PHPOK Version 5.3.147
poc
analysis
framework/api/call_control.php::index_f
The front end can pass data in JSON format. After decoding, the controllable data is assigned to $tmpValue, then enters the phpok function
framework/phpok_tpl_helper.php::phpok
$GLOBALS['app']->call->phpok($id,$ext) is phpok_call.php::phpok()
framework/phpok_call.php::phpok
$rs is completely controllable, so you can control the $func, but there is a limitation
dump $this->mlist
Now we know all functions starting with _ in this class can be called, and I found the _format_ext_all function is vulnerable
framework/phpok_call.php::_format_ext_all
If you can control $value['content'], it will lead to a deserialization vulnerability. $value comes from $rslist, $rslist from $call_rs, and $call_rs from the data we passed in
popchain
framework/engine/cache.php::__destruct
framework/engine/cache.php::save
$this->folder is controllable, so we can use php://filter/write=string.rot13/resource= to bypass exit();
result
shell.php
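
The two sinks described above, the deserialization of $value['content'] and the cache save() that writes to a controllable $this->folder, can be closed as in this added PHP sketch. It is not PHPOK's code: DemoCache, decode_ext_content and safe_cache_folder are hypothetical stand-ins, and it assumes PHP 7.1 or later.

```php
<?php
// Added example with stand-in names; not PHPOK source. Assumes PHP >= 7.1.
// Stand-in for a class whose destructor has a side effect (like a cache flush).
final class DemoCache
{
    public $folder = '';
    public static $destructed = 0;
    public function __destruct() { self::$destructed++; } // demo: count only
}

// Decode stored content without instantiating any application class.
function decode_ext_content(string $raw)
{
    // allowed_classes=false maps every serialized object to
    // __PHP_Incomplete_Class, so no magic method of a real class can run.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if ($data === false && $raw !== serialize(false)) { return null; }
    // Refuse payloads that carried an object anywhere in the structure.
    $stack = [$data];
    while ($stack) {
        $item = array_pop($stack);
        if (is_object($item) || $item instanceof __PHP_Incomplete_Class) {
            return null;
        }
        foreach ((is_array($item) ? $item : []) as $v) { $stack[] = $v; }
    }
    return $data;
}

// Accept a cache directory only if it is a real local path under $base.
function safe_cache_folder(string $folder, string $base): ?string
{
    if (strpos($folder, '://') !== false) {
        return null; // stream wrappers such as php://filter are never a folder
    }
    $real = realpath($folder);
    $root = realpath($base);
    if ($real === false || $root === false) { return null; }
    $inside = strpos($real . DIRECTORY_SEPARATOR, $root . DIRECTORY_SEPARATOR) === 0;
    return $inside ? $real : null;
}

// Constructed sample input, built locally for the demonstration.
$raw = serialize(['content' => new DemoCache()]);
$before = DemoCache::$destructed;
var_dump(decode_ext_content($raw), DemoCache::$destructed === $before);
var_dump(safe_cache_folder('php://filter/write=string.rot13/resource=', sys_get_temp_dir()));
```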