I wonder if the Log4Shell zero-day was used here. That was a crazy vulnerability that allowed arbitrary remote code download and execution through the logging system just using a malformed user agent (no need to inject SQL or even find a vulnerability in the public facing apps).