Metadata-Version: 1.1
Name: curlbomb
Version: 1.1.0
Summary: curlbomb is an HTTP server for serving one-time-use shell scripts
Home-page: https://github.com/EnigmaCurry/curlbomb
Author: Ryan McGuire
Author-email: ryan@enigmacurry.com
License: MIT
Description: curlbomb
        ========
        
        curlbomb is an HTTP server for serving one-time-use shell scripts
        
        You know all those docs for cool dev tools that start out by telling you
        to install their software in one line, like this?
        
        ::
        
            bash <(curl -s http://example.com/install.sh)
        
        I call that a curl bomb... I don't know if anyone else does.
        
        This script is an HTTP server that will serve that script to a client
        exactly once and then quit. Yea, you could just use "python -m
        http.server", really this is just a bit more than that.
        
        Install
        -------
        
        This script can be installed from the `Arch User
        Repository <https://aur.archlinux.org/packages/curlbomb/>`__ (AUR):
        
        ::
        
            pacaur -S curlbomb
        
        Or from the `Python Package
        Index <https://pypi.python.org/pypi/curlbomb>`__ (PyPI):
        
        ::
        
            pip install curlbomb
        
        Example Use
        -----------
        
        Serve a script stored in a file:
        
        ::
        
            curlbomb /path/to/script
        
        This outputs a curl command to run the script on another computer:
        
        ::
        
            KNOCK='nDnXXp8jkZKtbush' bash <(curl -LSs http://10.13.37.133:48690)
        
        By default, the client must pass a KNOCK variable that is passed in the
        HTTP headers. This is for two reasons:
        
        -  It adds a factor of authentication. Requests without the knock are
           denied.
        -  It prevents mistakes as the knock parameter is randomly generated
           each time curlbomb is run.
        
        You can disable the knock requirement with the -k option.
        
        If you want the curl, without the bomb, ie. you just want to grab the
        script without redirecting it to bash, use --survey. This is useful for
        testing the retrieval of scripts without running them.
        
        You can also pipe scripts directly into curlbomb:
        
        ::
        
            echo "pacman --noconfirm -S openssh && systemctl start sshd" | curlbomb
        
        Or from shell scripts:
        
        ::
        
            cat <<EOF | curlbomb
            #!/bin/bash
            echo "I'm a script output from another script on another computer"
            EOF
        
        The shebang line (#!) is interpreted and automatically changes the
        interpreter the client runs:
        
        ::
        
            cat <<EOF | curlbomb
            #!/usr/bin/env python3
            import this
            print("Hello, from Python!")
            EOF
        
        If your client doesn't have curl installed, you can switch to wget with
        -w:
        
        ::
        
            echo "apt-get install curl" | curlbomb -w
        
        By default, curlbomb serves from the IP address of the local machine.
        This usually means that clients on another network will be unable to
        retrieve anything from curlbomb, unless you have a port opened up
        through your firewall. As an alternative, curlbomb can be tunneled
        through SSH to another host that has the proper port open. For instance:
        
        ::
        
            echo "apt-get install emacs-nox" | curlbomb --ssh user@example.com:8080
        
        The above command connects to example.com over SSH (port 22 by default)
        and forwards the local curlbomb HTTP port to example.com:8080. This SSH
        tunnel is left open for as long as curlbomb remains running. Any user on
        example.com will be able to fetch the resource from localhost:8080. If
        you want anyone in the world to be able to fetch example.com:8080 you
        will need to modify the sshd\_config of the server to allow
        GatewayPorts:
        
        ::
        
            # Put this in your /etc/ssh/sshd_config and restart your ssh service:
            Gatewayports clientspecified
        
        For extra security, you can enable SSL with --ssl:
        
        ::
        
            echo "export PASSWORD=hunter2" | curlbomb -c source --ssl /path/to/cert.pem
        
        In the above example we are passing a bit of secure information, a
        password. curlbomb normally prevents access with a knock paramter, and
        for most circumstances this is sufficient, as curlbombs can only be
        retrieved once (-n 1). But the connection itself might be spied on
        through traffic analysis at your ISP or any other router your connection
        flows through. Using SSL makes sure this doesn't happen. To prevent
        having to store the SSL certificate in plain text on your local machine,
        the file may be optionally PGP encrypted in an ascii-armored file. This
        will be automatically decrypted if you are running a gpg-agent.
        
