This is a real-world demonstration of the SQL injection attack used in the recent MOVEit hack. It is real world, not just a simple SQL attack.
Big thank you to Juniper Networks for supporting the community and making this training free (and sponsoring my channel). Go to juniper.net/davidbombal to get lots of training and also learn how to get certified for $50 (Associate Level). Use this voucher code to register for your courses: DAVIDBOMBAL
If you have issues with the Juniper registration, please use these links that they gave me:
Login assistance: userregistration.juniper.net/loginassistance
Customer support: support.juniper.net/support/requesting-support/
// Mr Robot Playlist //
ruclips.net/p/PLhfrWIlLOoKNYR8uvEXSAzDfKGAPIDB8q
// Proof of Concept //
Horizon3: www.horizon3.ai/moveit-transfer-cve-2023-34362-deep-dive-and-indicators-of-compromise/
// David's SOCIAL //
Discord: discord.com/invite/usKSyzb
Twitter: twitter.com/davidbombal
Instagram: instagram.com/davidbombal
LinkedIn: www.linkedin.com/in/davidbombal
Facebook: facebook.com/davidbombal.co
TikTok: tiktok.com/@davidbombal
RUclips: ruclips.net/user/davidbombal
// Occupy The Web social //
Twitter: twitter.com/three_cube
// OTW Discount //
Use the code BOMBAL to get a 20% discount off anything from OTW's website: davidbombal.wiki/otw
// Occupy The Web books //
Linux Basics for Hackers: amzn.to/3JlAQXe
Getting Started Becoming a Master Hacker: amzn.to/3qCQbvh
Top Hacking Books you need to read: ruclips.net/video/trPJaCGBbKU/видео.html
// Other books //
The Linux Command Line: amzn.to/3ihGP3j
How Linux Works: amzn.to/3qeCHoY
The Car Hacker’s Handbook by Craig Smith: amzn.to/3pBESSM
Hacking Connected Cars by Alissa Knight: amzn.to/3dDUZN8
// MY STUFF //
www.amazon.com/shop/davidbombal
// SPONSORS //
Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com
// MENU //
00:00 - Coming Up
00:55 - Juniper Free Training (Sponsored segment)
01:51 - OccupyTheWeb books and new books
03:57 - The MOVEit breach explained
05:20 - Clop website // Companies affected
08:52 - The two different vulnerabilities
10:26 - The truth about SQL Injection
12:21 - Using Shodan
14:05 - Proof of concept of the exploit
16:18 - SQL Injection example
20:35 - MOVEit hack analysis / How it was done
28:57 - CVE-2023-35708 SQL Injection vulnerability explained
30:36 - What is Taiwan Semiconductor (TSMC) and why they got hacked
31:01 - SQL Injection hack in the real world
32:45 - OccupyTheWeb online classes
33:46 - Union statement // Stacking queries demo
37:02 - Upcoming OccupyTheWeb courses and classes
39:50 - Conclusion
Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel!
Disclaimer: This video is for educational purposes only.
Sick
Juniper network training not working. their link to register is down currently, keeps taking me in circles.
PEGASUS SPYWARE:
Pegasus has the ability to access devices without victims pressing a link; that is what they have taught us so far. But that is a lie, it is way more intelligent than that.
The virus is hidden in memes and thumbnails; it is spread across the world every time after devices update, using social media and unaware victims executing videos, thumbnails, images, etc.
Ty for everything you do
ThankYou for the new video Mr Bombal.
Very cool to see the MOVEit coverage here -- and especially thank you for the Huntress shoutout! :)
Great to see you here John!! You and the team at Huntress are amazing! Got to get you back here :)
@davidbombal Hey, can you guys make a full website deface video please? It's very common for people to search for it, but they don't get much info on that. I hope OTW may do it, or John.
You two never fail to disappoint. Amazing as always OTW and David. Bravo
Thank you very much!
With UNION you also have to have the same data type: varchar, number, DateTime, etc.
Never fail to disappoint... 😅
The knowledge flows out of him so casually and easy to understand.
