# Exploit Title: Gigaland NFT marketplace Shell upload and ETH private key leak   
# Google Dork: N/A  
# Date: 14/8/2022  
# Exploit Author: Sohel Yousef  
# Software Link:  
# Version: 1.9  
# Category: webapps  
1. Sell Upload   
after connectiong your wallet to the site go to edit profile section   
on the link  
upload your shell in php format with no secuirty   
your shell well be in this direction  
storage/artist/profile/ ++ you can Inspect Element the edit profile page to have the direct link   
2. Private key leak   
this link   
have the private key for the ethereum account   
const addressFrom = receiverAddress;  
const privKey = '9f09d101c +++ HIDDEN ++++++ ac7bea0db0c25d2b5a3'  
async function transfer(addressto, data, history_id) {  
const web3js = new Web3(rpcURL);  
const contract = new web3js.eth.Contract(trabi, trcontractAddress, {});  
const nonce = await web3js.eth.getTransactionCount(addressFrom, 'latest'); //get latest nonce