Strengthen Grav CMS fingerprinting with strict HTML parsing

nakkouchtarek · nakkouchtarek · commit d17dc184bf34 · 2025-12-07T17:14:35.000+01:00
diff --git a/modules/exploits/multi/http/grav_twig_ssti_sandbox_bypass_rce.rb b/modules/exploits/multi/http/grav_twig_ssti_sandbox_bypass_rce.rb
@@ -84,9 +84,14 @@ def check
     )
     return CheckCode::Unknown('Connection failed') unless res
 
-    unless res.body.include?('Grav') || res.body.include?('grav')
-      return CheckCode::Safe('Target is not a Grav CMS installation')
-    end
+    html = res.get_html_document
+    return CheckCode::Unknown('Could not parse HTML') unless html
+
+    # First, verify this is a Grav installation
+    return CheckCode::Safe('Target does not appear to be a Grav installation') unless grav_installation?(html)
+
+    # Then verify we have access to the login form
+    return CheckCode::Detected('Grav detected but login form not accessible') unless login_form_present?(html)
 
     version_str = get_version_after_login
     unless version_str
@@ -120,6 +125,26 @@ def exploit
 
   private
 
+  def grav_installation?(html)
+    # Check for Grav-specific data attributes
+    grav_checks = [
+      html.at('//*[@data-gpm-grav]'),
+      html.at('//*[@data-grav-field]'),
+      html.at('//*[@data-grav-disabled]'),
+      html.at('//*[@data-grav-default]')
+    ]
+
+    grav_checks.count { |elem| !elem.nil? } >= 2
+  end
+
+  def login_form_present?(html)
+    # Check for the specific login form inputs we need
+    username_input = html.at('input[@name="data[username]"]')
+    password_input = html.at('input[@name="data[password]"]')
+
+    username_input && password_input
+  end
+
   def get_version_after_login
     result = authenticate
     return nil unless result == :success || result == :already_authenticated
