<str style="box-sizing: border-box; font-weight: bold;">Mysql 截断</str>
<str style="box-sizing: border-box;">MySQL中，如果字段非常长，插入时会造成截断。MySQL TEXT类型长度为64kb,如果评论长度超过这个限制，就会被截断。</str>
The truncation results in malformed HTML generated on the page. The attacker can supply any attributes in the allowed HTML tags, in the same way as with the two recently published stored XSS vulnerabilities affecting the WordPress core.

POC
<a title=’x onmouseover=alert(unescape(/hello%20world/.source)) style=position:absolute;left:0;top:0;width:5000px;height:5000px AAAAAAAAAAAA…[64 kb]..AAA’></a>

利用
陌生用户的第一条评论需要审查，如果用户发一条正常的评论，等待评论通过。这样后面的评论就可以直接通过，不需要审查就可以xss了。

解决办法
关闭评论 (Dashboard, Settings/Discussion, select as restrictive options as possible). Do not approve any comments.

[课程]Linux pwn 探索篇！