David is working on a pen testing assignment as a junior consultant. His supervisor told him to test a web application for SQL injection. The supervisor also informed David the web application is known to be vulnerable to the “admin’ OR ‘” injection. When David tried this string, he received a WAF error message the input is not allowed.
Which of the following strings could David use instead of the above string to bypass the WAF filtering?
A . exec sp_addsrvrolemember ‘name ‘ , ‘sysadmin ‘
B . ‘ union select
C . admin’) or ‘1’=’1′-
D . ‘or username like char(37);
Answer: C