Certified Ethical Hacker (CEH v13) — Question 76
As a cybersecurity professional, you are responsible for securing a high-traffic web application that uses MySQL as its backend database. Recently, there has been a surge of unauthorized login attempts, and you suspect that a seasoned black-hat hacker is behind them. This hacker has shown proficiency in SQL Injection and appears to be using the 'UNION' SQL keyword to trick the login process into returning additional data. However, your application’s security measures include filtering special characters in user inputs, a method usually effective against such attacks. In this challenging environment, if the hacker still intends to exploit this SQL Injection vulnerability, which strategy is he most likely to employ?
Answer options
- A. The hacker tries to manipulate the 'UNION' keyword in such a way that it triggers a database error, potentially revealing valuable information about the database's structure.
- B. The hacker switches tactics and resorts to a 'time-based blind' SQL Injection attack, which would force the application to delay its response, thereby revealing information based on the duration of the delay.
- C. The hacker attempts to bypass the special character filter by encoding his malicious input, which could potentially enable him to successfully inject damaging SQL queries.
- D. The hacker alters his approach and injects a DROP TABLE' statement, a move that could potentially lead to the loss of vital data stored in the application's database.
Correct answer: C
Explanation
The correct answer is C because encoding malicious input can help the hacker bypass filters designed to block special characters, allowing the injection of harmful SQL commands. Option A is incorrect as causing a database error does not guarantee successful exploitation. Option B, while a valid SQL Injection technique, does not directly relate to the use of the 'UNION' keyword. Option D involves data destruction rather than information retrieval, which is not aligned with the hacker's current strategy.