WebGUI based backup

alan.johnson · Apr 19, 2016, 1:51 PM

I have used wget to backup the conifg.xml file for a handful of pfSense boxes connected via VPN. A recent upgrade to 2.3 has caused those backups to fail.

wget -qO- –keep-session-cookies --save-cookies cookies.txt --no-check-certificate https://192.168.0.1/diag_backup.php | grep "name='__csrf_magic'" | sed 's/.value="(.)".*/\1/' > csrf.txt

wget -qO- --keep-session-cookies --load-cookies cookies.txt --save-cookies cookies.txt --no-check-certificate --post-data "login=Login&usernamefld=admin&passwordfld=012503&__csrf_magic=$(cat csrf.txt)" https://192.168.0.1/diag_backup.php | grep "name='__csrf_magic'" | sed 's/.value="(.)".*/\1/' > csrf2.txt

wget --keep-session-cookies --load-cookies cookies.txt --no-check-certificate --post-data "Submit=download&donotbackuprrd=yes&__csrf_magic=$(cat csrf2.txt)" https://192.168.0.1/diag_backup.php -O config-router-corp-date +%Y%m%d%H%M%S.xml

Putting these in manually gives me this error on the last command.

--2016-04-19 09:33:59-- https://192.168.0.1/diag_backup.php
Connecting to 192.168.0.1:443... connected.
WARNING: The certificate of ‘192.168.0.1’ is not trusted.
WARNING: The certificate of ‘192.168.0.1’ hasn't got a known issuer.
The certificate's owner does not match hostname ‘192.168.0.1’
HTTP request sent, awaiting response... 403 Forbidden
2016-04-19 09:33:59 ERROR 403: Forbidden.

I understand that the GUI has switched to nginx. Does anyone have an updated method for grabbing the config remotely?

Thanks
Alan

jimp · Apr 19, 2016, 7:17 PM

This set of commands (from https://doc.pfsense.org/index.php/Remote_Config_Backup) works for me against a 2.3 box.

# wget -qO- --keep-session-cookies --save-cookies cookies.txt --no-check-certificate https://192.168.1.1/diag_backup.php | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/' > csrf.txt
# wget -qO- --keep-session-cookies --load-cookies cookies.txt --save-cookies cookies.txt --no-check-certificate --post-data "login=Login&usernamefld=admin&passwordfld=pfsense&__csrf_magic=$(cat csrf.txt)" https://192.168.1.1/diag_backup.php  | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/' > csrf2.txt
# wget --keep-session-cookies --load-cookies cookies.txt --no-check-certificate --post-data "Submit=download&donotbackuprrd=yes&__csrf_magic=$(head -n 1 csrf2.txt)" https://192.168.1.1/diag_backup.php -O config-router-`date +%Y%m%d%H%M%S`.xml

alan.johnson · Apr 19, 2016, 8:16 PM

Thank you!

jimp · Apr 19, 2016, 8:32 PM

The main difference seems to be that yours has "$(cat csrf2.txt)" and mine has "$(head -n 1 csrf2.txt)", that second run can have multiple CSRF tokens in the HTML so it's best to only take one, or it can fail.

Vorkbaard · Nov 28, 2017, 8:18 AM

Trying to get this to work on 2.4.2 but all I'm getting (using jimp's lines, adapted with my own credentials and addresses) is the php page again: it downloads the download php page. It creates the cookies and csrf files but no backup xml file.

Doesn't matter which user I use (admin or dedicated backup user). Fiddled around with the password (for testing now only using a simple word with no fancy characters). Wget doesn't generate any errors (because from its point of view everything is ok).

Any suggestions?