It depends on the database you are using. I presume that you are using parameters on your urls? If you are using stored procs this would not be an issue. If you are building sql string then it may be.
Injection attacks take the form of appending pieces of SQL which are always true onto your param i.e. OR 1=1, so you sql becomes something like select * from mytable where custid=3232 or 1=1 which brings back all customers.
To get a list of tables you would need to try and append a UNION query to the string. select * from mytable where custid=3232 UNION select tablename from sysobjects where xtype = 'U'. Doubt this would work as the columns would not match. Maybe if you could work out the columns that the customer query brought back and aliased the second query column to the same name/numbers. It would be messy and unlikely to work.
Also, the user that you run your sql should have as little permissions as possible - not the admin!