But now please, can we move on to whether there is a way to execute Lua inside a string? Because if any exploit that @Xiousa is describing existed, it would be destroyed in 2 hours, because it could move Roblox earnings to 0.
The point of Remotes and the concept of FilteringEnabled in the first place was to prevent arbitrary access to the server’s DataModel. You should be creating RemoteEvents for admins to perform limited operations serverside even if you’re confident in your player validation. If they get in they can cause serious damage to things like DataStores. I’m fairly certain IP spoofing is a thing.
Yes, it’s possible. Use loadstring() and RemoteEvents. The problem is, you absolutely should not use it in this scenario.
As @Xiousa said, player objects can and will be spoofed. Players could gain access to an admins account, for example, and run code. If there is something that an admin needs to do, hardcode it instead of letting any admin run code server side.
TL;DR: Don’t.
I completely agree with Xiousa and AxoLib. You can execute code with loadstring, but you would have to enable loadstring for it to even work. I am highly against this, as nowadays enabling loadstring can simply give an exploiter… an advantage.
loadstring("print(1)")()
And that’ll execute for an exploiter. Imagine the exploiter replaces that with some exploit code and absolutely demolishes the player experience for others. The reason loadstring has to be enabled now is that Roblox is doing you a favor, and if you enable it you are taking way more risks than you should. Trust me, it’s not worth it.
micro note: loadstring() doesn't work clientside. You need a Lua VM for that.
Do you have any examples of player objects being spoofed? I’ve never seen such a thing.
Sorry, turns out Roblox gets the player from the connection itself. But, as I said in my edited post, people could gain access to an admin’s account and run any code they want!
Trolls could be promoted and then run code, and admins could simply go rogue.
There are just too many situations and risks that could happen.
I use a highly ranked table, and if only the owner and co-owners can execute it and I can promote at most 1 rank under my rank, the risk is higher with the ban command.
That still doesn’t get rid of any of the risks I mentioned at all. Accounts can be hacked, people can get disgruntled.
This is getting off topic; what you need to use has been said many times (loadstring and RemoteEvents).
Yes, I agree it’s going off topic.
But what you probably don’t understand is that the command line is for developing and practically Team Create only, so when we talk about hacking accounts, the hacker can just edit it in Team Create. Also, we all have external contact and secondary profiles (also in friends, so messageable), so I can just demote the hacked player from the rank he has to a new one. And when we talk about hacking accounts, a game without updates will die, with console or without console.
If you’re looking for advice, it’s objectively a bad idea to allow arbitrary serverside code execution over the perfectly possible alternative of making predetermined commands and using those like any other admin suite. If you’re hell bent on using loadstring(), use loadstring.
Ok, I think now is the best time to just close the topic and not answer it, because 1) it’s going off topic
2) we all got lost in it
So I am using predefined commands for lower ranks, but for developers I need to create a free command for debugging, because we create it as a team, and if it is not a group, the standard server console has only the owner.
Respectfully:
- We’ve answered your question multiple times. loadstring().
- Please clarify
I just think you should answer it when a completely new way is here.
And people gaining access to an admin’s account is an edge case that doesn’t really matter, because if they have access to the admin’s account they can most likely run code in the console regardless.
Only the owner of the game (or the group the game is under) can run code in the console. Anyone else, including admins, cannot.
- Who is an admin?
Admins are a custom-made rank; by Roblox, you have player and owner only.
2.here:
I say that the Team Create members and the players able to use Lua commands are one and the same group of people.
- It’s going off topic, so answer only if you have a new idea
To summarize everything people have said here so far in regards to the actual question:
You can use loadstring to run arbitrary code server-side. You can also use a Lua bytecode interpreter that is written in Lua, such as GitHub - Rerumu/FiOne: Lua 5.1 bytecode interpreter, in Lua.
This guy understands the risk of having code-execution available through an event. He has already said he has taken the precautions to validate the event user. The point of this forum isn’t to berate someone with your own opinions, just answer the question and move on. (And you really shouldn’t be giving security advice if your advice is based on misconceptions…)
It’s simple.
1. Create a RemoteFunction. In this case, I’ll make it game.ReplicatedStorage.DoArbitraryCode
2. Create a server script like this:

    -- Server Script: runs whatever string the client sends, but only for one hardcoded UserId.
    function game.ReplicatedStorage.DoArbitraryCode.OnServerInvoke(player, code)
        -- Error and stop the command if something's wrong.
        assert(player.UserId == 123456789, "You can't use this dummy!")
        assert(typeof(code) == "string", "Code argument must be a string.")
        -- Do the thing. loadstring returns nil plus a message on a syntax error.
        local f, msg = loadstring(code)
        if f then
            f()
        else
            warn(msg)
        end
    end

3. Create a text box in a ScreenGui and name it ScriptBox.
4. Create a LocalScript inside of your ScreenGui:

    -- LocalScript: sends the text box contents to the server when Enter is pressed.
    local DoArbitraryCode = game.ReplicatedStorage.DoArbitraryCode
    local ScriptBox = script.Parent.ScriptBox
    ScriptBox.FocusLost:Connect(function(enterPressed)
        if enterPressed then
            local text = ScriptBox.Text
            ScriptBox.Text = ""
            DoArbitraryCode:InvokeServer(text)
        end
    end)
There. You got a simple text box that does Lua. Feel free to do what you want with it.
In my project I have it at a slightly higher level (every command is stored in its own child of an object, and for the free command, a predefined command with code in the argument: everything outside “” is read as keywords and everything inside “” is a string that is not split by spaces), but really, thanks for writing the result of this long and confusing topic in one post.
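For contrast with the loadstring-based RemoteFunction above, here is the predetermined-command alternative several replies recommend, using the quote-aware argument rule from the last post. This is an added example, not code from the thread; the rank table, the command set and the remote name "RunCommand" are assumptions.

```lua
-- Server Script (added example). RANKS, COMMANDS and "RunCommand" are assumptions.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
-- Constructed rank table keyed by UserId; 5 stands for the owner here.
local RANKS = { [123456789] = 5 }
-- Split a line: bare words become keywords, "quoted text" stays one argument with its spaces.
local function tokenize(line)
    local tokens, i = {}, 1
    while i <= #line do
        local c = line:sub(i, i)
        if c == " " then
            i = i + 1
        elseif c == '"' then
            local close = line:find('"', i + 1, true)
            if not close then return nil, "unterminated string" end
            table.insert(tokens, line:sub(i + 1, close - 1))
            i = close + 1
        else
            local s, e = line:find('[^ "]+', i)
            table.insert(tokens, line:sub(s, e))
            i = e + 1
        end
    end
    return tokens
end
-- Every command is predefined and declares its minimum rank; no user string reaches loadstring.
local COMMANDS = {
    kick = { rank = 3, run = function(args)
        local target = Players:FindFirstChild(args[1] or "")
        assert(target, "no such player")
        target:Kick(args[2] or "Kicked by an admin")
    end },
}
local remote = Instance.new("RemoteFunction")
remote.Name = "RunCommand"
remote.Parent = ReplicatedStorage
remote.OnServerInvoke = function(player, line)
    if typeof(line) ~= "string" or #line > 200 then return "bad input" end
    local tokens, err = tokenize(line)
    if not tokens then return err end
    local cmd = COMMANDS[tokens[1]]
    if not cmd then return "unknown command" end
    if (RANKS[player.UserId] or 0) < cmd.rank then return "insufficient rank" end
    -- pcall keeps a failing command from erroring the whole RemoteFunction.
    local ok, msg = pcall(cmd.run, { table.unpack(tokens, 2) })
    return ok and "ok" or ("error: " .. tostring(msg))
end
```

A client would invoke it with a line such as `kick SomePlayer "being rude"`, and the server decides from its own rank table, not from anything the client claims, whether the command runs.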