[SOLVED] Backup OPSsense configuration with wget

[orsomannaro]

I'm migrating from PfSense to OPNsense.

To backup the configuration settings I'm following this guide:

https://wikit.firewall-services.com/doku.php/tuto/sauvegardes/sauvegarde_pfsense_2

but the script for OPNsense doesn't work:

Code: [Select]

#!/bin/bash -e
 
OUT='/var/backups/opnsense'
TMP=$(mktemp -d)
URL='https://opnsense.domain.tld'
LOGIN='backupusr'
PASS='p@ssw0rd'
 
# Submit the login form with the previous values, and save a new CSRF token
/usr/bin/wget -q -O /dev/null --keep-session-cookies --save-cookies $TMP/cookies.txt --no-check-certificate  \
   --post-data "login=Login&usernamefld=$LOGIN&passwordfld=$PASS" $URL/diag_backup.php
 
# Save only the config
/usr/bin/wget -q --keep-session-cookies --load-cookies $TMP/cookies.txt --save-cookies $TMP/cookies.txt --no-check-certificate \
    --post-data "download=Download%20Configuration&donotbackuprrd=yes" $URL/diag_backup.php -O $OUT/config-pfsense.xml \
 
rm -f $TMP/*.txt
rmdir $TMP

Somebody can help me to adjust the script code in the right way?


Thanks for your help.

[franco]

We don't have bash, replace:

#!/bin/bash -e

with

#!/bin/sh -e

It looks like there is nothing bash-specific in there, but I didn't verify.


Cheers,
Franco

[orsomannaro]

Hi Franco.

Thanks for your reply, but change /bin/bash with /bin/sh doesn't solve the problem.

I suppose that the problem resides in the wget instruction parameters.

[fabian]

it could be your credentials as they need to be URL encoded.

[franco]

We don't have an error message. It's very hard to debug this way.

[fabian]

can you remove the -q which is quet so you get some output?

[guest15389]

The scripts seem to need to be updated with the new csrf stuff:

Code: [Select]

felix@plex: backups$ grep magic diag_backup.php
felix@plex: backups$ grep csrf *
diag_backup.php:            <form class="clearfix" id="iform" name="iform" method="post" autocomplete="off" action="/diag_backup.php"><input type="hidden" id="__opnsense_csrf" name="UVZLYVFKSUlPbEdKb3RRL3ZkRjhOQT09" value="VlR2SUppNzFBYUJyR1hGUVVSQXErZz09"\/>
felix@plex: backups$
I've played a bit, but haven't hacked together the right values. Will try a bit later.

[fabian]

you need to grep for this line using something like

Code: [Select]

grep "__opnsense_csrf"
and then use

Code: [Select]

cut -d'"' -fnumberto get the key and the value

[guest15389]

Hmm. A little closer, but I still get a 403 as I tried to modify some of the code:

Code: [Select]

wget -O- --keep-session-cookies --save-cookies cookies.txt --no-check-certificate http://192.168.86.1/diag_backup.php  | grep "__opnsense_csrf" | sed 's/.*value="\(.*\)".*/\1/' > csrf.txt

wget -O- --keep-session-cookies --load-cookies cookies.txt --save-cookies cookies.txt --no-check-certificate --post-data "login=login&usernamefld=root&passwordfld=MYPASSWORD&__opnsense_csrf=$(cat csrf.txt)" http://192.168.86.1/diag_backup.php  | grep "__opnsense_csrf" | sed 's/.*value="\(.*\)".*/\1/' > csrf2.txt

Error:

Code: [Select]

--2017-03-03 19:39:50--  http://192.168.86.1/diag_backup.php
Connecting to 192.168.86.1:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2017-03-03 19:39:50 ERROR 403: Forbidden.

I'm getting a token from the first wget:

Code: [Select]

cat csrf.txt
TWIxOFpIdFdUZ1RGZjBON0NXSERoUT09\


[fabian]

I made my own script to help you out. You can download it here:
https://github.com/fabianfrz/scripts/blob/master/OPNsense/backup_over_http.rb

It is a quick and dirty solution but it seems to work.

[orsomannaro]

Thank you all for your help!


> can you remove the -q

The error is: 403 Forbidden


> I made my own script to help you out

Thank you very much Fabian!

I installed ruby. Ubuntu server 16.04 repository version is: ruby 2.3.1p112 (2016-04-26).

