External entity injection (also known as "XXE") attacks allow you to read files from the host with the permissions of the XML parser, as well as using the XML parser as a sort of proxy to do internal reconnaissance and even internal attacks.
Your objective is to read /etc/passwd or c:\boot.ini using a blind XXE attack.
PARAMETERS:
Injection Type - Full control of xml
Sanitization - None
Output - No results, verbose errors