Fix rapid7#7022, Failing to find wpnonce in fetch_ninja_form_nonce

wchen-r7 · wchen-r7 · commit e2b9225907e4 · 2016-06-30T11:15:38.000-05:00
This patch fixes a problem when the module is used against an older version of ninja forms (such as 2.9.27), the nonce is found in a hidden input instead of the JavaScript code, which actually causes an undefined method 'gsub' bug in the module. Fix rapid7#7022
diff --git a/modules/exploits/unix/webapp/wp_ninja_forms_unauthenticated_file_upload.rb b/modules/exploits/unix/webapp/wp_ninja_forms_unauthenticated_file_upload.rb
@@ -105,8 +105,13 @@ def fetch_ninja_form_nonce
       'uri'    => uri
     )
 
-    fail_with Failure::UnexpectedReply, 'Failed to acquire a nonce' unless res && res.code == 200
-    res.body[/var nfFrontEnd = \{"ajaxNonce":"([a-zA-Z0-9]+)"/i, 1]
+    unless res && res.code == 200
+      fail_with Failure::UnexpectedReply, "Unable to access FORM_PATH: #{datastore['FORM_PATH']}"
+    end
+
+    form_wpnonce = res.get_hidden_inputs.first['_wpnonce']
+
+    res.body[/var nfFrontEnd = \{"ajaxNonce":"([a-zA-Z0-9]+)"/i, 1] || form_wpnonce
   end
 
   def upload_payload(data)
