Invicti detected code execution via local file inclusion, which occurs when a file from the target system is injected into the attacked page and interpreted as code.
At the beginning of the attacking phase, Invicti made an HTTP request which contained custom payload and saw the output of execution of it at this page. This means this code has been executed, and this vulnerability generally happens with inclusion of log files by LFI-vulnerable PHP scripts.
An attacker can execute malicious code by abusing the Local File Inclusion vulnerability on the server.
Significant attacking skills are required because there is no tool or automated way to exploit this vulnerability. The attack consists of three phases: detecting the vulnerability, finding malicious code (or if possible creating one, by uploading an image, etc.) on the targeted system, and including that code via the identified vulnerability to run it. Generally the attacker needs to find the physical path of server access logs or needs to upload an image to the server or abuse /proc/self/
functionality in Linux systems where possible.
You can search and find all vulnerabilities