• Check if the metadata is stripped after upload
• Change the file extension
• use pht, phpt, phtml, php3,php4,php5,php6 as file extension (might as well bruteforce it)
• Change the extension but not the content type
• whitelist bypass : Shell.jpg.php or shell.php%00.jpg
• Check for svg file upload
• Lfi (../../../../shell.php)
• Upload large file size for ddos
• Change the magic bytes
• sql (‘sleep(10).jpg)
• If image upload is posible, change content type to image/svg+xml then test for xss, xxe, ssrf