关联漏洞
描述
A path traversal vulnerability was identified in SourceCodester Pet Grooming Management System 1.0, affecting the admin/manage_website.php component. An authenticated user with administrative privileges can leverage this flaw by submitting a specially crafted POST request, enabling the deletion of arbitrary files on the web server.
介绍
# CVE-2025-63298
A path traversal vulnerability was identified in SourceCodester Pet Grooming Management System 1.0, affecting the admin/manage_website.php component. An authenticated user with administrative privileges can leverage this flaw by submitting a specially crafted POST request, enabling the deletion of arbitrary files on the web server.
* [https://www.cve.org/CVERecord?id=CVE-2025-63298](https://www.cve.org/CVERecord?id=CVE-2025-63298)
* [https://www.sourcecodester.com/php/18340/pet-grooming-management-software-download.html](https://www.sourcecodester.com/php/18340/pet-grooming-management-software-download.html)
There is a vulnerable function that will delete every file we put into the 'old_login_image' POST parameter by performing a path traversal.
<img width="947" height="232" alt="image" src="https://github.com/user-attachments/assets/570c0fcb-c164-498e-8897-44d85fd1120d" />
It is possible to delete index.php, which will result in a denial of service.
<img width="753" height="785" alt="image" src="https://github.com/user-attachments/assets/27bab49d-25e3-4a98-a387-ea3ca9493207" />
<img width="479" height="198" alt="image" src="https://github.com/user-attachments/assets/862c2ad9-983d-40b7-a155-a4322005edc3" />
Discovered by Z3robyte on October 2025
文件快照
[4.0K] /data/pocs/c4887e08746e14561ada954f36884c5a87665668
└── [1.3K] README.md
0 directories, 1 file
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。