A modified version of the well-known webshell - P.A.S. by Profexer (0, 1, 2). Tries to solve the problem of detecting some requests and responses by various Web Application Firewalls and Intrusion Detection Systems. In most cases, such detections entail retaliatory measures from the attacked side, which is not always permissible during penetration tests and in red teaming.

- This tool is for educational and testing purposes only and is not
- intended to be put into practise unless you have authorized access to the system
+ Before using, it's better to remove all HttpOnly cookies for the domain

Features of the original P.A.S.:

P.A.S. Fork changes:

• Work via GET requests (parameters in cookies)
• Automatic switching to POST (with cancellation)
• Obfuscation of query keys and values
• Obfuscation of uploaded files
• Obfuscation of response
• Authorization by password
• Authorization by HTTP header (user-agent by default)
• MySQL dump fix in PDO mode
• Renamed "PHP 4-style constructors"
• Removed pcntl_exec
• New initialization logic (ini_*)
• opcache_invalidate after saving the file
• Dark color mode
• Built-in Ace code editor (loaded on demand)
• Added file extensions in filenames
• Option to display ctime (to find malicious files)
• Option to invert terminal output
• Removed startup "execs"
• FileManager JS crash fix (on rare envs)
• Reload file bug fix
• XHR instead IFRAME communication by default
• The client referrer is not sent
• Removed X-Content-Type-Options header in responses
• Clear output in PHP Console checked by default
• Option to set default tab on startup
• Built-in safemode script
• File sorting (Name, Ext, Size, etc)
• Sort by filename by default
• Reading .gz files (not saving)
• Show as HTML fix in PHP Console
• Maximize file editor window on double click
• Restoring minimized window position
• File reload interval (right click)
• Load default favicon.ico if exists
• Removed expect from exec's
• Syntax highlighting in PHP Console
• Reduce terminal prompt if it's too long
• Go! button moved to the left
• PDO_PGSQL DSN Fix
• Supported PHP versions: 5 >= 5.1.2, 7, 8

"ls -la;cat /etc/passwd":

• Request:

• Response:

Dark mode:

Code Editor:

The script doesn't work and keeps returning the same response.

• Perhaps caching of GET requests is enabled on the server. The solution is to turn off params passing via cookies and use POST requests ($GLOBALS['COOKIE'] = false;).

The randomly repeated password prompts.

• Most likely, your IP address changes with the same frequency. If so, then you need to change $GLOBALS['REMOTE_ADDR'] to false.

Large files not downloading.

• The file wrapping operation happens on the fly, so a lot of RAM is required. The solution is to disable obfuscation by checking the Skip response encoding option in script GUI settings.

How to remove the warning about the limit of request?

• You should disable data transmission via cookies in the GUI (Use cookie to request). Or thus: $GLOBALS['COOKIE'] = false;.

How set an authorization by the header?

• $GLOBALS['SECHEAD'] = 'SECRET_9CA2100C44E50D81BB7E3EED84AF43F4'; and append it for each request in your browser (Secret-9ca2100c44e50d81bb7e3eed84af43f4: foobar). Without password asking - $GLOBALS['PASSHASH'] = '';

Switching the color theme is annoying.

• $GLOBALS['DARK'] = true;

How to configure the code editor?

• You can place the editor source code on your host and specify URL. MODE and THEME is used to set default values during editor initialization. To exclude the editor completely, set the $GLOBALS['ACECONF'] variable to array(). Set DEFAULT to true if you want to load the editor automatically.

UI elements are too small.

• Ctrl and + for zoom / Ctrl and - for zoom out / Ctrl + 0 for reset

How to remove the password prompt?

• $GLOBALS['PASSHASH'] = '';

How to change the default tab?

• You have 5 options: tabFM, tabSQL, tabPHP, tabTrm, tabInf. For example: $GLOBALS['DEFAULT_TAB'] = 'tabFM';, to start script from the File Manager tab.

Send as and Load as encodings don't work.

• Currently, for functionality, you should disable request and response obfuscation in the GUI.

Usage:

• php packer.php pas_fork.php PHAR CM

Modes:

• ASCII // eval
• ASCII CF // create_function, PHP5/7 only
• PHAR // include + phar:// + PHAR container
• PHAR CM // the same compressed
• ZIP // include + phar:// + ZIP container
• ZIP CM // the same compressed ( the output isn't always valid for PHP5/7, try to pack several times )

The php-zip extension is not required for the packaged script to work on target host.

• Official thread on the forum: https://antichat.club/threads/474941/
• Review from Sucuri: https://blog.sucuri.net/2020/10/p-a-s-fork-v-1-0-a-web-shell-revival.html