题目
访问题目场景
输入IP:127.0.0.1,发现可是个ping命令
我没猜错,这个输入可能存在命令执行的操作,但是经过尝试之后,我们发现,并不能正常执行,所以猜错存在过滤
127.0.0.1||ls
我们在看url的时候发现他的url处存在编码,url编码我们进行尝试,URL编码中ascii字符的边界是%7F,fuzz发现当url=%FF时报错,然后产生了一串巨长的代码,那我们只能代码审计了。
<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<meta name="robots" content="NONE,NOARCHIVE">
<title>UnicodeEncodeError at /api/ping</title>
<style type="text/css">
html * { padding:0; margin:0; }
body * { padding:10px 20px; }
body * * { padding:0; }
body { font:small sans-serif; }
body>div { border-bottom:1px solid #ddd; }
h1 { font-weight:normal; }
h2 { margin-bottom:.8em; }
h2 span { font-size:80%; color:#666; font-weight:normal; }
h3 { margin:1em 0 .5em 0; }
h4 { margin:0 0 .5em 0; font-weight: normal; }
code, pre { font-size: 100%; white-space: pre-wrap; }
table { border:1px solid #ccc; border-collapse: collapse; width:100%; background:white; }
tbody td, tbody th { vertical-align:top; padding:2px 3px; }
thead th {
padding:1px 6px 1px 3px; background:#fefefe; text-align:left;
font-weight:normal; font-size:11px; border:1px solid #ddd;
}
tbody th { width:12em; text-align:right; color:#666; padding-right:.5em; }
table.vars { margin:5px 0 2px 40px; }
table.vars td, table.req td { font-family:monospace; }
table td.code { width:100%; }
table td.code pre { overflow:hidden; }
table.source th { color:#666; }
table.source td { font-family:monospace; white-space:pre; border-bottom:1px solid #eee; }
ul.traceback { list-style-type:none; color: #222; }
ul.traceback li.frame { padding-bottom:1em; color:#666; }
ul.traceback li.user { background-color:#e0e0e0; color:#000 }
div.context { padding:10px 0; overflow:hidden; }
div.context ol { padding-left:30px; margin:0 10px; list-style-position: inside; }
div.context ol li { font-family:monospace; white-space:pre; color:#777; cursor:pointer; padding-left: 2px; }
div.context ol li pre { display:inline; }
div.context ol.context-line li { color:#505050; background-color:#dfdfdf; padding: 3px 2px; }
div.context ol.context-line li span { position:absolute; right:32px; }
.user div.context ol.context-line li { background-color:#bbb; color:#000; }
.user div.context ol li { color:#666; }
div.commands { margin-left: 40px; }
div.commands a { color:#555; text-decoration:none; }
.user div.commands a { color: black; }
#summary { background: #ffc; }
#summary h2 { font-weight: normal; color: #666; }
#explanation { background:#eee; }
#template, #template-not-exist { background:#f6f6f6; }
#template-not-exist ul { margin: 0 0 10px 20px; }
#template-not-exist .postmortem-section { margin-bottom: 3px; }
#unicode-hint { background:#eee; }
#traceback { background:#eee; }
#requestinfo { background:#f6f6f6; padding-left:120px; }
#summary table { border:none; background:transparent; }
#requestinfo h2, #requestinfo h3 { position:relative; margin-left:-100px; }
#requestinfo h3 { margin-bottom:-1em; }
.error { background: #ffc; }
.specific { color:#cc3300; font-weight:bold; }
h2 span.commands { font-size:.7em;}
span.commands a:link {color:#5E5694;}
pre.exception_value { font-family: sans-serif; color: #666; font-size: 1.5em; margin: 10px 0 10px 0; }
.append-bottom { margin-bottom: 10px; }
</style>
<script type="text/javascript">
//<!--
function getElementsByClassName(oElm, strTagName, strClassName){
// Written by Jonathan Snook, http://www.snook.ca/jon; Add-ons by Robert Nyman, http://www.robertnyman.com
var arrElements = (strTagName == "*" && document.all)? document.all :
oElm.getElementsByTagName(strTagName);
var arrReturnElements = new Array();
strClassName = strClassName.replace(/\-/g, "\-");
var oRegExp = new RegExp("(^|\s)" + strClassName + "(\s|$)");
var oElement;
for(var i=0; i<arrElements.length; i++){
oElement = arrElements[i];
if(oRegExp.test(oElement.className)){
arrReturnElements.push(oElement);
}
}
return (arrReturnElements)
}
function hideAll(elems) {
for (var e = 0; e < elems.length; e++) {
elems[e].style.display = 'none';
}
}
window.onload = function() {
hideAll(getElementsByClassName(document, 'table', 'vars'));
hideAll(getElementsByClassName(document, 'ol', 'pre-context'));
hideAll(getElementsByClassName(document, 'ol', 'post-context'));
hideAll(getElementsByClassName(document, 'div', 'pastebin'));
}
function toggle() {
for (var i = 0; i < arguments.length; i++) {
var e = document.getElementById(arguments[i]);
if (e) {
e.style.display = e.style.display == 'none' ? 'block': 'none';
}
}
return false;
}
function varToggle(link, id) {
toggle('v' + id);
var s = link.getElementsByTagName('span')[0];
var uarr = String.fromCharCode(0x25b6);
var darr = String.fromCharCode(0x25bc);
s.textContent = s.textContent == uarr ? darr : uarr;
return false;
}
function switchPastebinFriendly(link) {
s1 = "Switch to copy-and-paste view";
s2 = "Switch back to interactive view";
link.textContent = link.textContent.trim() == s1 ? s2: s1;
toggle('browserTraceback', 'pastebinTraceback');
return false;
}
//-->
</script>
</head>
<body>
<div id="summary">
<h1>UnicodeEncodeError at /api/ping</h1>
<pre class="exception_value">'gbk' codec can't encode character u'\ufffd' in position 0: illegal multibyte sequence</pre>
<table class="meta">
<tr>
<th>Request Method:</th>
<td>POST</td>
</tr>
<tr>
<th>Request URL:</th>
<td>http://127.0.0.1:8000/api/ping</td>
</tr>
<tr>
<th>Django Version:</th>
<td>1.10.4</td>
</tr>
<tr>
<th>Exception Type:</th>
