The point of vulnerability is: application/bbs/controller/Index.php
The key code in the figure is for file download
follow in "download",which in extend/org/Http.php
There are no protection measures such as filtering, you can download any file directly
example:
payload:http://127.0.0.1/cms/myucms/index.php/bbs/index/download?url=/etc/passwd&name=1.txt&local=1
Download / etc / passwd on the server and save it as 1.txt
After downloading it opens as shown
Thanks for 0dod