@Firesphere
Last active May 14, 2020 08:27
What alignment type is this?
RewriteEngine On
# REQUEST_URI starts with a slash, so the exclusion must match "/wp-admin.php"; without the
# slash the condition never matches and the rule keeps rewriting its own target
RewriteCond %{REQUEST_URI} !^/wp-admin\.php$
# Anything that has "wp-" in its request will be sent to the bomb
RewriteRule ^(.*)wp-(.*)$ wp-admin.php [L]
Generate a gzip bomb:
dd if=/dev/zero bs=1M count=10240 | gzip > 10G.gzip
Increase the count if you want a bigger bomb. This example is 10G after unzipping, but 100G works just fine.
<?php
sendBomb();

function sendBomb()
{
    // Turns out the original came from https://blog.haschek.at/2017/how-to-defend-your-website-with-zip-bombs.html
    // I did not realise that; I only googled it a bit and took the relevant parts plus the comments to make clear
    // what is going on.
    // Many thanks to Christian for the original code. I did not intend to "steal" it and make it my own.
    // The following is mostly from Christian, with a minor tweak. He/she deserves the praise for this gzip idea. I only polished it a bit.
    $bomb = '/path/to/100G.gzip'; // the file produced by the dd | gzip command above
    // Prepare the client to receive GZIP data. This will not be suspicious
    // since most web servers use GZIP by default.
    header("Content-Encoding: gzip");
    header("Content-Length: " . filesize($bomb));
    // Turn off output buffering so the file is streamed rather than held in memory
    if (ob_get_level()) ob_end_clean();
    // Send the gzipped file to the client
    readfile($bomb);
    exit;
}
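The receiving side of this trap, as an added example that is not part of the gist or of Christian's original: a client that inflates a `Content-Encoding: gzip` body only up to a caller-chosen cap, so a crawler or scanner you run yourself cannot be taken down by a response like the one above. The 4 MiB test payload, the 1 MiB cap and the function names are constructed here for illustration.

```python
import gzip
import zlib


class DecompressionLimitExceeded(Exception):
    """The gzip body would inflate past the caller's cap."""


def bounded_gunzip(data: bytes, max_out: int, chunk: int = 64 * 1024) -> bytes:
    """Inflate a gzip body, guaranteeing at most max_out bytes of output.

    zlib.decompressobj (not gzip.decompress) is used because its max_length
    bounds the inflater by output size rather than by input size; the
    wbits value selects gzip framing rather than raw deflate or zlib.
    """
    inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
    out = bytearray()
    offset = 0
    while not inflater.eof:
        if offset >= len(data):
            raise ValueError("truncated gzip stream")
        piece = data[offset:offset + chunk]
        offset += len(piece)
        # Request one byte beyond the cap: getting it proves the body is too big.
        out += inflater.decompress(piece, max_length=max_out + 1 - len(out))
        if len(out) > max_out:
            raise DecompressionLimitExceeded(f"body exceeds {max_out} bytes")
    return bytes(out)


def classify_body(headers: dict, body: bytes, max_out: int):
    """Return ('ok', plain_bytes), ('too-large', None) or ('truncated', None)."""
    if headers.get("Content-Encoding", "").lower() != "gzip":
        return "ok", body
    try:
        return "ok", bounded_gunzip(body, max_out)
    except DecompressionLimitExceeded:
        return "too-large", None
    except (ValueError, zlib.error):
        return "truncated", None


# Constructed test inputs (not from the gist): 4 MiB of zeros compressed the way
# the dd | gzip command above does (about 4 KiB on the wire) and a small real page.
PLAIN_SIZE = 4 * 1024 * 1024
SMALL_BOMB = gzip.compress(b"\0" * PLAIN_SIZE)
LEGIT_PAGE = gzip.compress(b"<html><body>hello</body></html>")
GZIP_HEADERS = {"Content-Encoding": "gzip"}
```

A body that inflates to exactly the cap is still accepted; only output beyond the cap, or a stream that ends before its gzip trailer, is rejected.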
@Firesphere (Author):
@rachelle-scheijen
Yes, you can put any (part of a) URL in your .htaccess condition. phpmyadmin is also a very nice one :)
