Gigaland NFT Marketplace 1.9 Shell Upload / Key Disclosure

Gigaland NFT Marketplace version 1.9 suffers from remote shell upload and ETH private key disclosure vulnerabilities.

SHA-256 | ce98bcba1114e91aa9e9ba66766075c6356a782f55f6b972328c6840eadf1713

# Exploit Title: Gigaland NFT marketplace Shell upload and ETH private key leak 
# Google Dork: N/A
# Date: 14/8/2022
# Exploit Author: Sohel Yousef
# Software Link:
# Version: 1.9
# Category: webapps

1. Sell Upload

after connectiong your wallet to the site go to edit profile section
on the link
upload your shell in php format with no secuirty
your shell well be in this direction
storage/artist/profile/ ++ you can Inspect Element the edit profile page to have the direct link

2. Private key leak

this link


have the private key for the ethereum account

const addressFrom = receiverAddress;
const privKey = '9f09d101c +++ HIDDEN ++++++ ac7bea0db0c25d2b5a3'

async function transfer(addressto, data, history_id) {

const web3js = new Web3(rpcURL);

const contract = new web3js.eth.Contract(trabi, trcontractAddress, {});

const nonce = await web3js.eth.getTransactionCount(addressFrom, 'latest'); //get latest nonce

Related Posts