a db d. all of the above
D. Error messages can reveal success of an attack, failure of an attack, structure of a db, as well as configuration and other information.