SQL Injection
Fill in the blank: the ______ function is an IDS evasion technique that can be used to inject SQL statements into a MySQL database without using double quotes. CHAR() | CONV() | ASCIISTR() | CHR()
CHAR()
Which of the following is the most effective technique in identifying vulnerabilities or flaws in the web page code? Traffic Analysis | Packet Analysis | Code Analysis | Data Analysis
Code Analysis
Which tool is used to automate SQL injections and exploit a database by forcing a given web application to connect to another database controlled by a hacker? DataThief | NetCat | Cain and Abel | Nmap
DataThief
Which of the following tools is used for detecting SQL injection attacks? Nmap | Wireshark | IBM Security AppScan | NetScanTools Pro
IBM Security AppScan
A tester has been hired to do a web application security test. The tester notices that the site is dynamic and must make use of a back-end database. In order for the tester to see if an SQL injection is possible, what is the first character that the tester should use to attempt breaking a valid SQL request? Semicolon | Single quote | Exclamation mark | Double quote
Single quote
In which of the following attacks does an attacker use an ORDER BY clause to find the right number of columns in a database table? Piggybacked query | In-line comments | UNION SQL injection | Tautology
UNION SQL injection
Which of the following system tables does the MS SQL Server database use to store metadata? Hackers can use this system table to acquire database schema information to further compromise the database. sysdbs | sysrows | syscells | sysobjects
sysobjects
Robert is a user with a privileged account and he is capable of connecting to the database. Rock wants to exploit Robert's privileged account. How can he do that? Access the database and perform malicious activities at the OS level | Reject entries that contain binary data, escape sequences, and comment characters | Use the most restrictive SQL account types for applications | Design the code in such a way that it traps and handles exceptions appropriately
Access the database and perform malicious activities at the OS level
Which of the following tools provides automated web application security testing with innovative technologies including DeepScan and AcuSensor technology? IBM Security AppScan | Hping2 / Hping3 | SoftPerfect network scanner | Acunetix web vulnerability scanner
Acunetix web vulnerability scanner
Which of the following SQL queries is an example of a heavy query used in SQL injection? SELECT Name, Price, Description FROM ITEM_DATA WHERE ITEM_ID = 67 AND 1 = 1 | SELECT Name, Phone, Address FROM Users WHERE Id=1 UNION ALL SELECT creditCardNumber,1,1 FROM CreditCardTable | SELECT * FROM products WHERE id_product=$id_product | SELECT * FROM products WHERE id=1 AND 1 < SELECT count(*) FROM all_users A, all_users B, all_users C
SELECT * FROM products WHERE id=1 AND 1 < SELECT count(*) FROM all_users A, all_users B, all_users C
Which of the following attacks is not performed by an attacker who exploits SQL injection vulnerabilities? Authentication Bypass | Remote Code Execution | Covering Tracks | Information Disclosure
Covering Tracks
Robert, a penetration tester, is trying to perform SQL penetration testing on the company's SQL database to discover coding errors and security loopholes. Robert sends massive amounts of random data to the SQL database through the web application in order to crash the company's web application. After observing the changes in the output, he comes to know that the web application is vulnerable to SQL injection attacks. Which of the following testing techniques is Robert using to find the loopholes? Fuzzing Testing | Stored Procedure Injection | Out of Band Exploitation | Alternate Encodings
Fuzzing Testing
In which of the following attacks does an attacker use the same communication channel to perform the attack and retrieve the results? Blind SQL injection | Out-of-band SQL injection | In-band SQL injection | Inferential SQL injection
In-band SQL injection
During a penetration test, a tester finds a target that is running MS SQL 2000 with default credentials. The tester assumes that the service is running with a local system account. How can this weakness be exploited to access the system? Using the Metasploit psexec module setting the SA/admin credential | Invoking the stored procedure xp_shell to spawn a Windows command shell | Invoking the stored procedure cmd_shell to spawn a Windows command shell | Invoking the stored procedure xp_cmdshell to spawn a Windows command shell
Invoking the stored procedure xp_cmdshell to spawn a Windows command shell
Michel, a professional hacker, is trying to perform time-based blind SQL injection attacks on the MySQL backend database of RadioTV Inc. He decided to use an SQL injection tool to perform this attack. Michel surfed the Internet and finally found a tool which has the following features: sends heavy queries to the target database to perform a Time-Based Blind SQL Injection attack; database schema extraction from SQL Server, Oracle and MySQL; data extraction from Microsoft Access 97/2000/2003/2007 databases; parameter injection using HTTP GET or POST. Which of the following tools does Michel use to perform time-based blind SQL injection attacks on the MySQL backend database? Marathon Tool | SQLiX | SQLDict | WebCruiser
Marathon Tool
An attacker uses the following SQL query to perform an SQL injection attack: SELECT * FROM users WHERE name = '' OR '1'='1'; Identify the type of SQL injection attack performed. Tautology | Illegal/Logically Incorrect Query | UNION SQL Injection | End-of-Line Comment
