PoC for the SQL injection vulnerability in PostgreSQL with Django, found in Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3
The class django.contrib.postgres.aggregates.StringAgg
for using the PostgreSQL STRING_AGG function had a SQL injection vulnerability. It is
possible to embed an arbitrary query in the value passed to the delimiter parameter at initialization.
The query is injected through a form in this Django app.
Query used for SQL injection: -') AS "mydefinedname" FROM "cve_src_example" GROUP BY "cve_src_example"."label" LIMIT 1 OFFSET 1 --