Metadata-Version: 1.1
Name: curlbomb
Version: 1.0.17
Summary: A personal HTTP server for serving one-time-use shell scripts
Home-page: https://github.com/EnigmaCurry/curlbomb
Author: Ryan McGuire
Author-email: ryan@enigmacurry.com
License: MIT
Description: curlbomb
        ========
        
        A personal HTTP server for serving one-time-use shell scripts.
        
        You know all those docs for cool dev tools that start out by telling you
        to install their software in one line, like this?
        
        ::
        
            bash <(curl -s http://example.com/install.sh)
        
        I call that a curl bomb... I don't know if anyone else does.
        
        This script is an HTTP server that will serve that script to a client
        exactly once and then quit. Yea, you could just use "python -m
        http.server", really this is just a bit more than that.
        
        Install
        -------
        
        This script can be installed from the `Arch User
        Repository <https://aur.archlinux.org/packages/curlbomb/>`__ (AUR):
        
        ::
        
            pacaur -S curlbomb
        
        Or from the `Python Package
        Index <https://pypi.python.org/pypi/curlbomb>`__ (PyPI):
        
        ::
        
            pip install curlbomb
        
        Example Use
        -----------
        
        Serve a script stored in a file:
        
        ::
        
            curlbomb /path/to/script
        
        This outputs a curl command to run the script on another computer:
        
        ::
        
            bash <(curl http://10.13.37.133:47601 -H "X-knock: c19fed96a78844b982053448e44060f9")
        
        The client must pass a X-knock HTTP header by default. This is for two
        reasons:
        
        -  It adds a factor of authentication. Requests without the knock are
           denied.
        -  It prevents mistakes as the knock parameter is randomly generated
           each time curlbomb is run.
        
        You can disable the knock requirement with the -k option.
        
        If you want the curl, without the bomb, ie. you just want to grab the
        script without redirecting it to bash, use --survey. This is useful for
        testing the retrieval of scripts without running them.
        
        You can also pipe scripts directly into curlbomb:
        
        ::
        
            echo "pacman --noconfirm -S openssh && systemctl start sshd" | curlbomb
        
        Or from shell scripts:
        
        ::
        
            cat <<EOF | curlbomb
            #!/bin/bash
            echo "I'm a script output from another script on another computer"
            EOF
        
        The shebang line (#!) is interpreted and automatically changes the
        curlbomb command:
        
        ::
        
            cat <<EOF | curlbomb
            #!/usr/bin/env python3
            import this
            print("Hello, from Python!")
            EOF
        
        Which outputs the following curlbomb, tailored for Python:
        
        ::
        
            /usr/bin/env python3 <(curl http://10.13.37.133:55298 -H "X-knock: 3b4bc96e29754238a30c286d1c8173c7")
        
        You can use -c to specify your own command if the shebang line is
        missing, or misidentified. "bash" is always used as a fallback.
        
        If your client doesn't have curl installed, you can switch to wget with
        -w:
        
        ::
        
            $ echo "apt-get install curl" | curlbomb -w
            Client command:
        
              bash <(wget -q -O - http://10.13.37.133:57670 --header="X-knock: 5e5568bf44624e70a7490783acee150d")
        
        By default, curlbomb serves from the local IP address. This usually
        means that clients on another network will be unable to retrieve
        anything from curlbomb, unless you have a port opened up through your
        firewall. As an alternative, curlbomb can be tunneled through SSH to
        another host that has the proper port open. For instance:
        
        ::
        
            echo "apt-get install emacs-nox" | curlbomb --ssh user@example.com:8080
        
        The above command connects to example.com over SSH (port 22 by default)
        and forwards the local curlbomb HTTP port to example.com:8080. This SSH
        tunnel is left open for as long as curlbomb remains running. Any user on
        example.com will be able to fetch the resource from localhost:8080. If
        you want anyone in the world to be able to fetch example.com:8080 you
        will need to modify the sshd\_config of the server to allow
        GatewayPorts:
        
        ::
        
            # Put this in your /etc/ssh/sshd_config and restart your ssh service:
            Gatewayports clientspecified
        
        For extra security, you can enable SSL with --ssl:
        
        ::
        
            echo "export PASSWORD=hunter2" | curlbomb -c source --ssl /path/to/cert.pem
        
        In the above example we are passing a bit of secure information, a
        password. curlbomb normally prevents access with a knock paramter, but
        the knock itself might be spied on through traffic analysis. Using SSL
        makes sure this doesn't happen. To prevent having to store the SSL
        certificate in plain text on your local machine, the file may be
        optionally PGP encrypted in an ascii-armored file. This will be
        automatically decrypted if you are running a gpg-agent.
        
        Command Line Args
        -----------------
        
        ::
        
            usage: curlbomb [-h] [-k] [-n NUM_GETS] [-p PORT] [-q] [-c COMMAND] [-w]
                            [--ssh SSH_FORWARD] [--ssl CERTIFICATE]
                            [--mime-type MIME_TYPE] [--survey]
                            [FILE]
        
        ``-k`` Don't require a X-knock HTTP header from the client. Normally
        curlbombs are one-time-use and meant to be copy-pasted from terminal to
        terminal. If you're embedding into a script, you may not know the knock
        parameter ahead of time and so this disables that. This is inherently
        less secure than the default.
        
        ``-n NUM_GETS`` The maximum number of times the script may be fetched by
        clients, defaults to 1. Increasing this may be useful in certain
        circumstances, but please note that the same knock parameter is used for
        all requests so this is inherently less secure than the default.
        
        ``-p PORT`` The local TCP number to use
        
        ``-q`` Be quiet. Don't print the curlbomb.
        
        ``-c COMMAND`` Force the curlbomb shell command. By default, this is
        autodected from the first line of the script, called the shebang (#!).
        If none can be detected, and one is not provided, the fallback of "bash"
        is used.
        
        ``--survey`` Only print the curl (or wget) command. Don't redirect to a
        shell command. Useful for testing out script retrieval without running
        them.
        
        ``-w`` Print wget syntax rather than curl syntax. Useful in the case
        where the client doesn't have curl installed.
        
        ``--ssh SSH_FORWARD`` Forwards the curlbomb server to a remote port of
        another computer through SSH. This is useful to serve curlbombs to
        clients on another network without opening up any ports to the machine
        running curlbomb. The syntax for SSH\_FORWARD is
        [user@]host[:ssh\_port][:http\_port].
        
        ``--ssl CERTIFICATE`` Full server to client http encryption using SSL.
        Give the full path to your SSL certificate, optionally PGP
        (ascii-armored) encrypted.
        
        ``--mime-type MIME_TYPE`` The mime-type header to send, by default
        "text/plain"
        
        ``FILE`` The script or other resource to serve via curlbomb. You can
        also not specify this and the resource will be read from stdin.
        
Platform: UNKNOWN
Classifier: Development Status :: 4 - Beta
Classifier: Topic :: Utilities
Classifier: License :: OSI Approved :: MIT License
