- Enumerate which file types are actually allowed.
- Check if any of the allowed types give us code execution.
- if none of them are useful. Try to bypass file extension verification.
Apache - .htaccess
if server allows to upload .htaccess, you can upload a customised version of this file, which considers a custom extension (.test) as your required extension .php for example.
echo 'AddType application/x-httpd-php .test' > .htaccess
Now you can name a php coded files as .test. and upload and execute it.