Admin Function Mode
To start the admin console and enable script upload capabilities:
java -DaccessFlag=false -jar slp-0.0.1-SNAPSHOT.jarThis URL allows the user to upload scripts for scheduled task on Linux and Windows
http://localhost/loggedIn/ostask.ftl
This URL allows the user to upload,activate/deactivate and run admin functions
http://localhost/loggedIn/adminFunctions.ftl
The console allows authorized users to upload the following:
-
.sh — Shell scripts (Linux/macOS)
-
.ps1 — PowerShell scripts (Windows)
-
.exe — Executable scripts (Windows)
-
.bat — Batch scripts (Windows)
| Risk Type | Description |
|---|---|
| 🕳 Vulnerability | Malicious scripts can escalate privilege or exploit open ports |
| 🔄 Unintended Behavior | Poorly-written scripts may conflict with system services or exhaust resources |
| 👀 Data Leakage | Scripts might expose logs, credentials, or sensitive config files |
| 🔥 Persistent Backdoors | Scheduled tasks can be abused to create long-lived access for attackers |
| 🔓 No Sandboxing | Uploaded scripts are not isolated and run with the same permissions as the server itself |
#🛡️ Recommended Practices
- Validate all scripts before upload
- Run scripts under a restricted service account
- Use logging and change tracking for all script executions
- Monitor server activity after script runs
To disable script upload functionality, restart the JAR with either of the following:
java -DaccessFlag=false -jar slp-0.0.1-SNAPSHOT.jar
In this case the flag is set to false by default
java -jar slp-0.0.1-SNAPSHOT.jar
