Usually hackers upload shell to victim's site using the vulnerability in that website. Shell allows hackers to hack/deface the website. Sometimes hackers left the shell in the vulnerable sites. Here is simple google search allows you to find a shell uploaded by hackers.
Use one of the following google dork to find the shell:
- intitle:index of/sh3llZ
- "Index of /sh3llZ"