How To Install SQLmap on Debian 13

Web applications that rely on databases are constant targets for attackers probing for SQL injection vulnerabilities. If you are a sysadmin, developer, or security researcher, you need a reliable, battle-tested tool to find those weaknesses before someone else does. SQLmap is that tool, and this guide walks you through exactly how to install SQLmap on Debian 13, configure it correctly, and run your first test in a safe and legal environment.

Debian 13, codenamed “Trixie,” is the latest stable release in the Debian project’s long-standing lineage of rock-solid Linux distributions. Its Python 3-first package ecosystem, minimal base footprint, and mature APT package management system make it an excellent platform for running security tools like SQLmap. Whether you are setting up a dedicated penetration testing lab or hardening your own infrastructure, Debian 13 gives you a clean, conflict-free foundation.

This tutorial covers four installation methods: APT (fastest for beginners), Git clone (best for professionals who want the latest build), pip (ideal for Python virtual environments), and Snap (useful for sandboxed portability). For each method, you will get exact terminal commands, explanations of what each command does and why it matters, and expected output examples so you always know if something went wrong. By the end of this guide, you will have a fully working SQLmap setup on Debian 13 and know how to run your first scan.

What Is SQLmap and Why Does It Matter?

SQLmap is an open-source, Python-based command-line tool that automates the detection and exploitation of SQL injection vulnerabilities in web applications. It is actively maintained on GitHub under the sqlmapproject/sqlmap repository and is trusted by penetration testers, security researchers, and bug bounty hunters worldwide.

SQLmap supports a wide range of injection techniques, including:

  • Boolean-based blind injection
  • Time-based blind injection
  • Error-based injection
  • UNION query-based injection
  • Stacked queries
  • Out-of-band injection

Beyond detecting vulnerabilities, SQLmap can fingerprint the back-end DBMS (database management system), enumerate databases, tables, columns, and records, and even attempt operating system shell access via --os-shell. It works with MySQL, PostgreSQL, Microsoft SQL Server, Oracle, SQLite, and many other database engines.

For ethical hackers and sysadmins alike, SQLmap is not optional knowledge. It is a core tool in any serious security toolkit.

Legal Disclaimer: Read Before You Proceed

Using SQLmap against any web application, server, or database system that you do not own or have explicit written authorization to test is illegal in most jurisdictions. This includes systems belonging to employers, clients, or third parties unless a signed scope-of-work agreement is in place.

Acceptable use cases include:

  • Your own web servers, applications, and databases
  • Deliberately vulnerable lab environments (DVWA, WebGoat, HackTheBox, TryHackMe)
  • Authorized penetration testing engagements with documented permission
  • CTF (Capture the Flag) competitions

SQLmap itself prints a legal disclaimer every time it runs. That is not decoration. Treat it as a reminder that this tool carries real responsibility.

Prerequisites for Installing SQLmap on Debian 13

Before you run a single command, confirm you have the following in place.

System requirements:

  • Debian 13 (Trixie) installed and running (fresh install or existing system)
  • Minimum 1 GB RAM and 2 GB free disk space
  • A user account with sudo privileges or root access
  • Active internet connection

Software dependencies:

  • Python 3.x (pre-installed on Debian 13 by default)
  • git (required for Method 2)
  • python3-pip (required for Method 3)
  • snapd (required for Method 4)

Before anything else, update your system:

sudo apt update && sudo apt upgrade -y

This command refreshes your local APT package index and upgrades all installed packages to their latest versions. Skipping this step is the number one cause of broken installs on Debian-based systems. A stale package cache can pull in outdated or incompatible dependencies without warning.

Step 1: Update Your System and Verify Python 3

Why This Step Is Non-Negotiable

SQLmap is built entirely in Python. Before you install it by any method, you need to confirm Python 3 is available and your package lists are current.

Verify Python 3 is installed:

python3 --version

Expected output:

Python 3.12.x

If you see an error, install Python 3 manually:

sudo apt install python3 -y

On Debian 13, Python 3 ships as a default system component, so this is typically a formality. Still, running the check before proceeding saves you from confusing errors later.

Step 2: Install SQLmap via APT (Recommended for Beginners)

APT is Debian’s native package manager and the simplest way to get SQLmap set up on Debian 13 in under two minutes. The Debian Trixie repository includes SQLmap as an official package, which means APT handles all dependency resolution automatically.

Install SQLmap with APT

sudo apt install sqlmap -y

This command installs SQLmap along with its required dependency python3-magic. The -y flag auto-confirms the installation prompt so you do not need to type “yes” manually.

Expected output (partial):

The following NEW packages will be installed:
  python3-magic sqlmap
0 upgraded, 2 newly installed, 0 to remove and 46 not upgraded.

Verify the APT Installation

sqlmap --version

Expected output:

sqlmap 1.x.x#stable

The #stable tag confirms you are running the APT-packaged stable release.

Alternative: Using apt-get

If you are running older admin scripts that rely on apt-get, these commands are fully equivalent:

sudo apt-get update
sudo apt-get install sqlmap -y

Trade-off to know: The APT version is the stable release packaged by Debian maintainers. It may lag behind the GitHub development branch by several months. For most users, this is fine. If you need cutting-edge tamper scripts or the latest injection techniques, use Method 2 (Git clone) instead.

Step 3: Install SQLmap via Git Clone (Best for Professionals)

The Git method pulls SQLmap directly from the official GitHub repository and gives you the latest development build. Professional penetration testers prefer this method because it provides access to tamper scripts and features that have not yet landed in Debian’s stable repos.

Install Git if Not Already Present

Check whether Git is already installed:

git --version

If the command is not found, install it:

sudo apt install git -y

Clone the Official SQLmap Repository

git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

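The --depth 1 flag performs a shallow clone, downloading only the latest commit rather than the full commit history. This is faster and uses significantly less disk space. Run the command from your home directory: the alias and update commands later in this guide assume the checkout is at ~/sqlmap-dev.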

Navigate Into the Directory and Run SQLmap

cd sqlmap-dev
python3 sqlmap.py --version

Expected output (partial):

       __H__
 ___ ___[)]_____ ___ ___  {1.8.x#dev}

The #dev tag indicates you are running the development build from GitHub.

Create a Shell Alias for Convenience

Running python3 ~/sqlmap-dev/sqlmap.py every time is tedious. Create a Bash alias to simplify this:

echo "alias sqlmap='python3 ~/sqlmap-dev/sqlmap.py'" >> ~/.bashrc
source ~/.bashrc

Now you can type sqlmap from any directory and it resolves to the correct path.

Keep SQLmap Up to Date

cd ~/sqlmap-dev
git pull

Or use SQLmap’s built-in update flag:

python3 sqlmap.py --update

Running git pull regularly keeps your tamper scripts, detection techniques, and evasion payloads current. In active testing environments, this matters more than most users initially realize.

Step 4: Install SQLmap via pip (Python Package Method)

The pip method is best suited for developers who want to isolate SQLmap inside a Python virtual environment or for those building automated security pipelines and Docker containers.

Install pip

sudo apt install python3-pip -y

Install SQLmap via pip3

sudo pip3 install sqlmap

Important note for Debian 13 users: Debian 13 enforces PEP 668, which restricts system-wide pip install commands by default to prevent conflicts with APT-managed Python packages. If you see this error:

error: externally-managed-environment

Use a virtual environment instead:

python3 -m venv sqlmap-env
source sqlmap-env/bin/activate
pip install sqlmap

The python3 -m venv sqlmap-env command creates an isolated Python environment. source sqlmap-env/bin/activate activates it. All pip installs inside the virtual environment stay contained and do not touch your system Python installation. The sqlmap command is available only while the environment is active; run deactivate to leave it.

Verify pip Installation

sqlmap --version

Step 5: Install SQLmap via Snap (Sandboxed Option)

Snap packages are distribution-agnostic, containerized packages that run in an isolated environment. This method works on Debian 9 and newer, including Debian 13.

Install snapd

sudo apt install snapd -y
sudo systemctl enable --now snapd.socket

The systemctl enable --now snapd.socket command enables the Snap socket daemon and starts it immediately. Without this step, the snap command may not function correctly after install.

Install SQLmap via Snap

sudo snap install sqlmap

Verify Snap Installation

sqlmap --version

Snap trade-off: Snap packages run in a sandbox with restricted access to certain file system paths and system resources. This can cause issues if SQLmap needs to write output files to non-standard directories. For full control over output and file access, APT or Git methods are preferable for professional use.

Step 6: Verify the Installation and Run Your First Command

Regardless of which method you used, run these verification commands to confirm SQLmap is fully operational.

Check the Version

sqlmap --version

View Basic Help

sqlmap -h

View Full Options (Advanced Help)

sqlmap -hh

The -hh flag outputs the complete options list, including advanced parameters for level, risk, tamper scripts, and DBMS-specific options.

Run a Basic Scan Against a Legal Test Target

Use testphp.vulnweb.com, a deliberately vulnerable web application maintained specifically for security testing:

sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --dbs --batch

What each flag does:

Flag      Purpose
-u        Specifies the target URL
--dbs     Enumerates all databases
--batch   Uses default responses to all prompts (non-interactive)
--level   Sets testing depth (1-5, default is 1)
--risk    Sets payload aggressiveness (1-3, default is 1)

Always start with --level=1 --risk=1 when testing unfamiliar targets. Higher values increase the chance of triggering WAF rules or causing application errors.
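
The authorization rule and the --level=1 --risk=1 starting point above can be enforced by a small wrapper that refuses to start unless the URL's host is listed in a scope file. This is an added example, not part of the original tutorial or the sqlmap project; the scope file path, the SQLMAP_SCOPE and SQLMAP_BIN variables and the function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example: scope guard in front of sqlmap. File locations, variable and
# function names are assumptions; this is a guard rail, not a security boundary.
SCOPE_FILE="${SQLMAP_SCOPE:-$HOME/.sqlmap/scope.txt}"   # one authorized host per line

# Print the lowercase host of an http(s) URL; fail on any other input.
url_host() {
    local rest host
    case "$1" in
        http://*|https://*) rest="${1#*://}" ;;
        *) return 1 ;;
    esac
    rest="${rest%%[/?#]*}"                   # drop path, query and fragment
    rest="${rest##*@}"                       # drop userinfo
    case "$rest" in
        \[*\]*) host="${rest%%\]*}]" ;;      # bracketed IPv6 literal
        *)      host="${rest%%:*}" ;;        # drop port
    esac
    [ -n "$host" ] || return 1
    printf '%s\n' "$host" | tr '[:upper:]' '[:lower:]'
}

# Succeed only if the host matches a whole non-comment line of the scope file.
in_scope() {
    [ -r "$SCOPE_FILE" ] || return 1
    grep -v '^[[:space:]]*#' "$SCOPE_FILE" | grep -Fxq -- "$1"
}

# Run sqlmap only against in-scope hosts, pinned to --level=1 --risk=1.
guarded_sqlmap() {
    local url="$1" host arg
    shift
    host="$(url_host "$url")" || { echo "refused: not an http(s) URL" >&2; return 2; }
    in_scope "$host" || { echo "refused: $host not in $SCOPE_FILE" >&2; return 3; }
    for arg in "$@"; do
        case "$arg" in
            # Options that would change the target or override the pinned values.
            -u|--url*|-d|-l|-m|-r|-g|-c|--level*|--risk*)
                echo "refused: $arg is controlled by this wrapper" >&2; return 4 ;;
        esac
    done
    "${SQLMAP_BIN:-sqlmap}" -u "$url" --level=1 --risk=1 --batch "$@"
}
```

Source the file and call guarded_sqlmap with the URL first, followed by enumeration options such as --dbs.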

Enumerate Tables in a Specific Database

sqlmap -u "http://target.com/page.php?id=1" -D database_name --tables

Dump a Specific Table

sqlmap -u "http://target.com/page.php?id=1" -D database_name -T table_name --dump

Step 7: Install Optional Database-Specific Dependencies

When you use SQLmap’s -d flag to connect directly to a database server (bypassing a web application entirely), you need Python bindings specific to that DBMS.

Install the relevant package based on your target database:

  • MySQL: pip install pymysql
  • PostgreSQL: sudo apt install python3-psycopg2
  • Microsoft SQL Server: pip install pymssql
  • Oracle: pip install cx_Oracle
  • SQLite: sudo apt install python3-pysqlite2
  • IBM DB2: pip install ibm-db
  • Firebird: pip install kinterbasdb
  • Microsoft Access: pip install pyodbc

For standard web-based SQL injection testing, none of these are required. SQLmap handles web application targets without any DBMS bindings.

Troubleshooting Common SQLmap Installation Issues on Debian 13

Error 1: command not found: sqlmap

Cause: The SQLmap binary is not in your system PATH, or an alias was not sourced correctly.

Fix:

source ~/.bashrc

If using the Git method, use the full path directly:

python3 ~/sqlmap-dev/sqlmap.py --version
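
With four install methods available on one machine, it helps to see which sqlmap launchers are on PATH and which one runs first. This is an added example, not part of the original tutorial or the sqlmap project; the function names and the path-to-method mapping are assumptions based on default install locations.

```bash
#!/usr/bin/env bash
# Added example: map a sqlmap launcher path to the install method that put it there.
# The path-to-method mapping is an assumption based on default install locations.

# Classify one absolute path to a sqlmap launcher.
sqlmap_origin() {
    local path="$1" dir
    dir="${path%/*}"
    case "$path" in
        /snap/bin/*) echo snap; return 0 ;;
    esac
    # A Git checkout is run as sqlmap.py from a directory that contains .git.
    if [ "${path##*/}" = "sqlmap.py" ] && [ -d "$dir/.git" ]; then echo git; return 0; fi
    # A virtual environment keeps pyvenv.cfg one level above its bin/ directory.
    if [ -f "$dir/../pyvenv.cfg" ]; then echo venv; return 0; fi
    case "$path" in
        /usr/bin/*)       echo apt ;;
        /usr/local/bin/*) echo pip-system ;;
        *)                echo unknown ;;
    esac
}

# Print "origin<TAB>path" for every sqlmap on PATH; the first line is the one that runs.
sqlmap_on_path() {
    local d old_ifs="$IFS"
    IFS=:
    for d in $PATH; do
        [ -x "$d/sqlmap" ] && printf '%s\t%s\n' "$(sqlmap_origin "$d/sqlmap")" "$d/sqlmap"
    done
    IFS="$old_ifs"
    return 0
}
```

An alias defined in ~/.bashrc takes precedence over every PATH entry in interactive shells; type sqlmap shows whether one is in effect.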

Error 2: error: externally-managed-environment

Cause: Debian 13 enforces PEP 668, blocking system-wide pip install operations by default.

Fix: Use a virtual environment:

python3 -m venv sqlmap-env
source sqlmap-env/bin/activate
pip install sqlmap

Error 3: ModuleNotFoundError: No module named 'magic'

Cause: The python3-magic dependency is missing.

Fix:

sudo apt install python3-magic -y

Error 4: APT Version Is Outdated

Cause: Debian’s stable repos package SQLmap at a fixed version that lags the GitHub dev branch.

Fix: Switch to the Git clone method and update regularly:

cd ~/sqlmap-dev && git pull

Error 5: Permission Denied When Running sqlmap.py

Cause: The script file does not have execute permissions.

Fix:

chmod +x ~/sqlmap-dev/sqlmap.py

How To Configure SQLmap on Debian 13 for a Repeatable Workflow

Once SQLmap is installed, configuring it for repeatable use saves significant time across multiple engagements or testing sessions.

Create a SQLmap configuration file:

SQLmap can read frequently used options from an INI-style configuration file, which you pass with the -c option. The Git checkout ships a sample, sqlmap.conf. Copy it to your home directory (create the target directory first) and edit it:

mkdir -p ~/.sqlmap
cp ~/sqlmap-dev/sqlmap.conf ~/.sqlmap/sqlmap.conf
nano ~/.sqlmap/sqlmap.conf

Useful settings to configure:

  • level = 2 for slightly deeper testing than the default
  • threads = 4 to speed up testing with parallel requests
  • outputDir = /home/user/sqlmap-output for organized result storage (outputDir is the configuration-file name of --output-dir)

Save SQLmap output to a directory:

sqlmap -u "http://target.com/page.php?id=1" --dbs --output-dir=/home/user/sqlmap-results

This keeps your findings organized and makes reporting much cleaner after a testing session.

Congratulations! You have successfully installed SQLmap. Thanks for using this tutorial for installing SQLmap on your Debian 13 “Trixie” system. For additional help or useful information, we recommend you check the official SQLmap website.
