CVE-2018-25422
MOGG Web Simulator Script SQL Injection Vulnerability
Publication date: 2026-05-30
Last updated on: 2026-05-30
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| spider312 | mtgas | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2018-25422 is a SQL injection vulnerability in the MOGG web simulator Script. It allows unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through the 'id' parameter in GET requests to the play.php page.
By exploiting this vulnerability, attackers can extract sensitive database information such as usernames and other confidential data.
The vulnerability arises because the application does not properly sanitize or validate the 'id' parameter, enabling attackers to manipulate SQL queries.
How can this vulnerability impact me? :
This vulnerability can have serious impacts including unauthorized access to sensitive database information.
- Attackers can extract usernames and other confidential data from the database.
- It may allow attackers to manipulate or take over the database by executing arbitrary SQL commands.
- The exposure of sensitive files and directories, such as configuration files with database credentials, can further increase the risk.
- Unauthorized access to the admin folder due to lack of proper protection can lead to further malicious activities.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending crafted GET requests to the play.php endpoint with malicious SQL payloads in the id parameter and observing the responses for SQL error messages or extracted database information.
Example commands to test for the SQL injection include using curl or a browser to send requests like:
- curl "http://yourserver/play.php?id=99999'+and+extractvalue(1,concat(0x3a,user(),0x3a))%23"
- curl "http://yourserver/play.php?id=99999'+UNION+SELECT+user()--+"
If the response contains database user information or SQL errors, it indicates the presence of the SQL injection vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include securing sensitive configuration files and restricting access to administrative directories.
- Rename or remove default configuration files such as config.orig.php and footer.orig.php that contain placeholder or sensitive data.
- Protect the admin folder by implementing access controls, for example, using .htaccess to restrict unauthorized access.
Additionally, validate and sanitize all user inputs, especially the id parameter in play.php, to prevent SQL injection attacks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The SQL injection vulnerability in the MOGG web simulator script allows attackers to extract sensitive database information, including usernames and other confidential data. This unauthorized access to sensitive personal or organizational data can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require the protection of personal and sensitive information from unauthorized access or disclosure.
Because attackers can exploit this vulnerability to access and potentially exfiltrate sensitive data, organizations using the affected software may face risks related to data breaches, which are subject to regulatory reporting requirements and penalties under these standards.