Confuse Me — PHP Magic Hash 0e MD5 Bypass
PHP's loose == treats any string starting with '0e' followed by digits as the float 0. Pass a known magic hash input whose MD5 begins with 0e to bypass a hash comparison.
The session cookie is a URL-encoded base64 of a JSON string like ‘id-role-username’. Decode it, change the role to 0 and username to admin, re-encode, and access the admin page.
Decode a Morse code file, strip hex prefixes, convert to binary, interpret as Base64, then apply a Caesar shift derived from the first character — five transforms chained together.
The buy endpoint accepts a ‘costo’ (price) POST parameter from the client. Sending costo=0 purchases the expensive flag item for free.
The flag is not in the response body — it is stored in a custom HTTP response header called 'Flag'. Use a HEAD request and read r.headers['Flag'].
Craft a file that is simultaneously a valid GIF (magic bytes GIF89a) and a PHP shell (<?php echo system('cat /flag.txt'); ?>). Upload it via the image upload form, find the timestamped filename in the response, and request that URL to execute the shell.
The theme parameter appends .css to the user-supplied path before serving it. Use …/ triples (which reduce to ../) and a URL-encoded null byte to escape the CSS directory and read /flag.txt.
Pass the GET parameter as an array (?richiesta[]=sas) to make PHP receive an array instead of a string, bypassing the string equality check and revealing the flag.
robots.txt lists a Disallow path that the crawler is never supposed to visit. That path contains the flag.
A WAF strips forbidden SQL keywords. Inject OFFSET inside reserved words (SELECT → SELOFFSETECT) so after the WAF removes OFFSET the original keyword is reconstructed, landing a UNION SELECT to dump the flag.