Try SQL injection. Type a semicolon followed by SELECT * FROM USER.
If they haven’t coded to preclude it, this will cause the server to list all user information. Of course, the table name may be different. If it returns a programming error, try replacing USER with NAME or some such.
Of course, no professional would leave that door open. Only a noob would allow SQL injection into their system.