CEH v13 Domain 5.3 Practice Test 002

Question 1

Elijah is conducting a security assessment of a customer-facing web portal and notices that submitting a crafted query string with a single quote returns a generic error page rather than a database error message, indicating the application may still be vulnerable but does not reveal backend details. He crafts requests using payloads such as '1 AND 1=1' and '1 AND 1=2', observing that the first returns normal application output while the second returns a blank or altered page. Which type of SQL injection technique is Elijah using?

A. Boolean-Based Blind SQLi B. Union-Based SQLi C. Error-Based SQLi D. Out-of-Band SQLi

Question 2

A penetration tester is assessing a product search feature on an e-commerce application and determines that user input is passed directly into a backend SQL query without sanitization. She injects the payload ' UNION SELECT null, username, password FROM users-- into the search field and retrieves credential data displayed directly on the results page. Which type of SQL injection did the tester perform?

A. Boolean-Based Blind SQLi B. Union-Based SQLi C. Time-Based Blind SQLi D. Stacked Query Injection

Question 3

Select all that apply

A red team analyst is attempting SQL injection against a web application protected by a WAF that blocks common injection strings including SELECT, UNION, and double-dash comments. She needs to bypass WAF signature matching without triggering alerts to retrieve sensitive data from the backend database. Which two techniques would most effectively help evade WAF detection? (Choose two)

A. Case Variation (SeLeCt, UnIoN) B. Parameterized Queries C. Inline Comments (UN/**/ION SE/**/LECT) D. Stored Procedures E. Input Length Validation

Question 4

Jane is testing a login portal that returns an identical generic error page regardless of whether her injected payload produces a true or false result, leaving her unable to infer data from response content differences. She injects the payload '; IF (1=1) WAITFOR DELAY '0:0:5'-- into the username field and observes a consistent five-second delay before the server responds. Which SQL injection technique is Jane applying?

A. Error-Based SQLi B. Boolean-Based Blind SQLi C. Time-Based Blind SQLi D. Out-of-Band SQLi

Question 5

A penetration tester is tasked with identifying SQL injection vulnerabilities across a large web application with dozens of parameterized URLs and needs to automate both detection and exploitation to maximize test coverage. He supplies a list of target URLs to a command-line tool that automatically tests each parameter with multiple injection payloads, fingerprints the database type, and can dump table contents, enumerate users, and attempt privilege escalation. Which tool is the penetration tester most likely using?

A. Burp Suite B. SQLMap C. Havij D. Nikto

Question 6

Kevin is performing a web application assessment and discovers that entering a single quote in the product ID parameter of an e-commerce site returns a verbose database error message that reveals the table name, column names, and the partial SQL query being executed. He uses this leaked information to craft additional payloads that force the database to return sensitive data embedded within further error messages. Which SQL injection type is Kevin exploiting?

A. Time-Based Blind SQLi B. Boolean-Based Blind SQLi C. Error-Based SQLi D. Second-Order SQLi

Question 7

Select all that apply

A security architect at a financial services firm is reviewing web application development standards after a SQL injection vulnerability was found in a customer portal during a third-party penetration test. She must recommend the two most effective developer-implemented technical controls to eliminate SQL injection vulnerabilities at the code level. Which two countermeasures would most effectively prevent SQL injection attacks? (Choose two)

A. Input Validation and Whitelisting B. Parameterized Queries / Prepared Statements C. SSL/TLS Encryption D. Rate Limiting E. Load Balancing

Question 8

A penetration tester is assessing a cloud-hosted enterprise application and determines that the backend database server has the ability to make outbound DNS and HTTP connections, but the application returns identical responses for all injected payloads and response timing is consistent regardless of conditions. She injects a payload that instructs the database to perform an outbound DNS lookup to an attacker-controlled domain with query results encoded in the subdomain label. Which SQL injection technique is the tester using?

A. Boolean-Based Blind SQLi B. Time-Based Blind SQLi C. Union-Based SQLi D. Out-of-Band SQLi

Question 9

A security analyst discovers that a web application properly sanitizes and escapes all user input fields at the time of data entry, so no SQL injection succeeds during initial testing. However, when the analyst registers an account with the username ' OR '1'='1 and the application later uses that stored username in an unsanitized SQL query during a password reset operation, the payload executes and returns all user records. Which SQL injection variant describes this attack?

A. Stored / Second-Order SQLi B. Union-Based SQLi C. Time-Based Blind SQLi D. Inline Comment Injection

Question 10

An enterprise security team is analyzing web server access logs after a data breach and identifies that the attacker used a GUI-based automated SQL injection tool known for its point-and-click interface, automatic database type fingerprinting, and ability to extract tables and user credentials with minimal manual effort. The tool was fingerprinted in the logs by its unique default User-Agent string that differs distinctly from browsers and other security tools. Which tool was most likely used by the attacker?

A. SQLMap B. Havij C. Metasploit D. BBQSQL

ByThe Test Master

Related Post

CEH v13 Domain 7.1 Practice Test 002

CEH v13 Domain 6.1 Practice Test 002

CEH v13 Domain 5.2 Practice Test 002