<td>UnicodeEncodeError</td>
</tr>
<tr>
<th>Exception Value:</th>
<td><pre>'gbk' codec can't encode character u'\ufffd' in position 0: illegal multibyte sequence</pre></td>
</tr>
<tr>
<th>Exception Location:</th>
<td>/opt/api/dnsapi/utils.py in escape, line 9</td>
</tr>
<tr>
<th>Python Executable:</th>
<td>/usr/bin/python</td>
</tr>
<tr>
<th>Python Version:</th>
<td>2.7.12</td>
</tr>
<tr>
<th>Python Path:</th>
<td><pre>['/opt/api',
'/usr/lib/python2.7',
'/usr/lib/python2.7/plat-x86_64-linux-gnu',
'/usr/lib/python2.7/lib-tk',
'/usr/lib/python2.7/lib-old',
'/usr/lib/python2.7/lib-dynload',
'/usr/local/lib/python2.7/dist-packages',
'/usr/lib/python2.7/dist-packages']</pre></td>
</tr>
<tr>
<th>Server time:</th>
<td>Wed, 18 Jan 2023 02:04:16 +0000</td>
</tr>
</table>
</div>
<div id="unicode-hint">
<h2>Unicode error hint</h2>
<p>The string that could not be encoded/decoded was: <strong>�</strong></p>
</div>
<div id="traceback">
<h2>Traceback <span class="commands"><a href="#" onclick="return switchPastebinFriendly(this);">
Switch to copy-and-paste view</a></span>
</h2>
<div id="browserTraceback">
<ul class="traceback">
<li class="frame django">
<code>/usr/local/lib/python2.7/dist-packages/django/core/handlers/exception.py</code> in <code>inner</code>
<div class="context" id="c140460418746128">
<ol start="32" class="pre-context" id="pre140460418746128">
<li onclick="toggle('pre140460418746128', 'post140460418746128')"><pre> This decorator is automatically applied to all middleware to ensure that</pre></li>
<li onclick="toggle('pre140460418746128', 'post140460418746128')"><pre> no middleware leaks an exception and that the next middleware in the stack</pre></li>
<li onclick="toggle('pre140460418746128', 'post140460418746128')"><pre> can rely on getting a response instead of an exception.</pre></li>
<li onclick="toggle('pre140460418746128', 'post140460418746128')"><pre> """</pre></li>
<li onclick="toggle('pre140460418746128', 'post140460418746128')"><pre> @wraps(get_response, assigned=available_attrs(get_response))</pre></li>
<li onclick="toggle('pre140460418746128', 'post140460418746128')"><pre> def inner(request):</pre></li>
<li onclick="toggle('pre140460418746128', 'post140460418746128')"><pre> try:</pre></li>
</ol>
<ol start="39" class="context-line">
<li onclick="toggle('pre140460418746128', 'post140460418746128')"><pre>
response = get_response(request)</pre> <span>...</span></li></ol>
<ol start='40' class="post-context" id="post140460418746128">
<li onclick="toggle('pre140460418746128', 'post140460418746128')"><pre> except Exception as exc:</pre></li>
<li onclick="toggle('pre140460418746128', 'post140460418746128')"><pre> response = response_for_exception(request, exc)</pre></li>
<li onclick="toggle('pre140460418746128', 'post140460418746128')"><pre> return response</pre></li>
<li onclick="toggle('pre140460418746128', 'post140460418746128')"><pre> return inner</pre></li>
<li onclick="toggle('pre140460418746128', 'post140460418746128')"><pre></pre></li>
<li onclick="toggle('pre140460418746128', 'post140460418746128')"><pre></pre></li>
</ol>
</div>
<div class="commands">
<a href="#" onclick="return varToggle(this, '140460418746128')"><span>▶</span> Local vars</a>
</div>
<table class="vars" id="v140460418746128">
<thead>
<tr>
<th>Variable</th>
<th>Value</th>
</tr>
</thead>
<tbody>
<tr>
<td>exc</td>
<td class="code"><pre>UnicodeEncodeError('gbk', u'\ufffd', 0, 1, 'illegal multibyte sequence')</pre></td>
</tr>
<tr>
<td>get_response</td>
<td class="code"><pre><bound method WSGIHandler._get_response of <django.core.handlers.wsgi.WSGIHandler object at 0x7fbf7e66eb10>></pre></td>
</tr>
<tr>
<td>request</td>
<td class="code"><pre><WSGIRequest: POST '/api/ping'></pre></td>
</tr>
</tbody>
</table>
</li>
<li class="frame django">
<code>/usr/local/lib/python2.7/dist-packages/django/core/handlers/base.py</code> in <code>_get_response</code>
<div class="context" id="c140460419311880">
<ol start="180" class="pre-context" id="pre140460419311880">
<li onclick="toggle('pre140460419311880', 'post140460419311880')"><pre> break</pre></li>
<li onclick="toggle('pre140460419311880', 'post140460419311880')"><pre></pre></li>
<li onclick="toggle('pre140460419311880', 'post140460419311880')"><pre> if response is None:</pre></li>
<li onclick="toggle('pre140460419311880', 'post140460419311880')"><pre> wrapped_callback = self.make_view_atomic(callback)</pre></li>
<li onclick="toggle('pre140460419311880', 'post140460419311880')"><pre> try:</pre></li>
<li onclick="toggle('pre140460419311880', 'post140460419311880')"><pre> response = wrapped_callback(request, *callback_args, **callback_kwargs)</pre></li>
<li onclick="toggle('pre140460419311880', 'post140460419311880')"><pre> except Exception as e:</pre></li>
</ol>
<ol start="187" class="context-line">
<li onclick="toggle('pre140460419311880', 'post140460419311880')"><pre>
response = self.process_exception_by_middleware(e, request)</pre> <span>...</span></li></ol>
<ol start='188' class="post-context" id="post140460419311880">
<li onclick="toggle('pre140460419311880', 'post140460419311880')"><pre></pre></li>
<li onclick="toggle('pre140460419311880', 'post140460419311880')"><pre> # Complain if the view returned None (a common error).</pre></li>
<li onclick="toggle('pre140460419311880', 'post140460419311880')"><pre> if response is None:</pre></li>
