blackops-sql 0.1.6__py3-none-any.whl

blackops_sql-0.1.6.dist-info/licenses/NOTICE

@@ -0,0 +1,27 @@
+BlackOpsSQL
+===========
+
+BlackOpsSQL is a modified fork of BreachSQL by CommonHuman-Lab.
+Original project: https://github.com/CommonHuman-Lab/breachsql
+License: AGPL-3.0-or-later
+
+BlackOpsSQL is an AGPL-3.0-or-later modified fork of BreachSQL by CommonHuman-Lab.
+
+Original copyright (c) 2026 CommonHuman-Lab
+Modifications copyright (c) 2026 roc1t1z3not
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as published
+by the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+Upstream dependency notices
+----------------------------
+BlackOpsSQL depends on the following upstream libraries from CommonHuman-Lab,
+used as external PyPI packages (not bundled source):
+
+  - commonhuman-core   — HTTP client, crawler, OpenAPI loader, auth helpers
+  - commonhuman-payloads — SQL injection payload library and WAF signatures
+  - commonhuman-cli    — CLI framework, logging, colour helpers, entry point utils
+
+These libraries remain unmodified and are governed by their own licenses.

blackopssql/__init__.py

@@ -0,0 +1,111 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# Copyright (c) 2026 CommonHuman-Lab (original BreachSQL)
+# Modifications copyright (c) 2026 roc1t1z3not (BlackOpsSQL)
+"""
+BlackOpsSQL — API-aware SQL injection reconnaissance and validation engine.
+
+BlackOpsSQL is an AGPL-3.0-or-later modified fork of BreachSQL by CommonHuman-Lab.
+
+Quick start:
+
+    from blackopssql import scan, ScanOptions
+
+    result = scan("https://target.com/search?q=test")
+    print(result.total_findings)
+
+    opts = ScanOptions(level=2, crawl=True, dbms="mysql")
+    result = scan("https://target.com/search?q=test", opts)
+"""
+
+from blackopssql.engine import scan, ScanOptions
+from blackopssql.engine.reporter import (
+    ScanResult,
+    ErrorBasedFinding,
+    BooleanFinding,
+    TimeFinding,
+    UnionFinding,
+    OOBFinding,
+    FindingType,
+)
+
+__version__ = "0.1.6"
+
+
+def _make_banner() -> str:
+    import re
+    import sys
+
+    _tty = sys.stdout.isatty()
+
+    def _r(t: str) -> str:
+        return f"\033[31;1m{t}\033[0m" if _tty else t
+
+    def _g(t: str) -> str:
+        return f"\033[38;5;46m{t}\033[0m" if _tty else t
+
+    def _d(t: str) -> str:
+        return f"\033[2m{t}\033[0m" if _tty else t
+
+    def _vlen(s: str) -> int:
+        return len(re.sub(r"\033\[[0-9;]*m", "", s))
+
+    # slant font: "BlackOps" (green) + "SQL" (red) merged side-by-side
+    _BO_W = 44
+    _BO = (
+        "    ____  __           __   ____            ",
+        "   / __ )/ /___ ______/ /__/ __ \\____  _____",
+        "  / __  / / __ `/ ___/ //_/ / / / __ \\/ ___/",
+        " / /_/ / / /_/ / /__/ ,< / /_/ / /_/ (__  ) ",
+        "/_____/_/\\__,_/\\___/_/|_|\\____/ .___/____/  ",
+        "                             /_/            ",
+    )
+    _SQL = (
+        "   _____ ____    __ ",
+        "  / ___// __ \\  / / ",
+        "  \\__ \\/ / / / / /  ",
+        " ___/ / /_/ / / /___",
+        "/____/\\___\\_\\/_____/",
+        "                    ",
+    )
+
+    art_colored = [_g(bo.ljust(_BO_W)) + _r(sql) for bo, sql in zip(_BO, _SQL)]
+    art_raw = [bo.ljust(_BO_W) + sql for bo, sql in zip(_BO, _SQL)]
+
+    info = [
+        _d("  API-aware SQL injection reconnaissance and validation engine"),
+        _d("  fork of BreachSQL by CommonHuman-Lab  |  AGPL-3.0-or-later"),
+        _d("  Big thanks to Deorsa for Graphical and Visual design."),
+    ]
+
+    art_raw_widths = [len(l) for l in art_raw]
+    info_raw_widths = [_vlen(l) for l in info]
