Gigaland NFT Marketplace 1.9 Shell Upload / Key Disclosure

`# Exploit Title: Gigaland NFT marketplace Shell upload and ETH private key leak   
# Google Dork: N/A  
# Date: 14/8/2022  
# Exploit Author: Sohel Yousef https://www.linkedin.com/in/sohel-yousef-50a905189/  
# Software Link: https://gigaland.io/  
# Version: 1.9  
# Category: webapps  
  
1. Sell Upload   
  
after connectiong your wallet to the site go to edit profile section   
on the link  
localhost/artist/account  
upload your shell in php format with no secuirty   
your shell well be in this direction  
storage/artist/profile/ ++ you can Inspect Element the edit profile page to have the direct link   
  
2. Private key leak   
  
this link   
  
localhost//resources/privateJs/transfer.js  
  
have the private key for the ethereum account   
  
const addressFrom = receiverAddress;  
const privKey = '9f09d101c +++ HIDDEN ++++++ ac7bea0db0c25d2b5a3'  
  
async function transfer(addressto, data, history_id) {  
  
debugger;  
const web3js = new Web3(rpcURL);  
  
const contract = new web3js.eth.Contract(trabi, trcontractAddress, {});  
  
const nonce = await web3js.eth.getTransactionCount(addressFrom, 'latest'); //get latest nonce  
`