Curl/Wget script login dealing with CSRF



  • Hello, can someone share how they are dealing with the CSRF feature of the login screen on 2.1?

    I have a few scripts that allow local users to execute the WOL feature of the firewall, so they can start machines in all the various VLANs at their location. Those scripts stopped working after I upgraded the site to pfSense 2.1. I just get an error about the token... or a 403: Forbidden.

    The instructions for 2.0 at the following site no longer seem to work.  Do they work for you?
    https://doc.pfsense.org/index.php/Remote_Config_Backup

    Do I need to grab the login page first, then grab the CSRF token, then submit the login form using that token? Anyone have a vbasic script that does that already? I'm just looking for something that runs on Windows 7 using the standard tools that come with it, + curl.

    Thanks
    Josh



  • Here is the start of a PowerShell script to log in. Anyone have any suggestions on getting it to actually work?

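    #Firewall Hostname
    $fwhost = "https://firewall.org.org"
    #Firewall Login Name
    $fwlogin = "admin"
    #Password
    $fwpw = "tacos"
    
    # Fetch the login page; -c saves the session cookie that the CSRF token is tied to.
    # -k skips certificate validation, -s hides the progress meter.
    $curlout = [string](.\curl\curl.exe -k -s -c cookies.txt $fwhost)
    # The token runs from "sid:" to the closing quote, so no fixed length is assumed.
    if (-not ($curlout -match 'sid:[^"'']+')) { throw "No __csrf_magic token found in the login page" }
    $token = $matches[0]
    
    $curlcmd = ".\curl\curl.exe -k -s -b cookies.txt -c cookies.txt -d login=Login&usernamefld=${fwlogin}&passwordfld=${fwpw}&__csrf_magic=${token} ${fwhost}/services_wol.php"
    
    echo $curlcmd
    
    # Submit the login form with the token. -b sends the saved cookie and -c stores the updated one;
    # --data-urlencode escapes special characters in the password and token.
    $curlout = [string](.\curl\curl.exe -k -s -i -b cookies.txt -c cookies.txt -d "login=Login" --data-urlencode "usernamefld=$fwlogin" --data-urlencode "passwordfld=$fwpw" --data-urlencode "__csrf_magic=$token" "$fwhost/services_wol.php")
    
    echo $curlout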
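
The sequence asked about in the first post (fetch the login page, extract the token, submit the form with it), written as an added example in POSIX shell with curl; it is not code from either post. The field names are the ones the posted script uses; the hidden-input markup, the success check, and the `FW_PASSWORD` variable are assumptions.

```shell
#!/bin/sh
# Added example. Field names come from the thread's script; the markup the
# parser expects and the login_ok heuristic are assumptions.

# Print the value of the __csrf_magic hidden input found in HTML on stdin.
# Matches up to the closing quote, so the token may be any length.
csrf_token() {
    tr '\n' ' ' |
        sed -n "s/.*name=['\"]__csrf_magic['\"][^>]*value=['\"]\([^'\"]*\)['\"].*/\1/p"
}

# $1 = HTTP status, $2 = file holding the response body.
# Fails on 403 (token rejected) or when the login form comes back.
login_ok() {
    [ "$1" != 403 ] && ! grep -q 'usernamefld' "$2"
}

# pfsense_login BASE_URL USER  (password taken from $FW_PASSWORD).
# Prints the path of a cookie jar holding the logged-in session.
# For a self-signed firewall certificate, point CURL_CA_BUNDLE at it
# instead of disabling verification with -k.
pfsense_login() {
    base=$1 user=$2
    jar=$(mktemp) body=$(mktemp)
    # 1. GET the login page; -c stores the session cookie the token belongs to.
    token=$(curl -s -c "$jar" "$base/" | csrf_token)
    if [ -z "$token" ]; then
        echo "no __csrf_magic token in login page" >&2
        rm -f "$jar" "$body"; return 1
    fi
    # 2. POST the form with the same jar; --data-urlencode escapes special
    #    characters in the token and the password.
    status=$(curl -s -b "$jar" -c "$jar" -o "$body" -w '%{http_code}' \
        --data-urlencode "login=Login" \
        --data-urlencode "usernamefld=$user" \
        --data-urlencode "passwordfld=$FW_PASSWORD" \
        --data-urlencode "__csrf_magic=$token" "$base/")
    # 3. Keep the jar only if the login was accepted.
    if login_ok "$status" "$body"; then
        rm -f "$body"; echo "$jar"
    else
        echo "login failed (HTTP $status)" >&2
        rm -f "$jar" "$body"; return 1
    fi
}

# Constructed sample markup, so the parser can be tried offline:
sample="<input type='hidden' name='__csrf_magic' value=\"sid:0123abcd,1380000000\" />"
printf '%s\n' "$sample" | csrf_token
```

Later requests reuse the printed cookie jar with `-b`; any form they submit needs a token taken from the page that contains that form.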