Just wanted to post some details from my BH USA 2015 briefing “Exploiting XXE In File Upload Functionality”.
https://www.youtube.com/watch?v=LZUlw8hHp44
I also gave an updated version of the presentation in November for the Black Hat Webcast Series. It included more file types: PDF, JPG, and GIF. The link is here: https://www.blackhat.com/html/webcast/11192015-exploiting-xml-entity-vulnerabilities-in-file-parsing-functionality.html