Information

Compiled with the virtual table module FTS3, iOS’s SQLite3 exposes the function fts3_tokenizer().
Called with a name of registered tokenizer, fts3_tokenizer() return the address of the tokenizer module in memory.

Dump:

dump

PoC:

SELECT hex(fts3_tokenizer(‘simple’));


References:
https://support.apple.com/en-us/HT210118
https://support.apple.com/en-us/HT210119
https://research.checkpoint.com/select-code_execution-from-using-sqlite/