<li onclick="toggle('pre140460419311880', 'post140460419311880')"><pre> if isinstance(callback, types.FunctionType): # FBV</pre></li>
<li onclick="toggle('pre140460419311880', 'post140460419311880')"><pre> view_name = callback.__name__</pre></li>
<li onclick="toggle('pre140460419311880', 'post140460419311880')"><pre> else: # CBV</pre></li>
</ol>
</div>
<div class="commands">
<a href="#" onclick="return varToggle(this, '140460419311880')"><span>▶</span> Local vars</a>
</div>
<table class="vars" id="v140460419311880">
<thead>
<tr>
<th>Variable</th>
<th>Value</th>
</tr>
</thead>
<tbody>
<tr>
<td>callback</td>
<td class="code"><pre><function ping at 0x7fbf7d677d70></pre></td>
</tr>
<tr>
<td>callback_args</td>
<td class="code"><pre>()</pre></td>
</tr>
<tr>
<td>callback_kwargs</td>
<td class="code"><pre>{}</pre></td>
</tr>
<tr>
<td>e</td>
<td class="code"><pre>UnicodeEncodeError('gbk', u'\ufffd', 0, 1, 'illegal multibyte sequence')</pre></td>
</tr>
<tr>
<td>request</td>
<td class="code"><pre><WSGIRequest: POST '/api/ping'></pre></td>
</tr>
<tr>
<td>resolver</td>
<td class="code"><pre><RegexURLResolver 'api.urls' (None:None) ^/></pre></td>
</tr>
<tr>
<td>resolver_match</td>
<td class="code"><pre>ResolverMatch(func=dnsapi.views.ping, args=(), kwargs={}, url_name=None, app_names=[], namespaces=[])</pre></td>
</tr>
<tr>
<td>response</td>
<td class="code"><pre>None</pre></td>
</tr>
<tr>
<td>self</td>
<td class="code"><pre><django.core.handlers.wsgi.WSGIHandler object at 0x7fbf7e66eb10></pre></td>
</tr>
<tr>
<td>wrapped_callback</td>
<td class="code"><pre><function ping at 0x7fbf7d677d70></pre></td>
</tr>
</tbody>
</table>
</li>
<li class="frame django">
<code>/usr/local/lib/python2.7/dist-packages/django/core/handlers/base.py</code> in <code>_get_response</code>
<div class="context" id="c140460402700232">
<ol start="178" class="pre-context" id="pre140460402700232">
<li onclick="toggle('pre140460402700232', 'post140460402700232')"><pre> response = middleware_method(request, callback, callback_args, callback_kwargs)</pre></li>
<li onclick="toggle('pre140460402700232', 'post140460402700232')"><pre> if response:</pre></li>
<li onclick="toggle('pre140460402700232', 'post140460402700232')"><pre> break</pre></li>
<li onclick="toggle('pre140460402700232', 'post140460402700232')"><pre></pre></li>
<li onclick="toggle('pre140460402700232', 'post140460402700232')"><pre> if response is None:</pre></li>
<li onclick="toggle('pre140460402700232', 'post140460402700232')"><pre> wrapped_callback = self.make_view_atomic(callback)</pre></li>
<li onclick="toggle('pre140460402700232', 'post140460402700232')"><pre> try:</pre></li>
</ol>
<ol start="185" class="context-line">
<li onclick="toggle('pre140460402700232', 'post140460402700232')"><pre>
response = wrapped_callback(request, *callback_args, **callback_kwargs)</pre> <span>...</span></li></ol>
<ol start='186' class="post-context" id="post140460402700232">
<li onclick="toggle('pre140460402700232', 'post140460402700232')"><pre> except Exception as e:</pre></li>
<li onclick="toggle('pre140460402700232', 'post140460402700232')"><pre> response = self.process_exception_by_middleware(e, request)</pre></li>
<li onclick="toggle('pre140460402700232', 'post140460402700232')"><pre></pre></li>
<li onclick="toggle('pre140460402700232', 'post140460402700232')"><pre> # Complain if the view returned None (a common error).</pre></li>
<li onclick="toggle('pre140460402700232', 'post140460402700232')"><pre> if response is None:</pre></li>
<li onclick="toggle('pre140460402700232', 'post140460402700232')"><pre> if isinstance(callback, types.FunctionType): # FBV</pre></li>
</ol>
</div>
<div class="commands">
<a href="#" onclick="return varToggle(this, '140460402700232')"><span>▶</span> Local vars</a>
</div>
<table class="vars" id="v140460402700232">
<thead>
<tr>
<th>Variable</th>
<th>Value</th>
</tr>
</thead>
<tbody>
<tr>
<td>callback</td>
<td class="code"><pre><function ping at 0x7fbf7d677d70></pre></td>
</tr>
<tr>
<td>callback_args</td>
<td class="code"><pre>()</pre></td>
</tr>
<tr>
<td>callback_kwargs</td>
<td class="code"><pre>{}</pre></td>
</tr>
<tr>
<td>e</td>
<td class="code"><pre>UnicodeEncodeError('gbk', u'\ufffd', 0, 1, 'illegal multibyte sequence')</pre></td>
</tr>
<tr>
<td>request</td>
<td class="code"><pre><WSGIRequest: POST '/api/ping'></pre></td>
</tr>
<tr>
<td>resolver</td>
<td class="code"><pre><RegexURLResolver 'api.urls' (None:None) ^/></pre></td>
</tr>
<tr>
<td>resolver_match</td>
<td class="code"><pre>ResolverMatch(func=dnsapi.views.ping, args=(), kwargs={}, url_name=None, app_names=[], namespaces=[])</pre></td>
</tr>
<tr>
<td>response</td>
<td class="code"><pre>None</pre></td>
</tr>
<tr>
<td>self</td>
<td class="code"><pre><django.core.handlers.wsgi.WSGIHandler object at 0x7fbf7e66eb10></pre></td>
</tr>
<tr>
<td>wrapped_callback</td>
<td class="code"><pre><function ping at 0x7fbf7d677d70></pre></td>
</tr>
</tbody>
</table>
</li>
<li class="frame user">
<code>/opt/api/dnsapi/views.py</code> in <code>wrapper</code>
<div class="context" id="c140460402699440">
<ol start="14" class="pre-context" id="pre140460402699440">
<li onclick="toggle('pre140460402699440', 'post140460402699440')"><pre> # 合并 requests.FILES 和 requests.POST</pre></li>