Runnin your script I have this error:

/usr/local/bin/Backuppc_OPNsense.rb:42:in `<main>': undefined method `scan' for nil:NilClass (NoMethodError)

In OPNsense I see the connection logs with pass status.

I'm searching this error on internet ...

[fabian]

this means you do not have the string "__opnsense_csrf" in the body. Do you use 17.1.2?
For debugging, can you add those three lines:

Code: [Select]

puts d.code
puts d.body
exit 0

after d is assigned (line 40)?

[guest15389]

I changed the URL to just http for me and that worked fine for me.

I get the backup file.

I'm running 17.1.2.

[orsomannaro]

this means you do not have the string "__opnsense_csrf" in the body. Do you use 17.1.2?

I'm running OPNsense 16.7

I've updated your script to use 4443 port:

Code: [Select]

indexpage = URI("https://#{SERVER_IP}:4443/index.php")
backuppage = URI("https://#{SERVER_IP}:4443/diag_backup.php")


For debugging, can you add those three lines:

Code: [Select]

puts d.code
puts d.body
exit 0
after d is assigned (line 40)?

This is th output:

Code: [Select]

200
<!doctype html>
<!--[if IE 8 ]><html lang="en" class="ie ie8 lte9 lte8 no-js"><![endif]-->
<!--[if IE 9 ]><html lang="en" class="ie ie9 lte9 no-js"><![endif]-->
<!--[if (gt IE 9)|!(IE)]><!--><html lang="en" class="no-js"><!--<![endif]-->
  <head>

    <meta charset="UTF-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">

    <meta name="robots" content="index, follow, noodp, noydir" />
    <meta name="keywords" content="" />
    <meta name="description" content="" />
    <meta name="copyright" content="" />
    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no" />

    <title>Login</title>

    <link href="/ui/themes/opnsense/build/css/main.css" rel="stylesheet">
    <link href="/ui/themes/opnsense/build/images/favicon.png" rel="shortcut icon">

    <!--[if lt IE 9]><script src="//cdnjs.cloudflare.com/ajax/libs/html5shiv/3.7.2/html5shiv.min.js"></script><![endif]-->

  <script type="text/javascript">if (top != self) {top.location.href = self.location.href;}</script><script type="text/javascript">var csrfMagicToken = "sid:7a7f16c6317e0e693af8c8d09a4244ea2f82319e,1488785494;ip:a066ee2908007256ef908b4091d91f35f963ab4c,1488785494";var csrfMagicName = "__csrf_magic";</script><script src="/csrf/csrf-magic.js" type="text/javascript"></script></head>
  <body class="page-login">

  <div class="container">
   

    <main class="login-modal-container">
      <header class="login-modal-head" style="height:55px;">
        <div class="navbar-brand">
          <img src="/ui/themes/opnsense/build/images/default-logo.png" height="30" alt="logo"/>
        </div>
      </header>

      <div class="login-modal-content">
        <div id="inputerrors" class="text-danger">&nbsp;</div><br />

            <form class="clearfix" id="iform" name="iform" method="post" autocomplete="off" action="/index.php"><input type='hidden' name='__csrf_magic' value="sid:7a7f16c6317e0e693af8c8d09a4244ea2f82319e,1488785494;ip:a066ee2908007256ef908b4091d91f35f963ab4c,1488785494" />

        <div class="form-group">
          <label for="usernamefld">Username:</label>
          <input id="usernamefld" type="text" name="usernamefld" class="form-control user" tabindex="1" autofocus="autofocus" autocapitalize="off" autocorrect="off" />
        </div>

        <div class="form-group">
          <label for="passwordfld">Password:</label>
          <input id="passwordfld" type="password" name="passwordfld" class="form-control pwd" tabindex="2" />
        </div>

        <button type="submit" name="login" value="1" class="btn btn-primary pull-right">Login</button>

      </form>

     
          </div>

      </main>
      <div class="login-foot text-center">
        <a target="_blank" href="https://opnsense.org" class="redlnk">OPNsense</a> (c) 2014-2016        <a href="https://www.deciso.com/" class="tblnk">Deciso B.V.</a>
      </div>

    </div>

    <script type="text/javascript">CsrfMagic.end();</script></body>
  </html>


[fabian]

Thanks for your response, it was not required anymore to add this code to debug. You should always mention any changes you did which may break some scripts like a changed port.