+    inner_w = max(art_raw_widths + info_raw_widths)
+    frame_w = inner_w + 4  # "# " + content + " #"
+
+    top_bot = _r("#" * frame_w)
+    empty = _r("#") + " " * (frame_w - 2) + _r("#")
+
+    rows = ["", top_bot, empty]
+    for colored, raw_w in zip(art_colored, art_raw_widths):
+        rows.append(_r("#") + " " + colored + " " * (inner_w - raw_w) + " " + _r("#"))
+    rows.append(empty)
+    for colored, raw_w in zip(info, info_raw_widths):
+        rows.append(_r("#") + " " + colored + " " * (inner_w - raw_w) + " " + _r("#"))
+    rows += [empty, top_bot, ""]
+    return "\n".join(rows)
+
+
+BANNER = _make_banner()
+
+__all__ = [
+    "__version__",
+    "scan",
+    "ScanOptions",
+    "ScanResult",
+    "ErrorBasedFinding",
+    "BooleanFinding",
+    "TimeFinding",
+    "UnionFinding",
+    "OOBFinding",
+    "FindingType",
+]

blackopssql/__main__.py

@@ -0,0 +1,287 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# Copyright (c) 2026 CommonHuman-Lab (original BreachSQL)
+# Modifications copyright (c) 2026 roc1t1z3not (BlackOpsSQL fork)
+"""
+BlackOpsSQL — __main__.py
+CLI entry point.
+
+Usage:
+    python -m blackopssql -u https://target.com/search?q=test
+    blackops-sql -u https://target.com/search?q=test
+"""
+
+from __future__ import annotations
+
+import copy
+import json
+import os
+import re
+import sys
+import urllib.parse as _up
+
+_HERE   = os.path.dirname(os.path.abspath(__file__))
+_PARENT = os.path.dirname(_HERE)
+for _p in (_PARENT, _HERE):
+    if _p not in sys.path:
+        sys.path.insert(0, _p)
+
+from blackopssql import BANNER
+from blackopssql.engine import scan, ScanOptions
+from blackopssql.engine.scanner import _unique_stem, _output_stem
+from blackopssql.engine.log import get_logger
+from blackopssql._cli.args import build_parser, interactive_prompts
+from blackopssql._cli.summary import print_summary
+from blackops_cli.colour import BOLD, CYAN
+from blackops_cli.logging import setup_logging
+from blackops_cli.entrypoint import (
+    load_url_list, compile_exclude_patterns, parse_headers, validate_timeout,
+)
+
+_cli_logger = get_logger("blackopssql")
+
+_AUTH_PATH_RE       = re.compile(r'/(login|signin|authenticate|session|token)\b', re.IGNORECASE)
+_AUTH_SYNTH_BODY    = '{"email":"test@test.com","password":"test","username":"test"}'
+
+
+def _split_param_list(val) -> list[str]:
+    """Accept either a list (from interactive mode) or a comma-separated string."""
+    if isinstance(val, list):
+        return [p.strip() for p in val if str(p).strip()]
+    return [p.strip() for p in str(val).split(",") if p.strip()]
+
+
+def main() -> None:
+    parser = build_parser()
+    args   = parser.parse_args()
+
+    setup_logging(verbose=args.verbose, quiet=args.quiet or args.json_output, logger_name="blackopssql")
+
+    # Collect target URLs
+    urls: list[str] = []
+    if args.url:
+        urls.append(args.url)
+    if args.url_list:
+        urls.extend(load_url_list(args.url_list))
+
+    # No URL supplied → interactive mode
+    if not urls:
+        args = interactive_prompts()
+        urls = [args.url]
+    elif not args.json_output:
+        print(CYAN(BANNER))
+
+    validate_timeout(args.timeout)
+
+    exclude_patterns = compile_exclude_patterns(args.exclude)
+    headers          = parse_headers(args.header)
+
+    # Form login
+    if getattr(args, "login_url", "") and getattr(args, "login_user", ""):
+        from blackops_core.auth import form_login as _form_login
+        if not args.quiet and not args.json_output:
+            print(f"[*] Authenticating via {args.login_url} ...")
