A bug in filtering system of Iran (#filternet) - Proof Of Concept script [more info (in Persian): http://shirazi.blogfa.com/post/388]

filtering_bug.php

<?php
/**
  * There is a bug in filternet. If you connect to yahoo.com:80 
  *   and type `GET / HTTP/1.1\r\nHost: msn.com\r\n\r\n` you can see msn.com page!
  * 
  *
  * How to run:
  * $ php filtering_bug.php <domain-address> <http-host-value>
  *
  * - <domain-address> : connecting via tcp
  * - <http-host-value> : [optional] [default: <domain-address>] value of header `Host`
  * @see http://shirazi.blogfa.com/post/388
  */

// Create a new socket
$sock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if(!$sock){
	die(socket_strerror(socket_last_error($sock)));
}
// Bind the source address
if(!socket_bind($sock, '0.0.0.0')){
	die(socket_strerror(socket_last_error($sock)));
}

// Get arguments
$domain = $argv[1];
$host = isset($argv[2])? $argv[2]: $domain;
$ip = gethostbyname($domain);

// Connect to destination address
echo "Connecting to '$domain' [$ip] ...\n";

if(!socket_connect($sock, $ip, 80)){
	die(socket_strerror(socket_last_error($sock)));
}

echo "Requesting 'Host: $host' ... \n";
echo "===========================\n\n";

// Write Http request header
$request = 'GET / HTTP/1.1' . "\r\n" .
           'Host: ' . $host . "\r\n" .
           'Connection: close' . "\r\n\r\n";

socket_write($sock, $request);

// Read Response
echo socket_read($sock, 1024);
// Close
socket_close($sock);