nerdexam

PT0-002 Question #287: Real Exam Question with Answer & Explanation

The correct answer is A: SQL injection.

Attacks and Exploits

Question

A penetration tester analyzed a web-application log file and discovered an input that was sent to the company's web application. The input contains a string that says "WAITFOR." Which of the following attacks is being attempted?

Options

  • A. SQL injection
  • B. HTML injection
  • C. Remote command injection
  • D. DLL injection

Explanation

WAITFOR DELAY is a Transact-SQL statement (Microsoft SQL Server) that pauses query execution for a given interval. It has no meaning in HTML, in an operating-system shell, or in Windows DLL loading, so its appearance in user-supplied input points to a time-based blind SQL injection attempt. In this technique the attacker cannot see query results or database error messages directly, so each injected query is built to answer a true-or-false question through timing. For example, against a web application backed by SQL Server an attacker might submit an input such as 1; IF (condition) WAITFOR DELAY '0:0:5'-- in a vulnerable parameter. If the condition is true, the database pauses for five seconds before the application responds; if it is false, the response comes back immediately. By repeating this with different conditions and measuring response times, the attacker infers the database structure and extracts data one bit or one character at a time. Other database engines offer equivalent delay primitives (MySQL SLEEP(), PostgreSQL pg_sleep()), so any sleep or delay function appearing in a request parameter deserves the same scrutiny. The correct answer is therefore A, SQL injection: the attacker is exploiting insufficient input handling in the web application to execute SQL statements of their choosing on the database server.
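The question describes a tester finding "WAITFOR" in a web-application log. The following Python script is an added example written for this page (it is not code from nerdexam or CompTIA) showing how that kind of review can be done systematically: it parses combined-format access log lines, URL-decodes the request target (repeatedly, so double-encoded payloads are not missed), and matches the delay primitives of several database engines rather than only SQL Server's WAITFOR DELAY. The log lines, IP addresses and paths are constructed for the example; the signature list and the combined log format are assumptions about what the target environment logs.

```python
"""Flag time-based (blind) SQL injection probes in web-server access logs."""
import re
import urllib.parse

# Constructed sample log lines in combined log format. These are made up for
# this example and do not come from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:13:04:11 +0000] "GET /product?id=42 HTTP/1.1" 200 5120
203.0.113.7 - - [10/May/2024:13:04:19 +0000] "GET /product?id=42%27%3B%20WAITFOR%20DELAY%20%270%3A0%3A5%27-- HTTP/1.1" 200 5120
203.0.113.7 - - [10/May/2024:13:04:31 +0000] "GET /product?id=42%27%20AND%20IF(1%3D1%2CSLEEP(5)%2C0)-- HTTP/1.1" 200 5120
198.51.100.9 - - [10/May/2024:13:05:02 +0000] "GET /search?q=waitfor%20the%20bus HTTP/1.1" 200 2048
203.0.113.7 - - [10/May/2024:13:05:14 +0000] "GET /product?id=42%27%3B%20SELECT%20pg_sleep(3)-- HTTP/1.1" 200 5120
203.0.113.7 - - [10/May/2024:13:05:27 +0000] "GET /product?id=42%2527%253B%2520WAITFOR%2520DELAY%2520%25270%253A0%253A10%2527-- HTTP/1.1" 200 5120
203.0.113.7 - - [10/May/2024:13:05:40 +0000] "POST /login HTTP/1.1" 302 0
"""

# Delay primitives per DBMS (assumed signature list). Each pattern requires the
# full keyword/function form, so the bare word "waitfor" in ordinary text is not
# flagged. Oracle and PostgreSQL come before MySQL so that ".SLEEP(" inside
# DBMS_LOCK.SLEEP is not misattributed to MySQL.
SIGNATURES = [
    ("mssql", "WAITFOR DELAY", re.compile(r"\bWAITFOR\s+DELAY\s+'(\d{1,2}:\d{1,2}:\d{1,2})'", re.I)),
    ("postgresql", "pg_sleep", re.compile(r"\bPG_SLEEP\s*\(\s*(\d+(?:\.\d+)?)\s*\)", re.I)),
    ("oracle", "DBMS_LOCK.SLEEP", re.compile(r"\bDBMS_LOCK\.SLEEP\s*\(\s*(\d+(?:\.\d+)?)\s*\)", re.I)),
    ("mysql", "SLEEP", re.compile(r"\bSLEEP\s*\(\s*(\d+(?:\.\d+)?)\s*\)", re.I)),
    ("mysql", "BENCHMARK", re.compile(r"\bBENCHMARK\s*\(\s*(\d+)", re.I)),
]

# Combined log format: client IP, ident, user, [timestamp], "METHOD target proto"
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')


def fully_decode(value, rounds=3):
    """URL-decode until the string stops changing so double-encoding is undone."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def delay_seconds(primitive, argument):
    """Normalise the captured delay argument to seconds where one exists."""
    if primitive == "WAITFOR DELAY":            # T-SQL hh:mm:ss form
        hours, minutes, seconds = (int(x) for x in argument.split(":"))
        return float(hours * 3600 + minutes * 60 + seconds)
    if primitive == "BENCHMARK":                # iteration count, not a fixed delay
        return None
    return float(argument)


def analyze_line(line):
    """Return a finding for a time-based SQLi probe, or None for a clean line."""
    match = REQUEST_RE.match(line)
    if not match:
        return None
    ip, timestamp, method, target = match.groups()
    decoded = fully_decode(target)
    for dbms, primitive, pattern in SIGNATURES:
        hit = pattern.search(decoded)
        if hit:
            return {
                "ip": ip, "timestamp": timestamp, "method": method,
                "path": decoded.split("?", 1)[0],
                "dbms": dbms, "primitive": primitive,
                "delay_seconds": delay_seconds(primitive, hit.group(1)),
                "payload": decoded,
            }
    return None


def analyze_log(text):
    """Run analyze_line over every line and keep the findings, in log order."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(f"{finding['timestamp']} {finding['ip']} {finding['dbms']} "
              f"{finding['primitive']} delay={finding['delay_seconds']}s "
              f"path={finding['path']}")
```

Run against the constructed log, the script reports four probes from 203.0.113.7 (two WAITFOR DELAY, one SLEEP, one pg_sleep) and ignores the benign search for "waitfor the bus" as well as the un-decoded POST. The delay value is worth keeping in the finding: a consistent 5 or 10 second pause in the same client's request timings corroborates that the injection actually reached the database.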

Topics

#SQL injection, #Web application security, #Payload analysis, #Time-based SQLi
