Monday, December 25, 2023

[Research] OWASP WebGoat v2023.8 penetration testing learning platform (Windows 2022)

2023-12-25

https://owasp.org/www-project-webgoat/

https://github.com/WebGoat/WebGoat
https://github.com/WebGoat/WebGoat/releases

WebGoat is a deliberately insecure web application maintained by OWASP, designed to teach web application security lessons.

Category:OWASP WebGoat Project
https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

GitHub - WebGoat/WebGoat: WebGoat is a deliberately insecure application
https://github.com/WebGoat/WebGoat
The page says Java 17 or 21 is required; the commands look like the following:
3. Standalone
Download the latest WebGoat release from https://github.com/WebGoat/WebGoat/releases
export TZ=Europe/Amsterdam # or your timezone
java -Dfile.encoding=UTF-8 -jar webgoat-2023.5.jar

Microsoft Build of OpenJDK
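Download it directly (look for the .msi format, which is easier to install; here ".msi" was translated as "微星", the MSI brand name, which looks very odd to me)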

After installing Java, open any Command Prompt window and test it to confirm the version.

C:\>java --version
openjdk 21.0.1 2023-10-17 LTS
OpenJDK Runtime Environment Microsoft-8526870 (build 21.0.1+12-LTS)
OpenJDK 64-Bit Server VM Microsoft-8526870 (build 21.0.1+12-LTS, mixed mode, sharing)

C:\>



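To start WebGoat, the following is actually enough; the -Dfile.encoding=UTF-8 parameter is not needed.

java -jar webgoat-2023.8.jar

Last time it failed on Windows Server 2019, but this time it runs normally on Windows 10, so I added this post.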

Microsoft Windows [版本 10.0.20348.2159]
(c) Microsoft Corporation. 著作權所有,並保留一切權利。

C:\Users\Administrator>cd\

C:\>java --version
openjdk 21.0.1 2023-10-17 LTS
OpenJDK Runtime Environment Microsoft-8526870 (build 21.0.1+12-LTS)
OpenJDK 64-Bit Server VM Microsoft-8526870 (build 21.0.1+12-LTS, mixed mode, sharing)

C:\>cd WebGoat

C:\WebGoat>java -jar webgoat-2023.8.jar
2023-12-25T16:50:20.924+08:00  INFO 6800 --- [           main] org.owasp.webgoat.server.StartWebGoat    : Starting StartWebGoat v2023.8 using Java 21.0.1 with PID 6800 (C:\WebGoat\webgoat-2023.8.jar started by Administrator in C:\WebGoat)
2023-12-25T16:50:20.924+08:00  INFO 6800 --- [           main] org.owasp.webgoat.server.StartWebGoat    : No active profile set, falling back to 1 default profile: "default"
2023-12-25T16:50:21.487+08:00  INFO 6800 --- [           main] org.owasp.webgoat.server.StartWebGoat    : Started StartWebGoat in 1.015 seconds (process running for 1.684)
    __          __       _        _____                   _
    \ \        / /      | |      / ____|                 | |
     \ \  /\  / /  ___  | |__   | |  __    ___     __ _  | |_
      \ \/  \/ /  / _ \ | '_ \  | | |_ |  / _ \   / _' | | __|
       \  /\  /  |  __/ | |_) | | |__| | | (_) | | (_| | | |_
        \/  \/    \___| |_.__/   \_____|  \___/   \__,_|  \__|

2023-12-25T16:50:21.550+08:00  INFO 6800 --- [           main] org.owasp.webgoat.server.StartWebGoat    : No active profile set, falling back to 1 default profile: "default"
2023-12-25T16:50:22.768+08:00  INFO 6800 --- [           main] .s.d.r.c.RepositoryConfigurationDelegate : Bootstrapping Spring Data JPA repositories in DEFAULT mode.
2023-12-25T16:50:22.831+08:00  INFO 6800 --- [           main] .s.d.r.c.RepositoryConfigurationDelegate : Finished Spring Data repository scanning in 64 ms. Found 2 JPA repository interfaces.
2023-12-25T16:50:23.487+08:00  WARN 6800 --- [           main] io.undertow.websockets.jsr               : UT026010: Buffer pool was not set on WebSocketDeploymentInfo, the default pool will be used
2023-12-25T16:50:23.518+08:00  INFO 6800 --- [           main] io.undertow.servlet                      : Initializing Spring embedded WebApplicationContext
2023-12-25T16:50:23.518+08:00  INFO 6800 --- [           main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 1921 ms
2023-12-25T16:50:23.846+08:00  INFO 6800 --- [           main] com.zaxxer.hikari.HikariDataSource       : HikariPool-1 - Starting...
2023-12-25T16:50:24.252+08:00  INFO 6800 --- [           main] com.zaxxer.hikari.pool.PoolBase          : HikariPool-1 - Driver does not support get/set network timeout for connections. (feature not supported)
2023-12-25T16:50:24.252+08:00  INFO 6800 --- [           main] com.zaxxer.hikari.pool.HikariPool        : HikariPool-1 - Added connection org.hsqldb.jdbc.JDBCConnection@2472c7d8
2023-12-25T16:50:24.252+08:00  INFO 6800 --- [           main] com.zaxxer.hikari.HikariDataSource       : HikariPool-1 - Start completed.
2023-12-25T16:50:24.300+08:00  INFO 6800 --- [           main] o.hibernate.jpa.internal.util.LogHelper  : HHH000204: Processing PersistenceUnitInfo [name: default]
2023-12-25T16:50:24.393+08:00  INFO 6800 --- [           main] org.hibernate.Version                    : HHH000412: Hibernate ORM core version 6.2.13.Final
2023-12-25T16:50:24.393+08:00  INFO 6800 --- [           main] org.hibernate.cfg.Environment            : HHH000406: Using bytecode reflection optimizer
2023-12-25T16:50:24.737+08:00  INFO 6800 --- [           main] o.s.o.j.p.SpringPersistenceUnitInfo      : No LoadTimeWeaver setup: ignoring JPA class transformer
2023-12-25T16:50:24.799+08:00  WARN 6800 --- [           main] org.hibernate.orm.deprecation            : HHH90000025: HSQLDialect does not need to be specified explicitly using 'hibernate.dialect' (remove the property setting and it will be selected by default)
2023-12-25T16:50:25.768+08:00  INFO 6800 --- [           main] o.h.e.t.j.p.i.JtaPlatformInitiator       : HHH000489: No JTA platform available (set 'hibernate.transaction.jta.platform' to enable JTA platform integration)
2023-12-25T16:50:25.768+08:00  INFO 6800 --- [           main] j.LocalContainerEntityManagerFactoryBean : Initialized JPA EntityManagerFactory for persistence unit 'default'
2023-12-25T16:50:27.705+08:00  INFO 6800 --- [           main] o.s.s.web.DefaultSecurityFilterChain     : Will secure any request with [org.springframework.security.web.session.DisableEncodeUrlFilter@32118208, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@414f87a9, org.springframework.security.web.context.SecurityContextHolderFilter@4519f676, org.springframework.security.web.header.HeaderWriterFilter@2fb25f4c, org.springframework.security.web.authentication.logout.LogoutFilter@4337afd, org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter@91f565d, org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter@46e3559f, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@3135bf25, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@3596b249, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@781711b7, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@1ddc6db2, org.springframework.security.web.access.ExceptionTranslationFilter@57ddd45b, org.springframework.security.web.access.intercept.AuthorizationFilter@18d003cd]
2023-12-25T16:50:28.111+08:00  INFO 6800 --- [           main] io.undertow                              : starting server: Undertow - 2.3.10.Final
2023-12-25T16:50:28.127+08:00  INFO 6800 --- [           main] org.xnio                                 : XNIO version 3.8.8.Final
2023-12-25T16:50:28.127+08:00  INFO 6800 --- [           main] org.xnio.nio                             : XNIO NIO Implementation Version 3.8.8.Final
2023-12-25T16:50:28.252+08:00  INFO 6800 --- [           main] org.jboss.threads                        : JBoss Threads version 3.5.0.Final
2023-12-25T16:50:28.314+08:00  INFO 6800 --- [           main] o.s.b.w.e.undertow.UndertowWebServer     : Undertow started on port(s) 9090 (http) with context path '/WebWolf'
2023-12-25T16:50:28.314+08:00  INFO 6800 --- [           main] org.owasp.webgoat.server.StartWebGoat    : Started StartWebGoat in 6.819 seconds (process running for 8.513)
    __          __       _        _____                   _
    \ \        / /      | |      / ____|                 | |
     \ \  /\  / /  ___  | |__   | |  __    ___     __ _  | |_
      \ \/  \/ /  / _ \ | '_ \  | | |_ |  / _ \   / _' | | __|
       \  /\  /  |  __/ | |_) | | |__| | | (_) | | (_| | | |_
        \/  \/    \___| |_.__/   \_____|  \___/   \__,_|  \__|

2023-12-25T16:50:28.361+08:00  INFO 6800 --- [           main] org.owasp.webgoat.server.StartWebGoat    : No active profile set, falling back to 1 default profile: "default"
2023-12-25T16:50:28.845+08:00  INFO 6800 --- [           main] .s.d.r.c.RepositoryConfigurationDelegate : Bootstrapping Spring Data JPA repositories in DEFAULT mode.
2023-12-25T16:50:28.877+08:00  INFO 6800 --- [           main] .s.d.r.c.RepositoryConfigurationDelegate : Finished Spring Data repository scanning in 29 ms. Found 2 JPA repository interfaces.
2023-12-25T16:50:29.033+08:00  WARN 6800 --- [           main] io.undertow.websockets.jsr               : UT026010: Buffer pool was not set on WebSocketDeploymentInfo, the default pool will be used
2023-12-25T16:50:29.033+08:00  INFO 6800 --- [           main] io.undertow.servlet                      : Initializing Spring embedded WebApplicationContext
2023-12-25T16:50:29.033+08:00  INFO 6800 --- [           main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 625 ms
2023-12-25T16:50:29.173+08:00  INFO 6800 --- [           main] o.f.c.internal.license.VersionPrinter    : Flyway Community Edition 9.16.3 by Redgate
2023-12-25T16:50:29.173+08:00  INFO 6800 --- [           main] o.f.c.internal.license.VersionPrinter    : See release notes here: https://rd.gt/416ObMi
2023-12-25T16:50:29.189+08:00  INFO 6800 --- [           main] o.f.c.internal.license.VersionPrinter    :
2023-12-25T16:50:29.205+08:00  INFO 6800 --- [           main] o.f.c.i.database.base.BaseDatabaseType   : Database: jdbc:hsqldb:file:C:\Users\Administrator/.webgoat-2023.8//webgoat (HSQL Database Engine 2.7)
2023-12-25T16:50:29.221+08:00  WARN 6800 --- [           main] o.f.c.internal.database.base.Database    : Flyway upgrade recommended: HSQLDB 2.7 is newer than this version of Flyway and support has not been tested. The latest supported version of HSQLDB is 2.6.
2023-12-25T16:50:29.236+08:00  INFO 6800 --- [           main] o.f.core.internal.database.base.Schema   : Creating schema "container" ...
2023-12-25T16:50:29.252+08:00  INFO 6800 --- [           main] o.f.c.i.s.JdbcTableSchemaHistory         : Creating Schema History table "container"."flyway_schema_history" ...
2023-12-25T16:50:29.299+08:00  INFO 6800 --- [           main] o.f.core.internal.command.DbMigrate      : Current version of schema "container": null
2023-12-25T16:50:29.314+08:00  INFO 6800 --- [           main] o.f.core.internal.command.DbMigrate      : Migrating schema "container" to version "1 - init"
2023-12-25T16:50:29.330+08:00  INFO 6800 --- [           main] o.f.core.internal.command.DbMigrate      : Migrating schema "container" to version "2 - version"
2023-12-25T16:50:29.366+08:00  INFO 6800 --- [           main] o.f.core.internal.command.DbMigrate      : Migrating schema "container" to version "3 - id"
2023-12-25T16:50:29.373+08:00  INFO 6800 --- [           main] o.f.core.internal.command.DbMigrate      : Successfully applied 3 migrations to schema "container", now at version v3 (execution time 00:00.075s)
2023-12-25T16:50:29.398+08:00  INFO 6800 --- [           main] o.hibernate.jpa.internal.util.LogHelper  : HHH000204: Processing PersistenceUnitInfo [name: default]
2023-12-25T16:50:29.406+08:00  INFO 6800 --- [           main] o.s.o.j.p.SpringPersistenceUnitInfo      : No LoadTimeWeaver setup: ignoring JPA class transformer
2023-12-25T16:50:29.409+08:00  WARN 6800 --- [           main] org.hibernate.orm.deprecation            : HHH90000025: HSQLDialect does not need to be specified explicitly using 'hibernate.dialect' (remove the property setting and it will be selected by default)
2023-12-25T16:50:29.573+08:00  INFO 6800 --- [           main] o.h.e.t.j.p.i.JtaPlatformInitiator       : HHH000489: No JTA platform available (set 'hibernate.transaction.jta.platform' to enable JTA platform integration)
2023-12-25T16:50:29.573+08:00  INFO 6800 --- [           main] j.LocalContainerEntityManagerFactoryBean : Initialized JPA EntityManagerFactory for persistence unit 'default'
2023-12-25T16:50:29.679+08:00  INFO 6800 --- [           main] o.o.w.lessons.logging.LogBleedingTask    : Password for admin: NTRjMzkyYjYtMTdjMy00ODcxLWE3ZDAtMzY1OTM3NTMyNjQ0
2023-12-25T16:50:29.803+08:00  WARN 6800 --- [           main] o.o.w.c.lessons.CourseConfiguration      : Lesson: webgoat.title has no endpoints, is this intentionally?
2023-12-25T16:50:30.330+08:00  INFO 6800 --- [           main] o.s.b.a.e.web.EndpointLinksResolver      : Exposing 3 endpoint(s) beneath base path '/actuator'
2023-12-25T16:50:30.345+08:00  INFO 6800 --- [           main] o.s.s.web.DefaultSecurityFilterChain     : Will secure any request with [org.springframework.security.web.session.DisableEncodeUrlFilter@40b31a16, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@25fa6889, org.springframework.security.web.context.SecurityContextHolderFilter@1e29a81a, org.springframework.security.web.authentication.logout.LogoutFilter@3cf4dec7, org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter@2a425cf5, org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter@17d76ebb, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@305aaedf, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@7b4b8199, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@4bbf20d1, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@1de73d37, org.springframework.security.web.access.ExceptionTranslationFilter@38a38ed4, org.springframework.security.web.access.intercept.AuthorizationFilter@299fc582]
2023-12-25T16:50:31.596+08:00 [main] WARN FilenoUtil : Native subprocess control requires open access to the JDK IO subsystem
Pass '--add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED' to enable.
2023-12-25T16:50:33.642+08:00  WARN 6800 --- [           main] ion$DefaultTemplateResolverConfiguration : Cannot find template location: classpath:/templates/ (please add some templates, check your Thymeleaf configuration, or set spring.thymeleaf.check-template-location=false)
2023-12-25T16:50:33.657+08:00  INFO 6800 --- [           main] io.undertow                              : starting server: Undertow - 2.3.10.Final
2023-12-25T16:50:33.672+08:00  INFO 6800 --- [           main] o.s.b.w.e.undertow.UndertowWebServer     : Undertow started on port(s) 8080 (http) with context path '/WebGoat'
2023-12-25T16:50:33.673+08:00  INFO 6800 --- [           main] org.owasp.webgoat.server.StartWebGoat    : Started StartWebGoat in 5.344 seconds (process running for 13.863)
2023-12-25T16:50:33.673+08:00  WARN 6800 --- [           main] org.owasp.webgoat.server.StartWebGoat    : Please browse to http://127.0.0.1:8080/WebGoat to start using WebGoat...



The run completed normally.

The log shows: Undertow started on port(s) 8080 (http) with context path '/WebGoat'

http://127.0.0.1:8080/WebGoat
Note that it is HTTP, and note the capitalization of WebGoat.


Check which process is using port 8080

Microsoft Windows [版本 10.0.20348.2159]
(c) Microsoft Corporation. 著作權所有,並保留一切權利。

C:\Users\Administrator>netstat -nao | find "8080"
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       6800
  TCP    127.0.0.1:8080         127.0.0.1:49809        ESTABLISHED     6800
  TCP    127.0.0.1:8080         127.0.0.1:49810        ESTABLISHED     6800
  TCP    127.0.0.1:8080         127.0.0.1:49811        ESTABLISHED     6800
  TCP    127.0.0.1:8080         127.0.0.1:49815        ESTABLISHED     6800
  TCP    127.0.0.1:49809        127.0.0.1:8080         ESTABLISHED     6268
  TCP    127.0.0.1:49810        127.0.0.1:8080         ESTABLISHED     6268
  TCP    127.0.0.1:49811        127.0.0.1:8080         ESTABLISHED     6268
  TCP    127.0.0.1:49815        127.0.0.1:8080         ESTABLISHED     6268

C:\Users\Administrator>tasklist /fi "pid eq 6800

映像名稱                       PID 工作階段名稱      工作階段 #    RAM使用量
========================= ======== ================ =========== ============
java.exe                      6800 Console                    1    446,152 K

C:\Users\Administrator>
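
The check above, automated for both ports in the startup log (8080 for WebGoat, 9090 for WebWolf): because WebGoat is deliberately insecure, the point to confirm is that its listeners stay on 127.0.0.1. This is an added example, not part of the original post or the WebGoat project; the function names and the 0.0.0.0 row in the sample are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: three rows taken from the netstat output above, plus one
# hypothetical 0.0.0.0 listener on WebWolf's port to show the failure case.
SAMPLE = """\
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       6800
  TCP    127.0.0.1:8080         127.0.0.1:49809        ESTABLISHED     6800
  TCP    127.0.0.1:49809        127.0.0.1:8080         ESTABLISHED     6268
  TCP    0.0.0.0:9090           0.0.0.0:0              LISTENING       6800
"""

# One TCP row of `netstat -nao`: local addr:port, remote addr:port, state, PID.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s+(\S+)\s+(\d+)\s*$")

def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; brackets and IPv6 zone ids are stripped."""
    return ipaddress.ip_address(addr.strip("[]").split("%")[0]).is_loopback

def audit(text, ports=(8080, 9090)):
    """Return (exposed_listeners, remote_peers) for the lab ports.

    exposed_listeners: LISTENING sockets bound to a non-loopback address.
    remote_peers: ESTABLISHED connections whose peer is not loopback.
    """
    exposed, remote_peers = [], []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, UDP rows, blank lines
        lip, lport, rip, _rport, state, pid = m.groups()
        if int(lport) not in ports:
            continue  # row where 8080 is only the remote port (client side)
        if state == "LISTENING" and not is_loopback(lip):
            exposed.append((lip.strip("[]"), int(lport), int(pid)))
        elif state == "ESTABLISHED" and not is_loopback(rip):
            remote_peers.append((rip.strip("[]"), int(lport), int(pid)))
    return exposed, remote_peers

if __name__ == "__main__":
    exposed, peers = audit(SAMPLE)
    for ip, port, pid in exposed:
        print(f"port {port} is bound to {ip} (PID {pid}): reachable from other hosts")
    for ip, port, pid in peers:
        print(f"non-local client {ip} connected to port {port} (PID {pid})")
```

To use it on a live host, pass the text of `netstat -nao` to `audit()` instead of `SAMPLE`; with the output shown in this post both lists come back empty.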


(Figure below) On the login screen shown above, click Register New User and create an account; you can then log in.




The menu on the left follows the OWASP Top 10.

To stop the program, press Ctrl-C in the Command Prompt window.

(End)

Related

[Research] OWASP WebGoat v2023.8 penetration testing learning platform (Windows 2022)
https://shaurong.blogspot.com/2023/12/owasp-webgoat-v20238-windows-2022.html

[Research] OWASP WebGoat 8.2.2 penetration testing learning platform (Windows Server 2019) (part 2)
https://shaurong.blogspot.com/2022/05/owasp-webgoat-822-windows-server-2019.html

[Research] OWASP WebGoat 8.2.2 penetration testing learning platform (Windows 10)

[Research] OWASP WebGoat 8.2.2 and WebWolf 8.2.2 penetration testing learning platform: installation and startup (Windows 2019)
https://shaurong.blogspot.com/2022/05/owasp-webgoat-822webwolf-822.html

[Research] OWASP WebGoat 8.0 installation
http://shaurong.blogspot.com/2018/06/owasp-webgoat-80.html

[Research] OWASP WebGoatFor.Net installation
http://shaurong.blogspot.com/2016/12/owasp-webgoatfornet.html

[Research] OWASP WebGoat 7.1 installation
http://shaurong.blogspot.com/2016/12/owasp-webgoat-71.html

[Research] OWASP Zed Attack Proxy (ZAP) 2.4.2 and 2.6.0 penetration testing and vulnerability scanning tool: installation and trial
http://shaurong.blogspot.com/2015/10/owasp-zed-attack-proxy-zap-242.html
