php-execution

4 articles
0 6/10

A bug bounty writeup demonstrating unrestricted file upload leading to RCE by bypassing extension filters through MIME type manipulation in GET parameters, chaining with PUT requests, and exploiting alternative PHP extensions (phps, php3, php5) that bypass .php filtering to execute arbitrary code.

Muhammad Khizer Javed
blog.securitybreached.org · devanshbatham/Awesome-Bugbounty-Writeups · 19 hours ago · details
0 5/10

A researcher bypassed file upload restrictions by manipulating MIME type parameters in GET/PUT requests, ultimately achieving RCE through uploading a PHP backdoor with an alternative extension (php5/php7) after initial PNG/JPG restrictions were enforced.

Meet Sodha Smilehacker
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 19 hours ago · details
0 8/10

A remote image upload feature allowing RCE through injecting PHP payloads into GIF images with Netscape Looping Application Extensions, which survive PHP-GD image recreation due to preserved null byte blocks. The attack bypasses file extension validation by renaming uploaded images to .php and exploiting image processing that fails to sanitize injected code in GIF metadata.

PHP-GD dlegs/php-jpeg-injector fakhrizulkifli/Defeating-PHP-GD-imagecreatefromjpeg ABOUL3LA asdqwe3 Imagemagick
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 19 hours ago · details
0 7/10

A researcher bypassed file upload restrictions on a crypto trading platform by manipulating Content-Type headers, uploaded a PHP shell for RCE, extracted database credentials, and gained the ability to modify user account balances, resulting in a P1 severity rating.

Mohammed Abdul Raheem Muhammad Khizer Javed HackerOne OWASP Burp Suite c99 shell
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 19 hours ago · details