Question 1

You gain SELECT access via SQLi on MySQL. You want SUPER privileges.

What technique applies?

Options :

A : Exploit INTO OUTFILE to drop reverse shell

B : Abuse SET GLOBAL general_log_file + write webshell

C : Elevate using UNION SELECT grant_option_priv

D : Modify mysql.user directly with injected UPDATE

Answer: D

Question 2

An image thumbnailer service accepts a url and fetches the image server-side. The server runs inside AWS. You can supply gopher:// URIs.

Which chain most likely yields temporary AWS credentials that let you enumerate S3 buckets in the same account?

Options :

A : Use SSRF to http://169.254.169.254/latest/meta-data/iam/security-credentials/ and then fetch the role name and token.

B : Submit gopher://169.254.169.254:80/_GET%20/... to craft precise TCP requests to metadata endpoint.

C : Use SSRF to query http://metadata.google.internal instead.

D : Use SSRF to initiate a reverse shell back to you.

Answer: B

Question 3

Developer says “we sanitize server output.” You suspect a DOM sink. Which minimal probe best surfaces a client-side sink without server reflection?

Options :

A :

B :

C :

D :

Answer: C

Question 4

During a penetration test, you find a reflected XSS in a GET parameter ?q=. The web app sets a HttpOnly session cookie. Which of the following BEST allows you to hijack the victim’s authenticated session?

Options :

A : Steal cookies with document.cookie

B : Inject JS to perform CSRF requests using victim’s session

C :

D : Bruteforce the session token using ffuf

Answer: B

Question 5

You need to exploit a CSRF in a stock trading platform. The target action is:

The app accepts requests only from Origin: https://trading.local.

Which CSRF payload is most likely to bypass defenses?

Options :

A :

B :

C :

D :

Answer: D