It's possible, especially with suitably careless configuration.
For example, there is SELECT ... INTO OUTFILE 'file_name'
But it's also more likely to be a different security problem. I'd seriously consider taking the software offline quickly, especially if the database contains any confidential or private information,,
reference-http://stackoverflow.com/questions/1579160/is-it-possbile-to-write-files-with-mysql-via-sql-injection