<li onclick="toggle('pre140460402699440', 'post140460402699440')"><pre> for k, v in request.FILES.items():</pre></li>
<li onclick="toggle('pre140460402699440', 'post140460402699440')"><pre> if isinstance(v, InMemoryUploadedFile):</pre></li>
<li onclick="toggle('pre140460402699440', 'post140460402699440')"><pre> v = v.read()</pre></li>
<li onclick="toggle('pre140460402699440', 'post140460402699440')"><pre> request.FILES[k] = v</pre></li>
<li onclick="toggle('pre140460402699440', 'post140460402699440')"><pre></pre></li>
<li onclick="toggle('pre140460402699440', 'post140460402699440')"><pre> request.POST.update(request.FILES)</pre></li>
</ol>
<ol start="21" class="context-line">
<li onclick="toggle('pre140460402699440', 'post140460402699440')"><pre>
return f(*args, **kwargs)</pre> <span>...</span></li></ol>
<ol start='22' class="post-context" id="post140460402699440">
<li onclick="toggle('pre140460402699440', 'post140460402699440')"><pre></pre></li>
<li onclick="toggle('pre140460402699440', 'post140460402699440')"><pre> return wrapper</pre></li>
<li onclick="toggle('pre140460402699440', 'post140460402699440')"><pre></pre></li>
<li onclick="toggle('pre140460402699440', 'post140460402699440')"><pre></pre></li>
<li onclick="toggle('pre140460402699440', 'post140460402699440')"><pre>@process_request</pre></li>
<li onclick="toggle('pre140460402699440', 'post140460402699440')"><pre>def ping(request):</pre></li>
</ol>
</div>
<div class="commands">
<a href="#" onclick="return varToggle(this, '140460402699440')"><span>▶</span> Local vars</a>
</div>
<table class="vars" id="v140460402699440">
<thead>
<tr>
<th>Variable</th>
<th>Value</th>
</tr>
</thead>
<tbody>
<tr>
<td>args</td>
<td class="code"><pre>(<WSGIRequest: POST '/api/ping'>,)</pre></td>
</tr>
<tr>
<td>f</td>
<td class="code"><pre><function ping at 0x7fbf7d677cf8></pre></td>
</tr>
<tr>
<td>kwargs</td>
<td class="code"><pre>{}</pre></td>
</tr>
<tr>
<td>request</td>
<td class="code"><pre><WSGIRequest: POST '/api/ping'></pre></td>
</tr>
</tbody>
</table>
</li>
<li class="frame user">
<code>/opt/api/dnsapi/views.py</code> in <code>ping</code>
<div class="context" id="c140460402697712">
<ol start="23" class="pre-context" id="pre140460402697712">
<li onclick="toggle('pre140460402697712', 'post140460402697712')"><pre> return wrapper</pre></li>
<li onclick="toggle('pre140460402697712', 'post140460402697712')"><pre></pre></li>
<li onclick="toggle('pre140460402697712', 'post140460402697712')"><pre></pre></li>
<li onclick="toggle('pre140460402697712', 'post140460402697712')"><pre>@process_request</pre></li>
<li onclick="toggle('pre140460402697712', 'post140460402697712')"><pre>def ping(request):</pre></li>
<li onclick="toggle('pre140460402697712', 'post140460402697712')"><pre> # 转义</pre></li>
<li onclick="toggle('pre140460402697712', 'post140460402697712')"><pre> data = request.POST.get('url')</pre></li>
</ol>
<ol start="30" class="context-line">
<li onclick="toggle('pre140460402697712', 'post140460402697712')"><pre>
data = escape(data)</pre> <span>...</span></li></ol>
<ol start='31' class="post-context" id="post140460402697712">
<li onclick="toggle('pre140460402697712', 'post140460402697712')"><pre> if not re.match('^[a-zA-Z0-9\-\./]+$', data):</pre></li>
<li onclick="toggle('pre140460402697712', 'post140460402697712')"><pre> return HttpResponse("Invalid URL")</pre></li>
<li onclick="toggle('pre140460402697712', 'post140460402697712')"><pre></pre></li>
<li onclick="toggle('pre140460402697712', 'post140460402697712')"><pre> return HttpResponse(os.popen("ping -c 1 \"%s\"" % data).read())</pre></li>
<li onclick="toggle('pre140460402697712', 'post140460402697712')"><pre></pre></li>
</ol>
</div>
<div class="commands">
<a href="#" onclick="return varToggle(this, '140460402697712')"><span>▶</span> Local vars</a>
</div>
<table class="vars" id="v140460402697712">
<thead>
<tr>
<th>Variable</th>
<th>Value</th>
</tr>
</thead>
<tbody>
<tr>
<td>data</td>
<td class="code"><pre>u'\ufffd'</pre></td>
</tr>
<tr>
<td>request</td>
<td class="code"><pre><WSGIRequest: POST '/api/ping'></pre></td>
</tr>
</tbody>
</table>
</li>
<li class="frame user">
<code>/opt/api/dnsapi/utils.py</code> in <code>escape</code>
<div class="context" id="c140460402698432">
<ol start="2" class="pre-context" id="pre140460402698432">
<li onclick="toggle('pre140460402698432', 'post140460402698432')"><pre> r = ''</pre></li>
<li onclick="toggle('pre140460402698432', 'post140460402698432')"><pre> for i in range(len(data)):</pre></li>
<li onclick="toggle('pre140460402698432', 'post140460402698432')"><pre> c = data[i]</pre></li>
<li onclick="toggle('pre140460402698432', 'post140460402698432')"><pre> if c in ('\\', '\'', '"', '$', '`'):</pre></li>
<li onclick="toggle('pre140460402698432', 'post140460402698432')"><pre> r = r + '\\' + c</pre></li>
<li onclick="toggle('pre140460402698432', 'post140460402698432')"><pre> else:</pre></li>
<li onclick="toggle('pre140460402698432', 'post140460402698432')"><pre> r = r + c</pre></li>
</ol>
<ol start="9" class="context-line">
<li onclick="toggle('pre140460402698432', 'post140460402698432')"><pre>
return r.encode('gbk')</pre> <span>...</span></li></ol>
</div>
<div class="commands">
<a href="#" onclick="return varToggle(this, '140460402698432')"><span>▶</span> Local vars</a>
</div>
<table class="vars" id="v140460402698432">
<thead>
<tr>
