Inject something like XSS Tunnel (http://labs.portcullis.co.uk/download/XSS-Tunnelling.pdf that gives you a local proxy that you can point your local browser and then sends all of your traffic through the victim, so you'll see and use the website(s) with your victim's session), or BeeF - http://beefproject.com/ for tons of exotic XSS based exploits.