Test method: Create a test.asp folder in FTP. The folder name is test.asp. Upload a hack.jpg in this folder. The content of this jpg can be directly <%=now%>, and then, Use IE to remotely access this hack.jpg, and you can find that it is also run as an ASP file! Obviously, as long as your website program allows users to create folders and upload images, hackers can upload images to run as ASP Trojans.
Solution: In setting the execution permission option, directly change the directory with upload permission and cancel the running permission of ASP to solve this problem.