Log in with an administrator account and download the database in the system settings
Modify project_has_files in the sqlite.db database
Compress the modified sqlite.db with gzip and upload it. After uploading it to the project and clicking the file to view/download, the attacker can read and delete any file from the server.