<th>Variable</th>
<th>Value</th>
</tr>
</thead>
<tbody>
<tr>
<td>c</td>
<td class="code"><pre>u'\ufffd'</pre></td>
</tr>
<tr>
<td>data</td>
<td class="code"><pre>u'\ufffd'</pre></td>
</tr>
<tr>
<td>i</td>
<td class="code"><pre>0</pre></td>
</tr>
<tr>
<td>r</td>
<td class="code"><pre>u'\ufffd'</pre></td>
</tr>
</tbody>
</table>
</li>
</ul>
</div>
<form action="http://dpaste.com/" name="pasteform" id="pasteform" method="post">
<div id="pastebinTraceback" class="pastebin">
<input type="hidden" name="language" value="PythonConsole">
<input type="hidden" name="title"
value="UnicodeEncodeError at /api/ping">
<input type="hidden" name="source" value="Django Dpaste Agent">
<input type="hidden" name="poster" value="Django">
<textarea name="content" id="traceback_area" cols="140" rows="25">
Environment:
Request Method: POST
Request URL: http://127.0.0.1:8000/api/ping
Django Version: 1.10.4
Python Version: 2.7.12
Installed Applications:
['django.contrib.admin',
'django.contrib.auth',
'django.contrib.contenttypes',
'django.contrib.sessions',
'django.contrib.messages',
'django.contrib.staticfiles',
'dnsapi']
Installed Middleware:
['django.middleware.security.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware']
Traceback:
File "/usr/local/lib/python2.7/dist-packages/django/core/handlers/exception.py" in inner
39. response = get_response(request)
File "/usr/local/lib/python2.7/dist-packages/django/core/handlers/base.py" in _get_response
187. response = self.process_exception_by_middleware(e, request)
File "/usr/local/lib/python2.7/dist-packages/django/core/handlers/base.py" in _get_response
185. response = wrapped_callback(request, *callback_args, **callback_kwargs)
File "/opt/api/dnsapi/views.py" in wrapper
21. return f(*args, **kwargs)
File "/opt/api/dnsapi/views.py" in ping
30. data = escape(data)
File "/opt/api/dnsapi/utils.py" in escape
9. return r.encode('gbk')
Exception Type: UnicodeEncodeError at /api/ping
Exception Value: 'gbk' codec can't encode character u'\ufffd' in position 0: illegal multibyte sequence
</textarea>
<br><br>
<input type="submit" value="Share this traceback on a public website">
</div>
</form>
</div>
<div id="requestinfo">
<h2>Request information</h2>
<h3 id="user-info">USER</h3>
<p>AnonymousUser</p>
<h3 id="get-info">GET</h3>
<p>No GET data</p>
<h3 id="post-info">POST</h3>
<table class="req">
<thead>
<tr>
<th>Variable</th>
<th>Value</th>
</tr>
</thead>
<tbody>
<tr>
<td>url</td>
<td class="code"><pre>u'\ufffd'</pre></td>
</tr>
</tbody>
</table>
<h3 id="files-info">FILES</h3>
<p>No FILES data</p>
<h3 id="cookie-info">COOKIES</h3>
<p>No cookie data</p>
<h3 id="meta-info">META</h3>
<table class="req">
<thead>
<tr>
<th>Variable</th>
<th>Value</th>
</tr>
</thead>
<tbody>
<tr>
<td>CONTENT_LENGTH</td>
<td class="code"><pre>'139'</pre></td>
</tr>
<tr>
<td>CONTENT_TYPE</td>
<td class="code"><pre>'multipart/form-data; boundary=------------------------a982227d489d71a9'</pre></td>
</tr>
<tr>
<td>DJANGO_SETTINGS_MODULE</td>
<td class="code"><pre>'api.settings'</pre></td>
</tr>
<tr>
<td>GATEWAY_INTERFACE</td>
<td class="code"><pre>'CGI/1.1'</pre></td>
</tr>
<tr>
<td>HOME</td>
<td class="code"><pre>'/root'</pre></td>
</tr>
<tr>
<td>HOSTNAME</td>
<td class="code"><pre>'f84b747e65c1'</pre></td>
</tr>
<tr>
<td>HTTP_ACCEPT</td>
<td class="code"><pre>'*/*'</pre></td>
</tr>
<tr>
<td>HTTP_EXPECT</td>
<td class="code"><pre>'100-continue'</pre></td>
</tr>
<tr>
<td>HTTP_HOST</td>
<td class="code"><pre>'127.0.0.1:8000'</pre></td>
</tr>
<tr>
<td>PATH</td>
<td class="code"><pre>'/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'</pre></td>
</tr>
<tr>
<td>PATH_INFO</td>
<td class="code"><pre>u'/api/ping'</pre></td>
</tr>
<tr>
<td>PWD</td>
<td class="code"><pre>'/opt/api'</pre></td>
</tr>
<tr>
<td>QUERY_STRING</td>
<td class="code"><pre>''</pre></td>
</tr>
<tr>
<td>REMOTE_ADDR</td>
<td class="code"><pre>'127.0.0.1'</pre></td>
</tr>
<tr>
<td>REMOTE_HOST</td>
<td class="code"><pre>''</pre></td>
</tr>
<tr>
<td>REQUEST_METHOD</td>
<td class="code"><pre>'POST'</pre></td>
</tr>
<tr>
<td>RUN_MAIN</td>
<td class="code"><pre>'true'</pre></td>
</tr>
<tr>
<td>SCRIPT_NAME</td>
<td class="code"><pre>u''</pre></td>
</tr>
<tr>
<td>SERVER_NAME</td>
<td class="code"><pre>'localhost'</pre></td>
</tr>
<tr>
<td>SERVER_PORT</td>
<td class="code"><pre>'8000'</pre></td>
</tr>
<tr>
<td>SERVER_PROTOCOL</td>
<td class="code"><pre>'HTTP/1.1'</pre></td>
</tr>
<tr>
<td>SERVER_SOFTWARE</td>
<td class="code"><pre>'WSGIServer/0.1 Python/2.7.12'</pre></td>
</tr>
<tr>
<td>TZ</td>
<td class="code"><pre>'UTC'</pre></td>
</tr>
<tr>
<td>wsgi.errors</td>
<td class="code"><pre><open file '<stderr>', mode 'w' at 0x7fbf814b41e0></pre></td>
</tr>
<tr>
<td>wsgi.file_wrapper</td>
<td class="code"><pre>''</pre></td>
</tr>
<tr>
<td>wsgi.input</td>
<td class="code"><pre><socket._fileobject object at 0x7fbf7d5e82d0></pre></td>
</tr>
<tr>
<td>wsgi.multiprocess</td>
<td class="code"><pre>False</pre></td>
</tr>
<tr>
<td>wsgi.multithread</td>
<td class="code"><pre>True</pre></td>
</tr>
<tr>
<td>wsgi.run_once</td>
<td class="code"><pre>False</pre></td>
</tr>
<tr>
<td>wsgi.url_scheme</td>
<td class="code"><pre>'http'</pre></td>
</tr>
<tr>
<td>wsgi.version</td>
<td class="code"><pre>(1, 0)</pre></td>
</tr>
</tbody>
</table>
<h3 id="settings-info">Settings</h3>
<h4>Using settings module <code>api.settings</code></h4>
