EmpireCMS 6.6 allows remote attackers to discover the full path via an array value for a parameter to admin/tool/ShowPic.php.
https://kongxin.gitbook.io/empirecms/
https://kongxin.gitbook.io/dedecms-5-7-bug/
https://github.com/kongxin520/EmpireCMS/blob/master/EmpireCMS.md