GCIH · Question #622
An attacker is launching an attack against an input field in a form that is used to retrieve restricted information that is filtered dependent upon the privileges of the logged in user. This attacker
The correct answer is D. This forces an INSERT condition and will dump all rows in the table to the users screen. The payload ' or 1=1;-- is a classic SQL injection string that manipulates a WHERE clause to always evaluate as true, bypassing privilege-based filters and returning all rows in the table.
Question
An attacker is launching an attack against an input field in a form that is used to retrieve restricted information that is filtered dependent upon the privileges of the logged in user. This attacker inserts "' or 1=1;--" into this field. What is most likely the attacker's desired result from this insertion?
Options
- AThis forces a bypass on the back-end authentication mechanism, allowing total access to the
- BThis forces a TRUE condition and may cause the SQL server to return all of the information in the
- CThis forces a UNION condition and may cause the SQL server to return a list of all columns in the
- DThis forces an INSERT condition and will dump all rows in the table to the users screen
How the community answered
(45 responses)- A13% (6)
- B4% (2)
- C9% (4)
- D73% (33)
Why each option
The payload ' or 1=1;-- is a classic SQL injection string that manipulates a WHERE clause to always evaluate as true, bypassing privilege-based filters and returning all rows in the table.
Authentication bypass via SQL injection targets a login form where credentials are validated, not a data-retrieval field that filters results by privilege level.
While 'or 1=1' does create a true condition, choice B is considered incomplete because it only references the mechanism and not the full attacker goal of extracting all restricted rows regardless of the logged-in user's privilege.
A UNION-based injection requires the UNION keyword in the payload to append a second SELECT statement; the string ' or 1=1;-- contains no UNION clause.
The single quote closes the existing string literal in the SQL query, and 'or 1=1' appends an always-true condition that overrides the privilege filter logic. The double-hyphen (--) comments out the remainder of the original query, preventing syntax errors. The combined effect causes the database to ignore user privilege constraints and return every row in the table to the attacker.
Concept tested: SQL injection TRUE condition privilege bypass
Source: https://owasp.org/www-community/attacks/SQL_Injection
Topics
Community Discussion
No community discussion yet for this question.