CompTIA PenTest+ (PT0-001) — Question 170
Joe, an attacker, intends to transfer funds discreetly from a victim's account to his own. Which of the following URLs can he use to accomplish this attack?
Answer options
- A. https://testbank.com/BankingApp/ACH.aspx?CustID=435345&accountType=F&action-ACHTransfer&senderID=654846&notify=False&creditaccount='OR 1=1 AND select username from testbank.custinfo where username like 'Joe'−&amount=200
- B. https://testbank.com/BankingApp/ACH.aspx?CustID=435345&accountType=F&action-ACHTransfer&senderID=654846&notify=False&creditaccount='OR 1=1 AND select username from testbank.custinfo where username like 'Joe' &amount=200
- C. https://testbank.com/BankingApp/ACH.aspx?CustID=435345&accountType=F&action-ACHTransfer&senderID=654846&notify=True&creditaccount='OR 1=1 AND select username from testbank.custinfo where username like 'Joe' −&amount=200
- D. https://testbank.com/BankingApp/ACH.aspx?CustID=435345&accountType=F&action-ACHTransfer&senderID=654846&notify=True&creditaccount='AND 1=1 AND select username from testbank.custinfo where username like 'Joe' −&amount=200
Correct answer: B
Explanation
Option B is correct because it includes a valid SQL injection that allows Joe to manipulate the database query to gain unauthorized access to funds. Options A and C do not work because of the incorrect usage of the 'notify' parameter, while option D fails due to the use of 'AND' instead of 'OR', which would not yield the desired results for the attack.