Detectify explains how they gained read access to production servers at Google:
One system caught our eyes. The Google Toolbar button gallery. We looked at each other and jokingly said “this looks vuln!”, not knowing how right we were.
They were able to leverage XML External Entity ( XXE ) processing to read local files on Google’s production servers. If you haven’t read up on XXE go watch Mike Adams talk at WordCamp SF 2013, the video is only 30 minutes.
Be very careful when processing XML, it can come back to bite you in very bad ways.