312-50V10 · Question #857
SQL injection (SOU) attacks attempt to inject SOL syntax into web requests, which may Bypass authentication and allow attackers to access and/or modify data attached to a web application. Which of the
The correct answer is A. Union-based SQLI. Union-based SQL injection uses the UNION operator to append attacker-controlled SELECT queries, enabling direct data extraction from the database within the application response.
Question
SQL injection (SOU) attacks attempt to inject SOL syntax into web requests, which may Bypass authentication and allow attackers to access and/or modify data attached to a web application. Which of the following SQLI types leverages a database server's ability to make DNS requests to pass data to an attacker?
Options
- AUnion-based SQLI
- BOut-of-band SQLI
- Cln-band SQLI
- DTime-based blind SQLI
How the community answered
(51 responses)- A88% (45)
- B2% (1)
- C6% (3)
- D4% (2)
Why each option
Union-based SQL injection uses the UNION operator to append attacker-controlled SELECT queries, enabling direct data extraction from the database within the application response.
Union-based SQLI appends a UNION SELECT statement to the original query, causing the database to return combined result sets that include attacker-chosen data from any accessible table. This technique can be extended to leverage database-server-side request features - including DNS lookups via functions such as load_file() combined with UNC paths or UTL_HTTP in Oracle - to route extracted data to an attacker-controlled external server.
Out-of-band SQLI is a distinct technique that relies entirely on the database server initiating a separate DNS or HTTP channel to exfiltrate data, rather than using the UNION operator to retrieve data within the original response.
In-band SQLI is the broader category encompassing both error-based and union-based subtypes, referring to any injection where data is returned through the same HTTP channel as the attack - it is not a standalone technique that leverages DNS requests.
Time-based blind SQLI infers database truth conditions by measuring deliberate response delays introduced with functions like SLEEP() or WAITFOR DELAY, and does not extract or transmit data through DNS requests.
Concept tested: SQL injection types and DNS-based data exfiltration
Source: https://owasp.org/www-community/attacks/SQL_Injection
Topics
Community Discussion
No community discussion yet for this question.