Injected Multi-Step Query Attacks

• Injected multi-step query attacks are adversarial strategies that use multi-round, staged payloads to subvert LLMs and database-backed applications.
• They target complex, multi-hop execution pipelines—such as RAG systems and prompt-to-SQL chains—by employing techniques like surrogate modeling and staged code injection.
• These attacks result in significant resource amplification, data exfiltration, and privilege escalation, highlighting the need for robust, multi-layered defense frameworks.

Injected multi-step query attacks constitute a broad class of adversarial strategies where an attacker designs and distributes query payloads—often in several coordinated or staged steps—with the objective of subverting, manipulating, or amplifying the behavior of machine learning systems, LLM-driven applications, or classical database-backed web applications. These attacks leverage multi-round interactions, intermediary storage, surrogate modeling, or staged code injection to achieve complex objectives such as denial of service, data exfiltration, privilege escalation, or resource amplification, all while evading traditional detection mechanisms. Notable manifestations range from end-to-end poisoning of retrieval-augmented generation (RAG) systems to prompt-to-SQL exploit chains and self-replicating database-to-browser worms. The following sections present a comprehensive examination of the main families, technical mechanics, quantitative impacts, defenses, and research frontiers of injected multi-step query attacks.

1. Architectural Patterns and Attack Surface

Injected multi-step query attacks target systems that process, relay, or orchestrate user queries via a complex chain of execution stages. Key architectures susceptible to these attacks include:

• Retrieval-Augmented Generation (RAG): Here, user queries are first used to fetch top-$k$ passages from an indexed corpus; the aggregated context is then fed to a reasoning-capable LLM which generates multi-step answers. Adversaries inject adversarially crafted documents into the corpus so that—on retrieval—they induce pathological model behavior, such as excessive chain-of-thought sampling or logical oscillation (Zhang et al., 19 Jan 2026).
• LLM-Integrated Web Applications: Natural language user input is translated into SQL via LLMs orchestrated through frameworks such as Langchain, with results returned to the user after database execution. Adversaries exploit the multi-stage prompt-to-SQL translation and database readback loop to inject or propagate privileged SQL commands (P₂SQL attacks), often spanning several agent-initiated queries (Pedro et al., 2023, Motlagh et al., 11 May 2026).
• Surrogate-Aided Black-Box Model Medication: Multi-round adversarial evaluation against black-box ML models, where each query is optimized in a multi-surrogate or ensemble setting, using previous victim responses to adapt surrogate architectures and select high-yield adversarial candidates (Chen et al., 2021).
• Database–Browser Hybrid Worms: Coordinated attacks using two-stage quines—where SQL injection on the backend plants JavaScript worms in persistent storage, which on client-side execution autonomously probe for and attack other vulnerable servers (0909.4516).

A common denominator is the reliable existence of a multi-hop execution pipeline: from user input transformation to storage/retrieval, to further model-driven or agent-driven computation, to final output or re-injection.

2. Technical Building Blocks and Attack Methodologies

2.1 Multi-Agent Architectural Design

Injected multi-step attacks frequently employ multi-agent or multi-stage design:

• Contradiction-Based Deliberation Extension (CODE): Implements three agents—Contradiction Architect (blueprint synthesis of logical/evidential contradiction), Conflict Weaver (transforms blueprint into retriever-aligned, fluent passage), and Style Adapter (evolutionary stylistic rewriting for retrievability and entropic maximization of model processing tokens). The pipeline ensures adversarial document optimization for both retrievability and maximum model overthinking (Zhang et al., 19 Jan 2026).

2.2 Staged Prompt Injections and Query Hijacking

• Prompt-to-SQL Chains: The attacker seeds fields or input contexts that, when run through an LLM pipeline, result in the generation and subsequent execution of malicious SQL. Multi-step agents (e.g., SQLDatabaseAgent in Langchain) are susceptible to staged payloads that cross prompt boundaries, exploit re-injected SQLResult contexts, or leverage multi-tool subroutines in the agent’s decision policy (Pedro et al., 2023).
• Hybrid Quine Worms: Using self-replicating payloads, an initial SQL injection imparts a JavaScript quine into all TEXT/NTEXT/VARCHAR database fields. Subsequent browser visits trigger the JS, which in turn executes blind injections against discovered URLs on other servers (0909.4516).

