Some developers implement their own file upload processes. Basically, the file is uploaded, and then checked for validation by the server.
Similarly to antiviruses, the malicious uploaded files that could not be validated are deleted in milliseconds. During that short period of time, an attacker (knowing the uploads location) may have access to the file.
Thus, he could brute force the URL of the uploaded file.
$ python3 ./upload_racer.py -h
$ python3 ./upload_racer.py --url "<URL>" --exclude "<NOT_FOUND_SAMPLE>"