Certified Ethical Hacker (CEH v12) — Question 178
During an attempt to perform an SQL injection attack, a certified ethical hacker is focusing on identifying the database engine type by generating an ODBC error. After injecting various payloads, the ethical hacker finds that the web application returns a standard, generic error message that does not reveal any detailed database information. Which of the following techniques would the hacker consider next to obtain useful information about the underlying database?
Answer options
- A. Utilize a blind injection technique that uses time delays or error signatures to extract information
- B. Try to insert a string value where a number is expected in the input field
- C. Attempt to compromise the system through OS-level command shell execution
- D. Use the UNION operator to combine the result sets of two or more SELECT statements
Correct answer: A
Explanation
The correct answer is A because blind injection techniques, such as those utilizing time delays, can help extract information without relying on visible error messages. Options B and C are less effective as they do not specifically target the information extraction needed after a generic error. Option D, while useful in some contexts, may not be applicable when the database type is still unknown.