Utility to embed XXE and XSS payloads in docx, odt, pptx...
#payloads   #xss   #xxe  

A lot of common document formats, such as doc, docx, odt, etc., are just zip files with a few XML files inside. So why not try to embed XXE payloads in them?

That was done in great research by Will Vandevanter. To create such documents with embedded payloads there is a well-known tool called "oxml_xxe". However, oxml_xxe is not convenient when you need to create hundreds of documents with payloads in different places. Hence Docem.

It works like this: you specify a sample document, that is, a doc containing magic_symbols that will be replaced by an XXE or XSS payload.
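
Because these formats are zip archives of XML files, a receiving application can inspect each member before any XML parser touches it. The following is an added example, not code from Docem or oxml_xxe: it opens a document as a zip and lists the XML members that declare a DTD or entity. It assumes any such declaration in an uploaded document is worth flagging; the function names, size cap and sample archives are constructed for illustration.

```python
import io
import re
import zipfile

# A DOCTYPE or ENTITY declaration is the prerequisite for XXE.
DTD_RE = re.compile(r"<!(?:DOCTYPE|ENTITY)\b")
XML_SUFFIXES = (".xml", ".rels", ".vml")
MAX_MEMBER_BYTES = 20 * 1024 * 1024  # per-member read cap (assumed limit)


def _as_text(body):
    # A UTF-16 member would hide the marker from a plain byte search.
    if body[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return body.decode("utf-16", errors="replace")
    return body.decode("utf-8", errors="replace")


def find_dtd_members(data):
    """Return names of XML members in a zipped document that declare a DTD."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(XML_SUFFIXES):
                continue
            with zf.open(info) as fh:
                body = fh.read(MAX_MEMBER_BYTES)
            if DTD_RE.search(_as_text(body)):
                flagged.append(info.filename)
    return flagged


def _make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a clean archive and one with DTDs in two members.
CLEAN = _make_zip({"word/document.xml": '<?xml version="1.0"?><w:document/>'})
TAINTED = _make_zip({
    "word/document.xml": '<!DOCTYPE d [<!ENTITY e "x">]><d>&e;</d>',
    "word/settings.xml": "<!DOCTYPE s []><s/>".encode("utf-16"),
    "docProps/app.xml": "<Properties/>",
})

if __name__ == "__main__":
    print(find_dtd_members(CLEAN), find_dtd_members(TAINTED))
```

A pre-parse check like this complements, and does not replace, disabling DTD and external entity processing in the XML parser that handles the document.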