Except SQLi are there any vulnerabilities that can deface web sites?
good question .
XSS can't deface a website. XSS is simply a trick to make a malicious website look legitimate by "merging" the malicious link in a legitimate website that is XSS vulnerable.
you could take over the box that hosts the website and modify the website files from there.
Then DoS or DDoS maybe. But that won't be a vulnerability.
I guess any software/protocol being used by the web-server could turn into a vulnerability.
it's mean only way that can deface web site is SQLi?
You can use RFI (remote file inclusion) and/or arbitrary file upload exploits to get a PHP shell on there, then go from there.
C|H has a tutorial on here about hiding some PHP code in a JPEG to use as a connection to upload a shell. I wasn't able to get it to work, personally, but it wouldn't hurt to give it a shot ... https://null-byte.wonderhowto.com/how-to/upload-shell-web-server-and-get-root-rfi-part-1-0162818/