Tags: web 

Rating: 5.0

TL;DR:

1. Bypass the filter for `eval("return $_")` with the `~` (bitwise NOT) operator.
2. Abuse PHP's use of FindFirstFile on Windows to read `c<<`, which resolves to `config.php`.
3. Exploit a blind, time-based SQL injection through SSRF, using sqlmap and a customized Gopherus.
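On the defending side of step 2, this added example (not code from the original writeup) shows a file-name check that leaves nothing for Windows to expand: PHP file functions on Windows hand the path to FindFirstFile, where `<`, `>` and `"` act as wildcards, which is why `c<<` can match `config.php`. The helper name `resolve_user_file`, the base directory and the allowlist are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the writeup): turn a user-supplied file name
// into a path only if it is a literal, allowlisted name.
function resolve_user_file(string $name, string $baseDir, array $allowed): ?string
{
    // Reject the characters Windows treats as wildcards in FindFirstFile
    // ('<', '>', '"', '*', '?'), plus path separators, ':' (drive letters and
    // alternate data streams) and NUL.
    if ($name === '' || preg_match('#[<>"*?/\\\\:\x00]#', $name) === 1) {
        return null;
    }
    // Windows drops trailing dots and spaces when it opens a file, so
    // "about.html." would otherwise reach the same file as "about.html".
    if (rtrim($name, ". ") !== $name) {
        return null;
    }
    // Exact, case-sensitive allowlist match: the file system never gets a
    // pattern to expand or a name to normalise.
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    return rtrim($baseDir, "/\\") . DIRECTORY_SEPARATOR . $name;
}

// Constructed sample inputs, including the pattern from step 2.
$allowed = ['index.html', 'about.html'];
$inputs  = ['about.html', 'c<<', 'config.php', 'about.html.', '..\\config.php'];

foreach ($inputs as $input) {
    $path = resolve_user_file($input, 'C:\\inetpub\\pages', $allowed);
    printf("%-16s => %s\n", $input, $path ?? 'rejected');
}
```

Only `about.html` resolves to a path; the wildcard pattern, the non-allowlisted `config.php`, the trailing-dot variant and the traversal attempt are all rejected before any file-system call is made.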