What exploit are these user agents trying to use?
It looks to be trying to exploit some form of command injection. As DarkMatter mentioned in his answer, this was likely a broad attempt to find any vulnerable servers, rather than targeting you specifically. The payload itself appears to just be testing to see if the server is vulnerable to command injection. It does not appear to have any additional purpose.
In order to test if you would be affected by these specific payloads, the easiest way would be to send them to your own server and see how it responds. Note that I only say this because the payloads themselves are benign; I do not recommend doing this with all payloads.
My bet is that your server is not vulnerable, because I would have expected to see follow-up requests to actually exploit your server.
It is probably nothing. It seems like the broad spam of a scanner looking across the web for any website that evaluates and returns that subtraction when it shouldn't. It is a pretty common thing to see.
The use of actual function names (e.g. print) suggests they're looking for websites that are using eval in some way (note that this could be PHP's eval(string $code), JavaScript's eval(string), and other scripting languages' equivalents).
I note that the executable code appears immediately after the first version parameter after Mozilla/. This means the authors of this attack believe that enough websites in the wild are actually using eval as a (horrible) way of parsing a two-component (major.minor) version number.
So I imagine vulnerable websites were doing something like this (pseudo-code):
var userAgent = request.headers["User-Agent"];
// The version text is taken to be everything between the first '/' and the next space
var indexOfVersion = userAgent.indexOf( '/' );
var indexOfVersionEnd = userAgent.indexOf( ' ', indexOfVersion );
var versionText = userAgent.substring( indexOfVersion + 1, indexOfVersionEnd );
var versionNumber = eval( versionText ); // <------- this is the vulnerability!
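For contrast with the pseudo-code above, here is an added example (not part of any of the original answers) that reads the major.minor version with a strict pattern instead of eval, and flags headers whose version slot is not a plain number. The names parseUaVersion and classifyUa, the 512-character limit and the sample headers are all assumptions made for illustration.

```javascript
// Added example: treat the User-Agent version as data, never as code.
// Grammar accepted: "Mozilla/" + digits + "." + digits, then whitespace or end.
const PRODUCT_VERSION = /^Mozilla\/(\d{1,4})\.(\d{1,4})(?=\s|$)/;

// Returns { major, minor } or null. Nothing from the header is executed.
function parseUaVersion(userAgent) {
  // 512 is an arbitrary cap chosen for this example
  if (typeof userAgent !== "string" || userAgent.length > 512) return null;
  const m = PRODUCT_VERSION.exec(userAgent);
  if (m === null) return null;
  return { major: Number(m[1]), minor: Number(m[2]) };
}

// Log-review helper: label a header so probes like the ones discussed
// above stand out from ordinary browser traffic.
function classifyUa(userAgent) {
  if (typeof userAgent !== "string") return "missing";
  if (!userAgent.startsWith("Mozilla/")) return "other-client";
  return parseUaVersion(userAgent) === null
    ? "suspicious-version-field"
    : "ok";
}

// Constructed sample headers (not taken from the question's logs)
const SAMPLES = [
  "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36",
  "Mozilla/9-1 (constructed probe: arithmetic in the version slot)",
  "Mozilla/print(9-1) (constructed probe: function call in the version slot)",
  "curl/8.5.0",
];

for (const ua of SAMPLES) {
  console.log(classifyUa(ua).padEnd(26), JSON.stringify(ua));
}
```

A header that fails the pattern yields null, so the application falls back to "unknown version" rather than evaluating anything.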