WebGUI based backup

alan.johnson

I have used wget to backup the conifg.xml file for a handful of pfSense boxes connected via VPN.  A recent upgrade to 2.3 has caused those backups to fail.

wget -qO- –keep-session-cookies --save-cookies cookies.txt --no-check-certificate https://192.168.0.1/diag_backup.php | grep "name='__csrf_magic'" | sed 's/.value="(.)".*/\1/' > csrf.txt

wget -qO- --keep-session-cookies --load-cookies cookies.txt --save-cookies cookies.txt --no-check-certificate --post-data "login=Login&usernamefld=admin&passwordfld=012503&__csrf_magic=$(cat csrf.txt)" https://192.168.0.1/diag_backup.php  | grep "name='__csrf_magic'" | sed 's/.value="(.)".*/\1/' > csrf2.txt

wget --keep-session-cookies --load-cookies cookies.txt --no-check-certificate --post-data "Submit=download&donotbackuprrd=yes&__csrf_magic=$(cat csrf2.txt)" https://192.168.0.1/diag_backup.php -O config-router-corp-date +%Y%m%d%H%M%S.xml

Putting these in manually gives me this error on the last command.

--2016-04-19 09:33:59--  https://192.168.0.1/diag_backup.php
Connecting to 192.168.0.1:443... connected.
WARNING: The certificate of ‘192.168.0.1’ is not trusted.
WARNING: The certificate of ‘192.168.0.1’ hasn't got a known issuer.
The certificate's owner does not match hostname ‘192.168.0.1’
HTTP request sent, awaiting response... 403 Forbidden
2016-04-19 09:33:59 ERROR 403: Forbidden.

I understand that the GUI has switched to nginx.  Does anyone have an updated method for grabbing the config remotely?

Thanks
Alan

jimp

This set of commands (from https://doc.pfsense.org/index.php/Remote_Config_Backup) works for me against a 2.3 box.

# wget -qO- --keep-session-cookies --save-cookies cookies.txt --no-check-certificate https://192.168.1.1/diag_backup.php | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/' > csrf.txt
# wget -qO- --keep-session-cookies --load-cookies cookies.txt --save-cookies cookies.txt --no-check-certificate --post-data "login=Login&usernamefld=admin&passwordfld=pfsense&__csrf_magic=$(cat csrf.txt)" https://192.168.1.1/diag_backup.php  | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/' > csrf2.txt
# wget --keep-session-cookies --load-cookies cookies.txt --no-check-certificate --post-data "Submit=download&donotbackuprrd=yes&__csrf_magic=$(head -n 1 csrf2.txt)" https://192.168.1.1/diag_backup.php -O config-router-`date +%Y%m%d%H%M%S`.xml

alan.johnson

Thank you!

jimp

The main difference seems to be that yours has "$(cat csrf2.txt)" and mine has "$(head -n 1 csrf2.txt)", that second run can have multiple CSRF tokens in the HTML so it's best to only take one, or it can fail.

Vorkbaard

Trying to get this to work on 2.4.2 but all I'm getting (using jimp's lines, adapted with my own credentials and addresses) is the php page again: it downloads the download php page. It creates the cookies and csrf files but no backup xml file.

Doesn't matter which user I use (admin or dedicated backup user). Fiddled around with the password (for testing now only using a simple word with no fancy characters). Wget doesn't generate any errors (because from its point of view everything is ok).

Any suggestions?