Webshell is a kind of backdoor program based on Webpages. Existing Webshell detection methods rely on the script source code, therefore they can only be deployed on the server in which the pages are scanned. By analyzing the HTML feature of Webshell pages, a black box detecting method based on support vector machine (SVM) classification algorithm is proposed. The method is one sort of supervised machine learning system which can detect unknown Webshell without the knowledge of source code. The experimental result indicates that the black box method has a high accuracy along with a low false positive rate, and reaches an approximate detect rate as the white box detection methods. Therefore, it can be deployed in intrusion detection system(IDS) based on network and monitor more than one server from being injected Webshell, thus helping to monitor the intrusion trends and network security situation.