Certified Ethical Hacker (CEH v13) — Question 252

During an attempt to perform an SQL injection attack, a certified ethical hacker is focusing on the identification of database engine type by generating an ODBC error. The ethical hacker, after injecting various payloads, finds that the web application returns a standard, generic error message that does not reveal any detailed database information. Which of the following techniques would the hacker consider next to obtain useful information about the underlying database?

Answer options

• A. Utilize a blind injection technique that uses time delays or error signatures to extract information
• B. Try to insert a string value where a number is expected in the input field
• C. Attempt to compromise the system through OS-level command shell execution
• D. Use the UNION operator to combine the result sets of two or more SELECT statements

Correct answer: A

Explanation

The correct answer is A because employing a blind injection technique allows the hacker to infer information about the database through timing or error responses, even when detailed error messages are not available. Option B is not effective since inserting a string where a number is expected may not yield useful database information. Option C involves a different attack vector that is not focused on SQL injection. Option D could be ineffective if the database engine does not support or respond to UNION operations, especially given the lack of detailed error feedback.