312-50V10 · Question #824
Suppose that you test an application for the SQL injection vulnerability. You know that the backend database is based on Microsoft SQL Server. In the login/password form, you enter the following crede
The correct answer is D. select * from users where UserName"'attack'or 1=1 - and UserPassword "'123456'. The SQL injection payload uses a single quote to escape the string context, an always-true OR condition, and a comment sequence to neutralize the password check in the resulting query.
Question
Suppose that you test an application for the SQL injection vulnerability. You know that the backend database is based on Microsoft SQL Server. In the login/password form, you enter the following credentials:
Username: attack' or 1? - Password: 123456 Based on the above credentials, which of the following SQL commands are you expecting to be executed by the server, if there is indeed an SQL injection vulnerability?
Options
- Aselect * from Users where UserName ='attack or 1=1 -and UserPassword = '123456"
- Bselect * from users wherefuserName = 'attack' or 1=1 --'and UserPassword = '123456'
- Cselect * from Users where UserName ='attack" or 1=1 -and UserPassword = '123456'
- Dselect * from users where UserName"'attack'or 1=1 - and UserPassword "'123456'
How the community answered
(28 responses)- A4% (1)
- B7% (2)
- C18% (5)
- D71% (20)
Why each option
The SQL injection payload uses a single quote to escape the string context, an always-true OR condition, and a comment sequence to neutralize the password check in the resulting query.
This choice omits the closing single quote after 'attack' and uses only a single dash, which is not a valid inline comment delimiter in Microsoft SQL Server, so the password check would not be suppressed.
Although this choice includes the correct `--` comment syntax, it contains a syntax error in the FROM clause ('wherefuserName') that would cause query execution to fail rather than return results.
This choice incorrectly uses a double quote to close the username string, which does not match the standard single-quote string literal syntax expected by Microsoft SQL Server.
When the username `attack' or 1=1 --` is submitted, the injected single quote closes the intended string literal and the `or 1=1` condition makes the WHERE clause always evaluate to true regardless of the actual username value. The double-dash `--` comment delimiter in Microsoft SQL Server causes the remainder of the query, including the password verification clause, to be ignored entirely. This allows authentication bypass without supplying valid credentials.
Concept tested: SQL injection authentication bypass using comment delimiter
Source: https://owasp.org/www-community/attacks/SQL_Injection
Topics
Community Discussion
No community discussion yet for this question.