Fulcrum write-up by Alamot

Excellent writeup as always!

Just thought I’d add you can exfil larger files using the following filter:
php://filter/read=zlib.deflate/read=convert.base64-encode/resource=
This lets you get more into the limited number of characters allowed within a URL. I couldn’t find a way to exfil default.conf on this box without it.

This can be decoded on the other side using zlib.decompress(base64.b64decode(req), -15) within Python.
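As an added example (not part of the post above, and not the write-up author's code): a log-review helper that flags the quoted filter chain in a request line and recovers what a base64 plus raw-DEFLATE blob in a URL actually contained. The host name, parameter names and sample config text are constructed for illustration.

```python
import base64
import re
import zlib
from urllib.parse import parse_qsl, unquote, urlsplit

# The wrapper chain quoted in the post: zlib.deflate followed by base64.
FILTER_RE = re.compile(
    r"php://filter/[^\s\"']*zlib\.deflate[^\s\"']*convert\.base64-encode", re.I)

def has_filter_chain(text):
    """True if a request or log line references the chain, even percent-encoded."""
    return bool(FILTER_RE.search(unquote(text)))

def decode_blob(value):
    """Reverse base64 + raw DEFLATE; return None if value is not such a blob."""
    value = value.replace(" ", "+")    # query parsing turns '+' into a space
    value += "=" * (-len(value) % 4)   # padding is often stripped in URLs
    try:
        raw = base64.b64decode(value, validate=True)
        return zlib.decompress(raw, -15)  # -15 = raw DEFLATE, no zlib header
    except (ValueError, zlib.error):
        return None

def recover_from_url(url):
    """Map each query parameter that decodes cleanly to its recovered bytes."""
    found = {}
    for name, value in parse_qsl(urlsplit(url).query):
        data = decode_blob(value)
        if data is not None:
            found[name] = data
    return found

def make_blob(data):
    """Build a constructed sample the same way the filter chain would."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(data) + comp.flush()).decode()

# Constructed sample data (hypothetical config text, host and parameter names).
SAMPLE_CONF = b"server {\n    listen 80;\n    root /var/www/html;\n}\n" * 4
SAMPLE_URL = "http://collector.example/log?id=7&d=" + make_blob(SAMPLE_CONF)
SAMPLE_LINE = ("GET /?page=php%3A%2F%2Ffilter%2Fread%3Dzlib.deflate%2F"
               "read%3Dconvert.base64-encode%2Fresource%3DPLACEHOLDER HTTP/1.1")

if __name__ == "__main__":
    print(has_filter_chain(SAMPLE_LINE))
    print(recover_from_url(SAMPLE_URL)["d"].decode())
```

The negative window size matters because PHP's zlib.deflate filter emits a raw RFC 1951 stream, which a default zlib.decompress call rejects for lack of a zlib header.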