
possible places to insert user/pass


ghost's Avatar

Hello guys, I'm testing a website's security, and I managed to find an SQL hack where I get the admin's username and password. That alone is what was needed for this job, but I want to complete it by modifying the source code of the home page, where I write them a notice where the problem is. The only problem is that I can't find the login page or any other login method. I tried anything from telnet, SSH, FTP, hidden pages, anything I could have thought about.. and note that there is no webpage for the domain, nothing. I need your help to suggest possible places to input the admin's username and password I managed to pull, so I can gain admin rights on the site and notify them about it and get this project done already XD !!

thanx tons 4 ur time :)


ghost's Avatar

Send them an email with their user and pass in and say "I found a hack but decided to report it cos I'm nice"


ghost's Avatar

Check cookies, robots.txt (Might have a login page dir), why not just email them? Usually people don't like it when their page has been defaced saying "Z0mg j00 h4v3 4 53cur|7y 3xpl0i7!". Stick with the email.

EDIT– Mr noob beat me to the post, damn my broken arm and crappy one-hand typing skills


ghost's Avatar

thanx I'll try out the stuff u suggested and if it won't work I'll just email them "u got pwn'd" or somsin lol :D


ghost's Avatar

DioXin wrote: thanx I'll try out the stuff u suggested and if it won't work I'll just email them "u got pwn'd" or somsin lol :D

… No. Don't do that.

Just email them using well structured language.


ghost's Avatar

Indeed.


ghost's Avatar

There has to be somewhere to enter the details…. Have you tried nmap and finding the server they're hosted on…?

Also, you don't need to post anything on their website to notify them; like others have said, e-mail them.


Uber0n's Avatar
Member

So you managed to get the admin username and pass but not to find the login page? Quite funny situation, although it's happened to me once as well :happy:


bl4ckc4t's Avatar
Banned

Uber0n wrote: So you managed to get the admin username and pass but not to find the login page? Quite funny situation, although it's happened to me once as well :happy:

I hate when that happens. That's what you call… smart web design? lol -Bl4ckC4t


ghost's Avatar

have you tried nmap and finding the server they're hosted on…?

Why does he need to know what server they're on? … Especially since he already has the login info etc. I mean, that'd be working backwards now, wouldn't it?

He could PING them instead of scanning them to find what server they're on, mate. It's faster, and more logical.


ghost's Avatar

Well, if he finds what server they're on then he can log in on that server that they're hosting it on. I don't see how that's going backwards?


Uber0n's Avatar
Member

He's probably found the login info through a known exploit, but the login page doesn't have the standard name. A dictionary URL attack could be suitable ;)