apache 2.4 log php command 200 success, but what is it doing? POST /?q=die('z!a'.'x'); etc

Tim asked:

Im running a centOS 7.x VPS with apache 2.4.29 and php 7.0.28 and I started seeing the following in my logs. I have php.ini secured as best as I can from articles online for a while now, but Im wondering why Im seeing an HTTP status code of 200 success when they do the following and wondering what is it doing and how to prevent it? As best as I can tell die() is the equivalent of exit(). Is this a known older buffer overflow exploit?

bottom line though is why is it returning success and what damage did it do?

Thanks in advance!

[18/Mar/2018:09:57:21 +0000] "POST /?q=die('z!a'.'x');&w=die('z!a'.'x');&e=die('z!a'.'x');&r=die('z!a'.'x');&t=die('z!a'.'x');&y=die('z!a'.'x');&u=die('z!a'.'x');&i=die('z!a'.'x');&o=die('z!a'.'x');&p=die('z!a'.'x');&a=die('z!a'.'x');&s=die('z!a'.'x');&d=die('z!a'.'x');&f=die('z!a'.'x');&g=die('z!a'.'x');&h=die('z!a'.'x');&j=die('z!a'.'x');&k=die('z!a'.'x');&l=die('z!a'.'x');&z=die('z!a'.'x');&x=die('z!a'.'x');&c=die('z!a'.'x');&v=die('z!a'.'x');&b=die('z!a'.'x');&n=die('z!a'.'x');&m=die('z!a'.'x');&eval=die('z!a'.'x');&enter=die('z!a'.'x'); HTTP/1.1" 200 3564

My answer:

This is a blind probe for PHP web application vulnerabilities. If you have a PHP web application which somehow executes code from untrusted input, from any of the query parameters given, then the script will die and print z!ax in the web page output.

If this happens, then the prober will come back later (maybe seconds later) to exploit the vulnerability for real.

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.