C-Style Login — PHP Type Juggling Array Bypass
PHP’s loose comparison treats an array as truthy against any string. Sending password[] as an array in the POST body bypasses the string comparison and grants access.
PHP’s loose == treats any string starting with ‘0e’ followed by digits as the float 0. Pass a known magic hash input whose MD5 begins with 0e to bypass a hash comparison.
Craft a file that is simultaneously a valid GIF (magic bytes GIF89a) and a PHP shell (<?php echo system('cat /flag.txt'); ?>). Upload it via the image upload form, find the timestamped filename in the response, and request that URL to execute the shell.
Pass the GET parameter as an array (?richiesta[]=sas) to make PHP receive an array instead of a string, bypassing the string equality check and revealing the flag.
Upload a file starting with the GIF89a magic bytes followed by a PHP shell. The server validates MIME type from the header but saves the file where PHP can execute it. Access the uploaded file URL to run arbitrary commands.
Upload a GIF polyglot containing a PHP shell, then trigger its execution through a ?page= parameter that is vulnerable to local file inclusion and includes the uploaded file path.