Just login as a normal user, then change the url from admin-panel.php to admin-panel1.php, you will have admin access. After this, an attacker can do anything that the admin has access to.