Injection of sed Commands Leading to Remote Code Execution in pfSense

We discussed this vulnerability during Episode 125 on 07 March 2022

Abusing an otherwise secure call to shell_exec allows users to control part of the sed command line, leading to code execution. One thing of note is that this is the FreeBSD version of sed, which differs from the more common GNU version in that it does not include the commands for executing shell commands directly. So instead the author used the s (s/search/replace/) and w (w output_location.txt) commands to replace part of the normal output with some PHP code to create a simple web-shell and write it to the web-root.
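The root cause described above is user-controlled text being spliced into a sed script, where the sed command language itself (s and w) does the rest. As an added example, not pfSense's code and not the exploit from the episode, here is what the defensive pattern looks like: user input is escaped so it can only ever be literal search and replacement text inside a single s command, the resulting expression is checked before it reaches sed, and sed is invoked without a shell. The function names, the escape sets and the sample inputs are assumptions constructed for this illustration.

```python
import re
import subprocess
import tempfile

# Escape sets are assumptions chosen for POSIX/FreeBSD sed basic regular
# expressions. In the pattern, the delimiter, backslash and BRE metacharacters
# can change meaning or end the s command; in the replacement, the delimiter,
# backslash and & can.
_PATTERN_SPECIALS = set("/\\.*[^$")
_REPLACEMENT_SPECIALS = set("/\\&")

# A well-formed single substitution: s/<body>/<body>/g where a body is any run
# of characters other than an unescaped delimiter, and nothing follows /g.
_SINGLE_SUBSTITUTION = re.compile(r"^s/(?:[^/\\]|\\.)*/(?:[^/\\]|\\.)*/g$")


def _escape(text: str, specials: set) -> str:
    """Backslash-escape every character in `specials`; reject line breaks
    outright, because a newline always terminates a sed command."""
    if "\n" in text or "\r" in text:
        raise ValueError("line breaks are not allowed in sed operands")
    return "".join("\\" + ch if ch in specials else ch for ch in text)


def is_single_substitution(expr: str) -> bool:
    """True only if `expr` is exactly one s/.../.../g command, i.e. no
    ';' or newline-separated follow-up command such as w can be present."""
    return _SINGLE_SUBSTITUTION.fullmatch(expr) is not None


def build_sed_substitution(search: str, replace: str) -> str:
    """Return a sed expression that replaces the literal `search` with the
    literal `replace`, and nothing else."""
    expr = "s/{}/{}/g".format(_escape(search, _PATTERN_SPECIALS),
                              _escape(replace, _REPLACEMENT_SPECIALS))
    # Belt and braces: refuse to emit anything that is not one s command.
    if not is_single_substitution(expr):
        raise ValueError("constructed expression is not a single substitution")
    return expr


def sed_argv(search: str, replace: str, path: str) -> list:
    """Argument vector for sed. Passing a list to subprocess avoids the shell
    entirely; the expression is one argv element and is never shell-parsed."""
    return ["sed", "-e", build_sed_substitution(search, replace), path]


if __name__ == "__main__":
    # Constructed demo input that tries to close the s command and append a
    # w command; after escaping it is just literal replacement text.
    hostile_replace = "bar/w /tmp/out"
    print(build_sed_substitution("foo", hostile_replace))
    with tempfile.NamedTemporaryFile("w+", suffix=".txt", delete=False) as f:
        f.write("foo here\n")
        name = f.name
    result = subprocess.run(sed_argv("foo", hostile_replace, name),
                            capture_output=True, text=True)
    print(result.stdout, end="")
```

The two-layer approach matters: escaping alone is easy to get subtly wrong across sed dialects, so the final regex check guarantees that whatever is emitted is structurally a single substitution and cannot carry a w (or any second command) no matter what the input was. Where possible the better fix is to not shell out at all and do the replacement in the application language.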