there are php backdoors with an interface to bash.
but it's better to set up ssh access on the machine

well, if you can edit the website files, add some phpshell thread and see.
And so, not knowing how the web server is configured is unknown

The web interface works through a web server. Commands are executed by the server whose commands they are. This happens all the time. If, for example, the web server tells PHP to execute a particular command, PHP does it and sends the results back to the web server. But, since the PHP code is executed on the server, and not on the client, only those who have the right to access the code files on the server can change the code.
You probably noticed that there is no PHP code in the page loaded from the server, because PHP code is for instructions to the PHP server, not the Web server. The situation is the same with Bash, the web server does not have access to the rights to execute these commands, therefore, the Web server cannot directly access these commands through the Web server, the web server functionality simply does not provide this for security purposes. It is possible to execute a bash script via php, but see above.
Although, if it is possible to put some kind of myfile.php file on the server, for example, at /var/web/html/website.com/php and then call the file via www.website.com/php/myfile.php, then if not appropriate security settings, theoretically this can work. Therefore, when uploading files, they either strictly prohibit uploading code files (php, JS, java, and so on, which can potentially be executed on the server), or a special sandbox is used to upload such files, where they cannot be executed...