Backup script problem since pfSense 2.2.6



  • Hello,

    Since pfSense 2.2.6 (CSRF), the backup script doesn't work. I use the new documentation: https://doc.pfsense.org/index.php/Remote_Config_Backup#2.2.6_and_Later

    The first command, which generates csrf.txt, seems OK:

    $wget -O- --keep-session-cookies --save-cookies cookies.txt   --no-check-certificate https://X.X.X.X/diag_backup.php   | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/' > csrf.txt
    --2016-05-23 16:17:04--  https://X.X.X.X/diag_backup.php
    Connexion vers X.X.X.X... connecté.
    AVERTISSEMENT : impossible de vérifier l'attribut X.X.X.X du certificat, émis par «/C=US/ST=Somewhere/L=Somecity/O=CompanyName/OU=Organizational Unit Name (eg, section)/CN=Common Name (eg, YOUR name)/emailAddress=Email Address» :
      Récupération d'un certificat auto-signé.
        AVERTISSEMENT : le nom commun du certificat «Common Name (eg, YOUR name)» ne concorde pas avec le nom de l'hôte demandé «X.X.X.X».
    requête HTTP transmise, en attente de la réponse... 200 OK
    Taille : non spécifié [text/html]
    Enregistre : «STDOUT»
    
        [ <=>                                                                                                                ] 3 976       --.-K/s   ds 0s      
    
    2016-05-23 16:17:04 (105 MB/s) - envoi sur stdout [3976]
    
    $ cat csrf.txt 
    sid:40cd77611dd43035f2977d732de534802315ade1,1464013094;ip:c909354356740834bd7573ef85313f90883ef9e3,1464013094
    

    The second command, which generates csrf2.txt, returns a 403 Forbidden error:

    $ wget -O- --keep-session-cookies --load-cookies cookies.txt --save-cookies cookies.txt --no-check-certificate --post-data 'login=Login&usernamefld=XXXXX&passwordfld=XXXXX&__csrf_magic=$(cat csrf.txt)' https://X.X.X.X/diag_backup.php  | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/' > csrf2.txt
    --2016-05-24 15:18:58--  https://X.X.X.X/diag_backup.php
    Connexion vers X.X.X.X... connecté.
    AVERTISSEMENT : impossible de vérifier l'attribut X.X.X.X du certificat, émis par «/C=US/ST=Somewhere/L=Somecity/O=CompanyName/OU=Organizational Unit Name (eg, section)/CN=Common Name (eg, YOUR name)/emailAddress=Email Address» :
      Récupération d'un certificat auto-signé.
        AVERTISSEMENT : le nom commun du certificat «Common Name (eg, YOUR name)» ne concorde pas avec le nom de l'hôte demandé «X.X.X.X».
    requête HTTP transmise, en attente de la réponse... 403 Forbidden
    2016-05-24 15:18:58 ERREUR 403: Forbidden.
    
    $ cat csrf2.txt
    

    I use wget 1.14 on Linux Mint 16.

    Best regards,

    Footman.



  • Hello,

    I tried with a more recent version:

    Debian 8.4.0
    wget 1.16

    Unfortunately, I have the same problem…

    Is this script functional for everybody?

    Best regards,

    Footman.



  • Here is my version of a Backup-Script for pre-2.3 versions and post-2.3 versions

    Hope this helps you.

    
    #!/bin/bash
    # Print an error message to stderr and abort.
    die () {
        echo >&2 "$@"
        exit 1
    }
    
    SOURCE="${BASH_SOURCE[0]}"
    while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
      DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
      SOURCE="$(readlink "$SOURCE")"
      [[ $SOURCE != /* ]] && SOURCE="$DIR/$SOURCE" # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
    done
    DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
    
    # Default the target directory (6th argument) to the script's own directory.
    if [ -z "$6" ] 
    then
    set -- "${@:1:5}" "$DIR"
    fi
    [ "$#" -eq 6 ] || die "6 arguments required, $# provided. parameters required are: IP PORT username password (1|2 for pre2.3 or post2.3) DIRECTORY"
    echo "$2" | grep -E -q '^[0-9]+$' || die "Numeric argument required, $2 provided"
    echo "$3" | grep -E -q '^[a-zA-Z]+$' || die "Alphabetic argument required, $3 provided"
    # Do not echo the password back in the error message.
    echo "$4" | grep -E -q '^[a-zA-Z]+$' || die "Alphabetic argument required for the password"
    echo "$5" | grep -E -q '^[0-9]+$' || die "Numeric argument required, $5 provided"
    
    # Create the target directory first so the log file can always be written.
    mkdir -p "$6/$1"
    # The password ($4) is left out of the log line.
    echo "$(date +"%d.%m.%Y %H:%M:%S")" "$1" "$2" "$3" "$5" "$6/$1" >> "$6/logfile.txt"
    
    if [ "$5" -eq "1" ] 
    then
    #pre 2.3
    # 1) fetch the login page and its CSRF token, 2) log in and fetch the next token, 3) request the backup
    wget -qO- --keep-session-cookies --save-cookies "$1-cookies.txt" --no-check-certificate "https://$1:$2/diag_backup.php" | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/' > "$1-csrf.txt"
    wget -qO- --keep-session-cookies --load-cookies "$1-cookies.txt" --save-cookies "$1-cookies.txt" --no-check-certificate --post-data "login=Login&usernamefld=$3&passwordfld=$4&__csrf_magic=$(cat "$1-csrf.txt")" "https://$1:$2/diag_backup.php"  | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/' > "$1-csrf2.txt"
    wget -q --keep-session-cookies --load-cookies "$1-cookies.txt" --no-check-certificate --post-data "Submit=download&donotbackuprrd=yes&__csrf_magic=$(cat "$1-csrf2.txt")" "https://$1:$2/diag_backup.php" -O "$6/$1/$(date +%Y%m%d%H%M%S).xml"
    else
    #post 2.3
    # Same three steps; only the first token line of the second page is used (head -n 1)
    wget -qO- --keep-session-cookies --save-cookies "$1-cookies.txt" --no-check-certificate "https://$1:$2/diag_backup.php" | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/' > "$1-csrf.txt"
    wget -qO- --keep-session-cookies --load-cookies "$1-cookies.txt" --save-cookies "$1-cookies.txt" --no-check-certificate --post-data "login=Login&usernamefld=$3&passwordfld=$4&__csrf_magic=$(cat "$1-csrf.txt")" "https://$1:$2/diag_backup.php"  | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/' > "$1-csrf2.txt"
    wget -q --keep-session-cookies --load-cookies "$1-cookies.txt" --no-check-certificate --post-data "Submit=download&donotbackuprrd=yes&__csrf_magic=$(head -n 1 "$1-csrf2.txt")" "https://$1:$2/diag_backup.php" -O "$6/$1/$(date +%Y%m%d%H%M%S).xml"
    fi
    # Remove the session cookie and token files.
    rm -f "$1-cookies.txt"
    rm -f "$1-csrf.txt"
    rm -f "$1-csrf2.txt"
    
    

    Example usage:

    Pre 2.3 Version (1 at the end)  ./pfbackup.sh IP PORT USERNAME PASSWORD 1 
    Post 2.3 Version (2 at the end)  ./pfbackup.sh IP PORT USERNAME PASSWORD 2



  • Hello azekiel,

    Thanks a lot! I was blocked on this problem for weeks and it was just a quote problem (' instead of ")! I can see the difference with your script, which worked well. :)

    Best regards,

    Footman.
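
The quoting difference identified in the reply above, as an added example that is not part of the original thread: it builds the login POST body both ways from a constructed form line and shows why the single-quoted one is rejected. `SAMPLE_HTML`, the `USER`/`PASS` placeholders and the `csrf_field_ok` guard are assumptions made for the illustration.

```shell
#!/bin/sh
# Constructed sample of the form line that carries the token (not real pfSense output).
SAMPLE_HTML="<form><input type='hidden' name='__csrf_magic' value=\"sid:0123abcd,1464013094;ip:4567ef01,1464013094\" /></form>"

# Same grep/sed pipeline as in the thread; reads the fetched page on stdin.
extract_csrf() {
    grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/' | head -n 1
}

# Form from the first post: inside single quotes $(cat ...) is never run,
# so the literal text "$(cat csrf.txt)" is sent as the token.
post_data_single() {
    printf '%s' 'login=Login&usernamefld=USER&passwordfld=PASS&__csrf_magic=$(cat csrf.txt)'
}

# Form from the working script: double quotes let the substitution run.
# $1 is the file holding the extracted token.
post_data_double() {
    printf '%s' "login=Login&usernamefld=USER&passwordfld=PASS&__csrf_magic=$(cat "$1")"
}

# Hypothetical guard to run before the POST: the token field must be
# non-empty and must not contain unexpanded shell syntax or spaces.
csrf_field_ok() {
    token="${1##*__csrf_magic=}"
    [ -n "$token" ] || return 1
    case "$token" in
        *'$'*|*'('*|*' '*) return 1 ;;
    esac
    return 0
}

demo() {
    tmp="$(mktemp)"
    printf '%s\n' "$SAMPLE_HTML" | extract_csrf > "$tmp"
    for body in "$(post_data_single)" "$(post_data_double "$tmp")"; do
        if csrf_field_ok "$body"; then
            echo "OK      $body"
        else
            echo "REJECT  $body"
        fi
    done
    rm -f "$tmp"
}
demo
```

Checking the body before sending it turns a silent 403 into an immediate, explainable failure, and also catches the case where the token file is empty because the first request failed.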



  • This script has solved my similar problem reported in:

    https://forum.pfsense.org/index.php?topic=114445.0



  • Script works for 2.4 also!

