WebGUI based backup



  • I have used wget to backup the conifg.xml file for a handful of pfSense boxes connected via VPN.  A recent upgrade to 2.3 has caused those backups to fail.

    wget -qO- –keep-session-cookies --save-cookies cookies.txt --no-check-certificate https://192.168.0.1/diag_backup.php | grep "name='__csrf_magic'" | sed 's/.value="(.)".*/\1/' > csrf.txt

    wget -qO- --keep-session-cookies --load-cookies cookies.txt --save-cookies cookies.txt --no-check-certificate --post-data "login=Login&usernamefld=admin&passwordfld=012503&__csrf_magic=$(cat csrf.txt)" https://192.168.0.1/diag_backup.php  | grep "name='__csrf_magic'" | sed 's/.value="(.)".*/\1/' > csrf2.txt

    wget --keep-session-cookies --load-cookies cookies.txt --no-check-certificate --post-data "Submit=download&donotbackuprrd=yes&__csrf_magic=$(cat csrf2.txt)" https://192.168.0.1/diag_backup.php -O config-router-corp-date +%Y%m%d%H%M%S.xml

    Putting these in manually gives me this error on the last command.

    --2016-04-19 09:33:59--  https://192.168.0.1/diag_backup.php
    Connecting to 192.168.0.1:443... connected.
    WARNING: The certificate of ‘192.168.0.1’ is not trusted.
    WARNING: The certificate of ‘192.168.0.1’ hasn't got a known issuer.
    The certificate's owner does not match hostname ‘192.168.0.1’
    HTTP request sent, awaiting response... 403 Forbidden
    2016-04-19 09:33:59 ERROR 403: Forbidden.

    I understand that the GUI has switched to nginx.  Does anyone have an updated method for grabbing the config remotely?

    Thanks
    Alan


  • Rebel Alliance Developer Netgate

    This set of commands (from https://doc.pfsense.org/index.php/Remote_Config_Backup) works for me against a 2.3 box.

    # wget -qO- --keep-session-cookies --save-cookies cookies.txt --no-check-certificate https://192.168.1.1/diag_backup.php | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/' > csrf.txt
    # wget -qO- --keep-session-cookies --load-cookies cookies.txt --save-cookies cookies.txt --no-check-certificate --post-data "login=Login&usernamefld=admin&passwordfld=pfsense&__csrf_magic=$(cat csrf.txt)" https://192.168.1.1/diag_backup.php  | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/' > csrf2.txt
    # wget --keep-session-cookies --load-cookies cookies.txt --no-check-certificate --post-data "Submit=download&donotbackuprrd=yes&__csrf_magic=$(head -n 1 csrf2.txt)" https://192.168.1.1/diag_backup.php -O config-router-`date +%Y%m%d%H%M%S`.xml
    
    


  • Thank you!


  • Rebel Alliance Developer Netgate

    The main difference seems to be that yours has "$(cat csrf2.txt)" and mine has "$(head -n 1 csrf2.txt)", that second run can have multiple CSRF tokens in the HTML so it's best to only take one, or it can fail.



  • Trying to get this to work on 2.4.2 but all I'm getting (using jimp's lines, adapted with my own credentials and addresses) is the php page again: it downloads the download php page. It creates the cookies and csrf files but no backup xml file.

    Doesn't matter which user I use (admin or dedicated backup user). Fiddled around with the password (for testing now only using a simple word with no fancy characters). Wget doesn't generate any errors (because from its point of view everything is ok).

    Any suggestions?


Log in to reply