nerdexam
GIAC

GCIH · Question #622

An attacker is launching an attack against an input field in a form that is used to retrieve restricted information that is filtered dependent upon the privileges of the logged in user. This attacker

The correct answer is D. This forces an INSERT condition and will dump all rows in the table to the users screen. The payload ' or 1=1;-- is a classic SQL injection string that manipulates a WHERE clause to always evaluate as true, bypassing privilege-based filters and returning all rows in the table.

Web Application Attacks & Post-Exploitation

Question

An attacker is launching an attack against an input field in a form that is used to retrieve restricted information that is filtered dependent upon the privileges of the logged in user. This attacker inserts "' or 1=1;--" into this field. What is most likely the attacker's desired result from this insertion?

Options

  • AThis forces a bypass on the back-end authentication mechanism, allowing total access to the
  • BThis forces a TRUE condition and may cause the SQL server to return all of the information in the
  • CThis forces a UNION condition and may cause the SQL server to return a list of all columns in the
  • DThis forces an INSERT condition and will dump all rows in the table to the users screen

How the community answered

(45 responses)
  • A
    13% (6)
  • B
    4% (2)
  • C
    9% (4)
  • D
    73% (33)

Why each option

The payload ' or 1=1;-- is a classic SQL injection string that manipulates a WHERE clause to always evaluate as true, bypassing privilege-based filters and returning all rows in the table.

AThis forces a bypass on the back-end authentication mechanism, allowing total access to the

Authentication bypass via SQL injection targets a login form where credentials are validated, not a data-retrieval field that filters results by privilege level.

BThis forces a TRUE condition and may cause the SQL server to return all of the information in the

While 'or 1=1' does create a true condition, choice B is considered incomplete because it only references the mechanism and not the full attacker goal of extracting all restricted rows regardless of the logged-in user's privilege.

CThis forces a UNION condition and may cause the SQL server to return a list of all columns in the

A UNION-based injection requires the UNION keyword in the payload to append a second SELECT statement; the string ' or 1=1;-- contains no UNION clause.

DThis forces an INSERT condition and will dump all rows in the table to the users screenCorrect

The single quote closes the existing string literal in the SQL query, and 'or 1=1' appends an always-true condition that overrides the privilege filter logic. The double-hyphen (--) comments out the remainder of the original query, preventing syntax errors. The combined effect causes the database to ignore user privilege constraints and return every row in the table to the attacker.

Concept tested: SQL injection TRUE condition privilege bypass

Source: https://owasp.org/www-community/attacks/SQL_Injection

Topics

#SQL injection#boolean condition#database enumeration#input validation bypass

Community Discussion

No community discussion yet for this question.

Full GCIH Practice