312-50V11 · Question #824
Suppose that you test an application for the SQL injection vulnerability. You know that the backend database is based on Microsoft SQL Server. In the login/password form, you enter the following crede
The correct answer is D. select * from Users where UserName = 'attack' or 1=1 --' and UserPassword = '123456'. In this SQL injection scenario, the injected apostrophe closes the string literal, the or 1=1 condition makes the WHERE clause always true, and the double-dash comment marker causes SQL Server to ignore the password check.
Question
Suppose that you test an application for the SQL injection vulnerability. You know that the backend database is based on Microsoft SQL Server. In the login/password form, you enter the following credentials:
Username: attack' or 1=1 -- Password: 123456 Based on the above credentials, which of the following SQL commands are you expecting to be executed by the server, if there is indeed an SQL injection vulnerability?
Options
- Aselect * from Users where UserName = 'attack'' or 1=1 -- and UserPassword = '123456'
- Bselect * from Users where UserName = 'attack' or 1=1 -- and UserPassword = '123456'
- Cselect * from Users where UserName = 'attack or 1=1 -- and UserPassword = '123456'
- Dselect * from Users where UserName = 'attack' or 1=1 --' and UserPassword = '123456'
How the community answered
(44 responses)- A5% (2)
- B7% (3)
- C18% (8)
- D70% (31)
Why each option
In this SQL injection scenario, the injected apostrophe closes the string literal, the or 1=1 condition makes the WHERE clause always true, and the double-dash comment marker causes SQL Server to ignore the password check.
Option A renders the username as 'attack'' with two consecutive apostrophes, which SQL Server interprets as an escaped literal quote rather than a string terminator, so no injection occurs.
Option B omits the closing apostrophe that must appear immediately after attack to terminate the string and begin the injected SQL expression.
Option C wraps the entire payload including or 1=1 inside the string literal as 'attack or 1=1 --, so it is treated as a plain text value rather than executable SQL logic.
The payload attack' or 1=1 -- causes the server to construct: select * from Users where UserName = 'attack' or 1=1 --' and UserPassword = '123456'. The apostrophe after attack closes the string, or 1=1 makes the condition always evaluate to true, and -- is SQL Server's inline comment syntax that discards the remainder of the query including the password verification, granting unauthorized access.
Concept tested: SQL injection query construction with comment-based bypass
Source: https://owasp.org/www-community/attacks/SQL_Injection
Topics
Community Discussion
No community discussion yet for this question.