@WilyXem mentioned us in a tweet about an HTC POST SQL injection he found in a subdomain of their site (learning-development.htc.com). In the tweet he included a Pastehtml link. You can view the tweet below:
HTC – [POST] SQL Injection, full disclosure. http://t.co/uvdjAVyF http://t.co/zkCEeeul @BreakTheSec @Zer0Security @securityninja
— WilyXem (@WilyXem) January 25, 2013
He dumped a list of the tables in the “uniprosi_htc” database, which also included “capp_admin”, a table holding the admin credentials.
[+] DataBase Version : 5.0.45
[+] Current DataBase : uniprosi_htc
[+] Others DB's : information_schema, test
[+] System User : unipros_htc@localhost