It basically takes the HTTP User Agent header and adds it to a usrlog table. The syntax is like this:
INSERT INTO usrlog (useragent) VALUES ('Injection Point')
There's obviously no output on the page, so I cant use it to really enumerate anything like that, but none of the input is santitized at all. I can throw all the single quotes at it that I want.
The only weird thing is that using -- to comment out the rest of the line doesn't seem to work. Isn't -- supposed to comment out the rest of line?
I just wanted to know if there's anything that could be done with this kind of injection. If you have any ideas, please let me know.