Well I’m currently an academic researcher, so I included the vulnerability and its PoC in a publication rather than in a blog post. Also, due to the sensitive nature of my work, I should not be developing exploits, even in the form of PoCs :D
But anyway yeah. Joomla has a method where they supposedly “lex” the SQL query to replace #__ with Joomla’s dynamic table prefix. They “lex” by counting quotations! So if there’s a quotation as data (e.g. “Jack’s Horse”) or if there’s a quotation in a comment (e.g. /* Jack’s horse*/) their lexer will silently fail and allow injection into the query as well as leakage of the dynamic table prefix.
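The failure mode described in the post above, as an added example that is not part of the original post and is not Joomla's code: a simplified quote-counting replacer next to one that tracks string literals and comments. The function names, the sample prefix `abc12_`, the sample queries and the MySQL-style backslash escape handling are all assumptions made for illustration.

```python
MARKER = "#__"       # placeholder named in the post
PREFIX = "abc12_"    # constructed sample prefix, not a real value

def replace_prefix_parity(sql, prefix=PREFIX):
    """Simplified model of quote counting: every ' flips the in-string flag."""
    out, in_string, i = [], False, 0
    while i < len(sql):
        if sql[i] == "'":
            in_string = not in_string
        if not in_string and sql.startswith(MARKER, i):
            out.append(prefix)
            i += len(MARKER)
            continue
        out.append(sql[i])
        i += 1
    return "".join(out)

def replace_prefix_lexed(sql, prefix=PREFIX):
    """Tracks literals and comments; rewrites the marker only in SQL code."""
    out, i, n = [], 0, len(sql)
    while i < n:
        if sql.startswith("/*", i):          # block comment: copy through */
            end = sql.find("*/", i + 2)
            end = n if end < 0 else end + 2
        elif sql.startswith("-- ", i):       # line comment: copy to newline
            end = sql.find("\n", i)
            end = n if end < 0 else end + 1
        elif sql[i] == "'":                  # string literal, \ escapes next char
            end = i + 1
            while end < n and sql[end] != "'":
                end += 2 if sql[end] == "\\" else 1
            end = min(end + 1, n)
        elif sql.startswith(MARKER, i):      # marker in code: substitute
            out.append(prefix)
            i += len(MARKER)
            continue
        else:
            end = i + 1
        out.append(sql[i:end])
        i = end
    return "".join(out)

# Constructed sample queries: an apostrophe in a comment, and one in data.
COMMENTED = "SELECT id FROM #__users /* Jack's horse */ WHERE note = 'literal #__ text'"
ESCAPED = "SELECT id FROM #__a WHERE n = 'Jack\\'s Horse' AND id IN (SELECT id FROM #__b)"

if __name__ == "__main__":
    for q in (COMMENTED, ESCAPED):
        print(replace_prefix_parity(q))   # literal/code boundary is lost
        print(replace_prefix_lexed(q))    # marker rewritten only in code
```

With the parity model, the apostrophe in the comment causes the prefix to be written into the string literal, and the escaped apostrophe in data leaves a later `#__` in query code unsubstituted.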