From fdf7149438ce1aa2f150c34892c5308446600bdc Mon Sep 17 00:00:00 2001
From: james
Date: Sat, 2 Sep 2017 22:12:56 -0500
Subject: [PATCH] Add support for multi-site wp instances in wp_admin_shell_upload

This change allows for redirects to be followed in wordpress_helper_get_plugin_upload_nonce
Redirect is from: /wp-admin/plugin-install.php to /wp-admin/network/plugin-install.php
---
 lib/msf/core/exploit/http/wordpress/helpers.rb | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/lib/msf/core/exploit/http/wordpress/helpers.rb b/lib/msf/core/exploit/http/wordpress/helpers.rb
index 206b0364c7..d667ff0ebc 100644
--- a/lib/msf/core/exploit/http/wordpress/helpers.rb
+++ b/lib/msf/core/exploit/http/wordpress/helpers.rb
@@ -123,8 +123,8 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers
 #
 # @param cookie [String] A valid admin session cookie
 # @return [String,nil] The nonce, nil on error
- def wordpress_helper_get_plugin_upload_nonce(cookie)
- uri = normalize_uri(wordpress_url_backend, 'plugin-install.php')
+ def wordpress_helper_get_plugin_upload_nonce(cookie, path = nil)
+ uri = path || normalize_uri(wordpress_url_backend, 'plugin-install.php')
 options = {
 'method' => 'GET',
 'uri' => uri,
@@ -134,6 +134,9 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers
 res = send_request_cgi(options)
 if res && res.code == 200
 return res.body.to_s[/id="_wpnonce" name="_wpnonce" value="([a-z0-9]+)"/i, 1]
+ elsif res && res.redirect? && res.redirection
+ path = wordpress_helper_parse_location_header(res)
+ return wordpress_helper_get_plugin_upload_nonce(cookie, path)
 end
 end
 end
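Review bot: The YARD comment above the changed signature in the first hunk documents only `cookie`, so the new optional `path` argument is undocumented; add `# @param path [String,nil] Path to request instead of plugin-install.php under the backend URL; set when following a redirect`. A supplied `path` is used as the request URI as-is, while the default goes through `normalize_uri`, and the same comment should say so. The method body continues past the end of this hunk.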
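Review bot: The new `elsif` branch in the second hunk calls the method again on every redirect with no limit, so a target that keeps redirecting recurses until the stack is exhausted instead of returning nil as the `@return` line promises. Bound it with a counter: `def wordpress_helper_get_plugin_upload_nonce(cookie, path = nil, redirects_left = 3)`, `elsif res && res.redirect? && res.redirection && redirects_left > 0`, and `return wordpress_helper_get_plugin_upload_nonce(cookie, path, redirects_left - 1)`. `wordpress_helper_parse_location_header` is not shown here; if it can return nil, `path ||` falls back to the default URI and the same request is repeated, so a nil check before recursing is worth adding too. The admin cookie is resent to whatever path the Location header yields, which presumably stays on the configured host, but that should be confirmed against the helper.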