Entire database dump written to a file of our choice. Super-duper validation of access level (none).
You can also use POST.
Oh, and if really wanted to, you can modify your client name or something to <?php eval(...); ?> and set the filename extension to php. Credit cards are stored in the database, encryption key is in /includes/config.php
PS: In case you wanted to report this vulnerability to them it costs only $75. No other way to contact them.