Tautology
In which of the following attacks does an attacker use a conditional OR clause in such a way that the condition of the WHERE clause will always be true? UNION SQL injection | Illegal/logically incorrect query | End-of-line comment | Tautology
Tautology
Select all correct answers. To defend against SQL injection, a developer needs to take proper actions in configuring and developing an application. Select all correct statements that help in defending against SQL injection attacks. Avoid constructing dynamic SQL with concatenated input values | Ensure that the Web configuration files for each application do not contain sensitive information | Keep untrusted data separate from commands and queries | Apply input validation only on the client-side
Avoid constructing dynamic SQL with concatenated input values; Ensure that the Web configuration files for each application do not contain sensitive information; Keep untrusted data separate from commands and queries
Which of the following attacks is time-intensive because the database must generate a new statement for each newly recovered bit? Blind SQL Injection | UNION SQL Injection | Error Based SQL Injection | In-band SQL Injection
Blind SQL Injection
Steve works as a penetration tester in a firm named InfoSecurity. Recently, Steve was given an assignment to test the security of the company's web applications and backend database. While conducting the test, he sends a malicious SQL query with conditional timing delays to the backend database through the web application. This conditional time delay forces the database to wait for a specified amount of time before responding. He performs the same task using different malicious SQL queries. By observing various query responses from the database, Steve came to know that the web application is vulnerable to an SQL injection attack. What type of SQL injection attack is Steve most likely performing? Blind SQL injection | Error-based SQL injection | Union-based SQL injection | Out-of-band SQL Injection
Blind SQL injection
Which of the following methods carries the requested data to the webserver as a part of the message body? HTTP GET | HTTP POST | IBM DB2 | Cold Fusion
HTTP POST
An attacker injects the following SQL query: blah' AND 1=(SELECT COUNT(*) FROM mytable); -- What is the intention of the attacker? Updating Table | Adding New Records | Deleting a Table | Identifying the Table Name
Identifying the Table Name
In which of the following attacks does an attacker inject an additional malicious query into the original query? In-line Comments | Piggybacked Query | Tautology | UNION SQL Injection
Piggybacked Query
William has been hired by ITSec, Inc. to perform web application security testing. He was asked to perform black box penetration testing to test the security of the company's web applications. No information is provided to William about the company's network and infrastructure. William notices that the company website is dynamic and must make use of a backend database. He wants to see if an SQL injection would be possible. As part of the testing, he tries to catch instances where the user input is used as part of an SQL identifier without any input sanitization. Which of the following characters should William use as the input data to catch the above instances? Right square bracket | Single quote | Double quote | Semicolon
Single quote; Double quote
Which of the following tools is used to build rules that aim to detect SQL injection attacks? Nmap | Snort | Masscan | SuperScan
Snort
Which of the following countermeasures prevents buffer overruns? Use the most restrictive SQL account types for applications | Keep untrusted data separate from commands and queries | Test the size and data type of the input and enforce appropriate limits | Apply the least privilege rule to run the applications that access the DBMS
Test the size and data type of the input and enforce appropriate limits
A tester has been hired to perform source code review of a web application to detect SQL injection vulnerabilities. As part of the testing process, he needs to get all the information about the project from the development team. During the discussion with the development team, he comes to know that the project is in the initial stage of the development cycle. As per the above scenario, which of the following processes does the tester need to follow in order to save the company's time and money? The tester needs to perform static code analysis as it covers the structural and statement coverage testing | The tester needs to perform static code analysis as it covers the executable file of the code | The tester needs to perform dynamic code analysis as it uncovers bugs in the software system | The tester needs to perform dynamic code analysis as it finds and fixes the defects
The tester needs to perform static code analysis as it covers the structural and statement coverage testing
What is the main difference between a "Normal" SQL injection and a "Blind" SQL injection vulnerability? The request to the webserver is not visible to the administrator of the vulnerable application. | The attack is called "Blind" because, although the application properly filters user input, it is still vulnerable to code injection. | A successful attack does not show an error message to the administrator of the affected application. | The vulnerable application does not display errors with information about the injection results to the attacker.
