This php script checks if the GET 'start' parameter is set(http://link/?start=1) and in that case if there is any start parameter sent in the post data it tries to include the file with that name and extract the $secret from it.

I used https://reqbin.com/ to send a post request with the required parameters.

Response: