You can see the attacker using the multipart/form-data format send the payload to. For applications, and using application/x-www-form-urlencoded access to the data is consistent. About multipart/form-data and application/x-www-form-urlencode difference, you can refer to stackoverflow.
A brief summary, usually a file upload when using multipart/form-data ,transfer common parameter used in the x-www-form-urlencoded 。 File upload contains a large amount of binary data, non-character digits of data, if you use urlencode, you need all the use of url encoding. So that the need for transmission of data expansion.
On the use of multipart/form-data bypass the waf there is also more discussion. multipart/form-data PHP and Java common WAF bypass method , 3 6 0 website po/security po/accelerating music and other similar product protection to bypass the defective one.
Has been able to bypass the waf, should be multipart/form-data is usually used to transfer binary, if the waf for large file parsing possibilities can be influential. So the write scanner when if the form-data to send payload maybe there will be surprises, refer to Baidu a station st2 command execution(unique perform posture)