ESX Security Patches - billing, drugs, illegal_drugs, jail, qalle-jail, CommunityService

FiveM Resource Development & Modding Releases
, , ,
1

Hello! This is my first ESX related post on this forum. I’ve seen some highly vulnerable resources posted on the forums that have caught little to no attention to the issues in the resources. Some of these resources have been left, without updates for months, or even years. Many ESX server owners/“developers” don’t have the skills or knowledge to fix, or even identify these vulnerabilities. This is what brought me to fixing these issues and posting them publicly.

This thread is dedicated to exploitable resources of ESX. As time goes on, I will be adding more resources that I’ve fixed to the thread.

If you have any resources that you suspect to be vulnerable and would wish for me to provide a fix, please post it below, or privately message me.

Thank you for reading, here’s the updated resources.

ESX_CommunityService

Original

Creator: @Apostolos_Iatridis
Forum: [Release] [ESX] ESX_CommunityService
GitHub: https://github.com/apoiat/ESX_CommunityService

Vulnerabilities

The issue with this resource is the fact that it is highly vulnerable to client side executors. Players are able to execute server events and target any player (and the whole server) completely unchecked.

Specific Vulnerabilities 
TriggerServerEvent("esx_communityservice:endCommunityServiceCommand")

Can be used to force anyone out of community service, even if time is not near the end.

TriggerServerEvent("esx_communityservice:sendToCommunityService", targetId, numberActions)

Can be used to force anyone & everyone into community service for any amount of time/actions.

General Exploits
  • Force anyone into community service for any time
  • Force anyone out of community service

Updated

Creators: @Apostolos_Iatridis & @ATG
GitHub: https://github.com/ATG-Github/ESX_CommunityService
Download: GitHub Release

esx_jail

Original

Creator: @Hawaii_Beach
Forum: [Release] esx_jail
GitHub: https://github.com/ESX-PUBLIC/esx_jail

Vulnerabilities

The issue with this resource is the fact that it is highly vulnerable to client side executors. Players are able to execute server events and target any player (and the whole server) completely unchecked.

Specific Vulnerabilities 
TriggerServerEvent("esx_jail:sendToJail", targetId, time)

Can be used to force anyone & everyone into jail for any amount of time.

General Exploits
  • Force anyone into jail, for any time

Updated

Creators: @Hawaii_Beach & @ATG
GitHub: https://github.com/ATG-Github/esx_jail
Download: GitHub Release

esx-qalle-jail

Original

Creator: @qalle
Forum: [Release-ESX Jail] Prisonwork, Anti Combat Log, Mugshot Photo
GitHub: https://github.com/qalle-fivem/esx-qalle-jail

Vulnerabilities

The issue with this resource is the fact that it is highly vulnerable to client side executors. Players are able to execute server events and target any player (and the whole server) completely unchecked.

Specific Vulnerabilities 
TriggerServerEvent("esx-qalle-jail:jailPlayer", targetId, time, reason)

Can be used to force anyone & everyone into jail for any amount of time, and can specify a message to spam the chat with.

TriggerServerEvent("esx-qalle-jail:unJailPlayer", identifier)

Can be used to force anyone out of jail, even if time is not near the end.

TriggerServerEvent("esx-qalle-jail:prisonWorkReward")

Can be used to give player 13-21$. This could be put into a loop to get the player a lot of lunch money, even if they aren’t in jail.

General Exploits
  • Force anyone into jail, for any time, and any reason
  • Force anyone out of jail
  • Exploit money

Updated

Creators: @qalle & @ATG
GitHub: https://github.com/ATG-Github/esx-qalle-jail
Download: GitHub Release

esx_billing

Original

Creator: @GiZz
GitHub: https://github.com/ESX-Org/esx_billing

Vulnerabilities

The issue with this resource is the fact that it is highly vulnerable to client side executors. Players are able to execute server events and target any player (and the whole server) completely unchecked.

Specific Vulnerabilities 
TriggerServerEvent("esx_billing:sendBill", playerId, society, reason, fineAmount)

Can be used to send a bill to any and all players from any society, any reason, and any fine amount. This can be put in a loop to spam this, also clogging your database.

