PHPJabbers Cinema Booking System SQL Injection Vulnerability in User Management Function

Vulnerability

A SQL injection vulnerability has been identified in PHPJabbers Cinema Booking System version 2.0, specifically within the 'pjActionGetUser' function. This vulnerability allows attackers to manipulate database queries by exploiting the 'column' parameter. Successful exploitation could result in unauthorized access to sensitive information, privilege escalation, or manipulation of the database.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive data, unauthorized data modification, and potentially allow an attacker to escalate privileges within the application.

Reproduction

The vulnerability can be reproduced by sending a GET request to 'index.php' with the 'controller' set to 'pjAdminUsers', the 'action' set to 'pjActionGetUser', and the 'column' parameter manipulated to inject SQL payloads. This request can be made using a tool like SQLMap to automate the exploitation process.
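Because 'column' selects a database column, it is an identifier rather than a value, and identifiers cannot be bound as prepared-statement parameters; the defensive fix is to resolve the parameter against a fixed allowlist, and the same allowlist can be applied to access logs to spot requests that tried anything else. The following is an added example written for this advisory, not code from PHPJabbers or from the advisory's author; the table and column names, the request regex and the log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist of columns the user lookup may filter on
# (hypothetical; not taken from the PHPJabbers code base).
ALLOWED_COLUMNS = {"id", "username", "email"}


def resolve_column(requested):
    """Map a client-supplied column name onto a known identifier or reject it."""
    # Identifiers cannot be bound as prepared-statement parameters, so an
    # allowlist is the only reliable way to keep 'column' out of the query text.
    if requested not in ALLOWED_COLUMNS:
        raise ValueError(f"column not permitted: {requested!r}")
    return requested


def build_user_query(column, value):
    """Return (sql, params): the column is allowlisted, the value is bound."""
    sql = f"SELECT id, username, email FROM users WHERE {resolve_column(column)} = %s"
    return sql, (value,)


_REQUEST_RE = re.compile(r'"GET (?P<path>\S+) HTTP/[\d.]+"')


def suspicious_requests(log_lines):
    """Paths of pjActionGetUser requests whose 'column' is not an allowed identifier."""
    hits = []
    for line in log_lines:
        m = _REQUEST_RE.search(line)
        if not m:
            continue
        path = m.group("path")
        qs = parse_qs(urlsplit(path).query)  # parse_qs also percent-decodes values
        if qs.get("controller") != ["pjAdminUsers"] or qs.get("action") != ["pjActionGetUser"]:
            continue
        if any(col not in ALLOWED_COLUMNS for col in qs.get("column", [])):
            hits.append(path)
    return hits


# Constructed access-log lines in common log format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Jun/2025:19:46:01 +0000] "GET /index.php?controller=pjAdminUsers&action=pjActionGetUser&column=username&value=bob HTTP/1.1" 200 512',
    '10.0.0.9 - - [09/Jun/2025:19:46:02 +0000] "GET /index.php?controller=pjAdminUsers&action=pjActionGetUser&column=username%27--&value=bob HTTP/1.1" 200 512',
    '10.0.0.9 - - [09/Jun/2025:19:46:03 +0000] "GET /index.php?controller=pjFront&action=pjActionIndex HTTP/1.1" 200 2048',
]
```

Calling `suspicious_requests(SAMPLE_LOG)` flags only the second line, whose decoded column value is not one of the three permitted identifiers; `build_user_query` raises on that same value instead of splicing it into the SQL.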

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 5.0
exploitability: 9.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.