Attack Chain

1. An unauthenticated attacker identifies a Zeeways Matrimony CMS instance.
2. The attacker crafts a malicious HTTP GET or POST request targeting the profile_list endpoint.
3. The attacker injects SQL code into the up_cast, s_mother, or s_religion parameters of the HTTP request.
4. The web server processes the request and executes the injected SQL code against the database.
5. Depending on the injected SQL, the attacker can extract sensitive information from the database, such as user credentials or personal details, using time-based or error-based techniques.
6. The attacker analyzes the extracted data to identify valuable information.
7. The attacker may use the extracted credentials to further compromise the system or access other resources.

Impact

Successful exploitation of this SQL injection vulnerability could lead to a full database compromise, potentially exposing sensitive user data including personal information, credentials, and financial details. This can result in significant reputational damage, financial losses due to regulatory fines, and legal repercussions for organizations using the vulnerable Zeeways Matrimony CMS. The impact is high due to the ease of exploitation (unauthenticated) and the potential for complete data exfiltration.

Recommendation

• Inspect web server logs for suspicious HTTP requests targeting the /profile_list endpoint with SQL injection attempts in the up_cast, s_mother, and s_religion parameters (see IOC table and enable webserver logging).
• Apply available patches or updates for Zeeways Matrimony CMS to address CVE-2019-25635.
• Deploy the Sigma rule provided to detect exploitation attempts targeting the specified parameters in the URL.
• Implement input validation and sanitization for all user-supplied data, especially for parameters used in database queries to prevent future SQL injection vulnerabilities.