General Exploits
  • Send bills to any player, from any society, with any reason, and any fine amount

Updated

Creators: @GiZz & @ATG
GitHub: https://github.com/ATG-Github/esx_billing
Download: GitHub Release

esx_drugs

Original

Creator: @ig0ne
Forum Post: [Release] [ESX] [Drugs]
GitHub: https://github.com/ESX-Org/esx_drugs

Vulnerabilities

The issue with this resource is the fact that it is highly vulnerable to client side executors. Players are able to execute server events and target any player (and the whole server) completely unchecked.

Specific Vulnerabilities 
TriggerServerEvent("esx_drugs:pickedUpCannabis")
TriggerServerEvent("esx_drugs:processCannabis")
TriggerServerEvent("esx_drugs:sellDrug")

Can be used to emulate a player collecting, processing, and selling the drug. This is considered a money exploit.

Config.CircleZones = {
     ........
}

This one is less of an exploit but, more of a concern of server owners. The location of the drug can be dumped because it’s stored in the client lua config.

General Exploits
  • Fake collect/process/sell drugs
  • Steal drug location

Updated

Creators: @ig0ne & @ATG
GitHub: https://github.com/ATG-Github/esx_drugs
Download: GitHub Release

esx_drugs (refactored)

Original

Creator: @diorgera
Forum Post: Esx_drugs - Refactored from esx_illegal_drugs
GitHub: https://github.com/diorgesl/esx_drugs

Vulnerabilities

The issue with this resource is the fact that it is highly vulnerable to client side executors. Players are able to execute server events and target any player (and the whole server) completely unchecked.

Specific Vulnerabilities 
TriggerServerEvent("esx_drugs:startHarvest")
TriggerServerEvent("esx_drugs:startTransform")
TriggerServerEvent("esx_drugs:startSell")

Can be used to emulate a player collecting, processing, and selling the drug. This is considered a money exploit.

Config.Drugs= {
     ........
}

This one is less of an exploit but, more of a concern of server owners. The location of the drug can be dumped because it’s stored in the client lua config.

General Exploits
  • Fake collect/process/sell drugs
  • Steal drug location

Updated

Creators: @diorgera & @ATG
GitHub: https://github.com/ATG-Github/esx_drugs-1
Download: GitHub Release

esx_illegal_drugs

Original

Creator: @XxFri3ndlyxX
GitHub: https://github.com/XxFri3ndlyxX/esx_illegal_drugs

Vulnerabilities

The issue with this resource is the fact that it is highly vulnerable to client side executors. Players are able to execute server events and target any player (and the whole server) completely unchecked.

Specific Vulnerabilities 
TriggerServerEvent("esx_drugs:startHarvestCoke")
TriggerServerEvent("esx_drugs:startTransformCoke")
TriggerServerEvent("esx_drugs:startSellCoke")
TriggerServerEvent("esx_drugs:startHarvestMeth")
TriggerServerEvent("esx_drugs:startTransformMeth")
TriggerServerEvent("esx_drugs:startSellMeth")
TriggerServerEvent("esx_drugs:startHarvestWeed")
TriggerServerEvent("esx_drugs:startTransformWeed")
TriggerServerEvent("esx_drugs:startSellWeed")
TriggerServerEvent("esx_drugs:startHarvestartium")
TriggerServerEvent("esx_drugs:startTransformOpium")
TriggerServerEvent("esx_drugs:startSellOpium")
TriggerServerEvent("esx_drugs:stopHarvestCoke")
TriggerServerEvent("esx_drugs:stopTransformCoke")
TriggerServerEvent("esx_drugs:stopSellCoke")
TriggerServerEvent("esx_drugs:stopHarvestMeth")
TriggerServerEvent("esx_drugs:stopTransformMeth")
TriggerServerEvent("esx_drugs:stopSellMeth")
TriggerServerEvent("esx_drugs:stopHarvestWeed")
TriggerServerEvent("esx_drugs:stopTransformWeed")
TriggerServerEvent("esx_drugs:stopSellWeed")
TriggerServerEvent("esx_drugs:stopHarvestOpium")
TriggerServerEvent("esx_drugs:stopTransformOpium")
TriggerServerEvent("esx_drugs:stopSellOpium")

Can be used to emulate a player collecting, processing, and selling the drug. This is considered a money exploit.

Config.Zones = {
     ........
}

Config.Map= {
     ........
}

This one is less of an exploit but, more of a concern of server owners. The location of the drug can be dumped because it’s stored in the client lua config.

