source-trace / beescms

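PHP+MySQL, multilingual system, easily extensible content modules, diverse template styles, simple yet powerful template creation, professional SEO optimization, convenient back-end operation; fully suitable for corporate websites, foreign-trade websites, public institutions, educational institutions, and personal websites.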

There is a file upload vulnerability so that the webshell can be obtained

R0both opened this issue · comments

Let's take a look at the code
[image]
The system does not strictly filter and restrict the pictures uploaded by users, resulting in a file upload vulnerability. From the code, it can be seen that only the size of the picture, the Content-Type and so on are verified during the upload, so one only needs to modify the Content-Type to bypass the upload check.
After logging in as the administrator, open the following page.
[image]
Upload php.php and capture the packet to modify the Content-Type to "image/jpg".
[image]
Then we can see that php.php was successfully uploaded.
Then we access the uploaded file.
[image]
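
As an added example (not BEESCMS code, which appears on this page only as a screenshot): a constructed PHP check that trusts the client-declared type in the way the issue describes, beside a hardened handler that ignores it. The function names, the allowlist and the sample values are assumptions.

```php
<?php
// Added illustration; not BEESCMS code. Names and allowlist are assumptions.
const ALLOWED_IMAGES = [           // extension => MIME type the bytes must sniff as
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

// Weak pattern described in the issue: size and client-declared type only.
// $file['type'] is copied from the Content-Type the client sent for the file part.
function weak_check(array $file, int $maxBytes): bool
{
    return $file['size'] <= $maxBytes
        && in_array($file['type'], ['image/jpeg', 'image/jpg', 'image/png', 'image/gif'], true);
}

// Hardened form: ignore the declared type and derive everything server-side.
// Returns the stored file name, or null if the upload is rejected.
function store_image(array $file, string $destDir, int $maxBytes): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > $maxBytes) {
        return null;
    }
    // The extension must be on the allowlist, so a name like "php.php" stops here.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_IMAGES)) {
        return null;
    }
    // Sniff the content type from the bytes on disk and require it to match.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== ALLOWED_IMAGES[$ext]) {
        return null;
    }
    // Server-generated name: the client controls neither the name nor the extension.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $target = rtrim($destDir, '/') . '/' . $name;
    return move_uploaded_file($file['tmp_name'], $target) ? $name : null;
}

// Constructed $_FILES entry mirroring the issue: php.php declared as "image/jpg".
$sample = ['name' => 'php.php', 'type' => 'image/jpg', 'size' => 120,
           'tmp_name' => '/tmp/phpXXXXXX', 'error' => UPLOAD_ERR_OK];
var_dump(weak_check($sample, 1 << 20));          // the declared type alone satisfies it
var_dump(store_image($sample, '/tmp', 1 << 20)); // stops at the extension allowlist
```

Content sniffing can be satisfied by a file that starts with valid image bytes, so the extension allowlist and the server-generated name are what keep a stored file from being executed. Serving the upload directory with script execution disabled adds a further layer.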