I noticed in framework/phpok_call.php::_format_ext_all has an unserialize
and in phpok 5.4 has already fixed something
just like this
https://www.anquanke.com/post/id/194453#h2-5
but in
/framework/phpok_call.php I noticed I found a parse_str
$rs we can control so we just need to use double urlencoded can bypass it but noticed this
I noticed in framework/phpok_call.php::_format_ext_all has an unserialize and in phpok 5.4 has already fixed something just like this https://www.anquanke.com/post/id/194453#h2-5
but in /framework/phpok_call.php I noticed I found a parse_str
$rs we can control so we just need to use double urlencoded can bypass it but noticed this
alias we can use weak compared to bypass
and we can write a pop chain use rot13 bypass
final payload:
and we can get a webshell in /_cache/1.php