General Exploits
  • Fake collect/process/sell drugs
  • Steal drug location

Updated

Creators: @XxFri3ndlyxX & @ATG
GitHub: https://github.com/ATG-Github/esx_illegal_drugs
Download: GitHub Release

Anyone who uses any of the above is also recommended to use this to further protect your server!

32 Likes
2

Could you give some more information, even vaguely, on what was vulnerable?

1 Like
3

Thank you for the suggestion. I will go ahead and do this. (I was in the middle of writing that out for the first one :stuck_out_tongue:)

1 Like
4

it will always be vulnerable since they can dump the whole servers scripts and easly get the triggerserver events commands and just go off that thats how they get past tigo anticheat
tigo does triggerserverevent(“TAC:jail”,player,time)
while normal esx does TriggerServerEvent(“esx_jail:sendToJail”, targetId, time)
so cant really be patched my dude
i can say its been done since ive actually done it myself (on testing server)
only thing that may prevent it is lots of anticheat triggers really close to the trigger cmd so they gotta pick which jail script they wanna execute which might be the anticheat or be the real cmd

which after looking at the “patches” u just edited the esx triggers which isnt hard to do since tigo V1 kinda tells u to change them manually

5

Do me a favor and read the code before you comment. You cannot bypass a server side check.

Already did.

u wot m8? Where did I change any ESX trigger???

TriggerEvent('esx:getSharedObject', function(obj) ESX = obj end)

That’s the default ESX trigger. That’s what’s in the repos.

6

u do know i already downloaded and bypassed it right
using “injectors:redengi and desu”
TriggerEvent(“esx-qalle-jail:openJailMenu”)
triggered all events after installation
and yes you can bypass a server side check

7

You crack me up :clown_face:. How about, try removing yourself from admin (setadmin id 0 and setgroup ip user) and setting your job to unemployed, and then trigger the server event to jail OR do it through the jail menu. It won’t go through, and it will post it in the server console.

8

esx_billing added to the post!

9

never use admin groups and was unemployed then injector set as Job"police" then jailed all 9 test users at once for 1e-9
and nobody watches server console only the owner or who ever has console access
not every modder goes straight into the triggers like ur expecting
but if youd like me to join ur server and do it infront of u and take my 14 day vacation after id like to show u how simple it is

10

Here’s the issue…

You failed to mention that part. I could patch the set job if I knew which server you were doing it on or, better yet if you told me the event/resource. If your job police, it lets you jail (duh).

11

patch it then ill prob figure it out less than 5 min by looking at triggers and see if its special location set

12

Which resource is the exploit to set job in?

13

why the fuck do you even have the mod/hack menu anyways … stop being a fucking moan like the rest of the low life scum that hack’s other servers

STOP BEING A LOW LIFE SCUMBAG

@ATG GOOD TO SEE SOMEONE TAKING CARE OF THE OLD SCRIPTS DUDE … keep it up :slight_smile:

8 Likes
14

Big up to you!! :+1:

3 Likes
15

1sdgfh

I have problem when someone trigger i test it and esx-qalle-jail:unJailPlayer not working and also
esx-qalle-jail:jailPlayer i got error for a nil value xTgt everything is working

16

Try this one. Also, in what way is jail not working?

17

i set like to test it i am not admin also not police i made like to test to triggerevent in client side simple function:
Citizen.CreateThread(function()
while true do
Citizen.Wait(0)
if IsControlJustPressed(0, 73) then – X control press to triggerevent
TriggerServerEvent(“esx-qalle-jail:jailPlayer”)
end
end
end)

also for jailPlayer but
esx-qalle-jail:prisonWorkReward this works perfect without error and printing in console…

Also can all scripts like esx_billing to add maybe xPlayer.kick(’‘kick test’) to kick maybe player when try to do that ?

18

That is not how you call “esx-qalle-jail:jailPlayer”.
You must call it like…

TriggerServerEvent("esx-qalle-jail:jailPlayer", GetPlayerServerId(PlayerId()), 69, "test")

That is why you got the error :slight_smile:

19

yea now its working ahahah i fogot that, thanks bro, also one suggestion to add in server.lua kick fucntion when somoene try to trigger that :slight_smile: Good Job and thanks bro for this update to stop cheaters <3

20

Very nice release :+1: