Data's Admin - Because Kohl's is too mainstream

Found here, is my new admins commands, which I originally planned on making for the Mobile Bloxxers, a war group that needed better admin commands, and it ended up turning into a much bigger project.

I’ve spent the last few weeks working on this, and now I have made the full release, with many more future updates to come. Anyways, try the testing area here. If you find any bugs to the admin, report it to me.

This admin was designed to work with FilteringEnabled, as well as be useful for war clans and such. Meaning none of those nooby commands.

Here’s an overview of the features:

• Multiple commands in one line

;respawn all!joe;give joe sword

This will respawn everyone but joe, and give joe a sword in 1 command.

• Keybinds, delayed commands, and aliases.

;bind e delay 1 help

When “E” is pressed, it will wait 1 second, then run the command “help” which is an alias of “commands”

• Awesome alias syntax

;setalias sword give <1> sword

Then when you run

;sword me

It will give “me”, the "<1>"st argument a sword.

• Epic gui design
  I would do screenshots, but just look at this place if you want to see what I mean.

• And it’s readable!
  That’s right, I think this is the first admin commands that have readable code with a usable API that allows you to make your own commands, while still keeping the commands in the ever auto-updating admin script.

Please tell me there isn’t a scripting command.

Edit: why is the raig table allowed? :uhhh:

I like your set of commands, but the UI design isn’t that epic to be honest…

Oh, looks like I have an competitor, I am going to release my work later

FINALLY :woohoo: :woohoo: :woohoo:

There is a scripting command, but it will not work if loadstring is disabled.

Edit: That doesn’t mean it breaks the script, it just will just put a message on your screen saying “Loadstring is disabled.”

It has a loadstring vulnerability. If you insert this model into your place where ServerScriptService.LoadStringEnabled = true, exploiters can run arbitrary code and steal points and wreak havok on your game.

jDA1pA9.png971×362 38.3 KB

[quote] It has a loadstring vulnerability. If you insert this model into your place where ServerScriptService.LoadStringEnabled = true, exploiters can run arbitrary code and steal points and wreak havok on your game.

jDA1pA9.png971×362 38.3 KB

[/quote]

Which is why you don’t have to use loadstringenabled.

The ONLY places I ever use loadstringenabled are my group-only training bases, because no exploiters will be going on there.

Remember, it’s not mandatory that you turn on loadstringenabled.

[quote] It has a loadstring vulnerability. If you insert this model into your place where ServerScriptService.LoadStringEnabled = true, exploiters can run arbitrary code and steal points and wreak havok on your game.

jDA1pA9.png971×362 38.3 KB

[/quote]

Which is why you don’t have to use loadstringenabled.

The ONLY places I ever use loadstringenabled are my group-only training bases, because no exploiters will be going on there.

Remember, it’s not mandatory that you turn on loadstringenabled.[/quote]
Just use a remote object to tell the script the code you want to execute. :\

The values are unsecured?

[quote] Which is why you don’t have to use loadstringenabled.

The ONLY places I ever use loadstringenabled are my group-only training bases, because no exploiters will be going on there.

Remember, it’s not mandatory that you turn on loadstringenabled. [/quote]
You should either be running pre-defined scripts, or you should be calling loadstring() on a player’s chat message. You should never loadstring from a StringValue when that StringValue can be manipulated by clients. Simply having LoadStringEnabled on is not a vulnerability unless there are scripts like this to exploit.

Since you only use the ScriptBase when the player tries to run a chat command, replace this code:

createCommand("s", 2, function(speaker, source) if not speaker then return end if not source then return end local enabled = pcall(function() loadstring("local x = 'Hi'") end) if enabled then local s = script.ScriptBases.DataScriptBase:clone() s.Parent = game.Workspace s.Code.Value = source s.SCConnect.Value = script.SCConnect s.Player.Value = speaker s.Disabled = false table.insert(Cleanup, s) else showError(speaker, "LoadString is not enabled on this place.") end end, "s <code>", true)

with something like this:

createCommand("s", 2, function(speaker, source) if not speaker then return end if not source then return end local enabled = pcall(function() loadstring("local x = 'Hi'") end) if enabled then local suc, err = pcall(function() loadstring(source)() end) else showError(speaker, "LoadString is not enabled on this place.") end end, "s <code>", true)

That would get rid of the vulnerability. You’ll have to do a tiny bit of work to fire your RemoteEvent that you use for error catching, but it will definitely be worth it.

Merely, but for LocalScript testing you would need a remote object to pass on the source securely.

Localscript loadstring is not a problem, clients can do whatever they want. It’s only server side loadstring that is a big deal.

