Whitehat Contest 2021

Imageflare : <?= shell_exec('ls') ?>
Mudbox : Anything you can do; the intention was an open_basedir bypass.
BitTrader : Heavy-query Blind SQLi
Imageflare 2.0 : SSRF using readfile(), or a real IP leak behind Cloudflare