+        auth = _form_login(
+            login_url=args.login_url,
+            username=args.login_user,
+            password=getattr(args, "login_pass", ""),
+            username_field=getattr(args, "login_user_field", "username"),
+            password_field=getattr(args, "login_pass_field", "password"),
+        )
+        if auth.cookies and not args.cookie:
+            args.cookie = auth.cookies
+        headers.update(auth.headers)
+
+    # OpenAPI spec import
+    if getattr(args, "openapi", ""):
+        from blackops_core.openapi import load_openapi as _load_openapi
+        if not args.quiet and not args.json_output:
+            print(f"[*] Loading OpenAPI spec from {args.openapi} ...")
+        api_eps = _load_openapi(args.openapi, base_url=getattr(args, "base_url", ""))
+        seen_oa = set(urls)
+        for ep in api_eps:
+            if ep.url not in seen_oa:
+                urls.append(ep.url)
+                seen_oa.add(ep.url)
+        if not args.quiet and not args.json_output:
+            print(f"[*] OpenAPI: {len(api_eps)} endpoint(s) added")
+
+    # Per-URL POST body overrides: populated by JS discovery for auth endpoints.
+    url_data_overrides: dict[str, str] = {}
+
+    # JS API discovery — parse SPA bundles for REST/API endpoints
+    if (args.crawl or getattr(args, "browser_crawl", False)) and urls:
+        from blackops_core.js_api_discover import js_api_discover as _js_discover
+        seed = urls[0]
+        if not args.quiet and not args.json_output:
+            print(f"[*] JS API discovery on {seed} ...")
+        seen_js = set(urls)
+        js_found = _js_discover(seed)
+        new_js: list[str] = []
+        for _method, js_url, _tmpl in js_found:
+            if js_url not in seen_js:
+                seen_js.add(js_url)
+                new_js.append(js_url)
+                urls.append(js_url)
+                # Synthesise a JSON body for discovered POST auth endpoints so
+                # the scanner can build injectable surfaces (email/password fields).
+                if _method == "POST" and _AUTH_PATH_RE.search(_up.urlparse(js_url).path):
+                    url_data_overrides[js_url] = _AUTH_SYNTH_BODY
+        if not args.quiet and not args.json_output:
+            print(f"[*] JS discovery: {len(new_js)} endpoint(s) found")
+
+    # Browser crawl — headless JS endpoint discovery
+    if getattr(args, "browser_crawl", False) and urls:
+        from blackops_core.browser_crawler import browser_crawl as _browser_crawl
+        seed = urls[0]
+        if not args.quiet and not args.json_output:
+            print(f"[*] Browser-crawling {seed} ...")
+        bc_found = _browser_crawl(
+            start_url=seed,
+            max_pages=args.max_pages,
+            max_depth=args.max_depth,
+            cookies=args.cookie or "",
+        )
+        seen_bc = set(urls)
+        new_bc  = [u for u in bc_found if u not in seen_bc]
+        urls.extend(new_bc)
+        if not args.quiet and not args.json_output:
+            print(f"[*] Browser crawl: {len(new_bc)} additional endpoint(s) queued")
+
+    # --exploit implies --dump-all + auto-named outputs under <host>/ directory
+    if getattr(args, "exploit", False):
+        args.dump_all = True
+        if not args.output and urls:
+            _host = _up.urlparse(urls[0]).hostname or "target"
+            os.makedirs(_host, exist_ok=True)
+            args.output = os.path.join(_host, _host)
+        if not getattr(args, "report_html", "") and args.output:
+            args.report_html = args.output + ".html"
+
+    # Resolve collision-free stem once for the whole session so that every
+    # scan() call in the crawl loop writes to the same base name.
