I want to use http://decloak.net/decloak.html in my XSS payload to extract the victim's internal IP. How can I include that script in the payload, via an iframe for example, then extract the results URL to send back to me?

i know its possible with java, so you could get your own applet and get the results that way

i also googled get internal ip address javascript
and came up with this
http://www.gnucitizen.org/projects/javascript-address-info/

http://www.xssed.com/archive/author=PaPPy/

I'm aware of the Java method, and decloak.net uses that too. I want to use decloak.net as it seems to be the most comprehensive. My only question is, how I can include that as part of my demo payload.

well u would have to break the cross domain policy
unless u find xss on decloak.net

id just use a java applet on ur site where your xss payload is

http://www.xssed.com/archive/author=PaPPy/