Skip to content

Instantly share code, notes, and snippets.

@fffaraz
Created July 5, 2017 20:41
Show Gist options
  • Save fffaraz/d219d8eefd66de70b6d3d1986da0e56f to your computer and use it in GitHub Desktop.
Save fffaraz/d219d8eefd66de70b6d3d1986da0e56f to your computer and use it in GitHub Desktop.
How to defend your website with ZIP bombs
<?php
// https://blog.haschek.at/2017/how-to-defend-your-website-with-zip-bombs.html
// dd if=/dev/zero bs=1M count=10240 | gzip > 10G.gzip
$agent = lower($_SERVER['HTTP_USER_AGENT']);
//check for nikto, sql map or "bad" subfolders which only exist on wordpress
if (strpos($agent, 'nikto') !== false || strpos($agent, 'sqlmap') !== false || startswith($url,'wp-') || startswith($url,'wordpress') || startswith($url,'wp/'))
{
sendBomb();
exit();
}
function sendBomb(){
//prepare the client to recieve GZIP data. This will not be suspicious
//since most web servers use GZIP by default
header("Content-Encoding: gzip");
header("Content-Length: ".filesize('10G.gzip'));
//Turn off output buffering
if (ob_get_level()) ob_end_clean();
//send the gzipped file to the client
readfile('10G.gzip');
}
function startsWith($haystack,$needle){
return (substr($haystack,0,strlen($needle)) === $needle);
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment