LFI via PHP session upload progress
It is possible to exploit LFI by forcibly creating a session (without session_start()!) by sending the PHP_SESSION_UPLOAD_PROGRESS parameter.
The splice also uses a filter combination trick to create the desired prefix in the shellcode, but this is not so...