ATR-2026-00570 | high | Model-level attack | experimental

SQL injection in agent / MCP tool database query

An agent or MCP tool builds a SQL query from unvalidated input, letting an attacker (or prompt injection in retrieved content) inject a tautology, a UNION SELECT to read other tables, or a stacked DROP/DELETE. Generalizes a cluster of agent-app SQLi CVEs.

Severity
high
Category
Model-level attack
Scan target
runtime
Author
ATR Community

Recommended response

alert

Detection conditions

Combination: any
  1. 01
    SQL boolean tautology (' OR '1'='1 / OR 1=1 --)
    Field: content, operator: regex
  2. 02
    UNION SELECT ... FROM to read arbitrary tables
    Field: content, operator: regex
  3. 03
    Stacked destructive query (; DROP/DELETE/TRUNCATE TABLE)
    Field: content, operator: regex

Attack examples (rule triggers)

  1. username=admin' OR '1'='1
  2. id=1 UNION SELECT username,password FROM users
  3. '; DROP TABLE users;--
  4. ?id=1 OR 1=1 --

The payloads above are sanitized versions of real attack payloads and are used for regression testing.

Benign samples (rule does not trigger)

  1. benign 1
    SELECT * FROM users WHERE id = ?
  2. benign 2
    query = "SELECT name FROM products"
  3. benign 3
    if (a == 1 || b == 1) return
  4. benign 4
    page.union of selected items from list

Full YAML definition

title: SQL injection in agent / MCP tool database query
id: ATR-2026-00570
rule_version: 1
status: experimental
description: An agent or MCP tool builds a SQL query from unvalidated input, letting an attacker (or prompt injection in retrieved content) inject a tautology, a UNION SELECT to read other tables, or a stacked DROP/DELETE. Generalizes a cluster of agent-app SQLi CVEs.
author: ATR Community
date: 2026/06/02
schema_version: '0.1'
detection_tier: pattern
maturity: experimental
severity: high
references:
  cve:
  - CVE-2026-7591
  - CVE-2026-4593
  - CVE-2026-5322
  - CVE-2026-30860
  cwe:
  - CWE-89
  external:
  - https://nvd.nist.gov/vuln/detail/CVE-2026-30860
metadata_provenance:
  cve: human-authored
  cwe: human-authored
tags:
  category: data-poisoning
  scan_target: runtime
  confidence: high
agent_source:
  type: llm_io
  framework:
  - any
  provider:
  - any
detection:
  condition: any
  false_positives: []
  conditions:
  - field: content
    operator: regex
    value: (?i)(?:'\s*or\s+'?1'?\s*=\s*'?1|\bor\s+1\s*=\s*1\b\s*(?:--|#|/\*|;|$))
    description: SQL boolean tautology (' OR '1'='1 / OR 1=1 --)
  - field: content
    operator: regex
    value: (?i)\bunion\s+(?:all\s+)?select\b.{0,120}\bfrom\b
    description: UNION SELECT ... FROM to read arbitrary tables
  - field: content
    operator: regex
    value: (?i);\s*(?:drop|delete|truncate)\s+(?:table|database)\b
    description: Stacked destructive query (; DROP/DELETE/TRUNCATE TABLE)
response:
  actions:
  - alert
  notify:
  - security_team
test_cases:
  true_positives:
  - input: username=admin' OR '1'='1
    expected: triggered
    description: attack 1
  - input: id=1 UNION SELECT username,password FROM users
    expected: triggered
    description: attack 2
  - input: '''; DROP TABLE users;--'
    expected: triggered
    description: attack 3
  - input: ?id=1 OR 1=1 --
    expected: triggered
    description: attack 4
  true_negatives:
  - input: SELECT * FROM users WHERE id = ?
    expected: not_triggered
    description: benign 1
  - input: query = "SELECT name FROM products"
    expected: not_triggered
    description: benign 2
  - input: if (a == 1 || b == 1) return
    expected: not_triggered
    description: benign 3
  - input: page.union of selected items from list
    expected: not_triggered
    description: benign 4

Revision history

Created
2026-06-02
Last modified
2026-06-04