· 7 years ago · May 22, 2018, 11:56 PM
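1Site vulnerable - https://www.bluefields.gob.ni/ (Django served with DEBUG = True; its debug error pages disclose the URL patterns and the settings dump below. Django masks only settings whose names look sensitive, e.g. containing PASS, SECRET or KEY, so a credential stored under any other setting name appears in clear text.)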
2
3resources (URL patterns listed by the debug page):
4^$
5^contabilidad/
6^articulo/ [name='articulo']
7^categoria/ [name='categoria']
8^historia/ [name='historia']
9^mision_vision/ [name='mision_vision']
10^organigrama/ [name='organigrama']
11^concejo/ [name='concejo']
12^tributacion/ [name='tributacion']
13^urbanismo/ [name='urbanismo']
14^medioambiente/ [name='medioambiente']
15^adquisicion/ [name='adquisicion']
16^registro_civil/ [name='registro_civil']
17^admin/
18^admin/filebrowser/
19^admin/ajax/
20^admin/extras/
21^grappelli/
22^tinymce/
23^mce_explorer/
24^recaudo/
25^reportes/ ^reporte_matricula/ [name='generar_reporte_matricula']
26^reportes/ ^reporte_ingresos/ [name='generar_reporte_ingreso']
27^reportes/ ^generar_reporte_cuenta/ [name='generar_reporte_cuenta']
28^reportes/ ^generar_reporte_contribuyente/ [name='generar_reporte_contribuyente']
29^reportes/ ^generar_reporte_mes_a_mes/ [name='generar_reporte_mes_a_mes']
30^reportes/ ^generar_reporte_matricula_no_paga/ [name='generar_reporte_matricula_no_paga']
31^home/
32^contribuyente/
33^recoleccion/
34^adminactions/
35^media\/(?P<path>.*)$
36---
37
38Using the URLconf defined in alcaldia.urls, Django tried these URL patterns, in this order:
39
40^$
41^contabilidad/
42^articulo/ [name='articulo']
43^categoria/ [name='categoria']
44^historia/ [name='historia']
45^mision_vision/ [name='mision_vision']
46^organigrama/ [name='organigrama']
47^concejo/ [name='concejo']
48^tributacion/ [name='tributacion']
49^urbanismo/ [name='urbanismo']
50^medioambiente/ [name='medioambiente']
51^adquisicion/ [name='adquisicion']
52^registro_civil/ [name='registro_civil']
53^admin/ ^$ [name='index']
54^admin/ ^login/$ [name='login']
55^admin/ ^logout/$ [name='logout']
56^admin/ ^password_change/$ [name='password_change']
57^admin/ ^password_change/done/$ [name='password_change_done']
58^admin/ ^jsi18n/$ [name='jsi18n']
59^admin/ ^r/(?P<content_type_id>\d+)/(?P<object_id>.+)/$ [name='view_on_site']
60^admin/ ^recaudo/recibo/
61^admin/ ^payment_procesor/llave/
62^admin/ ^recaudo/barrio/
63^admin/ ^tributacion/declaracion/
64^admin/ ^recaudo/diasferiados/
65^admin/ ^contabilidad/pagoboleta/
66^admin/ ^recaudo/contribuyente/
67^admin/ ^recaudo/municipio/
68^admin/ ^tributacion/colector/
69^admin/ ^home/articulo/
70^admin/ ^recaudo/cooperativa/
71^admin/ ^home/slider/
72^admin/ ^recaudo/aval/
73^admin/ ^payment_procesor/payment/
74^admin/ ^recaudo/comarca/
75^admin/ ^recaudo/boleta/
76^admin/ ^recaudo/unidadmedida/
77^admin/ ^recaudo/rubro/
78^admin/ ^tributacion/recoleccion/
79^admin/ ^home/categoria/
80^admin/ ^auth/user/
81^admin/ ^contabilidad/matricula/
82^admin/ ^recaudo/impuesto/
83^admin/ ^auth/group/
84^admin/ ^recaudo/especie/
85^admin/ ^(?P<app_label>recaudo|payment_procesor|tributacion|contabilidad|home|auth)/$ [name='app_list']
86^admin/filebrowser/
87^admin/ajax/
88^admin/extras/ ^print/ [name='extras_to_print']
89^grappelli/
90^tinymce/
91^mce_explorer/
92^recaudo/
93^reportes/
94^home/
95^contribuyente/
96^recoleccion/
97^adminactions/
98^media\/(?P<path>.*)$
99The current path, admin/extras/, didn't match any of these.
100
101____________
102
103ABSOLUTE_URL_OVERRIDES
104{}
105ADMINS
106[]
107ALLOWED_HOSTS
108['*']
109APPEND_SLASH
110True
111AUTHENTICATION_BACKENDS
112[u'django.contrib.auth.backends.ModelBackend']
113AUTH_PASSWORD_VALIDATORS
114u'********************'
115AUTH_USER_MODEL
116u'auth.User'
117BASE_DIR
118'/var/www/bluefields'
119BOWER_COMPONENTS_ROOT
120'/var/www/bluefields/components/'
121BOWER_INSTALLED_APPS
122['base',
123 'bootstrap-slider#*',
124 'chart.js#1.0.*',
125 'ckeditor#^4.7.0',
126 'bootstrap-colorpicker#^2.5.1',
127 'bootstrap#^3.3.7',
128 'jquery#^3.2.1',
129 'datatables.net#^1.10.15',
130 'datatables.net-bs#^2.1.1',
131 'bootstrap-datepicker#^1.7.0',
132 'bootstrap-daterangepicker#^2.1.25',
133 'moment#^2.18.1',
134 'fastclick#^1.0.6',
135 'flot#^0.8.3',
136 'fullcalendar#^3.4.0',
137 'jquery.inputmask#^3.3.7',
138 'ionrangeslider#^2.2.0',
139 'jvectormap#^2.0.4',
140 'jquery-knob#^1.2.13',
141 'morris.js#^0.5.1',
142 'pace#^1.0.2',
143 'select2#^4.0.3',
144 'slimscroll#^1.3.8',
145 'bootstrap-timepicker#^0.5.2',
146 'jquery-sparkline#^2.1.3',
147 'font-awesome#^4.7.0',
148 'ionicons#^2.0.1',
149 'jquery-ui#1.11.4']
150CACHES
151{u'default': {u'BACKEND': u'django.core.cache.backends.locmem.LocMemCache'}}
152CACHE_MIDDLEWARE_ALIAS
153u'default'
154CACHE_MIDDLEWARE_KEY_PREFIX
155u'********************'
156CACHE_MIDDLEWARE_SECONDS
157600
158CSRF_COOKIE_AGE
15931449600
160CSRF_COOKIE_DOMAIN
161None
162CSRF_COOKIE_HTTPONLY
163False
164CSRF_COOKIE_NAME
165u'csrftoken'
166CSRF_COOKIE_PATH
167u'/'
168CSRF_COOKIE_SECURE
169False
170CSRF_FAILURE_VIEW
171u'django.views.csrf.csrf_failure'
172CSRF_HEADER_NAME
173u'HTTP_X_CSRFTOKEN'
174CSRF_TRUSTED_ORIGINS
175[]
176CSRF_USE_SESSIONS
177False
178CS_MERCHANTID
179'tc_ni_001299528'
180CS_PASSWORD
181u'********************'
182CS_URL
183'https://ics2ws.ic3.com/commerce/1.x/transactionProcessor/CyberSourceTransaction_1.140.wsdl'
184DATABASES
185{'default': {'ATOMIC_REQUESTS': False,
186 'AUTOCOMMIT': True,
187 'CONN_MAX_AGE': 0,
188 'ENGINE': 'django.db.backends.postgresql_psycopg2',
189 'HOST': 'localhost',
190 'NAME': 'recaudo',
191 'OPTIONS': {},
192 'PASSWORD': u'********************',
193 'PORT': '5432',
194 'TEST': {'CHARSET': None,
195 'COLLATION': None,
196 'MIRROR': None,
197 'NAME': None},
198 'TIME_ZONE': None,
199 'USER': 'postgres'}}
200DATABASE_ROUTERS
201[]
202DATA_UPLOAD_MAX_MEMORY_SIZE
2032621440
204DATA_UPLOAD_MAX_NUMBER_FIELDS
2051000
206DATETIME_FORMAT
207u'N j, Y, P'
208DATETIME_INPUT_FORMATS
209[u'%Y-%m-%d %H:%M:%S',
210 u'%Y-%m-%d %H:%M:%S.%f',
211 u'%Y-%m-%d %H:%M',
212 u'%Y-%m-%d',
213 u'%m/%d/%Y %H:%M:%S',
214 u'%m/%d/%Y %H:%M:%S.%f',
215 u'%m/%d/%Y %H:%M',
216 u'%m/%d/%Y',
217 u'%m/%d/%y %H:%M:%S',
218 u'%m/%d/%y %H:%M:%S.%f',
219 u'%m/%d/%y %H:%M',
220 u'%m/%d/%y']
221DATE_FORMAT
222u'N j, Y'
223DATE_INPUT_FORMATS
224[u'%Y-%m-%d',
225 u'%m/%d/%Y',
226 u'%m/%d/%y',
227 u'%b %d %Y',
228 u'%b %d, %Y',
229 u'%d %b %Y',
230 u'%d %b, %Y',
231 u'%B %d %Y',
232 u'%B %d, %Y',
233 u'%d %B %Y',
234 u'%d %B, %Y']
235DBBACKUP_CONNECTORS
236{'default': {'HOST': 'localhost',
237 'PASSWORD': u'********************',
238 'USER': 'postgres'}}
239DBBACKUP_STORAGE
240'storages.backends.ftp.FTPStorage'
241DBBACKUP_STORAGE_OPTIONS
242{'location': 'ftp://ftp_@geosaldana.com:Delta2017@ftp.geosaldana.com:21'}
243DEBUG
244True
245DEBUG_PROPAGATE_EXCEPTIONS
246False
247DECIMAL_SEPARATOR
248u'.'
249DEFAULT_CHARSET
250u'utf-8'
251DEFAULT_CONTENT_TYPE
252u'text/html'
253DEFAULT_EXCEPTION_REPORTER_FILTER
254u'django.views.debug.SafeExceptionReporterFilter'
255DEFAULT_FILE_STORAGE
256u'django.core.files.storage.FileSystemStorage'
257DEFAULT_FROM_EMAIL
258u'webmaster@localhost'
259DEFAULT_INDEX_TABLESPACE
260u''
261DEFAULT_TABLESPACE
262u''
263DIRECTORY
264''
265DISALLOWED_USER_AGENTS
266[]
267EMAIL_BACKEND
268u'django.core.mail.backends.smtp.EmailBackend'
269EMAIL_HOST
270u'localhost'
271EMAIL_HOST_PASSWORD
272u'********************'
273EMAIL_HOST_USER
274u''
275EMAIL_PORT
27625
277EMAIL_SSL_CERTFILE
278None
279EMAIL_SSL_KEYFILE
280u'********************'
281EMAIL_SUBJECT_PREFIX
282u'[Django] '
283EMAIL_TIMEOUT
284None
285EMAIL_USE_LOCALTIME
286False
287EMAIL_USE_SSL
288False
289EMAIL_USE_TLS
290False
291EXTRA_MENUS
292[{'link': '#',
293 'menu': 'Reportes',
294 'options': [{'label': 'Matriculas', 'link': '/reportes/reporte_matricula'},
295 {'label': 'Matriculas no pagas',
296 'link': '/reportes/generar_reporte_matricula_no_paga'},
297 {'label': 'Resumen de Ingreso ',
298 'link': '/reportes/reporte_ingresos'},
299 {'label': 'Reporte de Cta. Cobrar',
300 'link': '/reportes/generar_reporte_cuenta'},
301 {'label': 'Reporte de Cta. Cobrar (2)',
302 'link': '/reportes/generar_reporte_cuenta'},
303 {'label': 'Reporte Contribuyentes',
304 'link': '/reportes/generar_reporte_contribuyente'},
305 {'label': 'Mes a Mes',
306 'link': '/reportes/generar_reporte_mes_a_mes'}]}]
307FILEBROWSER_DIRECTORY
308''
309FILE_CHARSET
310u'utf-8'
311FILE_UPLOAD_DIRECTORY_PERMISSIONS
312None
313FILE_UPLOAD_HANDLERS
314[u'django.core.files.uploadhandler.MemoryFileUploadHandler',
315 u'django.core.files.uploadhandler.TemporaryFileUploadHandler']
316FILE_UPLOAD_MAX_MEMORY_SIZE
3172621440
318FILE_UPLOAD_PERMISSIONS
319None
320FILE_UPLOAD_TEMP_DIR
321None
322FIRST_DAY_OF_WEEK
3230
324FIXTURE_DIRS
325[]
326FORCE_SCRIPT_NAME
327None
328FORMAT_MODULE_PATH
329None
330FORM_RENDERER
331u'django.forms.renderers.DjangoTemplates'
332GEOPOSITION_GOOGLE_MAPS_API_KEY
333u'********************'
334GRAPPELLI_ADMIN_TITLE
335'Alcald\xc3\xada de Bluefields'
336GRAPPELLI_SWITCH_USER
337'True'
338HEADLESS
339True
340IGNORABLE_404_URLS
341[]
342IMAGE_CROPPING_BACKEND
343'image_cropping.backends.easy_thumbs.EasyThumbnailsBackend'
344IMAGE_CROPPING_BACKEND_PARAMS
345{}
346IMAGE_CROPPING_JQUERY_URL
347'https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js'
348IMAGE_CROPPING_SIZE_WARNING
349False
350IMAGE_CROPPING_THUMB_SIZE
351(300, 300)
352INSTALLED_APPS
353['base',
354 'grappelli',
355 'dbbackup',
356 'filebrowser',
357 'import_export',
358 'adminactions',
359 'django.contrib.admin',
360 'django.contrib.auth',
361 'django.contrib.contenttypes',
362 'django.contrib.sessions',
363 'django.contrib.messages',
364 'django.contrib.staticfiles',
365 'django.contrib.humanize',
366 'django.contrib.admindocs',
367 'tinymce',
368 'mce_explorer',
369 'easy_thumbnails',
370 'image_cropping',
371 'contabilidad',
372 'tributacion',
373 'recaudo',
374 'contribuyente',
375 'home',
376 'payment_procesor',
377 'sslserver',
378 'reportes',
379 'djangobower',
380 'colorfield']
381INTERNAL_IPS
382[]
383LANGUAGES
384[(u'af', u'Afrikaans'),
385 (u'ar', u'Arabic'),
386 (u'ast', u'Asturian'),
387 (u'az', u'Azerbaijani'),
388 (u'bg', u'Bulgarian'),
389 (u'be', u'Belarusian'),
390 (u'bn', u'Bengali'),
391 (u'br', u'Breton'),
392 (u'bs', u'Bosnian'),
393 (u'ca', u'Catalan'),
394 (u'cs', u'Czech'),
395 (u'cy', u'Welsh'),
396 (u'da', u'Danish'),
397 (u'de', u'German'),
398 (u'dsb', u'Lower Sorbian'),
399 (u'el', u'Greek'),
400 (u'en', u'English'),
401 (u'en-au', u'Australian English'),
402 (u'en-gb', u'British English'),
403 (u'eo', u'Esperanto'),
404 (u'es', u'Spanish'),
405 (u'es-ar', u'Argentinian Spanish'),
406 (u'es-co', u'Colombian Spanish'),
407 (u'es-mx', u'Mexican Spanish'),
408 (u'es-ni', u'Nicaraguan Spanish'),
409 (u'es-ve', u'Venezuelan Spanish'),
410 (u'et', u'Estonian'),
411 (u'eu', u'Basque'),
412 (u'fa', u'Persian'),
413 (u'fi', u'Finnish'),
414 (u'fr', u'French'),
415 (u'fy', u'Frisian'),
416 (u'ga', u'Irish'),
417 (u'gd', u'Scottish Gaelic'),
418 (u'gl', u'Galician'),
419 (u'he', u'Hebrew'),
420 (u'hi', u'Hindi'),
421 (u'hr', u'Croatian'),
422 (u'hsb', u'Upper Sorbian'),
423 (u'hu', u'Hungarian'),
424 (u'ia', u'Interlingua'),
425 (u'id', u'Indonesian'),
426 (u'io', u'Ido'),
427 (u'is', u'Icelandic'),
428 (u'it', u'Italian'),
429 (u'ja', u'Japanese'),
430 (u'ka', u'Georgian'),
431 (u'kk', u'Kazakh'),
432 (u'km', u'Khmer'),
433 (u'kn', u'Kannada'),
434 (u'ko', u'Korean'),
435 (u'lb', u'Luxembourgish'),
436 (u'lt', u'Lithuanian'),
437 (u'lv', u'Latvian'),
438 (u'mk', u'Macedonian'),
439 (u'ml', u'Malayalam'),
440 (u'mn', u'Mongolian'),
441 (u'mr', u'Marathi'),
442 (u'my', u'Burmese'),
443 (u'nb', u'Norwegian Bokm\xe5l'),
444 (u'ne', u'Nepali'),
445 (u'nl', u'Dutch'),
446 (u'nn', u'Norwegian Nynorsk'),
447 (u'os', u'Ossetic'),
448 (u'pa', u'Punjabi'),
449 (u'pl', u'Polish'),
450 (u'pt', u'Portuguese'),
451 (u'pt-br', u'Brazilian Portuguese'),
452 (u'ro', u'Romanian'),
453 (u'ru', u'Russian'),
454 (u'sk', u'Slovak'),
455 (u'sl', u'Slovenian'),
456 (u'sq', u'Albanian'),
457 (u'sr', u'Serbian'),
458 (u'sr-latn', u'Serbian Latin'),
459 (u'sv', u'Swedish'),
460 (u'sw', u'Swahili'),
461 (u'ta', u'Tamil'),
462 (u'te', u'Telugu'),
463 (u'th', u'Thai'),
464 (u'tr', u'Turkish'),
465 (u'tt', u'Tatar'),
466 (u'udm', u'Udmurt'),
467 (u'uk', u'Ukrainian'),
468 (u'ur', u'Urdu'),
469 (u'vi', u'Vietnamese'),
470 (u'zh-hans', u'Simplified Chinese'),
471 (u'zh-hant', u'Traditional Chinese')]
472LANGUAGES_BIDI
473[u'he', u'ar', u'fa', u'ur']
474LANGUAGE_CODE
475'es-NI'
476LANGUAGE_COOKIE_AGE
477None
478LANGUAGE_COOKIE_DOMAIN
479None
480LANGUAGE_COOKIE_NAME
481u'django_language'
482LANGUAGE_COOKIE_PATH
483u'/'
484LOCALE_PATHS
485[]
486LOGGING
487{}
488LOGGING_CONFIG
489u'logging.config.dictConfig'
490LOGIN_REDIRECT_URL
491'/'
492LOGIN_URL
493'/contribuyente/login/'
494LOGOUT_REDIRECT_URL
495None
496MANAGERS
497[]
498MEDIA_ROOT
499'/var/www/bluefields/media/'
500MEDIA_URL
501'/media/'
502MESSAGE_STORAGE
503u'django.contrib.messages.storage.fallback.FallbackStorage'
504MIDDLEWARE
505['django.middleware.security.SecurityMiddleware',
506 'django.contrib.sessions.middleware.SessionMiddleware',
507 'django.middleware.common.CommonMiddleware',
508 'django.middleware.csrf.CsrfViewMiddleware',
509 'django.contrib.auth.middleware.AuthenticationMiddleware',
510 'django.contrib.messages.middleware.MessageMiddleware',
511 'django.middleware.clickjacking.XFrameOptionsMiddleware']
512MIDDLEWARE_CLASSES
513[u'django.middleware.common.CommonMiddleware',
514 u'django.middleware.csrf.CsrfViewMiddleware']
515MIGRATION_MODULES
516{}
517MONTH_DAY_FORMAT
518u'F j'
519NUMBER_GROUPING
5200
521PASSWORD_HASHERS
522u'********************'
523PASSWORD_RESET_TIMEOUT_DAYS
524u'********************'
525PREPEND_WWW
526False
527ROOT_URLCONF
528'alcaldia.urls'
529SECRET_KEY
530u'********************'
531SECURE_BROWSER_XSS_FILTER
532False
533SECURE_CONTENT_TYPE_NOSNIFF
534False
535SECURE_HSTS_INCLUDE_SUBDOMAINS
536False
537SECURE_HSTS_PRELOAD
538False
539SECURE_HSTS_SECONDS
5400
541SECURE_PROXY_SSL_HEADER
542None
543SECURE_REDIRECT_EXEMPT
544[]
545SECURE_SSL_HOST
546None
547SECURE_SSL_REDIRECT
548False
549SERVER_EMAIL
550u'root@localhost'
551SESSION_CACHE_ALIAS
552u'default'
553SESSION_COOKIE_AGE
5541209600
555SESSION_COOKIE_DOMAIN
556None
557SESSION_COOKIE_HTTPONLY
558True
559SESSION_COOKIE_NAME
560u'sessionid'
561SESSION_COOKIE_PATH
562u'/'
563SESSION_COOKIE_SECURE
564False
565SESSION_ENGINE
566u'django.contrib.sessions.backends.db'
567SESSION_EXPIRE_AT_BROWSER_CLOSE
568False
569SESSION_FILE_PATH
570None
571SESSION_SAVE_EVERY_REQUEST
572False
573SESSION_SERIALIZER
574u'django.contrib.sessions.serializers.JSONSerializer'
575SETTINGS_MODULE
576'alcaldia.settings'
577SHORT_DATETIME_FORMAT
578u'm/d/Y P'
579SHORT_DATE_FORMAT
580u'm/d/Y'
581SIGNING_BACKEND
582u'django.core.signing.TimestampSigner'
583SILENCED_SYSTEM_CHECKS
584[]
585STATICFILES_DIRS
586[]
587STATICFILES_FINDERS
588('django.contrib.staticfiles.finders.FileSystemFinder',
589 'django.contrib.staticfiles.finders.AppDirectoriesFinder',
590 'djangobower.finders.BowerFinder')
591STATICFILES_STORAGE
592u'django.contrib.staticfiles.storage.StaticFilesStorage'
593STATIC_ROOT
594'/var/www/bluefields/static/'
595STATIC_URL
596'/static/'
597TEMPLATES
598[{'APP_DIRS': True,
599 'BACKEND': 'django.template.backends.django.DjangoTemplates',
600 'DIRS': [],
601 'OPTIONS': {'context_processors': ['django.template.context_processors.debug',
602 'django.template.context_processors.request',
603 'django.contrib.auth.context_processors.auth',
604 'django.contrib.messages.context_processors.messages',
605 'home.context_processors.categorias',
606 'base.context_processors.extra_menus']}}]
607TEMPLATE_LOADERS
608('django.template.loaders.filesystem.Loader',
609 'django.template.loaders.app_directories.Loader',
610 'apptemplates.Loader')
611TEST_NON_SERIALIZED_APPS
612[]
613TEST_RUNNER
614u'django.test.runner.DiscoverRunner'
615THOUSAND_SEPARATOR
616u','
617THUMBNAIL_DEBUG
618True
619THUMBNAIL_PROCESSORS
620('image_cropping.thumbnail_processors.crop_corners',
621 'easy_thumbnails.processors.colorspace',
622 'easy_thumbnails.processors.autocrop',
623 'easy_thumbnails.processors.scale_and_crop',
624 'easy_thumbnails.processors.filters',
625 'easy_thumbnails.processors.background')
626TIME_FORMAT
627u'P'
628TIME_INPUT_FORMATS
629[u'%H:%M:%S', u'%H:%M:%S.%f', u'%H:%M']
630TIME_ZONE
631'UTC'
632TINYMCE_DEFAULT_CONFIG
633{'cleanup_on_startup': True,
634 'custom_undo_redo_levels': 10,
635 'file_browser_callback': 'mce_explorer',
636 'min_height': 1000,
637 'plugins': 'table,spellchecker,paste,searchreplace',
638 'theme': 'advanced'}
639USE_ETAGS
640False
641USE_I18N
642True
643USE_L10N
644True
645USE_THOUSAND_SEPARATOR
646False
647USE_TZ
648True
649USE_X_FORWARDED_HOST
650False
651USE_X_FORWARDED_PORT
652False
653WSGI_APPLICATION
654'alcaldia.wsgi.application'
655X_FRAME_OPTIONS
656u'SAMEORIGIN'
657YEAR_MONTH_FORMAT
658u'F Y'