File Station - API (PHP)

Post your questions about BT download, FTP download, HTTP download, or QGet download software here.
Post Reply
dewie125@gmail.com
New here
Posts: 3
Joined: Tue Jan 09, 2024 10:16 pm

File Station - API (PHP)

Post by dewie125@gmail.com »

Hi Guys

I hope you can put me in the right direction here.
I am busy pulling some images from my website to create an 3D image without downloading the images using a script.

The problem is the "sid" It doesn't seem to retrieve it through my php. The weird thing is if I paste the link into my browser I can see the json information and copy the "sid" into my php and it works. Problem is the session expires.
Currently I need it to retrieve the "sid" when I load my website page.

If you have any information regards to how I can do this, it would really be helpful.

Here is a snippet of what I am talking about:

Code: Select all

<?php
$sid = "I NEED TO GET THE SID";
$url ="https://hostname:port/cgi-bin/filemanager/utilRequest.cgi?func=download&sid=" . $sid . "&isfolder=0&compress=0&source_path=/folder1/images/360/&source_file=1_";
?>

<script>
//...... more code

    for (var i = 1; i <= totalImages; i++) {
        
        var imageUrl = '<?php echo $url; ?>' + i + '.png&source_total=1';
        loadImage(imageUrl);
    }

//....more code
</script>


I have tried this code to retrieve the SID:

Code: Select all

<?php
class Qnap {
    public $sid;
    private $loggedIn;

    public function __construct($host, $user, $passwd, $port) { // Set default port to 8082
        $this->sid = null;
        $this->loggedIn = $this->login($host, $port, $user, $passwd);
    }

    // Add a public method to access $loggedIn
    public function isLoggedIn() {
        return $this->loggedIn;
    }

    private function login($host, $port, $user, $passwd) {
        $loginEndpoint = "https://{$host}:{$port}/cgi-bin/authLogin.cgi?" . http_build_query([
            'user' => str_replace('\\', '+', $user),
            'pwd' => $passwd
        ]);

        $xmlResponse = $this->req($loginEndpoint, true);
        if ($xmlResponse !== null) {
            $xml = simplexml_load_string($xmlResponse);
            if ($xml === false) {
                echo 'Failed loading XML';
                foreach(libxml_get_errors() as $error) {
                    echo "\n", $error->message;
                }
                return false;
            }

            if (isset($xml->authPassed) && $xml->authPassed->__toString() === '1') {
                $this->sid = $xml->authSid->__toString();
                return true;
            }
        }
        return false;
    }

    private function req($endpoint, $isXml = false) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $endpoint);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

        $response = curl_exec($ch);
        if ($response === false) {
            echo 'cURL Error: ' . curl_error($ch);
        }
        curl_close($ch);

        return $isXml ? $response : json_decode($response, true);
    }
}

// Example usage
$qnap = new Qnap('hostaddress', 'username', 'Password already encoded', 'port');
if ($qnap->loggedIn) {
    echo 'SID: ' . $qnap->sid;
} else {
    echo 'Login failed.';
}

?>

Many thanks all.

Regards,
Dewald Potgieter
eTiMaGo
New here
Posts: 2
Joined: Thu Jun 21, 2018 1:37 am

Re: File Station - API (PHP)

Post by eTiMaGo »

Facing the same kind of problem, the problem is the password needs to be encrypted, but the only way to do this is using a javascript snippet they provide:

http://eu1.qnap.com/Storage/SDK/get_sid.js

I'm trying to convert this to PHP, will update here if successful...
eTiMaGo
New here
Posts: 2
Joined: Thu Jun 21, 2018 1:37 am

Re: File Station - API (PHP)

Post by eTiMaGo »

Actually far simpler than I feared!

Code: Select all

	function encode($password){

		$password8 = utf8_encode($password);
		$passwordfinal = base64_encode($password8);

		return $passwordfinal;

	}
User avatar
dolbyman
Guru
Posts: 36122
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: File Station - API (PHP)

Post by dolbyman »

Unclear why file station is used here..just retrieve pictures/files via SMB,NFS,etc

The NAS itself is obviously never ever ever exposed to WAN, so that wouldn't be the case..right?
dewie125@gmail.com
New here
Posts: 3
Joined: Tue Jan 09, 2024 10:16 pm

Re: File Station - API (PHP)

Post by dewie125@gmail.com »

Hi eTiMaGo
Thanks for the reply.
I actually have pre-encoded my password, thus I didn't need to that encode function.
Just an debug I trie to echo the sid but I don't seem to see it, telling me it didn't retrieve the sid at all.
Have you managed to get this right? If so, can you please share your code?
I would really appreciate it. 🙏🙏

@dolbyman
I actually have an online domain / website which needs to pull images from my Qnap.
I don't want to load these images onto my domain. Using this method you are able to retrieve files from your nas through WAN, but obviously with the correct credentials. I hope that makes sense
User avatar
dolbyman
Guru
Posts: 36122
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: File Station - API (PHP)

Post by dolbyman »

Your NAS is exposed to WAN, NEVER do that ... extreme malware risk (see deadbolt,qlocker,etc)
dewie125@gmail.com
New here
Posts: 3
Joined: Tue Jan 09, 2024 10:16 pm

Re: File Station - API (PHP)

Post by dewie125@gmail.com »

Hi Dolly,
Thanks for the reply.
I'm not sure what the risk is. This is an API method through QNAP, and the password will never be exposed since hackers don't have access to my PHP on my domain. Additionally, this method only retrieves the file, meaning you need to know the image names before attempting to download them. Also, only specific folders have WAN access, and this particular user is limited to certain folders.
User avatar
dolbyman
Guru
Posts: 36122
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: File Station - API (PHP)

Post by dolbyman »

Nope...it doesn't mater what your intented use or methods are, as soon as you NAS web interface is exposed, strong passswords, API, 2FA or certain limited shares have no influence on a hacked NAS...as said, see the mentioned malware topics in here and see what people thought they did and why they ended up paying millions to criminals

Check shodan to see what public scanners already know about your network
Post Reply

Return to “Download Station and QGet”