Got most of this from https://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/
Tricks
list of possible Apache dirs: http://wiki.apache.org/httpd/DistrosDefaultLayout
include access log from file descriptor /proc/self/fd/XX: http://pastebin.com/raw.php?i=cRYvK4jb
include email log files: http://devels-playground.blogspot.de/2007/08/local-file-inclusion-tricks.html
include ssh auth.log
abuse avatar/image/attachment file uploads
include session files: https://ddxhunter.wordpress.com/2010/03/10/lfis-exploitation-techniques/
include PHP’s temporarily uploaded files http://gynvael.coldwind.pl/?id=376
Include file descriptors: LFI-FD-Check.txt
Try appending %00 and ? although these are obsolete