There is a file upload getshell vulnerability in the background system/actions/payAction.class.php

[S2eTo]

File Path LKT/webapp/modules/system/actions/payAction.class.php#L63

After uploading as a .zip file, the archive will be decompressed. You can gain system control by putting the php webshell file in the compressed package

Upload a compressed package file with webshell below

Successfully accessed the shell file under LKT/webapp/lib/cert