An XXE attack is based on the concept of external entities in XML. We can utilize the URI portion of external entities to do nasty things such as reading files, exfiltration of data, server-side request forgery, or even executing arbitrary code.
In some of the following examples I have purposely enabled a few features such as the external entity loader, URL fopen, and the expect module of PHP for the sake of demonstration. These come disabled in a default installation of PHP.
Keep in mind that an XXE attack affects other server-side scripting platforms such as JSP, ASP, and so on; so some features which are disabled in PHP by default may work out of the box on other platforms.
Consider the following XML parsing code in PHP:
<?php $xml ...