The vulnerable application does not display errors with information about the injection results to the attacker.
Select all correct answers. In blind SQLi, attackers can steal data by asking a series of true or false questions through SQL statements. Select all the correct types of blind SQL injections. Time Delay | Boolean exploitation | Tautology | System stored procedure
Time Delay; Boolean exploitation
SQL injection attacks do not exploit a specific software vulnerability; instead they target websites that do not follow secure coding practices for accessing and manipulating data stored in a relational database. True | False
True
Snort is an open-source, free and lightweight network intrusion detection system (NIDS) software for Linux and Windows to detect emerging threats. Snort can be used to detect SQL injection attacks. Identify the correct Snort rule to detect SQL injection attacks. alert tcp $EXTERNAL_NET any -> 172.16.66.23 443 (msg:"SQL Injection attempt on Finance Dept. webserver"; flow:to_server,estahlished; uricontent:".pl";pcre:"/(\%27)|(\')|(\-\-)|(%23)|(#)/i"; classtype:Web-application-attack; sid:9099; rev:5;) | rule SQLiTester { meta: description = "SQL Injection tester" author = "Ellaria Sand" date = "2016-04-26" hash = "dc098f88157b5cbf3ffc82e6966634bd280421eb" strings: $s0 = " SQL Injection tester" ascii $s17 = "/Blind SQL injection tool" fullword ascii $s18 = "SELECT UNICODE(SUBSTRING((system_user),{0},1))" fullword wide condition: uint16(0) == 0x5a4d and filesize < 1040KB and all of them } | rule SQLiTester { meta: description = "SQL Injection tester" author = "Ellaria Sand" date = "2016-04-26" hash = "dc098f88157b5cbf3ffc82e6966634bd280421eb" strings: $s0 = " SQL Injection tester" ascii $s17 = "/Blind SQL injection tool" fullword ascii $s18 = "WAITFOR DELAY '0:0:10' --" fullword wide condition: uint32(0) == 0x5a4d and filesize < 1040KB and all of them } | alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection attempt on Finance Dept. webserver"; flow:stateless; ack:0; flags:S; ttl:>220; reference:arachnids,439; classtype:attempted-recon; sid:613; rev:6;)
alert tcp $EXTERNAL_NET any -> 172.16.66.23 443 (msg:"SQL Injection attempt on Finance Dept. webserver"; flow:to_server,estahlished; uricontent:".pl";pcre:"/(\%27)|(\')|(\-\-)|(%23)|(#)/i"; classtype:Web-application-attack; sid:9099; rev:5;)
David, a penetration tester, was asked to check the company's MySQL database for SQL injection attacks. He decided to check the back end database for a double blind SQL injection attack. He knows that double blind SQL injection exploitation is performed based on an analysis of time delays and that he needs to use some functions to produce the time delays. David wanted to use a function that does not consume the processor resources of the server. Which of the following functions does David need to use? sleep() | benchmark() | mysql_query() | addcslashes()
sleep()
Which of the following commands has to be disabled to prevent exploitation at the OS level? execute | xp_cmdshell | cat | ping
xp_cmdshell