Except SQLi are there any vulnerabilities that can deface web sites?
good question .
Then DoS or DDoS maybe. But that won't be a vulnerability.
I guess any software/protocol being used by the web-server could turn into a vulnerability.
it's mean only way that can deface web site is SQLi?
You can use RFI (remote file inclusion) and/or arbitrary file upload exploits to get a PHP shell on there, then go from there.
C|H has a tutorial on here about hiding some PHP code in a JPEG to use as a connection to upload a shell. I wasn't able to get it to work, personally, but it wouldn't hurt to give it a shot ... https://null-byte.wonderhowto.com/how-to/upload-shell-web-server-and-get-root-rfi-part-1-0162818/