Execute lua from var

I have a problem: I develop a friend’s game and I need to have permission to the console, but only the owner has the developer console in game, so I made a custom console (text box). How do I execute the Lua line from the remote event from the console?

If you have access to edit the place via group permissions, you should be able to access the server developer console. The solution you’re thinking of requires sending a string to the server and then the server calling loadstring() on that to run the script.

Yes, group permission is an option, but right now my friend is the owner, not his group.

Please do not do this. Firing an event with code you want to run is a surefire way for exploiters to do as they please.

1 Like

Why? I have a multi-rank admin ID table and I will check whether the player ID is in the correct rank.

I’ve seen several exploits that can spoof the event easily. Not sure if it was patched, but you should never be firing an event with code to trigger a loadstring.

1 Like

OK, but how to solve the problem without bc (without group)?

It’s impossible to change the player argument of a fired event…? I’ve never seen any exploit that could change the player argument of a fired event, because that would void basically any sanity checks.

4 Likes

In the past, I’ve seen exploits spoof the player instance, but I’m pretty sure it was patched. Still, it’s just common sense to not let the server trigger any code that the client sends to it.

I’ve never seen anything like this, and if there was, I’m sure it would be marked ROBLOXCRITICAL. This would allow every popular admin to be exploited (adonis, kohls, etc)

3 Likes

If this is true, it’s also impossible to make a ban service, kick service and all other moderation tools.

But now, please, can we move on to whether there is a way to execute Lua inside a string? Because if any exploit that @Xiousa is describing exists, it will be destroyed in 2 hours, because it can move Roblox earnings to 0.

The point of Remotes and the concept of FilteringEnabled in the first place was to prevent arbitrary access to the server’s DataModel. You should be creating remoteEvents for admins to perform limited operations serverside even if you’re confident in your player validation. If they get in they can cause serious damage to things like DataStores. I’m fairly certain IP spoofing is a thing.

1 Like

Yes, it’s possible. Use loadstring() and RemoteEvents. The problem is, you absolutely should not use it in this scenario.
As @Xiousa said, player objects can and will be spoofed. Players could gain access to an admin’s account, for example, and run code. If there is something that an admin needs to do, hardcode it instead of letting any admin run code server side.

TL;DR: Don’t.

2 Likes
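The hardcoded-command approach recommended in the replies above, as an added example that is not part of any post in this thread: the client sends only a command name and arguments, and the server looks the name up in a fixed table instead of passing text to loadstring(). The RemoteEvent name `AdminCommand`, the rank table, the UserIds and the two commands are assumptions made for illustration.

```lua
-- Server Script (e.g. in ServerScriptService). Added example, not code from the thread.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

-- Assumption: a RemoteEvent named "AdminCommand" exists in ReplicatedStorage.
local adminEvent = ReplicatedStorage:WaitForChild("AdminCommand")

-- Constructed placeholder UserIds mapped to ranks (higher = more privilege).
local RANKS = {
	[1001] = 3, -- owner
	[1002] = 2, -- co-owner
}

-- Every command is fixed server code with a minimum rank; nothing sent by the client is executed.
local COMMANDS = {
	kick = {
		minRank = 2,
		run = function(caller, args)
			local targetId, reason = args[1], args[2]
			-- Reject non-numbers, NaN, infinity and fractions before using the value.
			if type(targetId) ~= "number" or targetId % 1 ~= 0 then return end
			if type(reason) ~= "string" or #reason > 100 then reason = "Kicked by an admin" end
			local target = Players:GetPlayerByUserId(targetId)
			-- Refuse to act on someone of equal or higher rank than the caller.
			if target and (RANKS[targetId] or 0) < RANKS[caller.UserId] then
				target:Kick(reason)
			end
		end,
	},
	announce = {
		minRank = 3,
		run = function(caller, args)
			local text = args[1]
			if type(text) ~= "string" or #text > 200 then return end
			print(("[ANNOUNCE] %s: %s"):format(caller.Name, text))
		end,
	},
}

-- The player argument is supplied by the engine; everything after it is client-controlled.
adminEvent.OnServerEvent:Connect(function(player, commandName, ...)
	local rank = RANKS[player.UserId] or 0
	local command = type(commandName) == "string" and COMMANDS[commandName]
	if not command or rank < command.minRank then
		warn(("Rejected admin command %s from %d"):format(tostring(commandName), player.UserId))
		return
	end
	command.run(player, { ... })
end)
```

With this shape, a compromised or disgruntled admin account is limited to the listed commands rather than arbitrary server-side code.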

I completely agree with Xiousa and AxoLib, you can execute code with loadstrings but you would have to enable loadstrings for it to even work. I am highly against this, as nowadays enabling loadstrings can simply give an exploiter… an advantage.

loadstring("print(1)")()

And that’ll execute for an exploiter. Imagine the exploiter replaces that with some exploit code, and absolutely demolishes the player experience for others. The reason why loadstrings have to be enabled now is that Roblox is doing you a favor, and if you enable it you are taking way more risks than you should. Trust me, it’s not worth it.

3 Likes

micro note: loadstring() doesn't work clientside. You need a Lua VM for that.

3 Likes

Do you have any examples of player objects being spoofed? I’ve never seen such a thing.

Sorry, turns out Roblox gets the player from the connection itself. But, as I said in my edited post, people could gain access to an admin’s account and run any code they want!
Trolls could be promoted and then run code, and admins could simply go rogue.

There are just too many situations and risks that could happen.

2 Likes

I use a highly ranked table, and if only the owner and co-owners can execute it and I can promote at most 1 rank under my rank, the risk is higher with a ban command.

That still doesn’t get rid of any of the risks I mentioned at all. Accounts can be hacked, people can get disgruntled.

This is getting off topic, what you need to use has been said many times (loadstring and RemoteEvents).