Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2098

To use this exploit script, you need three parameters. 1. The web page URL of the vulnerable web-server. 2. The vulnerable parameter that might inject commands. 3. A shell command to execute in the remote server.

After succesfully executing the exploit, you'll be able to read the output of your command, somewhere in the response page, like below:

I am not the author of the vulnerability.

I am the author of this exploit program written in Golang.

If you decide to use it or modify it in any way, please don't strip the credits from it.