Mainly, you exploit bugs in the webserver's capacity to handle request like files outside its root, or poorly implemented scripts (like bad php coding or things like that).

You can also hack the system, and defacing the site is only one of the numerous possibilities then offered.

But it's really really *evil* to deface web site!

Jean-Francois