Gigaland NFT Marketplace 1.9 Shell Upload / Key Disclosure
Gigaland NFT Marketplace version 1.9 suffers from remote shell upload and ETH private key disclosure vulnerabilities.
# Exploit Title: Gigaland NFT marketplace Shell upload and ETH private key leak
# Google Dork: N/A
# Date: 14/8/2022
# Exploit Author: Sohel Yousef https://www.linkedin.com/in/sohel-yousef-50a905189/
# Software Link: https://gigaland.io/
# Version: 1.9
# Category: webapps

1. Shell Upload

After connecting your wallet to the site, go to the edit profile section at the link

localhost/artist/account

Upload your shell in PHP format; there is no security check. Your shell will be in this directory:

storage/artist/profile/

You can also use Inspect Element on the edit profile page to get the direct link.

2. Private key leak

This link

localhost//resources/privateJs/transfer.js

has the private key for the Ethereum account:

const addressFrom = receiverAddress;
const privKey = '9f09d101c +++ HIDDEN ++++++ ac7bea0db0c25d2b5a3'
async function transfer(addressto, data, history_id) {
    debugger;
    const web3js = new Web3(rpcURL);
    const contract = new web3js.eth.Contract(trabi, trcontractAddress, {});
    const nonce = await web3js.eth.getTransactionCount(addressFrom, 'latest'); // get latest nonce
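An added example, not part of the original advisory or of the Gigaland code: a Node.js check that scans JavaScript served to browsers, as transfer.js is here, for 64-hex-digit string literals that look like Ethereum private keys. The function name `scanSource`, the key-name list and the sample input are assumptions constructed for illustration.

```javascript
// A secp256k1 private key is 32 bytes, so in source it appears as a
// 64-hex-digit string literal, optionally prefixed with 0x.
const HEX_KEY_LITERAL = /(['"`])(?:0x)?([0-9a-fA-F]{64})\1/g;

// Identifier names suggesting the literal is signing material (assumed list).
const KEY_NAME = /(priv(ate)?_?key|secret|mnemonic|signer)/i;

// Scan one file's text and return a finding per suspicious literal.
function scanSource(fileName, source) {
  const findings = [];
  source.split(/\r?\n/).forEach((line, idx) => {
    for (const m of line.matchAll(HEX_KEY_LITERAL)) {
      // Text left of the literal usually holds the name it is assigned to.
      const named = KEY_NAME.test(line.slice(0, m.index));
      findings.push({
        file: fileName,
        line: idx + 1,
        // Transaction and block hashes are also 64 hex digits, so an
        // unnamed literal is only flagged for manual review.
        severity: named ? 'high' : 'review',
        // Do not copy the full key into scan output; show a fingerprint.
        preview: m[2].slice(0, 4) + '…' + m[2].slice(-4),
      });
    }
  });
  return findings;
}

// Constructed sample in the shape of the file described above.
// The hex values are made up and are not real keys or hashes.
const SAMPLE = [
  'const addressFrom = receiverAddress;',
  "const privKey = '" + 'ab12'.repeat(16) + "'",
  "const txHash = '0x" + 'cd34'.repeat(16) + "';",
  "const nonce = await web3js.eth.getTransactionCount(addressFrom, 'latest');",
].join('\n');

for (const f of scanSource('transfer.js', SAMPLE)) {
  console.log(`${f.file}:${f.line} [${f.severity}] ${f.preview}`);
}
```

A key that has been served to browsers is already exposed, so a `high` finding means rotating that key and moving transaction signing to the server side, not just deleting the line.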