Change the value of the filename parameter to .htaccess.
Change the value of the Content-Type header to text/plain.
Replace the contents of the file (PHP payload) with the following Apache directive:
AddType application/x-httpd-php .l33t
Change the value of the filename parameter from exploit.php to exploit.l33t. Send the request again.
2. Change the file extension by adding at the end of the file:
Request to change:
POST /my-account/avatar ...
In the Content-Disposition header, change the value of the filename parameter to include a URL-encoded null byte, followed by the .jpg extension:
Send the request again:
3. If the server checks that the uploaded file is actually an image
Create an image file containing a PHP payload with the help of ExifTool:
Replace <YOUR-INPUT-IMAGE>.jpg with your image file in the command below:
In Burp's proxy history, find the GET /files/avatars/polyglot.php request. Use the message editor's search feature to find the START string somewhere within the binary image data in the response. Between this and the END string.
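The three cases above (an uploaded .htaccess, a null byte in the filename, and an image carrying PHP) are each something a server-side upload check can reject. The sketch below is an added example, not code from the lab or from any framework; the function name check_upload, the image-only policy and the sample uploads are assumptions constructed for illustration.

```python
import os
import re
from urllib.parse import unquote

# Assumed policy for an avatar upload: images only, keyed by magic bytes.
MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
         ".png": b"\x89PNG\r\n\x1a\n"}

def check_upload(filename: str, data: bytes) -> list:
    """Return reasons to reject the upload; an empty list means accept."""
    reasons = []
    name = unquote(filename)              # decode %00 before checking
    if "\x00" in name:
        reasons.append("null byte in filename")
    base = re.split(r"[\\/]", name)[-1]   # drop any client-supplied path
    if base.startswith("."):
        reasons.append("dotfile such as .htaccess")
    ext = os.path.splitext(base)[1].lower()
    if ext not in MAGIC:
        reasons.append("extension not on allowlist")
    elif not data.startswith(MAGIC[ext]):
        reasons.append("content does not match extension")
    # Heuristic only: a valid image can still carry script text in metadata.
    # Re-encoding the image and storing it under a server-generated name,
    # outside any directory that executes scripts, is the stronger control.
    if b"<?php" in data.lower():
        reasons.append("PHP open tag in file body")
    return reasons

# Constructed sample uploads modelled on the requests described above.
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
SAMPLES = [
    (".htaccess", b"AddType application/x-httpd-php .l33t"),
    ("exploit.l33t", b"<?php /* constructed */ ?>"),
    ("exploit.php%00.jpg", JPEG),
    ("polyglot.jpg", JPEG + b"<?php /* constructed */ ?>"),
    ("avatar.jpg", JPEG),
]

if __name__ == "__main__":
    for fname, body in SAMPLES:
        print(f"{fname!r}: {check_upload(fname, body) or 'accept'}")
```
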