nerdexam
EC-Council

312-50V10 · Question #824

Suppose that you test an application for the SQL injection vulnerability. You know that the backend database is based on Microsoft SQL Server. In the login/password form, you enter the following crede

The correct answer is D. select * from users where UserName"'attack'or 1=1 - and UserPassword "'123456'. The SQL injection payload uses a single quote to escape the string context, an always-true OR condition, and a comment sequence to neutralize the password check in the resulting query.

SQL Injection

Question

Suppose that you test an application for the SQL injection vulnerability. You know that the backend database is based on Microsoft SQL Server. In the login/password form, you enter the following credentials:

Username: attack' or 1? - Password: 123456 Based on the above credentials, which of the following SQL commands are you expecting to be executed by the server, if there is indeed an SQL injection vulnerability?

Options

  • Aselect * from Users where UserName ='attack or 1=1 -and UserPassword = '123456"
  • Bselect * from users wherefuserName = 'attack' or 1=1 --'and UserPassword = '123456'
  • Cselect * from Users where UserName ='attack" or 1=1 -and UserPassword = '123456'
  • Dselect * from users where UserName"'attack'or 1=1 - and UserPassword "'123456'

How the community answered

(28 responses)
  • A
    4% (1)
  • B
    7% (2)
  • C
    18% (5)
  • D
    71% (20)

Why each option

The SQL injection payload uses a single quote to escape the string context, an always-true OR condition, and a comment sequence to neutralize the password check in the resulting query.

Aselect * from Users where UserName ='attack or 1=1 -and UserPassword = '123456"

This choice omits the closing single quote after 'attack' and uses only a single dash, which is not a valid inline comment delimiter in Microsoft SQL Server, so the password check would not be suppressed.

Bselect * from users wherefuserName = 'attack' or 1=1 --'and UserPassword = '123456'

Although this choice includes the correct `--` comment syntax, it contains a syntax error in the FROM clause ('wherefuserName') that would cause query execution to fail rather than return results.

Cselect * from Users where UserName ='attack" or 1=1 -and UserPassword = '123456'

This choice incorrectly uses a double quote to close the username string, which does not match the standard single-quote string literal syntax expected by Microsoft SQL Server.

Dselect * from users where UserName"'attack'or 1=1 - and UserPassword "'123456'Correct

When the username `attack' or 1=1 --` is submitted, the injected single quote closes the intended string literal and the `or 1=1` condition makes the WHERE clause always evaluate to true regardless of the actual username value. The double-dash `--` comment delimiter in Microsoft SQL Server causes the remainder of the query, including the password verification clause, to be ignored entirely. This allows authentication bypass without supplying valid credentials.

Concept tested: SQL injection authentication bypass using comment delimiter

Source: https://owasp.org/www-community/attacks/SQL_Injection

Topics

#SQL injection#comment syntax#authentication bypass#MSSQL

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice