How i was kul hacker

These two little stories happened to me when I was young and stupid, but rather stupid than young. Probably each of you, in his time, was fond of something. Perhaps this hobby came to you spontaneously, due to a confluence of various kinds of circumstances, so it happened with me. In those days, far back, I was carried away by the dark side of the power of hacking sites. My interest was idle, I was just starting my way as a web programmer, and several of my websites were hacked using sql-injection. I needed to supplement my knowledge so that this would not be repeated in the future, which, in fact, I did.

Well, like many others, at that time I was fascinated by browser games and decided to apply my little ones at that time and to this knowledge for insidious purposes.

The story about the "football manager"

As I remember, I was lounging in a chair, languidly watching the small virtual players of my team running around the field. Everyday turbulent chaos is going on in the chat, only one thought is in my head - how boring it is. At this point, I had a bit of brute force experience in various forums, my friends and I were playing a “lineup” and to keep abreast of the events of the actions of other clans - I brutalized their forums to read important strategic information :).
')
A thought occurred to me - why not try it here? Let's try to use brute force! It turned out that the captcha was not used at the entrance to the game and the player's login coincides with the nickname in the game. Elementary Watson!

A small script was written that went through the specified logins with standard passwords, I quickly got the players logins from the rating. Passwords took the simplest ones, the record holder was, of course, "123456" after him, with his head held high, went "1234", "111111", "qwerty", "qazwsx" and the like, I only had about 10 basic passwords for which I worked". It turned out several hundreds of accesses, it was for me simple entertainment and I did that I logged in under any player and wrote in the chat on his behalf. Quickly enough, a slight panic started in the game chat, some people wrote something like “Yes, it’s bullshit, but hack me!”, I substituted only one login for the brutal and the base of passwords downloaded somewhere :) I went under his nickname and frightened the rest. After several similar cases, no one laughed and half the chat ran with a shout "Aaaaaaa" in a circle.

At the forum, a few dozen players began to vividly discuss "hacking the site", "draining the base" , "he sold my Ronaldo" and "we will all die." The administration fought back as best she could and didn’t understand what was going on, and since I was not hiding, I quickly went to my main nickname and asked “what for?”. At that moment, I realized that it was a success and I began to foolishly proudly play the evil hacker who is able to destroy their game. In the course of communication, for stopping my destructive actions and helping to eliminate the vulnerability, I requested as much ... $ 100. Yes, it was funny at that moment and at the same time very new to me :). After I called the “price,” the administration responded with something like “chairs in the morning — money in the evening” and hinted that if there really was a vulnerability, they would immediately pay. But then a Marlboro cowboy woke up in me and I replied: "Now my services cost $ 200." Now it looks crazy, but at that moment I really did that :).

In general, after a little reflection, I realized that I had to go back down and write to them about bruteforce and sql-injection (which I found that evening, but a little later). Having done my dirty business, I received the cherished $ 200 on webmoney! Honestly, I did not expect them to pay, but they sent money with comments, “Well, you fucking blackmailer :)”. After that, I completely became impudent and after a couple of days I asked them for game currency (several friends played this game and I wanted to help them), the administration did not refuse and I fell asleep like the golden antelope Raju :)

By the way, now this game feels very good, judging by the statistics from their site, more than 6,000,000 players are registered in the game.

The story about the Sochi site

About 5 years ago my city had a “mainstream” site, the most famous and most visited, and now it has, in fact, but much more competitors. Why I began to check it for sql-injection - I do not know, but the fact is that I found a vulnerability in adding ads - which I used. It was possible to get access to the mysql database version 5 - a list of all the tables and fields, the login and password hash from the administrator of the forum and the site, and of such boring things. But this time I decided that it was time to burn myself to prove myself.

Having found out where the office of this site is located (and they have an entire office, the staff is all serious), I came to the meeting with the director to show them how foolish I was that they themselves came to be vulnerable. Proudly and confidently, I told the site’s director of the site about their problems, and even showed on-line the process of getting any data from their database. After that, he told me the following: “Do you know that in the current year we have already planted two of these?”. He clearly hinted at the wrongness of my actions. It is good that I did not become stupid, but came and told - I thought. In general, the site director asked what I would like for help, and since I am very , very, very modest, I asked only 3,000 rubles :). In the white envelope, I was given the amount and said “hide it so that the employees would not see”, after which I, as a real spy, went outside and was like that.

Of course, the amounts appearing in the article are quite ridiculous, but I ask you to take into account that I didn’t have the goal of “making money” and everything happened quite spontaneously, by the way, I have many such stories, but I was “rewarded” in these two :)