
webgoat のクラスの 1 つ (HammerHead.class) に、呼び出しステートメント (cajolingMe.cajoleMe(...)) を挿入しました。このメソッドは、fat-jar で作成した jar ファイルに含まれる静的メソッドです。その jar を [webgoat][3] Web アプリケーションの lib ディレクトリにコピーしました。注入後のクラスを逆コンパイルしても問題はなく、構文も正しく見えます (注入したコードは太字で示しています)。



package org.owasp.webgoat;

**import cajoleMe.cajolingMe;**
import java.io.*;
import java.text.SimpleDateFormat;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.WelcomeScreen;
import org.owasp.webgoat.lessons.admin.WelcomeAdminScreen;
import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.ErrorScreen;
import org.owasp.webgoat.session.LessonTracker;
import org.owasp.webgoat.session.ParameterParser;
import org.owasp.webgoat.session.Screen;
import org.owasp.webgoat.session.UserTracker;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.session.WebgoatContext;
...
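  /**
   * Handles a WebGoat request: refreshes the session, builds the screen
   * (lesson) to show, records the visit, and forwards to the view page.
   *
   * The listing this was taken from is JAD decompiler output. The bare
   * "t;" / "exception;" statements and "break MISSING_BLOCK_LABEL_631;"
   * are how JAD renders a try / catch(Throwable) / finally whose finally
   * block (writeScreen + returnConnection) the compiler inlined on every
   * exit path, including the two early returns. That structure is restored
   * here; the exact start of the try range is reconstructed and should be
   * confirmed against the original HammerHead.java.
   *
   * The calls marked "injected" are the BCEL bytecode edits the question is
   * about. cajoleMe()'s signature is not shown, so what it does to the
   * wrapped values is unknown from here; the code only shows it being
   * wrapped around values that were previously used directly.
   *
   * NOTE(review): the Tomcat log shows "Error instantiating servlet class
   * org.owasp.webgoat.HammerHead" raised from StandardWrapper.loadServlet,
   * with no nested "Caused by:" printed. That is a class-load / verification
   * failure of the patched class, not a failure inside this method body, and
   * it is why the whole servlet is marked unavailable (hence the 404). The
   * usual suspects are a NoClassDefFoundError for cajoleMe.cajolingMe (the
   * fat jar not on the webapp's WEB-INF/lib classpath) or a VerifyError
   * because max_stack / max_locals (and the StackMapTable on Java 7+ class
   * files) were not recomputed after the instructions were inserted — the
   * nested cause in the localhost log tells which.
   *
   * @param request  the current request; its method, URI, query string and
   *                 user-agent header are read
   * @param response the response; isCommitted() is checked after the session
   *                 update and after screen creation so that a page already
   *                 written by those steps is not overwritten
   * @throws IOException      propagated from the forward / write
   * @throws ServletException propagated from the forward / write
   */
  public void doPost(HttpServletRequest request, HttpServletResponse response)
        throws IOException, ServletException
    {
        Screen screen = null;
        WebSession mySession = null;
        try
        {
            ServletContext context = getServletContext();
            mySession = updateSession(request, response, context);
            // updateSession() may already have written a response.
            if (response.isCommitted())
            {
                return;
            }

            screen = makeScreen(mySession);
            if (response.isCommitted())
            {
                return;
            }

            // Count a lesson visit: on GET unless the URI is the bare lesson
            // link, on POST only when the user stayed on the same screen.
            if (screen instanceof AbstractLesson)
            {
                AbstractLesson lesson = (AbstractLesson) screen;
                if ("GET".equals(request.getMethod()))
                {
                    String uri = request.getRequestURI() + "?" + request.getQueryString();
                    if (!uri.endsWith(lesson.getLink()))
                    {
                        screen.getLessonTracker(mySession).incrementNumVisits();
                    }
                }
                else if ("POST".equals(request.getMethod())
                        && mySession.getPreviousScreen() == mySession.getCurrentScreen())
                {
                    screen.getLessonTracker(mySession).incrementNumVisits();
                }
            }

            // Record the access of this screen for this user.
            UserTracker userTracker = UserTracker.instance();
            userTracker.update(mySession, screen);
            // injected: cajoleMe() wrapped around the screen class and the parser
            log(request, cajolingMe.cajoleMe(screen.getClass()).getName() + " | "
                    + cajolingMe.cajoleMe(cajolingMe.cajoleMe(mySession.getParser())).toString());

            // Hand off to the view page; the user-agent is exposed to the view.
            String userAgent = request.getHeader("user-agent");
            String clientBrowser = "Not known!";
            if (userAgent != null)
            {
                clientBrowser = userAgent;
            }
            request.setAttribute("client.browser", clientBrowser);
            request.getSession().setAttribute("websession", mySession);
            request.getSession().setAttribute("course", mySession.getCourse());
            // injected: cajoleMe() wrapped around the session passed to getViewPage()
            request.getRequestDispatcher(getViewPage(cajolingMe.cajoleMe(mySession))).forward(request, response);
        }
        catch (Throwable t)
        {
            // Any failure is turned into an error screen, rendered in finally.
            t.printStackTrace();
            log("ERROR: " + t);
            screen = new ErrorScreen(mySession, t);
        }
        finally
        {
            // Runs on every exit path, including the early returns above.
            try
            {
                writeScreen(mySession, screen, response);
            }
            catch (Throwable thr)
            {
                thr.printStackTrace();
                log(request, "Could not write error screen: " + thr.getMessage());
            }
            WebSession.returnConnection(mySession);
        }
    }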

...
}

しかし、Tomcat を起動すると、次の例外が発生しました。

jan 31, 2013 12:31:59 PM org.apache.coyote.http11.Http11Protocol init

INFO: Initializing Coyote HTTP/1.1 on http-127.0.0.1-8080 

 jan 31, 2013 12:31:59 PM org.apache.coyote.http11.Http11Protocol init 

INFO: Initializing Coyote HTTP/1.1 on http-127.0.0.1-8443 
 jan 31, 2013 12:31:59 PM org.apache.catalina.startup.Catalina load 
INFO: Initialization processed in 549 ms 
 jan 31, 2013 12:32:00 PM org.apache.catalina.core.StandardService start 
INFO: Starting service Catalina
 jan 31, 2013 12:32:00 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/5.5.4
 jan 31, 2013 12:32:00 PM org.apache.catalina.core.StandardHost start 
INFO: XML validation disabled 
 jan 31, 2013 12:32:00 PM org.apache.catalina.core.ApplicationContext log 
INFO: org.apache.webapp.balancer.BalancerFilter: init(): ruleChain: [org.apache.webapp.balancer.RuleChain: [org.apache.webapp.balancer.rules.URLStringMatchRule: Target string: News / Redirect URL: http://www.cnn.com], [org.apache.webapp.balancer.rules.RequestParameterRule: Target param name: paramName / Target param value: paramValue / Redirect URL: http://www.yahoo.com], [org.apache.webapp.balancer.rules.AcceptEverythingRule: Redirect URL: http://jakarta.apache.org]]
 **Marking servlet WebGoat as unavailable**
 **Servlet /WebGoat threw load() exception javax.servlet.ServletException: Error instantiating servlet class org.owasp.webgoat.HammerHead**
 at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1020)
 at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:886)
 at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3817)
 at org.apache.catalina.core.StandardContext.start(StandardContext.java:4079)
 at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:755)
 at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:739)
 at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:525)
 at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:886)
 at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:849)
 at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:474)
 at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1079)
 at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:310)
 at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
 at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1011)
 at org.apache.catalina.core.StandardHost.start(StandardHost.java:718)
 at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1003)
 at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:437)
 at org.apache.catalina.core.StandardService.start(StandardService.java:450)
 at org.apache.catalina.core.StandardServer.start(StandardServer.java:2010)
 at org.apache.catalina.startup.Catalina.start(Catalina.java:537)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:597)
 at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:271)
 at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:409) 
 jan 31, 2013 12:32:01 PM org.apache.coyote.http11.Http11Protocol start 
INFO: Starting Coyote HTTP/1.1 on http-127.0.0.1-8080
 jan 31, 2013 12:32:01 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-127.0.0.1-8443 
 jan 31, 2013 12:32:01 PM org.apache.jk.common.ChannelSocket init 
INFO: JK2: ajp13 listening on /127.0.0.1:8009
 jan 31, 2013 12:32:01 PM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/11 config=null 
 jan 31, 2013 12:32:01 PM org.apache.catalina.startup.Catalina start 
INFO: Server startup in 1134 ms 

webgoat のサイトにアクセスすると「HTTP Status 404」が返ります。インジェクションには [BCEL][5] を使用しました。問題はどこにあるのでしょうか?

