CVE-2018-25422
Deferred Deferred - Pending Action
MOGG Web Simulator Script SQL Injection Vulnerability

Publication date: 2026-05-30

Last updated on: 2026-06-01

Assigner: VulnCheck

Description
MOGG web simulator Script contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through the id parameter. Attackers can send GET requests to play.php with crafted SQL payloads in the id parameter to extract sensitive database information including usernames and other data.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-30
Last Modified
2026-06-01
Generated
2026-06-19
AI Q&A
2026-05-30
EPSS Evaluated
2026-06-18
NVD
CVE-2018-25422
EUVD
EUVD-2018-21944
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
spider312 mtgas *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2018-25422 is a SQL injection vulnerability in the MOGG web simulator Script. It allows unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through the 'id' parameter in GET requests to the play.php page.

By exploiting this vulnerability, attackers can extract sensitive database information such as usernames and other confidential data.

The vulnerability arises because the application does not properly sanitize or validate the 'id' parameter, enabling attackers to manipulate SQL queries.

Compliance Impact

The SQL injection vulnerability in the MOGG web simulator script allows attackers to extract sensitive database information, including usernames and other confidential data. This unauthorized access to sensitive personal or organizational data can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require the protection of personal and sensitive information from unauthorized access or disclosure.

Because attackers can exploit this vulnerability to access and potentially exfiltrate sensitive data, organizations using the affected software may face risks related to data breaches, which are subject to regulatory reporting requirements and penalties under these standards.

Impact Analysis

This vulnerability can have serious impacts including unauthorized access to sensitive database information.

  • Attackers can extract usernames and other confidential data from the database.
  • It may allow attackers to manipulate or take over the database by executing arbitrary SQL commands.
  • The exposure of sensitive files and directories, such as configuration files with database credentials, can further increase the risk.
  • Unauthorized access to the admin folder due to lack of proper protection can lead to further malicious activities.
Detection Guidance

This vulnerability can be detected by sending crafted GET requests to the play.php endpoint with malicious SQL payloads in the id parameter and observing the responses for SQL error messages or extracted database information.

Example commands to test for the SQL injection include using curl or a browser to send requests like:

  • curl "http://yourserver/play.php?id=99999'+and+extractvalue(1,concat(0x3a,user(),0x3a))%23"
  • curl "http://yourserver/play.php?id=99999'+UNION+SELECT+user()--+"

If the response contains database user information or SQL errors, it indicates the presence of the SQL injection vulnerability.

Mitigation Strategies

Immediate mitigation steps include securing sensitive configuration files and restricting access to administrative directories.

  • Rename or remove default configuration files such as config.orig.php and footer.orig.php that contain placeholder or sensitive data.
  • Protect the admin folder by implementing access controls, for example, using .htaccess to restrict unauthorized access.

Additionally, validate and sanitize all user inputs, especially the id parameter in play.php, to prevent SQL injection attacks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2018-25422. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart