Updated rails_secret_deserialization to add '.' regex for cookie matching.

treburn · treburn · commit 59c7de671edc · 2017-03-16T10:45:43.000-05:00
diff --git a/modules/exploits/multi/http/rails_secret_deserialization.rb b/modules/exploits/multi/http/rails_secret_deserialization.rb
@@ -235,7 +235,7 @@ def exploit
       'method' => datastore['HTTP_METHOD'],
     }, 25)
     if res && !res.get_cookies.empty?
-      match = res.get_cookies.match(/([_A-Za-z0-9]+)=([A-Za-z0-9%]*)--([0-9A-Fa-f]+);/)
+      match = res.get_cookies.match(/([._A-Za-z0-9]+)=([A-Za-z0-9%]*)--([0-9A-Fa-f]+);/)
     end
 
     if match
