I'm sorry I just saw this, but the idea is that sh will read as it executes so you can detect it passively. If you make it `sleep 1` you can detect on the server side that your call to send() hangs until sh proceeds, for the same duration as the sleep. You need to put enough content to make the TCP buffers fill up, but that can be done with all those function definitions that you tend to see in those scripts anyway.
Or the script could also signal through an active mechanism, a different innocuous-looking HTTP request that makes the server switch the content to a malicious payload if it happens at the same time.
Or the script could also signal through an active mechanism, a different innocuous-looking HTTP request that makes the server switch the content to a malicious payload if it happens at the same time.