Last active
May 14, 2020 08:27
-
-
Save Firesphere/bcbfc6f90128b47a87cd5d31db9a2d4f to your computer and use it in GitHub Desktop.
What alignment type is this?
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| RewriteEngine On | |
| RewriteCond %{REQUEST_URI} !^wp-admin.php | |
| # Anything that has "wp-" in its request, will be send to the bomb | |
| RewriteRule ^(.*)wp-(.*)$ wp-admin.php [L] | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Generate a gzip bomb: | |
| dd if=/dev/zero bs=1M count=10240 | gzip > 10G.gzip | |
| Up the count to whatever you like, if you want more, just up the count. This example is 10G after unzipping. But 100G works just fine. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sendBomb(); | |
| function sendBomb(){ | |
| // Turns out, original came from https://blog.haschek.at/2017/how-to-defend-your-website-with-zip-bombs.html | |
| // I did not realise that, I only googled it a bit and took the relative parts plus the comments to make clear | |
| /// what is going on. | |
| // Many thanks to Christian for the original code. I did not intent to "steal" it and make it my own. | |
| // The following is mostly from Christian, with a minor tweak. He/She deserves the praise for this gzip idea. I only polished it a bit. | |
| //prepare the client to recieve GZIP data. This will not be suspicious | |
| //since most web servers use GZIP by default | |
| header("Content-Encoding: gzip"); | |
| header("Content-Length: ".filesize('/path/to/100G.gzip')); | |
| //Turn off output buffering | |
| if (ob_get_level()) ob_end_clean(); | |
| //send the gzipped file to the client | |
| readfile('/path/to/100G.gzip'); | |
| exit; | |
| } |
Beautiful
I'm picking Chaotic Good. I'm also thinking I might implement this.
Nice
In my case I'm gonna put more links in there for the bomb
Good job, would be even better if you credited the author of the idea!
https://blog.haschek.at/2017/how-to-defend-your-website-with-zip-bombs.html
@imval
I did not realise that. I came up with this myself, after reading about the gzip system. My example of how to create the gzip is indeed not mine, but all other things are entirely my own, or Google previews. I'll update :)
@rachelle-scheijen
Yes, you can put any (part of a) URL in your .htaccess condition. phpmyadmin is also a very nice one :)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lawful good