2.3 Multi-Identity Surrogates in Query Optimization

• QueryNet: Maintains a population of surrogates, each generating and scoring adversarial candidates according to jointly optimized gradient similarity (GS) and prediction similarity (PS) with respect to a black-box victim, using victim feedback to adapt surrogate architecture and sampling policy in subsequent rounds. The multi-step selection loop ensures query efficiency while retaining high attack success (Chen et al., 2021).

2.4 Optimization Objectives

The principal optimization axes often include:

• Retrievability: Ensuring high semantic similarity to the user query so that adversarial payloads rank in top-$k$ on production retrievers (Zhang et al., 19 Jan 2026).
• Amplification/Resource Blow-up: Maximizing resource consumption (e.g., model token usage, model compute), subject to maintaining task accuracy or stealth (Zhang et al., 19 Jan 2026).
• Access/Escalation Success: Ensuring the generated query, across multiple rounds and possibly adversarial context accumulation, achieves the goal such as data exfiltration or schema modification (Pedro et al., 2023, Motlagh et al., 11 May 2026).

3. Quantitative Impact and Empirical Evaluation

The empirical impact of injected multi-step query attacks has been rigorously evaluated across diverse system configurations:

• Overthinking Attacks on RAG: On HotpotQA and MuSiQue, CODE caused a multiplication in reasoning token usage by 5.3×–24.7× (e.g., Qwen-Plus: 2,252 clean vs. 55,665 poisoned tokens) with no loss of answer accuracy, and with >90% of queries observing at least a 5× amplification. This suggests large-scale compute and billable inference overhead, even in correct-answer regimes (Zhang et al., 19 Jan 2026).
• P₂SQL and Multi-Step Prompt Injection: Seven LLMs (GPT-3.5, GPT-4, PaLM 2, Llama 2, Vicuna, Guanaco, Tulu) were tested on chain and agent attacks in Langchain. Success rates for chain attacks reached 100% (∼30 trials/model/attack), and for agent-based multi-step attacks were also universal among GPT-3.5, Vicuna, and others, highlighting the pervasiveness of the threat (Pedro et al., 2023). Subtle multi-step SQLi attacks also bypassed restrictive prompt and template defenses, as demonstrated in extensive benchmarks (Motlagh et al., 11 May 2026).
• Multi-Surrogate Query Attacks: QueryNet reduced attack queries per image by 70–93% over baseline on MNIST/CIFAR10, with average queries dropping from 50 to 4 in some settings, and final fooling accuracy of 0–1%, confirming the efficacy of multi-step surrogate-based attack cycles (Chen et al., 2021).

4. Stealth, Obfuscation, and Evasion Mechanisms

Injected multi-step query attacks systematically incorporate stealth and evasion strategies:

• Logic/Evidence Contradictions: CODE-style poisoning constructs contradictions that cannot be resolved in a single reasoning pass, inducing repeated self-correction and extended chain-of-thought expansion. The attack is not visible in the prompt or output, and maintains final accuracy, making detection via prompt or answer analysis infeasible (Zhang et al., 19 Jan 2026).
• Obfuscated Payload Encoding: Multi-step P₂SQL attacks are frequently cloaked via Unicode homoglyphs, keyword splitting, surrogate instructions (“ignore previous instructions”), or staged payload activation that requires several orchestrated context rounds to fully trigger (Motlagh et al., 11 May 2026).
• Hybrid Quines: JS worms split </script> to evade HTML sanitizers, chunk SQL eggs to bypass length limits, and operate purely via blind HTTP requests to obfuscate infection vectors (0909.4516).
• Query Selection Filters: In black-box ML attacks, multi-surrogate candidate filtering preselects only likely-to-succeed attacks, minimizing attenuation of the attack's "signal" by the model's decision surface (Chen et al., 2021).

