I Got Magic — GIF Polyglot Webshell Upload + RCE

Craft a file that is simultaneously a valid GIF (magic bytes GIF89a) and a PHP shell (<?php echo system('cat /flag.txt'); ?>). Upload it via the image upload form, find the timestamped filename in the response, and request that URL to execute the shell.

January 1, 2024 · 2 min · giordii

Shell's Revenge — GIF Polyglot PHP Webshell Upload

Upload a file starting with the GIF89a magic bytes followed by a PHP shell. The server validates the MIME type from the header but saves the file where PHP can execute it. Access the uploaded file URL to run arbitrary commands.

January 1, 2024 · 2 min · giordii

Shell's Revenge 2 — GIF Polyglot Webshell via LFI Include

Upload a GIF polyglot containing a PHP shell, then trigger its execution through a ?page= parameter that is vulnerable to local file inclusion and includes the uploaded file path.

January 1, 2024 · 2 min · giordii

TIMP — OS Command Injection with IFS and Null Byte Filter Bypass

A POST endpoint executes a shell command with user-supplied input but filters spaces, the word 'echo', and other shell metacharacters. Bypass with ${NULL} (expands to nothing) and ${IFS} (the internal field separator, expands to a space in bash).

January 1, 2024 · 2 min · giordii