sqlmapproject / sqlmap

Automatic SQL injection and database takeover tool
http://sqlmap.org

Incapsula WAF #2414

Closed ghost closed 7 years ago

ghost commented 7 years ago

I scanned a MySQL database and I got a [WARNING] message saying that the URL might have a WAF, therefore I used wafw00f to find out which WAF it was: it's Incapsula. So I ask you gentlemen, is there a way I can bypass an Incapsula WAF with sqlmap, or do I need to use another tool?

stamparm commented 7 years ago

You can use something else

On Feb 27, 2017 03:12, "fritori" notifications@github.com wrote:

I scanned a MySQL database and I got a [WARNING] message saying that the URL might have a WAF, therefore I used wafw00f to know which WAF was: it's Incapsula. So I ask you gentlemen, is there a way I can bypass an Incapsula WAF with sqlmap or I need to use another tool?

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/sqlmapproject/sqlmap/issues/2414, or mute the thread https://github.com/notifications/unsubscribe-auth/AA4P02we846kRAl2HxSmKqk0u4zBzQnyks5rgjD1gaJpZM4MMnzX .

ghost commented 7 years ago

But can I use sqlmap? I mean, is it possible with sqlmap? And if sqlmap doesn't work with this, which should I use?

stamparm commented 7 years ago

You've asked whether to use another tool; I've replied go for it. I was assured that you knew what the other tool was. I am not aware of any tool that will automagically do that for you.

Ekultek commented 7 years ago

I think what he's asking is if there is a script in sqlmap that will bypass the WAF for him?

stamparm commented 7 years ago

Out of the box, no. Tamper scripts are just a help for advanced pen testers who know how to bypass the protection (e.g. WAF) in the first place. They are not meant to be used in an automagic way. Without the user's in-depth knowledge of what is going on and why the target is behaving like it is, they are useless.

As said, the user asked (I thought in an authoritative way) whether he should "use another tool" and I replied yes.

ghost commented 7 years ago

Alright, thank you anyway. I've made a search and so far there isn't any tool that can bypass the Incapsula WAF. I thought sqlmap could with the tamper scripts, and I apologise for the question; I've asked it wrongly.