<table class="req">
<thead>
<tr>
<th>Setting</th>
<th>Value</th>
</tr>
</thead>
<tbody>
<tr>
<td>ABSOLUTE_URL_OVERRIDES</td>
<td class="code"><pre>{}</pre></td>
</tr>
<tr>
<td>ADMINS</td>
<td class="code"><pre>[]</pre></td>
</tr>
<tr>
<td>ALLOWED_HOSTS</td>
<td class="code"><pre>[]</pre></td>
</tr>
<tr>
<td>APPEND_SLASH</td>
<td class="code"><pre>True</pre></td>
</tr>
<tr>
<td>AUTHENTICATION_BACKENDS</td>
<td class="code"><pre>[u'django.contrib.auth.backends.ModelBackend']</pre></td>
</tr>
<tr>
<td>AUTH_PASSWORD_VALIDATORS</td>
<td class="code"><pre>u'********************'</pre></td>
</tr>
<tr>
<td>AUTH_USER_MODEL</td>
<td class="code"><pre>u'auth.User'</pre></td>
</tr>
<tr>
<td>BASE_DIR</td>
<td class="code"><pre>'/opt/api'</pre></td>
</tr>
<tr>
<td>CACHES</td>
<td class="code"><pre>{u'default': {u'BACKEND': u'django.core.cache.backends.locmem.LocMemCache'}}</pre></td>
</tr>
<tr>
<td>CACHE_MIDDLEWARE_ALIAS</td>
<td class="code"><pre>u'default'</pre></td>
</tr>
<tr>
<td>CACHE_MIDDLEWARE_KEY_PREFIX</td>
<td class="code"><pre>u'********************'</pre></td>
</tr>
<tr>
<td>CACHE_MIDDLEWARE_SECONDS</td>
<td class="code"><pre>600</pre></td>
</tr>
<tr>
<td>CSRF_COOKIE_AGE</td>
<td class="code"><pre>31449600</pre></td>
</tr>
<tr>
<td>CSRF_COOKIE_DOMAIN</td>
<td class="code"><pre>None</pre></td>
</tr>
<tr>
<td>CSRF_COOKIE_HTTPONLY</td>
<td class="code"><pre>False</pre></td>
</tr>
<tr>
<td>CSRF_COOKIE_NAME</td>
<td class="code"><pre>u'csrftoken'</pre></td>
</tr>
<tr>
<td>CSRF_COOKIE_PATH</td>
<td class="code"><pre>u'/'</pre></td>
</tr>
<tr>
<td>CSRF_COOKIE_SECURE</td>
<td class="code"><pre>False</pre></td>
</tr>
<tr>
<td>CSRF_FAILURE_VIEW</td>
<td class="code"><pre>u'django.views.csrf.csrf_failure'</pre></td>
</tr>
<tr>
<td>CSRF_HEADER_NAME</td>
<td class="code"><pre>u'HTTP_X_CSRFTOKEN'</pre></td>
</tr>
<tr>
<td>CSRF_TRUSTED_ORIGINS</td>
<td class="code"><pre>[]</pre></td>
</tr>
<tr>
<td>DATABASES</td>
<td class="code"><pre>{'default': {'ATOMIC_REQUESTS': False,
'AUTOCOMMIT': True,
'CONN_MAX_AGE': 0,
'ENGINE': 'django.db.backends.sqlite3',
'HOST': '',
'NAME': '/opt/api/database.sqlite3',
'OPTIONS': {},
'PASSWORD': u'********************',
'PORT': '',
'TEST': {'CHARSET': None,
'COLLATION': None,
'MIRROR': None,
'NAME': None},
'TIME_ZONE': None,
'USER': ''}}</pre></td>
</tr>
<tr>
<td>DATABASE_ROUTERS</td>
<td class="code"><pre>[]</pre></td>
</tr>
<tr>
<td>DATA_UPLOAD_MAX_MEMORY_SIZE</td>
<td class="code"><pre>2621440</pre></td>
</tr>
<tr>
<td>DATA_UPLOAD_MAX_NUMBER_FIELDS</td>
<td class="code"><pre>1000</pre></td>
</tr>
<tr>
<td>DATETIME_FORMAT</td>
<td class="code"><pre>u'N j, Y, P'</pre></td>
</tr>
<tr>
<td>DATETIME_INPUT_FORMATS</td>
<td class="code"><pre>[u'%Y-%m-%d %H:%M:%S',
u'%Y-%m-%d %H:%M:%S.%f',
u'%Y-%m-%d %H:%M',
u'%Y-%m-%d',
u'%m/%d/%Y %H:%M:%S',
u'%m/%d/%Y %H:%M:%S.%f',
u'%m/%d/%Y %H:%M',
u'%m/%d/%Y',
u'%m/%d/%y %H:%M:%S',
u'%m/%d/%y %H:%M:%S.%f',
u'%m/%d/%y %H:%M',
u'%m/%d/%y']</pre></td>
</tr>
<tr>
<td>DATE_FORMAT</td>
<td class="code"><pre>u'N j, Y'</pre></td>
</tr>
<tr>
<td>DATE_INPUT_FORMATS</td>
<td class="code"><pre>[u'%Y-%m-%d',
u'%m/%d/%Y',
u'%m/%d/%y',
u'%b %d %Y',
u'%b %d, %Y',
u'%d %b %Y',
u'%d %b, %Y',
u'%B %d %Y',
u'%B %d, %Y',
u'%d %B %Y',
u'%d %B, %Y']</pre></td>
</tr>
<tr>
<td>DEBUG</td>
<td class="code"><pre>True</pre></td>
</tr>
<tr>
<td>DEBUG_PROPAGATE_EXCEPTIONS</td>
<td class="code"><pre>False</pre></td>
</tr>
<tr>
<td>DECIMAL_SEPARATOR</td>
<td class="code"><pre>u'.'</pre></td>
</tr>
<tr>
<td>DEFAULT_CHARSET</td>
<td class="code"><pre>u'utf-8'</pre></td>
</tr>
<tr>
<td>DEFAULT_CONTENT_TYPE</td>
<td class="code"><pre>u'text/html'</pre></td>
</tr>
<tr>
<td>DEFAULT_EXCEPTION_REPORTER_FILTER</td>
<td class="code"><pre>u'django.views.debug.SafeExceptionReporterFilter'</pre></td>
</tr>
<tr>
<td>DEFAULT_FILE_STORAGE</td>
<td class="code"><pre>u'django.core.files.storage.FileSystemStorage'</pre></td>
</tr>
<tr>
<td>DEFAULT_FROM_EMAIL</td>
<td class="code"><pre>u'webmaster@localhost'</pre></td>
</tr>
<tr>
<td>DEFAULT_INDEX_TABLESPACE</td>
<td class="code"><pre>u''</pre></td>
</tr>
<tr>
<td>DEFAULT_TABLESPACE</td>
<td class="code"><pre>u''</pre></td>
</tr>
<tr>
<td>DISALLOWED_USER_AGENTS</td>
<td class="code"><pre>[]</pre></td>
</tr>
<tr>
<td>EMAIL_BACKEND</td>
<td class="code"><pre>u'django.core.mail.backends.smtp.EmailBackend'</pre></td>
</tr>
<tr>
<td>EMAIL_HOST</td>
<td class="code"><pre>u'localhost'</pre></td>
</tr>
<tr>
<td>EMAIL_HOST_PASSWORD</td>
<td class="code"><pre>u'********************'</pre></td>
</tr>
<tr>
<td>EMAIL_HOST_USER</td>
<td class="code"><pre>u''</pre></td>
</tr>
<tr>
<td>EMAIL_PORT</td>
<td class="code"><pre>25</pre></td>
</tr>
<tr>
<td>EMAIL_SSL_CERTFILE</td>
<td class="code"><pre>None</pre></td>
</tr>
<tr>
<td>EMAIL_SSL_KEYFILE</td>
<td class="code"><pre>u'********************'</pre></td>
</tr>
<tr>
<td>EMAIL_SUBJECT_PREFIX</td>
<td class="code"><pre>u'[Django] '</pre></td>
</tr>
<tr>
<td>EMAIL_TIMEOUT</td>
<td class="code"><pre>None</pre></td>
</tr>
<tr>
<td>EMAIL_USE_SSL</td>
<td class="code"><pre>False</pre></td>
</tr>
<tr>
<td>EMAIL_USE_TLS</td>
<td class="code"><pre>False</pre></td>
</tr>
<tr>
<td>FILE_CHARSET</td>
<td class="code"><pre>u'utf-8'</pre></td>
</tr>
<tr>
<td>FILE_UPLOAD_DIRECTORY_PERMISSIONS</td>
<td class="code"><pre>None</pre></td>
