Found this image in the Junkyard. Check it out. Has all sorts of MySQL and header data in the $_GET value, lol. You could set this to be anything. I'm wondering if blobheadervalue2 takes external URLs. Or what custom headers could be sent to do something worthwhile.
I tried changing blobtable to MungoBlobs; DROP TABLE MungoBlobs, but to no avail. You guys can prolly find something if you tried. It's freakishly late and I don't have time to think, so good luck. Figured I'd share this, as I found it hilarious considering it's on a government website.
http://images.military.com/cs/Satell...&ssbinary=true
images.military.com/cs/Satellite
?blobcol=urldata
&blobheadername1=Content-Type
&blobheadername2=Content-Disposition
&blobheadervalue1=image/jpeg
&blobheadervalue2=inline;filename%3DSmartWeapon_11 1109.jpg
&blobkey=id
&blobnocache=false
&blobtable=MungoBlobs
&blobwhere=1209982875284
&ssbinary=true
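As an added, defender-side example that is not part of the post or of the site it describes: a server-side validator that serves this kind of blob request only when every parameter matches a fixed allowlist, so the query string can no longer choose arbitrary tables, columns, header names or header values. The allowlists, the value patterns and the sample filename are assumptions; nothing here is known about the real handler.

```python
import re
from urllib.parse import parse_qs

# Constructed sample: the post's parameters (the filename value is assumed).
SAMPLE_QUERY = (
    "blobcol=urldata&blobheadername1=Content-Type&blobheadername2=Content-Disposition"
    "&blobheadervalue1=image/jpeg&blobheadervalue2=inline;filename%3DSmartWeapon_111109.jpg"
    "&blobkey=id&blobnocache=false&blobtable=MungoBlobs&blobwhere=1209982875284&ssbinary=true"
)
# Assumed allowlists; a real deployment takes these from server config, never from the request.
ALLOWED = {"blobtable": {"MungoBlobs"}, "blobcol": {"urldata"}, "blobkey": {"id"},
           "blobnocache": {"true", "false"}, "ssbinary": {"true", "false"}}
CONTENT_TYPES = {"image/jpeg", "image/png", "image/gif"}
DISPOSITION_RE = re.compile(r"(inline|attachment);filename=[A-Za-z0-9_.-]{1,100}")
HEADER_RE = re.compile(r"blobheadername(\d+)")

def _one(params, name):
    # Exactly one value per parameter: missing or repeated parameters are rejected.
    vals = params.get(name, [])
    if len(vals) != 1:
        raise ValueError(f"{name}: missing or repeated")
    return vals[0]

def validate_blob_request(query):
    """Check every blob parameter against its allowlist; return the safe, typed set."""
    # separator="&" keeps ';' literal, as it is inside the Content-Disposition value.
    params = parse_qs(query, strict_parsing=True, separator="&")
    safe = {"headers": {}}
    for name, allowed in ALLOWED.items():  # identifiers and flags: exact match only
        if _one(params, name) not in allowed:
            raise ValueError(f"{name}: value not allowlisted")
        safe[name] = params[name][0]
    if not re.fullmatch(r"[0-9]{1,20}", _one(params, "blobwhere")):  # row selector
        raise ValueError("blobwhere: must be a numeric id")
    safe["blobwhere"] = int(params["blobwhere"][0])
    for m in filter(None, map(HEADER_RE.fullmatch, sorted(params))):
        hname, hval = _one(params, m.group(0)), _one(params, "blobheadervalue" + m.group(1))
        # Only two fixed header names may be set, each with a tightly shaped value.
        if not ((hname == "Content-Type" and hval in CONTENT_TYPES) or
                (hname == "Content-Disposition" and DISPOSITION_RE.fullmatch(hval))):
            raise ValueError(f"{hname}: header rejected")
        safe["headers"][hname] = hval
    return safe

def is_accepted(query):
    # True only if the query passes every check; malformed encoding also rejects.
    try:
        validate_blob_request(query)
        return True
    except ValueError:
        return False
```

The page's own query passes, while a repeated parameter, an extra header name, a non-image content type or the `; DROP TABLE` value the poster tried are all refused before anything reaches the database or the response headers.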
Thread: Military.com URL injection
- 22 Nov. 2009 08:43am #1