GetTempFileName
function. Looking into documentation we can find the following explanation: The GetTempFileName function creates a temporary file name of the following form:<path>\<pre><uuuu>.TMP
upload_tmp_dir
which normally it's C:\Windows\Temp
php1<<
or phpA<<
). You can Brute-Force more specific masks until you find your uploaded temporary file.