Hi, please don't pay attention to those messages below, they are all incorrect.
First of all, it is not a shell script, it is a simply PHP script. You seems to have an in-secure uploader that he used to upload the php script, what it does is extract certain server php info such as disable functions, server paths, root folders etc.. He can basically include any file on your server within that file, so if there is a config file that stores sensitive data, he can simple include it. There are certain queryStrings within that file with different actions such as to list your DB table, scan dirs etc. There is also a form within that file that allows him to run php code by simply submit that form.
All that is required is a secure uploader, you can turn off PHP & shell files for that folder. You can achieve that with a simply .htaccess rule or another option would be to move your upload folder below you server public root.
That's all there is to your problem, feel free to message me.
Best regards