
Resume upload web shell

Name: Anonymous 2018-09-28 21:54

I wonder how many job application sites accept web shell uploads instead of regular resumes (or other types of uploads). I know how you can inject PHP into EXIF headers but I wonder if there's a way to fool a site into thinking an upload is a Word document or PDF when it's actually a PHP shell.

Name: Cudder !cXCudderUE 2018-09-29 0:14

I don't think Content-Range works with uploads on the majority of servers out there; it's a rare and nonstandard feature.

http://www.grid.net.ru/nginx/resumable_uploads.en.html

Name: Anonymous 2018-09-29 1:53

>>2
I don't think the general concept of file upload vulnerabilities is that uncommon, otherwise it wouldn't have an OWASP wiki article about it:
https://www.owasp.org/index.php/Unrestricted_File_Upload

Name: Anonymous 2018-09-30 19:13

script kiddy

Name: Anonymous 2018-10-01 4:04

>>4
anyone interested in security is a script kiddy
this is the dumbest double standard in tech
nobody complains when a software developer uses an IDE or compiler that they didn't write
but somehow using security tools is a bad thing
you have no idea what you're talking about but you're already being dismissive

Name: Anonymous 2018-10-01 7:09

>>3
file upload vulns are a popular target so I guess you won't find them in resume upload on major websites, they'll usually be more hidden. plus, 'upload arbitrary shit' is not yet a vulnerability - you need to have a way of executing things you've uploaded. if the script you upload just ends up on some anus recruiter's downloads list, the best you can do is try to phish him
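
Added example, not part of the thread: a server-side resume upload handler written so that an accepted file is never executable, which is the condition the last post says an upload flaw depends on. The function names, the two-type allowlist and the storage directory (assumed to sit outside the web root, with no script handler mapped to it) are assumptions for illustration, and the sample uploads are constructed.

```python
import os
import secrets
import tempfile

# Assumed policy: allowed extension -> required leading magic bytes.
ALLOWED = {
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",  # DOCX is a ZIP container
}

class UploadRejected(Exception):
    pass

def store_resume(client_name: str, data: bytes, store_dir: str) -> str:
    """Validate an uploaded resume; return the server-chosen stored name."""
    # Only the final extension counts, so "cv.pdf.php" is treated as ".php".
    ext = os.path.splitext(client_name)[1].lower()
    magic = ALLOWED.get(ext)
    if magic is None:
        raise UploadRejected(f"extension {ext!r} not allowed")
    # Content must match the claimed type; the client's Content-Type is ignored.
    if not data.startswith(magic):
        raise UploadRejected("content does not match extension")
    # Server-generated name: no client-supplied text reaches the path.
    stored = secrets.token_hex(16) + ext
    path = os.path.join(store_dir, stored)
    # O_EXCL refuses to overwrite; mode 0o600 sets no execute bit.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return stored

def check_samples() -> dict:
    """Run constructed sample uploads through store_resume."""
    samples = {
        "cv.pdf": b"%PDF-1.4\n% constructed sample\n",
        # Passes the magic check, but is stored as an inert .pdf.
        "polyglot.pdf": b"%PDF-1.4\n<?php /* constructed */ ?>",
        "cv.pdf.php": b"%PDF-1.4\n",
        "shell.pdf": b"<?php /* constructed */ ?>",
        "../../cv.pdf": b"%PDF-1.4\n",
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:  # stands in for the storage dir
        for name, data in samples.items():
            try:
                results[name] = store_resume(name, data, d)
            except UploadRejected:
                results[name] = "rejected"
    return results
```

Magic bytes alone do not prove a file is benign (the `polyglot.pdf` sample is accepted); what keeps it inert is the server-chosen name, the fixed extension and a storage location the web server never interprets.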
