How to upload a shell in Magento
After getting Magento admin credentials, you will need to upload a shell. You can do that by uploading a Magento package containing the PHP shell.
You can download the package from here:
https://github.com/lavalamp-/LavaMagentoBD or https://github.com/P34C3-07/LavaMagentoBD
In the package files, place your shell in the following path here, put your malicious shell inside the “IndexController.php” file.
The next step is to go to http://192.168.1.101/downloader/, then upload your package from the direct package file upload form here:
You will get a message like that after a successful upload:
In the end, you can access your shell by visiting the following link: