Skip to content
ATR-2026-00570highData Poisoningexperimental

SQL injection in agent / MCP tool database query

An agent or MCP tool builds a SQL query from unvalidated input, letting an attacker (or prompt injection in retrieved content) inject a tautology, a UNION SELECT to read other tables, or a stacked DROP/DELETE. Generalizes a cluster of agent-app SQLi CVEs.

嚴重度
high
類別
Data Poisoning
掃描目標
runtime
作者
ATR Community

建議回應

alert

參考資料

OWASP Agentic
ASI06:2026 - Memory and Context Poisoning
OWASP LLM
LLM01:2025 - Prompt Injection
MITRE ATLAS
AML.T0051.001 - Indirect

偵測條件

組合方式: any
  1. 01
    SQL boolean tautology (' OR '1'='1 / OR 1=1 --)
    欄位: content運算子: regex
  2. 02
    UNION SELECT ... FROM to read arbitrary tables
    欄位: content運算子: regex
  3. 03
    Stacked destructive query (; DROP/DELETE/TRUNCATE TABLE)
    欄位: content運算子: regex

攻擊範例(規則會觸發)

  1. username=admin' OR '1'='1
  2. id=1 UNION SELECT username,password FROM users
  3. '; DROP TABLE users;--
  4. ?id=1 OR 1=1 --

以上為真實攻擊 payload 的脫敏版本,與規則一同版本化,作為 regression test——確保未來的修訂不會悄悄漏掉它們。

正常樣本(規則不會觸發)

  1. benign 1
    SELECT * FROM users WHERE id = ?
  2. benign 2
    query = "SELECT name FROM products"
  3. benign 3
    if (a == 1 || b == 1) return
  4. benign 4
    page.union of selected items from list

完整 YAML 定義

在 GitHub 編輯 →
title: SQL injection in agent / MCP tool database query
id: ATR-2026-00570
rule_version: 1
status: experimental
description: An agent or MCP tool builds a SQL query from unvalidated input, letting an attacker (or prompt injection in retrieved content) inject a tautology, a UNION SELECT to read other tables, or a stacked DROP/DELETE. Generalizes a cluster of agent-app SQLi CVEs.
author: ATR Community
date: 2026/06/02
schema_version: '0.1'
detection_tier: pattern
maturity: test
severity: high
references:
  cve:
  - CVE-2026-7591
  - CVE-2026-4593
  - CVE-2026-5322
  - CVE-2026-30860
  cwe:
  - CWE-89
  external:
  - https://nvd.nist.gov/vuln/detail/CVE-2026-30860
  owasp_llm:
    - LLM01:2025 - Prompt Injection
  owasp_agentic:
    - ASI06:2026 - Memory and Context Poisoning
  mitre_atlas:
    - AML.T0051.001 - Indirect
metadata_provenance:
  cve: human-authored
  cwe: human-authored
compliance:
  eu_ai_act:
    - article: "10"
      context: "Article 10 (data and data governance) requires control over the data an AI system processes; this rule provides detection evidence for the data-poisoning attempt (SQL injection in agent / MCP tool database query) affecting that data."
      strength: primary
    - article: "15"
      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the data-poisoning attempt (SQL injection in agent / MCP tool database query)."
      strength: secondary
    - article: "9"
      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the data-poisoning attempt (SQL injection in agent / MCP tool database query)."
      strength: secondary
  nist_ai_rmf:
    - subcategory: "MS.2.5"
      context: "NIST AI RMF MEASURE 2.5 (system validity and reliability demonstrated) is supported by this rule's detection of the data-poisoning attempt (SQL injection in agent / MCP tool database query)."
      strength: primary
    - subcategory: "MS.2.7"
      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the data-poisoning attempt (SQL injection in agent / MCP tool database query)."
      strength: secondary
  iso_42001:
    - clause: "8.2"
      context: "ISO/IEC 42001 Clause 8.2 (AI risk assessment) is informed by this rule, which detects the data-poisoning attempt (SQL injection in agent / MCP tool database query) as an assessed risk."
      strength: primary
    - clause: "8.1"
      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the data-poisoning attempt (SQL injection in agent / MCP tool database query)."
      strength: secondary
tags:
  category: data-poisoning
  scan_target: runtime
  confidence: high
agent_source:
  type: llm_io
  framework:
  - any
  provider:
  - any
detection:
  condition: any
  false_positives: []
  conditions:
  - field: content
    operator: regex
    value: (?i)(?:'\s*or\s+'?1'?\s*=\s*'?1|\bor\s+1\s*=\s*1\b\s*(?:--|#|/\*|;|$))
    description: SQL boolean tautology (' OR '1'='1 / OR 1=1 --)
  - field: content
    operator: regex
    value: (?i)\bunion\s+(?:all\s+)?select\b.{0,120}\bfrom\b
    description: UNION SELECT ... FROM to read arbitrary tables
  - field: content
    operator: regex
    value: (?i);\s*(?:drop|delete|truncate)\s+(?:table|database)\b
    description: Stacked destructive query (; DROP/DELETE/TRUNCATE TABLE)
response:
  actions:
  - alert
  notify:
  - security_team
test_cases:
  true_positives:
  - input: username=admin' OR '1'='1
    expected: triggered
    description: attack 1
  - input: id=1 UNION SELECT username,password FROM users
    expected: triggered
    description: attack 2
  - input: '''; DROP TABLE users;--'
    expected: triggered
    description: attack 3
  - input: ?id=1 OR 1=1 --
    expected: triggered
    description: attack 4
  true_negatives:
  - input: SELECT * FROM users WHERE id = ?
    expected: not_triggered
    description: benign 1
  - input: query = "SELECT name FROM products"
    expected: not_triggered
    description: benign 2
  - input: if (a == 1 || b == 1) return
    expected: not_triggered
    description: benign 3
  - input: page.union of selected items from list
    expected: not_triggered
    description: benign 4

修訂歷史

建立於
2026-06-02
最後修改
2026-07-15
在 GitHub 查看完整 commit 歷史 →