+    if args.output:
+        args.output = _unique_stem(_output_stem(args.output))
+    if getattr(args, "report_html", ""):
+        args.report_html = _unique_stem(_output_stem(args.report_html)) + ".html"
+
+    opts = ScanOptions(
+        crawl=args.crawl,
+        data=args.data,
+        headers=headers,
+        cookies=args.cookie,
+        proxy=args.proxy,
+        threads=args.threads,
+        timeout=args.timeout,
+        delay=args.delay,
+        level=args.level,
+        max_pages=args.max_pages,
+        max_depth=args.max_depth,
+        output=args.output,
+        exclude_patterns=exclude_patterns,
+        dbms=args.dbms,
+        technique=args.technique,
+        oob_callback=args.oob,
+        time_threshold=args.time_threshold,
+        risk=args.risk,
+        second_url=getattr(args, "second_url", ""),
+        path_params=_split_param_list(getattr(args, "path_params", "")),
+        cookie_params=_split_param_list(getattr(args, "cookie_params", "")),
+        header_params=_split_param_list(getattr(args, "header_params", "")),
+        exploit=(
+            getattr(args, "exploit", False)
+            or bool(getattr(args, "dump", ""))
+            or getattr(args, "dump_all", False)
+        ),
+        dump=getattr(args, "dump", ""),
+        dump_all=getattr(args, "dump_all", False),
+    )
+
+    all_results = []
+    any_findings = False
+    multi = len(urls) > 1
+
+    for target_url in urls:
+        if any(p.search(target_url) for p in exclude_patterns):
+            _cli_logger.info("Skipping excluded URL: %s", target_url)
+            continue
+
+        if not args.json_output and not args.quiet:
+            if not multi:
+                print(BOLD(f"[*] Target    : {target_url}"))
+                print(BOLD(f"[*] Level     : {args.level}  Threads: {args.threads}  Crawl: {args.crawl}"))
+                print(BOLD(f"[*] DBMS hint : {args.dbms}  Techniques: {args.technique}  Risk: {args.risk}"))
+                print()
+
+        _scan_opts = opts
+        if target_url in url_data_overrides and not opts.data:
+            _scan_opts = copy.copy(opts)
+            _scan_opts.data = url_data_overrides[target_url]
+
+        result = scan(target_url, _scan_opts)
+        all_results.append(result)
+        if result.total_findings > 0:
+            any_findings = True
+
+        if args.json_output:
+            print(json.dumps(result.to_dict(), indent=2))
+            continue
+
+        if multi:
+            # In multi-URL mode: only show a line when findings exist
+            if result.total_findings > 0:
+                print(f"  [+] {result.total_findings} finding(s) — {target_url}")
+        else:
+            print_summary(result)
+
+    if not args.json_output and multi:
+        # Merge all results into one combined summary
+        from .engine.reporter import ScanResult
+        combined = ScanResult(target=urls[0])
+        combined.duration_s      = sum(r.duration_s for r in all_results)
+        combined.requests_sent   = sum(r.requests_sent for r in all_results)
+        combined.crawled_urls    = sum(r.crawled_urls for r in all_results)
+        combined.params_tested   = sum(r.params_tested for r in all_results)
+        combined.waf_detected    = next((r.waf_detected for r in all_results if r.waf_detected), None)
+        combined.evasion_applied = next((r.evasion_applied for r in all_results if r.evasion_applied), None)
+        combined.dbms_detected   = next((r.dbms_detected for r in all_results if r.dbms_detected), None)
+        for r in all_results:
+            combined.error_based.extend(r.error_based)
+            combined.boolean_based.extend(r.boolean_based)
+            combined.time_based.extend(r.time_based)
+            combined.union_based.extend(r.union_based)
+            combined.oob.extend(r.oob)
+            combined.stacked.extend(r.stacked)
+            combined.extracted.extend(r.extracted)
+            combined.errors.extend(r.errors)
+        combined.target = f"{urls[0]} (+{len(urls)-1} more)" if len(urls) > 1 else urls[0]
+        print()
+        print_summary(combined)
+
+    # ── HTML report ───────────────────────────────────────────────────────────
+    _report_html = getattr(args, "report_html", "")
+    if _report_html and all_results:
+        from blackops_cli.report_html import render_html as _render_html
+        try:
+            _html_str = _render_html(
+                results=[
+                    {**r.to_dict(), "table_dumps": r.dumps_to_dict()["table_dumps"]}
+                    for r in all_results
+                ],
+                tool_name="BlackOpsSQL",
+                tool_version=__import__("blackopssql").__version__,
+            )
+            with open(_report_html, "w", encoding="utf-8") as _fh:
+                _fh.write(_html_str)
+            if not args.json_output and not args.quiet:
+                print(f"[+] HTML report written to {_report_html}")
+        except OSError as _exc:
+            print(f"[!] Cannot write HTML report: {_exc}", file=sys.stderr)
+
+    if args.json_output:
+        sys.exit(0 if not any_findings else 1)
+
+    sys.exit(1 if any_findings else 0)
+
+
+if __name__ == "__main__":
+    main()

blackopssql/_cli/args.py

@@ -0,0 +1,229 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# Copyright (c) 2026 CommonHuman-Lab
+from __future__ import annotations
+
+import argparse
+
+from blackops_cli.colour import CYAN, DIM, YELLOW
+from blackops_cli.prompts import (
+    safe_int as _safe_int,
+    prompt as _prompt,
+    prompt_bool as _prompt_bool,
+    section as _section,
+)
+
+try:
+    from blackopssql import __version__, BANNER
+except ImportError:
+    __version__ = "0.1.0"
+    BANNER = ""
+
+
+def interactive_prompts() -> argparse.Namespace:
+    """Walk the user through all scan options interactively."""
+    print(CYAN(BANNER))
+    print(DIM("  No arguments supplied — entering interactive mode."))
+    print(DIM("  Press Enter to accept defaults. Ctrl+C to exit.\n"))
+
+    _section("Target")
+    url = ""
+    while not url:
+        url = _prompt("  Target URL", hint="e.g. https://target.com/search?q=test")
+        if not url:
+            print(YELLOW("  [!] URL is required."))
+        elif not url.startswith(("http://", "https://")):
+            print(YELLOW("  [!] URL must start with http:// or https://"))
+            url = ""
+
+    _section("Authentication  (optional)")
+    login_url = _prompt("  Login URL", hint="https://target.com/login  (blank to skip)")
+    if login_url:
+        login_user = _prompt("  Username")
+        login_pass = _prompt("  Password")
+    else:
+        login_user = login_pass = ""
+    cookie = _prompt("  Cookies", hint="name=val; name2=val2  (blank if using --login-url)")
+    headers_raw: list[str] = []
+    while True:
+        h = _prompt("  Header", hint="KEY:VALUE  (blank to finish)")
+        if not h:
+            break
+        headers_raw.append(h)
+
+    _section("Request")
+    data  = _prompt("  POST body", hint="form-encoded or JSON  (blank = GET)")
+    proxy = _prompt("  Proxy", hint="http://127.0.0.1:8080")
+
+    _section("SQLi options")
+    dbms       = _prompt("  Target DBMS", default="auto",
+                         hint="mysql | mariadb | mssql | postgres | sqlite | oracle | auto")
+    technique  = _prompt("  Techniques", default="EBTUO",
+                         hint="E=error B=bool T=time U=union O=oob  (e.g. EBT)")
+    oob        = _prompt("  OOB callback URL", hint="https://your.interactsh.io/x  (blank to skip)")
+    time_thr   = _prompt("  Time threshold", default="4", hint="seconds to flag time-based hit")
+    risk_str   = _prompt("  Risk level", default="1", hint="1=safe 2=moderate 3=aggressive")
+    second_url = _prompt("  Second URL", hint="read SQLi response from this URL (blank to skip)")
+    path_params   = _prompt("  Path params",   hint="comma-separated names e.g. id,slug (blank=auto)")
+    cookie_params = _prompt("  Cookie params", hint="comma-separated cookie names to inject (blank=skip)")
+    header_params = _prompt("  Header params", hint="comma-separated header names to inject (blank=skip)")
+
+    _section("Scan options")
