nvmm closed
Did you fuzz for blacklisting? Fuzz potential allowed extensions (png, gif, etc.)
Do the same for PHP files [all lowercase] (php, php5, phar, etc.)
If the web app accepts only files with an image extension, you can try rev.phar.png
You may try bypass techniques as well (rev.phar%0a.png / rev.phar%00.png)
Don't forget to fuzz the MIME type
When you have found the correct patterns, don't forget to add the correct magic number of the allowed image file before inserting the PHP code, e.g. GIF file = GIF8
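
Added example, not part of the original post: a server-side upload check written so that each pattern listed above (double extension, `%0a`/`%00` in the name, spoofed MIME type, image magic number in front of other content) is either rejected or made harmless. The function name `validate_upload`, the allowlist and the sample inputs are assumptions made for illustration.

```python
import os
import re
import secrets

# Allowlist: canonical extension -> (accepted magic-byte prefixes, MIME type to serve)
ALLOWED = {
    "png": ((b"\x89PNG\r\n\x1a\n",), "image/png"),
    "gif": ((b"GIF87a", b"GIF89a"), "image/gif"),
    "jpg": ((b"\xff\xd8\xff",), "image/jpeg"),
}
# Exactly one dot, no control characters, no path separators.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9]+")


def validate_upload(client_name, client_mime, data):
    """Return (stored_name, served_mime) or raise ValueError.

    client_mime is accepted only to make the point that it is never used:
    the Content-Type of an upload is chosen by the client.
    """
    name = os.path.basename(client_name.replace("\\", "/"))
    # fullmatch (not match/search with "$") so a trailing "\n" cannot slip
    # through; the single-dot rule rejects names like x.phar.png, and the
    # character class rejects decoded %00 / %0a bytes.
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("rejected file name")
    ext = name.rsplit(".", 1)[1].lower()
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED:  # allowlist, never a blacklist of script types
        raise ValueError("extension not on allowlist")
    magics, mime = ALLOWED[ext]
    if not data.startswith(magics):
        raise ValueError("content does not match extension")
    # A valid magic number says nothing about the bytes after it, so the
    # stored name is generated here and carries only the allowlisted
    # extension; nothing from the client name reaches the file system.
    return secrets.token_hex(16) + "." + ext, mime
```

The check is only half of the control: the upload directory should sit outside the web root or have script execution disabled, and re-encoding the image server-side discards anything appended after the header.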