CVE-2018-25422 Overview
CVE-2018-25422 is a SQL injection vulnerability [CWE-89] in the MOGG web simulator Script. The flaw resides in the play.php endpoint, which fails to sanitize the id parameter before passing it to a backend SQL query. Unauthenticated attackers can send crafted GET requests to inject arbitrary SQL commands. Successful exploitation allows attackers to extract usernames, credentials, and other sensitive records from the underlying database. The vulnerability affects all versions of the MOGG web simulator Script (mtgas) and has a public exploit published on Exploit-DB.
Critical Impact
Unauthenticated remote attackers can extract sensitive database contents through a single crafted HTTP GET request to play.php.
Affected Products
- MOGG web simulator Script (mtgas) — all versions
- play.php endpoint of the application
- Any deployment of the spider312/mtgas GitHub project
Discovery Timeline
- 2026-05-30 - CVE-2018-25422 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2018-25422
Vulnerability Analysis
The vulnerability is a classic SQL injection issue in a PHP web application. The play.php script accepts a user-supplied id parameter via HTTP GET. The application concatenates that parameter directly into a SQL query without parameterization or input validation. As a result, an attacker controls a portion of the SQL statement executed against the backend database.
The issue is mapped to CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). Exploitation requires no authentication, no user interaction, and only network access to the affected web server. Public exploit code is available via Exploit-DB #45717 and a VulnCheck SQL Injection Advisory.
Root Cause
The root cause is the direct interpolation of attacker-controlled input into a SQL query string. The application does not use prepared statements, bound parameters, or context-aware escaping for the id value. Standard SQL metacharacters and UNION-based payloads pass through into the query unchanged.
Attack Vector
An attacker sends an HTTP GET request to play.php with a malicious payload appended to the id parameter. Typical payloads include boolean-based, UNION-based, or error-based SQL injection to enumerate database schema and exfiltrate rows such as user records. Because the endpoint is reachable without authentication, exploitation can be automated against exposed instances. See the GitHub MTG Automation Tool project for the affected code base.
No verified exploit code is included here. Refer to the linked Exploit-DB entry for the published proof-of-concept request structure.
Detection Methods for CVE-2018-25422
Indicators of Compromise
- HTTP GET requests to play.php containing SQL keywords such as UNION, SELECT, SLEEP, --, or 0x in the id parameter.
- Web server access logs showing abnormally long or URL-encoded id values from a single source IP.
- Database error messages or stack traces returned in HTTP responses from play.php.
- Outbound queries enumerating information_schema tables originating from the web application database user.
Detection Strategies
- Deploy Web Application Firewall (WAF) signatures that match SQL injection patterns on the id query string parameter.
- Correlate web server logs with database audit logs to identify queries originating from play.php that reference system catalogs.
- Alert on HTTP 500 responses from play.php paired with parameter values containing SQL syntax.
Monitoring Recommendations
- Enable verbose logging of query string parameters for the play.php endpoint.
- Monitor for spikes in request volume to play.php from individual source addresses.
- Track database user activity for SELECT operations against authentication-related tables outside normal application patterns.
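The indicators and detection strategies above, turned into a small log analyzer as an added example (not part of the original advisory). It parses combined-format web access log lines, extracts the id value sent to play.php, flags non-integer, oversized or SQL-syntax-bearing values and 500 responses paired with them, and counts suspicious requests per source IP; the log lines are constructed sample data and the thresholds are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed combined-format access log lines (sample data, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [30/May/2026:10:00:01 +0000] "GET /play.php?id=42 HTTP/1.1" 200 1532
203.0.113.7 - - [30/May/2026:10:00:02 +0000] "GET /play.php?id=42%27%20UNION%20SELECT%201%2C2%2C3-- HTTP/1.1" 500 211
203.0.113.7 - - [30/May/2026:10:00:03 +0000] "GET /play.php?id=42%20AND%20SLEEP(5) HTTP/1.1" 200 1532
198.51.100.9 - - [30/May/2026:10:00:04 +0000] "GET /play.php?id=7 HTTP/1.1" 200 1490
198.51.100.9 - - [30/May/2026:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 880
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) \S+" (?P<status>\d{3}) \d+')
# Mirrors the IoC list: SQL keywords, comment sequences and hex literals in the id value.
SQLI_RE = re.compile(r"(?i)(\bunion\b|\bselect\b|\bsleep\b|\bbenchmark\b|--|/\*|\b0x[0-9a-f]+)")
MAX_ID_LEN = 20  # assumed: a legitimate numeric id is far shorter than this

def analyze_line(line):
    """Return a finding dict for one play.php request, or None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/play.php"):
        return None
    # parse_qs decodes once; unquote again so double-encoded values are examined too.
    raw_id = parse_qs(parts.query, keep_blank_values=True).get("id", [""])[0]
    decoded = unquote(raw_id)
    reasons = []
    if not decoded.isdigit():
        reasons.append("non-integer id")
    if SQLI_RE.search(decoded):
        reasons.append("sql syntax in id")
    if len(decoded) > MAX_ID_LEN:
        reasons.append("oversized id")
    if m.group("status") == "500" and reasons:
        reasons.append("server error on suspicious id")
    return {"ip": m.group("ip"), "id": decoded, "status": m.group("status"), "reasons": reasons}

def analyze_log(text):
    """Return (suspicious findings, per-source-IP count of suspicious play.php requests)."""
    findings, per_ip = [], Counter()
    for line in text.splitlines():
        f = analyze_line(line)
        if f and f["reasons"]:
            findings.append(f)
            per_ip[f["ip"]] += 1
    return findings, per_ip
```

The per-IP counter is the input for the volume-spike rule: compare it against a baseline for the same window before alerting.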
How to Mitigate CVE-2018-25422
Immediate Actions Required
- Restrict public access to the MOGG web simulator Script until a fix is applied, using network ACLs or authentication at the reverse proxy.
- Audit the play.php source code and replace string-concatenated SQL with parameterized queries or prepared statements.
- Rotate any credentials or session tokens stored in the affected database, assuming prior exfiltration.
Patch Information
No official vendor patch has been identified in the enriched CVE data. The affected project is hosted at the GitHub MTG Automation Tool repository. Operators should review the latest commits and apply community fixes, or migrate away from the affected component. Consult the VulnCheck SQL Injection Advisory for additional remediation guidance.
Workarounds
- Validate the id parameter against a strict numeric allowlist before processing, rejecting any non-integer input.
- Deploy a WAF rule blocking SQL metacharacters in query string parameters targeting play.php.
- Run the database account used by the application with least-privilege permissions, removing access to non-essential tables.
- Disable verbose database error reporting in production to limit information leakage during probing.
# Example WAF rule (ModSecurity) blocking SQLi payloads on play.php id parameter
SecRule REQUEST_URI "@contains /play.php" \
"chain,phase:2,deny,status:403,id:1002518,msg:'CVE-2018-25422 SQLi attempt on play.php id parameter'"
SecRule ARGS:id "@rx (?i)(union|select|sleep|benchmark|--|/\*|0x)" "t:none,t:urlDecode"
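The code-level fix named under Immediate Actions (parameterized queries) and the first Workaround (strict numeric allowlist on id), shown side by side with the flawed concatenation pattern as an added example. This is not the project's code: the affected application is PHP, and this uses Python with an in-memory SQLite table whose name and columns are assumed, purely to show the before/after pattern.

```python
import sqlite3

def make_demo_db():
    """Constructed stand-in for the application's database (table and columns assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE games (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO games VALUES (?, ?)", [(1, "alpha"), (42, "beta"), (77, "gamma")])
    return conn

def lookup_vulnerable(conn, raw_id):
    """The flawed pattern: the raw GET value is concatenated into the SQL string."""
    query = "SELECT id, name FROM games WHERE id = " + raw_id
    return conn.execute(query).fetchall()

def parse_id(raw_id, max_value=2**31 - 1):
    """Strict allowlist: only an ASCII string of decimal digits within range is accepted."""
    if not raw_id.isascii() or not raw_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    value = int(raw_id)
    if value > max_value:
        raise ValueError("id out of range")
    return value

def lookup_hardened(conn, raw_id):
    """Hardened pattern: validated integer passed as a bound parameter, never interpolated."""
    game_id = parse_id(raw_id)
    return conn.execute("SELECT id, name FROM games WHERE id = ?", (game_id,)).fetchall()

def accepts(raw_id):
    """True if the hardened path would accept this id value at all."""
    try:
        parse_id(raw_id)
        return True
    except ValueError:
        return False
```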
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.