In fact, any command passed in the cmd parameter will get executed on the server. His upload has created a command execution vulnerability.
cmd
What is your bidding?