5. Countermeasures and Defense Frameworks

Defending against injected multi-step query attacks demands layered strategies, each targeting a different locus of the attack pipeline:

• Corpus and Retrieval Sanitization: Trust-aware retriever filtering (e.g., TrustRAG) can be used to block low-trust passages, but fails to reliably detect locally plausible poisoned documents optimized for semantic similarity (Zhang et al., 19 Jan 2026).
• Prompt and Query Constraints: Prompt constraints (e.g., token-budgeted chain-of-thought, forced concise reasoning) modestly reduce overthinking amplification but do not negate deep contradiction-induced resource loops (Zhang et al., 19 Jan 2026).
• Permission Hardening: Fine-grained database permissioning, such as restricting LLM accounts to SELECT-only roles, prevents vertical escalation via prompt-injected SQL (Pedro et al., 2023).
• Automated Query Rewriting: Integration of SQL rewriting (e.g., restricting SELECT to filtered sub-tables) and in-process, contextually aware LLM guards that screen for malicious prompt or result content (Pedro et al., 2023).
• Multi-Layered Security Pipelines: Three-layer defense frameworks combine input sanitization (Input Security Shield), fine-tuned anomaly detection (behavioral and semantic), and signature-based query inspection, jointly achieving detection F1 ≈ 92% and false positive rates under 5% on adversarial prompt benchmarks (Motlagh et al., 11 May 2026).

Defense Layer	Effective Against	Limitations
Prompt Constraints	Resource blow-up	Fails for contradiction attacks
Corpus Filtering	Known poisons	High similarity passages evade filters
Permission Hardening	SQLi/P₂SQL	Does not address model-side logic loops
Anomaly Detection	Obfuscated prompts	Some polymorphic attacks evade

6. Representative Case Studies

• RAG Overthinking via CODE (Zhang et al., 19 Jan 2026): Poisoning samples are crafted to contain logical/evidential contradictions cross-aligned with the target numeric queries. Deployed in Toe-in-the-Water indexing (limited attacker write access), induced over 5×–25× reasoning resource blow-up on five black-box LLMs, with retrieval hit rate 100%, and defense evasion against all prompt and filtering baselines.
• Prompt-to-SQL (P₂SQL) Multi-Step Chains (Pedro et al., 2023, Motlagh et al., 11 May 2026): Adversarial prompt fragments propagated from user input or field-level poisoning (e.g., job descriptions) exploit multi-agent tool chains to trigger state changes (e.g., updating a user’s email) silently and accurately, even with input restrictions and secondary guards.
• Hybrid Worms as Two-Stage Quines (0909.4516): Coordinated malware infects the database via SQLi (Stage 1) and propagates via client-side persistent XSS (Stage 2), automating ongoing server-to-server reinfection through HTML and JS injection primitives.

7. Research Directions and Open Challenges

Open research questions include:

• Robust Contradiction and Error Detection: Current prompt and corpus filters are inadequate against logically deep, style-adapted contradictions that elicit pathological model reasoning (Zhang et al., 19 Jan 2026).
• Generalization of Behavioral Anomaly Detection: Learning semantic representations that reliably detect multi-hop, staged exploit payloads amidst benign prompt variance remains challenging, especially for model-agnostic or polymorphic attack variants (Motlagh et al., 11 May 2026).
• Compositional and Hybrid Defenses: There is a recurring need for combined, cross-layered defenses that jointly address prompt-layer, model-layer, and storage-layer vulnerabilities, while tolerating application-specific constraints (e.g., retrievability, explainability).
• Quantification of Attack Surface in New ML Pipelines: As orchestration frameworks, retrieval-augmented models, and multi-agent systems proliferate, mapping and securing the expanded attack graph is a moving frontier.

Injected multi-step query attacks are now established as a central threat vector in both ML and web infrastructure, demanding continual methodological advancements in both offensive and defensive capacities.