Hakuin: Injecting Brain into Blind SQL Injection

SQL Injection (SQLI) is a pervasive web attack where malicious input inserted into SQL queries alters their logic, potentially leading to database (DB) exfiltration. The exfiltration process is straightforward when the application responds to injected queries with its data. If it does not, the data can still be deduced with Blind SQLI (BSQLI), an inference technique based on response differences or time delays. Unfortunately, the low inference rate (one bit per request) makes BSQLI slow and severely limits the amount of extractable data.

Here we present Hakuin, a new open-source framework that leverages Machine Learning and statistics to optimize BSQLI. Hakuin uses probabilistic language models trained on millions of tables and columns extracted from Stack Exchange questions to infer DB schemas. To infer DB content, it utilizes several strategies including adaptive language models and opportunistic string guessing. Compared to the state-of-the-art (SOTA) BSQLI tools, Hakuin is about 6x faster on DB schemas, up to 3.2x faster on normal DB columns, and up to 26x faster on columns with limited values.
 
In this session, we describe Hakuin's design, show a performance comparison with 3 SOTA BSQLI tools, and finally do a demo where Hakuin quickly dumps a DB from a vulnerable web application.

Source codes of Hakuin can be found at: https://github.com/pruzko/hakuin