nerdexam
EC-Council

312-50V10 · Question #715

Elliot is in the process of exploiting a web application that uses SQL as a back-end database. He is determined that the application is vulnerable to SQL injection and has introduced conditional timin

The correct answer is B. Blind SQL injection. Elliot is using time-based blind SQL injection, where no visible output is returned and success is inferred through deliberate query delays.

SQL Injection

Question

Elliot is in the process of exploiting a web application that uses SQL as a back-end database. He is determined that the application is vulnerable to SQL injection and has introduced conditional timing delays into injected queries to determine whether they are successful. What type of SQL injection is Elliot most likely performing?

Options

  • ANoSQL injection
  • BBlind SQL injection
  • CUnion-based SQL injection
  • DError-based SQL injection

How the community answered

(29 responses)
  • A
    3% (1)
  • B
    83% (24)
  • C
    10% (3)
  • D
    3% (1)

Why each option

Elliot is using time-based blind SQL injection, where no visible output is returned and success is inferred through deliberate query delays.

ANoSQL injection

NoSQL injection targets non-relational databases like MongoDB, but the question explicitly states a SQL back-end database is in use.

BBlind SQL injectionCorrect

Blind SQL injection occurs when the application does not return query results or error messages directly to the attacker. Time-based blind SQL injection specifically uses functions like SLEEP() or WAITFOR DELAY to introduce conditional pauses, allowing the attacker to infer true/false conditions based on response timing rather than visible output.

CUnion-based SQL injection

Union-based SQL injection uses the UNION operator to append a second SELECT query and return data directly in the response, which requires visible output - not timing delays.

DError-based SQL injection

Error-based SQL injection relies on the application returning database error messages that expose data, which also requires visible output from the application.

Concept tested: Time-based blind SQL injection technique

Source: https://owasp.org/www-community/attacks/Blind_SQL_Injection

Topics

#blind SQL injection#time-based injection#SQL injection types#conditional delays

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice