An out-of-band attack is characterized by two different communication channels: one to launch the attack and the other to gather the results. For example, the attack channel could be a web request, and the data-gathering channel could be monitoring HTTP/DNS requests made to a service we control.
An attacker makes a request to a website vulnerable to SQL Injection with an injection payload.
The website makes a query to the DB, which passes the payload along with it.
The payload contains a request that forces an HTTP request back to the attacker's machine, containing data from the DB.
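
Because the results leave over a second channel, a defender can watch for that channel: a database host rarely has a reason to resolve or contact arbitrary external names. The following is an added example, not part of the original page, that scans a resolver log for unexpected lookups made by database servers; the log format, host address, allowlist and domain names are all assumptions constructed for illustration.

```python
import math
from collections import Counter

# Assumptions (not from the page): log format, host addresses, domain names.
DB_HOSTS = {"10.0.5.20"}                            # database servers
ALLOWED_SUFFIXES = ("corp.example", "ntp.example")  # lookups a DB host is expected to make

# Constructed sample resolver log: "<time> <client_ip> <query_name>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.5.20 backup01.corp.example
2024-05-01T10:00:07Z 10.0.3.11 www.vendor.example
2024-05-01T10:00:09Z 10.0.5.20 time.ntp.example
2024-05-01T10:00:12Z 10.0.5.20 4f2a9c71e83b05d6a1c47f90b2e6.oob.test
2024-05-01T10:00:15Z 10.0.5.20 updates.vendor.example
"""

def entropy(s):
    """Shannon entropy in bits per character."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def allowed(qname):
    """True if the name is on, or under, an allowlisted suffix."""
    return any(qname == s or qname.endswith("." + s) for s in ALLOWED_SUFFIXES)

def find_oob_candidates(log_text):
    """Return (time, client, qname, severity) for unexpected DB-host lookups."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        when, client, qname = parts
        qname = qname.rstrip(".").lower()
        if client not in DB_HOSTS or allowed(qname):
            continue
        first = qname.split(".")[0]
        # A long, high-entropy first label suggests data encoded into the name.
        encoded = len(first) >= 20 and entropy(first) >= 2.5
        findings.append((when, client, qname, "high" if encoded else "review"))
    return findings

if __name__ == "__main__":
    for finding in find_oob_candidates(SAMPLE_LOG):
        print(*finding)
```

The same allowlist idea applies to outbound HTTP from the database tier: blocking egress by default removes the second channel even when the injection itself succeeds.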