Last active
March 22, 2024 17:50
10G Gzip Bomb, 42.zip protected Nginx web server
Based on the Hackaday article "[Dropping Zip Bombs on Vulnerability Scanners](https://hackaday.com/2017/07/08/dropping-zip-bombs-on-vulnerability-scanners/)", this is my implementation for my own Nginx web server.
I have also added 42.zip, since some scanning software automatically extracts zip files it downloads (which is rather unwise of it).
Any request that does not match the criteria for being gzip-bombed or served 42.zip simply has its connection closed without a response (nginx's non-standard status 444), so the sender learns nothing about the server.
As I use this nginx instance as a reverse proxy, nothing happens in this config file other than the raw nuking: all of my own services have DNS records and their own `server_name` blocks, whereas illegitimate traffic typically arrives by IP address (or an unknown Host header) and therefore lands in these default server blocks.
I occasionally check my access logs for anything that looks like a crawler or hack-tool scanner and add its request paths to the location blocks here.
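# Catch-all HTTP server for traffic that arrives by IP address or with an
# unknown Host header. Real services live in their own server_name blocks;
# anything that lands here is either dropped silently (444) or fed a bomb.
server {
    # default_server is the current spelling of the old "default" flag.
    listen 80 default_server;
    server_name _;

    # Anything not explicitly "nuked" below: close the connection without
    # sending a response (nginx-specific status 444).
    location / {
        access_log /var/log/nginx/notnuked.access.log;
        error_log  /var/log/nginx/notnuked.error.log;
        return 444;
    }

    # Archive / video probes get 42.zip. try_files first serves a real file of
    # the requested name if one exists under root; otherwise it internally
    # redirects to /42.zip, which re-enters this same location and is served
    # from root. /42.zip must therefore exist there, or nginx will loop on the
    # internal redirect and answer 500 instead.
    location ~* \.(zip|tar\.gz|mp4)$ {
        access_log /var/log/nginx/nuked.access.log;
        error_log  /var/log/nginx/nuked.error.log;
        root /usr/share/nginx/html;
        try_files $uri /42.zip;
    }

    # Well-known scanner / exploit-kit paths get the 10 GB gzip bomb via
    # nukeAttackers.php. Notes on this pattern:
    #  - it has no end anchor, so e.g. "/en" also matches "/enroll"; that is
    #    acceptable here because nothing legitimate should reach this server;
    #  - the dots in .env, .htaccess and setup.cgi are escaped so they match a
    #    literal dot rather than any character;
    #  - "\?XDEBUG_SESSION_START" is unlikely to ever match, because locations
    #    are matched against the path only, never the query string (use $args
    #    in a map or "if" for that);
    #  - the trailing "\\x[0-9a-zA-Z]+" alternative is anchored at ^, but a
    #    normalised URI always begins with "/", so it appears to be dead.
    location ~* ^(\/(\+CSCOE\+|\.env|\.htaccess|\?XDEBUG_SESSION_START|Autodiscover|GponForm|HNAPI|_ignition|ab2g|actuator|admin|administrator|api|boaform|cgi-bin|config|console|design|dnslookup|ecp|en|images|manage|manager|MGLNDD|mifs|owa|phpMyAdmin.*|pma.*|recordings|remote|setup\.cgi|solr|stalker_portal|static|vendor|wp-content)|\\x[0-9a-zA-Z]+) {
        access_log /var/log/nginx/nuked.access.log;
        error_log  /var/log/nginx/nuked.error.log;
        # SCRIPT_FILENAME is fixed, so the bomb script runs whatever path was
        # requested; fastcgi_index only influences $fastcgi_script_name here.
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /usr/share/nginx/html/nukeAttackers.php;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php-fpm/php.sock;
    }
}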
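# Catch-all HTTPS server; same policy as the port-80 block.
server {
    # "ssl" is required on the listen line: ssl_certificate directives alone do
    # not enable TLS, and without it (or the deprecated "ssl on;") nginx would
    # speak plain HTTP on port 443.
    listen 443 ssl default_server;
    server_name _;

    # HSTS. Browsers only persist this after a trusted TLS handshake, so with
    # the self-signed localhost.crt below it is largely decorative on this
    # catch-all server; "preload" is a long-term commitment for a domain, so
    # keep it only if that is intended. The header is only added to 2xx/3xx
    # responses, i.e. the bomb responses, never the 444 drops.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;";

    ssl_protocols TLSv1.3 TLSv1.2;
    # Shared cache only: nginx documents the builtin cache as prone to memory
    # fragmentation and recommends using the shared cache on its own.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    # For TLS 1.2 this should leave only ECDHE/DHE AEAD suites: !RSA drops
    # static-RSA key exchange, !SHA1/!SHA256/!SHA384 drop the HMAC-CBC suites.
    # It does not govern TLS 1.3 suites. Confirm with: openssl ciphers -v '<string>'
    ssl_ciphers ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384;
    ssl_prefer_server_ciphers on;
    ssl_certificate     /etc/nginx/localcerts/localhost.crt;
    ssl_certificate_key /etc/nginx/localcerts/localhost.key;

    # Anything not explicitly "nuked" below: close the connection without
    # sending a response. (A "root" here would be dead, since return 444
    # never serves a file.)
    location / {
        access_log /var/log/nginx/notnuked.access.log;
        error_log  /var/log/nginx/notnuked.error.log;
        return 444;
    }

    # Archive / video probes get 42.zip. A real file of the requested name is
    # served if present under root; otherwise the internal redirect to /42.zip
    # re-enters this location, so /42.zip must exist or nginx loops to a 500.
    location ~* \.(zip|tar\.gz|mp4)$ {
        access_log /var/log/nginx/nuked.access.log;
        error_log  /var/log/nginx/nuked.error.log;
        root /usr/share/nginx/html;
        try_files $uri /42.zip;
    }

    # Well-known scanner / exploit-kit paths get the 10 GB gzip bomb via
    # nukeAttackers.php. The pattern has no end anchor (so "/en" also matches
    # "/enroll", acceptable on a catch-all); the dots in .env, .htaccess and
    # setup.cgi are escaped to match literally; "\?XDEBUG_SESSION_START" is
    # unlikely to match because locations see the path only, never the query
    # string; and the "\\x[0-9a-zA-Z]+" alternative appears dead because a
    # normalised URI always begins with "/".
    location ~* ^(\/(\+CSCOE\+|\.env|\.htaccess|\?XDEBUG_SESSION_START|Autodiscover|GponForm|HNAPI|_ignition|ab2g|actuator|admin|administrator|api|boaform|cgi-bin|config|console|design|dnslookup|ecp|en|images|manage|manager|MGLNDD|mifs|owa|phpMyAdmin.*|pma.*|recordings|remote|setup\.cgi|solr|stalker_portal|static|vendor|wp-content)|\\x[0-9a-zA-Z]+) {
        access_log /var/log/nginx/nuked.access.log;
        error_log  /var/log/nginx/nuked.error.log;
        # SCRIPT_FILENAME is fixed, so the bomb script runs whatever path was
        # requested; fastcgi_index only influences $fastcgi_script_name here.
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /usr/share/nginx/html/nukeAttackers.php;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php-fpm/php.sock;
    }
}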
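<?php
// nukeAttackers.php - executed (via FastCGI) for every request nginx routes
// to it. Streams a pre-built gzip "bomb": a small .gz file that inflates to
// roughly 10 GB. Only clients that honour Content-Encoding and inflate the
// body are affected; anything else merely downloads the compressed file.
//
// NOTE(review): the response relies on PHP's default Content-Type
// (default_mimetype, normally text/html); nothing here sets one explicitly.

// Resolve the payload relative to this script rather than the process's
// working directory, so the script does not depend on PHP's chdir-to-script
// behaviour or on how php-fpm was started.
$bomb = __DIR__ . '/10Gzipbomb.gzip';

// filesize() on a missing file returns false, which would emit an empty
// "Content-Length:" header and a malformed response. Fail closed instead.
if (!is_file($bomb) || !is_readable($bomb)) {
    http_response_code(404);
    exit;
}

// Tell the client the body is gzip-encoded. This is not suspicious on its
// own, since most web servers compress responses by default.
header('Content-Encoding: gzip');
// Content-Length is the compressed (on-disk) size - what actually crosses the
// wire - not the inflated size.
header('Content-Length: ' . filesize($bomb));

// Discard every level of output buffering (not just the innermost one) so
// readfile() streams straight to the client instead of being held in memory.
while (ob_get_level() > 0) {
    ob_end_clean();
}

// Stream the gzipped file to the client.
readfile($bomb);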