Pentesterlab Solution for “Web for Pentester File Upload 2”

Solution for Pentesterlab File Upload 2

This also shows that even with file validation controls in place, an attacker can manipulate file extensions to get the .php shell through the filters. The result is the same: from here the attacker can view files or upload their own to inject malicious content into the site.

All visitors to the site are then potential victims, as they could be downloading malicious files or being redirected by tampered links without any idea the site has been compromised.
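On the defensive side, the extension filtering discussed above holds up better as an allowlist combined with a content check and a server-chosen file name. The sketch below is an added example, not code from the exercise or from PentesterLab; the images-only policy, the size limit, the `stored_name` helper and the sample inputs are all assumptions made for illustration.

```python
import secrets
from typing import Optional

# Assumed policy for this example: the upload feature accepts images only.
# Each allowed extension maps to the magic bytes the content must start with.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024  # assumed size limit

# Constructed sample inputs (not taken from the exercise).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_SCRIPT = b"<?php echo 'hello'; ?>"


def stored_name(client_name: str, data: bytes) -> Optional[str]:
    """Return a server-chosen name for an accepted upload, or None to reject."""
    # Use only the last path component and the text after its final dot.
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED:  # allowlist, not a list of "bad" extensions
        return None
    if not data or len(data) > MAX_BYTES:
        return None
    if not data.startswith(ALLOWED[ext]):  # content must match the claimed type
        return None
    # Discard the client's name entirely: a random base plus the single
    # allowlisted extension, so nothing else the client typed reaches the disk.
    # Magic bytes do not prove a file is harmless; the rename, plus storing
    # uploads where the server never executes scripts, is the real control.
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    cases = [
        ("photo.PNG", SAMPLE_PNG),
        ("notes.php", SAMPLE_SCRIPT),
        ("notes.pHp", SAMPLE_SCRIPT),
        ("notes.php.png", SAMPLE_SCRIPT),
        ("notes.php.png", SAMPLE_PNG),
    ]
    for name, data in cases:
        print(f"{name!r:18} -> {stored_name(name, data)}")
```

The last case is accepted because its content is a valid image, but it is stored under a random name with a single `.png` extension, so the extra extension the client supplied never reaches the file system.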