Localscript loadstring is not a problem, clients can do whatever they want. It’s only server side loadstring that is a big deal.[/quote]
True, but I much rather not have players crashing other plays through a simple to fix vulnerability like that. :\

[quote] Which is why you don’t have to use loadstringenabled.

The ONLY places I ever use loadstringenabled are my group-only training bases, because no exploiters will be going on there.

Remember, it’s not mandatory that you turn on loadstringenabled. [/quote]
You should either be running pre-defined scripts, or you should be calling loadstring() on a player’s chat message. You should never loadstring from a StringValue when that StringValue can be manipulated by clients. Simply having LoadStringEnabled on is not a vulnerability unless there are scripts like this to exploit.

Since you only use the ScriptBase when the player tries to run a chat command, replace this code:
(Long bits of code)

That would get rid of the vulnerability. You’ll have to do a tiny bit of work to fire your RemoteEvent that you use for error catching, but it will definitely be worth it.[/quote]

Well, that’s good to know. I can’t believe I never thought of this.

And I think it would be useful to fire remote events on the local scripts, because, like Toshir0z said, players could send malicious code to other players.

[quote] Which is why you don’t have to use loadstringenabled.

The ONLY places I ever use loadstringenabled are my group-only training bases, because no exploiters will be going on there.

Remember, it’s not mandatory that you turn on loadstringenabled. [/quote]
You should either be running pre-defined scripts, or you should be calling loadstring() on a player’s chat message. You should never loadstring from a StringValue when that StringValue can be manipulated by clients. Simply having LoadStringEnabled on is not a vulnerability unless there are scripts like this to exploit.

Since you only use the ScriptBase when the player tries to run a chat command, replace this code:

createCommand("s", 2, function(speaker, source) if not speaker then return end if not source then return end local enabled = pcall(function() loadstring("local x = 'Hi'") end) if enabled then local s = script.ScriptBases.DataScriptBase:clone() s.Parent = game.Workspace s.Code.Value = source s.SCConnect.Value = script.SCConnect s.Player.Value = speaker s.Disabled = false table.insert(Cleanup, s) else showError(speaker, "LoadString is not enabled on this place.") end end, "s <code>", true)

with something like this:

createCommand("s", 2, function(speaker, source) if not speaker then return end if not source then return end local enabled = pcall(function() loadstring("local x = 'Hi'") end) if enabled then local suc, err = pcall(function() loadstring(source)() end) else showError(speaker, "LoadString is not enabled on this place.") end end, "s <code>", true)

That would get rid of the vulnerability. You’ll have to do a tiny bit of work to fire your RemoteEvent that you use for error catching, but it will definitely be worth it.[/quote]
The problem with that is that you are now running code in the main script’s environment. Wouldn’t it be better to use a BindableFunction (which, IIRC, doesn’t replicated its OnInvoke callback to the clients, preventing an exploiter from running server code from the client by invoking the function) to send the code from the main script to the loadstring script?

Okay, so I updated the admin, all the loadstring vulnerabilities should be patched.
It auto-updates, so you don’t have to move a muscle.

[quote] Okay, so I updated the admin, all the loadstring vulnerabilities should be patched.
It auto-updates, so you don’t have to move a muscle. [/quote]

So I get two “Command Not Found” UIs when running this command:

:s print(game:GetService('PointsService'):GetAwardablePoints())

[quote] Okay, so I updated the admin, all the loadstring vulnerabilities should be patched.
It auto-updates, so you don’t have to move a muscle. [/quote]

So I get two “Command Not Found” UIs when running this command:

:s print(game:GetService('PointsService'):GetAwardablePoints())

It’s because your command prefix is “:”
And with my admin, it allows multiple commands in 1 line.
So what it’s reading is separate commands:

:s print(game :GetService('PointsService') :GetAwardablePoints())

All as separate commands. Since there’s no commands called “GetService(‘PointsService’)” or “GetAwardablePoints())”, it says “Command not found.”

[quote] [quote=“databrain” post=58424]Okay, so I updated the admin, all the loadstring vulnerabilities should be patched.
It auto-updates, so you don’t have to move a muscle. [/quote]

So I get two “Command Not Found” UIs when running this command:

:s print(game:GetService('PointsService'):GetAwardablePoints())

It’s because your command prefix is “:”
And with my admin, it allows multiple commands in 1 line.
So what it’s reading is separate commands:

:s print(game :GetService('PointsService') :GetAwardablePoints())

All as separate commands. Since there’s no commands called “GetService(‘PointsService’)” or “GetAwardablePoints())”, it says “Command not found.”[/quote]

You should make the command separator something OTHER than the command prefix.