The most popular server-side programming language for websites is PHP. Unfortunately, the language provides a lot of ways to run data as PHP code. If an attacker can upload a PHP file and the server has any security defects, getting the file to run on the server might be quite possible.
If the uploader can access the file by a URL, it's absurdly easy.
- Step 1: Upload a PHP file.
- Step 2: Invoke the PHP file by its URL (e.g., http[:]//example.com/uploads/evil[.]php). It will immediately run on the server, with all the privileges of the account that runs the Web application.
Another trick is to get an existing PHP file to include it, perhaps by giving it a parameter that points at the file. The result is similar; the malicious code runs on the server, with few restrictions on what it can do.