CEH v13 Domain 5.3 Practice Test 004

This practice test covers Domain 5 (Web Application Hacking) Subdomain 3 (SQL Injection) from the CEH v13 (312-50v13) exam blueprint (v5).

These questions are inspired by the EC-Council CEH exam and are designed to help you test your knowledge of ethical hacking tools, techniques, and methodologies. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CEH exam.

Note: CEH and Certified Ethical Hacker are registered trademarks of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CEH practice tests based on specific domains and subdomains, click that link

CEH v13 Domain 5.3 Practice Test 004

10 questions • 8 single-answer, 2 multi-select

Question 1

Clark targets a login page and submits ' OR '1'='1 into the username field to slip past the authentication check. The application concatenates his input directly into the backend query and grants a session without valid credentials. Which attack technique is Clark performing?

A. Command Injection B. Cross-Site Scripting C. LDAP Injection D. SQL Injection

Question 2

A penetration tester sends a request and observes the page load normally with AND 1=1 but return an error with AND 1=2. No data is ever echoed back, so she infers results purely from the application's true-or-false responses. Which SQL injection type is she using?

A. UNION-based SQLi B. Out-of-band SQLi C. Error-based SQLi D. Boolean-based Blind SQLi

Question 3

Kevin notices no errors or content differences when probing a parameter, so he injects a payload forcing the database to pause before responding. By measuring whether the response is delayed, he confirms the condition is true. Which technique is Kevin relying on?

A. Stacked Queries B. Boolean-based Blind SQLi C. Second-order SQLi D. Time-based Blind SQLi

Question 4

An analyst wants to merge results from another table into the visible output of a vulnerable product listing page. She crafts a payload that appends a second SELECT statement with matching column counts to the original query. Which SQL injection technique is she applying?

A. Error-based SQLi B. Time-based Blind SQLi C. UNION-based SQLi D. Inband piggybacking

Question 5

Select all that apply

Jane discovers a comment form whose input is stored in the database without sanitization. Days later an administrator opens a reporting page that reuses that saved value inside a query, executing her injected code. Which type of SQL injection has Jane achieved? (Choose two)

A. Error-based SQLi B. Second-order SQLi C. Stored SQLi D. UNION-based SQLi E. In-band SQLi

Question 6

Elijah profiles a web app and must determine which database engine sits behind it before tailoring payloads. He notes that concatenation uses || in one system, + in another, and CONCAT() elsewhere, along with distinct error formats. Which activity is Elijah performing?

A. Privilege escalation B. Banner grabbing C. Database fingerprinting D. WAF detection

Question 7

A security team reviews a breach where the attacker appended a semicolon and a second statement to drop a table after the original query. The database driver allowed multiple statements in one call. Which SQL injection technique enabled this destructive action?

A. Boolean-based Blind SQLi B. UNION-based SQLi C. Stacked Queries D. Tautology attack

Question 8

Select all that apply

Clark faces a filter that strips the keyword SELECT from inputs, so he mixes letter casing and inserts inline comments between characters to slip it through. The mangled payload still parses correctly at the database. Which evasion approaches is Clark using? (Select all that apply)

A. Hex/char encoding B. Time delay injection C. Privilege escalation D. Case variation E. Inline comment insertion

Question 9

An enterprise pentester confirms an injection point but the server returns no output and blocks timing payloads, so he forces the database to issue a DNS lookup to a server he controls. The received hostname carries the extracted data. Which SQL injection type is this?

A. Boolean-based Blind SQLi B. Error-based SQLi C. Out-of-band SQLi D. UNION-based SQLi

Question 10

After confirming an injection flaw, an analyst automates extraction by pointing a popular tool at the vulnerable URL to enumerate databases, tables, and dump credentials. The tool also fingerprints the backend and tests tamper scripts automatically. Which tool is the analyst most likely using?

A. sqlmap B. Aircrack-ng C. John the Ripper D. Wireshark

Related Posts

Leave a Comment Cancel Reply