This document discusses exploiting PHP local file inclusion (LFI) vulnerabilities to achieve arbitrary code execution by including PHP's temporary upload files. On Windows, the random filenames for these temporary files can be brute forced since only the lower 16 bits of the random number are used, limiting possibilities to 65,535 files. On Linux, including these temporary files may be possible if an attacker can list files in the upload directory via a race condition or view the PHP $_FILES array.