Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2022080052

Below is a copy:

Gigaland NFT Marketplace 1.9 Shell Upload / Key Disclosure
# Exploit Title: Gigaland NFT marketplace Shell upload and ETH private key leak 
# Google Dork: N/A
# Date: 14/8/2022
# Exploit Author: Sohel Yousef   https://www.linkedin.com/in/sohel-yousef-50a905189/
# Software Link: https://gigaland.io/
# Version: 1.9
# Category: webapps

1. Shell Upload

After connecting your wallet to the site, go to the edit profile section
at the link
localhost/artist/account
Upload your shell in PHP format; there is no security check on the upload.
Your shell will be in this directory:
storage/artist/profile/ (you can also use Inspect Element on the edit profile page to get the direct link)

2. Private key leak 

The file at this link

localhost//resources/privateJs/transfer.js

contains the private key for the Ethereum account:

const addressFrom = receiverAddress;
const privKey = '9f09d101c +++  HIDDEN ++++++ ac7bea0db0c25d2b5a3'

async function transfer(addressto, data, history_id) {

    debugger;
    const web3js = new Web3(rpcURL);

    const contract = new web3js.eth.Contract(trabi, trcontractAddress, {});

    const nonce = await web3js.eth.getTransactionCount(addressFrom, 'latest'); //get latest nonce
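
The key disclosure in section 2 is something a pre-deployment check can catch. The following is an added example, not code from the advisory or from Gigaland: it scans JavaScript source text for 64-hex-character string literals (the size of an Ethereum private key) assigned to an identifier. The function name, the confidence labels and the sample input are assumptions made for illustration; the sample key is a constructed placeholder.

```javascript
// Added example: flag hardcoded Ethereum-style private keys in JavaScript
// that the web server would hand to any visitor.
const KEY_NAME = /(priv(ate)?_?key|secret|mnemonic)/i;
// A secp256k1 private key is 32 bytes: 64 hex chars, optionally 0x-prefixed,
// here required to sit alone inside a quoted string assigned to a name.
const ASSIGNMENT =
  /([A-Za-z_$][\w$]*)['"]?\s*[:=]\s*(['"`])(?:0x)?([0-9a-fA-F]{64})\2/g;

function findHardcodedKeys(fileName, source) {
  const findings = [];
  source.split(/\r?\n/).forEach((line, idx) => {
    for (const m of line.matchAll(ASSIGNMENT)) {
      const name = m[1];
      const hex = m[3];
      findings.push({
        file: fileName,
        line: idx + 1,
        identifier: name,
        // 'high' when the identifier itself names a key or secret;
        // 'review' otherwise (a 64-hex literal may be a tx hash).
        confidence: KEY_NAME.test(name) ? 'high' : 'review',
        // Never copy the secret into scan output; keep a short prefix only.
        preview: hex.slice(0, 4) + '...(redacted)',
      });
    }
  });
  return findings;
}

// Constructed sample input, shaped like the excerpt quoted in the advisory.
const FAKE_HEX = 'ab'.repeat(32); // placeholder, not a real key
const SAMPLE = [
  'const addressFrom = receiverAddress;',
  `const privKey = '${FAKE_HEX}'`,
  `const lastTxHash = "0x${FAKE_HEX}";`,
  "const rpcURL = 'https://rpc.example.invalid';",
].join('\n');

console.log(findHardcodedKeys('resources/privateJs/transfer.js', SAMPLE));
```

A 'high' finding in any file under a web-served path means the key is readable by every visitor, so it should be treated as compromised and rotated, with signing moved off the client.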
