allinurl:forcedownload.php?file=

GHDB-ID: 3738

Author: DigiP

Google Dork Description:

allinurl:forcedownload.php?file=

Didn't see this anywhere in the GHDB, but it's been known for a while and widely abused by others.

Google Dork "allinurl:forcedownload.php?file="

Sites that use the forcedownload.php script are vulnerable to URL manipulation, and will spit out any file on the local site, including the PHP files themselves with all server-side code: not the rendered page, but the source itself. This is most commonly used on WordPress sites to grab the wp-config.php file to gain access to the database, but is not limited to WordPress sites. I only list it as an example, so people understand the weight of the flaw.

- DigiP