Backup script problem since pfSense 2.2.6

footman

Hello,

Since pfSense 2.2.6 (CSRF), the backup script doesn't work. I use the new documentation : https://doc.pfsense.org/index.php/Remote_Config_Backup#2.2.6_and_Later

The first command witch generate csrf.txt seems OK :

$wget -O- --keep-session-cookies --save-cookies cookies.txt   --no-check-certificate https://X.X.X.X/diag_backup.php   | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/' > csrf.txt
--2016-05-23 16:17:04--  https://X.X.X.X/diag_backup.php
Connexion vers X.X.X.X... connecté.
AVERTISSEMENT : impossible de vérifier l'attribut X.X.X.X du certificat, émis par «/C=US/ST=Somewhere/L=Somecity/O=CompanyName/OU=Organizational Unit Name (eg, section)/CN=Common Name (eg, YOUR name)/emailAddress=Email Address» :
  Récupération d'un certificat auto-signé.
    AVERTISSEMENT : le nom commun du certificat «Common Name (eg, YOUR name)» ne concorde pas avec le nom de l'hôte demandé «X.X.X.X».
requête HTTP transmise, en attente de la réponse... 200 OK
Taille : non spécifié [text/html]
Enregistre : «STDOUT»

    [ <=>                                                                                                                ] 3 976       --.-K/s   ds 0s      

2016-05-23 16:17:04 (105 MB/s) - envoi sur stdout [3976]

$ cat csrf.txt 
sid:40cd77611dd43035f2977d732de534802315ade1,1464013094;ip:c909354356740834bd7573ef85313f90883ef9e3,1464013094

The second command witch generate csrf2.txt returns 403 forbidden error :

$ wget -O- --keep-session-cookies --load-cookies cookies.txt --save-cookies cookies.txt --no-check-certificate --post-data 'login=Login&usernamefld=XXXXX&passwordfld=XXXXX&__csrf_magic=$(cat csrf.txt)' https://X.X.X.X/diag_backup.php  | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/' > csrf2.txt
--2016-05-24 15:18:58--  https://X.X.X.X/diag_backup.php
Connexion vers X.X.X.X... connecté.
AVERTISSEMENT : impossible de vérifier l'attribut X.X.X.X du certificat, émis par «/C=US/ST=Somewhere/L=Somecity/O=CompanyName/OU=Organizational Unit Name (eg, section)/CN=Common Name (eg, YOUR name)/emailAddress=Email Address» :
  Récupération d'un certificat auto-signé.
    AVERTISSEMENT : le nom commun du certificat «Common Name (eg, YOUR name)» ne concorde pas avec le nom de l'hôte demandé «X.X.X.X».
requête HTTP transmise, en attente de la réponse... 403 Forbidden
2016-05-24 15:18:58 ERREUR 403: Forbidden.

$ cat csrf2.txt

I use wget 1.14 on Linux Mint 16.

Best regards,

Footman.

footman

Hello,

I tried with a more recent version :

Debian 8.4.0
wget 1.16

Unfortunately, I have the same problem…

Is this script functional for everybody ?

Best regards,

Footman.

azekiel

Here is my version of a Backup-Script for pre-2.3 versions and post-2.3 versions

Hope this helps you.

#!/bin/bash
die () {
    echo >&2 "$@"
    exit 1
}

SOURCE="${BASH_SOURCE[0]}"
while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
  DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
  SOURCE="$(readlink "$SOURCE")"
  [[ $SOURCE != /* ]] && SOURCE="$DIR/$SOURCE" # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
done
DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"

if [ -z "$6" ] 
then
set -- "${@:1:5}" $DIR
fi
[ "$#" -eq 6 ] || die "6 arguments required, $# provided. parameters required are: IP PORT username password (1|2 for pre2.3 or post2.3) DIRECTORY"
echo $2 | grep -E -q '^[0-9]+$' || die "Numeric argument required, $2 provided"
echo $3 | grep -E -q '^[a-zA-Z]+$' || die "Numeric argument required, $3 provided"
echo $4 | grep -E -q '^[a-zA-Z]+$' || die "Numeric argument required, $4 provided"
echo $5 | grep -E -q '^[0-9]+$' || die "Numeric argument required, $5 provided"
echo $(date +"%d.%m.%Y %H:%M:%S") $1 $2 $3 $4 $5 $6/$1 >> $6/logfile.txt

mkdir -p $6/$1

if [ "$5" -eq "1" ] 
then
#pre 2.3
wget -qO- --keep-session-cookies --save-cookies $1-cookies.txt --no-check-certificate https://$1:$2/diag_backup.php | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/' > $1-csrf.txt 
wget -qO- --keep-session-cookies --load-cookies $1-cookies.txt --save-cookies $1-cookies.txt --no-check-certificate --post-data "login=Login&usernamefld=$3&passwordfld=$4&__csrf_magic=$(cat $1-csrf.txt)" https://$1:$2/diag_backup.php  | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/' > $1-csrf2.txt
wget -q --keep-session-cookies --load-cookies $1-cookies.txt --no-check-certificate --post-data "Submit=download&donotbackuprrd=yes&__csrf_magic=$(cat $1-csrf2.txt)" https://$1:$2/diag_backup.php -O $6/$1/`date +%Y%m%d%H%M%S`.xml
else
#post 2.3
wget -qO- --keep-session-cookies --save-cookies $1-cookies.txt --no-check-certificate https://$1:$2/diag_backup.php | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/' > $1-csrf.txt
wget -qO- --keep-session-cookies --load-cookies $1-cookies.txt --save-cookies $1-cookies.txt --no-check-certificate --post-data "login=Login&usernamefld=$3&passwordfld=$4&__csrf_magic=$(cat $1-csrf.txt)" https://$1:$2/diag_backup.php  | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/' > $1-csrf2.txt
wget -q --keep-session-cookies --load-cookies $1-cookies.txt --no-check-certificate --post-data "Submit=download&donotbackuprrd=yes&__csrf_magic=$(head -n 1 $1-csrf2.txt)" https://$1:$2/diag_backup.php -O $6/$1/`date +%Y%m%d%H%M%S`.xml
fi
rm -r $1-cookies.txt
rm -r $1-csrf.txt
rm -r $1-csrf2.txt

Example usage:

Pre 2.3 Version (1 at the end)  ./pfbackup.sh IP PORT USERNAME PASSWORD 1 
Post 2.3 Version (2 at the end)  ./pfbackup.sh IP PORT USERNAME PASSWORD 2

footman

Hello azekiel,

Thanks a lot ! I blocked on this problem for weeks and it was just a quote problem (' instead of ") ! I can see the difference with your script, witch worked well. :)

Best regards,

Footman.

it-marmalade

This script has solved my similar problem reported in:

https://forum.pfsense.org/index.php?topic=114445.0

azekiel

Script works for 2.4 also!