Risky path: /admin.php?c=upload&f=zip&_noCache=0.1683794968
The system allows users to import external plug-ins. When users construct malicious compressed packages, they can execute commands to obtain system permissions.

Version: Version 6.4.100

e.g. Plug-in file structure:

After uploading the plug-in, the system will execute the php file in the compressed package，
So we can control the contents of php files and execute high-risk commands.
As see, echo phpinfo() command in test.php

Then Package the file into a zip file to upload.
After upload this pluging, the system will automatically decompress the compressed package and save the 'test.php' in 'plugins/' path.
Then we can use a browser to access the url path such like 'http://ip:port/plugins/test.php' to execute commands.