I would like to ask a question regarding the classic uploading an image and executing php code exploit on a website.
So I have been trying out this exploit a website I'm supposed to hack (It's set up for us to try and hack it)
The webpage allows us to upload an image, and while changing the mime type using TamperData is easy, the webpage apparently checks if the last characters of the file is '.jpg' or '.jpeg' before allowing the image through.
Regardless of the placement of the PHP code(I've tried just php code, php code pasted at the end of the image file, php code in EXIF headers etc), the website just shows the image file when I open it after uploading (or an error in the case of plain php code saved as .jpg), since the extension is always jpg.
So in such a case, what should be done to execute the file as .php? (null bite poisoning does not work, neither does uploading the code as vuln.php.jpg or vuln.php;.jpg. Both just shows the image)