It's typically a skill you find in someone that's been doing "it" most of their life.
He teaches as easily as someone else might tie their shoes.
Agreed! "If you can't explain it simply, you don't understand it well enough." Albert Einstein
This channel is an absolute gem for the IT community! Thank you for bringing consistently great content, David!
I'm a SQL developer who is trying to transition into Cybersecurity (just passed CompTIA Security +), and I REALLY enjoyed this! Thank you
Occupytheweb your voice is life. So calming. ^_^
1:27 THANK YOU SO MUCH DAVID for going the extra mile for us, your subscribers!!!! Just yesterday I had to turn down getting the CEH cert, as the entire program is only 8-12 weeks plus extra for the exam. There was simply NO way I could afford the $2800 USD+ fee, especially being in Canada. That's like $3600!!!! Simply love your channel and your constant commitment to others :)
That's why stored procedures are the best option to avoid any issues with what the DB does or what data is involved.
OTW=respect.
Agreed.
@davidbombal tell him he owes me a pizza.
otw = american spy
It is a very interesting concept that shows how hackers use SQL injection in the real world with more advanced techniques to attack their target. This teaches a lot. David, thanks a lot as always.
You're welcome! I think it's great to see a current, real version of this, and then to learn the basics if you don't know yet :)
Seeing OTW, instant like and watch. Best content on YT, and best content on your channel! Waiting for more, great stuff.🤞
"You can't be a hacker if you don't know programming... If I read source code and understand it, it's because I'm capable of writing it."
Great content as always. Would love to see more content with OTW, you guys should make that video you talked about on how to reprogram usb drives into rubber duckies.
Another amazing episode, cheers Gentlemen! These should be the MOST EXPENSIVE punctuation marks of all time for each company during the SQL attack. xD In fact forgetting about "oldschool" attack techniques is a common mistake many companies / services make all the time (also from my experience). I mean - Aerosmith was founded in 1970 and it's still a nice band, right? :)
David, we enjoy OTW, and you are the reason we know him. So, thank both of you
Thank you very much!
awesome video, i love all the information and links you provide. you guys are nailing it!! keep it up
Thank you very much!
I love OTW ❤❤❤❤❤... and also DAVID BOMBAL, who presents this type of man to the viewers....
It’s hard to believe someone out there who is more skilled than otw. Impressive work. Thanks David and otw for bringing this to our attention. You both are the best.
Man, I love your content. I follow you on Spotify as well. More OTW and Sparc Flow please, and thank you David. JUST GREAT CONTENT!
I'm a student of OTW and his classes are top notch in every aspect! Thanks David for the interview, RESPECT ❤️
So do you really recommend that I buy a subscription to his classes? It will be very expensive for me.
@sdwsom4287 If you want, try his classes in the gold membership, which is monthly, then upgrade your membership.
@ebooooo1213 OK, thanks mate.
@oppenheimer11 They have different levels. You can get the starter bundle, get some knowledge, then join classes.
Looks like you’re in Utah David, next time you’re in town reach out, I’ll take you out rallying some side by sides, show you some great hiking and camping spots and teach you some survival stuff!!! Great video!!
The organization I work for was affected by that security breach, it was scary to think about but as someone in the IT world, it was interesting to learn about it.
Always happy to have OTW and you posting videos on here together🎉🎉
Thank you. Lots more to come!
@davidbombal can we get a Neal + OTW round table discussion?! 🫣🤩
It's always amazing learning from you, and much more when master OTW is in class. Thanks to you both.
I really wish you could do a tutorial video on Juniper registration; some things aren't really clear to me. Thanks for the prime lectures and keep adding flavors to your teachings ✌️
The ... " we have a chance moment" just awesome.
What a guy you are, David. In the middle of the mountains taking a moment to record something for your sponsor 😂
such a good good video, the knowledge alone is overwhelming and at the same time very understandable, love your channel and love even more OTW, thank you.
