There is an arbitrary file upload getshell vulnerability in the background

[S2eTo]

File Path: LKT/webapp/modules/system/actions/uploadImgAction.class.php::execute

This method incorrectly splices untrusted file types, resulting in arbitrary file uploads

By modifying the file type in the file upload protocol to: image/php to upload webshell

Uploaded webshell successfully