Ruby gems like Escape and Cocaine escape shell commands to avoid command injection by wrapping each argument in single quotes (''). For example, from the documentation:

From Escape (http://rubygems.org/gems/escape):

  require 'escape'
  Escape.shell_command(["echo", "*"]) #=> #<Escape::ShellEscaped: echo '*'>

From Cocaine (http://rubydoc.info/gems/cocaine/0.5.1/frames):

  line = Cocaine::CommandLine.new("cat", ":file")
  line.command(:file => "haha`rm -rf /`.txt")
  # => "cat 'haha`rm -rf /`.txt'"

The quoting stops the shell from interpreting metacharacters such as the backticks, but the quoted string still reaches the program as an ordinary argument, and the program's own option parser never sees the quotes. So if we upload a file with the name \--input some_local_server_filename, the application could end up processing a file on the server instead of the file we uploaded.

I haven't tested this in a PoC yet, only on the Ruby command line (pry/irb). Maybe test file uploads with Burp Suite and modify the filename in transit?

'\--input some_local_server' is treated as a filename, not as an argument. All we can get back is usage information.

Larry W. Cashdollar 6/14/2013
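Added example, not code from the page or from the Escape or Cocaine gems: a stand-alone reproduction of the single-quote escaping those gems perform, run against the page's constructed filenames, showing that the shell sees one literal word (so the backticks are never executed) while a name beginning with "--" still reaches the program as something its option parser will try to interpret. The `--` end-of-options marker in build_command_safe is the usual fix. It assumes cat as the target program; the three sample filenames and the third `--input=...` variant are constructed here, and option_injection? is a hypothetical helper for checking argv.

```ruby
require 'shellwords'
require 'open3'

# Constructed sample filenames, the kind a user could supply in an upload.
SHELL_INJECTION_NAME  = "haha`rm -rf /`.txt"
OPTION_INJECTION_NAME = "--input some_local_server_filename"
OPTION_EQUALS_NAME    = "--input=some_local_server_filename"

# Single-quote an argument the way Escape and Cocaine do: the shell then
# treats it as one literal word, and an embedded ' becomes '\'' .
def shell_escape(arg)
  "'" + arg.gsub("'") { "'\\''" } + "'"
end

# Cocaine-style command line: program plus one quoted user argument.
def build_command(program, filename)
  "#{program} #{shell_escape(filename)}"
end

# Hardened form: "--" before the user-controlled argument tells getopt-style
# parsers that everything after it is positional, even if it starts with "-".
def build_command_safe(program, filename)
  "#{program} -- #{shell_escape(filename)}"
end

# Parse a command string the way /bin/sh would and return argv.
def argv_for(command)
  Shellwords.split(command)
end

# True when an argument after the program name would be read as an option:
# it begins with "-" and no "--" terminator precedes it.
def option_injection?(argv)
  argv.drop(1).each do |arg|
    return false if arg == "--"
    return true if arg.start_with?("-")
  end
  false
end

# Run argv directly (no shell) and return [stdout, stderr, exit status].
def run(argv)
  out, err, status = Open3.capture3(*argv)
  [out, err, status.exitstatus]
end

if __FILE__ == $PROGRAM_NAME
  [SHELL_INJECTION_NAME, OPTION_INJECTION_NAME, OPTION_EQUALS_NAME].each do |name|
    cmd  = build_command("cat", name)
    argv = argv_for(cmd)
    puts "command: #{cmd}"
    puts "  argv:             #{argv.inspect}"
    puts "  option injection? #{option_injection?(argv)}"
    begin
      _out, err, rc = run(argv)
      puts "  cat exit #{rc}: #{err.lines.first.to_s.strip}"
    rescue Errno::ENOENT
      puts "  (cat is not available here)"
    end
    safe = argv_for(build_command_safe("cat", name))
    puts "  with --:          #{safe.inspect} -> option injection? #{option_injection?(safe)}"
  end
end
```

Running it shows why the pry/irb test only produced a usage message: cat receives `--input some_local_server_filename` as a single argv entry, and a getopt_long-style parser does not split on the space, so it is an unrecognized option rather than `--input` with a value. The `--input=...` spelling has no space and is exactly the form long-option parsers accept, which is the variant worth trying against a program that actually has such an option. Programs that do not honour `--` still exist, so the safer design is to never hand a user-chosen name to the command at all: store the upload under a server-generated name, or at least prefix the name with `./` so it can never begin with a dash.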