As more and more critical infrastructures such as transportation, power systems and water are being embedded with sensing and control and linked to the Internet, the resulting security vulnerability can be exploited to inflict systematic damage to the connected physical systems. The class of false-data injection attacks is of particular interest as it only requires the ability to compromise the measurements. We construct such attacks, that are stealthy to set-membership-based anomaly detectors over widely used constrained control systems with bounded disturbances. The design of robust controllers and detectors based on the ability to withstand disturbance lets the attacker masquerade itself as disturbance and necessitates the development of a disturbance set-estimator as a soft-constrained optimisation problem. We then formulate another constrained optimisation problem that maximises the state estimation error by manipulating measurements and results in a computable performance loss and derive its explicit solution as the attack vector. These methods are used to demonstrate the vulnerability of a test system, with attacker having limited knowledge of the control system.