CGI Generic SQL Injection (blind)

high Nessus Plugin ID 42424


A CGI application hosted on the remote web server is potentially prone to SQL injection attack.


By sending specially crafted parameters to one or more CGI scripts hosted on the remote web server, Nessus was able to get a very different response, which suggests that it may have been able to modify the behavior of the application and directly access the underlying database.

An attacker may be able to exploit this issue to bypass authentication, read confidential data, modify the remote database, or even take control of the remote operating system.


Modify the affected CGI scripts so that they properly escape arguments.

See Also

Plugin Details

Severity: High

ID: 42424

File Name: torture_cgi_blind_sql_injection.nasl

Version: 1.39

Type: remote

Family: CGI abuses

Published: 11/6/2009

Updated: 6/14/2024

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

CVSS Score Rationale: Score based on the common rating of a sqli exposure.


Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: manual


Risk Factor: High

Base Score: 8.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

Vulnerability Information

Required KB Items: Settings/enable_web_app_tests

Reference Information

CWE: 20, 203, 643, 713, 722, 727, 751, 77, 801, 810, 89, 91, 928, 929