CSTL Databases

Please click on the following tabs to reveal the knowledge depth required for a successful pass of the CSTL exam.

You will be given a random selection of questions. Please note exam content is subject to change due to circumstances beyond our control – use this as a guide and email us if you have any queries.

  • Understands and can demonstrate the remote exploitation of Microsoft SQL Server.
  • Understands and can demonstrate how access can be gained to a Microsoft SQL server through the use of default account credentials and insecure passwords.
  • Can identify and extract useful information stored within a database (e.g. user account names and passwords, recovering passwords where possible).
  • Following the compromise of Microsoft SQL server, can use stored procedures to execute system commands, escalate privileges, read/write from/to the file system, and/or gain further access to a host.
  • Understands and can demonstrate the remote exploitation of an Oracle database.
  • Understands the security attributes of the Oracle TNS Listener service.
  • Can demonstrate how the software version and patch status can be obtained from an Oracle database.
  • Understands and can demonstrate how access can be gained to an Oracle database server through the use of default account credentials and insecure passwords.
  • Can identify and extract useful information stored within a database (e.g. user account names and passwords, recovering passwords where possible).
  • Following the compromise of an Oracle database server, can use stored procedures to execute system commands, escalate privileges, read/write from/to the file system, and/or gain further access to a host.

  • Understands and can demonstrate the remote exploitation of other common SQL database servers, such as MySQL and PostgreSQL.
  • Understands and can demonstrate the remote exploitation of common NoSQL database servers, such as MongoDB.
  • Understands and can demonstrate how access can be gained to such a database server through the use of default account credentials and insecure passwords.
  • Can identify and extract useful information stored within a database (e.g. user account names and passwords, recovering passwords where possible).

  • Understands common connection and authentication methods used by web applications to connect to database servers.
    Can recognise common database connection string formats, e.g. JDBC.
  • Can identify running databases using the SQL Browser service.
  • Understands the difference between local SQL Server accounts and integrated auth, and the security implications of both.
  • Demonstrate ability to execute operating system commands without xp_cmdshell.