</tr>
<tr>
<td>FILE_UPLOAD_HANDLERS</td>
<td class="code"><pre>[u'django.core.files.uploadhandler.MemoryFileUploadHandler',
u'django.core.files.uploadhandler.TemporaryFileUploadHandler']</pre></td>
</tr>
<tr>
<td>FILE_UPLOAD_MAX_MEMORY_SIZE</td>
<td class="code"><pre>2621440</pre></td>
</tr>
<tr>
<td>FILE_UPLOAD_PERMISSIONS</td>
<td class="code"><pre>None</pre></td>
</tr>
<tr>
<td>FILE_UPLOAD_TEMP_DIR</td>
<td class="code"><pre>None</pre></td>
</tr>
<tr>
<td>FIRST_DAY_OF_WEEK</td>
<td class="code"><pre>0</pre></td>
</tr>
<tr>
<td>FIXTURE_DIRS</td>
<td class="code"><pre>[]</pre></td>
</tr>
<tr>
<td>FORCE_SCRIPT_NAME</td>
<td class="code"><pre>None</pre></td>
</tr>
<tr>
<td>FORMAT_MODULE_PATH</td>
<td class="code"><pre>None</pre></td>
</tr>
<tr>
<td>IGNORABLE_404_URLS</td>
<td class="code"><pre>[]</pre></td>
</tr>
<tr>
<td>INSTALLED_APPS</td>
<td class="code"><pre>['django.contrib.admin',
'django.contrib.auth',
'django.contrib.contenttypes',
'django.contrib.sessions',
'django.contrib.messages',
'django.contrib.staticfiles',
'dnsapi']</pre></td>
</tr>
<tr>
<td>INTERNAL_IPS</td>
<td class="code"><pre>[]</pre></td>
</tr>
<tr>
<td>LANGUAGES</td>
<td class="code"><pre>[(u'af', u'Afrikaans'),
(u'ar', u'Arabic'),
(u'ast', u'Asturian'),
(u'az', u'Azerbaijani'),
(u'bg', u'Bulgarian'),
(u'be', u'Belarusian'),
(u'bn', u'Bengali'),
(u'br', u'Breton'),
(u'bs', u'Bosnian'),
(u'ca', u'Catalan'),
(u'cs', u'Czech'),
(u'cy', u'Welsh'),
(u'da', u'Danish'),
(u'de', u'German'),
(u'dsb', u'Lower Sorbian'),
(u'el', u'Greek'),
(u'en', u'English'),
(u'en-au', u'Australian English'),
(u'en-gb', u'British English'),
(u'eo', u'Esperanto'),
(u'es', u'Spanish'),
(u'es-ar', u'Argentinian Spanish'),
(u'es-co', u'Colombian Spanish'),
(u'es-mx', u'Mexican Spanish'),
(u'es-ni', u'Nicaraguan Spanish'),
(u'es-ve', u'Venezuelan Spanish'),
(u'et', u'Estonian'),
(u'eu', u'Basque'),
(u'fa', u'Persian'),
(u'fi', u'Finnish'),
(u'fr', u'French'),
(u'fy', u'Frisian'),
(u'ga', u'Irish'),
(u'gd', u'Scottish Gaelic'),
(u'gl', u'Galician'),
(u'he', u'Hebrew'),
(u'hi', u'Hindi'),
(u'hr', u'Croatian'),
(u'hsb', u'Upper Sorbian'),
(u'hu', u'Hungarian'),
(u'ia', u'Interlingua'),
(u'id', u'Indonesian'),
(u'io', u'Ido'),
(u'is', u'Icelandic'),
(u'it', u'Italian'),
(u'ja', u'Japanese'),
(u'ka', u'Georgian'),
(u'kk', u'Kazakh'),
(u'km', u'Khmer'),
(u'kn', u'Kannada'),
(u'ko', u'Korean'),
(u'lb', u'Luxembourgish'),
(u'lt', u'Lithuanian'),
(u'lv', u'Latvian'),
(u'mk', u'Macedonian'),
(u'ml', u'Malayalam'),
(u'mn', u'Mongolian'),
(u'mr', u'Marathi'),
(u'my', u'Burmese'),
(u'nb', u'Norwegian Bokm\xe5l'),
(u'ne', u'Nepali'),
(u'nl', u'Dutch'),
(u'nn', u'Norwegian Nynorsk'),
(u'os', u'Ossetic'),
(u'pa', u'Punjabi'),
(u'pl', u'Polish'),
(u'pt', u'Portuguese'),
(u'pt-br', u'Brazilian Portuguese'),
(u'ro', u'Romanian'),
(u'ru', u'Russian'),
(u'sk', u'Slovak'),
(u'sl', u'Slovenian'),
(u'sq', u'Albanian'),
(u'sr', u'Serbian'),
(u'sr-latn', u'Serbian Latin'),
(u'sv', u'Swedish'),
(u'sw', u'Swahili'),
(u'ta', u'Tamil'),
(u'te', u'Telugu'),
(u'th', u'Thai'),
(u'tr', u'Turkish'),
(u'tt', u'Tatar'),
(u'udm', u'Udmurt'),
(u'uk', u'Ukrainian'),
(u'ur', u'Urdu'),
(u'vi', u'Vietnamese'),
(u'zh-hans', u'Simplified Chinese'),
(u'zh-hant', u'Traditional Chinese')]</pre></td>
</tr>
<tr>
<td>LANGUAGES_BIDI</td>
<td class="code"><pre>[u'he', u'ar', u'fa', u'ur']</pre></td>
</tr>
<tr>
<td>LANGUAGE_CODE</td>
<td class="code"><pre>'en-us'</pre></td>
</tr>
<tr>
<td>LANGUAGE_COOKIE_AGE</td>
<td class="code"><pre>None</pre></td>
</tr>
<tr>
<td>LANGUAGE_COOKIE_DOMAIN</td>
<td class="code"><pre>None</pre></td>
</tr>
<tr>
<td>LANGUAGE_COOKIE_NAME</td>
<td class="code"><pre>u'django_language'</pre></td>
</tr>
<tr>
<td>LANGUAGE_COOKIE_PATH</td>
<td class="code"><pre>u'/'</pre></td>
</tr>
<tr>
<td>LOCALE_PATHS</td>
<td class="code"><pre>[]</pre></td>
</tr>
<tr>
<td>LOGGING</td>
<td class="code"><pre>{}</pre></td>
</tr>
<tr>
<td>LOGGING_CONFIG</td>
<td class="code"><pre>u'logging.config.dictConfig'</pre></td>
</tr>
<tr>
<td>LOGIN_REDIRECT_URL</td>
<td class="code"><pre>u'/accounts/profile/'</pre></td>
</tr>
<tr>
<td>LOGIN_URL</td>
<td class="code"><pre>u'/accounts/login/'</pre></td>
</tr>
<tr>
<td>LOGOUT_REDIRECT_URL</td>
<td class="code"><pre>None</pre></td>
</tr>
<tr>
<td>MANAGERS</td>
<td class="code"><pre>[]</pre></td>
</tr>
<tr>
<td>MEDIA_ROOT</td>
<td class="code"><pre>u''</pre></td>
</tr>
<tr>
<td>MEDIA_URL</td>
<td class="code"><pre>u''</pre></td>
</tr>
<tr>
<td>MESSAGE_STORAGE</td>
<td class="code"><pre>u'django.contrib.messages.storage.fallback.FallbackStorage'</pre></td>
</tr>
<tr>
<td>MIDDLEWARE</td>
<td class="code"><pre>['django.middleware.security.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware']</pre></td>
</tr>
<tr>
<td>MIDDLEWARE_CLASSES</td>
<td class="code"><pre>[u'django.middleware.common.CommonMiddleware',
u'django.middleware.csrf.CsrfViewMiddleware']</pre></td>
</tr>
<tr>
<td>MIGRATION_MODULES</td>
<td class="code"><pre>{}</pre></td>
</tr>
<tr>
<td>MONTH_DAY_FORMAT</td>
<td class="code"><pre>u'F j'</pre></td>
</tr>
<tr>
<td>NUMBER_GROUPING</td>
<td class="code"><pre>0</pre></td>
</tr>
<tr>
<td>PASSWORD_HASHERS</td>
<td class="code"><pre>u'********************'</pre></td>
</tr>
<tr>
<td>PASSWORD_RESET_TIMEOUT_DAYS</td>
<td class="code"><pre>u'********************'</pre></td>
</tr>
<tr>