        Command Line Args
        -----------------
        
        ::
        
            usage: curlbomb.py [-h] [-k] [-n N] [-p PORT] [-c CMD] [-w] [-l] [-q] [-v]
                               [--ssh SSH_FORWARD] [--ssl CERTIFICATE] [--survey]
                               [--unwrapped] [--disable-postback] [--client-logging]
                               [--mime-type MIME_TYPE] [--version]
                               [FILE]
        
        ``-k, --disable-knock`` Don't require a X-knock HTTP header from the
        client. Normally curlbombs are one-time-use and meant to be copy-pasted
        from terminal to terminal. If you're embedding into a script, you may
        not know the knock parameter ahead of time and so this disables that.
        This is inherently less secure than the default.
        
        ``-n N, --num-gets N`` The maximum number of times the script may be
        fetched by clients, defaults to 1. Increasing this may be useful in
        certain circumstances, but please note that the same knock parameter is
        used for all requests so this is inherently less secure than the
        default.
        
        ``-p PORT`` The local TCP port number to use
        
        ``-c COMMAND`` Force the curlbomb shell command. By default, this is
        autodected from the first line of the script, called the shebang (#!).
        If none can be detected, and one is not provided, the fallback of "bash"
        is used. Note that curlbomb wraps scripts inside of bash, even with -c
        specified, so the client command will still show it as running in bash.
        The wrapped script will use the interpreter specified. See --unwrapped
        to change this behaviour.
        
        ``-w, --wget`` Print wget syntax rather than curl syntax. Useful in the
        case where the client doesn't have curl installed.
        
        ``-l, --log-posts`` Log the client output from the curlbomb server.
        
        ``-q, --quiet`` Be more quiet. Don't print the client curlbomb command.
        
        ``-v, --verbose`` Be more verbose. Turns off --quiet, enables
        --log-posts, and enables INFO level logging within curlbomb.
        
        ``--ssh SSH_FORWARD`` Forwards the curlbomb server to a remote port of
        another computer through SSH. This is useful to serve curlbombs to
        clients on another network without opening up any ports to the machine
        running curlbomb. The syntax for SSH\_FORWARD is
        [user@]host[:ssh\_port][:http\_port].
        
        ``--ssl CERTIFICATE`` Full server to client http encryption using SSL.
        Give the full path to your SSL certificate, optionally PGP
        (ascii-armored) encrypted. The file should contain the entire
        certificate chain, including the CA certificate, if any.
        
        ``--survey`` Only print the curl (or wget) command. Don't redirect to a
        shell command. Useful for testing out script retrieval without running
        them.
        
        ``--unwrapped`` output the full curlbomb command, including all the
        boilerplate that curlbomb normally wraps inside of a nested curlbomb.
        
        This parameter is useful when you want to source variables into your
        current shell:
        
        ::
        
            echo "export PATH=/asdf/bin:$PATH" | curlbomb -c source --unwrapped --disable-postback
        
        Without the --unwrapped option, the client command will not run the
        'source' command directly, but instead a bash script with a 'source'
        inside it. This won't work for sourcing environment variables in your
        shell, so use --unwrapped when you want to use source.
        --disable-postback prevents the command from being piped back to the
        server (as source doesn't have any output.)
        
        ``--disable-postback`` Disables sending client output to the server.
        Note that --log-posts will have no effect with this enabled.
        
        ``--client-logging`` Logs all client output locally on the client to a
        file called curlbomb.log
        
        ``--mime-type MIME_TYPE`` The mime-type header to send, by default
        "text/plain"
        
        ``--version`` Print the curlbomb version
        
        ``FILE`` The script or other resource to serve via curlbomb. You can
        also not specify this and the resource will be read from stdin.
        
Platform: UNKNOWN
Classifier: Development Status :: 4 - Beta
Classifier: Topic :: Utilities
Classifier: License :: OSI Approved :: MIT License
