After the application is reset and in use, sensitive files under config cannot be accessed under normal circumstances, but files under public can. When the system is being installed, there is no restriction on the user's input, as shown in the source code below.
You can see that the installer connects to the database first, and that the code that writes the configuration file begins at line 214, so we need to bypass this mechanism. The input is not filtered, and there is a logic error on line 223: instead of verifying that the table connections in the database are correct, the code writes the configuration file. So we capture the request and take a look.
When the parameter N=83, the data is written to the configuration file, so we can construct the payload in the prefix parameter input.
Just write test.php to the public directory under the root directory; the content is
When the installation is complete, visiting the home page generates the test.php file in the public directory.
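A hardened form of the install step described above, as an added example that is not the application's own code: the prefix is validated against an allowlist, the database check runs before any write, and values are serialized with var_export. The function names, the settings layout, the prefix pattern and the sample input are assumptions made for illustration.

```php
<?php
// Added example: hardened installer config writer. All names are hypothetical.
declare(strict_types=1);

// Allowlist for a table prefix: letters, digits, underscore only (assumed policy).
function validate_prefix(string $prefix): string
{
    if (preg_match('/\A[A-Za-z][A-Za-z0-9_]{0,15}\z/', $prefix) !== 1) {
        throw new InvalidArgumentException('invalid table prefix');
    }
    return $prefix;
}

// Serialize settings with var_export so values are emitted as quoted PHP
// literals and cannot be parsed as code when the config file is included.
function render_config(array $settings): string
{
    return "<?php\nreturn " . var_export($settings, true) . ";\n";
}

// Order matters: validate input, verify the database, write the file last.
// $checkDb is a caller-supplied callable that returns true only on success.
function install_config(array $input, callable $checkDb, string $path): void
{
    $settings = [
        'host'   => (string)($input['host'] ?? ''),
        'dbname' => (string)($input['dbname'] ?? ''),
        'prefix' => validate_prefix((string)($input['prefix'] ?? '')),
    ];
    if ($checkDb($settings) !== true) {
        throw new RuntimeException('database check failed; config not written');
    }
    if (file_put_contents($path, render_config($settings), LOCK_EX) === false) {
        throw new RuntimeException('could not write config');
    }
}

// Constructed sample input: a prefix containing a quote is rejected
// before anything touches the disk; a plain prefix round-trips as data.
$path = sys_get_temp_dir() . '/config_example.php';
try {
    install_config(['host' => 'db', 'dbname' => 'cms', 'prefix' => "pre'fix"],
        fn(array $s): bool => true, $path);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
install_config(['host' => 'db', 'dbname' => 'cms', 'prefix' => 'cms_'],
    fn(array $s): bool => true, $path);
var_dump((include $path)['prefix'] === 'cms_');
```

In a real installer the generated file should also live outside the web root, and the install route should be disabled once setup has finished.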