Skip to main content

A personal HTTP server for serving one-time-use shell scripts

Project description

A personal HTTP server for serving one-time-use shell scripts.

You know all those docs for cool dev tools that start out by telling you to install their software in one line, like this?

bash <(curl -s http://example.com/install.sh)

I call that a curl bomb… I don’t know if anyone else does.

This script is an HTTP server that will serve that script to a client exactly once and then quit. Yea, you could just use “python -m http.server”, really this is just a bit more than that.

Example Use

Serve a script stored in a file:

curlbomb /path/to/script

This outputs a curl command to run the script on another computer:

bash <(curl http://10.13.37.133:47601 -H "X-knock: c19fed96a78844b982053448e44060f9")

You can also get the curl without the bomb by specifying –survey. This outputs just the inner curl command, which is useful for testing.

You can pipe scripts to stdin:

echo "pacman --noconfirm -S openssh && systemctl start sshd" | curlbomb

Or from shell scripts:

cat <<EOF | curlbomb
#!/bin/bash
echo "I'm a script output from another script on another computer"
EOF

The shebang line is interpreted and automatically changes the curlbomb command:

cat <<EOF | curlbomb
#!/usr/bin/env python3
import this
print("Hello, from Python!")
EOF

Which outputs the following curlbomb, tailored for Python:

/usr/bin/env python3 <(curl http://10.13.37.133:55298 -H "X-knock: 3b4bc96e29754238a30c286d1c8173c7")

You can switch to wget with -w:

$ echo "apt-get install curl" | curlbomb -w
Client command:

  bash <(wget -q -O - http://10.13.37.133:57670 --header="X-knock: 5e5568bf44624e70a7490783acee150d")

You can tunnel the curlbomb server through another host with –ssh:

echo "apt-get install emacs-nox" | curlbomb --ssh user@example.com:8080

The above command connects to example.com and forwards the curlbomb HTTP port to example.com:8080. Users on example.com will be able to fetch the resource from localhost:8080. If you want anyone in the world to be able to fetch example.com:8080 you will need to modify the sshd_config of the server to allow GatewayPorts:

# Put this in your /etc/ssh/sshd_config and restart your ssh service:
Gatewayports clientspecified

Command Line Args

usage: curlbomb.py [-h] [-k] [-n NUM_GETS] [-p PORT] [-q] [-c COMMAND] [-w]
                   [--ssh SSH_FORWARD] [--ssl CERTIFICATE]
                   [--mime-type MIME_TYPE] [--survey]
                   [FILE]

curlbomb

positional arguments:
  FILE                  File to serve (or don't specify for stdin)

optional arguments:
  -h, --help            show this help message and exit
  -k, --disable-knock   Don't require authentication (no X-knock header)
  -n NUM_GETS           Number of times to serve resource (default:1)
  -p PORT               TCP port number to use (default:random)
  -q                    Be quiet
  -c COMMAND            The the shell command to curlbomb into (default is to
                        detect #!interpreter)
  -w                    Output wget command rather than curl
  --ssh SSH_FORWARD     Forward curlbomb through another host via SSH -
                        [user@]host[:ssh_port][:http_port]
  --ssl CERTIFICATE     Use SSL with the given certificate
  --mime-type MIME_TYPE
                        The content type to serve
  --survey              Just a survey mission, no bomb run

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

curlbomb-1.0.12.tar.gz (9.1 kB view details)

Uploaded Source

File details

Details for the file curlbomb-1.0.12.tar.gz.

File metadata

  • Download URL: curlbomb-1.0.12.tar.gz
  • Upload date:
  • Size: 9.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No

File hashes

Hashes for curlbomb-1.0.12.tar.gz
Algorithm Hash digest
SHA256 9e1369efa16eb87b7d6223bf987b54b72f5155d74bd63420feab0a6eaad97d58
MD5 d7df9d9b6475cf6f40972e4a573cf3cf
BLAKE2b-256 f5544b87f27dee5028ebc7b953d2b275c8b8d0a0be5bc1ba3ad053fc815d3bad

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page