SQL injection testing commonly involves using tautology-based payloads such as 1 OR 1=1, which force SQL queries to evaluate as true. CEH explains that this confirms improper input sanitization and exposes whether user-supplied fields directly influence database queries. The result often returns all records, indicating successful injection.

The Certified Ethical Hacker (CEH) Footprinting and Reconnaissance module defines Google Hacking, also known as Google Dorking, as the use of advanced search operators to uncover sensitive information unintentionally exposed on the public internet. This technique remains passive, making it ideal during early reconnaissance.
Google Hacking can reveal:
Exposed configuration files
Backup files (.bak, .old, .zip)
Error messages and stack traces
Source code fragments and scripting errors
These findings often indicate coding weaknesses or insecure configurations within a web application. CEH explicitly highlights Google Dorking as an effective way to identify web application weaknesses without scanning or exploiting the target directly.
Option C is correct because Google Hacking is commonly used to identify coding and configuration weaknesses exposed through indexed files.
Option A may be possible indirectly but is not the primary justification.
Option B is incorrect because Google does not index the Deep Web.
Option D involves internal network discovery, which Google Hacking cannot directly achieve.
CEH emphasizes Google Hacking as a powerful passive reconnaissance technique for discovering exposed vulnerabilities.

Tautology-based SQL injection tests, such as using ' OR '1'='1, are safe and effective methods to verify whether SQL queries are being manipulated by user input. CEH emphasizes avoiding destructive queries and using logical expressions that return all rows if injection is successful.

The attack described is website defacement, which occurs when an attacker gains the ability to modify the content of a website-often the homepage-to display unauthorized messages, propaganda, or vandalism.
The scenario explicitly says Mia "alter[s] visible content on the homepage, replacing it with unauthorized messages," and emphasizes the reputational harm even without data theft. That reputational impact is a hallmark of defacement: it undermines customer trust, signals weak security, and can create regulatory/brand consequences even if no confidential information is exfiltrated.
The stated entry point-"exploiting an unpatched vulnerability in the web server"-is also consistent with defacement. Attackers frequently leverage web server or web application weaknesses (misconfigurations, known CVEs, weak credentials, vulnerable plugins, or insecure file permissions) to gain write access to web content or templates. Once write access is achieved, the attacker can replace HTML pages, alter templates, inject malicious scripts, or modify assets so that visitors see the attacker's message.
Why the other options are less appropriate:
DNS hijacking (A) redirects users by changing DNS resolution so that the domain points to an attacker- controlled server. That can lead to a fake site, but it's not the same as modifying the real server's homepage content.
Frontjacking (B) typically involves UI deception-overlaying or framing content to trick users-rather than server-side modification of the homepage.
File upload exploits (C) are a method that can be used to gain code execution or place malicious files on a server, but the question asks for the type of web server attack being demonstrated. The visible outcome described-unauthorized homepage changes-is best categorized as defacement.
Therefore, Mia is most likely demonstrating D. Website Defacement.