Thank you David and OTW, to talk and share you knowledge, all the content you do is very valuable. I learn so much with you guys. Ohh!!! John pass for here too. 😂😂😂 Another great person with nice contents. Thank you guys.
very cool as always ;). Good story, cold beer and OTW!
Love the OTW episodes... would love a more in-depth episode on SS7 and 2FA also, if possible.
Great video / content again David. Wasn't sold on the hacking videos at the beginning 😅 but I have definitely been enjoying the content. Very informative.
Great video! Loved it! So clear! Question for you and OTW: wouldn't any of these big companies have a SIEM blocking exfiltration in big sizes? I recall Sentinel setting off alarms and bells when users moved/deleted large volumes of data. Maybe a dumb question... but any answer would be appreciated, thanks!
Many thanks to you David and OTW for the great job you're doing. Maximum respect.🙌🙌
This sure is real. Again LOVE seeing you covering these topics David and GREAT to see you OTW!
Thank you. So nice having OTW share his knowledge and experience with all of us 😀
Makes me glad we don't use that particular software from Progress :) Also makes me glad that the software we do use of theirs (their DB software) barely even supports SQL89, and requires you to have the SQL broker enabled for it to even work.
Thanks David and OTW.
Very knowledge-filled.
Glad you enjoyed it
Great 👍 thanks @David, as usual I learnt a lot.
Excellent content my friend David and OTW.
Much appreciated!
That was brilliant info. I must have missed when this came out.
Hi sir, can you please make a video on pivoting devices and discuss it with master Occupy The Web!
Great suggestion
@davidbombal Thank you sir!! I am looking forward to it.
It's not only in cyber sec that you get exposed to some simple SQL injection techniques and how they work in the back end. Even for us in Software Engineering/Computer Science, one of my lecturers in the web app networking module discussed SQL injection, cross-site scripting, and other sorts of old-school hacking techniques with us. Honestly, I think that every single person involved in IT needs to have at least a basic grasp/knowledge of these techniques and their basics, or at least know what they are about. Maybe in the near future everybody will need to know this, which I'm not really a fan of, but the world is moving forward, and we all need to adapt to it.
Love you sir, from India 😊
Thank you! I appreciate your support!
Thank you, David, for everything
Brilliant video David and OTW...🌟
Thanks David I really need that video 👍❤️
You're welcome! I hope you enjoyed the video 😀
I work in a SOC. I'm going to buy this guy's books for sure.
Listen David, your channel is outstanding!!! No two ways about it. Your videos with OTW are just the best. The level of detail and information in these videos is so easy to follow, it's unreal. As a 33-year-old man who worked in construction his whole life, I caught covid last year and it messed me up so much I had to give up my job. Literally in a dark place trying to figure out what the F I'm gonna do now, I found your first vid with OTW and instantly became hooked on learning everything I can about hacking (pretty sure my partner is sick of me burning the ear off her on stuff I learn 😅). Halfway through Linux Basics for Hackers and just received his second book!!! So far amazing!!! When I build up the funds I'll become a subscriber hopefully! David, keep up the amazing content, I appreciate your hard work!!! You're the man!!!
There is no doubt that you will rise fast to the apex of your career, MetaspyClub, because you are a very intelligent, smart, hard worker and your work ethic is par excellence. Keep going. People like you take the IM out of IMpossible by becoming PRO at tackling PROblems. You Rock!
Mr. David, you are like Cristiano Ronaldo in cyber, but who is Messi? He is Occupy 🤔🤔
occupy
How are you?
I missed you man 😊
Big thanks Mr David ❤
Thank you! But, you are too kind 😀
Very nice content sir! Thank you very much
Thank you! Glad you enjoyed the video :)
This duo, you are amazing. Thanks for that knowledge.
Ooh this hack was a work of art. Good analysis!
OTW!! Let’s gooo!
Thank you Juniper, thank you David for this, and to Occupy The Web, the G.O.A.T., for your time. A biblical Dankie... A DANKO 😂
26:31 I was hoping we would only have to contend with this ridiculous scene once.