+    level_str   = _prompt("  Scan level",  default="1", hint="1=fast  2=thorough  3=deep")
+    threads_str = _prompt("  Threads",     default="5")
+    timeout_str = _prompt("  Timeout",     default="15", hint="seconds per request")
+
+    crawl = _prompt_bool("  Enable crawler", default=False)
+    if crawl:
+        max_pages_str = _prompt("  Max pages", default="100")
+        max_depth_str = _prompt("  Max depth", default="3")
+    else:
+        max_pages_str = "100"
+        max_depth_str = "3"
+
+    _section("Exploitation  (optional)")
+    exploit = _prompt_bool("  Extract data after finding SQLi", default=False)
+    dump    = _prompt("  Dump table", hint="table name to dump rows from (blank to skip)") if exploit else ""
+    print()
+
+    return argparse.Namespace(
+        url=url,
+        url_list="",
+        crawl=crawl,
+        data=data,
+        header=headers_raw,
+        cookie=cookie,
+        proxy=proxy,
+        threads=_safe_int(threads_str, 5, 1, 20),
+        timeout=_safe_int(timeout_str, 15, 5, 120),
+        delay=0.0,
+        level=_safe_int(level_str, 1, 1, 3),
+        max_pages=_safe_int(max_pages_str, 100, 1, 500),
+        max_depth=_safe_int(max_depth_str, 3, 1, 10),
+        exclude=[],
+        output="",
+        json_output=False,
+        quiet=False,
+        verbose=False,
+        dbms=dbms,
+        technique=technique.upper(),
+        oob=oob,
+        time_threshold=_safe_int(time_thr, 4, 1, 30),
+        risk=_safe_int(risk_str, 1, 1, 3),
+        second_url=second_url,
+        path_params=[p.strip() for p in path_params.split(",") if p.strip()],
+        cookie_params=[p.strip() for p in cookie_params.split(",") if p.strip()],
+        header_params=[p.strip() for p in header_params.split(",") if p.strip()],
+        login_url=login_url,
+        login_user=login_user,
+        login_pass=login_pass,
+        login_user_field="username",
+        login_pass_field="password",
+        openapi="",
+        base_url="",
+        browser_crawl=False,
+        exploit=exploit,
+        dump=dump,
+        dump_all=False,
+        report_html="",
+    )
+
+
+def build_parser() -> argparse.ArgumentParser:
+    p = argparse.ArgumentParser(
+        prog="blackops-sql",
+        description="BlackOpsSQL — API-aware SQL injection reconnaissance and validation engine",
+        formatter_class=argparse.RawDescriptionHelpFormatter,
+    )
+    p.add_argument("-V", "--version", action="version", version=f"%(prog)s {__version__}")
+
+    # --- Target ---
+    p.add_argument("-u", "--url",      default="",  help="Target URL")
+    p.add_argument("-L", "--url-list", default="",  metavar="FILE",
+                   help="File of target URLs (one per line)")
+
+    # --- Request ---
+    p.add_argument("--crawl",        action="store_true", help="Enable BFS crawler")
+    p.add_argument("-d", "--data",   default="",  help="POST body")
+    p.add_argument("-H", "--header", action="append", default=[], metavar="KEY:VALUE",
+                   help="Custom header (repeatable)")
+    p.add_argument("-c", "--cookie", default="",  help="Cookie string")
+    p.add_argument("--proxy",        default="",  help="HTTP proxy URL")
+    p.add_argument("-t", "--threads", type=int, default=5,
+                   help="Worker threads 1-20 (default 5)")
+    p.add_argument("--timeout",      type=int, default=15,
+                   help="Request timeout seconds 5-120 (default 15)")
+    p.add_argument("--delay",        type=float, default=0.0,
+                   help="Seconds between requests (default 0)")
+
+    # --- Scan depth ---
+    p.add_argument("--level",     type=int, default=1, choices=[1, 2, 3],
+                   help="Scan depth: 1=fast 2=thorough 3=deep (default 1)")
+    p.add_argument("--max-pages", type=int, default=100,
+                   help="Max pages to crawl (default 100)")
+    p.add_argument("--max-depth", type=int, default=3,
+                   help="Max crawl depth (default 3)")
+    p.add_argument("--exclude",   action="append", default=[], metavar="PATTERN",
+                   help="Regex pattern of URLs to skip (repeatable)")
+
+    # --- SQLi-specific ---
