欢迎留言讨论,期待与你共同进步掘金人的第一篇博客 - 掘金 (juejin.cn)
WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons.
This program is a demonstration of common server-side application flaws. The exercises are intended to be used by people to learn about application security and penetration testing techniques.
WARNING 1: While running this program your machine will be extremely vulnerable to attack. You should disconnect from the Internet while using this program. WebGoat's default configuration binds to localhost to minimize the exposure.
WARNING 2: This program is for educational purposes only. If you attempt these techniques without authorization, you are very likely to get caught. If you are caught engaging in unauthorized hacking, most companies will fire you. Claiming that you were doing security research will not work as that is the first thing that all hackers claim.
一、环境描述
Docker version 19.03.5, build 633a0ea838
webgoat-8.0:v8.0.0.M26
webwolf:v8.0.0.M26
宿主机镜像:Ubuntu 16.04.6 LTS,硬盘16G。
二、安装过程
注:以下命令皆在root用户下运行
1.安装Docker环境
1.更新源
sudo -i
apt-get update && apt-get clean
apt install -y curl git
2.安装Docker
curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun
3.配置Docker加速
vi /etc/docker/daemon.json
添加以下内容
{
"registry-mirrors":["https://docker.mirrors.ustc.edu.cn/"]
}
重新启动Docker并查看Docker信息
systemctl daemon-reload
systemctl restart docker
docker info
2.安装靶场环境
下面实际演示运行的是goatandwolf:v8.1.0集成版本
1.搜索webgoat镜像
docker search webgoat
# webgoat/webgoat-8.0 Latest development version of WebGoat
# webgoat/webgoat-7.1 Latest stable version of WebGoat
docker search webwolf
2.安装webgoat和webwolf
镜像地址
github.com/WebGoat/Web…
hub.docker.com/r/webgoat/w…
hub.docker.com/r/webgoat/w…
docker search webgoat
docker pull webgoat/webgoat-8.0:v8.1.0
docker pull webgoat/webwolf:v8.1.0
docker pull webgoat/goatandwolf:v8.1.0
3.确定下完成
查看本机docker镜像列表情况
docker images
4.运行容器
docker run -d -p 8888:8888 -p 8080:8080 -p 9090:9090 webgoat/goatandwolf:v8.1.0
or
docker run --name goatandwolf -p 8888:8888 -p 8080:8080 -p 9090:9090 -t webgoat/goatandwolf:v8.1.0
docker run -p 8080:8080 -t webgoat/webgoat-8.0:v8.0.0.M26
如果需要后台运行,
docker run -d -p 8080:8080 webgoat/webgoat-8.0:v8.0.0.M26
5.查看容器使用的宿主机端口是否被打开
netstat -ntulp |grep 8080
netstat -ntlp
显示正常,则至此WebGoat安装完成。
三、访问靶场
1.访问导航
先访问
http://IP:8888
2.访问WebGoat
进入页面,http://IP:8080/WebGoat(注意WebGoat的大小写),点击登录按钮下的,Register new user链接,注册一个用户。
自动登入。
3.访问WebWolf
进入页面,http://IP:9090/WebWolf(注意WebWolf的大小写),然后使用上面注册的用户登录。
然后登入。
四、解题思路
五、搭建全过程命令
环境为Centos7
yum clean all
yum makecache
yum install -y wget git curl openssh-server vim bash-completion
exit
yum install net-tools -y
ifconfig
poweroff
tzselect
yum clean all
yum makecache
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum makecache fast
yum -y install docker-ce
systemctl start docker
docker run hello-world
docker ps
docker images
touch /etc/docker/daemon.json
vim /etc/docker/daemon.json
systemctl daemon-reload
systemctl restart docker
systemctl enable docker
docker search webgoat
docker pull webgoat/webgoat-8.0:v8.1.0
docker search webwolf
docker pull webgoat/webwolf:v8.1.0
docker search goatandwolf
docker pull webgoat/goatandwolf:v8.1.0
docker run --name goatandwolf -p 0.0.0.0:8080:8080 -t webgoat/goatandwolf:v8.1.0
netstat -lntp
docker ps
docker images
df -h
docker ps
docker run -d -p 8888:8888 -p 8080:8080 -p 9090:9090 webgoat/goatandwolf:v8.1.0
netstat -lntp
docker ps
docker stop 3885aced71a0
docker ps
exit
六、项目说明
Webgoat官方DockerHub:Official WebGoat Docker image release 8.0
Webgoat官方GitHub:WebGoat/WebGoat
