I havent tested this yet

the file https://github.com/robbraxman/braxme/blob/3c814ebf7fec0a3ad972251f667bac6ceb511c97/prod/wrapphoto.php allows anyone to download a remote file, however if you start with ?u=http/../ you can download a local server file

file deleted