Admin Function Mode
To start the admin console and enable script upload capabilities:
java -DaccessFlag=true-jar slp-0.0.1-SNAPSHOT.jarThis URL allows the user to upload scripts for scheduled task on Linux and Windows
http://localhost/loggedIn/ostask.ftl
This URL allows the user to upload,activate/deactivate and run admin functions
http://localhost/loggedIn/adminFunctions.ftl
The console allows authorized users to upload the following:
-
.sh β Shell scripts (Linux/macOS)
-
.ps1 β PowerShell scripts (Windows)
-
.exe β Executable scripts (Windows)
-
.bat β Batch scripts (Windows)
| Risk Type | Description |
|---|---|
| π³ Vulnerability | Malicious scripts can escalate privilege or exploit open ports |
| π Unintended Behavior | Poorly-written scripts may conflict with system services or exhaust resources |
| π Data Leakage | Scripts might expose logs, credentials, or sensitive config files |
| π₯ Persistent Backdoors | Scheduled tasks can be abused to create long-lived access for attackers |
| π No Sandboxing | Uploaded scripts are not isolated and run with the same permissions as the server itself |
- Validate all scripts before upload
- Run scripts under a restricted service account
- Use logging and change tracking for all script executions
- Monitor server activity after script runs
To disable script upload functionality, restart the JAR with either of the following:
java -DaccessFlag=false -jar slp-0.0.1-SNAPSHOT.jar
In this case the flag is set to false by default
java -jar slp-0.0.1-SNAPSHOT.jar