Every time I see new vid I’m happy that i pushed the subscribe button
Bombal Sir, I am very sorry. I DDoS'ed your site. I thought it would be difficult, but it was gone on the first try. But now the DDoS is not working. The reason is that you are a very good hacker. You fixed the site and now it is not getting affected.
David I really love your videos.
Could you please give me the Juniper Elevate community learning 'Elevate Auth Code'?
Thank you very much!
that intro 🤣
Any Devops content or talking about demanding skills soon?
Thank you! I'm working on it 😀
It's good to educate the people
Thanks David and OTW
Videos with OTW are really great!!
Your videos are super cool so even I make videos like you do! Cool videos you make...........
Will Linux Basics for Hackers get updated? I just recently bought it and got to chapter 3, but some of the stuff requires further research and different tools or routes to get to. I understand this is probably just a normal case of "Welcome to Tech!" I'm just wondering if there are planned updates or expansions on the content.
I do not know how to turn a PC on so how do I learn how to code
David Bombal, does that book have a PDF so that I can read it? Because in my country Amazon is not much available. Please reply to this comment???? Sir
I agree
I really enjoyed contents with OTW
Very happy to hear that!
Excellent explications , good for kids
Another outstanding episode with OTW. Guy is right up my alley.
Can SQL injection still be used in bug bounty hunting? How about the impact?
thanks mate really useful :)
Hi David, why does my VMware Workstation only have an Ethernet connection, and my USB WiFi adapter does not work in Kali Linux?
Mr David, you are so good. Please can you teach us how we can generate GPT using only my user data and no WiFi connection. Please, that will be good for all followers.
Do they strip or filter only once? Let's say, for example, I insert two commas and only one gets deleted.
OTW OTW!!!
I find one part confusing: how does everyone have access to their internal code? Is MoveIt open source?
Am I understanding correctly that OTW thinks they specifically attempted random SQL injection on the databases for years to stumble upon the vulnerability, or did they likely analyze the code first and then look further?
Brilliant video
If they don't have access to the code, then how do they know the table names, column names and other things such as that?
I just love this man
So brilliant :)
OTW you're amazing ❤
Thank you sir. I am a Bangladeshi fan of Occupy The Web... But my first language is not English... How can I read the book Getting Started Becoming a Master Hacker in the Bengali language? Or has anyone translated it into Bengali? It would have been nice if Ori also had a Bengali book.
Really interesting topic
Glad to hear that you are enjoying the video :)
I’m from Ethiopia and I don’t have any money to pay to learn
I’m currently preparing for ccna exam for next month and I need some resources to study
Please cover SDR, sub-GHz, etc.
Sir big fan
Thank you!
Saying "thank you" is not enough to show my gratitude to you, MetaspyClub. An honor to work under your guidance. Thank you for everything and, most importantly, the phone tracking was so satisfying.
Really nice👍👍!
Thanks for training info @David bombal
You're welcome!
When is the next vid with you and OTW coming? I bought his book in the hope that he has an income to take time for content with you 😂🎉
I've tried to register an account with Juniper, but it's a pain in the ass (feedback for them), as confusing as a blind man in the middle of a shooting.
Ty ser ❤
I didn't even realise how 40 minutes passed. Very interesting topic for sure.
Very happy to hear that!
Why can't I select All notifications?
I also sent a few people a link to your training. David, as always, the best! How do you get it all done!
Thank you! That training that I mentioned isn't content that I created, but made by Juniper 😀
@davidbombal yes sorry I meant your link but nonetheless you are helping provide critical skills to so many who just don't have a great deal of resources.
@mytechnotalent Thank you 😀
@davidbombal pleasure as always David!
GOOD INT3L.👍💯
Hi Mr David, please make a video about WormGPT
thx
I have a question: how do these attackers know the table names and the fields in the table? Is it by the fuzzing process mentioned by OTW, is it by studying source code through inspection, or something else?
I literally have the same question. I reckon they don't have access to the source code, as that would make it easy to exploit.
Could a row level encryption have prevented the attacker from taking usable data out of the database?