The following are from the presentation "Exploit XXE in File Upload Functionality" presented at BlackHat USA 2015.
Notes, discussion points, and References
Update 1 (08/16/15):
In the final presentation I left out XXE attacks via XMP in PDF (gif, etc.) though it is still in the slide deck. This support is added in oxml_xxe. For example:
ruby oxml_xxe.rb --poc pdf --ip 192.168.14.1:8000
Update 2 (11/19/15):
Recently presented updated material as part of the Blackhat Webcast Series
Additional material was added discussing XXE via PDF, GIF, PNG, and JPG. Updates have been pushed to the tool.
Updated Slides from 11/19/15