# Exploit Title: Gigaland NFT marketplace Shell upload and ETH private key leak
# Google Dork: N/A
# Date: 14/8/2022
# Exploit Author: Sohel Yousef https://www.linkedin.com/in/sohel-yousef-50a905189/
# Software Link: https://gigaland.io/
# Version: 1.9
# Category: webapps

1. Shell upload

After connecting your wallet to the site, go to the edit profile section at the link
localhost/artist/account
and upload your shell in PHP format; no security checks are applied.
Your shell will be in this directory:
storage/artist/profile/
You can also use Inspect Element on the edit profile page to get the direct link.

2. Private key leak

This link:
localhost//resources/privateJs/transfer.js
has the private key for the Ethereum account:

const addressFrom = receiverAddress;
const privKey = '9f09d101c +++ HIDDEN ++++++ ac7bea0db0c25d2b5a3'
async function transfer(addressto, data, history_id) {
    debugger;
    const web3js = new Web3(rpcURL);
    const contract = new web3js.eth.Contract(trabi, trcontractAddress, {});
    const nonce = await web3js.eth.getTransactionCount(addressFrom, 'latest'); //get latest nonce
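
A pre-deploy check for the exposure in section 2, added here as an example (it is not part of the original advisory or of Gigaland's code): it scans JavaScript that the server hands to browsers for 64-hex-digit string literals and ranks those assigned to key-like names first. The function names, the name-hint pattern, the explorer.js path and all key values are assumptions constructed for the example.

```javascript
// Added example, not Gigaland code. Sample paths and key values are constructed.
// An Ethereum (secp256k1) private key is 32 bytes: 64 hex digits, optional 0x prefix.
const HEX64 = /(['"`])(?:0x)?([0-9a-fA-F]{64})\1/g;
// Identifier hints that a literal is key material rather than a tx or block hash.
const KEY_HINT = /priv|secret|signer/i;

// Scan one file's text; return one finding per 64-hex string literal.
function scanSource(path, source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    for (const m of text.matchAll(HEX64)) {
      // Text before the literal holds the variable or property being assigned.
      const lhs = text.slice(0, m.index);
      findings.push({
        path,
        line: i + 1,
        severity: KEY_HINT.test(lhs) ? 'high' : 'review',
        // Never echo the secret into CI logs; show only enough to locate it.
        preview: m[2].slice(0, 4) + '...' + m[2].slice(-2),
      });
    }
  });
  return findings;
}

// Scan a { path: source } map of browser-served assets, worst findings first.
function scanAssets(assets) {
  const rank = (f) => (f.severity === 'high' ? 0 : 1);
  return Object.entries(assets)
    .flatMap(([path, src]) => scanSource(path, src))
    .sort((a, b) => rank(a) - rank(b));
}

// Constructed sample assets (the "key" is 32 bytes of 0xab, not a real key).
const SAMPLE_ASSETS = {
  'resources/js/explorer.js': "const lastTx = '0x" + 'cd'.repeat(32) + "';\n",
  'resources/privateJs/transfer.js': [
    'const addressFrom = receiverAddress;',
    "const privKey = '" + 'ab'.repeat(32) + "'",
    'async function transfer(addressto, data, history_id) {}',
  ].join('\n'),
};

// A build script would exit non-zero when any finding has severity 'high'.
console.log(scanAssets(SAMPLE_ASSETS));
```

A 'high' finding means the key is already readable by every visitor: rotate it and move transaction signing to a server-side component, since no client-side change can hide it.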