
312-50v12 Exam - Question 38


Suppose that you test an application for the SQL injection vulnerability. You know that the backend database is based on Microsoft SQL Server. In the login/password form, you enter the following credentials:

Exam 312-50v12 Question 38

Based on the above credentials, which of the following SQL commands are you expecting to be executed by the server, if there is indeed an SQL injection vulnerability?

Correct Answer: D

In a SQL injection attack, the intention is to manipulate the query so that it bypasses the normal authentication checks. The provided input injects `attack' or 1=1 --` into the `UserName` field. The injected condition `1=1` is always true, and the `--` comments out the rest of the query. Therefore, the SQL command that would be executed by the server is `select * from Users where UserName = 'attack' or 1=1 --' and UserPassword = '123456'`. This effectively bypasses the password check. The correct answer is option D.
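How the form values end up inside the statement, as an added example that is not part of the exam material or the CEH text: Python with an in-memory SQLite database standing in for the SQL Server backend, showing the concatenated query beside a parameterized one. The table contents, function names and the `o'brien` account are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; in-memory SQLite stands in for SQL Server.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (UserName TEXT, UserPassword TEXT)")
    db.executemany("INSERT INTO Users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2"), ("o'brien", "pw")])
    return db

def build_concatenated(username, password):
    # Vulnerable pattern: form values are pasted between the quotes,
    # so a quote in the input ends the string literal early.
    return ("select * from Users where UserName = '" + username +
            "' and UserPassword = '" + password + "'")

def login_concatenated(db, username, password):
    return db.execute(build_concatenated(username, password)).fetchall()

def login_parameterized(db, username, password):
    # Hardened pattern: values are bound as data and never parsed as SQL.
    sql = "select * from Users where UserName = ? and UserPassword = ?"
    return db.execute(sql, (username, password)).fetchall()

if __name__ == "__main__":
    db = make_db()
    user, pwd = "attack' or 1=1 --", "123456"
    print(build_concatenated(user, pwd))              # the text of option D
    print(len(login_concatenated(db, user, pwd)))     # every row matches
    print(len(login_parameterized(db, user, pwd)))    # no row matches
    print(login_parameterized(db, "o'brien", "pw"))   # apostrophe is just data
    try:
        login_concatenated(db, "o'brien", "pw")
    except sqlite3.OperationalError as exc:
        print("concatenated query fails to parse:", exc)
```

The stray `'` after `--` in option D is the application's own closing quote, left behind inside the comment. The same concatenation that lets the comment marker through also breaks on a legitimate name containing an apostrophe.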

Discussion

19 comments
Stoa (Option: D)
Aug 13, 2023

Well, I confirm that it is D, with the following. The query is `select * from Users where UserName = 'varName' and UserPassword = 'varPassword'`. So if we substitute the given credentials, the result would be: `select * from Users where UserName = 'attack' or 1=1 --' and UserPassword = '123456'`. An important consideration is that it is not asking for any correction of the command or whether the command itself is correct; it is asking what is to be executed on the server.

MKesenheimer (Option: A)
Aug 28, 2023

Answer A. Look at the single quote.

eli117 (Option: B)
Apr 4, 2023

B. `select * from Users where UserName = 'attack' or 1=1 -- and UserPassword = '123456'` In an SQL injection attack, the attacker manipulates the input of an application in a way that results in the execution of unintended SQL commands. In this case, the attacker entered the username "attack' or 1=1 -" and the password "123456". The hyphen at the end of the username is used to comment out the rest of the SQL query that the application may append to the query.

sshksank (Option: D)
May 22, 2024

CEH BOOK V12 P.2205

jeremy13 (Option: D)
Apr 10, 2023

D. `select * from Users where UserName = 'attack' or 1=1 --' and UserPassword = '123456'`
CEH BOOK V12: P2204
`SELECT Count(*) FROM Users WHERE UserName='Blah' or 1=1 --' AND Password='Springfield'`
SQL Query Executed: `SELECT Count(*) FROM Users WHERE UserName='Blah' or 1=1`
Code after -- are now comments: `--' AND Password='Springfield'`

ShuvroD
Apr 12, 2023

I have my CEHv12 exam tomorrow. Can anyone please give me temporary contributor access?

zhack405
Jun 30, 2023

CEH BOOK V12 : P2204 SELECT Count(*) FROM Users WHERE UserName='Blah' or 1=1 --' AND Password='Springfield' ' ' --' ' '

Rijoe
Jul 9, 2023

A is the correct answer. Look closely: the username = attack' so the actual query will have 'attack' '.... The additional hyphen is for the username, then 2 hyphens for the query.

Vincent_Lu
Jun 12, 2023

D. `select * from Users where UserName = 'attack' or 1=1 --' and UserPassword = '123456'`

Nst6310
Jul 21, 2023

B. select * from Users where UserName = 'attack' or 1=1 -- and UserPassword = '123456' Option D is incorrect because the SQL injection payload is placed after the closing single quote for 'UserPassword', which would likely result in a syntax error. Option A is incorrect because the payload is missing the closing single quote after 'attack', which would likely result in a syntax error.

IPconfig (Option: D)
Oct 31, 2023

Understanding an SQL Injection Query Attacker Launching SQL Injection SELECT Count(*) FROM Users WHERE UserName='Blah' or 1=1 --' AND Password='Springfield' SELECT Count(*) FROM Users WHERE UserName='Blah' or 1=1 --' AND Password='Springfield' CEH V12 Page 2204

insaniunt (Option: D)
Dec 10, 2023

D. `select * from Users where UserName = 'attack' or 1=1 --' and UserPassword = '123456'` pay attention: `--'`

[Removed] (Option: D)
Dec 16, 2023

D. `select * from Users where UserName = 'attack' or 1=1 --' and UserPassword = '123456'`. The point of the question is not whether the select statement will provide anything useful, but to show that you understand how the strings/parameters are passed from the login/password form to the SQL query. This was a question for me when I took the exam on 13 Dec 2023.

Mann098 (Option: D)
Dec 29, 2024

select * from Users where UserName = 'attack' or 1=1 --' and UserPassword = '123456'

victorfs (Option: D)
May 14, 2023

The correct option is D. `select * from Users where UserName = 'attack' or 1=1 --' and UserPassword = '123456'`

predator67 (Option: D)
Jun 1, 2023

The correct option is D.

581777a (Option: D)
Aug 4, 2023

D. `select * from Users where UserName = 'attack' or 1=1 --' and UserPassword = '123456'`

kinok9438
Aug 8, 2023

D is the Correct

mattlai
Aug 14, 2023

https://owasp.org/www-community/attacks/SQL_Injection_Bypassing_WAF

barey
Feb 12, 2024

GPT 4.0 what you think in that way ? : Apologies for the confusion. In line with the credentials provided and typical SQL injection techniques, the correct SQL command that would be executed by the server, if there is indeed an SQL injection vulnerability, would indeed be: A. select * from Users where UserName = 'attack' or '1'='1' -- and UserPassword = '123456' In this scenario, the injection point is within the UserName parameter, and the rest of the SQL statement is commented out using the double dashes (--). This would cause the where condition to always be true, potentially allowing an attacker to bypass authentication mechanisms.

Miracleam
Oct 16, 2024

The answer is D. Please refer to CEH V12 Module 15