Thursday, May 8, 2025

[Research] Installing the OWASP WebGoat v2025.3 penetration testing learning platform (Windows 2025)

2025-05-08

https://owasp.org/www-project-webgoat/

https://github.com/WebGoat/WebGoat
https://github.com/WebGoat/WebGoat/releases

WebGoat is a deliberately insecure web application maintained by OWASP, built for teaching web application security lessons.

Category:OWASP WebGoat Project
https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

GitHub - WebGoat/WebGoat: WebGoat is a deliberately insecure application
https://github.com/WebGoat/WebGoat
The project page says Java 23 is required; the startup commands look like this:

export TZ=Europe/Amsterdam # or your timezone
java -Dfile.encoding=UTF-8 -jar webgoat-2025.3.jar

Microsoft Build of OpenJDK
Download it directly (the .msi package is the most convenient to install). At the time of writing Java here only goes up to 21, so let's try that first.

After installing Java, open any Command Prompt window and check the version:
C:\>java --version
openjdk 21.0.7 2025-04-15 LTS
OpenJDK Runtime Environment Microsoft-11369940 (build 21.0.7+6-LTS)
OpenJDK 64-Bit Server VM Microsoft-11369940 (build 21.0.7+6-LTS, mixed mode, sharing)
C:\>


Starting WebGoat actually only needs the following; the -Dfile.encoding=UTF-8 parameter is not required:

java -jar webgoat-2025.3.jar

By default WebGoat only accepts connections from the local machine (localhost). This is a security measure, so that nobody else can reach it without authorization. If you want other machines (for example other computers on the LAN) to connect to WebGoat, there are several ways to configure it; the most common is:

java -jar webgoat-2025.3.jar --server.address=0.0.0.0 --server.port=8080

or the following (recommended):

java -jar webgoat-2025.3.jar --server.address=0.0.0.0

Testing on Windows Server 2025

C:\>java --version
openjdk 21.0.7 2025-04-15 LTS
OpenJDK Runtime Environment Microsoft-11369940 (build 21.0.7+6-LTS)
OpenJDK 64-Bit Server VM Microsoft-11369940 (build 21.0.7+6-LTS, mixed mode, sharing)

C:\>cd WebGoat

C:\WebGoat>java -jar webgoat-2025.3.jar
Exception in thread "main" java.lang.UnsupportedClassVersionError: org/owasp/webgoat/server/StartWebGoat has been compiled by a more recent version of the Java Runtime (class file version 67.0), this version of the Java Runtime only recognizes class file versions up to 65.0
        at java.base/java.lang.ClassLoader.defineClass1(Native Method)
        at java.base/java.lang.ClassLoader.defineClass(ClassLoader.java:1027)
        at java.base/java.security.SecureClassLoader.defineClass(SecureClassLoader.java:150)
        at java.base/java.net.URLClassLoader.defineClass(URLClassLoader.java:524)
        at java.base/java.net.URLClassLoader$1.run(URLClassLoader.java:427)
        at java.base/java.net.URLClassLoader$1.run(URLClassLoader.java:421)
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:714)
        at java.base/java.net.URLClassLoader.findClass(URLClassLoader.java:420)
        at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:593)
        at org.springframework.boot.loader.net.protocol.jar.JarUrlClassLoader.loadClass(JarUrlClassLoader.java:107)
        at org.springframework.boot.loader.launch.LaunchedClassLoader.loadClass(LaunchedClassLoader.java:91)
        at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:526)
        at java.base/java.lang.Class.forName0(Native Method)
        at java.base/java.lang.Class.forName(Class.java:534)
        at java.base/java.lang.Class.forName(Class.java:513)
        at org.springframework.boot.loader.launch.Launcher.launch(Launcher.java:99)
        at org.springframework.boot.loader.launch.Launcher.launch(Launcher.java:64)
        at org.springframework.boot.loader.launch.JarLauncher.main(JarLauncher.java:40)

C:\WebGoat>

This tells us two things:

class file version 67.0 means WebGoat 2025.3 was compiled with Java 23.

this version of the Java Runtime only recognizes class file versions up to 65.0 means the Java currently installed is Java 21 (which corresponds to class file version 65.0).
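As an added example (not from the original post), here is a small Python check that reads the class-file major version straight out of the jar and compares it with the output of java --version, so the mismatch above can be caught before launching. It assumes the Spring Boot fat-jar layout, where the main class sits under BOOT-INF/classes/; the jar used in the demonstration is constructed in memory.

```python
import io
import re
import struct
import subprocess
import sys
import zipfile

# Assumed Spring Boot fat-jar layout: application classes live under BOOT-INF/classes/.
MAIN_CLASS = "BOOT-INF/classes/org/owasp/webgoat/server/StartWebGoat.class"


def build_sample_jar(major: int) -> bytes:
    """Constructed in-memory jar whose main class carries only the 8-byte header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # A class file starts with magic 0xCAFEBABE, then minor and major version.
        zf.writestr(MAIN_CLASS, struct.pack(">IHH", 0xCAFEBABE, 0, major))
    return buf.getvalue()


def class_major_version(class_bytes: bytes) -> int:
    magic, _minor, major = struct.unpack(">IHH", class_bytes[:8])
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    return major


def java_release_for_major(major: int) -> int:
    # From Java 5 onward, major = release + 44 (Java 21 -> 65, Java 23 -> 67).
    return major - 44


def required_java_release(jar_bytes: bytes, class_path: str = MAIN_CLASS) -> int:
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return java_release_for_major(class_major_version(zf.read(class_path)))


def runtime_release(version_output: str) -> int:
    """Feature release from the first line of `java --version` (e.g. 'openjdk 21.0.7 ...')."""
    m = re.match(r"\S+\s+(\d+)", version_output.strip())
    if not m:
        raise ValueError("unrecognised java --version output")
    return int(m.group(1))


def can_run(jar_bytes: bytes, version_output: str) -> bool:
    """True when the installed runtime is at least the release the jar was built for."""
    return runtime_release(version_output) >= required_java_release(jar_bytes)


if __name__ == "__main__":
    # Usage: python check_jar_java.py webgoat-2025.3.jar
    jar = open(sys.argv[1], "rb").read()
    out = subprocess.run(["java", "--version"], capture_output=True, text=True).stdout
    print("jar needs Java", required_java_release(jar), "| runtime is Java", runtime_release(out))
```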

Remove Java 21 and install jdk-24_windows-x64_bin.msi instead.

Run:

C:\>java --version
java 24.0.1 2025-04-15
Java(TM) SE Runtime Environment (build 24.0.1+9-30)
Java HotSpot(TM) 64-Bit Server VM (build 24.0.1+9-30, mixed mode, sharing)

C:\>cd WebGoat

C:\WebGoat>java -jar webgoat-2025.3.jar
2025-05-08T09:27:00.195+08:00  INFO 4264 --- [           main] org.owasp.webgoat.server.StartWebGoat    : Starting StartWebGoat v2025.3 using Java 24.0.1 with PID 4264 (C:\WebGoat\webgoat-2025.3.jar started by Administrator in C:\WebGoat)
2025-05-08T09:27:00.204+08:00  INFO 4264 --- [           main] org.owasp.webgoat.server.StartWebGoat    : No active profile set, falling back to 1 default profile: "default"
2025-05-08T09:27:00.807+08:00  INFO 4264 --- [           main] org.owasp.webgoat.server.StartWebGoat    : Started StartWebGoat in 1.257 seconds (process running for 2.196)
 __        __   _  __        __    _  __
 \ \      / /__| |_\ \      / /__ | |/ _|
  \ \ /\ / / _ \ '_ \ \ /\ / / _ \| | |_
   \ V  V /  __/ |_) \ V  V / (_) | |  _|
    \_/\_/ \___|_.__/ \_/\_/ \___/|_|_|

2025-05-08T09:27:01.078+08:00  INFO 4264 --- [           main] org.owasp.webgoat.server.StartWebGoat    : No active profile set, falling back to 1 default profile: "default"
2025-05-08T09:27:02.044+08:00  INFO 4264 --- [           main] .s.d.r.c.RepositoryConfigurationDelegate : Bootstrapping Spring Data JPA repositories in DEFAULT mode.
2025-05-08T09:27:02.122+08:00  INFO 4264 --- [           main] .s.d.r.c.RepositoryConfigurationDelegate : Finished Spring Data repository scanning in 61 ms. Found 2 JPA repository interfaces.
WARNING: A restricted method in java.lang.System has been called
WARNING: java.lang.System::load has been called by org.apache.tomcat.jni.Library in an unnamed module (jar:nested:/C:/WebGoat/webgoat-2025.3.jar/!BOOT-INF/lib/tomcat-embed-core-10.1.36.jar!/)
WARNING: Use --enable-native-access=ALL-UNNAMED to avoid a warning for callers in this module
WARNING: Restricted methods will be blocked in a future release unless native access is enabled

2025-05-08T09:27:04.008+08:00  INFO 4264 --- [           main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat initialized with port 9090 (http)
2025-05-08T09:27:04.040+08:00  INFO 4264 --- [           main] o.apache.catalina.core.StandardService   : Starting service [Tomcat]
2025-05-08T09:27:04.040+08:00  INFO 4264 --- [           main] o.apache.catalina.core.StandardEngine    : Starting Servlet engine: [Apache Tomcat/10.1.36]
2025-05-08T09:27:04.111+08:00  INFO 4264 --- [           main] o.a.c.c.C.[.[localhost].[/WebWolf]       : Initializing Spring embedded WebApplicationContext
2025-05-08T09:27:04.112+08:00  INFO 4264 --- [           main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 2911 ms
2025-05-08T09:27:04.555+08:00  INFO 4264 --- [           main] com.zaxxer.hikari.HikariDataSource       : HikariPool-1 - Starting...
2025-05-08T09:27:05.210+08:00  INFO 4264 --- [           main] com.zaxxer.hikari.pool.PoolBase          : HikariPool-1 - Driver does not support get/set network timeout for connections. (feature not supported)
2025-05-08T09:27:05.212+08:00  INFO 4264 --- [           main] com.zaxxer.hikari.pool.HikariPool        : HikariPool-1 - Added connection org.hsqldb.jdbc.JDBCConnection@7bfa1eb5
2025-05-08T09:27:05.215+08:00  INFO 4264 --- [           main] com.zaxxer.hikari.HikariDataSource       : HikariPool-1 - Start completed.
2025-05-08T09:27:05.424+08:00  INFO 4264 --- [           main] o.hibernate.jpa.internal.util.LogHelper  : HHH000204: Processing PersistenceUnitInfo [name: default]
2025-05-08T09:27:05.578+08:00  INFO 4264 --- [           main] org.hibernate.Version                    : HHH000412: Hibernate ORM core version 6.6.8.Final
2025-05-08T09:27:05.644+08:00  INFO 4264 --- [           main] o.h.c.internal.RegionFactoryInitiator    : HHH000026: Second-level cache disabled
2025-05-08T09:27:06.138+08:00  INFO 4264 --- [           main] o.s.o.j.p.SpringPersistenceUnitInfo      : No LoadTimeWeaver setup: ignoring JPA class transformer
2025-05-08T09:27:06.226+08:00  WARN 4264 --- [           main] org.hibernate.orm.deprecation            : HHH90000025: HSQLDialect does not need to be specified explicitly using 'hibernate.dialect' (remove the property setting and it will be selected bydefault)
2025-05-08T09:27:06.244+08:00  INFO 4264 --- [           main] org.hibernate.orm.connections.pooling    : HHH10001005: Database info:
        Database JDBC URL [Connecting through datasource 'HikariDataSource (HikariPool-1)']
        Database driver: undefined/unknown
        Database version: 2.7.3
        Autocommit mode: undefined/unknown
        Isolation level: undefined/unknown
        Minimum pool size: undefined/unknown
        Maximum pool size: undefined/unknown
2025-05-08T09:27:07.471+08:00  INFO 4264 --- [           main] o.h.e.t.j.p.i.JtaPlatformInitiator       : HHH000489: No JTA platform available (set 'hibernate.transaction.jta.platform' to enable JTA platform integration)
2025-05-08T09:27:07.476+08:00  INFO 4264 --- [           main] j.LocalContainerEntityManagerFactoryBean : Initialized JPA EntityManagerFactory for persistence unit 'default'
2025-05-08T09:27:08.556+08:00  WARN 4264 --- [           main] r$InitializeUserDetailsManagerConfigurer : Global AuthenticationManager configured with an AuthenticationProvider bean. UserDetailsService beans will not be used by Spring Security for automatically configuring username/password login. Consider removing the AuthenticationProvider bean. Alternatively, consider using the UserDetailsService in a manually instantiated DaoAuthenticationProvider. If the current configuration is intentional, to turn off this warning, increase the logging level of 'org.springframework.security.config.annotation.authentication.configuration.InitializeUserDetailsBeanManagerConfigurer' to ERROR
WARNING: A terminally deprecated method in sun.misc.Unsafe has been called
WARNING: sun.misc.Unsafe::invokeCleaner has been called by nonapi.io.github.classgraph.utils.FileUtils (jar:nested:/C:/WebGoat/webgoat-2025.3.jar/!BOOT-INF/lib/classgraph-4.8.173.jar!/)
WARNING: Please consider reporting this to the maintainers of class nonapi.io.github.classgraph.utils.FileUtils
WARNING: sun.misc.Unsafe::invokeCleaner will be removed in a future release
2025-05-08T09:27:11.169+08:00  INFO 4264 --- [           main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat started on port 9090 (http) with context path '/WebWolf'
2025-05-08T09:27:11.222+08:00  INFO 4264 --- [           main] org.owasp.webgoat.server.StartWebGoat    : Started StartWebGoat in 10.217 seconds (process running for 12.61)
 __        __   _      ____             _
 \ \      / /__| |__  / ___| ___   __ _| |_
  \ \ /\ / / _ \ '_ \| |  _ / _ \ / _` | __|
   \ V  V /  __/ |_) | |_| | (_) | (_| | |_
    \_/\_/ \___|_.__/ \____|\___/ \__,_|\__|

2025-05-08T09:27:11.604+08:00  INFO 4264 --- [           main] org.owasp.webgoat.server.StartWebGoat    : No active profile set, falling back to 1 default profile: "default"
2025-05-08T09:27:12.289+08:00  INFO 4264 --- [           main] .s.d.r.c.RepositoryConfigurationDelegate : Bootstrapping Spring Data JPA repositories in DEFAULT mode.
2025-05-08T09:27:12.303+08:00  INFO 4264 --- [           main] .s.d.r.c.RepositoryConfigurationDelegate : Finished Spring Data repository scanning in 12 ms. Found 2 JPA repository interfaces.
2025-05-08T09:27:12.660+08:00  INFO 4264 --- [           main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat initialized with port 8080 (http)
2025-05-08T09:27:12.662+08:00  INFO 4264 --- [           main] o.apache.catalina.core.StandardService   : Starting service [Tomcat]
2025-05-08T09:27:12.662+08:00  INFO 4264 --- [           main] o.apache.catalina.core.StandardEngine    : Starting Servlet engine: [Apache Tomcat/10.1.36]
2025-05-08T09:27:12.671+08:00  INFO 4264 --- [           main] o.a.c.c.C.[.[localhost].[/WebGoat]       : Initializing Spring embedded WebApplicationContext
2025-05-08T09:27:12.674+08:00  INFO 4264 --- [           main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 966 ms
2025-05-08T09:27:13.225+08:00  INFO 4264 --- [           main] org.flywaydb.core.FlywayExecutor         : Database: jdbc:hsqldb:file:C:\Users\Administrator/.webgoat-2025.3//webgoat (HSQL Database Engine 2.7)
2025-05-08T09:27:13.290+08:00  INFO 4264 --- [           main] o.f.core.internal.database.base.Schema   : Creating schema "container" ...
2025-05-08T09:27:13.325+08:00  INFO 4264 --- [           main] o.f.c.i.s.JdbcTableSchemaHistory         : Creating Schema History table "container"."flyway_schema_history" ...
2025-05-08T09:27:13.434+08:00  INFO 4264 --- [           main] o.f.core.internal.command.DbMigrate      : Current version of schema "container": null
2025-05-08T09:27:13.466+08:00  INFO 4264 --- [           main] o.f.core.internal.command.DbMigrate      : Migrating schema "container" to version "1 - init"
2025-05-08T09:27:13.487+08:00  INFO 4264 --- [           main] o.f.core.internal.command.DbMigrate      : Successfully applied 1 migration to schema "container", now at version v1 (execution time 00:00.012s)
2025-05-08T09:27:13.564+08:00  INFO 4264 --- [           main] o.hibernate.jpa.internal.util.LogHelper  : HHH000204: Processing PersistenceUnitInfo [name: default]
2025-05-08T09:27:13.583+08:00  INFO 4264 --- [           main] o.h.c.internal.RegionFactoryInitiator    : HHH000026: Second-level cache disabled
2025-05-08T09:27:13.628+08:00  INFO 4264 --- [           main] o.s.o.j.p.SpringPersistenceUnitInfo      : No LoadTimeWeaver setup: ignoring JPA class transformer
2025-05-08T09:27:13.634+08:00  WARN 4264 --- [           main] org.hibernate.orm.deprecation            : HHH90000025: HSQLDialect does not need to be specified explicitly using 'hibernate.dialect' (remove the property setting and it will be selected bydefault)
2025-05-08T09:27:13.636+08:00  INFO 4264 --- [           main] org.hibernate.orm.connections.pooling    : HHH10001005: Database info:
        Database JDBC URL [Connecting through datasource 'org.springframework.jdbc.datasource.DriverManagerDataSource@5b3c2e59']
        Database driver: undefined/unknown
        Database version: 2.7.3
        Autocommit mode: undefined/unknown
        Isolation level: undefined/unknown
        Minimum pool size: undefined/unknown
        Maximum pool size: undefined/unknown
2025-05-08T09:27:13.964+08:00  INFO 4264 --- [           main] o.h.e.t.j.p.i.JtaPlatformInitiator       : HHH000489: No JTA platform available (set 'hibernate.transaction.jta.platform' to enable JTA platform integration)
2025-05-08T09:27:13.997+08:00  INFO 4264 --- [           main] j.LocalContainerEntityManagerFactoryBean : Initialized JPA EntityManagerFactory for persistence unit 'default'
2025-05-08T09:27:14.146+08:00  INFO 4264 --- [           main] o.o.w.lessons.logging.LogBleedingTask    : Password for admin: NWY0YjQ0ZDYtNjUyOC00Y2EyLWIzZWYtNjU5OTZjOTVjZjcx
2025-05-08T09:27:19.228+08:00  WARN 4264 --- [           main] r$InitializeUserDetailsManagerConfigurer : Global AuthenticationManager configured with an AuthenticationProvider bean. UserDetailsService beans will not be used by Spring Security for automatically configuring username/password login. Consider removing the AuthenticationProvider bean. Alternatively, consider using the UserDetailsService in a manually instantiated DaoAuthenticationProvider. If the current configuration is intentional, to turn off this warning, increase the logging level of 'org.springframework.security.config.annotation.authentication.configuration.InitializeUserDetailsBeanManagerConfigurer' to ERROR
2025-05-08T09:27:20.190+08:00  INFO 4264 --- [           main] o.s.b.a.e.web.EndpointLinksResolver      : Exposing 3 endpoints beneath base path '/actuator'
2025-05-08T09:27:20.230+08:00  WARN 4264 --- [           main] thorizationManagerRequestMatcherRegistry : One of the patterns in [/favicon.ico, /css/**, /images/**, /js/**, fonts/**, /plugins/**, /registration, /register.mvc, /actuator/**] is missing a leading slash. This is discouraged; please include the leading slash in all your request matcher patterns. In future versions of Spring Security, leaving out the leading slash will result in an exception.
2025-05-08T09:27:20.545+08:00  WARN 4264 --- [           main] ion$DefaultTemplateResolverConfiguration : Cannot find template location: classpath:/templates/ (please add some templates, check your Thymeleaf configuration, or set spring.thymeleaf.check-template-location=false)
2025-05-08T09:27:20.586+08:00  INFO 4264 --- [           main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat started on port 8080 (http) with context path '/WebGoat'
2025-05-08T09:27:20.596+08:00  INFO 4264 --- [           main] org.owasp.webgoat.server.StartWebGoat    : Started StartWebGoat in 9.033 seconds (process running for 21.985)
2025-05-08T09:27:20.599+08:00  WARN 4264 --- [           main] org.owasp.webgoat.server.StartWebGoat    : Please browse to http://127.0.0.1:8080/WebGoat to start using WebGoat...

It runs normally.

The message shows: Undertow started on port(s) 8080 (http) with context path '/WebGoat'


http://127.0.0.1:8080/WebGoat
Note that it is HTTP, and note the capitalization of WebGoat.


If the startup log ends in a failure because port 8080 is already in use, you can find out who is using it:

Error starting ApplicationContext. To display the condition evaluation report re-run your application with 'debug' enabled.
2025-05-08T10:00:10.400+08:00 ERROR 7728 --- [           main] o.s.b.d.LoggingFailureAnalysisReporter   :

***************************
APPLICATION FAILED TO START
***************************

Description:

Web server failed to start. Port 8080 was already in use.

Action:

Identify and stop the process that's listening on port 8080 or configure this application to listen on another port.
       

Check who is using port 8080:

C:\>netstat -nao | find "8080"
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       4264
  TCP    127.0.0.1:61395        127.0.0.1:8080         TIME_WAIT       0
  TCP    127.0.0.1:61396        127.0.0.1:8080         TIME_WAIT       0
  TCP    127.0.0.1:61402        127.0.0.1:8080         TIME_WAIT       0
  TCP    127.0.0.1:61403        127.0.0.1:8080         TIME_WAIT       0

C:\>tasklist /fi "pid eq 4264"

映像名稱                       PID 工作階段名稱      工作階段 #    RAM使用量
========================= ======== ================ =========== ============
java.exe                      4264 Console                    1    454,144 K

C:\>

You can use Task Manager to End Task on java.exe.
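Added example, not part of the original post: a Python helper that parses netstat -nao output for the process actually LISTENING on port 8080, ignoring the TIME_WAIT rows and avoiding the pitfall of a plain substring filter such as find "8080", which would also match port 18080 or a remote address, plus a bind test to confirm the port is free before launching WebGoat. The netstat sample is constructed from the page's output with extra rows added for the 18080 and UDP cases.

```python
import socket
import subprocess

# Constructed sample modelled on the netstat -nao output shown on the page; the
# 18080 row and the TIME_WAIT rows show what a substring match on "8080" would
# wrongly pick up, and the UDP row has no State column at all.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       4264
  TCP    127.0.0.1:61395        127.0.0.1:8080         TIME_WAIT       0
  TCP    127.0.0.1:61396        127.0.0.1:8080         TIME_WAIT       0
  TCP    0.0.0.0:18080          0.0.0.0:0              LISTENING       9999
  TCP    [::]:8080              [::]:0                 LISTENING       4264
  UDP    0.0.0.0:5353           *:*                                    1234
"""


def local_port(address: str) -> int:
    """Return the port from '127.0.0.1:8080' or '[::]:8080'."""
    return int(address.rsplit(":", 1)[1])


def listener_pids(netstat_output: str, port: int) -> set:
    """PIDs of TCP sockets in LISTENING state bound to exactly `port`."""
    pids = set()
    for line in netstat_output.splitlines():
        parts = line.split()
        # TCP rows have five columns; UDP rows have no State column, so skip them.
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        _proto, local, _foreign, state, pid = parts
        if state == "LISTENING" and local_port(local) == port:
            pids.add(int(pid))
    return pids


def substring_hits(netstat_output: str, needle: str) -> int:
    """Rows a `find "8080"` style filter would return, for comparison."""
    return sum(1 for line in netstat_output.splitlines() if needle in line)


def is_port_free(port: int, host: str = "127.0.0.1") -> bool:
    """Try to bind; a failure means something already holds the port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return True
        except OSError:
            return False


if __name__ == "__main__":
    # Live run on Windows: the same parsing applied to the real netstat output.
    out = subprocess.run(["netstat", "-nao"], capture_output=True, text=True).stdout
    print("port 8080 free:", is_port_free(8080), "| listeners:", listener_pids(out, 8080))
```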

(Figure) On the login screen, click Register New User, create an account, and you can log in.

The left-hand menu is organized according to the OWASP Top 10.

To stop the program, press Ctrl-C in the Command Prompt window.
If you start WebGoat with Java again and find port 8080 is still in use, end java.exe with Task Manager.

(End)

Related

[Research] Installing the OWASP WebGoat v2025.3 penetration testing learning platform (Windows 2025)
https://shaurong.blogspot.com/2025/05/owasp-webgoat-v20253-windows-2025.html

[Research] OWASP WebGoat v2023.8 penetration testing learning platform (Windows 2022)
https://shaurong.blogspot.com/2023/12/owasp-webgoat-v20238-windows-2022.html

[Research] OWASP WebGoat 8.2.2 penetration testing learning platform (Windows Server 2019) (Part 2)
https://shaurong.blogspot.com/2022/05/owasp-webgoat-822-windows-server-2019.html

[Research] OWASP WebGoat 8.2.2 penetration testing learning platform (Windows 10)

[Research] OWASP WebGoat 8.2.2 and WebWolf 8.2.2 penetration testing learning platform: installation and startup (Windows 2019)
https://shaurong.blogspot.com/2022/05/owasp-webgoat-822webwolf-822.html

[Research] Installing OWASP WebGoat 8.0
http://shaurong.blogspot.com/2018/06/owasp-webgoat-80.html

[Research] Installing OWASP WebGoatFor.Net
http://shaurong.blogspot.com/2016/12/owasp-webgoatfornet.html

[Research] Installing OWASP WebGoat 7.1
http://shaurong.blogspot.com/2016/12/owasp-webgoat-71.html

[Research] OWASP Zed Attack Proxy (ZAP) 2.4.2 / 2.6.0 penetration testing and vulnerability scanning tool: installation and trial
http://shaurong.blogspot.com/2015/10/owasp-zed-attack-proxy-zap-242.html