+    p.add_argument("--dbms",      default="auto",
+                   choices=["auto", "mysql", "mariadb", "mssql", "postgres", "sqlite", "oracle"],
+                   help="Target DBMS hint (default: auto-detect)")
+    p.add_argument("--technique", default="EBTUO", metavar="TECHNIQUES",
+                   help="Techniques to use: E=error B=bool T=time U=union O=oob (default: EBTUO)")
+    p.add_argument("--oob",       default="", metavar="URL",
+                   help="Out-of-band callback URL for OOB detection")
+    p.add_argument("--time-threshold", type=int, default=4, dest="time_threshold",
+                   help="Seconds delta to flag time-based SQLi (default 4)")
+    p.add_argument("--risk",      type=int, default=1, choices=[1, 2, 3],
+                   help="Risk level: 1=safe 2=moderate 3=aggressive (default 1)")
+    p.add_argument("--second-url", default="", dest="second_url", metavar="URL",
+                   help="Read SQLi response from this URL after injecting into target "
+                        "(e.g. DVWA high: inject to session-input.php, read from sqli/)")
+    p.add_argument("--path-params", default="", dest="path_params", metavar="NAMES",
+                   help="Comma-separated path segment names to inject "
+                        "(auto-detected from :name/{name} patterns if omitted)")
+    p.add_argument("--cookie-params", default="", dest="cookie_params", metavar="NAMES",
+                   help="Comma-separated cookie names to inject as SQLi surfaces")
+    p.add_argument("--header-params", default="", dest="header_params", metavar="NAMES",
+                   help="Comma-separated HTTP header names to inject as SQLi surfaces")
+
+    # --- Output ---
+    p.add_argument("-o", "--output", default="", metavar="NAME",
+                   help="Output stem — writes <name>.json and <name>.txt")
+    p.add_argument("--json",     action="store_true", dest="json_output",
+                   help="Output raw JSON")
+    p.add_argument("-q", "--quiet",   action="store_true",
+                   help="Suppress live log output")
+    p.add_argument("-v", "--verbose", action="store_true",
+                   help="Show all checks including clean ones")
+    p.add_argument("--login-url", default="", dest="login_url",
+                   help="Login form URL — authenticates before scanning")
+    p.add_argument("--login-user", default="", dest="login_user",
+                   help="Username for form login")
+    p.add_argument("--login-pass", default="", dest="login_pass",
+                   help="Password for form login")
+    p.add_argument("--login-user-field", default="username", dest="login_user_field",
+                   help="Username field name (default: username)")
+    p.add_argument("--login-pass-field", default="password", dest="login_pass_field",
+                   help="Password field name (default: password)")
+    p.add_argument("--openapi", default="", dest="openapi",
+                   help="OpenAPI/Swagger spec file path or URL — imports endpoints to scan")
+    p.add_argument("--base-url", default="", dest="base_url",
+                   help="Base URL override for OpenAPI spec")
+    p.add_argument("--browser-crawl", action="store_true", dest="browser_crawl",
+                   help="Use headless Chromium for endpoint discovery (requires selenium)")
+
+    # --- Exploitation ---
+    p.add_argument("--exploit", action="store_true", default=False,
+                   help="After finding SQLi, dump all tables and write <host>.txt, <host>.json, <host>.html")
+    p.add_argument("--dump", default="", metavar="TABLE",
+                   help="Dump all rows from TABLE using a confirmed injection point (implies --exploit)")
+    p.add_argument("--dump-all", action="store_true", default=False, dest="dump_all",
+                   help="Dump every table discovered during extraction (implies --exploit)")
+
+    # --- Reports ---
+    p.add_argument("--report-html", default="", dest="report_html", metavar="FILE",
+                   help="Write a self-contained HTML report to this file")
+
+    return p