Having a lot of trouble getting the shell manually. I’m aware of the POCs and I think it’s pretty clear what they are doing. My problem is this: I send a request to upload an image with an acceptable file extension. I capture that request in burp and change the file and it’s contents in an effort to upload a new .htac**** file. Despite the fact that I capture the request in burp, when I forward the modified request on, the app still responds that I can only upload files with specific extensions, which tells me this validation is happening on the server. If that’s the case, how are people getting this new file uploaded?