CEH v13 Domain 5.3 Practice Test 003

This practice test covers Domain 5 (Web Application Hacking) Subdomain 3 (SQL Injection) from the CEH v13 (312-50v13) exam blueprint (v5).

These questions are inspired by the EC-Council CEH exam and are designed to help you test your knowledge of ethical hacking tools, techniques, and methodologies. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CEH exam.

Note: CEH and Certified Ethical Hacker are registered trademarks of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CEH practice tests based on specific domains and subdomains, click that link

CEH v13 Domain 5.3 Practice Test 003

10 questions • 8 single-answer, 2 multi-select

Question 1

Kevin, a malicious attacker targeting a government contractor's web portal, submits a single quote character (') into the username field of the login form and receives a verbose MySQL error message exposing the backend table structure. Kevin notes that the application is returning database errors directly to the browser, revealing internal query logic. This behavior indicates the application is vulnerable to a specific SQL injection classification.

A. Boolean-based blind SQLi B. Error-based SQLi C. Time-based blind SQLi D. UNION-based SQLi

Question 2

Jane, a security analyst testing a healthcare web application, submits the payload ' AND 1=1-- into a search field and observes a full result set, then submits ' AND 1=2-- and receives an empty response with no database errors. The application reflects no data differences beyond content presence or absence, yet clearly responds differently to true versus false conditional payloads. Jane concludes that the application is vulnerable to a specific inferential SQL injection technique.

A. Error-based SQLi B. UNION-based SQLi C. Boolean-based blind SQLi D. Out-of-band SQLi

Question 3

Elijah, a penetration tester conducting a black-box assessment of an e-commerce platform, systematically injects ORDER BY 1--, ORDER BY 2--, and ORDER BY 3-- into a search parameter, triggering an application error only on the third iteration. Using this column count, Elijah then constructs a UNION SELECT NULL,NULL-- payload to begin extracting database contents from the backend. This methodology represents a foundational step in a specific SQL injection attack chain.

A. Column count enumeration via ORDER BY B. NULL injection fingerprinting C. GROUP BY clause enumeration D. Stacked query execution

Question 4

A penetration tester is evaluating a web application that returns no errors and reflects no output in HTTP responses, rendering standard in-band injection techniques ineffective. The tester crafts a payload using xp_cmdshell to force the MSSQL database server to issue a DNS lookup to an attacker-controlled server, with encoded database contents embedded in the queried hostname. The attacker's DNS server logs confirm successful data exfiltration through this covert external channel.

A. Inferential blind SQLi B. Time-based blind SQLi C. Out-of-band SQLi D. Error-based SQLi

Question 5

Clark, a red team member, confirms a SQL injection vulnerability in a query parameter of a target web application and wants to automate full database schema extraction and data dumping. He selects a command-line open-source tool that supports all five injection techniques — boolean-based, time-based, error-based, UNION-based, and stacked queries — while automatically fingerprinting the backend DBMS version and type. The tool generates detailed logs of every tested payload and successful injection string.

A. Burp Suite Intruder B. sqlmap C. Havij D. BBQSQL

Question 6

Select all that apply

A development team is performing a post-penetration-test remediation review after SQL injection vulnerabilities were discovered throughout their web application's data access layer. The team wants to implement the most effective developer-side countermeasures that eliminate SQL injection at the code level rather than relying on perimeter controls. Which two countermeasures should the development team prioritize? (Choose two)

A. Parameterized queries / Prepared statements B. HTML output encoding C. Stored procedures using concatenated dynamic SQL D. Web Application Firewall deployment E. Server-side allowlist input validation

Question 7

Jane, a security tester evaluating a cloud-hosted SaaS application, submits the payload ' OR SLEEP(5)-- into a product search field and observes that the HTTP response takes exactly five seconds longer than baseline requests. The application returns no error messages and no visible content differences between injected and normal responses — the only observable indicator is the response delay. Jane classifies this vulnerability as a specific SQL injection technique.

A. Boolean-based blind SQLi B. Error-based SQLi C. Time-based blind SQLi D. Second-order SQLi

Question 8

During a penetration test on a social networking platform, an ethical hacker registers an account with the username admin'-- and observes that the registration endpoint sanitizes the input and stores it in the database without error. However, when the stored username is later retrieved and inserted into a password reset SQL query without re-sanitization, the payload terminates the intended query and resets the administrator account's password. This exploit demonstrates a specific and often overlooked SQL injection variant.

A. First-order SQLi B. UNION-based SQLi C. Second-order (Stored) SQLi D. Blind inferential SQLi

Question 9

Select all that apply

Elijah, a red team operator, has confirmed a SQL injection vulnerability on a web application protected by a WAF that blocks HTTP requests containing the keywords SELECT and UNION in any character case. He needs to craft obfuscated injection payloads that bypass the WAF's signature-based detection engine while remaining interpretable by the backend database parser. Which two WAF evasion techniques should Elijah apply to his SQL injection payloads? (Choose two)

A. URL encoding SQL keywords (e.g., %53%45%4C%45%43%54) B. Switching from POST to GET method C. Inline SQL comment insertion (e.g., SEL/**/ECT) D. Using HTTPS instead of HTTP E. Increasing TCP connection timeout values

Question 10

A security engineer reviewing web application access logs notices database queries containing stacked SQL statements and WAITFOR DELAY commands being generated from user-supplied HTTP parameters, indicating an active automated SQL injection campaign. The engineer suspects an open-source tool was used that supports all five injection techniques including stacked queries, automatically fingerprints DBMS type and version, and is the most widely deployed SQLi automation tool in professional penetration testing. The engineer needs to identify the specific tool responsible for generating these characteristic payloads.

A. SQLNinja B. Havij C. BBQSQL D. sqlmap

Related Posts

Leave a Comment Cancel Reply