Date: 30-03-2019
Exploit Author: Ata Hakçıl, Melih Kaan Yıldız
Vendor: ManageEngine
Vendor Homepage: www.manageengine.com
Product: Service Desk Plus
Version: 10.0
Tested On: Windows 10 64 bit
CVE : 2019-10008
https://flameofignis.com/en/vuln/CVE-2019-10008
https://www.youtube.com/watch?v=fCea6yRkkSQ
A security vulnerability was discovered in Service Desk Plus 9.3. It is caused by how session cookies are handled, and allows an attacker with any valid credentials to authenticate as another user without that user's password.
Change the host, low_username, low_password and high_username variables depending on what you have. low_username and low_password are an account you have access to; high_username is the account you want to authenticate as.
After running the script, it will output the cookies that you can set in your browser to log in as high_username without a password. Run this script on a Linux OS.
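As an added example (not part of the advisory or of the authors' script), a small detection routine that flags a session identifier seen under more than one authenticated user, which is the observable trace of the behaviour described above; the log line format is assumed for illustration and is not ServiceDesk Plus's own:

```python
"""Flag session identifiers that appear with more than one authenticated user.

Hypothetical detection for the cookie-handling flaw described above: a single
session cookie value that is later seen acting as a different user is the
observable side effect of one account authenticating as another.
"""
import re
from collections import defaultdict

# Constructed sample records in an assumed "timestamp user sess=ID request"
# form; real ServiceDesk Plus logs will need their own parser.
SAMPLE_LOG = """\
2019-03-30T10:00:01Z lowuser  sess=AB12CD34 GET /HomePage.do
2019-03-30T10:00:05Z lowuser  sess=AB12CD34 GET /WorkOrder.do
2019-03-30T10:01:10Z admin    sess=AB12CD34 GET /AdminHome.do
2019-03-30T10:02:00Z jsmith   sess=EF56GH78 GET /HomePage.do
2019-03-30T10:02:30Z jsmith   sess=EF56GH78 GET /WorkOrder.do
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+sess=(?P<sid>\S+)\s+(?P<req>.*)$"
)


def parse_lines(text):
    """Yield (timestamp, user, session_id) for each well-formed line; skip others."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("user"), m.group("sid")


def find_shared_sessions(text):
    """Return {session_id: [(first_seen_ts, user), ...]} for sessions tied to 2+ users.

    The per-session list is ordered by the time each user was first seen, so the
    original owner of the cookie comes first and the account it was reused as last.
    """
    first_seen = defaultdict(dict)  # sid -> {user: first timestamp}
    for ts, user, sid in parse_lines(text):
        first_seen[sid].setdefault(user, ts)
    return {
        sid: sorted((ts, user) for user, ts in users.items())
        for sid, users in first_seen.items()
        if len(users) > 1
    }


if __name__ == "__main__":
    for sid, hops in find_shared_sessions(SAMPLE_LOG).items():
        chain = " -> ".join(f"{user}@{ts}" for ts, user in hops)
        print(f"ALERT session {sid} used by multiple users: {chain}")
```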