Version 5.4
analysis
Arbitrary SQL statement execution
framework/api/call_control.php::index_f
This time there is one more format function than in the 5.3 version. In simple terms, it is a very crude string replacement. The deserialized data cannot be passed in directly, because deserialization requires double quotes.
framework/phpok_tpl_helper.php::phpok
$GLOBALS['app']->call->phpok($id,$ext) is phpok_call.php::phpok()
framework/phpok_call.php::phpok
$rs is completely controllable, so you can control $func,
but there is a limitation: we now know that all functions in this class whose names start with _ can be called. This time we use _sql.
framework/phpok_call.php::_sql
Escaping is removed here.
framework/engine/db/mysqli.php::get_all
You can see that $rs['sqlinfo'] is passed directly to query.
framework/engine/db/mysqli.php::query
Any SQL statement can be executed.
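The two weaknesses described above are a name-based dispatcher that reaches every _-prefixed method from caller-controlled data, and an _sql method that hands its argument to the driver unescaped. The following is an added illustration of the hardened shape, not PHPOK's own code: the class and method names, the allowlists and the sqlite table are assumptions for the demo.

```php
<?php
// Added example (not from PHPOK): dispatch only through an explicit allowlist,
// and never accept free-form SQL from the request; callers choose a named
// statement and may only supply bound parameter values.
class SafeCall
{
    private \PDO $db;

    // Only names listed here are reachable from $rs['func'] (hypothetical keys).
    private const ALLOWED = ['sql' => '_sql'];

    // Named statements with placeholders; the text itself is never caller-supplied.
    private const STATEMENTS = [
        'fields_by_project' => 'SELECT id, title FROM fields WHERE project_id = :project_id',
    ];

    public function __construct(\PDO $db) { $this->db = $db; }

    public function phpok(array $rs): array
    {
        $name = $rs['func'] ?? '';
        if (!isset(self::ALLOWED[$name])) {
            throw new \InvalidArgumentException('unknown call: ' . $name);
        }
        $method = self::ALLOWED[$name];
        return $this->$method($rs);
    }

    // Hardened _sql: $rs['sqlinfo'] selects a statement key, not SQL text.
    private function _sql(array $rs): array
    {
        $key = $rs['sqlinfo'] ?? '';
        if (!isset(self::STATEMENTS[$key])) {
            throw new \InvalidArgumentException('unknown statement: ' . $key);
        }
        $stmt = $this->db->prepare(self::STATEMENTS[$key]);
        $stmt->execute(['project_id' => (int)($rs['project_id'] ?? 0)]);
        return $stmt->fetchAll(\PDO::FETCH_ASSOC);
    }
}

// Constructed sample data in an in-memory sqlite database.
$db = new \PDO('sqlite::memory:');
$db->exec('CREATE TABLE fields (id INTEGER, project_id INTEGER, title TEXT)');
$db->exec("INSERT INTO fields VALUES (1, 7, 'demo field')");
$call = new SafeCall($db);
print_r($call->phpok(['func' => 'sql', 'sqlinfo' => 'fields_by_project', 'project_id' => 7]));
// A request carrying raw SQL, or naming a method outside the allowlist, is rejected.
try { $call->phpok(['func' => 'sql', 'sqlinfo' => 'SELECT * FROM fields']); }
catch (\InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
try { $call->phpok(['func' => '_fields']); }
catch (\InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
```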
Deserialization
Here it is the same as last time; only the deserialization trigger point is in _fields.
framework/phpok_call.php::_fields
framework/model/project.php::project_one
framework/model/module.php::fields_all
Just use any of the above statements to insert the deserialized data into the $this->db->prefix."fields" table.
poc