<td>PREPEND_WWW</td>
<td class="code"><pre>False</pre></td>
</tr>
<tr>
<td>ROOT_URLCONF</td>
<td class="code"><pre>'api.urls'</pre></td>
</tr>
<tr>
<td>SECRET_KEY</td>
<td class="code"><pre>u'********************'</pre></td>
</tr>
<tr>
<td>SECURE_BROWSER_XSS_FILTER</td>
<td class="code"><pre>False</pre></td>
</tr>
<tr>
<td>SECURE_CONTENT_TYPE_NOSNIFF</td>
<td class="code"><pre>False</pre></td>
</tr>
<tr>
<td>SECURE_HSTS_INCLUDE_SUBDOMAINS</td>
<td class="code"><pre>False</pre></td>
</tr>
<tr>
<td>SECURE_HSTS_SECONDS</td>
<td class="code"><pre>0</pre></td>
</tr>
<tr>
<td>SECURE_PROXY_SSL_HEADER</td>
<td class="code"><pre>None</pre></td>
</tr>
<tr>
<td>SECURE_REDIRECT_EXEMPT</td>
<td class="code"><pre>[]</pre></td>
</tr>
<tr>
<td>SECURE_SSL_HOST</td>
<td class="code"><pre>None</pre></td>
</tr>
<tr>
<td>SECURE_SSL_REDIRECT</td>
<td class="code"><pre>False</pre></td>
</tr>
<tr>
<td>SERVER_EMAIL</td>
<td class="code"><pre>u'root@localhost'</pre></td>
</tr>
<tr>
<td>SESSION_CACHE_ALIAS</td>
<td class="code"><pre>u'default'</pre></td>
</tr>
<tr>
<td>SESSION_COOKIE_AGE</td>
<td class="code"><pre>1209600</pre></td>
</tr>
<tr>
<td>SESSION_COOKIE_DOMAIN</td>
<td class="code"><pre>None</pre></td>
</tr>
<tr>
<td>SESSION_COOKIE_HTTPONLY</td>
<td class="code"><pre>True</pre></td>
</tr>
<tr>
<td>SESSION_COOKIE_NAME</td>
<td class="code"><pre>u'sessionid'</pre></td>
</tr>
<tr>
<td>SESSION_COOKIE_PATH</td>
<td class="code"><pre>u'/'</pre></td>
</tr>
<tr>
<td>SESSION_COOKIE_SECURE</td>
<td class="code"><pre>False</pre></td>
</tr>
<tr>
<td>SESSION_ENGINE</td>
<td class="code"><pre>u'django.contrib.sessions.backends.db'</pre></td>
</tr>
<tr>
<td>SESSION_EXPIRE_AT_BROWSER_CLOSE</td>
<td class="code"><pre>False</pre></td>
</tr>
<tr>
<td>SESSION_FILE_PATH</td>
<td class="code"><pre>None</pre></td>
</tr>
<tr>
<td>SESSION_SAVE_EVERY_REQUEST</td>
<td class="code"><pre>False</pre></td>
</tr>
<tr>
<td>SESSION_SERIALIZER</td>
<td class="code"><pre>u'django.contrib.sessions.serializers.JSONSerializer'</pre></td>
</tr>
<tr>
<td>SETTINGS_MODULE</td>
<td class="code"><pre>'api.settings'</pre></td>
</tr>
<tr>
<td>SHORT_DATETIME_FORMAT</td>
<td class="code"><pre>u'm/d/Y P'</pre></td>
</tr>
<tr>
<td>SHORT_DATE_FORMAT</td>
<td class="code"><pre>u'm/d/Y'</pre></td>
</tr>
<tr>
<td>SIGNING_BACKEND</td>
<td class="code"><pre>u'django.core.signing.TimestampSigner'</pre></td>
</tr>
<tr>
<td>SILENCED_SYSTEM_CHECKS</td>
<td class="code"><pre>[]</pre></td>
</tr>
<tr>
<td>STATICFILES_DIRS</td>
<td class="code"><pre>[]</pre></td>
</tr>
<tr>
<td>STATICFILES_FINDERS</td>
<td class="code"><pre>[u'django.contrib.staticfiles.finders.FileSystemFinder',
u'django.contrib.staticfiles.finders.AppDirectoriesFinder']</pre></td>
</tr>
<tr>
<td>STATICFILES_STORAGE</td>
<td class="code"><pre>u'django.contrib.staticfiles.storage.StaticFilesStorage'</pre></td>
</tr>
<tr>
<td>STATIC_ROOT</td>
<td class="code"><pre>None</pre></td>
</tr>
<tr>
<td>STATIC_URL</td>
<td class="code"><pre>'/static/'</pre></td>
</tr>
<tr>
<td>TEMPLATES</td>
<td class="code"><pre>[{'APP_DIRS': True,
'BACKEND': 'django.template.backends.django.DjangoTemplates',
'DIRS': [],
'OPTIONS': {'context_processors': ['django.template.context_processors.debug',
'django.template.context_processors.request',
'django.contrib.auth.context_processors.auth',
'django.contrib.messages.context_processors.messages']}}]</pre></td>
</tr>
<tr>
<td>TEST_NON_SERIALIZED_APPS</td>
<td class="code"><pre>[]</pre></td>
</tr>
<tr>
<td>TEST_RUNNER</td>
<td class="code"><pre>u'django.test.runner.DiscoverRunner'</pre></td>
</tr>
<tr>
<td>THOUSAND_SEPARATOR</td>
<td class="code"><pre>u','</pre></td>
</tr>
<tr>
<td>TIME_FORMAT</td>
<td class="code"><pre>u'P'</pre></td>
</tr>
<tr>
<td>TIME_INPUT_FORMATS</td>
<td class="code"><pre>[u'%H:%M:%S', u'%H:%M:%S.%f', u'%H:%M']</pre></td>
</tr>
<tr>
<td>TIME_ZONE</td>
<td class="code"><pre>'UTC'</pre></td>
</tr>
<tr>
<td>USE_ETAGS</td>
<td class="code"><pre>False</pre></td>
</tr>
<tr>
<td>USE_I18N</td>
<td class="code"><pre>True</pre></td>
</tr>
<tr>
<td>USE_L10N</td>
<td class="code"><pre>True</pre></td>
</tr>
<tr>
<td>USE_THOUSAND_SEPARATOR</td>
<td class="code"><pre>False</pre></td>
</tr>
<tr>
<td>USE_TZ</td>
<td class="code"><pre>True</pre></td>
</tr>
<tr>
<td>USE_X_FORWARDED_HOST</td>
<td class="code"><pre>False</pre></td>
</tr>
<tr>
<td>USE_X_FORWARDED_PORT</td>
<td class="code"><pre>False</pre></td>
</tr>
<tr>
<td>WSGI_APPLICATION</td>
<td class="code"><pre>'api.wsgi.application'</pre></td>
</tr>
<tr>
<td>X_FRAME_OPTIONS</td>
<td class="code"><pre>u'SAMEORIGIN'</pre></td>
</tr>
<tr>
<td>YEAR_MONTH_FORMAT</td>
<td class="code"><pre>u'F Y'</pre></td>
</tr>
</tbody>
</table>
</div>
<div id="explanation">
<p>
You're seeing this error because you have <code>DEBUG = True</code> in your
Django settings file. Change that to <code>False</code>, and Django will
display a standard page generated by the handler for this status code.
</p>
</div>
</body>
</html>
由于文本太多了,我们就不一条一条的分析,直接划到最下方发现
python的模块 Django这个描述,之所以报错的原因是
django报错页面将输入的参数传到了后端的django服务中进行解析,而django设置了编码为gbk导致错误编码了宽字符(超过了ascii码范围)。
我们根据django的目录,
可以从配置文件settings.py的报错中看看有没有database的相关信息?url=@/opt/api/api/settings.py
通过访问url我们能发现这个数据库是
sqlite3
根据前面发现的数据库路径,构造payload “url=@/opt/api/database.sqlite3”, 成功爆出报错信息,并由此在POST数据中找到了flag。
flag:
WHCTF{yoooo_Such_A_G00D_@}