How it works...

First, we discovered that the application verifies files before accepting the upload. There are several ways an application can do this; the simplest and most common are checking the file extension and checking the Content-Type header of the file part in the request, and the latter is what the application in this recipe does. That header is set by the client, so the server is trusting a value the attacker controls. The browser fills it in from the file's extension, in this case application/x-php (the exact value varies by browser and operating system); we intercepted the request and changed it to the type the server expects, image/jpeg, and the upload was accepted as an image.

The file we uploaded, webshell.php, takes a GET parameter (cmd) and passes its value as the argument to PHP's system() function. system() runs the command through the operating system shell and writes its output into the response sent to the client. The rest of the file is an HTML form that lets us submit commands over and over again. Notice that the form's action is set to the relative path where the file was uploaded. This is necessary because the file is not requested directly; it is included by another script. Its code is then interpreted as part of the including script, so every relative path and URL in it resolves from the perspective of the file doing the inclusion, not from the uploads directory.

Once the file was uploaded, we used the LFI vulnerability to include it. PHP's include executes whatever it reads as PHP code regardless of the file's extension or the Content-Type it was uploaded with, so the webshell runs and we can execute system commands on the server.
