Hi all,
I just found a great way to automate your cpanel to do virtually anything.
The idea behind it is if you send a packet to the site with login information and a GET message to send to the handler, you can hack pretty much any cPanel operation on your own site.
This is very useful if you want to make an administration that had the power to edit MySQL databases, subdomains, email addresses and such, but did not want to give away cPanel access.
Note: I did take some of this from a guide on how to add email addresses without cPanel access but I modified it for all the other operations.
** NOTE: VBulletin is putting in some extra words in the PHP for some reason, please delete it **
Here's the model:
PHP Code:
$sAuth = base64_encode("{cpanelusername}:{cpanelpassword}");
$sHTTP = "GET /frontend/{cpaneltheme}/{handlerfolder}/{handlerfilename}?{GETvariables}\r\n HTTP/1.0\r\nAuthorization: Basic $sAuth\r\n";
$hSocket = fsockopen("{domainname}", 2082);
$put = fputs($hSocket, $sHTTP);
fclose($hSocket);
Ok, so replace the {} text with the proper text:
{cpanelusername} = Username you use to access cPanel
{cpanelpassword} = Password to get into cPanel
{cpaneltheme} = The name of the theme you use (ie. bluelagoon, x, x2...)
{handlerfolder} = The folder the handler of the form is in (ie. mail, sql...). Find this by analyzing the form you want to "hack" and see where it points to.
{handlerfilename} = Name of the file that handles the form (ie. doaddpop.html...).
{GETvariables} = All the GET variables that you need, this is form-specific so you have to look at the form and see what variables you need to fill in.
{domainname} = Your domain name (what more is there to say?)... (ie. webmaster-talk.com).
Voila. Now you can send a packet with login information and GET info to do your evil bidding in your own cPanel. I decided to give you the models of this procedure for several different operations:
Add MySQL user:
PHP Code:
$sAuth = base64_encode("{cpanelusername}:{cpanelpassword}");
$sHTTP = "GET /frontend/{cpaneltheme}/sql/adduser.html?user={username}&pass={password}\r\n HTTP/1.0\r\nAuthorization: Basic $sAuth\r\n";
$hSocket = fsockopen("{domainname}", 2082);
$put = fputs($hSocket, $sHTTP);
fclose($hSocket);
{username} = MySQL username that you want to create
{password} = Password you want for this user
Add MySQL DB:
PHP Code:
$sAuth = base64_encode("{cpanelusername}:{cpanelpassword}");
$sHTTP = "GET /frontend/{cpaneltheme}/sql/adddb.html?db={dbname}\r\n HTTP/1.0\r\nAuthorization: Basic $sAuth\r\n";
$hSocket = fsockopen("{domainname}", 2082);
$put = fputs($hSocket, $sHTTP);
fclose($hSocket);
{dbname} = Database name
Add POP Email:
PHP Code:
$sAuth = base64_encode("{cpanelusername}:{cpanelpassword}");
$sHTTP = "GET /frontend/{cpaneltheme}/mail/doaddpo.html?email={emailaddress}&domain={domain}&password={password}"a={quota}\r\n HTTP/1.0\r\nAuthorization: Basic $sAuth\r\n";
$hSocket = fsockopen("{domainname}", 2082);
$put = fputs($hSocket, $sHTTP);
fclose($hSocket);
{emailaddress} = Address you want to create (without @xxx.xxx)
{domain} = Your domain name (only xxx.xxx)
{password} = Password you want for the address
{quote} = (Optional) Leave blank for unlimited or else put number (in MB's)
There you go. Just paste this into your page and it should execute properly on the server. Just remeber to copy and paste EXACTLY what you see, because any change in spacing or syntax or any of that will break it. Regarding security... this is somewhat unsafe because it holds your cpanel user and pass, but at the same time it is inside a PHP file which makes it difficult for average folks to see inside. You should probobly put it below the viewable site and make it only accessible to logged in users.
A huge thanks to the genius man who devised this trick, I'm only popularizing it and showing several examples of it.
Hope you like it,
KMKZ
